Ole asserts that there are two key infotainment revenue streams that content providers, such as ISPs, maintain: the $150 Cable TV stream and the $50 Internet stream. Given that content providers are required to redistribute some of the $150/month to content creators (often between 0.40-0.50 cents of every dollar collected), Ole argues that ISPs should be similarly required to distribute some of the $50/month to content creators that make the Internet worth using for end-users. Unstated, but presumed, is a very 1995 understanding of both copyright and digital networks. In 1995 the American Information Infrastructure Task Force released its Intellectual Property and the National Information Infrastructure report, wherein they wrote;

…the full potential of the NII will not be realized if the education, information and entertainment products protected by intellectual property laws are not protected effectively when disseminated via the NII…the public will not use the services available on the NII and generate the market necessary for its success unless a wide variety of works are available under equitable and reasonable terms and conditions, and the integrity of those works is assured…What will drive the NII is the content moving through it.

Of course, the assertion that if commercial content creators don’t make their works available on the Internet then the Internet will collapse is patently false. As written about by Middleton in “What if there is no killer application?“, an early study in Littleton about how individuals use high-speed networks in the mid-90s found that customers were most engaged with amateur content production (i.e. that of their neighbours) and entranced by the communicative possibilities made available through broadband (i.e. e-mail and mailing lists). In essence, from this we can suggest that the empirical study demonstrated that the ideological and financial values placed on commercial cultural artifacts by bureaucrats and commercial content producers is less obvious than they (loudly) state. Further, the value of commercial content is arguably diminished even more in an environment where people spend increasing amounts of time engaging with the generative elements of the Internet, often referred to as amateur-dominated social media environments. In essence, the undertone that ISPs can only sell their data transmission services because of commercial content is at the very least shaky, and more likely to be empirically unsupportable if posed as a strong correlation between the value of transmission capabilities and commercial content availability.

Depressingly, Ole believes that a broadcast-based (historical) business model should be imposed on ISP transmission-based companies in an effort to regenerate the value of their (now somewhat devalued) intellectual properties. Specifically,

The ISP business model for the Internet could and should mimic that of Cable/ TV. Modern technology allows the ISP to identify what content is being used and then they can allocate the appropriate share to the creator or supplier of that content.

This would put ISPs in the situation of somehow being liable to the collection societies, and also require substantial telecommunications investment in labour and sunk capital to establish an (ineffective) network surveillance policy designed to monitor the amount of copywritten content flowing across Canada’s networks. Most likely, such a proposal would turn ISPs into content police and require the use of some kind of packet inspection equipment to survey Canadians’ data traffic, pick out that which is believed to be infringing, and pay some kind of monthly tax for the transport of customers’ content. This amounts to a suggestion that ISPs become content police on the basis that only by doing so would they evade being identified as encouraging copyright infringement. Ole is intimating that ISPs must implement surveillance one the networks if they are to avoid third-party liability.

There are systems on the market that claim they can analyze data traffic to develop ‘piracy’ indexes. CView is used by Virgin in the UK (though we’ve no idea how effective it is) and Audible Magic has been successful in forcing some ISPs and campuses to adopt their technology. In most cases, such content analysis technologies require the offloading of data traffic suspected of being infringing in high-traffic networks, doing a one-way hash of the data, checking the hash against known copywritten files’ signatures, and then aggregating the overall amount of infringement and particular cases of infringement on a per-file basis. This is substantial overhead for any party, especially one that is just trying to move data from one place to another. Moreover, any such massive dragnet analysis of content raises real questions of whether ISPs could then be considered ‘transport’ facilities; while presently there is substantial monitoring for particular protocol types, Canadian ISPs are not searching for particular content-types. This is an important distinction, insofar as ISPs can understand what application-types are generating traffic on their networks but not what those application-types are actually being used to transmit and receive. For all Canadian ISPs know, Canadians might have some strange obsession with massive downloading and sharing of Linux .ISO files and the entire Canadian population actually avoids downloading copywritten music.

There continue to be doubts concerning whether any kind of massive copyright-analysis engine could work – prominently by companies that actually sell the solutions and those that would be responsible for deploying these fears – and further whether such engines could ever competently detect fair use/fair dealing of some material. YouTube’s algorithms are relatively notorious for censoring uses of copywritten material falling under fair use and fair dealing provisions; what guarantee do citizens have that any algorithmic surveillance and monitoring system deployed on communicative networks would avoid the YouTube problem? Should the content creator-owner get restitution for fair dealing of works? How would this be adjudicated – by determining where the data was to and from (i.e. if to an educational institution, we must assume that it’s for fair dealing research purposes) or on a case-by-case challenge basis? Moreover, doesn’t the provision of funds for fair dealing uses modify the provisions of fair dealing, insofar as content creator-owners would receive a fiscal benefit even for fair dealing whereas presently fair dealing falls outside of their revenue traps?

Of course, even the suggestion that Canadian ISPs should be required to cough up money to content creator-owners is absurd in the face of a recent Federal Court of Appeals ruling that asserted that ISPs are not broadcasters. The question of ISPs’ status was punted to the Court by the CRTC, who wanted judicial guidance before it proceeds to determine whether ISPs can be legally required to establish copyright levies. Since ISPs fall under the Telecommunications, and not Broadcasting Act, they are seen as solved involved in providing,

the mode of transmission, they have no control or input over the content made available to Internet users by content producers and as a result, they are unable to take any steps to promote the policy described in the Broadcasting Act or its supporting provisions. Only those who “transmit” the “program” can contribute to the policy objectives.

Under this decision, so long as ISPs are not involved in discriminating against any particular content and thus making an input into the content made available on the Internet to and by users (i.e. so long as Canadian ISPs adhere to a form of network neutrality), any levy-based system is dead. The very system that Ole is advocating for has already fallen before the Court of Appeals.

Now, out of all of this, we might be expected to feel poorly for the content creator-owners that depend on selling and licensing content for their commercial success. I think that if we look at the history of these companies’ digital involvement, however, we quickly disenchant ourselves of this position. Major labels refused to license recordings to Napster and subsequently engaged in what Jessica Litman refers to as a process of “suing upstart new businesses into bankruptcy” to try and stem the Internet as a disruptive factor in their businesses. This saw content creator-owners financially assassinate Napster, Scour.com, iCraveTV, RecordTV, mp3.com, Aimster, Grokster, Streamcast, KaZaA, and others. Authors have gone after Google for the mere action of scanning books for search index purposes, a purpose that would enable authors to sell additional texts when the texts appeared through a Google book search. That the copying a text, even for fair-use purposes, is grounds for massive legal obstruction speaks volumes of content creator-owners general willingness to genuinely deal with the digital reality they are immersed in. Broadly, instead of working to establish a marketplace for digital manifestations of content creator-owner works there have been, and continue to be, mass efforts to shut down marketplaces that don’t grant total control to content owner-creators and their associated companies. As such, customers have become used to going to illicit sites that offer superior selection with fewer restrictions than label offerings. This indicates a failure in big content’s rent-seeking business model and the truth that modern customers are rational economic actors. It does not indicate that ISPs are somehow required to prop-up a rent-seeking model, nor a moral deficit on the part of customers.

Labels were, and remain, in a state of ontological insecurity that accompanies their plunging into a decade-long existential crisis: how can they maintain their rent-seeking behaviour in the face of disruptive technologies. Answers to this existential question are out of reach of most companies on the basis that their perception of the world markets preclude taking risks that could see a (necessary) cannibalization of short-term revenue streams for long-term survival. Unfortunately, while adherence to historical models was effective last decade in colonizing their futural existences – in assuring them of how to approach the world and guarantee particular revenue streams – that old model leaves them grasping at new rent-seeking behaviour instead of adopting novel business strategies. While we can all appreciate just how devastating existential crises can be on a personal level, when we consider the multi-billion dollar record industry we tend to have far less sympathy. Just as you or I are unable to let a crisis linger for a decade – we go to a therapist, get straightened out, and get back on our way – neither can these companies. At best we might feel pity as we watch them wallow in their crisis. At worst, we fear what they might crush as they roll around on the ground like starving dinosaurs and demolish other elements of civil society in their throes of panic and fear aimed at extinguishing the generativity seen as endangering their ontological security. They’ve already made a mess of copyright and cultural transmission possibilities; let’s hope they don’t damage the conditions of democratic communication itself while they’re working out their problems.

Other posts you might be interested in:

1. Comment: Canadian ISPs and Internet Traffic Management
2. Update: Associating Canadian ISPs with Anonymized Data Traffic Submissions
3. Deep Packet Inspection: What Innovation Will ISPs Encourage?

In this post I’m going to spell out what the changes actually mean – what duties and responsibilities, in specific, the CRTC is responsible for – and what traffic management on mobile networks would entail. This will see me significantly reference portions of the Canadian Telecommunications Act; if you do work in telecommunications in Canada you’ll be familiar with a lot of what’s below (and might find my earlier post on deep packet inspection and mobile discrimination more interesting), but for the rest this will expose you to some of the actual text of the Act.

In amending the forbearance framework the CRTC is entering the regulatory domain on several topics pertaining to wireless data communications. Specifically, wireless providers are now subject to section 24 and subsections 27(2), 27(3), and 27(4) of the Act. Section 24 states that the “offering and provision of telecommunications service by a Canadian carrier are subject to any conditions imposed by the Commission or included in tariff approved by the Commission.” In effect, the CRTC can now intervene in the conditions of service that carriers make available to other carriers and the public. Under 27(2) carriers can no longer unjustly discriminate against or give unreasonable preference towards any person. This limitation includes the telecommunications carrier itself and thus means that neither fees nor management of the network can be excessively leveraged to the benefit of the carrier and detriment of other parties.

Under 27(3) the CRTC can determine as a question of fact whether carriers have complied with sections 25 (broadly dealing with tariffs), 27 (which concerns the monitoring and enforcement of elements of the Act) or 29 (where the CRTC must approve working agreements between carriers). Further, a question of fact may be used to determine whether a carrier is in compliance with a decision concerning sections 24 (on the conditions of service), 25, 29, 34 (addressing issues of forbearance) or 40 (concerning the connection of facilities between carriers or other facilities).

Broadly, what all of this means is that the CRTC has stepped aside from their position that potential regulation could negatively injure the state of competition in Canada’s wireless market. This isn’t to say that they are regulating, but that they have stepped away from their traditional stance of forbearance around wireless. The shift isn’t terribly surprising given the rise of new entrants to the mobile space in Canada such as Mobilicity and Wind Mobile, as well as the multitude of high speed data networks in the country.

Also important is that the CRTC has decided to apply the Internet Traffic Management Proceedings (ITMP) framework, emergent from the ITMP Decision, to the wireless environment. In short form, this means that the rules Canadian carriers have to follow when they throttle or modify data packets on wireline connections (i.e. the cables running into your home/business) now apply to the wireless space. The shift isn’t surprising, save that it happened relatively shortly after last year’s decision to forbear a decision on the wireless space but had been previously announced as an element of the broader Proceedings to review access to basic telecommunications services and other matters. For practical purposes few will realize any difference in the provision of their wireless data services this week than they did last. It does, however, lay the conditions under which throttling and packet modification appliances can be used. These appliances include those with deep packet inspection functionality.

The ITMP framework identifies what a carrier must do whenever there is a complaint levied to the CRTC concerning the use of a traffic management technique or technology. Specifically the carrier must:

• Describe the ITMP being employed, as well as the need for it and its purpose and effect, and identify whether or not the ITMP results in discrimination or preference.
• In the case of an ITMP that results in any degree of discrimination or preference:
  • demonstrate that the ITMP is designed to address the need and achieve the purpose and effect in question, and nothing else;
  • establish that the ITMP results in discrimination or preference as little as reasonably possible;
  • demonstrate that any harm to a secondary ISP, end-user, or any other person is as little as reasonably possible; and
  • explain why, in the case of a technical ITMP, network investment or economic approaches alone would not reasonably address the need and effectively achieve the same purpose as the ITMP.

Of course, this requires the a complaint be levied: such an action is challenging given that where a customer is dealing with properly installed traffic management gear the equipment is effectively invisible. Determining a problem thus requires a very technically savvy customer or group and/or bad configuration by the carrier(s). As such, the Framework remains useful but mired in some potential implementation problems. More likely any complaint will result from a modification to terms of service between an Incumbent Local Exchange Carrier (ILEC) and Competitive Local Exchange Carrier (CLEC).

What will be fascinating to watch, as a researcher, is whether with Decision Canadian carriers begin deploying traffic management equipment capable of scanning the payloads of mobile data packets. Moreover, if/when the technologies are deployed will we see a trojan-horse like approach in mobile that we did in wireline – will is first be used for subscriber management, then for throttling, then for sending messages over through the browser? If/when they do deploy the technology, will they immediately and publicly update their traffic management policies to reflect the analysis of wireless traffic or will it take another complaint to the Office of the Privacy Commissioner of Canada to ‘encourage’ such modifications? Hopefully after a round in front of the CRTC and OPC carriers will willingly put packet inspection information where the public can easily find it (i.e. not buried in terms of service and changed without notification in the dead of night) but only time will tell. Overall, the decision to implement the traffic management framework is certainly a positive step forward and confirms my earlier hopes that a policy of non-discrimination in the Canadian wireless market would be adopted. The next step will be to watch and see whether deep packet inspection-based equipment is deployed in wireless environments in a transparent fashion or not.

Other posts you might be interested in:

1. Comment: Canadian ISPs and Internet Traffic Management
2. Deep Packet Inspection and Mobile Discrimination
3. Some Data on the Skype iPhone Application

Abstract:

Across the Internet, an arms race between agents supporting and opposing network-based surveillance techniques has quietly unfolded over the past two decades. Whereas the 1990s might be characterized as hosting the first round of the encryption wars, this paper focuses on the contemporary battlescape. Specifically, I consider how ISPs “secure” and “manage” their digital networks using contemporary DPI appliances and the ramifications that these appliances may have on the development, and our understanding, of the code-body. DPI networking appliances operate as surveillance devices that render the digital subject constituted by data packets bare to heuristic analyses, but, despite the ingenuity of these devices, some encryption techniques successfully harden otherwise soft digital flesh and render it opaque. Drawing on Kant and Derrida, I suggest that ISPs’ understanding of the Internet as one of packets arguably corresponds with a Kantian notion of reality-as-such and offers a limited and problematic conception of the code-body. Turning to Derrida, we move beyond protocol alone to consider the specters that are always before, and always after, the code-body; Derrida provides a way of thinking beyond Kantian conceptions of space and time and the reality-as-such code-body and lets us consider the holistic identity of the code-being. Further, Derrida lets us interrogate the nature of DPI networking appliances and see that they resemble thrashing zombie-like code-corpses that always try, but perpetually fail, to become fully self-animated. While Derridean insights suggest that ISPs are unlikely to be successful in wholly understanding or shaping code-bodies, these corporate juggernauts do incite identity transformations that are inculcated in cauldrons of risk and fear. Not even Derridean specters can prevent the rending of digital flesh or act as a total antidote to ISPs’ shaping of consumers’ packet-based bodily identity.

Link to article.

Other posts you might be interested in:

1. Comment: Canadian ISPs and Internet Traffic Management
2. Deep Packet Inspection and Law Enforcement
3. Digital Crises and Internet Identity Cards

Last week my advisor, Dr. Colin Bennett, and I launched a new website that is meant to provide Canadians with information about how their Internet Service Provider (ISP) monitors data traffic and manages their network. This website, Deep Packet Inspection Canada, aggregates information that has been disclosed on the public record about how the technology is used, why, and what uses of it are seen as ‘off limits’ by ISPs. The research has been funded through the Office of the Privacy Commissioner of Canada’s contributions program.

Deep packet inspection is a technology that facilitates a heightened awareness of what is flowing across ISP networks. It has the ability to determine the protocols responsible for shuttling information to and from the Internet, the applications that are used in transmitting the data, and (in test conditions) can even extract elements of data from the application layer of the data traffic in real time and compare it against other packet signatures to block particular data flows based on the content being accessed. Additionally, the technology can be used to modify packet flows using the technology – something done by Rogers – but it should be noted that DPI is not presently used to prevent Canadians from accessing particular content on the web, nor is it stopping them from using P2P services to download copywritten works.

The website was developed so that Canadians can easily, and quickly, learn whether their ISP uses this technology and, if so, how it is used to survey data traffic and the motivations and limitations of such surveillance. The project, and associated web space, has five elements composing its mandate:

1. To develop the largest publicly accessible repository of information concerning the use of DPI in Canada;
2. To explain to Canadians in non-technical language whether and how their ISP uses DPI technologies;
3. To provide regular analyses of current uses of dPI in Canada, as well as abroad when relevant;
4. To facilitate discourse about DPI technologies amongst Canadians;
5. To provide research and analyses of DPI technologies that could be used by government agencies, including privacy and information commissioners.

Presently, we have loaded the website with information about Canada’s largest ISPs – the Bells, Rogers, Cogecos, and so forth – and are beginning to gather and input information about small- and mid-sized ISPs. This present collation of data is the ’stage two’ of our research, and stage three will see us gather information from university networks to try and identify how Canada’s post-secondary educations system is (or is not) surveyed and mediating academic data traffic.

I would invite all of my readers to take a look at the site, and provide feedback. This is seen as a community-informed project; without the community Colin and I stand as two researchers, but with the community our blind spots and areas of ignorance can be revealed and addressed.

Other posts you might be interested in:

1. Draft: What’s Driving Deep Packet Inspection in Canada?
2. Office of the Privacy Commissioner of Canada Reveals their Deep Packet Inspection Website
3. Deep Packet Inspection and the Confluence of Privacy Regimes

As part of an early bit of thinking on this, I want to direct our attention to Canada, the United States, and the United Kingdom to start framing how these jurisdictions are approaching the use of DPI. In the process, I will make the claim that Canada’s recent CRTC ruling on the use of the technology appears to be more and more progressive in light of recent decisions in the US and the likelihood of the UK’s Digital Economy Bill (DEB) becoming law. Up front I should note that while I think that Canada can be read as ‘progressive’ on the network neutrality front, this shouldn’t suggest that either the CRTC or parliament have done enough: further clarity into the practices of ISPs, additional insight into the technologies they use, and an ongoing discussion of traffic management systems are needed in Canada. Canadian communications increasingly pass through IP networks and as a result our communications infrastructure should be seen as important as defence, education, and health care, each of which are tied to their own critical infrastructures but connected to one another and enabled through digital communications systems. Digital infrastructures draw together the fibres connecting the Canadian people, Canadian business, and Canadian security, and we need to elevate the discussions about this infrastructure to make it a prominent part of the national agenda.

The Canadian Situation

In Canada, there has been a substantial amount of attention directed towards the use of DPI equipment since 2007 when CAIP filed a complaint about Bell’s use of the technology to affect how CAIP customers’ data traffic was being transmitted through Bell’s infrastructure. The result of Bell v. CAIP, and the 2008/9 CRTC investigation into how DPI is used by ISPs more widely, was positive in some lights and devastating in others. Positively, out of the 2008/9 investigation the CRTC asserted:

• the blocking of content is prohibited unless approved by the CRTC;
• when noticeable degradation of service for time sensitive services occurs, then a traffic management system amounts to controlling the content or influencing its meaning. As such, any actions that create such a degradation require approval by the CRTC;
• the CRTC affirmed that it works in a complementary fashion with the Privacy Commissioner of Canada and that telecommunications providers are held to a higher standard than that contained in PIPEDA alone. Critically, not only are primary ISPs prohibited from using data gathered from traffic management for anything other than management actions, but “the Commission directs all primary ISPs, as a condition of providing wholesale services to secondary ISPs, to include, in their service contracts or other arrangements with secondary ISPs, the requirement that the latter not use for other purposes personal information collected for the purposes of traffic management and not disclose such information.”
• economic measures are preferred to technical traffic management processes;
• the delaying of non-time sensitive services (e.g. email, peer-to-peer, FTP, etc) does not require CRTC approval.

Of course, this didn’t forbid ISPs from using DPI – something that was unlikely to happen – but did put strong conditions on what was and was not permissible use of DPI. What remained permissible was that delaying non-time sensitive services (e.g. email, peer-to-peer, FTP, etc) does not require CRTC approval, and wholesale ISPs both remain affected by DPI and can expect to receive a mere 30 to 60 day notification before primary ISPs make material changes that would affect wholesale ISPs. The privacy element of the ruling was reinforced in the Privacy Commissioner of Canada’s ruling on deep packet inspection, which required Bell to note on their website that personal information (i.e. subscriber ID and IP address) was briefly collected (and then quickly discarded) in the ongoing use of DPI. Emergent from the CRTC and OPC’s decisions, we can comfortably say that Canada has a strong set of regulatory bones when it comes to DPI and network neutrality; what’s left is fleshing the bones out, which will hopefully happen over the coming months and years.

The United States of Inspection

As we turn our gaze south of the 49th parallel, we see that DPI has been used in various ‘exploratory’ ways. Arguably, it was the use of DPI for behavioural advertising – by the company NebuAd and various ISP partners – and incredibly disruptive treatment of peer-to-peer filesharing applications that brought the technology into the media more widely. In the former case, NebuAd partnered with ISPs such as Charter to insert a DPI device in the ISPs’ network environments. Once in the network, it was possible for NebuAd to modify data transfers by creating a new packet and forging the IP address and port information to make the packet appear to come from the original source. Thus, if you were being served a packet from Google or Yahoo!, it would still appear to your computer as though it was delivered from a Google or Yahoo! server. The NebuAd system used TCP’s ACK and SEQ system to stop users’ computers from refusing to accept the forged packet.

Contained within this new packet was a bit of javascript that directed users’ computers to collect a cookie from a NebuAd server; this cookie was then used to track users and to subsequently serve ads that were relevant to the user based on their browsing history. Attempts to delete the cookie led to it simply being re-delivered the next time a user browsed somewhere on the ‘net. This behaviour led researcher Robert Topolski to assert that “NebuAd’s code injected into another’s page source is a cross-site exploit (XSS) and the subsequent behavior of loading cookies it normally would not load is a browser hijack. NebuAd accomplishes its XSS by using what is effectively a classic man-in-the-middle attack.”

In light of the damning evidence that ‘consent’ was never genuinely achieved (in at least one ISP’s case, there was a change to their already massive privacy policy to “inform” customers of the new behaviour) NebuAd was very publicly disciplined in front of the House Telecommunications Subcommittee. Congressman Markey asserted that “Simply providing a method for users to opt-out of the program is not the same has asking users to affirmatively agree to participate in the program.” While NebuAd has lost it’s CEO, is now subject to a class action lawsuit, and itself is dead in the water (though has arguably been reincarnated in the UK as Insight Ready), no legislation have been passed to address behavioural advertising using DPI. A Senate Commerce Committee session in September 2008 led to three of the US’s largest ISPs – AT&T, Verizon, and Time Warner – committing to an “affirmative consent” model for behavioural advertising should the ISPs ever adopt such an advertising system, but no Senate action even attempted to legislate a consent-based model. The Federal Trade Commission (FTC) went ’so far’ as to advocate for voluntary self-regulation of the industry. This regulation encompassed the following principles;

1. Transparency and customer control, which maintains that on every website where data is collected for behavioural advertising that customers are informed of this in concise and clear language with the option of choosing whether their information will collected for these purposes.
2. Reasonable security, and limited retention, of consumer data. In essence, this requires companies to secure data in a manner consistent with FTC data security enforcement and only retain data as long as required for legitimate business purposes.
3. Affirmative express consent for material change to existing privacy promises. Critical is that this principle is meant to apply even when the material change is a result of a corporate merger when such a merger modifies the ways in which companies collect, use, and share information.
4. Affirmative express consent to (or prohibition against) using sensitive data for behavioural advertising. This principle does not actually identify what constitutes sensitive information; the FTC sought input into what classes of information should be considered sensitive and whether the collection of such information should be prohibited by regulation instead of by customer choice.

In the case of using DPI for network management purposes, Comcast was found using TCP RST packets to intentionally disrupt peer-to-peer filesharing programs that were accounting for substantial amounts of data traffic along their networks. The stated issue with the programs was that they generated high levels of congestion; in effect, this meant that a large number of customers’ packets were regularly being dropped as Comcast routers struggled to keep pace with the high levels of peer-to-peer traffic. While at one point the company maintained that it only used RST packets during periods of high congestion, it ultimately admitted that their RST-based system was triggered regardless of overall network congestion and at all times of they day.

As a result of Comcast’s use of DPI to target particular applications and application-types the FCC issued an order requiring the ISP to stop their particular mode of network management using their ancillary authority, or authority that implicitly is derived from past judicial rulings, policy contours, congressional mandate, and telecommunications act. Specifically, the FCC required Comcast to;

1. Reveal the “precise contours” of its network management practices, including the types of equipment used, when they came into use, how they were configured, and where they have been deployed.
2. Come up with a compliance plan complete with benchmarks that explains how Comcast will move “from discriminatory to nondiscriminatory network management practices by the end of the year.”
3. Publicly disclose the details of its new practices, “including the thresholds that will trigger any limits on customers’ access to bandwidth.”

The FCC decision was met with two responses from Comcast. First, the company adopted a protocol agnostic solution to dealing with high-bandwidth usage. This saw them move from using deep packet inspection – which examines the payload of data packets – to shallow packet inspection that is (relatively) limited to examining header information. Under the revised approach, where it is evidenced that consumers are engaged in high-bandwidth activities for 15 minutes or longer they have their packets reclassified to “best effort” from the default “priority best effort”.

Second, the company took the FCC to court, arguing that the FCC had exceeded their authority in determining how the corporation can manage their networks. The courts recently returned with a decision, and it was in Comcast’s favor: the FCC’s order that Comcast stop issuing RST packets using DPI equipment is now invalidated on the basis that the FCC decision exceeded their authority. This sends a message that American telecommunications carriers can use equipment, as they perceive needed, to manage their networks and such usage includes mobilizing DPI to invade and disrupt customers’ packet stream. It remains to be seen how this will affect the differentiation between facilities-based VoIP services that Comcast provides and the (apparent) degradation of non-facilities based VoIP services (e.g. Skype) when network congestion occurs: does the FCC have the right to require equal treatment of these types of service? This will be an interesting matter to see unfold in light of the Court’s decision today. It will similarly be interesting to see if, after the decision, ISPs actually use RST packets to disrupt particular traffic flows or instead avoid this approach given the negative press this technique attracted.

So, where does this all leave the US in comparison to Canada? It means that non-regulated processes are exclusively meant to limit the use of behavioural advertising – but, as demonstrated by Chris Soghoian’s work such self-regulation is practically non-regulation in the advertising business - and that the traffic management questions linger in the air. ISPs in the US managed to get a bit more freedom from the FCC with the decision favouring Comcast, and the FTC has been unwilling to strongly regulate ISPs’ uses of DPI. Thus, the American reality stands in stark contrast to Canada: Canadians have a skeleton of regulated guidelines that ISPs are required to adhere to, whereas the US remains a relatively unregulated market for DPI.

A Note on the UK

I’m not a European telecommunication scholar, and so don’t want to make broad statements about Europe, but am slightly more aware of the UK situation. As such, I’ll limit discussions of Europe to the UK.

Behavioural advertising and content management are key issues facing the UK citizenry. In the former’s case, Phorm has been the UK’s NebuAd and partnered with various prominent ISPs to provide an advertising service. The company’s use of DPI was perhaps even more egregious than in NebuAd’s case, insofar as Phorm’s use involves a series of 307 redirects that result in a cookie being placed on a customer’s computer for tracking and advertising purposes (a great technical analysis of Phorm’s system has been performed by Richard Clayton). Most significantly, Phorm forges the cookie so that it appears to come from the originating website, rather than the Phorm system; under this system you receive a cookie that appears to legitimately come from cnn.com when browsing to that website even though it comes from Phorm. Activists came together and have continuously put pressure on Phorm – often arguing that it’s actions are in violation of of the Regulation of Investigatory Powers Act – and the EU Commission is presently bearing down on the UK for its failure to address the privacy-related concerns accompanying this instantiation of behavioural advertising. (Perhaps in response, we now see Phorm scurrying to Brasil – will Brasilian activists take a stand against the company as UK citizens have?)

The content management issue has come up most recently in the form of the Digital Economy Bill (DEB), where there is a real possibility that ISPs will be required to act as a third-party in disputes between rights holders and those who are accused of infringing on holders’ copyrights. ISPs will be required to work against their own customers, insofar as repeat copyright infringers will be subject to some form of traffic throttling. Whether this involves the use of deep packet inspection, or other technological measures, isn’t entirely clear from the bill but many ISPs in the UK are violently opposed to redeveloping their network architecture to shield the copyright industries’ business models. The DEB, as presently written, makes it unclear what ISPs will actually be required to do, but rights holders seem to favor the inspection or analysis of data traffic, an approach to managing data that might lead to content discrimination or an extension of the already functioning discrimination against particular applications and application-types. From my own research perspective, it will be interesting to see if there is an expansion of the uses of CView on the Virgin network should the DEB be realized as law, and whether the EU would step in if enforcing the DEB results in egregious violations of privacy.

It must be recognized that UK ISPs, like their Canadian counterparts, are actively engaged in throttling particular applications and application-types during peak usage times to mitigate network congestion. Orange UK, as an example, throttles what they term ‘dirty’ protocols – those which “consume as much of the available bandwidth that is available”, with the rejoinder that if the ISP gives such protocols and their associated applications an inch they will try to “take a mile”. Orange, of course, is not exceptional: both BT and Virgin also have traffic management policies, as do most other UK ISPs that I’ve studied.

So, where does this leave the UK in contrast to the Canadian regulatory position on deep packet inspection, and content management more broadly? It remains questionable whether the EU will permit behavioural advertising that is based around DPI equipment, but the UK government itself has not come out against the technology in any meaningful way. In Canada, any use of DPI for behavioural advertising runs up against both the CRTC and OPC. UK ISPs are permitted to use traffic management systems, many of which, I suspect (though haven’t done the research yet to demonstrate), utilize systems that are similar to those in North America. Regardless, UK ISPs, like their Canadian counterparts, are involved in choosing the winning applications and application-types for content delivery though are potentially faced with the possibility of having to soon filter particular content. Canadian ISPs have repeatedly stated that they have no desire to filter content for technical, privacy, and business reasons, and it doesn’t look like a Canadian equivalent of the DEB is coming down the pipeline for a while. Unlike efforts such as Comcast’s, where traffic management is protocol agnostic, we see some Canadian and UK ISPs targeting particular methods of content delivery as clean or ‘dirty.’ Ultimately, Canadian and UK ISPs are similar in their respective approaches to traffic management but differ in respect to both behavioural advertising and (possibly) content filtering.

Network Neutrality in a Western Context?

We began with a note on network neutrality, and it seems appropriate to close on one as well. I firmly believe that network operators need to be able to manage their network in a manner that is transparent to the public, effective, and efficient. This may indeed require the implementation and use of technologies such as deep packet inspection. I would hasten to note that not all DPI is created equally; some excel at analyzing content by extracting and matching content signatures, but others are predominantly marketed and used as security appliances, and yet others for subscriber billing. Instead of resisting DPI as a broad technology, we need to focus on opposing some applications of the technology while praising others. While I’m not making an argument that DPI is a ‘neutral’ technology – it’s a surveillance technology with elements of control embedded into it – I do want to suggest that not all surveillance, not all applications of control, are inherently bad. Parents carry baby monitors with them – monitors that have surveillance as a key value embedded into their design – and this is a benign, if not positive, application of surveillance. We need to be mindful and on the watch for damaging surveillance and hindering acts of control while recognizing that some surveillance, some control, is good and required for a functioning contemporary Internet.

In light of my willingness to accept the value of DPI in network environments, I see a stanch opposition to ‘network intelligence’ as considerably far of the mark. Networks are intelligent, and there is nothing wrong with intelligence so long as it is used in a manner that is clearly beneficial for customers, with legislation and regulations precluding the application of network intelligence for negative purposes. Gaining customer acceptance may require transparency on the part of vendors and ISP’s alike; vendors to explain what their technology does and offer ‘virtual tests’ of the technology as is done with some consumer routers, and ISPs to explain why and how they have deployed the equipment. As awareness of how the network is intelligent spreads it is possible to engage is a more substantive discussion about the nature of contemporary networks, the challenges perceived by customers, civil advocates, and network operators. As it stands we are regularly subjected to near-dogmatic language from either camp – network neutrality is a meaningless slogan vs. smart networks are the death of the Internet – that is arguably misleading and polemic.

Given the different regulatory environments, we cannot expect supporters of network neutrality to adopt similar language in their advocacy – RIPA is clearly something that doesn’t enter North American debates, whereas different wiretapping laws and consumer protections are drawn on in American cases, and Canada regularly sees the language of privacy and consumer rights presented by its advocates – but this shouldn’t prevent researchers and other interested parties from identifying common advocacy principles to see what does and does not work. Further, any such comparative project ought to try and identify differences that arise when there is greater transparency (either required by regulation or performed on a voluntary basis) surrounding the development, deployment, and usage of the technologies. This would (and, in Canada, did) enable advocates to more clearly articulate their messages while also alleviating some of the concerns that emerge when our communications systems are mediated by an unknown technical power, in unknown manners, for less than clear corporate means.

Citizens of Canada, the US, and UK need to understand how their communications are regulated and have a clear and valued voice in shaping the structure of their communications systems; citizens along with government and business, as opposed to business and deep packet inspection alone, must be responsible for choosing the ‘winning’ applications that facilitate digital communications across the Internet.

Other posts you might be interested in:

1. Background to North American Politics of Deep Packet Inspection
2. Draft: What’s Driving Deep Packet Inspection in Canada?
3. Draft – Deep Packet Inspection: Privacy, Mash-ups, and Dignities

The COUNTER project is a European research project exploring the consumption of counterfeit and pirated leisure goods. It has a series of primary research domains, including: (1) frequency and distribution of counterfeits; (2) consumer attitudes to counterfeit and pirated goods; (3) legal and ethical frameworks for intellectual property; (4) policy options for engaging with consumers of counterfeit; (5) the use of copyrighted goods for the creation of new cultural artifacts; (6) impacts of counterfeiting and control of intellectual property.

What quickly became evident in the course of conference presentations was that there was a relative dearth of reasonable, well-articulated, and non-partisan work devoted to unearthing empirical data about how consumers engage with ‘illegitimate’ sources of content prior to the COUNTER researchers beginning their European data collection. Even where legitimate data sources existed (e.g. OECD data on counterfeit goods) there was rarely a common standard for gathering and archiving that data (e.g. do you measure counterfeit items by discrete number of items, number of shipping containers, street value, manufacturer value, etc.). These issues stemming from data collection were noted by the COUNTER Project Coordinator, Dr. Jo Bryce, as well as the representative from the European Union’s Intellectual Property Unit, Phil Lewis. The latter, in particular, noted the importance of establishing observatories that could gather data and statistics about the use and transit of pirated works, information that could subsequently be used to change public perceptions and attitudes to the usage of infringing works. The EU representative, and the parties he has been working with, are particularly interested in preventing infringing content from ever getting to the ‘net in the first place, though stated in response to a question I raised that deep packet inspection is not something that they are presently thinking of including in their observatories. Their unwillingness to use the technology stems from the fact that they might be unable to legally use it for data surveillance and, even they could use it legally, are uncertain that they want to adopt this mode of data collection.

Dr. Bryce identified consumer behaviour as the problem – or, in other words, the driver – of the the trafficking in counterfeit and pirated goods. Partially as a result of the disorganized responses to infringing uses of content, enforcement and education mechanisms alike have been largely ineffective in stemming the traffic of counterfeited goods or illicit trading in copywritten works. Her research found that while consumers tend to adopt various ethical perspectives on why file-sharing is socially acceptable, by educating consumers on the challenges transit of infringing intellectual properties imposes on individuals working in content generation industries it is possible to reduce consumers’ inclination to engage in file sharing. Moreover, her work noted that the content industries have lost a great deal of consumer trust and remain opaque organizations; consumers need to trust and appreciate the bodies generating content if content industries are to develop a positive relationship with their customers. This need for openness and transparency was regularly noted throughout the conference, though some academics and industry representatives alike dismiss the need for a positive relationship to exist between consumers and content production industries.

In a panel on consumer perspectives on downloading, empirically grounded research was provided to express the position of consumers in relation (primarily) to peer-to-peer filesharing. Emergent from the research presented, we found that consumers actually have a decent intuitive understanding of the world of filesharing, insofar as they differentiate between copyright infringement and stealing. Perhaps worryingly, researchers, consumer advocates, and rightsholders alike (and this is true across much of the conference) struggled with notions of enforcing copyright. Precise concerns and solutions varied, but we regularly heard ruminations about methods to impress upon consumers the moral right to copyright, numbers of ‘coercive impacts’ required to adjust behaviour, need to introduce copyright education to parents and into schools, and so forth. As it stands, research showed that most filesharers fail to see their actions in a moral light and are unworried about the possible consequences of being caught. Effective enforcement, members of the content industries and academics alike noted, requires there being a 10% chance of being caught. As it stands today, enforcement techniques are limited by:

• judicial resources;
• lack of clear sanctions;
• failures in educations (i.e. what does/doesn’t constitute infringing use);
• poor marketing campaigns;
• the use of generic, over specific, messages.

Emergent from this session it was evident that a key issue facing rights holders, and the advocates of rights holders, is the cultural and legal differences that impede uniform positions on copyright. In particular, differing nations adopt differing legal positions concerning downloading, uploading, the degree of criminality of file sharing, and so forth. One academic tried to make the boldfaced equation of copyright infringement and theft…it left him in a very hostile room, and arguably weakened the likelihood that his data will be adopted more widely into the literature.

In a panel where industry experts spoke of the harms caused by file sharing and counterfeit goods – damages ranging from 200 million pound a year, to 43 billion Euro lost in 2008, to equations of counterfeit with organized crime – a member of the audience asked: where is this money going? The thrust of the question was that consumers are choosing to allocate their monies to different areas of the economy, and so assertions that any economy was seeing a removal of monies is only true when economic sectors are seen in absolute isolation to one another. The complexity of the copyright environment, and its necessary interelation with a much more substantive socio-economic domain, should require the content industries to engage in holistic surveys if those surveys are to carry weight amongst critical audiences. Members of industry uniformally lacked such holistic surveys.

I sat in a panel on deep packet inspection – the draft of my paper that touches on deep packet inspection as it related to privacy and freedom of expression has been made available – alongside Klaus Mochalski of Ipoque and Paul Polanski, Director of Electronic Publishing for C.H. Beck Publishing. Klaus noted the capacities of Ipoque’s equipment (and inability for DPI to be used for totally effective inline copyright filtering) and Paul the problems surrounding ISP liability that arise when DPI is used for copyright enforcement purposes. Both were excellent speakers, and all three of us recognized the dangers that DPI threatens to pose for essential liberties in constitutional democracies. On a more personal note, it’s moderately disconcerting about speaking to Brits about the value of privacy, and harms of surveillance, and it felt nice to try and articulate the position that constitutional rights are more important than copyright. The latter position, in particular, wasn’t well received by representative of the content industry in the audience, but was certainly something that needed to be said more regularly than emerged over the course of the conference.

Arguably the most heated session I attended was the last session of the conference, the three strikes panel. It drew together academics, an ISP representative, copyright holder advocates, authors, and a member of the Pirate Party. There was an almost all out assault on the controversial sections of the UK’s Digital Economy Bill, with Richard Mollett of BPI (yes, that Richard Mollett) becoming the punching bag of the panel and audience. Mollett is the directory of policy for BPI and was clearly used to working in hostile rooms, but the vitriol was between members of the panel was particularly thick. Vanessa Mortiaux, Senior Legal Counsel for Orange, made very explicit that Orange was entirely against any requirement that ISPs monitor for copyright enforcement. To the detriment of the panel, however, there was almost exclusive focus on the Digital Economy Bill, to the point where the broader issue of three-strikes was largely implicit, rather than explicit.

Overall, the conference was excellent. It drew together academia, industry, and civil society in productive ways, though largely absent were the actual content creators we were so often speaking about. Consumers were (I would suggest) well represented by the consumer groups and large division of the Pirate Party (local UK, Swedish, and EU levels being represented) present at the conference. I was, however, largely disappointed with attempts to shuffle copyright from an economic privilege to a moral right and the commonly espoused unwillingness to think through the potential harms that threaten to follow from further augmentations of copyright ‘protection’. Admittedly this speaks to my own personal interests – I’m insatiably curious about how economic privileges threaten to upset and disembowel constitutional protections given my own academic background – but also to a culture of what might be called ‘copyright blindness’, where copyright blinds us to the larger issues at play in the copyright debates.

Depressingly, it isn’t that my position is unique or shared only by a handful of people; informally most academics and academically-trained people that I spoke with at the conference were in agreement that the potential harms of copyright must be carefully, and seriously, considered. Publicly, however, this worry and accompanying strong language demanding a rethink of the present copyright regime was largely absent from conference presentations. There were only a few strong voices addressing copyright in light of the larger social good, and while they were (arguably) positive beacons it would have been nice to have much of the ‘informal’ consensus be more formally presented to rightsholders and other members of the conference. Having said this, generally the research presented was well-rooted in rigorous methodological techniques, and perhaps this research might be adopted and leveraged by policymakers in their ongoing engagements with copyright, content producers, and the public. My expectations, however, are less positive: I fear that the work of the COUNTER research project will remain sheltered in academia, sequestered from the public, and consequently ineffective in reshaping the copyright debacle in but the most limited of fashions. Hopefully this is a case where academia can successfully puncture the academic/public divide and breech the public policy debate, but I’m not holding my breath.

Other posts you might be interested in:

1. Draft – Deep Packet Inspection: Privacy, Mash-ups, and Dignities
2. Universities Struggle to Cope with Anti-Piracy Requirements
3. Thoughts: P2P and Complicity in Filesharing

This is a draft of the paper that I’ll be presenting at the Counter: Piracy and Counterfeit conference in Manchester in a few days. It’s still rough around some edges, but feels like a substantial piece. Comments, as always, are welcome.

Abstract: Privacy operates as an umbrella-like concept that shelters liberal citizens’ capacity to enjoy the autonomy, secrecy, and liberty, values that are key to citizens enjoying their psychic and civil dignity. As digitisation sweeps through the post-industrial information economy, these same citizens are increasingly sharing and disseminating copywritten files using peer-to-peer file sharing networks. In the face of economic challenges posed by these networks, some members of the recording industries have sought agreements with Internet Service Providers (ISPs) to govern the sharing of copywritten data. In Britain, file-sharing governance has recently manifested in the form of Virgin Media inserting deep packet inspection (DPI) appliances into their network to monitor for levels of infringing files. In this presentation, I argue that ISPs and vendors must demonstrate technical and social transparency over their use of DPI to assuage worries that communications providers are endangering citizens’ psychic and civil dignities. Drawing on recent Canadian regulatory processes concerning Canadian applications of DPI, I suggest that transparency between civil advocacy groups and ISPs and vendors can garner trust required to limit harms to citizens’ psychic dignity. Further, I maintain that using DPI appliances to detect copyright infringement and apply three-strikes proposals unduly threatens citizens’ civil dignities; alternate governance strategies must be adopted to preserve citizens’ civil dignity.

Download paper

Other posts you might be interested in:

1. Draft: What’s Driving Deep Packet Inspection in Canada?
2. Deep Packet Inspection and the Confluence of Privacy Regimes
3. Office of the Privacy Commissioner of Canada Reveals their Deep Packet Inspection Website

I’m composing the beginning of this article to the sounds of Girl Talk’s ‘Like This’ from his Feed the Animals album. His artistic technique is to take very short samples from a variety of artists – twenty-nine samples are taken in the three minutes and twenty-one seconds of ‘Like This’ – and remix the work to create entirely new songs.[i] He isn’t a DJ but a self-described musician of the digital era, and when his work was presented to Marybeth Peters of the US Registrar of Copyrights she recognized that his music was amazing. She also recognized it was likely illegal, and the fact that his own creativity clearly imbued his creations offered no defense against copyright infringement: “You can’t argue your creativity when it’s based on other people’s stuff.”[ii] This position is mirrored by Barry Slotnick, head of the intellectual property litigation group at Loeb & Loeb, who has stated that “[w]hat you can’t do is substitute someone else’s creativity for your own.”[iii] Girl Talk’s work is recognized as amazing and creative, even by defenders and advocates of the present copyright regime, but is still questionably legal (at best). Feed the Animals is a popular album that pulls together anthems of pop culture, and its artist has been used as a defender of copyright reform movements,[iv] but it is only one item in a rapidly developing and emerging ‘mash-up’ culture that draws together existing cultural artifacts to in the creation of a recombinant digital culture.

Rather than stepping into the technical (il)legalities of mash-ups in any depth in this article I engage with mash-ups at a normative level. I aim to construct a normative argument for the cultural value of mash-ups, recognize some issues concerning expressive and cultural dignity that emerge alongside the ubiquitous surveillance and censorship of mash-up data traffic that may be identified as ‘infringing content’, and offer both a practical and a political solution to alleviate surveillance dangers and secure our emerging digital culture. To this end, I first outline the importance of mash-up culture, and then proceed to sketch a set of dignities that citizens in Canada (and other Western countries) should be able to expect in the digital domains they routinely roam in: citizens should be meaningfully able to possess expectations of contextual privacy and engage in civil expressions in domains of digital hybridity. It is with the shift to previously implausible ubiquitous digital surveillance and control systems, such as deep packet inspection, that Western citizens are again forced to worry about their privacy and expressive capacities in communal, rather than merely individual, senses. Accompanying this surveillance and control system is the threat of chilling speech, limitations of civil expression, and infringements on the possibilities of innovation. The technical structures that wait for copyright infringement should not be permitted to threaten innovation, criminalize otherwise routine communication, or undermine cultural development and experimentation without a full and transparent discussion of the costs such infrastructure could pose to the emergence and development of Western cultures, states, and citizenries.

To this end, I argue that there is a need to moderate the legal considerations of copyright, perhaps by adopting a hardware tariff model or developing distinctions in what constitutes infringing use. This will alleviate the demand to use technologies such as deep packet inspection for copyright enforcement, but is insufficient to genuinely alleviate the more general threat to civil dignities posed by these ubiquitous digital surveillance instruments. To better secure civil actors from the threats posed by these instruments there must be increased transparency surrounding digital networks, insofar as both vendors and Internet service providers must be required to disclose to the public, and its civil advocates, the technologies under development/in use, motivations driving development and usage, and modifications that are made to already deployed systems.

Why Mash-Up Matters

The public domain operates as the basis “for our art, our science, and out self-understanding. It is the raw material from which we make new inventions and create new cultural works.”[v] The public domain is from where the majority of our culture emerges from, and in the face of an ever-extending capture of the public domain by the advocates of strong copyright reform mash-up artists and citizens have taken to the ‘net to (re)generate their cultural heritage. Mash-up matters because it’s the beachhead upon which (dominantly) youth are mounting their critiques about the current legal conditions of their cultural existence. Mash-up matters because if the dogs-of-law do not release this mode of cultural formation from their jaws, then the equivalent of the future’s jazz and rock-and-roll will be criminalized, and the electronic culture of the future put in jeopardy. Mash-up matters because it can be read as the exemplar of the praxis of digitality itself.

Digital technology facilitates the engagement with culture in a massive way. Whereas folk and jazz music alike historically saw relatively small groups coming together to ‘remix’, or modify, add, and subtract, pieces of the music, the Internet has given today’s equivalent of folk and jazz musicians a global audience. There is, however, a clear difference between those musicians that used non-digital instruments and those using laptops, Garageband, and electronic keyboards; the former were limited in the acquisition and distribution of cultural artifacts, whereas the globe is the limit for the former. Lawrence Lessig, Paul Virilio, and Matt Mason recognize that there has been a shift in the speed and virtuality of informatic-creation, movement, and communication. In his recent book Remix, Lessig argues that there is a kind of ‘Read-Only’ culture – one where citizens could only purchase and enjoy culture in relatively static ways – and ‘Read-Write’ culture – a cultural situation where citizens modify and freely exchange new cultural creations.[vi] In the former, culture retains its agency by refusing to let the audience engage with the work itself to unlock its creative possibilities. Expensive equipment or highly specialized training was required to take up film, music, and similar ‘technical’ arts to creatively engage with the material itself in a way that directly copied and implicated the content itself in the development of new cultural artifacts. In the latter situation, culture’s agency becomes shared between the artifacts and those engaging with it: culture becomes ‘active’, as it was in the heydays of folk and jazz music.

In his discussion of the globalization of communications networks and the heightening velocities of contemporary technologies, Virilio ominously writes that we understand nothing of the information revolution, nothing of digitality itself, unless we recognize that it “ushers in, in purely cybernetic fashion, the revolution of generalized snooping.”[vii] With the shift toward ever-increasing standardization of the digital ecosystem – manifest in Internet’s technical architecture in the TCP/IP protocol suite, standardized ‘content containers’ such as JPEG, MP3, AVI, and uniform modes of measurement and signature analysis – comes the capacity to monitor, control, and mediate the objects enclosed in such standardized containers. Simultaneously, there is a division of object, a mass multiplication and exponential enumeration of such objects given that “data objects are nothing but the arbitrary drawing of boundaries that appear at the threshold of two articulated protocols.”[viii] Protocol, the medium binding and delivering cultural artifacts, functions as an instrumental or technical addition, as a necessary element of control that rests upon and frames the playful capacities inherent with digital cultural expression. The protocol that facilitates the playful engagements of youth with their culture simultaneously establishes the mesh within which their cultural artifacts can be scanned, probed, analyzed, and censored.

The search for control over intellectual creations maps onto the logic of perfect control annunciated by James Boyle: there is an argument, routinely touted by copyright holders, that the strength of intellectual property rights must vary inversely with the cost of copying to ensure a vibrant for-profit cultural environment. He calls this ‘the Internet Threat’, the stance that “without an increase in private property rights, cheaper copying will eat the heart out of our creative and cultural industries.”[ix] It is (partly) in reaction to the Internet Threat that Mason examines the effects of the rapid development of the digital ecosystem, and digitality’s potential to enable citizens to engage with cultural artifacts new and novel ways. As we will revisit, shortly, it is the Internet Threat that leads deep packet inspection equipment to be purposed to secure intellectual property.

A clear result of the digitization of cultural artifacts has been the near-instantaneous delivery of cultural content to meet the desires of particular individuals. This is most evidently manifest with Napster’s explosion onto the digital scene, which subsequently lead to the branding of filesharers as pirates. Instead of seeing pirates as the doom of culture, Mason asserts that “[p]irates highlight areas where choice doesn’t exist and demand that it does… this mentality transcends media formats, technological changes, and business models.”[x] A component of transitions to digitality, in particular, entail the ability to enjoy and develop culture through ‘remixing’.  Remixing “is about taking something that already exists and redefining it in your own personal creative space, reinterpreting someone else’s work your way . . . It’s about shifting your perception of something and taking in other elements and influences . . . your originality should outshine the borrowed elements, or at the very least, present them in a new light. A good remix adds value to something.”[xi] In the language of generating cultural artifacts, this means that with the emergence of a new set of tools (cheap, yet technically sophisticated computer software and accompanying cheap, yet powerful, computer hardware) and new communications mediums that realign ‘personal creative space’ with YouTube, the youth of today have begun ‘editing out’ their own cultural commons. The challenge they face can be put thusly: the public domain and the relative anonymity provided in a world of analogue search-and-lawsuit practices are being dissolved in the face of legally driven protocological conflict. Without access to the public domain, without access to anonymity, youth and other participants in recombinant digital culture are under legally sanctioned siege, a siege that is criminalizing an outrageous percentage of the population.

To summarize, mash-ups matter because they can be seen as the resurgence of the past, of a time where individuals could take up and share the cultural artifacts they were immersed in. Mash-ups, in their massively available form, are presently made possible through the usage of contemporary computer systems; the systems of simulation that can be used to play video games, listen to music, and display YouTube videos are the same systems that encourage cultural generativity and massive instances of self-expression. Code can be, and is, taken from disparate sources, tinkered with, and subsequently emitted to the Web. This is an example of mash-up culture. Various musical albums that span various genres are recombined in fits of creativity to generate new conditions for cultural possibility. This constitutes a mash-up. Citizens draw pieces of video from music videos, news, advertisements, and government announcements to inscribe their own social, political, or banal commentary on the actions of the day. This too, is part of mash-up culture. Each of these three elements (of many more!) of mash-up culture play a role in defining how the digital generation will engage with their world; this generation has moved well beyond the recombination of words in blogging, to the recombination of the audio-visual facets of culture to transmute sterile corporate cultural artifacts into invigorated and vibrate artifacts endowed with cultural meaningfulness and life.[xii]

Next Section: As We Walk Into the Valley of the Shadow of Surveillance…

[ii] RIP A Manifesto, at http://www.nfb.ca/film/rip_a_remix_manifesto/

[iii] Steal This Hook? D.J. Skirts Copyright Law by Robert Levine, August 6, 2008. New York Times. Link: http://www.nytimes.com/2008/08/07/arts/music/07girl.html?pagewanted=2&_r=1

[iv] Pennsylvania Congressman Mike Doyle – member of the Subcommittee on Commications, Technology, and the Internet – has spoken highly of Greg Gillis (aka Girl Talk) in Congressional hearings. For more, see: http://www.rollingstone.com/rockdaily/index.php/2007/04/27/why-one-congressman-wants-you-to-borrow-more-music/

[v] Boyle, James. (2008). The Public Domain: Enclosing the Commons of the Mind. P 39.

[vi] Lessig, Lawrence. (2008). Remix: Making Art and Commerce Thrive in the Hybrid Economy.

[vii] Virilio, Paul. (2005). The Information Bomb. P. 62. Emphasis from text.

[viii] Galloway, Alexander. (2004). Protocol: How Control Exists After Decentalization. P 54.

[ix] Boyle, p. 60.

[x] Mason, Matt. (2008). The Pirate’s Dilemma: How Youth Culture is Reinventing Capitalism. P. 46

[xi] Mason, Matt. (2008). The Pirate’s Dilemma: How Youth Culture is Reinventing Capitalism. Pgs. 71, 81, and 83. Emphasis added.

[xii] Something about Adorno and the culture industry

Other posts you might be interested in:

1. Draft – Deep Packet Inspection: Privacy, Mash-ups, and Dignities
2. The Role of Digital Surveillance in Stopping the Past’s Rebirth
3. Will Copyright Kill eHealth?

The result of the wireless competition in Canada is this: Canadians actually enjoy pretty fast wireless networks. We can certainly complain about the high costs of such networks, about the conditions under which wireless spectrum was purchased and is used, and so forth, but the fact is that pretty impressive wireless networks exist…for Canadians with cash. As any network operator knows, however, speed is only part of the equation; it’s just as important to have sufficient data provisioning so your user base can genuinely take advantage of the network. It’s partially on the grounds of data provisioning that we’re seeing vendors develop and offer deep packet inspection (DPI) appliances for the mobile environment.

I think that provisioning is the trojan horse, however, and that DPI is really being presented by vendors as a solution to a pair of ‘authentic’ issues: first, the need to improve customer billing, and second, to efficiently participate in the advertising and marketing ecosystem. I would suggest that ‘congestion management’, right now, is more of a spectre-like issue than an authentic concern (and get into defending that claim, in just a moment). Before diving into this issue, however, I want to be up front with you: much of what I’m going to be referencing in this post is from last year (2009) because I’ve had a pile of stuff I’ve meant to write about but haven’t had the time until recently.[1] I don’t think that this invalidates what I’m writing, but think that you deserve to know ‘when’ quite a few of the links will lead to.

Let’s begin with the issue of mobile ‘data hogs’. Last December, AT&T started making noises that iPhone users were ‘data hogs’ and some kind of extended monetization strategy was required. An economic solution was preferred on the basis that (a) it would generate revenue for AT&T; (b) economics are typically seen as a stellar way of dissuading popular use of expensive new and emerging technologies. In AT&T’s specific case, of course, there were questions about the degree of actual mobile 3G investment but, more significantly, the question of whether ‘data hogs’ were actually the problem.

You see, contemporary smart phones, such as the iPhone, iterations of Android, and Palm Pre, have been designed to maximize their battery life. Unfortunately, this life creates enormous problems for cellular towers. From Ars Technica, we find that:

… the iPhone uses more power saving features than previous smartphone designs. Most devices that use data do so in short bursts—a couple e-mails here, a tweet there, downloading a voicemail message, etc. Normally, devices that access the data network use an idling state that maintains the open data channel between the device and the network. However, to squeeze even more battery life from the iPhone, Apple configured the radio to simply drop the data connection as soon as any requested data is received. When the iPhone needs more data, it has to set up a new data connection.

The result is more efficient use of the battery, but it can cause problems with the signaling channels used to set up connections between a device and a cell node. Cell nodes use signaling channels to set up the data connection, as well as signaling phone calls, SMS messages, voicemails, and more. When enough iPhones are in a particular area, these signaling channels can become overloaded—there simply aren’t enough to handle all the data requests along with all the calls and messages.

In essence, the issue of congestion at cellular towards may not be a result of ‘data hogs’ but a consequence of how smart phones are being engineered; the backhaul networks are in fine shape, but the particular towers are being overwhelmed. (We might have a discussion/debate on the condition of middle-mile backhaul, but I’m less familiar with those stats so I’m leaving them out.) In the US, let’s not forget that areas with high penetration of smart phones like the Eastern and Western seaboard cities are also home to (a) expensive real-estate; (b) people who oppose the development of large cellular towers in their neighbourhoods (often out of fear of depreciating that expensive real-estate). The first condition means that there is an economic challenge to building towers, and the latter focuses on civil resistance to development that could better balance the ’smart phone load’. In what I’ve read about deep packet inspection in the mobile market, DPI doesn’t alleviate this kind of problem – it doesn’t ‘correct’ of battery-saving engineering – but where the appliances can be installed under the guise of data hogs they could subsequently be used for (vendor stated) purposes of billing and service differentiation/provision.

At last year’s Canadian Telecom Summit, various vendors and sessions discussed the need to have better customer transparency to ‘improve the customer-service provider relationship’. In essence, they were really describing a desire to develop ‘insight’ into what customers do on mobile and wireline networks to better monetize those relationships, and in almost all cases the same vendors and speakers acknowledged the need to deal with the ‘creepy feeling’ that comes with using DPI and related surveillance architecture for pico-marketing purposes. Few had clear solutions to this, what is arguably the most significant PR issue that limits ISPs’ expansive uses of DPI for profit generation in the wireline and wireless environments.

It’s significant that the only really pressing statement about needing to efficiently manage bandwidth and spectrum came from RIM’s Mike Lazaridis. He was very concerned with actual mobile data usage, and at no point was traffic shaping or monitoring a ’solution’: improved data compression techniques were the focus of his talk. Here, we had a smartphone vendor focusing on data efficiency itself instead of advocating for traffic shaping and analysis innovation. This strikes me as being very ‘forward thinking’, insofar as it tries to address the underlying issue of data growth instead of trying to find (what I see as) a bandage solution to limit and subsequently monetize this growth. Don’t stop people from using wireless, but learn how to transmit and receive it in a very efficient manner to deliver a solution that customers actually want!

However, it’s important that we not lose sight of the fact that DPI isn’t exclusively intended for traffic management but also to extend vision into the data stream – a data stream, I might add, that unless encrypted is almost entirely public facing. The drive to this transparency is confirmed by Allot Communications’ Cam Cullen, who last year noted that,

[t]he stats and visibility that DPI provides at the access and applications layer lets mobile operators build better service plans for congestion control and feed that data into mobile billing systems to support things like roaming and advice of charge.

To begin: data transparency can facilitate improved service offerings and let network providers more intelligently expand and develop their networks. You can learn what parties you might want to approach about setting up content delivery networks, what the trends in data usage are, and so forth. All of this can be invaluable in making the hard decisions of what to invest in, where, and why.

It is the potentialities of price, service, and customer discrimination that worry both PIAC and doctoral student Fenwick McKelvey. Having spoken with representatives of PIAC, the worry is that any such discrimination will generate inefficient economic situations for customers – they’ll pay higher costs, for less – and McKelvey similarly questions the fairness of any such differentiations. As I’ve understood McKelvey’s position, DPI facilitates an artificial differentiation based on economics rather than efficiency: you charge more for streaming video because it’s profitable, not because the economics of charging for streaming video improve the network situation.

I would suggest that it is a combination of DPI’s bad press, and the kinds of stories that would be generated if telecommunications providers stated they were using DPI for billing reasons, that billing isn’t a public-facing explanation ISPs present for introducing DPI into the mobile environment. I would, however, assert that billing and advertising are key motivating factors: the former allegation based on vendor statements and the latter based on less-public vendor statements and ISP discussions I’ve been privy to.

Even after all of this, there is a question of ’so what?’

Where DPI and other traffic management solutions are publicly deployed to attend to a particular area of the telecommunications companies’ business (e.g. bandwidth management, customer billing, tiering service) it strikes me as dishonest to subtly extend them into other areas of the business without first, very publicly, alerting both customers and appropriate regulatory bodies. In the case of advertising, Canadian ISPs are expected to report to the OPC and CRTC if they ever decide to use DPI for advertising or discrete user-history analysis, but the same ISPs arguably have to meet a low bar to meet the OPC’s disclosure requirements concerning their actual uses of DPI.

Far more significantly, whereas the CRTC has maintained a hands-off approach to regulating wireless – and thus implicitly permitted discrimination in the wireless environment – that might be changing. In the forthcoming hearings in October and November entitled “Proceeding to review access to basic telecommunications services and other matters” we might see the beginning of an anti-discrimination regulatory framework that would address the economics of cellular service. The CRTC has been dropping ‘wireless’ into more regulatory hearing documents recently, which may suggest a transition away from their general forbearance approach and, if so, I expect that the work performed by PIAC and others will be leveraged to try and establish a policy of non-discrimination in the Canadian mobile market. Any such regulation will likely have a very real impact on the permissibility and conditions of deploying DPI appliances in mobile networks, as well as publicly lay bare whether any Canadian ISPs are interested in, or already moving to implement, mobile traffic management facilitated by DPI appliances. If last year was the year of wireline network management/neutrality in Canada, we might get lucky and see this one as the transition year that leads to a public discussion about Canadian telecommunications companies’ wireless network management/neutrality practices, with discrimination as the focal topic.

*********

[1] For the past eight or nine months I’ve been preparing for and writing doctoral candidacy exams. The last exam was recently concluded, leaving me with the new title of ‘Doctoral Candidate’ and time to get back to what I love: network analysis, surveillance, and digital privacy!

Other posts you might be interested in:

1. Background to North American Politics of Deep Packet Inspection
2. Choosing Winners with Deep Packet Inspection
3. Draft: What’s Driving Deep Packet Inspection in Canada?

The Iranian government quickly recognized the power of cheap social coordination technologies and, in response, drastically reduced the capacity of national Internet links – the government, in effect, closed the nation’s Internet faucet, which greatly reduced how quickly data could be transmitted to, and received from, the ‘net as a whole. This claim is substantiated by Arbor Networks’ (Internet) border reports, which demonstrate how, immediately after the presidential election, there was a plummet in the data traffic entering and exiting the nation. (It should be noted that Arbor is a prominent supplier of Deep Packet Inspection equipment.)

Prior to trying to dispel the Fear, Uncertainty, and Doubt (FUD) surrounding the contemporary Iranian ISP-surveillance system that is regularly propagated by the media, I need to give a bit of context on the telecommunications structure in Iran.

The Composition of Iranian Telecommunications

As in Western nation-states, there are a series of ISPs that Iranians can select to receive Internet. The catch is that all data traffic has to pass through the state controlled infrastructure of the Telecommunications Company of Iran (TCI). Household connections have a data-transfer ceiling: in the 2006 Ministry of Communications and Information Technology (MCIT) issued an order that forbade ISPs from providing Internet connectivity to households and public access points that exceeded 128 kilobytes/second. To put this in perspective for Canadians (and others in North America), Bell Canada’s slowest service plan is for up to 256 kilobytes/second (i.e. a 2 Mbps connection). Universities and private businesses in Iran can obtain high-speed access, though as a result of capping residential speeds there has been a substantial reduction in fibre-deployment (and increases in broadband speed), which was rapidly expanding from 2005 – 2007.

The limitation of bandwidth speeds was likely meant to hinder (as opposed to prevent) access to rich-format alternate media sources available on the ‘net (e.g. YouTube, media-heavy websites, etc); when it takes ten minutes to load a BBC broadcast, you go somewhere else to get news instead. The benefit of this strategy is that the government could escape claims that they were censoring content:  it was just delayed, and who minds waiting another few minutes for something they really care about?

Fear, Uncertainty, and Doubt and Iranian Digital Surveillance

The Wall Street Journal (WSJ) ran a piece last summer that accused Iranian officials of using Deep Packet Inspection (DPI) equipment purchased from Nokia-Siemens to survey and censor content. The Journal’s assertions were subsequently picked up by major media sources, and the blogosphere along with reputable journalism sites continue to reinforce the position of the WSJ. The problem, of course, is that that to date there has been little to no reputable reinforcement of the WSJ’s initial claim, and Nokia-Siemens has openly refuted the allegations.

The WSJ asserted that, “[e]very digitized packet of online data is deconstructed, examined for keywords and reconstructed within milliseconds. In Iran’s case, this is done for the entire country at a single choke point, according to networking engineers familiar with the country’s system.” Moreover,  ”Iran is “now drilling into what the population is trying to say,” said Bradley Anstis, director of technical strategy with Marshal8e6 Inc., an Internet security company in Orange, Calif. He and other experts interviewed have examined Internet traffic flows in and out of Iran that show characteristics of content inspection, among other measures.”

After the WSJ piece ran David Isenberg, Mark Hopkins, myself separately found fault with various elements of the story as reported. In summary, we argued that:

• tests for detecting DPI, presently, do not exist;
• Marshal8e6 is a spam/phishing company; there is no reason why they would have any particular insight into DPI, and a look at their website shows that their core business competencies are not in DPI-related activities;
• there is no evidence that the Iranian system uses DPI – all we really have is a lone, anonymous, engineer saying that everything is examined for keywords. Keep this point in mind, as we’ll be getting back to it;
• the WSJ’s primary source, Ben Roome over at Nokia-Siemens, maintains that the company sold only mobile technology capable of lawful access and did not sell DPI equipment. Further, Nokia-Siemens has actually exited the intelligence market, as recognized in the WSJ article.
• it is, quite simply, easier to leverage existing infrastructure rather than import and embed DPI appliances in an already functioning surveillance environment

It’s key to note before getting into the next section that neither myself nor Isenberg are making the claim that DPI isn’t in use, but instead that there is no clear reason to assume that Iranian authorities have incorporated DPI into their arsenal of surveillance technologies (Hopkins is making the full move to state DPI isn’t being used). DPI is expensive to install, and massive inspection comes with a substantial computational and other technical overheads – it’s for this reason that most DPI devices inspect elements of packet streams rather than streams in their entirety when they must be inspected in real-time. To use DPI for full-stream analysis when there are better tools for the job that already are built and running would be mind numbingly stupid, and we have no reason to believe that Iranian IT admins are stupid people.

The Composition of ISP Surveillance in Iran

A very good report on the status of Internet surveillance in Iran was released by ICTRC in 2005, and it’s nicely supplemented by the OpenNet Initiative’s (ONI) report on Iran. From these, we learn that the Iranian government  uses a series of techniques to filter and censor the ‘net. They include:

• the use of SmartFilter (which blocks particular websites and content) by all ISPs. The Telecommunications Company of Iran (TCI) itself has reassumed the role of centralized filtering from the ISPs, according to ONI, though some Iranians still see the old ‘access denied’ images that are branded by their ISP. ONI’s findings suggest that the technical difficulties of centralized filtering, identified in the ICTRC report, have likely been overcome.
• New ‘block sites’ are added to the ever-expanding list of blocked websites, many of which are aimed at countering ‘immoral’ inclinations or limiting dissident political communication.
• Internet ports are regularly closed by ISPs in accordance with government edicts. These ports are used to access proxy servers, such as TOR, which give Iranians access to the uncensored Internet.
• Prior to data exiting the Iranian telecom environment and entering the global Internet, all requests are passed through proxy servers that permit keyword filtering. Web searches containing particular words may be blocked, and because content is passing through proxy servers there is the possibility of monitoring all unencrypted  traffic, including chat conversations, email, and web browsing.

In the WSJ article an anonymous engineer stated that “We didn’t know they could do this much … Now we know they have powerful things that let them do very complex tracking on the network.” While the WSJ alleges that this is a reference to DPI, I would suggest that the engineer is probably referring to the Iranian government having backtracked on stated uses of their proxy-based surveillance architecture. You see, in 2006 the Communication and Information Technology Ministry announced that their surveillance apparatus:

…would block access to unauthorized websites, identify Internet users, and keep a record of the sites they visit. The system administrator would have access to this information.

The ministry subsequently denied that the filtering facility could identify users and track their browsing habits, and it stressed that it only wants to block access to pornography. There also were acknowledgements that the previous methodology was imperfect, and a “filtering databank” would be more precise and make fewer mistakes.

Given this broader context, from 2006, engineer’s statement – that they hadn’t thought the government’s apparatus was designed to massively identify users and record visited sites – makes quite a bit of sense; he didn’t know that the government had adjusted how they were using infrastructure already known to exist. If you recall, the engineer had made a reference ‘keyword filtering’, and it only requires a proxy to analyze text. DPI is not required. Further, when Marshal8e6 Inc. referred to content analysis having been performed, the corporation might have been referring to the proxy-based keyword analysis and not DPI surveillance. Given that an already impressive surveillance infrastructure utilizing proxy-based servers has existed for several years now, and is capable of the filtering being witnessed today, it’s unclear how the present monitoring of digital communications requires, or indicates the use of, DPI appliances. On the basis that sources for the article can easily be read as referring to already known t0 exist surveillance systems their statements shouldn’t be used to support the WSJ’s claim that Iran is using DPI, but that the proxy-system is more impressive than previously thought. The latter is an entirely reasonable claim; the former outlandish and requiring substantial reporting to guarantee accuracy.

Intelligence Through Social Networks

Given the supposition that DPI isn’t being used for surveillance purposes in Iran right now one might ask: how is it, then, that seemingly cautious protestors and organizers who practice ’safe computing’ (i.e. encrypt their data traffic) get caught? In response, I would suggest that rather than focusing on ‘how they broke the encryption’ there needs to be a focus on ‘where they find, and how did they exploit, weak links in the network?’

If just one person transmitted unencrypted data and compromised organizers’ names, then the authorities would have a place to start their investigations. Alternately, if someone in Iran routinely encrypts most of their data traffic they likely rise to the attention of network administrators. Administrators could very easily be under orders to pay attention to any non-encrypted data traffic that such persons of attention transmit to the ‘net, in the hopes of gaining content-based insight into what the encryption-user might be doing, saying, or who they are speaking with online. Moreover, even if you’re sending encrypted email to protect yourself against proxy-based traffic analysis, if your email is stored on an Iranian ISP’s server then the messages are unlikely to be secure when ‘at rest’ on the server itself. Protecting the data in transit isn’t sufficient when you can’t trust your ISP. Finally, there are reports of officer’s seizing people’s laptops, but occasionally leaving the people themselves alone, again negating the value of encrypted data transmissions if data at rest on the computers isn’t similarly secured.

There is often far more to gain in developing social profiles of people and their related associates than on combing through all the data collected of every person; the situation with the Christmas Day bomber last year demonstrates that an excess of particular information, and failure to develop a comprehensive network intelligence system that identifies key threats, is a critical limitation. Without a system that identifies possible ‘persons of interest’ agencies are limited in their abilities to target the ‘right’ person. In developing relationships of people, it is possible to create profiles and map out who is who in vast networks. With the potential to use social demographics to identify ‘key’ figures in any social organization the ‘danger’ in broadcasting oneself through Twitter, Facebook, or other social media environment arises from facilitating network-level intelligence: Who are the key broadcasters and rebroadcasters of messages? Who generates ideas that are rapidly disseminated through the population? Who are the (largely) passive listeners? The last group is probably non-deserving of immediate persecution, but they will be motivated to identify and listen to the first two groups. Thus, if you just watch to see who the ‘passives’ are almost all listening to, you can pick out ‘key’ members of any revolution that target them, weakening or extinguishing the winds of change. The weakest link in a revolution need not be the leaders, but can come from nuanced social profiling, and the Web 2.0 world arguably facilitates such social profiling in ways beyond even that Stasi’s wildest dreams.

Does this mean that even more advanced systems of digital analysis and aggregation won’t be deployed to identify particular patterns of communication in Iran? No. Does what I (or anyone else, for that matter) have definitely written prove that DPI technologies aren’t being used in Iran? No. What I have done, however, is suggest that existing proxy-based surveillance infrastructure can be leveraged in a manner that explains present censorship and content-blocking practices in Iran, and that traditional intelligence gathering processes are likely just being modernized for the social media world. Neither the preexisting surveillance and censorship, nor the intelligence gathering, requires DPI. In light of the evidence and argumentation I have offered, we ought to leverage Occam’s razor to conclude that proxy-based analysis, not DPI-facilitated surveillance, should be the focus of responsible attention to Iranian ISP surveillance practices.

Other posts you might be interested in:

1. Iran, Traffic Analysis, and Deep Packet Inspection
2. Deep Packet Inspection Canada
3. Virgin Media to Monitor Copyright Infringement