Image by David Clow

Rogers Communications modified their packet inspection systems last year, and ever since customers have experienced degraded download speeds. It’s not that random users happen to be complaining about an (effectively) non-problem: Rogers’ own outreach staff has confirmed that the modifications took place and that these changes have negatively impacted peer to peer (P2P) and non-P2P applications alike. Since then, a Rogers Communications senior-vice president, Ken Englehart, has suggested that any problems customers have run into are resultant of P2P applications themselves; no mention is made of whether or how Rogers’ throttling systems have affected non-P2P traffic.

In this brief post, I want to quickly refresh readers on the changes that Rogers Communications made to their systems last year, and also note some of the problems that have subsequently arisen. Following this, I take up what Mr. Englehart recently stated in the media about Rogers’ throttling mechanisms. I conclude by noting that Rogers is likely in compliance with the CRTC’s transparency requirements (or at least soon will be), but that such requirements are ill suited to inform the typical consumer. 

Rogers’ Renewed Throttling Scheme

Last December I wrote about how Rogers’ throttling systems were causing significant problems for customers. Specifically, it seemed as though a badly tested update to the Rogers network mediation infrastructure had caused P2P download speeds to sharply fall, and non-P2P applications were also impacted. These problems were confirmed by Keith McArthur, Rogers’ senior director of social media and digital communications, when he wrote that:

As some of you are aware, Rogers recently made some upgrades to our network management systems that had the unintended effect of impacting non-p2p file sharing traffic under a specific combination of conditions. Our network engineering team is working on the best way to address this issue as quickly as possible. However, I’m not able to provide any updates at this time about when this will be fixed. Our network management policy remains unchanged. You can find details of our policy here (»www.rogers.com/web/content/netwo···nagement). We are working hard to ensure that there are no gaps between our policy and the technology that enables that policy.

While it was disturbing that it took months for an official Rogers representative to confirm the problem – and that even upon confirming the issue, no timeframe for resolving it was provided – at least the company publicly recognized the problem and stated that it would be fixed. Further, it seemed that the fix (whatever it entailed) would return the mediation of customers’ data traffic to a pre-September 2010 status. Unfortunately, rather than working to resolve the problem (and maintain the network management policy) Rogers has changed their policy. This change was needed to comply with a CRTC directive – ISPs must be transparent to their customers about Internet Traffic Management Practices (ITMPs) – but since the change has taken place I’ve not seen any suggestion that things will ‘return to the old normal.’

Public Statements and Policy Updates

The most recent CRTC investigation into ISP traffic management policies began after Justin McKillican filed a complaint alleging that Rogers had “introduced changes to its Internet traffic management practices (ITMP) which impacted downstream peer to peer (P2P) traffic without providing the 30 day notice required by Telecom Regulatory Policy 2009-657.” The CRTC’s response (.pdf) to Mr. McKillican and Rogers’ Ken Thompson (Director and Counsel Copyright and Broadband Law, Rogers Communications Incorporated) directed the company to revise its ITMP disclosures on Rogers web pages on the basis that, at the time of investigating Mr. McKillican’s complaint, the disclosure on Rogers’ website was non-compliant with the transparency requirements set down in 2009-657.

In an interview with Carrt.ca about Rogers’ throttling policies (Subscription required), Mr. Englehart stated that Rogers does not traffic shape downstream traffic. Further, he asserted that Rogers had already provided an explicit disclosure of their practices on their web site. The disclosure that had been available to the public for over a year was previously in conformance “with what the CRTC wanted so it’s strange that they’re now saying it needs more work given we did it in consultation with them.” In the interview, he asserted that only P2P was affected by the throttling mechanisms, though his statement stands at odds with Rogers’ actual traffic management policies that have recently been amended. Perhaps Mr. Englehart was unaware that the policy had been amended on the basis that newly deployed technical measures, but this seems unlikely given that the CRTC letter explicitly noted that there were changes to Rogers’ throttling systems.

The changes to Rogers’ traffic management policy are significant. An entirely new section – “Are there other applications that could be impacted by Rogers traffic management measures?” – has been introduced, following almost word-for-word what Bell Canada has published in the same section of their own traffic management policy. Bell (and, now, Rogers) recognizes that sometimes their DPI systems negatively impact non-P2P applications, and puts the onus on the consumer to get things working again. Specifically, users are instructed to setup applications so that they only use IANA-specified ports[1] (with Rogers providing a non-hyperlined URL to the official IANA list on their traffic management page). Specifically, Bell and Rogers customers are told to:

1. Close the affected application along with all P2P applications;
2. Ensure that non-P2P applications have their ports properly assigned;
3. Wait to ten minutes, and then restart the non-P2P application.

Knowing many Bell and Rogers customers, and just how tech-savvy they are, I cannot imagine that many end-users can actually modify port numbers for various programs. As such, the solutions these companies are providing assume that the people who either care enough to find a solution, or can solve it in the first place, tend to be reasonably technically inclined. At the same time, I fully recognize that the provided solutions will most likely comply with CRTC requirements. This suggests that ISPs are invested in making ITMP policies transparent as far as regulators are concerned, but are not so interested in making the entirety of those policies transparent to typical consumers as well.

Consumer vs Technical/Regulatory Transparency

For a system to be considered transparent to consumers it must be described so that non-experts can decode what is being described. Rogers is almost certainly not being transparent to consumers given the brevity of their ITMP policy and because customers must consult a massive text-based document (with little context), modify some applications’ port numbers, and only then have applications properly access the Internet. While such a list lets me set up port numbers on applications to avoid throttling, this is not the case with far less technically savvy individuals. What does the ‘regular consumer’ do when their particular application isn’t listed in the ports (as will happen, often) and they’re experiencing slowdown on non-P2P application traffic?

In essence, while ISPs have publicized how their traffic management policies impact traffic, in the cases of Bell and Rogers only technically savvy individuals can follow the suggested troubleshooting steps. So, while both companies are (arguably) within the confines of regulatory transparency that is required by the CRTC,[2] the transparency that these bodies require doesn’t necessarily mean that end-users without technical savvy will understand how to resolve problems. Similar to how long or complicated privacy policies are only understood by those trained to read and/or write them, I suspect that only those who already have a degree of technical awareness will understand what ISPs are doing to customer data traffic.

For a policy to be ‘consumer transparent’ it has to be non-technical, while specific enough to inform end-users what is going on. Much of Bell’s own ITMP policy is good, insofar as it is understandable and accessible to those who happen across the policy, but the troubleshooting approach that is provided is poor at best. The brevity of Rogers’ own policy, combined with the poor design decisions that reduce readability, means that Rogers has provided a policy that is less transparent to the consumer, while simultaneously meeting much of the CRTC’s own regulatory transparency requirements. Deep packet inspection and Quality of Service infrastructure regularly mediates Canadians’ digital communications. Given the importance of our digital systems I think that ISPs should remain compliant with technical and regulatory transparency requirements, but also ensure that their policies are also transparent and understandable to end-users.

Footnotes

[1] The Internet Assigned Numbers Authority (IANA) is responsible for allocating and maintaining a variety of numerical codes related to technical standards and protocols that undergird the Internet. To learn more about them, read their About page.

[2] Admittedly, in the case of Rogers the CRTC has taken issue with how ‘transparent’ their approach is. Given that Rogers’ policies are written similarly to Bell, I suspect this has more to do with the ease of finding and reading Rogers’ policies instead of what is written. See the below of how to navigate to a few Canadian ISPs’ traffic management pages:

Rogers

1. Go to the Rogers homepage
2. Select ‘Internet’ >> ‘Packages and Pricing’
3. Scroll to the bottom of the page and click on their Internet Traffic Management Practices and Legal Disclosure link
4. In the popup box, click the grey link in the third paragraph labeled ‘click here’.

Bell

1. Go to Bell’s homepage
2. Select ‘Internet’
3. Scroll down to the bottom of the page and click their Network Management link

Shaw

1. Go to their homepage
2. Select ‘Internet’
3. Select the link to their traffic management policies

Cogeco

1. Go to their homepage
2. Select ‘Internet’
3. Select ‘Internet Usage’
4. Select ‘Learn more about Internet traffic management
5. Select one of the six options to learn about, read it, and then either use your browser’s back button or the back button on the page and scroll back down to where you were on the page.

In the case of both Bell and Shaw, there is an easily found, easily accessed, and easily read traffic management policy. In the cases of Rogers and Cogeco it is more challenging to believe that a casual consumer would happen upon the traffic management policies. The text of Rogers’ ITMP policy is incredibly small – I need to move very close to the screen to read the grey 11 font text – and Cogeco’s is buried – multiple links have to be clicked to read the whole policy even after finding it. Neither of these two policies would pass a sniff test for being ‘consumer transparent’, even if they are seen as compliant with legal and regulatory transparency requirements.

Other posts you might be interested in:

1. Background to North American Politics of Deep Packet Inspection
2. Beyond Fear and Deep Packet Inspection
3. Choosing Winners with Deep Packet Inspection

Image courtesy of the MIT Press

This first: the edited collection is a decade old. Given the rate that communications technologies and information policies change, this means that several of the articles are…outmoded. Don’t turn here for the latest, greatest, and most powerful analyses of contemporary communications policy. A book published in 2001 is good for anchoring subsequent reading into telecom policy, but less helpful for guiding present day policy analyses.

Having said that: there are some genuine gems in this book, including one of the most forward thinking essays around network neutrality of the past decade by Blumenthal and Clark. Before getting to their piece, I want to touch on O’Donnell’s contribution, “Broadband Architectures, ISP Business Plans, and Open Access”. He reviews architectures and ISP service portfolios to demonstrate that open access is both technically and economically feasible, though acknowledges that implementation is not a trivial task. In the chapter he argues that the FCC should encourage deployment of open access ready networks to reduce the costs of future implementation; I think it’s pretty safe to say that that ship sailed by and open connection is (largely) a dead issue in the US today. That said, he has an excellent overview of the differences between ADSL and Cable networks, and identifies the pain points of interconnection in each architecture.

Generally, O’Donnell sees interconnection as less of a hardware problem and more of a network management issue. In discussing the need and value of open access, O’Donnell does a good job at noting the dangers of throttling (at a time well ahead of ISP’s contemporary throttling regimes), writing

differential caching and routing need not be blatant to be effective in steering customers to preferred content. The subtle manipulation of the technical performance of the network can condition users unconsciously to avoid certain “slower” web sites. A few extra milliseconds’ delay strategically inserted here and there, for example, can effectively shepard users from one web site to another (p53).

Arguably not only websites are affected by such ‘steering’ efforts, but protocols and application-types as well; his position on steering users is well reflected in contemporary network neutrality and Internet Governance texts, such as van Schewick’s Internet Architecture and Innovation. In the face of such discriminatory actions by ISPs, what is the solution? For O’Donnell, the solution is to have an objective monitoring regime that both monitors content discrimination and alerts customers of subpar network performance. In today’s landscape we can find these suggestions put into practice (e.g. tools available through M-Lab and the FCC’s recent call for applications to ID net neutrality violations), though it is questionable how widespread and effective they really are/will be.

If you need a justification to buy this book (and, given that it’s a decade old policy book, you likely do) it’s found in Blumenthal and Clark’s “Rethinking the Design of the Internet: The End-to-End Arguments Vs. The Brave New World.” The authors carefully examine how the End-to-End principle is violated by ISPs at the time of the chapter’s writing and the potential implications of such violations. This chapter reads like a well rationalized argument for legally guaranteed network neutrality. The authors worry that ISPs will weaken their commitments to invest in infrastructure for general Internet once they deploy their own content delivery networks. This is, obviously, a key issue in today’s discussions of vertical integration, throttling of over-the-top content streams, and provisioning bandwidth to access third-party content.

When third parties actively inspect content in transit the E2E argument is logically invalid – E2E precludes such interference by the network core. As a result, faced with this situation, the authors suggest that having a debate about the situation requires that either E2E be abandoned, that the third party involvement be rejected in its entirety because it undermines E2E, or that a next generation principle be developed that retains as much of E2E as possible. We regularly see different bodies continuing to weigh this triumvirate of choices today, and Zittrain’s ‘generativity principle’ (a rule that asks that any modifications to the Internet’s design or to the behaviour of ISPs be made when they will do the least harm to generative possibilities, discussed in The Future of the Internet–And How to Stop It) clearly fits within the third option given by Blumenthal and Clark. Rather than turning to derivative versions of this tripartite division, come to this essay instead.

Further, the authors worry that whereas in the 80s and early 90s the core of the network interfered with applications for their benefit, this is less the case today. As a result, injecting middleware ‘intelligence’ is potentially problematic, and even hostile, to users’ data traffic. While much of the chapter reads like a love letter to network neutrality advocates, it comes with some words of caution. First: there is a warning that the law is just not prepared to ‘catch up’ to the technical speed of the ‘net. As a result, legal/regulatory responses will be delayed and code will race ahead. To ‘catch up’ the legal system itself needs to be reformatted in some sense. It’s unclear whether this modification to the legal system has happened, and perhaps even less clear whether the courts and regulators can competently keep pace with telecom developments. Code, it seems, still races ahead of law though it is admittedly ‘pulled back’ by regulatory structures and legal judgements from time to time. The threat of regulation and legal action may actually be more powerful than actual deployments of regulatory capacity and legal might. Second: while E2E empowers connectivity, it should also impose a responsibility. Where the unrestrained actions of ends cause harm to the network and/or its users, the individual(s) responsible for those ends ought to be held accountable. This is a contentious point, one that resonates with tech heads and less with consumers who treat the ‘net as another consumer good.

The final essay that I would highly recommend of the collection (though most are truly excellent) is Greenstein’s “Copyright in the Age of Distributed Applications.” Greenstein recognizes that many of the vicarious copyright infringement findings in the US are based on case law where absentee landlords had a physical capacity to oversee the infringing action(s). Such is not always the case with distributed (P2P) applications. Where the capacity to supervise is infeasible or ineffective in stifling infringing acts it seems unreasonable to apply old case law. A new framework is required, one that would emerge if the following questions guided vicarious infringement judgements:

1. What is the nature of each potential non-infringing use?
2. What is the likelihood that any consumer would acquire and use the product for such non-infringing uses?
3. What is the role of the technology in facilitating the infringing uses?
4. What is the role of the technology in facilitating non-infringing-uses?
5. What is the likelihood that, if the technology is or is not deemed to be infringing, non-infringing uses will proliferate.

One can imagine that, were this set of criteria adopted, case law around P2P in the United States and WIPO signatory nations might be very different…

In addition to these three papers, Rob Frieden’s discussion of peering relationships is truly excellent, and the early discussion of wireline vs wireless deployment in the US and Japan by Moto Murase gives a good (and early) comparison of those nations’ policies. With her work you can nicely anchor a temporal comparison of both nations’ deployment strategies and their respective effects. Both papers are excellent and valuable to the contemporary telecom policy scholar, policy wonk, or layperson interested in telecom policy.

It might be hard to justify the cost of a decade-old communications policy text, but this collection has aged quite well. If network neutrality, peering, copyright, or comparative deployment policies are in your line of interest then this is a wonderful book to add to your collection!

B. M. Compaine and S. Greenstein (eds.). (2001). Telecommunications Policy in Transition: The Internet and Beyond. Cambridge, Mass.: The MIT Press.

Other posts you might be interested in:

1. Review: Network Nation – Inventing American Telecommunications
2. EU: Judicial Review Central to Telecom Disconnects
3. Review: Internet Architecture and Innovation

Photo credit: Faramarz Hashemi

Deep packet inspection (DPI) is a form of network surveillance and control that will remain in Canadian networks for the foreseeable future. It operates by examining data packets, determining their likely application-of-origin, and then delaying, prioritizing, or otherwise mediating the content and delivery of the packets. Ostensibly, ISPs have inserted it into their network architectures to manage congestion, mitigate unprofitable capital investment, and enhance billing regimes. These same companies routinely run tests of DPI systems to better nuance the algorithmic identification and mediation of data packets. These tests are used to evaluate algorithmic enhancements of system productivity and efficiency at microlevels prior to rolling new policies out to the entire network.

Such tests are not publicly broadcast, nor are customers notified when ISPs update their DPI devices’ long-term policies. While notification must be provided to various bodies when material changes are made to the network, non-material changes can typically be deployed quietly. Few notice when a deployment of significant scale happens…unless it goes wrong. Based on user-reports in the DSLreports forums it appears that one of Rogers’ recent policy updates was poorly tested and then massively deployed. The ill effects of this deployment are still unresolved, over sixty days later.

In this post, I first detail issues facing Rogers customers, drawing heavily from forum threads at DSLreports. I then suggest that this incident demonstrates multiple failings around DPI governance: a failure to properly evaluate analysis and throttling policies; a failure to significantly acknowledge problems arising from DPI misconfiguration; a failure to proactively alleviate inconveniences of accidental throttling. Large ISPs’ abilities to modify data transit and discrimination conditions is problematic because it increases the risks faced by innovators and developers who cannot predict future data discrimination policies. Such increased risks threaten the overall generative nature of the ends of the Internet. To alleviate some of these risks a trusted third-party should be established. This party would monitor how ISPs themselves govern data traffic and alert citizens and regulators if ISPs discriminate against ‘non-problematic’ traffic types or violate their own terms of service. I ultimately suggest that an independent, though associated, branch of the CRTC that is responsible for watching over ISPs could improve trust between Canadians and the CRTC and between customers and their ISPs.

What’s Going On?

Rogers has publicly stated that they are predominantly concerned with managing upstream traffic, claiming that without throttling it they risk “becoming the world’s buffet.” As a result, the company uses DPI appliances to delay uploading data to the Internet; downloads are unaffected. Their technology, “looks at the header information embedded in the payload and session establishment procedures” to identify peer-to-peer based upload traffic. If such traffic is identified it is put into a portion or allocation of the network dedicated to upstream peer-to-peer traffic. Further, Rogers’ network management policy states that “For Rogers Hi Speed Internet (delivered over cable) and Portable Internet from Rogers customers, the maximum upload speed for P2P file sharing traffic is 80 kbps at all times. There are no limits on download speed for any application or protocol.”

Unfortunately, it appears as though a badly tested update to Rogers’ DPI equipment has had unintended consequences. Customers that previously enjoyed very fast downloads using P2P clients – often several Mb/s – have seen their download speeds sharply curtailed to the point where some users are reporting maximum speeds of under 100kb/s. Moreover, it isn’t just just P2P applications that are being affected; Keith McArthur, Rogers’ senior director of social media and digital communications, has publicly confirmed that non-P2P applications are being affected by this misconfiguration. Specifically;

As some of you are aware, Rogers recently made some upgrades to our network management systems that had the unintended effect of impacting non-p2p file sharing traffic under a specific combination of conditions. Our network engineering team is working on the best way to address this issue as quickly as possible. However, I’m not able to provide any updates at this time about when this will be fixed. Our network management policy remains unchanged. You can find details of our policy here (»www.rogers.com/web/content/netwo···nagement). We are working hard to ensure that there are no gaps between our policy and the technology that enables that policy.

Keith’s public statement came about a month after people began reporting this problem (September 20, 2010) and after his comment the problem remains unresolved over a month later (now December 3, 2010). There has been a massive delay in recognizing a problem, and an even more massive delay in resolving it.

Problems in Governance

Since September, one forum user has reportedly submitted a complaint to the CRTC. The result is that Rogers has to either reverse its present policies and stop throttling downloads or change their terms of service to reflect their current practice of throttling downstream traffic. While Rogers is to be commended for leaving a comment in a public forum and acknowledging the problem, they have not been particularly proactive in notifying their end-users about the problems with the company’s DPI appliances. As noted in the threads on DSLreports, low level technical staff ascribe degraded service of P2P and non-P2P applications alike to customers’ use of P2P applications. While there may be a correlate relationship, the root cause (improperly configured network infrastructure) is not being identified over the phone.

Such ascriptions indicate that customer service has not been properly notified of DPI-related network degradation problems. Though the senior director of social media and digital communications is aware of these problems, no notice is posted on their social-media inspired RedBoard website or to be found on their traditional corporate website.

To begin, this failure of network configuration suggests that Rogers’ testing system needs to be refined. I expect that Rogers’ professional networking staff tested the network updates – either in an isolated test network that replicates real-world conditions or in a small portion of their production network. Doing anything else would constitute an incredibly arrogant and inappropriate deployment regime, and I cannot believe that Rogers’ networking staff would behave in such an unprofessional manner. What is more likely is that the micro-level tests were either too narrow or the derived findings were misunderstood/ambiguous. Such a failure in the testing regime demands a reevaluation of how engineers make upgrades to the Rogers networks and is especially important given that the error has resulted in a material degradation of service – a change that requires Rogers to notify various actors prior to the modification.

The lack of widespread attention to the problem – at customer service, at their informal website or at their formal corporate website – indicates an additional issue concerning staff and (by extension) customer education. Customers are unlikely to know the source of their network-related problem because Rogers has only acknowledged the misconfiguration in limited channels. A customer shouldn’t have to (and is unlikely to) dig into the depths of a specialized web forum to learn about material changes that have affected their network service for a prolonged period of time, regardless of whether the changes are intentional or not.

Finally, the misconfiguration of Rogers’ equipment shows a failure to proactively notify customers of problems. I’ve contacted a host of Rogers customers over the past day, asking similar questions: Are you experiencing particular degradations of service? (All responses: yes.) Have you been contacted about the problem by Rogers? (All responses: no.) While I appreciate that it would be challenging to call every single customer, a mass email to all Rogers customers would not be a financially expensive operation, nor would a posting on their corporate website. That the company has remained relatively quiet about known issues on its network for over 60 days, knowing that network changes have had material impacts on the quality of service and that are in violation of their network management policy, speaks poorly of the company’s willingness to openly address the problem.

The Impacts of Control

There are consequences associated with running a partially controllable network, a network that is “generally open to new applications, but can be used to block them selectively” (van Schewick 2010: 288). Shifting network architectures away from the end-to-end model and towards applianced models of network connectivity “increases the relative costs of innovation and decreases the relative benefits for independent innovations” (van Schewick 2010: 289). Such changes threaten the development of novel applications that could improve the utility derived from Internet access, as well as potentially imposing constraints on technology and (metaphorically) killing the goose that lays the golden egg (Greenstein 2001: 390).

DPI has been deployed to provide ISPs with insight into, and control over, their customers’ data transmissions. Such insight is needed because applications at the ends of the network are less and less trustworthy; port obfuscation, payload encryption, randomized initial packet exchanges and more are designed to hide what applications customers are using. ISPs assert that they need to better understand the packets in their entirety to properly identify applications and transit their associated packets. In essence, ISP routers cannot trust applications to ‘honestly’ disclose their packets and so ISPs aim to ‘restore’ this trust by inspecting most/all packets that go through their routers. Thus, restoring trust has led ISPs to increase middle-network intelligence and required customers to trust network providers more than when providers operated as ‘simple’ transit networks.

The problem with adding intelligence into the middle of the network is that middle-network failures have broader impacts than failures at the ends. Per Blumenthal and Clark (2001):

Network designers make a strong distinction between two sorts of elements – those that are “in” the network and those that are “attached to,” or “on,” the network. A failure of a device that is “in” the network can crash the network, not just certain applications; its impact is more universal. The end-to-end argument at this level thus states that services “in” the network are undesirable because they constrain application behaviour and add complexity and risk to the core (201).

Blumethal and Clark’s approach to the end-to-end principle restricts the ‘narrow’ version of the end-to-end argument that van Schewick has identified. The narrow version of end-to-end asserts that “A function should only be implemented in a lower layer, if it can be completely and correctly implemented at that layer. Sometimes an incomplete implementation of the function at the lower layer may be useful as a performance enhancement” (2010: 58). Such narrow approaches to the end-to-end principle were meant to try and help implement applications, whereas many present understandings of this principle are used to justify hostile intentions, seeing ISP engineers prevent things from happening on the network and blocking certain applications (Blumethal and Clark 2001: 106-7). The effect overall is to reduce the generativity of network itself, reducing its “capacity to produce unanticipated change through unfiltered contributions from broad and varied audiences” (Zittrain 2008: 70).

Finally, the appropriateness of network control varies depending on the reader’s understanding of the term ‘network management’. The issue with ‘reasonable network management’ language is that it tends not to describe an engineering principle but a policy decision. Such policy decisions are made by weighing legitimate technical and business goals with what society will bear in regards to principles such as user privacy. Thus, reasonable network management is unlikely to correlate with Paul Ohm’s definition, where the term exclusively refers to:

…the activities, methods, procedures, and tools that pertain to the operation, administration, maintenance, and provisioning of networked systems (51).

In aggregate, the introduction of control has a series of impacts. Realigning where intelligence is located in the network changes the risks and cost/benefit structure for innovators at the ends of the network. That ISPs such as Rogers can have misconfigurations lasting over 60 days that detrimentally affect P2P and non-P2P applications alike is problematic. Individuals are unlikely to know who is to blame and such misconfigurations may increase unpredictability of application discrimination to the point where innovators and developers abandon or limit Internet-interfaced application creation. If application-like services from the ISP continue to work (e.g. Rogers On Demand Online) people may be led away from non-proprietary streaming and content delivery services in favour of the ISP’s monetized systems. Moreover, when the ISP’s own services are not impacted by network misconfigurations there is less of an incentive for their engineers to quickly resolve the problem.

Finally, the quiet (if accidental) increase in network control also has the effect of potentially undermining the trustworthiness of the network itself. If DPI was (in part) installed because of untrustworthiness at the ends, now consumers and developers alike have less reason than before to trust the middle and core of the networks. Trust and transparency, it seems, are lacking throughout the network.

Third-Party Oversight

The capacity for large ISPs to modify data transit conditions in a seemingly randomized manner is made possible by the packet monitoring and control systems now grafted into ISPs’ networks. Given the impacts that control can have on the future of telecommunications a trusted third-party is needed. This party should monitor how ISPs govern data traffic, alerting citizens and regulators alike if ISPs are found discriminating against ‘non-problematic’ traffic types or violating their own terms of service. Such a party does not necessarily need to dogmatically require all ISP actions fit within the end-to-end principle. Let me illustrate what this might mean.

While Jonathan Zittrain worries about the installation of intelligence into the network he also argues that we must abandon strict adherence to end-to-end neutrality. Zittrain asserts that we would be well served to replace the end-to-end principle with a generativity principle, “a rule that asks that any modifications to the Internet’s design or to the behaviour of ISPs be made when they will do least harm to generative possibilities” (2008: 165). For such a system to be adopted, however, there must be some third-party that is technically competent and that can audit what ISPs are doing to their networks.

The hope is that by introducing a third-party between customers and ISPs some of the mutual antagonism between these two parties might be alleviated, whilst also reducing some of the privacy concerns associated with DPI more generally. Specifically, the third-party would lack a profit-based motivation to access personal information and could, as part of its mandate, oversee the limitation of ISPs’ access to personal information where the information isn’t relevant for business purposes.

While key-signing authorities could theoretically operate as one of the neutral third-parties, there remains a question of trusting the third-party itself. VeriSign, as an example, presently works alongside American copyright groups and changes DNS entries for some .com addresses and could do the same for .net addresses. As a result, VeriSign couldn’t be considered a trusted third-party because of this partisan behaviour. Thus, any party exercising oversight of ISPs ought to be composed of a set of neutral third-parties so that if/when a member reveals itself as no longer trustworthy the entire oversight committee/board/organization doesn’t collapse.

Such an oversight body (in Canada) could be associated with, but independent of, the CRTC. The body ought to be resourced regardless of whether its investigations embarrass ISPs or its regulatory parent. Its acting commissioner should be appointed for a significant period of time. Further, the commissioner should retain independent authority over who to hire, within requirements set by the CRTC. Anticompetitive actions or those in breech of acceptable use policies, network policy agreements, service level agreements or privacy policies should be fully disclosed to the public by this independent body. ISPs could not claim confidentiality to hide their actions or network configurations when their actions or network configurations violate their public statements, agreements, or CRTC decisions. The threat of this transparency into ISP network operations could and should cause ISPs to be more cautious and measured in their actions, reducing the likelihood of network misconfigurations or at least limiting the duration of misconfigurations. Additionally, this body might generate trust with the public by separating its policies from the more formal regulatory hearings at the CRTC.

Is such an oversight body a pipe dream? Perhaps, but not an entirely unreasonable one. The CRTC is increasingly under pressure by members of the public to be more transparent or dissolve, and telecommunications companies in general are distrusted by Canadians. Adopting an independent oversight board – one solely responsible for audits and oversight of ISP networks, and ensuring compliance with existing CRTC policies – could realign the trust Canadians put in carriers and practically demonstrate the value and legitimacy of the CRTC to the Canadian people.

Book Sources:

Blumenthal, Marjory S. and Clark, David D. (2001). “Rethinking the Design of the Internet: The End-to-End Arguments vs. the Brave New World” in B. M. Compaine and S. Greenstein (eds.). Communications Policy in Transition: The Internet and Beyond. Cambridge, Mass.: The MIT Press.

Greenstein, Shane. (2001). “Copyright in the Age of Distributed Applications” in B. M. Compaine and S. Greenstein (eds.). Communications Policy in Transition: The Internet and Beyond. Cambridge, Mass.: The MIT Press.

van Schewick, Barbara. (2010). Internet Architecture and Innovation. Cambridge, Mass.: The MIT Press.

Zittrain, Jonathan. (2008). The Future of the Internet and How to Stop It. New Haven: Yale University Press.

Other posts you might be interested in:

1. Deep Packet Inspection and Consumer Transparency
2. Background to North American Politics of Deep Packet Inspection
3. Draft: What’s Driving Deep Packet Inspection in Canada?

Ole asserts that there are two key infotainment revenue streams that content providers, such as ISPs, maintain: the $150 Cable TV stream and the $50 Internet stream. Given that content providers are required to redistribute some of the $150/month to content creators (often between 0.40-0.50 cents of every dollar collected), Ole argues that ISPs should be similarly required to distribute some of the $50/month to content creators that make the Internet worth using for end-users. Unstated, but presumed, is a very 1995 understanding of both copyright and digital networks. In 1995 the American Information Infrastructure Task Force released its Intellectual Property and the National Information Infrastructure report, wherein they wrote;

…the full potential of the NII will not be realized if the education, information and entertainment products protected by intellectual property laws are not protected effectively when disseminated via the NII…the public will not use the services available on the NII and generate the market necessary for its success unless a wide variety of works are available under equitable and reasonable terms and conditions, and the integrity of those works is assured…What will drive the NII is the content moving through it.

Of course, the assertion that if commercial content creators don’t make their works available on the Internet then the Internet will collapse is patently false. As written about by Middleton in “What if there is no killer application?“, an early study in Littleton about how individuals use high-speed networks in the mid-90s found that customers were most engaged with amateur content production (i.e. that of their neighbours) and entranced by the communicative possibilities made available through broadband (i.e. e-mail and mailing lists). In essence, from this we can suggest that the empirical study demonstrated that the ideological and financial values placed on commercial cultural artifacts by bureaucrats and commercial content producers is less obvious than they (loudly) state. Further, the value of commercial content is arguably diminished even more in an environment where people spend increasing amounts of time engaging with the generative elements of the Internet, often referred to as amateur-dominated social media environments. In essence, the undertone that ISPs can only sell their data transmission services because of commercial content is at the very least shaky, and more likely to be empirically unsupportable if posed as a strong correlation between the value of transmission capabilities and commercial content availability.

Depressingly, Ole believes that a broadcast-based (historical) business model should be imposed on ISP transmission-based companies in an effort to regenerate the value of their (now somewhat devalued) intellectual properties. Specifically,

The ISP business model for the Internet could and should mimic that of Cable/ TV. Modern technology allows the ISP to identify what content is being used and then they can allocate the appropriate share to the creator or supplier of that content.

This would put ISPs in the situation of somehow being liable to the collection societies, and also require substantial telecommunications investment in labour and sunk capital to establish an (ineffective) network surveillance policy designed to monitor the amount of copywritten content flowing across Canada’s networks. Most likely, such a proposal would turn ISPs into content police and require the use of some kind of packet inspection equipment to survey Canadians’ data traffic, pick out that which is believed to be infringing, and pay some kind of monthly tax for the transport of customers’ content. This amounts to a suggestion that ISPs become content police on the basis that only by doing so would they evade being identified as encouraging copyright infringement. Ole is intimating that ISPs must implement surveillance one the networks if they are to avoid third-party liability.

There are systems on the market that claim they can analyze data traffic to develop ‘piracy’ indexes. CView is used by Virgin in the UK (though we’ve no idea how effective it is) and Audible Magic has been successful in forcing some ISPs and campuses to adopt their technology. In most cases, such content analysis technologies require the offloading of data traffic suspected of being infringing in high-traffic networks, doing a one-way hash of the data, checking the hash against known copywritten files’ signatures, and then aggregating the overall amount of infringement and particular cases of infringement on a per-file basis. This is substantial overhead for any party, especially one that is just trying to move data from one place to another. Moreover, any such massive dragnet analysis of content raises real questions of whether ISPs could then be considered ‘transport’ facilities; while presently there is substantial monitoring for particular protocol types, Canadian ISPs are not searching for particular content-types. This is an important distinction, insofar as ISPs can understand what application-types are generating traffic on their networks but not what those application-types are actually being used to transmit and receive. For all Canadian ISPs know, Canadians might have some strange obsession with massive downloading and sharing of Linux .ISO files and the entire Canadian population actually avoids downloading copywritten music.

There continue to be doubts concerning whether any kind of massive copyright-analysis engine could work – prominently by companies that actually sell the solutions and those that would be responsible for deploying these fears – and further whether such engines could ever competently detect fair use/fair dealing of some material. YouTube’s algorithms are relatively notorious for censoring uses of copywritten material falling under fair use and fair dealing provisions; what guarantee do citizens have that any algorithmic surveillance and monitoring system deployed on communicative networks would avoid the YouTube problem? Should the content creator-owner get restitution for fair dealing of works? How would this be adjudicated – by determining where the data was to and from (i.e. if to an educational institution, we must assume that it’s for fair dealing research purposes) or on a case-by-case challenge basis? Moreover, doesn’t the provision of funds for fair dealing uses modify the provisions of fair dealing, insofar as content creator-owners would receive a fiscal benefit even for fair dealing whereas presently fair dealing falls outside of their revenue traps?

Of course, even the suggestion that Canadian ISPs should be required to cough up money to content creator-owners is absurd in the face of a recent Federal Court of Appeals ruling that asserted that ISPs are not broadcasters. The question of ISPs’ status was punted to the Court by the CRTC, who wanted judicial guidance before it proceeds to determine whether ISPs can be legally required to establish copyright levies. Since ISPs fall under the Telecommunications, and not Broadcasting Act, they are seen as solved involved in providing,

the mode of transmission, they have no control or input over the content made available to Internet users by content producers and as a result, they are unable to take any steps to promote the policy described in the Broadcasting Act or its supporting provisions. Only those who “transmit” the “program” can contribute to the policy objectives.

Under this decision, so long as ISPs are not involved in discriminating against any particular content and thus making an input into the content made available on the Internet to and by users (i.e. so long as Canadian ISPs adhere to a form of network neutrality), any levy-based system is dead. The very system that Ole is advocating for has already fallen before the Court of Appeals.

Now, out of all of this, we might be expected to feel poorly for the content creator-owners that depend on selling and licensing content for their commercial success. I think that if we look at the history of these companies’ digital involvement, however, we quickly disenchant ourselves of this position. Major labels refused to license recordings to Napster and subsequently engaged in what Jessica Litman refers to as a process of “suing upstart new businesses into bankruptcy” to try and stem the Internet as a disruptive factor in their businesses. This saw content creator-owners financially assassinate Napster, Scour.com, iCraveTV, RecordTV, mp3.com, Aimster, Grokster, Streamcast, KaZaA, and others. Authors have gone after Google for the mere action of scanning books for search index purposes, a purpose that would enable authors to sell additional texts when the texts appeared through a Google book search. That the copying a text, even for fair-use purposes, is grounds for massive legal obstruction speaks volumes of content creator-owners general willingness to genuinely deal with the digital reality they are immersed in. Broadly, instead of working to establish a marketplace for digital manifestations of content creator-owner works there have been, and continue to be, mass efforts to shut down marketplaces that don’t grant total control to content owner-creators and their associated companies. As such, customers have become used to going to illicit sites that offer superior selection with fewer restrictions than label offerings. This indicates a failure in big content’s rent-seeking business model and the truth that modern customers are rational economic actors. It does not indicate that ISPs are somehow required to prop-up a rent-seeking model, nor a moral deficit on the part of customers.

Labels were, and remain, in a state of ontological insecurity that accompanies their plunging into a decade-long existential crisis: how can they maintain their rent-seeking behaviour in the face of disruptive technologies. Answers to this existential question are out of reach of most companies on the basis that their perception of the world markets preclude taking risks that could see a (necessary) cannibalization of short-term revenue streams for long-term survival. Unfortunately, while adherence to historical models was effective last decade in colonizing their futural existences – in assuring them of how to approach the world and guarantee particular revenue streams – that old model leaves them grasping at new rent-seeking behaviour instead of adopting novel business strategies. While we can all appreciate just how devastating existential crises can be on a personal level, when we consider the multi-billion dollar record industry we tend to have far less sympathy. Just as you or I are unable to let a crisis linger for a decade – we go to a therapist, get straightened out, and get back on our way – neither can these companies. At best we might feel pity as we watch them wallow in their crisis. At worst, we fear what they might crush as they roll around on the ground like starving dinosaurs and demolish other elements of civil society in their throes of panic and fear aimed at extinguishing the generativity seen as endangering their ontological security. They’ve already made a mess of copyright and cultural transmission possibilities; let’s hope they don’t damage the conditions of democratic communication itself while they’re working out their problems.

Other posts you might be interested in:

1. Comment: Canadian ISPs and Internet Traffic Management
2. Update: Associating Canadian ISPs with Anonymized Data Traffic Submissions
3. Deep Packet Inspection: What Innovation Will ISPs Encourage?

As part of an early bit of thinking on this, I want to direct our attention to Canada, the United States, and the United Kingdom to start framing how these jurisdictions are approaching the use of DPI. In the process, I will make the claim that Canada’s recent CRTC ruling on the use of the technology appears to be more and more progressive in light of recent decisions in the US and the likelihood of the UK’s Digital Economy Bill (DEB) becoming law. Up front I should note that while I think that Canada can be read as ‘progressive’ on the network neutrality front, this shouldn’t suggest that either the CRTC or parliament have done enough: further clarity into the practices of ISPs, additional insight into the technologies they use, and an ongoing discussion of traffic management systems are needed in Canada. Canadian communications increasingly pass through IP networks and as a result our communications infrastructure should be seen as important as defence, education, and health care, each of which are tied to their own critical infrastructures but connected to one another and enabled through digital communications systems. Digital infrastructures draw together the fibres connecting the Canadian people, Canadian business, and Canadian security, and we need to elevate the discussions about this infrastructure to make it a prominent part of the national agenda.

The Canadian Situation

In Canada, there has been a substantial amount of attention directed towards the use of DPI equipment since 2007 when CAIP filed a complaint about Bell’s use of the technology to affect how CAIP customers’ data traffic was being transmitted through Bell’s infrastructure. The result of Bell v. CAIP, and the 2008/9 CRTC investigation into how DPI is used by ISPs more widely, was positive in some lights and devastating in others. Positively, out of the 2008/9 investigation the CRTC asserted:

• the blocking of content is prohibited unless approved by the CRTC;
• when noticeable degradation of service for time sensitive services occurs, then a traffic management system amounts to controlling the content or influencing its meaning. As such, any actions that create such a degradation require approval by the CRTC;
• the CRTC affirmed that it works in a complementary fashion with the Privacy Commissioner of Canada and that telecommunications providers are held to a higher standard than that contained in PIPEDA alone. Critically, not only are primary ISPs prohibited from using data gathered from traffic management for anything other than management actions, but “the Commission directs all primary ISPs, as a condition of providing wholesale services to secondary ISPs, to include, in their service contracts or other arrangements with secondary ISPs, the requirement that the latter not use for other purposes personal information collected for the purposes of traffic management and not disclose such information.”
• economic measures are preferred to technical traffic management processes;
• the delaying of non-time sensitive services (e.g. email, peer-to-peer, FTP, etc) does not require CRTC approval.

Of course, this didn’t forbid ISPs from using DPI – something that was unlikely to happen – but did put strong conditions on what was and was not permissible use of DPI. What remained permissible was that delaying non-time sensitive services (e.g. email, peer-to-peer, FTP, etc) does not require CRTC approval, and wholesale ISPs both remain affected by DPI and can expect to receive a mere 30 to 60 day notification before primary ISPs make material changes that would affect wholesale ISPs. The privacy element of the ruling was reinforced in the Privacy Commissioner of Canada’s ruling on deep packet inspection, which required Bell to note on their website that personal information (i.e. subscriber ID and IP address) was briefly collected (and then quickly discarded) in the ongoing use of DPI. Emergent from the CRTC and OPC’s decisions, we can comfortably say that Canada has a strong set of regulatory bones when it comes to DPI and network neutrality; what’s left is fleshing the bones out, which will hopefully happen over the coming months and years.

The United States of Inspection

As we turn our gaze south of the 49th parallel, we see that DPI has been used in various ‘exploratory’ ways. Arguably, it was the use of DPI for behavioural advertising – by the company NebuAd and various ISP partners – and incredibly disruptive treatment of peer-to-peer filesharing applications that brought the technology into the media more widely. In the former case, NebuAd partnered with ISPs such as Charter to insert a DPI device in the ISPs’ network environments. Once in the network, it was possible for NebuAd to modify data transfers by creating a new packet and forging the IP address and port information to make the packet appear to come from the original source. Thus, if you were being served a packet from Google or Yahoo!, it would still appear to your computer as though it was delivered from a Google or Yahoo! server. The NebuAd system used TCP’s ACK and SEQ system to stop users’ computers from refusing to accept the forged packet.

Contained within this new packet was a bit of javascript that directed users’ computers to collect a cookie from a NebuAd server; this cookie was then used to track users and to subsequently serve ads that were relevant to the user based on their browsing history. Attempts to delete the cookie led to it simply being re-delivered the next time a user browsed somewhere on the ‘net. This behaviour led researcher Robert Topolski to assert that “NebuAd’s code injected into another’s page source is a cross-site exploit (XSS) and the subsequent behavior of loading cookies it normally would not load is a browser hijack. NebuAd accomplishes its XSS by using what is effectively a classic man-in-the-middle attack.”

In light of the damning evidence that ‘consent’ was never genuinely achieved (in at least one ISP’s case, there was a change to their already massive privacy policy to “inform” customers of the new behaviour) NebuAd was very publicly disciplined in front of the House Telecommunications Subcommittee. Congressman Markey asserted that “Simply providing a method for users to opt-out of the program is not the same has asking users to affirmatively agree to participate in the program.” While NebuAd has lost it’s CEO, is now subject to a class action lawsuit, and itself is dead in the water (though has arguably been reincarnated in the UK as Insight Ready), no legislation have been passed to address behavioural advertising using DPI. A Senate Commerce Committee session in September 2008 led to three of the US’s largest ISPs – AT&T, Verizon, and Time Warner – committing to an “affirmative consent” model for behavioural advertising should the ISPs ever adopt such an advertising system, but no Senate action even attempted to legislate a consent-based model. The Federal Trade Commission (FTC) went ‘so far’ as to advocate for voluntary self-regulation of the industry. This regulation encompassed the following principles;

1. Transparency and customer control, which maintains that on every website where data is collected for behavioural advertising that customers are informed of this in concise and clear language with the option of choosing whether their information will collected for these purposes.
2. Reasonable security, and limited retention, of consumer data. In essence, this requires companies to secure data in a manner consistent with FTC data security enforcement and only retain data as long as required for legitimate business purposes.
3. Affirmative express consent for material change to existing privacy promises. Critical is that this principle is meant to apply even when the material change is a result of a corporate merger when such a merger modifies the ways in which companies collect, use, and share information.
4. Affirmative express consent to (or prohibition against) using sensitive data for behavioural advertising. This principle does not actually identify what constitutes sensitive information; the FTC sought input into what classes of information should be considered sensitive and whether the collection of such information should be prohibited by regulation instead of by customer choice.

In the case of using DPI for network management purposes, Comcast was found using TCP RST packets to intentionally disrupt peer-to-peer filesharing programs that were accounting for substantial amounts of data traffic along their networks. The stated issue with the programs was that they generated high levels of congestion; in effect, this meant that a large number of customers’ packets were regularly being dropped as Comcast routers struggled to keep pace with the high levels of peer-to-peer traffic. While at one point the company maintained that it only used RST packets during periods of high congestion, it ultimately admitted that their RST-based system was triggered regardless of overall network congestion and at all times of they day.

As a result of Comcast’s use of DPI to target particular applications and application-types the FCC issued an order requiring the ISP to stop their particular mode of network management using their ancillary authority, or authority that implicitly is derived from past judicial rulings, policy contours, congressional mandate, and telecommunications act. Specifically, the FCC required Comcast to;

1. Reveal the “precise contours” of its network management practices, including the types of equipment used, when they came into use, how they were configured, and where they have been deployed.
2. Come up with a compliance plan complete with benchmarks that explains how Comcast will move “from discriminatory to nondiscriminatory network management practices by the end of the year.”
3. Publicly disclose the details of its new practices, “including the thresholds that will trigger any limits on customers’ access to bandwidth.”

The FCC decision was met with two responses from Comcast. First, the company adopted a protocol agnostic solution to dealing with high-bandwidth usage. This saw them move from using deep packet inspection – which examines the payload of data packets – to shallow packet inspection that is (relatively) limited to examining header information. Under the revised approach, where it is evidenced that consumers are engaged in high-bandwidth activities for 15 minutes or longer they have their packets reclassified to “best effort” from the default “priority best effort”.

Second, the company took the FCC to court, arguing that the FCC had exceeded their authority in determining how the corporation can manage their networks. The courts recently returned with a decision, and it was in Comcast’s favor: the FCC’s order that Comcast stop issuing RST packets using DPI equipment is now invalidated on the basis that the FCC decision exceeded their authority. This sends a message that American telecommunications carriers can use equipment, as they perceive needed, to manage their networks and such usage includes mobilizing DPI to invade and disrupt customers’ packet stream. It remains to be seen how this will affect the differentiation between facilities-based VoIP services that Comcast provides and the (apparent) degradation of non-facilities based VoIP services (e.g. Skype) when network congestion occurs: does the FCC have the right to require equal treatment of these types of service? This will be an interesting matter to see unfold in light of the Court’s decision today. It will similarly be interesting to see if, after the decision, ISPs actually use RST packets to disrupt particular traffic flows or instead avoid this approach given the negative press this technique attracted.

So, where does this all leave the US in comparison to Canada? It means that non-regulated processes are exclusively meant to limit the use of behavioural advertising – but, as demonstrated by Chris Soghoian’s work such self-regulation is practically non-regulation in the advertising business - and that the traffic management questions linger in the air. ISPs in the US managed to get a bit more freedom from the FCC with the decision favouring Comcast, and the FTC has been unwilling to strongly regulate ISPs’ uses of DPI. Thus, the American reality stands in stark contrast to Canada: Canadians have a skeleton of regulated guidelines that ISPs are required to adhere to, whereas the US remains a relatively unregulated market for DPI.

A Note on the UK

I’m not a European telecommunication scholar, and so don’t want to make broad statements about Europe, but am slightly more aware of the UK situation. As such, I’ll limit discussions of Europe to the UK.

Behavioural advertising and content management are key issues facing the UK citizenry. In the former’s case, Phorm has been the UK’s NebuAd and partnered with various prominent ISPs to provide an advertising service. The company’s use of DPI was perhaps even more egregious than in NebuAd’s case, insofar as Phorm’s use involves a series of 307 redirects that result in a cookie being placed on a customer’s computer for tracking and advertising purposes (a great technical analysis of Phorm’s system has been performed by Richard Clayton). Most significantly, Phorm forges the cookie so that it appears to come from the originating website, rather than the Phorm system; under this system you receive a cookie that appears to legitimately come from cnn.com when browsing to that website even though it comes from Phorm. Activists came together and have continuously put pressure on Phorm – often arguing that it’s actions are in violation of of the Regulation of Investigatory Powers Act – and the EU Commission is presently bearing down on the UK for its failure to address the privacy-related concerns accompanying this instantiation of behavioural advertising. (Perhaps in response, we now see Phorm scurrying to Brasil – will Brasilian activists take a stand against the company as UK citizens have?)

The content management issue has come up most recently in the form of the Digital Economy Bill (DEB), where there is a real possibility that ISPs will be required to act as a third-party in disputes between rights holders and those who are accused of infringing on holders’ copyrights. ISPs will be required to work against their own customers, insofar as repeat copyright infringers will be subject to some form of traffic throttling. Whether this involves the use of deep packet inspection, or other technological measures, isn’t entirely clear from the bill but many ISPs in the UK are violently opposed to redeveloping their network architecture to shield the copyright industries’ business models. The DEB, as presently written, makes it unclear what ISPs will actually be required to do, but rights holders seem to favor the inspection or analysis of data traffic, an approach to managing data that might lead to content discrimination or an extension of the already functioning discrimination against particular applications and application-types. From my own research perspective, it will be interesting to see if there is an expansion of the uses of CView on the Virgin network should the DEB be realized as law, and whether the EU would step in if enforcing the DEB results in egregious violations of privacy.

It must be recognized that UK ISPs, like their Canadian counterparts, are actively engaged in throttling particular applications and application-types during peak usage times to mitigate network congestion. Orange UK, as an example, throttles what they term ‘dirty’ protocols – those which “consume as much of the available bandwidth that is available”, with the rejoinder that if the ISP gives such protocols and their associated applications an inch they will try to “take a mile”. Orange, of course, is not exceptional: both BT and Virgin also have traffic management policies, as do most other UK ISPs that I’ve studied.

So, where does this leave the UK in contrast to the Canadian regulatory position on deep packet inspection, and content management more broadly? It remains questionable whether the EU will permit behavioural advertising that is based around DPI equipment, but the UK government itself has not come out against the technology in any meaningful way. In Canada, any use of DPI for behavioural advertising runs up against both the CRTC and OPC. UK ISPs are permitted to use traffic management systems, many of which, I suspect (though haven’t done the research yet to demonstrate), utilize systems that are similar to those in North America. Regardless, UK ISPs, like their Canadian counterparts, are involved in choosing the winning applications and application-types for content delivery though are potentially faced with the possibility of having to soon filter particular content. Canadian ISPs have repeatedly stated that they have no desire to filter content for technical, privacy, and business reasons, and it doesn’t look like a Canadian equivalent of the DEB is coming down the pipeline for a while. Unlike efforts such as Comcast’s, where traffic management is protocol agnostic, we see some Canadian and UK ISPs targeting particular methods of content delivery as clean or ‘dirty.’ Ultimately, Canadian and UK ISPs are similar in their respective approaches to traffic management but differ in respect to both behavioural advertising and (possibly) content filtering.

Network Neutrality in a Western Context?

We began with a note on network neutrality, and it seems appropriate to close on one as well. I firmly believe that network operators need to be able to manage their network in a manner that is transparent to the public, effective, and efficient. This may indeed require the implementation and use of technologies such as deep packet inspection. I would hasten to note that not all DPI is created equally; some excel at analyzing content by extracting and matching content signatures, but others are predominantly marketed and used as security appliances, and yet others for subscriber billing. Instead of resisting DPI as a broad technology, we need to focus on opposing some applications of the technology while praising others. While I’m not making an argument that DPI is a ‘neutral’ technology – it’s a surveillance technology with elements of control embedded into it – I do want to suggest that not all surveillance, not all applications of control, are inherently bad. Parents carry baby monitors with them – monitors that have surveillance as a key value embedded into their design – and this is a benign, if not positive, application of surveillance. We need to be mindful and on the watch for damaging surveillance and hindering acts of control while recognizing that some surveillance, some control, is good and required for a functioning contemporary Internet.

In light of my willingness to accept the value of DPI in network environments, I see a stanch opposition to ‘network intelligence’ as considerably far of the mark. Networks are intelligent, and there is nothing wrong with intelligence so long as it is used in a manner that is clearly beneficial for customers, with legislation and regulations precluding the application of network intelligence for negative purposes. Gaining customer acceptance may require transparency on the part of vendors and ISP’s alike; vendors to explain what their technology does and offer ‘virtual tests’ of the technology as is done with some consumer routers, and ISPs to explain why and how they have deployed the equipment. As awareness of how the network is intelligent spreads it is possible to engage is a more substantive discussion about the nature of contemporary networks, the challenges perceived by customers, civil advocates, and network operators. As it stands we are regularly subjected to near-dogmatic language from either camp – network neutrality is a meaningless slogan vs. smart networks are the death of the Internet – that is arguably misleading and polemic.

Given the different regulatory environments, we cannot expect supporters of network neutrality to adopt similar language in their advocacy – RIPA is clearly something that doesn’t enter North American debates, whereas different wiretapping laws and consumer protections are drawn on in American cases, and Canada regularly sees the language of privacy and consumer rights presented by its advocates – but this shouldn’t prevent researchers and other interested parties from identifying common advocacy principles to see what does and does not work. Further, any such comparative project ought to try and identify differences that arise when there is greater transparency (either required by regulation or performed on a voluntary basis) surrounding the development, deployment, and usage of the technologies. This would (and, in Canada, did) enable advocates to more clearly articulate their messages while also alleviating some of the concerns that emerge when our communications systems are mediated by an unknown technical power, in unknown manners, for less than clear corporate means.

Citizens of Canada, the US, and UK need to understand how their communications are regulated and have a clear and valued voice in shaping the structure of their communications systems; citizens along with government and business, as opposed to business and deep packet inspection alone, must be responsible for choosing the ‘winning’ applications that facilitate digital communications across the Internet.

Other posts you might be interested in:

1. Background to North American Politics of Deep Packet Inspection
2. Draft: What’s Driving Deep Packet Inspection in Canada?
3. Draft – Deep Packet Inspection: Privacy, Mash-ups, and Dignities

The COUNTER project is a European research project exploring the consumption of counterfeit and pirated leisure goods. It has a series of primary research domains, including: (1) frequency and distribution of counterfeits; (2) consumer attitudes to counterfeit and pirated goods; (3) legal and ethical frameworks for intellectual property; (4) policy options for engaging with consumers of counterfeit; (5) the use of copyrighted goods for the creation of new cultural artifacts; (6) impacts of counterfeiting and control of intellectual property.

What quickly became evident in the course of conference presentations was that there was a relative dearth of reasonable, well-articulated, and non-partisan work devoted to unearthing empirical data about how consumers engage with ‘illegitimate’ sources of content prior to the COUNTER researchers beginning their European data collection. Even where legitimate data sources existed (e.g. OECD data on counterfeit goods) there was rarely a common standard for gathering and archiving that data (e.g. do you measure counterfeit items by discrete number of items, number of shipping containers, street value, manufacturer value, etc.). These issues stemming from data collection were noted by the COUNTER Project Coordinator, Dr. Jo Bryce, as well as the representative from the European Union’s Intellectual Property Unit, Phil Lewis. The latter, in particular, noted the importance of establishing observatories that could gather data and statistics about the use and transit of pirated works, information that could subsequently be used to change public perceptions and attitudes to the usage of infringing works. The EU representative, and the parties he has been working with, are particularly interested in preventing infringing content from ever getting to the ‘net in the first place, though stated in response to a question I raised that deep packet inspection is not something that they are presently thinking of including in their observatories. Their unwillingness to use the technology stems from the fact that they might be unable to legally use it for data surveillance and, even they could use it legally, are uncertain that they want to adopt this mode of data collection.

Dr. Bryce identified consumer behaviour as the problem – or, in other words, the driver – of the the trafficking in counterfeit and pirated goods. Partially as a result of the disorganized responses to infringing uses of content, enforcement and education mechanisms alike have been largely ineffective in stemming the traffic of counterfeited goods or illicit trading in copywritten works. Her research found that while consumers tend to adopt various ethical perspectives on why file-sharing is socially acceptable, by educating consumers on the challenges transit of infringing intellectual properties imposes on individuals working in content generation industries it is possible to reduce consumers’ inclination to engage in file sharing. Moreover, her work noted that the content industries have lost a great deal of consumer trust and remain opaque organizations; consumers need to trust and appreciate the bodies generating content if content industries are to develop a positive relationship with their customers. This need for openness and transparency was regularly noted throughout the conference, though some academics and industry representatives alike dismiss the need for a positive relationship to exist between consumers and content production industries.

In a panel on consumer perspectives on downloading, empirically grounded research was provided to express the position of consumers in relation (primarily) to peer-to-peer filesharing. Emergent from the research presented, we found that consumers actually have a decent intuitive understanding of the world of filesharing, insofar as they differentiate between copyright infringement and stealing. Perhaps worryingly, researchers, consumer advocates, and rightsholders alike (and this is true across much of the conference) struggled with notions of enforcing copyright. Precise concerns and solutions varied, but we regularly heard ruminations about methods to impress upon consumers the moral right to copyright, numbers of ‘coercive impacts’ required to adjust behaviour, need to introduce copyright education to parents and into schools, and so forth. As it stands, research showed that most filesharers fail to see their actions in a moral light and are unworried about the possible consequences of being caught. Effective enforcement, members of the content industries and academics alike noted, requires there being a 10% chance of being caught. As it stands today, enforcement techniques are limited by:

• judicial resources;
• lack of clear sanctions;
• failures in educations (i.e. what does/doesn’t constitute infringing use);
• poor marketing campaigns;
• the use of generic, over specific, messages.

Emergent from this session it was evident that a key issue facing rights holders, and the advocates of rights holders, is the cultural and legal differences that impede uniform positions on copyright. In particular, differing nations adopt differing legal positions concerning downloading, uploading, the degree of criminality of file sharing, and so forth. One academic tried to make the boldfaced equation of copyright infringement and theft…it left him in a very hostile room, and arguably weakened the likelihood that his data will be adopted more widely into the literature.

In a panel where industry experts spoke of the harms caused by file sharing and counterfeit goods – damages ranging from 200 million pound a year, to 43 billion Euro lost in 2008, to equations of counterfeit with organized crime – a member of the audience asked: where is this money going? The thrust of the question was that consumers are choosing to allocate their monies to different areas of the economy, and so assertions that any economy was seeing a removal of monies is only true when economic sectors are seen in absolute isolation to one another. The complexity of the copyright environment, and its necessary interelation with a much more substantive socio-economic domain, should require the content industries to engage in holistic surveys if those surveys are to carry weight amongst critical audiences. Members of industry uniformally lacked such holistic surveys.

I sat in a panel on deep packet inspection – the draft of my paper that touches on deep packet inspection as it related to privacy and freedom of expression has been made available – alongside Klaus Mochalski of Ipoque and Paul Polanski, Director of Electronic Publishing for C.H. Beck Publishing. Klaus noted the capacities of Ipoque’s equipment (and inability for DPI to be used for totally effective inline copyright filtering) and Paul the problems surrounding ISP liability that arise when DPI is used for copyright enforcement purposes. Both were excellent speakers, and all three of us recognized the dangers that DPI threatens to pose for essential liberties in constitutional democracies. On a more personal note, it’s moderately disconcerting about speaking to Brits about the value of privacy, and harms of surveillance, and it felt nice to try and articulate the position that constitutional rights are more important than copyright. The latter position, in particular, wasn’t well received by representative of the content industry in the audience, but was certainly something that needed to be said more regularly than emerged over the course of the conference.

Arguably the most heated session I attended was the last session of the conference, the three strikes panel. It drew together academics, an ISP representative, copyright holder advocates, authors, and a member of the Pirate Party. There was an almost all out assault on the controversial sections of the UK’s Digital Economy Bill, with Richard Mollett of BPI (yes, that Richard Mollett) becoming the punching bag of the panel and audience. Mollett is the directory of policy for BPI and was clearly used to working in hostile rooms, but the vitriol was between members of the panel was particularly thick. Vanessa Mortiaux, Senior Legal Counsel for Orange, made very explicit that Orange was entirely against any requirement that ISPs monitor for copyright enforcement. To the detriment of the panel, however, there was almost exclusive focus on the Digital Economy Bill, to the point where the broader issue of three-strikes was largely implicit, rather than explicit.

Overall, the conference was excellent. It drew together academia, industry, and civil society in productive ways, though largely absent were the actual content creators we were so often speaking about. Consumers were (I would suggest) well represented by the consumer groups and large division of the Pirate Party (local UK, Swedish, and EU levels being represented) present at the conference. I was, however, largely disappointed with attempts to shuffle copyright from an economic privilege to a moral right and the commonly espoused unwillingness to think through the potential harms that threaten to follow from further augmentations of copyright ‘protection’. Admittedly this speaks to my own personal interests – I’m insatiably curious about how economic privileges threaten to upset and disembowel constitutional protections given my own academic background – but also to a culture of what might be called ‘copyright blindness’, where copyright blinds us to the larger issues at play in the copyright debates.

Depressingly, it isn’t that my position is unique or shared only by a handful of people; informally most academics and academically-trained people that I spoke with at the conference were in agreement that the potential harms of copyright must be carefully, and seriously, considered. Publicly, however, this worry and accompanying strong language demanding a rethink of the present copyright regime was largely absent from conference presentations. There were only a few strong voices addressing copyright in light of the larger social good, and while they were (arguably) positive beacons it would have been nice to have much of the ‘informal’ consensus be more formally presented to rightsholders and other members of the conference. Having said this, generally the research presented was well-rooted in rigorous methodological techniques, and perhaps this research might be adopted and leveraged by policymakers in their ongoing engagements with copyright, content producers, and the public. My expectations, however, are less positive: I fear that the work of the COUNTER research project will remain sheltered in academia, sequestered from the public, and consequently ineffective in reshaping the copyright debacle in but the most limited of fashions. Hopefully this is a case where academia can successfully puncture the academic/public divide and breech the public policy debate, but I’m not holding my breath.

Other posts you might be interested in:

1. Universities Struggle to Cope with Anti-Piracy Requirements
2. Draft – Deep Packet Inspection: Privacy, Mash-ups, and Dignities
3. Thoughts: Deep Packet Inspection and Copyright Protection

This is a draft of the paper that I’ll be presenting at the Counter: Piracy and Counterfeit conference in Manchester in a few days. It’s still rough around some edges, but feels like a substantial piece. Comments, as always, are welcome.

Abstract: Privacy operates as an umbrella-like concept that shelters liberal citizens’ capacity to enjoy the autonomy, secrecy, and liberty, values that are key to citizens enjoying their psychic and civil dignity. As digitisation sweeps through the post-industrial information economy, these same citizens are increasingly sharing and disseminating copywritten files using peer-to-peer file sharing networks. In the face of economic challenges posed by these networks, some members of the recording industries have sought agreements with Internet Service Providers (ISPs) to govern the sharing of copywritten data. In Britain, file-sharing governance has recently manifested in the form of Virgin Media inserting deep packet inspection (DPI) appliances into their network to monitor for levels of infringing files. In this presentation, I argue that ISPs and vendors must demonstrate technical and social transparency over their use of DPI to assuage worries that communications providers are endangering citizens’ psychic and civil dignities. Drawing on recent Canadian regulatory processes concerning Canadian applications of DPI, I suggest that transparency between civil advocacy groups and ISPs and vendors can garner trust required to limit harms to citizens’ psychic dignity. Further, I maintain that using DPI appliances to detect copyright infringement and apply three-strikes proposals unduly threatens citizens’ civil dignities; alternate governance strategies must be adopted to preserve citizens’ civil dignity.

Download paper

Other posts you might be interested in:

1. Draft: What’s Driving Deep Packet Inspection in Canada?
2. Deep Packet Inspection and the Confluence of Privacy Regimes
3. Background to North American Politics of Deep Packet Inspection

I’m composing the beginning of this article to the sounds of Girl Talk’s ‘Like This’ from his Feed the Animals album. His artistic technique is to take very short samples from a variety of artists – twenty-nine samples are taken in the three minutes and twenty-one seconds of ‘Like This’ – and remix the work to create entirely new songs.[i] He isn’t a DJ but a self-described musician of the digital era, and when his work was presented to Marybeth Peters of the US Registrar of Copyrights she recognized that his music was amazing. She also recognized it was likely illegal, and the fact that his own creativity clearly imbued his creations offered no defense against copyright infringement: “You can’t argue your creativity when it’s based on other people’s stuff.”[ii] This position is mirrored by Barry Slotnick, head of the intellectual property litigation group at Loeb & Loeb, who has stated that “[w]hat you can’t do is substitute someone else’s creativity for your own.”[iii] Girl Talk’s work is recognized as amazing and creative, even by defenders and advocates of the present copyright regime, but is still questionably legal (at best). Feed the Animals is a popular album that pulls together anthems of pop culture, and its artist has been used as a defender of copyright reform movements,[iv] but it is only one item in a rapidly developing and emerging ‘mash-up’ culture that draws together existing cultural artifacts to in the creation of a recombinant digital culture.

Rather than stepping into the technical (il)legalities of mash-ups in any depth in this article I engage with mash-ups at a normative level. I aim to construct a normative argument for the cultural value of mash-ups, recognize some issues concerning expressive and cultural dignity that emerge alongside the ubiquitous surveillance and censorship of mash-up data traffic that may be identified as ‘infringing content’, and offer both a practical and a political solution to alleviate surveillance dangers and secure our emerging digital culture. To this end, I first outline the importance of mash-up culture, and then proceed to sketch a set of dignities that citizens in Canada (and other Western countries) should be able to expect in the digital domains they routinely roam in: citizens should be meaningfully able to possess expectations of contextual privacy and engage in civil expressions in domains of digital hybridity. It is with the shift to previously implausible ubiquitous digital surveillance and control systems, such as deep packet inspection, that Western citizens are again forced to worry about their privacy and expressive capacities in communal, rather than merely individual, senses. Accompanying this surveillance and control system is the threat of chilling speech, limitations of civil expression, and infringements on the possibilities of innovation. The technical structures that wait for copyright infringement should not be permitted to threaten innovation, criminalize otherwise routine communication, or undermine cultural development and experimentation without a full and transparent discussion of the costs such infrastructure could pose to the emergence and development of Western cultures, states, and citizenries.

To this end, I argue that there is a need to moderate the legal considerations of copyright, perhaps by adopting a hardware tariff model or developing distinctions in what constitutes infringing use. This will alleviate the demand to use technologies such as deep packet inspection for copyright enforcement, but is insufficient to genuinely alleviate the more general threat to civil dignities posed by these ubiquitous digital surveillance instruments. To better secure civil actors from the threats posed by these instruments there must be increased transparency surrounding digital networks, insofar as both vendors and Internet service providers must be required to disclose to the public, and its civil advocates, the technologies under development/in use, motivations driving development and usage, and modifications that are made to already deployed systems.

Why Mash-Up Matters

The public domain operates as the basis “for our art, our science, and out self-understanding. It is the raw material from which we make new inventions and create new cultural works.”[v] The public domain is from where the majority of our culture emerges from, and in the face of an ever-extending capture of the public domain by the advocates of strong copyright reform mash-up artists and citizens have taken to the ‘net to (re)generate their cultural heritage. Mash-up matters because it’s the beachhead upon which (dominantly) youth are mounting their critiques about the current legal conditions of their cultural existence. Mash-up matters because if the dogs-of-law do not release this mode of cultural formation from their jaws, then the equivalent of the future’s jazz and rock-and-roll will be criminalized, and the electronic culture of the future put in jeopardy. Mash-up matters because it can be read as the exemplar of the praxis of digitality itself.

Digital technology facilitates the engagement with culture in a massive way. Whereas folk and jazz music alike historically saw relatively small groups coming together to ‘remix’, or modify, add, and subtract, pieces of the music, the Internet has given today’s equivalent of folk and jazz musicians a global audience. There is, however, a clear difference between those musicians that used non-digital instruments and those using laptops, Garageband, and electronic keyboards; the former were limited in the acquisition and distribution of cultural artifacts, whereas the globe is the limit for the former. Lawrence Lessig, Paul Virilio, and Matt Mason recognize that there has been a shift in the speed and virtuality of informatic-creation, movement, and communication. In his recent book Remix, Lessig argues that there is a kind of ‘Read-Only’ culture – one where citizens could only purchase and enjoy culture in relatively static ways – and ‘Read-Write’ culture – a cultural situation where citizens modify and freely exchange new cultural creations.[vi] In the former, culture retains its agency by refusing to let the audience engage with the work itself to unlock its creative possibilities. Expensive equipment or highly specialized training was required to take up film, music, and similar ‘technical’ arts to creatively engage with the material itself in a way that directly copied and implicated the content itself in the development of new cultural artifacts. In the latter situation, culture’s agency becomes shared between the artifacts and those engaging with it: culture becomes ‘active’, as it was in the heydays of folk and jazz music.

In his discussion of the globalization of communications networks and the heightening velocities of contemporary technologies, Virilio ominously writes that we understand nothing of the information revolution, nothing of digitality itself, unless we recognize that it “ushers in, in purely cybernetic fashion, the revolution of generalized snooping.”[vii] With the shift toward ever-increasing standardization of the digital ecosystem – manifest in Internet’s technical architecture in the TCP/IP protocol suite, standardized ‘content containers’ such as JPEG, MP3, AVI, and uniform modes of measurement and signature analysis – comes the capacity to monitor, control, and mediate the objects enclosed in such standardized containers. Simultaneously, there is a division of object, a mass multiplication and exponential enumeration of such objects given that “data objects are nothing but the arbitrary drawing of boundaries that appear at the threshold of two articulated protocols.”[viii] Protocol, the medium binding and delivering cultural artifacts, functions as an instrumental or technical addition, as a necessary element of control that rests upon and frames the playful capacities inherent with digital cultural expression. The protocol that facilitates the playful engagements of youth with their culture simultaneously establishes the mesh within which their cultural artifacts can be scanned, probed, analyzed, and censored.

The search for control over intellectual creations maps onto the logic of perfect control annunciated by James Boyle: there is an argument, routinely touted by copyright holders, that the strength of intellectual property rights must vary inversely with the cost of copying to ensure a vibrant for-profit cultural environment. He calls this ‘the Internet Threat’, the stance that “without an increase in private property rights, cheaper copying will eat the heart out of our creative and cultural industries.”[ix] It is (partly) in reaction to the Internet Threat that Mason examines the effects of the rapid development of the digital ecosystem, and digitality’s potential to enable citizens to engage with cultural artifacts new and novel ways. As we will revisit, shortly, it is the Internet Threat that leads deep packet inspection equipment to be purposed to secure intellectual property.

A clear result of the digitization of cultural artifacts has been the near-instantaneous delivery of cultural content to meet the desires of particular individuals. This is most evidently manifest with Napster’s explosion onto the digital scene, which subsequently lead to the branding of filesharers as pirates. Instead of seeing pirates as the doom of culture, Mason asserts that “[p]irates highlight areas where choice doesn’t exist and demand that it does… this mentality transcends media formats, technological changes, and business models.”[x] A component of transitions to digitality, in particular, entail the ability to enjoy and develop culture through ‘remixing’.  Remixing “is about taking something that already exists and redefining it in your own personal creative space, reinterpreting someone else’s work your way . . . It’s about shifting your perception of something and taking in other elements and influences . . . your originality should outshine the borrowed elements, or at the very least, present them in a new light. A good remix adds value to something.”[xi] In the language of generating cultural artifacts, this means that with the emergence of a new set of tools (cheap, yet technically sophisticated computer software and accompanying cheap, yet powerful, computer hardware) and new communications mediums that realign ‘personal creative space’ with YouTube, the youth of today have begun ‘editing out’ their own cultural commons. The challenge they face can be put thusly: the public domain and the relative anonymity provided in a world of analogue search-and-lawsuit practices are being dissolved in the face of legally driven protocological conflict. Without access to the public domain, without access to anonymity, youth and other participants in recombinant digital culture are under legally sanctioned siege, a siege that is criminalizing an outrageous percentage of the population.

To summarize, mash-ups matter because they can be seen as the resurgence of the past, of a time where individuals could take up and share the cultural artifacts they were immersed in. Mash-ups, in their massively available form, are presently made possible through the usage of contemporary computer systems; the systems of simulation that can be used to play video games, listen to music, and display YouTube videos are the same systems that encourage cultural generativity and massive instances of self-expression. Code can be, and is, taken from disparate sources, tinkered with, and subsequently emitted to the Web. This is an example of mash-up culture. Various musical albums that span various genres are recombined in fits of creativity to generate new conditions for cultural possibility. This constitutes a mash-up. Citizens draw pieces of video from music videos, news, advertisements, and government announcements to inscribe their own social, political, or banal commentary on the actions of the day. This too, is part of mash-up culture. Each of these three elements (of many more!) of mash-up culture play a role in defining how the digital generation will engage with their world; this generation has moved well beyond the recombination of words in blogging, to the recombination of the audio-visual facets of culture to transmute sterile corporate cultural artifacts into invigorated and vibrate artifacts endowed with cultural meaningfulness and life.[xii]

Next Section: As We Walk Into the Valley of the Shadow of Surveillance…

[ii] RIP A Manifesto, at http://www.nfb.ca/film/rip_a_remix_manifesto/

[iii] Steal This Hook? D.J. Skirts Copyright Law by Robert Levine, August 6, 2008. New York Times. Link: http://www.nytimes.com/2008/08/07/arts/music/07girl.html?pagewanted=2&_r=1

[iv] Pennsylvania Congressman Mike Doyle – member of the Subcommittee on Commications, Technology, and the Internet – has spoken highly of Greg Gillis (aka Girl Talk) in Congressional hearings. For more, see: http://www.rollingstone.com/rockdaily/index.php/2007/04/27/why-one-congressman-wants-you-to-borrow-more-music/

[v] Boyle, James. (2008). The Public Domain: Enclosing the Commons of the Mind. P 39.

[vi] Lessig, Lawrence. (2008). Remix: Making Art and Commerce Thrive in the Hybrid Economy.

[vii] Virilio, Paul. (2005). The Information Bomb. P. 62. Emphasis from text.

[viii] Galloway, Alexander. (2004). Protocol: How Control Exists After Decentalization. P 54.

[ix] Boyle, p. 60.

[x] Mason, Matt. (2008). The Pirate’s Dilemma: How Youth Culture is Reinventing Capitalism. P. 46

[xi] Mason, Matt. (2008). The Pirate’s Dilemma: How Youth Culture is Reinventing Capitalism. Pgs. 71, 81, and 83. Emphasis added.

[xii] Something about Adorno and the culture industry

Other posts you might be interested in:

1. Draft – Deep Packet Inspection: Privacy, Mash-ups, and Dignities
2. Will Copyright Kill eHealth?
3. The Role of Digital Surveillance in Stopping the Past’s Rebirth

What we see less of in the eHealth debate are the prevalent dangers accompanying threats to cut citizens off of the ‘net as a consequence of copyright infringement. It’s this issue that I want to briefly dwell on today, in part to start ramping up some thoughts on the wide-ranging effects of three-strikes laws that are starting to be adopted and/or seriously discussed in various jurisdictions around the world.

To give an overview, three-strikes laws in the copyright context are generally presented as a way of curtailing copyright infringement. Often acting under the assumption that a downloaded copy of a file is the equivalent of a lost sale, major content and rights holders insist that they are losing billions of dollars per year to Peer to Peer (P2P) filesharing. While I will note that this is a relatively insane equivalency (it is largely like arguing that every person who opens a book in a bookstore, reads it for about 10 minutes, and then puts it down constitutes a ‘lost sale’ – for more on this read Doctorow’s Ebooks: Neither E, Nor Books), there are lots of great articles you can read that deal with this issue and so I’m not going to dip my feet into that argument here. You might ask how it is possible to identify copyright infringing work, and one of the ways of doing so is through specific implementations of Deep Packet Inspection (DPI) appliances by Internet Service Providers (ISPs). Virgin Media is trialling a system that will generate a copyright infringement index (though won’t identify particular individuals who are infringing on copyright) and DPI vendors such as iPoque have already produced equipment that is designed to identify infringing file transfers in realtime.

Three-strikes laws have a common, general, format: after an individual is found, or believed to have been found, infringing on copyright three times they are forcibly disconnected from the Internet by their ISP either at the behest of the government or content holders. The particular legal structure that facilitates these ejections from the Internet differs – sometimes there is a presumption of innocence and requirement that infringing use is proven, whereas in other systems accusations alone suffice – but the common end is the same: during an era when broadband is seen as a key to performing job searches, gathering academic research, developing knowledge about our illnesses, and discovering new cultural artifacts, copyright holders want to insist that their intellectual property rights should be foregrounded and other social goods put to the back of the line.

This bring us to the question posed by this post’s title: “Will copyright kill eHealth?” What happens when, after investing billions of dollars in ‘revolutionizing’ the current health system so that individuals are ‘empowered’ to access their health records, governments and their citizens realize that they are in a digital wasteland, where accessing health records is dependent on good copyright-related behaviour? When I’m tasked with absolutely securing my wireless network so that a war driver can’t access my network and download some pop track, does this mean that I should sign up for expensive third-party services to guarantee access to my ‘newer and better’ health records and other government services? To alleviate these anxieties, perhaps I’ll be able to pay a small monthly fee to my ISP and they will, on my behalf, block anyone on my network from accessing potentially copyright infringing work from non-sanctioned repositories so that I can participate in the new digital economy.

I’m not suggesting that health authorities are necessarily experts in areas of copyright, network management, network surveillance, or data transactions. Typically, they’re not, and citizens don’t expect their M.D. to understand the ins and outs of file transfer protocols, file signature analysis, or data packet analysis. While I’ve suggested (recently, no less) that it is important to consider the particular impacts of certain ‘high-functional’ technologies, such as deep packet inspection, we do still need to step back occasionally and think of some of the possible impacts that high-functioning technologies and the surrounding basin of law might have on the delivery of core, newly digitized, government services. I don’t want to live in a world where my ISP has a real market incentive to ‘sell’ me the equivalent of copyright-infringement ‘insurance’ on a monthly basis so that I can view the digital records that governments and corporations retain about me. I actually don’t think that ISPs want to live in this world either; in such a world they would be placed in a position of liability upon failing to prevent me from accessing infringing material! It’s because of the wide-ranging possibilities of network intelligence and the laws around it that research into network intelligence and security is so interesting – with the Western transition to the digital, and the ability to watch and impact digital flows, the role of the ISP will only become more and more significant to citizens’ daily lives.

Who can we turn to in the event that some kind of a three-strikes law becomes manifest in a Canadian context? It’s entirely possible that the inspection of data flows for copyright infringing material might be ‘privacy protective’ – privacy might be built into the infrastructure by design per the governing ethos of the Information and Privacy Commissioner of Ontario – and this suggests that the language of privacy may be insufficient to really limit the challenges of any three-strikes law. I have similar worries about the ability for consumer protection laws to effectively limit the negative consequences of a three-strikes law (though Canada does have one of the world’s forefront copyfighter’s on the people’s side), and if we require judges to hold real cases before individuals have their digital lifelines terminated then court costs over what are (likely) just people ‘browsing content’ will be exorbitant. The transition to electronically delivered content has (supposedly) been devastating for how the major content owners have been able to turn profits, but we need to go further than just say they need to develop better models instead of suing people. We need to ask this: should government be developing laws the prop up questionable current-day business models at the potential expense of wasting billions in public infrastructure upgrades, or should government be taking a longer view of things and start siding with both citizens and their own allocation of infrastructure dollars? I worry that if government doesn’t more prominently side with themselves and their citizens, we’ll see eHealth and other eGovernment ventures die under the knife of copyright reform and protection, and that would be a tragic shame and absolute waste of citizens’ tax dollars.

Other posts you might be interested in:

1. Update to Virgin Media and Copyright DPI
2. Virgin Media to Monitor Copyright Infringement
3. Copyright and the Blank Media Levy

The story about Detica’s involvement really broke with Chris Williams’ piece over at the Register entitled, “Virgin Media to trial filesharing monitoring system.” In the piece, he recognized that the trial will encompass roughly 40% of Virgin’s customers, that the aim is to measure overall levels of filesharing rather than identify individual customers, and (at least initially) will focus on music. After I read the piece, I send some questions off to Detica and posted them (“Virgin to Use DPI to ID Copyright Infringement“) based on my reading of Williams’ piece and Detica’s consultation paper, and shortly thereafter followed up with Detica’s responses and thoughts on CView and privacy infringements (“Update to Virgin Media and Copyright DPI“). Between the posting of my questions, and the response from Detica, Richard Clayton had a meeting with representatives from Detica and posted the information they released to him over at Light Blue Touchpaper in a posting “What does Detica Detect?” The Register was also able to get face time with people working at Detica, leading Williams to produce his second piece “Spook firm readies Virgin Media filesharing probes.”

In the rest of this post, I want to pull together the information that has come to light so that we can get a better picture of what is known about CView. As such, this is very much a summary rather than an analytic post; hopefully I’ll have time to delve the information more critically in the near future.

How does CView integrate with the ISP network?

In the interview with Williams, Dan Klein of CView acknowledged that the CView appliances are expensive enough that ISPs are unlikely to purchase very many of them. The system,

starts by using fibre taps to pick off traffic from an appropriate part of the ISP network. They use a fibre tap rather than “port mirroring” to make it easier for the ISP to be sure that they won’t disrupt any traffic. The links that they monitor need not be carrying all of the ISP’s traffic — they merely hope that it will be a statistically significant sample.

The raw traffic is then sent to the CView box, which can handle multiple 10Gbit links. The first stage of processing is in hardware (FPGAs), then software takes over. The “external” endpoint identity is discarded and the “internal” identity is encrypted using a key that is not made available outside the box (ie: the intent is to make the customer “anonymous” but to be able to link different activity from the same source). (“What does Detica detect?“)

Put in other words, the Detica CView system engages in a passive, offline (as opposed to inline) analysis – the traffic is split (i.e. mirrored) from the ISP network so that consumers don’t experience any meaningful impact on their speed, if any impact whatsoever is even felt.

What does CView detect?

The Register, in their December 7, 2009, article revealed that eDonkey, Gnutella, and BitTorrent were the protocols that were to be inspected by the CView. At the moment, the appliance is geared to examine for music files, but the original Register piece raises questions of whether or not it will necessarily be limited to just music files in the future.

How does CView perform detections?

After splitting the traffic into the CView appliance, it examines data traffic to determine if data is being carried along one of the three aforementioned file sharing services. Even when encrypting your data traffic, it is often possible to identify the protocol used based on the cleartext data that precedes the encrypted flow. It should be noted that the most recent Internet Evolution test of DPI provided test results confirming this capacity to detected encrypted P2P flows. Detections are performed passively, out-of-line from the ISP’s traffic. When data traffic is identified as being P2P a content field is generated with the below information:

• the encrypted (and thus anonymised) customer identity
• the type of P2P protocol
• the content identifier value
• the file size
• a timestamp

Where the P2P flow is encrypted, while a record is generated no data can be entered into its fields. In addition to this information, the CView appliance will generate an ‘acoustic fingerprint’ from the file – this is, perhaps, the ‘content identifier value’ that Clayton notes? – and then passes this information along to a separate statistics box that will identify whether the P2P file is copyright infringing.

What about anonymity?

Of course there are worries that a system like CView could be used to rapidly identify the copyright infringers that are operating on a particular ISP’s network. Given the information provided by Detica, the company certainly is trying to secure the anonymity and identificatory privacy of ISP customers. Specifically,

IP addresses are anonymized at the source/DPI device using a pseudo-random replacement algorithm, which also entails ignoring the external IP addresses. The key generation system is managed automatically by the device (and thus an ISP can’t muck around with the system), and keys are periodically cycled and redistributed. The keys are never made available outside of the device, and once a set of keys for a given time period are discarded they cannot be recovered – the process is irreversible. On this basis, we can argue that no subscriber ID is associated with the randomized replacement algorithm, there is no way to associate a subscriber ID with the pseudo-random number after the fact, and as such the anonymization system should serve its purpose. (“Update to Virgin Media and Copyright DPI“)

Richard Clayton maintains, as I do, that CView is employing DPI in a manner that addresses individual privacy and data protection concerns though is mindful of the possible RIPA issues. Specifically, he writes:

I should also address (especially given the huge fuss over Phorm) the rather important question as to whether the system is lawful to operate? Please note thatIANAL, but I’ve studied their writings in this area a fair bit…

The design as explained above seems to address issues of privacy and data protection (amalgamating statistics and discarding identifiers is a sound technique for jumping these hurdles). But there is then the vexed question of illegal interception. The system does “wire-tapping”, that’s obvious, but the criminal offence is called “interception” and that is carefully defined within the Regulation of Investigatory Powers Act 2000. I expect that Detica would wish to argue that there is no interception because no content is seen by any humans… however, spitting out the file identifier might in itself be sufficient to infringe. It may take some case law before anyone can say for sure. (“What does Detica detect?“)

It will be interesting to see whether or not CView faces the same calibre of public outrage as Phorm did; Phorm ran up against Alexander Hanff (amongst others) but Hanff has recently noted his inability to work as a privacy advocate ‘full time’ this round as he did against Phorm. Admittedly, I see Phorm as engaging in different activities as Detica, but the emphasis often placed against Phorm (as I read things) was DPI first, and behavioural advertising second. That might, admittedly, be a coloured reading on my own part. Regardless, I’m sure that Detica’s PR staff is breathing some small sigh of relief that they won’t be dealing with Hanff full-time.

What is the utility of CView to ISPs?

Detica is promoting CView as a way for ISPs to establish an ‘index’ of copyright infringements. As noted by the Register,

Perhaps most importantly, at least at first, CView will measure how the overall level of copyright infringement via peer-to-peer networks responds to Lord Mandelson’s letter-writing campaign. If the Digital Economy Bill is passed in what remains of this Parliament, those observed by rights holder groups sharing copyright material could start receiving statutory warnings in the post from their ISP as soon as April.

A year later a system of “technical measures” – bandwidth restrictions, blocked protocols and disconnections for the most persistent – imposed on ISPs by Ofcom, is likely to follow. If successful in trial, CView will allow Virgin Media to monitor how its customers respond to the regime, although it will not be involved in idenfiying infringers. (“Spook firm readies Virgin Media filesharing probes“)

Richard Clayton notes that it might be the case that a small number of files might be ‘incorrectly’ identified as infringing, but such identifications are likely small enough to be inconsequential. The worry, of course, is that minor tweaks might turn CView into a “first-class monitoring system” that can be used to identify and target individual users. While an injunction would be required for this, the pushes for such injunctions in the EU mean that this is something that must be kept in mind, even though UK media conglomerates have not previously sought such injunctions.

What isn’t (totally) clear to me

I think that we’re developing a pretty good understanding of what the Detica system entails, as well as its characteristics ‘out of the box’. I’m still unclear about how the ‘audio fingerprints’ are taken – I assume (based on Occam’s razor) that based on what has been released to Richard that hash-based, rather than fingerprint-based, methods of analysis are being performed but can’t be totally certain. (Note: fingerprinting can be used to detect infringement where only a fragment of a file is identified as infringing, as in a mashup that includes a second or two of a song, whereas a hash-based analysis would only examine the totality of the file, as in a .mp3 file of Madonna’s ‘Like a Virgin’.)

The other, fairly major, element that isn’t clear is just how easy it is to ‘tweak’ the CView system as Richard suggests is possible. If we’re talking about a firmware update, that’s a fairly low cost with potentially very major functionality changes to the device, and would run counter to the assurances provided by Detica to Richard, the Williams, and myself that the system is designed to provide anonymity. On the other hand, if it would take a hardware modification, then the infrastructure, manpower and capital expenditure costs to ‘upgrade’ the device might alleviate the drive for ISPs to implement a genuinely granular user-identification system. Function creep with these devices, of course, is a real worry – it would be great for Detica to clarify how these ‘tweaks’ are technically possible as part of their ongoing efforts to be transparent.

Other posts you might be interested in:

1. Update to Virgin Media and Copyright DPI
2. Virgin Media to Monitor Copyright Infringement
3. Draft – Deep Packet Inspection: Privacy, Mash-ups, and Dignities