ISP Audits in Canada

There are ongoing concerns in Canada about the CRTC’s capacity to gauge and evaluate the quality of Internet service that Canadians receive. This was most recently brought to the fore when the CRTC announced that Canada ranked second to Japan in broadband access speeds. Such a stance is PR spin and, as noted by Peter Nowak, “[o]nly in the halcyon world of the CRTC, where the sky is purple and pigs can fly, could that claim possibly be true.” This head-in-the-sand approach to understanding the Canadian broadband environment, unfortunately, is similarly reflected in the lack of a federal digital strategy and absolutely inadequate funding for even the most basic governmental cyber-security.

To return the CRTC from the halcyon world it is presently stuck within, and establish firm empirical data to guide a digital economic strategy, the Government of Canada should establish a framework to audit ISPs’ infrastructure and network practices. Ideally this would result in an independent body that could examine the quality and speed of broadband throughout Canada. Their methodology and results would be publicly published and could assure all parties – businesses, citizens, and consumers – that they could trust or rely upon ISPs’ infrastructure. Importantly, having an independent body research and publish data concerning Canadian broadband would relieve companies and consumers from having to assume this role, freeing them to use the Internet for productive (rather than watchdog-related) purposes.

Do Businesses Need Broadband Reassurances?

In a word: yes.

In 2009 the CRTC released a traffic management decision that clarified how, when, and why ISPs in Canada could impede data traffic. In their decision, the CRTC made it clear that when ISPs impede data traffic for network management purposes, the following conditions must first be met:

  • demonstrate that the management is designed to address a need and achieve the purpose and effect in question, and nothing else;
  • establish that the management practice results in discrimination or preferential treatments as little as reasonably possible;
  • demonstrate that any harm to a secondary ISP, end-user, or any other person is as little as reasonably possible; and
  • explain why, in the case of technical management techniques, network investment or economic approaches alone would not reasonably address the need and effectively achieve the same purpose as the technical management techniques.

As part of the decision, individuals, rather than the CRTC itself, are responsible for bringing complaints about inappropriate uses of technical systems to impede data transmissions. The onus is on consumers to identify discriminatory behaviours, but from their position as clients of a network they are ill-positioned for detailed network analysis. Clients lack access to information about how specific nodes or elements of the network are configured or provisioned, whether an ISP is testing a new rule set, or if something beyond the ISP’s power is responsible for apparent traffic discrimination. As a result, asking clients to hunt for network discrimination, and positively ascribe the behaviour to the ISP, bears close resemblance to blind men feeling an elephant and trying to determine what they are touching.

It would appear, however, that if enough people feel the telecom elephant they will start to detect service irregularities. Over the past year academics, journalists, and members of the public have questioned the effectiveness of the CRTC’s enforcement of their traffic management decision. Such questions have arisen in light of complaints concerning the throttling of particular applications’ data traffic. In December 2010 qualitative analysis of crowdsourced findings demonstrated that one ISP, Rogers Communications, had refused to correct overbroad discrimination of customers’ traffic for months. To this date, Rogers has not fully corrected the problems that they themselves introduced when updating elements of their network infrastructure. Further, an access to information request that was filed by Michael Geist revealed that most of Canada’s largest ISPs have violated the CRTC’s decision. While those who have filed complaints that are technically rigorous should be congratulated, it must be recognized that consumers’ position in the network makes it hard to troubleshoot problems; delays could originate from slow web servers, poorly configured home or business routers, misconfigured routing equipment beyond the ISP’s own network, environmental conditions, or an ISP’s discriminatory routing system.[1] Given the range of possible sources of problems, a well-resourced party needs to conduct audits and evaluate Canadian networks using well-tested and peer-reviewed methodologies. Further, such a party needs to be able to examine large data-sets of broadband traffic to draw conclusions concerning how the network operates in aggregate; consumers cannot conduct such wide-based analyses and so may inappropriately ascribe a local problem to a network-wide issue or vice versa.

Our Closest Allies Audit

Audits should see a government body independently gather data about ISP networks to guarantee that customers are receiving the services promised. Further, such audits should evaluate whether ISPs are complying with federal regulations. Some of our closest military and economic partners, such as the United States of America and the United Kingdom, see their telecommunications regulators evaluate mobile and wireline data networks for both speed and quality of broadband connections. The Federal Communications Commission (FCC) in the United States heavily relies on peer-reviewed tools in their data gathering as well as tests by private enterprise, carried out under the United States’ National Broadband Plan, and Ofcom in the United Kingdom has developed analysis systems in partnership with private enterprise.

In both nations, government regulators have adopted rigorous and methodologically consistent techniques to evaluate whether ISPs are meeting consumer expectations. These tools could, with slight reworking, also evaluate the impact of traffic management systems on the delivery of data to customers. Importantly, both nations’ regulators are using independent data to evaluate the claims made by the ISPs that they are responsible for overseeing. In Canada we lack such independent sources of information and are instead largely reliant upon ISPs themselves to self-disclose network information, typically in confidence to the CRTC, or upon national news organizations to conduct investigations and analyses. The non-publicity of ISPs’ own data points prevents independent validation of self-disclosed information, and without a methodologically rigorous public compilation of data there is nothing to cross-reference self-disclosed information against.

What Might Canadian Audits Include?

The unjustified discrimination of data traffic may not be evident to all consumers, especially when they lack the skills associated with digital literacy to even register the occurrence of bandwidth or application discrimination. Without solid training, many people resort to subjective ‘smell tests’. This approach to identifying whether discrimination is occurring does not contribute to evidence-based, empirically sound complaints systems or policy responses. We need an objective measurement system that indicates whether content discrimination is occurring, as well as whether network performance is subpar. Thus, audits should identify, monitor, and evaluate the appropriateness of ISP traffic discrimination and actual network functionality.[2] A division of the CRTC, Measurement Canada, or perhaps even the Office of the Privacy Commissioner of Canada, might conduct such audits. The principles underwriting any audits should parallel those underscoring the recently passed Fairness at the Pumps Act. A host of variables should be included in wireline and wireless tests, with a few including:

  • Promised versus delivered speed, per day, and across different popular protocols and by geographic location;
  • Jitter;
  • Latency;
  • Network uptime;
  • Impacts of moving large volumes of data;
  • Whether traffic is throttled and whether throttling accords with CRTC and corporate policy;
  • Regularity of congestion on network nodes, tracked over time, and whether congestion persists after nodes have been upgraded.

Tests could include at least two data collection sources. There might be a web-based analysis, such as what is provided by Speedtest.net or other online speed evaluation services, as well as installation of either software on local computers or specialized routers capable of logging information about a customer’s broadband. Hardware analysis could mimic the approach taken by Georgia Tech and University of Napoli Federico, where firmware is made available to install on routers and other routers are distributed by request. Alternatively, we could adopt the hardware-based approach that SamKnows uses when they conduct tests in the United States or United Kingdom.
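To make the variables above concrete, the following added example (not part of the original article) shows how an auditor might reduce probe logs to per-region, per-protocol figures for delivered-versus-promised speed, latency and jitter, and flag a protocol that lags the others in the same region. The record layout, the sample values and the 0.5 threshold are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, median

# Constructed sample probe records (not real measurements):
# (region, protocol, promised_mbps, delivered_mbps, rtt_ms samples)
SAMPLES = [
    ("ON", "http", 25.0, 22.8, [18.2, 19.0, 18.5, 20.1]),
    ("ON", "http", 25.0, 23.5, [17.9, 18.4, 18.8, 18.1]),
    ("ON", "bittorrent", 25.0, 6.1, [18.7, 19.5, 18.9, 19.2]),
    ("ON", "bittorrent", 25.0, 5.4, [18.3, 18.8, 19.9, 18.6]),
    ("BC", "http", 15.0, 13.9, [31.0, 44.5, 29.8, 52.3]),
    ("BC", "bittorrent", 15.0, 13.2, [30.2, 47.1, 33.0, 49.8]),
]

def jitter_ms(rtts):
    """Mean absolute difference between consecutive RTT samples."""
    return mean(abs(b - a) for a, b in zip(rtts, rtts[1:]))

def summarize(samples):
    """Per (region, protocol): median delivered/promised ratio, latency, jitter."""
    groups = defaultdict(list)
    for region, proto, promised, delivered, rtts in samples:
        groups[(region, proto)].append(
            (delivered / promised, mean(rtts), jitter_ms(rtts)))
    return {
        key: {
            "ratio": round(median(r for r, _, _ in rows), 3),
            "latency_ms": round(mean(l for _, l, _ in rows), 2),
            "jitter_ms": round(mean(j for _, _, j in rows), 2),
        }
        for key, rows in groups.items()
    }

def flag_differential(summary, gap=0.5):
    """Flag protocols whose ratio is below gap x the best protocol in the region.

    A flag is a lead for the auditor to investigate, not proof of throttling:
    the cause may lie outside the ISP's network.
    """
    best = defaultdict(float)
    for (region, _), stats in summary.items():
        best[region] = max(best[region], stats["ratio"])
    return sorted(key for key, stats in summary.items()
                  if stats["ratio"] < gap * best[key[0]])

if __name__ == "__main__":
    report = summarize(SAMPLES)
    for key in sorted(report):
        print(key, report[key])
    print("needs review:", flag_differential(report))
```

Aggregating by region and protocol is what separates a network-wide pattern from a single customer's local problem, which is the distinction the article says individual complainants cannot draw.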

Audit to Encourage Trust

The Chairman of the CRTC recently stated that the CRTC’s highly technical complaints process means that customer groups, rather than customers themselves, should be responsible for filing complaints. He also asserted that the CRTC was uninterested in conducting audits in the absence of a pre-existing consumer complaint. In the absence of additional funding sources for these consumer groups it is inappropriate to expect them to establish nation-wide, technically intensive, monitoring stations. Further, even where complaints are lodged the Chairman has recognized that to effectively enforce regulations the CRTC requires the ability to levy administrative monetary penalties. The CRTC’s legitimacy is tarnished when individuals must conduct their own investigations while never expecting their investigations (no matter how well documented) to result in real disciplinary measures being meted out for bad corporate behaviour. Legitimacy could be restored by empowering the CRTC to levy fines and lifting the burden of conducting technical investigations from citizens’ shoulders.

While the CRTC does need the ability to assign penalties to encourage compliance with regulations, to determine whether penalties should be assigned we need a proactive audit approach that can evaluate the condition(s) of Canada’s digital networks. The independent body responsible for the audits should release yearly reports on the ‘State of the Canadian Internet’ so that consumers and businesses alike can understand the condition of the networks that undergird ICT-driven economic growth and democratic involvement.

An open, non-discriminatory Internet lets developers and entrepreneurs create new products, services, and engagement-types without first needing to secure permission from network providers or needing to independently search for non-publicized limitations imposed throughout the communications infrastructure. To help businesses, citizens, and consumers communicate and act online they should be free of the burden of monitoring for discriminatory behaviours on their own, and should be able to trust a third-party to guard against discrimination on their behalf. The CRTC has, to date, argued that they are not a third-party that is interested in proactively preventing discrimination and, even where they are faced with discrimination, cannot levy penalties to punish ISPs’ actions. As a result, we need an independent body to conduct proactive audits, to be funded sufficiently to carry out audits without having to sacrifice rigor for cost purposes, and to issue yearly reports on the state of Internet service in Canada. Either the independent body or the CRTC must then be able to punish network providers who are violating telecommunications regulations or misleading customers about the quality and speed of the broadband product that is being paid for.

Our closest military and economic allies go to the trouble of conducting audits of the digital networks that drive economic and civil growth. If we want to compete globally in the digital economy and develop a digitally integrated public sphere, then the Government of Canada owes it to Canadians to mimic the best accountability programs that exist in countries that are already aggressively pursuing ICT-driven economic and social growth. Doing anything less is simply irresponsible.

Book References

[1] David, Paul A. (2007). “Economic Policy Analysis and the Internet: Coming to Terms with a Telecommunications Anomaly,” in R. Mansell, C. Avgerou, D. Quah, and R. Silverstone (eds). The Oxford Handbook of Information and Communication Technologies. Pp. 148-167.

[2] O’Donnell, Shawn. (2001). “Broadband Architectures, ISP Business Plans, and Open Access,” in B. M. Compaine and S. Greenstein (eds.). Communications Policy in Transition: The Internet and Beyond. Pp. 35-57.

Christopher Parsons

I’m a Postdoctoral Fellow at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto and a Principal at Block G Privacy and Security Consulting. My research interests focus on how privacy (particularly informational privacy, expressive privacy and accessibility privacy) is affected by digitally mediated surveillance and the normative implications that such surveillance has in (and on) contemporary Western political systems. I’m currently attending to a particular set of technologies that facilitate digitally mediated surveillance, including Deep Packet Inspection (DPI), behavioral advertising, and mobile device security. I try to think through how these technologies influence citizens in their decisions to openly express themselves or to engage in self-censoring behavior on a regular basis.