Newmark vs. McCurry on net neutrality

Craig Newmark of Craigslist and Mike McCurry of "Hands Off the Internet" debate "Should the Net Be Neutral?" at the Wall Street Journal. I'm struck by a number of things that Newmark says:

Do you believe Yahoo should be allowed to outbid Google to slow down Google on people's computers? That's the kind of thing that the big guys are proposing.

In fact, nobody has proposed slowing down anything--the consumer broadband telcos have proposed adding new, higher-bandwidth physical circuits (fiber to the home) which contain virtual circuits dedicated to content with requirements for higher bandwidth and low latency and jitter, for which the primary application they have in mind is IP television. And they want to charge content providers to use those virtual circuits. Now, one can argue that dedicating bandwidth to new applications that content providers have to pay for will have a future consequence that Internet bandwidth will be consumed and not upgraded, leading to degradation for best-effort Internet services, but that requires argument to support the likelihood of that outcome in the face of competition from cable companies and wireless providers.

With all that empty fiber, bandwidth is not an issue. A bigger issue is that we're running out of [Internet protocol] addresses. The new net protocols, IPv6, address that, but the big telecoms are already very late implementing that. (Hey, I'm an engineer, and their engineers talk to me.)

Newmark is confusing Internet backbone bandwidth with last-mile consumer broadband bandwidth. I've addressed this confusion at length. BTW, IPv6 is rife with difficulties and not quite ready (or useful) for the average consumer, but my employer, Global Crossing, has been one of the first to make it widely available to its customers. (I run IPv6 on my home network via a tunnel to Global Crossing.)

No one's talking about "government lawyers and regulators engineer[ing] the future of the Internet," except, well, you, Mike. We're trying to prevent that, and trying to get Congress to maintain the level playing field we have right now, that the FCC just tried to ruin. We're just asking everyone to play fair.
...
I'm being completely straight: no one's interested in regulation in the sense you're thinking, we just want the existing level playing field to continue… Beyond that, we're not interested in mandating performance criteria, none of that stuff.
...
What we're looking for is just fairness, a level playing field, no regulation or stuff like that. In America we believe that if you play fair and work hard, you get ahead. We don't want the government to give special privileges to the big guys, particularly not at the expense of small business and consumers. We don't want more regulation and we don't need lawyers involved where the free market functions well. I guess we're for capitalism.

Here, Newmark is simply failing to recognize what's in the actual network neutrality bills in Congress, which have unintended consequences about how networks are engineered, what can be in acceptable use policies, what kinds of contracts network providers are permitted to enter into with their customers, and how they can charge for access to different services--rules that to date have not existed for Internet services.

Today, many Internet providers have acceptable use policies that prohibit spam, going beyond the requirements of the relatively weak federal CAN-SPAM law. Under all of the net neutrality bills I've seen, providers must permit customers to send or receive any "lawful content," which forces them to reduce their AUPs to the lowest common denominator of whatever is prohibited by law in the jurisdictions where they provide service. These bills prohibit providers in the United States from setting the conditions of contract with their customers regarding activities they consider abusive which are not codified in law. The "pink contract" would thus become a government mandate.

UPDATE: FCC Commissioner Michael Copps and U.S. Supreme Court Justice Clarence Thomas back up McCurry's statement in this debate that the FCC already has authority under Title I to prevent anti-competitive discrimination without the need for new statutory powers from Congress.

McCurry at the WSJ:

And doesn't the FCC have authority already (under Title I) to step in and act if necessary?

Copps:

The Federal Communications Commission has authority under current law to ensure that broadband-access providers -- currently mainly cable and phone companies -- do not discriminate against Web-based providers of content, search services and applications, FCC commissioner Michael Copps said Tuesday.

Thomas:

“The [FCC] remains free to impose special regulatory duties on facilities-based [Internet-service providers] under its Title I ancillary jurisdiction,” Justice Clarence Thomas wrote in National Cable & Telecommunications Association vs. Brand X Internet Services.

This means net neutrality advocates who support the bills in Congress don't think this is enough, and owe an explanation of specifically what powers they want to add to the FCC, what rules they want the FCC to make, and how those rules will be enforced.

Hillary Clinton and Net Neutrality

Adam Thierer of the Cato Institute expresses his bafflement over why people have such faith that instituting government regulations to enforce net neutrality will result in beneficial protection for free speech, when historically Congress has shown little support for the principle. He points out the irony of Hillary Clinton calling for net neutrality in the name of protecting free speech, when she has on multiple occasions called for and supported government restrictions on free speech, including on the Internet. She supported the Communications Decency Act, most of which was overturned by the U.S. Supreme Court as unconstitutional. She supports regulation of video game content. She pushed the V-chip.

Does anyone really believe that the regulated Internet Hillary Clinton wants to see won't ultimately result in any new restrictions on freedom of speech? Especially since the net neutrality bills propose giving regulatory authority over the Internet to the FCC, the same agency that is more aggressive at fining broadcasters for "indecent" content than addressing telemarketing fraud?

Yglesias on McCurry

Matthew Yglesias, covering for Joshua Micah Marshall at Talking Points Memo, writes of Mike McCurry's battle with bloggers over net neutrality:

People disagreed with McCurry about the net neutrality issue because people disagree about issues. People got so mad at him precisely because of this kind of patronizing attitude. He was peddling flimsy arguments as if it never occurred to him that the blogosphere is full of people who know a lot about the internet and could handle a grown-up argument (see a non-flimsy, though ultimately unpersuasive, anti-neutrality piece if you're interested).

One of the most neglected aspects of the blogosphere, in my opinion, is that precisely because it's (mostly) composed of people who aren't professional journalists, it's composed of people who are professional doers of something else and know a great deal about what it is they "really" do. Consequently, the overall network of blogs contains a great deal of embedded knowledge. The consensus that emerges from that process can, of course, be mistaken but even though the most prominent people expressing that consensus may not be experts in the subject at hand (the most prominent bloggers tend to be generalists), the consensus will almost always be grounded in some kind of well-informed opinions. If you want to push back on that, in other words, you'd better know what you're talking about and not treat your audience like a pack of mewling children.

While I agree that McCurry was occasionally patronizing in what he posted, at least he hasn't gotten his facts as wrong as Matt Stoller at MyDD, Adam Green at the Huffington Post, the "Save the Internet" Coalition, or Art Brodsky at Talking Points Memo. These guys don't know the difference between net neutrality and common carriage, don't understand who or what common carriage applies to, don't understand how or why network service providers interconnect, don't understand the utility and current uses by providers of QoS, don't understand the unintended negative consequences of bills like HR 5417, and have a naive faith that the FCC will act only as a force for freedom and goodness.

The fact is that most of the material being posted by bloggers in favor of net neutrality regulation is by people who are not experts in how the Internet works--while there are certainly advocates of net neutrality among those who operate Internet networks (and I myself am supportive, with qualifications, of the four principles in the FCC policy statement), my perception is that most of them favor keeping government out of it as much as possible and agree with the additional six principles advocated by McCurry's organization, "Hands Off the Internet."

Misinformation from "Save the Internet"

The little cartoon movie from "Hands Off the Internet" (an organization funded by member organizations that include major telcos and equipment vendors) has led to a response from "Save the Internet" (advocates of net neutrality funded by MoveOn.org and others).

"Save the Internet" claims that the cartoon is "a clever piece of industry propaganda that is riddled with half-truths and outright lies." It then quotes a few passages from the cartoon and offers responses. Unfortunately, it is "Save the Internet"'s response that contains misinformation, and it fails to point out any alleged lies.

In what follows, I'll quote directly from the "Save the Internet" response (including the quotes from the "Hands Off" cartoon they are responding to) and then respond to each point.

The big telecom companies say: "Is the Internet in Danger? Does the Internet need saving? It keeps getting faster. We keep getting more choices."

The truth: Right now AT&T and others want to take away your choices and control what you can do and watch online. They're on their best behavior while trying to convince Congress to hand over the Internet. But if their high-priced lobbyists get their way in Washington, the Internet as we know it will be gone. Network Neutrality has always curbed the control of the network owners, invited competition and encouraged innovators. It's what made it possible for entrepreneurs and creative thinkers to prosper online. None of the big ideas that made the Internet the innovative engine it is today came from the cable or telephone companies.

Notice that there's no evidence supplied to support the claim that "AT&T and others want to take away your choices and control what you can do and watch online." What the telcos want to do is build new last-mile consumer services by installing a new fiber-to-the-home infrastructure, over which they can offer services in addition to and distinct from the public Internet, just as they currently offer voice telephony as a service separate and distinct from the public Internet. Specifically, they want to offer digital television services and potentially new services which they control, following the model of the cable industry. The telcos' real desire is to compete with the cable industry and be regulated in much the same way. They further want to be able to charge content providers to be able to provide services over this new fiber, because they know that consumer fees alone are not sufficient to recover their costs in rolling out this new infrastructure. (BTW, my opinion is that just as the cable companies lost leverage over content providers as a result of competition from direct broadcast satellite, telcos will lose or fail to gain leverage over content providers using new services over fiber-to-the-home, as a result of competition from wireless broadband providers, as well as from cable companies.)

The big telecom companies say: "Building the next generation of the Internet is going to take a lot of work and cost a lot of money. And some big corporations can't wait to use it.... They're going to make billions. But they don't want to pay anything. Instead they want to stick consumers with the whole bill."

The truth: Nobody is getting a free ride on the Internet. Any Web site or service you use on the Internet has already paid these providers to reach you -- just like you pay to send e-mail and download files. In fact, total expenses from major content and service providers to expand network capacity totaled about $10 billion last year. But the cable and phone companies want even more -- forcing content providers to pay protection money to get a spot in the fast lane. Who do you think will pay that bill? You will … big time. The costs will be passed directly to consumers. If Net Neutrality is so bad for consumers, why do ALL the major consumer groups support it and ALL the major phone companies oppose it? Who do you trust more to defend your Internet rights? Without meaningful protections of Net Neutrality, there will be less choice on the Internet and higher prices, at a time we're already falling far behind the rest of the world.

It's true that content providers are paying Internet providers today to reach the "eyeball customers" of the telcos and cable companies. But they are reaching them over today's best-effort Internet, not over the new infrastructure they want to build out. Now, here there is a real issue, but it's one that advocates of net neutrality have tended to obscure rather than illuminate, and that is that today, telcos are required to allow other Internet providers to provide service over their last-mile consumer broadband (DSL) circuits, and the courts recently ruled that this will no longer be required, putting the telcos on the same footing as the cable companies, which have never been required to share their networks. The difference between the two is that the telcos were given free rights-of-way to build their networks, were given monopoly status for local telephony status, and received huge tax breaks and subsidies in the form of universal service fees collected from long distance providers; this form of public funding justified the common carriage requirements that made them allow their networks to be used by other players that compete with them. The cable companies, by contrast, got none of these benefits and have to pay a portion of their revenues to local municipalities as part of their franchise agreement in an area. The cable model actually seems to be a better model and to be more competitive, though I think both are far from ideal. In any case, the empirical evidence is that the more competition there is for broadband Internet services, the lower the costs to consumers and the more innovation we see.

The big telecom companies say: "These corporations are asking Congress to create volumes of new regulations to control how content is delivered over the Internet. Should politicians and bureaucrats replace network administrators? It will be the first major government regulation of the Internet and it will fundamentally change how the Internet works. These big corporations and the SavetheInternet campaign want the government to take control of the Internet."

The truth: There's nothing new about Net Neutrality. It has been a fundamental part of the Internet since its inception. As a tenet of communications policy, it goes back some 70 years. Only last year did the Supreme Court uphold a bad decision by the Federal Communications Commission to do away with the rules that forced cable and phone companies to open up their networks to competitors. Those rules protected Internet freedom by ensuring lots of competition (think of all the choices you've had for long distance service or dial-up Web access). In fact, these rules still protect the Internet under a temporary FCC ruling. All a Net Neutrality law would do is maintain the even playing field we've always enjoyed -- by preventing big cable and telephone corporations from taking over as gatekeepers.

Now here's where "Save the Internet" goes completely off the rails. Net Neutrality has not been "part of the Internet since its inception" nor does it go back 70 years. This is a confusion about common carriage requirements on telco's networks vs. Internet services. When other DSL services use telco last-mile circuits to reach their customers, they are providing their own Internet services, not the telcos. They aren't using the telco's Internet networks at all. ISPs have never been classified as "common carriers" or required to connect anyone to their networks. Rather, they've been classified as information services or enhanced services, and exempted from common carriage requirements. Internet interconnection is governed by peering arrangements which are arranged either privately between two ISPs or network service providers, or by connecting to a public peering point and governed by the rules of the organization managing that peering point (itself a private, not government, organization).

The sentence about the Supreme Court upholding a bad FCC decision "to do away with the rules that forced cable and phone companies to open up their networks to competitors" is just mistaken in its inclusion of cable companies. Cable companies have never been required to open up their networks to competitors.

(UPDATE May 21, 2006: Timothy Karr of Save the Internet says that the "goes back some 70 years" remark does not refer to common carriage, but he hasn't yet told me what it is referring to. I'll update this entry when he does.)

The big telecom companies say: "The net neutrality issue is a fundamental question about who should control the Internet: The people or the government? And it's a fight about who's going to pay: multi-billion dollar corporations or you?"

The truth: Who should control the Internet? Now that's a good question. But the real choice we face is whether we're going to keep the good government policy that has protected Internet freedom, created a truly free market in content and services, and encouraged free speech to flourish online -- or let predatory companies like AT&T and Comcast rewrite our telecommunications law and place their chokehold on online content and services. For the entire history of the Internet, Web sites and online ideas have succeeded or failed on their own merit based on decisions now made collectively by millions of users. Getting rid of Net Neutrality will hand these decisions over to a cartel of broadband barons. Do we really want Ma Bell and the Cable Guy picking the next generation of winners and losers on the Internet?

This repeats the false claim that net neutrality has been a government policy in force all along, when in fact what "Save the Internet" is advocating is the introduction of new laws which give the FCC the power to regulate the Internet. What "Save the Internet" fails to recognize is that the telcos are an extremely powerful lobbying force in Washington, D.C., and that giving the FCC this power will not change that. Further, the FCC is run by commissioners who want to do more to regulate content for "indecency," and, if given the power to regulate the Internet, that would likely not be far behind. If they have the power to say that ISPs must allow service to X, they're probably also going to have the power to say that ISPs must not allow service to Y. But those are decisions that should be left in the hands of the ISPs, in a competitive environment where the consumer has the power to switch ISPs.

"Save the Internet" tends to avoid spelling out specifically what they are asking for, which is the biggest problem with "net neutrality" advocates. The term seems to mean different things to different people, and a lot of people interpret it to mean prohibition on certain kinds of contractual arrangements and services between providers of network services and their customers that are already common and extremely useful today (e.g., paying for different classes of service).

If you want a better understanding of the issues in the "net neutrality" debate, I can't recommend a better source than the Stifel/Nicolaus analysis, "Value Chain Tug of War" (PDF). Read it, and whichever position you argue for will be better served.

(UPDATE May 20, 2006: Here's a much better commentary on the "Hands Off" cartoon from a net neutrality advocate, Harold Feld, though he also gets some facts wrong. For example, he says that at the time of "Computer Proceedings I" (1971) AT&T was "the only telephone company." It was by far the major player and had attempted earlier to acquire the rest, but this was put to a stop in 1913 via anti-trust action when it tried to acquire Western Union. It was required to allow the remaining independent local telco players to interconnect. These included Rochester Telephone in NY (which was my employer when it was called Frontier). In 1971 AT&T had 100 million subscribers and the independents had 25 million.)

Late 1990s NSA program

The Baltimore Sun has reported on a shelved 1990s NSA program to collect and analyze phone records which had the following features:

*Used more sophisticated methods of sorting through massive phone and e-mail data to identify suspect communications.

* Identified U.S. phone numbers and other communications data and encrypted them to ensure caller privacy.

* Employed an automated auditing system to monitor how analysts handled the information, in order to prevent misuse and improve efficiency.

* Analyzed the data to identify relationships between callers and chronicle their contacts. Only when evidence of a potential threat had been developed would analysts be able to request decryption of the records.

Perhaps this program was brought back after 9/11? If such records were maintained with phone number and caller information encrypted until needed, and decrypted only with appropriate legal authorization, would that enable Verizon and BellSouth to truthfully deny having supplied the records to the NSA? I don't think so, unless the system was in the possession of the phone companies and didn't release data to the NSA until legal authorization was obtained. But would such a system be objectionable? So long as the controls genuinely prevented abuse and legal authorizations were really obtained for each use, I don't think it would be. (Via Talking Points Memo.)

BTW, in a New York Times story in which Verizon denied turning over records to the NSA (which BellSouth has also denied), Tony Rutkowski of Verisign is quoted suggesting that the NSA may have collected long-distance phone records rather than local calls. The article notes that Verizon's denial seems to leave the door open to the possibility that MCI, which Verizon recently acquired, had turned over data. Verisign, it should be noted, has been attempting to develop a business where it acts as a third-party manager for subpoenas and wiretapping for phone companies. While the telcos have strongly attempted to block attempts by the government to expand its wiretapping capabilities into the VOIP and Internet arenas (in part on the grounds that the CALEA statutes do not cover them, and also because the infrastructure expense is placed entirely on the telcos), Verisign has supported the government's efforts, as these filed comments with the FCC make clear (red means support for expanded government wiretapping capability, blue means opposition).

You'll note that Verisign is uniformly supportive of the government, and of the three telcos that have come under fire for giving data to the NSA, two are uniformly opposed (BellSouth and SBC (now AT&T)) and one is partly opposed and partly supportive (Verizon). I'm happy to note that my employer, Global Crossing, is not only on record as opposed, but filed comments which addressed more of the issues than most of the other filers.

(UPDATE May 19, 2006: Apparently the 1990s program was called ThinThread.)

Misinformation in defense of net neutrality

Adam Green, responding to Mike McCurry, writes (following Matt Stoller at MyDD) that:

Lie #1: McCurry knows the Internet is not "absent regulation" yet he's willing to deceive the public if it helps his clients. As Matt Stoller points out on MyDD:

What McCurry did not tell the public was that during the Clinton years, the FCC actively enforced net neutrality -- the Internet's First Amendment -- against his telecom clients. Common carrier statutes have in fact been a bedrock principle of telecommunications law since 1934, and in 1996 Congress ratified that with a commitment to network neutrality.

Mike McCurry has a moral obligation to everyone who has ever respected him and looked up to him to answer this question: Do you stand by your statement that the Internet is "absent regulation?" Or do you admit that, like so many parts of our American economy, the Internet does have rules?

This is deceptive--ISPs are not common carriers and Internet services offered by telecoms are not bound by common carriage regulations. Internet services have been classified as information services or enhanced services, and thus don't have to collect fees for universal service or take anyone who comes along as customers. Common carrier means you have to accept everyone as a customer and not discriminate about what traffic that is carried (so long as it's legal), but ISPs can, do, and should set standards beyond what the law requires in order to (for example) keep spammers off their networks. Common carrier status has only an indirect relationship to the Internet and net neutrality--it is about physical interconnection, not about Internet interconnection.

Stoller goes on to describe the FCC regulatory change regarding DSL networks:

Yet less than a year ago, in August, 2005, the Clinton -Gingrich policy of enforced network neutrality was radically upended by the FCC:

The FCC said that phone companies such as Verizon, SBC, BellSouth, Qwest and other local telcos will no longer be regulated by traditional telephone rules when it comes to their DSL broadband services. The FCC agreed unanimously to classify DSL broadband as an "information service" rather than a telephone service. Phone companies will no longer be required open their broadband networks to access by third-party ISPs.

After a one-year transition period, the phone companies can arbitrarily end any agreements they were forced to make with independent ISPs. During the transition year, the ISPs can attempt to negotiate new deals, but the cards are all in the hands of the telcos.

In other words, you know all that nice Clinton-Gingrich policy that made the internet work? Yeah, after a one year transition period, that's gone, as a sort of sunset provision for the free internet sets. This is incredibly sneaky. What McCurry is doing is couching a radical change to the internet in the guise of the status quo.

Stoller makes it sound like this change has something to do with RBOCs' Internet services, but it doesn't. It has to do with other ISPs using RBOCs' last-mile networks to connect consumers to their own Internet services--those ISPs typically don't connect to the RBOCs' Internet services, but rather purchase IP transit from multiple backbone providers.

Contrary to Stoller and Green, there was no "Clinton-Gingrich policy of enforced network neutrality" that required any kind of interconnection between providers of Internet services--rather, there was a requirement that telcos provide the use of their last-mile networks to ISPs to use to carry their own Internet services.

That requirement seems to have been a good one for creating competition among Internet services, but it's important to be clear that we're talking about the last-mile telco networks and not their Internet services or their backbones, though the telcos have continued to try to present that as the issue and many net neutrality defenders have wrongly accepted that as the issue.

Last mile competition, unlike net neutrality, is a real issue, especially for consumer Internet access. It's less of a problem for businesses since there is wider competition available via colocation services, metro fiber networks, and wireless. In my opinion, the best long-term defense against a telco/cable duopoly will be wireless access solutions, though there will no doubt be some others like broadband over power lines.

It is distressing to see net neutrality advocates continue to get basic facts wrong in defense of their poorly thought-out positions. If you don't understand how the Internet works today (technologically, politically, and legally), then you are not in a position to be making proposals about how it should be regulated that are not going to have significant (and likely very bad) unintended consequences.

Talking Points Memo gets it completely wrong on COPE Act

Josh Marshall writes:

The grand ole daddy of special interest giveaways -- Congress to give away the Internet. This is serious. Find out more here.

Sounds like he's saying that Congress is transferring the authority the Department of Commerce currently has over ICANN somewhere, doesn't it? But he links to Art Brodsky on TPM's "Special Guests Blog," who writes:

Congress is going to hand the operation of the Internet over to AT&T, Verizon and Comcast. Democrats are helping. It's a shame.

Don’t look now, but the House Commerce Committee next Wednesday is likely to vote to turn control of the Internet over to AT&T, Verizon, Comcast, Time Warner and what’s left of the telecommunications industry. It will be one of those stories the MSM writes about as “little noticed” because they haven’t covered it.

What's he talking about? He's talking about the COPE Act, the Communications Opportunity, Promotion, and Enhancement Act of 2006, which just passed the House Subcommittee on Telecommunications and the Internet, and its failure to include provisions mandating "net neutrality."

This doesn't "give away the Internet"--we have no laws mandating "net neutrality" today. This bill doesn't change the ownership or regulation of the Internet. It does make changes to how cable companies operate (permitting national franchising in addition to local franchising), it mandates that VOIP providers must supply E911 service, and it guarantees the right of municipalities to offer wireless broadband access.

Brodsky and Marshall have grossly misrepresented the effect of this bill in claiming that it "gives away the Internet." What it does do with respect to the FCC's policy statement (PDF) on "net neutrality" is give the FCC the ability to enforce that policy statement with fines of up to $500,000, while denying the FCC the authority to "adopt or implement rules or regulations regarding enforcement of the broadband policy statement and the principles incorporated therein, with the sole exception of the authority to adopt procedures for the adjudication of complaints."

Common Cause, an advocate of codifying specific "net neutrality" rules, opposes the bill (see their reasons and analysis here). But the problem with Common Cause's position is that there are no well-defined notions for how "net neutrality" should operate that would ensure that the result isn't just to freeze the Internet in its current state and stifle new innovations and developments. (Common Cause apparently doesn't understand the Internet well enough to know that spam is bad.)

Common Cause overestimates the ability of the telcos to use their existing networks to control how the Internet will work, and is, I believe, mistaken in its fears of classes of service. The existing broadband policy statement is sufficient to prevent telcos from blocking Google, or (more realistically) blocking access to competing VOIP providers without getting FCC fines. Further, it doesn't make the slightest bit of business sense for a DSL or cable modem provider to block access to services like the most popular search engine in the world.

For more on the subject of net neutrality, the single best analysis to date is the Stifel/Nicolaus report, "Value Chain Tug of War" (PDF). Also see my previous posts on this blog here (for my thoughts), and here (for a good analysis by Martin Geddes of the Telepocalypse blog), along with Geddes' speech at Freedom to Connect here, and Paul Kouroupas of Global Crossing's posts here, here, and here. (Disclosure: Global Crossing is my employer; I manage its network security. Global Crossing would be at risk if the RBOCs and cable companies were able to use their control of last-mile networks within the U.S. in an anti-competitive manner, so my position on this issue isn't based on any loyalty or bias towards those companies--I'd like to see more competition in broadband, but I don't think giving the FCC greater regulatory power over the Internet would have any beneficial effects in that regard.)

Net Neutrality

Larry Lessig's blog has linked to an article by Bill Thompson on the BBC's website arguing for "net neutrality," a position that favors FCC regulations to prohibit providers from blocking access to competitors' services and (in some cases, as in Thompson's) prohibit them from charging content providers for access to different classes of service.

I agree that providers shouldn't be able to block access to competitors' services (except, e.g., when necessary for security reasons, or as part of a service like content filtering being provided to a customer who wants it--but see below for my opinion on putting the FCC in charge of enforcement), but I don't think I agree on the latter point. Thompson argues that classes of service beyond the distinctions which providers currently offer based on overall bandwidth are unnecessary. But he's clearly wrong on that point--as more and more services which are sensitive to latency are added to the network (like real-time voice and video), the argument for putting those services into a higher class of service becomes stronger. Given the fact that there are currently several million compromised machines which are regularly used to engage in denial of service attacks, it is trivial for ordinary Internet bandwidth to be saturated--taking anything riding over that bandwidth out of service.

More and more people are depending on Internet access for voice services, including emergency 911 service. If those services are set up without separating them from ordinary Internet traffic in some way, the risk is created that those services may be unavailable when critically needed. Throwing more bandwidth at the problem doesn't help when you're also throwing more bandwidth to that same set of compromised machines, which can multiply that added bandwidth in an attack. One way or another--and likely through a combination of methods, including better filtering mechanisms and separation of different kinds of services into separate virtual channels--action needs to be taken to protect critical services from such attacks.

One thing that tends to be glossed over by proponents of "Net Neutrality" is that the most likely way of the policy being enforced is through regulatory action by the FCC. That, I think, is a huge mistake--these are the same people who can't create regulations to enforce a relatively simple statute like the Telephone Consumer Protection Act (TCPA) without creating loopholes for telemarketers that are not permitted by the statute (e.g., allowing prerecorded or automated voice messages to deliver advertisements when there's an existing business relationship), and the same people who think it's more important to take action in response to carbon-copied indecency complaints from the Parents Television Council than to take action against telemarketers actively engaged in fraud.

Adam Thierer of the Cato Institute makes some excellent arguments against putting "Net Neutrality" into effect through FCC regulation. Part of the problem is the vagueness of what's being asked for. If it's going to be set in place through the law, I would strongly favor that it be done as simply as possible through a statute that gives a private right of action (through injunctive relief or civil penalties for each day that access to a service is blocked for illegitimate reasons) and leaves the FCC out of it. The worst possible thing that could happen would be for the FCC to be given authority to maintain standards of access and turn it into an authority to maintain standards of content--and if you look at who's running the Commission and how they deal and are planning to deal with content in other realms, you can see that this is a real concern.

Disclosure: I work in network security for a global telecommunications company--one which is not an RBOC or cable provider. Our network (like that, I suspect, of most major Internet backbone providers) uses classes of service internally to differentiate voice, video, IP-VPN, and ordinary IP traffic. If the network didn't use classes of service, the more sensitive classes of traffic would be vulnerable to periodic disruption by Internet denial of service attacks.

Freedom Summit: Technological FUD

Sunday morning's first session was by Stuart Krone, billed as a computer security expert working at Intel. Krone, wearing a National Security Agency t-shirt, of a type sold at the National Cryptologic Museum outside Ft. Meade, spoke on the subject "Technology: Why We're Screwed." This was a fear-mongering presentation on technological developments that are infringing on freedom, mostly through invasion of privacy. The talk was a mix of fact, error, and alarmism. While the vast majority of what Krone talked about was real, a significant number of details were distorted or erroneous. In each case of distortion or error, the distortions enhanced the threat to individual privacy or the malice behind it, and attributed unrealistic near-omniscience and near-omnipotence to government agencies. I found his claim that the NSA had gigahertz processors twenty years before they were developed commercially to be unbelievable, for example. He also tended to omit available defenses--for instance, he bemoaned grocery store loyalty programs which track purchases and recommended against using them, while failing to note that most stores don't check the validity of signup information and there are campaigns to trade such cards to protect privacy.

Krone began by giving rather imprecise definitions for three terms: convenience, freedom, and technology. For convenience, he said it is something that is "easy to do," freedom is either "lack of coercion" or "privacy," and technology is "not the same as science" but is "building cool toys using scientific knowledge." While one could quibble about these definitions, I think they're pretty well on track, and that a lack of society intrusion into private affairs is a valuable aspect of freedom.

Krone then said that the thesis of his talk is to discuss ways in which technology is interfering with freedom, while noting that technology is not inherently good or evil, only its uses are.

He began with examples of advancements in audio surveillance, by saying that private corporations have been forced to do government's dirty work to avoid Freedom of Information Act issues, giving as an example CALEA (Communications Assistance for Law Enforcement Act) wiretaps. He stated that CALEA costs are added as a charge on your phone bill, so you're paying to have yourself wiretapped. He said that CALEA now applies to Voice Over IP (VOIP), including Skype and Vonage, and that the government is now tapping all of those, too. Actually, what he's referring to is that the FCC issued a ruling on August 5, 2005 on how CALEA impacts VOIP which requires providers of broadband and VOIP services which connect to the public telephone network to provide law enforcement wiretap capability within 18 months. There is no requirement for VOIP providers which don't connect to the public telephone network, so the peer-to-peer portion of Skype is not covered (but SkypeIn and SkypeOut are). This capability doesn't exist in most VOIP providers' networks, and there is strong argument that the FCC doesn't have statutory authority to make this ruling, which is inconsistent with past court cases--most telecom providers are strongly opposing this rule. The Electronic Frontier Foundation has an excellent site of information about CALEA.

Krone next talked about the ability to conduct audio surveillance on the inside of the home using 30-100 GHz microwaves to measure vibrations inside the home. This is real technology for which there was a recent patent application.

He raised the issue of cell phone tracking, as is being planned to use for monitoring traffic in Kansas City (though he spoke as though this was already in place--this was a common thread in his talk, to speak of planned or possible uses of technology as though they are already in place).
(This is actually currently being used in Baltimore, MD, the first place in the U.S. to use it.)

He spoke very briefly about Bluetooth, which he said was invented by Intel and other companies (it was invented by Ericsson, but Intel is a promoter member of the Bluetooth Special Interest Group along with Agere, Ericsson, IBM, Microsoft, Motorola, Nokia, and Toshiba). He stated that it is completely insecure, that others can turn on your phone and listen to your phone's microphone, get your address book, and put information onto your phone. While he's quite right that Bluetooth in general has major security issues, which specific issues you may have depend on your model of phone and whether you use available methods to secure or disable Bluetooth features. Personally, I won't purchase any Bluetooth product unless and until it is securable--except perhaps a device to scan with.

Next, Krone turned to video surveillance, stating that in addition to cameras being all over the place, there are now cameras that can see through walls via microwave, that can be used by law enforcement without a search warrant, which hasn't been fully decided by the courts yet. I haven't found anything about microwave cameras that can see through walls, but this sounds very much like thermal imaging, which the Supreme Court has addressed. In Kyllo v. U.S. (533 U.S. 27, 2001) it was ruled that the use of a thermal imaging device to "look through walls" constituted a search under the Fourth Amendment and thus requires a search warrant. Scalia, Souter, Thomas, Ginsburg, and Breyer ruled with the majority; Stevens, Rehnquist, O'Connor, and Kennedy dissented.

Krone briefly mentioned the use of "see through your clothes" X-ray scanners, stating that six airports are using them today. This technology exists and is in TSA trials, and was actually tested at a Florida airport back in 2002. A newer, even more impressive technology is the new Tadar system unveiled in Germany in mid-October 2005.

He addressed RFIDs, and specifically RFIDs being added to U.S. passports in 2006, and some of the risks this may create (such as facilitating an electronic "American detector"). This is a real threat that has been partially addressed by adding a radio shielding to the passport to prevent the RFID from being read except when the passport is open. As Bruce Schneier notes, this is not a complete safeguard. Krone also stated that there is a California bill to put RFIDs in cars, with no commercial justification, just to "know where everyone is and what they have with them at all times." I'm not aware of the bill he is referring to, but the use of transponders in cars for billing purposes for toll roads is a possible commercial justification.

He spoke about the laser printer codes that uniquely identify all documents printed by certain laser printers, which have been in place for the last decade and were recently exposed by the Electronic Frontier Foundation and reported in this blog (Krone mistakenly called it the "Electronic Freedom Foundation," a common mistake). He also briefly alluded to steganography, which he wrongly described as "the art of hiding information in a picture." While hiding a message in a picture is one form of steganography, what is characteristic of steganography is that it is hiding a message in such a way as to disguise the fact that a message is even present.

He then went on to talk about Intel's AMT product--"Advanced Management Technology." This is a technology that allows computers to be remotely rebooted, have the console redirected, obtain various information out of NVRAM about what software is installed, and to load software updates remotely, even if the system is so messed up that the operating system won't boot. This is a technology that will be extremely useful for large corporations with a geographically dispersed work force and a small IT staff; there is similar technology from Sun Microsystems in their Sun Fire v20z and v40z servers which allows remote access via SSH to the server independent of the operating system, which allows console port and keyboard access, power cycling of the server, etc. This is technology with perfectly legitimate uses, allowing the owner of the machine to remotely deal with issues that would previously have required either physically going to the box or the expense of additional hardware such as a console server.

Krone described AMT in such a way as to omit all of the legitimate uses, portraying it as a technology that would be present on all new computers sold whether you like it or not, which would allow the government to turn your computer on remotely, bypass all operating system security software including a PC firewall, and take an image of your hard drive without your being able to do anything about it. This is essentially nonsensical fear-mongering--this technology is specifically designed for the owner of the system, not for the government, and there are plenty of mechanisms which could and should be used by anyone deploying such systems to prevent unauthorized parties from accessing their systems via such an out-of-band mechanism, including access control measures built into the mechanisms and hardware firewalls.

He then went on to talk about Digital Rights Management (DRM), a subject which has been in the news lately as a result of Sony BMG's DRM foibles. Krone stated that DRM is being applied to videos, files, etc., and stated that if he were to write a subversive document that the government wanted to suppress, it would be able to use DRM to shut off all access to that file. This has DRM backwards--DRM is used by intellectual property owners to restrict the use of their property in order to maximize the potential paying customer base. The DRM technologies for documents designed to shut off access are intended for functions such as allowing corporations to be able to guarantee electronic document destruction in accordance with their policies. This function is a protection of privacy, not an infringement upon it. Perhaps Krone intended to spell out a possible future like that feared by Autodesk founder John Walker in his paper "The Digital Imprimatur," where he worries that future technology will require documents published online to be certified by some authority that would have the power to revoke it (or revoke one's license to publish). While this is a potential long-term concern, the infrastructure that would allow such restrictions does not exist today. On the contrary, the Internet of today makes it virtually impossible to restrict the publication of undesired content.

Krone spoke about a large number of other topics, including Havenco, Echelon, Carnivore/DCS1000, web bugs and cookies, breathalyzers, fingerprints, DNA evidence, and so on. With regard to web bugs, cookies, and malware, he stated that his defense is not to use Windows, and to rely on open source software, because he can verify that the content and function of the software is legitimate. While I hate to add to the fear-mongering, this was a rare instance where Krone doesn't go far enough in his worrying. The widespread availability of source code doesn't actually guarantee the lack of backdoors in software for two reasons. First, the mere availability of eyeballs doesn't help secure software unless the eyeballs know what to look for. There have been numerous instances of major security holes persisting in actively maintained open source software for many years (wu-ftpd being a prime example). Second, and more significantly, as Ken Thompson showed in his classic paper "Reflections On Trusting Trust" (the possibility of which was first mentioned in Paul Karger and Roger Schell's "Multics Security Evaluation" paper), it is possible to build code into a compiler that will insert a backdoor into code whenever a certain sequence is found in the source. Further, because compilers are typically written in the same language that they compile, one can do this in such a way that it is bootstrapped into the compiler and is not visible in the compiler's source code, yet will always be inserted into any future compilers which are compiled with that compiler or its descendants. Once your compiler has been compromised, you can have backdoors that are inserted into your code without being directly in any source code.

Of the numerous other topics that Krone discussed or made reference to, there are three more instances I'd like to comment on: MRIs used as lie detectors at airport security checkpoints, FinCen's monitoring of financial transactions, and a presentation on Cisco security flaws at the DefCon hacker conference. In each case, Krone said things that were inaccurate.

Regarding MRIs, Krone spoke of the use of MRIs as lie detectors at airport security checkpoints as though they were already in place. The use of fMRI as a lie detection measure is something being studied at Temple University, but is not deployed anywhere--and it's hard to see how it would be practical as an airport security measure. Infoseek founder and Propel CEO Steve Kirsch proposed in 2001 using a brainscan recognition system to identify potential terrorists, but this doesn't seem to have been taken seriously. There is a voice-stress analyzer being tested as an airport security "lie detector" in Israel, but everything I've read about voice stress analysis is that it is even less reliable than polygraphs (which themselves are so unreliable that they are inadmissible as evidence in U.S. courts). (More interesting is a "stomach grumbling" lie detector...) (UPDATE March 27, 2006: Stu Krone says in the comments on this post that he never said that MRIs were being used as lie detectors at airport security checkpoints. I've verified from a recording of his talk that this is my mistake--he spoke only of fMRI as a tool in interrogation.)

Regarding FinCen, the U.S. Financial Crimes Enforcement Network, Krone made the claim that "FinCen monitors all transactions" and "keeps a complete database of all transactions," and that for purchases made with cash, law enforcement can issue a National Security Letter, including purchases of automobiles. This is a little bit confused--National Security Letters have nothing specifically to do with financial transactions per se, but are a controversial USA PATRIOT Act invention designed to give the FBI the ability to subpoena information without court approval. I support the ACLU's fight against National Security Letters, but they don't have anything to do with FinCen. Krone was probably confused by the fact that the USA PATRIOT Act also expanded the requirement that companies whose customers make large cash purchases (more than $10,000 in one transaction or in two or more related transactions) fill out a Form 8300 and file it with the IRS. Form 8300 data goes into FinCen's databases and is available to law enforcement, as I noted in my description of F/Sgt. Charles Cohen's presentation at the Economic Crime Summit I attended. It's simply not the case that FinCen maintains a database of all financial transactions.

Finally, Krone spoke of a presentation at the DefCon hacker conference in Las Vegas about Cisco router security. He said that he heard from a friend that another friend was to give a talk on this subject at DefCon, and that she (the speaker) had to be kept in hiding to avoid arrest from law enforcement in order to successfully give the talk. This is a highly distorted account of Michael Lynn's talk at the Black Hat Briefings which precede DefCon. Lynn, who was an employee of Internet Security Systems, found a remotely exploitable heap overflow vulnerability in the IOS software that runs on Cisco routers as part of his work at ISS. ISS had cold feet about the presentation, and told Lynn that he would be fired if he gave the talk, and Cisco also threatened him with legal action. He quit his job and delivered the talk anyway, and ended up being hired by Juniper Networks, a Cisco competitor. As of late July, Lynn was being investigated by the FBI regarding this issue, but he was not arrested nor in hiding prior to his talk, nor is he female.

I found Krone's talk to be quite a disappointment. Not only was it filled with careless inaccuracies, it presented nothing about how to defend one's privacy. He's right to point out that there are numerous threats to privacy and liberty that are based on technology, but there are also some amazing defensive mechanisms. Strong encryption products can be used to enhance privacy, the EFF's TOR onion routing mechanism is a way of preserving anonymity, the Free Network Project has built mechanisms for preventing censorship (though which are also subject to abuse).