Reply Comments on FCC Privacy
I filed reply comments with the FCC in the broadband privacy proceeding to make a single point: ISPs don’t have the NSA-like powers of code-breaking and aggregation that the NRPM attributes to them. The NPRM’s primary factual claim is that ISPs “are in a position to obtain vast amounts of personal and proprietary information about their customers.” This has to mean that ISPs can see more personal data than edge services can because the NPRM proposes to impose an opt-in regime on ISPs for the same data that edge services can collect on an opt-out basis. So the FCC argues it can’t forbear from opt-in without unreasonably compromising user security.
The “special position” claim in the privacy NPRM comes from the Open Internet order, which takes it from a comment filed by human rights NGO Access. The comment by Access is quite remarkably wrong:
To implement traffic management, ISPs often use tools with highly invasive capacities that can execute blocking, shaping, or filtering of data for unlawful political, social, and commercial purposes. These tools include deep packet inspection (DPI) technology. DPI allows ISPs – and anyone tapped into their networks – to identify and filter content while it traverses the internet, and make a copy of the traffic. DPI is the go-to mechanism governments across the world employ to invade user privacy and censor communications and content with staggering breadth and depth. In 2006, AT&T and the NSA were caught using DPI-capable technology in San Francisco to sort through all traffic flowing through a major switching station, in order to pick out specific messages based on targets like an e-mail address. Left unregulated, under paid priority schemes, ISPs will be incentivized to increase use of DPI to scour internet traffic in search of content to prioritize or degrade, down to the level of individual subscribers.
So in essence Access claims that ISPs have NSA power and must be highly regulated lest we lose all semblance of privacy and security. In the OIO, these concerns motivated a ban on the hypothetical practice of paid prioritization, and in the privacy context they motivate opt-in.
But what policy choice do you have to make if the facts don’t support the claim that ISPs have NSA powers? It would seem to me that the FCC is clearly right about one thing: the degree of regulatory heavy-handedness should be proportional to the power wielded by the regulated firm. And when we assess that power we have to consider what’s practical as well as the incentives driving the firm. The FCC certainly appears to do this when it discusses incentives and capabilities, but in this case (as in the OIO), the agency’s assessment is simply wrong.
The NSA spy program Access brings to the attention of the FCC was known as Stellar Wind. This program involved the NSA collecting packet streams from several ISPs – AT&T and Verizon were named – but the data collection was primarily from their transit business, not their residential ISP business. The ISPs didn’t use any DPI to find email for the NSA, they simply dumped whatever they were carrying and let the NSA decrypt it and sort it out. The scary thing about Stellar Wind is that it gave the NSA access to something like 85% of of North American Internet traffic. To put it in simple terms, it was the aggregation of data combined with the code-breaking that allowed NSA to find email.
ISPs are not in the same position in relation to the Internet as the NSA was while the Stellar Wind program was in effect. In reality, the vantage point that ISPs really have is inferior to that of the large edge services. Here’s how I explain this in my FCC comments:
The reality of the Internet is that each edge service or application has the unfettered ability to see the data it exchanges with each of its customers. Google, Facebook, Amazon, and Netflix see customer-generated messages in plain text, after decryption. Similarly, these firms have unfettered access to the information they send to their customers before encrypting it.
There is a gap in the edge view of the Internet insofar as each edge service only sees information from its own customers. But this gap is reduced for advertising networks that are able to populate third party pages with ads. When an edge service operates both its own application and an advertising network – as many do – the gap becomes extremely small.
The ISP also has a limited view of the Internet for three reasons:
- Each ISP can only see information generated or received by its own customers;
- Most of this customer data handled by the ISP is encrypted; and
- The data the ISP can see is devoid of context.
The first limitation is shared by ISPs, edge services, and advertising networks insofar as each can only view data exchanges involving its own customers. But this factor argues for regulating ISPs less heavily than the large edge and ad companies because the number of users each ISP has is much smaller than the corresponding number in the edge and ad space. The largest wireline ISP, Comcast, has 23 million customers. Netflix has 81 million customers worldwide; Amazon had 244 million users in 2014; Facebook has 1.59 billion customers; Google has seven different services with over a billion users each. There is no dearth of advertising-relevant data for edge services to capture and use. For ISPs to catch up in terms of user counts, each would need to grow by one to two orders of magnitude, signing up more Internet users than the planet contains.
I don’t argue that the large edge services should be regulated more strictly; the FTC has struck the right balance. But I do argue that ISPs and edge services should be on a level playing field (and would be if the FCC had its facts straight):
Like the game of Telephone, the facts of Stellar Wind are distorted by the Hepting/EFF lawsuit, further twisted by the Wired article, misrepresented by Access, misconstrued by the FCC’s Open Internet Order and confused again by the FCC’s Privacy NPRM. ISPs do not have the surveillance advantage over edge services and advertising networks the NPRM attributes to them.
Consequently, the privacy NPRM lacks a coherent factual foundation for the claim that ISPs must be regulated differently than edge services because of their unique vantage point in the Internet.
In reality, edge services, browsers, operating systems, advertising networks, and transit networks all have better and more comprehensive knowledge of user interactions with edge services than ordinary ISPs do. As this is the case, the FCC’s decision to impose Section 222 with a new set of rules deeply at odds with the FTC Privacy Framework is irrational.
The more prudent course is to forbear from imposing the Section 222 opt-in provision on Internet service providers and to generally harmonize ISP privacy regulations with the FTC framework. Opt-in is appropriate for sensitive information but not for generic interactions.
Will the FCC see the light and choose a less discriminatory approach? I’m hopeful, but they probably won’t.
Great post! I am still trying to digest the full argument you made in your reply to the FCC, but I have a quick question that immediately came to mind when I read the passage you quoted from the NGO Access.
As a network technician that works on a moderately sized enterprise network, I am constantly being asked by security engineers to apply network policies that require DPI (e.g, “block packets that contain malware!”). I always tell the security engineers that in order to do what they asking, I would need replace our basic routers with network devices that are capable of doing DPI. However, the prices for DPI-capable network devices are orders of magnitude more expensive that a basic router. It seems crazy to me to say that any ISP would have a financial incentive to deploy DPI. If ISP networks are anything like the network I work on, they would want nothing to do with DPI because it makes the cost of maintaining the network unsustainable.
Do you agree, or am I missing something?
I agree, ISPs don’t have NSA-sized budgets for taking packets apart.
I just finished reading your reply comments to the FCC. Bravo! You are very charitable in saying that it is “understandable” for the NGO Access to not grasp the facts. It is hard for me to read the passage from them that you quote as anything other than deliberate obfuscation…although I defer to your judgement because I have not yet read their complete comment.
These are four questions that occurred to me as I was reading your reply:
1. At one point in your reply, you say that the goal of the FCC should be to create regulations that “promote higher quality advertising through increased competition.” Why do you emphasize advertising?
2. You mention that ISPs and edge services “can only view data exchanges involving their own customers” and “this factor argues for regulating ISPs less heavily than the large edge and ad companies because the number of users each ISP has is much smaller than the corresponding number in the edge and ad space.” But is it really fair to compare customer counts in such a straightforward manner? Netflix may have more customers than Comcast, but Netflix only sees traffic related to Netflix, whereas Comcast can see ALL the traffic their customers send and receive. Somebody arguing against you may be able to claim that a Comcast customer is worth more than a Netflix customer.
3. You write that, “DNS lookups duplicate IP addresses and can be exported to third party DNS providers in any case (and would be, if such activities were truly valuable).” I don’t understand what that means. Can you elaborate?
4. You write that, “…transit networks…have better and more comprehensive knowledge of user interactions with edge services that ordinary ISPs do.” I take this to mean that you think transit providers can be regulated differently than broadband ISPs. Am I misinterpreting you? Are they in fact regulated differently?
1. Advertising is the reason Google and the others collect data on our browsing habits; collecting personal data for other purposes is interesting to law enforcement, but not to anybody else. So the FCC’s rulemaking on privacy is really all about advertising.
2. ISPs can only collect data on their customers, and the ad networks can collect data on users who visit pages with analytics built in. Not only do ad networks have more reach, they get to look at unencrypted data. Netflix knows details about interaction with movies such as rewind and replay, but it’s not a good example. The ad networks potentially know what you’re buying, which is the most valuable advertising data. So ISPs don’t have an advantage over the ad networks.
3. Seeing the customer’s DNS lookups doesn’t provide any data that the seeing the IP address the customer interacts with doesn’t show. And nobody is forced to use the ISP’s DNS, there are independent DNS services from Google and others.
4. Transit networks are unregulated.
Thank you for the explanations!
Techlabs24x7: Norton Antivirus Technical Support Phone Number