Internet Architecture vs. Section 222

If you follow debates about Internet policy in detail, you will often find advocates arguing opposite sides of particular questions in different contexts. Responsible advocates avoid this practice because, obviously, it undermines their credibility when astute observers notice it. But we don’t simply conduct these debates among well-informed and thoughtful participants any more. The pop culture audience is increasingly important in Internet policy because so many people have a stake in the ongoing health and welfare of the Internet, and also because the general audience can, when aroused by advocates, flood the FCC and Congress with canned letters of protest. They also generate traffic to tech policy blogs, especially those that deal with the debates in an emotional, manipulative way.

Net Neutrality vs. Net Neutrality

Some remarks from Public Knowledge about the subject of encryption in the context of Internet privacy are sharply opposed to arguments that organization made in the net neutrality debate. The rationale for passing net neutrality regulations comes down to a desire to protect the underlying design of the Internet – its architecture – from meddling by ISPs and other potentially bad actors. This architecture has been claimed by net neutrality advocates to come down to the so-called “end-to-end arguments principle” that holds that new features and functions needed by Internet applications should be provided by the applications themselves and not by actions taken by the Internet Service Providers, the network equipment vendors, or the long-haul transit networks themselves.

Net neutrality advocate Barbara van Schewick wrote a 600-page book on this one idea, Internet Architecture and Innovation. Amazon summarizes it in the following way:

The Internet’s original architecture was based on four design principles: modularity, layering, and two versions of the celebrated but often misunderstood end-to-end arguments. But today, the Internet’s architecture is changing in ways that deviate from the Internet’s original design principles, removing the features that have fostered innovation and threatening the Internet’s ability to spur economic growth, to improve democratic discourse, and to provide a decentralized environment for social and cultural interaction in which anyone can participate. If no one intervenes, network providers’ interests will drive networks further away from the original design principles. If the Internet’s value for society is to be preserved, van Schewick argues, policymakers will have to intervene and protect the features that were at the core of the Internet’s success.

End-to-End Design Principles

The end-to-end arguments principle was originally articulated in a paper by two MIT post-docs and their supervisor, Jerry Saltzer, titled “End-to-End Arguments in System Design” published in 1981. Oddly, the paper does not contain the word “Internet” but advocates argue that it describes the architecture that motivated its design nonetheless. Of particular interest is the one paragraph on security by encryption:

The end-to-end argument relating to encryption was first publicly discussed by Branstad in a 1973 paper[2]; presumably the military security community held classified discussions before that time. Diffie and Hellman[4] and Kent[8] develop the arguments in more depth, and Needham and Schroeder[11] devised improved protocols for the purpose.

This is to say that even before there was an Internet it was recognized in computer science that networks alone cannot provide end-user security unless applications take on the responsibility of encrypting information. Regardless of which bad actor you’re worried about, the best way – and indeed the only way – to protect confidential communication is to encrypt your messages and nobody can do this for you.

With Great Power Comes at Least Some Responsibility

So end-to-end architecture means that users and applications have power they don’t have on centralized networks like the old-school public switched telephone network. But as the mighty American philosopher Spider-Man told us, “with great power there must also come — great responsibility.” So it’s up to users and applications to step up and take affirmative steps to protect their communications from abuse. Users of the Internet are also responsible for protecting their devices from viruses by using anti-malware programs, avoiding dodgy websites, and practicing good password hygiene. Even if you practice safe surfing you may be hacked anyway because no one is really immune, but it’s your obligation to try in any event.

Encryption hasn’t always been practical because it requires CPU power, but today’s computers have enough performance that we can encrypt, and therefore we should. And this includes avoiding websites that don’t use TLS encryption (https) just as you would avoid financial institutions whose websites don’t require annoying two-factor authentication rituals before you can transfer money out of them.

“Oh no, we didn’t mean THAT End-to-End idea”

But Public Knowledge disagrees with the idea that Internet users are responsible for protecting their communications from snooping after spending much of the last decade swearing allegiance to the Internet’s end-to-end architecture. This is what they wrote in their white paper, Protecting Privacy, Promoting Competition: A Framework for Updating the Federal Communication Commission Privacy Rules for the Digital World:

PK quote

Public Knowledge correctly observes that telephone network regulations placed the “burden of privacy” on the network rather than the user but they fail to comprehend why this was the case. It’s not very difficult to understand even if you’re not familiar with end-to-end architecture: For most of the PSTN’s life, there was no practical way for the end user to protect his or her own privacy because all the equipment between calling party and called party was owned and operated by the telephone service provider. Users could speak in code, but few did unless they were up to something because both parties had to be up on the same convention for that to work.

It’s Up to You, Gentle Surfer

So if you’re interested in enjoying full privacy on the Internet it’s not only your responsibility, it’s a power the Internet gives you because of the way it’s designed. And sure enough, encrypting messages is not only something that protects you from bad actors like the Russian mafia: it also protects you from good actors such as your ISP, your search provider, or your email service when they make mistakes and expose your communication to hackers without meaning to.

In reality, the notion that ISPs can protect your privacy without your making an effort to meet them halfway is fiction. All the ISPs can do with respect to “privacy” is refrain from competing with applications such as search, email, and web surfing for the sale of your information to advertisers. That refusal is neither privacy-enhancing to users nor is it pro-competition.

Regulation that requires ISPs to “protect your privacy” by refraining from paying attention to what you’re doing is also inconsistent with end-to-end architecture. The argument that ISPs must refrain from trafficking in the raw material of advertising sales in order to comply with the literal text of Section 222 also tells us that there’s a major disconnect between PSTN regulation and the goals and purposes of the Internet. But you already knew that.

The so-called privacy debate is really a debate about the Internet advertising market. It’s best to have this discussion in a way that doesn’t offend the principles that the net neutrality battle was supposed to protect, but that is not happening.