I tend to favor protecting end-to-end in the Internet context, but I’m a bit worried about what the net neutrality rules will look like in practice. There are two ways to think of this problem. First, who is the target of regulatory action? The FCC’s rules seem to look at the CEO or CTO of an ISP or telecom company. I think the correct focus is farther down the corporate ladder: the IT folks who have to implement rules on their routers. The new rules seem fine as policy statements, but how do they translate into what you can and can’t do with bits?

Second, what existing practices are covered by the net neutrality rules? I worry there are some laudable practices that might run afoul of the rules – even if it’s unlikely the FCC would seek enforcement against them. (Safety that depends on agency discretion is not particularly comforting.) Here’s a fast list of practices that might violate net neutrality right now:

• Port blocking – can ISPs prevent you from sending e-mail except through their servers by blocking port 25? Many, including Verizon, already do. (See Rule 2 in the Press Release.)
• Network Address Translation – NAT rewrites IP addresses to ensure that packets reach their destination. Does altering header information violate the rules? (Rule 6 at least, maybe Rule 4.)
• Spam filtering – ISPs routinely drop connections, or quarantine messages, from known spammers and spam-friendly destinations. (Rules 1, 4.)
• VoIP routing – some telcos route their own VoIP traffic across their network rather than the public Internet, which is more efficient (assuming both ends of the conversation have the same provider). That’s almost certainly out. (Rule 5.)
• Virus prevention – some educational institutions scan connecting devices for Trojans / viruses / malware, or software that protects against them, and condition network access on passing this scan. (Rule 3, though doubtless the FCC would use the “harm” criterion as a dodge.)

So, I’m worried about how the FCC’s legal rules are implemented in code. I think we need a lot more guidance from the agency, particularly since net neutrality still feels somewhat like a solution in search of a problem…

Google uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers’ login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.

Thanks to Chris Soghoian for his leadership on this one!

Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” [the company's president] said. “At this point, though, we don’t know the magnitude of what was grabbed.”

Wow. (The company hastens to add that, because the bad guys didn’t get addresses, they would need to make counterfeit cards to exploit this data. Small comfort if you’ve read stories like this one.)

This disclosure reminded me of a speech I attended recently: an important DC lawyer who represents companies in privacy disputes was complaining about data breach notification laws. He pointed out, correctly I think, that the expense of disclosing a breach often dwarfs the real risk of harms like identity theft. But then he said the better response would be regulatory rules that set the requirements for data security. Not so sure about that.

I am skeptical about the effectiveness of some federal agency (the FTC?) supposedly auditing data security compliance at big firms across the country. It has not worked very well for health care privacy under HIPAA. One thing that moves data security up a company’s priority list is the reality that mistakes will be made public. But for states’ data breach notification requirements, we might never have found out about the Heartland breach (never mind the many, many others revealed through these laws). True, there could be some better standards as to when a breach creates enough risk that the costs of notification are worthwhile. But the basic technique of using the disclosure of errors as deterrence to force better precautions seems sound to me in this setting. How far would we be toward improving data security if these breaches had remained secret?

Spam’s basic problem is the same: our social norms of trust are at odds with the insecure foundations of e-mail. Put another way, both we and our e-mail systems are too trusting, and thus easily duped. Spam exploits the credulous (”If my friend forwarded this link, it must be OK!”) and the opportunistic (”Hey, free Anna Kournikova pictures!).

I still think we should do three things. First, e-mail just doesn’t work for communications that need security and the ability to authenticate senders. I proposed “safe mail” a few years back, and as with most academic ideas, it’s garnered almost as many supporters as Blagojevich for President. But it’s still a good approach. Second, ISPs need to think about rather paternalistic approaches (=URL blocking) in some cases, with opt-out for those willing to take informed risks. Think of this as mandatory StopBadware – when you try to connect to a spoofed or phishing site, you can’t. Finally, we need better defenses on our computers. Microsoft Vista tried for this, but its constant security warnings annoyed everyone without increasing security, leading to defensive ad campaigns rather than defensive computing.

Spam will always be around. It worries me, though, that our perception of its threat seems to be inversely proportional to the harm its payload carries…

According to the local paper, the problem, as so often the case, is bots. Apparently, some resellers use automated software, including a bot made by RMG Technologies, to flood Ticketmaster and similar sites with orders, and also jump in front of other purchasers in the queue. According to the Wall Street Journal:

[T]he software allows users, among other things, to search for tickets at specific price levels for particular events and to generate requests for tickets much more quickly than a human at a typical home computer could. For instance, companies like Ticketmaster require customers searching for tickets online to replicate a set of the squiggly letters and numbers, known as a “Captcha.” Theoretically, only human customers can correctly identify the characters despite the odd fonts, screening out automated purchasing programs. But RMG’s software, according to [a ticket broker who settled a lawsuit with Ticketmaster], can also “figure out the randomly generated characters and retype them automatically.” [The broker] said RMG employees also gave him advice on fooling Ticketmaster’s computers into thinking his requests were coming from different Internet addresses.

The new bill aims to make the use of such software illegal. While normally I am a little wary about laws that forbid a particular technological application, this one seems like it might be narrow enough and also aimed at counterbalancing an innovation that gives some people an unfair advantage over others. Am I missing something?

Not surprisingly, Ticketmaster and major local sports teams support the measure. (Ticketmaster already filed an eleven-count federal civil suit in Los Angeles against RMG last year. The arguments include claims that RMG’s bot violates copyright law, the DMCA, the Computer Fraud and Abuse Act, and Ticketmaster’s terms of service.) It will be interesting to see if such legislation begins to sweep the country. OMG MN Leg — UR2 CSA!!!

UPDATE: The Minnesota bill has now become law.

As Ethan explains:

Google identifies sites that they believe are spreading badware and registers them with Stop Badware. My colleagues with Stop Badware have the unenviable task of managing the Google review process – if a site is tagged as spreading badware, the site’s administrator has the option of protesting and having the site reviewed by a team that includes folks at the Berkman Center. This is a very emotional issue for site owners, as having your site de-listed by Google can have very serious consequences for your traffic, your reputation, etc.

That may not be the sort of self-governing cyberspace that some luminaries envisioned fifteen years ago, but it may be a pretty interesting example of a private resolution process that is nevertheless open and principled. You should go read Ethan’s post.

[UPDATE: And read the commenters at Ethan's post too. Some of them say they too have been tagged with this "harm your computer" notification and are having trouble getting rid of it -- even after they fix the problem. A definite challenge for the Stop Badware model, but I am optimistic that they will work through it.]

Discussion question: Is this “badware“?