I tend to favor protecting end-to-end in the Internet context, but I’m a bit worried about what the net neutrality rules will look like in practice. There are two ways to think of this problem. First, who is the target of regulatory action? The FCC’s rules seem to look at the CEO or CTO of an ISP or telecom company. I think the correct focus is farther down the corporate ladder: the IT folks who have to implement rules on their routers. The new rules seem fine as policy statements, but how do they translate into what you can and can’t do with bits?

Second, what existing practices are covered by the net neutrality rules? I worry there are some laudable practices that might run afoul of the rules – even if it’s unlikely the FCC would seek enforcement against them. (Safety that depends on agency discretion is not particularly comforting.) Here’s a fast list of practices that might violate net neutrality right now:

• Port blocking – can ISPs prevent you from sending e-mail except through their servers by blocking port 25? Many, including Verizon, already do. (See Rule 2 in the Press Release.)
• Network Address Translation – NAT rewrites IP addresses to ensure that packets reach their destination. Does altering header information violate the rules? (Rule 6 at least, maybe Rule 4.)
• Spam filtering – ISPs routinely drop connections, or quarantine messages, from known spammers and spam-friendly destinations. (Rules 1, 4.)
• VoIP routing – some telcos route their own VoIP traffic across their network rather than the public Internet, which is more efficient (assuming both ends of the conversation have the same provider). That’s almost certainly out. (Rule 5.)
• Virus prevention – some educational institutions scan connecting devices for Trojans / viruses / malware, or software that protects against them, and condition network access on passing this scan. (Rule 3, though doubtless the FCC would use the “harm” criterion as a dodge.)

So, I’m worried about how the FCC’s legal rules are implemented in code. I think we need a lot more guidance from the agency, particularly since net neutrality still feels somewhat like a solution in search of a problem…

This might be useful in getting Australia to reform its content classification system, which has some weird dichotomies in evaluating on-line vs. off-line material, and in dealing with different media for the same content. This particular quirk, though, seems like it’s vulnerable to gamesmanship: if I were an Australian gaming company, I’d surely submit complaints about my competitors’ games (especially foreign ones) – censorship could help my sales by eliminating alternatives.

Fun stuff. Hat tip to Boing Boing.

In Germany, the major parties in Parliament are in agreement on a plan to require ISPs to filter a list of sites – limited to child pornography, says the government – provided by the federal police. Opposition has been strong, but for naught, as the government passed legislation today. Ralf Bendrath, an activist and academic whom I met at CFP 2009, is following the situation on his blog. Initially, the government pressed for “voluntary” blocking by ISPs, but the Greens and others pushed for a public, not private, law solution. Rebecca MacKinnon points out that some German politicians already want to expand the scope of blocking – for example, to cover extremist or gambling sites.

Coverage of Internet censorship tends, unsurprisingly, to be libertarian in tone: filtering is implicitly treated as undesirable or illegitimate. Nicole Wong of Google had an insightful point at CFP that captures this argument beautifully: filtering is problematic when adopted by democratic states, she said, because it offers cover to authoritarian ones who use the same practice to more troubling ends.

But, for a change of pace, let me offer three reasons why Germany’s move looks legitimate, and then one criticism.

1. The new filtering legislation has support from the Christian Democratic Party and the Social Democratic Party – in other words, from both conservative and liberal politicians. Thus, filtering has a fairly broad base of political support (unlike, say, in Australia).
2. Germany opted for formal public law after debate, rather than bullying ISPs into quasi-voluntary filtering (as in the UK). Governments make bad law all the time, which is why we vote them out. Legislation is more transparent and more amenable to policy change than private deals.
3. The government recognizes – this was a driver in the shift from private to public law – that the legislation treats questions of fundamental rights, such as expression and access to information. That’s preferable to simply lumping opponents in with child pornographers (as Minister Conroy has done in Australia).

The problem is scope creep: the first step in putting filtering in place is the hardest, both politically and technically. Germany, like most Western states that have contemplated Internet censorship, has focused on the easy case: child pornography. The child pornography lobby is, shall we say, small and underfunded. But once the filtering apparatus is in place – “the machine,” Wendy Carlisle calls it – it can be set to block other things about which there’s less consensus – gambling, euthanasia, copyright infringement. And since the lists of sites to be blocked are secret, it’s very difficult to detect how far the system slips down that slope.

Much depends on the details of Germany’s new law, and on its implementation. We’ll see how much the country’s system looks like the others in the news…

I made a few points that I’ll share here. First, I think that Internet filtering has had three epochs:

1. Filtering 1.0: filtering is technically impossible (Gilmore and the cyber-exceptionalists / cyber-libertarians)
2. Filtering 2.0: filtering is possible, but only done by bad actors / authoritarian states (China, Iran, Saudi Arabia, etc.)
3. Filtering 3.0: filtering becomes widespread, including in Western democracies, and we face hard questions about how to assess the practice’s legitimacy

Second, Australia is the beta for Filtering 3.0. The country is having useful, vehement disagreements over how filtering is implemented (what method is used? who pays? what trade-off in performance is acceptable?) and what gets blocked (who decides? why is certain content prohibited? how can one challenge censorship decisions?). The Rudd government, via Senator Conroy, seems to be backing down on two fronts – specifying that only Refused Classification (RC) material will be blocked in a mandatory fashion, and that a “voluntary” industry code to which all ISPs adhere could substitute for legislation – but a requirement to filter is still a government objective.

Finally, there’s a persistent myth that the U.S. is a filtering-free zone. I think this derives because what we block seems natural / inevitable / invisible. Google has to remove certain search results that link to infringing content to stay within the safe harbor of the Digital Millennium Copyright Act. This is like the dog that didn’t bark in Sherlock Holmes: how do you know what you’re missing? (To Google’s credit, the site includes notification that it has filtered results, and links to Chilling Effects so you can read the DMCA take-down notice.) Linking to a site that you know posts DeCSS is unlawful. Napster had to institute filtering to satisfy the district court in California (which it failed to do). Americans think that prohibiting copyright infringement just makes sense – but Saudi Arabia thinks this about porn, and France for hate speech, and Australia for euthanasia. We aren’t different, and that’s what makes Filtering 3.0 hard.

I’ve got an initial proposal for how to approach Filtering 3.0 (my paper Cybersieves, coming out this year in the Duke Law Journal) that looks at process rather than the content that’s banned. Filtering is coming: to Australia, to Germany, to Minnesota. Gilmore’s optimism no longer applies. We need to think about what comes next.

[Update 1:00PM: The panel is in room 310.]

Update 11:45PM 3 June: Danwei has more details, including a link to a spreadsheet that’s purportedly tracking blocked sites.

When any common carrier, subject to the jurisdiction of the Federal Communications Commission, is notified in writing by a Federal, State, or local law enforcement agency, acting within its jurisdiction, that any facility furnished by it is being used or will be used for the purpose of transmitting or receiving gambling information in interstate or foreign commerce in violation of Federal, State or local law, it shall discontinue or refuse, the leasing, furnishing, or maintaining of such facility

There are at least three reasons why this won’t fly (or float? Need to work in a “Land of 10,000 Lakes” joke here). First, ISPs aren’t common carriers. Second, the Minnesota order is likely unconstitutionally overbroad. Third, there’s a serious dormant Commerce Clause problem given the financial repercussions for ISPs. In short, this attempt is like Brett Favre’s career: dead no matter how hard interested Minnesota parties try to revive it.

First, the common carrier problem: in National Cable & Telecommunications Association v. Brand X Internet Services, 545 U.S. 967 (2005), the Supreme Court deferred to the Federal Communications Commission’s ruling that, under the Communications Act of 1934, cable broadband providers are “information service providers” and not “telecommunications carriers.” Hence, cable broadband isn’t subject to common carrier regulation. The case doesn’t directly address DSL broadband, but the FCC’s logic likely applies there as well. So, the basis for Minnesota’s invocation of the Wire Act – that ISPs are common carriers – seems to run counter to both the Supreme Court’s holding and the FCC’s rulemaking. But what do they know?

Second, this situation looks a lot like Center for Democracy & Technology v. Pappert, 337 F. Supp. 2d 606 (E.D. Pa. 2004). There, a Pennsylvania law required ISPs to block access to sites pinpointed by the state Attorney General (that allegedly contained child pornography). The ISPs responded by blocking the IP addresses of the offending sites. Result: massive overblocking – the ISPs filtered about 1.1 million innocent sites to squash 400 bad ones. Minnesota ISPs might use IP blocking also, since URL filtering is expensive (see next point). Declan McCullagh notes that GetMinted.com, a blacklisted site, shares an IP address with Cashcade, a corporate site. The blacklist is underinclusive – does anyone think the Dept. of Public Safety has found all of the Internet gambling sites? – and overinclusive – because gambling companies will migrate away from blocked URLs, and because IP blocking always catches up unrelated sites.

Finally, the Wire Act itself, and the burden URL filtering would place on ISPs, creates a major dormant Commerce Clause problem. The Constitution’s Commerce Clause gives Congress power to regulate interstate and international commerce; importantly, it also keeps individual states from doing things that overly burden this commerce. The Wire Act shows that Congress is already regulating interstate gambling issues, meaning that states are likely pre-empted from tackling the same problem. Moreover, as the Pappert court noted, it’s quite expensive for ISPs to install URL filtering technology (at 629-34). There’s rarely a single “choke” point in the network where one can put a filter in place, and effective filtering usually slows network transfer speeds. (Australia is grappling with exactly these problems.) Thus, if Minnesota forces ISPs to adopt costly technology to meet its local gaming preferences, that’s clearly a burden on interstate commerce. (See Pappert at 645-46.) Since blocking doesn’t fall within Congressional authorization under the Wire Act, it probably runs afoul of the Commerce Clause.

I think this is bad law and benighted policy. If it gets to a court challenge, I’d be delighted to collaborate with other cyber-folks on an amicus brief explaining exactly why this is. So, I’ll give odds: 2:1 says the Department quietly drops this plan; 1:1 the ISPs politely refuse to comply; 1:2 Brett Favre signs with the Vikings, whose fans quickly come to appreciate Tavaris Jackson…

[Oh no! Now they're filtering Info/Law!]

Update (5 May 1:00PM): I thought it might be helpful to list the 11 ISPs: Charter Communications, Comcast Cable, Direct TV, Dish Network, EMBARQ, Qwest, Sprint/Nextel, Verizon Wireless, AT&T Internet Services, Wildblue, and Frontier all received notices; the FCC received a copy as well.