I tend to favor protecting end-to-end in the Internet context, but I’m a bit worried about what the net neutrality rules will look like in practice. There are two ways to think of this problem. First, who is the target of regulatory action? The FCC’s rules seem to look at the CEO or CTO of an ISP or telecom company. I think the correct focus is farther down the corporate ladder: the IT folks who have to implement rules on their routers. The new rules seem fine as policy statements, but how do they translate into what you can and can’t do with bits?

Second, what existing practices are covered by the net neutrality rules? I worry there are some laudable practices that might run afoul of the rules – even if it’s unlikely the FCC would seek enforcement against them. (Safety that depends on agency discretion is not particularly comforting.) Here’s a fast list of practices that might violate net neutrality right now:

• Port blocking – can ISPs prevent you from sending e-mail except through their servers by blocking port 25? Many, including Verizon, already do. (See Rule 2 in the Press Release.)
• Network Address Translation – NAT rewrites IP addresses to ensure that packets reach their destination. Does altering header information violate the rules? (Rule 6 at least, maybe Rule 4.)
• Spam filtering – ISPs routinely drop connections, or quarantine messages, from known spammers and spam-friendly destinations. (Rules 1, 4.)
• VoIP routing – some telcos route their own VoIP traffic across their network rather than the public Internet, which is more efficient (assuming both ends of the conversation have the same provider). That’s almost certainly out. (Rule 5.)
• Virus prevention – some educational institutions scan connecting devices for Trojans / viruses / malware, or software that protects against them, and condition network access on passing this scan. (Rule 3, though doubtless the FCC would use the “harm” criterion as a dodge.)

So, I’m worried about how the FCC’s legal rules are implemented in code. I think we need a lot more guidance from the agency, particularly since net neutrality still feels somewhat like a solution in search of a problem…

Yoo has set himself apart as one of the most thoughtful and consistent opponents of legislated limits on service providers’ discrimination among content. He suggests that we should instead look for “network diversity” and worries that forced equality among dramatically different applications with different needs (technical and otherwise) will stifle innovation. Wu has been a supporter of mandatory network neutrality, although a careful one who warns that it will be very important to get the precise definition of neutrality requirements exactly right. (My co-blogger Derek pointed out months ago that there is a similar challenge in defining the precise approach on a technical level.)

As with many issues that become politicized, a lot of the debate around net neutrality has gravitated toward competing horror stories. Proponents of regulation paint a picture of gargantuan ISPs like Comcast maintaining a stranglehold over the “last mile” conduit to our computers and favoring highly commercial content that pays for the privilege of loading fast — and consigning smaller or newer content providers to snail-like load speeds that effectively deprive them of an audience. The other side suggests that “regulating” the internet with network neutrality rules will discourage investment, freeze technology in place, and prevent exciting but bandwidth-intensive innovations such as interactive or otherwise enhanced video.

Yoo and Wu are much more thoughtful than that. Personally, I am more persuaded by Wu — especially because, as I have said before, even if competition for last mile service becomes robust (still an open question!), individual consumers are unlikely to have the necessary information to choose among network providers based on their different treatment of content. Rather than competition in a world of “network diversity” I fear lock-in of one set of favored content. But Wu (and Derek) are absolutely right that simply declaring, “No differential treatment of content!” is an unacceptably broad and simplistic solution.

We also see China moving to tighten the link between on-line and off-line identity by requiring bloggers to register with their real names.  This is another example of Internet filtering as a cross-border problem: material hosted in one’s own country is easily controlled by sending a couple police officers with guns to the local ISP (or the local blogger’s home).

The United Arab Emirates is engaging in more widespread blocking of Voice over IP phone services.  ONI found heavy blocking of material in the UAE, but this filtering appears more economic than cultural: Etisalat, the state-owned telco, is protecting its long-distance monopoly.

And a write-up in The Observer covers Vietnam’s Internet controls.  The article is a bit heavy-handed in its descriptions – while cybercafe owners are required to be helpful to security services when asked, most are far less interested in serving as private police than in making money from citizens eager to chat with relatives over VoIP or to check out sports Web sites – but rightly notes that activists such as Cong Thanh Do take serious risks in order to post pro-democracy content on-line in Vietnam. (For a more balanced look, check out ONI’s stats-heavy study.)

Here in the States, the government is back in court arguing laws are needed to overcome technology’s failures: the Justice Department contends that filtering software is insufficiently effective to keep kids away from objectionable content, and hence the federal government should be able to impose penalties on Web site operators who permit minors such access.  This argument is quite clearly garbage on the merits: Saudi Arabia, using the software SmartFilter and a small group of techs, blocks nearly 100% of the porn on the Internet for everyone in that country.  Similar software is readily available for purchase here in the States.

Internet content has its potential risks – viruses, hate speech, raunchy video – and control over the medium exists on a continuum, but we should be wary of efforts to move along that continuum towards higher rather than lower fences.

I approach this with both my former systems engineer and current lawyer hats on. Assume Congress decides network neutrality is a wonderful idea, and legislates to that effect. How would such legal code translate into computer code – in this case, network management policies? What would ISPs or other telecommunications companies be enjoined from doing?

I’ve considered a few possibilities, none satisfactory:

• No port blocking: ISPs could not block ports, which would make it harder to prevent the deployment of new services such as VoIP. However, ISPs already block ports (such as Earthlink, with SMTP’s port 25), and there are excellent reasons to block, say, port 23 (Telnet).

• No discrimination by sender: ISPs could not handle packets from different senders differently. However, ISPs already do this to filter spam (preventing connections or mail from known bad actors) or to mitigate Denial of Service attacks. Both policies seem unobjectionable.

• No discrimination by recipient: ISPs could not handle packets to different recipients differently. However, would this change spam filtering (for example, flagging or quarantining messages addressed to many users – often a sign of spam), or filtering based on parental controls?

• No discrimination by application: ISPs could not handle packets for different applications in a different fashion. Yes, please tell providers that they must allow users to port scan the network.

• No differential charges: ISPs could not charge 1) users or 2) senders differently based on application, content, or destination. But ISPs already offer tiered service plans (based on connection speed, storage space, services offered — try running a DNS server on your network, or upstream bandwidth) to users. Plus, some anti-spam strategies require charging senders differently, and it’s not clear how to craft a policy that lets ISPs block smurfing but prevents differential pricing. (Remember, users are senders too…)

In short, imagine you’re the IT person charged with implementing a law that mandates network neutrality. What switches do you flip? Remember that you have to keep your users and management happy by blocking spam, dealing with virus / worm traffic (including botnets, and perhaps kicking infected machines off the network), and perhaps preventing vulnerability identification with nmap or the like, at the same time you keep Congress happy by avoiding discriminatory treatment. What do you do?

I hope someone will help me with this. Comments appreciated.

While everyone asks about whether or not these companies cooperated with the NSA, and to what extent, I have another question. What about all the other providers of telephone service? USA Today did not even mention the millions of consumers who get phone service from cable, wireless, or VoIP instead of the land lines provided by big Baby Bell-descended phone companies. Is the NSA getting those other phone records (or some of them) too?

Neither potential answer is especially appealing. If yes, then the degree of surveillance, and the number of private companies that compliantly participated in a surveillance program of questionable validity, is much greater than previously reported. If no, then the effectiveness of any resulting social network analysis is even more doubtful because it leaves out significant numbers of users. We may never know — leaving us to speculate which bad answer we would prefer.

VoIP blocking is worrisome for three reasons. First, although telecom companies are primarily responsible for blocks at the moment, this tactic maps out a way for governments to increase control over how their citizens communicate. ISPs are frequently deputized to implement Internet filtering, as in Iran or Yemen. Information control through technology is path-dependent; once filtering systems are in place, states will often find ways to misuse them. Authoritarian states fear that citizens may use programs such as Zfone to communicate in ways that can’t be tapped or recorded.
Second, VoIP filtering undercuts the “end-to-end” architecture responsible for the Internet’s generativity and promise as a platform. Innovators need not ask permission of intermediaries before launching new applications that communicate across the Net – they can depend on the brilliantly “stupid network” to transfer packets for their program in the same way that Web pages and e-mail messages travel from user to user. Much of the network neutrality debate thus far has focused on the risk that Google will have to bribe gatekeepers such as SBC to permit users to access its search engine. I’m less worried about this possibility – any ISP that prevents access to Google will commit financial suicide as consumers flee – than I am about the threat that intermediaries will choke nascent, promising applications to protect legacy business models.

Finally, I’m worried about distributional considerations. When I visited Ho Chi Minh City in March, I was astonished by the number of people using VoIP in cybercafes to make cheap phone calls overseas – it was far more popular as an activity than Web surfing, and many cafes explicitly focused their advertising on VoIP. Using blocking technology to shut off VoIP calls, and thereby keep the price of voice communication high, effectively transfers wealth from citizens in developing countries to protected, often state-owned telco companies. The Internet offers the possibility of heavily reducing the cost of communication, and allowing people in Hanoi the same ability to access and share information as people in Houston. VoIP blocking threatens to throttle that hope.