The Federal Communications Commission is reportedly dismantling its Net neutrality rules. What does that mean for privacy and cybersecurity? The answer is “probably nothing,” but there are some things to look out for.
First, we have to define what we mean by Net neutrality. The definition varies from person to person, moment to moment. The term was coined by Columbia Law School professor Tim Wu in a 2003 paper to mean the equal treatment of all network traffic by Internet service providers. This was then adopted as a political slogan to describe such things as the current FCC Open Internet Order.
It’s important to note that the FCC order does not, in fact, secure Net neutrality. The FCC’s mission is essentially to protect consumer interests in the face of ISP malfeasance and monopolistic power, not to uphold an abstract technical principle. Its Open Internet Order regulates things that have little to do with neutral treatment of network traffic, and it allows numerous things that violate that principle, such as the asymmetric nature (faster downloads than uploads) of most Internet connections.
So at stake here isn’t the equal treatment of all Internet traffic; it quite simply is what would happen when the FCC loosens its current restrictions. And in today’s environment, where consumers increasingly rely on the privacy and security features built into the network and their everyday apps, it simply wouldn’t be in ISPs’ best interest to meddle much.
Let’s consider virtual private networks for a moment. As described in Wu’s paper, many early broadband providers blocked VPN access. This wasn’t an effort to block applications, but rather an effort in “price discrimination”—a way to charge business customers more. VPNs were seen purely as a business application, and thus a legitimate target. This would be similar to Comcast blocking VPNs for ordinary customers but allowing them on its Comcast Business Class service.
Such discrimination is unlikely to happen today. As encryption has spread to consumer products, VPN technology has become a standard consumer application. It is now impractical for ISPs to block.
Another concern among security and privacy advocates over the dismantling of the Open Internet Order is that ISPs could legally intercept Web pages and insert their own ads into them. This has also happened in the past, especially with lower-bandwidth mobile-phone Web browsing. And this also is unlikely to happen today, for two reasons.
The first is that the “deep-packet inspection” required to intercept and replace site ads is expensive for ISPs. Sure, they may try a few proof-of-concept deployments, but as networks get faster, deep-packet inspection can’t keep up, and such projects are canceled. Even mobile networks are reaching traffic volumes that make deep-packet inspection difficult.
Things ISPs used to do with deep-packet inspection (such as transcoding video to lower bit rates for mobile devices) are no longer practical. Today, they do those things on the server, in partnership with video companies, rather than on the network.
The second, more important, reason ISPs can’t insert ads into Web pages is that a large portion of Internet traffic today is encrypted with SSL. ISPs cannot defeat this encryption. Even simple things like your Google searches are secret from your ISPs.
In the years following revelations of mass spying, the Electronic Frontier Foundation’s Let’s Encrypt efforts and CloudFlare hosting have gained in prominence, and the number of unencrypted Web connections has significantly waned. Despite few privacy concerns, even connecting to The New York Times’ site requires an SSL connection.
So sure, ISPs might try to intercept site connections to insert ads, but that would be stupid, as doing so would only drive even more adoption of SSL and potentially regulation.
Encryption stretching far beyond SSL or VPN connections is increasingly built into everything we do. Compared to early broadband 15 years ago, modern ISPs have dramatically fewer ways to compromise your data. The legal threats to consumer security and privacy today come not from companies like Comcast, nor regulatory agencies like the FCC, but rather from potential laws passed by Congress at the behest of the FBI or the Justice Department forcing companies to insert backdoors into their products’ encryption.
Selling DNS metadata
Let’s talk DNS. While encryption protects data, domain name server lookups leak metadata that can’t be encrypted. This is especially true when using the ISP’s own DNS “resolvers.” Sometimes ISPs redirect all traffic on port 53 (the DNS port), forcing you to use their resolver. ISPs can and sometimes do sell this information to advertisers—you may find that even when all your connections are SSL, you get served ads related to your IP address and DNS information.
Many ISPs stopped selling this data after receiving complaints. I’m not sure if, in the absence of the Open Internet Order, they’re likely to resume the practice; it’s something worth keeping track of, as leaking DNS metadata is a great privacy concern.
Let’s talk port filtering. ISPs have long tried to stop network abuses by filtering various ports. They used to filter certain ports to stop hackers from accessing Windows networking. Now that most home machines are behind a NAT or firewall, they basically block outbound port 25 to stymie spam coming from home machines infected with viruses.
Such actions are allowed both under Tim Wu’s original definition of Net neutrality and FCC policies, so this is unlikely to change.
Finally, let’s talk mobile apps. AT&T has blocked FaceTime, and Verizon has blocked Google Wallet. The blocking happened on the device rather than on the network, and the FCC regulates what goes on within a device separately—and more leniently—from what goes on within a network.
With more lenient regulation on how devices handle apps, mobile providers may decide to block various apps’ privacy and security features, hold them ransom for more money, or actively invade them with phone features. They would likely do this through features they build into their own versions of the mobile operating system. But they wouldn’t necessarily do it at all, given how integral privacy and security have become to applications.
The same concept will likely hold for networks. The relaxing of the FCC’s Open Internet rules would theoretically allow broadband and mobile ISPs to broadly mess around with consumer privacy or security. But using technology to compromise what have become key network features simply wouldn’t be practical—or even profitable.