Tuesday, April 19, 2016

Net neutrality, meet lawful interception

This post is written today from the NFV World Congress where I am chairing the first day track on operations. Many presentations in the pre-show workshop day point to an increased effort from standards bodies (ETSI, 3GPP..) and open source organizations (OpenStack, OpenDaylight...) to address security by design in next generations networks architecture.
Law enforcement agencies are increasingly invited to contribute or advise to the standardization work to ensure their needs are baked into the design of these networks. Unfortunately, it seems that there is a large gap between lawful agencies requirements, standards and regulatory bodies. Many of the trends we are observing in mobile networks, from software defined networking to network functions virtualization and 5G assume that operators will be able to intelligently route traffic and apportion resources elastically. Lawful interception regulations mandate that operators, upon a lawful request, may provide means to monitor, intercept, transcribe any electronic communication to security agencies.

It has been hard to escape the headlines, lately when it comes to mobile networks, law enforcement and privacy. On one hand, privacy is an inalienable right that we should all be entitled to, on the other hand, we elect governments with the expectation that they will be able to protect us from harm, physical or digital. 

Digital harm, until recently, was mostly illustrated by misrepresentation, scams or identity theft. Increasingly, though, it translates into the physical world, as attacks can impact not only one's reputation, credit rating but also one's job, banking and soon cars, and connected devices.

I have written at length about the erroneous assumptions that are underlying many of the discourses of net neutrality advocates. 
In order to understand net neutrality and traffic management, one has to understand the different perspectives involved.
  • Network operators compete against each other on price, coverage and more importantly network quality. In many cases, they have identified that improving or maintaining quality of Experience is the single most important success factor for acquiring and retaining customers. We have seen it time and again with voice services (call drops, voice quality…), messaging (texting capacity, reliability…) and data services (video start, stalls, page loading time…). These KPI are the heart of the operator’s business. As a result, operators tend to either try to improve or control user experience by deploying an array of traffic management functions, etc...
  • Content providers assume that highest quality of content (HD for video for instance) equals maximum experience for subscriber and therefore try and capture as much network resource as possible to deliver it. Browser / apps / phone manufacturers also assume that more speed equals better user experience, therefore try to commandeer as much capacity as possible. A reaction to operators trying to perform traffic management functions is to encrypt traffic to obfuscate it. 
The flaw here is the assumption that the optimum is the product of many maxima self-regulated by an equal and fair apportioning of resources. This shows a complete ignorance of how networks are designed, how they operate and how traffic flows through these networks.

This behavior leads to a network where resources can be in contention and all end-points vie for priority and maximum resource allocation. From this perspective one can understand that there is no such thing as "net neutrality" at least not in wireless networks. 

When network resources are over-subscribed, decisions are taken as to who gets more capacity, priority, speed... The question becomes who should be in position to make these decisions. Right now, the laissez-faire approach to net neutrality means that the network is not managed, it is subjected to traffic. When in contention, resources are managing traffic based on obscure rules in load balancers, routers, base stations, traffic management engines... This approach is the result of lazy, surface thinking. Net neutrality should be the opposite of non-intervention. Its rules should be applied equally to networks, devices / apps/browsers and content providers if what we want to enable is fair and equal access to resources.

Now, who said access to wireless should be fair and equal? Unless the networks are nationalized and become government assets, I do not see why private companies, in a competitive market couldn't manage their resources in order to optimize their utilization.

If we transport ourselves in a world where all traffic becomes encrypted overnight, networks lose the ability to manage traffic beyond allowing / stopping and fixing high level QoS metrics to specific services. That would lead to network operators being forced to charge exclusively for traffic tonnage. At this point, everyone has to pay per byte transmitted. The cost to users would become prohibitive as more and more video of higher resolution flow through the networks. It would mean also that these video providers could asphyxiate the other services... More importantly, it would mean that the user experience would become the fruit of the fight between content providers' ability to monopolize network capacity, which would go again any net neutrality's principles. A couple of content providers could dominate not only service but the access to these service as well.

The problem is that encryption makes most traffic management and lawful interception provisions extremely unlikely or at the least very inefficient. Privacy is an important facet of net neutrality's advocates' discourse. It is indeed the main reason many content and service providers are invoking for encrypting traffic. In many case, this might be a true concern, but it is hard to reconcile that with the fact that many provide encryption keys and certificates to third party networks or CDNs for instance to improve caching ratios, perform edge packaging or advertising insertion. There is nothing that would prevent this model to be extended to wireless networks to perform similar operations. Commercial interest has so far prevented these types of models to emerge.

If encryption continues to grow, and service providers deny to operators the capability to decrypt traffic, the traditional burden of lawful interception might be transferred to the former. Since many providers are transnational, what is defined as lawful interception is unlikely to be unenforceable. At this stage we might have to choose, as societies between digital security or privacy.
In all likeliness, though, one can hope that regulatory bodies will up their technical game and understand the nature of digital traffic in the 21st century. This should lead to lawful interception mandate being applicable equally to all parts of the delivery chain, which will force collaborative behavior between the actors. 

No comments: