One of the most frequent refrains from the big broadband players and their friends who are fighting against net neutrality rules is that there's no evidence that ISPs have been abusing a lack of net neutrality rules in the past, so why would they start now? That ignores multiple instances of violations in the past, but in combing through the comments submitted to the FCC concerning net neutrality, we came across one very interesting one that makes some rather stunning revelations about the ways in which ISPs are currently violating net neutrality/open internet principles in a way designed to block encryption and thus make everyone a lot less secure. The filing comes from VPN company Golden Frog and discusses "two recent examples that show that users are not receiving the open, neutral, and uninterrupted service to which the Commission says they are entitled."
You may actually have heard about the first example. It got some attention back in July, when entrepreneur Colin Nederkoorn released a video showing how Verizon was throttling his Netflix connection, which became obvious when he logged into a VPN and suddenly his Netflix wasn't stuttering and the throughput was much higher. That video got a lot of attention (over half a million views) and highlighted the nature of the interconnection fight, in which Verizon is purposely allowing Netflix streams coming via Level 3 to clog. As most people recognize, in a normal scenario using a VPN should actually slow down your connection somewhat, thanks to the additional encryption. The fact that it massively sped up the Netflix connection shows just how much is being throttled when Verizon knows it's Netflix traffic. Nederkoorn was using Golden Frog's VyprVPN in that video, so it makes Golden Frog look good -- but the company notes that it really shows one way in which "internet access providers are 'mismanaging' their networks to their own users' detriment."
But the second example Golden Frog provides is much scarier and much more pernicious, and it has received almost no attention.
In the second instance, Golden Frog shows that a wireless broadband Internet access provider is interfering with its users’ ability to encrypt their SMTP email traffic. This broadband provider is overwriting the content of users’ communications and actively blocking STARTTLS encryption. This is a man-in-the-middle attack that prevents customers from using the applications of their choosing and directly prevents users from protecting their privacy.
They demonstrate this with a graphic in the filing showing the rewritten SMTP exchange.
This is scary. If ISPs are actively trying to block the use of encryption, it shows how they might seek to block the use of VPNs and other important security protection measures, leaving all of us less safe. Golden Frog provides more details of what's happening in this case:
Golden Frog performed tests using one mobile wireless company’s data service, by manually typing the SMTP commands and requests, and monitoring the responses from the email server in issue. It appears that this particular mobile wireless provider is intercepting the server’s banner message and modifying it in-transit from something like “220 [servername] ESMTP Postfix” to “200 ********************.” The mobile wireless provider is further modifying the server’s response to a client command that lists the extended features supported by the server. The mobile wireless provider modifies the server’s “250-STARTTLS” response (which informs the client of the server’s capacity to enable encryption). The Internet access provider changes it to “250-XXXXXXXA.” Since the client does not receive the proper acknowledgement that STARTTLS is supported by the server, it does not attempt to turn on encryption. If the client nonetheless attempts to use the STARTTLS command, the mobile wireless provider intercepts the client’s commands to the server and changes them too. When it detects the STARTTLS command being sent from the client to the server, the mobile wireless provider modifies the command to “XXXXXXXX.” The server does not understand this command and therefore sends an error message to the client.
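The defensive lesson in the exchange above is that a mail client must fail closed: if the greeting or the EHLO reply looks rewritten, or STARTTLS is simply not advertised, it should abort rather than quietly continue in plaintext. The following is an added illustration, not code from the Golden Frog filing; the server name and the sample replies are constructed to mirror the rewrites the filing describes.

```python
import re

# Constructed samples modelled on the filing: a clean Postfix-style
# exchange and the same exchange as rewritten by the carrier.
CLEAN_BANNER = "220 mail.example.com ESMTP Postfix"
CLEAN_EHLO = ["250-mail.example.com", "250-SIZE 10240000",
              "250-STARTTLS", "250 8BITMIME"]
TAMPERED_BANNER = "200 ********************"
TAMPERED_EHLO = ["250-mail.example.com", "250-SIZE 10240000",
                 "250-XXXXXXXA", "250 8BITMIME"]

def parse_ehlo(lines):
    """Return the EHLO keywords (RFC 5321): skip the first line, which only
    carries the server's domain, and take the first token of each 250 line."""
    keywords = set()
    for line in lines[1:]:
        m = re.match(r"^250[- ](\S+)", line)
        if m:
            keywords.add(m.group(1).upper())
    return keywords

def assess(banner, ehlo_lines):
    """Decide whether the session may proceed to STARTTLS.

    Returns (ok, reasons). ok is True only for a normal 220 greeting with
    STARTTLS advertised; anything else fails closed, so the client should
    abort rather than send credentials or mail in the clear."""
    reasons = []
    if not banner.startswith("220"):
        reasons.append("greeting code is %r, expected 220" % banner[:3])
    if re.search(r"\*{8,}", banner):
        reasons.append("greeting text looks masked")
    keywords = parse_ehlo(ehlo_lines)
    for kw in sorted(keywords):
        if re.fullmatch(r"X{6,}[A-Z]?", kw):
            reasons.append("masked EHLO keyword %r" % kw)
    if "STARTTLS" not in keywords:
        reasons.append("STARTTLS not advertised")
    return (not reasons, reasons)

def starttls_accepted(reply):
    """True only if the server answered STARTTLS with 220 (ready for TLS).
    A rewritten command draws an error reply instead, which must never be
    treated as permission to continue in plaintext."""
    return reply.startswith("220")

if __name__ == "__main__":
    for label, b, e in [("clean", CLEAN_BANNER, CLEAN_EHLO),
                        ("tampered", TAMPERED_BANNER, TAMPERED_EHLO)]:
        ok, why = assess(b, e)
        print(label, "proceed" if ok else "abort", why)
```

Running it prints "proceed" for the clean exchange and "abort" with four findings for the tampered one; the same fail-closed policy is what a "require TLS" setting in a mail client or MTA enforces.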
As Golden Frog points out, this is "conceptually similar" to the way in which Comcast was throttling BitTorrent back in 2007 via packet reset headers, which kicked off much of the last round of net neutrality concerns. The differences here are that this isn't about blocking BitTorrent, but encryption, and it's a mobile internet access provider, rather than a wired one. This last point is important, since even the last net neutrality rules did not apply to wireless broadband, and the FCC is still debating if it should apply any new rules to wireless.
After reading the Golden Frog filing, the answer should be that it is absolutely necessary to apply the rules to wireless, because practices like these put us all at risk by undermining the encryption that keeps us all safe. As Golden Frog notes:
Absent enforceable Commission rules, broadband providers can (and at least one already does) block and discriminate against entirely acceptable Internet uses. In this case, users are not just losing their right to use the applications and services of their choosing, but also their privacy. It is not at all clear that this type of encryption blocking would be forbidden for fixed broadband Internet access, under the proposed rules’ exception for reasonable network management. This example involves mobile wireless broadband, however, and it is clear that the proposed rules would not prohibit the activity. STARTTLS encryption does not constitute “a lawful website” or “an application that compete[s] with the provider’s voice or video telephony services[.]” The proposed rules on their face do not prohibit mobile broadband Internet access providers from blocking user efforts to maintain privacy through encryption.
Furthermore, Golden Frog concludes:
The claim that rules banning blocking and unreasonable discrimination are solutions in search of a problem is flatly wrong. There have been problems in the past and there are problems now. The proposed rules do not resolve all of the problems identified in the NPRM. Further, broadband Internet access providers are still interfering with beneficial and privacy-enhancing applications users want to employ.
This is incredibly important -- just at a time when we need stronger encryption and privacy online, the FCC may undermine it with weak net neutrality rules that allow this type of behavior to continue.
A few months ago, I got into a conversation with a well-known internet entrepreneur/investor, who asked about possible "compromise" rules on net neutrality, suggesting that maybe it's okay to throttle Netflix traffic because there's so much of it. He argued that perhaps there could be some threshold, and if your traffic was above that threshold it's okay to throttle it. After some back and forth, I asked the hypothetical about encryption: what if, at a time when more and more encryption is important, such a rule was in place, and overall encrypted traffic passed that threshold? Then suddenly access providers could throttle all encrypted traffic, doing tremendous damage to security and privacy. What I didn't realize was that some access providers are effectively already attacking privacy and encryption in this manner.