The SANS Technology Institute

Leadership Laboratory

Leadership Lab: Information Technology and the Law

This series of essays explores the many aspects of technology law relating to computer and information security.

Let Credit Card Industry Allocate Data Security Risks by Negotiation - March 12th, 2007
Data Thefts - Give the Public the Disclosure It Seeks - March 22nd, 2007
Network Neutrality - Updated July 3rd, 2007
Can Cyber Criminals Consent to Being Watched and Foiled? - May 14th, 2007
The Dangers of Too Much Data Privacy - May 28th, 2007
Assembly Bill (AB) 779 Suffers from Sloppy Draftsmanship - October 12th, 2007
New Merchant Liability for Losing Credit Card Data - June 14th, 2007
ChoicePoint Marked New Era in Data Security Law - May 31st, 2007

Network Neutrality

July 3rd, 2007
By Stephen Northcutt
Version 1.2

AT&T and Verizon Communications announced their desire in 2006 to create a tiered Internet system that would require big bandwidth hogs like Google or Yahoo to pay more for their access, and it has continued to be a hot-button issue in the tech industry.[1] In response, there is a "Net Neutrality" movement that looks like it will even play a part in the presidential campaign. According to www.savetheinternet.com, "John Edwards has joined the growing list of presidential candidates to voice their support for Net Neutrality. 'We need Net Neutrality,' Edwards told Howard University students in a recent audience Q&A. 'Information vehicles like YouTube, the Internet at large, blogging, video blogging, all these things are ways for democracy to flourish. They're ways for ordinary Americans to participate in the process,' he said."[2]

According to Google, "Network neutrality is the principle that Internet users should be in control of what content they view and what applications they use on the Internet. The Internet has operated according to this neutrality principle since its earliest days. Indeed, it is this neutrality that has allowed many companies, including Google, to launch, grow, and innovate. Fundamentally, net neutrality is about equal access to the Internet. In our view, the broadband carriers should not be permitted to use their market power to discriminate against competing applications or content."[3] Vinton Cerf,[4] a man who really did help invent the Internet, gave the following testimony, "Allowing broadband carriers to control what people see and do online would fundamentally undermine the principles that have made the Internet such a success. For the foreseeable future most Americans will face little choice among broadband carriers. Enshrining a rule that permits carriers to discriminate in favor of certain kinds or sources of services would place those carriers in control of online activity."[5]

John Thorne, a Verizon senior vice president and deputy general counsel was famously quoted giving the other side of the story, "The network builders are spending a fortune constructing and maintaining the networks that Google intends to ride on with nothing but cheap servers."[6]

So far, neither side is overwhelming happy with US legislation, a quick trip to the Library of Congress's Thomas,[7] can show the two bills, which really don't take a strong stand either way for network neutrality. Expect this to come up again! In April 2007, legislation[8] has been introduced in New York that has explicit Net Neutrality language.[9] This is likely to be similar to the citizen's rights to notification of data breach; the Federal government didn't act, but California passed S1386 and many other states followed. Only then did the Federal government eventually take action.[10,11,12]

According to Maury Shenk, an attorney in the UK, this is also a hot topic in the UK. In a meeting with the regulatory body Ofcom,[13] Shenk observed, "UK service providers actually seem more worried about degradation (because it can be difficult to distinguish from non-malicious network performance issues) than outright blocking. But actual incidence of blocking / degradation so far appears to be very low, at least in the experience of the UK Internet Telephony Service Providers Association (the group with whom I met with Ofcom today)."[14] The big concern for UK ISPs seems to be bandwidth issues, which are orders of magnitude more severe for apps like BitTorrent than for VoIP. As VoIP acceptance continues to swing, we will probably see this ratio of concern for BitTorrent fade and VoIP rise; we have already written about concerns related to hidden costs with BitTorrent.[15]

What is network neutrality? Should packets be processed in the order they are received regardless of content? Probably not if you want the Internet to work! But on the other hand, you do not want people intentionally controlling the traffic limiting commerce and granting themselves near monopoly powers. So, there has to be a balance.

Is this a new issue, favoring or disfavoring of one packet or service over another? No, it goes back to an innovator, who was an undertaker in 1890 named Almon Strowger. "What really spurred him on was when he imagined that his undertaking business was missing out because the lady at the phone exchange was connecting callers to a rival funeral business." Strowger then created the automated switching network so that human operators could not favor or disfavor one service over another.[16] In the 1990s, the creators of the Internet had all of this figured out, it was called policy based routing. When a packet is put on the network, a bit pattern in the second octet of the packet could describe how to treat the packet - cheapest path, fastest path, most reliable, etc. However, at the time, no one was particularly interested in the issue. But it looks like that may be changing.[17,18,19] In fact, Time Warner has already announced the use of packet shaping technology to penalize high traffic users during peak periods.[20]

As the United States approaches the 2008 Presidential campaign[21], this may be one of the issues. Recently, "A San Francisco tech show [Supernova 2007] degenerated into a shouting match today, after a pugnacious Bush commerce official squared off with heated supporters of net neutrality."[22] Suw Charman's blog has some of the actual Q+A that took place, including what is rapidly shaping up to be the mantra of Network Neutrality, "There is no marketplace.[23]

Perhaps the best reasoned voice on the subject is Tim Wu,[24] "But what must be banned are blocking, gratuitous discrimination, and choosing favorites. While it's one way to earn cash, it's just too close to the Tony Soprano vision of networking: Use your position to make threats and extract payments. This is similar to the outlawed, but still common, 'payola' schemes in the radio world. Yes, there's money in such schemes, but they aren't good for the industry or the country."[25]

What is the role of the information security leader with respect to Network Neutrality? There is big money riding on this that could affect the operational cost of network access for your organization or company. Read a bit about the issue then set up a google alert;[26] in a few weeks when you have made your mind up on where you feel on this issue, consider dropping your legislator a note. It is that important!


1. http://news.com.com/2100-1037-6049863.html?tag=yt
2. http://www.savetheinternet.com/blog/2007/04/11/john-edwards-we-need-net-neutrality/
3. http://www.google.com/help/netneutrality.html
4. http://www.icann.org/biog/cerf.htm
5. http://commerce.senate.gov/pdf/cerf-020706.pdf
6. http://www.washingtonpost.com/wp-dyn/content/article/2006/02/06/AR2006020601624.html
7. http://thomas.loc.gov/cgi-bin/bdquery/z?d109:HR05252: and, http://thomas.loc.gov/cgi-bin/query/F?c109:140:./temp/~mdbsfxMvew:e729:
8. http://assembly.state.ny.us/leg/?bn=A03980
9. http://www.freepress.net/news/223879
10. http://www.privsecblog.com/archives/federal-legislation-pending-privacy-and-data-security-legislation-in-the-110th-congress.html
11. http://www.sans.edu/resources/leadershiplab/public_relations_bw.php
12. http://www.sans.edu/resources/securitylab/data_breach_disclose.php
13. http://www.ofcom.org.uk/
14. Email conversations with Shenk, April 16, 2007
15. http://www.sans.edu/resources/securitylab/227.php
16. http://www.connected-earth.com/Galleries/Pioneersandpersonalities/S/Strowger/index.htm
17. http://www.cisco.com/warp/public/732/Tech/plicy_wp.htm
18. http://en.wikipedia.org/wiki/Policy_based_routing
19. http://www.linktionary.com/t/tos.html
20. http://www.dslreports.com/forum/remark,18468495
21. Wikipedia, June 28, 2007, http://en.wikipedia.org/wiki/United_States_presidential_election,_2008
22. The Register, June 28, 2007, http://www.theregister.co.uk/2007/06/22/bush_government_net_neutrality/
23. Suw Charman Blog, June 28, 2007, http://conversationhub.com/2007/06/22/day-1-john-kneuer-tech-policy-%20expert/
24. http://www.internetcaucus.org/biography/timothy-wu.shtml
25. http://www.slate.com/id/2140850/
26. http://www.google.com/alerts