You are hereFeed aggregator / Sources / CDT

CDT


Syndicate content
Keeping the Internet Open, Innovative and Free
Updated: 3 hours 1 min ago

Paid Prioritization: We Have Solved This Problem Before

Mon, 2018-04-23 16:20

Net neutrality does not end today. Although today does mark 60 days since the publication of the FCC’s order repealing its own rules, that repeal (due to some obscure and protracted administrative procedure) has not yet taken effect. Keep this in mind if you read or hear any arguments pointing out that ISPs haven’t ruined the internet, even without the net neutrality rules. For now, they still exist. And if the current effort to shut down the repeal through the Congressional Review Act (CRA) succeeds, the net neutrality protections will survive even longer.* But that doesn’t mean the debate is standing still. Instead, opponents of the rules are using the recent and repeated regulatory swings (that they caused) as justification for a legislative compromise. Specifically, some in the telecom industry have argued for watered-down consumer protections, most recently on the subject of paid prioritization.

Although it has been a key tenet of the net neutrality discussion for years, paid prioritization has recently become a more prominent focal point. Commonly spoken of in terms of “fast lanes,” paid prioritization is when online companies pay ISPs to give their data traffic preferential treatment. It allows ISPs to double charge by charging both the customer for service and edge providers to reach customers, and lets well-funded companies buy an advantage over their competitors. Because the value (and therefore the price) of paid prioritization increases as networks become more congested, it also rewards ISPs for letting their networks become clogged rather than upgrading their capacity.

Last week, the House Energy and Commerce Subcommittee on Communications and Technology held a hearing on the subject, ostensibly to “have a realistic discussion” about it and to develop a “nuanced approach.” This language fits nicely with the industry’s calls for compromise legislation, but conveniently discounts the decades-long discussion that led up to the 2015 Open Internet Order (OIO).

In some ways, the focus on paid prioritization represents progress. (It even sells hamburgers!) Practices like blocking websites or applications or throttling certain net traffic have become so universally disapproved that they have faded from the debate. Most ISPs either have no interest in blocking or throttling or they have given up fighting for the ability to do so, and even the current ISP-friendly legislative proposals would prohibit these practices. Paid prioritization, however, remains a core source of disagreement.

Unfortunately, ISPs and their advocates have tried to confuse the issue to hide the negative effects and incentives paid prioritization creates. They have claimed that banning paid prioritization jeopardizes telemedicine applications and autonomous vehicle safety and would inhibit emergency first responders and 911 systems. They have claimed that content delivery networks (CDNs) do the same thing as paid prioritization. They have talked about beneficial network traffic management techniques and paid prioritization as though they are one and the same. They have argued that small businesses would benefit from paid prioritization. They have claimed that paid prioritization would somehow lower the cost of internet access and have even used TSA PreCheck as a positive example of paid prioritization. But these claims are either misleading, ridiculous, or just plain wrong.

The net neutrality rules created by the OIO banned paid prioritization because of its potential for harm to innovation and competition at the edges of the internet was “overwhelming.” The rules, (which the current FCC has voted to repeal) applied only to broadband internet access service (BIAS) and did not apply to “specialized” or non-BIAS services, such as telemedicine applications or autonomous vehicle support. The rules also created exceptions for emergency services. So, under the OIO, ISPs would still be able to offer paid prioritization for the use cases they list because they do not constitute broadband internet access.

The arguments about CDNs and network management amount to semantic sleight-of-hand. CDNs allow companies to store information, like the files that make up websites or the music and movie files for streaming, closer to end users. This decentralized distribution makes for a better, faster experience by minimizing the distance and number of network segments between the user and the information. Prioritization, on the other hand, involves giving favorable treatment to some traffic as it crosses a network. For instance, an ISP can prioritize the traffic from an affiliate’s video streaming service by letting those packets jump the queue at the ISP’s routers, or by creating a separate queue just for the affiliate’s traffic.

Beyond the structural differences between paid prioritization and CDNs, they also have different effects on both network function and competition. Not only do CDNs offer more efficient delivery for their customers, they also reduce traffic loads between distant parts of the internet, improving speeds for everyone else. There is no limit to how many companies can benefit from CDNs, nor do CDNs create a disadvantage for non-customers; no traffic is made slower by CDN usage. Paid prioritization, however, cannot benefit everyone; by definition, it is impossible to prioritize everyone. By the same token, paid prioritization necessarily disadvantages all those who do not, or cannot pay for preferential treatment.

Supporters also try to blur the line between paid prioritization and reasonable network traffic management. Traffic management consists of several techniques by which network operators like ISPs can improve the overall functionality of their network. For instance, operators may be able to provide a better quality of experience for subscribers using real-time video applications by prioritizing that traffic over less time-sensitive traffic like email or software updates. Done properly, no one’s quality of experience is degraded and all similar kinds of traffic enjoy the same treatment. The network works better and no one loses.

The protections against blocking, throttling, and unreasonable discrimination in the OIO each had exceptions for reasonable network management. The rule against paid prioritization, however, did not. According to the Order, paid prioritization, by definition, is not a network management practice because it “does not primarily have a technical network management purpose.” Although (unpaid) prioritization can be a network traffic management technique, it takes on a completely different character when compensation is part of the deal, creating perverse incentives for ISPs and distorting competition online. This is why it’s so important to distinguish paid prioritization from everything else and not fall for the trickery of using paid prioritization and other, harmless terms interchangeably.

The claims that paid prioritization could somehow give small businesses an advantage are almost laughable. Paid prioritization is all about buying an advantage; how can small businesses hope to out-spend their deep-pocketed competitors? Equally ludicrous are the claims that ISPs would somehow drop broadband subscription prices if they could charge for prioritized treatment. As we’ve already said, paid prioritization monetizes network congestion, giving ISPs a way to charge more for getting around traffic jams that they create. In this light, Congresswoman Blackburn’s comparison of paid prioritization to the TSA PreCheck program is somewhat accurate, but it’s also illustrative of the perverse incentives it creates for ISPs.

The conversation about paid prioritization is far from over, and you can be sure that efforts to confuse the issue will continue. Just remember this: the problems with paid prioritization all stem from the “paid” aspect. Whatever other aspects of prioritization ISPs may talk about, getting paid is what they want. But net neutrality cannot coexist with paid prioritization of web traffic; real net neutrality protections must prohibit paid prioritization. The 2015 Open Internet Order did this, while also allowing flexibility to perform reasonable network management and to support limited-purpose “specialized” services like telemedicine. That sounds like a compromise to me.

* There are also two court cases pending: one to strike down the 2015 rules is stalled in front of the Supreme Court, and one to strike down the 2018 repeal of the rules is gearing up for briefing. The outcome of either of these could alter the existing rule set. To add to the complexity, litigation against the various state initiatives to put net neutrality protections in place will emerge as soon as the repeal takes effect.

Categories: Privacy

Initial Observations on the European Commission’s E-Evidence Proposals

Wed, 2018-04-18 15:04

On April 17, the European Commission (EC) published its long-awaited draft legislation on E-Evidence (“E-Evidence”) to facilitate cross-border demands for internet users’ communications content and metadata. Commissioners Jourova (Justice), Avramopoulos (Home Affairs), and King (Security) proposed two separate pieces of legislation: (i) a Regulation (“Regulation”) that enables law enforcement authorities in European Union (EU) Member States to issue production orders on communications and cloud providers based in other Member States or based outside of the European Union, regardless of where the data is located; and (ii) a Directive (“Directive”) that would require Member States to enact legislation compelling providers that offer services in an EU Member State to establish a legal representative in an EU Member State for the receipt of cross-border demands.  

EU Member States and the European Parliament will now begin their review of the proposed legislation. CDT will contribute to this debate. We recognise the concerns about difficulties in obtaining electronic data relevant for criminal investigations that motivate the EC’s initiative. We also recognise that cooperation with communications providers may be enhanced, and that existing MLAT processes may not always be able to scale with the volume of requests. We have participated in a series of stakeholder meetings and a public consultation leading up to these proposals. During this process, we have argued that enhanced access to electronic data by law enforcement authorities cannot come at the expense of fundamental privacy and procedural rights protections. This is the core principle we will base our advocacy on as the legislative process moves forward.

If enacted and implemented, the Regulation and Directive will effectively give each EU Member State access for law enforcement purposes to the data of internet users worldwide. This is because each provider in the scope of the Regulation can be compelled to disclose its users’ data no matter where the user is located and no matter the country of citizenship of the user. This can create an enormous risk to privacy worldwide. Because EU Member States have different national laws that can provide different levels of protection, it is necessary to build strong human rights standards into the E-Evidence proposals.

CDT set out ten human rights standards the EC’s proposals must meet, and has now shown how they match up to these criteria. These are our initial observations. We will develop more detailed positions and suggestions once we have analysed the proposals more comprehensively.

Directive

The preamble to the 10-page proposed Directive paints a picture of inconsistent practices among Member States that the Directive is intended to address partially. Some already require providers to have local legal representatives for the service of process; others take the position that their process works extraterritorially. Member States apply different “connecting factors” to determine whether they have jurisdiction over a provider: some base jurisdiction on the location of the provider’s main office; others base jurisdiction on location of data sought; others base jurisdiction on whether services are offered in the territory of the country. Member States are also inconsistent with respect to whether the demands they issue to providers are obligatory or voluntary.  

The Directive requires certain providers to establish in an EU Member State a legal representative for the receipt of law enforcement demands, including the European Production Orders established in the Regulation described below. The Directive chooses the most minimal of connecting factors as the one that obligates a company to establish a local legal representative: the offer of services in a Member State.  Thus, a start-up in the U.S. that successfully offers its service on global basis would have to have a legal representative in an EU Member State. To partially offset the burden this will create, the EC notes that the legal representative can be a third party shared by multiple providers and could be the same representative the company chose for purposes of compliance with the GDPR. The Directive’s recital 13 indicates that mere accessibility of services in a Member State is not sufficient: there must also be a significant number of users in one or more Member States, or targeting of activities or advertising to one or more Member States. 

The Directive describes very broadly the entities that would have to designate a legal representative to include: providers of electronic communications services, providers of information society services that store data for users — including social networks, online marketplaces and other hosting service providers, and providers of internet names and number services. Entities that offer services for which storage of data is not a defining component are not required to designate a representative, but domain name registrars and registries, and privacy and proxy service providers, are required to do so. Additional clarity is needed to delineate the entities that must appoint a representative. The provider can choose to designate a representative only in a Member State in which the provider has an office or provides services, and particular Member States cannot obligate providers to designate a legal representative on their territory.  

Missing from the Directive is a requirement that disclosure orders issued to a provider’s representative come through a central authority in each Member State.  Such a requirement would promote uniformity and quality in such demands. The absence of a Single Point of Contact (SPOC) is among the features of E-Evidence that drew fire from EuroISPA, the leading trade association among Europe-based ISPs.  

Regulation

The 29-page proposed Regulation would authorise judicial authorities in one Member State to issue “European Production Orders” (“Production Orders”) that compel a provider or a provider’s representative in another Member State to disclose stored communications content and transactional records in a criminal investigation.  Production Orders for subscriber information and a new category of information called “access data” do not require judicial authorisation or approval. “Access data” is data related to the commencement and termination of a user access session to a service that is used, with IP address, by an access service provider to identify the user. The Regulation would also authorize prosecuting authorities in one Member State to issue “European Preservation Orders” (“Preservation Orders”) that compel a provider in another Member State to preserve content, transactional records, access information, and subscriber information until a Production Order or a request under a Mutual Legal Assistance Treaty or similar instrument can be obtained. Preservation Orders, including those for content, do not require judicial authorisation or approval and can be issued in investigations of petty crimes.  

The Regulation will effectively operate against providers that offer services in a Member State which have no physical presence in a Member State, other than the representative that must be designated under the proposed Directive. Like the Directive, the Regulation broadly describes the providers on whom such orders can be served to include all of the entities covered by the proposed Directive.  

Production Orders for subscriber information and access data can be issued in investigations of petty crimes and without judicial authorisation. This creates a risk that providers will be inundated with such demands. Production Orders for content and transactional records can only be issued in criminal investigations of cyber crimes, fraud and counterfeiting of non-cash means of payment, child pornography and child sexual abuse and exploitation, and terrorism, as well as in investigations of any other crime for which the maximum penalty is at least three years in custody.  Limiting Production Orders for content and transactional records to serious crimes is a sensible step, and the European Parliament and Council should consider further limitations for Production Orders for subscriber and access information.

The Regulation states that, as a general matter, when data being sought is held by an entity which is not in the scope of the Regulation, but the entity uses an infrastructure service of a provider covered by the Regulation, a data request should be addressed to the entity, not the service provider. This is a sensible principle.

The Regulation does not require that Member States reimburse providers for costs incurred in reviewing and executing orders. Article 12 says that if a Member State reimburses domestic service providers for their costs, it must reimburse providers elsewhere for their compliance costs. Instead, reimbursement of costs should be mandatory. This would serve a dual purpose of protecting small providers against excessive costs, and more importantly, it would have a privacy-protective effect by making it less likely that Production Orders are issued unless there is a clear need and justification, particularly with respect to orders for access data and subscriber data, which can be sought in investigation of petty crimes.

The provider does not see the information in a Production or Preservation Order that shows the grounds upon which the order was determined to be necessary and proportionate. Instead, they see a Certificate that the order has been issued, and the Certificate provides in a standardised format the information necessary to identify the account from which data are sought. Articles 9 and 15 indicate that a provider can challenge a Production Order that, if complied with, would violate the rights of the individual concerned. Such challenges may be brought in the jurisdiction in which the order is served. However, the Regulation and Annex 1 make it clear that the provider will generally not receive the information that would be necessary to bring such a challenge, particularly in the case of a Production Order that would violate fundamental rights.

In addition, the Regulation does not require dual criminality — that is, that the conduct alleged to be criminal is a crime in both the issuing Member State and the Member State in which the provider’s representative is present, or the Member State in which the person to whom the data pertains resides or is a national of. This presumes a high level of confidence in the adherence to fundamental rights in all Member States because all Member States can issue Production Orders.  

The Regulation imposes tight deadlines for provider response: 10 days normally, and six hours in an emergency when there is an imminent threat to life or physical integrity of a person, or to critical infrastructure. This creates a risk that providers will comply with requests that are improper just because the deadline for compliance is approaching. The 10-day limitation creates a risk that providers will prioritize less important demands (including demands in petty criminal cases) as the clock on them runs out instead of responding promptly in just a few days to more important, non-emergency demands. Annex 1, which contains the form for the European Production Order Certificate that the provider receives, is not faithful to these deadlines. It permits issuing authorities to specify other deadlines in non-emergency situations and does not contain any parameters for the duration of those deadlines.  

The confidentiality provisions of the Regulation in Article 11 may deprive persons whose data is being sought of notice of a Production Order in many circumstances.  The Regulation authorises issuing authorities to gag a provider receiving a Production Order when notice to the person to whom the data pertains would obstruct the criminal proceedings. It does not require issuing authorities to provide notice to such person, except in the case where the provider is gagged. Notice can be delayed to avoid obstructing the criminal proceedings. The question is whether the Law Enforcement Data Protection Directive’s (2016/680) Article 13 ensures that individuals are notified in such cases.

Categories: Privacy

Assessing the European Commission’s E-Evidence Proposals on Ten Human Rights Criteria

Wed, 2018-04-18 14:14

Earlier this week, CDT described and made initial observations to the E-Evidence Directive and Regulation. We also issued a list of 10 human rights criteria that the E-Evidence proposals should meet. With the draft text of both now published, we have assessed each against the criteria.. 

1. Legality: Data demands must be connected to a crime published in a statute that gives sufficient detail to give an accused person notice that her actions are unlawful.

This criterion is partially met because European Production Orders and European Preservation Orders authorised in the Regulation may only be issued for criminal proceedings relating to a criminal offence for which a legal person may be held liable or punished in the issuing State.  Whether the Member State’s criminal code provides sufficient notice to a person that user actions are unlawful depends on the text of the code, and the Regulation sets no requirements in this regard.

2. Judicial Authorisation: Data demands must be authorised by an independent entity – preferably judicial in nature – that is independent from the prosecutorial function.

This criterion is fully met for Production Orders for content and transactional data. The Regulation provides that judicial authorisation is necessary for Production Orders seeking this data.  However, prosecutors can issue Production Orders for access and subscriber data, and they can issue Preservation Orders for all types of data, without judicial authorisation.

3. High Probability: There must be a high degree of probability: (i) that a crime has been, is being, or will be committed; and (ii) that evidence of the crime would be revealed by the compelled disclosure.

If this criterion is met, it is met implicitly. The Regulation could, but does not explicitly require a high degree of probability that a crime has been committed and that the information sought will reveal evidence of the crime.  Issuing authorities are required to assess necessity and proportionality before issuing orders, and decisions of the European Court of Human Rights call for “reasonable suspicion” and even “probable cause,” as part of such assessments.  

4. Particularity: Demands should be limited to seeking only data relevant to the crime and should specify the device, account, or person to whom the data demanded relates.

This criterion seems to have been met. The Regulation provides that Production Orders must include, among other things, the persons whose data is being requested, except where the sole purpose of the order is to identify a person. Annex I prompts the issuing authority to specify device and account identifiers.  

5. Least Intrusive Means: If less intrusive mechanisms could readily be used to obtain the information necessary to prosecute the case, they should be used instead.

This criterion has not been met explicitly. The issuing authority has to demonstrate that the Production Order is necessary and proportionate, but how it meets that threshold is not clear. There may be different thresholds applicable in different Member States that justify including explicit language in the Regulation on this matter. As a general point, it should not be the case that standards are lessened across Member States.   

6. Seriousness: Demands should be limited to serious crimes only, which can be articulated by type of crime (e.g. terrorism) and maximum sentence.

This criterion has been partially met. The Regulation permits Production Orders for content and transactional records only for cyber crimes, fraud and counterfeiting of non-cash means of payment, child pornography and child sexual abuse and exploitation, and terrorism, as well as in investigations of any other crime for which the maximum penalty is at least three years in custody. These are serious crimes or crimes that cannot be investigated effectively without electronic evidence. However, these limitations do not apply to Production Orders for access and subscriber data, and they do not apply to Preservation Orders.  

7. Notice: Users must be notified that their information has been sought or obtained.  Notice can be delayed in limited circumstances to protect the integrity of an investigation.  Provider notice should be permitted, but is no substitute for required notice from the government.

The confidentiality provisions of the Regulation in Article 11 may deprive persons whose data is being sought of notice of a Production Order in many circumstances. The Regulation authorises issuing authorities to gag a provider receiving a Production Order when notice to the person to whom the data pertains would obstruct the criminal proceedings.  It does not require issuing authorities to provide notice to such person, except in the case where the provider is gagged. Notice can be delayed to avoid obstructing the criminal proceedings. National measures implementing Article 13 of the Law Enforcement Data Protection Directive (2016/680) will determine whether individuals are notified in cases where the provider is not gagged.

8. Minimisation: Only information necessary to the investigation can be retained, and excess information must be destroyed or returned.

This criterion has not been met explicitly. The Regulation does not include provisions on data minimisation. The GDPR (2016/679) and the Law Enforcement Data Protection Directive (2016/680) have provisions on minimisation. It is necessary to consider whether such provisions should be added to the Regulation.

9. Transparency: Publication of numbers of data demands made and granted, and types of offences specified.

This criterion has not been met. Article 19 obliges Member States to maintain comprehensive statistics and report them to the EC annually.  However, it does not oblige the EC to publish this information. This criterion would be met if this obligation was imposed. It would also be essential that Data Protection Authorities have full access to the data and can assess the use of the instrument, to verify whether privacy rules are respected.

10. Redress: There must be a process through which a person whose rights are interfered with because these criteria were not met can obtain redress.

The right to redress is addressed in Article 17, which provides that the person whose data was obtained, as well as suspects and accused persons, “shall have the right to effective remedies against a [Production Order] in the issuing State, without prejudice to remedies available under Directive (EU) 2016/680 and Regulation (EU) 2016/679.”  We will consider whether these remedies are sufficient and may provide further suggestions on this point.

Conclusion

Some of the human rights protections set out above have not been fully met, or are only met implicitly. We believe that improvements in the text are necessary to provide these protections. We look forward to working with the EC, the Council, and the Parliament to ensure that the human rights criteria that we have set forth are more fully and clearly met, and to make other improvements as well.

 

Categories: Privacy