What if the U.S. Congress passed a new law prohibiting Internet Service Providers (ISPs) from looking at any part of any packet they route except for the destination IP addresses? The law would accomplish three things.
First, the new law would grant users an extraordinary amount of privacy. By keeping prying eyes (and packet sniffers) away from virtually every part of every packet, it would encapsulate all Internet communications within private tunnels, not of encryption but of law.
Second, the law would mandate a form of network neutrality, the now-well-known principle that ISPs should not be allowed to treat packets differently based on application, content, or source.a For several years, legions of fierce advocates on both sides have debated whether the U.S. government should impose some form of mandatory Net neutrality, with their attention focused lately on the FCC, which is considering such a rule. Despite these years of debate, very few have examined the underexplored relationship between two important Internet values: Net neutrality and privacy.
An ISP that wants to treat packets differently based on application, content, or source must first peer deeply enough into those packets to determine their application, content, or source. If our hypothetical law prohibits an ISP from examining this type of information, then all packets will look alike and discrimination will be impossible. A privacy-respecting network is a neutral network.
Third, sadly, users would enjoy better privacy and mandatory Net neutrality for a fleetingly short time, because the law would also break the Internet. ISPs have good reasons for peeking at a little bit more than just IP addresses on an Internet full of threats. If they could not, those threats would strangle the Internet, grinding traffic to a halt under the weight of too many viruses, hackers, and worms.
Fortunately, Congress has never passed such an extreme law, but two decades ago, it enacted a much more measured network privacy law that deserves to be recognized as the world's first mandatory Net neutrality law.
The Electronic Communications Privacy Act of 1986
The Federal Electronic Communications Privacy Act (ECPA), originally enacted in 1986, prohibits the unjustified interception of information on a computer network. Violators face both significant civil liability and possible criminal punishment.b,c In rare and extreme cases, the FBI can charge people who use packet sniffers as felony wiretappers.
Historically, ISPs have not worried much about ECPA, because Congress built a number of exceptions into the law permitting traditional forms of provider monitoring. Thus, ISPs can monitor to "protect rights and property," for the "rendition of service," and with the consent of their users.
Lately, ISPs have begun to test the limits of these exceptions, engaging in new forms of unprecedented, invasive monitoring designed to generate new revenue sources by monitoring users on behalf of the advertising and copyrighted content industries.1,2,3 These plans may violate ECPA. Although the first two exceptions listed above are broad, they are not boundless, and ISPs will have trouble convincing courts that behavioral advertising or copyright policing have anything to do with "protect[ing] rights and property" or the "rendition of service." Likewise, the third exception, consent, is no panacea. Courts interpreting ECPA should be skeptical about claims of user consent based on buried privacy policies, lengthy banners and terms of service full of microscopic type.
ECPA as Mandatory Net Neutrality
If ECPA forbids providers from aggressively expanding their methods of scrutiny, then it will also prevent providers from implementing aggressive new forms of packet discrimination. To take the most prominent Net neutrality squabble as an example, the FCC disciplined Comcast for slowing down and sometimes blocking its users' BitTorrent connections for violating what the FCC calls "reasonable network management."d (Comcast has appealed.)
Scrutiny without handling does not violate Net neutrality and handling without scrutiny does not necessarily implicate privacy.
What if, rather than complaining to the FCC, some of Comcast's customers had instead sued Comcast for violating ECPA? So long as Comcast identified BitTorrent traffic by looking only at the TCP port numbers on packets, it probably did not violate ECPA. But if Comcast instead used deep packet inspection tools to capture a vast amount of dataand based on Comcast's admitted relationship with deep packet inspection vendor Sandvine, it probably did-then it much likelier violated ECPA. Thus, a court considering an ECPA lawsuit might have found Comcast liable for throttling BitTorrent, whether or not this qualified as reasonable network management, as an undue intrusion on user privacy.
This example reveals that federal privacy law has mandated a form of Net neutrality for nearly a quarter of a century. This seems surprising given that the Net neutrality debate itself is barely five years old. Just as surprising, this conclusion takes a central premise of the debate, that we need a new law before we can have mandatory Net neutrality, and flips it on its head. Those who want mandatory Net neutrality already have it; those who oppose it need to convince Congress to amend ECPA.
But is This Really Net Neutrality?
Net neutrality's champions need not celebrate too quickly, however, because ECPA overlaps only incompletely with their ideals. Net neutrality focuses almost exclusively on the handling of packets. The worst thing a provider can do is block traffic, and slowing traffic is nearly as bad. ECPA-imposed network privacylet us call it Net non-scrutinyfocuses instead almost entirely on a provider's scrutiny of communications. The worst thing a provider can do is capture the contents of communications. Scrutiny without handling does not violate Net neutrality and handling without scrutiny does not necessarily implicate privacy.
Privacy brings in an entirely different frame of reference, one composed of values that have nothing to do with innovation and economic prosperity.
Toward Resolving the Net Neutrality Debate
Privacy and Net neutrality are not mutually exclusive, of course. ECPA's mandatory Net non-scrutiny does not preclude lawmakers from mandating Net neutrality as well. To make Net non-scrutiny look a bit more like Net neutrality, Congress could amend ECPA to clarify and restrict exceptions to the law, for example by getting rid of the consent exception for ISP monitoring. In fact, doing this might serve as a substitute for mandating Net neutrality, because Net non-scrutiny might serve as an acceptable compromise solution, perhaps striking a balance that gives Net neutrality's advocates much of what they desire while giving providers the freedom to manage their networks.
Finally, notice how arguing for Net neutrality through Net non-scrutiny alters the terms of the debate. Proponents of neutrality argue mostly about its benefits for innovation and economic growth. Sometimes, they clothe these arguments in the language of "freedom," but by this they usually mean a narrow, market-drenched conception of freedom. Opponents of neutrality argue also only on economic terms. The debate has taken place too often on insularly economic terms with values lined up on both sides internal to this economic frame. The arguments for and against mandatory neutrality raise especially difficult economic questions, because they require predicting the effect of complex inputs on a complex industry dominated by new technology, and as a result the Net neutrality debate has devolved into a bare-knuckles economics brawl. Neither side has landed a knockout punch, however, and both sides admit that their predictions might be wrong.
Recasting the debate as one about ensuring the proper amount of privacy makes an intractable debate much more tractable. Privacy brings in an entirely different frame of reference, one composed of values that have nothing to do with innovation and economic prosperity. Stacked up against privacy, there is more space between competing visions of ISP behavior: doing X might make it difficult to deploy next-generation video applications, but it will protect user privacy in return.
These are not easy conflicts to resolve, to be sure, but we will find these competing values easier to weigh and contrast, because it is not economics all the way down. We will find it easier to compare the significance of one value versus another, and we will be able to better predict how choosing one over the other will play politically. In this case, there is virtue in comparing apples and oranges.
1. Hansell, S. Charter will monitor customers' Web surfing to target ads. New York Times Bits Blog (May 14, 2008); http://bits.blogs.nytimes.com/2008/05/14/charter-will-monitor-customers-web-surfing-to-target-ads/
2. Stone, B. AT&T and other I.S.P.'s may be getting ready to filter. New York Times Bits Blog (Jan. 8, 2008); http://bits.blogs.nytimes.com/2008/01/08/att-and-other-isps-may-be-getting-ready-to-filter/
d. Memorandum Opinion and Order, In the Matter of Formal Complaint of Free Press and Public Knowledge Against Comcast Corporation for Secretly Degrading Peer-to-Peer Applications (Aug. 20, 2008); http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-08-183A1.pdf
The Digital Library is published by the Association for Computing Machinery. Copyright © 2010 ACM, Inc.