Trustworthiness as a limitation on network neutrality.

• Author: Burstein, Aaron J.

1. INTRODUCTION II. TRACING TRUSTWORTHINESS THROUGH THE NETWORK NEUTRALITY DEBATE A. Defining Trustworthiness 1. Confidentiality 2. Communications Privacy 3. Integrity 4. Availability 5. Correctness B. Trustworthiness as a Limitation on Nondiscrimination in Common Carrier Regulations C. Trustworthiness as a Limitation in Network Neutrality Rules 1. Narrow Exception 2. Medium Exception 3. Broad Exception III. THE IMPLICATIONS OF TRUSTWORTHINESS EXCEPTIONS IN NETWORK NEUTRALITY RULES A. Isolation from Unwanted Traffic 1. Isolation as a Consumer Service 2. Isolation as Provider Policy 3. Isolation Under the Broad Exception B. Availability and Integrity: Attribution of Path C. Privacy and Confidentiality: Guarantees Against Logging D. Trustworthiness and Wireless Net Neutrality IV. KEEPING TRUSTWORTHINESS EXCEPTIONS LIMITED THROUGH DISCLOSURE A. Mechanisms to Deter Trustworthiness-as-Pretext B. Striking the Right Balance for Trustworthiness Disclosures V. CONCLUSION I. INTRODUCTION

   In the United States and other technologically advanced countries, individuals, businesses, and governments have come to depend on the Internet. Daily reports of attacks, accidental data leaks, and service disruptions suggest that the proper functioning of the Internet is not something to take for granted. Trustworthiness--a concept that encompasses not only security but also safety, survivability and other properties that guarantee expected behavior--is becoming a prominent research and public policy objective.

   Internet trustworthiness is hardly the only objective of Internet policy, and setting the terms under which new applications and content sources can reach Internet users has become a focus of much recent debate. Scholars and policymakers have cast this debate in terms of network neutrality, which holds that network providers may not block, degrade, or otherwise discriminate against applications or content sources. A permissive regulatory environment might allow such discrimination, and the lack of competition in last mile broadband connections might well make it profitable.

   What are the implications of a network neutrality rule for trustworthiness (and vice versa)? Scholars and policymakers have thus far given only superficial answers to this question or avoided it entirely, concentrating instead on whether a network neutrality rule would help or hurt innovation on the Internet. Network neutrality opponents argue that improved security is one type of innovation that might follow from not imposing a network neutrality rule, but this position ignores the technical and economic issues that make improving trustworthiness a hard problem. (1) Proponents, on the other hand, concede that network security is crucial enough to warrant making exceptions to a network neutrality rule. Allowing network providers to deviate from neutrality only to the extent necessary to protect network trustworthiness is rooted in judicial and regulatory decisions and administrative rules that helped establish the principle of nondiscrimination as the core of network neutrality. This doctrine of trustworthiness-by-exception stretches back over fifty years and developed around the telephone network. Whether this doctrine is suitable for the technical and institutional complexity of the Internet is unclear, and network neutrality proponents have not made the case that it applies.

   We argue in this Article that using trustworthiness as a limitation on network providers' nondiscrimination obligations is basically sound and that the set of trustworthiness mechanisms network operators may deploy depends heavily on the exact language of the (proposed) exception. (2) Some existing proposals would likely thwart valuable trustworthiness mechanisms, while others could allow network providers to use trustworthiness as a pretext to discriminate while doing little to improve trustworthiness. Still, there is a middle ground that accommodates both neutrality and trustworthiness.

   This Article is structured in three parts. Part I defines trustworthiness and shows that it has served as a limitation on network operators' nondiscrimination obligations throughout the development of network competition policy and scholarship. Reviewing current proposals for network neutrality rules, we show that advocates of network neutrality recognize the need to provide a trustworthiness exception to any neutrality obligation, but they differ in their prescriptions for the scope of this exception. We find three categories of exceptions: broad, medium, and narrow. Part II examines whether several plausible types of trustworthiness improvements would be permissible under these exceptions. We argue that the narrow trustworthiness exception prevents service providers from implementing trustworthiness improvements that are likely to be important in future networks; but the broad exception effectively swallows a neutrality rule. The medium exception avoids both of these problems. Still, getting the formal language of the exception right is only part of what is necessary in order to establish a balance between neutrality and trustworthiness. Part III suggests that a trustworthiness exception provides some means to make ongoing assessments of whether network operators are using the exception appropriately. We propose the trustworthiness exception be conditioned on network providers' disclosure of trustworthiness-related discrimination.

2. TRACING TRUSTWORTHINESS THROUGH THE NETWORK NEUTRALITY DEBATE

   1. Defining Trustworthiness

      A trustworthy system has been described as one that "does what people expect it to do--and not something else--despite environmental disruption, human user and operator errors, and attacks by hostile parties." (3) Trustworthiness is a "multidimensional" concept encompassing "correctness, reliability, security ... privacy, safety, and survivability." (4) Security, in turn, means resistance to attacks that "can compromise the secrecy, integrity, or availability of data and services." (5)

      Where the Internet is concerned, trustworthiness is important for a number of reasons. Computer networks have become elements of our nation's infrastructures. Other highly developed nations are following suit. Network-based attacks, which can last for days, could have major effects on a national economy. For example, in May 2007, Estonia suffered a distributed denial of service attack that brought banking and other services to a halt for several days. (6) Vulnerabilities in a network can also lead to leaks of personal information, potentially leading to a loss of privacy, personal financial losses, and revelations about candidates that might well alter the outcome of national elections.

      To view network neutrality through the lens of network trustworthiness, concrete examples of trustworthiness properties will be helpful. By focusing on properties, and hence what must be guaranteed, we avoid limiting the discussion to the known, specific attacks of today. Attacks coevolve along with defenses, but trustworthiness properties one might expect from a network are independent of threats and the attacks they might employ.

      To start, we refine a model typically used to describe relationships on the Internet. When considering trustworthiness, it is important to recognize that individual end-users are not the only consumers of data services that networks carry; the subnets comprising the Internet also exchange traffic with one another. These interconnections depend on peering and transport agreements, whose significance will become evident in Part II.

      With a network's customer base expanded to include subnets (as well as individual users and computers), we can list examples of network properties that are useful for building trustworthy networked information systems. For each property, we discuss the extent to which the current Internet architecture provides support.

      1. Confidentiality

         A sender might want a guarantee that any data she sends is not intercepted or stored and then later accessed by unauthorized third parties. Such unauthorized access can be prevented by encrypting data, and the current Internet protocols allow this because they do not distinguish between encrypted and unencrypted data. (7)

      2. Communications Privacy

         In addition to preventing third parties from gaining access to the contents of a communication, a user might wish to prevent others from learning about the very existence of a communication. Guarding against disclosure of this kind of information involves limiting the dissemination of traffic logs and restricting access to packets in transit. Currently, network operators alone decide whether to keep logs of the traffic they carry; the Internet architecture does not provide users with a means to direct a network provider not to log traffic.

      3. Integrity

         One of the Internet's core networking protocols, the Transmission Control Protocol (TCP), implements a guarantee that data accepted by a receiver have not been corrupted while in transit. Each TCP header contains a field for a checksum, which is (more or less) a unique numerical coding of the bit strings comprising the header and data in a TCP packet. (8) A receiver independently calculates the checksum of incoming data and compares it to the checksum that is carried in the packet. A difference in these two checksums indicates that the data were corrupted in transit and causes the receiver to discard the packet. The sender would then retransmit that packet. Thus, packets not discarded are identical on the sending and receiving ends of a communication.

      4. Availability

         The current Internet architecture offers only limited guarantees concerning availability. Specifically, the Internet architecture provides guarantees that users who persist for long enough in attempting to communicate will be able to do so, aided (in part) by the multiplicity of routes that packets may take from sender to recipient. TCP enforces the availability...