Author Archive for Jeff Dwoskin

Government pretexting

Not sure if anyone is reading posts anymore, but this was posted on slashdot. We already knew that government agencies have been buying our data from data brokers, but according to this article, some law enforcement agencies are buying things like phone records that are most likely obtained illegally through pretexting or other means.

Bonus post - Net Neutrality

I think I’m behind by a post or two, and I never got to write about net neutrality after the class discussion, so here’s a double-length post with some of my ideas…

In class we discussed how our intuition contradicts itself for net neutrality. We generally feel that ISPs should be allowed to build their own networks and use them as they see fit. (e.g. build 2 pipes — one for internet and one for proprietary video content. This is the same as 1 pipe, twice as large where they restrict half the bandwidth for video.) At the same time we feel they shouldn’t be allowed to discriminate against certain traffic that might compete with their own services, or charge companies like Google to have their content carried faster. We found that these viewpoints will often contradict each other. Why can’t an ISP add new capacity to their network and then sell that bandwidth exclusively to “preferred” providers? Also, many design tradeoffs must be made, perhaps between bandwidth and latency, and some applications like VOIP or streaming video might be adversely affected by prioritizing one over the other. As an otherwise legitimate design decision, the ISP could design their network for exclusivity in a particular market.

Having given some thought to this contradiction over the past few weeks, I think the problem lies in the abstractions regarding “the Internet” and how we purchase access to it. While we might picture the Internet as a giant cloud and purchase a connection into that cloud with a particular capacity, the real Internet is not so uniform. We buy a connection to our ISP, who has connection points to some larger ISP, who runs part of the backbone and connects to the backbones of other ISPs. So some points on the Internet are “closer” than others, and we can observe the difference. The most obvious is comparing the speed at which we can connect to U.S.-based sites as compared to those overseas.

For the longest time, however, most end-users have been mostly blind to the non-uniformity of the Internet. Before widespread broadband and fast university connections, we were all on slow modems. Our connection to the local ISP was the bottleneck to get to anyone. Once we got past that and onto the “net”, it didn’t matter very much who we were talking to, where they were, or how we were connected to them. Furthermore, the ISP could have many dialup customers connected, aggregated over their own connection to the Internet backbone, since each user was limited in speed. With broadband, that picture is beginning to change, and the abstraction of the cloud Internet will erode even further as individuals have fiber-optic connections in the “last mile”. It is becoming simple for each user connected to an ISP to have more capacity to the ISP than the ISP can provide him to the rest of the Internet or farther away points. As a result, the closer someone is to me on the network, the faster I can communicate with them. If Google happens to use the same ISP that I do, I will get a faster connection than others, without any intentional network discrimination taking place.

This distinction isn’t all bad. For efficiency of the network and to reduce cost, it might make sense to place high-bandwidth applications closer to the end users. As an ISP with a customer who wants video content that uses 2 megabits per second (2 Mbps), I need an extra 2 Mbps of bandwidth to the Internet backbone if the provider is remote, or I can provide that connection directly on my network to a closer provider. The latter would save quite a bit of money since I already have a fast connection within my own network.

Now that we can hopefully visualize the problem a little better, I suggest that we change our abstraction about purchasing “Internet” connections. We need to look at more details. Instead of buying a single Internet connection through an ISP for x Mbps, we should split it up into two components: our connection to the ISP (x Mbps), and our portion of the ISP’s connection to the “Internet” (y Mbps), where x > y. We can still abstract the connections that make up the rest of the Internet, the design tradeoffs and even the aggregation of bandwidth, but now we would recognize that my connection to the ISP, and to anyone else directly connected to them, is faster than to the rest of the network. For neutrality, we simply ask (or require) that the Internet portion of my connection (y Mbps) be blind to the content and destination. We can then give the ISP discretion about what x and y should be and what services they want to offer me directly, and let the market set prices.

So now my ISP can sell me a 20/15 Mbps connection for $20 per month, with 20 Mbps direct to the ISP and 15 Mbps to the rest of the Internet. I can use my 15 Mbps to search, buy video, use VOIP, etc. from anyone I like, knowing how my capacity is limited. The 40/30 Mbps plan might cost $40 per month, but the ISP could offer me an upgrade to a 40/15 Mbps connection for only an extra $5 per month. Now if I buy their cable TV service, which takes 10 Mbps, I still have my full 15 Mbps of Internet bandwidth, whereas if I choose another cable TV service, I may limit myself to 5 Mbps. The market will help determine what each component of the connection is worth.

Also, this would help make internet connections less of a commodity product. I might choose the cheapest ISP, or I can pick the one that has a direct connection to Vonage and Google, knowing that I’ll need less bandwidth for other things. Maybe the ISP will even pay Google for the privilege, instead of the other way around. The ISP that wants to limit my Internet connection so I’m forced to buy their cable TV service will either reduce my internet bandwidth, or raise the price, and in doing so might price themselves out of the market.

I’m not sure if anyone else is still writing, but it would be great if someone wants to follow up and look at this from the other side. In this model of buying network connections, will the ISP, by setting prices and bandwidth and choosing when and how to upgrade their network, be able to discriminate against their competition in spite of a content-blind Internet component?

Television advertising beyond Tivo

I’d like to follow up on Andrew’s post about TV advertising and the decline of the 30-second spot. The television networks seem to be afraid to change their business model and embrace new technology. They seem to fear that giving us a fast-forward button will dry up their ad revenue, and that the American public’s demand for television will suddenly disappear if it isn’t “free”. Andrew tells the networks to be creative, and I believe it is just a small step forward, rather than leaps and bounds, to make alternate models work.

To start with, look at what is already being done on television today. Andrew tells us that only 12% of people have DVRs and of those 70% of shows are watched live. So maybe the traditional advertising model has some life left. The other extreme is abandoning ads entirely and asking us to pay for the content we want, letting the market decide what’s worth watching. HBO is now producing nearly two dozen hit original series, and consumers pay for subscriptions to their content. Move that online and I can avoid the overhead of my cable company. If I don’t want HBO’s all-or-nothing model, iTunes will sell me individual episodes of TV shows on the really small screen, and various sports are being streamed online. So it seems the only challenge here is making shows that are actually worth watching. Maybe this will spell the end for reality tv, but somehow I doubt it. Then we’ve got product placement. If they can convince Tony Soprano to drink Diet Pepsi, maybe the world will follow. Product placement is not just for American Idol judges, and you can’t fast-forward through it. Sometimes it’s blatant and other times unobtrusive, and in my opinion, I don’t care if my favorite characters are eating Toastie-O’s or Cheerios, especially if it makes the show free.

There’s even another model to follow – make the commercials entertaining enough that I choose to watch them! Did I actually suggest that? Well I figure it works at least once a year during the Super Bowl, where I pay more attention when the commercials come on than I do during the game. It gets annoying when I see that same commercial 20 more times in the month or two after the game, but I don’t mind making the marketers do a little more work to hold my attention.

I think we can all agree that one way or another, the traditional broadcast model of television will change to on-demand Internet video, and I have no doubt they will learn to leverage that; websites are already learning how. Of course I’m talking about targeted advertising. While we are concerned about privacy violations, with a little bit of careful design and safeguards, maybe we can find a way to let advertisers build enough of a profile about me to show me only the ads I want to see. I welcome the day when I can stop seeing drug ads for diseases I don’t have and ads for trucks I won’t buy, but instead show me some new gadget I can’t live without, or the latest new show a la West Wing. I’d suggest they start with a tiered price structure. If I don’t want to give up any personal details, I’ll pay full price for the content, and the more I feel comfortable sharing, the cheaper it gets. Then the networks can even compete with the best privacy policies. I’ll get free HBO by telling them more about me and in exchange they won’t sell my profile, while I’ll pay NBC a few dollars for the content because I don’t like their agreement.

Similarly, they can compete on being the least obtrusive with the ads. The content provider who insists on using DRM and forcing me to watch boring ads will lose my business. Maybe the better provider will show me a small ad that piques my interest. I’ll click on it and get more information at the end of the show, or let them send me a one-time e-mail with the details, and maybe even a coupon.

As soon as they abandon the adversarial model of advertising, the better off we’ll be. The truth is, advertising is how we discover new products we want. Hollywood has simply bombarded us with advertising to the point where we fight back. So I’m with you Andrew, let the advertisers be creative and it will be a welcome change.

Latest draft for Auditing section

2. Auditing

The creation of audit trails is an essential element of any comprehensive plan to protect CPNI. Auditing offers a low-cost method of deterring and detecting the most likely breach scenarios: pretexting and insider theft, as well as some cyber-attacks.

Proposal

We recommend that the Commission take a number of steps regarding auditing of access to CPNI. First, telecommunications companies should be required to record all electronic access to CPNI, distinguishing between internal uses and disclosures outside of the company (to consumers, outside marketing, third party partners, etc.). This record would indicate the purpose of each access (e.g. billing, internal marketing, customer service request, outsourced services, third party partners).

Second, consumers should have the right to request a complete copy of their records, and should receive automatic notification of all disclosures of their CPNI. Customers would be able to report suspicious disclosures to the company, which may trigger an internal investigation. Furthermore, companies should be encouraged to use automated anomaly detection as another means of detecting fraud and notifying consumers. It would be helpful for investigations if companies were also encouraged to keep recordings of all human communications (e.g. phone calls to customer service) for a reasonable length of time during which complaints may arrive. These investigations may reveal suspected breaches and help detect attack patterns. This information can be used to eliminate vulnerabilities and develop better procedures for handling private information.

Third, telecommunications companies should be required to maintain the integrity of the audit logs and preserve them for 5 years or as long as the CPNI data is kept, whichever is longer. This would give adequate time for breaches to be detected and investigated.

Implementation and Costs

We expect CPNI to be stored electronically so that an audit record can be generated automatically by a computer any time the information is accessed. We recommend tying this process to employee computer accounts so that there is no ambiguity as to who is accessing the file. The purpose of an access (e.g. internal marketing, customer service request, outsourced services, third party partners) and its type (e.g. use or disclosure) may be assigned automatically based on the system or the employee’s role (e.g. billing dept) or may be entered manually (e.g. by customer service reps). This should be logged in addition to basic information such as the time of the access and the employee account making it. Recording the purpose adds an extra check in the process and provides accountability. Lastly, the system for logging accesses and storing those records needs to be kept secure, and only a limited number of high-level IT administrators should be able to make extra-system modifications to those logs.
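The record format and integrity protection described above, as an added example that is not part of the original draft or of any carrier's system: every access is written with its actor, purpose and type (use vs. disclosure), and records are chained with an HMAC so that an employee who can read or write the log store but does not hold the log service's key cannot alter or remove an entry unnoticed. The key, the account names, the customer IDs and the sample accesses are all constructed for illustration; the purpose and type vocabularies are the ones in the text.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional

# Hypothetical key known only to the log service (an assumption of this example).
# Applications and employees whose accesses are recorded never see it, so they
# cannot recompute a valid digest after altering or removing a record.
LOG_KEY = b"example-log-service-key-not-for-production"
GENESIS = "0" * 64

# Purpose and type vocabularies from the proposal text.
PURPOSES = {"billing", "internal_marketing", "customer_service",
            "outsourced_services", "third_party_partner"}
ACCESS_TYPES = {"use", "disclosure"}


@dataclass(frozen=True)
class AccessRecord:
    seq: int                  # position in the chain
    timestamp: str            # assumed to come from the log service's own clock
    actor: str                # employee or system account that made the access
    customer_id: str          # whose CPNI was touched
    purpose: str              # why: billing, customer_service, ...
    access_type: str          # "use" inside the company or "disclosure" outside it
    recipient: Optional[str]  # for disclosures, who received the data
    prev_digest: str          # digest of the previous record (the chain link)
    digest: str = ""          # HMAC-SHA256 over every field above


def _digest(key: bytes, body: dict) -> str:
    # Canonical JSON so the same record always produces the same digest.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class AccessLog:
    def __init__(self, key: bytes = LOG_KEY):
        self._key = key
        self.records: List[AccessRecord] = []

    def append(self, timestamp, actor, customer_id, purpose, access_type,
               recipient=None) -> AccessRecord:
        # Refuse records that lack the fields the proposal calls for.
        if purpose not in PURPOSES:
            raise ValueError("unknown purpose: " + purpose)
        if access_type not in ACCESS_TYPES:
            raise ValueError("unknown access type: " + access_type)
        if access_type == "disclosure" and not recipient:
            raise ValueError("a disclosure must name its recipient")
        body = {"seq": len(self.records), "timestamp": timestamp, "actor": actor,
                "customer_id": customer_id, "purpose": purpose,
                "access_type": access_type, "recipient": recipient,
                "prev_digest": self.records[-1].digest if self.records else GENESIS}
        rec = AccessRecord(**body, digest=_digest(self._key, body))
        self.records.append(rec)
        return rec

    def head(self) -> str:
        # Anchor this outside the log store; the chain alone cannot show that
        # records were cut off the end.
        return self.records[-1].digest if self.records else GENESIS

    def verify(self, records=None) -> Optional[int]:
        """Index of the first record that breaks the chain, or None if intact."""
        records = self.records if records is None else records
        prev = GENESIS
        for i, rec in enumerate(records):
            body = asdict(rec)
            body.pop("digest")
            if rec.seq != i or rec.prev_digest != prev:
                return i  # a record was removed or reordered
            if not hmac.compare_digest(_digest(self._key, body), rec.digest):
                return i  # a record's contents were altered
            prev = rec.digest
        return None

    def verify_anchored(self, records, anchor: str) -> bool:
        """Chain intact and ending at the externally anchored head digest."""
        if self.verify(records) is not None:
            return False
        last = records[-1].digest if records else GENESIS
        return hmac.compare_digest(last, anchor)


def with_modified_purpose(records, index, purpose):
    # Simulates an insider editing a stored record without the log key.
    copy = list(records)
    copy[index] = replace(copy[index], purpose=purpose)
    return copy


def build_demo_log() -> AccessLog:
    # Constructed sample accesses, not real data.
    log = AccessLog()
    log.append("2007-03-01T09:00Z", "billing-batch", "C-1001", "billing", "use")
    log.append("2007-03-01T09:15Z", "csr.jsmith", "C-1001", "customer_service",
               "disclosure", recipient="customer")
    log.append("2007-03-01T10:02Z", "mkt.analytics", "C-1002", "internal_marketing", "use")
    log.append("2007-03-01T10:30Z", "csr.jsmith", "C-1003", "third_party_partner",
               "disclosure", recipient="AcmePartnerCo")
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("intact:", demo.verify(), "| record 2 deleted at:",
          demo.verify(demo.records[:2] + demo.records[3:]), "| tail cut vs anchor:",
          demo.verify_anchored(demo.records[:3], demo.head()))
```

Two points the example makes that the paragraph only implies. Refusing a disclosure with no recipient is what makes the purpose and type fields an actual check rather than optional metadata. And the chain detects edits and deletions in the middle of the log, but not removal of the most recent records; that needs the head digest kept somewhere the people who write records cannot reach, which is also where the "limited number of high level IT administrators" would have to re-anchor after any extra-system change.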

We suggest that these proposals be applied to large telecommunications companies, as defined by the Commission. This balances the requirement of universal security with sensitivity to the limited resources of small firms. For large companies, making records of access to sensitive data should be minimally costly, since these companies already make audits for certain types of access, and CPNI itself is a type of audit log. Small companies may find it more difficult to create auditing systems (which may not be a feature of off-the-shelf software), but will compensate by having a tighter rein over their employees. Moreover, once large companies adopt stringent security standards, CPNI theft will become financially unviable, so it is not necessary for every company to zealously guard its data so long as most of the market does.

Integration with other security measures

Audits, while moderately useful in their own right as a deterrent and a tool for law enforcement, are most effective when paired with other security measures. The most obvious connection is to customer notice. Allowing customers to access records of all accesses to their CPNI, and notifying them when any information is disclosed outside of the company, will improve the chance of catching thieves. It will also increase awareness among consumers of how their data is used, potentially prompting them to take additional security measures.

Beyond consumer notification, automated anomaly detection may be used to flag suspicious access and discover patterns of theft. This will deter insiders from accessing abnormally high numbers of accounts and will force outside thieves to vary their method of access, which should be quite costly. A record of what techniques pretexters use could also be used to train customer service agents and improve anomaly detection.

The final realm for integration would be with preemptive filtering. If audits reveal that thieves tend to use payphones or cell phones, companies could insist that access be done from a land line that can be more easily traced. If certain cities harbor CPNI thieves, more stringent security measures could be implemented in that city. If certain thefts occur at certain times, companies could staff their call centers with more experienced employees during peak theft hours. While some of these preemptive measures could be effective, their expense and the risk of consumer inconvenience make them inappropriate for the Commission to mandate; they should instead be left for companies to adopt voluntarily.

Auditing section - draft 2 (incomplete)

The creation of audit trails is an essential element of any comprehensive plan to protect CPNI. Auditing offers a low-cost method of deterring and detecting the most likely breach scenarios: pretexting and insider theft, as well as some cyber-attacks.

Proposal

We propose that all “large” telecommunications companies — those with more than $10 million in revenues — be required to:

1. Record all human communication that results in access to CPNI, such as a customer seeking his calling records
2. Record all electronic access of CPNI, such as internal accesses, outside marketers or third party partners
3. Record the purpose of each access, distinguishing between internal uses of CPNI and disclosures to consumers, partners or third parties
4. Make these records available to customers upon request
5. Inform customers when anomalous access is detected
6. Use these audits to monitor and improve employee and third party handling of private information
7. Retroactively analyze and investigate suspected breaches to detect attack patterns and eliminate vulnerabilities
8. Maintain the integrity of CPNI audit logs, and preserve audit logs for 5 years or as long as the CPNI data is kept, whichever is longer.

Cost

The proposal balances the requirement of universal security with sensitivity to the limited resources of small firms. For large telecommunications firms, making records of access to sensitive data should be minimally costly, since these companies already make audits for certain types of access. The cost of analyzing and improving security systems should vanish in time and, in any event, will pale in comparison to the value it provides. Small companies may find it more difficult to create auditing systems, but will compensate by having a tighter rein over their employees. Moreover, once large companies adopt stringent security standards, CPNI theft will become financially unviable, so it is not necessary for every company to zealously guard its data so long as most of the market does.

Integration with other security measures

Audits, while moderately useful in their own right as a deterrent and a tool for law enforcement, are most effective when paired with other security measures. The most obvious connection is to customer notice. Allowing customers to access records of all accesses to their CPNI and notifying them when any human access is made, via email, telephone or mail, will improve the chance of catching thieves. It will also increase awareness among consumers of how their data is used, potentially prompting them to take additional security measures.

Beyond consumer notification, automated anomaly detection should be used to flag suspicious access and discover patterns of theft. This will deter insiders from accessing abnormally high numbers of accounts and will force outside thieves to vary their method of access, which should be quite costly. A record of what techniques pretexters use could also be used to train customer service agents and improve anomaly detection.

The final realm for integration would be with preemptive filtering. If audits reveal that thieves tend to use payphones or cell phones, companies could insist that access be done from a land line that can be more easily traced. If certain cities harbor CPNI thieves, more stringent security measures could be implemented in that city. If certain thefts occur at certain times, companies could staff their call centers with more experienced employees during peak theft hours. While some of these measures could be effective, their expense and the risk of consumer inconvenience make them inappropriate for the FCC to mandate; they should instead be left for companies to adopt voluntarily.

Notes:
The proposal section is complete. We have to do a little more editing on the last two sections.

To add to text:
- integrity - protect from modification by people making accesses.
- purpose - internal marketing, customer service request, outsourced services, third party partners, etc

Note: statute of limitations on mail and wire fraud is 5 years. (10 years for financial). 2 years is a reasonable compromise for other communications.
We don’t know what’s appropriate for preserving/retaining human communications. might be at discretion of the company as they find useful for investigations.

Auditing for CPNI

For today’s post I am writing a first draft of my group’s response to the FCC notice in regards to auditing.

In general, we feel that auditing is a very important requirement for protecting CPNI. It is most effective by enabling investigations and by creating a deterrent to inappropriate disclosure through an increased likelihood of being detected. In combination with filtering and notification, it also enables consumers and corporate privacy officers to detect violations and trigger investigations. Auditing targets pretexting and insider threats, where accesses are made by authenticated employees through the regular infrastructure. The deterrent effect will stop many individuals from attempting the theft, and through detection and investigations aided by audit logs, security procedures can be improved incrementally. Depending on the mechanism of attack, auditing is less likely to detect hacking or loss of backup data; however, we feel that these threats are less severe and can be addressed by other means.

We feel that keeping and maintaining audit logs should be low cost, at least for large corporations. Telecommunications companies are already required to keep audit logs for marketing, and adding additional items can be expected to be only a small addition in storage and infrastructure. Furthermore, the creation of CPNI itself is a type of audit log (of network usage) that the infrastructure is designed to manage. Auditing the accesses to this data should not be especially burdensome. This situation may be different for small businesses; they may use off-the-shelf software that cannot be easily adapted to new types of auditing. However, this is balanced by the fact that auditing is more necessary and effective in large companies with many employees. Small businesses have a tighter rein over employees, allowing them to detect insider threats and avoid pretexting attacks through better training and oversight.

It is important that all accesses to CPNI be logged, and that the integrity of these logs is maintained (insiders should be unable to make an access and then remove the log of that access). It is foreseeable that this could generate a large quantity of logs which would make them difficult to scan manually. Therefore it is critical that additional information be stored with each access. In addition to who makes the access and when it was made, the purpose and type of access should be recorded. The purpose might indicate that the information was accessed for customer service, automatic billing, marketing, etc. The type of access would specify whether information was collected, used internally, or disclosed to a third party (consumer, corporate partner, marketing firm, independent contractor, etc). Some information may already be taken down by customer service reps in their notes. Often the purpose can be implied by the user making the access. Any access made by the marketing staff can be tagged as marketing use.

The next step is to have filtering and anomaly detection for post-processing of the audit logs. Rules can be defined for what is considered “normal” accesses to data, and anything out of the ordinary could be automatically flagged and reviewed by a privacy officer. Furthermore, all disclosures would be likely candidates to print on customer bills for notification. The consumer will notice disclosures he did not request, or disclosures in violation of his opt-in/opt-out preferences. It will also increase awareness of consumers for how their data is used, and might prompt them to change their preferences or request additional security on their account, such as a consumer-set password. The complete audit logs would remain available to investigators once an investigation is triggered by a customer complaint or internal trigger. A number of accounts might even be chosen randomly for investigation as a precaution. Furthermore, like credit reports, the consumer should be given the right to review the complete audit logs of his account, including internal uses, if he so desires. Telecommunication companies will be held accountable and might even compete on their privacy protections. They will be expected to justify CPNI disclosures made outside of the company and must hold partners and contractors accountable for their privacy protections as well.
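The post-processing step described in the two paragraphs above (rules for “normal” access, automatic flagging for a privacy officer, and disclosures printed on the customer’s bill), and the anomaly detection paragraphs in the two later drafts, as one added example that is not part of the original draft or of any carrier’s system. The audit records, the roles, the opt-out preferences and the thresholds are all constructed for illustration. The volume rule compares each account against the median of its own role rather than a single global limit, so a marketing batch job that legitimately touches a hundred accounts is not flagged while a customer service rep who pulls forty in a day is.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List

# Constructed opt-out preferences, keyed by customer and then by purpose (not real data).
SAMPLE_PREFERENCES = {"C-1002": {"third_party_marketing": False}}


def build_sample_records() -> List[dict]:
    """Constructed audit records for one day, in the shape the draft describes."""
    recs = []

    def add(actor, role, cust, purpose, kind, recipient=None):
        recs.append({"timestamp": "2007-03-01", "actor": actor, "role": role,
                     "customer_id": cust, "purpose": purpose,
                     "access_type": kind, "recipient": recipient})

    # Ordinary customer service reps touch a handful of accounts.
    for c in ("C-1001", "C-1002", "C-1003"):
        add("csr.jsmith", "customer_service", c, "customer_service", "disclosure", "customer")
    for c in ("C-2001", "C-2002"):
        add("csr.alee", "customer_service", c, "customer_service", "use")
    # One rep pulls 40 accounts in a day: the insider pattern the draft wants flagged.
    for i in range(40):
        add("csr.bkim", "customer_service", "C-3%03d" % i, "customer_service", "use")
    # Marketing runs bulk jobs, so high volume is normal for that role.
    for i in range(100):
        add("mkt.batch1", "marketing", "C-4%03d" % i, "internal_marketing", "use")
    for i in range(95):
        add("mkt.batch2", "marketing", "C-4%03d" % i, "internal_marketing", "use")
    # A disclosure to a list broker for a customer who opted out of third-party marketing.
    add("mkt.partnerfeed", "marketing", "C-1002", "third_party_marketing",
        "disclosure", "ListBrokerCo")
    return recs


def high_volume_actors(records: List[dict], factor: float = 3.0,
                       floor: int = 10) -> Dict[str, int]:
    """Actors who touched far more distinct accounts than the median of their role."""
    accounts = defaultdict(set)
    role_of = {}
    for r in records:
        accounts[r["actor"]].add(r["customer_id"])
        role_of[r["actor"]] = r["role"]
    counts_by_role = defaultdict(list)
    for actor, custs in accounts.items():
        counts_by_role[role_of[actor]].append(len(custs))
    flagged = {}
    for actor, custs in accounts.items():
        baseline = median(counts_by_role[role_of[actor]])
        # `floor` keeps a rep with three accounts from being flagged just because
        # a peer only looked at one.
        if len(custs) > max(floor, factor * baseline):
            flagged[actor] = len(custs)
    return flagged


def preference_violations(records: List[dict],
                          preferences: Dict[str, Dict[str, bool]]) -> List[dict]:
    """Disclosures whose purpose the customer has opted out of (default: allowed)."""
    return [r for r in records
            if r["access_type"] == "disclosure"
            and not preferences.get(r["customer_id"], {}).get(r["purpose"], True)]


def disclosures_for_customer(records: List[dict], customer_id: str) -> List[str]:
    """Lines for the customer's bill: every disclosure of their CPNI outside the company."""
    return ["%s: %s disclosed to %s" % (r["timestamp"], r["purpose"], r["recipient"])
            for r in records
            if r["customer_id"] == customer_id and r["access_type"] == "disclosure"]


if __name__ == "__main__":
    recs = build_sample_records()
    print("flag for privacy officer:", high_volume_actors(recs))
    print("opt-out violations:", [(r["actor"], r["customer_id"])
                                  for r in preference_violations(recs, SAMPLE_PREFERENCES)])
    print("bill notice for C-1002:", disclosures_for_customer(recs, "C-1002"))
```

Note that the bill notice for C-1002 lists both the routine customer service disclosure and the list-broker one; the customer, not the rule set, is the one who can tell that the second was never requested, which is the point of notification as a complement to automated detection.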

A Journey Through Regulation

A few weeks ago we discussed spectrum policy and part of this discussion was regulation of content. As part of the contract with the public to acquire the spectrum, broadcasters are subject to limits on their content. Certain shows cannot be broadcast until late evenings, lengths of commercials are limited, and fines are imposed for violations (see recent NYtimes/AP articles). While we may not always agree with the particular censorship decisions of the FCC, the regulation ensures control over a government-formed monopoly on television broadcast. I don’t think there is much doubt over the FCC’s right to regulate. But what about cable tv?

Cable television bypasses the spectrum scarcity by sending the signals over wires into each home. So one would think that this avoids the need for regulation. Yet while there is no government-created monopoly with power to control as a matter of public service, there is still a natural monopoly in place. Installing cable into every home is a huge investment and localities usually grant a monopoly to a single company to provide this service. In theory there is competition… if the locality isn’t happy with the service they receive, they could grant that monopoly to another company, and more recently, the industry was opened to direct competition (although I don’t remember the details offhand) which will only increase with video transmitted over the internet. What I want to point out is how in practice, large media companies control most of the cable tv markets. These companies then decide what content makes it into our homes. If the cable company wants to keep a competitor out of their cities, they can simply decide not to carry them. Think back a few years ago when ABC and other Disney channels were blocked to all of New York City. Do we trust these companies to use their monopoly power properly? At the same time, does the FCC or any other government body have the authority to impose rules on their behavior once their monopoly is not protected by localities, even though the barriers to entry are still too high to allow real choice for consumers?

As far as ideal policy, I’m not entirely sure what I’d like to see. If we don’t let the government regulate, the cable companies have the power to stifle creative new stations and more importantly innovation. Do cable companies have enough incentive to simulcast content over the internet when it is likely to transform their market from a natural monopoly to perfect competition? But is the alternative to give the FCC power to impose decency standards to a medium that doesn’t have intrinsic scarcity?

I’m seeking the ideal solution, in part because I don’t know how the regulatory environment is configured now. Is there regulation only because cable tv is tied to broadcast tv? If so, how far does it go? Does the government simply dictate that local broadcast channels must be carried, or can they also censor that content? What about other content carried or not carried? Then, is that enough to tradeoff competition?

To complete the journey, compare the cable tv scenario to the recording industry. The RIAA and large labels control the copyright over most popular music, and then use that control to monopolize the promotion of new music. They roughly control what goes on the radio (which touches back to spectrum policy) and also have great influence on concert promotion. They have enough market share through copyright, promotion, and broadcast that the competition from independent artists and labels is insignificant. As we discussed in class, it’s not usually the best music that becomes popular. Isn’t that the exact effect that should make us take a closer look for anti-competitive behavior?