At the moment, it's Europe's turn to have Net Neutrality in the spotlight - especially with regard to spotting illegal content downloads, and administering punishment to offenders. There is also a lot of renewed discussion about deep packet inspection, application-level prioritisation or charging and so forth. A new group of vendors, particularly coming from the OSS environment, has jumped on the bandwagon recently.
My view on both these areas is that the practice is going to be much more difficult than the theory, irrespective of how 'moral' or 'elegant' some of their advocates's concepts might seem. I also think there are huge potential pitfalls which threaten to make a bad situation even worse.
Let's start with the piracy issue. There are suggestions that if ISPs are not willing to "police" traffic on their consumers' connections, the media industry might set up a managed service provider to do it for them. Either way, there is a hope for network-level content monitoring as a means to identify the more egregious offenders, and potentially disconnect (or even ban them) from the Internet.
The BBC has an article here , which also highlights that the European Parliament seems to trying to limit the more draconian suggestions of disconnection. It appears to recognise that banning certain groups of people who are heavy file-sharers could work against its efforts for digital inclusion - it seems reasonable to believe that some of the lowest-income people (eg students) are likely to be P2P enthusiasts.
But the "rights and wrongs" seem to be almost irrelevant, because I can see numerous technical and practical difficulties in any scheme:
- Anonymity: in the UK and many other European countries, it is perfectly legal to use anonymous prepay mobile data connections, which may be completely distinct from the user's normal voice SIM and number. Fixed broadband is obviously difficult to anonymise to the same degree.
- Shared use: In theory, whoever pays the bill for broadband is responsible for the content transiting the connection. In practice, this means a parent is responsible for their children's activities, which is fair enough - but is it a proportionate response to excommunicate an entire family from the net because of an unruly teenager's download habits? By the same token, if an employee of a large organisation (eg a university or government department) transgresses the rules, do you cut their main connection to the IP universe?
- VPNs and encryption: As with more general concepts for DPI and application-level monitoring, one of the easiest way to kill the whole notion of monitoring is to stick all the traffic in a secure tunnel (or tunnels). Yes, you can infer lots of things about VPNs based on their destination IP address and other characteristics, but inference is even more vague (and challengeable) than circumstantial evidence when it comes to enforcement. I'm sure most of the P2P guys are a few years ahead in terms of thinking of new and clever ways to use VPNs for their software.
- Obfuscation: For both general DPI and anti-piracy content monitoring, there is a significant risk that software developers will try to "game" the boxes in the network, in ways that could backfire on ISPs in nasty ways. Looking for big file transfers as evidence of illegal content? Tracking P2P "signatures"? Then what happens when the bad guys' software pads out the pirated content with legal stuff? That could increase total traffic. Or P2P software just blends bits of legitimate shared P2P content with illegitimate, perhaps using steganographic techniques? You'll also probably get the open source crowd trying to find ways to spoof the system using "fake" traffic signatures - I wonder what happens to a DPI box if you flip the app signature once a millisecond?
- AJAX: Are you responsible for anything an active web page downloads in the background without your knowledge? Irrespective of the precise legal situation, it's the sort of thing that could mire the whole exercise in lawyers' bills for years. There's also numerous other issues around mashups which completely break the notion of "application" from a DPI perspective. How do you know if an application is YouTube.... or YouTube running in a Facebook page?
- Tracking and auditing: The onus of proof should clearly be on the accusers - and it's far from obvious that the current systems being suggested for piracy control or application DPI are robust enough to generate impeccable audit trails "proving" what is being tracked to a level that would stand up in court. Which, given that we seem to be moving towards Internet access as a basic human right, might be necessary if people start getting disconnected.
- Coverage: One of the themes at last week's Telco 2.0 was around "sender pays data" and various other ways of prioritising content delivery for those media companies or advertisers that pay for it. You can get gold-class service for your video download and get a sponsor to pay for it! Sounds great, but it falls down in mobile if you haven't got signal. There's not much value in 99.9% QoS, if you only get it 70% of the time.
- Network diversity: How do you deal with multi-network connectivity? If I'm simultaneously doing P2P (or legal video downloads) through the cellular network, and WiFi+home broadband, via different ISPs or operators, on the same device, it's going to be rather more complicated to spot. And even more tricky to enforce against. Add in the possibility of localised network-sharing - perhaps 10 smartphones 'pooling' their data connections via local Bluetooth or WiFi - and the problem gets exponentially harder still.
- Reverse engineering of policies: Any attempt to covertly degrade specific apps or streams is likely to be uncovered by the use of monitoring software designed to decode DPI policies. I'm expecting most operators to either publish their network management rules in detail - or cope with 3rd parties publishing reverse-engineered analysis instead.
In the past, I've said that I'm ambivalent about a lot of the Net Neutrality issues in the US, as competition or consumer legislation would kill any companies being stupid (eg blocking VoIP). If the vendors sell service providers the rope to hang themselves, so be it.
Now, as the attention moves to either piracy prevention or perhaps content prioritisation, I have a certain measure of sympathy for media rights owners or operators facing congestion. But I still think that they are set to waste a huge amount of money chasing after the myth of application-level (or content-level) monitoring and enforcement. That's not to say that all attempts at bandwidth management or monitoring are doomed to failure - they're not, and there are all sorts of other legitimate use cases that should work OK.
But operators need to be very wary of both vendor oversimplification, or content-owner indignation, when it comes to dealing with video or other media on their networks.