October 30, 2024

ICANN Cut Secret Domain Deal

According to Michael Froomkin at ICANNWatch, evidence has come to light that ICANN secretly cut a deal with IATA, an airline industry association, to create a new “.travel” domain and give control of it to a front organization controlled by IATA. If true, this is a serious breach of ICANN’s own rules and undermines ICANN’s legitimacy. As Michael says, this is a story that deserves more attention than it is likely to get.

ICANN, depending on whom you ask, is either a technical coordination agency for Internet naming, or the closest thing we have to a government for the Net. One of ICANN’s jobs is to decide whether and how to create new Top-Level Domains (TLDs). TLDs, such as “.com”, “.edu”, and “.uk”, are the roots of the Internet’s name space. Whether ICANN is a standards body or a government, it is supposed to follow certain principles of fairness and transparency, as set down in its own bylaws. Apparently it has broken those rules in this case, and has done so in order to grant an unfair advantage in the TLD award process to a particular group.

In a normal organization, revelations like this might cause the members to revolt and elect new leadership. But ICANN doesn’t seem to have membership in the normal sense of the term, and it doesn’t seem to have a legitimate democratic process for picking its leaders. What we’ll get instead, if we get anything, is grumbling, and determination to keep ICANN from expanding its power further.

Revelations like this have to undermine ICANN’s already fragile legitimacy. People will ask why ICANN is in charge; and there’s not really a good answer. We can recount the history of how ICANN got its current position; but it’s hard to justify ICANN’s power as anything other than an accident of that history. My sense is that ICANN keeps its power mostly because nobody knows what would replace ICANN if it were deposed. That’s no way to run an Internet.

UPDATE (April 6): Edward Hasbrouck, who appears to deserve credit for uncovering much of this story, offers more details and background.

BSA To Ask For Expansion of ISP Liability

The Business Software Alliance (BSA), a software industry group, will ask Congress to expand the liability of ISPs for infringing traffic that goes across their networks, according to a Washington Post story by Jonathan Krim.

The campaign to modify the law is part of a broader effort by the BSA to address a variety of copyright and patent issues. In a report to be released today, the group outlines its concerns but offers no specifics on how the 1998 law should be changed. But in an interview, [Adobe chief Bruce] Chizen and BSA Executive Director Robert Holleyman said Internet service providers should no longer enjoy blanket immunity from liability for piracy by users.

The article doesn’t make clear what limits BSA would put on ISP liability. Making ISPs liable for everything that goes over their networks would be a death blow to ISPs, because there is no way to look at a file and tell what might be hidden in it. (Don’t believe me? Then tell me what is hidden in this file.) Actually, BSA members sell virtual private network software that hides messages from ISPs.

So the BSA must want something less than total liability. Perhaps they want to expand the DMCA subpoena-bot rule so that ISPs have to turn over a customer’s name on demand. The music industry once claimed that the existing DMCA rule requires that, but the courts disagreed. Congress could amend the DMCA to override that court decision.

Or perhaps they want to hold ISPs liable unless they deploy filtering and blocking technologies to try to stop certain files from circulating and certain protocols from being used. These technologies are only stopgap measures that would soon be overcome by P2P designers, so requiring their deployment seems like bad policy.

Most likely, this is just a tactic to put political pressure on ISPs, in the hope of extracting some concessions. I predict that either (a) this will go nowhere, or (b) ISPs will agree to allow an expansion of the subpoena-bot rule.

FCC Tome on Net Wiretapping

The FCC has released its Notice of Proposed Rulemaking (NPRM) on Internet wiretapping. (Backstory here.) The NPRM outlines a set of rules that the FCC is likely to issue, requiring certain online service providers to facilitate (properly authorized) government wiretapping of their customers. The document is a dense 100 pages, and it touches on issues from protocol design to administrative law to network economics, so no one reader or analyst can hope to understand it whole. Below is my initial reaction to reading it.

I’ll start by noting that the FCC isn’t working with a clean slate but must adopt the framework established by the CALEA statute. Some FCC critics (not including me) would prefer a world in which the government could never wiretap anybody for any reason; but that’s not the FCC’s decision to make. The question before the FCC is how to apply the CALEA statute to new Net services, not what the optimal wiretapping policy would be.

One important question is whether the FCC has the authority to issue the rules it is considering. Even some of the FCC commissioners express doubt on this point. This question is outside my expertise, so I’ll defer to people like Susan Crawford (who also has doubts about the FCC’s authority).

Instead, I’ll ask whether the FCC’s proposals are good policy, if we take as given the value judgments expressed in the CALEA statute, which I read as these three: (1) Properly authorized wiretapping is an important law enforcement and national security tool. (2) If necessary, communications providers should accept modest costs to enable lawful wiretapping. (3) In designing networks, wiretappability should be a consideration, but it can be overridden by other important design factors. (Again: I’m not taking a position here for or against these three statements; I’m only asserting that they reflect the views of Congress, as expressed in CALEA.)

The FCC’s first proposal is to require broadband ISPs to be ready to provide law enforcement with the packet-level traffic of any of the ISPs’ customers. I read this rule as requiring ISPs to make their best effort to turn over the raw packets as actually sent and received by the customer, and not as requiring ISPs to interpret, classify, or decode the traffic. This seems like a reasonable rule, in light of CALEA. Capturing the necessary packet-streams won’t be overly expensive for ISPs and doesn’t seem to require redesign of ISPs’ networks; and law enforcement can analyze the packet stream as necessary by using standard tools.

The second, and harder, question answered by the FCC is whether to require VoIP (i.e., voice service over the Internet) to be wiretappable. The FCC tries to take a middle ground on this issue, requiring only “managed” VoIP services to be tappable. The definition of “managed” is a little fuzzy, but it seems to apply only to services that meet all three of these criteria: (1) they look to the consumer like a kind of telephone-like service; (2) they allow calls to people with old-fashioned phones; and (3) they involve the provider’s equipment in each call (i.e., involvement in the call itself, not just as a sort of directory service). VoIP services that are “managed” in this sense would be required to facilitate wiretapping. Other services, like voice-enabled instant messaging, are not managed and so would not have to facilitate wiretapping.

The FCC’s proposed rule looks to me like a reasonable attempt to apply the goals of CALEA to VoIP technology. Managed services are precisely those that are best situated to capture the kind of information needed for wiretapping; and network designs that are inherently unwiretappable would seem to qualify as unmanaged. Two caveats apply, though. First, the NPRM’s definition of “managed” isn’t completely clear, so the definition I gave above may not be the one the FCC meant. Second, as any close reading of the NPRM will demonstrate, the actual application of a CALEA regime to these technologies would involve lots of detailed decisions and determinations by the FCC and others, and the details could be bungled. (Indeed, given the sheer number of details, and their complexity, some nonzero amount of bungling seems inevitable.)

There’s much, much more in the NPRM, but I’ve gone on long enough, so I’ll stop for now. My overall impression is that this is a document that will get criticism from both directions. Law enforcement will think it doesn’t do enough; and some technologists will think it meddles too much in their affairs. Contrary to the cliche, criticism from both sides often doesn’t mean you’re doing a good job. But this may be one of those cases where the cliche is right. Overall, I think the FCC has done a pretty good job of applying the semi-contradictory goals of CALEA in a new arena.

Wiretapping the Net

Another interesting day at the Meltdown conference. John Morris of CDT gave an eye-opening talk about online wiretapping and the policy debate over how to apply CALEA to VoIP services.

Let me explain the jargon. CALEA is the Communications Assistance to Law Enforcement Act of 1994, which says that telecommunications providers must design their networks so as to allow (properly authorized) government wiretapping. CALEA applies to “telecommunications” but not to “information services,” so Internet software has thus far been exempt. However, the FCC, which regulates telecom, has some power to expand the application of CALEA.

VoIP is Voice over IP, a term referring to services that transmit voice over the Internet. Some VoIP services can substitute for traditional phone service; others provide similar functions in different form, such as voice-enabled instant messaging; and some provide entirely new functions.

In March, law enforcement agencies asked the FCC, which regulates telecom, to apply CALEA to “IP-enabled services” such as VoIP. Conventional wisdom says that the FCC will issue some kind of regulation in this area. But what exactly?

It seems likely that the FCC will require VoIP providers to be ready to provide information to law enforcement. The key question is whether providers will only have to provide the information that they already gather or whether providers will be required to (re-)design their technology so that it can gather the information that law enforcement wants.

A “design for wiretapping” requirement would seem to rule out certain designs, particularly those that rely on open protocols and the end-to-end principle. Such designs leave too much control in the hands of end users, so that no vendor can be assured of having access to the information that they would be required to gather. On the other side, law enforcement will argue that CALEA is toothless without design requirements, and existing telecom providers would be happy to see open, end-to-end architectures outlawed.

Coincidentally, as I was writing the previous paragraph, sitting in my hotel room with the television on in the background, a commercial came on CNN, urging viewers to ask their legislators to “update our telecom laws.” Then I ran across today’s New York Times article on the telecom regulation battles.

This is definitely an issue to watch.

Gleick on the Naming Conundrum

James Gleick has an interesting piece in tomorrow’s New York Times Magazine, on the problems associated with naming online. If you’re already immersed in the ICANN/DNS/UDRP acronym complex, you won’t learn much; but if you’re not a naming wonk, you’ll find the piece a very nice introduction to the naming wars.