FCC Finalizes Opt In ISP Rule for Data Collection.

The FCC recently finalized a set of rules to protect the privacy of subscribers to various broadband ISPs such as Comcast and Time Warner, and even mobile ISPs like Verizon, AT&T, and T-Mobile. The concern here is that ISPs collect data on their customers’ browsing habits and because all customer traffic goes through their servers, they have even more access to user data than almost any other internet company. Beyond web history, which can be used to ascertain things like medical conditions or financial situations, ISPs can also figure out a subscriber’s geolocation. The FCC wants subscribers’ consent, given by opting in, before ISPs can access, use, and sell that data.

This is very interesting and I think it sets a precedent for our privacy laws to reach a point similar to the EU’s opt-in internet privacy laws. The FCC can only create rules for these ISPs. Companies like Google and Facebook can only be regulated by the FTC, not the FCC. Before these rules were finalized, T-Mobile complained about a “level playing field” because these rules put ISPs at a greater disadvantage than other internet companies. This situation might motivate the major ISPs to put pressure on the FTC to pass a similar opt-in rule for other internet companies.

FCC Fines T-Mobile $48 Million

The FCC determined that T-Mobile failed to sufficiently inform its customers of the speed and data restrictions for its “Unlimited” wireless data plans. T-Mobile’s current “3 percent policy” dictates that during peak congestion hours, customers on unlimited data plans who have gone over 26 GBs and are within the top 3% of bandwidth usage will have their data deprioritized. The FCC claimed that…

Company advertisements and other disclosures may have led unlimited data plan customers to expect that they were buying better and faster service than what they received.

$35.5 million of the fee will be used for a customer benefit program that discounts the price of accessories sold by T-Mobile and gives customers an additional 4GB of data for a month in December. $7.5 million will be the fine sent to the US Treasury. The FCC is also requiring T-Mobile to spend at least $5 million on providing access to technology in low-income school districts.

Additionally, T-Mobile will start using the FCC’s consumer “Broadband Facts” label which looks very similar to the Nutrition Facts label one would find on food packaging. Very interesting. A link to a website that has created a Broadband Facts label for a few of the most popular ISPs in the country:

http://www.broadbandsearch.net/page/broadband-facts-labels

Here is one for Xfinity for example:

[Image: Broadband Facts label for Xfinity]

This is all very interesting news to me as a T-Mobile customer! The customer benefit program is a little lame in my opinion though. Can I get a discount on my bill instead please???

I feel like I have always known T-Mobile’s Unlimited Data plan was not truly “unlimited” and was limited to the 3% policy. Truly unlimited mobile data plans died quite a few years ago shortly after the iPhone and Android devices started gaining popularity so I’ve learned to be very suspicious of any telecom using the term “unlimited” and as a result read the fine print very thoroughly, ask customer support clarifying questions, write down names, etc. I shouldn’t have to do this though and I think many other people, unlike me, just go by what the advertisement says, and this is what the FCC has issue with.

I’m most excited about the prospect of a Broadband Facts label. I usually read through basically all of the contracts I sign for ISP and telecom data plans but it’s tedious. Having all the data condensed into one label would be a great time saver. It’s currently not required but it seems like the FCC’s transparency rules might just motivate ISP and telecom companies to do something as simple as that.

Suspected Hacker from 2012 LinkedIn Data Leak Arrested

Earlier this month, Czech police in Prague arrested a Russian man, known as Yevgeniy Nikulin, suspected of various cyber hacks in the United States including the 2012 LinkedIn data leak.

This one was very interesting because as far as I could tell, Yevgeniy committed no crimes in or against the Czech Republic yet the Czech police were still working with the FBI through Interpol.

Interpol is an international criminal police organization that facilitates communication between law enforcement in different countries and makes it easier to overcome language or cultural barriers to more effectively capture criminals. Among other things, Interpol keeps a list of internationally wanted criminals. Yevgeniy was posted on the Interpol website.

Currently, Yevgeniy is still in Prague awaiting a decision from the Prague Municipal Court on whether or not they should extradite him to the United States. What is especially interesting about this are the responses from Russian leadership/administration:

Russian foreign ministry official, Konstantin Dolgov: “[We] will be insisting that he is not extradited to the U.S.”

Russian Embassy in Prague: “[We are] taking every effort to protect the interests of the Russian citizen. We’re working with his lawyer. Russia does not recognize the practice of extraterritorial jurisdiction that the United States is imposing throughout the world.”

Not quite an admission and not quite a denial. Nonetheless, it’s very interesting (but not surprising) seeing two world powers disagree with each other like this. I look forward to the extradition decision the Prague court will make.

No More Ransom: Law Enforcement and IT Security Team Up

Ransomware is a type of malware that infects a user’s system, encrypts part or all of the system, and displays some kind of message demanding payment from the user for decryption. The No More Ransom Project is a recently launched EU-Dutch based IT Security group working on teaming up with Intel Security and various Law Enforcement agencies (13 currently) throughout the world to fight ransomware.

They provide various free guides and educational resources to teach people what ransomware is, how it works, and how to defend against it. They even have a free decryption tool for victims of ransomware attacks of the most well known viruses. During their first two months of being active they managed to decrypt data for more than 2,500 victims and keep more than $1 million of ransom out of the hands of cyber criminals.

This was interesting to me because it got me thinking about what partnerships between private industry cybersecurity groups and law enforcement agencies look like. I imagine one example could involve law enforcement confiscating computer systems from known cyber crime groups and handing them off to a private industry cybersecurity group.

Those two groups in coordination remind me of when the FBI asked for Apple’s help in unlocking the iPhone of one of the San Bernardino shooters. Apple took a stance and decided to not cooperate as much as legally possible. Ultimately, the FBI ended up, allegedly, unlocking the iPhone without Apple’s help. I’ve always perceived that, at least in the United States, tech culture is significantly defined by an anti-government attitude, especially when it comes to surveillance. No More Ransom tackles a malware issue that is different from surveillance issues so the situation is a little different but interesting nonetheless.

Would the FBI join or support a group like No More Ransom in an official capacity? How likely is this to happen when they have their own division dedicated to cyber crime specifically like ransomware?

Law Enforcement Use Of Stingray

The Electronic Frontier Foundation and the Senate have recently called upon the FCC to take action on the use of Stingray cell tower simulators. Law enforcement have used Stingray devices to pinpoint the location of a criminal they are searching for. Stingray use often jams the airwaves and has an indiscriminate effect on every citizen in the surrounding area. Federal law mandates that every consumer device that emits an electromagnetic signal be approved by the FCC. This is meant to ensure that these airwaves stay usable by other citizens without major interference. Law Enforcement use of Stingrays flies directly in the face of that.

I think things like this are pretty relevant in terms of internet communication. Law enforcement has to get a warrant to get data from cellular service providers but this takes a lot more time than just using a Stingray. When they want data from ISPs, they also have to get a warrant but it makes me wonder if there is a Stingray equivalent for ISPs. It also makes me wonder if they can intercept cell phone traffic, which supposedly is very secure, what else could they intercept? Wi-Fi traffic? Bluetooth traffic?

We’ve mentioned IoT a few times and its rising prominence over the past few years. As it becomes more relevant and popular, in what ways will Law Enforcement use Stingrays or Stingray-like devices to capture IoT traffic to conduct its investigations? IoT could potentially have vital life sustaining medical or other mission critical applications in the future. Stingray use has proven to inadvertently block 911 calls. It’s not hard to imagine what could also happen to IoT devices of the future. There are plenty of FCC laws against this type of wireless interference. Despite this, the FCC still certified the sale of Stingrays specifically to Law Enforcement. With a vague warrant system currently in place, Stingrays end up getting used for minor non-violent crimes. Does this set a precedent for future wireless communications devices? Who watches the watchman?

Opera VPN and Internet Privacy

Opera recently released an updated version of its web browsing software with the option for free Virtual Private Network (VPN) browsing through Opera’s servers. VPN differs from traditional web browsing by routing all of the user’s traffic through an external server instead of creating a direct connection. The major advantage, and Opera’s primary reason for providing free VPN, is privacy. VPN connections are designed to be secure and encrypt all traffic whether the traffic is already secured by https or not. Additionally, VPN inadvertently allows users to obscure their true IP address.

If my IP address was 128.173.54.29, any website I connect to would see that I am connecting from the Virginia Tech campus and that I am in Blacksburg, VA. If I were using Opera’s VPN service however, the websites I connect to would only see an Opera IP address located wherever in the world the Opera server hosting my VPN is located. There would be no easy way for a website to locate where I am connecting from.

There can be legitimate non-privacy reasons to use a VPN. Virginia Tech has a VPN service available that students and professors need to use when they are off campus to download from VT Network Software, access online library services, or use Virginia Tech’s various research subscriptions to access academic papers. It can also be used in ways it wasn’t intended to be used. For example, a student or professor trying to access Netflix’s US catalog from a foreign country could circumvent Netflix’s regional restrictions by simply connecting to Virginia Tech’s VPN.

There are a few concerning things about Opera’s service. The traffic from all Opera users using this VPN service will end up in Opera servers. That will generate a lot of bandwidth. How is Opera paying for all that bandwidth? As Randy Marchany said in his guest lecture to our class, “If you aren’t paying, you are the product.” What will Opera do with the log data from all that traffic? Second, if Opera is keeping log data, can they be trusted to keep it private? If the government comes knocking for whatever legitimate, or even illegitimate, reason, how hard will Opera fight to keep its user data private?

Big ICANN

http://venturebeat.com/2016/09/12/facebook-google-and-twitter-urge-congress-to-transfer-control-of-icann-to-global-community/

ICANN – Internet Corporation for Assigned Names and Numbers

Major companies like Facebook, Google and Twitter want Congress to support US government (US Department of Commerce mainly) plans to hand off the internet’s technical management to the global community. Some politicians in Congress, notably Ted Cruz, want to block the transition because of the potential for authoritarian governments to hold back the internet’s progress and infringe on American freedoms.

First, I support the transition. I don’t like the idea of the United States being the Internet gatekeeper and having relatively much stronger influence over the global Internet compared to other countries.

Second, ICANN is going to govern IP delegation and top level domains. I don’t see what major effect those things could have on the internet infrastructure.

Third, it might not even matter a whole lot. The US will likely have pretty great influence over ICANN anyways. Besides that, the US has historically proven very adept at strong-arming other countries and organizations into acting in US favorable ways. So if ICANN ever actually became a “problem” the US will find a way to deal with it.

Freedom of Speech via The Internet

This past week, we read some examples of jurisdiction cases and discussed when and how a court decides if it can hear an internet related case when the jurisdiction is not so clear. One of the cases was Dow Jones & Co. v. Gutnick. This was a case where the Wall Street Journal posted an article that an Australian man, named Joseph Gutnick, claimed was defamatory. Our professor briefly mentioned the United States values and defends freedom of speech a lot more than the rest of the world and I thought I would investigate that.

I found an All Things Considered interview where the host, Robert Siegel, discussed this with an international law professor named Noah Feldman. They briefly discussed an anti-Muslim video, Innocence of Muslims, that caused violent protests in many Muslim countries and communities throughout the world.

Noah talked to a few Tunisians who were astonished that something like that would be protected in the United States. He added that the United States can largely disagree with and condemn controversial and offensive content like this, but it often creates a cultural disconnect, especially to targeted cultures, where the US is seen as complicit because of its unwillingness to take action against said content.

They also discuss the well known limitations on speech where courts have ruled that an individual cannot go in front of a crowd and incite immediate violence. The most interesting point that connects to what we discussed this past week was when they brought up Supreme Court Justice Stephen Breyer. In 2010, he questioned how hyper-connectivity, globalization, and the internet could change free speech and suggested we reconsider our current limitations on free speech. Justice Breyer faced considerable backlash for this but he raised a solid point that becomes especially interesting in the context of Innocence of Muslims and other offensive content like it.

As previously mentioned, it is well known that speech can be shut down if it is evident it will cause immediate danger or harm to someone or a group of people. But what if that speech is in video form and uploaded to the internet? Innocence of Muslims was a video that was uploaded to YouTube and accessible to a global population. It caused a few pretty violent protests in Egypt and other Arab and Muslim nations. One could easily argue it was evident the video would stir up violence and that it should be shut down. Google even took it upon itself to block the video in Egypt and Libya as a result of the violence. Should the creators of that video face punishment for the resulting violence in foreign countries? Could they be prosecuted in the United States? Should we reconsider our limits on free speech because of the global impact our free speech can have?

Internet Law Across International Borders

I thought David Johnson brought up some interesting points about the internet and physical territorial borders between nations. He talks about how borders are used for power by establishing laws to govern the people and things within the physical space defined by a border. Borders have the effect of keeping countries outside of a border from enforcing their own laws, beyond their own border. Legitimacy comes from the consent of the governed; the people within the borders most directly affected by the laws. Borders also provide notice to anyone crossing a border that the rules have changed.

All of this changes in an interesting way when cyberspace is brought into the picture. Companies operating in/through cyberspace can easily circumvent the power and laws of a country established by a border. Ideas in cyberspace can have a global effect because the data exchanged in a network is not centralized. This, as a result, can subvert legitimacy and notice because no group of people within any border can make a legitimate claim for regulating cyberspace activities.

This made me think about pirating and how copyright laws are enforced internationally. No doubt, a lot of the push for copyright law enforcement comes from the RIAA and the MPAA which both represent the recording and motion picture industries in the United States. As expected, these organizations want to limit and even stop the file sharing that allows people to download and distribute their media for free. But what has to happen for PirateBay servers in Sweden to get shut down or the owner of KickAssTorrents, a Ukrainian national, to get arrested in Poland?

Both of these countries, and others like them, hosting web sites associated with pirating, have significantly less than the US to preserve, or even gain, from fighting piracy. In some circumstances, these countries may not even have the resources to put up a good fight. Most of the pirated media is not produced in those countries. The people in those countries will likely see very little of the profits made, if any at all. So why would they care about fighting piracy? What motivates these countries into action?

My guess is that the motion picture and recording industries lobby the US government into pressuring other countries with signed treaties, agreements, or even economic trade sanctions. By not directly forcing US copyright law on these countries, the United States, and by extension the RIAA and MPAA, adhere to and respect the border policies David Johnson describes. But is this method legitimate? Do the actions taken by the Polish and Swedish governments in the fight against piracy reflect the consent of their governed? Is it okay for foreign governments and businesses to have this kind of influence over the internet policy of other countries? How could this affect global internet policy?