© Xamax Consultancy Pty Ltd,  1995-2017


Roger Clarke's 'NBN and Privacy'

The National Broadband Network (NBN):
Privacy Considerations

Exposure Draft of 23 December 2009

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2009

Available under an AEShareNet Free for Education licence or a Creative Commons 'Some Rights Reserved' licence.

This document is at http://www.rogerclarke.com/II/NBN-PC-0912.html


Abstract

The NBN holds great promise. It also harbours considerable potential threats to privacy. There is to date no sign that NBN Co. is engaging with the issues. It needs to do so.


Contents


1. Introduction

The Australian Government is committed to the implementation of new national infrastructure in the form of the National Broadband Network (NBN) - see, for example, DBCDE, Wikipedia and Communications Alliance (the relevant industry association).

The NBN is to be developed and owned by a new company, NBN Co. NBN Co. is to be owned by the Australian Government initially, with an intention of divestment in the 5-year timeframe. NBN Co. will operate as a monopoly service-provider, up to some (fairly low) level of the protocol stack. Telstra is required to give up its monopoly over the existing information infrastructure, under conditions that could be nasty, or could be quite reasonable. [Declaration: the author owns Telstra shares. Other declarations are below.] For very good reasons, Australia's new information infrastructure initiative is attracting international attention.

On 10 December 2009, NBN's CEO, Mike Quigley, provided a clear and concise outline description of the NBN in his presentation at the Broadband Future event in Sydney (video, slides). I reported my early impressions of the Broadband Future event at lunchtime on 10 December, and my thoughts on public policy and the NBN at the end of the event on the afternoon of 11 December.

On 22 December 2009, NBN Co. published its first public Consultation Paper, on its Proposed Wholesale Fibre Bitstream Products. This is also a mercifully clear and concise presentation. The purpose of the present document is to provide my initial reactions to the Consultation Paper, primarily from the privacy advocacy perspective, but informed by my background in various aspects of eBusiness and information infrastructure.


2. Background

In the early 1990s, the proponents of the Internet were full of hope for freedoms, and for the defeat of the socially and politically constraining influences that had been a feature of the Cold War (c. 1945-1991), primarily on the Communist side of the Wall (but not only). Within a few short years, however, warning signs were already emerging. I contributed to the literature on the sides of both hope and caution. (See sources below).

Any information infrastructure creates scope for social controls, and for enablement of electronic surveillance of human behaviour. A new information infrastructure harbours enormous potential for features hostile to freedoms and democracy, precisely because it is new, and capable of being designed to facilitate surveillance and control.

This paper identifies some potentials within the NBN. It is stressed that this is a first-round analysis, conducted in a few hours, on the basis of two short documents published by NBN Co.


3. Specific Concerns

This section of the paper outlines the concerns I currently have about how the design of the NBN may unfold. They are listed under the following headings:


3.1 Identity and Location

On the Internet, the sources and destinations of messages are indicated using numbers called 'IP-addresses' and corresponding textual descriptors called 'domain-names'. The IP-address is relative to the structure of the network, and does not reliably map onto physical or geographic space. In addition, there are many ways in which addresses are, or can be, obscured. This is to the detriment of marketers, and works against fast, simple and cheap action by law enforcement agencies; but it is also greatly to the benefit of privacy protection.

Generally, a device that is connected to the Internet has some form of 'name'. This may be the identifier of the network interface card that connects the device to the network (the NICId, more commonly called the MAC address), or the identifier of a processor or other component within the device (such as the IMEI, which identifies a mobile handset, or the IMSI, which identifies the subscription held on the SIM-card within it). A name of this kind is likely to be known within the sub-net that the device is attached to. It may also be known to the provider of the message carriage service. But these names are generally not available across the network to the other party to the message. It is an over-statement to claim that 'on the Internet, everyone is anonymous'; but, on the other hand, there are inbuilt features whose effect is to provide substantial privacy protections.

The NBN can be conceived so as to destroy those protections, or at least so as to facilitate their destruction. That would have serious consequences.

One major issue arises from the impending replacement of Internet Protocol version 4 (IPv4) with IPv6. This is necessary, because version 4 lacks the address-space to support the rapidly-growing numbers of connected devices.

The problem is that, in IPv6, the IP-address is 128 bits long rather than 32. The lower 64 bits (the 'interface identifier') are large enough to carry the identifier of the device, or of a component within it, and the standard mechanism for stateless address autoconfiguration does exactly that: under the 'modified EUI-64' format (RFC 4291), the interface identifier is derived from the 48-bit MAC address of the network interface, which is thereby embedded in every address the interface configures for itself, under every network prefix it ever attaches to. If implemented in this way, the IP-address would in effect become an 'IP-name-and-address', all bundled into one, i.e. it would identify to the party at the other end, and to every device on the message's path from one end to the other, not only where the device is, but what the device's identity is.

Needless to say, this is attractive to marketing corporations, and to law enforcement agencies, and would be easy for technologists to implement, because it is the default behaviour of the standard rather than an addition to it. A countermeasure exists, in the form of the 'privacy extensions' of RFC 4941, which substitute random, periodically-changed interface identifiers; but whether they are enabled depends on the operating system and configuration of each device, not on the infrastructure. There will therefore be technological, marketing and law enforcement 'imperatives' to implement IPv6 in the identifying way. And it would be to the enormous detriment of privacy, and of freedoms more generally.

During the 1990s, many desktop and even portable computers were used by more than one person, and hence there was at least some ambiguity about which person was party to a particular message. During the 2000s, the trend has been for devices to become personal, particularly mobile phones, personal digital assistants, game-stations and the wide array of 'converged' handhelds.

In the context that looks likely in the 2010s, an IP-name-and-address for a device could be associated with a single person with a high degree of confidence. The infrastructure provider, service-providers, and recipients of messages, would be gifted the ability to break through the veil of nymity and directly identify the individual they are dealing with. For those many individuals who use multiple personas, the organisations they deal with could consolidate the many personas into a single profile, again with a high degree of confidence. That would undermine many privacy tools and services, and, with that, greatly undermine public confidence in the Internet.
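The mechanism described in the preceding paragraphs (an address that carries the device's own identifier, and the resulting ability to link one device across networks and consolidate its user's personas), as an added worked example that is not part of the original paper. It shows how a stateless-autoconfigured IPv6 address embeds the MAC address under the modified EUI-64 format of RFC 4291, how any recipient or intermediary can read that MAC back out of the address alone, how the same interface is recognisable under two different network prefixes, and how an RFC 4941-style temporary address avoids all of that. The prefixes and the MAC address are constructed sample values, not real NBN or device identifiers, and the rule of regenerating a random identifier that happens to carry the 0xFFFE marker is an assumption made here for clarity, stricter than the RFC's own reserved-identifier check.

```python
"""Added example (not from the original paper): device identifiers inside
IPv6 addresses.  Prefixes and MAC below are constructed sample values."""

import ipaddress
import os
from typing import Optional


def mac_to_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC address.

    The 24-bit OUI and the 24-bit device-specific part are split, 0xFFFE is
    inserted between them, and the universal/local bit (0x02 of the first
    octet) is inverted, as RFC 4291 Appendix A prescribes.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host autoconfigures for `mac` on a /64 `prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_iid(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC address from an EUI-64-derived IPv6 address.

    This is all that a recipient or an intermediary needs to do, given only
    the source address of a packet.  Returns None when the interface
    identifier lacks the 0xFFFE marker, i.e. was not derived from a MAC
    address (a temporary address, a manually assigned one, and so on).
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def same_interface(addr_a: str, addr_b: str) -> bool:
    """True if two addresses, possibly under different network prefixes,
    carry the same EUI-64 identifier, i.e. come from the same network
    interface.  This is the cross-network linkage that lets separate
    personas be consolidated into a single profile."""
    mac_a = mac_from_address(addr_a)
    return mac_a is not None and mac_a == mac_from_address(addr_b)


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """An RFC 4941-style temporary address: a random 64-bit interface
    identifier with the universal/local bit cleared, unrelated to any
    hardware identifier and intended to be replaced periodically.

    Assumption (stricter than the RFC's reserved-identifier check): a random
    value that happens to carry the 0xFFFE marker is regenerated, so the
    result can never be mistaken for an EUI-64-derived identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    while True:
        iid = bytearray(os.urandom(8))
        iid[0] &= 0xFD  # clear the universal/local bit
        if iid[3:5] != b"\xff\xfe":
            return ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid))


if __name__ == "__main__":
    MAC = "00:1a:2b:3c:4d:5e"                        # constructed sample MAC
    home = slaac_address("2001:db8:1:2::/64", MAC)     # constructed prefixes
    work = slaac_address("2001:db8:ffff:9::/64", MAC)
    print("home:", home, "-> MAC", mac_from_address(str(home)))
    print("work:", work, "-> same interface as home?", same_interface(str(home), str(work)))
    tmp = temporary_address("2001:db8:1:2::/64")
    print("temporary:", tmp, "-> MAC", mac_from_address(str(tmp)))
```

Run as a script, the first two lines of output show the same MAC recovered from two addresses under unrelated prefixes; the third shows a temporary address from which nothing about the hardware can be read. Note that the first three octets recovered are the vendor's OUI, so even a party without a MAC-to-customer mapping learns the make of the equipment.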

An IPv6-name-and-address would disclose the identifier of the device and its net-location, but not its physical or geographic location - at least not directly. A second grave concern is that protocols may be used in such a manner that the physical location of the device might be disclosed, to the infrastructure provider, perhaps to service-providers, and perhaps even to the recipients of messages, and hence the physical location of the person might be disclosed. The most likely way in which this might arise is through inclusion of data that identifies the connection-point between the NBN infrastructure and the premises. (This could be an identifier for the Optical Network Termination - ONT.) Other possibilities include the point of connection between the 'drop fibre' (from the pole or buried ducting) and the 'local fibre' (along the line of poles or buried ducting), a local Fibre Distribution Hub, and the Fibre Access Node (FAN) further along the network. Any such identifier is fixed to a place in a way that an IP-address is not, so a mapping from it to a street address is trivial for whoever holds the network's records.


3.2 Surveillance

Surveillance is usefully defined as the systematic investigation or monitoring of the actions or communications of one or more persons. During the last three decades, physical surveillance has been increasingly supplemented by various, inexpensive automated forms, including dataveillance and electronic surveillance. This has resulted in the economic constraints on surveillance falling away. The extent of surveillance undertaken in such countries as the U.K. can now be argued to exceed that which was previously achieved in backward, un-free nations such as East Germany under the Stasi.

The NBN can be designed so as to (intentionally, or accidentally) directly support electronic surveillance, or to facilitate it.

The identity and location features discussed in the preceding sub-section (IP-name-and-address, and disclosure of physical location) would provide a basis for intermediating nodes on the Internet to monitor traffic to and from devices-of-interest. This could be conducted by private sector organisations, and by agencies performing social control functions. Even the suspicion that one's electronic traffic is subject to such monitoring would have an enormous chilling effect on human behaviour. In particular, it would greatly constrain speech, and would dissuade many people from accessing nominally 'open' sources.

It is increasingly feasible to undertake surveillance of content. In recent years, governments have sought to detect and repress behaviours by adding functions to intermediating nodes on the Internet. 'Deep packet inspection' refers to the examination of the payload of packets, not merely their addressing headers, for patterns of data of interest to a powerful organisation; a 'proxy server' is an intermediary that terminates a connection and relays it, and can therefore read and alter the content as it passes. Based on the interception, the surveillance organisation might take various actions, such as blocking the message, varying the message, placing the parties to the message under surveillance, and/or adding the data to a data-warehouse for future mining. Such activities are undertaken not only by the People's Republic of China, but also by the U.S.A. and other nations in the 'free world'.

The NBN could be designed to embody, or to facilitate, the surveillance of content. Ways in which this could be done include the accommodation of the function in the NBN architecture and the NBN infrastructure, the provision of space on NBN Co.'s premises for specialist equipment, enabling the connection of extraneous devices to the network, enabling the inclusion of extraneous software in its own devices, and the permission of access to its premises by organisations that conduct surveillance.

It is crucial to the public trustworthiness of the national infrastructure that it not be prostituted to the wishes of either marketing corporations or national security extremists.


3.3 Denial of Service

There have already been instances of interference with the freedom of individuals to utilise information infrastructure. In a few cases, for example, the courts have placed constraints on Internet use by people convicted of fraud, and of the reticulation of child pornography.

The NBN could be designed so as to embody, or facilitate, the denial of some or all services to some devices, based on the devices' identity or location.

The previous sub-section also discussed the possibility of the NBN embodying or facilitating the surveillance of content. Such a capability could be harnessed so that the NBN could embody, or facilitate, the denial of services based on content, or based on a combination of content and the (presumed) identity of the user of the device.

The Australian Government is quite specifically proposing the implementation of denial of service based on content alone, in the form of its mandatory ISP-level filtering of Refused Classification (RC)-rated content. It is to be anticipated that the moral minority that insists on compromise of existing information infrastructure in order to support censorship will also pressure the Government for the NBN architecture and infrastructure to be compromised for similar purposes. The capability is attractive to politicians and public servants alike, because of its potential value in suppressing other categories of content as well.

All such processes would inevitably be highly inaccurate. The correlation between a device and an individual would always be approximate, and individuals subject to legal denial of service could easily circumvent the restrictions. There would be low success rates, and there would be high levels of 'collateral damage' from false positives. Similarly, the detection and blocking of whatever content is subject to censorship at the time is extraordinarily difficult to perform reliably, and extraordinarily easy to circumvent.


3.4 The Chilling of Privacy-Friendly Services

A great array of privacy-friendly tools and services exists, whose creation has been motivated by the efforts of governments and corporations to constrain the use of information infrastructure. One catalogue of such tools and services is maintained by EPIC.

There are various ways in which governments and corporations seek to undermine the use of those tools and services. In some cases, they may have legal authority to do so, but in many they do not. The NBN could be designed in such a manner as to stultify privacy-friendly services. In this sub-section, I outline three particular areas of concern.

For two decades from about 1980 until about 2000, the dominant relationship among devices on the Internet was that commonly referred to as 'client-server'. Under this arrangement, user devices are relatively small and 'client' software on them performs functions only for their local user; whereas large, remote devices elsewhere run software called 'servers', which deliver the services, and store data.

Since about 2000, an alternative relationship among devices on the Internet has resurged. Under so-called 'peer-to-peer (P2P)' arrangements, large numbers of devices, including many in the possession of individuals, support both client and server functions.

The NBN could be designed so as to embody, or to facilitate, an inherent bias against the provision of services from user-premises, and in favour of the provision of services by what the NBN Co. refers to as Retail Service Providers (RSPs).

For example, one way in which that could arise would be through a significantly asymmetrical service. The downstream bandwidth would significantly exceed the upstream bandwidth in a pattern reminiscent of old-fashioned broadcasting. The NBN Co. documents can be read as indicating that the company presumes premises to be occupied by consumers, rather than by both businesses and 21st century prosumers. Prosumers are proactive, and produce content and make it available (e.g. by means of home-based web-servers and P2P software) rather than merely accepting what is offered by RSPs.

The standard that NBN Co. is currently proposing (Gigabit Passive Optical Network - GPON) is stated to have an "underlying IP payload carrying capacity" of 2.3Gbps downstream (towards premises) and 1.2Gbps upstream (towards RSPs). Those figures are the capacity of a whole passive optical network, shared among all of the premises served by one splitter; the ratio that matters to a prosumer is the one in the per-premises products offered to RSPs. If individual premises enjoy a similar downstream/upstream ratio, then no serious bandwidth constraint exists. However, other factors might still limit the ability of users to be publishers.

A second possibility is that the NBN could be designed such that there is insufficient competition among RSPs, resulting in not only less incentive to them to compete on price, but also less incentive to compete on the basis of superior privacy-friendliness. The NBN Co.'s current intention to offer a Layer 2-Plus service, rather than a Layer 3 (IP) service, demands a much larger investment from a company wanting to act as an RSP. The likelihood is that the market structure would resemble the oligopolistic airline and banking industries, with all of the market power and lack of product differentiation that entails, and (because of ongoing high costs of entry) it would very likely stay that way.

A third aspect is the risk that the NBN could be designed in such a manner that there are inherent barriers against the participation of not-for-profit organisations. The high entry costs represent a very serious hurdle, but other features could be harmful to diversity as well, such as requirements relating to scale, corporate structures, deposits or indemnities. The significance of such a situation for privacy is that community-based and public interest organisations are more likely to offer privacy-friendly alternatives than are large corporations; but they might be locked out of the game.


4. Conclusions

Depending on its design, the NBN might embody or facilitate serious threats to privacy, whether intentionally or accidentally, including the following:

It is essential that the designers of the NBN take into account the enormous potentials for the NBN to undermine the open, free society that Australia has been. This demands active engagement of the NBN Co. with public policy issues. It is noteworthy that the current NBN Co. executive team contains no-one whose scope includes public policy issues such as consumer interests and privacy.

In addition, it is essential that the designers of the NBN publish all details of the design that are relevant to identities and locations. Special pleadings by marketers and by law enforcement and national security agencies must be open and contestable. No consultations must be permitted behind closed doors, because in those circumstances powerful organisations are freed from their responsibility to justify their pleadings, and freed from the inconvenience of being challenged and having to defend them.


Sources

Previous publications of relevance to the topic include ...

... plus these cautionary papers:


Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University. He is currently chair of the primary privacy advocacy body, the Australian Privacy Foundation.




Created: 22 December 2009 - Last Amended: 23 December 2009 by Roger Clarke - Site Last Verified: 15 February 2009