36C3 preroll music
Herald: The next talk is "5G & Net
Neutrality". The status of the net
neutrality reform in Europe and the
presenter is Thomas Lohninger from
epicenter.works and I'm very happy he's
here today with us. So please give a big
applause to Thomas Lohninger. Thank you.
Applause
Thomas Lohninger: Hello. Here we go again.
Yeah. Hello and welcome, everybody. I'm
going to talk a little bit about net
neutrality. This is not my first talk
about this issue here at congress. I
originally joined the net neutrality
debate because I really found it to be an
important issue. I liked it as a
philosophical concept of the Internet
serving the edges and also because back
then it was still a very young debate. You
could still read up on all the legislation
around the world because there was so
little about it. And a decade later, there
is more legislation, the debate has moved
on a lot. Of course, in the U.S. it has
been first and foremost after Trump
repealed the Obama era rules. And in
Europe, we feel like we're a little bit
stuck in time. And I also want to explain
where we currently are and where we are
heading. So it is an update, but it's also
an update with little bit of a
perspective and might even have a silver
lining. But before we do that, we first
have to go back to the beginning and
explain what net neutrality is. If you are
in the U.S. and you ask anybody serving
coffee on the train, they will know it.
But in Europe, it is still something that
maybe needs to be explained. In general,
net neutrality means that all bits should
be created equal, that the network should
not make distinctions about our data
packages, how important they are if the
checksum is correct. Of course, if to
check some is correct but also a lot like,
is this a valid feature for this
application? Is this a legal transmission?
All of these decisions should not be made
in the network because they should be made
by the end points by the applications on
either side. The easiest way to understand
net neutrality is if you compare it with
previous global telecommunication
networks. In the television system you
also have a global communication network
but it takes a lot of money to actually
have a voice there, to start a television
channel. So you're just consuming, it is
not a bidirectional network. Telephony
allows that, it's a global network system
but you have a central entity that decides
if you're allowed to make that call and
what the cost of that call per duration
will be. That's not the case with the
Internet. And in a way, net neutrality is
just trying to protect these inherent
principles that the Internet was born with
from undue discrimination of network
operators, of telecom companies, or ISPs.
And telecom companies can discriminate or
interfere with our traffic more or less in
two ways. The first is technical by
prioritizing or throttling certain data
packages, also modifying them or blocking
them completely. And the second way to
influence them is by so-called zero rating
by making certain data more or less
expensive, cheaper, or more expensive, or
as exempting certain applications from
your monthly data cap at all. And that all
creates a system where certain big players
have it easier to get rich, to grow, to
innovate, and others have a harder time to
even being noticed or growing. And it can
also be summarized by the principle of
innovation without permission so that you
can just start a new service, you don't
need a license to start an app,
you don't need to network to support your new
functionality. The open layered
architecture of the internet is protecting
this innovative capacity, and that even
allowed this young man in 2004 to create the
Facebook.com in his college dorm. The
total cost of operating the server in the
beginning was 85$ per month. And you would
ask yourself: "OK but isn't Mark
Zuckerberg and Facebook really a horrible
person, the company?" Yes, they are.
That's also why they are against net
neutrality these days. Facebook is one of
the most violating companies around the
world because their program free basic,
is really the opposite of net neutrality.
What they are doing there is basically
creating a walled garden for the global
south. The most vulnerable people on this
planet that do not get the full internet
access but what they got is a way of being
marketed to via their Facebook services,
of course, without any privacy. And
similarly, also, Netflix was once a
company strongly on our side supporting
net neutrality. And then when it was clear
that Trump would repeal the Obama era net
neutrality rules, the Netflix CEO said to
their shareholders: "Don't worry, we are
now big enough that we can survive without
net neutrality." So inherently, this
principle protects the underrepresented
voices and the small players, the ones
that still need to grow. And it is not the
silver stick that will solve all of the
problems from the previous talk to
problems we have with the big platforms
but if we lose net neutrality, we more or
less freeze the current dominant players
forever because it would be really hard
for anybody else to ever become as big.
And so it's all about that right column
here. Where are we in Europe? In Europe,
we started the discussion around net
neutrality in 2011/12. There were the
first non-binding resolutions of the
parliament calling for net neutrality
protections. And it all culminated in 2013
when the commission released their
proposal for really an anti net
neutrality bill. So we have to turn the
ship 180° around to get it back on track.
And we did that with the
savetheinternet.eu campaign, which was
hosted by big coalition of NGOs all around
Europe. And we followed the legislative
process for two and a half years with
seven iterations of that campaign always
changing our means from faxing to the
parliament to making phone calls to just
mass bombarding the embassies to sending
comments to the regulators in the
consultation period. We also demonstrated
in Riga, in Barcelona, in Bonn, in
Brussels, in Vienna. And at the end we got
a net neutrality law. The open internet
regulation was adopted in 2015 and it was
further, then, implemented by the BEREC
guidelines that are kind of the handbook
for the guys who actually have to enforce
the law, telecom regulators. And telecom
regulators will be important in the rest
of the talk because that's where the
action currently lies. And so this was in
2016. And in January of 2019, we released
this report, which was really more
academic exercise of summarizing
everything that has happened since. So
it's really the one thing you should read
if you want to know how a t neutrality
has played out over the past two and a
half years. That's a table of content and
there's a lot of it in there from
analyzing 800 pages of annual reporting,
going through case law, and looking ahead
about 5G. But the most important thing
was the chapter about zero rating, because
that's where the debate currently is
focused on in Europe. And in order to
bring this debate back to a factual basis,
we actually did a lot of work. With doing
a complete survey of all zero rating
offers in the European economic area. I
don't think that anything like this was
ever done before also because it wasn't
easy. We went through 32 countries. So all
of the European economic area that this
law applies to, including Switzerland,
because we have German speakers in our
team, so it was not that hard. That meant
in total, going through the websites of
225 mobile operators, both those that have
their own network as well as the virtual
ones. And we collected the data with in
total five people that spoke six languages
and worked for over four months on this.
We found 186 net neutrality violations in
the form of zero rating programs. And all
of that data is openly accessible. It's
linked in the report. It's all online in a
free format and used under a CC BY-SA
license, so share alike.
Applause
I've given that talk in front of many
regulators. You're the first ones to
applaud. I really like that. And the SA,
of course, because we think this data
should remain free. We can always disagree
on the interpretation but at least the
facts, the data itself should be openly
accessible to everybody and scrutinized by
everybody as well. And I've seen other
people actually using that data for
commercial purposes, which we would even
allow but not sharing it back, which is a
sad thing. So what is in that dataset? You
could see this zero-rating is really a big
problem. All but two European countries,
you have these problems. Finland doesn't
have that problem because they don't have
data caps anymore. If you buy a SIM card
in Finland, you'll get a flat rate. The
only distinction there is the speed, the
bandwidth that is available to you. But
you know, I have no data caps at all and
Bulgaria also doesn't have zero-rating. If
we look at the application side and that's
actually the very interesting takeaway for
you. These are the applications that most
profit from zero-rating. So WhatsApp leads
before 50 zero-rating deals in Europe. And
the second to follow is Facebook and also
Facebook messenger in there. In total,
many of these companies that profit are
from the U.S., only 3 European
applications are actually in the top 20 of
zero-rating. And that is the overall
number and there we just looked at the
geographical home of the applications in
the classical zero-rating programs. You
know, the ones where you have a youth
tariff in Portugal and you can pick either
WhatsApp or Telegram or you have YouTube
is for free. Some ISP is actually do that.
And if you just look at these close
programs of only have hand selected
applications, the majority of the apps are
from the U.S., of course, the big
incumbents. But there is also around a
third of applications which are of zero-
rating programs which are open. Open
programs allow other applications to join.
Think of StreamOn here in Germany or
Vodafone Pass or smartnet in Portugal.
These programs are actually trying to
balance the scale a little bit. They are
actually trying to learn from our critique
and allow other applications to join. And
then if we add those to statistics, we
see that the majority of apps are suddenly
from the same country where the internet
service is offered. All of these local
radio stations in Germany, for some
reason, join StreamOn in order to be
exempt from the data volume, the
ridiculously low data volume from Deutsche
Telekom. And then into second place is
still have the U.S. and most
interestingly, the European economic area.
So apps from other EU countries are really
down below. So one could easily make the
interpretation of that data that we
actually create new barriers for cross-
border provisioning of services in the
European digital single market. And if you
then just count, how many of these zero-
rating programs does an app usually join.
You have a stark pick fit one to three and
then it drastically goes down until you
have the 31 - 52 column at the right,
which is the top 20. So there is an
inherent difficulty to actually sign up to
these so-called open nondiscriminatory
zero-rating programs. What Europe has
created here is actually another reason
why it will be difficult for the European
internet industry to be competitive
because these are all new entry barriers
into markets in other EU countries. And we
really have to explain this to the
regulators. And if you just go and take the
perspective of an application, you want to
join a zero-rating program, what do you
have to do? First, you have to find out
that it even exists. We did that mapping
because we didn't know. And there is no
agency that also sells that data. So
obtaining knowledge about the programs
that you might want to join because you
might want to offer a competitive service
to people in that country of that ISP is
the first step. And then secondly, you
have to request the documents, sign an NDA
even, to even find out how the open
Internet works with this mobile operators.
Third, you have to read the contract for
which for many start-ups is already a
problem. Sign it and prepare for the
liability because you are liable for
wrongfully billed data volume, which can
be really problematic. If your app is
producing a lot of data or widely used by
certain people. The technical aspect that
comes into play here is that of course you
are then responsible for providing
identification criteria. If suddenly your
data packages need to be counted
differently, go against not a general data
volume but an application specific volume
per month or are completely exempt from
the data cap. Then you, in order to make
that assessment, need to identify those
data packages, which of course only works
with deep packet inspection in most cases.
In some cases, you also have to modify
your service in order to even enter into
that deal. Spotify in Germany with
StreamOn only wanted their premium
customers to benefit from the zero-rating.
And they tried to separate the ad-based
free version of the Spotify program from
the premium customers that are paying.
They tried for four months. Then they gave
up. So the business decision of that app
provider was directly affected by these
zero-rating programs. Next, whenever you
make a change to your own service or
infrastructure, you change your CDN
provider or whatever you have to give 30
days prior notice to the ISP so that they
can change their DPI equipment to adopt
this change, which of course is a big
hindrance for innovation and in some
contracts that we've analyzed, it also
includes giving access to beta versions of
your own app. And lastly, in the case of
Vodafone, you also have to sign and
execute marketing agreement so they want
to advertise with your app. So there is a
lot of hoops to jump through in order to
be admitted into one of these zero-rating
programs. So you'd think at least they'd
do a lot of effort on the telco side to
make it easier for you. So for this
survey, we actually created a fake
application and we tried to apply to zero-
rating programs. We said "Hello. We are a
student group. We are working out of a
garage. We have that cool app. We want to
join your program." And we just counted
the duration until we got a response. In
two cases we got a response within a day,
in five cases we got a response within a
week, in one case within a month, and in
half of the cases we never got a response
at all - so not after three months, they
never got back to us. So that truly shows
that there is a big problem with these
open programs. And I'm going to soon show
you how the regulators have reacted to
this report in their reform. But another
more general thing is speed testing
because in Europe, net neutrality also
brought us the right to contractually
agreed speeds, for our Internet access. In no
other area and economy, You would buy up
to 8 apples for 5€. But in Internet, for
some reason, that's the case. And so the
European Parliament was keen to adopt
rules that were giving each and every
consumer in their contract at a minimum,
an average and the maximum speed that an
ISP has to deliver. But how do you then
measure the speed ? Speedtest.net is
really not a good site if you look at
their business model. So regulators are
often the ones that should offer these
speed tolls. And BEREC recently released
an open source speed test measurement tool
that hopefully will also change another
problem that are going to show you. In
Norway, the telecom regulator Nkom is
actually really good at showing how the
Internet is improving year by year in the
country. And of course, fiber is hitting
through the roof and it's really good. And
in general, we see that the Internet is
improving healthily and the supply is
increasing to meet the demand. Austria -
similar picture - regulators reporting the
numbers every year. So we know how the
Internet is actually developing in these
countries. You would assume that in
Western countries this is a given. It is
also an obligation under the law. They
really have to do that. But sadly, only
eight countries are actually reporting
figures. If the internet supply is
actually increasing. Twenty three
countries released no numbers at all about
whether the internet capacity is actually
constantly meeting the increasing demand,
which we see as a big problem,
particularly with 5G, because that will
mean that the last mile will suddenly
be very fast, but the rest of the network
to core, the backhaul, this is where the
next bottleneck will lie. And if we don't
invest there soon enough, we'll really
have a big infrastructural problem in the
foreseeable future. So coming to the
reform. So what is on the table? First,
this is not a legislative reform. Contrary
to the previous talk that I've given, this
is not about engaging with the commission
to parliament or the council. This is all
about the regulatory community, like with
the GDPR privacy law it's great when we as
activists proud our head and shoulders that
we actually managed to get a law approved
and then the sad awakening comes. Okay.
But the guys who are in charge with
enforcing the law are really not
particularly motivated to do so. And then
you are stuck in Ireland with the data
protection authority for years. And your
biggest problem is that they are not doing
their job. Similarly, in telecom
regulation, what we have found is the
biggest problem is to get the regulator to
do their job. And that needs a lot of name
calling and submissions and talks with
them, which is really frustrating because
it should not be the jobs of activists to
enforce legislation. It should be the task
of well funded regulators. So in that
reform, we are kind of in the middle. The
scope was released in 2018. In May, we had
an official stakeholder workshop which
went for five hours and was a busy
gladiator debate. And October/November the
draft guidelines were released and
publicly consulted. About 50 stakeholders
participated, we were one of them. And now
BEREC has all of the input on their draft
guidelines and most likely in Q1 2020 will
see an interim report summarizing that
consultation, which again will be
consulted. We would like that to happen
because it would allow us to respond to
comments from the telecom industry and to
kind of have a more Ping-Pong debate. And
finally, that all should come to a close
in June 2020 when the new rules are
adopted. So now I'm gonna go into what is
actually in that draft and what to expect
content-wise from the topic. As you have
seen in the title, what we are mostly
talking about these days is 5G, the next
mobile network generation. You must have
heard about it. The telecom industry
really has spent millions and millions in
advertisement to make people interested in
5G. We have that whole trade war between
Trump and Huawei going on and there are
people talking about health risk, which is
mostly overblown but still 5G is really
portrayed as the revolutionary new
technology. Sadly, that's quite far away
from the truth. 5G is an evolution. If
you've listened to the talk yesterday
morning in German about the path from 4G
to 5G, you will know that technology wise
5G is a very interesting technology. And
as a nerd, I find it interesting but.. The
only thing that's a given is that internet
will become faster. All of the other
promises you should take with a grain of
salt. There are two particular
technology aspects of 5G that I want to
talk about in more detail. The first is
Network Slicing. The title already gives
it away. Network slicing means you slice
the network and every slice, every layer
has different quality characteristics. So
it's basically QoS on the radio access
layer. So it's basically allowing you to
have one SIM card with several internet
accesses to it. So you could have one that
is very high bandwidth super fast for
Netflix, one for very low latency for
gaming, one for very low energy
consumption. So when your battery goes
below 20% or you'll have solar powered IoT
sensors, then you might want to use that
because you actually don't care about
bandwidth, you don't care that much about
reliability, but you only have tiny
battery or solar power. And it actually is
good that we'll have that technology. But
the question is then who gets which slice?
And that's where the regulators in the
business models get back into gear. The
one scenario in which we could see
networks slices being marketed to us is an
a per subscriber basis. So you have that
one SIM card and it allows you to have
several independent Internet access
services that are also separated from each
other. And you as a user are in control.
Which app gets which slice? You should not
assume that all of these slices will be
flat rate. It could be that you have a
normal internet access but a very high
bandwidth or low latency slice is capped
with two gigabytes per month. And so it
actually is important that we as
subscribers have a say in that. The second
way in which network slices could hit us,
is a specialized services. So, there the
access service, the pipe, is the same
thing as the application that runs over
it. So it's no longer universal access. It
is no longer something that connects you
to the whole internet but it's basically
just not a power plug but a Facebook plug.
And we have few safeguards, five in total
in the regulation that are kind of protecting
us against specialized services becoming
too widespread. But this is where we'll
see a lot of "innovation" from the telecom
industry to vertically integrate, try to
have Facebook as a separately sold product
or maybe Facebook, Oculus Rift, VR or
maybe some IoT vertical integration, which
some smart home shit. So stuff like that
will most likely happen and 5G gives them
more argumentation basis for these types
of vertically integrated products. But
that's something for the enforcement. And
lastly, which was our original fear, is
that a network license would be applied on
a per application basis. So, Google could
make a deal and suddenly they are under
high reliability slice - always. And this
is thankfully not the case in the current
draft, so we could already prevent with
the work in the previous years this
scenario from being a likely result of
that reform, which is good because as I
show you later, these rules in Europe will
have repercussions. The second technology
aspect of 5G that merits some discussion
is edge computing and it's kind of
breaking the principle of end-to-end. You
no longer have desktops or mobile devices
that are connected to one Internet,
whereas you have suddenly some
computational power on the cell tower, on
a very close datacenter connected with
fiber lines so that the whole purpose here
is very low latency. The industry is
marketing this as something really great,
something that will be heavily needed.
Actually, there is very little real use
cases out there that I think are
realistic. The only one that we could find
and that merits discussion is local
dynamic maps. So it's basically if you
think of a future in which self-driving
cars all have their own sensory data and
that sensory data is then cached in this
edge-called cloud. So you have a 3-D
model that knows from the car that has gone
around the same curve for a minute ago that
there is a traffic jam over there. And so
your car would know before you even passed
that curve. It is telling that even the
European Commission backed a Wi-Fi based
mesh network standard and not 5G, which
means even that very weak example of edge
computing is kind of discredited in
Europe. So we have good cases for the
global reform. And when we talk about 5G,
it's important to stress that this is a
global standard. 3GPP, an international
body is standardizing the technology for
5G and now it's being rolled out step by
step in the rest of the world. The U.S.,
of course, will not be helpful with that
because they are heavily investing in 5G
but they are no longer net neutrality
standards to test this new technology
against. Canada, great net neutrality law,
but not taking a front seat approach to
5G. So they are not actively engaging with
it. India great net neutrality, again not
interested in 5G yet. South Korea,
actually, our colleagues there could
prevent a repeal of the net neutrality
legislation in South Korea. But they tried
to regulatory sandbox net neutrality from
5G to just let the net neutrality rules
that are already weak in South Korea to
begin with not apply to that technology.
So Europe is kind of the first world
region that tries to square these two
things together. And that's why our
approach here might be quite influential.
Also, if you think of the whole ecosystem
because what does it mean if we have user
controlled network slices? That means that
on my mobile device, I need to somehow
also decide which application gets which
slice at which time. And so Google and
Android - ähm Google and Apple (Freud)
come into play here as well. Another issue
that we did not at all expect to fight
about is parental control filters. So when
we fought about this law in the
parliament and in the council in the
trial, we always had that looming danger
of parental controls, like in the UK. You
buy an internet subscription and you have
a porn filter on it by default. We could
kill this in trial. So parental
controls were struck out of the law books
and for some weird reason I would call it
lobby pressure. The regulators wanted to
allow this in this reform and we've shot
heavily against it. We got even support
from the consumer protection
organizations, from BEUC, and we hope
that we can actually prevent this because
what would it mean? It would mean that
suddenly in the terms of services, you can
circumvent net neutrality. Usually an ISP
is, of course, not allowed to just
randomly block websites but parental
controls are exactly that. If you want to
do parental control filtering do it on the
device but not in the network. Blocking
should always happen on the edge of the
application, not on the network site. The
picture is more interesting when we talk
about zero rating cause they actually took
many of our ideas and also from our report
into consideration. The draft that was
released in October actually contains even
the same language of open zero rating
programs. And it says they have to be
fair, everyone needs to get a response,
they have to be reasonable, so all
documentation should be made public, they
have to be transparent, so if WhatsApp
calls or Spotify ads are actually counting
towards you data cap and are not zero-
rated, you should least tell the customer
and they have to be non-discriminatory. So
Vimeo gets the same response time as
YouTube. These are all our critical
points. I'm very thankful that they have
listened to us but sadly, they are also
allowing ISP to simply don't give a fuck
and have non-open programs, so they have
not drawn a red line. They have not said
clearly we have these types of zero-rating
programs, which are okay and then we have
all of these others that you have to
follow these rules for. And that is just a
level of lack of opportunity and a missed
opportunity for the regulators because
whenever the rules are fuzzy and
unclear,that only creates problems further
down the road in enforcement. The last
issue was also kind of unexpected. In the
beginning, because I thought we've solved
that. Deep packet inspection. So deep
packet inspection means when an ISP is
looking into your data packages. So he's
looking closely into what you are actually
doing online, your concrete user behavior.
The domains you access, the URLs you
access, that means your sexual
preferences, your news preferences, which
videos you have watched, all of that.
Usually that should be prohibited.
Everything that's payload of transport
layer 4 should be off limit for an ISP.
That's the general definition of deep
packet inspection. And actually we thought
that we've won that. But then there were
rumors that deep packet inspection, they
want to open it up and allow it again. So
we launched an open letter which was
signed by 45 NGOs, academics, and privacy
experts. But we still felt like this is a
hard push. We knew the regulators on the
other side - Germany is one of them - that
were just because of lobby pressure,
really asking for ex post allowing deep
packet inspection. And in that moment,
Gandalf came and we really got support
from an unexpected friend. The highest
data protection body in the European
Union, EDPB, issued a letter to BEREC and
saying that the board considers the
processing of data such as domain names
and URLs by Internet access service
providers for traffic management and
billing purposes, it's unlawful unless
consent of all users is obtained. And that
is interesting because of course all users
means that it will never work because
I as a customer of my telco, can maybe
consent to that, but not the rest of the
internet that might send a data package
down my way. They're not just saying this
for their net neutrality law, they are
also saying it for their interpretation of
e-privacy, of the GDPR, all of the other
laws. So this is actually giving us even
more sticks to go after deep packet
inspection in the future of that legal
opinion. And lastly, a completely
unrelated reform but still plays into this
whole thing. In Germany, you can pick your
own router. It doesn't matter which ISP
you have. You have the right to buy a
router from anywhere, even an open source
or libre one. And it needs to be able to
connect to your internet access service.
That is not the case in many European
countries because it is often unclear
where does the network actually end and
where does my home network begin. And that
network termination point is one of the
things that the same body BEREC, the
telecom regulators will decide for us. And
again, it looks like we will win. Winning
in this sense means that you will have it
the freedom to choose your own router, you
will have device freedom also in the
customer premise equipment and the network
ends at the socket, at the wall, at the
antenna. So it's actually quite good for
user choice. The only counterpoint that I have to
give you, of course, when the network
ends, net neutrality ends. But if your ISP
tries to fuck you on your router, you can
just replace it with another device. And
that's it for the neutrality thing.
And I think we still have some time for Q
and A. Thanks.
Applause
Herald: Yeah. Thank you so much. And don't
leave yet. I wanted to say support
epicenter.work, support EDRi. We need support,
we need people who believe in this and to
fight for this and thank you.
Applause
Herald: Okay. So, do we have questions? We
have questions from the Internet, maybe -
not really. Number two, please.
Mic 2: Yes. Have you seen any requirements
in digital media playback for recording
location information and identifying
users? So especially the location
information of media playback.
Lohninger: I'm not sure I follow the
question. So like... you mean like YouTube
reporting the playback position of the
audience?
Mix 2: No, not the not the public playback
position, the position or the location of
the user that is playing back to media.
Lohninger: I'm not sure that that would
relate to this. So, the ISP, of course,
knows in most cases where the user is, you
know, in all cases actually, and the
content provider, if it is not localizing
the user on the app with the location,
then the ISP at least would not share that
location information. I also wouldn't know
by which API or on which legal basis they
could do that. I hope that answers the
question, but I'm not sure.
Herald: Okay, thank you. Okay, we have
another question. Microphone four, please.
Mic 4: Hi. Will the users have the same
rights if they are not in the home country
like if you are roaming?
Lohninger: Yeah, that's actually an
interesting question. So, the net
neutrality regulation is also the roaming
regulation in the EU. These two things a
legally mixed together but they actually
can be seen completely separate. So when
you are roaming in another country, so my
Austrian SIM card here in Germany, it is
actually then the German provider that is
physically providing me the Internet
access service, which has to apply by the
same European regulation for net
neutrality. In most cases that would not
mean that there is even a technical or
legal connection to the customer, to the
ISP in Austria that I have a contract
with. Of course, it gets then interesting
because that's mostly about the technical
aspect when we look about zero rating. For
most cases the zero rating would just not
be possible. So if you have StreamOn in
Germany, you are a customer of T-Mobile,
you are going to Austria and you are in
the network of some ISP, then the zero-
rating would just not be possible and you
would just have additional data volume
given to you. There was actually a court
case about that out of Germany and there's
still ongoing litigation from the consumer
protection NGO, VZBV in Germany against
Vodafone around that same question. It
might be differently if you are a German
T-Mobile customer in Austria and roaming
in the T-Mobile network there because
technically I think it would be possible
to then apply the zero-rating but I'm not
sure if they actually do that. I think it
would not be easy and the incentive
usually would also not be there because
these are very few edge cases that even to
configure and maintain those wouldn't make
a lot of sense.
Herald: Okay, so next, we have a question
from the Internet. Dear signal angel.
Signal: So there was a question about DPI.
Are data protection authorities doing
anything about this and are there any
enforcements in the European country?
Lohninger: Sadly, no and no but I think
there is definitely an opportunity there
for enforcement action. And I know many of
the people that work around strategic
litigation and enforcement of the GDPR.
They have their hands full because similar
to net neutrality, the great law that
we've written in the last year is not
taken very seriously by the regulators.
And I think it will again depend on
activists or other entities bringing
cases, bringing complaints to data
protection authorities around DPI before
we see actual movement there. Legally, I
think particularly with that statement
from the EDPB, it would be an easy win. So
if somebody wants to earn spores or help
of that, I think it's quite doable case to
bring a complaint against DPI based on
that legal opinion.
Herald: So you're all part of it again.
Number two, please.
Mic 2: I want to ask, why the hell should
the ISP mess around on layer 4 laugh ,
as you described it before?
Lohinger: That is the current definition
that we have, like the regulation says no
monitoring of specific content. And BEREC
interpreted that in 2016 it meaning pay a
load of transport layer 4 should be off
limit. That is the interpretation that the
regulators have come up with. And that, of
course, was also a political compromise
like where do you draw the line? And so my
slide there was really based on the 2016
text of the guidelines.
Herald: Okay. Number one, please.
Mic 1: So currently an app developer has
to apply for to an ISP to get zero-rated.
What's to stop an ISP to just zero-rate an
app on its own to gain some market
advantage.
Lohninger: They can. And there's nothing
stopping it. And WhatsApp, for example, is
easily just saying "Okay, here's how you
zero-rate us and we don't even want to
interact with you." There does not need to
be a bilateral agreement. Of course, ISP
then has the problem if the app provider
changes their service or infrastructure
and identification criteria should also
change that the ISP needs to implement
that change before it happens. And so
that's the reason for the 30 day period.
But again, that problem might not even
exist for big providers that have
dedicated IP addresses. If your services
coming out of an CDN and then you would
rely on SNI or other technologies to
actually be identifiable.
Herald: So we have one more minute and I'm
sorry to say it's number 4. Thank you,
others. And yeah, probably you can go to
Epicenter Networks and contact Thomas
there. Thank you.
Mic 4: Hi. I'm very touched by your
argument about regulation not being
enforced right now in the EU. In France,
it has been the case about video
surveillance where the state has stated
that CLIN, the regulators are a
consultative authority. You know, they
shouldn't enforce. That's what quite
arterial the association that is doing
most of the work about that said so. I
don't know where we go from there. You
know, I'm very scared. It's nice that
you're doing...
Herald: What is the question, please? We
just have 20 more seconds.
Mic 4: Sorry, my question is, what do you
think we can do to help enforce regulation
in the EU?
Lohninger: Big question. There are many
things there, like one of the things that
is a positive development to look at a
bright side is that more and more digital
rights NGOs are warming up to strategic
litigation. So ultimately, why are
regulators not acting? Because on the one
side, they have fundamental rights to law,
consumer protection. And on the other
side, you have a big, big company that
will not accept their decision that it
will bring them to court no matter what.
And so if you're a small regulator with a
limited budget, you can either take the
uncomfortable decision that, you know, you
will be sued for. Or just duck away and
then the thing might be over. So that the
risk assessment and the cost calculation
is currently not in our favor. And that's
why we need to bring more cases. We have
to make regulators really bear a certain
risk on both sides of the decision. And
only then will the decision actually move
more to the factual basis. And I mean, I
know there are many problems in France but
at least CLIN was one of the few DPAs that
actually issued a few million penalties.
So there is at least some silver lining.
Herald: Okay, so complain. Support EDRi,
support epicenter.works. Thank you
for being here and given another applause
to Thomas Lohninger. Thank you so much.
Applause
36c3 postroll music
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!