Return to Video

36C3 - 5G & Net Neutrality

  • 0:00 - 0:20
    36C3 preroll music
  • 0:20 - 0:26
    Herald: The next talk is "5G & Net
    Neutrality". The status of the net
  • 0:26 - 0:31
    neutrality reform in Europe and the
    presenter is Thomas Lohninger from
  • 0:31 - 0:36
    epicenter.works and I'm very happy he's
    here today with us. So please give a big
  • 0:36 - 0:41
    applause to Thomas Lohninger. Thank you.
  • 0:41 - 0:44
    Applause
  • 0:44 - 0:50
    Thomas Lohninger: Hello. Here we go again.
    Yeah. Hello and welcome, everybody. I'm
  • 0:50 - 0:56
    going to talk a little bit about net
    neutrality. This is not my first talk
  • 0:56 - 1:01
    about this issue here at congress. I
    originally joined the net neutrality
  • 1:01 - 1:06
    debate because I really found it to be an
    important issue. I liked it as a
  • 1:06 - 1:11
    philosophical concept of the Internet
    serving the edges and also because back
  • 1:11 - 1:15
    then it was still a very young debate. You
    could still read up on all the legislation
  • 1:15 - 1:20
    around the world because there was so
    little about it. And a decade later, there
  • 1:20 - 1:25
    is more legislation, the debate has moved
    on a lot. Of course, in the U.S. it has
  • 1:25 - 1:31
    been first and foremost after Trump
    repealed the Obama era rules. And in
  • 1:31 - 1:35
    Europe, we feel like we're a little bit
    stuck in time. And I also want to explain
  • 1:35 - 1:39
    where we currently are and where we are
    heading. So it is an update, but it's also
  • 1:39 - 1:43
    an update with little bit of a
    perspective and might even have a silver
  • 1:43 - 1:49
    lining. But before we do that, we first
    have to go back to the beginning and
  • 1:49 - 1:54
    explain what net neutrality is. If you are
    in the U.S. and you ask anybody serving
  • 1:54 - 1:57
    coffee on the train, they will know it.
    But in Europe, it is still something that
  • 1:57 - 2:03
    maybe needs to be explained. In general,
    net neutrality means that all bits should
  • 2:03 - 2:07
    be created equal, that the network should
    not make distinctions about our data
  • 2:07 - 2:12
    packages, how important they are if the
    checksum is correct. Of course, if to
  • 2:12 - 2:17
    check some is correct but also a lot like,
    is this a valid feature for this
  • 2:17 - 2:23
    application? Is this a legal transmission?
    All of these decisions should not be made
  • 2:23 - 2:27
    in the network because they should be made
    by the end points by the applications on
  • 2:27 - 2:33
    either side. The easiest way to understand
    net neutrality is if you compare it with
  • 2:33 - 2:39
    previous global telecommunication
    networks. In the television system you
  • 2:39 - 2:43
    also have a global communication network
    but it takes a lot of money to actually
  • 2:43 - 2:48
    have a voice there, to start a television
    channel. So you're just consuming, it is
  • 2:48 - 2:53
    not a bidirectional network. Telephony
    allows that, it's a global network system
  • 2:53 - 2:58
    but you have a central entity that decides
    if you're allowed to make that call and
  • 2:58 - 3:02
    what the cost of that call per duration
    will be. That's not the case with the
  • 3:02 - 3:06
    Internet. And in a way, net neutrality is
    just trying to protect these inherent
  • 3:06 - 3:11
    principles that the Internet was born with
    from undue discrimination of network
  • 3:11 - 3:17
    operators, of telecom companies, or ISPs.
    And telecom companies can discriminate or
  • 3:17 - 3:21
    interfere with our traffic more or less in
    two ways. The first is technical by
  • 3:21 - 3:26
    prioritizing or throttling certain data
    packages, also modifying them or blocking
  • 3:26 - 3:33
    them completely. And the second way to
    influence them is by so-called zero rating
  • 3:33 - 3:38
    by making certain data more or less
    expensive, cheaper, or more expensive, or
  • 3:38 - 3:43
    as exempting certain applications from
    your monthly data cap at all. And that all
  • 3:43 - 3:50
    creates a system where certain big players
    have it easier to get rich, to grow, to
  • 3:50 - 3:56
    innovate, and others have a harder time to
    even being noticed or growing. And it can
  • 3:56 - 4:00
    also be summarized by the principle of
    innovation without permission so that you
  • 4:00 - 4:05
    can just start a new service, you don't
    need a license to start an app,
  • 4:05 - 4:11
    you don't need to network to support your new
    functionality. The open layered
  • 4:11 - 4:17
    architecture of the internet is protecting
    this innovative capacity, and that even
  • 4:17 - 4:25
    allowed this young man in 2004 to create the
    Facebook.com in his college dorm. The
  • 4:25 - 4:30
    total cost of operating the server in the
    beginning was 85$ per month. And you would
  • 4:30 - 4:33
    ask yourself: "OK but isn't Mark
    Zuckerberg and Facebook really a horrible
  • 4:33 - 4:37
    person, the company?" Yes, they are.
    That's also why they are against net
  • 4:37 - 4:43
    neutrality these days. Facebook is one of
    the most violating companies around the
  • 4:43 - 4:49
    world because their program free basic,
    is really the opposite of net neutrality.
  • 4:49 - 4:52
    What they are doing there is basically
    creating a walled garden for the global
  • 4:52 - 4:57
    south. The most vulnerable people on this
    planet that do not get the full internet
  • 4:57 - 5:04
    access but what they got is a way of being
    marketed to via their Facebook services,
  • 5:04 - 5:09
    of course, without any privacy. And
    similarly, also, Netflix was once a
  • 5:09 - 5:15
    company strongly on our side supporting
    net neutrality. And then when it was clear
  • 5:15 - 5:20
    that Trump would repeal the Obama era net
    neutrality rules, the Netflix CEO said to
  • 5:20 - 5:24
    their shareholders: "Don't worry, we are
    now big enough that we can survive without
  • 5:24 - 5:29
    net neutrality." So inherently, this
    principle protects the underrepresented
  • 5:29 - 5:35
    voices and the small players, the ones
    that still need to grow. And it is not the
  • 5:35 - 5:39
    silver stick that will solve all of the
    problems from the previous talk to
  • 5:39 - 5:43
    problems we have with the big platforms
    but if we lose net neutrality, we more or
  • 5:43 - 5:47
    less freeze the current dominant players
    forever because it would be really hard
  • 5:47 - 5:54
    for anybody else to ever become as big.
    And so it's all about that right column
  • 5:54 - 6:00
    here. Where are we in Europe? In Europe,
    we started the discussion around net
  • 6:00 - 6:04
    neutrality in 2011/12. There were the
    first non-binding resolutions of the
  • 6:04 - 6:10
    parliament calling for net neutrality
    protections. And it all culminated in 2013
  • 6:10 - 6:14
    when the commission released their
    proposal for really an anti net
  • 6:14 - 6:19
    neutrality bill. So we have to turn the
    ship 180° around to get it back on track.
  • 6:19 - 6:24
    And we did that with the
    savetheinternet.eu campaign, which was
  • 6:24 - 6:29
    hosted by big coalition of NGOs all around
    Europe. And we followed the legislative
  • 6:29 - 6:33
    process for two and a half years with
    seven iterations of that campaign always
  • 6:33 - 6:38
    changing our means from faxing to the
    parliament to making phone calls to just
  • 6:38 - 6:43
    mass bombarding the embassies to sending
    comments to the regulators in the
  • 6:43 - 6:48
    consultation period. We also demonstrated
    in Riga, in Barcelona, in Bonn, in
  • 6:48 - 6:54
    Brussels, in Vienna. And at the end we got
    a net neutrality law. The open internet
  • 6:54 - 7:00
    regulation was adopted in 2015 and it was
    further, then, implemented by the BEREC
  • 7:00 - 7:05
    guidelines that are kind of the handbook
    for the guys who actually have to enforce
  • 7:05 - 7:09
    the law, telecom regulators. And telecom
    regulators will be important in the rest
  • 7:09 - 7:15
    of the talk because that's where the
    action currently lies. And so this was in
  • 7:15 - 7:20
    2016. And in January of 2019, we released
    this report, which was really more
  • 7:20 - 7:27
    academic exercise of summarizing
    everything that has happened since. So
  • 7:27 - 7:30
    it's really the one thing you should read
    if you want to know how a t neutrality
  • 7:30 - 7:34
    has played out over the past two and a
    half years. That's a table of content and
  • 7:34 - 7:40
    there's a lot of it in there from
    analyzing 800 pages of annual reporting,
  • 7:40 - 7:45
    going through case law, and looking ahead
    about 5G. But the most important thing
  • 7:45 - 7:48
    was the chapter about zero rating, because
    that's where the debate currently is
  • 7:48 - 7:54
    focused on in Europe. And in order to
    bring this debate back to a factual basis,
  • 7:54 - 7:59
    we actually did a lot of work. With doing
    a complete survey of all zero rating
  • 7:59 - 8:05
    offers in the European economic area. I
    don't think that anything like this was
  • 8:05 - 8:12
    ever done before also because it wasn't
    easy. We went through 32 countries. So all
  • 8:12 - 8:16
    of the European economic area that this
    law applies to, including Switzerland,
  • 8:16 - 8:21
    because we have German speakers in our
    team, so it was not that hard. That meant
  • 8:21 - 8:27
    in total, going through the websites of
    225 mobile operators, both those that have
  • 8:27 - 8:32
    their own network as well as the virtual
    ones. And we collected the data with in
  • 8:32 - 8:37
    total five people that spoke six languages
    and worked for over four months on this.
  • 8:37 - 8:44
    We found 186 net neutrality violations in
    the form of zero rating programs. And all
  • 8:44 - 8:49
    of that data is openly accessible. It's
    linked in the report. It's all online in a
  • 8:49 - 8:56
    free format and used under a CC BY-SA
    license, so share alike.
  • 8:56 - 9:03
    Applause
  • 9:03 - 9:07
    I've given that talk in front of many
    regulators. You're the first ones to
  • 9:07 - 9:12
    applaud. I really like that. And the SA,
    of course, because we think this data
  • 9:12 - 9:17
    should remain free. We can always disagree
    on the interpretation but at least the
  • 9:17 - 9:23
    facts, the data itself should be openly
    accessible to everybody and scrutinized by
  • 9:23 - 9:28
    everybody as well. And I've seen other
    people actually using that data for
  • 9:28 - 9:34
    commercial purposes, which we would even
    allow but not sharing it back, which is a
  • 9:34 - 9:40
    sad thing. So what is in that dataset? You
    could see this zero-rating is really a big
  • 9:40 - 9:45
    problem. All but two European countries,
    you have these problems. Finland doesn't
  • 9:45 - 9:49
    have that problem because they don't have
    data caps anymore. If you buy a SIM card
  • 9:49 - 9:54
    in Finland, you'll get a flat rate. The
    only distinction there is the speed, the
  • 9:54 - 9:59
    bandwidth that is available to you. But
    you know, I have no data caps at all and
  • 9:59 - 10:03
    Bulgaria also doesn't have zero-rating. If
    we look at the application side and that's
  • 10:03 - 10:08
    actually the very interesting takeaway for
    you. These are the applications that most
  • 10:08 - 10:15
    profit from zero-rating. So WhatsApp leads
    before 50 zero-rating deals in Europe. And
  • 10:15 - 10:20
    the second to follow is Facebook and also
    Facebook messenger in there. In total,
  • 10:20 - 10:25
    many of these companies that profit are
    from the U.S., only 3 European
  • 10:25 - 10:31
    applications are actually in the top 20 of
    zero-rating. And that is the overall
  • 10:31 - 10:38
    number and there we just looked at the
    geographical home of the applications in
  • 10:38 - 10:43
    the classical zero-rating programs. You
    know, the ones where you have a youth
  • 10:43 - 10:50
    tariff in Portugal and you can pick either
    WhatsApp or Telegram or you have YouTube
  • 10:50 - 10:55
    is for free. Some ISP is actually do that.
    And if you just look at these close
  • 10:55 - 11:00
    programs of only have hand selected
    applications, the majority of the apps are
  • 11:00 - 11:05
    from the U.S., of course, the big
    incumbents. But there is also around a
  • 11:05 - 11:11
    third of applications which are of zero-
    rating programs which are open. Open
  • 11:11 - 11:16
    programs allow other applications to join.
    Think of StreamOn here in Germany or
  • 11:16 - 11:22
    Vodafone Pass or smartnet in Portugal.
    These programs are actually trying to
  • 11:22 - 11:27
    balance the scale a little bit. They are
    actually trying to learn from our critique
  • 11:27 - 11:33
    and allow other applications to join. And
    then if we add those to statistics, we
  • 11:33 - 11:37
    see that the majority of apps are suddenly
    from the same country where the internet
  • 11:37 - 11:41
    service is offered. All of these local
    radio stations in Germany, for some
  • 11:41 - 11:45
    reason, join StreamOn in order to be
    exempt from the data volume, the
  • 11:45 - 11:50
    ridiculously low data volume from Deutsche
    Telekom. And then into second place is
  • 11:50 - 11:54
    still have the U.S. and most
    interestingly, the European economic area.
  • 11:54 - 12:01
    So apps from other EU countries are really
    down below. So one could easily make the
  • 12:01 - 12:05
    interpretation of that data that we
    actually create new barriers for cross-
  • 12:05 - 12:11
    border provisioning of services in the
    European digital single market. And if you
  • 12:11 - 12:17
    then just count, how many of these zero-
    rating programs does an app usually join.
  • 12:17 - 12:21
    You have a stark pick fit one to three and
    then it drastically goes down until you
  • 12:21 - 12:27
    have the 31 - 52 column at the right,
    which is the top 20. So there is an
  • 12:27 - 12:31
    inherent difficulty to actually sign up to
    these so-called open nondiscriminatory
  • 12:31 - 12:36
    zero-rating programs. What Europe has
    created here is actually another reason
  • 12:36 - 12:41
    why it will be difficult for the European
    internet industry to be competitive
  • 12:41 - 12:46
    because these are all new entry barriers
    into markets in other EU countries. And we
  • 12:46 - 12:52
    really have to explain this to the
    regulators. And if you just go and take the
  • 12:52 - 12:55
    perspective of an application, you want to
    join a zero-rating program, what do you
  • 12:55 - 13:00
    have to do? First, you have to find out
    that it even exists. We did that mapping
  • 13:00 - 13:05
    because we didn't know. And there is no
    agency that also sells that data. So
  • 13:05 - 13:08
    obtaining knowledge about the programs
    that you might want to join because you
  • 13:08 - 13:13
    might want to offer a competitive service
    to people in that country of that ISP is
  • 13:13 - 13:18
    the first step. And then secondly, you
    have to request the documents, sign an NDA
  • 13:18 - 13:22
    even, to even find out how the open
    Internet works with this mobile operators.
  • 13:22 - 13:27
    Third, you have to read the contract for
    which for many start-ups is already a
  • 13:27 - 13:31
    problem. Sign it and prepare for the
    liability because you are liable for
  • 13:31 - 13:37
    wrongfully billed data volume, which can
    be really problematic. If your app is
  • 13:37 - 13:44
    producing a lot of data or widely used by
    certain people. The technical aspect that
  • 13:44 - 13:48
    comes into play here is that of course you
    are then responsible for providing
  • 13:48 - 13:54
    identification criteria. If suddenly your
    data packages need to be counted
  • 13:54 - 13:59
    differently, go against not a general data
    volume but an application specific volume
  • 13:59 - 14:04
    per month or are completely exempt from
    the data cap. Then you, in order to make
  • 14:04 - 14:08
    that assessment, need to identify those
    data packages, which of course only works
  • 14:08 - 14:13
    with deep packet inspection in most cases.
    In some cases, you also have to modify
  • 14:13 - 14:20
    your service in order to even enter into
    that deal. Spotify in Germany with
  • 14:20 - 14:25
    StreamOn only wanted their premium
    customers to benefit from the zero-rating.
  • 14:25 - 14:29
    And they tried to separate the ad-based
    free version of the Spotify program from
  • 14:29 - 14:35
    the premium customers that are paying.
    They tried for four months. Then they gave
  • 14:35 - 14:39
    up. So the business decision of that app
    provider was directly affected by these
  • 14:39 - 14:45
    zero-rating programs. Next, whenever you
    make a change to your own service or
  • 14:45 - 14:50
    infrastructure, you change your CDN
    provider or whatever you have to give 30
  • 14:50 - 14:57
    days prior notice to the ISP so that they
    can change their DPI equipment to adopt
  • 14:57 - 15:02
    this change, which of course is a big
    hindrance for innovation and in some
  • 15:02 - 15:06
    contracts that we've analyzed, it also
    includes giving access to beta versions of
  • 15:06 - 15:11
    your own app. And lastly, in the case of
    Vodafone, you also have to sign and
  • 15:11 - 15:18
    execute marketing agreement so they want
    to advertise with your app. So there is a
  • 15:18 - 15:22
    lot of hoops to jump through in order to
    be admitted into one of these zero-rating
  • 15:22 - 15:26
    programs. So you'd think at least they'd
    do a lot of effort on the telco side to
  • 15:26 - 15:32
    make it easier for you. So for this
    survey, we actually created a fake
  • 15:32 - 15:37
    application and we tried to apply to zero-
    rating programs. We said "Hello. We are a
  • 15:37 - 15:41
    student group. We are working out of a
    garage. We have that cool app. We want to
  • 15:41 - 15:44
    join your program." And we just counted
    the duration until we got a response. In
  • 15:44 - 15:50
    two cases we got a response within a day,
    in five cases we got a response within a
  • 15:50 - 15:55
    week, in one case within a month, and in
    half of the cases we never got a response
  • 15:55 - 16:00
    at all - so not after three months, they
    never got back to us. So that truly shows
  • 16:00 - 16:04
    that there is a big problem with these
    open programs. And I'm going to soon show
  • 16:04 - 16:11
    you how the regulators have reacted to
    this report in their reform. But another
  • 16:11 - 16:15
    more general thing is speed testing
    because in Europe, net neutrality also
  • 16:15 - 16:22
    brought us the right to contractually
    agreed speeds, for our Internet access. In no
  • 16:22 - 16:27
    other area and economy, You would buy up
    to 8 apples for 5€. But in Internet, for
  • 16:27 - 16:32
    some reason, that's the case. And so the
    European Parliament was keen to adopt
  • 16:32 - 16:37
    rules that were giving each and every
    consumer in their contract at a minimum,
  • 16:37 - 16:42
    an average and the maximum speed that an
    ISP has to deliver. But how do you then
  • 16:42 - 16:46
    measure the speed ? Speedtest.net is
    really not a good site if you look at
  • 16:46 - 16:49
    their business model. So regulators are
    often the ones that should offer these
  • 16:49 - 16:56
    speed tolls. And BEREC recently released
    an open source speed test measurement tool
  • 16:56 - 17:01
    that hopefully will also change another
    problem that are going to show you. In
  • 17:01 - 17:05
    Norway, the telecom regulator Nkom is
    actually really good at showing how the
  • 17:05 - 17:10
    Internet is improving year by year in the
    country. And of course, fiber is hitting
  • 17:10 - 17:14
    through the roof and it's really good. And
    in general, we see that the Internet is
  • 17:14 - 17:22
    improving healthily and the supply is
    increasing to meet the demand. Austria -
  • 17:22 - 17:26
    similar picture - regulators reporting the
    numbers every year. So we know how the
  • 17:26 - 17:29
    Internet is actually developing in these
    countries. You would assume that in
  • 17:29 - 17:34
    Western countries this is a given. It is
    also an obligation under the law. They
  • 17:34 - 17:38
    really have to do that. But sadly, only
    eight countries are actually reporting
  • 17:38 - 17:44
    figures. If the internet supply is
    actually increasing. Twenty three
  • 17:44 - 17:50
    countries released no numbers at all about
    whether the internet capacity is actually
  • 17:50 - 17:54
    constantly meeting the increasing demand,
    which we see as a big problem,
  • 17:54 - 17:59
    particularly with 5G, because that will
    mean that the last mile will suddenly
  • 17:59 - 18:04
    be very fast, but the rest of the network
    to core, the backhaul, this is where the
  • 18:04 - 18:08
    next bottleneck will lie. And if we don't
    invest there soon enough, we'll really
  • 18:08 - 18:15
    have a big infrastructural problem in the
    foreseeable future. So coming to the
  • 18:15 - 18:20
    reform. So what is on the table? First,
    this is not a legislative reform. Contrary
  • 18:20 - 18:23
    to the previous talk that I've given, this
    is not about engaging with the commission
  • 18:23 - 18:28
    to parliament or the council. This is all
    about the regulatory community, like with
  • 18:28 - 18:33
    the GDPR privacy law it's great when we as
    activists proud our head and shoulders that
  • 18:33 - 18:39
    we actually managed to get a law approved
    and then the sad awakening comes. Okay.
  • 18:39 - 18:43
    But the guys who are in charge with
    enforcing the law are really not
  • 18:43 - 18:48
    particularly motivated to do so. And then
    you are stuck in Ireland with the data
  • 18:48 - 18:52
    protection authority for years. And your
    biggest problem is that they are not doing
  • 18:52 - 18:57
    their job. Similarly, in telecom
    regulation, what we have found is the
  • 18:57 - 19:02
    biggest problem is to get the regulator to
    do their job. And that needs a lot of name
  • 19:02 - 19:07
    calling and submissions and talks with
    them, which is really frustrating because
  • 19:07 - 19:12
    it should not be the jobs of activists to
    enforce legislation. It should be the task
  • 19:12 - 19:20
    of well funded regulators. So in that
    reform, we are kind of in the middle. The
  • 19:20 - 19:26
    scope was released in 2018. In May, we had
    an official stakeholder workshop which
  • 19:26 - 19:31
    went for five hours and was a busy
    gladiator debate. And October/November the
  • 19:31 - 19:35
    draft guidelines were released and
    publicly consulted. About 50 stakeholders
  • 19:35 - 19:40
    participated, we were one of them. And now
    BEREC has all of the input on their draft
  • 19:40 - 19:46
    guidelines and most likely in Q1 2020 will
    see an interim report summarizing that
  • 19:46 - 19:51
    consultation, which again will be
    consulted. We would like that to happen
  • 19:51 - 19:54
    because it would allow us to respond to
    comments from the telecom industry and to
  • 19:54 - 20:00
    kind of have a more Ping-Pong debate. And
    finally, that all should come to a close
  • 20:00 - 20:06
    in June 2020 when the new rules are
    adopted. So now I'm gonna go into what is
  • 20:06 - 20:12
    actually in that draft and what to expect
    content-wise from the topic. As you have
  • 20:12 - 20:16
    seen in the title, what we are mostly
    talking about these days is 5G, the next
  • 20:16 - 20:20
    mobile network generation. You must have
    heard about it. The telecom industry
  • 20:20 - 20:25
    really has spent millions and millions in
    advertisement to make people interested in
  • 20:25 - 20:31
    5G. We have that whole trade war between
    Trump and Huawei going on and there are
  • 20:31 - 20:37
    people talking about health risk, which is
    mostly overblown but still 5G is really
  • 20:37 - 20:43
    portrayed as the revolutionary new
    technology. Sadly, that's quite far away
  • 20:43 - 20:49
    from the truth. 5G is an evolution. If
    you've listened to the talk yesterday
  • 20:49 - 20:53
    morning in German about the path from 4G
    to 5G, you will know that technology wise
  • 20:53 - 21:01
    5G is a very interesting technology. And
    as a nerd, I find it interesting but.. The
  • 21:01 - 21:05
    only thing that's a given is that internet
    will become faster. All of the other
  • 21:05 - 21:09
    promises you should take with a grain of
    salt. There are two particular
  • 21:09 - 21:15
    technology aspects of 5G that I want to
    talk about in more detail. The first is
  • 21:15 - 21:22
    Network Slicing. The title already gives
    it away. Network slicing means you slice
  • 21:22 - 21:29
    the network and every slice, every layer
    has different quality characteristics. So
  • 21:29 - 21:32
    it's basically QoS on the radio access
    layer. So it's basically allowing you to
  • 21:32 - 21:39
    have one SIM card with several internet
    accesses to it. So you could have one that
  • 21:39 - 21:44
    is very high bandwidth super fast for
    Netflix, one for very low latency for
  • 21:44 - 21:48
    gaming, one for very low energy
    consumption. So when your battery goes
  • 21:48 - 21:54
    below 20% or you'll have solar powered IoT
    sensors, then you might want to use that
  • 21:54 - 21:57
    because you actually don't care about
    bandwidth, you don't care that much about
  • 21:57 - 22:03
    reliability, but you only have tiny
    battery or solar power. And it actually is
  • 22:03 - 22:09
    good that we'll have that technology. But
    the question is then who gets which slice?
  • 22:09 - 22:14
    And that's where the regulators in the
    business models get back into gear. The
  • 22:14 - 22:19
    one scenario in which we could see
    networks slices being marketed to us is an
  • 22:19 - 22:23
    a per subscriber basis. So you have that
    one SIM card and it allows you to have
  • 22:23 - 22:28
    several independent Internet access
    services that are also separated from each
  • 22:28 - 22:35
    other. And you as a user are in control.
    Which app gets which slice? You should not
  • 22:35 - 22:38
    assume that all of these slices will be
    flat rate. It could be that you have a
  • 22:38 - 22:43
    normal internet access but a very high
    bandwidth or low latency slice is capped
  • 22:43 - 22:47
    with two gigabytes per month. And so it
    actually is important that we as
  • 22:47 - 22:53
    subscribers have a say in that. The second
    way in which network slices could hit us,
  • 22:53 - 22:58
    is a specialized services. So, there the
    access service, the pipe, is the same
  • 22:58 - 23:04
    thing as the application that runs over
    it. So it's no longer universal access. It
  • 23:04 - 23:07
    is no longer something that connects you
    to the whole internet but it's basically
  • 23:07 - 23:14
    just not a power plug but a Facebook plug.
    And we have few safeguards, five in total
  • 23:14 - 23:19
    in the regulation that are kind of protecting
    us against specialized services becoming
  • 23:19 - 23:25
    too widespread. But this is where we'll
    see a lot of "innovation" from the telecom
  • 23:25 - 23:30
    industry to vertically integrate, try to
    have Facebook as a separately sold product
  • 23:30 - 23:37
    or maybe Facebook, Oculus Rift, VR or
    maybe some IoT vertical integration, which
  • 23:37 - 23:42
    some smart home shit. So stuff like that
    will most likely happen and 5G gives them
  • 23:42 - 23:48
    more argumentation basis for these types
    of vertically integrated products. But
  • 23:48 - 23:53
    that's something for the enforcement. And
    lastly, which was our original fear, is
  • 23:53 - 23:58
    that a network license would be applied on
    a per application basis. So, Google could
  • 23:58 - 24:04
    make a deal and suddenly they are under
    high reliability slice - always. And this
  • 24:04 - 24:09
    is thankfully not the case in the current
    draft, so we could already prevent with
  • 24:09 - 24:14
    the work in the previous years this
    scenario from being a likely result of
  • 24:14 - 24:21
    that reform, which is good because as I
    show you later, these rules in Europe will
  • 24:21 - 24:26
    have repercussions. The second technology
    aspect of 5G that merits some discussion
  • 24:26 - 24:32
    is edge computing and it's kind of
    breaking the principle of end-to-end. You
  • 24:32 - 24:36
    no longer have desktops or mobile devices
    that are connected to one Internet,
  • 24:36 - 24:41
    whereas you have suddenly some
    computational power on the cell tower, on
  • 24:41 - 24:45
    a very close datacenter connected with
    fiber lines so that the whole purpose here
  • 24:45 - 24:53
    is very low latency. The industry is
    marketing this as something really great,
  • 24:53 - 24:57
    something that will be heavily needed.
    Actually, there is very little real use
  • 24:57 - 25:03
    cases out there that I think are
    realistic. The only one that we could find
  • 25:03 - 25:07
    and that merits discussion is local
    dynamic maps. So it's basically if you
  • 25:07 - 25:13
    think of a future in which self-driving
    cars all have their own sensory data and
  • 25:13 - 25:17
    that sensory data is then cached in this
    edge-called cloud. So you have a 3-D
  • 25:17 - 25:23
    model that knows from the car that has gone
    around the same curve for a minute ago that
  • 25:23 - 25:27
    there is a traffic jam over there. And so
    your car would know before you even passed
  • 25:27 - 25:34
    that curve. It is telling that even the
    European Commission backed a Wi-Fi based
  • 25:34 - 25:39
    mesh network standard and not 5G, which
    means even that very weak example of edge
  • 25:39 - 25:45
    computing is kind of discredited in
    Europe. So we have good cases for the
  • 25:45 - 25:49
    global reform. And when we talk about 5G,
    it's important to stress that this is a
  • 25:49 - 25:55
    global standard. 3GPP, an international
    body is standardizing the technology for
  • 25:55 - 26:01
    5G and now it's being rolled out step by
    step in the rest of the world. The U.S.,
  • 26:01 - 26:04
    of course, will not be helpful with that
    because they are heavily investing in 5G
  • 26:04 - 26:08
    but they are no longer net neutrality
    standards to test this new technology
  • 26:08 - 26:14
    against. Canada, great net neutrality law,
    but not taking a front seat approach to
  • 26:14 - 26:20
    5G. So they are not actively engaging with
    it. India great net neutrality, again not
  • 26:20 - 26:25
    interested in 5G yet. South Korea,
    actually, our colleagues there could
  • 26:25 - 26:31
    prevent a repeal of the net neutrality
    legislation in South Korea. But they tried
  • 26:31 - 26:38
    to regulatory sandbox net neutrality from
    5G to just let the net neutrality rules
  • 26:38 - 26:42
    that are already weak in South Korea to
    begin with not apply to that technology.
  • 26:42 - 26:46
    So Europe is kind of the first world
    region that tries to square these two
  • 26:46 - 26:52
    things together. And that's why our
    approach here might be quite influential.
  • 26:52 - 26:58
    Also, if you think of the whole ecosystem
    because what does it mean if we have user
  • 26:58 - 27:02
    controlled network slices? That means that
    on my mobile device, I need to somehow
  • 27:02 - 27:06
    also decide which application gets which
    slice at which time. And so Google and
  • 27:06 - 27:14
    Android - ähm Google and Apple (Freud)
    come into play here as well. Another issue
  • 27:14 - 27:20
    that we did not at all expect to fight
    about is parental control filters. So when
  • 27:20 - 27:23
    we fought about this law in the
    parliament and in the council in the
  • 27:23 - 27:28
    trial, we always had that looming danger
    of parental controls, like in the UK. You
  • 27:28 - 27:33
    buy an internet subscription and you have
    a porn filter on it by default. We could
  • 27:33 - 27:37
    kill this in trial. So parental
    controls were struck out of the law books
  • 27:37 - 27:42
    and for some weird reason I would call it
    lobby pressure. The regulators wanted to
  • 27:42 - 27:47
    allow this in this reform and we've shot
    heavily against it. We got even support
  • 27:47 - 27:51
    from the consumer protection
    organizations, from BEUC, and we hope
  • 27:51 - 27:56
    that we can actually prevent this because
    what would it mean? It would mean that
  • 27:56 - 28:01
    suddenly in the terms of services, you can
    circumvent net neutrality. Usually an ISP
  • 28:01 - 28:05
    is, of course, not allowed to just
    randomly block websites but parental
  • 28:05 - 28:10
    controls are exactly that. If you want to
    do parental control filtering do it on the
  • 28:10 - 28:16
    device but not in the network. Blocking
    should always happen on the edge of the
  • 28:16 - 28:21
    application, not on the network site. The
    picture is more interesting when we talk
  • 28:21 - 28:26
    about zero rating cause they actually took
    many of our ideas and also from our report
  • 28:26 - 28:32
    into consideration. The draft that was
    released in October actually contains even
  • 28:32 - 28:36
    the same language of open zero rating
    programs. And it says they have to be
  • 28:36 - 28:42
    fair, everyone needs to get a response,
    they have to be reasonable, so all
  • 28:42 - 28:46
    documentation should be made public, they
    have to be transparent, so if WhatsApp
  • 28:46 - 28:50
    calls or Spotify ads are actually counting
    towards you data cap and are not zero-
  • 28:50 - 28:56
    rated, you should least tell the customer
    and they have to be non-discriminatory. So
  • 28:56 - 29:00
    Vimeo gets the same response time as
    YouTube. These are all our critical
  • 29:00 - 29:04
    points. I'm very thankful that they have
    listened to us but sadly, they are also
  • 29:04 - 29:09
    allowing ISP to simply don't give a fuck
    and have non-open programs, so they have
  • 29:09 - 29:14
    not drawn a red line. They have not said
    clearly we have these types of zero-rating
  • 29:14 - 29:18
    programs, which are okay and then we have
    all of these others that you have to
  • 29:18 - 29:27
    follow these rules for. And that is just a
    level of lack of opportunity and a missed
  • 29:27 - 29:32
    opportunity for the regulators because
    whenever the rules are fuzzy and
  • 29:32 - 29:38
    unclear,that only creates problems further
    down the road in enforcement. The last
  • 29:38 - 29:41
    issue was also kind of unexpected. In the
    beginning, because I thought we've solved
  • 29:41 - 29:47
    that. Deep packet inspection. So deep
    packet inspection means when an ISP is
  • 29:47 - 29:51
    looking into your data packages. So he's
    looking closely into what you are actually
  • 29:51 - 29:57
    doing online, your concrete user behavior.
    The domains you access, the URLs you
  • 29:57 - 30:01
    access, that means your sexual
    preferences, your news preferences, which
  • 30:01 - 30:06
    videos you have watched, all of that.
    Usually that should be prohibited.
  • 30:06 - 30:10
    Everything that's payload of transport
    layer 4 should be off limit for an ISP.
  • 30:10 - 30:14
    That's the general definition of deep
    packet inspection. And actually we thought
  • 30:14 - 30:19
    that we've won that. But then there were
    rumors that deep packet inspection, they
  • 30:19 - 30:24
    want to open it up and allow it again. So
    we launched an open letter which was
  • 30:24 - 30:30
    signed by 45 NGOs, academics, and privacy
    experts. But we still felt like this is a
  • 30:30 - 30:35
    hard push. We knew the regulators on the
    other side - Germany is one of them - that
  • 30:35 - 30:41
    were just because of lobby pressure,
    really asking for ex post allowing deep
  • 30:41 - 30:51
    packet inspection. And in that moment,
    Gandalf came and we really got support
  • 30:51 - 30:56
    from an unexpected friend. The highest
    data protection body in the European
  • 30:56 - 31:03
    Union, EDPB, issued a letter to BEREC and
    saying that the board considers the
  • 31:03 - 31:07
    processing of data such as domain names
    and URLs by Internet access service
  • 31:07 - 31:13
    providers for traffic management and
    billing purposes, it's unlawful unless
  • 31:13 - 31:18
    consent of all users is obtained. And that
    is interesting because of course all users
  • 31:18 - 31:24
    means that it will never work because
    I as a customer of my telco, can maybe
  • 31:24 - 31:30
    consent to that, but not the rest of the
    internet that might send a data package
  • 31:30 - 31:34
    down my way. They're not just saying this
    for their net neutrality law, they are
  • 31:34 - 31:40
    also saying it for their interpretation of
    e-privacy, of the GDPR, all of the other
  • 31:40 - 31:44
    laws. So this is actually giving us even
    more sticks to go after deep packet
  • 31:44 - 31:48
    inspection in the future of that legal
    opinion. And lastly, a completely
  • 31:48 - 31:54
    unrelated reform but still plays into this
    whole thing. In Germany, you can pick your
  • 31:54 - 31:59
    own router. It doesn't matter which ISP
    you have. You have the right to buy a
  • 31:59 - 32:03
    router from anywhere, even an open source
    or libre one. And it needs to be able to
  • 32:03 - 32:07
    connect to your internet access service.
    That is not the case in many European
  • 32:07 - 32:11
    countries because it is often unclear
    where does the network actually end and
  • 32:11 - 32:15
    where does my home network begin. And that
    network termination point is one of the
  • 32:15 - 32:22
    things that the same body BEREC, the
    telecom regulators will decide for us. And
  • 32:22 - 32:26
    again, it looks like we will win. Winning
    in this sense means that you will have it
  • 32:26 - 32:31
    the freedom to choose your own router, you
    will have device freedom also in the
  • 32:31 - 32:36
    customer premise equipment and the network
    ends at the socket, at the wall, at the
  • 32:36 - 32:40
    antenna. So it's actually quite good for
    user choice. The only counterpoint that I have to
  • 32:40 - 32:44
    give you, of course, when the network
    ends, net neutrality ends. But if your ISP
  • 32:44 - 32:49
    tries to fuck you on your router, you can
    just replace it with another device. And
  • 32:49 - 32:53
    that's it for the neutrality thing.
    And I think we still have some time for Q
  • 32:53 - 33:01
    and A. Thanks.
  • 33:01 - 33:08
    Applause
  • 33:08 - 33:18
    Herald: Yeah. Thank you so much. And don't
    leave yet. I wanted to say support
  • 33:18 - 33:22
    epicenter.work, support EDRi. We need support,
    we need people who believe in this and to
  • 33:22 - 33:30
    fight for this and thank you.
  • 33:30 - 33:34
    Applause
  • 33:34 - 33:41
    Herald: Okay. So, do we have questions? We
    have questions from the Internet, maybe -
  • 33:41 - 33:48
    not really. Number two, please.
    Mic 2: Yes. Have you seen any requirements
  • 33:48 - 33:53
    in digital media playback for recording
    location information and identifying
  • 33:53 - 33:57
    users? So especially the location
    information of media playback.
  • 33:57 - 34:04
    Lohninger: I'm not sure I follow the
    question. So like... you mean like YouTube
  • 34:04 - 34:06
    reporting the playback position of the
    audience?
  • 34:06 - 34:10
    Mix 2: No, not the not the public playback
    position, the position or the location of
  • 34:10 - 34:14
    the user that is playing back to media.
    Lohninger: I'm not sure that that would
  • 34:14 - 34:21
    relate to this. So, the ISP, of course,
    knows in most cases where the user is, you
  • 34:21 - 34:30
    know, in all cases actually, and the
    content provider, if it is not localizing
  • 34:30 - 34:36
    the user on the app with the location,
    then the ISP at least would not share that
  • 34:36 - 34:42
    location information. I also wouldn't know
    by which API or on which legal basis they
  • 34:42 - 34:46
    could do that. I hope that answers the
    question, but I'm not sure.
  • 34:46 - 34:52
    Herald: Okay, thank you. Okay, we have
    another question. Microphone four, please.
  • 34:52 - 34:59
    Mic 4: Hi. Will the users have the same
    rights if they are not in the home country
  • 34:59 - 35:02
    like if you are roaming?
    Lohninger: Yeah, that's actually an
  • 35:02 - 35:08
    interesting question. So, the net
    neutrality regulation is also the roaming
  • 35:08 - 35:13
    regulation in the EU. These two things a
    legally mixed together but they actually
  • 35:13 - 35:19
    can be seen completely separate. So when
    you are roaming in another country, so my
  • 35:19 - 35:25
    Austrian SIM card here in Germany, it is
    actually then the German provider that is
  • 35:25 - 35:31
    physically providing me the Internet
    access service, which has to apply by the
  • 35:31 - 35:38
    same European regulation for net
    neutrality. In most cases that would not
  • 35:38 - 35:45
    mean that there is even a technical or
    legal connection to the customer, to the
  • 35:45 - 35:51
    ISP in Austria that I have a contract
    with. Of course, it gets then interesting
  • 35:51 - 35:59
    because that's mostly about the technical
    aspect when we look about zero rating. For
  • 35:59 - 36:03
    most cases the zero rating would just not
    be possible. So if you have StreamOn in
  • 36:03 - 36:07
    Germany, you are a customer of T-Mobile,
    you are going to Austria and you are in
  • 36:07 - 36:14
    the network of some ISP, then the zero-
    rating would just not be possible and you
  • 36:14 - 36:19
    would just have additional data volume
    given to you. There was actually a court
  • 36:19 - 36:25
    case about that out of Germany and there's
    still ongoing litigation from the consumer
  • 36:25 - 36:31
    protection NGO, VZBV in Germany against
    Vodafone around that same question. It
  • 36:31 - 36:37
    might be differently if you are a German
    T-Mobile customer in Austria and roaming
  • 36:37 - 36:42
    in the T-Mobile network there because
    technically I think it would be possible
  • 36:42 - 36:47
    to then apply the zero-rating but I'm not
    sure if they actually do that. I think it
  • 36:47 - 36:50
    would not be easy and the incentive
    usually would also not be there because
  • 36:50 - 36:56
    these are very few edge cases that even to
    configure and maintain those wouldn't make
  • 36:56 - 37:02
    a lot of sense.
    Herald: Okay, so next, we have a question
  • 37:02 - 37:09
    from the Internet. Dear signal angel.
    Signal: So there was a question about DPI.
  • 37:09 - 37:15
    Are data protection authorities doing
    anything about this and are there any
  • 37:15 - 37:21
    enforcements in the European country?
    Lohninger: Sadly, no and no but I think
  • 37:21 - 37:29
    there is definitely an opportunity there
    for enforcement action. And I know many of
  • 37:29 - 37:34
    the people that work around strategic
    litigation and enforcement of the GDPR.
  • 37:34 - 37:38
    They have their hands full because similar
    to net neutrality, the great law that
  • 37:38 - 37:44
    we've written in the last year is not
    taken very seriously by the regulators.
  • 37:44 - 37:50
    And I think it will again depend on
    activists or other entities bringing
  • 37:50 - 37:55
    cases, bringing complaints to data
    protection authorities around DPI before
  • 37:55 - 38:00
    we see actual movement there. Legally, I
    think particularly with that statement
  • 38:00 - 38:06
    from the EDPB, it would be an easy win. So
    if somebody wants to earn spores or help
  • 38:06 - 38:11
    of that, I think it's quite doable case to
    bring a complaint against DPI based on
  • 38:11 - 38:16
    that legal opinion.
    Herald: So you're all part of it again.
  • 38:16 - 38:22
    Number two, please.
    Mic 2: I want to ask, why the hell should
  • 38:22 - 38:30
    the ISP mess around on layer 4 laugh ,
    as you described it before?
  • 38:30 - 38:34
    Lohinger: That is the current definition
    that we have, like the regulation says no
  • 38:34 - 38:42
    monitoring of specific content. And BEREC
    interpreted that in 2016 it meaning pay a
  • 38:42 - 38:49
    load of transport layer 4 should be off
    limit. That is the interpretation that the
  • 38:49 - 38:52
    regulators have come up with. And that, of
    course, was also a political compromise
  • 38:52 - 38:59
    like where do you draw the line? And so my
    slide there was really based on the 2016
  • 38:59 - 39:04
    text of the guidelines.
    Herald: Okay. Number one, please.
  • 39:04 - 39:10
    Mic 1: So currently an app developer has
    to apply for to an ISP to get zero-rated.
  • 39:10 - 39:14
    What's to stop an ISP to just zero-rate an
    app on its own to gain some market
  • 39:14 - 39:17
    advantage.
    Lohninger: They can. And there's nothing
  • 39:17 - 39:22
    stopping it. And WhatsApp, for example, is
    easily just saying "Okay, here's how you
  • 39:22 - 39:30
    zero-rate us and we don't even want to
    interact with you." There does not need to
  • 39:30 - 39:34
    be a bilateral agreement. Of course, ISP
    then has the problem if the app provider
  • 39:34 - 39:39
    changes their service or infrastructure
    and identification criteria should also
  • 39:39 - 39:45
    change that the ISP needs to implement
    that change before it happens. And so
  • 39:45 - 39:49
    that's the reason for the 30 day period.
    But again, that problem might not even
  • 39:49 - 39:55
    exist for big providers that have
    dedicated IP addresses. If your services
  • 39:55 - 39:59
    coming out of an CDN and then you would
    rely on SNI or other technologies to
  • 39:59 - 40:05
    actually be identifiable.
    Herald: So we have one more minute and I'm
  • 40:05 - 40:11
    sorry to say it's number 4. Thank you,
    others. And yeah, probably you can go to
  • 40:11 - 40:14
    Epicenter Networks and contact Thomas
    there. Thank you.
  • 40:14 - 40:19
    Mic 4: Hi. I'm very touched by your
    argument about regulation not being
  • 40:19 - 40:24
    enforced right now in the EU. In France,
    it has been the case about video
  • 40:24 - 40:31
    surveillance where the state has stated
    that CLIN, the regulators are a
  • 40:31 - 40:36
    consultative authority. You know, they
    shouldn't enforce. That's what quite
  • 40:36 - 40:41
    arterial the association that is doing
    most of the work about that said so. I
  • 40:41 - 40:44
    don't know where we go from there. You
    know, I'm very scared. It's nice that
  • 40:44 - 40:47
    you're doing...
    Herald: What is the question, please? We
  • 40:47 - 40:50
    just have 20 more seconds.
    Mic 4: Sorry, my question is, what do you
  • 40:50 - 40:54
    think we can do to help enforce regulation
    in the EU?
  • 40:54 - 40:59
    Lohninger: Big question. There are many
    things there, like one of the things that
  • 40:59 - 41:05
    is a positive development to look at a
    bright side is that more and more digital
  • 41:05 - 41:10
    rights NGOs are warming up to strategic
    litigation. So ultimately, why are
  • 41:10 - 41:16
    regulators not acting? Because on the one
    side, they have fundamental rights to law,
  • 41:16 - 41:19
    consumer protection. And on the other
    side, you have a big, big company that
  • 41:19 - 41:24
    will not accept their decision that it
    will bring them to court no matter what.
  • 41:24 - 41:28
    And so if you're a small regulator with a
    limited budget, you can either take the
  • 41:28 - 41:34
    uncomfortable decision that, you know, you
    will be sued for. Or just duck away and
  • 41:34 - 41:38
    then the thing might be over. So that the
    risk assessment and the cost calculation
  • 41:38 - 41:43
    is currently not in our favor. And that's
    why we need to bring more cases. We have
  • 41:43 - 41:49
    to make regulators really bear a certain
    risk on both sides of the decision. And
  • 41:49 - 41:53
    only then will the decision actually move
    more to the factual basis. And I mean, I
  • 41:53 - 41:58
    know there are many problems in France but
    at least CLIN was one of the few DPAs that
  • 41:58 - 42:03
    actually issued a few million penalties.
    So there is at least some silver lining.
  • 42:03 - 42:10
    Herald: Okay, so complain. Support EDRi,
    support epicenter.works. Thank you
  • 42:10 - 42:12
    for being here and given another applause
    to Thomas Lohninger. Thank you so much.
  • 42:12 - 42:13
    Applause
  • 42:13 - 42:14
    36c3 postroll music
  • 42:14 - 42:16
    Subtitles created by c3subtitles.de
    in the year 2020. Join, and help us!
Title:
36C3 - 5G & Net Neutrality
Description:

more » « less
Video Language:
English
Duration:
42:42

English subtitles

Revisions Compare revisions