-
36C3 preroll music
-
Herald: The next talk is "5G & Net
Neutrality". The status of the net
-
neutrality reform in Europe and the
presenter is Thomas Lohninger from
-
epicenter.works and I'm very happy he's
here today with us. So please give a big
-
applause to Thomas Lohninger. Thank you.
-
Applause
-
Thomas Lohninger: Hello. Here we go again.
Yeah. Hello and welcome, everybody. I'm
-
going to talk a little bit about net
neutrality. This is not my first talk
-
about this issue here at congress. I
originally joined the net neutrality
-
debate because I really found it to be an
important issue. I liked it as a
-
philosophical concept of the Internet
serving the edges and also because back
-
then it was still a very young debate. You
could still read up on all the legislation
-
around the world because there was so
little about it. And a decade later, there
-
is more legislation, the debate has moved
on a lot. Of course, in the U.S. it has
-
been first and foremost after Trump
repealed the Obama era rules. And in
-
Europe, we feel like we're a little bit
stuck in time. And I also want to explain
-
where we currently are and where we are
heading. So it is an update, but it's also
-
an update with little bit of a
perspective and might even have a silver
-
lining. But before we do that, we first
have to go back to the beginning and
-
explain what net neutrality is. If you are
in the U.S. and you ask anybody serving
-
coffee on the train, they will know it.
But in Europe, it is still something that
-
maybe needs to be explained. In general,
net neutrality means that all bits should
-
be created equal, that the network should
not make distinctions about our data
-
packages, how important they are if the
checksum is correct. Of course, if to
-
check some is correct but also a lot like,
is this a valid feature for this
-
application? Is this a legal transmission?
All of these decisions should not be made
-
in the network because they should be made
by the end points by the applications on
-
either side. The easiest way to understand
net neutrality is if you compare it with
-
previous global telecommunication
networks. In the television system you
-
also have a global communication network
but it takes a lot of money to actually
-
have a voice there, to start a television
channel. So you're just consuming, it is
-
not a bidirectional network. Telephony
allows that, it's a global network system
-
but you have a central entity that decides
if you're allowed to make that call and
-
what the cost of that call per duration
will be. That's not the case with the
-
Internet. And in a way, net neutrality is
just trying to protect these inherent
-
principles that the Internet was born with
from undue discrimination of network
-
operators, of telecom companies, or ISPs.
And telecom companies can discriminate or
-
interfere with our traffic more or less in
two ways. The first is technical by
-
prioritizing or throttling certain data
packages, also modifying them or blocking
-
them completely. And the second way to
influence them is by so-called zero rating
-
by making certain data more or less
expensive, cheaper, or more expensive, or
-
as exempting certain applications from
your monthly data cap at all. And that all
-
creates a system where certain big players
have it easier to get rich, to grow, to
-
innovate, and others have a harder time to
even being noticed or growing. And it can
-
also be summarized by the principle of
innovation without permission so that you
-
can just start a new service, you don't
need a license to start an app,
-
you don't need to network to support your new
functionality. The open layered
-
architecture of the internet is protecting
this innovative capacity, and that even
-
allowed this young man in 2004 to create the
Facebook.com in his college dorm. The
-
total cost of operating the server in the
beginning was 85$ per month. And you would
-
ask yourself: "OK but isn't Mark
Zuckerberg and Facebook really a horrible
-
person, the company?" Yes, they are.
That's also why they are against net
-
neutrality these days. Facebook is one of
the most violating companies around the
-
world because their program free basic,
is really the opposite of net neutrality.
-
What they are doing there is basically
creating a walled garden for the global
-
south. The most vulnerable people on this
planet that do not get the full internet
-
access but what they got is a way of being
marketed to via their Facebook services,
-
of course, without any privacy. And
similarly, also, Netflix was once a
-
company strongly on our side supporting
net neutrality. And then when it was clear
-
that Trump would repeal the Obama era net
neutrality rules, the Netflix CEO said to
-
their shareholders: "Don't worry, we are
now big enough that we can survive without
-
net neutrality." So inherently, this
principle protects the underrepresented
-
voices and the small players, the ones
that still need to grow. And it is not the
-
silver stick that will solve all of the
problems from the previous talk to
-
problems we have with the big platforms
but if we lose net neutrality, we more or
-
less freeze the current dominant players
forever because it would be really hard
-
for anybody else to ever become as big.
And so it's all about that right column
-
here. Where are we in Europe? In Europe,
we started the discussion around net
-
neutrality in 2011/12. There were the
first non-binding resolutions of the
-
parliament calling for net neutrality
protections. And it all culminated in 2013
-
when the commission released their
proposal for really an anti net
-
neutrality bill. So we have to turn the
ship 180° around to get it back on track.
-
And we did that with the
savetheinternet.eu campaign, which was
-
hosted by big coalition of NGOs all around
Europe. And we followed the legislative
-
process for two and a half years with
seven iterations of that campaign always
-
changing our means from faxing to the
parliament to making phone calls to just
-
mass bombarding the embassies to sending
comments to the regulators in the
-
consultation period. We also demonstrated
in Riga, in Barcelona, in Bonn, in
-
Brussels, in Vienna. And at the end we got
a net neutrality law. The open internet
-
regulation was adopted in 2015 and it was
further, then, implemented by the BEREC
-
guidelines that are kind of the handbook
for the guys who actually have to enforce
-
the law, telecom regulators. And telecom
regulators will be important in the rest
-
of the talk because that's where the
action currently lies. And so this was in
-
2016. And in January of 2019, we released
this report, which was really more
-
academic exercise of summarizing
everything that has happened since. So
-
it's really the one thing you should read
if you want to know how a t neutrality
-
has played out over the past two and a
half years. That's a table of content and
-
there's a lot of it in there from
analyzing 800 pages of annual reporting,
-
going through case law, and looking ahead
about 5G. But the most important thing
-
was the chapter about zero rating, because
that's where the debate currently is
-
focused on in Europe. And in order to
bring this debate back to a factual basis,
-
we actually did a lot of work. With doing
a complete survey of all zero rating
-
offers in the European economic area. I
don't think that anything like this was
-
ever done before also because it wasn't
easy. We went through 32 countries. So all
-
of the European economic area that this
law applies to, including Switzerland,
-
because we have German speakers in our
team, so it was not that hard. That meant
-
in total, going through the websites of
225 mobile operators, both those that have
-
their own network as well as the virtual
ones. And we collected the data with in
-
total five people that spoke six languages
and worked for over four months on this.
-
We found 186 net neutrality violations in
the form of zero rating programs. And all
-
of that data is openly accessible. It's
linked in the report. It's all online in a
-
free format and used under a CC BY-SA
license, so share alike.
-
Applause
-
I've given that talk in front of many
regulators. You're the first ones to
-
applaud. I really like that. And the SA,
of course, because we think this data
-
should remain free. We can always disagree
on the interpretation but at least the
-
facts, the data itself should be openly
accessible to everybody and scrutinized by
-
everybody as well. And I've seen other
people actually using that data for
-
commercial purposes, which we would even
allow but not sharing it back, which is a
-
sad thing. So what is in that dataset? You
could see this zero-rating is really a big
-
problem. All but two European countries,
you have these problems. Finland doesn't
-
have that problem because they don't have
data caps anymore. If you buy a SIM card
-
in Finland, you'll get a flat rate. The
only distinction there is the speed, the
-
bandwidth that is available to you. But
you know, I have no data caps at all and
-
Bulgaria also doesn't have zero-rating. If
we look at the application side and that's
-
actually the very interesting takeaway for
you. These are the applications that most
-
profit from zero-rating. So WhatsApp leads
before 50 zero-rating deals in Europe. And
-
the second to follow is Facebook and also
Facebook messenger in there. In total,
-
many of these companies that profit are
from the U.S., only 3 European
-
applications are actually in the top 20 of
zero-rating. And that is the overall
-
number and there we just looked at the
geographical home of the applications in
-
the classical zero-rating programs. You
know, the ones where you have a youth
-
tariff in Portugal and you can pick either
WhatsApp or Telegram or you have YouTube
-
is for free. Some ISP is actually do that.
And if you just look at these close
-
programs of only have hand selected
applications, the majority of the apps are
-
from the U.S., of course, the big
incumbents. But there is also around a
-
third of applications which are of zero-
rating programs which are open. Open
-
programs allow other applications to join.
Think of StreamOn here in Germany or
-
Vodafone Pass or smartnet in Portugal.
These programs are actually trying to
-
balance the scale a little bit. They are
actually trying to learn from our critique
-
and allow other applications to join. And
then if we add those to statistics, we
-
see that the majority of apps are suddenly
from the same country where the internet
-
service is offered. All of these local
radio stations in Germany, for some
-
reason, join StreamOn in order to be
exempt from the data volume, the
-
ridiculously low data volume from Deutsche
Telekom. And then into second place is
-
still have the U.S. and most
interestingly, the European economic area.
-
So apps from other EU countries are really
down below. So one could easily make the
-
interpretation of that data that we
actually create new barriers for cross-
-
border provisioning of services in the
European digital single market. And if you
-
then just count, how many of these zero-
rating programs does an app usually join.
-
You have a stark pick fit one to three and
then it drastically goes down until you
-
have the 31 - 52 column at the right,
which is the top 20. So there is an
-
inherent difficulty to actually sign up to
these so-called open nondiscriminatory
-
zero-rating programs. What Europe has
created here is actually another reason
-
why it will be difficult for the European
internet industry to be competitive
-
because these are all new entry barriers
into markets in other EU countries. And we
-
really have to explain this to the
regulators. And if you just go and take the
-
perspective of an application, you want to
join a zero-rating program, what do you
-
have to do? First, you have to find out
that it even exists. We did that mapping
-
because we didn't know. And there is no
agency that also sells that data. So
-
obtaining knowledge about the programs
that you might want to join because you
-
might want to offer a competitive service
to people in that country of that ISP is
-
the first step. And then secondly, you
have to request the documents, sign an NDA
-
even, to even find out how the open
Internet works with this mobile operators.
-
Third, you have to read the contract for
which for many start-ups is already a
-
problem. Sign it and prepare for the
liability because you are liable for
-
wrongfully billed data volume, which can
be really problematic. If your app is
-
producing a lot of data or widely used by
certain people. The technical aspect that
-
comes into play here is that of course you
are then responsible for providing
-
identification criteria. If suddenly your
data packages need to be counted
-
differently, go against not a general data
volume but an application specific volume
-
per month or are completely exempt from
the data cap. Then you, in order to make
-
that assessment, need to identify those
data packages, which of course only works
-
with deep packet inspection in most cases.
In some cases, you also have to modify
-
your service in order to even enter into
that deal. Spotify in Germany with
-
StreamOn only wanted their premium
customers to benefit from the zero-rating.
-
And they tried to separate the ad-based
free version of the Spotify program from
-
the premium customers that are paying.
They tried for four months. Then they gave
-
up. So the business decision of that app
provider was directly affected by these
-
zero-rating programs. Next, whenever you
make a change to your own service or
-
infrastructure, you change your CDN
provider or whatever you have to give 30
-
days prior notice to the ISP so that they
can change their DPI equipment to adopt
-
this change, which of course is a big
hindrance for innovation and in some
-
contracts that we've analyzed, it also
includes giving access to beta versions of
-
your own app. And lastly, in the case of
Vodafone, you also have to sign and
-
execute marketing agreement so they want
to advertise with your app. So there is a
-
lot of hoops to jump through in order to
be admitted into one of these zero-rating
-
programs. So you'd think at least they'd
do a lot of effort on the telco side to
-
make it easier for you. So for this
survey, we actually created a fake
-
application and we tried to apply to zero-
rating programs. We said "Hello. We are a
-
student group. We are working out of a
garage. We have that cool app. We want to
-
join your program." And we just counted
the duration until we got a response. In
-
two cases we got a response within a day,
in five cases we got a response within a
-
week, in one case within a month, and in
half of the cases we never got a response
-
at all - so not after three months, they
never got back to us. So that truly shows
-
that there is a big problem with these
open programs. And I'm going to soon show
-
you how the regulators have reacted to
this report in their reform. But another
-
more general thing is speed testing
because in Europe, net neutrality also
-
brought us the right to contractually
agreed speeds, for our Internet access. In no
-
other area and economy, You would buy up
to 8 apples for 5€. But in Internet, for
-
some reason, that's the case. And so the
European Parliament was keen to adopt
-
rules that were giving each and every
consumer in their contract at a minimum,
-
an average and the maximum speed that an
ISP has to deliver. But how do you then
-
measure the speed ? Speedtest.net is
really not a good site if you look at
-
their business model. So regulators are
often the ones that should offer these
-
speed tolls. And BEREC recently released
an open source speed test measurement tool
-
that hopefully will also change another
problem that are going to show you. In
-
Norway, the telecom regulator Nkom is
actually really good at showing how the
-
Internet is improving year by year in the
country. And of course, fiber is hitting
-
through the roof and it's really good. And
in general, we see that the Internet is
-
improving healthily and the supply is
increasing to meet the demand. Austria -
-
similar picture - regulators reporting the
numbers every year. So we know how the
-
Internet is actually developing in these
countries. You would assume that in
-
Western countries this is a given. It is
also an obligation under the law. They
-
really have to do that. But sadly, only
eight countries are actually reporting
-
figures. If the internet supply is
actually increasing. Twenty three
-
countries released no numbers at all about
whether the internet capacity is actually
-
constantly meeting the increasing demand,
which we see as a big problem,
-
particularly with 5G, because that will
mean that the last mile will suddenly
-
be very fast, but the rest of the network
to core, the backhaul, this is where the
-
next bottleneck will lie. And if we don't
invest there soon enough, we'll really
-
have a big infrastructural problem in the
foreseeable future. So coming to the
-
reform. So what is on the table? First,
this is not a legislative reform. Contrary
-
to the previous talk that I've given, this
is not about engaging with the commission
-
to parliament or the council. This is all
about the regulatory community, like with
-
the GDPR privacy law it's great when we as
activists proud our head and shoulders that
-
we actually managed to get a law approved
and then the sad awakening comes. Okay.
-
But the guys who are in charge with
enforcing the law are really not
-
particularly motivated to do so. And then
you are stuck in Ireland with the data
-
protection authority for years. And your
biggest problem is that they are not doing
-
their job. Similarly, in telecom
regulation, what we have found is the
-
biggest problem is to get the regulator to
do their job. And that needs a lot of name
-
calling and submissions and talks with
them, which is really frustrating because
-
it should not be the jobs of activists to
enforce legislation. It should be the task
-
of well funded regulators. So in that
reform, we are kind of in the middle. The
-
scope was released in 2018. In May, we had
an official stakeholder workshop which
-
went for five hours and was a busy
gladiator debate. And October/November the
-
draft guidelines were released and
publicly consulted. About 50 stakeholders
-
participated, we were one of them. And now
BEREC has all of the input on their draft
-
guidelines and most likely in Q1 2020 will
see an interim report summarizing that
-
consultation, which again will be
consulted. We would like that to happen
-
because it would allow us to respond to
comments from the telecom industry and to
-
kind of have a more Ping-Pong debate. And
finally, that all should come to a close
-
in June 2020 when the new rules are
adopted. So now I'm gonna go into what is
-
actually in that draft and what to expect
content-wise from the topic. As you have
-
seen in the title, what we are mostly
talking about these days is 5G, the next
-
mobile network generation. You must have
heard about it. The telecom industry
-
really has spent millions and millions in
advertisement to make people interested in
-
5G. We have that whole trade war between
Trump and Huawei going on and there are
-
people talking about health risk, which is
mostly overblown but still 5G is really
-
portrayed as the revolutionary new
technology. Sadly, that's quite far away
-
from the truth. 5G is an evolution. If
you've listened to the talk yesterday
-
morning in German about the path from 4G
to 5G, you will know that technology wise
-
5G is a very interesting technology. And
as a nerd, I find it interesting but.. The
-
only thing that's a given is that internet
will become faster. All of the other
-
promises you should take with a grain of
salt. There are two particular
-
technology aspects of 5G that I want to
talk about in more detail. The first is
-
Network Slicing. The title already gives
it away. Network slicing means you slice
-
the network and every slice, every layer
has different quality characteristics. So
-
it's basically QoS on the radio access
layer. So it's basically allowing you to
-
have one SIM card with several internet
accesses to it. So you could have one that
-
is very high bandwidth super fast for
Netflix, one for very low latency for
-
gaming, one for very low energy
consumption. So when your battery goes
-
below 20% or you'll have solar powered IoT
sensors, then you might want to use that
-
because you actually don't care about
bandwidth, you don't care that much about
-
reliability, but you only have tiny
battery or solar power. And it actually is
-
good that we'll have that technology. But
the question is then who gets which slice?
-
And that's where the regulators in the
business models get back into gear. The
-
one scenario in which we could see
networks slices being marketed to us is an
-
a per subscriber basis. So you have that
one SIM card and it allows you to have
-
several independent Internet access
services that are also separated from each
-
other. And you as a user are in control.
Which app gets which slice? You should not
-
assume that all of these slices will be
flat rate. It could be that you have a
-
normal internet access but a very high
bandwidth or low latency slice is capped
-
with two gigabytes per month. And so it
actually is important that we as
-
subscribers have a say in that. The second
way in which network slices could hit us,
-
is a specialized services. So, there the
access service, the pipe, is the same
-
thing as the application that runs over
it. So it's no longer universal access. It
-
is no longer something that connects you
to the whole internet but it's basically
-
just not a power plug but a Facebook plug.
And we have few safeguards, five in total
-
in the regulation that are kind of protecting
us against specialized services becoming
-
too widespread. But this is where we'll
see a lot of "innovation" from the telecom
-
industry to vertically integrate, try to
have Facebook as a separately sold product
-
or maybe Facebook, Oculus Rift, VR or
maybe some IoT vertical integration, which
-
some smart home shit. So stuff like that
will most likely happen and 5G gives them
-
more argumentation basis for these types
of vertically integrated products. But
-
that's something for the enforcement. And
lastly, which was our original fear, is
-
that a network license would be applied on
a per application basis. So, Google could
-
make a deal and suddenly they are under
high reliability slice - always. And this
-
is thankfully not the case in the current
draft, so we could already prevent with
-
the work in the previous years this
scenario from being a likely result of
-
that reform, which is good because as I
show you later, these rules in Europe will
-
have repercussions. The second technology
aspect of 5G that merits some discussion
-
is edge computing and it's kind of
breaking the principle of end-to-end. You
-
no longer have desktops or mobile devices
that are connected to one Internet,
-
whereas you have suddenly some
computational power on the cell tower, on
-
a very close datacenter connected with
fiber lines so that the whole purpose here
-
is very low latency. The industry is
marketing this as something really great,
-
something that will be heavily needed.
Actually, there is very little real use
-
cases out there that I think are
realistic. The only one that we could find
-
and that merits discussion is local
dynamic maps. So it's basically if you
-
think of a future in which self-driving
cars all have their own sensory data and
-
that sensory data is then cached in this
edge-called cloud. So you have a 3-D
-
model that knows from the car that has gone
around the same curve for a minute ago that
-
there is a traffic jam over there. And so
your car would know before you even passed
-
that curve. It is telling that even the
European Commission backed a Wi-Fi based
-
mesh network standard and not 5G, which
means even that very weak example of edge
-
computing is kind of discredited in
Europe. So we have good cases for the
-
global reform. And when we talk about 5G,
it's important to stress that this is a
-
global standard. 3GPP, an international
body is standardizing the technology for
-
5G and now it's being rolled out step by
step in the rest of the world. The U.S.,
-
of course, will not be helpful with that
because they are heavily investing in 5G
-
but they are no longer net neutrality
standards to test this new technology
-
against. Canada, great net neutrality law,
but not taking a front seat approach to
-
5G. So they are not actively engaging with
it. India great net neutrality, again not
-
interested in 5G yet. South Korea,
actually, our colleagues there could
-
prevent a repeal of the net neutrality
legislation in South Korea. But they tried
-
to regulatory sandbox net neutrality from
5G to just let the net neutrality rules
-
that are already weak in South Korea to
begin with not apply to that technology.
-
So Europe is kind of the first world
region that tries to square these two
-
things together. And that's why our
approach here might be quite influential.
-
Also, if you think of the whole ecosystem
because what does it mean if we have user
-
controlled network slices? That means that
on my mobile device, I need to somehow
-
also decide which application gets which
slice at which time. And so Google and
-
Android - ähm Google and Apple (Freud)
come into play here as well. Another issue
-
that we did not at all expect to fight
about is parental control filters. So when
-
we fought about this law in the
parliament and in the council in the
-
trial, we always had that looming danger
of parental controls, like in the UK. You
-
buy an internet subscription and you have
a porn filter on it by default. We could
-
kill this in trial. So parental
controls were struck out of the law books
-
and for some weird reason I would call it
lobby pressure. The regulators wanted to
-
allow this in this reform and we've shot
heavily against it. We got even support
-
from the consumer protection
organizations, from BEUC, and we hope
-
that we can actually prevent this because
what would it mean? It would mean that
-
suddenly in the terms of services, you can
circumvent net neutrality. Usually an ISP
-
is, of course, not allowed to just
randomly block websites but parental
-
controls are exactly that. If you want to
do parental control filtering do it on the
-
device but not in the network. Blocking
should always happen on the edge of the
-
application, not on the network site. The
picture is more interesting when we talk
-
about zero rating cause they actually took
many of our ideas and also from our report
-
into consideration. The draft that was
released in October actually contains even
-
the same language of open zero rating
programs. And it says they have to be
-
fair, everyone needs to get a response,
they have to be reasonable, so all
-
documentation should be made public, they
have to be transparent, so if WhatsApp
-
calls or Spotify ads are actually counting
towards you data cap and are not zero-
-
rated, you should least tell the customer
and they have to be non-discriminatory. So
-
Vimeo gets the same response time as
YouTube. These are all our critical
-
points. I'm very thankful that they have
listened to us but sadly, they are also
-
allowing ISP to simply don't give a fuck
and have non-open programs, so they have
-
not drawn a red line. They have not said
clearly we have these types of zero-rating
-
programs, which are okay and then we have
all of these others that you have to
-
follow these rules for. And that is just a
level of lack of opportunity and a missed
-
opportunity for the regulators because
whenever the rules are fuzzy and
-
unclear,that only creates problems further
down the road in enforcement. The last
-
issue was also kind of unexpected. In the
beginning, because I thought we've solved
-
that. Deep packet inspection. So deep
packet inspection means when an ISP is
-
looking into your data packages. So he's
looking closely into what you are actually
-
doing online, your concrete user behavior.
The domains you access, the URLs you
-
access, that means your sexual
preferences, your news preferences, which
-
videos you have watched, all of that.
Usually that should be prohibited.
-
Everything that's payload of transport
layer 4 should be off limit for an ISP.
-
That's the general definition of deep
packet inspection. And actually we thought
-
that we've won that. But then there were
rumors that deep packet inspection, they
-
want to open it up and allow it again. So
we launched an open letter which was
-
signed by 45 NGOs, academics, and privacy
experts. But we still felt like this is a
-
hard push. We knew the regulators on the
other side - Germany is one of them - that
-
were just because of lobby pressure,
really asking for ex post allowing deep
-
packet inspection. And in that moment,
Gandalf came and we really got support
-
from an unexpected friend. The highest
data protection body in the European
-
Union, EDPB, issued a letter to BEREC and
saying that the board considers the
-
processing of data such as domain names
and URLs by Internet access service
-
providers for traffic management and
billing purposes, it's unlawful unless
-
consent of all users is obtained. And that
is interesting because of course all users
-
means that it will never work because
I as a customer of my telco, can maybe
-
consent to that, but not the rest of the
internet that might send a data package
-
down my way. They're not just saying this
for their net neutrality law, they are
-
also saying it for their interpretation of
e-privacy, of the GDPR, all of the other
-
laws. So this is actually giving us even
more sticks to go after deep packet
-
inspection in the future of that legal
opinion. And lastly, a completely
-
unrelated reform but still plays into this
whole thing. In Germany, you can pick your
-
own router. It doesn't matter which ISP
you have. You have the right to buy a
-
router from anywhere, even an open source
or libre one. And it needs to be able to
-
connect to your internet access service.
That is not the case in many European
-
countries because it is often unclear
where does the network actually end and
-
where does my home network begin. And that
network termination point is one of the
-
things that the same body BEREC, the
telecom regulators will decide for us. And
-
again, it looks like we will win. Winning
in this sense means that you will have it
-
the freedom to choose your own router, you
will have device freedom also in the
-
customer premise equipment and the network
ends at the socket, at the wall, at the
-
antenna. So it's actually quite good for
user choice. The only counterpoint that I have to
-
give you, of course, when the network
ends, net neutrality ends. But if your ISP
-
tries to fuck you on your router, you can
just replace it with another device. And
-
that's it for the neutrality thing.
And I think we still have some time for Q
-
and A. Thanks.
-
Applause
-
Herald: Yeah. Thank you so much. And don't
leave yet. I wanted to say support
-
epicenter.work, support EDRi. We need support,
we need people who believe in this and to
-
fight for this and thank you.
-
Applause
-
Herald: Okay. So, do we have questions? We
have questions from the Internet, maybe -
-
not really. Number two, please.
Mic 2: Yes. Have you seen any requirements
-
in digital media playback for recording
location information and identifying
-
users? So especially the location
information of media playback.
-
Lohninger: I'm not sure I follow the
question. So like... you mean like YouTube
-
reporting the playback position of the
audience?
-
Mix 2: No, not the not the public playback
position, the position or the location of
-
the user that is playing back to media.
Lohninger: I'm not sure that that would
-
relate to this. So, the ISP, of course,
knows in most cases where the user is, you
-
know, in all cases actually, and the
content provider, if it is not localizing
-
the user on the app with the location,
then the ISP at least would not share that
-
location information. I also wouldn't know
by which API or on which legal basis they
-
could do that. I hope that answers the
question, but I'm not sure.
-
Herald: Okay, thank you. Okay, we have
another question. Microphone four, please.
-
Mic 4: Hi. Will the users have the same
rights if they are not in the home country
-
like if you are roaming?
Lohninger: Yeah, that's actually an
-
interesting question. So, the net
neutrality regulation is also the roaming
-
regulation in the EU. These two things a
legally mixed together but they actually
-
can be seen completely separate. So when
you are roaming in another country, so my
-
Austrian SIM card here in Germany, it is
actually then the German provider that is
-
physically providing me the Internet
access service, which has to apply by the
-
same European regulation for net
neutrality. In most cases that would not
-
mean that there is even a technical or
legal connection to the customer, to the
-
ISP in Austria that I have a contract
with. Of course, it gets then interesting
-
because that's mostly about the technical
aspect when we look about zero rating. For
-
most cases the zero rating would just not
be possible. So if you have StreamOn in
-
Germany, you are a customer of T-Mobile,
you are going to Austria and you are in
-
the network of some ISP, then the zero-
rating would just not be possible and you
-
would just have additional data volume
given to you. There was actually a court
-
case about that out of Germany and there's
still ongoing litigation from the consumer
-
protection NGO, VZBV in Germany against
Vodafone around that same question. It
-
might be differently if you are a German
T-Mobile customer in Austria and roaming
-
in the T-Mobile network there because
technically I think it would be possible
-
to then apply the zero-rating but I'm not
sure if they actually do that. I think it
-
would not be easy and the incentive
usually would also not be there because
-
these are very few edge cases that even to
configure and maintain those wouldn't make
-
a lot of sense.
Herald: Okay, so next, we have a question
-
from the Internet. Dear signal angel.
Signal: So there was a question about DPI.
-
Are data protection authorities doing
anything about this and are there any
-
enforcements in the European country?
Lohninger: Sadly, no and no but I think
-
there is definitely an opportunity there
for enforcement action. And I know many of
-
the people that work around strategic
litigation and enforcement of the GDPR.
-
They have their hands full because similar
to net neutrality, the great law that
-
we've written in the last year is not
taken very seriously by the regulators.
-
And I think it will again depend on
activists or other entities bringing
-
cases, bringing complaints to data
protection authorities around DPI before
-
we see actual movement there. Legally, I
think particularly with that statement
-
from the EDPB, it would be an easy win. So
if somebody wants to earn spores or help
-
of that, I think it's quite doable case to
bring a complaint against DPI based on
-
that legal opinion.
Herald: So you're all part of it again.
-
Number two, please.
Mic 2: I want to ask, why the hell should
-
the ISP mess around on layer 4 laugh ,
as you described it before?
-
Lohinger: That is the current definition
that we have, like the regulation says no
-
monitoring of specific content. And BEREC
interpreted that in 2016 it meaning pay a
-
load of transport layer 4 should be off
limit. That is the interpretation that the
-
regulators have come up with. And that, of
course, was also a political compromise
-
like where do you draw the line? And so my
slide there was really based on the 2016
-
text of the guidelines.
Herald: Okay. Number one, please.
-
Mic 1: So currently an app developer has
to apply for to an ISP to get zero-rated.
-
What's to stop an ISP to just zero-rate an
app on its own to gain some market
-
advantage.
Lohninger: They can. And there's nothing
-
stopping it. And WhatsApp, for example, is
easily just saying "Okay, here's how you
-
zero-rate us and we don't even want to
interact with you." There does not need to
-
be a bilateral agreement. Of course, ISP
then has the problem if the app provider
-
changes their service or infrastructure
and identification criteria should also
-
change that the ISP needs to implement
that change before it happens. And so
-
that's the reason for the 30 day period.
But again, that problem might not even
-
exist for big providers that have
dedicated IP addresses. If your services
-
coming out of an CDN and then you would
rely on SNI or other technologies to
-
actually be identifiable.
Herald: So we have one more minute and I'm
-
sorry to say it's number 4. Thank you,
others. And yeah, probably you can go to
-
Epicenter Networks and contact Thomas
there. Thank you.
-
Mic 4: Hi. I'm very touched by your
argument about regulation not being
-
enforced right now in the EU. In France,
it has been the case about video
-
surveillance where the state has stated
that CLIN, the regulators are a
-
consultative authority. You know, they
shouldn't enforce. That's what quite
-
arterial the association that is doing
most of the work about that said so. I
-
don't know where we go from there. You
know, I'm very scared. It's nice that
-
you're doing...
Herald: What is the question, please? We
-
just have 20 more seconds.
Mic 4: Sorry, my question is, what do you
-
think we can do to help enforce regulation
in the EU?
-
Lohninger: Big question. There are many
things there, like one of the things that
-
is a positive development to look at a
bright side is that more and more digital
-
rights NGOs are warming up to strategic
litigation. So ultimately, why are
-
regulators not acting? Because on the one
side, they have fundamental rights to law,
-
consumer protection. And on the other
side, you have a big, big company that
-
will not accept their decision that it
will bring them to court no matter what.
-
And so if you're a small regulator with a
limited budget, you can either take the
-
uncomfortable decision that, you know, you
will be sued for. Or just duck away and
-
then the thing might be over. So that the
risk assessment and the cost calculation
-
is currently not in our favor. And that's
why we need to bring more cases. We have
-
to make regulators really bear a certain
risk on both sides of the decision. And
-
only then will the decision actually move
more to the factual basis. And I mean, I
-
know there are many problems in France but
at least CLIN was one of the few DPAs that
-
actually issued a few million penalties.
So there is at least some silver lining.
-
Herald: Okay, so complain. Support EDRi,
support epicenter.works. Thank you
-
for being here and given another applause
to Thomas Lohninger. Thank you so much.
-
Applause
-
36c3 postroll music
-
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!
