The FCC has released its Notice of Proposed Rulemaking (NPRM) on Internet wiretapping. (Backstory here.) The NPRM outlines a set of rules that the FCC is likely to issue, requiring certain online service providers to facilitate (properly authorized) government wiretapping of their customers. The document is a dense 100 pages, and it touches on issues from protocol design to administrative law to network economics, so no one reader or analyst can hope to understand it whole. Below is my initial reaction to reading it.

I'll start by noting that the FCC isn't working with a clean slate but must adopt the framework established by the CALEA statute. Some FCC critics (not including me) would prefer a world in which the government could never wiretap anybody for any reason; but that's not the FCC's decision to make. The question before the FCC is how to apply the CALEA statute to new Net services, not what the optimal wiretapping policy would be.

One important question is whether the FCC has the authority to issue the rules it is considering. Even some of the FCC commissioners express doubt on this point. This question is outside my expertise, so I'll defer to people like Susan Crawford (who also has doubts about the FCC's authority).

Instead, I'll ask whether the FCC's proposals are good policy, if we take as given the value judgments expressed in the CALEA statute, which I read as these three: (1) Properly authorized wiretapping is an important law enforcement and national security tool. (2) If necessary, communications providers should accept modest costs to enable lawful wiretapping. (3) In designing networks, wiretappability should be a consideration, but it can be overridden by other important design factors. (Again: I'm not taking a position here for or against these three statements; I'm only asserting that they reflect the views of Congress, as expressed in CALEA.)

The FCC's first proposal is to require broadband ISPs to be ready to provide law enforcement with the packet-level traffic of any of the ISPs' customers. I read this rule as requiring ISPs to make their best effort to turn over the raw packets as actually sent and received by the customer, and not as requiring ISPs to interpret, classify, or decode the traffic. This seems like a reasonable rule, in light of CALEA. Capturing the necessary packet-streams won't be overly expensive for ISPs and doesn't seem to require redesign of ISPs' networks; and law enforcement can analyze the packet stream as necessary by using standard tools.

The second, and harder, question answered by the FCC is whether to require VoIP (i.e., voice service over the Internet) to be wiretappable. The FCC tries to take a middle ground on this issue, requiring only "managed" VoIP services to be tappable. The definition of "managed" is a little fuzzy, but it seems to apply only to services that meet all three of these criteria: (1) they look to the consumer like a kind of telephone-like service; (2) they allow calls to people with old-fashioned phones; and (3) they involve the provider's equipment in each call (i.e., involvement in the call itself, not just as a sort of directory service). VoIP services that are "managed" in this sense would be required to facilitate wiretapping. Other services, like voice-enabled instant messaging, are not managed and so would not have to facilitate wiretapping.

The FCC's proposed rule looks to me like a reasonable attempt to apply the goals of CALEA to VoIP technology. Managed services are precisely those that are best situated to capture the kind of information needed for wiretapping; and network designs that are inherently unwiretappable would seem to qualify as unmanaged. Two caveats apply, though. First, the NPRM's definition of "managed" isn't completely clear, so the definition I gave above may not be the one the FCC meant. Second, as any close reading of the NPRM will demonstrate, the actual application of a CALEA regime to these technology would involve lots of detailed decisions and determinations by the FCC and others, and the details could be bungled. (Indeed, given the sheer number of details, and their complexity, some nonzero amount of bungling seems inevitable.)

There's much, much more in the NPRM, but I've gone on long enough, so I'll stop for now. My overall impression is that this is a document that will get criticism from both directions. Law enforcement will think it doesn't do enough; and some technologists will think it meddles too much in their affairs. Contrary to the cliche, criticism from both sides often doesn't mean you're doing a good job. But this may be one of those cases where the cliche is right. Overall, I think the FCC has done a pretty good job of applying the semi-contradictory goals of CALEA in a new arena.

The Wall Street Journal, in an editorial today, has come out against the Induce Act.

(Sorry, I don't have an online pointer to the editorial, since I'm not a subscriber.)

Susan Crawford recently proposed a list of "online principles" to guide development of the online world. Seth Finkelstein comments, "Been there, done that, doesn't work"; but John Palfrey counters that Susan's effort is worthwhile.

Surely it's worthwhile for almost any group to spend at least a tiny fraction of its time talking about its overall goals and principles, especially where (as here) that discussion doesn't crowd out the pragmatic problem-solving the group needs to thrive.

But Seth is right that past attempts to define online principles have often gone off the rails. One reason is that they have lost their connection to the Net and have devolved into general attempts to redesign society as a whole. And while society as a whole could surely be improved, its structure reflects a subtle set of compromises resulting from centuries of struggle, which are unlikely to be forgotten because of the Internet's arrival.

The starting point, then, for devising online principles must be to ask how the online world differs from the traditional offline world. Internet exceptionalism is not the answer, because the Net doesn't change everything. We need to focus instead on specific things it does change, and devise principles for dealing with them.

UPDATE (3:10 PM): Don't miss Hal's insightful comment.

Yesterday, the National Association of [state] Attorneys General sent a letter to P2P United, a trade association of peer-to-peer vendors, chiding the P2P industry for fostering porn, spyware, and copyright infringement. Though the letter does make a few good points, overall it's an embarrassment to the attorneys general.

For starters, the letter contains some real howlers. Here's the worst:

Furthermore, P2P file sharing technology can allow its users to access the files of other users, even when the computer is "off" if the computer itself is connected to the Internet via broadband.

Here's another:

Market forces and technological limitations of the Internet (e.g. the need to pay for web space and bandwidth) have combined to make peer-to-peer software a more attractive alternative to the Internet as a means of disseminating pornography.

Some of the other arguments in the letter betray a similarly naive view of technology. For example, the letter urges P2P vendors to use image-based filtering to block pornographic content; but image-based filtering is known to be ridiculously ineffective at distinguishing porn from non-porn content.

I could go on at length, but I won't. You can read Ernest Miller's point-by-point response to the letter if you like.

Despite its many errors, the letter does make two good points. The first is that some P2P software automatically, by default, shares files from users' hard drives. This is a dangerous practice, since it leads unsuspecting users to share files that might contain private information. The second good point is that some P2P vendors have bundled spyware into their products, thereby tricking their users into accepting surveillance of their activities. If the P2P companies really have their customers' best interests at heart, they will stop these two practices.

As for the attorneys general, they obviously have a few things to learn about technology.

Tim Wu, guest-blogging over at Larry Lessig's site, reports:

So today copyright scholar Joe Liu at Boston College asked a room full of law professors an interesting question. What did we think copyright would look like in 8 years? Here were some of the main categories of predictions (some contradict):

1. Primarily a criminal regime (remember when copyright was considered civil law?)
2. Focused on control of the design of hardware & software (in the model of the Broadcast Flag) to prevent infringement ex ante;
3. A regime dedicated to preserving the retail market and revenue streams for 4 discs: (CDs, DVDs, Software CDs, and Video-Game CDs), having given up on nearly everything else;
4. Made in WIPO or the FCC as often as the U.S. Congress;
5. Gone (not a good bet).

This list is interesting in several ways. (1) There's no mention of alternative compensation systems. I would have expected them to rank, at least, above the no-copyright outcome. (2) The first option, copyright as a criminal regime, seems implausible, given the limited prosecutorial resources available. How much of our public law-enforcement resources will we really be willing to spend to defend copyright? Will this become another drug war? (3) The presence of the second item, copyright as regulation of technology design, is disconcerting. As I have written at length before, such a policy would be a major drag on innovation, while failing to prevent infringement. The lawprofs are not endorsing this outcome but are merely predicting it; but the fact that they find it likely is troubling. (4) The fourth item, copyright law being made in the bodies like the FCC and WIPO rather than in Congress, may already be happening. And it's bad news. Lately, pro-innovation forces have had reasonable success in influencing Congress, and less success with other bodies.

UPDATE (August 6): Tim Wu writes, in a comment below, that the lawprofs did in fact discuss alternative compensation systems.

Tim Wu, guest-blogging on Larry Lessig's site, asks hypothetically whether President Kerry would veto the Induce Act. Tim, quoting some vague pro-technology language from Kerry's website, suggests that Kerry might veto the Act.

This is wishful thinking. The fact is that the record of Kerry, and the Democrats in general, on the copyright/innovation issue is not good at all. Consider, for instance, the 2002 Senate hearing on the Hollings CBDTPA, in which Intel's Les Vadasz faced a phalanx of entertainment-industry witnesses. According to Declan McCullagh's Wired News story, the committee's Democrats, including Kerry, spoke in favor of the dangerous CBDTPA bill, while Republicans were more skeptical. (I attended the hearing, and my memory is consistent with Declan's story.)

Many people here in the copyright/innovation blogosphere are enthusiastic Democrats. It's only natural to project your good policy ideas onto the politicians you support, and skilled politicians helpfully provide boilerplate policy language to help supporters do this.

If you're on the pro-innovation side of the copyright wars, though, most of your natural allies on these issues are Republicans. Your arguments – against regulation, and in favor of market solutions rather than government picking winners – will resonate better on the political right than on the left. And so far, Republicans (with the exception of Orrin Hatch) have been better on these issues than Democrats. True, neither party has been good on this issue; but the Republicans have not been nearly as bad, and they seem more amenable to persuasion.

So if you're pro-innovation, and you want to go beyond complaining to actually change things in Washington, then my advice is to take a conservative to lunch, and explain why they should support your side of the copyright battles.

As to John Kerry, by all means encourage him to change his mind and make a clear statement of principle on this issue. But don't hold your breath waiting for that to happen.

Pay attention now, 'cause this story gets kinda complicated.

See, Apple had this product called iPod that lets you listen to music. That sounds like a good idea. But Apple thought it would be better if the iPod could do less. So their engineers pulled a bunch of all-nighters to make sure that the iPod couldn't play just any music a customer might have laying around. They called this DRM. I think that stands for Don't Replay Music.

Now Apple had a competitor called Real. And Real was unhappy that Apple had made its product less useful. So Real's engineers pulled a bunch of all-nighters, so that they could make Apple's product better. They could've spent that time making their own product better, but that would have been a waste after all of the time they had already spent making their own product worse by making it do DRM too.

You still with me? Good.

Okay, so Apple was mighty ticked off that Real had made Apple's product better, without even getting permission or anything. So Apple cried foul. Apple was shocked 'n' saddened that Real was trying to improve Apple's product, like those hacker guys are always doing. So Apple drew a line in the sand, and swore to make its own product worse again.

I don't know about you, but I find this all very confusing. I guess I just don't have a head for business.

Monday was the second anniversary of Freedom to Tinker. Two years seems like a long time, but I still enjoy doing this. Thanks to all of you for your attention, and for keeping me alert and honest with your comments and feedback.

Here are the obligatory statistics about the site: 604 posts; 1409 comments; 3.2 million visits; 5.2 million page views; 90 gigabytes of data transferred.

Another interesting day at the Meltdown conference. John Morris of CDT gave an eye-opening talk about online wiretapping and the policy debate over how to apply CALEA to VoIP services.

Let me explain the jargon. CALEA is the Communications Assistance to Law Enforcement Act of 1994, which says that telecommunications providers must design their networks so as to allow (properly authorized) government wiretapping. CALEA applies to "telecommunications" but not to "information services," so Internet software has thus far been exempt. However, the FCC, which regulates telecom, has some power to expand the application of CALEA.

VoIP is Voice over IP, a term referring to services that transmit voice over the Internet. Some VoIP services can substitute for traditional phone service; others provide similar functions in different form, such as voice-enabled instant messaging; and some provide entirely new functions.

In March, law enforcement agencies asked the FCC, which regulates telecom, to apply CALEA to "IP-enabled services" such as VoIP. Conventional wisdom says that the FCC will issue some kind of regulation in this area. But what exactly?

It seems likely that the FCC will require VoIP providers to be ready to provide information to law enforcement. The key question is whether providers will only have to provide the information that they already gather or whether providers will be required to (re-)design their technology so that it can gather the information that law enforcement wants.

A "design for wiretapping" requirement would seem to rule out certain designs, particularly those that rely on open protocols and the end-to-end principle. Such designs leave too much control in the hands of end users, so that no vendor can be assured of having access to the information that they would be required to gather. On the other side, law enforcement will argue that CALEA is toothless without design requirements, and existing telecom providers would be happy to see open, end-to-end architectures outlawed.

Coincidentally, as I was writing the previous paragraph, sitting in my hotel room with the television on in the background, a commercial came on CNN, urging viewers to ask their legislators to "update our telecom laws." Then I ran across today's New York Times article on the telecom regulation battles.

This is definitely an issue to watch.

Lots of good stuff yesterday at the Meltdown conference. Rather than summarize it all, let me give you two random observations about the discussion.

The security session descended into a series of rants about the evil of spam. Lately this seems to happen often in conference panels about security. This strikes me as odd, since spam is far from the worst security problem we face online. Don’t get me wrong; spam annoys me, just like everybody else. But I don’t think we’ll make much progress on the spam problem until we get a handle on more fundamental problems, such as how to protect ordinary machines from hijacking, and how to produce higher-quality commercial software.

Another interesting feature, noted by Michael Froomkin, was the central role of identification technologies in the day’s discussions, both in diagnoses of Internet policy problems, and in proposed solutions. When the topic was spam, people liked technologies that identify message senders; but on other topics, identification was considered harmful. I hope to see more discussion about identification at the conference. (I’ll have another posting on online identification later this week.)

[Susan Crawford has an interesting summary of yesterday's discussion. She says I was "wise in the hallways", whatever that means.]