I’m pleased to announce the publication of my latest law review article, “Guns, Limbs, and Toys: What Future for 3D Printing?” The article, which appears in Vol. 17 of the Minnesota Journal of Law, Science & Technology, was co-authored with Adam Marcus. Here’s the abstract:

We stand on the cusp of the next great industrial revolution thanks to technological innovations and developments that could significantly enhance the welfare of people across the world. This article will focus on how one of those modern inventions–3D printing–could offer the public significant benefits, but not without some serious economic, social, and legal disruptions along the way. We begin by explaining what 3D printing is and how it works. We also discuss specific applications of this technology and its potential benefits. We then turn to the policy frameworks that could govern 3D printing technologies and itemize a few of the major public policy issues that are either already being discussed, or which could become pertinent in the future. We offer some general guidance for policymakers who might be pondering the governance of 3D printing technologies going forward. Contra to the many other articles and position papers that have already been penned about 3D printing policy, which only selectively defend permissionless innovation in narrow circumstances, we endorse it as the default rule across all categories of 3D printing applications.

More specifically, we do a deep dive into 3 primary public policy “fault lines” for 3D printing: firearms, medical devices, and intellectual property concerns. Read the whole thing for more details.

The success of the Internet and the modern digital economy was due to its open, generative nature, driven by the ethos of “permissionless innovation.” A “light-touch” policy regime helped make this possible. Of particular legal importance was the immunization of online intermediaries from punishing forms of liability associated with the actions of third parties.

As “software eats the world” and the digital revolution extends its reach to the physical world, policymakers should extend similar legal protections to other “generative” tools and platforms, such as robotics, 3D printing, and virtual reality.

In other words, we need a Section 230 for the “maker” movement.

The Internet’s Most Important Law

Today’s vibrant Internet ecosystem likely would not exist without “Section 230” (47 U.S.C. § 230) of the Telecommunications Act of 1996. That law, which recently celebrated its 20^th anniversary, immunized online intermediaries from onerous civil liability for the content and communications that travelled over their electronic networks.

The immunities granted by Section 230 let online speech and commerce flow freely, without the constant threat of legal action or onerous liability looming overhead for digital platforms. Without the law, many of today’s most popular online sites and services might have been hit with huge lawsuits for the content and commerce that some didn’t approve of on their platforms. It is unlikely that as many of them would have survived if not for Section 230’s protections.

For example, sites such as eBay, Facebook, Wikipedia, Angie’s List, Yelp, and YouTube all depend on Section 230 immunities to shield them from potentially punishing liability for the content that average Americans post to those sites. But Section 230 protects countless small sites and services just as much as those larger platforms and it has been an extraordinary boon to online commerce and speech.

Extending Immunities to Other General-Purpose Technologies: 3 Models

To foster generativity and permissionless innovation for the next wave of tech entrepreneurs, it may be necessary to immunize some intermediaries (i.e., platform providers or device manufacturers) from punishing forms of liability, or at least to limit liability in some fashion to avoid the chilling effect that excessive litigation can have on life-enriching innovation. Specifically, they should be immunized from liability associated with the ways third-parties use their platforms or devices to speak, experiment, or innovate.

“The past ten years have been about discovering new ways to create, invent, and work together on the Web,” noted Chris Anderson in his book Makers: The New Industrial Revolution. “The next ten years will be about applying those lessons to the real world.” But that can only happen if we get public policy right.

Thus, the creators of newer general-purpose technologies may need to receive certain limited immunizations from liability for the ways third-parties use their devices. If troublemakers use general-purpose technologies to do harm—i.e., cybersecurity violations, privacy invasions, copyright infringement, etc.—it is almost always more sensible to hold those problematic users directly accountable for their actions.

The other approach—holding those intermediaries accountable for the actions of third parties—will discourage innovators from creating vibrant, open platforms and devices that could facilitate new types of speech and commerce. Therefore, an embrace of permissionless innovation requires a rejection of such middleman deputization schemes.

There are three different existing immunity models we might consider applying to emerging general-purpose technologies.

Model #1: Section 230 & online services

The first model, of course, is Section 230 itself.  Section 230 stipulated that it is the policy of the United States “to promote the continued development of the Internet and other interactive computer services and other interactive media,” and “to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation.” To accomplish that, the law made it clear that, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

Since implementation of Section 230 two decades ago, courts have generally read this immunity fairly broadly, so much so that some critics have argued that 230’s scope has been enlarged well beyond congressional intent. Even if that is true, I believe that has been a net positive (excuse the pun) and that it is not only wise to preserve that sweeping immunity but extend it to other technologies and sectors.

Model #2: Firearm manufacturing

Another immunization model can be found in the Protection of Lawful Commerce in Arms Act of 2005 (Pub. L. No. 109-92, 119 Stat. 2095). Although “lawsuits alleging negligent distribution plagued the firearm industry until 2005,” the Protection of Lawful Commerce in Arms Act “effectively ended the ‘gun tort’ era,” notes Peter Jensen-Haxel. The law did so by granting gun manufacturers immunities for such legal actions. (It would seem that, by extension, those who use 3D printers to create firearms will also be immunized from civil actions.)

Importantly, unlike Section 230, which provided broad immunity by default to all online platforms, the Protection of Lawful Commerce in Arms Act applied to manufactures/sellers that fit into the certain qualifications (i.e., they get immunity if they comply with certain licensing rules, record keeping requirements, etc.). This tension between broad versus targeted immunity will become the subject of debate for emerging general-purpose technologies as scholars and policymakers contemplate optimal default liability rules.

Model #3: Vaccines

A final legal immunization model comes, ironically, from the world of medical immunizations. As part of the National Childhood Vaccine Injury Act of 1986 (42 U.S.C. §§ 300aa-1 to 300aa-34), Congress created The National Vaccine Injury Compensation Program, “after lawsuits against vaccine companies and health care providers threatened to cause vaccine shortages and reduce U.S. vaccination rates, which could have caused a resurgence of vaccine preventable diseases.”

As described by the U.S. Department of Health and Human Services, the program, “is a no-fault alternative to the traditional legal system for resolving vaccine injury petitions.” Thus, those suffering injuries from vaccines are able to seek compensation from this program instead of having to sue vaccine companies.

As Avery Johnson of the Wall Street Journal noted in 2009 article about the program, “A spate of lawsuits against vaccine makers in the 1970s and 1980s had caused dozens of companies to get out of the low-profit business, creating a public-health scare. The strategy worked and the public health implications have been sizable. Vaccines have driven huge reductions — and in the case of smallpox, for instance, complete eradications — of major childhood diseases.”

This model is obviously very different than Section 230 and the Protection of Lawful Commerce in Arms Act in that it includes a government-created compensation fund provided as an alternative to civil lawsuit remedies. In all likelihood, such a compensation fund would not be necessary for new general-purpose “maker” technologies or sectors.

Nonetheless, this model could, perhaps, have some relevance for certain narrow classes of those technologies. For example, 3D-printed medical devices might be one area where it would make sense to exempt from liability the creators of 3D printers and the platforms over which 3D printer blueprints are distributed. But if there is significant resulting harm from some of those devices or plans, it remains unclear how compensation would work and who would be picking up the tab for it. The National Vaccine Injury Compensation Program offers one potential answer, although it may not be wise to craft such a consumer-funded or taxpayer-supported program for other reasons. Even if creating a government-run compensation fund was eventually seen as a good idea, we cannot determine how big the fund should be until some actual harms occur.

Three Sectors to Cover

Next, we should consider which sectors or technologies should be eligible for such immunities.

I wish it was possible to craft some sort of “General-Purpose Technology Immunization Act” that would shield such platforms and technologies from onerous liability associated with third-party uses. Realistically, however, it is not likely such a broad-based regime could achieve political traction. There would just be too many opposing forces. Moreover, there may be some unique distinctions between technologies and sectors which necessitate specialized legal regimes.

In any event, I believe a good case can be made for adopting some sort of legal immunity regime for three specific technologies: Robotics, 3D printing, and immersive technology (i.e., virtual reality and augmented reality).

Robotics

Ryan Calo, professor of law at the University of Washington School of Law, has done important work on the law of robotics and he has suggested that such legal immunities may need to be extended to this field. In his 2011 Maryland Law Review article on “Open Robotics,” Calo made his case as follows:

To preempt a clampdown on robot functionality, Congress should consider immunizing manufacturers of open robotic platforms from lawsuits for the repercussions of leaving robots open.  Specifically, consumers and other injured parties should not be able to sue roboticists, much less recover damages, where the injury resulted from one of the following: (1) the use to which the consumer decided to put the robot, no matter how tame or mundane; (2) the nonproprietary software the consumer decided to run on the robot; or (3) the consumer’s decision to alter the robot physically by adding or changing hardware. This immunity would include lawful and unlawful uses of the robot. (p. 134) . . . The immunity I propose is selective: Manufacturers of open robots would not escape liability altogether. For instance, if the consumer runs the manufacturer’s software and the hardware remains unmodified, or if it can be shown that the damage at issue was caused entirely by negligent platform design, then recovery should be possible. The immunity I propose only applies in those instances where it is clear that the robot was under the control of the consumer, a third party software, or otherwise the result of end-user modification. Because this issue will not always be easy to prove, we should expect litigation at the margins. I am thus arguing for a compromise position: A presumption against suit unless the plaintiff can show the problem was clearly related to the platform’s design. (p. 136)

I find this entirely convincing and I also believe Calo is wise to begin with robotics as the first target for such legal immunization because such technologies are already being widely manufactured and deployed today.

These liability questions are already being widely debated, for example, in the field of autonomous systems and driverless cars in particular. I’d like to believe that the common law would sort out these things fairly quickly and that an efficient liability regime would emerge from autonomous technologies in short order.

Alas, because America lacks a “loser pays” rule, a perverse incentive exists for overly-zealous trial lawyers to file an avalanche of lawsuits at the first sign of any problem. This could significantly hamper the development of autonomous technologies, which have the potential to immediately decrease the staggering death toll associated with human error behind the wheel. Therefore, it may be necessary for Congress to craft some sort of limited immunity regime for autonomous technology makers to ensure that the development of these potential life-saving technologies is not discouraged by the looming threat of perpetual litigation.

3D Printing

3D printing would be my second choice for a general-purpose technology that should be covered by some sort of intermediary immunity model.

In a forthcoming law review article for the Minnesota Journal of Law, Science & Technology, Adam Marcus and I argue that “the manufacturers of 3D printing devices and the website operators hosting blueprints for 3D-printed objects may need to be protected from liability to avoid chilling innovation. In this sense, a ‘Section 230 for 3D printing’ might be needed.”

We discuss three specific ways that 3D printers could be used by third-parties in such a way that existing laws or regulations are implicated and someone might seek to bring action against the manufacturers of 3D printers or 3D printing marketplaces, like Shapeways or Thingiverse. These cases involve things like 3D-printed prosthetics, which could raise policy concerns at the Food and Drug Administration, and 3D-printed toys or sculptures, which could present intellectual property issues.

But perhaps the most interesting case study for liability purposes will be 3D-printed firearms, which are already raising a great deal of controversy. Marcus and I argue, once again, that “the proper focus of regulation should remain on the user and uses of firearms, regardless of how they are manufactured.” And because, as already noted, the Protection of Lawful Commerce in Arms Act immunizes gun manufacturers from legal liability for third-party actions, it would seem logical that the law’s protections would extend to 3D-printed firearms. Moreover, Section 230 itself (and perhaps also the First Amendment) might also apply to 3D printing design schematics that appear on various websites or 3D printing marketplaces.

Generally speaking, Marcus and I argue, “imposing liability on third parties—sites hosting schematics, search engines, and manufacturers of devices—seems neither workable nor wise. There exists a broad spectrum of general-purpose technologies that can be used to facilitate criminal activity,” we note, such as cars, computers, or paper printers. But we don’t blame those intermediaries when those technologies are used by third parties in criminal acts. The same principle should apply to 3D printers.

Things get more complicated when intellectual property issues are brought into the debate. In an important 2014 article, “Patents, Meet Napster: 3D Printing and the Digitization of Things,” Deven R. Desai and Gerard N. Magliocca sketched out the potential case for some sort of limited immunity as it pertains to patent infringement and 3D printing. “An obstacle to the growth of 3D printing that Congress should consider addressing is that individuals who engage in that activity are strictly liable if they infringe a patent,” they note, but they continue on to add that:

Exempting personal 3D printing from patent infringement without undermining other aspects of the regulatory scheme will not be easy. It would not be a good idea for Congress to create a fair use exception for all patents or make infringement an intentional tort, as those changes would sweep too far. Targeting 3D printing itself is a possibility, but in that case the legislation would have to distinguish between personal and commercial activity, as there is no rationale for saying that all 3D printing leading to patent infringement, including what Fortune 500 firms do, should be permitted. Drawing that kind of line with a substantive legal standard, though, will generate years of litigation and may not effectively separate the good from the bad. One alternative, should Congress opt to give personal 3D printing some immunity, would be to set a relatively high minimum amount-in-controversy for federal jurisdiction over any [patent] infringement claims involving this technology. (p. 1717)

Getting this balance right will be tricky, yet essential. “Patent law and industries that rely on patents will have to adapt to this new environment or face potential obsolescence,” Desai and Magliocca correctly conclude.

Immersive Technology

A final sector we might eventually want to apply some sort of intermediary immunity model to is immersive technology. “Immersive technology” refers to services that currently utilize wearable devices (such as a head-mounted display or headset) to let users explore virtual worlds, virtual objects, or hologram-like projections. Immersive technology can be separated into two different, but related groups: virtual reality (VR) and augmented reality (AR).

These technologies are still in the cradle, but many companies are already developing VR and AR technologies for both entertainment and professional uses. As they gain more widespread usage, immersive technologies could raise some policy issues, including concerns about privacy, intellectual property (ex: who owns certain “experiences”), and potentially even worries about distraction and addiction.

It would not be surprising, therefore, if some critics begin advocating greater regulation of, or liability for, VR and AR intermediaries. If that happens, policymakers will need to consider immunizing them from the threat of lawsuits or else innovation will die in these sectors.

Conclusion

Following the general logic of permissionless innovation, and understanding the importance of keeping intermediaries free of punishing liability for what others might do with their general-purpose technologies and platforms, the proper focus of regulation should remain on the user and uses of those technologies.

Accordingly, policymakers should craft a “Section 230 for the maker movement” by adopting legal protections for robotics, 3D printing, and immersive technology. At the same time, we should seek out better solutions—legal and otherwise—to the old problems that might persist or new ones that might come about due to the use of these new devices and platforms. But we should not let hypothetical worst-case scenarios and concerns about future technologies lead us down a path where intermediaries are “deputized” or hit with punishing liability for downstream actions by third parties.

Note#1 : This is a preliminary sketch of a law review article I would eventually like to write entitled, “A Section 230 for the “Makers” Movement: Extending Section 230 Immunities to Robotics, 3D Printing & Virtual Reality.” Toward that end, I welcome suggestions for (a) which general-purpose technologies deserve some sort of immunization, and also (b) what other legal immunity regimes exist that we could learn from. Please forward any ideas you might have along to me.

Note #2: My thanks to Adam Marcus and Christopher Koopman for their helpful suggestions on this essay.

by Berin Szoka & Adam Thierer, Progress Snapshot 5.11 (PDF)

Ten years ago, Nobel Prize-winning economist Milton Friedman lamented the “Business Community’s Suicidal Impulse:” the persistent propensity to persecute one’s competitors through regulation or the threat thereof. Friedman asked: “Is it really in the self-interest of Silicon Valley to set the government on Microsoft?” After yesterday’s FCC vote’s to open a formal “Net Neutrality” rule-making, we must ask whether the high-tech industry—or consumers—will benefit from inviting government regulation of the Internet under the mantra of “neutrality.”

The hatred directed at Microsoft in the 1990s has more recently been focused on the industry that has brought broadband to Americans’ homes (Internet Service Providers) and the company that has done more than any other to make the web useful (Google). Both have been attacked for exercising supposed “gatekeeper” control over the Internet in one fashion or another. They are now turning their guns on each other—the first strikes in what threatens to become an all-out, thermonuclear war in the tech industry over increasingly broad neutrality mandates. Unless we find a way to achieve “Digital Détente,” the consequences of this increasing regulatory brinkmanship will be “mutually assured destruction” (MAD) for industry and consumers.

New Fronts in the Neutrality Wars

The FCC’s proposed rules would apply to all broadband providers, including wireless, but not to Google or many other players operating in other layers of the Net who favor such broadband-specific rules. With this rulemaking looming, AT&T came after Google with letters to the FCC in late September and then another last week accusing the company of violating neutrality principles in their business practices and arguing that any neutrality rules that apply to ISPs should apply equally to Google’s panoply of popular services. In particular, AT&T accused Google of “search engine bias,” suggesting that only government-enforced neutrality mandates could protect consumers from Google’s supposed “monopolist” control.

The promise made yesterday by the FCC—to only apply neutrality principles to the infrastructure layer of the Net—is hollow and will ultimately prove unenforceable. The reality is that regulation always spreads. The march of regulation can sometimes be glacial, but it is, sadly, almost inevitable: Regulatory regimes grow but almost never contract. Indeed, in some ways, the prediction we made just three weeks ago is already coming true: The basic premise of neutrality regulation is already being proposed for other layers of the Internet—and not just by AT&T in retaliation. One need not agree with all of AT&T’s accusations to recognize that, whatever the FCC might say today, any large online intermediary with a popular platform potentially faces the threat of “network neutrality” mandates—because every platform is essentially a “network,” too. We’re not just talking about “search neutrality” (Google as well as Microsoft) but also about “device neutrality” (mobile handsets), “app neutrality” (Apple’s iTunes store, Facebook’s developers and Google’s Android mobile OS) and so on for social networking, email, instant messaging, online advertising, etc.

An open letter sent to FCC Chairman Julius Genachowski this week by 28 founders and CEOs of leading application providers—including Amazon, Google, Facebook, Netflix, Craigslist, Sony and Twitter—speaks generally about the need for the FCC to enforce a “guarantee of neutral, nondiscriminatory access by users.” While many of these signatories may have in mind ISPs as the network “gatekeepers” that need to be reined in by the FCC, the more successful among them are likely to find this letter used against them in the future—perhaps even by co-signatories—to advance a broad conception of what the government must do to ensure “openness” and “access” for platforms at all layers of the Internet.

Dumb Networks, Dumb Devices

The intellectual foundations for this regulatory creep have already been laid by groups like Free Press and Public Knowledge and law professors like Columbia’s Tim Wu, Harvard’s Jonathan Zittrain and Seton Hall’s Frank Pasquale. As originally conceived by Tim Wu in 2003, “network neutrality” is not unique to broadband networks: “the basic economic problem found in the network neutrality debate (a form of ‘platform exclusion’ or ‘vertical foreclosure’) can be found in many other markets.” Indeed, Wu’s popular Net Neutrality FAQ declares:

The promotion of network neutrality is no different than the challenge of promoting fair evolutionary competition in any privately owned environment, whether a telephone network, operating system, or even a retail store. Government regulation in such contexts invariably tries to help ensure that the short-term interests of the owner do not prevent the best products or applications becoming available to end-users.

Zittrain picked up where Wu left off in The Future of the Internet and How to Stop It—attacking, as the enemies of innovation, not ISPs but the supposedly “closed” platforms of Apple, TiVo and Microsoft’s Xbox. Zittrain warns that:

If there is a present worldwide threat to neutrality in the movement of bits, it comes not from restrictions on traditional Internet access that can be evaded using generative PCs, but from enhancements to traditional and emerging appliancized services that are not open to third-party tinkering.

Zittrain’s general solution is “API [Applications Programming Interface] neutrality:” If you create a platform (whether hardware or software) and begin allowing third-party contributions (“generativity”), you will lose all control over devices or applications that can run on that platform.

Those who offer open APIs on the Net in an attempt to harness the generative cycle ought to remain application-neutral after their efforts have succeeded, so all those who built on top of their interface can continue to do so on equal terms…. [N]etwork neutrality ought to be applied to the new platforms of Web services that, in turn, depend on Internet connectivity to function.

Clearly, if Zittrain and his allies have their way, the sort of neutrality mandates envisioned by the FCC or some Congressmen for ISPs will eventually cover companies such as Apple, Google, Facebook, Myspace, Twitter and Amazon—all singled out by Zittrain in a New York Times op-ed in July:

If the market settles into a handful of gated cloud communities whose proprietors control the availability of new code, the time may come to ensure that their platforms do not discriminate. Such a demand could take many forms, from an outright regulatory requirement to a more subtle set of incentives — tax breaks or liability relief — that nudge companies to maintain the kind of openness that earlier allowed them a level playing field on which they could lure users from competing, mighty incumbents.

Frank Pasquale agrees on the need to restrain all “the dominant players at all layers of online life,” but focuses on his demand for a Federal Search Commission to control supposedly “biased” search results. While the FCC wrings its hands over “managed services” offered by ISPs, search engines are increasingly offering their own value-added services by “blending” algorithmically-derived results with special features like maps, videos, books or music depending on what the search term suggests the user is interested in. “Artificially” ensuring that these features appear on the first page of search results is clearly non-neutral, and necessarily involves search engines making ”managed” decisions as to whose features to include. Yet such features also clearly benefit users—dramatically improving the usefulness of search engines and helping to sustain struggling business models like music retailing.

But one need not resort to the works of “ivory tower” academics to see the slippery slope we’re already tumbling down with the infinitely elastic principle of “neutrality.” The prospect of the FCC gradually transforming into a “Federal Information Commission” becomes more apparent when one reads the Wireless Innovation and Investment Notice of Inquiry recently released by the FCC:

As other approaches, such as cloud computing, evolve, will established standards or de facto standards become more important to the applications development process? For example, can a dominant cloud computing position raise the same competitive issues that are now being discussed in the context of network neutrality? Will it be necessary to modify the existing balance between regulatory and market forces to promote further innovation in the development and deployment of new applications and services?

One can imagine how some might use such language to accuse Google of being in “a dominant cloud computing position” such that “the context of network neutrality” will be applied to cloud service (like Google Voice) to “modify the existing balance between regulatory and market forces” through regulation. Indeed, that’s precisely what AT&T has suggested in recent letters (September 25 ^th and October 14 ^th) to the FCC.

AT&T’s partner Apple has already been the subject of such attacks for its decision to block the Google Voice app earlier this summer. The incident marked the beginning of open warfare between Google and AT&T/Apple. The FCC quickly jumped into the mix, first questioning how Apple manages its iTunes apps store for the iPhone, then questioning how Google runs its free Voice application. What legal authority the FCC has over either service is far from clear, but Apple seems to have gotten the message: It recently approved the Spotify music streaming app for the iPhone, which could be a serious competitive threat to the iTunes music store. This small incident highlights how easily regulators can impose their will through informal mechanisms like open-ended investigations even without clear authority to issue rules or bring enforcement actions. Yet none dare call it what it is: regulatory blackmail.

The Inevitability of Regulatory Capture

No doubt, other industry players will cheer on such regulatory harassment of the titans of tech—and maybe even demand more of it. Regulatory creep is driven by more than the self-interests of every bureaucracy to expand its own mission, budget and staff. As the Electronic Frontier Foundation has noted, “Experience shows that the FCC is particularly vulnerable to regulatory capture.” While lobbyists play an important role in defending business from government, all too many businesses naively look at government as a beast that can be tamed, trained, and turned to one’s own advantage, and often try to use the expanding regulatory apparatus to their own advantage or simply throw their competitors under the bus to save themselves. The result is a Hobbesian regulatory “war of all against all” within industry.

As Professor Alfred E. Kahn explained in his 2-volume opus, The Economics of Regulation, all regulation—however high-minded—is inevitably captured by special interests because:

When a commission is responsible for the performance of an industry, it is under never completely escapable pressure to protect the health of the companies it regulates, to assure a desirable performance by relying on those monopolistic chosen instruments and its own controls rather than on the unplanned and unplannable forces of competition. […] Responsible for the continued provision and improvement of service, [the regulatory commission] comes increasingly and understandably to identify the interest of the public with that of the existing companies on whom it must rely to deliver goods.

If Internet regulation follows the same course as other industries, the FCC and/or lawmakers will eventually indulge calls by all sides to bring more providers and technologies “into the regulatory fold.” Clearly, this process has already begun. Even before rules are on the books, the companies that have made America the leader in the Digital Revolution are turning on each other in a dangerous game of brinksmanship, escalating demands for regulation and playing right into the hands of those who want to bring the entire high-tech sector under the thumb of government—under an Orwellian conception of “Internet Freedom” that makes corporations the real Big Brother, and government, our savior.

Toward a Less MAD World: Digital Détente

Sincere defenders of real Internet Freedom—that is, freedom from government techno-meddling—recognize that there will always be disputes over how companies deal with each other online across all layers of the Internet. The question is not whether we need a technical coordinating mechanism for handling such disputes. Someone should mediate conflicts over alleged deviations from abstract neutrality principles. But should that arbitrator be an inherently political body like FCC? Or should we instead look to truly independent, apolitical arbitrators like the Internet Engineering Task Force or collaborative efforts like the Network Neutrality Squad? Such alternative dispute resolution mechanisms and fora need not have the power of law to be effective: The weight of their expert opinion, based on careful investigation of the facts, would likely resolve most disputes, because companies have strong reputational incentives to comply with reasoned rulings by truly neutral experts. And the white hot spotlight of public attention has a way of disciplining marketplace behavior as well.

Government would still have a role to play, of course, in enforcing antitrust laws where anticompetitive harm to consumers can be proven, and in enforcing the promises companies make to consumers. Ultimately, however, certain business models and technologies require non-neutral treatment, and the best remedy for concerns about non-neutrality is competition itself: In the high-tech sector more than any other, disruptive innovation makes it difficult for even the most successful companies to stay on top forever. Competitive entry—or even the threat of new entry—provides a powerful check on the power of so-called “gatekeepers,” but even more important is the prospect that today’s leaders will be tomorrow’s laggards: There’s little reason to think Google (search and advertising), Apple (smart phones and music) and Facebook (social networking) won’t someday find themselves playing catch-up, just as IBM (computers), Microsoft (desktop software and search), Friendster and MySpace (social networking), and Yahoo! and AOL (web portals) have had to do.

“Digital Détente” would require that all parties concede something and work constructively toward a more “peaceful” ( i.e., less regulatory) resolution. And yet, no Internet company wants to disarm unilaterally, foreswearing politics as a continuation of competition by other means. Only through multilateral disarmament could they break out of the current cycle of regulatory one-upmanship: If the companies in the Internet ecosystem could form a united front against increased government regulation and in favor of removing existing regulatory obstacles to competition, they could all return to their core competencies of creativity and innovation.

The alternative is a regulatory “nuclear winter”: high-tech titans turning their political fire on each other, catching innocent third parties in the cross-fire and bringing a dark cloud of government regulation over the entire Internet. Such increased regulation would stifle investment and innovation throughout the Internet ecosystem. Thus, it is consumers who will ultimately suffer most from the tech industry’s suicidal impulse, as their choices and digital lives are impoverished. For their sake, we hope all industry players will step back from the brink to avoid such high-tech mutually assured destruction.

Adam Thierer & I have just released a detailed examination (PDF) of brewing efforts to expand the Children’s Online Privacy Protection Act of 1998 to cover adolescents and potentially all social networking sites—an approach we call “COPPA 2.0.”

As Adam explained on Larry Magid’s CNET podcast, COPPA mandates certain online privacy protections for children under 13, most importantly that websites obtain the “verifiable consent” of a child’s parent before collecting personal information about that child or giving that child access to interactive functionality that might allow the child to share their personal information with others. The law was intended primarily to “enhance parental involvement in a child’s online activities” as a means of protecting the online privacy and safety of children.

Yet advocates of expanding COPPA—or “COPPA 2.0″—see COPPA’s verifiable parental consent framework as a means for imposing broad regulatory mandates in the name of online child safety and concerns about social networking, cyber-harassment, etc. Two COPPA 2.0 bills are currently pending in New Jersey and Illinois. The accelerated review of COPPA to be conducted by the FTC next year (five years ahead of schedule) is likely to bring to Washington serious talk of expanding COPPA—even though Congress clearly rejected covering adolescents age 13-16 when COPPA was first proposed back in 1998.

We’ll discuss some of the key points of our paper in a series of blog posts, but here are the top nine reasons for rejecting COPPA 2.0, in that such an approach would:

• Burden the free speech rights of adults by imposing age verification mandates on many sites used by adults, thus restricting anonymous speech and essentially converging—in terms of practical consequences—with the unconstitutional Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA;
• Burden the free speech rights of adolescents to speak freely on—or gather information from—legal and socially beneficial websites;
• Hamper routine and socially beneficial communication between adolescents and adults;
• Reduce, rather than enhance, the privacy of adolescents, parents and other adults because of the massive volume of personal information that would have to be collected about users for authentication purposes (likely including credit card data);

• Would likely be the subject of massive fraud or evasion since it is not always possible to definitively verify the parent-child relationship, or because the system could be “gamed” in other ways by determined adolescents;
• Do nothing to prevent offshore sites and services from operating outside these rules;
• Present major practical challenges for law enforcement officials in the face of such evasion by both domestic users and offshore sites;
• Could destroy opportunities for new or smaller website operators to break into the market and offer competing services and innovations, thus contributing to consolidation of online content and services by erecting barriers to entry; and
• Violate the Commerce Clause of the U.S. Constitution, since Internet activity clearly represents interstate commerce that states have no authority to regulate.

I’m delighted to welcome to the TLF my colleague Adam Marcus, Research Fellow & Senior Technologist at The Progress & Freedom Foundation.  Adam’s already written a few posts here on the TLF about edge caching and cloud computing—cross-posted over the last few months by Adam Thierer and me.  He also appeared on TechPolicy Weekly 38 to discuss  “The Google Kerfuffle — Edge Caching & Net Neutrality.”

Adam (a/k/a “Marcus”) brings an exceptional technological sophistication to bear on policy issues.  He’s already been a real asset to our work at PFF as a sort of “technical ombudsman,” helping us delve into the nitty-gritty details behind the debates.  I hope he’ll play somewhat the same role here on the TLF:  keeping us honest and checking our facts.  

But he’s not just another geek:  With a J.D. from Santa Clara University and an MA in Communications, Culture & Technology from Georgetown University, Adam has lots to say about the legal and policy issues covered by the TLF.

I hope you all enjoy getting to know him—whether through the blog or in person at our semi-regular Alcohol Liberation Fronts—as much as I have.

As a means of introducing myself to TLF readers, this is an article that I wrote for the PFF blog in September that has not been previously mentioned on the TLF. Most of my other PFF blog posts have been cross-posted by Adam Thierer or Berin Szoka, but I’ve taken ownership of those posts so they appear on my TLF author page.

This is the first in a series of articles that will focus directly on technology instead of technology policy. With an average age of 57, most members of Congress were at least 30 when the IBM PC was introduced in 1981. So it is not surprising that lawmakers have difficulty with cutting-edge technology. The goal of this series is to provide a solid technical foundation for the policy debates that new technologies often trigger. No prior knowledge of the technologies involved is assumed, but no insult to the reader’s intelligence is intended.

This article focuses on cookies–not the cookies you eat, but the cookies associated with browsing the World Wide Web. There has been public concern over the privacy implications of cookies since they were first developed. But to understand them , you must know a bit of history.

According to Tim Berners Lee, the creator of the World Wide Web, “[g]etting people to put data on the Web often was a question of getting them to change perspective, from thinking of the user’s access to it not as interaction with, say, an online library system, but as navigation th[r]ough a set of virtual pages in some abstract space. In this concept, users could bookmark any place and return to it, and could make links into any place from another document. This would give a feeling of persistence, of an ongoing existence, to each page.”[1. Tim Berners-Lee, Weaving The Web: The Original Design and Ultimate Destiny of the World Wide Web. p. 37. Harper Business (2000).] The Web has changed quite a bit since the early 1990s.

Today, websites are much more dynamic and interactive, with every page being customized for each user. Such customization could include automatically selecting the appropriate language for the user based on where they’re located, displaying only content that has been added since the last time the user visited the site, remembering a user who wants to stay logged into a site from a particular computer, or keeping track of items in a virtual shopping cart. These features are simply not possible without the ability for a website to distinguish one user from another and to remember a user as they navigate from one page to another. Today, in the Web 2.0 era, instead of Web pages having persistence (as Berners-Lee described), we have dynamic pages and “user-persistence.”

This paper describes the various methods websites can use to enable user-persistence and how this affects user privacy. But the first thing the reader must realize is that the Web was not initially designed to be interactive; indeed, as the quote above shows, the goal was the exact opposite. Yet interactivity is critical to many of the things we all take for granted about web content and services today.

Stateful Sessions

On the original World Wide Web designed by Berners-Lee (Web 1.0), Web servers responded to each client request without relating that request to previous requests. There was no need to remember what other pages the user had requested because the requests were for static pages. But if you’ve used a Web-based email system like Gmail, Hotmail, Yahoo! Mail, etc., you know that once you log in, the service remembers who you are as you click from message to message. When a website can keep track of a user as they move from page to page within a site it is called a “stateful session.” The website doesn’t necessarily need to know anything about the user, it just needs to be able to distinguish that particular user from all other users. For example, if you go to an online store and place a few items in your virtual shopping cart, the site still does not know your name, email address, or billing information. But it does know what you’ve placed in your cart–or more precisely, it knows what someone using your browser has placed placed in a particular cart. If you leave the site before buying anything and then go back an hour later, it’s possible that the site will have completely forgotten about you. In that case, the unique identifier persists during your “session” on the site, but it doesn’t persist between sessions.

URLs and HTTP Requests

Web 1.0 sites achieve Web page persistence by having a unique address or Uniform Resource Locator (URL) for each Web page, which is displayed in the address bar at the top of your browser as you browse the web. For example, http://www.pff.org/about/ is a simple URL pointing to a specific Web page. Every user that visits the PFF site at www.pff.org and clicks on the “About” link will be taken to the exact same page.

URLs can also store information about the user. For example, if you search for “test” on Google, the URL of the resulting page may look like the following: http://www.google.com/search?q=test&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a.[2. http://googlesystem.blogspot.com/2006/07/meaning-of-parameters-in-google-query.html] The URL contains a number of different pieces of data, separated by ampersands. There is the search query (“q=test”), the character encoding of the input (“ie=utf-8”), the character encoding of the output (“oe=utf-8”), the type and language of the client (“rls=org.mozilla:en-US:official”), and the Web browser used (“client=firefox-a”). None of this information can be used to uniquely identify the user, but this basic example illustrates how URLs can be used to specify more than simply static Web pages–and how some information can be remembered as a user navigates a website even without using cookies. Knowing how this works, you can create your own advanced searches or change the way the results are formatted (e.g., changing the language).

So how did Google know I speak English and use Firefox? That information is included in the HTTP request that my Web browser sends to the Google Web server when it requests a page. HTTP requests specify (among a few other more technical things) the desired language and a “User-Agent” field that includes the name of the browser and sometimes your operating system. This information allows websites to customize their content for different Web browsers (e.g., to ensure that it displays properly). HTTP requests also include your IP address so the Web server knows where to send its response, and geotagging allows Web servers to associate an IP address with a geographic area (though the area is rarely more accurate than the country or state). HTTP requests can also contain HTTP cookies.

HTTP Cookies

URLs can be used to uniquely identify individual users and allow stateful sessions, but unless a user bookmarks the URL containing their unique identifier, there is no way for the site to associate the same unique identifier with the same user on subsequent visits. Another option is to have users create an account and then log in each time they access the site. The website could then include the user’s unique ID in the URL on subsequent pages, so that the user only needs to log in once per session. Having to bookmark or create an account on every site you want to remember you would quickly become unmanageable. It would be nice if mapping and weather websites, for example, just remembered your location. It would be nice if the blogs you follow remembered what post you last read and displayed only unread posts when you next visit their site. What was needed at this point in the Web’s evolution was a way for websites to automatically store a unique identifier on the user’s computer and send it back to the website automatically[3. A site could also try to uniquely identify users by the IP address of their computer, but this is unreliable as there can be many computers behind a firewall sharing a single IP address.]—which is precisely what a cookie does.

To quote Wikipedia,

“HTTP cookies, or more commonly referred to as Web cookies, tracking cookies or just cookies, are parcels of text sent by a server to a Web client (usually a browser) and then sent back unchanged by the client each time it accesses that server. HTTP cookies are used for authenticating, session tracking (state maintenance), and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts.”

A cookie can contain one or more pieces of data, a description and/or URL for an online description of the cookie, how long the Web browser should store the cookie, and the domain, path, and port that the cookie should be limited to. Cookies can be set to expire after a specified interval, or can be “session cookies” that will expire when the Web browser is closed. When a cookie expires, it is deleted by the Web browser. Unexpired cookies are automatically sent back to the originating Web server when the Web browser makes any subsequent requests to the same server (the same domain, path, and port).

Neither Web servers nor Web browsers are required to support cookies, but a server may refuse to work with a Web browser that does not return the cookie(s) it sends. Cookies do not contain any executable code and are extremely small in size. They only contain data sent by the website and the data is not changed by the client computer, so there generally should be no privacy concerns about sending a cookie back to the website that created it (“First-party cookies”).

First-Party and Third-Party Cookies

Cookies are normally only sent to the server setting them or a server in the same domain ( e.g., a cookie set by mail.google.com could be shared with calendar.google.com). These are called first-party cookies because they’re set by the site displayed in the address bar of the Web browser. These cookies are typically used to tailor the website for the user. Third-party cookies, on the other hand, are typically used by advertising networks to track users across multiple Web sites where the networks have placed advertising–which allows the advertising network to target subsequent advertisements to the user’s presumed interests and also to limit the number of times a user is shown a particular ad. This targeting allows the delivery of “smarter” advertising that is less annoying and more informative to the user–and therefore more valuable to the advertiser, who will be willing to pay websites more for their ad space. However, this targeting also raises privacy concerns.

It is trivial for a Web page to contain images or other components stored on servers in other domains (“third-party elements”). In fact, it is often easier to link to an image already hosted online elsewhere than it is to host an image on your own Website.

Examples:

• Typical first-party embedded image:
• Typical third-party embedded image:

Whenever a Web browser loads a Web page or component of a Web page, it will include in its request for that component any cookies already stored on the user’s computer that are associated with the domain hosting the content. The Web server, in turn, can send a cookie or update a cookie already existing on the user’s computer.

Although your Web browser will not send a third-party cookie to the first-party Web server (and it won’t send a first-party cookie to the third-party Web server), the first-party Web server can send information to the third-party Web server by embedding it in the URL for the third-party content. The most common form of this communication between the sites you visit and the sites they rely on for content or ads is called a “web bug”–a small (usually 1 pixel by 1 pixel) graphic not meant to be noticed by the user. Its purpose is to cause the user’s Web browser to load the third-party embedded content from the external Web server, which will allow the third party (usually an advertising network) to track the user.

• Example third-party embedded web bug:

While this all may seem scary and invasive,the fact that a website or ad network can uniquely identify your browser does not mean that they have any clue who you are. Even if you provide your name, email address, or other personally-identifiable information to the first-party Web site, most sites’ privacy policies state that they will not share this information with their advertising partners. To use a real-world analogy, third-party advertising is equivalent to a marketer in a mall watching you come out of a music store and then offering you a flyer for a concert: The marketer may know that you’re interested in music (because you were shopping at the music store), but they have no idea who you are. And as my colleagues Adam Thierer and Berin Szoka explained in their post on Adblock Plus, websites (especially smaller independent websites) depend on advertising as a source of revenue and to cover their overhead costs.

Alternatives to Cookies

Cookies are not the only way websites can do stateful sessions. As has already been mentioned, Websites can put unique identifiers in URLs. But custom URLs don’t last between sessions. Websites that need to remember users ( e.g., websites that charge a fee for access) can require users to create an account and log into the site every time they use it.

But most websites do not require users to create an account and log in every time. And more and more users are configuring their Web browsers to delete all cookies when they close the browser. In response, Web site operators have found other methods to uniquely identify users by storing a unique identifier on users’ computers.

The cookie alternatives listed below are not any more or less invasive of privacy than cookies if the user is aware of them and manages them the same way they manage cookies. But most Web browsers don’t give users the same amount of control over cookie alternatives that they do over cookies, and few users know about these alternatives.

Per-session cookie alternatives – These cookie alternatives are not saved to disk and thus are not accessible after you close your Web browser.

• Hidden form fields – Web pages can contain hidden Web forms that submit data back to the Web server when an on-screen button is pressed. This method is quite limited because it requires the user to click a specific button, and there is no method for saving data after you’ve navigated away from the site. Beyond these limitations, the only way to detect hidden form fields is to inspect the HTML code for a page. There is also no easy way to block hidden form fields.
• window.name – JavaScript embedded in a Web page can set or read the this internal value that’s not really used for anything else. The value can be up to 32 megabytes in size and once set a value can be accessed by any Web site. Although the only way to detect this is to inspect the HTML code for a page, you can disable JavaScript.

Persistent cookie alternatives – These cookie alternatives are like cookies in that they are saved on your computer and can be accessed even after you’ve closed your Web browser.

• Flash Cookies – Also known as Local Shared Objects, Flash cookies require Adobe Flash to be installed on your computer. Whereas HTTP cookies are limited to 4 kilobytes, Flash cookies can contain up to 100 kilobytes by default and can contain an unlimited amount of data if the user desires. To view and delete the Flash cookies stored on your computer, go to this page (although accessed via a Web page, the Flash cookies shown are stored on your computer). You can also permanently disable Flash cookies on that page.
• DOM Storage – DOM storage was designed specifically to allow Web 2.0 applications to work offline, saving data locally when they are unable to access the host website and to save data that would otherwise be lost if a page is accidentally reloaded. DOM storage is currently only implemented in Firefox (and Internet Explorer 8 Beta). If cookies are disabled, DOM storage is also disabled. Users can also manually disable DOM storage even when cookies are enabled.
• userData behavior – The userData behavior does for Internet Explorer what DOM storage does for Firefox. Each “document” is limited to 128 kilobytes of storage, with a per-domain limit of 1024 kilobytes. The data is stored in Internet Explorer’s cache and are deleted when you delete cookies using the Delete Browsing History dialog box.

Conclusion

This article should give you a better sense of what cookies are used for and how they work. You should now see that per-session cookies and cookie alternatives are completely harmless. Persistent cookies (and cookie alternatives) can make your Web browsing a bit easier, but deleting them will not (in most cases) cause any problems. If you are concerned about your privacy, you will need to do a bit more than just delete cookies–you also need to delete or disable the above-mentioned cookie alternatives.

In several of our previous podcasts (see episodes 34, 35,and 37), we’ve discussed what we’ve called the “Comcast Kerfuffle,” which was the controversy surrounding the steps Comcast took to manage BitTorrent traffic on its networks. Critics called it a violation of Net neutrality principles while Comcast and others called it sensible network management.

This week we saw a new kerfuffle of sorts develop over the revelation in a Monday front-page Wall Street Journal story that Google had approached major cable and phone companies and supposedly proposed to create a fast lane for its own content. What exactly is it that Google is proposing, and does it mean – as the Wall Street Journal and some others have suggested – that Google is somehow going back on their support for Net neutrality principles and regulation? More importantly, what does it all mean for the future of the Internet, network management, and consumers. That’s what we discussed on the TLF’s latest “Tech Policy Weekly” podcast.

Today’s 30-minute discussion featured two of our regular contributors at the TLF, who both wrote about this issue multiple times this week. Cord Blomquist of the Competitive Enterprise Institute wrote about the issue here and here, and Bret Swanson of the Progress & Freedom Foundation wrote about it here and here.  To help us wade through some of the more technical networking issues in play, we were also joined on the podcast by Richard Bennett, a computer scientist and network engineer guru who blogs at Broadband Politics as well as Circle ID and he also pens occasional columns for The Register.  Also appearing on the show was Adam Marcus, Research Fellow & Senior Technologist at PFF, who wrote a “nuts and bolts” essay full of excellent technical background on edge caching and net neutrality.

You can download the MP3 file here, or use the online player below to start listening to the show right now.

[display_podcast]

The introduction below was originally written by Adam Thierer, but now that I (Adam Marcus) am a full-fledged TLF member, I have taken authorship.

My PFF colleague Bret Swanson had a nice post here yesterday talking about the evolution of the debate over edge caching and network management (“Bandwidth, Storewidth, and Net Neutrality“), but I also wanted to draw your attention to related essay by another PFF colleague of mine. Adam Marcus, who serves as a Research Fellow and Senior Technologist at PFF, has started a wonderful series of “Nuts & Bolts” essays meant to “provide a solid technical foundation for the policy debates that new technologies often trigger.” His latest essay is on Network neutrality and edge caching, which has been the topic of heated discussion since the Wall Street Journal’s front-page story on Monday that Google had approached major cable and phone companies and supposedly proposed to create a fast lane for its own content.

Anyway, Adam Marcus gave me permission to reprint the article in its entirety down below. I hope you find this background information useful.

Nuts and Bolts: Network neutrality and edge caching

by Adam Marcus, Progress & Freedom Foundation

December 17, 2008

This is the second in a series of articles about Internet technologies. The first article was about web cookies. This article explains the network neutrality debate. The goal of this series is to provide a solid technical foundation for the policy debates that new technologies often trigger. No prior knowledge of the technologies involved is assumed.

To understand the network neutrality debate, you must first understand bandwidth and latency. There are lots of analogies equating the Internet to roadways, but it’s because the analogies are quite instructive. For example, if one or two people need to travel across town, a fast sports car is probably the fastest method. But if 50 people need to travel across town, it may require 25 trips in a single sports car. So a bus which can transport all 50 people in a single trip may be “faster” overall. The sports car is faster, but the bus has more capacity. Bandwidth is a measure of capacity, of how much data can be transmitted in a fixed period of time. It is usually measured in Megabits per second (Mbps). Latency is a measure of speed, of the time it takes a single packet data to travel between two points. It is usually measured in milliseconds. The “speeds” that ISPs advertise have nothing to do with latency; they’re actually referring to bandwidth. ISPs don’t advertise latency because its different for each different site you’re trying to reach. The Internet consists of devices and wires connecting those devices. The speed of data along the wires is fixed–there are no fast lanes and slow lanes. The only way to increase speeds is to either travel a shorter path or to get priority at the routers, the virtual traffic lights of the Internet. ISPs advertise bandwidth because with more bandwidth, more data can get to you in fewer trips, making your broadband connection seem much faster than a dial-up connection.

Sometimes latency and bandwidth are important and sometimes they’re not that important. The typical response time between any two points on the Internet is 1/5th of one second, so the difference between a relatively fast and relatively slow connection isn’t much. If you’re sending an email (without any attachments) or chatting with someone using an Instant Messaging program, you’re not using much bandwidth and if your messages are delayed by a second it’s probably not a problem. Or when Microsoft Windows is downloading system updates in the background, whether the download completes in a few minutes or an hour really doesn’t matter–as long as it completes. The emails and IMs are low-bandwidth and the system updates are usually high-bandwidth, but in both of these examples, latency is not that important. But if you’re playing a real-time online multiplayer game, making a VoIP phone call, videoconferencing, or remotely connecting to another computer using pcAnywhere, GoToMyPC, or Remote Desktop Services, both bandwidth and latency are important. Without a high-bandwidth low-latency connection, you’ll experience drop-outs and lag. NOTE – Latency is a measure of time, so the lower the latency the better.

Latency is most affected by the Internet equivalent to traffic lights: routers. Data transmitted over the Internet is sent in packets which contain a header that specifies, among a few other things, the IP address of the intended destination computer. Between every connection sits a router. For every packet that arrives at every router, the router must look at its header to determine where to send it, and then forward the packet out along the proper connection. Normally, routers inspect and forward packets with almost no delay. But when there are too many packets for a router to handle or the tubes get filled, the packets are temporarily queued in the router’s memory. This queuing imposes some delay. If the memory becomes full, the router drops (deletes) some of the packets and tries to keep going. If the sending computer doesn’t get a response in a certain amount of time, it assumes the packet has been dropped and sends it again, resulting in even more delay. On average, about 6% of packets are lost.

One way to deal with overloaded routers is to simply install more and bigger routers. Another method is to build more connections so packets don’t have to travel through as many routers. But both of these options are costly and it’s not clear whether simply increasing capacity will be enough to keep pace with increasing demand. A third option is to prioritize the packets. Prioritizing packets is kind of like the Mobile InfraRed Transmitter (MIRT) system that allows emergency response vehicles (e.g. fire, police, and EMS) to immediately turn specially-equipped traffic lights green. Most people would probably agree that this form of traffic priortization is a good idea. But when referring to the Internet, talk of traffic prioritization starts arguments.

The Network Neutrality Debate: What’s It All About

The network neutrality debate is a debate about the best method to manage traffic on the Internet. Those who advocate for network neutrality are actually advocating for legislation that would set strict rules for how ISPs manage traffic. They essentially want to re-classify ISPs as common carriers. Those on the other side of the debate believe that the government is unable to set rules for something that changes as rapidly as the Internet. They want ISPs to have complete freedom to experiment with different business models and believe that anything that approaches real discrimination will be swiftly dealt with by market forces.

But what both sides seem to ignore is that traffic must be managed. Even if every connection and router on the Internet is built to carry ten times the expected capacity, there will be occassional outages. It is foolish to believe that routers will never become overburdened–they already do. Current routers already have a system for prioritizing packets when they get overburdened; they just drop all packets received after their buffers are full. This system is fair, but it’s not optimized.

The network neutrality debate needs to shift to a debate on what should be prioritized and how. One way packets can be prioritized is by the type of data they’re carrying. Applications that require low latency would be prioritized and those that don’t require low latency would not be prioritized. But who makes the determinations? What happens if someone hacks their computer to prioritize packets that shouldn’t be? Another method is for ISPs to offer prioritization for a fee. ISPs could determine who should get prioritization based on the source or destination IP address in the packet header, or content providers could pay ISPs to prioritize only packets they tag with a special marker.

Opponents of network neutrality mandates argue that it’s simply not feasible to increase capacity to the extend that would be necessary without prioritization. They believe that with prioritization, they will be able charge more for faster access to those willing to pay, and the increased revenue will provide the funding necessary to upgrade the networks, which will benefit everyone. As the saying goes, a rising tide lifts all boats. Network neutrality advocates fear that if ISPs are allowed to charge for prioritization, they will have no incentive to increase speeds for those who don’t pay for prioritization. While that may be true, price discrimination is very different from other forms of discrimination. It would be a real shame if the net neutrality debate over latency hampered efforts to increase bandwidth. Even common carriers were not restricted from setting different prices for different classes of service, they simply had to offer the same rates to all comers. If those who claim the Internet should be a completely level playing field applied the same logic to the phone system, toll-free numbers wouldn’t be allowed.

Edge Caching: What It Is and Isn’t

Monday’s Wall Street Journal ran an article suggesting that Google is abandoning its stance as an advocate for Network Neutrality because of a plan to set up edge caching servers. Edge caching is just a way to more efficiently balance the costs of storage space and bandwidth in an attempt to decrease latency. It a way to move content “closer” to the end-users that view it to avoid the latency that occurs as packets traverse longer distances across the network.

To continue the roadways analogy, imagine the Internet arranged like a city. The end-users are all in the suburbs and the data they want to access is downtown in the network’s “core.” With this model, every request from a user needs to “commute” from the suburbs to the core, and the requested data needs to then travel from the core all the way back to the suburbs. Just like companies realized that setting up satellite offices nearer to its workers would decrease commuting times and increase productivity, content providers have realized that setting up edge caching servers at major ISPs decreases latency and saves on bandwidth costs.

Edge caching doesn’t work for all types of Internet content. If the content changes rapidly, edge caching doesn’t save much bandwidth because you’re constantly pushing new content to the edge servers. But for popular YouTube videos, edge caching is a great way for Google to save on bandwidth costs. Before Google bought YouTube, YouTube outsourced the hosting of its videos to edge caching provider LimeLight. So its no surprise that Google is now looking to do the same with its own edge caching servers.

The fact that Google can afford to set up edge caching servers around the network does give it a bit of an advantage. But the advantage is mostly a savings in bandwidth costs for the content provider. The use of edge servers is meant to be almost unperceptable to users. Accessing content from edge servers may be a bit faster for users, but nobody is being discriminated against and most content on the Internet is not latency-sensitive. In the example of Internet video, the difference between playing a video hosted on an edge caching server versus playing video from a server located far away may be just a matter of a few seconds delay before the video begins playing.

Some, like the Wall Street Journal, argue that even edge caching violates the net neutrality principle of the Internet being a level playing field. I would suggest that only discriminatory practices, such as an ISP offering packet prioritization to only some companies, should be considered a violation of net neutrality principles.

As Google points out, other companies are free to set up their own edge caching servers or use one of the many companies that offer edge caching services. There have been economies of scale in other industries for generations. The fact that edge caching provides economies of scale for Internet content providers is not a game changer. On the Internet, just as in other media industries, it’s not who can get their goods to market the fastest, it’s whose content best satisfies their audiences.

— Adam Marcus (adamm@pff.org)

The introduction below was originally written by Berin Szoka, but now that I (Adam Marcus) am a full-fledged TLF member, I have taken authorship.

Adam Marcus, our exceptionally tech-savvy new research assistant at PFF, has published his first piece at the PFF blog, which I reprint here for your edification.

Today Google’s DC office hosted an interesting panel on cloud computing.  What was missing was a good definition of what “cloud computing” actually is.

While Wikipedia has its own broad definition of cloud computing, many think of cloud computing more narrowly as strictly web-based for which clients need nothing but a web browser. But that definition doesn’t cover things like Skype and SETI@home.  And just because PFF has implemented Outlook Web Access so we can access the Exchange server via the Web, doesn’t necessarily mean we’ve implemented what most people might think of as “cloud computing.”  Yet these are all variations on a common theme, which leads me to propose my own basic definition: any client/server system that operates over the Internet.

To understand the potential policy and legal issues raised by cloud computing so-defined, one must break down the discussion into a 4-part grid.  One axis is divided into private data ( e.g., email) and public data (e.g., photo sharing).  The other axis is divided into data hosted on a single server or centralized server farm and data hosted on multiple computers in a dynamic peer-to-peer network (e.g., BitTorrent file sharing).

There are also a great number of peer-to-peer cloud computing projects that don’t require the sharing of user data.  SETI@home may be the most well-known example:  When the Search for Extra-Terrestrial Intelligence (SETI) project lost its funding and could no longer afford the massive servers it used to process the data from its radiotelescopes, it realized that it could distribute the work to Internet users in the form of a screensaver (thus the SETI work would only be done when a user’s computer was idle).

It is encouraging to see that Congress is no longer considering simply outlawing cloud computing (which used to be called distributed computing), but if there is to be an intelligible debate about policy responses to cloud computing, we must define our terms and realize that policies beneficial to some forms of cloud computing may complicate-sometimes fatally, in business terms-other forms.  For example, regulations imposed on companies storing users’ personal data may stymie peer-to-peer backup applications like Wuala, which distributes each user’s backup data to other users, but uses encryption to prevent users from accessing the data they’re storing for others. Wuala might be forced to close down if regulations requiring companies to keep records for a set period of time or follow separate procedures for minors were interpreted to apply to each Wuala user.

As Georgetown CCT professor Mike Nelson explained at the Google workshop, technology generally follows a clear evolution in the following steps: from hardware to software to people to organizations to policy.  It’s taken a long time to educate lawmakers about the Internet.  Today’s panelists all seemed to agree that cloud computing could be “the next big thing.”  That necessarily means that the education process for lawmakers needs to start all over again, explaining the ways in which cloud computing is similar to prior technologies, the ways it’s different, and the salient differences among the four broad categories of cloud computing described above.  Until that’s done, any talk of legislation in this area is simply premature.