Slashdot Mirror

smarek writes "The 'Truth in Caller ID Act' passed the US House of Representatives on Wednesday. The legislation is trying to outlaw Caller ID spoofing. In some cases, this spoofing has led to individuals giving out information that has led to identity theft. Last year the NYPD discovered over 6,000 victims of Caller ID spoofing, who together lost a total of $15 million. A companion bill has already been passed by the Senate, and the two are on their way to 'informal conference to reconcile any differences.' The bill that results will most likely pass." PCWorld's coverage notes that callers will still be able to block their information entirely, and that the bill may have negative consequences for legitimate phone-related services, such as Google Voice.

Frequent Slashdot contributor Bennett Haselton writes with his take on the recent Time Warner Cable fiasco: "Net Neutrality crusaders at FreePress.net recently called attention to Time Warner's plan (later rescinded) to impose fines on users for going over bandwidth limits. I agree generally, but I think this is easily confused with the reasoning in favor of Net Neutrality, and it's important to keep the arguments separate." Read on for the rest of Bennett's thoughts.

On April 13th I received an e-mail from FreePress.net, one of the organizations that led the fight in favor of Net Neutrality:

Just as we're suffering economically, Time Warner Cable is trying to squeeze us even further, forcing millions of customers to pay steep fees for exceeding an absurdly low monthly limit on Internet use. [...] The company's scheme would cost customers $15 per month for one gigabyte — the equivalent of one 30-minute HD television show — with a penalty fee of $2 for every additional gigabyte over the limit.

Later, FreePress.net triumphantly announced that Time Warner had reversed their position. Now, I would appear to have painted myself into a corner on this issue, because I wrote in an editorial two years ago arguing in favor of Net Neutrality:

[Net Neutrality is] not about how much a service costs, but about the ethics of double-billing for it. [...] If vastly more people start trying to stream CNN over the Internet 24/7, and fully using the services that ISPs have "only been pretending to sell," as Brad Templeton put it, then ISPs may have to charge more for users who consume too much bandwidth, encouraging people to stay at today's average levels by rationing themselves and perhaps watching 24 on their $5,000 TV sets sometimes instead of downloading it off of BitTorrent to their laptop every week because it makes them feel like a haX0r. Much as we all love our unmetered connections, it wouldn't be a violation of Net Neutrality for ISPs to charge users for bandwidth hogging, to keep everyone from going too far above today's levels.

And yet, even after writing those words, I still think there is an argument against letting ISPs impose bandwidth fines, at least under some conditions. However, I think the argument is completely separate from the argument in favor of Net Neutrality, so it's important to derive both of them independently of each other.

I would try to make both arguments by deriving the conclusions from first principles. This might seem pedantic at times, but I think it's helpful to have a precise mathematical-style "proof" of why a conclusion follows from its premises, because then you can see how changing one premise would change the conclusion.

To me the simplest argument in favor of Net Neutrality follows from three assumptions. You don't have to agree with the assumptions, but I think that all three of them are obvious because the opposite would be untenable.

1. An ISP that blocks (or slows access to) certain websites is defrauding its users UNLESS either (a) the ISP has made its users aware of the filtering, or (b) it's overwhelmingly clear that the filtering protects the users or improves their experience (so more experienced users would assume it is taking place anyway). If your ISP has told you that they're selling "Internet access" but they're silently blocking some Web sites, then this is straightforward. You're paying for one thing, and the ISP is selling you something else that is inferior. In the incident that I wrote about, ISPs like Rogers.com that used AboveNet as their upstream provider, were actually blocking their subscribers from reaching certain websites, even though their customers thought they were getting unfiltered Internet access. Now if the ISP advertises that its Internet connections are filtered, as some "family friendly" providers do — so that virtually all users knew about the filtering — then this would not be a violation of Net Neutrality. And if the ISP is blocking mail from actual spam sources, then this is something that protects users and improves their experience, and so is usually not considered a violation of Net Neutrality either. But if the ISP is silently blocking access to Web sites, or blocking mail from servers that are not sending spam but simply because the ISP owner has a political disagreement with those server owners, then that would violate this principle.

2. "Make its customers aware" means just that — make its customers aware — and not bury something in the Terms of Service. Imagine if the opposite principle were accepted — that websites and software vendors could do anything they wanted as long as they put the right disclaimer in the 23rd paragraph of their site's or program's "Terms of Service" that nobody reads. Scam artists' eyes everywhere would light up with dollar signs thinking of the possibilities: Create a popular program and get people to install it, while putting a clause deep in the TOS that permits them to remotely take over your computer after you've installed their software! Or for a real-world example, Yahoo! once tried to amend the GeoCities Terms of Service to give Yahoo! the copyright on any content uploaded by their users. Yahoo! reversed itself after a public backlash, but even if they hadn't, it would have been good public policy for a court to say that Yahoo!'s copyright claim on their users' content was invalid. You can, of course, strengthen your legal rights by putting the right language in your Terms of Service, but it would mean total chaos if companies could bury "gotchas" in your TOS that are wildly contrary to what users are reasonably likely to assume.

3. If company A sells something to company B which company B then re-sells to the public, but company B almost certainly cannot resell the good without committing fraud as outlined above, then company A is complicit in the fraud as well. Some of AboveNet's defenders argued that they mostly sold Internet connectivity to ISPs, not to the public, and the ISPs knew that the connections were filtered. Even assuming this were true, the ISPs still would not be able to re-sell the service to the public without representing it as "regular Internet access" — nobody would pay full price for a broken or degraded connection when a competitor could offer a regular connection for the same price.

So, an ISP that blocks or degrades access to certain Web sites, when users think they are getting full unfettered Internet access, is cheating customers (or, in the case of a backbone provider, complicit in the downstream ISPs cheating their customers) in violation of the principles of Net Neutrality. QED. I would tentatively call these assumptions airtight; at least, I cannot think of any corporate behavior that violates one or more of these principles and should be allowed under good public policy.

By contrast, the argument against Net Neutrality — that the free market will ensure that ISPs provide effective service without the need for government regulation — relies on assumptions that might sound reasonable, but have loopholes, and the loopholes are precisely where Net Neutrality violations can slip through. An anti-Net-Neutrality editorial by Sonia Arrison, for example, argued that "consumers would never stand for blocked Web sites." However, in the case of AboveNet's filtering, downstream users did of course "stand for it," because they didn't know about it, and the natural assumption, when the user sees a website not responding, is to think that the site is down, not that their provider blocked it.

But the argument against bandwidth fines is different. While "broken" Internet access could never be sold to the public without some sort of misrepresentation, it is conceivable that people would still pay for Internet access even if the price were $15 for the first 1 GB and $2 per GB after that. However, it would still be good public policy to prohibit two variants of this scheme: (a) ISPs silently racking up charges, scummy-cell-phone-company style, against users who may not realize what charges they're incurring, and then shocking them with overage bills at the end of the month; and (b) ISPs charging draconian bandwidth fines in cases where they have a monopoly, or near-monopoly, on users' Internet access options.

Prohibiting "shock" overage bills essentially follows from principles #1 and #2 above — users should know what they're getting, and sneaking something into the fine print doesn't count. If someone is approaching their bandwidth limit, and is on track to run over (and incur a lot of charges) before the end of the month, it wouldn't be too much trouble to send them an e-mail or an automated (or live) phone call to warn the user what's going on. If the ISP objects that this would cost them too much, I'd say I'll happily pay $1 for the trouble of them placing a call to my house if it saved me $20 in surprise overages.

Prohibiting bandwidth fines in the case of monopoly situations simply follows from the principle that without competition, the bandwidth overage fees are likely to be much higher than they would be in a competitive market. It may not be the motivation of the ISP simply to make as much money as possible; perhaps they want to discourage high-bandwidth usage for other reasons. As FreePress.net theorized about the proposed Time Warner bandwidth surcharges: "This trick is designed to make customers think twice before switching off their cable TV and finding the shows they want online." But whether it's to squeeze subscribers for extra money or to stop them from streaming content from the Internet, either way, the plan could not be sustainable if users can find higher bandwidth at a lower cost from other providers. For most of its subscribers, Time Warner doesn't have a pure monopoly — in some areas, you can get only one cable Internet provider and only one DSL provider, but the two still compete with each other to provide "Internet access," and other areas have a choice between cable providers. However, in a situation with only a small number of competitors, companies can still keep prices higher than they would in a purely competitive market, because there are fewer chances for an upstart competitor to find ways to provide a more efficient service at a lower cost.

What if neither of these conditions were true? If an ISP actually did make sure that its subscribers knew about the bandwidth limits, and users got warnings if they were approaching those limits, and there were enough competing providers to ensure real competition, then in that situation it would be harder to make an argument against the bandwidth surcharges. (Admittedly, it may be something of an academic point, because there are so few situations where there are "enough competing providers" to guarantee healthy competition.)

But it's important to keep the arguments for Net Neutrality separate from the arguments against bandwidth surcharges. Bandwidth fines are bad mainly when there are few competing providers, because it will be hard for users to get a better deal somewhere else, and providers like Time Warner may have a vested interest in keeping users' bandwidth limits low to keep them glued to their TV. Violations of Net Neutrality are bad regardless of whether there are few or many competing providers, because users cannot avoid the harm if they're unlikely to discover what's happening in the first place.

A number of readers clued us to the latest development in the saga of te sale of DoubleClick: Google has thrown its hat into the ring against Microsoft and (reportedly) Yahoo and AOL. Most of the stories quote a Wall Street Journal piece that is only available to subscribers. Google's entry into the bidding may boost the price for the remaining pieces of DoubleClick (parts of the company having already been sold off) to $2 billion, twice what its current owners paid for the whole thing. Some reports speculate that this figure could give Microsoft pause.

Slashdot contributor Bennett Haselton writes "A recurring theme in editorials about Net Neutrality -- broadly defined as the principle that ISPs may not block or degrade access to sites based on their content or ownership (with exceptions for clearly delineated services like parental controls) -- is that it is a "solution in search of a problem", that ISPs in the free world have never actually blocked legal content on purpose. True, the movement is mostly motivated by statements by some ISPs about what they might do in the future, such as slow down customers' access to sites if the sites haven't paid a fast-lane "toll". But there was also an oft-forgotten episode in 2000 when it was revealed that two backbone providers, AboveNet and TeleGlobe, had been blocking users' access to certain Web sites for over a year -- not due to a configuration error, but by the choice of management within those companies. Maybe I'm biased, since one of the Web sites being blocked was mine. But I think this incident is more relevant than ever now -- not just because it shows that prolonged violations of Net Neutrality can happen, but because some of the people who organized or supported AboveNet's Web filtering, are people in fairly influential positions today, including the head of the Internet Systems Consortium, the head of the IRTF's Anti-Spam Research Group, and the operator of Spamhaus. Which begs the question: If they really believe that backbone companies have the right to silently block Web sites, are some of them headed for a rift with Net Neutrality supporters?" Read on for the rest of his story.

In the aforementioned instance, AboveNet and TeleGlobe were not selling "parental filters" or other common types of filtered Internet access; the users being blocked from our Web sites were adults paying for what they thought were unfiltered Internet connections. What had happened was that AboveNet and TeleGlobe signed up to block Web sites on the Realtime Blackhole List, a list which was widely (but inaccurately) thought to be a list of "spammers", put out by a group called the Mail Abuse Prevention System. (MAPS and the RBL still exist, but under new management and in a form that bears little resemblance to their late-90's forerunners.) Most ISPs that used the RBL used it to filter only incoming e-mail, but AboveNet went all-out and blocked users from even viewing RBL'ed web sites, presumably because two of MAPS's founders, Paul Vixie and Dave Rand, were on the AboveNet board of directors. And it turned out that the RBL not only included spammers, but also Web sites that were not sending mail at all but were blocked because of their content -- in our case, our ISP got blocked because some other customers were selling mailing list software that MAPS believed could be too easily abused by spammers.

These two distinctions -- (1) the distinction between blocking incoming e-mail from spammers, versus blocking Web sites; and (2) the distinction between blocking traffic due to spam activity, versus blocking sites because of their content -- both go to the heart of what Net Neutrality is, and isn't, about. Net Neutrality is about user preferences -- not meaning that as a buzzword, but as an actual guiding principle to figure out what is and is not covered by the cause. If an ISP filters incoming mail from known spammers, that generally improves the user experience, and is something many users would expect an ISP to do anyway. But if an ISP blocks users from reaching Web sites (even, for the sake of argument, the Web sites of actual spammers), then that's generally counteracting the user's wishes -- if the user didn't want to go there, they wouldn't have typed it in. (After all, I visit spammers' Web sites all the time, usually right before I sue them.) Similarly, if an ISP blocks traffic from sites because of spam or other network abuse, that serves to protect their own users. But if an ISP blocks users from viewing sites because of their content, that's generally not expected by users, unless they've specifically signed up for something like parental controls. The Snowe Net Neutrality amendment proposed last year recognized both of these distinctions, and stated that nothing in the amendment would be interpreted to prohibit spam filtering, parental control services, or measures to protect network security.

The MAPS incident thus shaped most of my opinions about Net Neutrality 6 years before the debate even had a name. When I first found out in August 2000 that our ISP was blacklisted, like most people I believed that the RBL really was a list of spammers; after all the MAPS web page said that the RBL was a list of networks that "originate or relay spam". So I called my ISP screaming at them for being incompetent spam-enablers (the culmination of many frustrating issues with them), and saying that if they really were letting customers send spam, or running an insecure server that spammers were hijacking, I would leave on principle, if the cretins managing our server didn't drop it in the lake first. The ISP owner then told me what happened: that the ISP was not blacklisted for spamming customers, but because of the content of the other sites. (Buried in the list of RBL criteria on MAPS's site was the statement that sites could be blacklisted for providing "spam software", although the criteria did not define how they distinguished between spam software and regular mailing list software, which is how our ISP got caught in the net. And the criteria did not disclose anywhere the most controversial feature of the RBL, which is that if an ISP didn't comply, MAPS would start blacklisting other unrelated sites at the same ISP to put more pressure on them.) I agreed that this seemed to be absurd, and said I wouldn't leave the ISP if they were being blackballed just because of the content of hosted pages.

I don't know exactly what the mail software in question did or where MAPS thought the line should be drawn, but I am a purist about content -- it's a long-standing principle among the Internet security community that if a tool exists which exploits a security hole, you don't try to make the software disappear, you fix the hole. And besides, since MAPS and their supporters wanted to blackball ISPs that hosted spamming software (however you defined that), but the same people had never advocated blackballing ISPs that hosted network break-in tools and other cracking programs, for example, then what were they really saying? That spamming someone more unethical than breaking into their network?

But by far the most common objection to my complaint about AboveNet blocking Web sites was, "Hey, if a private company blocks things, as long as they're being honest to their users about it, who cares?" Well, true, but the fact that AboveNet blocked Web sites was not widely known even within the company; when I once called AboveNet feigning ignorance and asking them if they blocked RBL'ed Web sites, the technician who spoke to me said, "No, that wouldn't make any sense." (Well, half right.) Their AUP mentioned "protecting users from spam" but said nothing about blocking Web sites. In fact, other than "family-filtered" ISPs and similar services, I've never heard of any company blocking Web sites that actually did try to make their users aware of it. (On the other hand, even if AboveNet had fully disclosed their filtering, they were still a backbone company selling connectivity mainly to ISPs -- and I think if you sell something wholesale that can only be re-sold to the public by fraudulent means, then you're at least partly complicit in that fraud as well.)

If you're tempted to argue that backbone providers should be allowed to block whatever they want as long as they bury it in their AUP (although AboveNet and TeleGlobe didn't even do that much), just consider: When you access Google from your home computer, have you read the AUP of every network that the packets pass through, to check whether they reserve the right to block or even modify your traffic? Without doing a traceroute, could you even name all the networks that the traffic passes through? Do you really want the burden to be on you to check with all of them every time there's a problem reaching a Web site? Or do you feel like there's an understanding that as long as you pay your bill, they should let you go wherever you want?

Some have argued that if an ISP blocks the user from reaching a Web site, then even if the ISP is defrauding the user, that's still strictly an issue between the user and the ISP. But if a user is trying to reach your Web site, the user is trying to give you something of value: their attention, their eyeballs on your advertisements, sometimes even their money (with the expectation that you will provide them with something in return, of course, like some content worth reading). If the ISP steps in and blocks that, then the ISP has taken something of value that the user was attempting to give to you, and diverted it to serve their own interests. To me that doesn't seem ethically much different from the FedEx driver swiping the chocolates that someone tried to send you for Valentine's Day. Is that just between the sender and FedEx? Or do you have a beef because you didn't get the present that was intended for you, and you had to eat last week's chocolates to cheer up?

The modern-day threats to Net Neutrality are different: slowing access to Web sites unless the site owners pay a "toll", instead of blocking access to sites because of the content of other sites hosted at the same ISP. But they both boil down to the same thing: not giving end users what they have already paid for. If a user buys Internet access, they almost always buy it with the understanding that if they access a site, the content will download as quickly as their connection allows.

Thus the most common misconception about Net Neutrality is that the proponents are fighting against "capitalism" -- ISPs just charging more for different delivery speeds. But ISPs are already charging users for those delivery lines -- including different tiers for different prices. That's capitalism, and it works, with prices falling all the time in a fairly competitive market. But charging publishers for those higher delivery speeds to the user's house, is really more like double-billing, because the user has already been charged once for the lines that the content is coming over, so the ISP is trying to charge the content publisher again for the same service. Of course, if you charge party A for doing X, and then you try to charge party B for the same instance of doing X, and party B doesn't pay up so you don't do X, you're also breaking your deal with A. Brad Templeton of the EFF stated as much on his blog in 2006:

The pipes start off belonging to the ISPs but they sell them to their customers. The customers are buying their line to the middle, where they meet the line from the other user or site they want to talk to. The problem is generated because the carriers all price the lines at lower than they might have to charge if they were all fully saturated, since most users only make limited, partial use of the lines. When new apps increase the amount a typical user needs, it alters the economics of the ISP. They could deal with that by raising prices and really delivering the service they only pretend to sell, or by charging the other end, and breaking the cost contract. They've rattled sabres about doing the latter.

And I think the same is clearly true if, instead of trying to extract money from the content publisher, the ISP tries to extract something else, like an agreement to shut down certain Web sites before the ISP will let their users view other sites hosted at the same company. You can talk all day about how evil those Web sites are, but the ISP has already sold the user a connection with the implied ability to access them.

Anyway, this all came out in 2000 when a Slashdot article revealed that AboveNet had been blocking Web sites, and AboveNet stopped doing it two hours after the article came out. (TeleGlobe stuck with it for a few more months.) But from the hostility of the reaction, you'd think that we had published cartoons in a Danish newspaper showing Paul Vixie with a bomb in his turban. I got more e-mails than I could count arguing that AboveNet had the right to block whatever Web sites they felt like, regardless of whether the end users knew it was happening. To those people, I'd be sincerely interested in their answer to this question: Does that mean they've have no problem if they found out their ISP was silently blocking sites for political reasons? There is a clear line between following user preferences by blocking spam, and countermanding user preferences by blocking sites because of their content -- and once you've crossed that line, where's the logical stopping point? Seriously, I would have liked to have known how they would answer that, if I could have gotten any meaningful dialog going with them, which most of the time I couldn't. At the time, I'd just spent four years telling people that kids looking at porn was a non-issue, and that by the way if their kids came to my Web site I'd even help them get around their blocking software, and I still got more angry e-mails for disclosing the fact that AboveNet blocked Web sites based on their content, than I'd gotten in all the previous four years combined. (A few even accused us of moving into a blacklisted address block on purpose. This was because the actual move happened after the blacklisting was in place, even though I told them all that our ISP had announced the coming move two months before -- repeat, before -- they ever heard from MAPS. Some people were so in love with that "smoking gun" that they didn't believe me; that's their prerogative. But don't take my word for it -- when one supporter wrote to MAPS to ask about un-blocking our site, MAPS officer Kelly Thompson replied:

>Would it be possible to
>selectively unblock peacefire.org (209.211.253.169)?
Technically? Yes, it is. It's a violation of our policy, though, so I can't do so.

I would be willing to help you find other free or reduced cost hosting, however.

It was MAPS's decision, not ours or our ISP's, to have our site blocked. That should settle that once and for all, just as soon as there is peace in the Middle East and a black lesbian in the White House.)

But what do all these people think about Net Neutrality, 6 years later? I tried to track down the influential people who had spoken out supporting AboveNet's blocking of Web sites, or at least their right to block Web sites. My position was, we can agree to disagree on that, but if they really feel that way, why haven't they been speaking out against Net Neutrality? The proposed Snowe amendment was pretty clear:

SEC. 12. INTERNET NEUTRALITY
(a) Duty of Broadband Service Providers- With respect to any broadband service offered to the public, each broadband service provider shall--
(1) not block, interfere with, discriminate against, impair, or degrade the ability of any person to use a broadband service to access, use, send, post, receive, or offer any lawful content, application, or service made available via the Internet.

John Levine, webmaster of Abuse.Net, head of the IRTF's Anti-Spam Research Group, and one of the most vocal critics of Peacefire's campaign against AboveNet's Web filtering, said that he would have opposed the bill but didn't bother because it didn't have much chance of passing. Well, it didn't, but the bill was significant not because of its likelihood of passage, but because it articulated the principles that the Net Neutrality coalition had rallied around, and with the momentum behind the movement, it's likely to achieve at least some of its goals, by legislation or otherwise.

Paul Vixie, Dave Rand, and Steve Linford did not respond to requests for comment on Net Neutrality. But Paul Vixie wrote something very interesting in a May 2006 blog post:

Second, there's network neutrality. In telephone service, the government mandates that all companies providing voice-grade telephony interconnect with eachother at preset rates, thus ensuring that any phone can call any other phone and that new phone companies can enter the field to help ensure competition. In Internet service, the government mandates nothing. Recently SBC (I mean AT&T, I think, is it Wednesday?) rattled its sabre and said that Google and other content supplying companies should be paying for the use of SBC's backbone to reach SBC's eyeballs. Most of us said, uh, what? "Aren't SBC's own customers paying SBC to carry that traffic?" Some of us even said "I am not an eyeball, I am a person!" But anyway, from time to time these Internet companies shut down interconnects in hopes of creating new cash flows among eachother, and until the government regulates this, we're all at risk of higher prices or lower service with zero notice. Some well meaning democrats are trying to challenge this with "network neutrality" legislation, but this probably isn't their year. Or their decade.

San Francisco has a government, though. And if San Francisco owned and operated its own wireless Internet plant, we could mandate that any Internet company wishing to do business in this city interconnect at fair and reasonable cost to all other Internet companies wishing to do business in this city.

"Until the government regulates this"? "Government mandates"? "Fair and reasonable cost"? Quick, call the anti-socialist intervention squad! How long does it take those San Francisco hippies to suck the new arrivals' brains out anyway? Of course, I agree with everything he said. It's just that if you replace "create new cash flows" with "try to get ISPs to remove content from their servers", this describes exactly what Vixie and AboveNet were doing a few years earlier. He's a smart guy, and I'm sure this didn't escape his sense of irony, so perhaps this confirms something I'd suspected all along, which is that Vixie understood the subtleties of the issue better than most of his cheerleaders, and may be having second thoughts about AboveNet's Web-blocking misadventure. From the beginning, in a 1997 interview with Sun World, he sounded like someone trying to at least keep an open mind:

Concentration of power into a single individual: It's very true that power has corrupted every individual in whom it has ever been concentrated in the history of mankind. I do not feel that I am necessarily above whatever elements of human nature give rise to that. I worry about it. Probably other people worry about it more than I do.

Although, he didn't get to making any such frank statements during the controversy over AboveNet's Web site blocking. (Perhaps MAPS's lawyers were worried that he was a little too unfiltered and advised him not to comment; at the time, the MAPS Web site had a "How to sue MAPS" link on the front page.)

Speaking of which, Anne Mitchell, Director of Legal and Public Affairs for MAPS during the time when AboveNet was blocking Web sites, was the only MAPS adherent from the era that I could find who has since clearly and publicly come out against Net Neutrality. In May 2006 she wrote:

Here's the thing that the 3Ns (Net Neutrality Nuts) don't get: bandwidth costs money. And if you can't charge those who use the majority of it accordingly, then you are going to have to amortize it across everybody.

So, if a net neutrality law passes, don't be surprised when your costs to have an Internet account skyrocket.

Because somebody has to pay those bills, and if the law says that the ISPs can't charge the big guys - the big users - differently, it means that they have to charge them the same rate that they charge everyone else. And that means not that their rate will go down, but that everybody else's rate will go up.

And then again in February 2007 in another blog post titled "Towards A Nanny Internet", she wrote, "Network neutrality is the idea that ISPs should be forced to charge everybody the same for their Internet use", grouping it together with proposed anti-bullying and anti-anonymity laws.

Well, points to Anne for being consistent, and for publicly declaring her views in no uncertain terms, which is all I'm asking of the other supporters of AboveNet's website blocking policy. (Although she's coming at it from a different angle this time, "How do we work out who pays for the traffic" rather than "ISPs should be allowed to block whatever they want without telling anybody".) But this is also a textbook example of what I think are the three major fallacies of opposition to Net Neutrality:

First, lumping it together with other examples of unpopular regulation and calling it one more example of Big Government -- an argument also tried in other editorials ("Politicians and public figures alike should realize the absurdity of advocating more red tape to keep the Internet free"). This meme has never really caught on, possibly because groups like the ACLU and the EFF that have traditionally opposed true Internet censorship, have lined up in favor of Net Neutrality. All the proposed "red tape" and "regulation" really says is that if a user attempts to access a Web site over a connection that they've paid for, the ISP may not block or slow down their access, a law which most people would hardly consider tyrannical.

Second, asserting that "Network neutrality is the idea that ISPs should be forced to charge everybody the same for their Internet use." I've never actually heard anyone advocate anything close to that, but a common question among skeptics is why different "tiers" for Internet traffic are really any different from different-tiered pricing for dial-up vs. DSL, or for different levels of Web hosting. The difference is that when users and Web site owners pay for those connections, they are paying for their respective connections to the rest of the Internet. But an ISP charging a Web site owner to carry their traffic the last mile to the user's house, is not charging for a product or service, but really charging a fee not to break a service that they've already agreed to provide to the user.

Which leads to the third misconception: "Here's the thing that the 3Ns (Net Neutrality Nuts) don't get: bandwidth costs money... So, if a net neutrality law passes, don't be surprised when your costs to have an Internet account skyrocket." But it's not about how much a service costs, but about the ethics of double-billing for it. We know that ISP pricing models can already support the total traffic that people consume today, and ISPs do already follow net neutrality principles most of the time, so nobody's costs will "skyrocket" just because a neutrality law passes. If vastly more people start trying to stream CNN over the Internet 24/7, and fully using the services that ISPs have "only been pretending to sell" as Brad Templeton put it, then ISPs may have to charge more for users who consume too much bandwidth, encouraging people to stay at today's average levels by rationing themselves and perhaps watching 24 on their $5,000 TV sets sometimes instead of downloading it off of BitTorrent to their laptop every week because it makes them feel like a haX0r. Much as we all love our unmetered connections, it wouldn't be a violation of Net Neutrality for ISPs to charge users for bandwidth hogging, to keep everyone from going too far above today's levels. What ISPs should not do is charge users for implied full-throttle connections, and then turn around to charge publishers for moving bits over those same lines, or block the connection for any other reason.

So, yes, Virginia, blocking of Web sites does happen -- and by "Virginia", I mean FTC Chairman Deborah Platt Majoras, who said in a speech in August 2006: "I have to say, thus far, proponents of net neutrality regulation have not come to us to explain where the market is failing or what anticompetitive conduct we should challenge; we are open to hearing from them." This was echoed in an editorial later that month from Sonia Arrison of the Pacific Research Institute:

Internet service providers have voluntarily upheld content-neutral practices without the need for government intervention, and consumers would never stand for blocked Web sites... If the loss of net neutrality principles was really a problem, advocates wouldn't need to scare Americans in order to win their support. Using government regulation preemptively to shortchange business partners is a reckless abuse of the public policy process. New laws should be based on facts and reality, not fear and hypothetical situations.

I guess both of those ladies' ISPs must be blocking access to the SaveTheInternet.com Web site, so I e-mailed both of them the coalition's list of examples, and added a note about the AboveNet/TeleGlobe incident as well. No personal response from either of them yet, but I'm sure they just got lost in the shuffle while they were so busy sending out corrections. (On the other hand, I did get a courteous response from Randolph J. May of the Free State Foundation, when I wrote to him about an editorial he penned which also argued that violations have not happened: "It is generally agreed that except for a few isolated and quickly remedied incidents, neither the cable operators nor the telephone companies providing broadband Internet services have blocked, impaired or otherwise restricted subscriber access to the content of unaffiliated entities." He said he hadn't known about the AboveNet/TeleGlobe incident either.)

Another theme in some anti-Net-Neutrality editorials is that existing laws are enough to deal with the problem. In Majoras's speech, she said, "We should not forget that we already have in place an existing law enforcement and regulatory structure." Arrison's echoed that "Numerous federal agencies already have set a basic legal framework in place to preserve fair competition and business practices on the Internet". Well, as Yogi Berra says, in theory, there is no difference between theory and practice, but in practice, there is. After I found out AboveNet and TeleGlobe were blocking my Web site, I called about twenty lawyers in the Bellevue phone book, figuring: I wasn't greedy, but surely there would be financial damages for deceiving users and blocking our site, enough to pay a lawyer in return for handling the case? I think about two lawyers called me back, and they both said that even though what the backbone companies were doing clearly looked like fraud, it would take tens of thousands of dollars just to get started, and even if we ever got to court, the judge could call it however they wanted. Whatever laws exist now, they may help the slightly smaller big guy against the bigger big guy, but are not much use to the little or medium-sized guy.

So, any informed debate about Net Neutrality has to include the fact that, yes, some providers have blocked Web sites on purpose, for long periods of time, and no, the free market didn't fix it by itself. Even if something on that scale never happens again, if the free market and the anti-trust laws didn't automatically correct a case where Web sites were being blocked outright, then it's wishful thinking to think that those forces will prevent ISPs from merely slowing down Web access to sites that haven't paid a "toll", as they have made noises about doing. One AboveNet customer, Sam Knutson, said when he found out about the Web site blocking, "This type of behavior on the part of an ISP is reprehensible. I pay for a pipe and don't expect this type of monkey business." Well, I agree that it's reprehensible; whether we should "expect" more of it or not, depends on how much the Net Neutrality movement achieves its goals.

Slashdot contributor Bennett Haselton writes "A recurring theme in editorials about Net Neutrality -- broadly defined as the principle that ISPs may not block or degrade access to sites based on their content or ownership (with exceptions for clearly delineated services like parental controls) -- is that it is a "solution in search of a problem", that ISPs in the free world have never actually blocked legal content on purpose. True, the movement is mostly motivated by statements by some ISPs about what they might do in the future, such as slow down customers' access to sites if the sites haven't paid a fast-lane "toll". But there was also an oft-forgotten episode in 2000 when it was revealed that two backbone providers, AboveNet and TeleGlobe, had been blocking users' access to certain Web sites for over a year -- not due to a configuration error, but by the choice of management within those companies. Maybe I'm biased, since one of the Web sites being blocked was mine. But I think this incident is more relevant than ever now -- not just because it shows that prolonged violations of Net Neutrality can happen, but because some of the people who organized or supported AboveNet's Web filtering, are people in fairly influential positions today, including the head of the Internet Systems Consortium, the head of the IRTF's Anti-Spam Research Group, and the operator of Spamhaus. Which begs the question: If they really believe that backbone companies have the right to silently block Web sites, are some of them headed for a rift with Net Neutrality supporters?" Read on for the rest of his story.

In the aforementioned instance, AboveNet and TeleGlobe were not selling "parental filters" or other common types of filtered Internet access; the users being blocked from our Web sites were adults paying for what they thought were unfiltered Internet connections. What had happened was that AboveNet and TeleGlobe signed up to block Web sites on the Realtime Blackhole List, a list which was widely (but inaccurately) thought to be a list of "spammers", put out by a group called the Mail Abuse Prevention System. (MAPS and the RBL still exist, but under new management and in a form that bears little resemblance to their late-90's forerunners.) Most ISPs that used the RBL used it to filter only incoming e-mail, but AboveNet went all-out and blocked users from even viewing RBL'ed web sites, presumably because two of MAPS's founders, Paul Vixie and Dave Rand, were on the AboveNet board of directors. And it turned out that the RBL not only included spammers, but also Web sites that were not sending mail at all but were blocked because of their content -- in our case, our ISP got blocked because some other customers were selling mailing list software that MAPS believed could be too easily abused by spammers.

These two distinctions -- (1) the distinction between blocking incoming e-mail from spammers, versus blocking Web sites; and (2) the distinction between blocking traffic due to spam activity, versus blocking sites because of their content -- both go to the heart of what Net Neutrality is, and isn't, about. Net Neutrality is about user preferences -- not meaning that as a buzzword, but as an actual guiding principle to figure out what is and is not covered by the cause. If an ISP filters incoming mail from known spammers, that generally improves the user experience, and is something many users would expect an ISP to do anyway. But if an ISP blocks users from reaching Web sites (even, for the sake of argument, the Web sites of actual spammers), then that's generally counteracting the user's wishes -- if the user didn't want to go there, they wouldn't have typed it in. (After all, I visit spammers' Web sites all the time, usually right before I sue them.) Similarly, if an ISP blocks traffic from sites because of spam or other network abuse, that serves to protect their own users. But if an ISP blocks users from viewing sites because of their content, that's generally not expected by users, unless they've specifically signed up for something like parental controls. The Snowe Net Neutrality amendment proposed last year recognized both of these distinctions, and stated that nothing in the amendment would be interpreted to prohibit spam filtering, parental control services, or measures to protect network security.

The MAPS incident thus shaped most of my opinions about Net Neutrality 6 years before the debate even had a name. When I first found out in August 2000 that our ISP was blacklisted, like most people I believed that the RBL really was a list of spammers; after all the MAPS web page said that the RBL was a list of networks that "originate or relay spam". So I called my ISP screaming at them for being incompetent spam-enablers (the culmination of many frustrating issues with them), and saying that if they really were letting customers send spam, or running an insecure server that spammers were hijacking, I would leave on principle, if the cretins managing our server didn't drop it in the lake first. The ISP owner then told me what happened: that the ISP was not blacklisted for spamming customers, but because of the content of the other sites. (Buried in the list of RBL criteria on MAPS's site was the statement that sites could be blacklisted for providing "spam software", although the criteria did not define how they distinguished between spam software and regular mailing list software, which is how our ISP got caught in the net. And the criteria did not disclose anywhere the most controversial feature of the RBL, which is that if an ISP didn't comply, MAPS would start blacklisting other unrelated sites at the same ISP to put more pressure on them.) I agreed that this seemed to be absurd, and said I wouldn't leave the ISP if they were being blackballed just because of the content of hosted pages.

I don't know exactly what the mail software in question did or where MAPS thought the line should be drawn, but I am a purist about content -- it's a long-standing principle among the Internet security community that if a tool exists which exploits a security hole, you don't try to make the software disappear, you fix the hole. And besides, since MAPS and their supporters wanted to blackball ISPs that hosted spamming software (however you defined that), but the same people had never advocated blackballing ISPs that hosted network break-in tools and other cracking programs, for example, then what were they really saying? That spamming someone more unethical than breaking into their network?

But by far the most common objection to my complaint about AboveNet blocking Web sites was, "Hey, if a private company blocks things, as long as they're being honest to their users about it, who cares?" Well, true, but the fact that AboveNet blocked Web sites was not widely known even within the company; when I once called AboveNet feigning ignorance and asking them if they blocked RBL'ed Web sites, the technician who spoke to me said, "No, that wouldn't make any sense." (Well, half right.) Their AUP mentioned "protecting users from spam" but said nothing about blocking Web sites. In fact, other than "family-filtered" ISPs and similar services, I've never heard of any company blocking Web sites that actually did try to make their users aware of it. (On the other hand, even if AboveNet had fully disclosed their filtering, they were still a backbone company selling connectivity mainly to ISPs -- and I think if you sell something wholesale that can only be re-sold to the public by fraudulent means, then you're at least partly complicit in that fraud as well.)

If you're tempted to argue that backbone providers should be allowed to block whatever they want as long as they bury it in their AUP (although AboveNet and TeleGlobe didn't even do that much), just consider: When you access Google from your home computer, have you read the AUP of every network that the packets pass through, to check whether they reserve the right to block or even modify your traffic? Without doing a traceroute, could you even name all the networks that the traffic passes through? Do you really want the burden to be on you to check with all of them every time there's a problem reaching a Web site? Or do you feel like there's an understanding that as long as you pay your bill, they should let you go wherever you want?

Some have argued that if an ISP blocks the user from reaching a Web site, then even if the ISP is defrauding the user, that's still strictly an issue between the user and the ISP. But if a user is trying to reach your Web site, the user is trying to give you something of value: their attention, their eyeballs on your advertisements, sometimes even their money (with the expectation that you will provide them with something in return, of course, like some content worth reading). If the ISP steps in and blocks that, then the ISP has taken something of value that the user was attempting to give to you, and diverted it to serve their own interests. To me that doesn't seem ethically much different from the FedEx driver swiping the chocolates that someone tried to send you for Valentine's Day. Is that just between the sender and FedEx? Or do you have a beef because you didn't get the present that was intended for you, and you had to eat last week's chocolates to cheer up?

The modern-day threats to Net Neutrality are different: slowing access to Web sites unless the site owners pay a "toll", instead of blocking access to sites because of the content of other sites hosted at the same ISP. But they both boil down to the same thing: not giving end users what they have already paid for. If a user buys Internet access, they almost always buy it with the understanding that if they access a site, the content will download as quickly as their connection allows.

Thus the most common misconception about Net Neutrality is that the proponents are fighting against "capitalism" -- ISPs just charging more for different delivery speeds. But ISPs are already charging users for those delivery lines -- including different tiers for different prices. That's capitalism, and it works, with prices falling all the time in a fairly competitive market. But charging publishers for those higher delivery speeds to the user's house, is really more like double-billing, because the user has already been charged once for the lines that the content is coming over, so the ISP is trying to charge the content publisher again for the same service. Of course, if you charge party A for doing X, and then you try to charge party B for the same instance of doing X, and party B doesn't pay up so you don't do X, you're also breaking your deal with A. Brad Templeton of the EFF stated as much on his blog in 2006:

The pipes start off belonging to the ISPs but they sell them to their customers. The customers are buying their line to the middle, where they meet the line from the other user or site they want to talk to. The problem is generated because the carriers all price the lines at lower than they might have to charge if they were all fully saturated, since most users only make limited, partial use of the lines. When new apps increase the amount a typical user needs, it alters the economics of the ISP. They could deal with that by raising prices and really delivering the service they only pretend to sell, or by charging the other end, and breaking the cost contract. They've rattled sabres about doing the latter.

And I think the same is clearly true if, instead of trying to extract money from the content publisher, the ISP tries to extract something else, like an agreement to shut down certain Web sites before the ISP will let their users view other sites hosted at the same company. You can talk all day about how evil those Web sites are, but the ISP has already sold the user a connection with the implied ability to access them.

Anyway, this all came out in 2000 when a Slashdot article revealed that AboveNet had been blocking Web sites, and AboveNet stopped doing it two hours after the article came out. (TeleGlobe stuck with it for a few more months.) But from the hostility of the reaction, you'd think that we had published cartoons in a Danish newspaper showing Paul Vixie with a bomb in his turban. I got more e-mails than I could count arguing that AboveNet had the right to block whatever Web sites they felt like, regardless of whether the end users knew it was happening. To those people, I'd be sincerely interested in their answer to this question: Does that mean they've have no problem if they found out their ISP was silently blocking sites for political reasons? There is a clear line between following user preferences by blocking spam, and countermanding user preferences by blocking sites because of their content -- and once you've crossed that line, where's the logical stopping point? Seriously, I would have liked to have known how they would answer that, if I could have gotten any meaningful dialog going with them, which most of the time I couldn't. At the time, I'd just spent four years telling people that kids looking at porn was a non-issue, and that by the way if their kids came to my Web site I'd even help them get around their blocking software, and I still got more angry e-mails for disclosing the fact that AboveNet blocked Web sites based on their content, than I'd gotten in all the previous four years combined. (A few even accused us of moving into a blacklisted address block on purpose. This was because the actual move happened after the blacklisting was in place, even though I told them all that our ISP had announced the coming move two months before -- repeat, before -- they ever heard from MAPS. Some people were so in love with that "smoking gun" that they didn't believe me; that's their prerogative. But don't take my word for it -- when one supporter wrote to MAPS to ask about un-blocking our site, MAPS officer Kelly Thompson replied:

>Would it be possible to
>selectively unblock peacefire.org (209.211.253.169)?
Technically? Yes, it is. It's a violation of our policy, though, so I can't do so.

I would be willing to help you find other free or reduced cost hosting, however.

It was MAPS's decision, not ours or our ISP's, to have our site blocked. That should settle that once and for all, just as soon as there is peace in the Middle East and a black lesbian in the White House.)

But what do all these people think about Net Neutrality, 6 years later? I tried to track down the influential people who had spoken out supporting AboveNet's blocking of Web sites, or at least their right to block Web sites. My position was, we can agree to disagree on that, but if they really feel that way, why haven't they been speaking out against Net Neutrality? The proposed Snowe amendment was pretty clear:

SEC. 12. INTERNET NEUTRALITY
(a) Duty of Broadband Service Providers- With respect to any broadband service offered to the public, each broadband service provider shall--
(1) not block, interfere with, discriminate against, impair, or degrade the ability of any person to use a broadband service to access, use, send, post, receive, or offer any lawful content, application, or service made available via the Internet.

John Levine, webmaster of Abuse.Net, head of the IRTF's Anti-Spam Research Group, and one of the most vocal critics of Peacefire's campaign against AboveNet's Web filtering, said that he would have opposed the bill but didn't bother because it didn't have much chance of passing. Well, it didn't, but the bill was significant not because of its likelihood of passage, but because it articulated the principles that the Net Neutrality coalition had rallied around, and with the momentum behind the movement, it's likely to achieve at least some of its goals, by legislation or otherwise.

Paul Vixie, Dave Rand, and Steve Linford did not respond to requests for comment on Net Neutrality. But Paul Vixie wrote something very interesting in a May 2006 blog post:

Second, there's network neutrality. In telephone service, the government mandates that all companies providing voice-grade telephony interconnect with eachother at preset rates, thus ensuring that any phone can call any other phone and that new phone companies can enter the field to help ensure competition. In Internet service, the government mandates nothing. Recently SBC (I mean AT&T, I think, is it Wednesday?) rattled its sabre and said that Google and other content supplying companies should be paying for the use of SBC's backbone to reach SBC's eyeballs. Most of us said, uh, what? "Aren't SBC's own customers paying SBC to carry that traffic?" Some of us even said "I am not an eyeball, I am a person!" But anyway, from time to time these Internet companies shut down interconnects in hopes of creating new cash flows among eachother, and until the government regulates this, we're all at risk of higher prices or lower service with zero notice. Some well meaning democrats are trying to challenge this with "network neutrality" legislation, but this probably isn't their year. Or their decade.

San Francisco has a government, though. And if San Francisco owned and operated its own wireless Internet plant, we could mandate that any Internet company wishing to do business in this city interconnect at fair and reasonable cost to all other Internet companies wishing to do business in this city.

"Until the government regulates this"? "Government mandates"? "Fair and reasonable cost"? Quick, call the anti-socialist intervention squad! How long does it take those San Francisco hippies to suck the new arrivals' brains out anyway? Of course, I agree with everything he said. It's just that if you replace "create new cash flows" with "try to get ISPs to remove content from their servers", this describes exactly what Vixie and AboveNet were doing a few years earlier. He's a smart guy, and I'm sure this didn't escape his sense of irony, so perhaps this confirms something I'd suspected all along, which is that Vixie understood the subtleties of the issue better than most of his cheerleaders, and may be having second thoughts about AboveNet's Web-blocking misadventure. From the beginning, in a 1997 interview with Sun World, he sounded like someone trying to at least keep an open mind:

Concentration of power into a single individual: It's very true that power has corrupted every individual in whom it has ever been concentrated in the history of mankind. I do not feel that I am necessarily above whatever elements of human nature give rise to that. I worry about it. Probably other people worry about it more than I do.

Although, he didn't get to making any such frank statements during the controversy over AboveNet's Web site blocking. (Perhaps MAPS's lawyers were worried that he was a little too unfiltered and advised him not to comment; at the time, the MAPS Web site had a "How to sue MAPS" link on the front page.)

Speaking of which, Anne Mitchell, Director of Legal and Public Affairs for MAPS during the time when AboveNet was blocking Web sites, was the only MAPS adherent from the era that I could find who has since clearly and publicly come out against Net Neutrality. In May 2006 she wrote:

Here's the thing that the 3Ns (Net Neutrality Nuts) don't get: bandwidth costs money. And if you can't charge those who use the majority of it accordingly, then you are going to have to amortize it across everybody.

So, if a net neutrality law passes, don't be surprised when your costs to have an Internet account skyrocket.

Because somebody has to pay those bills, and if the law says that the ISPs can't charge the big guys - the big users - differently, it means that they have to charge them the same rate that they charge everyone else. And that means not that their rate will go down, but that everybody else's rate will go up.

And then again in February 2007 in another blog post titled "Towards A Nanny Internet", she wrote, "Network neutrality is the idea that ISPs should be forced to charge everybody the same for their Internet use", grouping it together with proposed anti-bullying and anti-anonymity laws.

Well, points to Anne for being consistent, and for publicly declaring her views in no uncertain terms, which is all I'm asking of the other supporters of AboveNet's website blocking policy. (Although she's coming at it from a different angle this time, "How do we work out who pays for the traffic" rather than "ISPs should be allowed to block whatever they want without telling anybody".) But this is also a textbook example of what I think are the three major fallacies of opposition to Net Neutrality:

First, lumping it together with other examples of unpopular regulation and calling it one more example of Big Government -- an argument also tried in other editorials ("Politicians and public figures alike should realize the absurdity of advocating more red tape to keep the Internet free"). This meme has never really caught on, possibly because groups like the ACLU and the EFF that have traditionally opposed true Internet censorship, have lined up in favor of Net Neutrality. All the proposed "red tape" and "regulation" really says is that if a user attempts to access a Web site over a connection that they've paid for, the ISP may not block or slow down their access, a law which most people would hardly consider tyrannical.

Second, asserting that "Network neutrality is the idea that ISPs should be forced to charge everybody the same for their Internet use." I've never actually heard anyone advocate anything close to that, but a common question among skeptics is why different "tiers" for Internet traffic are really any different from different-tiered pricing for dial-up vs. DSL, or for different levels of Web hosting. The difference is that when users and Web site owners pay for those connections, they are paying for their respective connections to the rest of the Internet. But an ISP charging a Web site owner to carry their traffic the last mile to the user's house, is not charging for a product or service, but really charging a fee not to break a service that they've already agreed to provide to the user.

Which leads to the third misconception: "Here's the thing that the 3Ns (Net Neutrality Nuts) don't get: bandwidth costs money... So, if a net neutrality law passes, don't be surprised when your costs to have an Internet account skyrocket." But it's not about how much a service costs, but about the ethics of double-billing for it. We know that ISP pricing models can already support the total traffic that people consume today, and ISPs do already follow net neutrality principles most of the time, so nobody's costs will "skyrocket" just because a neutrality law passes. If vastly more people start trying to stream CNN over the Internet 24/7, and fully using the services that ISPs have "only been pretending to sell" as Brad Templeton put it, then ISPs may have to charge more for users who consume too much bandwidth, encouraging people to stay at today's average levels by rationing themselves and perhaps watching 24 on their $5,000 TV sets sometimes instead of downloading it off of BitTorrent to their laptop every week because it makes them feel like a haX0r. Much as we all love our unmetered connections, it wouldn't be a violation of Net Neutrality for ISPs to charge users for bandwidth hogging, to keep everyone from going too far above today's levels. What ISPs should not do is charge users for implied full-throttle connections, and then turn around to charge publishers for moving bits over those same lines, or block the connection for any other reason.

So, yes, Virginia, blocking of Web sites does happen -- and by "Virginia", I mean FTC Chairman Deborah Platt Majoras, who said in a speech in August 2006: "I have to say, thus far, proponents of net neutrality regulation have not come to us to explain where the market is failing or what anticompetitive conduct we should challenge; we are open to hearing from them." This was echoed in an editorial later that month from Sonia Arrison of the Pacific Research Institute:

Internet service providers have voluntarily upheld content-neutral practices without the need for government intervention, and consumers would never stand for blocked Web sites... If the loss of net neutrality principles was really a problem, advocates wouldn't need to scare Americans in order to win their support. Using government regulation preemptively to shortchange business partners is a reckless abuse of the public policy process. New laws should be based on facts and reality, not fear and hypothetical situations.

I guess both of those ladies' ISPs must be blocking access to the SaveTheInternet.com Web site, so I e-mailed both of them the coalition's list of examples, and added a note about the AboveNet/TeleGlobe incident as well. No personal response from either of them yet, but I'm sure they just got lost in the shuffle while they were so busy sending out corrections. (On the other hand, I did get a courteous response from Randolph J. May of the Free State Foundation, when I wrote to him about an editorial he penned which also argued that violations have not happened: "It is generally agreed that except for a few isolated and quickly remedied incidents, neither the cable operators nor the telephone companies providing broadband Internet services have blocked, impaired or otherwise restricted subscriber access to the content of unaffiliated entities." He said he hadn't known about the AboveNet/TeleGlobe incident either.)

Another theme in some anti-Net-Neutrality editorials is that existing laws are enough to deal with the problem. In Majoras's speech, she said, "We should not forget that we already have in place an existing law enforcement and regulatory structure." Arrison's echoed that "Numerous federal agencies already have set a basic legal framework in place to preserve fair competition and business practices on the Internet". Well, as Yogi Berra says, in theory, there is no difference between theory and practice, but in practice, there is. After I found out AboveNet and TeleGlobe were blocking my Web site, I called about twenty lawyers in the Bellevue phone book, figuring: I wasn't greedy, but surely there would be financial damages for deceiving users and blocking our site, enough to pay a lawyer in return for handling the case? I think about two lawyers called me back, and they both said that even though what the backbone companies were doing clearly looked like fraud, it would take tens of thousands of dollars just to get started, and even if we ever got to court, the judge could call it however they wanted. Whatever laws exist now, they may help the slightly smaller big guy against the bigger big guy, but are not much use to the little or medium-sized guy.

So, any informed debate about Net Neutrality has to include the fact that, yes, some providers have blocked Web sites on purpose, for long periods of time, and no, the free market didn't fix it by itself. Even if something on that scale never happens again, if the free market and the anti-trust laws didn't automatically correct a case where Web sites were being blocked outright, then it's wishful thinking to think that those forces will prevent ISPs from merely slowing down Web access to sites that haven't paid a "toll", as they have made noises about doing. One AboveNet customer, Sam Knutson, said when he found out about the Web site blocking, "This type of behavior on the part of an ISP is reprehensible. I pay for a pipe and don't expect this type of monkey business." Well, I agree that it's reprehensible; whether we should "expect" more of it or not, depends on how much the Net Neutrality movement achieves its goals.

Slashdot contributor Bennett Haselton writes "A recurring theme in editorials about Net Neutrality -- broadly defined as the principle that ISPs may not block or degrade access to sites based on their content or ownership (with exceptions for clearly delineated services like parental controls) -- is that it is a "solution in search of a problem", that ISPs in the free world have never actually blocked legal content on purpose. True, the movement is mostly motivated by statements by some ISPs about what they might do in the future, such as slow down customers' access to sites if the sites haven't paid a fast-lane "toll". But there was also an oft-forgotten episode in 2000 when it was revealed that two backbone providers, AboveNet and TeleGlobe, had been blocking users' access to certain Web sites for over a year -- not due to a configuration error, but by the choice of management within those companies. Maybe I'm biased, since one of the Web sites being blocked was mine. But I think this incident is more relevant than ever now -- not just because it shows that prolonged violations of Net Neutrality can happen, but because some of the people who organized or supported AboveNet's Web filtering, are people in fairly influential positions today, including the head of the Internet Systems Consortium, the head of the IRTF's Anti-Spam Research Group, and the operator of Spamhaus. Which begs the question: If they really believe that backbone companies have the right to silently block Web sites, are some of them headed for a rift with Net Neutrality supporters?" Read on for the rest of his story.

In the aforementioned instance, AboveNet and TeleGlobe were not selling "parental filters" or other common types of filtered Internet access; the users being blocked from our Web sites were adults paying for what they thought were unfiltered Internet connections. What had happened was that AboveNet and TeleGlobe signed up to block Web sites on the Realtime Blackhole List, a list which was widely (but inaccurately) thought to be a list of "spammers", put out by a group called the Mail Abuse Prevention System. (MAPS and the RBL still exist, but under new management and in a form that bears little resemblance to their late-90's forerunners.) Most ISPs that used the RBL used it to filter only incoming e-mail, but AboveNet went all-out and blocked users from even viewing RBL'ed web sites, presumably because two of MAPS's founders, Paul Vixie and Dave Rand, were on the AboveNet board of directors. And it turned out that the RBL not only included spammers, but also Web sites that were not sending mail at all but were blocked because of their content -- in our case, our ISP got blocked because some other customers were selling mailing list software that MAPS believed could be too easily abused by spammers.

These two distinctions -- (1) the distinction between blocking incoming e-mail from spammers, versus blocking Web sites; and (2) the distinction between blocking traffic due to spam activity, versus blocking sites because of their content -- both go to the heart of what Net Neutrality is, and isn't, about. Net Neutrality is about user preferences -- not meaning that as a buzzword, but as an actual guiding principle to figure out what is and is not covered by the cause. If an ISP filters incoming mail from known spammers, that generally improves the user experience, and is something many users would expect an ISP to do anyway. But if an ISP blocks users from reaching Web sites (even, for the sake of argument, the Web sites of actual spammers), then that's generally counteracting the user's wishes -- if the user didn't want to go there, they wouldn't have typed it in. (After all, I visit spammers' Web sites all the time, usually right before I sue them.) Similarly, if an ISP blocks traffic from sites because of spam or other network abuse, that serves to protect their own users. But if an ISP blocks users from viewing sites because of their content, that's generally not expected by users, unless they've specifically signed up for something like parental controls. The Snowe Net Neutrality amendment proposed last year recognized both of these distinctions, and stated that nothing in the amendment would be interpreted to prohibit spam filtering, parental control services, or measures to protect network security.

The MAPS incident thus shaped most of my opinions about Net Neutrality 6 years before the debate even had a name. When I first found out in August 2000 that our ISP was blacklisted, like most people I believed that the RBL really was a list of spammers; after all the MAPS web page said that the RBL was a list of networks that "originate or relay spam". So I called my ISP screaming at them for being incompetent spam-enablers (the culmination of many frustrating issues with them), and saying that if they really were letting customers send spam, or running an insecure server that spammers were hijacking, I would leave on principle, if the cretins managing our server didn't drop it in the lake first. The ISP owner then told me what happened: that the ISP was not blacklisted for spamming customers, but because of the content of the other sites. (Buried in the list of RBL criteria on MAPS's site was the statement that sites could be blacklisted for providing "spam software", although the criteria did not define how they distinguished between spam software and regular mailing list software, which is how our ISP got caught in the net. And the criteria did not disclose anywhere the most controversial feature of the RBL, which is that if an ISP didn't comply, MAPS would start blacklisting other unrelated sites at the same ISP to put more pressure on them.) I agreed that this seemed to be absurd, and said I wouldn't leave the ISP if they were being blackballed just because of the content of hosted pages.

I don't know exactly what the mail software in question did or where MAPS thought the line should be drawn, but I am a purist about content -- it's a long-standing principle among the Internet security community that if a tool exists which exploits a security hole, you don't try to make the software disappear, you fix the hole. And besides, since MAPS and their supporters wanted to blackball ISPs that hosted spamming software (however you defined that), but the same people had never advocated blackballing ISPs that hosted network break-in tools and other cracking programs, for example, then what were they really saying? That spamming someone more unethical than breaking into their network?

But by far the most common objection to my complaint about AboveNet blocking Web sites was, "Hey, if a private company blocks things, as long as they're being honest to their users about it, who cares?" Well, true, but the fact that AboveNet blocked Web sites was not widely known even within the company; when I once called AboveNet feigning ignorance and asking them if they blocked RBL'ed Web sites, the technician who spoke to me said, "No, that wouldn't make any sense." (Well, half right.) Their AUP mentioned "protecting users from spam" but said nothing about blocking Web sites. In fact, other than "family-filtered" ISPs and similar services, I've never heard of any company blocking Web sites that actually did try to make their users aware of it. (On the other hand, even if AboveNet had fully disclosed their filtering, they were still a backbone company selling connectivity mainly to ISPs -- and I think if you sell something wholesale that can only be re-sold to the public by fraudulent means, then you're at least partly complicit in that fraud as well.)

If you're tempted to argue that backbone providers should be allowed to block whatever they want as long as they bury it in their AUP (although AboveNet and TeleGlobe didn't even do that much), just consider: When you access Google from your home computer, have you read the AUP of every network that the packets pass through, to check whether they reserve the right to block or even modify your traffic? Without doing a traceroute, could you even name all the networks that the traffic passes through? Do you really want the burden to be on you to check with all of them every time there's a problem reaching a Web site? Or do you feel like there's an understanding that as long as you pay your bill, they should let you go wherever you want?

Some have argued that if an ISP blocks the user from reaching a Web site, then even if the ISP is defrauding the user, that's still strictly an issue between the user and the ISP. But if a user is trying to reach your Web site, the user is trying to give you something of value: their attention, their eyeballs on your advertisements, sometimes even their money (with the expectation that you will provide them with something in return, of course, like some content worth reading). If the ISP steps in and blocks that, then the ISP has taken something of value that the user was attempting to give to you, and diverted it to serve their own interests. To me that doesn't seem ethically much different from the FedEx driver swiping the chocolates that someone tried to send you for Valentine's Day. Is that just between the sender and FedEx? Or do you have a beef because you didn't get the present that was intended for you, and you had to eat last week's chocolates to cheer up?

The modern-day threats to Net Neutrality are different: slowing access to Web sites unless the site owners pay a "toll", instead of blocking access to sites because of the content of other sites hosted at the same ISP. But they both boil down to the same thing: not giving end users what they have already paid for. If a user buys Internet access, they almost always buy it with the understanding that if they access a site, the content will download as quickly as their connection allows.

Thus the most common misconception about Net Neutrality is that the proponents are fighting against "capitalism" -- ISPs just charging more for different delivery speeds. But ISPs are already charging users for those delivery lines -- including different tiers for different prices. That's capitalism, and it works, with prices falling all the time in a fairly competitive market. But charging publishers for those higher delivery speeds to the user's house, is really more like double-billing, because the user has already been charged once for the lines that the content is coming over, so the ISP is trying to charge the content publisher again for the same service. Of course, if you charge party A for doing X, and then you try to charge party B for the same instance of doing X, and party B doesn't pay up so you don't do X, you're also breaking your deal with A. Brad Templeton of the EFF stated as much on his blog in 2006:

The pipes start off belonging to the ISPs but they sell them to their customers. The customers are buying their line to the middle, where they meet the line from the other user or site they want to talk to. The problem is generated because the carriers all price the lines at lower than they might have to charge if they were all fully saturated, since most users only make limited, partial use of the lines. When new apps increase the amount a typical user needs, it alters the economics of the ISP. They could deal with that by raising prices and really delivering the service they only pretend to sell, or by charging the other end, and breaking the cost contract. They've rattled sabres about doing the latter.

And I think the same is clearly true if, instead of trying to extract money from the content publisher, the ISP tries to extract something else, like an agreement to shut down certain Web sites before the ISP will let their users view other sites hosted at the same company. You can talk all day about how evil those Web sites are, but the ISP has already sold the user a connection with the implied ability to access them.

Anyway, this all came out in 2000 when a Slashdot article revealed that AboveNet had been blocking Web sites, and AboveNet stopped doing it two hours after the article came out. (TeleGlobe stuck with it for a few more months.) But from the hostility of the reaction, you'd think that we had published cartoons in a Danish newspaper showing Paul Vixie with a bomb in his turban. I got more e-mails than I could count arguing that AboveNet had the right to block whatever Web sites they felt like, regardless of whether the end users knew it was happening. To those people, I'd be sincerely interested in their answer to this question: Does that mean they've have no problem if they found out their ISP was silently blocking sites for political reasons? There is a clear line between following user preferences by blocking spam, and countermanding user preferences by blocking sites because of their content -- and once you've crossed that line, where's the logical stopping point? Seriously, I would have liked to have known how they would answer that, if I could have gotten any meaningful dialog going with them, which most of the time I couldn't. At the time, I'd just spent four years telling people that kids looking at porn was a non-issue, and that by the way if their kids came to my Web site I'd even help them get around their blocking software, and I still got more angry e-mails for disclosing the fact that AboveNet blocked Web sites based on their content, than I'd gotten in all the previous four years combined. (A few even accused us of moving into a blacklisted address block on purpose. This was because the actual move happened after the blacklisting was in place, even though I told them all that our ISP had announced the coming move two months before -- repeat, before -- they ever heard from MAPS. Some people were so in love with that "smoking gun" that they didn't believe me; that's their prerogative. But don't take my word for it -- when one supporter wrote to MAPS to ask about un-blocking our site, MAPS officer Kelly Thompson replied:

>Would it be possible to
>selectively unblock peacefire.org (209.211.253.169)?
Technically? Yes, it is. It's a violation of our policy, though, so I can't do so.

I would be willing to help you find other free or reduced cost hosting, however.

It was MAPS's decision, not ours or our ISP's, to have our site blocked. That should settle that once and for all, just as soon as there is peace in the Middle East and a black lesbian in the White House.)

But what do all these people think about Net Neutrality, 6 years later? I tried to track down the influential people who had spoken out supporting AboveNet's blocking of Web sites, or at least their right to block Web sites. My position was, we can agree to disagree on that, but if they really feel that way, why haven't they been speaking out against Net Neutrality? The proposed Snowe amendment was pretty clear:

SEC. 12. INTERNET NEUTRALITY
(a) Duty of Broadband Service Providers- With respect to any broadband service offered to the public, each broadband service provider shall--
(1) not block, interfere with, discriminate against, impair, or degrade the ability of any person to use a broadband service to access, use, send, post, receive, or offer any lawful content, application, or service made available via the Internet.

John Levine, webmaster of Abuse.Net, head of the IRTF's Anti-Spam Research Group, and one of the most vocal critics of Peacefire's campaign against AboveNet's Web filtering, said that he would have opposed the bill but didn't bother because it didn't have much chance of passing. Well, it didn't, but the bill was significant not because of its likelihood of passage, but because it articulated the principles that the Net Neutrality coalition had rallied around, and with the momentum behind the movement, it's likely to achieve at least some of its goals, by legislation or otherwise.

Paul Vixie, Dave Rand, and Steve Linford did not respond to requests for comment on Net Neutrality. But Paul Vixie wrote something very interesting in a May 2006 blog post:

Second, there's network neutrality. In telephone service, the government mandates that all companies providing voice-grade telephony interconnect with eachother at preset rates, thus ensuring that any phone can call any other phone and that new phone companies can enter the field to help ensure competition. In Internet service, the government mandates nothing. Recently SBC (I mean AT&T, I think, is it Wednesday?) rattled its sabre and said that Google and other content supplying companies should be paying for the use of SBC's backbone to reach SBC's eyeballs. Most of us said, uh, what? "Aren't SBC's own customers paying SBC to carry that traffic?" Some of us even said "I am not an eyeball, I am a person!" But anyway, from time to time these Internet companies shut down interconnects in hopes of creating new cash flows among eachother, and until the government regulates this, we're all at risk of higher prices or lower service with zero notice. Some well meaning democrats are trying to challenge this with "network neutrality" legislation, but this probably isn't their year. Or their decade.

San Francisco has a government, though. And if San Francisco owned and operated its own wireless Internet plant, we could mandate that any Internet company wishing to do business in this city interconnect at fair and reasonable cost to all other Internet companies wishing to do business in this city.

"Until the government regulates this"? "Government mandates"? "Fair and reasonable cost"? Quick, call the anti-socialist intervention squad! How long does it take those San Francisco hippies to suck the new arrivals' brains out anyway? Of course, I agree with everything he said. It's just that if you replace "create new cash flows" with "try to get ISPs to remove content from their servers", this describes exactly what Vixie and AboveNet were doing a few years earlier. He's a smart guy, and I'm sure this didn't escape his sense of irony, so perhaps this confirms something I'd suspected all along, which is that Vixie understood the subtleties of the issue better than most of his cheerleaders, and may be having second thoughts about AboveNet's Web-blocking misadventure. From the beginning, in a 1997 interview with Sun World, he sounded like someone trying to at least keep an open mind:

Concentration of power into a single individual: It's very true that power has corrupted every individual in whom it has ever been concentrated in the history of mankind. I do not feel that I am necessarily above whatever elements of human nature give rise to that. I worry about it. Probably other people worry about it more than I do.

Although, he didn't get to making any such frank statements during the controversy over AboveNet's Web site blocking. (Perhaps MAPS's lawyers were worried that he was a little too unfiltered and advised him not to comment; at the time, the MAPS Web site had a "How to sue MAPS" link on the front page.)

Speaking of which, Anne Mitchell, Director of Legal and Public Affairs for MAPS during the time when AboveNet was blocking Web sites, was the only MAPS adherent from the era that I could find who has since clearly and publicly come out against Net Neutrality. In May 2006 she wrote:

Here's the thing that the 3Ns (Net Neutrality Nuts) don't get: bandwidth costs money. And if you can't charge those who use the majority of it accordingly, then you are going to have to amortize it across everybody.

So, if a net neutrality law passes, don't be surprised when your costs to have an Internet account skyrocket.

Because somebody has to pay those bills, and if the law says that the ISPs can't charge the big guys - the big users - differently, it means that they have to charge them the same rate that they charge everyone else. And that means not that their rate will go down, but that everybody else's rate will go up.

And then again in February 2007 in another blog post titled "Towards A Nanny Internet", she wrote, "Network neutrality is the idea that ISPs should be forced to charge everybody the same for their Internet use", grouping it together with proposed anti-bullying and anti-anonymity laws.

Well, points to Anne for being consistent, and for publicly declaring her views in no uncertain terms, which is all I'm asking of the other supporters of AboveNet's website blocking policy. (Although she's coming at it from a different angle this time, "How do we work out who pays for the traffic" rather than "ISPs should be allowed to block whatever they want without telling anybody".) But this is also a textbook example of what I think are the three major fallacies of opposition to Net Neutrality:

First, lumping it together with other examples of unpopular regulation and calling it one more example of Big Government -- an argument also tried in other editorials ("Politicians and public figures alike should realize the absurdity of advocating more red tape to keep the Internet free"). This meme has never really caught on, possibly because groups like the ACLU and the EFF that have traditionally opposed true Internet censorship, have lined up in favor of Net Neutrality. All the proposed "red tape" and "regulation" really says is that if a user attempts to access a Web site over a connection that they've paid for, the ISP may not block or slow down their access, a law which most people would hardly consider tyrannical.

Second, asserting that "Network neutrality is the idea that ISPs should be forced to charge everybody the same for their Internet use." I've never actually heard anyone advocate anything close to that, but a common question among skeptics is why different "tiers" for Internet traffic are really any different from different-tiered pricing for dial-up vs. DSL, or for different levels of Web hosting. The difference is that when users and Web site owners pay for those connections, they are paying for their respective connections to the rest of the Internet. But an ISP charging a Web site owner to carry their traffic the last mile to the user's house, is not charging for a product or service, but really charging a fee not to break a service that they've already agreed to provide to the user.

Which leads to the third misconception: "Here's the thing that the 3Ns (Net Neutrality Nuts) don't get: bandwidth costs money... So, if a net neutrality law passes, don't be surprised when your costs to have an Internet account skyrocket." But it's not about how much a service costs, but about the ethics of double-billing for it. We know that ISP pricing models can already support the total traffic that people consume today, and ISPs do already follow net neutrality principles most of the time, so nobody's costs will "skyrocket" just because a neutrality law passes. If vastly more people start trying to stream CNN over the Internet 24/7, and fully using the services that ISPs have "only been pretending to sell" as Brad Templeton put it, then ISPs may have to charge more for users who consume too much bandwidth, encouraging people to stay at today's average levels by rationing themselves and perhaps watching 24 on their $5,000 TV sets sometimes instead of downloading it off of BitTorrent to their laptop every week because it makes them feel like a haX0r. Much as we all love our unmetered connections, it wouldn't be a violation of Net Neutrality for ISPs to charge users for bandwidth hogging, to keep everyone from going too far above today's levels. What ISPs should not do is charge users for implied full-throttle connections, and then turn around to charge publishers for moving bits over those same lines, or block the connection for any other reason.

So, yes, Virginia, blocking of Web sites does happen -- and by "Virginia", I mean FTC Chairman Deborah Platt Majoras, who said in a speech in August 2006: "I have to say, thus far, proponents of net neutrality regulation have not come to us to explain where the market is failing or what anticompetitive conduct we should challenge; we are open to hearing from them." This was echoed in an editorial later that month from Sonia Arrison of the Pacific Research Institute:

Internet service providers have voluntarily upheld content-neutral practices without the need for government intervention, and consumers would never stand for blocked Web sites... If the loss of net neutrality principles was really a problem, advocates wouldn't need to scare Americans in order to win their support. Using government regulation preemptively to shortchange business partners is a reckless abuse of the public policy process. New laws should be based on facts and reality, not fear and hypothetical situations.

I guess both of those ladies' ISPs must be blocking access to the SaveTheInternet.com Web site, so I e-mailed both of them the coalition's list of examples, and added a note about the AboveNet/TeleGlobe incident as well. No personal response from either of them yet, but I'm sure they just got lost in the shuffle while they were so busy sending out corrections. (On the other hand, I did get a courteous response from Randolph J. May of the Free State Foundation, when I wrote to him about an editorial he penned which also argued that violations have not happened: "It is generally agreed that except for a few isolated and quickly remedied incidents, neither the cable operators nor the telephone companies providing broadband Internet services have blocked, impaired or otherwise restricted subscriber access to the content of unaffiliated entities." He said he hadn't known about the AboveNet/TeleGlobe incident either.)

Another theme in some anti-Net-Neutrality editorials is that existing laws are enough to deal with the problem. In Majoras's speech, she said, "We should not forget that we already have in place an existing law enforcement and regulatory structure." Arrison's echoed that "Numerous federal agencies already have set a basic legal framework in place to preserve fair competition and business practices on the Internet". Well, as Yogi Berra says, in theory, there is no difference between theory and practice, but in practice, there is. After I found out AboveNet and TeleGlobe were blocking my Web site, I called about twenty lawyers in the Bellevue phone book, figuring: I wasn't greedy, but surely there would be financial damages for deceiving users and blocking our site, enough to pay a lawyer in return for handling the case? I think about two lawyers called me back, and they both said that even though what the backbone companies were doing clearly looked like fraud, it would take tens of thousands of dollars just to get started, and even if we ever got to court, the judge could call it however they wanted. Whatever laws exist now, they may help the slightly smaller big guy against the bigger big guy, but are not much use to the little or medium-sized guy.

So, any informed debate about Net Neutrality has to include the fact that, yes, some providers have blocked Web sites on purpose, for long periods of time, and no, the free market didn't fix it by itself. Even if something on that scale never happens again, if the free market and the anti-trust laws didn't automatically correct a case where Web sites were being blocked outright, then it's wishful thinking to think that those forces will prevent ISPs from merely slowing down Web access to sites that haven't paid a "toll", as they have made noises about doing. One AboveNet customer, Sam Knutson, said when he found out about the Web site blocking, "This type of behavior on the part of an ISP is reprehensible. I pay for a pipe and don't expect this type of monkey business." Well, I agree that it's reprehensible; whether we should "expect" more of it or not, depends on how much the Net Neutrality movement achieves its goals.

snow_man writes to mention an article on the E-Commerce News site about techno-literacy problems with incoming college freshmen. Some schools, like CSU, are planning on including a technology comprehension test alongside their English and Math evaluations for new students. From the article: "Not all of Generation M can synthesize the loads of information they're accessing, educators say. 'They're geeky, but they don't know what to do with their geekdom,' said Barbara O'Connor, a Sacramento State communications studies professor involved in a nationwide effort to hone students' computer-research skills. On a recent nationwide test to measure their technological 'literacy' -- their ability to use the Internet to complete class assignments -- only 49 percent of the test-takers correctly evaluated a set of Web sites for objectivity, authority and timeliness. Only 35 percent could correctly narrow an overly broad Internet search."

VE3OGG writes "The SCO Group — the litigation firm currently in dispute with, among many, IBM, over supposed copyright infringing code in Unix — has quietly asked the courts to reconsider IBM's request to toss the case out. SCO argued that the court's November decision was procedurally and substantially flawed and they say 'the rules of procedure do not support such a result under the circumstances of this case.' If allowed to reopen the case, the SCO Group argues, that new evidence would present itself through the deposition of several IBM programmers who had previously been interviewed."

illeism writes "E-commerce News is reporting that Microsoft is going after Ebay sellers offering pirated copies of Microsoft software. From the article 'The suits do not name eBay as a defendant and Microsoft indicated that it has received extensive cooperation from the auction giant in the past as it tried to ferret out piracy. In fact, Microsoft said it asked eBay to remove some 50,000 suspicious auctions during 2005 alone ... The suits are mainly against individuals and cover alleged counterfeit sales of several Microsoft programs, including Windows and Office XP and older versions, such as Office 2000.'" More interestingly, the article flatly states that MS has no hope of ending piracy. The suits are apparently meant to 'protect consumers'.

Cobb writes "The 2nd U.S. Circuit Court of Appeals recently ruled that it is legal for adware programs to show you pop ups for knock-offs and rivals when you visit a companies website. 'In 1-800 Contacts's lawsuit against adware provider WhenU.com, the appeals court likened WhenU's ads to retail stores that place generic competitors next to brand-name products.'"

Roland Piquepaille writes "Based on ideas taken from Wikipedia and dodgeball, Cellphedia allows its members to broadcast questions to its community and receive answers, using SMS text messaging on cell phones. Here is how it works, according to "Cellphedia Melds Facts with Mobile Smart Mobs" from E-Commerce Times. First, you register for free on the site and you indicate your subjects of interest. If you want to ask a question, it is sent to all the members who expressed interest in this particular subject. Finally, the first answer received by Cellphedia is sent back to you. This means that later answers, which could have been more accurate, are discarded. But this service is still very young and its creator is working hard to improve it. Read more for some examples of questions and answers stored on the Cellphedia central server."

Rollie Hawk writes "When it comes to online shoppers, conventional wisdom has long been divided. Some have argued that the instant nature of shopping from home over the Internet leads to quick purchases while others have contended that easy price comparisons on the Web allow buyers to do more research first. For now, it looks like the latter camp is closer to the truth. According to a press release by ScanAlert, online shoppers are more frugal than many retailers previously thought. According to their testing, 35% take more than 12 hours to make a purchase, 21% take more than three days, and 14% take more than a week. On the average, online shoppers take 19 hours to make a purchase after the initial visit. This has some important marketing ramifications according to ScanAlert CEO Ken Leonard. "The implication to merchants is that the shopping cart is not just a convenience factor. It must be a comfort zone to shoppers. These results were not expected." In the press release, Leonard advised online sellers that "consumers abandon shopping carts with an ease that frustrates and often confuses online retailers. Retailers must understand, however, that almost half of all online purchases are from shoppers who leave a site after the first visit, and return -- even days later -- to buy.""

DigitumDei writes "Originally reported on Slashdot last year when Apple accused Benjamin Cohen of being a cybersquatter, the UK Internet registry has now ordered Cohen to give up the domain to Apple. Nominet ruled that Cohen had made an "abusive registration," and that he "is using the domain name in a way which has confused people or businesses into believing that the domain name is registered to, operated or authorized by, or otherwise connected with the complainant."

A few Google bits in the bin this morning starting with Philipp Lenssen writes "Google Local has now moved to the Google homepage. The service, while still in beta, has been around for quite a while as one of many Google tools in the Google labs." Mr. Anonymous noted that "In the past, when you clicked the [definition] link after a Google search, you'd be taken to the Dictionary.com page for the word. Now, Google has jumped aboard GuruNet's Answers.com, which not only provides definitions, but encyclopedia articles, etymology, medical defnitions, legal definitions, and word translations all on one page." And lastly, several folks noted that Google has moved into the Domain Registrar Biz which we mentioned monday.

localman writes "Cedant, the owner of Super 8 motels and Days Inn, is suing Amazon for patent infringement for recommending books with it's 'customers who purchased X also purchased Y' technology. Heh. 'Technology.' It's always fun to see Amazon hoist by its own petard, as it were, but it would really stink if no website could offer it's customer's recommendations. Got Prior Art?"

An anonymous reader submits "Opera, the sometimes forgotten #3 web browser, reported a third quarter loss that tripled that of last year's third quarter despite a seven-fold increase in revenue. Opera is blaming a weaker dollar for the losses, and say they're spending money on marketing and new ventures like teaming with IBM to use their ViaVoice technology. Opera's future seems uncertain as Firefox's growing popularity may hurt Opera by stealing potential customers. With Internet Explorer, Firefox, and Safari all free, is there room for a non-free browser in the market?"

BMcWilliams writes "Russell McGuire, one of the government lawyers who prosecuted spammer Jeremy Jaynes, has published an article justifying the tough sentence recommended by a Virginia jury. He writes, 'the defense attorney argued that greed cuts both ways and the victims got what they deserved because they were trying to get rich quick. Needless to say, this did not go over well with the jury.' Still, the eye-popping 9-year sentence has even some ardent anti-spammers wondering whether 'proportionality is becoming a completely forgotten concept.'"

ValourX writes "Microsoft's Sender ID has already been rejected by both the Debian Project and the Apache Software Foundation, but Joe Barr of NewsForge today interviewed Larry Rosen of the Open Source Initiative and discovered that there are negotiations between the two entities with regard to Sender ID's licensing. Could Microsoft be considering an Open Source license for Sender ID? Slashdot has covered other aspects of this story in the past. NewsForge is part of OSTG, like Slashdot."

foobsr writes "According to an article in EcommerceTimes, Microsoft is trying to migrate Office from a product to an online service with a focus on automating collaborative work. Quote: 'Making collaboration faster, easier and more efficient will be the next revolution in worker productivity, and we want to be in the forefront,' said Peter Rinearson, vice president for new business development in Microsoft's information worker group"."

Tarantolato writes "According to a recent Gartner report, low-end Linux server shipments grew significantly in the first quarter of 2004. Part of this may be due to the comeback of the relational database market in 2003, where Linux growth was especially strong, while Windows growth was weaker. There is mixed news for Sun, who saw growing shipments but declining revenues in Q1 of 2004."

theodp writes "In April, IBM CEO Samuel Palmisano told investors Big Blue hopes to dodge an estimated $6 billion in liability stemming from a judge's ruling that IBM violated U.S. federal age discrimination laws. In May, IBM closes on its $150-$200MM purchase of Indian outsourcer Daksh, whose age requirements for job applicants make Logan's Run seem progressive. On its Opportunities page, Daksh states that Customer Care Specialists should be between 21-25 years of age and Team Leaders should be no older than 27. Early Daksh investors included Citigroup and we-don't-need-no-stinking-unions Amazon."

theodp writes "In a USA Today interview, Intel CEO Craig Barrett pooh-poohs arguments against outsourcing, explaining 'We do not send our basketball teams to compete against the rest of the world, saying the other teams have to play slower because our folks aren't fit enough to run as fast.' He is also fed up with being called a Benedict Arnold CEO (perhaps he'd prefer Unemployed Computer Scientist). Barrett pegs K-12 math and science education as the biggest threat to U.S. employment, but when pressed about U.S. kids who do well in both, attend excellent universities, but have no guarantees of good jobs when they graduate, Barrett remarks 'I don't have a solution to that one.'"

theodp writes "With IE, IM and Linux all threatened by patent infringement lawsuits, it's worth noting that Saturday marks what would have been the third anniversary of BountyQuest. With $1+ million of Amazon CEO Jeff Bezos' money and an Amazon VP on its Board, BountyQuest vowed to reform the patent system through its prior art contests. While BountyQuest raised eyebrows when it found winning prior art right off the bat for a patent Amazon was sued for infringing on, it surprisingly drew little heat when it announced no winning prior art could be found for Bezos' own 1-Click patent. 'There was no Bounty winner, mainly because the 1-Click patent is specific to the Web,' explained BountyQuest. 'This was a tough one to win because the Amazon 1-Click patent is so specific to the Web,' added BountyQuest investor Tim O'Reilly. Amazon's claim that the contest outcome vindicated Bezos' 1-Click patent went unchallenged by the New York Times, who instead took contestants to task for submitting prior art that 'failed to mention the Internet.' But legal documents have surfaced revealing that a month before these arguments were made, Amazon was told by a Federal Court that 'This distinction is irrelevant, since none of the [Bezos 1-Click patent] claims mention either the Internet or the World Wide Web.' If it was 'in everyone's interest to get all relevant prior art out into the open,' as Bezos said, then what happened?"

theodp writes "With IE, IM and Linux all threatened by patent infringement lawsuits, it's worth noting that Saturday marks what would have been the third anniversary of BountyQuest. With $1+ million of Amazon CEO Jeff Bezos' money and an Amazon VP on its Board, BountyQuest vowed to reform the patent system through its prior art contests. While BountyQuest raised eyebrows when it found winning prior art right off the bat for a patent Amazon was sued for infringing on, it surprisingly drew little heat when it announced no winning prior art could be found for Bezos' own 1-Click patent. 'There was no Bounty winner, mainly because the 1-Click patent is specific to the Web,' explained BountyQuest. 'This was a tough one to win because the Amazon 1-Click patent is so specific to the Web,' added BountyQuest investor Tim O'Reilly. Amazon's claim that the contest outcome vindicated Bezos' 1-Click patent went unchallenged by the New York Times, who instead took contestants to task for submitting prior art that 'failed to mention the Internet.' But legal documents have surfaced revealing that a month before these arguments were made, Amazon was told by a Federal Court that 'This distinction is irrelevant, since none of the [Bezos 1-Click patent] claims mention either the Internet or the World Wide Web.' If it was 'in everyone's interest to get all relevant prior art out into the open,' as Bezos said, then what happened?"

securitas submits this painfully well-linked piece: "eWEEK reviews the RIM BlackBerry 7230 color handheld, Research In Motion's latest combination wireless e-mail/phone/PDA, and the first BlackBerry to feature a full-color display. The tri-band GSM/GPRS J2ME device features a 240-by-160-pixel, 65,000-color display, 16 MB flash +2 MB SRAM, an Intel 386 32-bit chip, SMS, an HTML browser (missing from the preceding BlackBerry 5810), a claimed 4 hours talk/10 days standby removable/rechargeable lithium-ion battery, POP3/IMAP/Exchange/Notes wireless e-mail for up to 10 accounts with file attachment management, security via Triple DES encryption, USB sync/recharging and the usual organizer functions. RIM squeezes it all into a 4.8 oz/136g, 4.4x2.9x0.8 inch/11.3x7.4x2.0 cm package (tech specs at RIM). The BlackBerry 7230 is exclusive to T-Mobile USA until 2004 and costs about $400. With this release, RIM is moving the BlackBerry into the prosumer/consumer market to expand its customer base beyond enterprise users. The release comes amid speculation of BlackBerry doom following RIM's recent patent ruling loss and ahead of the highly anticipated Handspring Treo 600, its direct competition (which includes the MS Pocket PC Phone Edition Smartphone and the Palm Tungsten W). More at Wired News, E-Commerce Times, InfoWorld and Forbes/Reuters."

Barry mentions his "sender pays" spamfighting plan more than once in his answers to your questions, and discuessed it at length in an InternetWeek.com article published on Feb. 20. Is Barry's plan workable? Do you have a better idea? Or should we all just get used to spam as part of the online experience, and learn to live with it and block it as best we can?

1) Back to the 90s
by gylz

If you had known back in the early 90s that spam was going to be the problem it is now, what steps would you have taken then to protect yourself and others from it?

For instance, what changes would you have advocated in the mail protocols and what standard procedures would you have told other ISPs to use to prevent spammers from getting a foothold in the first place?

Barry:

When The World began selling the first commercial dial-up internet accounts in 1989 one question we were frequently asked by the privileged few who had internet access was: How are you going to control them? To be honest, we never had a good answer other than developing what everyone thought was a pretty good AUP (Acceptable Use Policy) and promising to enforce it as best we could.

But even as the net developed, in the early-mid 90s, there were similar problems with system cracking and break-ins. Back then there were more open holes to just walk right through, get a privileged shell, or just cause mayhem. To a great extent spam can be viewed as a form of system compromise and similar to malicious cracking in many ways.

One of my pleas back then to other ISPs was to make some sincere effort to know to whom you were giving accounts. Many of the ISPs with big funding and marketing departments to match would just give out new accounts to anyone with a drink coaster and worry about it later, oftentimes much later only when the bill wasn't paid.

I think practices like these gave rise to the sense of anarchy and lawlessness on the net that came from the easy abuse of anonymity which persists today. At The World we were careful about not enabling new accounts until we were pretty sure we had valid information. Many ISPs did not do this and tracing problems back to an account on their service would lead to a dead end; the info they had on the account would turn out to be obviously fraudulent.

Also, and this isn't a regret but more of an observation, some early internet advocates wanted only end-to-end services which basically meant that every single computer on the net should be a mostly autonomous client and server. Dial-up made this impractical; you couldn't really run a web site or even a decent mail server over a part-time connection. But I think some of that ambivalence over goals contributed to inaction on issues which might have helped with problems we see today.

2) Acting Locally, Effecting Globally
by merlin_jim

Many posts talk about proposed changes to society, government, and technology to lessen the spam problem. However, an ISP has more insight into the problem than many others, and I thought I'd ask a question to tap that insight:

Given today's society, technology and infrastructure, what can an individual do that would be effective in reducing not only the personal strain of spam, but also lessen an ISP's burden.

What kind of strategies have you seen work. For instance, in particularly bad instances I'm prone to send an e-mail to spam@isp.net, abuse@isp.net, or admin@isp.net, but usually never even get a response. Is there a better thing to do? Are there things that are absolutely the wrong thing to do (such as replying to a spam)?

In short, what would you like to see users do in response to spam today?

Barry:

Pressure your legislators to enforce the laws already on the books! Hijacking others' systems, identity falsification, and fraud are already illegal. These aren't legitimate business people who send all this bulk mail, they're crooks.

Even if a spammer can sneak around the laws making it clear that the activity is illegal, this prevents a spammer from getting investors, incorporating, taking out bank loans, obtaining legal indemnification against liability, buying business insurance, registering with their state or owning intellectual property (e.g., trademarks), etc.

Something else everyone can do is install spam filters. And help others install spam filters. Ultimately, I believe it's an arms race between the filters and the spammers so other forces need to be put into play.

But my reasoning is that utilizing filters now will make the internet experience more pleasant and productive for many which is a good thing. Their wide-spread use will also serve as a wake-up call to those companies who are deluding themselves into thinking they're "white-hat" spammers so ought to be exempt. The filters throw their stuff away also.

The so-called legitimate advertisers need to get to the table with the ISPs and figure this thing out and stop thinking the status quo serves them.

At this point my thinking is that there isn't much difference, from the point of view of an ISP, between companies whose spam you don't hate and those whose spam you do hate.

When it's paper mail you have to put a stamp on a letter whether the intended recipient asked for the mail piece or not. I think we need to move in the same direction on the net with all bulk e-mailers. They need to start paying for the infrastructure they're exploiting.

The current situation is that people tend to define "spam" as e-mail which promotes products which they don't want others to think they want. We need to get beyond that because you're paying for any e-mail you receive, even if only indirectly.

3) why not whitelist?
by Aviancer

Why hasn't any large ISP or enterprise seriously considered whitelisting mail? The traditional blacklist idea -- when I see spammers I'll no longer accept their mail -- is so easily overcome that many spammers don't even wait one generation to change addresses. Instead, bounce all mail you don't recognize, with a note to the sender on how to inform the system that you are a real user. Nearly all spammers loose their incoming account immedately, so this seems the natural choice. There's some more detail on this method at the TMDA project.

Barry:

The easy answer is that the target moves too fast. How could we begin to keep up a whitelist at the ISP level on behalf of thousands or even millions of customers?

And how exactly do you propose to "inform the system that you are a real user"? Right there is the crux of the matter. What you're suggesting is one of those techniques which works pretty well for individuals but is unmanageable at the ISP level.

Something from the TMDA site I do agree with is:

Spam will not cease until it becomes prohibitively expensive for spammers to operate.

We just have slightly different approaches to making spam prohibitively expensive. Let a thousand flowers bloom!

4) Is there a reasonable solution?
by PincheGab

Given that junk mail in the regular mail is more acceptable (and I will mention that my wife (specially) does like to know when there's a sale on), and given that e-mail is the next big thing, what do you see as an acceptable solution/accord to spam?

I certainly am tired of deleting the penis enlargement and Nigerian bank deposit e-mails, but where is the balance and how do we attain it, if ever?

Barry:

I believe the only approach which will work is a "sender pays" model for bulk e-mail advertising. Such a model corrects the current situation on several levels:

a) Sender pays can provide an economy to enforce its own rules.

Most proposals I've seen to deal with spam are workable on paper but fail in this regard. If, when considering yet another spam proposal, you ask yourself who will pay for this or that solution, how will it be enforced (e.g., if it requires lawsuits who will pay the lawyers?) generally no answer comes to mind.

However, if we create a (bulk) sender pays model through some sort of trade association then that organization would have a revenue stream which can be tapped to enforce its revenue model, and a monied interest in defending that revenue model.

b) Sender pays creates a conduit of control between the sender and the ISPs.

Right now spammers can use an ISP's facilities to firehose any spam they want, to anyone and everyone they like, at almost zero cost. For example, kids' accounts are flooded with explicit pornographic come-ons. There's no ability to control that sort of thing.

What business allows its facilities to be used to offend its customers?

In a sender pays model one could also refuse to be paid and, hence, refuse the advertising. Spammers are trying to send their spam to the ISP's customers. I think the ISP has both a right and an interest in controlling that so as not to drive customers away. It's not reasonable that an ISP such as myself has no control over what sort of advertising is placed in my customers' mailboxes yet is left responsible for the quality of that experience.

c) Sender pays clarifies the legal situation without a need for new legislation.

Sending, and not paying, would become simple theft of service, wire fraud, etc.

5) ISP Tools
by feenberg

Do ISPs have the tools they need to prevent outgoing SPAM from their own customers? I look at Sendmail and don't see anything that would allow you to throttle mail volume, check outbound messages for SPAM, restrict new customers etc. There isn't even anything built in that would warn you about a customer sending a million messages. It would seem that a few tools like that would be a big help to an ISP too small to develop its own.

Barry:

I think the best tool is knowing who your customer is and having a clear and effective policy if a customer spams such as clean-up costs which should also include intangibles such as public relations costs.

But you're correct, better tools at that level might help if ISPs were inclined to use them. Many ISPs do use tools such as you describe, others obviously don't care.

6) RBL's
by sabri

One of the few measures that can be taken against spam is the use of blacklists (for instance via DNS). There are a lot of pro's and con's for the use of DNSBL's. How do you feel about these? Should DNSBL's be governmentally regulated? Do you use any DNSBL? Should an ISP enforce certain RBL's (let say, of open relay's) on its customers?

Barry:

I've always resisted using these blacklist services at the ISP level. There are several reasons why but the most important is control.

If the blacklist suddenly began blocking some site, such as a major university or corporation because it was the source of spam the night before, that might cause a big problem with our customers. Even if it could be worked around it'd be just another out of control detail which might send one into fire-fighting mode suddenly.

Another problem I've had with blacklists is that some have become rogue and gone power-mad, blacklisting addresses for reasons completely unrelated to their stated purpose such as personal politics.

Also, the blacklists I've looked into were volunteer efforts which meant the people involved often felt they could paper over any mistake or oversight or staff unresponsiveness with the excuse that they were unpaid volunteers so what do you expect? You can't have your ISP be dependent on organizations with that attitude. And what if I don't like a blacklist's policies or implementation of their policies? If I'm not paying them I can't vote with my wallet.

I suspect that anyone attempting to run a blacklist in a professional, paid manner would go broke; the service isn't worth what it'd have to charge to stay in business. The legal costs alone can be daunting. With legal issues even if you're right it can be expensive getting there. And customers of any service don't want to pay for your legal bills as the major cost of such a service. So we're back to problems with the economic models.

I don't think government regulation would help with blacklists, per se, except in very general ways (they can run the courts for the lawsuits!) The only analogy I can think of are credit bureaus but most of the government regulation in that area is to protect consumers. I don't think we want the government stepping in to protect spammers!

Finally, yes, just about all ISPs blacklist (block) offending sites. Doing it in-house gives them the control they need. It's not great to have to take this on but it's the only choice right now. Unfortunately it's becoming a major burden, and the results are not altogether predictable.

7) What would be the minimum actual cost?
by jamie

What would be your actual dollar cost of spam, if you didn't spend much time and effort fighting it?

Let me explain...

I sometimes hear that spam has significant costs in bandwidth and storage but I don't believe it. As far as I can tell, SMTP traffic is at most 2-5% of net traffic. And a quick calculation shows that an ISP's costs for storing its users' spam are fractions of pennies on the dollar. (*)

You've likened spam to a DDoS attack on your mail servers. Stories about being flooded with traffic sound impressive but computers are so fast now, it's hard to put anecdotes into context. So I'm looking for dollar amounts. For a customers paying b dollars per unit time, an ISP like yours has to spend c dollars per unit time on servers that can handle those customers' incoming SMTP traffic. If this is significant, I'm looking for c over a times b :)

Obviously admins to run the servers are an important cost. But for purposes of this question, suppose you wanted to do the bare minimum. Say you set up the SMTP servers to use just a few of the less-intrusive DNSBL lists, like sbl.spamhaus, relays.ordb, or list.dsbl, and then ignored them as much as possible.

The next most common argument I hear is that customers will abandon ISPs that don't fight spam. But every ISP has the same problem, so this is really a competitive advantage issue except for the small percentage of users who are actually driven off the internet by spam.

Then there's outgoing spam but I don't imagine that's too hard to recognize and stop quickly.

Let me know what I'm missing...

(*) Thumbnail calculations of spam storage follow. Let's say J. Average ISP Customer gets 20 spams a day at 10K each, and deletes them only every 30 days. That's an average of 20*10K*15 = 3 MB of storage. If the ISP replaces hard drives every two years on average and its total storage costs are ten times the actual medium costs (for labor, backup, redundancy, downtime), then at today's hard drive prices, that spam storage will cost the ISP 0.003 * 10 / 2 dollars, or about a penny and a half. Over that same year, J. Customer pays the ISP $100+.

Barry:

Your figures for the percentage of bandwidth which is spam are far too low. Others have put the numbers much higher. NewsFactor cites studies putting the figure somewhere between 17 and 38%. See http://www.ecommercetimes.com/perl/story/19803.html.

As to computers getting faster, that's not a primary issue in my mind. But addressing even that point, how rapidly should I have to amortize and replace my equipment just to accommodate spammers?

And what about the intangibles? They're becoming the major factor in all this. E-mail is the "killer app" on the net. Yet spam is fouling that e-mail experience.

People reading Slashdot might be sufficiently committed to e-mail that they'll wade through all the spam and tweak spam filters even if it takes hours per day and a clothes pin on their collective noses. But what about the many millions of people who aren't so committed to this technology?

As an ISP I can tell you they're giving up on the internet, to them the cost/benefit is just not worthwhile. That's not a good trend.

Another cost is that spam is undermining the standardization of protocols on the net, and thus introducing a pervasive chaos. Every ISP and many other sites are scrambling around implementing mostly different "solutions" to the spam problem. Some of these in-house solutions might be ok, others can be pretty bad.

One result is that e-mail is becoming less reliable as a communications tool. Your mail might get through, it might be kicked out or filtered as spam, you might be able to figure out why and get the message through on a slightly changed subsequent attempt, or maybe not.

Who needs this kind of craziness? How can this situation possibly be productive?

How productive is it to have millions of people installing and customizing spam filters? Or having really bright people writing spam filtering programs? And where is this all going?

In my opinion, if unchecked, I think the current trend is very destructive to the entire idea of a public network.

P.S. I realize in another answer I recommend installing spam filters, but I see that only as a temporary measure.

8) Collateral Damage
by aridhol

One of the greatest problems with spam-prevention techniques has to do with collateral damage. Can you see any solution to spam that either prevents or minimizes the damage to innocent bystanders, such as other users of a spammer's ISP?

Barry:

Yes, the solution I favor is going to a sender pays model aimed at bulk e-mailers.

Other approaches, in particular technical solutions, are prone to causing collateral damage. Inevitably as the arms race heats up, and spam filters have to take bigger and bigger risks to have any effect, collateral damage will become more common.

And it's already worse than you might imagine. Spam and similar are causing severe operational problems on the net and undermining standards as ISPs and others invent new ways to avoid the spew.

As one concrete example, right this minute there's a network provider who was just assigned most of the 69.0.0.0/8 IP address space. Unfortunately, this was formerly a spam and DOS (denial-of-service) cesspool so many sites out there just block the whole 69.* address space.

So the new owners are making appeals to firewall managers asking them to please remove their blocks in the 69.* space on the NANOG (North American Network Operators Group) list.

But NANOG is not a particularly big or influential mailing list. At best it's only aimed at North America while the blocking exists world-wide. But how do you communicate with so many sites and undo the problem? In a nutshell, you can't. I suspect their customers who get space in 69.* are going to find themselves blocked by many sites for many years to come.

See what a mess spam is causing? It's like asking how much can such a little tiny termite eat? And then the house falls down.

9) Spam Lawsuits
by ca1v1n

Do you think new laws that allow ISPs and end-users to collect damages from spammers on a per-message basis can be effective tools to reduce spam?

Barry:

Although it should be part of the picture I think this sort of litigation would be ineffective as a primary attack on the problem.

What we need to do first is stop the insanity!

To do that I say introduce sensible economics into e-mail advertising. You may find network TV commercials annoying, but imagine if just anyone could break into a station's signal at any time and insert advertising! That's what we have right now, and it's crazy.

If we were subjected to a few, well-paid and placed ads it might be annoying to some but others might even find it beneficial like the person in the previous message whose wife likes to know about the good sales. Or we could just pay a premium and not see another ad, analogous to premium cable TV. Or find ways to block them via our personal mail clients, analogous to what people do with PVRs. It'd just be a matter of economics and marketing and taste.

But right now it's complete anarchy, only the introduction of a viable economic model can tame the situation.

Also, I'm not optimistic about any legalistic approach so long as there's no scalable revenue stream associated with e-mail or its abuse.

Currently the general consensus on the net is that we don't even want sales taxes on e-commerce, which might be a reasonable point of view, but then we're going to ask that billions should be spent on courts and enforcement of new spam laws? Where is that money supposed to come from? Cut the fire dept? The schools? Not-growing corn subsidies? Without additional revenue something has to give.

Given a sender pays model money could be earmarked for private enforcement, such as investigation and litigation. And the case could be more realistically made as to the exact economic cost of spam. If an ISP was supposed to get paid for ads going through their system then anyone evading that is simply guilty of good old fashioned theft of service, no new laws needed. And legislators, who presumably would be getting their usual business tax cut of such revenue, could begin to see the logic in returning some tax money to defend these revenue streams.

There would still be challenges to be worked out internationally but it wouldn't be the first time a revenue model had to work on a global scale. Obviously international telephony and postal mail works well enough to combat fraud. But only with some sort of concomitant revenue stream attached to the activity could you possibly begin to tackle the problem, domestically or internationally.

10) Kill 'em all
by Lord_Slepnir

If you could meet a spammer, what would you say? What would you do? What caliber would you use? Would you want someone to do it for you? Is $10,000 a head too much?

Barry:

I would tell the spammer in no uncertain terms that spammers' days are numbered, just like junk faxers and other scam artists who exploited a brief window of vulnerability.

Situations like this don't last long.

Of course, then the spammer would laugh in my face because that's what sociopaths like to do when confronted. But, as the expression goes, we'll see who laughs last.

One thing is clear, however, spammers will not listen to reason. So any change in their behavior will have to be the result of force.

Devistater writes "Spotted on hardocp. The FCC said in a ruling yesterday that telephone companies can sell your name, who you call, and for how long you talk to anyone who is an "affiliate." No longer is this required to be an opt in marketing approach, now its OPT OUT. Sounds like spam is coming to the telephone world, and what an egregious breach of privacy. Article on PCWorld has some of the details." There's also a short Reuters story and a good one on ecommercetimes.com.

AOL, Yahoo!, Microsoft, and Napster. These four "web properties" account for 50 percent of the time people spend online. Check out the trend: at the 60-percent level, the number of companies shrank from 110, two years ago, to fourteen today. Hello, I'm with Mergers & Acquisitions, can I borrow your mouse please?

Three days ago, a small group called Interhack was featured in an AP wire story about some curious data transmission they'd found. The company receiving the data, Coremetrics, tracks unique visitors through its clients' corporate websites, and promises those clients "seamless performance," because: "data tags load invisibly as small transparent gifs, and information is encrypted to appear invisible to your customer." The customer is you, the user. The GIFs are web bugs. The information can be personally identifying, which most of its clients' privacy policies fail to mention. But -- importantly -- the company promises that "Any data Coremetrics tracks and reports is owned solely by our customers and we are contractually precluded from reselling or using this data." Is that enough? Emmett and I talked both to Coremetrics and to the hackers who put the spotlight on them.

Emmett Interviews Interhack

Slashdot: For those uninitiated, what's interhack all about?

Basically, we're a firm of hackers interested in pushing technology forward through research, making computing apply to people by developing custom products and consulting for folks who want to put the technology to use, and helping people understand exactly what the ramifications of these systems are. That's a pretty broad way of saying that we're all about the Internet and making it work.

Slashdot: When did you start researching this story, and how long did it take to put the pieces together?

Sometime in May, someone sent us a tip about Coremetrics and what it's doing. We took a quick look over their web site to see their advertised services and then started to look at how the service is actually implemented on various client sites. We examined several sites, most of which very clearly stated in their privacy policies that they're using Coremetrics for site monitoring and provided links necessary for people who don't like it to opt out of the system. Most of the sites with clear, full disclosure policies weren't even sending Coremetrics personally-identifiable information like names and addresses.

The more interesting part of our find was in the sites that did send personal information to Coremetrics, particularly those that carried the TRUSTe privacy seal. Over the course of about three weeks, we performed an investigation of these sites, gathering as much information as possible from them. We reverse-engineered the system by reading the sites' code, reading through the obfuscation, and comparing logs of our network's activity with the activity that would be perceived by an end user.

What we found was a clear difference in user expectations and what was actually happening, as well as a clear difference between what Coremetrics says it offers and what its eLuminate service makes technically feasible. After writing drafts of our report and press release, we decided to take a wait-and-see approach to the release. Specifically, we wanted to ensure that sites that just started to use the Coremetrics service had adequate time to update their policies and to have an accurate idea of what was happening with the system after having been in production.

After waiting and watching for more than a month, we decided to release our findings. So, on Monday morning, we sent a pre-release copy of our report to Richard Smith and some folks at Zero Knowledge Systems. In addition, we contacted each of the firms named in our report and Coremetrics so that if the failure to disclose or the ability to profile people across web sites was unintentional, there would be time for some investigation and a decision about how to fix the problem. After the end of business Monday, we released our report.

Slashdot: What needs to change? In a perfect world, how do we deal with this?

This is a very interesting question. In my perfect world, detailed levels of profiling would not take place at all. There would be no such thing as persistent cookies. In general, I'm just not comfortable with the level of privacy that the industry as a whole has given up for the sake of a little convenience.

How big of a deal, really, is it to have to enter your password when you login to a web site? Don't forget that the reason why we have passwords in the first place is so that you'll have to do something at the beginning of the session to prove who you are.

Web browsers also need to be more intelligent. That is, they need to be able to identify things like dependencies on third parties so the user can know whether those images should be fetched or ignored. Right now, browsers -- for the most part at least -- just aren't very defensive. The model of parsing everything you're given worked fine in the Old Days for which some of us long so much but the fact of the matter is that you really can't blindly trust anyone on the Internet.

I'm not suggesting becoming a luddite. I'm suggesting that folks take a sort of "trust, but verify" approach a la Ronald Reagan. Right now, there's a lot of trust and almost no way to verify.

Slashdot: This all comes down to trust. How many policies are just there so people will shut up about personal information so they'll start buying stuff online?

I couldn't say. Policies are almost always written by lawyers. That probably speaks to the covering-one's-posterior-position value of privacy policies.

Slashdot: Since we can't trust written policies, what should people be doing before they start conducting business with these websites?

Verify everything. As I said earlier, though, we're severely lacking in tools that are accessible to most people that can help in that regard. I think Zero Knowledge Systems' Freedom network is a huge step in the right direction. Tools like Muffin (muffin.doit.org) also help, but it would be cooler for that kind of functionality to live right in the browser itself. There are opportunities for eager hackers on this front.

It's also important to stress that tools alone won't do it -- there is no silver bullet. People are going to have to have some understanding of what's happening in order to use these tools effectively.

Finally, where you see discrepancies, point them out. Most of the time, they're oversights. Look at how Lucy.com and Fusion.com dealt with this problem: they updated their sites. So although the problem shouldn't have happened in the first place, they did the right thing. Contrast that with Toys "R" Us, which issued a statement saying that what they're doing isn't a violation. And their privacy policy still doesn't say a word about Coremetrics. They still haven't said anything to address the issue of having information collected on children.

Companies that don't fix their problems don't take your privacy seriously, no matter how much lip service they pay. So don't go to their sites. Don't buy their stuff. Tell them why you're not buying their stuff. Tell their competitors why you shop where you do, lest the new places you shop get the bright idea to try to hide something.

Jamie Talks to Coremetrics

Here's the service Coremetrics provides to corporate websites:

Many companies demand accurate knowledge of how their sites are being used: what sections are popular, what paths visitors take through the site, where people click over from, and so on. It's like web log analysis but more specialized for large shopping sites.

Since these demands are very much the same, and the code to do the analysis is similar, outsourcing happens. From a CEO's viewpoint, Coremetrics fiddles with the website to do better-quality tracking than the company could do on its own, and then makes the resulting statistics available over SSL.

But from your viewpoint and mine, that "fiddling" results in cookie-carrying web bugs all over the sites we visit -- web bugs which usually send back to the Coremetrics servers a unique visitor tag, like any other cookie, but one that sometimes includes your name, email address or other personally identifying information.

Coremetrics promises that this information remains private. When DoubleClick collects data from <img> cookies across multiple websites, they do so with the stated intention of tracking you personally; this is part of their business plan.

According to Coremetrics, they do things very differently. Data is not cross-correlated between their client websites, they say, because their contracts with their clients prohibit this. In fact, their contract forbids them from doing much of anything with that data except statistical analysis.

I gave the Coremetrics PR person I talked to a chance to explain, using the example of their client Toys 'R' Us:

"Coremetrics is merely an agent that collects this data on behalf of an individual customer, for that individual's sole use only. We do not collect data, as was inferred very incorrectly by Interhack, across multiple unrelated websites, with any intention of selling it to third parties -- or even distribution to third parties. That's because we, as the agent, do not own that data, nor do we have any rights to that data. Toys 'R' Us, and Toys 'R' Us only, is the sole owner of that data. So legally, we cannot do any of the possibilities that Interhack had alluded to in their report."

But here's the interesting thing.

If I'm browsing my favorite website, Coremetrics is clearly a third party. They have a special contractual relationship to keep my data private, which we shouldn't ignore. But nevertheless -- a third party.

So why do some of their clients' privacy policies not mention this?

Toys 'R' Us is a good example. As Interhack made clear, they do send personal data to Coremetrics' servers. But their privacy policy reads, "We do not share any personally identifying data about our guests with anyone outside of Toysrus.com, its parent, affiliates, subsidiaries, operating companies and other related entities."

So is Coremetrics one of their affiliates or a related entity? I wouldn't think so, but I'm not a lawyer. One interesting thing is hidden in that privacy policy's HTML; after the closing </html> tag is the hidden message: "<!--CoreMetrics Information if enabled-->." Hmmmmmm.

Coremetrics lists twenty clients; I tried to contact seventeen of them for comment, with marginal success by press time. Three reported that they had not yet activated Coremetrics or had decided not to use the service at all. One (guru.com) reported not sending any personal information -- presumably, only tracking visitors with a non-identifying unique ID.

Two sites (lucy.com and fusion.com) began mentioning Coremetrics in their privacy policies on August 1, the day after the Interhack report. One site (thewest.com) did not even have a privacy policy until yesterday; they'd been working on it, and my email may have made it a priority because it was on their site three hours later.

According to Coremetrics, they encourages all their clients to disclose the use of their service in their privacy policy, and include a link for users to opt out. But some sites reported as using or planning to use Coremetrics' services have privacy policies that could use some clarification.

Altrec.com informs me that "...in the near future ... we plan to add to our privacy statement our use of Coremetrics and the fact that Coremetrics neither owns, distributes, nor has rights to the data it sorts on Altrec.com's behalf." However, their current privacy policy states very simply: "Altrec.com will never sell or give your e-mail address (or any other information about you) to anyone else without your permission. Period."

(Last-minute update -- just before press time, Altrec.com clarified that they are "sending unique ID (unique to Altrec.com) and city, state and zip. No other personally identifiable information is being sent to Coremetrics.")

Bravanta.com bounced me between different people until I got to leave voicemail that wasn't returned by press time. Their policy says they "do not and will not sell, trade or rent the personal information of our customers or gift recipients to any third parties."

(Update two hours later: Bravanta reports that they also have decided not to use Coremetrics' service, and are not currently using it.)

Mall.com didn't get back to me either, and their policy reads "We will NEVER release your name and personal information to a third party..."

Getplugged.com has a rather confusing privacy statement that begins, "Any personally identifiable information GetPlugged.com collects will be used solely for the purposes stated within this Privacy Statement" and wanders around from there. I'm not sure what to make of it, frankly.

All these polices may indeed be correct, if the sites are stingy with personal data. Like guru.com (and altrec.com), they may be using the Coremetrics service only with non-personal IDs. But, as with Toys 'R' Us, that may also not be the case.

(fusion.com, getplugged.com, and altrec.com also happen to be TRUSTe licensees, but TRUSTe wasn't able to comment by press time. In the AP wire story on Monday, they had harsh words but were speaking hypothetically; no comment since then.)

It's hard enough to read privacy policies already. Most of them are designed to protect companies legally, and mostly manage to confuse users. The distinction between Coremetrics as a third party; or affiliate; or agent, is a little too fine for the average consumer, and needs to be spelled out in each policy, as Coremetrics itself recommends.

But is all this a tempest in a teapot? If a signed contract forbids a company from misusing data, is that all we need to know?

I don't think so. In the first place, at the very least, companies like Toys 'R' Us need to disclose such things in their privacy policies. That's just common sense.

In fact, according to Coremetrics privacy advisor Dave Farber, they plan contractually to require such disclosure with future clients. (The company could not confirm or deny this at this time.)

More importantly, we as consumers are being asked to trust a third party whose reputation we know nothing about. In fact, 99% of us will never even have heard of them and might not understand what they do. We're told that a contract protects us, but we're still being asked to trust something we can't see. And when evidence of policy violations is turned up by a group of hackers, that erodes our trust.

After speaking at length with Coremetrics' PR, I get a general feeling of trust from them. (Of course that's a large part of their PR staff's job, earning reporters' trust.) More importantly, Dave Farber is well-respected, and his confidence carries weight -- with me at least.

Still, as Interhack says, our motto should be "trust but verify." That's why I proposed, to Coremetrics, that they publicly post, on their website, the paragraphs from their clients' contracts which assure that our private data remains private. If the actual legal words that protect our data are up there for us to see, we don't have to trust anyone.

When I mentioned this to Coremetrics' PR person, he promised to consider it; Dave Farber thought it was "a very good idea." It's unusual for corporations to make contracts public, even in part, but in this case it would do a great deal to put everyone's fears to rest.

sirch wrote to us with the latest research from Forrester Reports. The report alleges that this year's massive hyping of Linux will fade in 2000, as well as stating that it's not probable that CIOs will be switching over in massive numbers to Linux. However, the report than goes on to say that Linux will probably see continued growth, through "dominating new application segments." Not really that surprising of a report. One of the interesting points is the prediction that by 2004, the other Unices and Linux will have converged to the point that binaries for any one will probably run on all the others.

mulan writes "Following the approval of S.761 (Millennium Digital Commerce Act), PalmTop has released software which will do just that. Using a Palm app and a Windows-based conduit, digital documents may be legally signed via the Palm device. Pricipal markets include online vendors. This could also help reduce fruadulant credit card transactions on the Internet. " It's not just PalmPilots either - custom solutions are/will be supported, including IBM's WorkPad. However, until Oct. 31, you can get free copies for the Palm (OS3 or better).

Forrester Research has released a study of the internet which claims that "90% of sites fail to comply with the five basic privacy protection principles" and "most privacy policies are a joke." To read the full report, you need to be a paying client, but the E-Commerce Times reprints some tidbits. Among them: the research firm, contradicting a Georgetown University study accepted by the Federal Trade Commission just two months ago, recommends that the FTC take action because third-party oversight is not proving effective.

TriangleMan writes "Compaq will be making RH Linux an option on a number of their PCs and workstations. The press release is here and press coverage is already appearing. It also looks like RH and Compaq are going to be enhancing interoperability between Tru64 and Linux, including binary compatibility. "