COMMENTARY: Security issues aside, the FCC’s repeal of net neutrality pisses me off.

I know – that’s an unusual introduction to an article, but it’s important you know an author’s bias before taking their word on a subject. Security aside, I believe the repeal of net neutrality is a travesty for all citizens. The Internet has become so important to society that everyone should have affordable, unfettered access to it. Therefore, it makes sense that the government treat it like a utility or telecommunication service, and limit commercial organizations’ ability to constrain or control it. I’m not alone in feeling this way, as the vast majority of voters agree. Nonetheless, the FCC decided to repeal it late last year. Yes, this repeal introduces potential consumer ramifications, but it also presents new cyber security implications you need to consider as well.

Let’s rewind a bit. For the two of you that might have lived on an island with no Internet access for the last few years, net neutrality is simply the principle that Internet Service Providers (ISPs) should treat all data on the Internet equally. These providers should not have the power to modify our access to the Internet for their own purposes, but should offer open and unrestrained access to all Internet-based services. This seems like a no-brainer, but before net neutrality, nothing legally restricted ISPs from messing with your Internet connection.

For decades, the FCC classified the Internet as an information service, which falls under Title I of the Communication Act of 1934. Telephone service, on the other hand, falls under Title II for telecommunication services. What’s the difference? As core utilities, Title II services must follow “common carrier” regulations, which prevents service providers from blocking, throttling, or prioritizing these sorts of communications. In February 2015, the FCC classified “broadband” as a Title II service, thus allowing the FCC to legally enforce the principles of net neutrality.

ISPs and business lobbyists might argue, “broadband services have worked fine as a Title I service for decades. We don’t need these new regulations.” What those pundits fail to mention is that without regulation, ISPs have blocked innovative Internet technologies that compete with their business, throttled or blocked traffic they don’t like, made people or companies pay more (tolls) to access particular Internet services, and even forcefully injected ads into all of their customers’ web traffic. Net neutrality opponents and ISPs may argue that we don’t need regulations to do the right thing, but history has proven that without regulation, ISPs will eventually take advantage of their role as access providers. Now that net neutrality is gone there’s nothing holding them back from repeating these practices.

Cyber security is one of the elements of this debate that needs more attention. Here are four security risks that come with the repeal of net neutrality:

Loss of Privacy – ISPs conduct content monitoring in order to filter and throttle traffic. Once they know about your interests and tendencies from your online activities, they can sell this data to the highest bidder. This is not trivial information. This sort of big data has allowed some organizations to realize someone was pregnant before that person even knew it themselves. Many experts talk about how privacy and security are different, and sometimes competing issues. However, privacy is also critical to security in that knowing about you makes you easier to attack. Social engineers can use what they know about you to trick you into trusting them. Sure, the ISP probably won’t use information this way (though they will certainly use it to influence your purchasing decisions), but they will gather this information and store it. That makes them a huge target to malicious threat actors. Do you think your ISP will have perfect security and can guarantee this information’s safety? ISPs should not be monitoring our Internet usage and storing this data for their own use, especially when it could eventually expose our information to hackers. Restricting encryption and other security-related products – There are many types of tools – from proxies, to VPNs, to Tor – that allow us to protect and anonymize our Internet usage. Yes, these tools could be used to conceal bad activities, but they all have very legitimate usages too. For instance, people very regularly use VPNs to protect business communications. Security researchers often use proxies and even Tor to anonymize themselves against threat actors. Unfortunately, ISPs have previously tried to block or throttle some of these tools in the past. While it hasn’t happened in the U.S. yet, it’s not unimaginable that an IPS could restrict these tools in the future. Net neutrality would ensure that everyone could use VPNs and other security tools freely over the Internet. Restricting your security services to force their own – Today, many security services are cloud-based. Imagine if your ISP launched their own cloud-based IP, Domain, URL or file scanning security service. What if they decided to throttle, or even block your connection to that service, and they offered their own in response? Sounds like a conspiracy theory from a bad movie, right? Well they’ve done it before. For instance, they already make Netflix pay extra fees because of its high use. One ISP has even blocked VoIP traffic in the past since it was affecting their telephony service revenue. The point is, the absence of net neutrality paves the way for further bad behaviors like this. Injected ads can turn into injected malware – We’ve already seen ISPs forcefully inject advertisements and content into our Web traffic. This is bad enough from a consumer experience standpoint, but it has many security implications as well. First, malvertising is a significant problem. Attackers have learned that some online ad agencies don’t have great security practices. Attackers can simply buy ad space as a customer and insert some additional script that will force ad recipients to visit malicious sites. Furthermore, just having an “injection” mechanism makes the ISP a huge target. If I’m a criminal hacker and can get privileged access to an ISP’s ad injector, I now have a great mechanism to infect every one of that ISP’s customers. Again, ISPs will argue they have better security than the average business, which could be true; but if hackers can breach governments with basic phishing emails, they can compromise ISPs too. By the way, a related threat is the additional tracking tags ISPs can add to ALL our internet traffic. If malicious actors got access to all that tracking info, it would make their spear phishing emails even more effective.

Those are just a few of the security risks we’re facing without net neutrality. However, in fairness, I will share one of the security benefits too. Some experts believe that ISPs should take a more active role to secure their customers. In fact, I agree with this concept in certain scenarios, such as filtering obvious (DDoS) attacks or using anti-spoofing technology (BCP 38). However, some interpretations of common carrier regulations could make it harder for an ISP to enforce a security action on your behalf, since that technically means they aren’t treating all your traffic “equally.” Personally, I think the regulations could be updated or interpreted to allow for opt-in, ISP-based security actions. Nonetheless, this is one of the security-related arguments you will hear from net neutrality detractors.

So, what now?

Since the FCC has already repealed net neutrality, should you give up all security and privacy hope? No. The good news is we live in a democracy and can eventually bring these crucial regulations back under the right circumstances. Some states are already taking the matter into their own hands, like Washington state did in June of this year. These states are basically copying the regulations related to the FCC Title II rules to prevent ISPs from throttling or blocking Internet services. If enough states do this, the ISPs themselves might actually prefer to have one federal net neutrality rule, as I would presume it’s a bigger burden to have to adhere to many different sets of rules in many different places. In any case, if you live in the right state, net neutrality is not dead yet.

In cryptography, the most secure systems are the ones open to peer review, because when you know exactly how a system works and still can’t find any security flaws, you know it’s safe. The lack of transparency involved in how ISPs route, modify, and collect our Internet usage data without Net Neutrality regulations introduces major security risks. Sure, they can say, “Don’t worry about it. We’re on the up an up,” but their previous actions don’t inspire much confidence. If you believe everyone has the right to affordable, open access to the Internet, stay engaged in the net neutrality conversation. Look a little closer at your ISP’s practices. Don’t give up!