A first-pass look at the issue of net neutrality might not immediately bring to mind concerns around cybersecurity, but we shouldn’t ignore the logical security implications of fundamentally reclassifying the Internet.

Let’s level-set a little bit. Net neutrality doesn’t appear to be a simple issue for most, but it’s actually not that complicated. The FCC previously classified the Internet as a telecommunications system, which is defined by Congress as allowing users to transmit “information of the user’s choosing to and from endpoints specified by the user without making any changes to the user’s information.”

That definition places the Internet alongside other telecommunications systems like the telephone. And it implies a whole bunch of regulatory behavior.

The FCC has now passed the proposal of Chairman Ajit Pai to reclassify the Internet as an information service. There’s a whole line of analysis that points out why this is wrong, as well as plenty of commentary and discussion online about it. There’s no doubt that conversation will continue, but that’s not what this post is about. I’m here to ask how this change affects cybersecurity.

With this change, the role of ISPs on the Internet will shift away from providing open access to providing filtered and tiered services. It won’t come overnight, and we can’t know for sure what specific changes will occur, but it’s a very reasonable assumption that ISPs will start interfering with content.

That interference might involve:

  • qualitative changes to speed (e.g. Netflix pays for priority),
  • specific service fees (e.g. customer pays for access to Facebook), and
  • censored content (e.g. no adult content, no conservative/liberal content, no foreign content)

All of these kinds of actions might happen today in a variety of ways, but they cannot legally be implemented by the ISPs themselves.