The FCC Must Prevent ISPs From Blocking Encryption
Last month, the popular online publication TechDirt published an article based on Golden Frog’s filing with the FCC that urged the commission to truly restore an Open Internet. A key portion of the article focuses on how we noticed that ISPs and wireless broadband providers can block encryption technologies if they desire.
We discovered this by studying the service of a particular wireless broadband provider, and discovered it was able to interfere with the ability of one of our engineers to encrypt their email communication.
The article gathered a fair amount of attention and we received questions from the press (including the Washington Post), advocacy groups and our customers. We wanted to share the full story:
A Golden Frog engineer first noticed the issue in September 2013 when he was an AIO Wireless customer. (AIO was a prepaid wireless service provider and subsidiary of AT&T). Being a privacy-focused individual, he set his email client to require using an encrypted connection to his email server using STARTTLS. STARTTLS is an extension to SMTP (the standard email sending protocol) that allows an email server and client to use TLS (Transport Layer Security) to provide private, encrypted, and authenticated communication over insecure Internet connections.
In May 2014, AIO merged with Cricket Wireless so the Golden Frog engineer became a Cricket customer. In June 2014, he brought the issue to the attention of Golden Frog Co-CTO Michael Douglass while the two were working together at a coffee shop. While using his laptop tethered to his phone and connected via Cricket, he was unable to send email securely. He switched to the coffee shop’s Wifi and was able to send encrypted email. They concluded that STARTTLS was being intercepted.
The two investigated further and started running tests. They determined Cricket was intercepting and blocking STARTTLS on port 25 – basically, the STARTTLS command was masked out in server responses, and a command failure response was returned. The engineer was connecting to a personal mail server NOT associated with the wireless provider. The test was repeated by connecting to multiple mail servers including Golden Frog’s corporate mail servers. These were SMTP connections USING the Cricket/AIO network as a network provider to reach a remote, unaffiliated with AIO mail server.
Golden Frog Co-CTO Philip Molter presented the STARTTLS findings in a lightning talk at the Texas LinuxFest in Austin, TX a couple weeks later. We tested again in July 2014 when we filed our comments with the FCC, and found the same results. We included the screenshots of those test results, which are in our FCC filing.
After the TechDirt article came out, we anticipated we’d get some questions so we ran the same testing and found that STARTTLS is not currently being intercepted and blocked. We are unsure what changed.
We also tested on AT&T’s network and found the encryption is not being blocked. Good.
However, this is a clear indication of what wireless ISPs can do under the claim of reasonable network management. Although it has apparently now reversed course, this particular ISP was putting its customers at serious risk by inhibiting their ability to protect online communications. We included it in our filing because as long as the FCC refuses to return to its prior “open access” policies and enable wide competition then it must establish effective rules to prevent both wireless and wireline ISPs from throttling and blocking users’ Internet traffic and preventing them from using encryption to protect their privacy. We also need more competition between ISPs so if an ISP blocks encryption citizens can “fire their ISP” and choose an ISP that doesn’t block encryption or intentionally slows down content providers such as Netflix.
We ask: Is it reasonable to invade privacy by deactivating encryption to block outgoing spam?
Neither the old or the new proposed Internet rules being debated by the FCC would stop wireless providers from blocking encryption technologies. That is very frustrating and one of the key points in our FCC filing. The FCC is a government organization and tasked with protecting national security when it comes to electronic communications. They are part of the same government that surveils its citizens. It’s not unreasonable to think they are getting pressure to curtail encryption.
Furthermore, ISPs have incentive to block privacy technologies like VPNs. They want to profit as much as possible from the way you use the Internet. Privacy services that are independent of their offerings don’t allow them to do that. If they aren’t selling the service to you, they aren’t making money and that frustrates them. However, when they are blocking privacy services, they are dangerously putting businesses’ confidential communications and individual customers’ privacy at risk.
We strongly believe that the same Open Access rules that should apply to wired Internet providers should also apply to mobile Internet providers, especially considering this specific encryption-related incident that affects online privacy.