About this blog…

I am employed by Netnod as head of engineering, research and development and am among other things chair of the Security and Stability Advisory Committee at ICANN. You can find CV and photos of me at this page.

As I wear so many hats, I find it necessary to express my personal view on things somewhere. This is the location where that happens. Postings on this blog, or on Facebook, Twitter etc, fall under this policy.

The views expressed on this post are mine and do not necessarily reflect the views of Netnod or any other of the organisations I have connections to.

FRA: Possible to know what is Swedish traffic?

I get the question a lot of whether it is possible to know what traffic is Swedish and what is not. Two phone calls today… Mary wrote about it, and she links to an earlier posting I did on the topic.

My short answer is always no.

A slightly longer answer is that the question is not correctly stated, because most of the people asking it want to know whether one can know what Internet traffic is Swedish and what is not. But the legislation is not about the Internet. It is about tapping information from wires. Some of the traffic on those wires is IP traffic, and a piece of that (but not all) is Internet traffic. Other traffic on the wires is not IP based.

This is a layering problem, similar to the confusion over whether it is the owner of the fiber or the one controlling the traffic that is required to fulfil whatever requirements the new legislation puts on the operator.

30 years ago, we had only one telco in each country. Vertically integrated solutions. And many players and applications are like that. But that is an increasingly rare situation. Today one can often have one organisation owning the fiber, a second one the transmission (SDH for example), a third being the Internet provider and a fourth providing the applications. We have separation between the horizontal layers in the value chain.

But, as I was asked this morning, what difference does this make for the political decisions? This is of course a good question, and in reality it does matter. First of all, the regulation must be clear enough that an organisation managing one or more of the layers described above knows whether it has to do something or not. Secondly, some of the players are already under oversight by the regulator due to the legislation on the Electronic Communications Directive, and if grandfathering this, one can get 25% of the solution for free.

Unfortunately the current legislation comes up with a new definition of operator, which is not (regardless of what they claim) the same as the one in the Electronic Communications Directive. For me that is a bad thing. Better to inherit what already exists, and if needed update that referenced legislation.

But back to this definition of what is Swedish traffic. That also depends on what layer you are looking at. The end points of the fiber, the end points of the SDH flow, the end points of the IP flow, the physical locations of the computers used, the email addresses used, or the persons reading the email? And this is only the example when looking at IP traffic. For other kinds of communication there are other decisions that have to be made.

It is true, though, that given such definitions it should be possible to do automatic filtering that throws things away. But that moves the problem from the filtering to the creation of the definitions. A good thing perhaps? I think that, given the debate at the moment, one has to move in this direction.

Another important thing to think about is why we have the legislation in the first place. There is a need to gather data. Unknown data in many cases (if we knew what data we wanted to have, we might not have to gather it). But what people are afraid of is specific data being collected. So why not describe what FRA cannot collect instead of describing what they can collect? If people are nervous that FRA collects data from IP traffic that goes between two IP addresses in Sweden, then say that FRA is not to collect data where both endpoints have an IP address in a list that some organisation creates, and then look at what organisation should create that list.

Note that in the 2nd sentence I am explicitly not using the words "IP address in Sweden" or "Swedish IP address". This is because any such list will have errors. And there might be other reasons for addresses to be on that list.

But given that we have such specific rules for what FRA (or some third party between the operator and FRA) MUST throw away for, say, Internet and telephony, then people might be much more calm? Sure, the legislation ends up being more technology specific (instead of neutral), but on the other hand, no one understands the current new legislation.
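The discard rule suggested above (throw away traffic where both endpoints are on a maintained list), sketched as an added example that is not part of the original post. The prefixes are constructed from documentation ranges, and the `src`/`dst` field names, the circuit labels and the `no-rule` outcome for non-IP traffic are assumptions made for illustration.

```python
import ipaddress

# Constructed list (documentation prefixes only); in the proposal above,
# some designated organisation would create and maintain the real one.
EXCLUSION_LIST = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:10::/48"]

def load_prefixes(entries):
    """Parse list entries into networks, grouped by IP version."""
    nets = {4: [], 6: []}
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=True)  # reject sloppy entries
        nets[net.version].append(net)
    return nets

def on_list(endpoint, nets):
    """True/False for an IP endpoint, None when the endpoint is not an IP address."""
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:a.b.c.d is the IPv4 host
        ip = ip.ipv4_mapped
    return any(ip in net for net in nets[ip.version])

def decide(flow, nets):
    """'discard' only when BOTH endpoints are on the list."""
    src, dst = on_list(flow["src"], nets), on_list(flow["dst"], nets)
    if src is None or dst is None:
        return "no-rule"  # non-IP traffic needs its own definition
    return "discard" if src and dst else "keep"

# Constructed sample flows.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.20"},            # both listed
    {"src": "192.0.2.10", "dst": "203.0.113.5"},              # one end unlisted
    {"src": "198.51.100.200", "dst": "192.0.2.1"},            # outside the /25: a list gap
    {"src": "2001:db8:10::1", "dst": "2001:db8:10:ffff::2"},  # IPv6, both listed
    {"src": "::ffff:192.0.2.10", "dst": "198.51.100.20"},     # IPv4-mapped source
    {"src": "sdh-circuit-17", "dst": "sdh-circuit-42"},       # hypothetical non-IP labels
]

def classify(flows, entries=EXCLUSION_LIST):
    nets = load_prefixes(entries)
    return [decide(flow, nets) for flow in flows]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, classify(SAMPLE_FLOWS)):
        print(f'{flow["src"]} -> {flow["dst"]}: {verdict}')
```

The third flow is kept only because its source falls outside the listed /25, which shows how an incomplete list directly changes what is collected.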
