N. van Eijk

Security economics in the HTTPS value chain

Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications.

Net neutrality and the value chain for video

AbstractPurpose – Video distribution over the internet leads to heated net-neutrality related debates betweennetwork operators and over-the-top application providers. The purpose of this paper is to analyze thisdebate from a new perspective that takes into account all of the assets that companies try to exploit inthe so-called battle for eyeballs in video distribution.Design/methodology/approach – The systematic value chain analysis is used to determine the pointsalong the value chain where net neutrality interacts with video distribution. The inputs to the analysis arethe existing and proposed policy measures for net neutrality in Europe and in the USA, and a number ofnet neutrality incidents that have led to discussions earlier.Findings – The paper finds that the current and proposed policy measures aimed at net neutrality eachcontribute to a certain extent to their intended effects. However, the analysis also shows that they arelikely to lead to new debates in other parts of the value chain, as players try to compensate the loss ofinfluence or revenue streams by rearranging the ways in which they exploit their assets.Practical implications – Further and new debates are expected in the areas of peering andinterconnection, distribution of resources between over-the-top and managed services and the role ofdevices with tightly linked search engines, recommendation systems and app stores.Originality/value – The new perspectives offered by our value-chain based analysis are valuable forpolicy makers who aim to promote net neutrality and simultaneously stimulate competition andinnovation throughout the value chain.Keywords Net neutrality, Value chain, Video distribution, Internet, Over-the-top, Regulation,Transparency, No blocking, Managed services, Europe, United States of AmericaPaper type Research paper

Online tracking: Questioning the power of informed consent

Purpose – The paper aims to report the main findings of a study for the Dutch Regulatory Authority for the Telecommunications sector OPTA to explore how the new European ‘‘cookie rules’’ in the ePrivacy Directive impact on behavioral advertising practices via the storing and reading of cookies. The paper identifies the main dilemmas with the implementation of the new European rules. The Dutch case provides a valuable reality check also outside The Netherlands. Even before the amendment of the directive, The Netherlands already had an opt-in system in place. From the Dutch experience important lessons can be learned also for other European countries. Design/methodology/approach – After a brief analysis of the legal situation in Europe and in The Netherlands (section 2), section 3 reports about the findings of a survey among the main providers of targeted advertising in The Netherlands to explore the current use of cookies and targeted advertising practices. Section 4 describes the findings of a qualitative survey among Dutch internet users with the goal to define their level of skills and knowledge, acceptance of and behavior towards the placing and reading of cookies. A concluding section (section 5) summarizes the main findings and identifies implications for the future policy debate. Findings – The results show that the majority of the surveyed parties involved in behavioral advertising do not inform users about the storing of cookies or the purposes of data processing of the subsequently obtained data, neither have they obtained users’ consent for the storage of cookies. The authors also found that the majority of users lack the skills and knowledge to handle cookies. Social implications – The findings critically question the wisdom of the ‘‘informed consent regime’’ that currently lies at the heart of Europe’s ePrivacy Directive. The paper concludes with reflections about the concrete policy implications of the study, and a number of concrete suggestions of how to approach the future debate with regard to the regulation of online tracking and cookies. Originality/value – The approach of the paper is original in that it combines legal analysis with two surveys: one among behavioral advertisers and one among online users. This approach permits us to better understand the efficacy of the new legal rules, to make predictions regarding the level of compliance with the new rules and identify areas in this highly topical debate that require further attention.

Obscured by Clouds or How to Address Governmental Access to Cloud Data from Abroad

Transnational surveillance is obscured by the cloud. U.S. foreign intelligence law provides a wide and relatively unchecked possibility of access to data from Europeans and other foreigners. The amendments to the Foreign Intelligence Surveillance Act in 50 USC 1881a (section 702) are of particular concern. Recent leaks around the PRISM surveillance program of the National Security Agency seem to support that these legal possibilities are used in practice on a large scale. These developments will affect market conditions and competition, notably for U.S.-based cloud services. In addition, the possibility of foreign governmental access impacts the privacy of cloud end-users and can cause chilling effects with regard to cloud computing use. Calls for regulatory action and termination of cloud contracts are starting to emerge – such as in cases of medical data storage in electronic patient record systems and biometric data processing in relation to passports in The Netherlands. This Article analyses regulatory solutions to the current status quo on four levels: i) the possibility of limiting surveillance in the U.S. itself; ii) international law as a framework to impose some limitations; iii) the EU General Data Protection Regulation proposals and the EU Cloud Strategy, and iv) improved oversight on transnational intelligence gathering. If transnational intelligence remains obscured by the cloud, the various promises of the cloud, and electronic communications in general, might stall. It will be hard, but considering all the interests involved in the transition to the cloud, it must be possible to come to some agreement about restrictions on transnational intelligence gathering and stronger protections for non-U.S. persons in U.S. clouds.

Broadband services and local loop unbundling in the Netherlands

This article describes the availability of broadband services in the Netherlands. This particularly concerns broadband services for the consumer/end user such as access to the Internet. We first discuss the new Telecommunications Act before dealing with current market relations and regulation of the telecommunications sector. This is followed by a description of the most significant decisions of the independent supervisory body, the Independent Post and Telecommunications Authority, as related to broadband services.

The Proof of the Pudding is in the Eating: Net Neutrality in Practice, the Dutch Example

The Netherlands is among the few countries that have put specific net neutrality standards in place. It was the first country to do so in the European Union. Contrary to the original European Union approach, which lacks a material implementation of net neutrality principles, the Dutch parliament decided to take a firmer position and introduced a quite detailed regimen on net neutrality. Providers of public electronic communications networks via which Internet access services are delivered and providers of Internet access services shall not hinder or slow down applications or services on the Internet. There is a limited group of exceptions to this rule. Hindering and slowing down Internet traffic is allowed a) to minimise the effects of congestion, whereby equal types of traffic must be treated equally, b) to preserve the integrity and security of the network and service of the provider in question or the end-user’s terminal, c) to restrict the transmission of unsolicited communication (spam) to end-users, provided that the end-users have given their prior consent for this to be done, and d) to implement a legislative provision or court order. Another very important net neutrality principle was based on incidents of blocked applications such as Skype and WhatsApp on the announcement by mobile operators that they would start charging for applications. The Dutch net neutrality article also forbids providers of Internet access services to charge for Internet access services dependent on the services and applications which are offered or used via these services. The newly proposed European rules on net neutrality (as part of the new regulatory package) have borrowed heavily from the Dutch example. However, are the Dutch rules a success? The no-blocking/no-charging restriction had an immediate effect on the market, in particular on the mobile one. Originally, the mobile providers intended to block or to charge for specific services (Skype, WhatsApp), but they had to abandon the idea due to the new net neutrality rules. This led to a new subscription structure, with a substantially increased emphasis on data traffic. Data bundles are priced more specifically, and existing packages with unlimited data access have been replaced by packages with a specific size (data caps) and specific speeds. In fact, voice is no longer a dominant factor in the pricing models. But how did these changes affect the consumer? The no-blocking/no-charging rule more or less killed traditional texting (SMS), but it is too early to tell whether net neutrality has had an effect on the overall costs for mobile broadband. There are some indications that the overall price levels and options in the Dutch market are (still) in line with the prices in other European countries. The new neutrality rules had no effect on the fixed market. Internet service providers on cabled networks have no history of blocking traffic. Only one incident with the slow-down of traffic was reported but turned out to be a ‘misunderstanding’. One should keep in mind that the Dutch fixed broadband market is very competitive with the incumbent operator offering high-speed DSL or fibre and the cable television network operators offering high-speed broadband via their coaxial networks. The Netherlands belongs to the top broadband countries in the world. The regulator in charge – the Authority for Consumers and Markets – took a first decision on applying the new rules in a case where Internet access in trains was blocked for congestion reasons. In another case, a service similar to WhatsApp was inaccessible via wireless networks. In two cases, the Authority investigated the bundling of data packages with free services (i.e. a mobile subscription with ‘free’ access to Spotify). To deal with these cases, a new guideline has been drafted by the ministry involved. The consultation process on the guideline has recently ended. The conclusion of the paper is that putting net neutrality into more material regulation is much more complicated than defining it in a more abstract sense. Putting the rules into practice is even more challenging. In our view, the Dutch example shows that if regulation is too detailed, the development of services might be hampered and might to some extent ridicule the true objectives of net neutrality. The focus should be on a dynamic and evolutionary approach, offering the opportunity to adapt interventions quickly, depending on the specifics of the case. In order to establish such a more flexible framework, the present provision needs to be amended.