About this blog

In addition to academic publications and events, the Wikimedia/Yale Law School Initiative on Intermediaries and Information pursues a diverse research agenda related to emerging issues in internet governance, the right to information, digital rights, privacy and data protection, and content regulation online.

This space is a home for commentary and shorter-form discussions related to these issues, as well as a central repository of written works produced as part of the WIII program.

The views expressed on this blog belong to the author(s) and do not represent the views of Yale Law School or the Information Society Project.

Submission to the Institute of Federal Telecommunications’ Consultation on the Draft Guidelines on Traffic Management and Network Administration

July 15, 2020

This submission was prepared for the Federal Institute of Telecommunications of Mexico (the “Institute”) public consultation on the Draft Guidelines for Traffic Management and Network Administration for concessionaires and authorized Internet Service Providers (“Draft Guidelines”).[1] The Draft Guidelines were published in December of 2019, in accordance with article 145 of the Federal Telecommunications and Broadcasting Law which establishes, alongside article 146, network neutrality requirements for Internet Service Providers (“ISPs”).

We appreciate the opportunity to submit our comments, and the Institute’s initiative in soliciting feedback on the optimal regulatory structure for ISPs to manage and administer Internet traffic while remaining respectful of network neutrality. However, we have concerns regarding the potential impact of the Draft Guidelines on Mexican internet users, particularly as a result of our belief that the changes will weaken network neutrality protections, to the detriment of freedom of expression and digital rights in Mexico. Our submission includes a set of recommendations aimed at mitigating this impact, in order to preserve Mexico’s vibrant online speech environment.

1. Net Neutrality, Freedom of Expression and Human Rights

The Internet has become one of the most important spaces through which the people of Mexico exercise their rights to freedom of expression and access to information. These rights are protected under Mexico’s Constitution, as well as in human rights treaties that Mexico is a party to, including the Universal Declaration of Human Rights (“UDHR”)[2], the International Covenant on Civil and Political Rights (“ICCPR”)[3] and the American Convention on Human Rights (“ACHR”)[4]. Since its landmark 2012 resolution on “the promotion, protection and enjoyment of human rights and the internet,” the UN Human Rights Council has established that “the same rights that people have offline must also be protected online, in particular freedom of expression, which is applicable regardless of frontiers and through any media of one’s choice.”[5] It is in this context and with this understanding that the third paragraph of article 6 of the Constitution of Mexico guarantees access to technologies of information and communication, “including broadband and internet”. ISPs play a crucial role in the provision of this access and in the popular exercise of freedom of expression and access to information.

International human rights standards are abundantly clear on the importance of preserving network neutrality, as a guarantor of the rights to freedom of expression and access to information. In 2011, the United Nations Special Rapporteur on Freedom of Opinion and Expression, the Organization for Security and Cooperation in Europe (OSCE) Representative on Freedom of the Media, the Organization of American States (OAS) Special Rapporteur on Freedom of Expression, and the African Commission on Human and Peoples' Rights Special Rapporteur on Freedom of Expression and Access to Information issued a Joint Declaration on Freedom of Expression and the Internet, which specified that “[t]here should be no discrimination in the treatment of Internet data and traffic, based on the device, content, author, origin and/or destination of the content, service or application.”[6] The importance of network neutrality was further reinforced by the OAS Special Rapporteur on Freedom of Expression, Catalina Botero, who observed in her 2013 Report that “net neutrality is part of the original design of the Internet… [and] is fundamental for guaranteeing the plurality and diversity of the flow of information.”[7] Interpreting the American Convention on Human Rights, the Special Rapporteur affirmed categorically that respecting net neutrality “is a necessary condition for exercising freedom of expression on the Internet pursuant to the terms [of the Convention’s] article 13”.[8]

The growth of Internet traffic and the development of new and increasingly bandwidth-hungry technologies have led to increased demands for regulatory flexibility among ISPs, who face novel challenges in managing their networks. However, network neutrality remains foundational to safeguarding the online expressive space. This is not only because of its importance to ensuring that powerful intermediaries cannot stifle voices they disagree with, but also because of the importance of network neutrality in guaranteeing that the Internet remains a fundamentally egalitarian expressive medium, where the voices of individual users and startups are not drowned out by those with more power and resources. For that matter, network neutrality continues to play an important role in fostering innovation and providing for fair competition. While we are mindful of the concerns expressed by ISPs, as well as by Providers of Apps, Content and Services (“PACS”), that overregulation and ex ante regulation pose a challenge to their own ability to innovate in the provision of Internet services, a robust regulatory posture in defense of network neutrality remains vital to guaranteeing that online markets function in a way which continues to facilitate the rights to freedom of expression and access to information.

2. Network Management Rules

Among the distinguishing features of the Internet is the enormous influence which intermediaries, and in particular private sector intermediaries, wield over the online discourse. This includes ISPs, whose function gives them the technical power to speed up, hinder or block access to the network for particular users. The ability to amplify certain voices and silence others has the potential to be wielded as a weapon of censorship, either to suit the ISPs’ own interests (for example, by undercutting the services offered by their competitors), or to silence government critics at the behest of authorities. Against this enormous power, the Institute stands as a guarantor of fundamental freedoms for the Mexican people, including equality of access to the means of communication.

In this context, article 5 of the Draft Guidelines warrants a high degree of scrutiny as it facilitates the implementation of traffic management and network administration policies that could undercut network neutrality, through the limitation, degradation, restriction, discrimination, obstruction, interference, filtering or blocking of access to particular content, applications or services. These policies can obviously have an adverse impact on the expressive rights of users. While there can be circumstances where such traffic management and network administration measures are warranted, the potential for abuse necessitates clear and strict guidelines, including an assessment of the necessity and proportionality of particular interventions with regard to their expressive impacts. For instance, it might be legitimate to impose restrictions on PACS whose operations are compromising the integrity or security of the network, or which undermine user privacy, as is provided for in article 5(I). However, a number of the other subclauses allow or require ISPs to implement these policies in situations which are much more difficult to justify from a freedom of expression perspective.

For instance, article 5(IV) establishes that “competent authorities” can request that ISPs establish traffic management policies, including blocking or filtering content, without specifying which authorities are empowered to make such requests or enumerating clear guidelines for what scenarios might justify these requests. This provision is ripe for abuse, as it opens the door to authorities issuing requests for ISPs to block or restrict access to particular content that they find embarrassing or politically problematic. The lack of clear technical parameters for these requests, or any conditions at all on their exercise, poses an obvious threat to freedom of expression. It also has the potential to undermine the right to privacy, by facilitating invasive surveillance requests.

In this regard, we also note our concerns with article 5(III), which establishes that these restrictions can be imposed during an emergency or national security situation, as provided by law. Once again, the ambiguity of the circumstances in which these restrictions can be implemented is troubling. Traffic interferences in the name of public safety or national security should be reserved for exceptional and narrowly defined circumstances, in order to prevent abuse. The National Security Law (“NSL”), which establishes Mexico’s main framework for responding to national security crises, defines the scenarios that are considered threats to national security, but fails to define the specific circumstances which would justify exceptional network restrictions. Furthermore, the Draft Guidelines allow ISPs to make these determinations themselves, rather than leaving them in the hands of government authorities, which creates further potential for abuse. The lack of a formal procedure even raises the possibility of extra-legal requests for Internet shutdowns, an extremely severe and unjustifiable interference with the right to freedom of expression.[9] Any change in the law which further facilitates these actions presents grave human rights concerns.

An additional area of concern is article 5(V) of the Draft Guidelines, which allows ISPs to implement traffic management and network administration policies which undermine access to certain content or services at the express request of users. While the desire to promote user autonomy and freedom of choice is understandable, in practical terms this could allow ISPs to coax customers into entering into agreements which are contrary to their interests, potentially through the use of unclear or misleading provisions in user agreements. It is, by now, a common trope to note that consumers are nearly universally ignorant of the conditions that they acquiesce to as part of terms of service agreements, and that the level of informed consent contained in these agreements is very low.[10] For this reason, international human rights standards tend to be skeptical of programs which allow consumers to decide for themselves the degree to which network neutrality standards are reflected in the packages they sign on to. The Model Framework on Net Neutrality, as initiated by the Council of Europe and developed by the Dynamic Coalition on Network Neutrality, prohibits ISPs or their commercial partners from incentivizing users to sign on to services which violate network neutrality.[11] In line with this standard, we suggest that article 5(V) be modified to prohibit ISPs and PACS from incentivizing customers to sign on to services which are inconsistent with network neutrality.

3. Differentiated services

Another concerning aspect of the Draft Guidelines is article 7, which permits the provision of differentiated services. Differentiated services include zero rating[12] and sponsored services,[13] both of which are generally considered to run counter to the principle of network neutrality.[14] The UN Special Rapporteur on Freedom of Expression has noted that zero rating services can harm users’ access to information, because they privilege access to content within the zero rating agreement and disincentivize the use of metered data to access external content. The Special Rapporteur notes that “for users who struggle to afford metered data, they might end up relying exclusively on zero-rated services, resulting in limited access to information for communities that may already be marginalized in their access to information and public participation.”[15] This also could have the effect of promoting low data caps and inflating the price of metered data.[16]

According to the Special Rapporteur, it is still subject to debate whether zero rating may be justified as a mechanism to expand access to the internet “in areas genuinely lacking Internet access.”[17] In this regard, it should be noted that although article 7(I) of the Draft Guidelines links the sponsored services to bridging the digital divide, it does not restrict them to underserved populations. Rather, the provision is framed in such broad terms that, in practice, it would allow ISPs to justify most sponsored services. While expanding access to the Internet is an important goal, it must not be used as a fig leaf to cover mechanisms whose primary purpose is commercial, and which are not specifically targeted towards getting more people online.[18] The importance of network neutrality to freedom of expression and access to information, and the negative impact that zero rating has on these rights, means that zero rating programs bear a heavy burden of justification, in terms of demonstrating via a proportionality assessment that their benefits in promoting access significantly exceed their inherent harms.[19] The vague and unclear requirements contained in the Draft Guidelines manifestly fail to fulfill this requirement. As an alternative, the Institute could consider imposing assessment criteria which are similar to the EU’s BEREC Guidelines on the Implementation by National Regulators of European Net Neutrality Rules, which provide national regulatory authorities a range of comprehensive criteria to take into account when assessing zero rating practices.[20]

4. Specialized services

According to article 8 of the Draft Guidelines, ISPs are allowed to offer specialized services to PACS. Once again, the breadth of definitions in this provision is problematic.[21] While the provision of specialized services can be justifiable in certain circumstances, these should be limited to PACS which, due to their specialized nature, cannot be conducted on the normal network.

Article 8 mandates that specialized services must not be offered in a manner which harms the quality or speed of Internet access more generally. While this is a good requirement, specialized services can often distort the commercial incentives for ISPs in terms of how their network upgrades are targeted. In other words, even if ISPs do not deteriorate the quality and speed of their general services in order to facilitate specialized services, these services can have an adverse impact on the growth and development of the network, by creating a narrower and more profitable band of services which may be prioritized over general speed and connectivity. This, in turn, can feed a broader migration of more and more traffic over to the specialized services, creating exactly the kind of tiered structure that network neutrality is meant to prevent.

For this reason, it is important that specialized services be restricted to functions whose needs are truly exceptional, such as telesurgery or self-driving cars.[22] Some countries, notably India,[23] have adopted exceptions for such services, following a decision from its Telecom Regulatory Authority banning most other forms of zero rating.[24] Likewise, the Net Neutrality Principles call for specialized services to be limited to circumstances which specifically demand “levels of quality that are not assured by the Internet access services […] and only be prioritized if there is sufficient network capacity to provide them in addition to Internet access service.”[25] Following this formula, we recommend specialized services in article 8 of the Draft Guidelines be narrowly limited to activities that cannot be provided through the regular network.

5. Privacy and Transparency

One other broad area of improvement for the Draft Guidelines would be to boost provisions for transparency among ISPs, and to enhance the rules on respecting user privacy.

The enormous power and influence that intermediaries, including ISPs, wield in the actualization of the right to freedom of expression gives rise to a heightened public interest in transparency around their operations. In particular, the Draft Guidelines should aim to provide consumers with sufficient information to make informed choices, and to select providers whose attitude towards digital expression matches their own values. There is a parallel public interest in allowing researchers, journalists, and civil society watchdogs to monitor the operation of Mexico’s digital space. Transparency is also important to support the Institute’s own regulatory decision-making, to ensure that both ISPs and PACS are following all requirements established in the Guidelines.

In articles 10-13, the Guidelines establish transparency requirements for ISPs related to the differentiated services and specialized services they provide, as well as the traffic management policies they adopt. These requirements are a good starting point, but there is room for improvement. For instance, ISPs should be required to publish information regarding differentiated and specialized services in advance of their being implemented, in order to allow suitable time for a public response to policies which may be problematic. Similarly, more detail should be added to the traffic management policies in article 13, to bring greater predictability into the system.

There is also room for improvement in how information regarding government requests for user data is handled, including regular reporting on aggregated data around government requests, and how these are handled by the ISPs (i.e. what percentage are granted, what percentage included a warrant, what percentage, if any, originated from a foreign source, etc.). Similar data should be published with regard to requests to block or hinder access to particular content, whether these are made formally or informally. 

This ties into another area of concern, namely the protection of privacy. As important as it is to facilitate free information flows regarding the ISPs’ and PACS’ operations, the centrality of the Internet to freedom of expression creates a concomitant interest in safeguarding online privacy. ISPs and PACS are already regulated on this front by the Federal Law on the Protection of Personal Data Held by Private Individuals (“LFPDPP”). However, there is a need for additional provisions within the Draft Guidelines to specify how these values specifically translate to traffic management and network administration policies. ISPs and PACS are in a position of incredible power, given their technical ability to watch and track the activities of millions of Mexicans, both as they communicate online and, increasingly, as they go about their day-to-day life. Any traffic management and network administration practices that have the potential to impact users’ privacy should require additional authorization, particularly where these are not strictly necessary for the provision of service.[26] Likewise, the Draft Guidelines should prohibit particularly invasive practices, such as deep packet inspection and the deployment of intrusive surveillance tools, that undermine the privacy and integrity of online communications.

Finally, while we welcome, in general terms, a requirement for ISPs to publish privacy recommendations for their users, it is important to bear in mind the limitations of such educational initiatives. Working proactively to encourage stronger cyber hygiene is a good move, but it is important that this not detract in any way from the overall responsibility that these companies have to keep their customers safe. Certainly, the existence of these initiatives should not be used to transfer responsibility for personal data protection onto consumers.

6. Recommendations

WIII acknowledges the Institute’s efforts to regulate traffic management and network administration in a way that is respectful of network neutrality principles, as well as the open consultation process that it has conducted to discuss the proposed Draft Guidelines. However, we consider that the Draft Guidelines could be improved through the following changes:

  1. Article 5(III) should be amended so that it defines narrow and specific scenarios under which emergency interventions may be justified, as well as to establish a procedural framework by which government authorities may trigger the implementation of these restrictions.
  2. Article 5(IV) should be deleted.
  3. Article 5(V) should be amended to prohibit ISPs and their commercial partners from incentivizing users to request the limitation, degradation, restriction, discrimination, obstruction, interference, filtering or blocking of specific PACS.
  4. Article 7 should be amended such that zero rating and sponsored services may only be permitted where their positive impact on expanding Internet access to underserved populations clearly outweighs the broader interference with freedom of expression, with the burden of justification resting on the ISPs. They should be targeted as far as possible so that these services are only available to underserved populations.
  5. Article 8 should be amended to clarify that the provision of specialized services should be narrowly limited to those which, due to their exceptional nature, cannot operate through the regular network.
  6. The Draft Guidelines should include enhanced transparency standards, particularly a requirement to publish information regarding specialized and differentiated services before they are offered, as well as detailed information about government requests for user data, and any requests to block or hinder access to particular content.
  7. The Draft Guidelines should include enhanced privacy protections, including requirements for authorization for any network management measures which have the potential to harm user privacy, and prohibitions against particularly invasive practices.

 

This submission was prepared by Michael Karanicolas, Juan Carlos Salamanca Vázquez, Ayesha Khan, and Tomiwa Ilori of the Wikimedia Initiative on Intermediaries and Information (“WIII”). WIII grew out of an ongoing academic affiliation and collaboration between Yale Law School’s Information Society Project and the Wikimedia Foundation. It currently operates as a research program based at Yale which aims to raise awareness of threats to an open Internet, especially those affecting online intermediaries and their users, and to make creative policy suggestions that protect and promote Internet-facilitated access to information.

 


[1] In Spanish, “Anteproyecto de Lineamientos para la Gestión de Tráfico y Administración de Red a que Deberán Sujetarse los Concesionarios y Autorizados que presten el Servicio de Acceso a Internet”.

[2] Universal Declaration of Human Rights art.19, G.A. Res. 217 (III) A, U.N. Doc A/RES/217(III) (Dec. 10, 1948).

[3] International Covenant on Civil and Political Rights art. 19, opened for signature Dec. 19, 1966, 999 U.N.T.S. 171 (entered into force Mar. 23, 1976).

[4] American Convention on Human Rights art. 13, 1144 U.N.T.S. 123 (Nov. 22, 1969).

[5] Human Rights Council Res. 20/8, U.N. Doc A/HRC/RES/20/8 at 1. Reaffirmed in 2018 through H.R.C. 38/L, U.N. Doc A/HRC/38/L.10/Rev.1

[6] The United Nations Special Rapporteur on Freedom of Opinion and Expression, the Organization for Security and Co-operation in Europe Representative on Freedom of the Media, the Organization of American States Special Rapporteur on Freedom of Expression and the African Commission on Human and Peoples’ Rights Special Rapporteur on Freedom of Expression and Access to Information, Joint Declaration on Freedom of Expression and the Internet ¶ 5 (2011), available at https://www.osce.org/fom/78309 (hereinafter “Joint Declaration”).

[7] Catalina Botero Marino, Freedom of Expression and the Internet, Office of the Special Rapporteur for Freedom of Expression Inter-American Commission on Human Rights (2013) ¶ 27, available at https://www.oas.org/en/iachr/expression/docs/reports/2014_04_08_Internet_ENG%20_WEB.pdf

[8] Id. ¶ 25

[9] Joint Declaration, supra note 6.

[10] See, e.g., Yannis Bakos, Florencia Marotta-Wurgler, and David R. Trossen, “Does Anyone Read the Fine Print: Consumer Attention to Standard-Form Contracts”, 43 J. Legal Stud. 1 (2014).

[11] “In accordance with the network neutrality principle, Internet service providers shall refrain from discriminating, restricting, or otherwise interfering with the transmission of Internet traffic, unless such interference is strictly necessary and proportionate to: [...] d) comply with an explicit request from the subscriber, provided that this request is given freely and is not incentivised by the Internet service provider or its commercial partner;” Model Framework on Network Neutrality R. 2 available at http://www.networkneutrality.info/sources.html

[12] Included in art. 7(II) of the Draft Guidelines, zero-rating services are those in which ISPs provide customers access to specific PACS at zero cost.

[13] Included in art. 7(I) of the Draft Guidelines, sponsored services are those in which PACS, through an agreement with an ISP, sponsor internet customers’ access to their application, content or service so that they can access it at zero cost. Sponsored services are a subclassification of zero-rating services, where the PACS covers the cost.

[14] Arturo J. Carrillo, Having Your Cake and Eating it Too? Zero-Rating, Net Neutrality and International Law, 19 Stan. Tech. L. Rev. 367 (2016) (hereinafter “Zero-Rating, Net Neutrality and International Law”).

[15] Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, Report for 35th Session on the role of digital access providers. ¶ 26, U.N. Doc A/HRC/35/22 (Mar. 30, 2017)

[16] Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, Supplementary Material Accompanying the Thematic Report. ¶ 46, U.N. Doc A/HRC/35/22/Add.4 (May 22, 2017)

[17] Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, Report for 32nd Session on Freedom of Expression, States and the Private Sector in the Digital Age. ¶ 49, U.N. Doc A/HRC/32/38 (May 11, 2016)

[18] Human Rights Council Res. 32/13, U.N. Doc A/HRC/RES/32/13, at operative par. 5 (Jul. 18, 2016)

[19] Zero-Rating, Net Neutrality and International Law supra note 14.

[20] Sections 40-48, Article 3(3), BEREC Guidelines on the Implementation by National Regulators of European Net Neutrality Rules, BoR (16) 127, August 2016, available at https://berec.europa.eu/eng/document_register/subject_matter/berec/regulatory_best_practices/guidelines/6160-berec-guidelines-on-the-implementation-by-national-regulators-of-european-net-neutrality-rules.

[21] Draft Guidelines art. 2(VII).

[23] Regulatory Framework on Net Neutrality, Section 3.3, Dept of Telecommunications of India (2018), https://dot.gov.in/sites/default/files/DoT%20Letter%20on%20Net%20Neutrality%20Regulatory%20Framework%20dated%2031%2007%202018_0.pdf?download=1.

[24] Adi Robertson, India just approved net neutrality rules that ban ‘any form’ of data discrimination, The Verge, (Jul. 11, 2018) https://www.theverge.com/2018/7/11/17562108/india-department-of-telecommunications-trai-net-neutrality-proposal-approval

[25] These Principles represent areas of consensus reached among U.S. net neutrality experts during the Net Neutrality Experts’ Roundtable Series. Net Neutrality Principles, Internet Society (2019) https://www.internetsociety.org/resources/doc/2019/net-neutrality-legislation-a-framework-for-consensus

[26] In terms of the LFPDPP, ISPs could include some of these practices in their privacy notices as secondary purposes that knowledgeable and aware users would be able to reject, but that would be accepted disproportionately by users with a poor understanding of the implications of such privacy invasions.