How encryption threatens mobile operators, and what they can do about it

Encrypted traffic threatens operators' efforts to protect the consumer experience and create potential new business models. What can they do about it?

This story has several starting points. You could choose major entry points like debates around net neutrality, user data privacy and security, operator data monetisation and the pros and cons of developing quality-based personalised service offers.

The jumping off point I have chosen is a conversation I had, back in the autumn last year, with Vasona Networks, a company that provides edge-based capacity management. That means it has software that allocates capacity based on which applications are calling for resources on the radio link.

THE SET UP – THE VASONA EXAMPLE

Vasona’s general pitch (and I hope they’ll forgive me for the crude reductionism) is that centralised optimisation platforms are blunt and unwieldy in the face of fluctuating demand at the edge of the network. For instance, an operator may heavily compress certain types of video at all times. Doing that for all users in all cells, congested or not, is a clumsy and often ineffective use of resources. Why not give users higher resolution video when the network can support it, rather than always limiting the experience?


Vasona’s John Reister tells me that the company’s SmartAir platform provides operators with a new sort of edge-based, or cell-based, optimisation that can allocate radio resources on a cell-by-cell basis, so that applications can be optimised to local conditions. This adapts bandwidth resources to the actual needs of the customer, and the actual conditions in a cell at any one time. You can’t do that if you set up a rule on a server that optimises all content of a certain type no matter what.

ENCRYPTION FRICTION

Reister adds that a further driver for edge-based adaptation is that operators’ current optimisation platforms cannot see encrypted content, which renders the normal processes they use to optimise content unworkable. That is a problem because an increasing share of content, indeed of data traffic of all types, is encrypted, especially traffic from the big social network, application and video providers.

Why is this? Analyst Dean Bubley of Disruptive Analysis, says there are several reasons for the increasing amount of encrypted traffic, ranging from perceived threats to data privacy, to the move towards default-crypto in HTTP2 with protocols such as SPDY, to Google ranking https pages more positively.

Bubley outlines the following list of encryption protocols and sources that we will see hit networks: “SPDY, HTTPS, QUIC – plus also BlackBerry, Microsoft, Opera & others running proxies, Enterprise VPNs, personal VPNs, TOR etc; Anything that combines multiple streams & flows into a single one to minimise concurrent connections. WebRTC is encrypted too,” he adds.

Bubley considers that encrypted traffic is already at 50% on some networks, and heading north.

Yoav Shay Daniely, Director of Product Management at Flash Networks, says, “User generated content is becoming increasingly popular and commands a huge amount of web traffic. As a result the need for secure content is growing and as such encrypted HTTPS data is on the rise.” According to Daniely, HTTPS encryption is being favoured as content providers can gain a higher degree of control over the data passing through their sites.

Daniely says that as it stands less than 1% of websites currently utilise HTTPS encryption. The issue is that those 1% include the likes of YouTube, Facebook, Twitter and WordPress.


WHY ENCRYPTION MATTERS TO OPERATORS

To date, mobile operators have often interceded in the delivery of data over mobile networks and to mobile devices. To put it simply, the video you watch on your phone screen, say over an HSPA connection, may have been transrated to a lower bit-rate suited to network conditions, and/or been transcoded to a codec your device can support.


To do this, operators need to know what video traffic is going across their network, where it is headed, and if they need to do anything to it to meet either network or device conditions. They may also want to know about the traffic to try and do some “monetisation” around it – current or potential – or to apply QoS or policy rules.

However, encrypted traffic makes that harder to do and, although operators are loath to acknowledge it publicly, is causing them problems.

The CTO of one (very) major vendor says, “There’s a tug of war right now between operators and OTT encryption. Google’s SPDY protocol is an IETF standard that is meant to provide a better service between endpoints – but it doesn’t consider the network. In the mobile network you have different needs and you need to be able to optimise because of the resources you have. We are working with a number of technologies to be able to keep doing that so even if the payload is encrypted the knowledge about what kind of traffic it is will be open.”

Daniely adds, “The problem lies in the fact that encrypted traffic is now being hidden to operators. Therefore, the move to HTTPS means that there is a lack of data transparency between the content providers and operators.

“This lack of transparency means that operators and platforms are unable to fulfil essential tasks such as optimisation, acceleration and analytics.”

Another optimisation company, Openwave Mobility, is also considering the effects of encryption on its systems. It wrote to TMN: “In environments today each operator has made significant choices to facilitate the delivery of media-rich content from the basics of investing in higher speed network, to caching, transport optimisation, content and delivery optimisation techniques. In addition some operators have considered offering differential limits on video versus non video consumption for data plans. If the environment goes ‘Dark’ then operators lose the leverage to meter what is happening and optimise their network; the possibility of going ‘Dark’ is illustrated by YouTube App version 5.7 on Android using secure access in unregistered user/non-member browsing.”

Analyst Patrick Lopez of Core Analysis confirms the issue for operators, and also that it goes beyond video optimisation.

“Encrypted traffic (be it SSL, HTTPS or SPDY) is a problem for all network operators and is a very real threat to their business model. Encrypted traffic impairs the following network functions:

Firewall (network and web application)
Security (DDoS detection…)
WebRTC gateway
TCP proxy
Ad and header insertion
DPI, network probes
Web and video optimisation
DNS cache, NAT
SIP proxy

“Essentially, when traffic is encrypted, the network cannot inspect, protect, prioritise, optimise or load balance it effectively. While encrypted traffic was a relatively low incidence in mobile networks until this year, with HTTP 2.0 standardisation progress and the adoption of Google’s SPDY as a possible underlying protocol, mobile networks have seen encrypted web traffic grow from 2-5% to 30-35% of the overall traffic. In some countries, it amounts to up to 50% of the data traffic. For video specifically, the proportion is much less, as only portions of YouTube get encrypted (depending on the device used) and all of Netflix.”

WHAT SHOULD OPERATORS BE DOING ABOUT IT?

You can put responses to this into two camps – technical and social/commercial. The latter is really code for operators and app and content providers coming to an understanding to let operators intermediate between the consumer and the provider.

Here’s Openwave Mobility on some possible solutions:
“In the short term they [operators] can invest in transport optimisation – TCP optimisation techniques for mobile networks; in the medium term they can look to establish relationships with both the content provider and the end user for encrypted access (SSL). From the perspective of a good user experience – this is a win-win-win scenario; a win for the user as they see the content they want – fast, a win for the content provider as they can be ensured that their brand is not affected by mobile delivery and a win for the operator because they can manipulate content for changing radio conditions.”

There is a perception that this is a possible invasion of privacy and that the content providers don’t need to care, but Openwave expresses the following three responses:

“[a] Most users trust their operator and may agree to SSL interception if the service avoids buffering; but essentially users should be offered a choice

[b] The world is going mobile; if the content provider wants their content to have the eyeballs of the user outside of Wifi hotspots they have to care about how it is encoded and transported. Some content providers/CDN can have more closely coupled relationship with the operator – which can allow for optimisation over SSL

[c] The use of encryption is being applied to imply privacy – when it is really only as secure as the end point you are talking to; most users trust their operator and operators trust their users – this is an extension.”

So optimisation, Openwave Mobility says, can be applied in an SSL environment as long as the trust relationship, privacy policy and benefit are made clear. In practice that means the handset must trust a certificate authority run for the proxy, so that the operator, rather than the content provider, terminates the user’s TLS session and sees the plaintext.

Lopez of CoreAnalysis outlines several initiatives along the lines Openwave Mobility proposes –  all intended to try and reduce the impact on networks.

“1. Network operators have been collaborating with content providers (increase in Facebook, Whatsapp, Netflix, YouTube partnerships with network operators) in order to make sure that traffic is either not encrypted or has enough unencrypted metadata (headers, manifests…) to enable correct management.

2. The Open Web Alliance has been formed earlier this year to introduce a proposal at IETF to create a new web entity, the “trusted proxy” which would request explicit subscriber’s authorisation to decrypt encrypted content in order to be able to manage it and to increase user experience.

3. Vendors are coming with solutions enabling either collaborative approach (explicit traffic mediation and agreement between content providers and network operators) or assertive approach (traffic decryption without agreement from content provider).

4. Network operators have treated encrypted traffic with traffic shaping rules, mostly either throttling or capping based on the traffic’s origin.”
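The vendor CTO’s remark earlier (“even if the payload is encrypted the knowledge about what kind of traffic it is will be open”), Lopez’s point 1 about unencrypted metadata and his point 4 about shaping by origin all rest on the same fact: a TLS connection announces the destination hostname in the clear, in the Server Name Indication (SNI) extension of the ClientHello, before any key exchange happens (in TLS 1.2 the server’s certificate is also sent in the clear). The Python below is an added example written for this page, not code from Vasona, Openwave, Flash Networks or any operator. It builds a minimal ClientHello from a constructed hostname, parses the SNI back out the way a passive DPI probe on the Gi/SGi interface could, and maps it to a policy class through a hypothetical lookup table (the `*.example` suffixes are placeholders, not real services). It also shows the limits: an application-data record, a ClientHello without SNI, or a truncated packet yields nothing, and even a successful parse reveals only the hostname, never the URL path, the bitrate or the bytes of the video, so the transrating and transcoding described above remain impossible without decryption.

```python
"""
Added example: what a mobile network's DPI can still learn from a TLS flow
without decrypting it, and what it cannot.  Hostnames and the class table are
constructed for this illustration; nothing here is captured traffic.
"""
import struct
from typing import Optional


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a capture).

    hostname=None produces a ClientHello with no extensions block at all, the
    shape an old client without SNI support would send.
    """
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + bytes(32)                              # client random (zeroed for the example)
        + b"\x00"                                # session_id length: 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                            # compression methods: null only
    )
    if hostname is not None:
        host = hostname.encode("ascii")
        # server_name extension: ServerNameList = [ name_type(0) | len | host ]
        sni_list = b"\x00" + struct.pack("!H", len(host)) + host
        sni_ext_body = struct.pack("!H", len(sni_list)) + sni_list
        sni_ext = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    # Handshake header: msg_type 1 (ClientHello) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 (Handshake), legacy version 3.1, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None.

    None covers everything a passive probe cannot read: a non-handshake record
    (e.g. application data, type 23), a handshake that is not a ClientHello,
    a ClientHello without SNI, or a truncated packet.
    """
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                                      # handshake header, version, random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        if pos + 2 > len(hs):
            return None                                       # no extensions at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_body_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext_body = hs[pos:pos + ext_body_len]
            pos += ext_body_len
            if ext_type != 0x0000:                            # 0 = server_name
                continue
            list_len = struct.unpack("!H", ext_body[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext_body[p]
                name_len = struct.unpack("!H", ext_body[p + 1:p + 3])[0]
                name = ext_body[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:                            # host_name
                    return name.decode("ascii", errors="replace")
        return None
    except (IndexError, struct.error):
        return None


# Hypothetical operator policy table (an assumption of this example): suffix -> class.
# A real deployment would be built from names observed on the operator's own network.
TRAFFIC_CLASSES = {
    "video.example": "video",
    "social.example": "social",
    "vpn.example": "vpn",
}


def classify(record: bytes) -> str:
    """Map a flow's first record to a policy class using only cleartext metadata."""
    sni = extract_sni(record)
    if sni is None:
        return "unknown"          # no SNI visible: nothing to key a per-service rule on
    for suffix, cls in TRAFFIC_CLASSES.items():
        if sni == suffix or sni.endswith("." + suffix):
            return cls
    return "other"


if __name__ == "__main__":
    samples = {
        "video client": build_client_hello("cdn.video.example"),
        "social client": build_client_hello("api.social.example"),
        "legacy, no SNI": build_client_hello(None),
        "application data": b"\x17\x03\x03\x00\x05hello",   # constructed encrypted payload
    }
    for label, rec in samples.items():
        print(f"{label:17s} sni={extract_sni(rec)!r:22s} class={classify(rec)}")
```

Classification by SNI is what shaping “based on the traffic’s origin” in point 4 amounts to in practice. It keys only on the name, so it breaks as soon as the client hides it (an enterprise or personal VPN, where the only SNI visible is the gateway’s, or the later Encrypted Client Hello work), and it says nothing about what is inside the flow: a video and an API call to the same hostname look identical to this parser.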

However, some think it’s too late for operators to interpose themselves between customer and service provider – even for the supposed benefit of all. The relationship required to generate that trust is broken. Disruptive Analysis’ Bubley goes so far as to state that operators have abused their “network privilege” to indulge in “non-consensual activities which mess with users’ or app/content companies’ reasonable expectations of unmodified / filtered data”. The knock-on effect is that key potential partners feel their trust has been abused.

“Unfortunately, while some of these actions can be seen as benefiting users indirectly, others have been covert, unsolicited and solely for the gain of the MNOs – as well as implicitly representing a security vulnerability in some cases. It is unsurprising that the web and app communities are unwilling to consider “trusted proxies”, firstly as there’s a general dislike of proxies, and secondly because that trust has been abused in the past.”

CONCLUSION

Encryption is increasing, and will increase further as HTTP 2.0 standards roll out. As the share of encrypted traffic grows, operators may be forced to think about how they interpose themselves in the relationship between users and their content, data and apps. There are technical and political moves afoot to achieve this. The issue is, can operators retain the service levels users want without doing that?

Comments


[…] Dyer, from The Mobile Network, did an excellent job on his piece on this topic. He got really good inputs from the interviews he conducted, like this one from the […]
