The second-class internet? You're soaking in it

Forget about net neutrality and balkanisation; Lenovo's Superfish idiocy proves that we already have a dual-class internet -- and most of us are proles.
Written by Stilgherrian, Contributor

Back in mid-2011, a bunch of American cyberguys -- sorry, a group of former and then-current US national security officials and analysts -- promoted the idea of creating a separate, new internet to improve security for critical services such as banking. Some even suggested creating a ".secure" top-level domain, accessible only if you had certified digital credentials and signed away all of your privacy rights.

The supporters of these ideas included former CIA director Michael Hayden, then-NSA director General Keith Alexander, and others attending a round table on cybersecurity at the Potomac Institute for Policy Studies.

James Mulvenon, a China and cybersecurity specialist with intelligence analysis firm Defense Group Inc, noted that countries with fewer civil liberties, such as China, could use deep packet inspection to monitor private network traffic for nasties in a way that American privacy laws didn't allow. That could be giving them an edge when it came to cyberdefence.

Mulvenon proposed a three-tiered internet. "If you want to do banking, there's no anonymity," Nextgov reported him as saying. It'd be real names, digital credentials, and pervasive surveillance all the way. The middle level would require fewer personal details from users, and that's where the .edu domain might operate, he said. "At the bottom, you can run around like a hobbit."

Those proposals didn't really go anywhere. San Francisco-based Artemis Internet Inc had been hoping to register the .secure domain, but ended up in competition with Amazon, as well as embroiled in controversy. Artemis withdrew and went with .trust instead, leaving the field clear for Amazon.

In the second half of 2013, following Edward Snowden's revelations, we started to see suggestions that the internet might be split another way: A country-by-country or region-by-region balkanisation to avoid surveillance by other nations.

As The Guardian reported in November 2013, Germany and Brazil began encouraging their regional online traffic to be routed locally rather than through the US. If other countries followed, and if they backed up their encouragement with laws, the US cloud computing market could stand to lose tens of billions of dollars in future revenue, according to one report. Watch this space.

The net neutrality debate represents a third way in which the internet might be split. Rather than the neutral approach of treating all internet traffic equally, there could be fast and slow lanes, priced accordingly.

Thursday's decision by the US Federal Communications Commission now makes net neutrality the law in that country, at least. There's nothing stopping the countries that make up the other 96 percent of the world's population from making their own rules for traffic within their own borders.

All of those examples are theoretical.

But look at Lenovo's recent issue with the Superfish software -- which inserted advertising into users' web browsing sessions -- introducing a nasty, nasty security vulnerability in the process. Doesn't this show that we already have a two-tier internet?

Our internet experience is already split into two classes, "enterprise" and "consumer". Enterprise users get to use endpoint devices that are properly secured, and vendors work hard to keep it that way -- provided you've got more than 500 or 1,000 employees. Consumers, on the other hand, get whatever they're handed. Their data and communications are mere fodder for whatever commercial interests the vendor might have.

Lenovo's original tone-deaf statement on the Superfish matter included a telling paragraph.

"In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks. The goal was to improve the shopping experience using their visual discovery techniques," it said.

Lenovo went on to stress that Superfish's software wasn't anywhere in its enterprise devices -- let's face it, it wouldn't dare. But in order to "improve the shopping experience" -- because that's what consumers do, right? -- it thought it was perfectly fine to fiddle with the content of other organisations' web pages and give users something other than what they'd requested.

Is the word "arrogance" adequate to cover this sort of behaviour?

It sounds to me like if Lenovo were a car company, you'd start driving to your mother's house, but before you even got to the end of your street, the car would have decided to take a detour, pick up a few of its mates, and head out for pizza.

Lenovo is far from being the only example, of course. Do I need to list them?

Many of the sci-fi dystopias of the 1970s imagined the creation of a two-tier society, with one level for corporations and governments in an all-too-close alignment, and the other an endless advertising-riddled shopping mall for the proles. Well, it's already here.

Updated at 9.46am AEDT, March 2: Added information on Artemis' withdrawal from the competition for .secure.
