Henning Schulzrinne: So I’ve been involved in the Internet technical community since the early 90s. So primarily in my academic role as faculty at Columbia and previously as a researcher at Bell Labs and a German research lab here in Berlin, actually. And secondly, more recently as a staff member of the Federal Communications Commission. And so in that role I’ve been participating in traditional academic research primarily in the networking realm, but also working within primarily the Internet Engineering Task Force on standards development for Internet applications, primarily real-time applications.

Intertitle: Describe one of the breakthrough moments or movements of the Internet in which you have been a key participant.

Schulzrinne: The topics I have worked on probably the most are as I said the real-time Internet applications on voice over IP and real-time streaming applications. So voice over IP, delivery of phone calls over the Internet. And that led to a number of political developments that are now fairly commonly used in the industry. So this is the Real-time Transport Protocol that transports audio and video content across networks. And now it’s often used for audio and video on telephony within enterprises but also increasingly on the wide areas. So there’s a number of voice over IP providers as well as what are known as 4G, or voice over LTE, systems that use that type of technology.

And then a corresponding protocol that is used to control the session, the Session Initiation Protocol, SIP, that’s commonly used again in the enterprise space. Many of your new IP PBXs that are used as kind of your desktop phones in offices, they typically use that, as again on mobile phone carriers, as part of the Internet Multimedia Subsystem, IMS, in that.

I’ve also worked on a number of applications in public safety, in how do you support emergency calls such as 112 or 911 in a new all-IP environment.

Intertitle: Describe the state of the Internet today with a weather analogy and explain why.

Schulzrinne: It’s really hard to answer that in generalities because the Internet has become such a diverse ecosystem. And it’s probably much more productive to think of it as not like a single entity but again, like an ecosystem, where parts of the ecosystems are quite healthy, and others…not so much. So, let me try to just give a few examples of that. Because we’re now seeing really that when we talk about the Internet we’re really talking about two somewhat separate things: the technology, and the global infrastructure.

The technology, namely the protocols and other software artifacts and so on that use Internet protocols but may not actually be used on the Internet. They may be used in private networks, in data centers, in enterprises, in homes, without necessarily touching the Internet. I think that development has been robust and continues to progress pretty rapidly, where the major problems are probably in terms of robustness and reliability, and security-related problems as well. But the technology seems to be able to keep pace with demand.

The other one is the Internet as a network that you connect to, exchange data on, communicate with other people on. And that again…I think that in many countries and many regions, things are moving ahead quite nicely. Speeds are improving, the availability on mobile devices is dramatically increasing. But we also have simultaneous challenges. Just to name a few, again the security challenges that increasingly make it difficult particularly for individuals and small businesses to know what information is truly secure and private, what their bank account or their private data, medical data is at risk. And also at a larger scale for enterprises, being exposed to theft of their intellectual property—and I’m not talking about music here and videos climb, primarily. I’m talking here about blueprints, and chemical formulas, and customer lists, and all the other things that companies maintain private in order to maintain their competitive position. That I think is a major challenge simply because it doesn’t seem possible for ordinary individuals to keep up with the deficiencies in both protocol design and implementation to have reasonable certainty that the tools they use won’t be used against them.

There’s also about more larger-scale challenges, namely the suppression of Internet freedoms in a number of countries. Issues of privacy. How do we balance free access to information and services on mobile devices with my desire to maintain private information as private.

Intertitle: What are your greatest hopes and fears for the future of the Internet?

Schulzrinne: Let me talk about security as one. First of all I think it’s important that I don’t want to just fall into the trap to say the Internet is insecure, because that’s not really a helpful statement. It doesn’t differentiate enough between the various components. Because I would look at that in pieces, namely one piece is the underlying technology; the second piece is the implementation—software primarily and hardware to some limited extent; and thirdly the operational practices. And there are problems in all areas but they’re very different problems.

I think there generally has been for at least a decade a fairly profound awareness on the design and engineering side that A, you need to design protocols for a hostile environment, and we have reasonable ideas on how to do that. I would say that at least most protocols that have been designed somewhat recently or have been enhanced recently all have good to acceptable security mechanisms built in. So it is not so much a problem that Internet protocols are insecure, though there are some that certainly could use strengthening, particularly in the routing side and again on the access side more in the LAN protocols.

But the other areas are far less encouraging, namely in the implementation side we seem to have difficulty on two counts, namely A, routinely we’re designing reliable systems (software engineering) often because it is not immediately obvious when something is insecure (since it works just fine) until somebody attacks it.

And secondly on how to test it and how to deincentivize people from building insecure systems. Currently, there seems to be a problem that many software developers, particularly smaller ones but certainly not limited to those, seem to have difficulty…I don’t know if it’s an engineering problem or a management problem, to put enough resources into creating secure systems. Designing by good engineering practices, testing, and in particular relying not just on internal testing but also on external testing. We are used to in other areas where safety and security are at stake— Think of vehicles or electric toasters. We have certifying bodies because we don’t want to rely on the manufacturer themselves, as diligent as they may be, to completely trust them that they will know whether they did a good job. So we have entities like the Underwriters Laboratory for electrical equipment, the TÜV in Germany and other countries for safety, on just about anything, whether it’s elevators or cars or umbrellas, that have any type of even remote security or safety implication. We don’t do that for software and it is fairly obvious that that isn’t really working.

Just to give you one example that I’ve encountered in my work, in my current line of work. In the United States we have a system called the Emergency Alert System, EAS, which is used to alert TV viewers on imminent threats to life or property. So think storms, or flash floods, tsunamis, all of those. So every TV station and cable system is obligated to have a device that allows a public safety authority to submit a request to send out a broadcast saying to take cover, to take appropriate action. So it’s obviously very important that this is a reliable system.

Until maybe five years ago, these systems were not connected to the Internet at all. There were some master stations that would broadcast it and then they would retransmit it down the line. More recently for convenience and operational purposes, they have designed systems that use Internet-connected devices.

Recently in the past five years, these TV stations have for convenience and operational efficiency’s sake installed boxes that connect on one side to the Internet, and on the other side intercept the TV signal so that they can inject a crawler on the bottom of the screen, and audio into the TV signal, because emergencies could happen any time, even when there is no engineer on staff, for example.

Well unfortunately, these are fairly specialty devices and whoever designed those didn’t do a whole lot of testing. They violated just about every guideline known for designing secure systems, so what happened was somebody discovered you could search for those—you could Google them on the Internet. You just searched for the logging string. And then they used a default password which you could also easily Google just by looking at the manual. And they then injected in about a dozen TV stations, primarily smaller TV stations, a fake emergency alert about zombies emanating from the ground and that the population should take cover.

Obviously kinda funny the first time around, but could easily be misused. So in our case this happened just before the State of the Union address of the president of the United States Senate, so there was grave concern that somebody would use that to sow panic like report a false terrorist attack that would occur.

And so that was an example where somebody had designed a system not thinking that these would be connected to the Internet, that people would not change the default password, and that there would be no other security protections in place. And there’s many of these smaller systems—these could be home routers, it could be electric meters, it could be car systems, where there doesn’t seem to be a true appreciation as to the dangers that could occur if somebody gets access to those. And we don’t seem to have a good way of dealing with that.

The third aspect, I’ll briefly talk about the operational aspect as the third consideration, is it used to be that many computing systems—or most of them, probably—were operated by trained system administrators that at least had some professional awareness. Their skill level probably varied, but at least many that worked in that field had education in computer science or maybe even some security training. But nowadays, many if not most computers are operated by individuals that have no technical training whatsoever, and they shouldn’t have. And this is true for home networks, it’s true for small business networks—I mean your dentist, your baker type of thing. Everybody has a computer, generally connected to the Internet. Like your doctor’s office probably has one for electronic medical records. And none of those are operated by a trained system administrator. So it is very easy for these amateurs to make mistakes in operating those type of systems.

Again, we’ve designed systems not really well anticipating the kind of users that would really use them, thinking that they would—or maybe not even thinking—that they would be used in the same way that they were in the 1980s and 1990s.

That doesn’t mean we should train everybody to be a system administrator. That just doesn’t work. We need to design systems that are secure out of the box. You just can’t make them insecure without a lot of effort. And we haven’t really succeeded and that’s been far too difficult. The type of technologies that people use like passwords and so on are becoming increasingly user unfriendly. And they’ve become increasingly unmanageable. And that’s what I see as one of the challenges now to make it easy to both build secure systems, and to operate secure systems.

One particular one is that the barrier to entry to creating new businesses, new content, has dropped dramatically. In the last decade or so it is now possible for a much wider variety of individuals to not just consume content— You could always do that—radio, TV, and all that have existed for a century. But you have now the possibility that ordinary individuals without a large budget or maybe even large deep technical skill sets could create very interesting content of all kinds. So just examples, the Khan Academy for training materials. Individual small local groups that could distribute videos. Web sites and web applications that could be built. Apps on smartphones. All of those are now accessible to many more individuals than they were even a relatively short while ago. And that I think has probably been the greatest enabling capacity of the Internet, not so much just as a distributor of high-cost, highly-produced content. That’s always been available. But as a means for distributing low-cost, low-effort—much more democratic if you like—content, both for cultural as well as just plain business uses, as well as educational.

Intertitle: Is there action that should be taken to ensure the best possible future?

Schulzrinne: One of the things I’ve been involved in now in the Federal Communications Commission is to ensure an open Internet. Namely, almost by physical design not everybody— Well, everybody can, or most everybody can create content and applications. It is very difficult for most people to operate their own network. You just can’t string your own fiber or run your own cell towers. And so the number of operators in almost every country in a particular region tends to be very small; a handful, even if you count wireless operators. Typically you have your copper-based provider, your fiber or coax-based provider, and then maybe a small number—three or four—wireless operators, cell operators.

Because of the cost, billions of dollars to build a network, we can’t really rely purely on competition to ensure that users have access to legal content that they want to get access to, create content that they want to create, because in some cases both for content that they want to access and for content that they want to create, may well compete with other business ventures that a network provider has. Most of the network providers, at least in the US for example, also distribute their own video content. They may have applications of their own. They certainly have had voice applications, for example. That’s very common for almost every network operator. And so they have incentives to give themselves an advantage in order to compete with other providers of content and applications.

So I believe it continues to be important to have rules and mechanisms in place so that providers cannot discriminate against providers of applications and content, because in many cases that is essentially our primary means of accessing information of all kinds. That remains a long-term challenge, how to do that in ways that doesn’t unduly interfere with expansion of a network, doesn’t unduly increase cost. So in the US we have found, as one current mechanism, the FCC Open Internet Order, which spells out some of the conditions kind of at a high level how that should work out. But other regions and countries such as Europe are still trying to find their way to find that balance.

Intertitle: Is there anything else you would like to add?

Schulzrinne: One of the other challenges that I see is as the network has become in both good ways and bad ways a commodity, namely we all rely on it, it’s something that we notice mainly when it’s not around as in, “I can’t get Internet access. What’s going on here?” We expect it in every hotel and every airport, certainly in most homes, schools, wherever. One of the things that is I think in some danger is a robust research infrastructure. If you look at many of the major providers of hardware and software and services, used to all have significant-sized research labs.

Just to give you one example that I heard recently, Nokia—obviously primarily they would both do network infrastructure and handsets—used to have 600 researchers in their lab. They’re now down to sixty. Verizon in its previous incarnations used to have large research labs in multiple different facilities that did not just short-term but long-term research through their Bell Atlantic and other research labs facilities. Telcordia, the same thing. They all used to have long-term research. They’ve largely discontinued that. There’s only really a relatively small number of companies that still do networking-related research that has more than just a six-month time horizon.

Universities continue to develop as a vibrant research community. But it can’t be universities by themselves. Particularly because for a variety of reasons funding is no longer nearly as available as it used to be, both funding through governments as well as because of the downsizing of corporate research activities, funding available through corporate sponsorship. If we don’t have a vibrant research community, the problems that I alluded to earlier—security, accessibility, the usage for content creation, will all suffer. We won’t notice it because we won’t notice directly; we won’t notice what we’re missing since we don’t see it. But if we don’t do that, I think it will be much harder to solve those problems, because in many ways, those type of research efforts have often created artifacts that were widely distributed, had low cost to acquire, which means lots of people could use those and adopt them. They tended to be non-proprietary. There tended to be an emphasis on making sure that it was available. And if you don’t have that anymore, if you just have very small-scale, venture capital-style research going on, we’re missing out on something.

I think it’s partially the competitive pressures. Namely research, almost by its definition, doesn’t just accrue benefits to whoever does it. It’s really hard to keep research secret so that nobody else benefits. You can do that in some areas such as pharmaceuticals, where the output is a single drug that is easily patented and you have a twenty-year protection horizon on that and it’s very difficult for somebody else to replicate exactly that prescription drug.

But if you look at networking or computer science research in general, most of the ideas you generate are…they’re hard to contain. They just distribute themselves, so to say, through students, through publications, and all the normal mechanisms—which is a good thing. We want that to happen. But from a purely local economic optimization mechanism, it’s easy to say, “Hey, somebody else should do the research. I just get the benefit.” But if everybody does that, you don’t get any research done anymore.

And in the old days, we always had, and this was like more an accident than anything else or any planning, we either had a strong government funding which isn’t concerned about those issues and they don’t really care, except maybe on a national level as to who benefits from research. Which in itself is a problem when you have now some people say, “Well, let the other countries—” this is in the US, “Let the other countries do the research and we’ll just basically build the stuff.” Or we just do shorter-term development work.

The other problem, or the other issue, is that in those environments you don’t really have a set of people who can continue to do that research, because some of the areas have become kind of the go-to areas. Big data, say graphics in some cases. So we don’t have quite the same student population that we had available. It’s partially also because there aren’t as many research jobs out there that people in the industry would go to. I mean, people don’t have— When they start a master’s or PhD program, they want to have some assurance that they will find a job afterwards, and industrial research was often a very attractive destination because people recognized that only a very small fraction could become faculty so what else are you gonna do? And industrial research offered an opportunity for a creative outlet and so on. So that is this kind of feedback loop that’s not working very well right now, and it’s not clear how we can get out of this, given that government funding in general for research both in Europe and the US isn’t increasing, to put it very politely. And we have a separate decrease which then diminishes the supply of talented students who want to participate in that research.

Further Reference

Henning Schulzrinne profile, Internet Hall of Fame 2013
