Henning Schulzrinne: So I’ve been involved in the Internet tech­ni­cal com­mu­ni­ty since the ear­ly 90s. So pri­mar­i­ly in my aca­d­e­m­ic role as fac­ul­ty at Columbia and pre­vi­ous­ly as a researcher at Bell Labs and and a German research lab here in Berlin, actu­al­ly. And sec­ond­ly, more recent­ly as a staff mem­ber of the Federal Communications Commission. An so in that role I’ve been par­tic­i­pat­ing in tra­di­tion­al aca­d­e­m­ic research pri­mar­i­ly in the net­work­ing realm, but also work­ing with­in pri­mar­i­ly the Internet Engineering Task Force on stan­dards devel­op­ment for Internet appli­ca­tions, pri­mar­i­ly real-time applications. 

Intertitle: Describe one of the break­through moments or move­ments of the Internet in which you have been a key participant.

Schulzrinne: The top­ics I have worked on prob­a­bly the most are as I said the real-time Internet appli­ca­tions on voice over IP and real-time stream­ing appli­ca­tions. So voice over IP, deliv­ery of phone calls over the Internet. And that led to a num­ber of polit­i­cal devel­op­ments that are now fair­ly com­mon­ly used in the indus­try. So this is the Real-time Transport Protocol that trans­ports audio and video con­tent across net­works. And now it’s often used for audio and video on tele­pho­ny with­in in enter­pris­es but also increas­ing­ly on the wide areas. So there’s a num­ber of voice over IP providers as well as what are known as 4G, or voice over LTE, sys­tems that use that type of technology. 

And then a cor­re­spond­ing pro­to­col that is used to con­trol the ses­sion, the Session Initiation Protocol, SIP, that’s com­mon­ly used again in the enter­prise space. Many of your new IP PBXs that are used as kind of your desk­top phones in offices, they typ­i­cal­ly use that, as again on mobile phone car­ri­ers, as part of the Internet Multimedia Subsystem, IMS, in that. 

I’ve also worked on a num­ber of appli­ca­tions in pub­lic safe­ty, in how do you sup­port emer­gency calls such as 112 or 911 in a new all-IP environment. 

Intertitle: Describe the state of the Internet today with a weath­er anal­o­gy and explain why.

Schulzrinne: It’s real­ly hard to answer that in gen­er­al­i­ties because the Internet has become such a diverse ecosys­tem. And it’s prob­a­bly much more pro­duc­tive to think of it as as not like a sin­gle enti­ty but again, like an ecosys­tem, where parts of the ecosys­tems are quite healthy, and others…not so much. So, let me try to just give a few exam­ples of that. Because we’re now see­ing real­ly that when we talk about the Internet we’re real­ly talk­ing about two some­what sep­a­rate things: the tech­nol­o­gy, and the glob­al infrastructure. 

The tech­nol­o­gy, name­ly the pro­to­cols and oth­er soft­ware arti­facts and so on that use Internet pro­to­cols but may not actu­al­ly be used on the Internet. They may be used in pri­vate net­works, in data cen­ters, in enter­pris­es, in homes, with­out nec­es­sar­i­ly touch­ing the Internet. I think that devel­op­ment has been robust and con­tin­ues to progress pret­ty rapid­ly, where the major prob­lems are prob­a­bly in terms of robust­ness and reli­a­bil­i­ty, and security-related prob­lems as well. But the tech­nol­o­gy seems to be able to keep pace with demand. 

The oth­er one is the Internet as a net­work that you con­nect to, exchange date on, com­mu­ni­cate with oth­er peo­ple on. And that again…I think that in many coun­tries and many regions, things are mov­ing ahead quite nice­ly. Speeds are improv­ing, the avail­abil­i­ty on mobile devices is dra­mat­i­cal­ly increas­ing. But we also have simul­ta­ne­ous chal­lenges. Just to name a few, again the secu­ri­ty chal­lenges that increas­ing­ly make it dif­fi­cul­ty par­tic­u­lar­ly for indi­vid­u­als and small busi­ness­es to know what infor­ma­tion is tru­ly secure and pri­vate, what their bank account or their pri­vate data, med­ical data is at risk. And also at a larg­er scale for enter­pris­es, being exposed to theft of their intel­lec­tu­al property—and I’m not talk­ing about music here and videos climb, pri­mar­i­ly. I’m talk­ing here about blue­prints, and chem­i­cal for­mu­las, and cus­tomer lists, and all the oth­er things that com­pa­nies main­tain pri­vate in order to main­tain their com­pet­i­tive posi­tion. That I think is a major chal­lenge sim­ply because it does­n’t seem pos­si­ble for ordi­nary indi­vid­u­als to keep up with the defi­cien­cies in both pro­to­col design and imple­men­ta­tion to have rea­son­able cer­tain­ty that the tools they use won’t be used against them. 

There’s also about more larg­er-scale chal­lenges, name­ly the sup­pres­sion of Internet free­doms in a num­ber of coun­tries. Issues of pri­va­cy. How do we bal­ance free access to infor­ma­tion and ser­vices on mobile devices with my desire to main­tain pri­vate infor­ma­tion as private. 

Intertitle: What are your great­est hopes and fears for the future of the Internet?

Schulzrinne: Let me talk about secu­ri­ty as one. First of all I think it’s impor­tant that I don’t want to just fall into the trap to say the Internet is inse­cure, because that’s not real­ly a help­ful state­ment. It does­n’t dif­fer­en­ti­ate enough between the var­i­ous com­po­nents. Because I would look at that in pieces, name­ly one piece is the under­ly­ing tech­nol­o­gy; the sec­ond piece is the implementation—software pri­mar­i­ly and hard­ware to some lim­it­ed extent; and third­ly the oper­a­tional prac­tices. And there are prob­lems in all areas but they’re very dif­fer­ent problems. 

I think there gen­er­al­ly has been for at least a decade a fair­ly pro­found aware­ness on the design and engi­neer­ing side that A, you need to design pro­to­cols for a hos­tile envi­ron­ment, and we have rea­son­able ideas on how to do that. I would say that at least most pro­to­cols that have been designed some­what recent­ly or have been enhanced recent­ly all have good to accept­able secu­ri­ty mech­a­nisms built in. So it is not so much a prob­lem that Internet pro­to­cols are inse­cure, though there are some that cer­tain­ly could use strength­en­ing, par­tic­u­lar­ly in the rout­ing side and again on the access side more in the LAN protocols. 

But the oth­er areas are far less encour­ag­ing, name­ly in the imple­men­ta­tion side we seem to have dif­fi­cul­ty on two counts, name­ly A, rou­tine­ly we’re design­ing reli­able sys­tems (soft­ware engi­neer­ing) often because it is not imme­di­ate­ly obvi­ous when some­thing is inse­cure (It works just fine.) until some­body attacks it. 

And sec­ond­ly on how to test it and how to dein­cen­tivize peo­ple from build­ing inse­cure sys­tems. Currently, there seems to be a prob­lem that many soft­ware devel­op­ers, par­tic­u­lar­ly small­er ones but cer­tain­ly not lim­it­ed to those, seem to have difficulty…I don’t know if it’s an engi­neer­ing prob­lem or a man­age­ment prob­lem, to put enough resources into cre­at­ing secure sys­tems. Designing by good engi­neer­ing prac­tices, test­ing, and in par­tic­u­lar rely­ing not just on inter­nal test­ing but also on exter­nal test­ing. We are used to in oth­er areas where safe­ty and secu­ri­ty are at stake— Think of vehi­cles or elec­tric toast­ers. We have cer­ti­fy­ing bod­ies because we don’t want to rely on the man­u­fac­tur­er them­selves, as dili­gent as may be, to com­plete­ly trust them that they will know whether they did a good job. So we have enti­ties like the Underwriters Laboratory for elec­tri­cal equip­ment, the TUV in Germany and oth­er coun­tries for safe­ty, on just about any­thing, whether it’s ele­va­tors or cars or umbrel­las, that have any type of even remote secu­ri­ty or safe­ty impli­ca­tion. We don’t do that for a soft­ware and it is fair­ly obvi­ous that that isn’t real­ly working. 

Just to give you one exam­ple that I’ve encoun­tered in my work, in my cur­rent line of work. In the United States we have a sys­tem called the Emergency Alert System, EAS, which is used to alert TV view­ers on immi­nent threats to life or prop­er­ty. So think storms, or flash floods, tsunamis, all of those. So every TV sta­tion and cable sys­tem is oblig­at­ed to have a device that allows a pub­lic safe­ty author­i­ty to sub­mit a request to send out a broad­cast say­ing to take cov­er, to take appro­pri­ate actions. So it’s obvi­ous­ly very impor­tant that this is a reli­able system. 

Until maybe five years ago, these sys­tems weren’t not con­nect­ed to the Internet at all. There were some mas­ter sta­tions that would broad­cast it and then they would retrans­mit it down the line. More recent­ly for con­ve­nience and oper­a­tional pur­pos­es, they have designed sys­tems that use Internet-connected devices. 


Recently in the past five years, these TV sta­tions have for con­ve­nience and oper­a­tional effi­cien­cy’s sake installed box­es that con­nect on one side to the Internet, and on the oth­er side inter­cept the TV sig­nal so that they can inject a crawler on the bot­tom of the screen, and audio into the TV sig­nal, because emer­gen­cies could hap­pen any time, even when there is no engi­neer on staff, for example. 

Well unfor­tu­nate­ly, these are fair­ly spe­cial­ty devices and who­ev­er designed those did­n’t do a whole lot of test­ing. They vio­lat­ed just about every guide­line known for design­ing secure sys­tems, so what hap­pened was some­body dis­cov­ered you could search for those—you could Google them on the Internet. You just searched for the log­ging string. And then they used a default pass­word which you could also eas­i­ly Google just by look­ing at the man­u­al. And they inject­ed in about a dozen TV sta­tions, pri­mar­i­ly small­er TV sta­tions, a fake emer­gency alert about zom­bies ema­nat­ing from the ground and that the pop­u­la­tion should take cover.

Obviously kin­da fun­ny the first time around? but could eas­i­ly be mis­used. So in our case this hap­pened just before the State of the Union address of the pres­i­dent of the United States Senate, so there was grave con­cern that some­body would use that to sow pan­ic like report a false ter­ror­ist attack that would occur. 

And so that was an exam­ple where some­body had designed a sys­tem not think­ing that these would be con­nect­ed to the Internet, that peo­ple would not change the default pass­word, and that there would be no oth­er secu­ri­ty pro­tec­tions in place. And there’s many of these small­er sys­tems. These could be home routers, it could be elec­tric meters, it could be car sys­tems, where there does­n’t seem to be a true appre­ci­a­tion as to the dan­ger­ous that could occur if some­body gets access to those. And we don’t seem to have a good way of deal­ing with that. 

The third aspect, I’ll briefly talk about the oper­a­tional aspect as the third con­sid­er­a­tion, is it used to be that many com­put­ing system—or most of them, probably—were oper­at­ed by trained sys­tem admin­is­tra­tors that at least had some pro­fes­sion­al aware­ness. Their skill lev­el prob­a­bly var­ied, but at least many that worked in that field had edu­ca­tion in com­put­er sci­ence or maybe even some secu­ri­ty train­ing. But nowa­days, many if not most com­put­ers are oper­at­ed by indi­vid­u­als that have no tech­ni­cal train­ing what­so­ev­er, and they should­n’t have. And this is true for home net­works, it’s true for small busi­ness networks—I mean your den­tist, your bak­er type of thing. Everybody has a com­put­er, gen­er­al­ly con­nect­ed to the Internet. Like your doc­tor’s office prob­a­bly has one for elec­tron­ic med­ical records. And none of those are oper­at­ed by trained sys­tem admin­is­tra­tor. So it is very easy for these ama­teurs to make mis­takes in oper­at­ing those type of systems. 

Again, we’ve designed sys­tems not real­ly well antic­i­pat­ing the kind of users that would real­ly use them, think­ing that they would—or maybe not even thinking—that they would be used in the same way that they were in the 1980s and 1990s. 

That does­n’t mean we should train every­body to be a sys­tem admin­is­tra­tor. That just just does­n’t work. We need to design sys­tems that are secure out of the box. You just can’t make them inse­cure with­out a lot of effort. And we haven’t real­ly suc­ceed­ed and that’s been far too dif­fi­cult. The type of tech­nolo­gies that peo­ple use like pass­words and so on are becom­ing increas­ing­ly user unfriend­ly. And they’ve become increas­ing­ly unman­age­able. And that’s what I see as one of the chal­lenges now to make it easy to both build secure sys­tems, and to oper­ate secure systems. 


One par­tic­u­lar one is that the bar­ri­er to entry to cre­at­ing new busi­ness­es, new con­tent, has dropped dra­mat­i­cal­ly. In the last decade or so it is not pos­si­ble for a much wider vari­ety of indi­vid­u­als to not just con­sume con­tent— You could always do that—radio, TV, and all that have exist­ed for a cen­tu­ry. But you have now the pos­si­bil­i­ty that ordi­nary indi­vid­u­als with­out a large bud­get or maybe even large deep tech­ni­cal skill sets could cre­ate very inter­est­ing con­tent of all kinds. So just exam­ples, the Khan Academy for train­ing mate­ri­als. Individual small local groups that could dis­trib­ute videos. Web sites and web appli­ca­tions that could be build. Apps on smart­phones. All of those are now acces­si­ble to many more indi­vid­u­als than they were even a rel­a­tive­ly short while ago. And that I think has prob­a­bly been the great­est enabling capac­i­ty of the Internet, not so much just as a dis­trib­u­tor of high-cost, highly-produced con­tent. That’s always been avail­able. But as a means for dis­trib­ut­ing low-cost, low-effort—much more demo­c­ra­t­ic if you like—content, both for cul­tur­al as well as just plain busi­ness uses, as well as educational. 

Intertitle: Is there action that should be tak­en to ensure the best pos­si­ble future?

Schulzrinne: One of the things I’ve been involved in in the Federal Communications Commission is to ensure an open Internet. Namely, almost by phys­i­cal design not every­body— Well, every­body can, or most every­body can cre­ate con­tent and appli­ca­tions. It is very dif­fi­cult for most peo­ple to oper­ate their own net­work. You just can’t string you own fiber or run your own cell tow­ers. And so the num­ber of oper­a­tors in almost every coun­try in a par­tic­u­lar region tends to be very small; a hand­ful, even if you count wire­less oper­a­tors. Typically you have your copper-based provider, your fiber or coax-based provider, and them maybe a small number—three or four—wireless oper­a­tor, cell operators. 

Because of the cost, bil­lions of dol­lars to build a net­work, we can’t real­ly rely pure­ly on com­pe­ti­tion to ensure that users have access to legal con­tent that they want to get access to, cre­ate con­tent that they want to cre­ate, because in some cas­es both for con­tent that they want to access and for con­tent that they want to cre­ate, may well com­pete with oth­er busi­ness ven­tures that a net­work provider has. Most of net­work providers, at least in the US for exam­ple, also dis­trib­ute their own video con­tent. They may have appli­ca­tions of their own. They cer­tain­ly have had voice appli­ca­tions, for exam­ple. That’s very com­mon for almost every net­work oper­a­tor. And so if they have incen­tives to give them­selves an advan­tage in order to com­pete with oth­er providers of con­tent and applications.

So I believe it con­tin­ues to be impor­tant to have rules and mech­a­nisms in place so that providers can­not dis­crim­i­nate against providers of appli­ca­tions and con­tent, because in many cas­es that is essen­tial­ly our pri­ma­ry means of access­ing infor­ma­tion of all kinds. That remains a long-term chal­lenge, how to do that in ways that does­n’t undu­ly inter­fere with expan­sion of a net­work, does­n’t undu­ly increase cost. So in the US we have found, as one cur­rent mech­a­nism, the FCC Open Internet Order, which spells out some of the con­di­tions kind of at a high lev­el how that should work out. But oth­er regions and coun­tries such as Europe are still try­ing to find their way to find that balance. 

Intertitle: Is there any­thing else you would like to add?

Schulzrinne: One of the oth­er chal­lenges that I see is as the net­work has become in both good ways and bad ways a com­mod­i­ty, name­ly we all rely on it, it’s some­thing that we notice main­ly when it’s not around as in, I can’t get Internet access. What’s going on here?” We expect it in every hotel and every air­port, cer­tain­ly in most homes, schools, wher­ev­er. One of the things that is I think in some dan­ger is a robust research infra­struc­ture. If you look at many of the major providers of hard­ware and soft­ware and ser­vices, used to all have significant-sized research labs. 

Just to give you one exam­ple that I heard recent­ly, Nokia—obviously pri­mar­i­ly they would do both do net­work infra­struc­ture and handsets—used to have 600 researchers in their lab. They’re now down to six­ty. Verizon in its pre­vi­ous incar­na­tions used to have large research labs in mul­ti­ple dif­fer­ent facil­i­ties that did not just short-term but long-term research through their Bell Atlantic and oth­er research labs facil­i­ties. Telcordia, the same thing. They all used to have long-term research. They’ve large­ly dis­con­tin­ued that. There’s only real­ly a rel­a­tive­ly small num­ber of com­pa­nies that still do networking-related research that has more than just a six-month time horizon. 

Universities con­tin­ue to devel­op as a vibrant research com­mu­ni­ty. But it can’t be uni­ver­si­ties by them­selves. Particularly because for a vari­ety rea­sons fund­ing is no longer near­ly as avail­able as it used to be, both fund­ing through gov­ern­ments as well as because of the down­siz­ing of cor­po­rate research activ­i­ties, fund­ing avail­able through cor­po­rate spon­sor­ship. If we don’t have a vibrant research com­mu­ni­ty, the prob­lems that I allud­ed to earlier—security, acces­si­bil­i­ty, the usage for con­tent cre­ation, will all suf­fer. We won’t notice it because we won’t notice direct­ly; we won’t notice what we’re miss­ing since we don’t see it. But if we don’t that, I think it will be much hard­er to solve those prob­lems, because in many ways, those type of research efforts have often cre­at­ed arti­facts that were wide­ly dis­trib­uted, had low cost to acquire, which means lots of peo­ple could use those and adopt them. They tend­ed to be non-proprietary. There tend­ed to be an empha­sis on on mak­ing sure that it was avail­able. And if you don’t have that any­more, if you just have very small-scale, ven­ture capital-style research going on, we’re miss­ing out on something.


I think it’s par­tial­ly the com­pet­i­tive pres­sures. Namely research, almost by its def­i­n­i­tion, does­n’t just accrue ben­e­fits to who­ev­er does it. It’s real­ly hard to keep research secret so that nobody else ben­e­fits. You can do that in some areas such as phar­ma­ceu­ti­cals, where the out­put is a sin­gle drug that is eas­i­ly patent­ed and you have a twenty-year pro­tec­tion hori­zon on that and it’s very dif­fi­cult for some­body else to repli­cate exact­ly that pre­scrip­tion drug. 

But if you look at net­work­ing or com­put­er sci­ence research in gen­er­al, most of the ideas you gen­er­ate are…they’re hard to con­tain. They just dis­trib­ute them­selves, so to say, through stu­dents, through pub­li­ca­tions, and all the nor­mal mechanisms—which is a good thing. We want that to hap­pen. But it had from a pure­ly local eco­nom­ic opti­miza­tion mech­a­nism, it’s easy to say, Hey, some­body else should do the research. I just get the ben­e­fit.” But if every­body does that, you don’t get any research done anymore. 

And in the old days, we always had, and this was like more an acci­dent than any­thing else or any plan­ning, we either had a strong gov­ern­ment fund­ing which isn’t con­cerned about those issues and they don’t real­ly care, except maybe on a nation­al lev­el as to who ben­e­fits from research. Which in itself is a prob­lem when you have now some peo­ple say, Well, let the oth­er coun­tries—” this is in the US, Let the oth­er coun­tries do the research and we’ll just basi­cal­ly build the stuff.” Or we just do shorter-term devel­op­ment work. 

The oth­er prob­lem, or the oth­er issue, is that in those envi­ron­ments you don’t real­ly have a set of peo­ple who can con­tin­ue to do that research, because some of the areas have become kind the go-to areas. Big data, say graph­ics in some cas­es. So we don’t have quite the same stu­dent pop­u­la­tion that we had avail­able. It’s par­tial­ly also because there aren’t as many research jobs out there that peo­ple in the indus­try would go to. I mean, peo­ple don’t have— When they start mas­ter’s or PhD pro­gram, they want to have some assur­ance that they will find a job after­wards, and indus­tri­al research was often a very attrac­tive des­ti­na­tion because peo­ple rec­og­nized that only a very small frac­tion could become fac­ul­ty so what else are you gonna do? And indus­tri­al research offered an oppor­tu­ni­ty for a cre­ative out­let and so on. So that is this kind of feed­back loop that’s not work­ing very well right now, and it’s not clear how we can get out of this, giv­en that gov­ern­ment fund­ing in gen­er­al for research both in Europe and the US isn’t increas­ing, to put it very polite­ly. And we have a sep­a­rate decrease which then dimin­ish­es the sup­ply of tal­ent­ed stu­dents who want to par­tic­i­pate in that research.

Further Reference

Henning Schulzrinne pro­file, Internet Hall of Fame 2013


Help Support Open Transcripts

If you found this useful or interesting, please consider supporting the project monthly at Patreon or once via Cash App, or even just sharing the link. Thanks.