Google researchers have devised a replacement for the HTTP protocol that carries the World Wide Web. By default, it’s encrypted end to end, it’s very fast, you’re probably already using it, and Google is offering it as the basis for the next version of HTTP. It’s called SPDY (yes, “speedy”) and as with the Road Runner, Wile E. Coyote is trying to catch and kill it.
It should be obvious why we need SPDY. Ever since Edward Snowden demonstrated that Internet paranoia is justified, a stream of discoveries has made always-on, end-to-end encryption even more desirable. The recent move by the Electronic Frontier Foundation, Mozilla, and others, who announced they will back a new nonprofit to promote and enable secure communications on the Internet, was welcome – by most of us.
Meanwhile, a shady consortium of telecom industry companies is fighting with all the political tools at their exceptionally well-funded disposal to prevent us from being secure. The so-called Open Web Alliance was formed back in April, led by Verizon and Cisco at industry consortium ATIS. They describe their mission as "to meet the service needs of all stakeholders in the Web ecosystem while supporting the goals of encryption and privacy," but at the heart of their crusade is angst concerning Google’s new SPDY protocol, suggesting those goals are at best selective.
SPDY was created by researchers at Google to make Internet transactions faster and more secure. It works well, so all major browsers and Web server platforms have implemented it, and many large websites (including Google, Twitter, Facebook, and others) have adopted it. You can check for use of SPDY by installing a small indicator extension in Chrome or Firefox.
It reduces bandwidth consumption by several mechanisms, including compressing traffic, eliminating redundant header retransmissions, and tokenizing protocol elements. It accelerates page loading by building a pipeline to the server, so minimum processing is needed between browser and server. It can even prompt the browser when data is ready to be requested. Using all these ideas, SPDY achieves up to 64 percent improvement in page load times, according to Google. It has been selected as the base for the next HTTP standard at IETF and work is in progress to use it. Who could possibly want to kill it?
The answer lies in what it prevents rather than the improvements it enables. SPDY is effectively an optimized, compressed, and encrypted pipeline for HTTP and HTTPS traffic. That includes both the content being transported and the metadata, which is usually sent in the clear even when the content is protected by HTTPS. As well as making everything much faster, it keeps out prying eyes.
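To make "eliminating redundant header retransmissions" concrete: SPDY compresses header blocks with one zlib stream kept open for the whole session, so headers repeated on later requests shrink to short back-references. The sketch below is an added illustration, not code from Google or the SPDY project; the header values and function names are constructed, and SPDY's preset dictionary and binary framing are left out.

```python
import zlib

# Constructed sample: the headers a browser repeats on every request.
def make_headers(path):
    return (
        f":method: GET\r\n:path: {path}\r\n:host: www.example.com\r\n"
        "user-agent: ExampleBrowser/1.0 (constructed sample)\r\n"
        "accept: text/html,application/xhtml+xml\r\n"
        "accept-encoding: gzip, deflate\r\n"
        "cookie: session=constructed-sample-value-0123456789\r\n"
    ).encode()

PATHS = ["/", "/style.css", "/app.js", "/logo.png"]  # constructed

def session_sizes(paths=PATHS):
    """Return one (raw, stateless, stateful) byte-count tuple per request."""
    comp = zlib.compressobj()      # sender's session-long compression context
    decomp = zlib.decompressobj()  # receiver's matching context
    rows = []
    for path in paths:
        block = make_headers(path)
        # Baseline: a fresh compressor per request remembers nothing.
        stateless = len(zlib.compress(block))
        # Session stream: Z_SYNC_FLUSH emits a complete, decodable frame
        # but keeps the history window, so the next block can point back
        # at headers that were already sent.
        frame = comp.compress(block) + comp.flush(zlib.Z_SYNC_FLUSH)
        # The receiver must decode frames in order with the same context.
        assert decomp.decompress(frame) == block
        rows.append((len(block), stateless, len(frame)))
    return rows

if __name__ == "__main__":
    print(f"{'path':<12}{'raw':>6}{'stateless':>11}{'stateful':>10}")
    for path, (raw, stateless, stateful) in zip(PATHS, session_sizes()):
        print(f"{path:<12}{raw:>6}{stateless:>11}{stateful:>10}")
```

Every request after the first costs a fraction of its stateless size, because only the changed path has to be sent as new bytes.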
Telecom operators wanting to mess with traffic – for censorship, for traffic prioritization, for tracking and inserting probes – are incensed. Encrypted end-to-end pipelines are very hard to tamper with, and they seriously interfere with successful deep-packet inspection. OWA says SPDY will "impact [the] ability to manage traffic, improve subscriber experience and drive new revenue models" – euphemisms for selectively invading privacy for profit.
The NSA is probably irritated, too. Although the agency likely has the technology to decrypt anything in routine civilian use, the header elimination and compression of metadata inhibit easy access to the “communications data” it depends on to guide fishing expeditions in its data lake.
What will the OWA do about it? The launch strategy presentation shows it may:
- Develop competing specifications that protect their ability to snoop
- Interfere in the HTTP/2 standards process to adjust the standard
- Lobby regulatory bodies
- Recruit privacy advocacy groups to lobby on their behalf
Watch out when OWA shows up in your area. It will arrive talking "open" and "secure," but its goal is anything but.