Compulsory Routers is a term which describes the situation that a client of an Internet Service Provider (ISP) is forced to use the router that his provider wants him to use. This compulsion might be created by different restrictions:
- The ISP does not allow the client to use another router, e.g. by contract
- The ISP does not give the client the connection data like username and password for the PPPoE/VoIP connection (might be different in other countries but the problem remains the same)
- The ISP uses non-standard techniques to connect his clients to the internet/his infrastructure, e.g. special plugs or proprietary protocols
- The ISP requires any router to be registered at his own infrastructure, e.g. by MAC address or other identification. The client is then unable to use his own devices because they won't get an IP address or something like that
Situation in Germany
The FSFE encountered these problems in Germany. The main problem was the definition of the point where the ISP's infrastructure ends and the user's begins. If the end were defined as behind the router, the user might not have the right to use his own equipment because it belongs to the ISP and is protected by contract.
The legal situation in Germany was very unclear and some ISPs already established compulsory routers. After three years we were successful: a law has been established which forbids compulsory routers. For more information, please see our news entry and the detailed timeline.
On this subpage we also keep track of the implementation progress in Germany, asking users to provide us with reports whether a switch to an alternative device was successful for their internet contract, and whether they've had any issue with that.
Why is this bad?
Maybe you see the same or a similar situation in your country and ask yourself why this is bad:
- No client is able to use his own devices and the products he trusts
- No client is able to find out what software and functions work in his own house
- No client is able to be sure that his devices work for him and not for the ISP, security agencies, or other instances.
YOUR whole internet traffic, encryption, backups, communication, shopping, writings, business stuff, and so on are transferred through a locked-down, enforced, and non-transparent device. If you favour Free Software, a compulsory router is the devil in your own house.
This section is about possible arguments against Compulsory Routers. All arguments are derived from the situation in Germany as I don't know the facts in other countries very well.
Competition is one of the strongest arguments because it attacks at a point which is of great interest for IT companies, political actors and so on. It does not sound like a "geek's problem" but like a very important issue (and as we know, it IS important).
In most countries, you can count the important ISPs on one or two hands. Assuming your country has 7 ISPs (each with more than 5-10% market share), then you can assume that all these 7 providers give their users routers from not more than 10 IT companies in the best case. Most of these companies are based in Asian countries.
Other companies cannot sell their products because no one is able to use them. This is a great danger for local tech companies.
- In most cases, ISPs distribute the cheapest routers that suit their needs. They are bought by volume contracts, mostly without strong future compatibility, maintenance, support, security enhancements, rare features, or something else - they should work, not more, not less. But the points above are often the strengths of EU-based companies because they cannot win the dumping price game.
Security is another important issue where you can tackle compulsory routers - and maybe the easiest one.
- Take the arguments above and rethink them with focus on security problems:
There are not many companies that produce routers for ISPs in a country: There is the danger of monocultures. Even in school biology you learn that monocultures are dangerous. If the same product/gene is spread across e.g. 50% of households, it is easy for a clever virus to put this critically high number in danger.
If there is a security flaw in a product that is only used by 5% of the users, it is bad indeed, but not critical because the other 95% of users are not affected. Assuming that no single product is dominant and that the market shares of single products are not very high (so that there are many routers in a country's households), malware and security flaws are equally distributed.
Dangers that derive from security flaws in routers?
- Sniffing tools (Banking, account credentials)
- Botnets (Routers are full computers and therefore able to use your whole bandwidth to attack (e.g. DDoS) infrastructure)
- Victim Proxies (let criminals use your IP to surf through the internet. In most cases, you are responsible for their criminal acts)
- Hosting malware (Again, you are responsible if found by state authorities)
Do you want to have some examples of the disadvantages of monocultures? Here you go:
- Oracle Java RTE
- Adobe Acrobat Reader
- Microsoft Windows
- Routers are produced at the lowest cost without long-term support: If there are any security flaws, bugs, or new security enhancing technologies, they are fixed/supported slowly or not at all. Because routers should be as cheap as possible, ISPs do not focus on security interests. Long-term maintenance is expensive, adding new technologies to the firmware as well.
- If there is no competition, there is no critical need for the companies/ISPs to maintain their routers: Assuming all 7 ISPs have strong security problems, users can only choose the smallest evil.
Technical innovation and compatibility
Due to the lack of competition and of any need to produce good routers (because users cannot decide to buy them even if they want to), new technologies are only slowly adopted. If no other competitor supports new technologies, why should anyone focus on supporting them? Users can only decide by price, not by quality of hardware, even if they wanted to do so.
Technologies for security enhancements like tunneling protocols or filtering, useful innovations like IPv6, important functions like port forwarding or SIP integration - everything needs years to be adopted by the ISPs' routers because it costs money and no other competitor supports them for the same reasons.
This goes even further: If a user is forced to use a router, then the ISP is only one step away from supporting only one SIP provider, one cloud storage, one DynamicDNS provider, one media streaming platform... The user cannot use their phones, their trusted online storage or their hardware, because it's not supported.
This creates even more problems on more levels: economic ("throw-away-society"), environment ("why throw away a working device?" "why have to use many devices if I could buy a single one which includes all desired functions?")...
The last, but also very important section for argumentation we used, is freedom: Every human should have the permission to use, study, share and improve his software, because only then is he able to be sure what the software does and to improve it when it does not suit his needs. But in this case, he should not only be able to use the software/router he wants to use, but also to force the ISP to let him do this without losing functionality.
We as the FSFE should not focus on stressing that the user HAS to choose a router: Many people do not want to choose a device, they just want to make the "internet work". We should respect that. But we should make sure that the ISP/state does allow every user to have FULL access and sovereignty over the hard- and software that runs in his house. We should be able to install any software on any device, because every user should be able to use the devices he trusts.
ISPs and other parties that support compulsory routers (or whatever they call them) may be very creative in finding counterarguments to weaken your position. Here are only some of them as we didn't find any pro compulsory routers statements in the German media so far:
"Getting one device from the ISP is easier than letting every user choose his own device. This ensures that everything works fine"
--> Look at the "Freedom" argumentation: It's okay to suggest one router, but everyone should be able to use another. If an ISP uses open standards and does not lock down his infrastructure or use proprietary protocols or other bad (and senseless) stuff, there are no technical obstacles that cannot be solved. If the users have the connection credentials and all connection information, and the traffic is not divided/changed/filtered elsewhere, they should be able to use every service they want to.
"If all our clients use the same router, we are able to maintain all of them by ourselves and react to security threats"
--> Wrong. Read the "Security" section: Monocultures are not good and those routers do not focus on security enhancements or fast bug fixing. The ISP does not have the resources to maintain all routers and fix those things.
Additionally it is enormously critical to let the ISP access all routers without the clients' permission. This is done by insecure protocols (TR-069) and it does not ensure that all routers are maintained sufficiently. We have enough examples in Germany that show that ISPs need months and years to fix simple bugs (e.g. W-LAN bug in AVM Fritz!Box Cable devices from KabelBW and KabelDeutschland). The users are not able to update the firmware by themselves or replace the devices.
"If we have to support many routers from different companies, our support costs rise"
--> That's true and there's nothing to change it. But you have to differentiate: If users are free to choose a device, they can choose a device that supports the functions they need from the factory. They don't need to put other devices behind the modem/routing box that may interfere. They can change important settings by themselves, e.g. DNS servers, tunneling protocols, DynamicDNS providers, opened ports and so on.
Of course it's more difficult for the ISP's support to find out what does not work (ISP's infrastructure or user's router), but at least the user has the right to use any device he wants to use - and the others can stick to the ISP's suggestion. And if every ISP is forced by law to support other routers, there is a whole new competition field.
How to stress the topic in media and public
tl;dr: Collect experts, editors and other organisations; set up good communication structures; use blogs and news sites; wait for a good moment to publish the topic; allot enough time for collecting all information; write a press release.
We have to admit: This topic is not very easy to put on the public media agenda. Many people do not care about it or understand it, but with arguments like competition, security and innovation, you have many other recipients of your message: IT industry, economic politicians, people/organisations interested in security/net neutrality/transparency/privacy.
In Germany, FSFE has started to collect some arguments with external IT professionals: developers of alternative router firmwares or plugins, volunteers interested in networking and even legal experts. This gives you a larger network and more expertise. Consider creating a QuickMailingList for this.
In the next step, we wrote a short public statement on a blog and pushed the topic to some tech magazines and news sites. This creates the first echo and forces the editors to get used to this topic.
Then we answered the questions of our federal network agency (read above). Luckily we had some contact with an editor from heise.de/c't who had more ideas for our larger public statement and gave us some advice on how to publish it to produce the largest effect - and it worked out!
Of course, the situation in other countries may be totally different, but it should help you in every case to build up contacts with tech news sites, bloggers, IT specialists, politicians, companies. This gives you the network to spread the message on all levels and to gain experiences and arguments from different sectors and interests.
The most difficult part will be to collect all this information and put it into a consistent form. Ideally your respective network agency or other instances also call for papers or statements so you don't have to create this topic out of nothing. Contacts in political levels, companies, or other organisations may help you with finding the right time.
In every case you should write a Press Release if you decide to push it to the media. By this, other news sites, news agencies, or newspapers can make a reference to you (i.e. the FSFE), and it gives them the possibility to cite you without the need to contact you.