The telecom regulator intends to make flow tests, or speed tests, more reliable. For this purpose, it is planned to open the Internet boxes of access providers by installing a kind of probe. With it, the measurement of the flow rates and the technical characterization of the connection should be much more accurate.
The project to open the operators’ Internet boxes to better measure the quality of each access is progressing well. On 16 January, the government published an order in the Official Gazette validating the telecoms regulator’s decision of 10 October, which aims to enable Internet users to find out the characteristics of their line with even greater precision than at present.
Reminder of the facts. In 2018, the Autorité de régulation des communications électroniques, des postes et de la distribution de la presse (ARCEP) launched a project aimed at resolving concerns related to the measurement of the quality of service of fixed networks. A public consultation followed in April to gather input from the sector, which fed into the reflection process. Then, on October 25, ARCEP’s decision was adopted.
The four major ISPs are on the front line. // Source: FrAndroid
The main ISPs (Orange, SFR, Bouygues Telecom Free) responded, as did the alternative operators and the various lobbies representing them (FFDN, AOTA, FFT, DigitalEurope). The French Association of Telecommunications Users also contributed, as did CNES (for the satellite Internet part) and EDF (in the context of energy network management).
Based on this feedback, the telecom gendarme has therefore taken a decision that specifies the technical specifications for implementing the programming interface (API). It will be at the heart of the equipment to offer a reliable assessment of the quality of service. The latter will propose an “access identity card”, including the type of line, the quality of the Wi-Fi or the subscribed speed.
The decision also sets out the timetable for setting up this API, the boxes and ISPs concerned by this device, as well as the technical parameters that will be transmitted to the measurement tools (the famous “speed tests”, which generally measure your actual flow rate). Only those who abide by ARCEP’s code of conduct will be able to access the API and the information it delivers.
The internet access identity card project carried by ARCEP concerns both wireline and non-wireline links. // Source: Nicolas Nova
The implementation of this project must respond to a problem: that of a correct and precise measurement of wireline links: “On fixed networks, the measurement of quality of service is particularly complex: it is currently almost technically impossible for a measurement tool to know with certainty the access technology on which atest has been carried out”, regrets the regulator.
Properly characterizing a fixed line is a less obvious exercise than it appears. // Source: Slon Pics
In order to characterise the measurement environment, i.e. the context in which the speed test is carried out, ARCEP wishes to establish an “identity card” for each access, with the type of technology used (fibre optic, cable, copper), the quality of the Wi-Fi or the subscribed speed. In this way, the evaluation is made more reliable. This plan falls within the framework of the “data” regulation, dear to the regulator.
The interest is direct for the Internet user, because “this lack of characterisation of the measurement makes the data [from the speed tests] difficult to exploit, and in some cases even misleads the consumer“, since it is not possible “to isolate factors that could strongly modify the results“. Poorly lit, the Internet user is then likely to make bad decisions
The general functioning of the mechanism devised by ARCEP is as follows. Once the API has been installed in the user’s box, via an advanced remote update, the test can take place. When the measure is launched by the Internet user, the tool of his choice (provided that it respects the code of conduct established by the telecom gendarme) then sends a request to the API in its box.
The schematic operation of the PLC. // Source: ARCEP
The API then collects the technical specifications “that characterize the user’s environment during the Internet quality of service measurement test”, i.e. the type of link (fiber optic, ADSL, VDSL, cable, satellite, 4G, 5G, etc.) and various other indicators. This work is done locally, since most of this information is already in the box.
For further information, however, the API must contact the operator’s information system. This is particularly the case for the subscribed debit. Once all the elements are in the possession of the PLC, everything is then transmitted to the measuring tool – which can be a software to be installed on the terminal, a web tester, a hardware probe or an agent in the box.
It should be noted that these transmissions are encrypted. The API listens in HTTPS only: it does not respond on an HTTP connection without TLS encryption layer (whose minimum version must be 1.2). In addition, the TLS certificate must be constantly valid. Requests from the Internet are not listened to; only those from the local network are listened to.
For outdoor use, information is encrypted to prevent interception. // Source: Claire Braikeh for Numerama
Other security measures that are expected include the ability of the operator to temporarily restrict access to the API, should a security breach or major bug on the box be revealed. In this case, the Internet Service provider is obliged to inform the Arcep immediately of the situation and its progress in correcting any problems.
In addition, again with a view to limiting exposure to an attack, ARCEP has provided for an access restriction mechanism involving an authentication token whose validity lasts only 15 minutes and “resource sharing between multiple origins” (CORS). Each authorized measuring tool has a dedicated OAuth 2.0 token and can request a second token to perform pre-production checks.
The API will be mandatory for operators and boxes in the following cases:
- Operators with more than a million customers;
- Boxes that are marketed after 1 July 2008;
- More than 30,000 boxes have been built;
- Boxes for xDSL, cable, FTTH (fibre to the home) and 5G fixed access technologies. So these are the high and very high speed boxes.
For example, SFR Box 8 will be concerned. // Source: FrAndroid
ARCEP “encourages” nevertheless everyone to implement the said API, even if such or such material does not fall within the scope of the decision. The same applies to operators, which will primarily concern alternative ISPs, whose customer base is much smaller than the four market leaders. ARCEP recalls in this respect that API has open technical specifications.
The decision also specifies the cases in which the boxes are no longer covered by the API. This concerns models that have not been on the market for five years. This is “not to require the operator to maintain box updates only for API“, which would have a cost. ARCEP authorizes the deactivation of the API at the end of these five years, but simply asks to be informed at least three months beforehand.
Regarding the deployment of the API, the telecoms regulator proposes a timetable based on the date of publication of the decision in the Official Journal – which is not yet the case, as it still needs approval from the State Secretariat for Digital Affairs. Once this legal step has been taken, the pace of deployment is as follows:
The Delta Freebox will also be affected. // Source: Ulrich Rozier for Numerama
- 22 months after publication in the Official Journal, the API will have to be present in 5 % of the boxes concerned by the Decision.
- 4 months later, it will have to be present in 40% of the stalls.
- Another 4 months later, it should be in 95% of the park. In addition, 100% of the boxes for new customers will have to have it.
ARCEP specifies that the presence in these boxes also includes the activation of the said API. It also tolerates a margin of 5 % of boxes without APIs in order, it explains, “not to require operators to replace, if necessary, all the boxes that could no longer be updated remotely“. The implementation of the API will be done through an update of the box, a physical recall being unthinkable.
As of October 25, the telecom regulator notes that five test tools have declared themselves compliant with its code of conduct. The latter requires speed tests the protection of personal data, within the framework of the DPMR, but also to comply with criteria of transparency and robustness in the areas relating to the measurement itself (latency, throughput, navigation, streaming, etc.).
An example of a speed test, which evaluates the speed of a connection at a time T.
The five tools are as follows:
ARCEP indicates that API “does not respond to requests from Internalt”. It is “accessible [only] from user‘s local network”. Its design also includes a “” access restriction system so that only authorized tools can access API. Other speed tests will be able to access the line’s ID card, but only if they comply with the code of conduct.
At the request of ARCEP, the National Commission for Information Technology and Civil Liberties (CNIL) “was able to ensure that the principle of the system met the requirements for the protection of personal data“. Firstly through a legal framework, since the code of conduct imposes strict compliance with the GDMP. Then by taking technical measures to avoid data transmission.
In particular, the DPMR must be complied with. // Source: Claire Braikeh for Numerama
According to ARCEP, no user identification data (identifier, name, location, etc.) will be transmitted by the API to the measurement tools. Nor will they be transmitted to ARCEP. In principle, the API measurements will not be triggered from the Internet either: the user will have the upper hand, by activating the test of his or her choice himself or herself.
If no personal data is involved in this process, other information, of a technical nature, will of course circulate until the speed test. The list is detailed in the decision, but includes, for example, information on the LAN and WAN connection (upload and download speeds, minimum and maximums, type of technology, standards, radio bands, etc.).
(updated on 17 January with the publication in the Official Journal of a decision approving the ARCEP mechanism)
Article originally published on 29 October 2019