Bandwidth caps: they're coming, and the ISPs really want them. Why? They can charge you a flat rate for, say, 5GB a month, such as is already done by Sprint and AT&T for their wireless broadband offerings. With 5GB a month you can do a lot of email, some web browsing, perhaps a Hulu video or two. But what happens when you go over that 5GB in a month? You get charged by the megabyte, say 5 cents/MB. So customers using bandwidth caps need to be parsimonious with their Internet usage. Gone are the days of being able to download anything that caught their fancy. No more movies from iTunes, not so many songs from Napster, and no more huge OS updates. Wait, what? That's right. These customers will definitely think twice before downloading any costly OS or security updates. And we will all pay as a result.
Some examples are Apple's recent Mac OS X 10.5.7 combo update (729MB), a massive Microsoft update that patches 31 vulnerabilities (some critical), and even the 36MB Ubuntu update that I am downloading as I type. If the user thinks his/her computer is working fine, why would that user waste valuable bandwidth downloading what seems like a totally unnecessary update? Who cares if the recent Microsoft update includes a patch to protect against Conficker (that has its million-plus botnet aimed at...well, we're still waiting)? Instead, the user saves his/her bandwidth for a couple of episodes of The Office. Meanwhile, the user's unprotected PC becomes another zombie. And now it becomes everyone else's problem.
Internet access cannot be treated as just another utility. If the electric company decides it needs to upgrade its infrastructure to protect against SCADA attacks, it charges its customers a couple more pennies per kilowatt hour. It doesn't demand the customer buy some copper wire and pipe and get to work. Just as most users won't spend their time and money upgrading a utility, most users aren't going to spend an extra couple hundred MB improving their own PC's security.
If the trend is to treat the Internet as just another utility, update downloads should be exempt. Otherwise, don't cap bandwidth. Also, OS vendors like Microsoft, Apple, even Ubuntu need to stop taking unlimited broadband for granted! Why are all updates available only as a download? Some of it is understandably because of zero-day exploits, but these security patches are relatively small. Otherwise, give customers the option of getting their updates via a non-download method, such as CD or a recycled USB key (you send it in, they send it back with the update.) Be creative.
PC security is no longer about a virus that trashes your hard drive. It's about botnets made up of millions of unpatched computers that attack banks, infrastructures, governments. Bandwidth caps will contribute to this unless the thinking of Internet providers and OS vendors changes. Because we are all inter-connected now.

Before you get worried about the effects of bandwidth caps on the download habits of customers of American ISPs, please have a look at security patterns in countries which have never enjoyed unlimited bandwidth.
Australia (my country), for example, is similar socially to the USA, but has never had unlimited bandwidth offered by ISPs - mostly due to the cost of rolling out the required infrastructure across a large country for a relatively small customer base. Our ISPs offer a range of plans (at a range of costs) from 400MB/month up to "unlimited" plans, which in practice are actually capped at about 20GB. The lower end plans usually charge around 15c per MB above the cap. The higher end plans are pretty expensive, particularly compared to US rates, but often don't charge for excess downloads. Instead the ISP throttles the customer's speed down to 56kbps or less until the start of the next billing cycle.
I don't have any objective evidence for this, but I don't think the high cost of bandwidth in Australia means that Australian users are any less secure than American users.
Also, given the logistical difficulties, do you really think that sneaker-net is a solution to regular patch rollouts? Who is really going to send a USB key every month to the half-dozen software vendors they rely upon in order to keep their systems up-to-date? Not to mention the manual update process required once the key is returned. I would think that setting aside a proportion of your bandwidth cap (a bandwidth budget, if you like) for essential traffic like security patches would be easier for most users to handle.
The positive side of bandwidth caps is that users then end up paying for the bandwidth they use. The grandma who just wants to receive email from her grandchildren could pay for a plan with a 2GB cap (my mother works happily within 400MB and accepts the need to occasionally pay for extra bandwidth for a large security update). The movie junkie could pay more for a plan with a much larger cap (say 50 - 100GB). The customers who actually use the bandwidth are then paying for the development/maintenance of the infrastructure required to support that volume of traffic.
Posted by: Andrew Cooper | 14 June 2009 at 21:22
Speaking from my own experience, I recently switched to a 5GB/month plan. It was a new experience to have to keep track of what and how much I was downloading. It was toward the end of the billing cycle when I got a Mac Software Update notice telling me I had over 400MB of updates ready for download. So I had to make a choice: update my OS or wait until next month and do it then. I also had the choice not to update at all. For customers on the 400MB/month plan, will they always choose to update their OS above all else?
I posit that PCs of customers with bandwidth caps may be more likely to be compromised, because they are less likely to be updating their PC due to cost. I also suggest that the current update process has an unlimited bandwidth mindset. I agree a physical delivery method isn't the best either, but I do think we need at least a second (less costly) option for consumers to choose from. Thanks for a perspective from outside America!
Posted by: Don Franke | 16 June 2009 at 07:55
A download cap and penalty fees for going over the cap are not new. I have read them in ISP contracts for a long, long time. What is new is that some of the vendors have finally decided to invoke the billing for overages or cut backs in service speeds after the overages start. This had to start sometime. You can’t put the verbiage into the contract and not charge for it in an ever-tightening economy.
The risks are real based on user actions. 1. Some users will skip the updates completely. 2. Some users will delay the updates. 3. Fewer will pay extra to get the updates now.
Yes this increases the risk for all of us.
But this is not a new experience. Keep yourself safe by doing the updates. Keep yourself safe by having reasonable protection from a botnet denial of service attack. Keep up on your endpoint security. Use software and systems that are designed to weather the storm.
And keep working, because the run and hide mentality is an even higher risk.
Posted by: Dean_E_Brown | 16 June 2009 at 08:38
Don: Your problem is caused by charging extra when you go over the limit, instead of being shaped. The other thing that's very common in Australia is local traffic is free, so Linux mirrors, Apple updates (they use Akamai) don't count towards the limit.
Microsoft did offer to send WinXP SP2 on CD for free to anyone.
Posted by: TRS-80 | 21 June 2009 at 06:09
That would be great if update downloads were free--this should be required of all ISPs. It would take some logistical work by the OS vendors and internet providers, but would definitely address the problem.
And true, many major updates are also available via CD--I just updated my Ubuntu from 8 to 9 by getting a CD off eBay. It's the customer not getting all the smaller updates and security patches that can be the problem. Thanks for the input!
Posted by: Don Franke | 21 June 2009 at 08:58