Technology, Thoughts, and Trinkets » Christopher

(Un)Lawful Access Forum in Ottawa

Christopher — Mon, 06 Feb 2012 14:00:02 +0000

I’ll be speaking at a forum about Canada’s forthcoming lawful access legislation on February 8 at St. Paul University. From 6pm-7pm there will be the formal book launch of the Canadian Centre for Policy Alternatives’ recent title, The Internet Tree: The State of Telecom Policy in Canada 3.0. Those attending the forum may be particularly interested in the two chapters on surveillance (one of which I authored). The lawful access event runs from 7-10PM. From 7:00-7:30 the organizers will be showing the mini-documentaries “(Un)Lawful Access” and “Moving Towards a Surveillance Society.” Following this, there will be two panels to discuss the expected legislation. The first (which I’m on) runs from 7:30-8:30 and discusses the technical elements of the forthcoming legislation. The panel is composed of myself, Kirsten R. Embree, Stephen McCammon, and John Lawford. The second panel runs from 8:45 to 9:30, and focuses on the political dimensions of the legislation. Panelists include Charlie Angus and Elizabeth May, with Michael Geist moderating. The final 30 minutes are devoted to summarizing the forum, outlining actions that are taking place, and suggesting continuing activities.

For more information about the event, see Unlawfulaccess.ca, and register for the event on Facebook. You can also download/print/share copies of the poster for the event. This will be a really great event, and the mixture of formally separated technical and political panels should do a great job in outlining the range of issues that lawful access legislation touches upon.

Other posts you might be interested in:

Amici Curiae on IMSI Catchers

Christopher — Sat, 04 Feb 2012 21:55:23 +0000

Image by iDownloadBlog

Security, surveillance, and privacy researchers alike have been watching how authorities exploit cellular communications devices – often in secret, or absent sufficient oversight – for years. Research to-date has been performed by security researchers and hackers, social scientists, advocates, activists, and the curious, with contributions spanning hundreds of discreet investigations into technical capabilities and their social implications. Of late, a considerable amount of attention has been devoted to IMSI Catchers, which are devices that establish false mobile phone towers for the purpose of monitoring and tracking mobile phones without their users’ awareness.

Given the use of IMSI catchers by American authorities, a group of researchers and academics submitted an Amici Curiae (in their individual capacities) January 17, 2012 concerning the catchers. Specifically, the brief is in support of a defendant’s motion for disclosure of all relevant and helpful evidence withheld by the government based on a claim of privilege. The government, in this particular case, has admitted that the surveillance technologies used simulated a cell site but have refused to provide specific details of how this surveillance was conducted. We argue that a substantial amount of information surrounding IMSI catchers is already public and that, as a result, the secrets that the government is attempting to protect are already in the public domain. Moreover, the public interest is best served by “greater public discussion regarding these tracking technologies and the security flaws in the mobile phone networks that they exploit, not less.”

I want to thank the primary draftees of the brief for their (as always) excellent work and for the opportunity to sign on to it. Bringing transparency to government surveillance systems – especially when the government tries to limit public attention after information about these systems is publicly available – is critical if we are to foster serious and critical discussions about authorities’ capacity, and potential, to monitor and track citizens. Democratic systems work best when all branches of government – including law enforcement – cannot inappropriately hide their actions from the public. With an awareness of their government’s actions, the public can drive how their government functions as opposed to things happening the other way around.

I would note that IMSI catchers are of particular importance to Canadians. If forthcoming lawful access legislation is passed, in a format similar or identical to its last drafting, then Canadian police, intelligence, and security officers would be permitted to collect IMSI numbers, using catchers, and subsequently compel subscriber information from Canadian mobile phone providers. All of this would happen without a warrant. It cannot be stated enough that legalizing this level of unsupervised surveillance would have significant chilling speech and association implications. Moreover, it would significantly expand what constitutes ‘legitimate’ government surveillance while simultaneously undermining key privacy rights and expectations. Thus, while this particular Amici Curiae was sent to an American court, citizens in the Canada and UK would all be well served if our respective governments were transparent about their (stated and intended) usage of surveillance equipment, such as IMSI catchers, to surreptitiously monitor citizens.

To download the Amici Curiae, click here.

Other posts you might be interested in:

Publication: (Un)Lawful Access, Its Potentials, and its Lack of Necessity

Christopher — Sun, 15 Jan 2012 01:43:58 +0000

Cover of the 2011 Winston Report (Winter)

Last year I was approached by the founder and editor in chief of The Winston Report to update and publish one of my postings on Canada’s forthcoming lawful access legislation. The Report is the quarterly journal of the Canadian Association of Professional Access and Privacy Administrators (CAPAPA). The updated piece that I contributed is more compact than what I originally wrote on this site, though I think that this makes it a stronger, more direct piece. I want to publicly thank Sharon Polsky for the opportunity that she provided to me, and for being so kind as to position my piece as the lead featured article in the Winter edition of the journal. I also want to thank my tireless editor, Joyce Parsons, for her incredible work strengthening my prose. A preprint version of my contribution, which retained a creative-commons license as part of my agreement with the editor in chief, is made available to you below under the normal Creative Commons Attribution, Noncommercial 2.5 Canada license.

Download pre-print .pdf version of (Un)Lawful Access: Its Potentials, and its Lack of Necessity.

Other posts you might be interested in:

(Un)Lawful Access: Vancouver Premiere & Panel Discussion

Christopher — Wed, 11 Jan 2012 00:09:37 +0000

Image courtesy of UnlawfulAccess.Net

I’ll be presenting at a panel discussion on Canada’s forthcoming lawful access legislation this Thursday, January 12. It looks to be a terrific panel, and includes British Columbia’s Information and Privacy Commissioner, Elizabeth Denham, the BBCLA’s policy director, Michael Vonn, the producer of the documentary (Un)Lawful Access, Dr. Kate Milberry, and myself. Andrew Clement, professor at the University of Toronto and co-producer of (Un)Lawful Access will be moderating. In addition to a panel discussion, Drs. Milberry and Clement will be showing their documentary, (Un)Lawful Access, and the BCCLA will be revealing their report on lawful access. I’ve contributed research to the report, with my focus being on how lawful access powers are taken up and used by governments and authorities in the US and UK.

It should be a terrific event. If you’re in the area I highly recommend attending. Information is available at the event’s Facebook page and below:

Event Details

Do you think the Internet is a powerful tool for change?

The Conservative government is trying to push through a set of electronic surveillance laws that will invade your privacy and cost you money. The plan is to force every phone and Internet provider to allow “authorities” to collect the private information of any Canadian, at any time, without a warrant.

Find out more THIS THURSDAY at 6:30 PM.

SCREENING:

The Vancouver premiere of (Un)Lawful Access, a mini-documentary about the Conservative government’s proposed online spying legislation, and what Canadian experts have to say about it.

PANEL DISCUSSION:

Elizabeth Denham, BC Privacy Commissioner
Micheal Vonn, Policy Director of the BCCLA
Christopher Parsons, University of Victoria
Dr. Kate Milberry, producer of (Un)Lawful Access
Andrew Clement, producer of (Un)Lawful Access (moderator)

Panelists will discuss the serious implications of Lawful Access and what we can do about it.

REPORT LAUNCH:

This event is also the launch of the BC Civil Liberties Association’s much-anticipated report – Moving Toward a Surveillance Society: Proposals to Expand “Lawful Access” – the most comprehensive to date. Co-authors Micheal Vonn and Christopher Parsons will be present to answer your questions.

Location: W2 Media Cafe, 111 West Hastings St.
DOORS: 6:30 PM
CASH BAR/REFRESHMENTS
ADMISSION: By donation (suggested $5-10)*

Send a message to the government at: http://stopspying.ca/

Hosted by OpenMedia.ca and W2 (http://creativetechnology.org/)

*OpenMedia.ca Allies enter free! See http://openmedia.ca/allies for more info on the Allies program.

Other posts you might be interested in:

Transparent Practices Don’t Stop Prejudicial Surveillance

Christopher — Mon, 09 Jan 2012 21:44:18 +0000

In February I’m attending iConference 2012, and helping to organize a workshop titled “Networked Surveillance: Access Control, Transparency, Power, and Circumvention in the 21^st Century.” The workshop’s participants will consider whether networked surveillance challenges notions of privacy and neutrality, exploits openness of data protocols, or requires critical investigations into how these surveillance technologies are developed and regulated. Participants will be arriving from around the world, and speaking to one (or more) of the workshop’s four thematics: Access Control, Transparency, Power, and Circumvention. As part of the workshop, all participants must prepare a short position statement that identifies their interest in network surveillance while establishing grounds to launch a conversation. My contribution, titled “Transparent Practices Don’t Stop Prejudicial Surveillance,” follows.

Transparent Practices Don’t Stop Prejudicial Surveillance

Controversies around computer processing and data analysis technologies led to the development of Fair Information Practice Principles (FIPs), principles that compose the bedrocks of today’s privacy codes and laws. Drawing from lessons around privacy codes and those around Canadian ISPs’ surveillance practices, I argue that transparency constitutes a necessary but insufficient measure to mitigate prejudicial surveillance practices and technologies. We must go further and inject public values into development cycles while also intentionally hobbling surveillance technologies to rein in their most harmful potentialities.

Lesson Drawing from Privacy Principles and Codes

FIPs are used to make organizations accountable for how and why information is collected, for how information is processed, and for the accuracy of retained information. It is contestable that FIPs, however integrated into policy and law, are effective in preventing surveillance technologies and practices so much as they legitimize them. As noted by Rule, codes based on FIPs “help surveillance systems to achieve their intended ends more fairly and openly” but do not “help us decide when institutional appetites for personal information simply go too far.”[1] Privacy and data protection rules and laws may make data collection and processing activities more transparent while simultaneously failing to “significantly reduce or mitigate the amount of potentially damaging social sorting that occurs.”[2] Moreover, codes and principles are commonly bound within legal privacy protections that “tend to be more circumscribed than the subjective experience of violation associated with new forms of surveillance.”[3] The law simply doesn’t keep up with, or adequately address, the surveillance-related harms and injustices that people experience on a regular basis.

While codes based on FIPs might limit data collection and empower end-users when users know they are exchanging data with specific data collectors, such codes “work less well in systems in which devices blab information indiscriminately so that there’s no way to identify a class of information collectors who can be made subject to the rules.”[4] The Internet, and the devices that silently communicate with data collectors via the Internet, constitutes a space where FIPs minimally limit the spread of surveillance technologies and practices. Even if organizations are held accountable for the data they analyze and process, end-users’ abilities to ascertain who and what is collecting and processing information is limited. Formalized privacy rules, in other words, can influence the fairness of surveillance but are less likely to stop the surveillance practices themselves.

Canadian ‘Consequences’ of Rendering Surveillance Transparent

FIPs’ effectiveness in stopping the spread of novel surveillance processes and practices, and limiting their harms, is mirrored by efforts in Canada to mediate ISPs’ surveillance technologies and practices. Numerous Canadian ISPs use deep packet inspection (DPI) systems to inspect and analyze Canadians’ encrypted and unencrypted data transmissions. Such systems evaluate data transmission protocols (e.g. SMTP, HTTP/HTTPS) and, depending on how the systems are configured, can conduct content and flow analyses, as well as modify and interrupt packets flows in real-time.[5] In light of significant opposition to DPI the Canadian Radio-television Telecommunications Commission (CRTC) and Office of the Privacy Commissioner of Canada (OPC) investigated DPI-related practices. Both bodies established provisions to limited how ISPs could employ the technology. Despite both organizations requiring ISPs to publicly declare how they use DPI, ISPs have regularly acted beyond their publicly stated practices. These companies have not been transparent with consumers nor with regulators, nor have breeches of government provisions led to serious punishments.[6] In effect, consumer and governmental awareness of the technology has had limited effects on preventing of harmful uses.[7] Rather than stopping prejudicial actions that limit online speech and association, the CRTC and OPC legitimized some practices while seemingly having had limited effect on ISPs’ extensions of practices beyond regulator- and commissioner-established limits. Transparency helps to understand (some of) what is happening in Canada’s telecommunications networks but has not stopped bad practices, prevented fungible surveillance technologies from being widely deployed, nor led to consequences for secretive extensions of DPI-related practices.

Hobbling Fungible Surveillance Technologies and Stopping Unjust Practices

There isn’t a positive link between knowledge and power, especially when speaking of political or social power. Knowledge constitutes one of many elements that frame power relations.[8] That said, by empowering those with knowledge to influence technical developments at product development rather than implementation phases we might rein in particularly expansive network surveillance tools and jettison such systems’ prejudicial capabilities. Such empowerment might include having public policy advocates who are versed in human and civil rights involved during the earliest phases of technical design processes. They could inject public concerns and values into development processes and excise coding mechanisms that challenge basic democratic values. Moreover, we could require inefficiencies in technical surveillance devices to minimize their capabilities to threaten basic social values: rather than simply guarding against particular practices in policy, we could mandate that surveillance products include limitations that are technically challenging to overcome. The ultimate aim of such limitations is to restrain surveillance technologies’ fungibility and thus increase the friction of expanding their uses. Such intentional injections of friction, combined with public advocates being involved in development processes, could hobble the growth of surveillance practices. Putting emphases on limiting surveillance capabilities at development stages, and thus limiting such technologies’ capabilities, would be a positive step beyond current data protection regimes, which tend to influence the fairness of surveillance technologies and practices rather than stopping them altogether.

References

[1] J. B. Rule. (2007). Privacy in Peril. Toronto: Oxford University Press. Pp. 27.

[2] D. Lyon. (2007). Surveillance Studies: An Overview. Cambridge, UK: Polity Press. Pp. 173.

[3] K. D. Haggerty and R. V. Ericson. (2007). “The New Politics of Surveillance and Visibility,” in Kevin D. Haggerty and Richard V. Ericson (Eds). The New Politics of Surveillance and Visibility. Toronto: The University of Toronto Press. Pp. 9.

[4] J. Weinberg. (2008). “RFID and Privacy,” in A. Chander, L. Gelman, M. J. Radin (Eds.) Securing Privacy in the Internet Age. Stanford: Stanford Law Books. Pp. 263-264.

[5] C. Parsons. (2011). “Deep Packet Inspection” Big Brother Incorporated research site. Published November 30, 2011. Available: <https://www.privacyinternational.org/article/bbi-deep-packet-inspection>

[6] M. Geist. (2011). “Canada’s Net Neutrality Enforcement Failures,” Michael Geist. Published July 8, 2011. Available: <http://www.michaelgeist.ca/content/view/5918/159/>

[7] While there have been some successes – Rogers Communications Ltd. may face some fines for their behaviors – it should be noted that it has taken over a year to raise an issue to the CRTC, and the process for investigating and disciplining the company has yet to conclude. See: N. Kyonka. (2011). “Whitelisting, an ISP solution to throttling, may conflict with net neutrality rules,” The Wire Report. Published Sept 27, 2011. Available: <http://www.thewirereport.ca/reports/content/13004-whitelisting_an_isp_solution_to_throttling_may_conflict_with_net_neutrality_rules>

[8] L. Winner. (1986). The Whale and the Reactor. Chicago: University of Chicago Press. Pp. 109-110.

Other posts you might be interested in:

Respecting User Privacy in WordPress

Christopher — Fri, 23 Dec 2011 20:06:15 +0000

Image by Surian Soosay

Automattic has a poor record of respecting its users’ privacy, insofar as the company has gradually added additional surveillance mechanisms into their products without effectively notifying users. Several months ago when I updated the WordPress Stats plugin I discovered that Automattic had, without warning, integrated Quantcast tracking into their Stats plugin. Specifically, there was no notice in the update, no clear statement that data would be sent to Quantcast, nor any justification for the additional tracking other than in a web forum where their CEO stated it would let Automattic “provide some cool features around uniques and people counting.” This constituted a reprehensible decision, but one that can fortunately be mediated with a great third-party plugin.

In this post, I’m going to do a few things. First, I’m going to recount why Automattic is not respecting user privacy by including Quantcast in its Stats plugin. This will include a discussion about why reasonable users are unlikely to realize that third-party tracking is appended to the Stats plugin. I’ll conclude by discussing how you can protect your web visitors’ own privacy and security by installing a terrific plugin developed by Frank Goossens.

WordPress and Quantcast

In early 2011, after a major redesign of my website, I activated the Ghostery plugin in my web browser and navigated to my site. The tool “tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity.” Visually, the plugin causes a small notification box to appear in the upper right hand corner of websites that you browse to. Contained in this box are a list of the parties that are monitoring your movements across that particular website. When navigating to my own site I had expected to see WordPress Stats and perhaps some social sharing services listed. I did not expect to see Quantcast.

Quantcast’s cookies are used to monitor individuals who visit websites, and the company uses the information they collect to provide “audience composition reports.” Such reports are meant to help target online advertising and content development, but is predicated on the notion that the website owner is responsible for integrating the tracking system for the same owner’s benefit. Prior iterations of WordPress Stats did not include Quantcast tracking, and there was no notification or warning that updating the Stats plugin meant you were also forced to accept third-party tracking. Since the initial inclusion of Quantcast, the plugin’s description in the WordPress repository has been amended to include a small notice that reads “[a]s we are considering adding great new features, this plugin also puts a Quantcast tracking script on your page.”

While Automattic’s disclaimer may count as ‘notice’, it does not clarify what the additional tracking is actually meant for. Descriptions and notices around privacy policies and statements must be clear to be meaningful, and Automattic has had over a year to ascertain what “great new features” warrant transmitting website visitors’ information to Quantcast. To date, as far as I can tell, the company has not disclosed to its user base what precisely warrants sending information to Quantcast.

While there is a warning about Quantcast if you download the plugin from the repository, the support document for WordPress Stats that was updated December 21, 2011 – over a year after public complaints over Automattic’s failure to notify plugin users about the inclusion of Quantcast – still lacks any mention that a condition of using Stats is sending your site visitors’ information to a third-party. Perhaps most significantly, Automattic has recently introduced its Jetpack service. Jetpack is a bridge between self-hosted WordPress installs and Automattic’s cloud offerings, offerings that include WordPress Stats. To use WordPress Stats today you must use Jetpack. Unfortunately, Automattic has failed to notify Jetpack users of the third-party tracking accompanying the Stats plugin, as demonstrated in the lack of information about Quantcast in the following screenshot.

No mention of Quantcast tracking

It is utterly unreasonable to expect that users of the Stats plugin will hunt for a single sentence of text that discloses the inclusion of third-party surveillance with the Stats plugin. Moreover, if an enterprising user clicks on Automattic’s privacy policy linked at the bottom of the Jetpack screen they are unlikely to divine that Quantcast is associated with Automattic or the Stats plugin.

Automattic’s Privacy Policy #Fail

Let’s briefly look into Automattic’s privacy policy to determine whether a reasonable individual could ascertain Quantcast’s involvement with self-hosted versions of the Stats plugin. First, we see that Automattic

discloses potentially personally-identifying and personally-identifying information only to those of its employees, contractors and affiliated organizations that (i) need to know that information in order to process it on Automattic’s behalf or to provide services available at Automattic’s websites, and (ii) that have agreed not to disclose it to others.

Why, exactly, is Quantcast receiving any of my visitors’ personal information? We might assume that this happens so information can be processed “on Automattic’s behalf or to provide services available at Automattic’s websites.” Unfortunately, Automattic has not publicly clarified why they need this information processed. Instead, we are left with vague statements of providing “great new features.” From the privacy policy, we see that potentially personally-identifying and definitively personally-identifying information is also disclosed “in response to a subpoena, court order or other governmental request, or when Automattic believes in good faith that disclosure is reasonably necessary to protect the property or rights of Automattic, third parties or the public at large.” No subpoena, court order, or other government request is presumably requiring the link between WordPress Stats and Quantcast, nor do the tracking systems clearly “protect the property or rights of Automattic, third parties or the public at large.”

In the ‘Cookies’ section of the privacy policy, we find that “Automattic uses cookies to help Automattic identify and track visitors, their usage of Automattic website, and their website access preferences.” A reasonable person might believe that self-hosted installations of WordPress were not considered part of the Automattic website itself. Such a person might be quite wrong, however, based on Matt Mullenweg’s (Automattic’s CEO) comment about Automattic’s network, where he stated that “the bump you see in November is when we started tracking Polldaddy, ID, Gravatar, and WordPress.com Stats users in addition to WordPress.com visitors.” His comment suggests that Automattic considers self-hosted blogs as being part of the company’s network, though I doubt that this view is shared amongst self-hosted users. I should add that I have never received notice from Automattic informing me that this site is part of their network. No reasonable person is likely to come to this conclusion unless they’ve been watching the Automattic/Quantcast issue like a hawk.

Arguably the only section of the privacy policy that is suggestive of third-party tracking taking place is in the ‘Ads’ section. It reads:

Ads appearing on any of our websites may be delivered to users by advertising partners, who may set cookies. These cookies allow the ad server to recognize your computer each time they send you an online advertisement to compile information about you or others who use your computer. This information allows ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you.

From reading this, it initially seems to be addressing advertisements that appear on Automattic’s own web properties. It is utterly unclear that the ads that are shown online are going to be tied to Quantcast cookies linked to the Stats plugin.

Overall, the Automattic privacy policy is absolutely insufficient in notifying users of third-party surveillance. Those who install the stats program – website owners and developers – cannot be reasonably expected to know of Quantcast’s inclusion. This is important because if those same users have privacy policies on their websites – perhaps assuring visitors that only WordPress Stats is used to collect information and no other tracking party or system is used – then those users may be violating local laws by establishing a false contractual privacy agreement between themselves and their website visitors.

WP DoNotTrack to the Rescue

Frank Goossens has stepped up to fix the problems that Automattic is responsible for. Last December he released his donottrack plugin in response to Automattic’s unwillingness to either remove or make optional Quantcast tracking. Months after he released his plugin Automatic modified their Quantcast code, mandating a new release of his plugin. In response Frank has released an updated version of his plugin, now titled WP DoNotTrack, and made it available in the WordPress.org repository.

Frank outlines several reasons for installing the plugin:

make your WordPress blog/ site honour visitors who request not to be tracked, even if the 3rd parties you include do not (conditional privacy)
stop any tracking by 3rd parties (absolute privacy)
protect your blog from rogue plugins that dynamically add malicious external javascript to your wp-admin pages (security)
limit the number of external servers that are called from your blog (performance)

There are full configuration instructions on his website and information in the FAQ that can help you determine what options you want to flag. If you decide to just use the default settings you’ll successfully block Quantcast tracking. I cannot recommend this plugin highly enough. Not only will it improve the privacy, security, and performance of your website, but it will also ensure that you’re not making false privacy claims to your website visitors.

Other posts you might be interested in:

The Anatomy of Lawful Access Phone Records

Christopher — Tue, 22 Nov 2011 02:57:21 +0000

Photo by mjecker

Canadian advocates, government officials, and scholars are all concerned about the forthcoming lawful access legislation. A key shared concern is that authorities could, under the legislation, access telecommunications subscription records without court oversight. Moreover, as a condition of accessing these records businesses might be served with gag orders. Such orders would prevent Canadians from ever knowing (outside of court!) that the government had collected large swathes of information about them. In response to concerns aired in public, the Public Safety Minister has insisted that the legislation would merely let police access “phone book” information from telecommunications providers.

I maintain that such assertions obfuscate the sheer amount of information contained in the records that authorities would collect. The aim of this post is to make clear just how much information is contained in a single lawful access “phone record”, demonstrating that the government is seeking information that grossly exceeds what is contained in the white or yellow pages today. As a result, I first provide an example phone record that resembles those in every phonebook in Canada and then offer an example of a lawful access record. Remember that such requests may be filed to multiple service providers (e.g. Internet service provider, web forum hosts, blogs, mobile phone companies, etc) and thus a swathe of records can be combined to generate a comprehensive picture of any particular individual. By the conclusion of the post it should be evident that information provided under lawful access powers is more expansive than the phone records government ministers allude to and lay bare those ministers’ technical obfuscations.

Phonebook Records, Today

In his response to the Information and Privacy Commissioner of Ontario, Vic Toews (Public Safety Minister) insisted that police would simply have access to “phone book” information under the forthcoming lawful access legislation. He asserted that, “Our proposed approach of linking an internet address to subscriber information is on par with the phone book linking phone numbers to an address.” While government officials insist Toews’ response obfuscates just how expansive lawful access records are from traditional phone records, it is arguably challenging for the lay public to grasp the amount of information contained in the proposed subscriber record fields. So, let’s consider the differences between a phone book record accessible in your home, today, using a phone book and “phone book” data the federal government wants to make available to authorities without a warrant. The following resembles a phone record reminiscent of one in a phone book today:

John Smith, 456 Westminister Ave . . . . . . (636)-421-6124

This record contains the listed name of an individual, the address associated with the phone number, and the area and local code for the telephone service. Not all individuals provide full details in the phone books that are distributed each year. Some individuals have their addresses removed or substitute their full names with their initials. Such modifications are often the result of people feeling uncomfortable with fully disclosing their address, phone number, and name in one publicly accessible location. Using this information you can (potentially) learn where the individual associated with a phone number lives, but you do not necessarily discover the names of particular individuals living in the home, number of people in the home, and so forth. Thus, where multiple people share a single phone and address the subscriber record may be somewhat nebulous; while it should identify an individual at the address it is questionable whether that particular individual interests the authorities.

Phonebook Records, Tomorrow

The ‘phone records’ that Minister Toews is talking about are quite a bit larger, and far more descriptive, than those found in the local yellow or white pages. As I’ve depicted them, one line grows to six, and three data items explode to eleven descriptively rich fields. The expanded list will be available as phone records to authorities but not to individuals. This stands as a clear distinction between a phone record that individuals think of in phonebooks and the record that authorities will have access under lawful access legislation. An updated record might appear as follows:

John Smith, 456 Westminister Ave . . . . . . (636)-421-6124
jsmith@example.com . . . . . . . . . . . . I.P., 10.0.0.100
MIN, 250-5211-0091 . . .  . . . . . . SPID, 636-421-6124-00
ENS . . . . . . . . 1000 0010 0001 1010 0000 0101 0110 1111
IMEI, 35-209900-176148-23 . . . . . IMSI, 310-150-564857956
SIM . . . . . .. . . . . . . . . . . 894411 0112 12333344 4

Most of what is contained in these eleven fields will be foreign to the average user. In light of this, let’s turn to unpack the new record in a line-by-line format.

The first line is identical to your typical phone book record. Note that the phone number here would be a permanent number, such as the number to call if the mobile number identified in line three is inoperable. Obviously there may be instances where there isn’t a distinction between the phone numbers in those lines if the mobile subscriber either lacks a landline or alternate mobile phone. Further, where the telecommunications service provider, such as a web forum, only has a single phone number then a mobile number might be situated on this line.

Line two offers the email address and Internet Protocol address of the subscriber in question. Email addresses will be tied to particular accounts; you may have one email address for a web forum, another for purchases online, and yet another for personal correspondence from your Internet service provider. While a singular email address is given here, this is representative of a single subscriber record from a single telecommunications service provider. It is likely that different emails (and, thus, different ‘phone records’) are kept by each of the service providers you engage with on a daily basis. The Internet Protocol address is assigned to you by your Internet service provider and is an essential element to accessing the Internet itself. IP addresses identify where data originates from and should be sent towards. Your IP address is likely either dynamic (changes with some degree of frequency) or static (permanently assigned to your modem). Regardless, using an IP address authorities could identify your Internet service provider and, from there, demand that the Internet provider disclose which subscriber was assigned the IP address at some particular time. Given that many IP addresses are dynamic it is possible that different telecommunications service providers will have different addresses attached to your record instead of the singular address offered in the example line two.

The third line contains the Mobile Identification Number (MIN) and Service Provider Identifier (SPIN). This line is needed for subscriber records associated with mobile phone/device usage. The MIN uniquely identifies a mobile device on a mobile provider’s wireless network and can be used to dial to and from the device. While the record that I provide is accessible to the human eye, MINs are typically kept in a database in two components. The area code is often stored in a 10 bit MIN2 section and the local portion in a 24 bit MIN1 section. (See UK ESN/MIN Grabbing for more information on how these two sections are divided.) Unlike other serials and codes, which are engrained into the hardware of a device, a MIN is stored in a mobile providers’ database and can be changed. A SPIN is a unique number assigned to service providers so that telecommunications switch owners and service providers can enter financial relationships for the purposes of carrying traffic. The number identifies the company that ‘owns’ the account associated with the traffic. Thus, even when calling using a Rogers mobile phone on the AT&T network, the SPIN will help to ascertain that Rogers (and, ultimately, the account owner) is responsible for paying for using the AT&T network.

The fourth line holds the Electronic Serial Number (ESN), a number that is encoded into each mobile device as a 32-binary bit number. It is embedded into the device by the manufacturer and thus is not assigned by a mobile telephony/Internet company from whom a device is purchased. The ESN is often checked against the MIN to prevent fraud. Specifically, while an individual could try and have their MIN changed to try and receive free services, by correlating the MIN and ESN in the providers’ database the likelihood of successfully conducting fraudulent activities are diminished. Moreover, with the ESN it is possible to ascertain whether the same phone is being used across a set of wireless carriers’ networks.

The fifth line contains the International Mobile Equipment Identification (IMEI) and International Mobile Subscriber Identification (IMSI) numbers. These numbers are tied to mobile devices (e.g. phones, 3G-capable tablets). The following information can be derived from the IMEI number used in the example above, “35-209900-176148-23″: that the number was issued by the British Approvals Board for Telecommunications (“35″) and given allocation code “2099″. The “00″ reveals the period of time when the device was manufactured, “176148″ reveals the serial number issued to the model of device, and the “23″ reveals the version of software installed on the phone. The IMSI identifies the mobile country code (“310), mobile network code (“150″), and mobile subscription identification number (“564857956″). “310″ is the number associated with America, and “150″ with AT&T. As a result, with the IMEI and IMSI numbers you can ascertain when the device was made, serial of the device, version of its software, nation of usage-origin, carrier-of-origin, and the subscriber code of the carrier associated with the device.

Line six has the Subscriber Identification Module (SIM) number. This number, “894411 0112 12333344 4″ in our example, is broken into subcomponents to identify different bits of information. The first two digits (“89″) are associated with the telecom operators identifier. “44″ refers to the country code and “11″ to the network code the module is associated with. The next four digits (“0112″) indicate the month and year of the SIM’s manufacture and following two numbers (“12″) of the switch’s configuration code. The next six numbers disclose the SIM number itself and the last holds the digit to confirm the validity of the SIM serial itself.

Perhaps it needn’t be stated, but as should be clear there is a significant difference between a “phone record” in a phonebook and a “phone record” under the Canadian government’s proposed lawful access legislation. A phone number and address does not reveal the manufacturer of a mobile device, when it was made, when elements of the phone were provisioned, the provider of the telephone services, and so forth. Instead, the lawful access record affords a trove of data that is far in excess of what a citizen would find when they looked up a name, address, or phone number in the hardcopy phonebook that is delivered to their door each year.

Aggregating Records for Citizen Transparency

Not all telecommunications service providers could make available a full post-lawful access legislation “phone record.” However, once authorities have a single piece of information they can then move to other service providers to develop a full record, one that could subsequently be used to map a person’s presence on the Internet, their habits, and their activities. Using open source intelligence, the email address can be employed to determine what other services are attached to that email address, and using the IP address authorities can determine where a person is accessing the Internet from (i.e. was the IP address leased to a cafe? to a home? to a business? to a mobile network?) and the billing records associated with that IP address. If browsing from Starbucks, the cafe might be able to turn over a log of users who used their wireless network during the time authorities are interested. If browsing from home, or your own mobile device, then the subscriber records associated with that billing address might be available. And, if browsing from a friend’s phone or computer, then their information might be given to police regardless of your friend’s interest to the police.

Remembering back to the discussion of traditional phone records, it is possible that multiple people share the same account and thus what turns up in the phonebook remains somewhat ambiguous. This may remain so when dealing with communal Internet connections but is far less true when dealing with mobile devices. Phones have, for many people, become fetishes that are carried on one’s person and jealously protected from third-party intrusion. Thus, the ability to ascertain who owns, and is using, a particular mobile device is far less ambiguous than who subscribes to, and uses, a landline phone. Using contemporary policing technologies such as IMSI catchers, authorities can de-anonymize a crowd by catching the IMSI associated with each phone and immediately requesting subscriber data from mobile phone providers. While it may not be legal for authorities to engage in ruses to compel individuals to identify themselves when those individuals have done nothing wrong, with IMSI catchers no ruse is needed for the identification process to occur. The term “papers please” is a distinctly analogue notion, one that can be abandoned by authorities in possession of IMSI catchers and lawful access powers.

Surveillance is being automated, and vendors are accelerating the rates that records can be collected and analysed to meet the needs and expectations of the multibillion dollar surveillance complex that has significantly grown post-9/11. Developers are not about to slow the rate of their surveillance innovations in the face of regulation that permits more expansive surveillance, records collection, and correlation of online actions with those records. Technology, however, does not determine the course of society: technology and society are mutually entwined, with each influencing the other. While surveillance architectures are being developed, if their uses are either illegal or are accompanied by high administrative or financial burdens then the architecture can lay substantively dormant save for in truly exceptional times associated with incredibly significant events. Legal friction can encourage such high costs by outlawing particular ways of collecting subscriber information and requiring administrative burdens (e.g. the warranting process) to force authorities to intentionally assign resources to access subscriber records. Reducing legal and administrative frictions in an era where technical frictions are quickly becoming a thing of the past is a recipe for expanded government surveillance. Such surveillance can detrimentally affect individuals by chilling speech and association, harm businesses by increasing the costs of complying with regulation, and force citizens to pay for their own surveillance in increased service costs and by way of their charter rights. We must avoid such harms and, as such, retain administrative and legal frictions to ensure that strong oversight bodies exist and that appropriate frictions accompany novel policing and intelligence powers.

No related posts.

Lawful Access, Its Potentials, and Its Lack of Necessity

Christopher — Thu, 10 Nov 2011 00:44:26 +0000

Image by mattwi1s0n

New surveillance powers are typically framed using benevolent and/or patriotic languages. In the United States, we see the PATRIOT Act, the Stored Communications Act, and National Security Letters. Powers associated with this surveillance assemblage have been abused and people have been spied upon in violation of the law, bureaucratic procedure, and regardless of demonstrating real and present dangers. The UK has the Regulation of Investigatory Powers Act (RIPA), which significantly expanded the capabilities of police and intelligence to monitor citizens in previously illegal ways. This legislation is also used improperly, as revealed in the yearly reports from the Interception Commissioner. In Canada, the Canadian government has publicly stated its intention to press ahead and introduce its lawful access legislation despite concerns raised by the public, members of the advocacy and academic community, and the information and privacy commissioners of Canada. Here, we can also expect uses of lawful access powers to overstep stated intents and infringe on Canadians’ rights, intrude upon their privacy, and injure their dignity.

Over the past months I’ve been actively involved in working with, and talking to, other parties about lawful access legislation. This has included speaking with members of the media, publishing an op-ed, and conducting various private discussions with stakeholders around Canada who are concerned about what this legislation may (and may not) mean. Today, in the interests of making public some of the topics of these discussions, I want to address a few things. First, I quickly summarize key elements of the lawful access legislation. Next, I note some of the potentials for how lawful access powers will likely be used. None of the potentials that I identify depend on ‘next generation’ technologies or data management/mining procedures: only technologies that exist and are in operation today are used as mini-cases. None of the cases that I outline offer significant insight into the operational working of stakeholders I’ve spoken with that can’t be reproduced from public research and records. I conclude by questioning the actual need for the expanded powers.

What is Lawful Access?

Lawful access legislation enhances policing and intelligence powers. As recognized by Ontario’s Information and Privacy Commissioner, Ann Cavoukian, “it is highly misleading to call it “lawful.” Let’s call it what it is – a system of expanded surveillance.” In general, there are three classes of access powers associated with such legislation: search and seizure provisions, interception of privacy communications powers, and production of subscriber data. On the basis of past lawful access legislation that has been tabled, but not passed, we can expect forthcoming legislation to ‘modernize’ the existing criminal code to accommodate several of these powers.

To begin, the legislation is expected to require telecommunications service providers (such as Internet service providers, web forums, bloggers, etc) to be able to decrypt any communications they are responsible for encrypting. Such encryption services might be used to ensure customer privacy, such as by offering secured communications between parties. While communications may generally be secure they cannot legally be made secure from the government by a service provider offering a turnkey encryption solution. In effect, communications will thus be pseudoencrypted: protected against adversaries with the same level of power as the services’ users, but unprotected against the more powerful agents such as the state.

In addition, telecommunications service providers (TSPs) will need the ability to retain data on subscribers for up to 90 days. TSPs may be served with preservation orders, which would require them to retain data on specific individuals. Preserved data would be transferred to authorities once they have secured a production order from a judge and issued the order to the TSP. The TSP could then delete/destroy the preserved data.

Whereas preservation orders are used to require storage of the content of communications, police can access subscriber information without first receiving a court order. A wide variety of information may be disclosed, including:

name
address
telephone number
electronic mail address
Internet protocol address
mobile identification number
electronic serial number
local service provider identifier
international mobile equipment identity number
international mobile subscriber identity number
subscribe identity module card number associated with the subscribers’ service and equipment

This information lets authorities definitely identify individuals and the records held on them by the TSPs used in the communications process. Accompanying the no-warrant-required elements of the bills is a capacity for authorities to install ‘number recorders’ in TSPs’ communications hubs in exigent circumstances. As noted by the National Post’s Kathryn Blaze Carlson:

A number recorder, which records the telephone numbers associated with outgoing and incoming calls, would be installed remotely by a telecommunications provider at their call centre hub. The installation can last up to 60 days, but it could be extended to one year if a warrant is obtained and if the investigation involves organized crime or terrorism.

The legislation also introduces the ability to activate and/or monitor the signals emitted from location-enabled devices that Canadians carry with them or are in regular contact with. Police can do this today but lawful access legislation would permit them to activate disabled locational systems (e.g. your phone’s GPS) including in covert ways. Such actions could be undertaken with court supervision or, potentially, in instances of emergency or exigent circumstances. It should be noted that access to geolocatational information is more expansive than just your physical location at a particular time: the legislation is also intended to let authorities discover the location of ”transactions such as geo‐tagged comments or photos from private sector service providers.” (.pdf source).

It is unlikely that a targeted Canadian will be made aware of lawful access-enabled surveillance unless charges are brought to bear. As noted in the letter that was sent to the Prime Minister’s Office in August 2011 (.pdf), and re-confirmed in Blaze’s piece, there are elements of the legislation that impose ‘gag’ orders on anyone who is ordered to comply with lawful access powers. Specifically,

Clause 6(2) permits the government to impose, in regulations, sweeping and categorical confidentiality obligations on service providers that will apply across all interception warrants. Second, under Clause 71, any telecommunications service provider obligated to comply with a warrantless seizure request will be subject to the secrecy provisions in proposed section 7.4 of PIPEDA. Proposed section 7.4 of PIPEDA prevents organizations from disclosing the fact of their cooperation with state efforts to spy on their customers. The sweeping nature of the secrecy measures envisioned by these provisions is in stark contrast to existing practice, where gag orders must be requested from a judge and justified on a case by case basis. The problem with such measures is that they will prevent individuals from challenging abuses of the powers granted in this Bill.

Lawful Access, In Summary

As I wrote in an op-ed in the Vancouver Sun in October, this legislation can be summarized as requiring:

Corporate surveillance. Internet service providers, mobile phone providers, and even the websites that Canadians visit could become agents of the state, forced to preserve records of Canadians’ actions at the request of authorities (Source);
Minimal oversight. Audit powers will be offloaded to privacy commissioners without corresponding material or legislative resources to effectively conduct audits and limit abuse (Source);
Warrantless disclosures. Internet users’ subscriber information will be disclosed to authorities, regardless of the information’s usefulness or uselessness to an investigation (Source);
Secrecy orders. Authorities might collect Canadians’ private information without those Canadians ever knowing about the collection or the reasons for collecting it (.pdf Source).

Lawful Access in Practice

A large number of Canadians who look at these proposals may feel some unease but then quickly assert that the legislation is ultimately innocuous. The standard rhetoric is that “If you have nothing to hide then you shouldn’t fear this legislation.” Such a statement obfuscates the realities of both contemporary policing and what studies demonstrate about how people actually versus rhetorically understand privacy. To begin, contemporary policing is deeply invested in identifying deviant behaviour and acting upon it in an ‘actuarial’ manner. David Lyon, a world-leading scholar on the topic and issue of surveillance, presciently wrote the following back in 2003:

As with database marketing, the policing systems are symptomatic of broader trends. In this case the trend is towards attempted prediction and pre-emption of behaviours, and of a shift to what is called “actuarial justice” in which communications of knowledge about probabilities plays a greatly increased role in assessments of risk (Lyon 2003: 15-16).

Thus, mistakenly being situated in a wrong category can have significant implications on one’s life regardless of whether a person has ‘something to hide’ or not. The degree to which one is public is (arguably) secondary to the ‘types’ of people one knowingly and unknowingly associates with, whom their associates are connected to, and the risk profiles that are assigned to those communicative partners and their colleagues. To make this somewhat clearer, consider the following: In college/university/your private life you likely communicate with individuals who have, or presently do, agitate peacefully against certain state behaviours. You may or may not be aware that those individuals agitate. Perhaps you have/do engage in discussions with those people online, either on websites that those opposed to certain state behaviours, or in the comments section of newspaper articles, or other electronic formats. Should the police be interested in tracking the individuals invested in an issue (e.g. legalization of marijuana, legal issues surrounding sex work in Canada, protest against federal decisions concerning Sri Lanken immigrants, etc) then they may request available subscriber records for all who have participated in the online discussion.

Now, let’s again assume that you were not supportive of opposition to an official government position and thus aren’t necessarily of direct interest to authorities. Regardless, your subscriber data and that of everyone else engaged in these discussions might be requested by the police. No warrant is required to provide this information. Let’s assume that you used a unique pseudonym and throwaway email address. The authorities would gain access to your IP address and email address. They would get the same information for every participant of the discussion. With this information they could turn to whomever provided the email account, as well as contact the ISP who provisioned the IP address at the specific time that you posted your message. With information from the email provider they may be able to definitely identify the ISP that you use and, from there, your name, address, and so forth. Thus, you as ‘hungrybunny19′ are identified as ‘John Smith’ who was involved in discussion with individuals who authorities are interested in monitoring for some reason or another. John Smith, you, are subsequently added into a database as associating with persons the authorities find questionable. Mr. Smith will never know that he was added into such a database because the service provide could not legally disclose that the information had been released and, as a result, Mr. Smith’s life prospects may change for legally associating and speaking with those who were similarly engaged in legal speech and association.

Perhaps you insist that this doesn’t describe you: you would never communicate about anything in any electronic environment with any person that would ever be of interest to authorities (and, if you can make and stand by these claims, you’re vetting the people that you speak with using intelligence-service-level thoroughness!). Perhaps you have a cellular phone and you have passed near major events that the police have an interest in monitoring. For example: you may have been involved in peacefully assembling during the G20 in Toronto, been a passive spectator at the Vancouver riots, visited an Occupy camp, or may simply pass by union members who are protesting working conditions in a public space several times a day as you walk around your city conducting legitimate personal business. In all cases, the authorities may have an interest in monitoring individuals associated with such groups. Using a technology known in the United States as ‘Stingray’ or, more precisely, IMSI catcher surveillance equipment, police can impersonate a cellular tower and capture all the IMSI numbers within several kilometers of the catcher (.pdf source). The IMSIs, or International Mobile Subscriber Identity numbers, can be taken to a mobile phone provider and used to compel the subscriber data associated with the caught IMSI numbers. Thus, should one of these catchers be deployed by authorities ‘just in case’ an individual may find their personal information sent along to police on the basis of their physical presence during a legal public event. The capacity to acquire IMSI numbers en masse, combined with legal powers to compel subscriber information, creates the perfect framework for mass fishing expeditions based on where citizens are physically present.

Canadians may be uncomfortable with these propositions but immediately follow up with the position that such concerns are hyperbolic. Unfortunately, a brief reflection on the history of surveillance in Canada and present actions taken by our allies (depressingly) suggests that these concerns are practically banal. During the Vancouver Olympics authorities spent incredulous amounts of money on security, an element of which was allocated towards monitoring legal associations of citizens. As disclosed in memos there were no specific, credible, terror threats against the Vancouver Olympics. Despite these threat assessments, citizens who had specific political and economic concerns were routinely placed under surveillance. In effect, citizens conducting legal actions that might lead to disruptions of the games became targets of a surveillance apparatus designed to prevent the next Munich massacre. Surveillance and intelligence gathering did not solely focus on citizens involved in protesting government actions or others associated with the Olympics, but also their contacts, friends, students, former partners, and academic and professional acquaintances. Efforts were also made to recruit neighbours, friends, and acquaintances to spy on suspected activists, and the RCMP tried to legally shield itself from fulfilling FOI requests under the guise of operational security. Under lawful access legislation, the lines of inquiry could expand beyond police associations of people online – the aforementioned people communicating in Web forums – to using technologies like IMSI catchers to identify who is often nearby citizens-under-suspicion. Having coffee with a work friend who advocates for social justice on the weekends could lead to unsuspecting, and utterly uninvolved, citizens being stuck in the same net as their law-abiding colleagues who are caught in the web of actuarial justice.

Further, Canadian authorities have a history of monitoring those who are often the least-advantaged in our society. Consider that Military Intelligence places native communities under intense surveillance. As reported in the Globe and Mail, eight reports were generated in just 18 months. Surveillance was conducted to record Natives’ concerns surrounding new tax policies, potential to blockade Highway 401, and possible future protests, lobbying activities, and lawful associations. The group responsible for this surveillance was a counter-intelligence body charged with “identifying, investigating and countering threats to the security of the Canadian Forces and the Department of National Defence from foreign intelligence services, or from individuals/groups engaged of espionage, sabotage, subversion, terrorism, extremism or criminal activities.” At no point in the reports is it evident that native groups fell under the latter set of descriptors. With the introduction of lawful access legislation other authorities could have become involved in the surveillance and compelled telecommunications providers to disclose the contents of communications. Further, using previously mentioned tactics embedded in the legislation, subscriber information and who was communicating with who could have been determined without warrant or court oversight.

In short, it is entirely plausible that lawful access could be utilized to expand existing surveillance practices conducted by Canadian authorities. There are serious oversight concerns. Specifically, the Office of the Privacy Commissioner of Canada would be hamstrung in auditing the surveillance conducted and its motivations, and the legislation fails to extend the powers of that Office to accommodate the expansion of police powers. Further, where local or provincial police conduct surveillance, audit responsibilities would fall to provincial commissioners and they similarly lack the resources to mount full-scale audits of authorities’ proposed expansive surveillance practices. This position is forcefully stated the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian. She poignantly writes that,

Canadians must press the federal government to publicly commit to enacting much-needed oversight legislation in tandem with any expansive surveillance measures. Intrusive proposals require, at the very least, matching legislative safeguards. The courts, affected individuals, future Parliaments and the public must be well informed about the scope, effectiveness and damaging negative effects of such intrusive powers.

The Need for Lawful Access

Over the past months I’ve had the opportunity to speak with counsellors, engineers, privacy officers, and policy staff for telecommunications service providers. This has ranged the gamut from ISPs to an ex-VoIP provider employee to webmasters responsible for large online environments to policy wonks for massive Internet-based corporations. The various parties I’ve spoken with have held varying opinions on the previously proposed lawful access legislation; everything from cost issues, to rights problems, to implementation woes, to issues of being identified as a ‘problem’ in the policing process.

All, however, have told me in almost every case that data is requested on exigent circumstances grounds it is, in fact, disclosed.

What, specifically, is the need driving the legislation then? Authorities have routinely insisted that lawful access powers would only be used when investigating the most serious of crimes (e.g. see this audio interview with the CBC’s ‘Spark’) but in other jurisdictions we regularly have seen expanded surveillance used to investigate less serious offences. For extensive documentation of such ‘expanded uses’, see Priest’s and Arkin’s Top Secret America: The Rise of the New American Surveillance State, allegations that the FBI conducted dragnet surveillance to trace bank robbers, claims that routine conversations lead individuals to be labeled as potential terrorists in government databases, inappropriate monitoring of hundreds of people each year, yearly monitoring of over 500,000 people’s communications records, or the usage of terror-based surveillance provisions to ensure children are registered in correct school districts. I cannot state emphatically enough: this is a very small sampling of how widely used lawful-access style legislation is used by our closest of close economic, political, and military allies. There is no reason that Canadian authorities won’t demonstrate the same types of behaviour.

British Columbia’s Information and Privacy Commissioner, Elizabeth Denham, has asserted that authorities have not demonstrated evidence that investigations have been thwarted under existing access powers. Authorities have failed to provide empirical data that reveal a clear and present need for enhanced powers contained in past, or forthcoming, lawful access legislation. Authorities have noted concerns with warranting processes and if these concerns are legitimate (insofar as they can be documented using empirical datasets) then perhaps Parliament should consider modifying the warranting process or increase resources so that warrants can be processed more rapidly. If, however, authorities are simply looking abroad and finding their power lacking in comparison – and cannot clearly outline why they need their compatriots’ powers to protect us from truly serious crimes – then they should not be granted expanded powers. Police and other authorities should not be permitted to infringe upon Canadians’ rights and further erode expectations of communicative privacy, associative privacy, or basic dignities on the basis of cross-jurisdictional envy.

Other posts you might be interested in:

Mobile Security and the Economics of Ignorance

Christopher — Tue, 04 Oct 2011 08:05:53 +0000

Photo by JolieNY

Mobile penetration is extremely high in Canada. 78% of Canadian households had a mobile phone in 2010, in young households 50% exclusively have mobiles, and 33% of Canadians generally lack landlines. Given that mobile phones hold considerably more information than ‘dumb’ landlines and are widely dispersed it is important to consider their place in our civil communications landscape. More specifically, I think we must consider the privacy and security implications associated with contemporary mobile communications devices.

In this post I begin by outlining a series of smartphone-related privacy concerns, focusing specifically on location, association, and device storage issues. I then pivot to a recent – and widely reported – survey commissioned by Canada’s federal privacy commissioner’s office. I assert that the reporting inappropriately offloads security and privacy decisions to consumers who are poorly situated to – and technically unable to – protect their privacy or secure their mobile devices. I support this by pointing to intentional exploitations of users’ ignorance about how mobile applications interact with their device environments and residing data. While the federal survey may be a useful rhetorical tool I argue that it has limited practical use.

I conclude by asserting that privacy commissioners, and government regulators more generally, must focus their attention upon the Application Programming Interfaces (APIs) of smartphones. Only by focusing on APIs will we redress the economics of ignorance that are presently relied upon to exploit Canadians and cheat them out of their personal information.

Mobile Privacy

The latest smart devices often spur national headlines and consume hours of television reporting and advertising. Consumers are typically sold of the ‘cool’ features of devices, such as video chats, new intuitive gestures, better screens and speakers, superior access to third-party applications, music services, and so forth. Rarely are security improvements or enhancements to user privacy anywhere near the popular marketing material. This isn’t to say that innovations in security aren’t regular: every generation of Apple’s iDevices have been accompanied by more sophisticated hardware- and software-based security innovations, and the same can be said for Android, Blackberry, and Nokia devices. Innovations in privacy are somewhat rarer. Some proponents of smartphone privacy, such as Apple, have chosen to walk away from strong privacy settings in preference for more ‘engaging’ interfaces. Contemporary conveniences have come at the cost of consumer privacy protections.

There are (at least) three key areas where mobile privacy commonly comes to the fore. The integration of GPS and wifi-based location tools with the core operating systems of contemporary phones has, and will continue to, raise serious concerns about locational privacy. In tying contact information with underlying APIs, along with weak consumer privacy protections, expectations of privacy in who we associate with are threatened. Finally, poor management of third-party applications’ access to stored data has, and will likely continue to, limit consumers’ abilities to secure their data or prevent borderline malicious surveillance processes from taking place.

I will note that many of the examples I draw on will refer to Apple’s iPhone, with far fewer examples drawn from other smart phones. This isn’t necessarily meant to single out Apple but is the result of conducting months of research on deficiencies associated with Apple products. Other devices – Android in particular! – have and will likely continue to manifest security vulnerabilities that infringe upon their users’ expectations of privacy.

Location Privacy

Where a mobile device happens to be on a regular and not-so-regular basis can reveal considerable amounts of information about an individual, especially when data is collected over extended periods of time. Using basic data mining (and common sense) it is possible to identify routine movement patterns, where someone is likely to be at any time of the day, where they live and work, whether they suffer from medical conditions requiring (semi-)regular treatment, when an abnormal life event occurs, and so on. While these movement patterns are revealed regardless of whether someone has a smartphone, feature and dumb phones are less able to disclose this information to non-carrier partners. All three types of phone will disclose the following to a carrier (and anyone it’s partnered with): information such as cell identification, signal level, angle of arrival, time of arrival, and time of difference to arrive can be used to calculate a phone’s position.[1] In the case of smartphones, third-party applications can typically access collected location information and transmit it back to its corporate servers. Further, on smart devices location information can be collected by identifying nearby wifi access points, by activating the GPS system, and/or by locating the phone in relationship to cellular towers.

Once movement location is collected it can have other data overlaid upon it to gain deeper insight into who is using the phone. Imposing demographic, psychographic, and consumer information over geolocational data can establish nuanced profiles.[2] Such profiles are not just geolocationally-sensitive but also vary over time. By integrating time as a variable the data miner can develop deeper insights about the device owner by integrating migratory patterns with behavioural and imputed racial characteristics (e.g. pinpointing a phone as at gay pride parades, carnival routes, or other cultural events that have publicly disclosed geo-temporal characteristics).[3]

In the case of the iPhone, Apple had initially required application developers to query the user every time before accessing the GPS sub-system or locating the phone using nearby wifi access points. This meant that a customer could sporadically disclose their location as they saw fit, trading their privacy for specific benefits. This capability, which was present in all versions of iOS prior to 3.2.1, has subsequently been replaced with a uniform opt-in/out mechanism. If a user selects “OK” once when an application asks to access a device location they must do the following to modify their configuration:

Open Settings;
Select General;
Open Location Services;
Turn off a particular application’s sharing of the device location.
Steps 1-4 must be repeated every time that a user wants to opt-out of location sharing again.

While this is an opt-in approach, it stands in stark contrast to Steve Jobs’ statements at the D8 conference. Specifically, Jobs stated that Apple has a “very different view of privacy than some of our colleagues in [Silicon] Valley. We take privacy extremely seriously. That’s one of the reasons we have the curated apps store. We have rejected a lot of apps that want to take a lot of your personal information and suck it up into the cloud. Privacy means that people know what they’re signing up for. In plain English, and repeatedly, that’s what it means. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of you asking them. Let them know precisely what you’re going to do with their data.” Evidently, Apple no longer takes privacy as seriously as it had in previous iterations of its business strategy.

In the case of Windows Phone 7 device, many of the applications will request access to location information as a precondition of installing the application. This is true for RSS feed readers, calendaring programs, and video games. Some applications, such as the BC Ferries Sailing Information app, prominently display an option on the main screen so that users can opt-out of location sharing at any time. Unlike Apple, however, Microsoft’s phone does not contain a setting page where users can opt-out of location sharing on a per-app basis. Instead, users must entirely disable or enable all location services. Many apps will let you subsequently opt-out of location sharing, but where to disable the feature varies depending on the application.

Smartphones also have a habit of turning their users into ‘warphoners’. To clarify, this means that the phones detect, store, and subsequently transmit information about the wifi access points the phones pass by (with geolocation information) to their respective corporations. Microsoft, Apple, and Google have all been ‘caught’ capturing locational information and sending it home to their servers. While Google’s database does limit some of the information it discloses, we can intuit its capabilities based on what was revealed about Microsoft’s own location database. Specifically, when researchers examined the Live.com database they found that some of its items moved from location to location. The Live.com database was tracking where mobile hotspots were and, thus, giving Microsoft and those accessing the database insight into the movements of not just mobile phone owners but also of non-Windows phone users who had mobile wifi access. On a contemporary smartphone there is no reason why a third-party application couldn’t also develop similar sniffing services that operated while the app was running.

Various privacy officials have stated that there is relatively little harm in access point information being captured. Unfortunately, few seem aware of how easy it is to collect a router’s MAC address. With this address it is possible to query publicly available databases that retain correlated MAC addresses and location information. Using this information, you can identify where an individual is physically situated.

Unfortunately, many data protection and privacy commissioners operate on complaints-based systems dependent on citizens identifying harms. Most citizens are poorly situated to trace the data flowing in and out of their phone, and have limited insight into what happens to data after it leaves their device. Those that know may be bound by non-disclosure agreements, limiting their ability to contribute to the public sphere. In light of these limitations commissioners and regulators must proactively engage with smartphone manufacturers. Government officials must ensure that APIs guarantee effective privacy controls over location information so that citizens can ‘control’ or be aware of the flow of their personal information.

Association Privacy

The fact that considerable amount of personal information is held on mobile phones is nothing new. There have been worries around what happens if a person loses their phone for years, and such anxieties will likely continue as long as humans outsource memory retention to semi-animate objects. What has changed with the rise of data-enabled devices is the ease of unknowingly losing your contact list without ever having physically lost hold of your phone. The loss of this information not only compromises contact details of associates and colleagues, but also sheds light upon who the device owner likely communicates with, has met, or generally has in their social network. Such revelations impact citizens’ association privacy, insofar as they cannot be sure that their communications device won’t indiscriminately disclose to parties-unknown about who the owners associate with. Such revelations can have chilling consequences and also lead to profiles being developed that negatively impact the device owners or others who have their information stored on the mobile device.

All smartphones have address books (or address book equivalents, in the case of Windows Phone). The iPhone, in particular, is well-known for letting third-party applications transmit copies of users’ address books. Apple installs their ‘Contacts’ app on all phones and it cannot be removed by the phone owner. In a report by the European Network and Information Security Agency (ENISA), it was noted that there was a serious privacy concern related to how third-party applications interact with the ‘Contacts’ application. The report’s authors write, “…in iOS, the address book is accessible to all apps. No special status is given to the user’s own contact details in the address book, meaning that, apart from the large amounts of personal data this exposes, the user’s own phone number is also accessible, which can be used for unsolicited marketing” (.pdf). Third-party application developers can access a considerable amount of personal information without first informing users of the access.

To be more specific, software engineer Nicholas Seriot writes that the following items are accessible through the Address Book database, which underlies the Contacts application:

Names of contacts;
User and contacts’ phone numbers;
User and contacts’ email addresses;
Notes field, “in which many Mac users store sensitive data such as door codes or bank accounts’” (.pdf)

These concerns are not just academic or hypothetical. In 2008, Aurora Feint was caught looking through the Address Book Database, sending it unencrypted to their servers, and subsequently matching the data against others users’ contact lists to inform users when their contacts/friends were also playing the game. In this case Apple did identify the problem and subsequently removed the application from their app store. Importantly, however, the problem was detected after it had previously been approved for sale within their curated environment and following considerable public outrage. Other companies have secretively collected data as well: MogoRoad collected Swiss phone numbers to subsequently call users (though not in contravention of Swiss law) (.pdf) and Storm8 collected users’ phone numbers and correlated them with users’ names, email address, and unique device identifiers.

Apple does note in their iOS Reference Library that “the Address Book database is ultimately owned by the user, so applications must be careful not to make unexpected changes to it. Generally, changes should be initiated or confirmed by the user.” Despite this suggestions, it remains possible for application developers to access, transmit, and modify information from the Address Book database without first requesting the user’s permission.

Of some concern is Apple’s more recent response when contacted about applications that transmit contact information without user consent. In their paper, “PiOS: Detecting Privacy Leaks in iOS Applications” [.pdf] researchers M. Egele, C. Kruegel, E. Kirda, and G. Vigna found that popular social network application Gowalla transmitted a user’s contact book, in its entirety, without the owner’s consent. When the authors contacted Apple about this indiscriminate appropriation of contact information the company suggested that the researchers direct their concerns directly to the application developer.

There are several problems with how Apple has established the API for their mobile environment. To begin, their API enables access to contacts information without imposing code-based restrictions. This is a serious deficit. Second, the information that is being shared is not exclusively owned or controlled by the phone owners. There is no ability for those in the ‘Contacts’ application to consent to the disclosure of their personal information to a third-party. Moreover, given their lack of consent or notice to the device owner, and given that we cannot reasonably expect that those included in the contacts book will be notified of disclosures, it is dubious that individuals in a person’s contact book will ever know to contact the application developer and have their personal information removed. Ignorance permeates all stages of the disclosure process, and this ignorance fuels the monetization of personal information.

Device Storage Privacy

Of course, there is even more information that is stored on these devices. In the case of iDevices there is a unified keyboard cache that is accessible to third-parties. The cache “contains all the words ever typed on the keyboard, except for the ones entered in the password field. This is supposed to help autocompletion but this mechanism effectively acts as a key-logger, storing potentially private and confidential names and numbers.” (source .pdf) As it stands, third-parties that access this information – without the owner knowing about this caching feature, or consenting to third-parties accessing it for non-cut/paste purposes – can uncover significant personal information about the owner. Have they recently been searching for medical products? Have they been visiting job search or infidelity websites? Have they input addresses, text messages, emails, or comments in web forums that could be sensitive? All this information is prospectively available.

Device storage is typically what people worry about when thinking of mobile security. Specifically, they establish passwords for their mobiles so that if the devices are lost then whoever finds the phone cannot immediately access its full contents. While physical access protection is important – and something that was specifically noted in the federal privacy commissioner’s recent survey – it is a very small part of a much larger device security and privacy framework. Simply setting a password protects you against the most obvious, if not the most common, sources of data appropriations, privacy infringements and security breaches.

Reporting on Perception-Based Studies

The purpose of walking through these security and privacy vulnerabilities isn’t intended to drive people away from smartphones or any other computing device. Rather, it is meant to underscore the current technical reality of owning and using the devices. Few people, even those who are technically savvy (myself included!), can limit the sharing of information if they are using certain smartphones. Privacy settings are not intended to maximize customer privacy but to facilitate perceptions that companies are meeting consumer privacy concerns. That these same companies enable the dissemination of personal information to third-parties, often without consumers learning about the dissemination or purposes of data collection, indicate the importance that Apple et al places on consumer privacy. Even for the interested consumer, many apps lack a privacy policy and neither Apple nor Google require developers to create or make available such policies. Indeed, to ‘simply’ access Apple’s own privacy policy from their iDevice consumers must do the following:

Select ‘Settings’
Select ‘General’
Select ‘About’
Select Legal
Press screen until copy option is available and copy the URL to the privacy policy
Click the ‘Home’ button
Open Mobile Safari
Select Address Bar and paste URL
Select ‘Go’

Given the reality that customers cannot secure their personal information, or effectively even be aware of when or where it is flowing, headlines concerning the Privacy Commissioner of Canada’ recent survey can be both misleading and harmful. CBC led their coverage of the report with an article entitled “Canadians lax about cellphone security“ and the Vancouver Sun with “Do a better job protecting mobile privacy, Canadians told.” The articles pick up on the fact that a minority of Canadians establish locking passwords or modify their privacy/sharing settings on their mobile devices. The actual study notes that those who store personal information on the devices are more likely to install a password (52% versus 33%) as are those who install applications beyond those installed on the phone by default (68% versus 27%). The report also notes that almost 60% of the people with GPS-enabled phones don’t actually have the GPS enabled. The majority is somewhat concerned about privacy issues stemming from location information but the survey fails to inquire whether their GPS-enabled devices are smartphones that can (and do) leak and collect location information based on other data sources.

While it is admirable that many people claim to modify their mobile device settings to limit data disclosure, such modifications have varying degrees of effect. In the case of an iPhone, key bits of data are being collected by third-parties without customers having any option to prevent the collection and subsequent dissemination of personal information. The iOS API itself permits for accessing the address book, and similar public calls can discretely be made to the wifi location system and the keyboard cache. The nature of iDevices make these actions possible. Thus, even if an iPhone user has a password their data is insecure from the companies invited onto the device. Further, establishing a password is insufficient to secure a mobile device: did the users of iDevices use more than the 4-digital password, which is required to initiate the full range of iDevice encryption? What did users of older devices, which no longer receive security updates, do with their devices? Use them? If so, did these same users identify themselves as taking actions to secure their privacy and believe it was effective?

The problem with the study, and with the subsequent headlines, is that it fails to adequately identify who an data thief might be and suggests that owners can genuinely protect their privacy if using their devices. Generally, individuals will assume that it’s a bad third-party, not Apple or their favourite video game manufacturer, who is going to abscond with their personal information and that of their family, friends, and business contacts. When the hostile party is the operating system itself consumers can only save themselves by refusing to purchase or use the device, or by relying on government regulators to prevent the harm and force manufactures to sell devices that comply with Canadian law.

Undermining the Economic of Ignorance

The problem with studies like the Privacy Commissioner’s – if only for how the media will report on them – is that consumers come to believe that they are primarily responsible for security failures. This offloads a considerable amount of responsibility from government officers to a relatively impotent citizenry. Further, the survey offers a sense that device owners can take actions to significantly limit the primary vectors of information leakage. While they have some control over a few vectors they rarely have control of the primary means of information collection and dissemination.

There is a high level of friction when a customer must disable systems-level processes to use an application without disclosing location information. Performing such actions add considerable delays in accessing features of the phone and, as a result, most consumers simply will not disable location awareness on a regular basis. This is a behaviour we will see even if the device owners are uncomfortable with persistent disclosures. Such high levels of friction also indicate near-absolute absences of any genuine privacy-by-design features. Privacy-by-design does not simply mean that citizens can proactively protect their privacy but that user interfaces are configured to best let citizens control how and when they disclose personal information. Not only is it incredibly hard to limit the sharing of personal information using the devices’ options (varying UIs in the same operating system, single opt-in options, having to burrow through layers of settings to opt-out of features that can negatively impact the rest of the device’s operation, etc) but in many cases the dissemination of personal information cannot be blocked, no notice is given of disseminations, and data cannot be subsequently deleted from third-parties’ repositories. For many smart phones, APIs should stand for ‘Advanced Privacy Intrusions’ instead of ‘Application Programming Interfaces’.

Unwanted collection and dissemination of personal information, to say nothing of the lack of notice or inability to delete disseminated data, exploits users’ ignorance and impotence for economic gain. The smartphone ecosystem is substantially predicated on an economics of ignorance which, if unveiled and addressed by parties with significant direct market power, is reversible.

To be forthright: companies do not collect large sums of data and pay to store it in their databases for no reason. Corporations are not in the habit of intentionally increasing the costs of doing business without some profit-based rationale. After selling an app of $0.99 or less no company is interested in then developing an ever-larger server infrastructure to store collected personal information without anticipating a return on their investment. The issue, however, is that many apps lack discernible privacy policies and users – especially those in curated gardens – may ‘trust’ the applications they install on the basis that a ‘knowledgable’ party is believed to have rooted out bad or malicious applications. While this may be true in some cases, Apple’s integration of surreptitious data expropriation without consumer consent into their API clearly reveals that the gatekeepers who directly profit from application sales cannot be trusted. We cannot trust the fox to protect the henhouse from the other foxes!

Popular consumer surveys can be valuable. They are noticeably less helpful when delving deeper and deeper into technical matters, of which few members of the public should be expected to know much about. Consumers may be cognizant of superficial ways to protect their personal information on their devices. Those same knowledgable consumers are far less likely to know about the deeper vulnerabilities and intentionally designed weaknesses that pervade mobile devices. Consequently, privacy commissioners and government regulators more generally should take long, hard looks at how mobile operating systems are designed. They should ensure that the systems – and by extension the information environments they spawn – comply with Canadian law.

Commissioners should focus on the source of the worst privacy concerns which, in the case of smartphones, arguably originate in the design of operating system APIs that exploit citizens’ ignorance of how and when data is migrated off of their smartphones. While there is some value in evaluating how often people modify their sharing options on mobile phones it is as important to know why they don’t modify these settings - are they using devices where they don’t know how to do so, or find it tiresome to manage their privacy? If yes to either of the latter, then there has been a serious failure in designing the operating system’s graphic user interface. In the case of Apple and Microsoft, both of whom have almost entirely locked down basic facets of their operating system while investing heavily in designing their mobile environments, these are intentional (if correctable) errors.

If operating system manufacturers will not restrict indiscriminate and non-consensual sharing of personal information on their own then the Canadian government should step in. Government, using its regulatory powers, can resolve market imbalances by investing in the research to identify market problems and subsequently correcting information asymmetries that disrupt market processes and that infringe upon Canadian law. Such corrections might entail issuing fines on a per-device sold basis, publicly naming and shaming offending companies, or ever using federal dollars to deliver public warning announcements about the harms associated with specific smartphone operating systems.

Regardless of the solution, it should be significant enough to either rebalance the information assymetry between consumers and device manufacturers or disrupt the profitability of exploiting ignorance to extract personal information from mobile devices. Ultimately, commissioners and regulators must demand that device manufacturers either provide APIs that comply with Canadian law or change existing APIs in the face of prevalent privacy issues. Where neither of these conditions are met, OS vendors should be forced to suffer significant penalties. The only way to secure devices’ security and citizens’ privacy is to erode the economics of ignorance that application vendors and device manufacturers alike depend on to cheat Canadians out of their personal information.

References

[1] C. A. Ardagna et al. (2008). “Privacy-Enhanced Location Services Information,” in A. Acquisti, S. Gritzalis, C. Lambrinoudakis, and S. De Capitani di Vimercati (eds.). Digital Privacy: Theory, Technologies, and Practices. New York: Auerbach Publications.

[2] G. Elmer. (2004). Profiling Machines: Mapping the Personal Information Economy. Cambridge, Mass.: The MIT Press.

[3] See: D. Phillips’ and M. Curry’s “Privacy and the phonetic urge: Geodemographics and the changing spatiality of local practice.”

Other posts you might be interested in:

Technology, Thoughts, and Trinkets » Christopher

(Un)Lawful Access Forum in Ottawa

Amici Curiae on IMSI Catchers

Publication: (Un)Lawful Access, Its Potentials, and its Lack of Necessity

(Un)Lawful Access: Vancouver Premiere & Panel Discussion

Event Details

SCREENING:

PANEL DISCUSSION:

REPORT LAUNCH:

Transparent Practices Don’t Stop Prejudicial Surveillance

Transparent Practices Don’t Stop Prejudicial Surveillance

Lesson Drawing from Privacy Principles and Codes

Canadian ‘Consequences’ of Rendering Surveillance Transparent

Hobbling Fungible Surveillance Technologies and Stopping Unjust Practices

References

Respecting User Privacy in WordPress

WordPress and Quantcast

Automattic’s Privacy Policy #Fail

WP DoNotTrack to the Rescue

Recommended Books from 2011 Readings

Landau’s Surveillance or Security?

Levmore and Nussbaum’s (Eds.) The Offensive Internet

Morozov’s The Internet Delusion

Farivar’s The Internet of Elsewhere

Berners-Lee’s Weaving the Web

Birkland’s After Disaster

Abbate’s Inventing the Internet

Turkle’s Alone Together

Aldrich’s GCHQ

The Anatomy of Lawful Access Phone Records

Phonebook Records, Today

Phonebook Records, Tomorrow

Aggregating Records for Citizen Transparency

Lawful Access, Its Potentials, and Its Lack of Necessity

What is Lawful Access?

Lawful Access, In Summary

Lawful Access in Practice

The Need for Lawful Access

Mobile Security and the Economics of Ignorance

Location Privacy

Association Privacy

Device Storage Privacy

Reporting on Perception-Based Studies

Undermining the Economic of Ignorance

References