Cover of the 2011 Winston Report (Winter)

Last year I was approached by the founder and editor in chief of The Winston Report to update and publish one of my postings on Canada’s forthcoming lawful access legislation. The Report is the quarterly journal of the Canadian Association of Professional Access and Privacy Administrators (CAPAPA). The updated piece that I contributed is more compact than what I originally wrote on this site, though I think that this makes it a stronger, more direct piece. I want to publicly thank Sharon Polsky for the opportunity that she provided to me, and for being so kind as to position my piece as the lead featured article in the Winter edition of the journal. I also want to thank my tireless editor, Joyce Parsons, for her incredible work strengthening my prose. A preprint version of my contribution, which retained a creative-commons license as part of my agreement with the editor in chief, is made available to you below under the normal Creative Commons Attribution, Noncommercial 2.5 Canada license.

Download pre-print .pdf version of (Un)Lawful Access:  Its Potentials, and its Lack of Necessity.

Other posts you might be interested in:

1. Lawful Access, Its Potentials, and Its Lack of Necessity
2. The Anatomy of Lawful Access Phone Records
3. (Un)Lawful Access: Vancouver Premiere & Panel Discussion

Photo by mjecker

Canadian advocates, government officials, and scholars are all concerned about the forthcoming lawful access legislation. A key shared concern is that authorities could, under the legislation, access telecommunications subscription records without court oversight. Moreover, as a condition of accessing these records businesses might be served with gag orders. Such orders would prevent Canadians from ever knowing (outside of court!) that the government had collected large swathes of information about them. In response to concerns aired in public, the Public Safety Minister has insisted that the legislation would merely let police access “phone book” information from telecommunications providers.

I maintain that such assertions obfuscate the sheer amount of information contained in the records that authorities would collect. The aim of this post is to make clear just how much information is contained in a single lawful access “phone record”, demonstrating that the government is seeking information that grossly exceeds what is contained in the white or yellow pages today. As a result, I first provide an example phone record that resembles those in every phonebook in Canada and then offer an example of a lawful access record. Remember that such requests may be filed to multiple service providers (e.g. Internet service provider, web forum hosts, blogs, mobile phone companies, etc) and thus a swathe of records can be combined to generate a comprehensive picture of any particular individual. By the conclusion of the post it should be evident that information provided under lawful access powers is more expansive than the phone records government ministers allude to and lay bare those ministers’ technical obfuscations.

Phonebook Records, Today

In his response to the Information and Privacy Commissioner of Ontario, Vic Toews (Public Safety Minister) insisted that police would simply have access to “phone book” information under the forthcoming lawful access legislation. He asserted that, “Our proposed approach of linking an internet address to subscriber information is on par with the phone book linking phone numbers to an address.” While government officials insist Toews’ response obfuscates just how expansive lawful access records are from traditional phone records, it is arguably challenging for the lay public to grasp the amount of information contained in the proposed subscriber record fields. So, let’s consider the differences between a phone book record accessible in your home, today, using a phone book and “phone book” data the federal government wants to make available to authorities without a warrant. The following resembles a phone record reminiscent of one in a phone book today:

John Smith, 456 Westminister Ave . . . . . . (636)-421-6124

This record contains the listed name of an individual, the address associated with the phone number,  and the area and local code for the telephone service. Not all individuals provide full details in the phone books that are distributed each year. Some individuals have their addresses removed or substitute their full names with their initials. Such modifications are often the result of people feeling uncomfortable with fully disclosing their address, phone number, and name in one publicly accessible location. Using this information you can (potentially) learn where the individual associated with a phone number lives, but you do not necessarily discover the names of particular individuals living in the home, number of people in the home, and so forth. Thus, where multiple people share a single phone and address the subscriber record may be somewhat nebulous; while it should identify an individual at the address it is questionable whether that particular individual interests the authorities.

Phonebook Records, Tomorrow

The ‘phone records’ that Minister Toews is talking about are quite a bit larger, and far more descriptive, than those found in the local yellow or white pages. As I’ve depicted them, one line grows to six, and three data items explode to eleven descriptively rich fields. The expanded list will be available as phone records to authorities but not to individuals. This stands as a clear distinction between a phone record that individuals think of in phonebooks and the record that authorities will have access under lawful access legislation. An updated record might appear as follows:

John Smith, 456 Westminister Ave . . . . . . (636)-421-6124
jsmith@example.com . . . . . . . . . . . . I.P., 10.0.0.100
MIN, 250-5211-0091 . . .  . . . . . . SPID, 636-421-6124-00
ENS . . . . . . . . 1000 0010 0001 1010 0000 0101 0110 1111
IMEI, 35-209900-176148-23 . . . . . IMSI, 310-150-564857956
SIM . . . . . .. . . . . . . . . . . 894411 0112 12333344 4

Most of what is contained in these eleven fields will be foreign to the average user. In light of this, let’s turn to unpack the new record in a line-by-line format.

The first line is identical to your typical phone book record. Note that the phone number here would be a permanent number, such as the number to call if the mobile number identified in line three is inoperable. Obviously there may be instances where there isn’t a distinction between the phone numbers in those lines if the mobile subscriber either lacks a landline or alternate mobile phone. Further, where the telecommunications service provider, such as a web forum, only has a single phone number then a mobile number might be situated on this line.

Line two offers the email address and Internet Protocol address of the subscriber in question. Email addresses will be tied to particular accounts; you may have one email address for a web forum, another for purchases online, and yet another for personal correspondence from your Internet service provider. While a singular email address is given here, this is representative of a single subscriber record from a single telecommunications service provider. It is likely that different emails (and, thus, different ‘phone records’) are kept by each of the service providers you engage with on a daily basis. The Internet Protocol address is assigned to you by your Internet service provider and is an essential element to accessing the Internet itself. IP addresses identify where data originates from and should be sent towards. Your IP address is likely either dynamic (changes with some degree of frequency) or static (permanently assigned to your modem). Regardless, using an IP address authorities could identify your Internet service provider and, from there, demand that the Internet provider disclose which subscriber was assigned the IP address at some particular time. Given that many IP addresses are dynamic it is possible that different telecommunications service providers will have different addresses attached to your record instead of the singular address offered in the example line two.

The third line contains the Mobile Identification Number (MIN) and Service Provider Identifier (SPIN). This line is needed for subscriber records associated with mobile phone/device usage. The MIN uniquely identifies a mobile device on a mobile provider’s wireless network and can be used to dial to and from the device. While the record that I provide is accessible to the human eye, MINs are typically kept in a database in two components. The area code is often stored in a 10 bit MIN2 section and the local portion in a 24 bit MIN1 section. (See UK ESN/MIN Grabbing for more information on how these two sections are divided.) Unlike other serials and codes, which are engrained into the hardware of a device, a MIN is stored in a mobile providers’ database and can be changed. A SPIN is a unique number assigned to service providers so that telecommunications switch owners and service providers can enter financial relationships for the purposes of carrying traffic. The number identifies the company that ‘owns’ the account associated with the traffic. Thus, even when calling using a Rogers mobile phone on the AT&T network, the SPIN will help to ascertain that Rogers (and, ultimately, the account owner) is responsible for paying for using the AT&T network.

The fourth line holds the Electronic Serial Number (ESN), a number that is encoded into each mobile device as a 32-binary bit number. It is embedded into the device by the manufacturer and thus is not assigned by a mobile telephony/Internet company from whom a device is purchased. The ESN is often checked against the MIN to prevent fraud. Specifically, while an individual could try and have their MIN changed to try and receive free services, by correlating the MIN and ESN in the providers’ database the likelihood of successfully conducting fraudulent activities are diminished. Moreover, with the ESN it is possible to ascertain whether the same phone is being used across a set of wireless carriers’ networks.

The fifth line contains the International Mobile Equipment Identification (IMEI) and International Mobile Subscriber Identification (IMSI) numbers. These numbers are tied to mobile devices (e.g. phones, 3G-capable tablets). The following information can be derived from the IMEI number used in the example above, “35-209900-176148-23″: that the number was issued by the British Approvals Board for Telecommunications (“35″) and given allocation code “2099″. The “00″ reveals the period of time when the device was manufactured, “176148″ reveals the serial number issued to the model of device, and the “23″ reveals the version of software installed on the phone. The IMSI identifies the mobile country code (“310), mobile network code (“150″), and mobile subscription identification number (“564857956″). “310″ is the number associated with America, and “150″ with AT&T. As a result, with the IMEI and IMSI numbers you can ascertain when the device was made, serial of the device, version of its software, nation of usage-origin, carrier-of-origin, and the subscriber code of the carrier associated with the device.

Line six has the Subscriber Identification Module (SIM) number. This number, “894411 0112 12333344 4″ in our example, is broken into subcomponents to identify different bits of information. The first two digits (“89″) are associated with the telecom operators identifier. “44″ refers to the country code and “11″ to the network code the module is associated with. The next four digits (“0112″) indicate the month and year of the SIM’s manufacture and following two numbers (“12″) of the switch’s configuration code. The next six numbers disclose the SIM number itself and the last holds the digit to confirm the validity of the SIM serial itself.

Perhaps it needn’t be stated, but as should be clear there is a significant difference between a “phone record” in a phonebook and a “phone record” under the Canadian government’s proposed lawful access legislation. A phone number and address does not reveal the manufacturer of a mobile device, when it was made, when elements of the phone were provisioned, the provider of the telephone services, and so forth. Instead, the lawful access record affords a trove of data that is far in excess of what a citizen would find when they looked up a name, address, or phone number in the hardcopy phonebook that is delivered to their door each year.

Aggregating Records for Citizen Transparency

Not all telecommunications service providers could make available a full post-lawful access legislation “phone record.” However, once authorities have a single piece of information they can then move to other service providers to develop a full record, one that could subsequently be used to map a person’s presence on the Internet, their habits, and their activities. Using open source intelligence, the email address can be employed to determine what other services are attached to that email address, and using the IP address authorities can determine where a person is accessing the Internet from (i.e. was the IP address leased to a cafe? to a home? to a business? to a mobile network?) and the billing records associated with that IP address. If browsing from Starbucks, the cafe might be able to turn over a log of users who used their wireless network during the time authorities are interested. If browsing from home, or your own mobile device, then the subscriber records associated with that billing address might be available. And, if browsing from a friend’s phone or computer, then their information might be given to police regardless of your friend’s interest to the police.

Remembering back to the discussion of traditional phone records, it is possible that multiple people share the same account and thus what turns up in the phonebook remains somewhat ambiguous. This may remain so when dealing with communal Internet connections but is far less true when dealing with mobile devices. Phones have, for many people, become fetishes that are carried on one’s person and jealously protected from third-party intrusion. Thus, the ability to ascertain who owns, and is using, a particular mobile device is far less ambiguous than who subscribes to, and uses, a landline phone. Using contemporary policing technologies such as IMSI catchers, authorities can de-anonymize a crowd by catching the IMSI associated with each phone and immediately requesting subscriber data from mobile phone providers. While it may not be legal for authorities to engage in ruses to compel individuals to identify themselves when those individuals have done nothing wrong, with IMSI catchers no ruse is needed for the identification process to occur. The term “papers please” is a distinctly analogue notion, one that can be abandoned by authorities in possession of IMSI catchers and lawful access powers.

Surveillance is being automated, and vendors are accelerating the rates that records can be collected and analysed to meet the needs and expectations of the multibillion dollar surveillance complex that has significantly grown post-9/11. Developers are not about to slow the rate of their surveillance innovations in the face of regulation that permits more expansive surveillance, records collection, and correlation of online actions with those records. Technology, however, does not determine the course of society: technology and society are mutually entwined, with each influencing the other. While surveillance architectures are being developed, if their uses are either illegal or are accompanied by high administrative or financial burdens then the architecture can lay substantively dormant save for in truly exceptional times associated with incredibly significant events. Legal friction can encourage such high costs by outlawing particular ways of collecting subscriber information and requiring administrative burdens (e.g. the warranting process) to force authorities to intentionally assign resources to access subscriber records. Reducing legal and administrative frictions in an era where technical frictions are quickly becoming a thing of the past is a recipe for expanded government surveillance. Such surveillance can detrimentally affect individuals by chilling speech and association, harm businesses by increasing the costs of complying with regulation, and force citizens to pay for their own surveillance in increased service costs and by way of their charter rights. We must avoid such harms and, as such, retain administrative and legal frictions to ensure that strong oversight bodies exist and that appropriate frictions accompany novel policing and intelligence powers.

No related posts.

Image by mattwi1s0n

New surveillance powers are typically framed using benevolent and/or patriotic languages. In the United States, we see the PATRIOT Act, the Stored Communications Act, and National Security Letters. Powers associated with this surveillance assemblage have been abused and people have been spied upon in violation of the law, bureaucratic procedure, and regardless of demonstrating real and present dangers. The UK has the Regulation of Investigatory Powers Act (RIPA), which significantly expanded the capabilities of police and intelligence to monitor citizens in previously illegal ways. This legislation is also used improperly, as revealed in the yearly reports from the Interception Commissioner. In Canada, the Canadian government has publicly stated its intention to press ahead and introduce its lawful access legislation despite concerns raised by the public, members of the advocacy and academic community, and the information and privacy commissioners of Canada. Here, we can also expect uses of lawful access powers to overstep stated intents and infringe on Canadians’ rights, intrude upon their privacy, and injure their dignity.

Over the past months I’ve been actively involved in working with, and talking to, other parties about lawful access legislation. This has included speaking with members of the media, publishing an op-ed, and conducting various private discussions with stakeholders around Canada who are concerned about what this legislation may (and may not) mean. Today, in the interests of making public some of the topics of these discussions, I want to address a few things. First, I quickly summarize key elements of the lawful access legislation. Next, I note some of the potentials for how lawful access powers will likely be used. None of the potentials that I identify depend on ‘next generation’ technologies or data management/mining procedures: only technologies that exist and are in operation today are used as mini-cases. None of the cases that I outline offer significant insight into the operational working of stakeholders I’ve spoken with that can’t be reproduced from public research and records. I conclude by questioning the actual need for the expanded powers.

What is Lawful Access?

Lawful access legislation enhances policing and intelligence powers. As recognized by Ontario’s Information and Privacy Commissioner, Ann Cavoukian, “it is highly misleading to call it “lawful.” Let’s call it what it is – a system of expanded surveillance.” In general, there are three classes of access powers associated with such legislation: search and seizure provisions, interception of privacy communications powers, and production of subscriber data. On the basis of past lawful access legislation that has been tabled, but not passed, we can expect forthcoming legislation to ‘modernize’ the existing criminal code to accommodate several of these powers.

To begin, the legislation is expected to require telecommunications service providers (such as Internet service providers, web forums, bloggers, etc) to be able to decrypt any communications they are responsible for encrypting. Such encryption services might be used to ensure customer privacy, such as by offering secured communications between parties. While communications may generally be secure they cannot legally be made secure from the government by a service provider offering a turnkey encryption solution. In effect, communications will thus be pseudoencrypted: protected against adversaries with the same level of power as the services’ users, but unprotected against the more powerful agents such as the state.

In addition, telecommunications service providers (TSPs) will need the ability to retain data on subscribers for up to 90 days. TSPs may be served with preservation orders, which would require them to retain data on specific individuals. Preserved data would be transferred to authorities once they have secured a production order from a judge and issued the order to the TSP. The TSP could then delete/destroy the preserved data.

Whereas preservation orders are used to require storage of the content of communications, police can access subscriber information without first receiving a court order. A wide variety of information may be disclosed, including:

• name
• address
• telephone number
• electronic mail address
• Internet protocol address
• mobile identification number
• electronic serial number
• local service provider identifier
• international mobile equipment identity number
• international mobile subscriber identity number
• subscribe identity module card number associated with the subscribers’ service and equipment

This information lets authorities definitely identify individuals and the records held on them by the TSPs used in the communications process. Accompanying the no-warrant-required elements of the bills is a capacity for authorities to install ‘number recorders’ in TSPs’ communications hubs in exigent circumstances. As noted by the National Post’s Kathryn Blaze Carlson:

A number recorder, which records the telephone numbers associated with outgoing and incoming calls, would be installed remotely by a telecommunications provider at their call centre hub. The installation can last up to 60 days, but it could be extended to one year if a warrant is obtained and if the investigation involves organized crime or terrorism.

The legislation also introduces the ability to activate and/or monitor the signals emitted from location-enabled devices that Canadians carry with them or are in regular contact with. Police can do this today but lawful access legislation would permit them to activate disabled locational systems (e.g. your phone’s GPS) including in covert ways. Such actions could be undertaken with court supervision or, potentially, in instances of emergency or exigent circumstances. It should be noted that access to geolocatational information is more expansive than just your physical location at a particular time: the legislation is also intended to let authorities discover the location of ”transactions such as geo‐tagged comments or photos from private sector service providers.” (.pdf source).

It is unlikely that a targeted Canadian will be made aware of lawful access-enabled surveillance unless charges are brought to bear. As noted in the letter that was sent to the Prime Minister’s Office in August 2011 (.pdf), and re-confirmed in Blaze’s piece, there are elements of the legislation that impose ‘gag’ orders on anyone who is ordered to comply with lawful access powers. Specifically,

Clause 6(2) permits the government to impose, in regulations, sweeping and categorical confidentiality obligations on service providers that will apply across all interception warrants. Second, under Clause 71, any telecommunications service provider obligated to comply with a warrantless seizure request will be subject to the secrecy provisions in proposed section 7.4 of PIPEDA. Proposed section 7.4 of PIPEDA prevents organizations from disclosing the fact of their cooperation with state efforts to spy on their customers. The sweeping nature of the secrecy measures envisioned by these provisions is in stark contrast to existing practice, where gag orders must be requested from a judge and justified on a case by case basis. The problem with such measures is that they will prevent individuals from challenging abuses of the powers granted in this Bill.

Lawful Access, In Summary

As I wrote in an op-ed in the Vancouver Sun in October, this legislation can be summarized as requiring:

• Corporate surveillance. Internet service providers, mobile phone providers, and even the websites that Canadians visit could become agents of the state, forced to preserve records of Canadians’ actions at the request of authorities (Source);
• Minimal oversight. Audit powers will be offloaded to privacy commissioners without corresponding material or legislative resources to effectively conduct audits and limit abuse (Source);
• Warrantless disclosures. Internet users’ subscriber information will be disclosed to authorities, regardless of the information’s usefulness or uselessness to an investigation (Source);
• Secrecy orders. Authorities might collect Canadians’ private information without those Canadians ever knowing about the collection or the reasons for collecting it (.pdf Source).

Lawful Access in Practice

A large number of Canadians who look at these proposals may feel some unease but then quickly assert that the legislation is ultimately innocuous. The standard rhetoric is that “If you have nothing to hide then you shouldn’t fear this legislation.” Such a statement obfuscates the realities of both contemporary policing and what studies demonstrate about how people actually versus rhetorically understand privacy. To begin, contemporary policing is deeply invested in identifying deviant behaviour and acting upon it in an ‘actuarial’ manner. David Lyon, a world-leading scholar on the topic and issue of surveillance, presciently wrote the following back in 2003:

As with database marketing, the policing systems are symptomatic of broader trends. In this case the trend is towards attempted prediction and pre-emption of behaviours, and of a shift to what is called “actuarial justice” in which communications of knowledge about probabilities plays a greatly increased role in assessments of risk (Lyon 2003: 15-16).

Thus, mistakenly being situated in a wrong category can have significant implications on one’s life regardless of whether a person has ‘something to hide’ or not. The degree to which one is public is (arguably) secondary to the ‘types’ of people one knowingly and unknowingly associates with, whom their associates are connected to, and the risk profiles that are assigned to those communicative partners and their colleagues. To make this somewhat clearer, consider the following: In college/university/your private life you likely communicate with individuals who have, or presently do, agitate peacefully against certain state behaviours. You may or may not be aware that those individuals agitate. Perhaps you have/do engage in discussions with those people online, either on websites that those opposed to certain state behaviours, or in the comments section of newspaper articles, or other electronic formats. Should the police be interested in tracking the individuals invested in an issue (e.g. legalization of marijuana, legal issues surrounding sex work in Canada, protest against federal decisions concerning Sri Lanken immigrants, etc) then they may request available subscriber records for all who have participated in the online discussion.

Now, let’s again assume that you were not supportive of opposition to an official government position and thus aren’t necessarily of direct interest to authorities. Regardless, your subscriber data and that of everyone else engaged in these discussions might be requested by the police. No warrant is required to provide this information. Let’s assume that you used a unique pseudonym and throwaway email address. The authorities would gain access to your IP address and email address. They would get the same information for every participant of the discussion. With this information they could turn to whomever provided the email account, as well as contact the ISP who provisioned the IP address at the specific time that you posted your message. With information from the email provider they may be able to definitely identify the ISP that you use and, from there, your name, address, and so forth. Thus, you as ‘hungrybunny19′ are identified as ‘John Smith’ who was involved in discussion with individuals who authorities are interested in monitoring for some reason or another. John Smith, you, are subsequently added into a database as associating with persons the authorities find questionable. Mr. Smith will never know that he was added into such a database because the service provide could not legally disclose that the information had been released and, as a result, Mr. Smith’s life prospects may change for legally associating and speaking with those who were similarly engaged in legal speech and association.

Perhaps you insist that this doesn’t describe you: you would never communicate about anything in any electronic environment with any person that would ever be of interest to authorities (and, if you can make and stand by these claims, you’re vetting the people that you speak with using intelligence-service-level thoroughness!). Perhaps you have a cellular phone and you have passed near major events that the police have an interest in monitoring. For example: you may have been involved in peacefully assembling during the G20 in Toronto, been a passive spectator at the Vancouver riots, visited an Occupy camp, or may simply pass by union members who are protesting working conditions in a public space several times a day as you walk around your city conducting legitimate personal business. In all cases, the authorities may have an interest in monitoring individuals associated with such groups. Using a technology known in the United States as ‘Stingray’ or, more precisely, IMSI catcher surveillance equipment, police can impersonate a cellular tower and capture all the IMSI numbers within several kilometers of the catcher (.pdf source). The IMSIs, or International Mobile Subscriber Identity numbers, can be taken to a mobile phone provider and used to compel the subscriber data associated with the caught IMSI numbers. Thus, should one of these catchers be deployed by authorities ‘just in case’ an individual may find their personal information sent along to police on the basis of their physical presence during a legal public event. The capacity to acquire IMSI numbers en masse, combined with legal powers to compel subscriber information, creates the perfect framework for mass fishing expeditions based on where citizens are physically present.

Canadians may be uncomfortable with these propositions but immediately follow up with the position that such concerns are hyperbolic. Unfortunately, a brief reflection on the history of surveillance in Canada and present actions taken by our allies (depressingly) suggests that these concerns are practically banal. During the Vancouver Olympics authorities spent incredulous amounts of money on security, an element of which was allocated towards monitoring legal associations of citizens. As disclosed in memos there were no specific, credible, terror threats against the Vancouver Olympics. Despite these threat assessments, citizens who had specific political and economic concerns were routinely placed under surveillance. In effect, citizens conducting legal actions that might lead to disruptions of the games became targets of a surveillance apparatus designed to prevent the next Munich massacre. Surveillance and intelligence gathering did not solely focus on citizens involved in protesting government actions or others associated with the Olympics, but also their contacts, friends, students, former partners, and academic and professional acquaintances. Efforts were also made to recruit neighbours, friends, and acquaintances to spy on suspected activists, and the RCMP tried to legally shield itself from fulfilling FOI requests under the guise of operational security. Under lawful access legislation, the lines of inquiry could expand beyond police associations of people online – the aforementioned people communicating in Web forums – to using technologies like IMSI catchers to identify who is often nearby citizens-under-suspicion. Having coffee with a work friend who advocates for social justice on the weekends could lead to unsuspecting, and utterly uninvolved, citizens being stuck in the same net as their law-abiding colleagues who are caught in the web of actuarial justice.

Further, Canadian authorities have a history of monitoring those who are often the least-advantaged in our society. Consider that Military Intelligence places native communities under intense surveillance. As reported in the Globe and Mail, eight reports were generated in just 18 months. Surveillance was conducted to record Natives’ concerns surrounding new tax policies, potential to blockade Highway 401, and possible future protests, lobbying activities, and lawful associations. The group responsible for this surveillance was a counter-intelligence body charged with “identifying, investigating and countering threats to the security of the Canadian Forces and the Department of National Defence from foreign intelligence services, or from individuals/groups engaged of espionage, sabotage, subversion, terrorism, extremism or criminal activities.” At no point in the reports is it evident that native groups fell under the latter set of descriptors. With the introduction of lawful access legislation other authorities could have become involved in the surveillance and compelled telecommunications providers to disclose the contents of communications. Further, using previously mentioned tactics embedded in the legislation, subscriber information and who was communicating with who could have been determined without warrant or court oversight.

In short, it is entirely plausible that lawful access could be utilized to expand existing surveillance practices conducted by Canadian authorities. There are serious oversight concerns. Specifically, the Office of the Privacy Commissioner of Canada would be hamstrung in auditing the surveillance conducted and its motivations, and the legislation fails to extend the powers of that Office to accommodate the expansion of police powers. Further, where local or provincial police conduct surveillance, audit responsibilities would fall to provincial commissioners and they similarly lack the resources to mount full-scale audits of authorities’ proposed expansive surveillance practices. This position is forcefully stated the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian. She poignantly writes that,

Canadians must press the federal government to publicly commit to enacting much-needed oversight legislation in tandem with any expansive surveillance measures. Intrusive proposals require, at the very least, matching legislative safeguards. The courts, affected individuals, future Parliaments and the public must be well informed about the scope, effectiveness and damaging negative effects of such intrusive powers.

The Need for Lawful Access

Over the past months I’ve had the opportunity to speak with counsellors, engineers, privacy officers, and policy staff for telecommunications service providers. This has ranged the gamut from ISPs to an ex-VoIP provider employee to webmasters responsible for large online environments to policy wonks for massive Internet-based corporations. The various parties I’ve spoken with have held varying opinions on the previously proposed lawful access legislation; everything from cost issues, to rights problems, to implementation woes, to issues of being identified as a ‘problem’ in the policing process.

All, however, have told me in almost every case that data is requested on exigent circumstances grounds it is, in fact, disclosed.

What, specifically, is the need driving the legislation then? Authorities have routinely insisted that lawful access powers would only be used when investigating the most serious of crimes (e.g. see this audio interview with the CBC’s ‘Spark’) but in other jurisdictions we regularly have seen expanded surveillance used to investigate less serious offences. For extensive documentation of such ‘expanded uses’, see Priest’s and Arkin’s Top Secret America: The Rise of the New American Surveillance State, allegations that the FBI conducted dragnet surveillance to trace bank robbers, claims that routine conversations lead individuals to be labeled as potential terrorists in government databases, inappropriate monitoring of hundreds of people each year, yearly monitoring of over 500,000 people’s communications records, or the usage of terror-based surveillance provisions to ensure children are registered in correct school districts. I cannot state emphatically enough: this is a very small sampling of how widely used lawful-access style legislation is used by our closest of close economic, political, and military allies. There is no reason that Canadian authorities won’t demonstrate the same types of behaviour.

British Columbia’s Information and Privacy Commissioner, Elizabeth Denham, has asserted that authorities have not demonstrated evidence that investigations have been thwarted under existing access powers. Authorities have failed to provide empirical data that reveal a clear and present need for enhanced powers contained in past, or forthcoming, lawful access legislation. Authorities have noted concerns with warranting processes and if these concerns are legitimate (insofar as they can be documented using empirical datasets) then perhaps Parliament should consider modifying the warranting process or increase resources so that warrants can be processed more rapidly. If, however, authorities are simply looking abroad and finding their power lacking in comparison – and cannot clearly outline why they need their compatriots’ powers to protect us from truly serious crimes – then they should not be granted expanded powers. Police and other authorities should not be permitted to infringe upon Canadians’ rights and further erode expectations of communicative privacy, associative privacy, or basic dignities on the basis of cross-jurisdictional envy.

Other posts you might be interested in:

1. Publication: (Un)Lawful Access, Its Potentials, and its Lack of Necessity
2. (Un)Lawful Access Forum in Ottawa
3. The Anatomy of Lawful Access Phone Records

Photo by Jenissee Volpintesta

There are ongoing concerns in Canada about the CRTC’s capacity to gauge and evaluate the quality of Internet service that Canadians receive. This was most recently brought to the fore when the CRTC announced that Canada ranked second to Japan in broadband access speeds. Such a stance is PR spin and, as noted by Peter Nowak, “[o]nly in the halcyon world of the CRTC, where the sky is purple and pigs can fly, could that claim possibly be true.” This head-in-the-sands approach to understanding the Canadian broadband environment, unfortunately, is similarly reflective in the lack of a federal digital strategy and absolutely inadequate funding for even the most basic governmental cyber-security.

To return the CRTC from the halcyon world it is presently stuck within, and establish firm empirical data to guide a digital economic strategy, the Government of Canada should establish a framework to audit ISPs’ infrastructure and network practices. Ideally this would result in an independent body that could examine the quality and speed of broadband throughout Canada. Their methodology and results would be publicly published and could assure all parties – businesses, citizens, and consumers – that they could trust or rely upon ISPs’ infrastructure. Importantly, having an independent body research and publish data concerning Canadian broadband would relieve companies and consumers from having to assume this role, freeing them to use the Internet for productive (rather than watchdog-related) purposes.

Do Businesses Need Broadband Reassurances?

In a word: yes.

In 2009 the CRTC released a traffic management decision that clarified how, when, and why ISPs in Canada could impede data traffic. In their decision, the CRTC made it clear that when ISPs impede data traffic for network management purposes, the following conditions must first be met:

• demonstrate that the management is designed to address a need and achieve the purpose and effect in question, and nothing else;
• establish that the management practice results in discrimination or preferential treatments as little as reasonably possible;
• demonstrate that any harm to a secondary ISP, end-user, or any other person is as little as reasonably possible; and
• explain why, in the case of a technical management techniques, network investment or economic approaches alone would not reasonably address the need and effectively achieve the same purpose as the technical management techniques.

As part of the decision individuals, rather than the CRTC itself, are responsible for bringing complaints about inappropriate uses of technical systems to impede data transmissions. The onus is on consumers to identify discriminatory behaviours, but from their position as client of a network they are ill-positioned for detailed network analysis. Clients lack access to information about how specific nodes or elements of the network are configured or provisioned, whether an ISP is testing a new rule set, or if something beyond the ISP’s power is responsible for seeming discriminations of traffic. As a result, asking clients to hunt for network discrimination, and positively ascribe the behaviour to the ISP, bears close resemblance to blind men feeling an elephant and trying to determine what they are touching.

It would appear, however, that if enough people feel the telecom elephant they will start to detect service irregularities. Over the past year academics, journalists, and members of the public have questioned the effectiveness of the CRTC’s enforcement of their traffic management decision. Such questions have arisen in light of complaints concerning the throttling of particular applications’ data traffic. In December 2010 qualitative analysis of crowd sourced findings demonstrated that one ISP, Rogers Communications, had refused to correct over broad discrimination of customers’ traffic for months. To this date, Rogers has not fully corrected the problems that they themselves introduced when updating elements of their network infrastructure. Further, an access to information request that was filed by Michael Geist revealed that most of Canada’s largest ISPs have violated the CRTC’s decision. While those who have filed complaints that are technically rigorous should be congratulated, it must be recognized that consumers’ position in the networks make it hard to troubleshoot problems; delays could originate from slow web servers, poorly configured home or business routers, misconfigured routing equipment beyond the ISP’s own network, environmental conditions, or an ISP’s discriminatory routing system.[1] Given the range of possible sources of problems a well-resourced party needs to conduct audits and evaluate Canadian networks using well-tested and peer-reviewed methodologies. Further, such a party needs to be able to examine large data-sets of broadband traffic to draw conclusions concerning how the network operates in aggregate; consumers cannot conduct such wide-based analyses and so may inappropriately ascribe a local problem to a network-wide issue or vice versa.

Our Closest Allies Audit

Audits should see a government body independently gather data about ISP networks to guarantee that customers are receiving the services promised. Further, such audits should evaluate whether ISPs are complying with federal regulations. Some of our closest military and economic partners, such as the United States of America and the United Kingdom, see their telecommunications regulators evaluate mobile and wireline data networks for both speed and quality of broadband connections. The Federal Communications Commission (FCC) in the United States heavily relies on peer-reviewed tools in their data gathering as well as tests by private enterprise, carried out under The United States’ National Broadband Plan, and Ofcom in the United Kingdom has developed analysis systems in partnership with private enterprise.

In both nations, government regulators have adopted rigorous and methodologically consistent techniques to evaluate whether ISPs are meeting consumer expectations. These tools could, with slight reworking, also evaluate the impact of traffic management systems on the delivery of data to customers. Importantly, both nations’ regulators are using independent data to evaluate the claims made by the ISPs that they are responsible for overseeing. In Canada we lack such independent sources of information and are instead largely reliant upon ISPs themselves to self-disclose network information, typically in confidence to the CRTC, or upon national news organizations to conduct investigations and analyses. The non-publicity of ISPs’ own data points prevents independent validation of self-disclosed information, and without a methodologically rigorous public compilation of data there is nothing to cross-reference self-disclosed information against.

What’s Might Canadian Audits Include?

The unjustified discrimination of data traffic may not be evident to all consumers, especially when they lack the skills associated with digital literacy to even register the occurrence of bandwidth or application discrimination. Without solid training, many people resort to subjective ‘smell tests’. This approach to identifying whether discrimination is occurring does not contribute to evidence-based, empirically sound, complaints systems or policy responses. We need an objective measurement system that indicates whether content discrimination is occurring, as well as whether network performance is subpar. Thus, audits should identify, monitor, and evaluate the appropriateness of ISP traffic discrimination and actual network functionality.[2] A division of the CRTC, Measurement Canada, or perhaps even the Office of the Privacy Commissioner of Canada, might conduct such audits. The principles underwriting any audits should parallel those underscoring the recently passed Fairness at the Pumps Act.  A host of variables should be included in wireline and wireless tests, with a few including:

• Promised versus delivered speed, per day, and across different popular protocols and by geographic location;
• Jitter;
• Latency;
• Network uptime;
• Impacts of moving large volumes of data;
• Whether traffic is throttled and whether throttling accords with CRTC and corporate policy;
• Regularity of congestion on network nodes, tracked over time, and whether congestion persists after nodes have been upgraded.

Tests could include at least two data collection sources. There might be a web-based analysis, such as what is provided by Speedtest.net or other online speed evaluation services, as well as installation of either software on local computers or specialized routers capable of logging information about a customer’s broadband. Hardware analysis could mimic the approach taken by Georgia Tech and University of Napoli Federico, where firmware is made available to install on routers and other routers are distributed by request. Alternately we could adopt a hardware based approach that is used by SamKnows when they conduct tests in the United States or United Kingdom.

Audit to Encourage Trust

The Chairman of the CRTC recently stated that the CRTC’s highly technical complaints process means that customer groups, rather than customers themselves, should be responsible for filing complaints. He also asserted that the CRTC was uninterested in conducting audits in the absence of a pre-existing consumer complaint. In the absence of additional funding sources for these consumer groups it is inappropriate to expect them to establish nation-wide, technically intensive, monitoring stations. Further, even where complaints are lodged the Chairman has recognized that to effectively enforce regulations the CRTC requires the ability to levy administrative monetary penalties. The CRTC’s legitimacy is tarnished when individuals must conduct their own investigations while never expecting their investigations (no matter how well documented) to result in real disciplinary measures being meted out for bad corporate behaviour. Legitimacy could be restored by empowering the CRTC to levy fines and lifting the burden of conducting technical investigations from citizens’ shoulders.

While the CRTC does need the ability to assign penalties to encourage compliance with regulations, to determine whether penalties should be assigned we need a proactive audit approach that can evaluate the condition(s) of Canada’s digital networks. The independent body responsible for the audits should release yearly reports on the ‘State of the Canadian Internet’ so that consumers and businesses alike can understand the condition of the networks that undergird ICT-driven economic growth and democratic involvement.

An open, non-discriminatory Internet lets developers and entrepreneurs create new products, services, and engagement-types without first needing to secure permission from network providers or needing to independently search for non-publicized limitations imposed throughout the communications infrastructure. To help businesses, citizens, and consumers communicate and act online they should be free of the burden of monitoring for discriminatory behaviours on their own, and should be able to trust a third-party to guard against discrimination on their behalf. The CRTC has, to date, argued that they are not a third-party that is interested in proactively preventing discrimination and, even where they are faced with discrimination, cannot levy penalties to punish ISPs’ actions. As a result, we need an independent body to conduct proactive audits, to be funded sufficiently to carry out audits without having to sacrifice rigor for cost purposes, and to issue yearly reports on the state of Internet service in Canada. Either the independent body or the CRTC must then be able to punish network providers who are violating telecommunications regulations or misleading customers about the quality and speed of the broadband product that is being paid for.

Our closest military and economic allies  go to the trouble of conducting audits of the digital networks that drive economic and civil growth. If we want to compete globally in the digital economy and develop a digitally integrated public sphere, then the Government of Canada owes it to Canadians to mimic the best accountability programs that exist in countries that are already aggressively pursuing ICT-driven economic and social growth. Doing anything less is simply irresponsible.

Book References

[1] David, Paul A. (2007). “Economic Policy Analysis and the Internet: Coming to Terms with a Telecommunications Anomaly,” in R. Mansell, C. Avgerou, D. Quah, and R. Silverstone (eds). The Oxford Handbook of Information and Communication Technologies. Pp. 148-167.

[2]  O’Donnell, Shawn. (2001). “Broadband Architectures, ISP Business Plans, and Open Access,” in B. M. Compaine and S. Greestein (eds.). Communications Policy in Transition: The Internet and Beyond. Pp. 35-57.

Other posts you might be interested in:

1. Summary: CRTC PN 2008-19; ISP Traffic Managment in Canada
2. Draft: What’s Driving Deep Packet Inspection in Canada?
3. Update: CRTC PN 2008-19 ISP Filing Summary Document

Image by Steve Rhode

Each year Canada’s leaders in telecommunications gather at the Canadian Telecommunications Summit to talk about ongoing policy issues, articulate their concerns about Canada’s status in the world of telecommunications, and share lessons and experiences with one another. This years Summit was no exception. While some commentators have accused this year’s event of just rehashing previous years’ content – it is true that each Summit does see similar topics on the conference agenda, with common positions taken each year – there are some interesting points that emerged this year.

Specifically, discussions about the valuation of telecom services regularly arose, discussions of supply and demand in the Canadian ISP space, as well as some interesting tidbits about the CRTC. For many people in the industry what I’ll be talking about isn’t exactly new; those not inside the industry’s fold, however, may find elements of this interesting. After outlining some of the discussions that took place I will point to something that was particularly striking throughout the Summit events I attended: Open Media loomed like a spectre throughout, shaping many of the discussions and talking points despite not having a single formal representative in attendance.

Value Propositions

Throughout the Summit speakers regaled the audience with just how much Canadians take advantage of the Internet; we are the most prolific users of YouTube, heavy users of Facebook, and are online for longer periods of time than many other countries’ citizens. Thus, from the telecommunications perspective, current pricing models and bandwidth allowance conditions are set so that consumers still enjoy high value from their services. Interestingly, while Canadians my be online for greater periods of time Europeans are actually consuming twice as much bandwidth as North Americans. To clarify, customer value propositions almost uniformly adhere to the following equation:

Value to customers = Benefits received by customers – cost of service/good

Given that prices for broadband are typically lower in Europe, and that members of the EU are even more prolific users of broadband (presumably also receiving at least equal benefits as Canadians) it would seem that the value to consumers provided by European carriers is actually higher than that provided to Canadians.

During the Summit, ISPs were informed by policy management vendors that the complementary products that compose a significant facet of ISPs’ revenue streams are in danger. Sandvine’s President and CEO, Dave Caputo, pointed to a report from Barclay’s capital equity research that found voice traffic was presently worth about 10,000 Euro/GB of traffic, text messages about 30,000 Euro/GB, and pure data transmissions only about 5 Euro/GB. Further, Mark Henderson (President and CEO of Ericsson Canada Inc.) asserted in his keynote that voice traffic was effectively noise on mobile networks on the basis that voice traffic accounts for almost single digital percentages of overall data transmissions. As a result, voice services are decreasingly seen as effective profit centers. Taken together, it would appear that the value proposition of offering all you can eat broadband services is diminishing from a carrier perspective whilst consumer value propositions from such models continue to increase as Internet experiences become richer and richer.

More generally, with the introduction of more and more services that are designed to use data, and that let people cut SMS and voice plans, core mobile profit centres are threatened. Of course, such centers are perhaps enhanced whenever customers exceed their data plans and receive incredibly high bills that price bandwidth capacity usesignificantly above the ‘bucket’ cost of data. While the ‘overage market’ might be seen as a potential site of revenue growth, carriers and vendors alike suggested that differentiated service offerings are a preferred means of enhancing customer value propositions. Generally, the argument was that customers want the experience of regular and predicable billing, and that the potential of overage charges are a limiting factor in driving data usage. In a differentiated service model customers might choose particular kinds of data-based services; perhaps they receive email and access to social networking sites but lack access to the web generally, or have to pay a certain amount to receive ‘so much’ web access over the course of a month. What remains unclear to me is that:

1. Users actually want a differentiated offering. Instead, they seem to want to avoid bill shock. Differentiated billing is not the solution to the problem facing consumers, though effective policy controls that stem the ability of users to massively exceed their monthly data caps would (in part) resolve the ‘pain point’ felt by consumers. Further, where overages occur prices should be fair; there is no clear reason why someone that uses an extra few gig of mobile data should have to mortgage their home to pay off a monthly cellular bill.
2. Service differentiation necessarily reduces the amount of bandwidth that users will consume. While this may be the case sometimes it seems as though the emphasis should be on data usage instead of service usage. In a ‘Facebook package’ can individuals click the links associated with people’s Walls? Watch embedded videos? Upload an infinite number of photos? If not, then are individuals receiving a ‘Facebook’ experience where that experience is dependent on the socialized nature of sharing and access to the greater web? Is someone who uploads hundreds or thousands of photos to Facebook a less prolific user of data as compared to someone who checks a few emails and browses the web a little bit every day?

This isn’t to say that I don’t understand carriers’ fear of the Over-the-Top services that are slamming their complementary products. At peaks times of the day Netflix is currently accounting for around 29-30% of all data traffic in North America, and accounts for 13.5% of Canadian traffic during peak periods. The rise of high-quality on-demand OTT content also changes the language of carriers: legitimate customers who are accessing well integrated and easy to use OTT services are driving growth, not ‘content thieves’. No longer are carriers’ portals competing with infringing content but legitimate content, and while carriers were quick to tout the ‘large’ number of online offerings they have through their portals what struck me was that in at least the case of Videotron I personally have more legitimate content on my home NAS than their company makes available to their consumer base. This is not the case when contrasting my personally stored media content against that of Netflix’s library! I recognize that part of the problem facing carriers today relates to rights clearing, but given just how vertically integrated many of the largest carriers are I cannot see consumers genuinely sympathizing with their ISPs and television providers. Instead, customers are ‘enjoying’ low data caps that punish excessive enjoyment of OTT, non-carrier provided, content: the pain point around costs of bandwidth capacity provision are driven by carrier scarcity of legitimate online content combined with high overage costs, not with ‘data hogs’ that are violating social norms by watching their movies and TV from the Internet.

Supply vs. Demand and Spectrum Framing

Throughout the Summit, attendees (and members of the various government regulatory bodies) heard that ‘supply isn’t the problem, demand is!’ In effect, Canada’s telecommunications companies were stating that they are meeting the expectations of Canadians and that the companies would continue to meet expectations in the future. Consumers themselves were seen as the problem in the supply/demand curve of Canadian telecommunications. Specifically, carriers can move large capacities of traffic but there are many Canadians that cannot access even basic computer services. Without access to computers, combined with high levels of literacy, consumers cannot understand the benefit of broadband.

Mark Goldberg, one of the two primary organizers of the Summit, began his address on the first day with this point and it was reiterated throughout the event. Interestingly, Rob Bruce (President of Rogers Communications) recognized that his company had to do a better job in making access to devices, and their daily use, a simpler experience. He also recognized that Canadians needed to be able to control their ‘digital consumption’. While on the one hand I agree with this sentiment (because of the horrendously high overage fees potentially facing mobile and wireline consumers of Canadian providers) I worry that this is really an indirect way of asserting that managed networks and differentiated access types to the Internet are ‘needed’ by today’s consumers. Further, if such a managed and differentiated product offering is required to avoid high overage fees and afford some sense of monthly financial security, then one has to wonder how effectively the ‘supply’ side of the supply/demand equation is really being handled. Managing resources to maximize return on supply is not the same thing as establishing a healthy supply/demand equilibrium that conforms to basic economic theory and free market expectations.

If supply truly is meeting demand today (a questionable position based on carriers’ stated needs to throttle traffic throughout the day and charge grossly highly overage fees for bandwidth capacity use) then we might wonder about the regularized scare tactics surrounding Long Term Evolution (LTE) deployment in Canada. Access to the 700 MHz spectrum was a regular point of contention throughout the Summit, with carriers insisting that next-generation Internet services were dependent on each carrier receiving a large amount of that spectrum block. Discussions over wireless spectrum saw some ISPs advocate for entirely open auctions that avoid set-asides for new(er) entrants and others demanding spectrum set-asides or offering their own policy models that favor new(er) carriers.

For those not invested in the spectrum debates, the 700 MHz block is presently used for analogue television and is soon to be auctioned off once all television in Canada has migrated to digital systems. This particular block of spectrum is terrific at travelling long distances and passing through structures and other physical objects. Large carriers assert that delivering high-speed broadband to rural and remote locations will prominently require LTE technologies. Further, these same carriers threaten that LTE systems will be experience delayed deployments (or not be deployed at all) if they are not given access to the 700 MHz spectrum block. A critical observer might wonder whether those companies’ shareholders will stand for the executive and board  simply refusing to keep updating systems with the times, perhaps using non-beachfront spectrum, if not upgrading will reduce shareholder returns. The same observer might also wonder at just how often the larger providers have actually carried through with such threats of non-investment.

More generally, the efforts to frame the upcoming spectrum auctions were fast and furious, with each large company getting time on stage to talk to an audience composed of other telecommunications providers, regulators, media, and a precious few academics and students. The regulatory staff that I spoke to were all aware of the framing process – some found it moderately amusing – but it’s important to note not just what was said and who said it, but what wasn’t said and who didn’t have a chance to speak. Specifically, the strong positions taken by groups such as CIPPIC and Open Media over the past few years  in public and regulatory spaces were not articulated by members of those groups, nor were they given between a half-hour or an hour of stage time. More carefully stated, a framing process entails groups identifying a problem, groups responsible for it, and policy solutions to correct it. For all parties to have an equal handle in trying to shape the agenda, all must be permitted to proceed through the framing process during moments where the elites of the policy subsystem meets. Unsurprising, given the highly corporatized nature of the Summit, members of advocacy groups and coalitions were not invited to speak and have a shake at shaping Canada’s telecommunications regulatory agenda.

This isn’t to say, of course, that advocacy voices were entirely silent: John Lawford from PIAC spoke, as did Commissioner Stoddart. Neither focused on spectrum, but instead of specific harms experienced by Canadians. Their contributions operated within the conservative nature of the telecommunications subpolicy group, insofar as they slightly expand the scope of discourse without significantly throwing off or challenging ISPs’ cohesive framing (and exclusion/denigration) efforts.

Throughout the Summit there was a regular emphasis on disdain towards advocacy groups that had garnered significant attention from the media and Canadians more generally: Open Media’s recent report was referred to as “an homage to state sponsored network neutrality and broadband” by TELUS’ VP Regulatory, the organization was accused of taking advantage of social media and undermining its value as a source of information by Rogers’ President of Communications and the group is apparently obscuring network realities as far as Videotron’s President and CEO is concerned. The regulator also got involved, when the Chairman of the CRTC asserted that the consumer groups generally had to get organized and expand their knowledge.

This kind of broad framing – of extinguishing the legitimacy of a large voice without letting it speak – indicates a pair of things;

1. Open Media has been incredibly successful in getting under telecommunications providers’ skins. I’ve never been at a Summit (or other large industry event, of any kind) where an advocacy group and its coalition has attracted so much explicit and implicit vitriol;
2. Some companies are now ‘framing’ the group’s crowd-source effects as illegitimate and thus trying to illegitimate other attempts to crowd-source information.

I don’t expect, nor am I suggesting, that framing entirely obfuscates or undermines the conditions of Open Media’s attempts to work in the telecommunications regulatory space, but it does work to identify ‘qualified’ epistemic elites by whom telecommunications should be handled. The long-term consequences of depriving this advocacy group a voice at the Summit is to simultaneously reaffirm the legitimacy of actors that are present and harden combative language amongst the various members, as well as confirm that Open Media is a recognized adversary in Canada’s telecom space. This isn’t to suggest that providers have some kind of a ‘battle plan’ – there isn’t a central organizer that is using this space to intentionally coordinate language – but rather the result of a closed communications loops that constitute an ‘iron triangle’. Such triangles are composed of closed and mutually supportive groups that see governmental agencies, special interest lobbying groups, and legislative (sub)committees working together to develop policy. Members of such groups are typically specialized in very particular policy areas and present a united front towards interlopers or outsiders who

attempt to invade their turf and alter established policies that have been worked out by years of private negotiations among the “insiders” … These triangles are said to be as “strong as iron” in that these mutually supportive relationships are often so politically powerful that representatives of the more general interests of society are usually effectively prevented from “interfering” with policy-making altogether whenever their concept of the general interest runs counter to the special interests of the entrenched interest groups, bureaucrats and politicians (Source).

The CRTC in Focus

The Chairman of the CRTC was at this year’s Summit, and as usual interesting little tidbits came out in his discussion with Summit co-organizer, Mark Goldberg. von Finckenstein was regularly asked questions that followed Open Media’s general talking points, including questions of structural separation, roles of consumer groups, and effectiveness of existing CRTC regulatory policies. During the questions the Chairman was asked about the CRTC’s research capacity: in effect, is the regulator conducting in-depth research of goings on around the world, or is it predominantly relying on what is provided to it by those coming before the regulator? While I had expected that the CRTC was stacked with some research analysts who conduct research, von Finckenstein instead said that while the CRTC has a good handle on ‘the basics’ it isn’t actually engaged in detailed research of any particular regulatory approach to telecommunications. His rationale was that if the Commission was involved in intense research then it would come to particular proceedings with biases that might limit their position as impartial regulators. While I can appreciate the sentiment here, it seems somewhat off-base: as a scholar I expect that when I submit a piece for peer-review that it will be treated fairly and as neutrally as possible. This said, expect that reviewers will have conducted research in similar topic areas and that they will have private opinions concerning the argument-types presenting. I fail to understand why the CRTC cannot conduct basic research to evaluate the claims made by carriers and consumer groups alike, balancing any claims against existing policy research and analyses that are both conducted in house and by other regulators/academics.

Somewhat distressingly, the Chairman asserted a point that those who have spent time watching the CRTC already knew: the CRTC is of the opinion that consumer groups should be driving complaints before the CRTC instead of consumers themselves. von Finckenstein maintains that the highly technical nature of filing complaints means that the process is ill-suited to average consumers and that, as a result, consumers need to organize and develop a broader knowledge base concerning telecommunications so that they can then file complaints as appropriate. This having been said, he also asserted that consumers don’t generally have problems communicating with the CRTC. While unstated, I suspect that this particular comment was meant to capture the individuals consumers who are filing ITMP complaints with the CRTC, though doubt that he appreciates the level of consumer resentment towards the CRTC’s apparently toothless enforcement of their own regulatory decision around traffic management policies in Canada. I also find it of concern that the Chairman focuses on consumer groups as chiefly responsible for the formal complaints: for the full range of consumer issues to be brought before the CRTC there must be enhanced funding for these very groups. Canada is not the US, it doesn’t have the support of private foundations that enable civil society to work in the favor of citizens and consumers. Ideally, if the Chairman were serious about his suggestion, he would also demand that additional funds be provided to consumer groups prior to filing a claim so that research and testing could be performed ahead of time. As the ITMP proceeding demonstrated, the costs associated with significant hearings are so high that few can afford to do the work and simply hope to get paid at the conclusion of a particular regulatory procedure.

Unsurprisingly, the Commissioner also asserted that ITMP audits were not something that CRTC was interested in conducting because any such practice would operate under the assumption that there might be something wrong in the first place. As a complaints-driven body it would be inappropriate to make such an assumption. This is unfortunate because it can be so challenging for individuals to actually trace the source of network-based problems. Further, it is in companies’ best interests to keep a shroud drawn tightly around themselves and their infrastructure operations to obfuscate their own misdeeds. Indeed, this very point has been made repeatedly by scholars in the telecommunications sphere but without a research wing it would appear that the CRTC is ignorant of the basic facts of corporate strategies that are designed to confuse consumers. Further, without such a research wing the Commission is apparently unaware that those conducting research on the outskirts of the network infrastructure will almost certainly have a very difficult, if not impossible, time trying to identify problems that reside within ISPs’ infrastructure.

The Haunting of Open Media

Open Media hung over most of the Summit as a spectre that could-not-be-named. Various CEOs, Presidents, and Vice-Presidents raised concerns over the role of advocacy groups. Rogers’ President of Communications worried that ‘special interests’ were undermining the value of social media as a source of fact-finding and outreach, Videotron’s President and CEO asserted that customers were happy with Usage Based Billing and that Open Media was just trying to obscure network realities and the Chairman of the CRTC maintained that a series of Open Media’s key issues (audits of ITMP systems, functional separation) were not issues that the regulator was willing to take up. TELUS’s Mike Hennessy stated (without defending the claim) that Open Media’s recent report, “Casting an Open Net: A Leading-Edge Approach to Canada’s Digital Future,” was homage to state-sponsored network neutrality and broadband. Further, it was suggested that Open Media should have been the consumer group that was present at the annual ‘Regulatory Blockbuster’ panel instead of PIAC, based on each consumer groups’ relative prominence in the broadband space this past year. It is admittedly somewhat anecdotal, but a vast number of the conversations that I participated in over the two days I attended the Summit saw Open Media either directly or indirectly come up.

What does this mean for Open Media as an organization? To begin, it indicates that the organization is implicitly recognized as an actor in the Canadian telecommunications policy subsystem, as demonstrated both by their involvement in discussing policy issues and bargaining in pursuit of their interests, as well as by the agenda denial tactics that are being undertaken by incumbent subsystem actors. The group’s effectiveness is arguably tied to their ability to harness epistemic elites that are not typically associated with regulatory proceedings and while simultaneously forging alliances with established actors. Further, Open Media has a demonstrated an ability to capture public attention and focus government awareness on issues in a manner that simultaneously aligns and opens policy windows. As a result of their focusing efforts, the group have effected changes to the regulatory agendas.

The capturing of public attention is key to their status as members of this particular policy sub-community: while they present policy alternatives they have also leveraged the potential votes of their backers and thus seen political parties seek Open Media’s favor. As a result of their capacity to capture and harness public attention, Open Media is challenging existing policy monopolies by becoming a dark horse that frames problems differently than Canada’s dominant carriers and that demands solutions often diverging from carriers’. Despite this divergent framing and solution set, the organization has often attempted to link their own issue set with the government’s economic principles and objectives, defending their position by appealing to key regulatory directives and frameworks. This insulates some of their work from overt assault. In effect, Open Media is working to alter “policy images through a number of tactics related to altering the venue of policy debate” and is consequently undermining “the complacency or stability of an existing policy subsystem” (Howlett and Ramesh 2003: 139).

The organization’s actual impact in the formation of policy itself – decision, implementation, and auditing policy stages that follow agenda shaping – is less clear. Along with other sub-system actors, such as Jean-François Mezei, Open Media has successfully rebuffed at least one major policy initiative that was decided by the CRTC around UBB. The development of alternate policy principles and guidelines may assist in promoting their issue-set but the rate of seeing their suggestions introduced into regulatory policy will be delayed based on the complexity of the policy subsystem they are operating in. Further complicating their efforts are the constraints placed upon the regulators who are expected to make, implement, and regulate telecommunications policy. Consequently, incrementalist changes are most likely. Incrementalism does not necessarily mean that Open Media’s own policy initiatives and principles are transformed into policy, but that existing policy actors’ traditional principles, aims, and policy preferences may not be codified as rapidly as in the past. Further, traditional actors may need to modify their narrative and either incorporate some of Open Media’s language to hedge out the advocacy group or reorient their discourse to more effectively isolate and exclude Open Media as a legitimate policy actor. Regardless, for the moment at least Open Media has successfully intruded on a (relatively) monopolized policy subsystem and is affecting change, though it will be an uphill battle to establish themselves as a long-term member in Canada’s telecommunications policy network.

Text Sources:

M. Howlett and M. Ramesh. (2003). Studying Public Policy: Policy Cycles and Policy Subsystems (Second Edition). Toronto: Oxford University Press.

Other posts you might be interested in:

1. Canadian Telecom Summit and DPI
2. Privacy Advocates and Deep Packet Inspection: Vendors, ISPs, and Third-Parties
3. EU: Judicial Review Central to Telecom Disconnects

Image by Kris Krüg

For the past several months I’ve been working away at a series of ‘traditional’ publication-type writings. One of those pieces included major sections of OpenMedia.ca’s report that was released today, entitled “Casting an Open Net: A Leading Edge Approach to Canada’s Digital Future.”

More specifically, I worked as the lead author on the economic section of the report, arguing that obtrusive network management practices, bandwidth speeds, and download/upload capacities that unduly favor one party over another are damaging to innovation in Canada. I’m also third author of the technical section, where I brought my expertise around deep packet inspection and usage based billing to the group of excellent authors who led that section. I’ve included the introduction, below, as well as links to download the report. Comments are, of course, welcome.

The Open Internet: Open for Business and Economic Growth

The Internet is widely regarded as one of the modern era’s greatest engines of economic growth and innovation. Ensuring ubiquitous, affordable, and open access to the Internet across all social sectors supports and promotes economic growth. By providing a reliable platform for applications development, communications improvements, and content distribution, we create the potential for greater efficiencies and growth in business-to-business, business-to-consumer, peer-to-peer, and consumer-to-business transactions.

In this section, we delve deeper into the essential role that the open Internet plays in the Canadian economy as an engine of innovation and growth. The unique characteristics of the Internet have allowed Canadians to create some of the world’s leading websites and applications. We argue that when businesses and citizens are forced to pay more for Internet access in Canada, or face other restrictions on use — especially compared to our global counterparts — we have fewer opportunities to invest in and develop the kind of innovations that make our economy flourish.

In Section One, we argue that co-invention and web-based entrepreneurship flourish best in neutral networks and that the Internet’s innate openness enables a democratization (i.e. of access and success) that fosters creativity, competition, and innovation. In Section Two, we argue that Canadian Internet Service Providers (ISPs) are transitioning towards technical architectures that discriminate against and seek to control certain applications, and we warn that this gradual enclosure of the Internet threatens to restrict user access, choice, and innovation, and thus threatens to reduce the value of the Internet overall. In particular, we discuss how ISPs use the practice of bandwidth throttling of specific applications (e.g. P2P file sharing) and usage-based pricing to discriminate against certain types of online activities in an effort to centralize control. Finally, we conclude by emphasizing that ISP interference undermines the core values of equality and neutrality operating at the heart of the Internet and that this interference threatens the Internet’s invaluable role as an engine of innovation and economic growth.

The ability for Canadians to innovate is more and more central to our economic well-being and competitiveness. As we explain below, the open Internet is an essential engine of innovation; without a fast, ubiquitous, and open Internet, Canada will continue to fall behind in economic productivity. E-commerce, the information and communications technologies (ICT) sector, and increasingly, traditional businesses, depend heavily on open access to the Internet. Any barrier to Internet use is a barrier to business development in general.

• Link to .pdf version of report
• Link to .pdf of just economics and business section of report
• Link to .pdf of just technical discussion in the report

Other posts you might be interested in:

1. Open Source and Open Office XML
2. Boost Up Your Net With ISP Injections
3. Analyzing the Verizon-Google Net Neutrality Framework

Image by Håkan Dahlström

The capacity for the Internet to route around damage and censorship is dependent on there being multiple pathways for data to be routed. What happens when there are incredibly few pathways, and when many of the existing paths contain hidden traps that undermine communications security and privacy? This question is always relevant when talking about communications, but has become particularly topical given recent events that compromised some of the Internet’s key security infrastructure and trust networks.

On March 22 2011, Tor researchers disclosed a vulnerability in the certificate authority (CA) system. Certificates are used to encrypt data traffic between parties and to guarantee that security certificates are actually issued to the parties holding them. The CA system underpins a massive number of the Internet’s trust relationships; when individuals log into their banks, some social networking services, and many online email services, their data traffic is encrypted to prevent a third-party from listening into the content of the communication. Those encrypted sessions are made possible by the certificates issued by certificate authorities. The Tor researchers announced that an attacker had compromised a CA and issued certificates that let the attacker impersonate the security credentials associated with many of the world’s most prominent websites. Few individuals would ever detect this subterfuge. In effect, Tor researchers discovered that a central element of the Internet’s trust network was broken.

In this post I want to do a few things. First, I’ll briefly describe the attack and its accompanying risks. This will, in part, see me briefly discuss modes of surveillance and motivations for different gradients of surveillance. I next address a growing problem for today’s Internet users: the points of trust we depend on, such as CAs and the DNS infrastructure, are increasingly unreliable. As a result, states can overtly or subtly manipulate to disrupt or monitor their citizens’ communications. Finally, I suggest that in spite of these points of control, states are increasingly limited in their capacities to unilaterally enforce their will. As a consequence of networked governance, and its accompanying power structures, citizens can impose accountability on states and limit their ability to (re)distribute power across and between nodes of networks. Thus, networked governance not only transforms state power but redistributes (some) power to non-state actors, empowering those actors to resist illegitimate state actions.

The Attack

Your web browser has been programmed to trust certain figures of authority. When you visit your bank’s website, encrypted Facebook pages, secured email accounts, and so forth your browser engages in a cryptographic exchange to establish an encrypted communication session. This session prevents third-parties from intercepting the content of the communications. Establishing this private communication relies on public key cryptography. Under this cryptographic system, communicating parties assume that a hostile third party is trying to listen into the communication and thus only provide one half of the encryption key – the public key – in the clear. Private keys are subsequently used to decrypt the communications. They are never shared.

Many websites rely on certificate authorities to establish this cryptographic exchange. Certificate authorities issue digital certificates that include a public key that web browsers use to initiate encrypted communications with the website. A CA acts as a trusted third-party in any communications process because the visitor of a website (typically) assumes that the issued certificate actually belongs to the website in question. Further, the visitor assumes that only the website’s operator, and no third party, is privy to the website’s private key. Certificates are (ostensibly) only issued when a CA is certain the the individuals requesting the certificate actually run/control the website the certificate would be used at. Unfortunately, it has recently come to light that a CA, Comodo, issued certificates for the following websites:

• mail.google.com (Gmail, google apps)
• login.live.com (Hotmail and other live services)
• www.google.com
• login.yahoo.com (three separate certificates for this website)
• login.skype.com
• addons.mozilla.org (Firefox extensions)
• “Global Trustee”

With these rogue certificates, an attacker could perform a man-in-the-middle attack on each of these websites, meaning that they could act as an intermediary for any communications between the two parties. This attack relies on both parties believing that they are talking directly with one another, when in fact the third party is between them and reading the content of the communications. SSL connections, such as those used by Facebook, Gmail, Yahoo! mail, Microsoft’s Live services, Skype, and Mozilla, are meant to defeat such an attack but this is only possible where authentic certificates are issued. In the case of rogue certificates, this assumption of trust is violated. The EFF is presently suggesting that the ‘Global Trustee’ certificate may permit an attacker to impersonate any domain on the web. By receiving certificates, the attackers are not only able to encrypt communications so that it appears legitimate (using the publicly available public key) but also receive the private key, enabling them to decrypt messages that are encrypted using that public key. In effect, whomever the attacker(s) is, they managed to break the Internet in incredibly significant way by exploiting one of the key nodes of trust in the online world.

Comodo, the CA that fell victim to this attack, is suggesting that individuals in Iran are likely responsible for having compromised a certificate-issuing account. This is based on the significant number of Iranian IP addresses that were used in launching the attack, the need to be a state-level actors to maximally exploit this weakness, the focus on communications websites instead of financial sites, and the Iranian government’s recent efforts to undermine and block encrypted communications. Comodo also believe that the attack was preplanned based on the attackers’ rapid generation of certificates for the above mentioned sites.

It should be noted that while it is a plausible theory that the attacker was Iranian, this is not the only possibility. Robert Graham, at Errata Security, quickly noted that the security industry,

has a flaw in it’s critical thinking process. When something happens, we try to fit it into the story of the day. For example, when Slammer first hit, everyone thought it was a DDoS attack, because DDoS was the major story of the day. Similarly, with the transparent proxying in Tunisia and political unrest throughout the Middle East, that becomes the dominant story. Any crumb of evidence, such as one of the addresses being located in Iran, is suddenly magnified to become the most important piece of evidence. In fact, it’s one of the least important pieces.

Thus, while Iran remains a likely suspect it is challenging to definitively ascribe blame of this attack to any actor without additional information.

What can be done with this information?

A considerable amount of intelligence gathering today depends on signals collection. In a digital world, this sees attackers survey networks of communication to identify the flows and types of communicative traffic between nodes (actors) that are communicating with one another. This approach was adopted during the second world war because communications were sufficiently encrypted that many couldn’t be decrypted in time for the message content to be useful. Since then, signals intelligence has proliferated alongside the the growth of strong encryption. Most recently, national security agencies have either invested in social media tracking tools or are having members of the government advocate on their behalf to acquire those tools. Such efforts are in addition to ECHELON, the NSA’s wireless wiretapping, and GCHQ’s drive to deploy deep packet inspection systems through ISPs’ networks. In short, signals intelligence is important in identifying key nodes in communications network, for understanding relationships between nodes, and for determining which nodes are sufficiently important to subvert them for content analysis.

In the case of the certificate compromise, an attacker can access the network that people communicate with and the content of their communications. Thus, a network analysis could be performed on a wide range of email, Facebook, and Skype accounts that were compromised, correlating address books and frequency of messaging to identify key nodes in a communications network. Having identified those nodes, and other key points in a communications network, the attacker could take the time to analyze the content of those communications and develop intelligence about the particularities of those communicators. In essence, breaking the CA trust system permits the mapping individuals and then investigating key individuals participating in the network.

If the attacker is, indeed, the Iranian government then dissidents who have used electronic communications have a right to be concerned. Google and Skype both provided encrypted means of communication to enable dissident communications, though Iran has a history of disrupting encrypted communications provided by Google, Yahoo!, and others. By actively undermining the trust relationship between Google et al. and their users, the government could theoretically permit dissidents access to ‘encrypted’ communications channels whilst listening into what was being said at the same time.

It must also be noted that, even though the attack has been identified and measures taken to remedy the problem, that this does not solve underlying problems. This is noted by Jacob Appelbaum, who writes that

an attacker who is able to [man-in-the-middle] SSL/TLS will also [man-in-the-middle] the [Online Certificate Status Protocol/Certificate Revocation List] requests. Moxie’s sslstrip demonstrated that an attacker would do this automatically and his software has done this for OCSP in public since 2009. Mozilla did not fix this issue at the time and they have once again punted on the issue. An even lower tech attack is possible and it’s why revocation does not work: By returning a HTTP 500 error, the browser will the continue on as if revocation checks showed the certificate to be perfectly fine.

This means that if web browsers are not updated (updates will include blacklists for fraudulent certificates) an attacker can convince a web browser that a faked certificate remains legitimate because the browser can be prevented from checking the validity of its current certificates against CAs’ lists of revoked certificates. Of note: if the “global trustee” certificate is, indeed, used to sign any domain it means that the attacker could successfully trick web browsers that navigate to any SSL ‘protected’ website. Thus, if a government is responsible for this action, it could follow dissidents to alternate encrypted channels that rely on a CA and continue to eavesdrop on the content of communications.

Hierarchy of Control

The Internet was designed to be a trusting network, and that trust is routinely exploited today. As a trusting network, a hierarchy of authority makes sense: there are simply some parties that you should always trust. When the Internet was still young there were personal relationships between users and those ‘in control’ of aspects of the system. Since the 80s and early 90s, however, hundreds of millions of people have come online: it’s no longer practical to call up a friend or file a quick support request to guarantee that a site, certificate, or other element of a hierarchical trust network is working properly. To demonstrate the problems related to the hierarchy of control/trust, let’s briefly consider the Distributed Name System (DNS) in addition to certificate authorities.

The DNS hierarchy correlates human-readable domain names to the Internet Protocol addresses that actual identify servers and communicating nodes on the network. Compromising the DNS by redirecting human-readable names to false IP addresses is a tactic used by the US government, and even less scrupulous attackers, to censor communications transmissions and inject malicious code onto individuals’ computers. There are some suggestions on how to combat low-level attacks.

One suggestion is to replace the present DNS infrastructure with DNSSEC, a secured version of the DNS protocol that would guarantee that domain names correctly resolved to IP addresses. Per Landau, DNSSEC provides two things:

1. Source authentication: A DNS resolver can verify that the information it received originally came from a DNS authoritative nameserver (one that the DNS resolver can “trust”).
2. Integrity verification: A DNS resolver can determine that the information it has received from the DNS nameserver has not been tampered with during transit from the original authoritative nameserver (2011: 60).

Unfortunately, DNSSEC depends on all nameservers in the DNS lookup chain being DNSSEC-enabled; if there is a break in this chain then the chain of authenticity cannot be trusted. We can imagine an authoritarian regime that controls DNS lookups refusing to join the DNSSEC system and thus its citizens would never enjoy the chain of trust. Further, if you cannot trust the root nameservers (as is the case with all .com, .net, and other top-level domains in the face of American abuse of the root nameservers) then the chain of trust envisioned by DNSSEC is impossible to establish or maintain. Thus, even were DNSSEC implemented today state-sanctioned abuse of the DNS hierarchy might not be prevented. There are also discussions of abolishing the DNS hierarchy entirely, replacing it with a horizontal, distributed, DNS system. Horizontal DNS systems are in their infancy, however, and can’t be expected to alleviate concerns about DNS abuse anytime soon.

Certificate Authorities are another point of trust in the trust hierarchy of the web but, as demonstrated by both Comodo’s security breech and the inability of web-browsers to effectively notify end-users of revoked certificates, CAs are also not to be trusted. As Chris Soghoian and Sid Stamm write in their paper “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL“ governments in the West can compel certificate authorities to produce false SSL certificates that enable government surveillance efforts. This attack can be performed in such a way that few end-users would realize that they were being provided a modified certificate for a secure website. As a result we shouldn’t only fear how repressive governments invade private, encrypted, communications but be even more worried about so-called democratic governments that can secretly compel the largest Certificate Authorities in the world to issue forged certificates for government surveillance and wiretapping purposes.

States Adapt, Not Abandon, Sovereign Power

While optimists in the early 1990s hoped that the Internet would lead to an era where individuals were largely free of state censorship and control this has not been the case. Censorship and the mediation of data flows are prevalent actions that take place around the world by public and private actors. This said, we needn’t adopt Goldsmith and Wu’s (2006) strong thesis that the Internet is being ‘bordered’ by nation-states, with such bordering degrading the Internet’s democratic potentialities. We might instead adopt Cowhey’s and Mueller’s (2009) more moderate thesis, that the Internet is mediating states’ modes of governance; states are being forced to exercise influence to shift flows of power in today’s networked governance environments instead of dictating the direction of flows. While this isn’t a new mode of directing power relationships, it is significant that clear-cut expressions of sovereign power encompass increasingly small spectrums of society; even in the face of revolution states must negotiate with international organizations on topics such as telecommunications, finances, and human rights. States are increasingly unable to just ‘retreat’ into their borders and act without grievous consequences to their economic and political well-being.

Today’s networked state is “characterized by shared sovereignty and responsibility between different states and levels of government; flexibility of governance procedures; and greater diversity of times and spaces in the relationship between governments and citizens compared to the preceding nation-state” (Castells 2009: 40). Where the state strongly influences the necessary nodes for digital communications, such as ISPs, they can dictate conditions that must be followed to behave as a node. In Iran, we see this through ISPs’ requirements to comply with government censorship and complicity in state surveillance efforts. The newly networked state is vulnerable, however, to acts of resistance that block the switches responsible for connecting nodes throughout the network – if command and control cannot be communicated between points then the exercise of networked power is significantly reduced. Thus, surveillance capabilities that are disaggregated across a spectrum of actors are only effective in their roles if they can correlate and act on their findings somehow; should the communications networks required for such sharing be closed or rendered transparent to the public a state’s surveillance capabilities are compromised.

In the case of Iran and its most recent actions, we might question the adequacy of some surveillance scholarship to effectively classify state surveillance programs. While arguably true that surveillance is intended to “precede the event” and “code” bodies across ambiguous spaces and times (Lyon 2003) the intensity of personal surveillance directed at individuals suggests that we must be wary of making strong claims about surveillance technologies. In stating that “[s]urveillance technologies do not monitor people qua individuals, but instead operate through processes of disassembling and reassembling. People are broken down into a series of discrete informational flows which are stabliized and captured according to pre-established classificatory criteria” (Haggerty and Ericson 2007) it is important to acknowledge that the networked state can express power in ways similar to the sovereign state. While the repressive networked state operates through an assemblage of techniques, variety of nodes, and acts according to networked governance principles, it may remain intensively interested about individuals. Rather than monitoring flows for information abstracted from individuals, the very intention of examining flows may be to become better ’acquainted’ with individuals. Indeed, when participating in a network requires authenticating against a subscriber database (the case for many digital connections) a digital surveillance system may begin with the individual and ‘simply’ correlate flows to that individuals and parties the individual is associated with. Where this is the case an individual’s identity operates as the key orienting factor of surveillance instead of being a secondary facet of the monitoring process. In effect, while the network state may change its techniques of surveillance we should avoid stating that altering technique means that models of data aggregation and the intentionality driving surveillance are necessarily also altered.

The operation of extensive Internet-based surveillance facilitated by networked governance underscores Galloway’s argument that control and surveillance have operated at the heart of the Internet since its  beginning (Galloway 2004). While true that the manifestations of control are variable, variability alone does not negate the fact that protocological analysis and control are located at the heart of contemporary data networks. Today we see efforts to weaken control by separating and ‘freeing’ the physical, logical and content layers of the Internet (Benkler 2006; Wu 2010) but not all state governance models are receptive to such a distinction, to say nothing of the liberation associated with Benkler’s compassionate liberalism. This is especially the case where the state is hostile to having its power disagregated, and is actively invested in transitioning as many of its sovereign capabilities to its newfound operation as a contemporary networked state. The willingness of states to adopt a separation thesis is perhaps best revealed when considering their attitudes towards the Internet’s hierarchical points of control: where governments resist horizontal network (re)development and instead support ‘better secured’ vertical networks we can intuit a residual desire to retain traces of classic sovereign power. It should be noted, that neither Iran, nor the United States government, nor the European Union, is seriously committed to reshaping the certificate authority system or moving towards a distributed DNS system that is resistant to state-sanctioned influence and interference.

So, what are the solutions to disrupting the networked state? Hardt and Negri (1999) argue that nomadic actions – those which quickly emerge and then recede into the noise of society – provide a means of hindering the globalized, networked, state. Indeed, as the state responds and reforms itself in responding to nomadic disruptions the nomads display their power to reconfigure facets of the state and its accompanying institutions. Civil advocates such as the Electronic Disturbance Theatre suggest that DDoS attacks that digitally mirror sit-ins can weaken the nodes of influence and control that networked governance regimes rely when exercising their power. Further, the networked state is situated within global networks of power and thus regularly struggles with external governing agents to assert its preferences. This affords dissidents with another avenue to affect change on the state: they can act upon repressive states through the international networks that repressive states hold membership in. Finally, authoritarian regimes and democratic states alike, along with their technical talent, must now confront well resourced multinationals, NGOs, and private citizens who may oppose the state’s governing influence. The capacity of these non-state actors to interrupt the state’s governance functions that are reliant on digital networks is a more significant threat today than it was a decade ago, and this new vulnerability affords new opportunities to disrupt the routines of power that constitute the networked state’s capacity to act. In disrupting the very points that afford control – the DNS, CA networks of trust, and the like – and by implementing competing non-hierarchical alternatives to current vertical power networks, states’ powers can be further disaggregated and their sovereignty made increasingly accountable to the world’s networked citizenries.

Text Sources:

Y. Benkler. (2006). The Wealth of Networks: How Social Production Transforms Markets and Freedom. New Haven: Yale University Press.

M. Castells. (2009). Communication Power. Toronto: Oxford University Press.

P. Cowhey and M. Mueller. (2009). “Delegation, Networks, and Internet Governance” in

K. Haggerty and P. Ericson. (2007). “The New Politics of Surveillance and Visibility” in K. G. Haggerty and P. Ericson (eds). The New Politics of Surveillance and Visibility. Toronto: University of Toronto Press.

M. Kahler (ed.). Networked Politics: Agency, Power, and Governance. London: Cornell University Press.

J. Goldsmith and T. Wu. (2006). Who Controls the Internet? Illusions of a Borderless World. Toronto: The Oxford University Press.

S. Landau. (2011). Surveillance or Security. Cambridge, Mass.: The MIT Press.

D. Lyon. (2003). “Surveillance as social sorting: computer codes and mobile bodies” in D. Lyon (ed.). Surveillance as Social Sorting: Privacy, Risk and Digital Discrimination. New York: Routledge.

A. Negri and M. Hardt. (2000). Empire. Cambridge, Mass.: Harvard University Press.

T. Wu. (2010). The Master Switch: The Rise and Fall of Information Empires. New York: Knopf.

Other posts you might be interested in:

1. Review: Surveillance or Security?
2. IPv6 and the Future of Privacy
3. Is Iran Now Actually Using Deep Packet Inspection?

Image by United4Iran

For some time, I’ve been keeping an eye on how the Iranian government monitors, mediates, and influences data traffic on public networks. This has seen me write several posts, here and elsewhere, about the government’s usage of deep packet inspection, the implications of Iranian government surveillance, and the challenges posed by Iranian ISPs’ most recent network updates. Last month I was invited to give a talk at the Pacific Centre for Technology and Culture about the usage of deep packet inspection by the Iranian and Tunisian governments.

Abstract

Faced with growing unrest that is (at least in part) facilitated by digital communications, repressive nation-states have integrated powerful new surveillance systems into the depths of their nations’ communications infrastructures. In this presentation, Christopher Parsons first discusses the capabilities of a technology, deep packet inspection, which is used to survey, analyze, and modify communications in real-time. He then discusses the composition of the Iranian and Tunisian telecommunications infrastructure, outlining how deep packet inspection is used to monitor, block, and subvert encrypted and private communications. The presentation concludes with a brief reflection on how this same technology is deployed in the West, with a focus on how we might identify key actors, motivations, and drivers of the technology in our own network ecologies.

Other posts you might be interested in:

1. Is Iran Now Actually Using Deep Packet Inspection?
2. Iran, Traffic Analysis, and Deep Packet Inspection
3. Background to North American Politics of Deep Packet Inspection

Image by Dimitri N.

Communications systems are integral to emerging and developed democracies; the capability to rapidly transmit information from one point to another can help fuel revolutions and launch information campaigns about unpopular decisions to ‘meter’ the Internet. In foreign nations and at home in Canada we regularly see ISPs interfere with transmissions of data content. Both abroad and at home, researchers and advocates often have difficulties decoding what telecom and cableco providers are up to: What systems are examining data traffic? How is Internet access distributed through the nation? Are contractually similar data plans that are sold in different geographic regions providing customers with similar levels of service?

To date, Canadian advocates and researchers have been limited in their ability to draw on empirical data during major hearings at the CRTC. This makes research and advocacy challenging. Over the past several years, researchers, advocates, counsel, and members of industry that I’ve spoken to have complained that they need hard data. (It’s a gripe that I’ve stated personally, as well). With your help, numbers will be on the way.

Most regulatory proceedings see corporate data filed in confidence, and what is made available to the public typically lacks the methodology by which data is collected, or the steps taken to generate final percentages and conclusions that are sometimes made public. Effectively, this means that advocates and researchers alike have to turn to foreign nations’ traffic information, data taken from independent Internet observatories, or perform theoretical extrapolations from the data that is provided to identify whether the numbers industry provides match up with the networks’ actual conditions. I want to change that and work with interested people to create an accessible and public dataset that maps Canada’s broadband conditions.

At a recent event in Victoria, I passionately pitched that I should win the available $800 to help pay for a developer to create a broadband analysis tool. Once developed and deployed, the end-user would just see an online form that let them choose their ISP, their service package, insert their postal code, and then press ‘go’. After initiating the analysis, data would be pumped to and from a series of servers around Canada/the world and the user’s computer. As a result, we could identify latency, jitter, broadband service levels, open ports, and whether traffic was being throttled or not.

Anyone who’s looked at broadband analysis immediately come upon the same question: why use this tool over the other, already existing, tools that are available? First, we can customize the code-based to capture exactly the information that we need. Second, it should be harder to ‘game’ than the existing public tools. Third, many of the existing options make it challenging to easily access the data provided the end-user. With the data we plan on collecting, we should be able to actually map Canada’s broadband services.

The talk was a hit (proposal available in .pdf). Unfortunately I didn’t win the money I was competing for. Fortunately, I got a lot of people at the event interested. Even better, several of those people were willing to lend their time and services to roll out the tool. Since then, the broadband analysis tool has been in development. Hopefully the open-sourced code will be ready for a production environment in a month or two. The tool is composed of three elements:

1. A front-end Flash-based object that let’s individuals select their ISP, their broadband plan, and where they receive Internet service;
2. Bandwidth servers that are hosted by people with public IP addresses and have bandwidth to spare for testing;
3. A central server that has a master list of the bandwidth servers and aggregate statistics from the bandwidth servers.

While running code is (clearly) a key part of what we need to start testing broadband service in Canada, it’s not enough. We need people to actually host the bandwidth servers (code will be open sourced, so you can check that nothing funky is going into your infrastructure) and someone to help design the Flash object (it’s not particularly pretty right now). While the initial work is aimed at Canadian Internet transparency, the code will be publicly available so there isn’t any reason why it couldn’t be used to similarly map broadband services in other nations and jurisdictions around the world.

We’ll be working with the folks at Open Data BC to figure out how best to disseminate the data that we collect: we’re not looking to create a new silo! We’re committed to making our findings and raw data accessible to anyone who’s interested. Since Canadians are amongst the most prolific users of broadband in the world it’s time that light be shed on how broadband services are actually being provided.

Ultimately, this is a call: the code is coming, but infrastructure is needed. Can you, or someone you know, help in making some infrastructure available to bring transparency to the contemporary Canadian broadband landscape? If you can help please get in touch!

Other posts you might be interested in:

1. Call for Cyber-Surveillance Annotated Bibliographies
2. Iran, Traffic Analysis, and Deep Packet Inspection
3. Analysis: ipoque, DPI, and Network Neutrality

Image by David Clow

Rogers Communications modified their packet inspection systems last year, and ever since customers have experienced degraded download speeds. It’s not that random users happen to be complaining about an (effectively) non-problem: Rogers’ own outreach staff has confirmed that the modifications took place and that these changes have negatively impacted peer to peer (P2P) and non-P2P applications alike. Since then, a Rogers Communications senior-vice president, Ken Englehart, has suggested that any problems customers have run into are resultant of P2P applications themselves; no mention is made of whether or how Rogers’ throttling systems have affected non-P2P traffic.

In this brief post, I want to quickly refresh readers on the changes that Rogers Communications made to their systems last year, and also note some of the problems that have subsequently arisen. Following this, I take up what Mr. Englehart recently stated in the media about Rogers’ throttling mechanisms. I conclude by noting that Rogers is likely in compliance with the CRTC’s transparency requirements (or at least soon will be), but that such requirements are ill suited to inform the typical consumer. 

Rogers’ Renewed Throttling Scheme

Last December I wrote about how Rogers’ throttling systems were causing significant problems for customers. Specifically, it seemed as though a badly tested update to the Rogers network mediation infrastructure had caused P2P download speeds to sharply fall, and non-P2P applications were also impacted. These problems were confirmed by Keith McArthur, Rogers’ senior director of social media and digital communications, when he wrote that:

As some of you are aware, Rogers recently made some upgrades to our network management systems that had the unintended effect of impacting non-p2p file sharing traffic under a specific combination of conditions. Our network engineering team is working on the best way to address this issue as quickly as possible. However, I’m not able to provide any updates at this time about when this will be fixed. Our network management policy remains unchanged. You can find details of our policy here (»www.rogers.com/web/content/netwo···nagement). We are working hard to ensure that there are no gaps between our policy and the technology that enables that policy.

While it was disturbing that it took months for an official Rogers representative to confirm the problem – and that even upon confirming the issue, no timeframe for resolving it was provided – at least the company publicly recognized the problem and stated that it would be fixed. Further, it seemed that the fix (whatever it entailed) would return the mediation of customers’ data traffic to a pre-September 2010 status. Unfortunately, rather than working to resolve the problem (and maintain the network management policy) Rogers has changed their policy. This change was needed to comply with a CRTC directive – ISPs must be transparent to their customers about Internet Traffic Management Practices (ITMPs) – but since the change has taken place I’ve not seen any suggestion that things will ‘return to the old normal.’

Public Statements and Policy Updates

The most recent CRTC investigation into ISP traffic management policies began after Justin McKillican filed a complaint alleging that Rogers had “introduced changes to its Internet traffic management practices (ITMP) which impacted downstream peer to peer (P2P) traffic without providing the 30 day notice required by Telecom Regulatory Policy 2009-657.” The CRTC’s response (.pdf) to Mr. McKillican and Rogers’ Ken Thompson (Director and Counsel Copyright and Broadband Law, Rogers Communications Incorporated) directed the company to revise its ITMP disclosures on Rogers web pages on the basis that, at the time of investigating Mr. McKillican’s complaint, the disclosure on Rogers’ website was non-compliant with the transparency requirements set down in 2009-657.

In an interview with Carrt.ca about Rogers’ throttling policies (Subscription required), Mr. Englehart stated that Rogers does not traffic shape downstream traffic. Further, he asserted that Rogers had already provided an explicit disclosure of their practices on their web site. The disclosure that had been available to the public for over a year was previously in conformance “with what the CRTC wanted so it’s strange that they’re now saying it needs more work given we did it in consultation with them.” In the interview, he asserted that only P2P was affected by the throttling mechanisms, though his statement stands at odds with Rogers’ actual traffic management policies that have recently been amended. Perhaps Mr. Englehart was unaware that the policy had been amended on the basis that newly deployed technical measures, but this seems unlikely given that the CRTC letter explicitly noted that there were changes to Rogers’ throttling systems.

The changes to Rogers’ traffic management policy are significant. An entirely new section – “Are there other applications that could be impacted by Rogers traffic management measures?” – has been introduced, following almost word-for-word what Bell Canada has published in the same section of their own traffic management policy. Bell (and, now, Rogers) recognizes that sometimes their DPI systems negatively impact non-P2P applications, and puts the onus on the consumer to get things working again. Specifically, users are instructed to setup applications so that they only use IANA-specified ports[1] (with Rogers providing a non-hyperlined URL to the official IANA list on their traffic management page). Specifically, Bell and Rogers customers are told to:

1. Close the affected application along with all P2P applications;
2. Ensure that non-P2P applications have their ports properly assigned;
3. Wait to ten minutes, and then restart the non-P2P application.

Knowing many Bell and Rogers customers, and just how tech-savvy they are, I cannot imagine that many end-users can actually modify port numbers for various programs. As such, the solutions these companies are providing assume that the people who either care enough to find a solution, or can solve it in the first place, tend to be reasonably technically inclined. At the same time, I fully recognize that the provided solutions will most likely comply with CRTC requirements. This suggests that ISPs are invested in making ITMP policies transparent as far as regulators are concerned, but are not so interested in making the entirety of those policies transparent to typical consumers as well.

Consumer vs Technical/Regulatory Transparency

For a system to be considered transparent to consumers it must be described so that non-experts can decode what is being described. Rogers is almost certainly not being transparent to consumers given the brevity of their ITMP policy and because customers must consult a massive text-based document (with little context), modify some applications’ port numbers, and only then have applications properly access the Internet. While such a list lets me set up port numbers on applications to avoid throttling, this is not the case with far less technically savvy individuals. What does the ‘regular consumer’ do when their particular application isn’t listed in the ports (as will happen, often) and they’re experiencing slowdown on non-P2P application traffic?

In essence, while ISPs have publicized how their traffic management policies impact traffic, in the cases of Bell and Rogers only technically savvy individuals can follow the suggested troubleshooting steps. So, while both companies are (arguably) within the confines of regulatory transparency that is required by the CRTC,[2] the transparency that these bodies require doesn’t necessarily mean that end-users without technical savvy will understand how to resolve problems. Similar to how long or complicated privacy policies are only understood by those trained to read and/or write them, I suspect that only those who already have a degree of technical awareness will understand what ISPs are doing to customer data traffic.

For a policy to be ‘consumer transparent’ it has to be non-technical, while specific enough to inform end-users what is going on. Much of Bell’s own ITMP policy is good, insofar as it is understandable and accessible to those who happen across the policy, but the troubleshooting approach that is provided is poor at best. The brevity of Rogers’ own policy, combined with the poor design decisions that reduce readability, means that Rogers has provided a policy that is less transparent to the consumer, while simultaneously meeting much of the CRTC’s own regulatory transparency requirements. Deep packet inspection and Quality of Service infrastructure regularly mediates Canadians’ digital communications. Given the importance of our digital systems I think that ISPs should remain compliant with technical and regulatory transparency requirements, but also ensure that their policies are also transparent and understandable to end-users.

Footnotes

[1] The Internet Assigned Numbers Authority (IANA) is responsible for allocating and maintaining a variety of numerical codes related to technical standards and protocols that undergird the Internet. To learn more about them, read their About page.

[2] Admittedly, in the case of Rogers the CRTC has taken issue with how ‘transparent’ their approach is. Given that Rogers’ policies are written similarly to Bell, I suspect this has more to do with the ease of finding and reading Rogers’ policies instead of what is written. See the below of how to navigate to a few Canadian ISPs’ traffic management pages:

Rogers

1. Go to the Rogers homepage
2. Select ‘Internet’ >> ‘Packages and Pricing’
3. Scroll to the bottom of the page and click on their Internet Traffic Management Practices and Legal Disclosure link
4. In the popup box, click the grey link in the third paragraph labeled ‘click here’.

Bell

1. Go to Bell’s homepage
2. Select ‘Internet’
3. Scroll down to the bottom of the page and click their Network Management link

Shaw

1. Go to their homepage
2. Select ‘Internet’
3. Select the link to their traffic management policies

Cogeco

1. Go to their homepage
2. Select ‘Internet’
3. Select ‘Internet Usage’
4. Select ‘Learn more about Internet traffic management
5. Select one of the six options to learn about, read it, and then either use your browser’s back button or the back button on the page and scroll back down to where you were on the page.

In the case of both Bell and Shaw, there is an easily found, easily accessed, and easily read traffic management policy. In the cases of Rogers and Cogeco it is more challenging to believe that a casual consumer would happen upon the traffic management policies. The text of Rogers’ ITMP policy is incredibly small – I need to move very close to the screen to read the grey 11 font text – and Cogeco’s is buried – multiple links have to be clicked to read the whole policy even after finding it. Neither of these two policies would pass a sniff test for being ‘consumer transparent’, even if they are seen as compliant with legal and regulatory transparency requirements.

Other posts you might be interested in:

1. Background to North American Politics of Deep Packet Inspection
2. Beyond Fear and Deep Packet Inspection
3. Choosing Winners with Deep Packet Inspection