Cover of the 2011 Winston Report (Winter)

Last year I was approached by the founder and editor in chief of The Winston Report to update and publish one of my postings on Canada’s forthcoming lawful access legislation. The Report is the quarterly journal of the Canadian Association of Professional Access and Privacy Administrators (CAPAPA). The updated piece that I contributed is more compact than what I originally wrote on this site, though I think that this makes it a stronger, more direct piece. I want to publicly thank Sharon Polsky for the opportunity that she provided to me, and for being so kind as to position my piece as the lead featured article in the Winter edition of the journal. I also want to thank my tireless editor, Joyce Parsons, for her incredible work strengthening my prose. A preprint version of my contribution, which retained a creative-commons license as part of my agreement with the editor in chief, is made available to you below under the normal Creative Commons Attribution, Noncommercial 2.5 Canada license.

Download pre-print .pdf version of (Un)Lawful Access:  Its Potentials, and its Lack of Necessity.

Other posts you might be interested in:

1. Lawful Access, Its Potentials, and Its Lack of Necessity
2. The Anatomy of Lawful Access Phone Records
3. (Un)Lawful Access: Vancouver Premiere & Panel Discussion

Image courtesy of UnlawfulAccess.Net

I’ll be presenting at a panel discussion on Canada’s forthcoming lawful access legislation this Thursday, January 12. It looks to be a terrific panel, and includes British Columbia’s Information and Privacy Commissioner, Elizabeth Denham, the BBCLA’s policy director, Michael Vonn, the producer of the documentary (Un)Lawful Access, Dr. Kate Milberry, and myself. Andrew Clement, professor at the University of Toronto and co-producer of (Un)Lawful Access will be moderating. In addition to a panel discussion, Drs. Milberry and Clement will be showing their documentary, (Un)Lawful Access, and the BCCLA will be revealing their report on lawful access. I’ve contributed research to the report, with my focus being on how lawful access powers are taken up and used by governments and authorities in the US and UK.

It should be a terrific event. If you’re in the area I highly recommend attending. Information is available at the event’s Facebook page and below:

Event Details

Do you think the Internet is a powerful tool for change?

The Conservative government is trying to push through a set of electronic surveillance laws that will invade your privacy and cost you money. The plan is to force every phone and Internet provider to allow “authorities” to collect the private information of any Canadian, at any time, without a warrant.

Find out more THIS THURSDAY at 6:30 PM.

SCREENING:

The Vancouver premiere of (Un)Lawful Access, a mini-documentary about the Conservative government’s proposed online spying legislation, and what Canadian experts have to say about it.

PANEL DISCUSSION:

• Elizabeth Denham, BC Privacy Commissioner
• Micheal Vonn, Policy Director of the BCCLA
• Christopher Parsons, University of Victoria
• Dr. Kate Milberry, producer of (Un)Lawful Access
• Andrew Clement, producer of (Un)Lawful Access (moderator)

Panelists will discuss the serious implications of Lawful Access and what we can do about it.

REPORT LAUNCH:

This event is also the launch of the BC Civil Liberties Association’s much-anticipated report – Moving Toward a Surveillance Society: Proposals to Expand “Lawful Access” – the most comprehensive to date. Co-authors Micheal Vonn and Christopher Parsons will be present to answer your questions.

Location: W2 Media Cafe, 111 West Hastings St.
DOORS: 6:30 PM
CASH BAR/REFRESHMENTS
ADMISSION: By donation (suggested $5-10)*

Send a message to the government at: http://stopspying.ca/

Hosted by OpenMedia.ca and W2 (http://creativetechnology.org/)

*OpenMedia.ca Allies enter free! See http://openmedia.ca/allies for more info on the Allies program.

Other posts you might be interested in:

1. Publication: (Un)Lawful Access, Its Potentials, and its Lack of Necessity
2. Lawful Access, Its Potentials, and Its Lack of Necessity
3. Letter to Stephen Harper on Lawful Access Legislation

In February I’m attending iConference 2012, and helping to organize a workshop titled “Networked Surveillance: Access Control, Transparency, Power, and Circumvention in the 21^st Century.” The workshop’s participants will consider whether networked surveillance challenges notions of privacy and neutrality, exploits openness of data protocols, or requires critical investigations into how these surveillance technologies are developed and regulated. Participants will be arriving from around the world, and speaking to one (or more) of the workshop’s four thematics: Access Control, Transparency, Power, and Circumvention. As part of the workshop, all participants must prepare a short position statement that identifies their interest in network surveillance while establishing grounds to launch a conversation. My contribution, titled “Transparent Practices Don’t Stop Prejudicial Surveillance,” follows.

Transparent Practices Don’t Stop Prejudicial Surveillance

Controversies around computer processing and data analysis technologies led to the development of Fair Information Practice Principles (FIPs), principles that compose the bedrocks of today’s privacy codes and laws. Drawing from lessons around privacy codes and those around Canadian ISPs’ surveillance practices, I argue that transparency constitutes a necessary but insufficient measure to mitigate prejudicial surveillance practices and technologies. We must go further and inject public values into development cycles while also intentionally hobbling surveillance technologies to rein in their most harmful potentialities.

Lesson Drawing from Privacy Principles and Codes

FIPs are used to make organizations accountable for how and why information is collected, for how information is processed, and for the accuracy of retained information. It is contestable that FIPs, however integrated into policy and law, are effective in preventing surveillance technologies and practices so much as they legitimize them. As noted by Rule, codes based on FIPs “help surveillance systems to achieve their intended ends more fairly and openly” but do not “help us decide when institutional appetites for personal information simply go too far.”[1] Privacy and data protection rules and laws may make data collection and processing activities more transparent while simultaneously failing to “significantly reduce or mitigate the amount of potentially damaging social sorting that occurs.”[2] Moreover, codes and principles are commonly bound within legal privacy protections that “tend to be more circumscribed than the subjective experience of violation associated with new forms of surveillance.”[3] The law simply doesn’t keep up with, or adequately address, the surveillance-related harms and injustices that people experience on a regular basis.

While codes based on FIPs might limit data collection and empower end-users when users know they are exchanging data with specific data collectors, such codes “work less well in systems in which devices blab information indiscriminately so that there’s no way to identify a class of information collectors who can be made subject to the rules.”[4] The Internet, and the devices that silently communicate with data collectors via the Internet, constitutes a space where FIPs minimally limit the spread of surveillance technologies and practices. Even if organizations are held accountable for the data they analyze and process, end-users’ abilities to ascertain who and what is collecting and processing information is limited. Formalized privacy rules, in other words, can influence the fairness of surveillance but are less likely to stop the surveillance practices themselves.

Other posts you might be interested in:

1. Review: Surveillance or Security?
2. Rendering CCTV (Somewhat) More Transparent
3. Technology and Politics in Tunisia and Iran: Deep Packet Surveillance

Image by Surian Soosay

Automattic  has a poor record of respecting its users’ privacy, insofar as the company has gradually added additional surveillance mechanisms into their products without effectively notifying users. Several months ago when I updated the WordPress Stats plugin I discovered that Automattic had, without warning, integrated Quantcast tracking into their Stats plugin. Specifically, there was no notice in the update, no clear statement that data would be sent to Quantcast, nor any justification for the additional tracking other than in a web forum where their CEO stated it would let Automattic “provide some cool features around uniques and people counting.” This constituted a reprehensible decision, but one that can fortunately be mediated with a great third-party plugin.

In this post, I’m going to do a few things. First, I’m going to recount why Automattic is not respecting user privacy by including Quantcast in its Stats plugin. This will include a discussion about why reasonable users are unlikely to realize that third-party tracking is appended to the Stats plugin. I’ll conclude by discussing how you can protect your web visitors’ own privacy and security by installing a terrific plugin developed by Frank Goossens.

WordPress and Quantcast

In early 2011, after a major redesign of my website, I activated the Ghostery plugin in my web browser and navigated to my site. The tool “tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity.” Visually, the plugin causes a small notification box to appear in the upper right hand corner of websites that you browse to. Contained in this box are a list of the parties that are monitoring your movements across that particular website. When navigating to my own site I had expected to see WordPress Stats and perhaps some social sharing services listed. I did not expect to see Quantcast.

Quantcast’s cookies are used to monitor individuals who visit websites, and the company uses the information they collect to provide “audience composition reports.” Such reports are meant to help target online advertising and content development, but is predicated on the notion that the website owner is responsible for integrating the tracking system for the same owner’s benefit. Prior iterations of WordPress Stats did not include Quantcast tracking, and there was no notification or warning that updating the Stats plugin meant you were also forced to accept third-party tracking. Since the initial inclusion of Quantcast, the plugin’s description in the WordPress repository has been amended to include a small notice that reads “[a]s we are considering adding great new features, this plugin also puts a Quantcast tracking script on your page.”

While Automattic’s disclaimer may count as ‘notice’, it does not clarify what the additional tracking is actually meant for. Descriptions and notices around privacy policies and statements must be clear to be meaningful, and Automattic has had over a year to ascertain what “great new features” warrant transmitting website visitors’ information to Quantcast. To date, as far as I can tell, the company has not disclosed to its user base what precisely warrants sending information to Quantcast.

While there is a warning about Quantcast if you download the plugin from the repository, the support document for WordPress Stats that was updated December 21, 2011 – over a year after public complaints over Automattic’s failure to notify plugin users about the inclusion of Quantcast – still lacks any mention that a condition of using Stats is sending your site visitors’ information to a third-party. Perhaps most significantly, Automattic has recently introduced its Jetpack service. Jetpack is a bridge between self-hosted WordPress installs and Automattic’s cloud offerings, offerings that include WordPress Stats. To use WordPress Stats today you must use Jetpack. Unfortunately, Automattic has failed to notify Jetpack users of the third-party tracking accompanying the Stats plugin, as demonstrated in the lack of information about Quantcast in the following screenshot.

No mention of Quantcast tracking

It is utterly unreasonable to expect that users of the Stats plugin will hunt for a single sentence of text that discloses the inclusion of third-party surveillance with the Stats plugin. Moreover, if an enterprising user clicks on Automattic’s privacy policy linked at the bottom of the Jetpack screen they are unlikely to divine that Quantcast is associated with Automattic or the Stats plugin.

Automattic’s Privacy Policy #Fail

Let’s briefly look into Automattic’s privacy policy to determine whether a reasonable individual could ascertain Quantcast’s involvement with self-hosted versions of the Stats plugin. First, we see that Automattic

discloses potentially personally-identifying and personally-identifying information only to those of its employees, contractors and affiliated organizations that (i) need to know that information in order to process it on Automattic’s behalf or to provide services available at Automattic’s websites, and (ii) that have agreed not to disclose it to others.

Why, exactly, is Quantcast receiving any of my visitors’ personal information? We might assume that this happens so information can be processed “on Automattic’s behalf or to provide services available at Automattic’s websites.” Unfortunately, Automattic has not publicly clarified why they need this information processed. Instead, we are left with vague statements of providing “great new features.” From the privacy policy, we see that potentially personally-identifying and definitively personally-identifying information is also disclosed “in response to a subpoena, court order or other governmental request, or when Automattic believes in good faith that disclosure is reasonably necessary to protect the property or rights of Automattic, third parties or the public at large.” No subpoena, court order, or other government request is presumably requiring the link between WordPress Stats and Quantcast, nor do the tracking systems clearly “protect the property or rights of Automattic, third parties or the public at large.”

In the ‘Cookies’ section of the privacy policy, we find that “Automattic uses cookies to help Automattic identify and track visitors, their usage of Automattic website, and their website access preferences.” A reasonable person might believe that self-hosted installations of WordPress were not considered part of the Automattic website itself. Such a person might be quite wrong, however, based on Matt Mullenweg’s (Automattic’s CEO) comment about Automattic’s network, where he stated that “the bump you see in November is when we started tracking Polldaddy, ID, Gravatar, and WordPress.com Stats users in addition to WordPress.com visitors.” His comment suggests that Automattic considers self-hosted blogs as being part of the company’s network, though I doubt that this view is shared amongst self-hosted users. I should add that I have never received notice from Automattic informing me that this site is part of their network. No reasonable person is likely to come to this conclusion unless they’ve been watching the Automattic/Quantcast issue like a hawk.

Arguably the only section of the privacy policy that is suggestive of third-party tracking taking place is in the ‘Ads’ section. It reads:

Ads appearing on any of our websites may be delivered to users by advertising partners, who may set cookies. These cookies allow the ad server to recognize your computer each time they send you an online advertisement to compile information about you or others who use your computer. This information allows ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you.

From reading this, it initially seems to be addressing advertisements that appear on Automattic’s own web properties. It is utterly unclear that the ads that are shown online are going to be tied to Quantcast cookies linked to the Stats plugin.

Overall, the Automattic privacy policy is absolutely insufficient in notifying users of third-party surveillance. Those who install the stats program – website owners and developers – cannot be reasonably expected to know of Quantcast’s inclusion. This is important because if those same users have privacy policies on their websites – perhaps assuring visitors that only WordPress Stats is used to collect information and no other tracking party or system is used – then those users may be violating local laws by establishing a false contractual privacy agreement between themselves and their website visitors.

WP DoNotTrack to the Rescue

Frank Goossens has stepped up to fix the problems that Automattic is responsible for. Last December he released his donottrack plugin in response to Automattic’s unwillingness to either remove or make optional Quantcast tracking. Months after he released his plugin Automatic modified their Quantcast code, mandating a new release of his plugin. In response Frank has released an updated version of his plugin, now titled WP DoNotTrack, and made it available in the WordPress.org repository.

Frank outlines several reasons for installing the plugin:

• make your WordPress blog/ site honour visitors who request not to be tracked, even if the 3rd parties you include do not (conditional privacy)
• stop any tracking by 3rd parties (absolute privacy)
• protect your blog from rogue plugins that dynamically add malicious external javascript to your wp-admin pages (security)
• limit the number of external servers that are called from your blog (performance)

There are full configuration instructions on his website and information in the FAQ that can help you determine what options you want to flag. If you decide to just use the default settings you’ll successfully block Quantcast tracking. I cannot recommend this plugin highly enough. Not only will it improve the privacy, security, and performance of your website, but it will also ensure that you’re not making false privacy claims to your website visitors.

Other posts you might be interested in:

1. The Geek, Restraining Orders, and Theories of Privacy
2. Weebly, Analytics, and Privacy Violations (Updated II)
3. Privacy Advocates and Deep Packet Inspection: Vendors, ISPs, and Third-Parties

Photo by mjecker

Canadian advocates, government officials, and scholars are all concerned about the forthcoming lawful access legislation. A key shared concern is that authorities could, under the legislation, access telecommunications subscription records without court oversight. Moreover, as a condition of accessing these records businesses might be served with gag orders. Such orders would prevent Canadians from ever knowing (outside of court!) that the government had collected large swathes of information about them. In response to concerns aired in public, the Public Safety Minister has insisted that the legislation would merely let police access “phone book” information from telecommunications providers.

I maintain that such assertions obfuscate the sheer amount of information contained in the records that authorities would collect. The aim of this post is to make clear just how much information is contained in a single lawful access “phone record”, demonstrating that the government is seeking information that grossly exceeds what is contained in the white or yellow pages today. As a result, I first provide an example phone record that resembles those in every phonebook in Canada and then offer an example of a lawful access record. Remember that such requests may be filed to multiple service providers (e.g. Internet service provider, web forum hosts, blogs, mobile phone companies, etc) and thus a swathe of records can be combined to generate a comprehensive picture of any particular individual. By the conclusion of the post it should be evident that information provided under lawful access powers is more expansive than the phone records government ministers allude to and lay bare those ministers’ technical obfuscations.

Phonebook Records, Today

In his response to the Information and Privacy Commissioner of Ontario, Vic Toews (Public Safety Minister) insisted that police would simply have access to “phone book” information under the forthcoming lawful access legislation. He asserted that, “Our proposed approach of linking an internet address to subscriber information is on par with the phone book linking phone numbers to an address.” While government officials insist Toews’ response obfuscates just how expansive lawful access records are from traditional phone records, it is arguably challenging for the lay public to grasp the amount of information contained in the proposed subscriber record fields. So, let’s consider the differences between a phone book record accessible in your home, today, using a phone book and “phone book” data the federal government wants to make available to authorities without a warrant. The following resembles a phone record reminiscent of one in a phone book today:

John Smith, 456 Westminister Ave . . . . . . (636)-421-6124

This record contains the listed name of an individual, the address associated with the phone number,  and the area and local code for the telephone service. Not all individuals provide full details in the phone books that are distributed each year. Some individuals have their addresses removed or substitute their full names with their initials. Such modifications are often the result of people feeling uncomfortable with fully disclosing their address, phone number, and name in one publicly accessible location. Using this information you can (potentially) learn where the individual associated with a phone number lives, but you do not necessarily discover the names of particular individuals living in the home, number of people in the home, and so forth. Thus, where multiple people share a single phone and address the subscriber record may be somewhat nebulous; while it should identify an individual at the address it is questionable whether that particular individual interests the authorities.

Phonebook Records, Tomorrow

The ‘phone records’ that Minister Toews is talking about are quite a bit larger, and far more descriptive, than those found in the local yellow or white pages. As I’ve depicted them, one line grows to six, and three data items explode to eleven descriptively rich fields. The expanded list will be available as phone records to authorities but not to individuals. This stands as a clear distinction between a phone record that individuals think of in phonebooks and the record that authorities will have access under lawful access legislation. An updated record might appear as follows:

John Smith, 456 Westminister Ave . . . . . . (636)-421-6124
jsmith@example.com . . . . . . . . . . . . I.P., 10.0.0.100
MIN, 250-5211-0091 . . .  . . . . . . SPID, 636-421-6124-00
ENS . . . . . . . . 1000 0010 0001 1010 0000 0101 0110 1111
IMEI, 35-209900-176148-23 . . . . . IMSI, 310-150-564857956
SIM . . . . . .. . . . . . . . . . . 894411 0112 12333344 4

Most of what is contained in these eleven fields will be foreign to the average user. In light of this, let’s turn to unpack the new record in a line-by-line format.

The first line is identical to your typical phone book record. Note that the phone number here would be a permanent number, such as the number to call if the mobile number identified in line three is inoperable. Obviously there may be instances where there isn’t a distinction between the phone numbers in those lines if the mobile subscriber either lacks a landline or alternate mobile phone. Further, where the telecommunications service provider, such as a web forum, only has a single phone number then a mobile number might be situated on this line.

Line two offers the email address and Internet Protocol address of the subscriber in question. Email addresses will be tied to particular accounts; you may have one email address for a web forum, another for purchases online, and yet another for personal correspondence from your Internet service provider. While a singular email address is given here, this is representative of a single subscriber record from a single telecommunications service provider. It is likely that different emails (and, thus, different ‘phone records’) are kept by each of the service providers you engage with on a daily basis. The Internet Protocol address is assigned to you by your Internet service provider and is an essential element to accessing the Internet itself. IP addresses identify where data originates from and should be sent towards. Your IP address is likely either dynamic (changes with some degree of frequency) or static (permanently assigned to your modem). Regardless, using an IP address authorities could identify your Internet service provider and, from there, demand that the Internet provider disclose which subscriber was assigned the IP address at some particular time. Given that many IP addresses are dynamic it is possible that different telecommunications service providers will have different addresses attached to your record instead of the singular address offered in the example line two.

The third line contains the Mobile Identification Number (MIN) and Service Provider Identifier (SPIN). This line is needed for subscriber records associated with mobile phone/device usage. The MIN uniquely identifies a mobile device on a mobile provider’s wireless network and can be used to dial to and from the device. While the record that I provide is accessible to the human eye, MINs are typically kept in a database in two components. The area code is often stored in a 10 bit MIN2 section and the local portion in a 24 bit MIN1 section. (See UK ESN/MIN Grabbing for more information on how these two sections are divided.) Unlike other serials and codes, which are engrained into the hardware of a device, a MIN is stored in a mobile providers’ database and can be changed. A SPIN is a unique number assigned to service providers so that telecommunications switch owners and service providers can enter financial relationships for the purposes of carrying traffic. The number identifies the company that ‘owns’ the account associated with the traffic. Thus, even when calling using a Rogers mobile phone on the AT&T network, the SPIN will help to ascertain that Rogers (and, ultimately, the account owner) is responsible for paying for using the AT&T network.

The fourth line holds the Electronic Serial Number (ESN), a number that is encoded into each mobile device as a 32-binary bit number. It is embedded into the device by the manufacturer and thus is not assigned by a mobile telephony/Internet company from whom a device is purchased. The ESN is often checked against the MIN to prevent fraud. Specifically, while an individual could try and have their MIN changed to try and receive free services, by correlating the MIN and ESN in the providers’ database the likelihood of successfully conducting fraudulent activities are diminished. Moreover, with the ESN it is possible to ascertain whether the same phone is being used across a set of wireless carriers’ networks.

The fifth line contains the International Mobile Equipment Identification (IMEI) and International Mobile Subscriber Identification (IMSI) numbers. These numbers are tied to mobile devices (e.g. phones, 3G-capable tablets). The following information can be derived from the IMEI number used in the example above, “35-209900-176148-23″: that the number was issued by the British Approvals Board for Telecommunications (“35″) and given allocation code “2099″. The “00″ reveals the period of time when the device was manufactured, “176148″ reveals the serial number issued to the model of device, and the “23″ reveals the version of software installed on the phone. The IMSI identifies the mobile country code (“310), mobile network code (“150″), and mobile subscription identification number (“564857956″). “310″ is the number associated with America, and “150″ with AT&T. As a result, with the IMEI and IMSI numbers you can ascertain when the device was made, serial of the device, version of its software, nation of usage-origin, carrier-of-origin, and the subscriber code of the carrier associated with the device.

Line six has the Subscriber Identification Module (SIM) number. This number, “894411 0112 12333344 4″ in our example, is broken into subcomponents to identify different bits of information. The first two digits (“89″) are associated with the telecom operators identifier. “44″ refers to the country code and “11″ to the network code the module is associated with. The next four digits (“0112″) indicate the month and year of the SIM’s manufacture and following two numbers (“12″) of the switch’s configuration code. The next six numbers disclose the SIM number itself and the last holds the digit to confirm the validity of the SIM serial itself.

Perhaps it needn’t be stated, but as should be clear there is a significant difference between a “phone record” in a phonebook and a “phone record” under the Canadian government’s proposed lawful access legislation. A phone number and address does not reveal the manufacturer of a mobile device, when it was made, when elements of the phone were provisioned, the provider of the telephone services, and so forth. Instead, the lawful access record affords a trove of data that is far in excess of what a citizen would find when they looked up a name, address, or phone number in the hardcopy phonebook that is delivered to their door each year.

Aggregating Records for Citizen Transparency

Not all telecommunications service providers could make available a full post-lawful access legislation “phone record.” However, once authorities have a single piece of information they can then move to other service providers to develop a full record, one that could subsequently be used to map a person’s presence on the Internet, their habits, and their activities. Using open source intelligence, the email address can be employed to determine what other services are attached to that email address, and using the IP address authorities can determine where a person is accessing the Internet from (i.e. was the IP address leased to a cafe? to a home? to a business? to a mobile network?) and the billing records associated with that IP address. If browsing from Starbucks, the cafe might be able to turn over a log of users who used their wireless network during the time authorities are interested. If browsing from home, or your own mobile device, then the subscriber records associated with that billing address might be available. And, if browsing from a friend’s phone or computer, then their information might be given to police regardless of your friend’s interest to the police.

Remembering back to the discussion of traditional phone records, it is possible that multiple people share the same account and thus what turns up in the phonebook remains somewhat ambiguous. This may remain so when dealing with communal Internet connections but is far less true when dealing with mobile devices. Phones have, for many people, become fetishes that are carried on one’s person and jealously protected from third-party intrusion. Thus, the ability to ascertain who owns, and is using, a particular mobile device is far less ambiguous than who subscribes to, and uses, a landline phone. Using contemporary policing technologies such as IMSI catchers, authorities can de-anonymize a crowd by catching the IMSI associated with each phone and immediately requesting subscriber data from mobile phone providers. While it may not be legal for authorities to engage in ruses to compel individuals to identify themselves when those individuals have done nothing wrong, with IMSI catchers no ruse is needed for the identification process to occur. The term “papers please” is a distinctly analogue notion, one that can be abandoned by authorities in possession of IMSI catchers and lawful access powers.

Surveillance is being automated, and vendors are accelerating the rates that records can be collected and analysed to meet the needs and expectations of the multibillion dollar surveillance complex that has significantly grown post-9/11. Developers are not about to slow the rate of their surveillance innovations in the face of regulation that permits more expansive surveillance, records collection, and correlation of online actions with those records. Technology, however, does not determine the course of society: technology and society are mutually entwined, with each influencing the other. While surveillance architectures are being developed, if their uses are either illegal or are accompanied by high administrative or financial burdens then the architecture can lay substantively dormant save for in truly exceptional times associated with incredibly significant events. Legal friction can encourage such high costs by outlawing particular ways of collecting subscriber information and requiring administrative burdens (e.g. the warranting process) to force authorities to intentionally assign resources to access subscriber records. Reducing legal and administrative frictions in an era where technical frictions are quickly becoming a thing of the past is a recipe for expanded government surveillance. Such surveillance can detrimentally affect individuals by chilling speech and association, harm businesses by increasing the costs of complying with regulation, and force citizens to pay for their own surveillance in increased service costs and by way of their charter rights. We must avoid such harms and, as such, retain administrative and legal frictions to ensure that strong oversight bodies exist and that appropriate frictions accompany novel policing and intelligence powers.

Other posts you might be interested in:

1. Lawful Access, Its Potentials, and Its Lack of Necessity
2. Publication: (Un)Lawful Access, Its Potentials, and its Lack of Necessity
3. Letter to Stephen Harper on Lawful Access Legislation

Image by mattwi1s0n

New surveillance powers are typically framed using benevolent and/or patriotic languages. In the United States, we see the PATRIOT Act, the Stored Communications Act, and National Security Letters. Powers associated with this surveillance assemblage have been abused and people have been spied upon in violation of the law, bureaucratic procedure, and regardless of demonstrating real and present dangers. The UK has the Regulation of Investigatory Powers Act (RIPA), which significantly expanded the capabilities of police and intelligence to monitor citizens in previously illegal ways. This legislation is also used improperly, as revealed in the yearly reports from the Interception Commissioner. In Canada, the Canadian government has publicly stated its intention to press ahead and introduce its lawful access legislation despite concerns raised by the public, members of the advocacy and academic community, and the information and privacy commissioners of Canada. Here, we can also expect uses of lawful access powers to overstep stated intents and infringe on Canadians’ rights, intrude upon their privacy, and injure their dignity.

Over the past months I’ve been actively involved in working with, and talking to, other parties about lawful access legislation. This has included speaking with members of the media, publishing an op-ed, and conducting various private discussions with stakeholders around Canada who are concerned about what this legislation may (and may not) mean. Today, in the interests of making public some of the topics of these discussions, I want to address a few things. First, I quickly summarize key elements of the lawful access legislation. Next, I note some of the potentials for how lawful access powers will likely be used. None of the potentials that I identify depend on ‘next generation’ technologies or data management/mining procedures: only technologies that exist and are in operation today are used as mini-cases. None of the cases that I outline offer significant insight into the operational working of stakeholders I’ve spoken with that can’t be reproduced from public research and records. I conclude by questioning the actual need for the expanded powers.

What is Lawful Access?

Lawful access legislation enhances policing and intelligence powers. As recognized by Ontario’s Information and Privacy Commissioner, Ann Cavoukian, “it is highly misleading to call it “lawful.” Let’s call it what it is – a system of expanded surveillance.” In general, there are three classes of access powers associated with such legislation: search and seizure provisions, interception of privacy communications powers, and production of subscriber data. On the basis of past lawful access legislation that has been tabled, but not passed, we can expect forthcoming legislation to ‘modernize’ the existing criminal code to accommodate several of these powers.

To begin, the legislation is expected to require telecommunications service providers (such as Internet service providers, web forums, bloggers, etc) to be able to decrypt any communications they are responsible for encrypting. Such encryption services might be used to ensure customer privacy, such as by offering secured communications between parties. While communications may generally be secure they cannot legally be made secure from the government by a service provider offering a turnkey encryption solution. In effect, communications will thus be pseudoencrypted: protected against adversaries with the same level of power as the services’ users, but unprotected against the more powerful agents such as the state.

In addition, telecommunications service providers (TSPs) will need the ability to retain data on subscribers for up to 90 days. TSPs may be served with preservation orders, which would require them to retain data on specific individuals. Preserved data would be transferred to authorities once they have secured a production order from a judge and issued the order to the TSP. The TSP could then delete/destroy the preserved data.

Whereas preservation orders are used to require storage of the content of communications, police can access subscriber information without first receiving a court order. A wide variety of information may be disclosed, including:

• name
• address
• telephone number
• electronic mail address
• Internet protocol address
• mobile identification number
• electronic serial number
• local service provider identifier
• international mobile equipment identity number
• international mobile subscriber identity number
• subscribe identity module card number associated with the subscribers’ service and equipment

This information lets authorities definitely identify individuals and the records held on them by the TSPs used in the communications process. Accompanying the no-warrant-required elements of the bills is a capacity for authorities to install ‘number recorders’ in TSPs’ communications hubs in exigent circumstances. As noted by the National Post’s Kathryn Blaze Carlson:

A number recorder, which records the telephone numbers associated with outgoing and incoming calls, would be installed remotely by a telecommunications provider at their call centre hub. The installation can last up to 60 days, but it could be extended to one year if a warrant is obtained and if the investigation involves organized crime or terrorism.

The legislation also introduces the ability to activate and/or monitor the signals emitted from location-enabled devices that Canadians carry with them or are in regular contact with. Police can do this today but lawful access legislation would permit them to activate disabled locational systems (e.g. your phone’s GPS) including in covert ways. Such actions could be undertaken with court supervision or, potentially, in instances of emergency or exigent circumstances. It should be noted that access to geolocatational information is more expansive than just your physical location at a particular time: the legislation is also intended to let authorities discover the location of ”transactions such as geo‐tagged comments or photos from private sector service providers.” (.pdf source).

It is unlikely that a targeted Canadian will be made aware of lawful access-enabled surveillance unless charges are brought to bear. As noted in the letter that was sent to the Prime Minister’s Office in August 2011 (.pdf), and re-confirmed in Blaze’s piece, there are elements of the legislation that impose ‘gag’ orders on anyone who is ordered to comply with lawful access powers. Specifically,

Clause 6(2) permits the government to impose, in regulations, sweeping and categorical confidentiality obligations on service providers that will apply across all interception warrants. Second, under Clause 71, any telecommunications service provider obligated to comply with a warrantless seizure request will be subject to the secrecy provisions in proposed section 7.4 of PIPEDA. Proposed section 7.4 of PIPEDA prevents organizations from disclosing the fact of their cooperation with state efforts to spy on their customers. The sweeping nature of the secrecy measures envisioned by these provisions is in stark contrast to existing practice, where gag orders must be requested from a judge and justified on a case by case basis. The problem with such measures is that they will prevent individuals from challenging abuses of the powers granted in this Bill.

Lawful Access, In Summary

As I wrote in an op-ed in the Vancouver Sun in October, this legislation can be summarized as requiring:

• Corporate surveillance. Internet service providers, mobile phone providers, and even the websites that Canadians visit could become agents of the state, forced to preserve records of Canadians’ actions at the request of authorities (Source);
• Minimal oversight. Audit powers will be offloaded to privacy commissioners without corresponding material or legislative resources to effectively conduct audits and limit abuse (Source);
• Warrantless disclosures. Internet users’ subscriber information will be disclosed to authorities, regardless of the information’s usefulness or uselessness to an investigation (Source);
• Secrecy orders. Authorities might collect Canadians’ private information without those Canadians ever knowing about the collection or the reasons for collecting it (.pdf Source).

Lawful Access in Practice

A large number of Canadians who look at these proposals may feel some unease but then quickly assert that the legislation is ultimately innocuous. The standard rhetoric is that “If you have nothing to hide then you shouldn’t fear this legislation.” Such a statement obfuscates the realities of both contemporary policing and what studies demonstrate about how people actually versus rhetorically understand privacy. To begin, contemporary policing is deeply invested in identifying deviant behaviour and acting upon it in an ‘actuarial’ manner. David Lyon, a world-leading scholar on the topic and issue of surveillance, presciently wrote the following back in 2003:

As with database marketing, the policing systems are symptomatic of broader trends. In this case the trend is towards attempted prediction and pre-emption of behaviours, and of a shift to what is called “actuarial justice” in which communications of knowledge about probabilities plays a greatly increased role in assessments of risk (Lyon 2003: 15-16).

Thus, mistakenly being situated in a wrong category can have significant implications on one’s life regardless of whether a person has ‘something to hide’ or not. The degree to which one is public is (arguably) secondary to the ‘types’ of people one knowingly and unknowingly associates with, whom their associates are connected to, and the risk profiles that are assigned to those communicative partners and their colleagues. To make this somewhat clearer, consider the following: In college/university/your private life you likely communicate with individuals who have, or presently do, agitate peacefully against certain state behaviours. You may or may not be aware that those individuals agitate. Perhaps you have/do engage in discussions with those people online, either on websites that those opposed to certain state behaviours, or in the comments section of newspaper articles, or other electronic formats. Should the police be interested in tracking the individuals invested in an issue (e.g. legalization of marijuana, legal issues surrounding sex work in Canada, protest against federal decisions concerning Sri Lanken immigrants, etc) then they may request available subscriber records for all who have participated in the online discussion.

Now, let’s again assume that you were not supportive of opposition to an official government position and thus aren’t necessarily of direct interest to authorities. Regardless, your subscriber data and that of everyone else engaged in these discussions might be requested by the police. No warrant is required to provide this information. Let’s assume that you used a unique pseudonym and throwaway email address. The authorities would gain access to your IP address and email address. They would get the same information for every participant of the discussion. With this information they could turn to whomever provided the email account, as well as contact the ISP who provisioned the IP address at the specific time that you posted your message. With information from the email provider they may be able to definitely identify the ISP that you use and, from there, your name, address, and so forth. Thus, you as ‘hungrybunny19′ are identified as ‘John Smith’ who was involved in discussion with individuals who authorities are interested in monitoring for some reason or another. John Smith, you, are subsequently added into a database as associating with persons the authorities find questionable. Mr. Smith will never know that he was added into such a database because the service provide could not legally disclose that the information had been released and, as a result, Mr. Smith’s life prospects may change for legally associating and speaking with those who were similarly engaged in legal speech and association.

Perhaps you insist that this doesn’t describe you: you would never communicate about anything in any electronic environment with any person that would ever be of interest to authorities (and, if you can make and stand by these claims, you’re vetting the people that you speak with using intelligence-service-level thoroughness!). Perhaps you have a cellular phone and you have passed near major events that the police have an interest in monitoring. For example: you may have been involved in peacefully assembling during the G20 in Toronto, been a passive spectator at the Vancouver riots, visited an Occupy camp, or may simply pass by union members who are protesting working conditions in a public space several times a day as you walk around your city conducting legitimate personal business. In all cases, the authorities may have an interest in monitoring individuals associated with such groups. Using a technology known in the United States as ‘Stingray’ or, more precisely, IMSI catcher surveillance equipment, police can impersonate a cellular tower and capture all the IMSI numbers within several kilometers of the catcher (.pdf source). The IMSIs, or International Mobile Subscriber Identity numbers, can be taken to a mobile phone provider and used to compel the subscriber data associated with the caught IMSI numbers. Thus, should one of these catchers be deployed by authorities ‘just in case’ an individual may find their personal information sent along to police on the basis of their physical presence during a legal public event. The capacity to acquire IMSI numbers en masse, combined with legal powers to compel subscriber information, creates the perfect framework for mass fishing expeditions based on where citizens are physically present.

Canadians may be uncomfortable with these propositions but immediately follow up with the position that such concerns are hyperbolic. Unfortunately, a brief reflection on the history of surveillance in Canada and present actions taken by our allies (depressingly) suggests that these concerns are practically banal. During the Vancouver Olympics authorities spent incredulous amounts of money on security, an element of which was allocated towards monitoring legal associations of citizens. As disclosed in memos there were no specific, credible, terror threats against the Vancouver Olympics. Despite these threat assessments, citizens who had specific political and economic concerns were routinely placed under surveillance. In effect, citizens conducting legal actions that might lead to disruptions of the games became targets of a surveillance apparatus designed to prevent the next Munich massacre. Surveillance and intelligence gathering did not solely focus on citizens involved in protesting government actions or others associated with the Olympics, but also their contacts, friends, students, former partners, and academic and professional acquaintances. Efforts were also made to recruit neighbours, friends, and acquaintances to spy on suspected activists, and the RCMP tried to legally shield itself from fulfilling FOI requests under the guise of operational security. Under lawful access legislation, the lines of inquiry could expand beyond police associations of people online – the aforementioned people communicating in Web forums – to using technologies like IMSI catchers to identify who is often nearby citizens-under-suspicion. Having coffee with a work friend who advocates for social justice on the weekends could lead to unsuspecting, and utterly uninvolved, citizens being stuck in the same net as their law-abiding colleagues who are caught in the web of actuarial justice.

Further, Canadian authorities have a history of monitoring those who are often the least-advantaged in our society. Consider that Military Intelligence places native communities under intense surveillance. As reported in the Globe and Mail, eight reports were generated in just 18 months. Surveillance was conducted to record Natives’ concerns surrounding new tax policies, potential to blockade Highway 401, and possible future protests, lobbying activities, and lawful associations. The group responsible for this surveillance was a counter-intelligence body charged with “identifying, investigating and countering threats to the security of the Canadian Forces and the Department of National Defence from foreign intelligence services, or from individuals/groups engaged of espionage, sabotage, subversion, terrorism, extremism or criminal activities.” At no point in the reports is it evident that native groups fell under the latter set of descriptors. With the introduction of lawful access legislation other authorities could have become involved in the surveillance and compelled telecommunications providers to disclose the contents of communications. Further, using previously mentioned tactics embedded in the legislation, subscriber information and who was communicating with who could have been determined without warrant or court oversight.

In short, it is entirely plausible that lawful access could be utilized to expand existing surveillance practices conducted by Canadian authorities. There are serious oversight concerns. Specifically, the Office of the Privacy Commissioner of Canada would be hamstrung in auditing the surveillance conducted and its motivations, and the legislation fails to extend the powers of that Office to accommodate the expansion of police powers. Further, where local or provincial police conduct surveillance, audit responsibilities would fall to provincial commissioners and they similarly lack the resources to mount full-scale audits of authorities’ proposed expansive surveillance practices. This position is forcefully stated the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian. She poignantly writes that,

Canadians must press the federal government to publicly commit to enacting much-needed oversight legislation in tandem with any expansive surveillance measures. Intrusive proposals require, at the very least, matching legislative safeguards. The courts, affected individuals, future Parliaments and the public must be well informed about the scope, effectiveness and damaging negative effects of such intrusive powers.

The Need for Lawful Access

Over the past months I’ve had the opportunity to speak with counsellors, engineers, privacy officers, and policy staff for telecommunications service providers. This has ranged the gamut from ISPs to an ex-VoIP provider employee to webmasters responsible for large online environments to policy wonks for massive Internet-based corporations. The various parties I’ve spoken with have held varying opinions on the previously proposed lawful access legislation; everything from cost issues, to rights problems, to implementation woes, to issues of being identified as a ‘problem’ in the policing process.

All, however, have told me in almost every case that data is requested on exigent circumstances grounds it is, in fact, disclosed.

What, specifically, is the need driving the legislation then? Authorities have routinely insisted that lawful access powers would only be used when investigating the most serious of crimes (e.g. see this audio interview with the CBC’s ‘Spark’) but in other jurisdictions we regularly have seen expanded surveillance used to investigate less serious offences. For extensive documentation of such ‘expanded uses’, see Priest’s and Arkin’s Top Secret America: The Rise of the New American Surveillance State, allegations that the FBI conducted dragnet surveillance to trace bank robbers, claims that routine conversations lead individuals to be labeled as potential terrorists in government databases, inappropriate monitoring of hundreds of people each year, yearly monitoring of over 500,000 people’s communications records, or the usage of terror-based surveillance provisions to ensure children are registered in correct school districts. I cannot state emphatically enough: this is a very small sampling of how widely used lawful-access style legislation is used by our closest of close economic, political, and military allies. There is no reason that Canadian authorities won’t demonstrate the same types of behaviour.

British Columbia’s Information and Privacy Commissioner, Elizabeth Denham, has asserted that authorities have not demonstrated evidence that investigations have been thwarted under existing access powers. Authorities have failed to provide empirical data that reveal a clear and present need for enhanced powers contained in past, or forthcoming, lawful access legislation. Authorities have noted concerns with warranting processes and if these concerns are legitimate (insofar as they can be documented using empirical datasets) then perhaps Parliament should consider modifying the warranting process or increase resources so that warrants can be processed more rapidly. If, however, authorities are simply looking abroad and finding their power lacking in comparison – and cannot clearly outline why they need their compatriots’ powers to protect us from truly serious crimes – then they should not be granted expanded powers. Police and other authorities should not be permitted to infringe upon Canadians’ rights and further erode expectations of communicative privacy, associative privacy, or basic dignities on the basis of cross-jurisdictional envy.

Other posts you might be interested in:

1. Publication: (Un)Lawful Access, Its Potentials, and its Lack of Necessity
2. The Anatomy of Lawful Access Phone Records
3. (Un)Lawful Access: Vancouver Premiere & Panel Discussion

Photo by JolieNY

Mobile penetration is extremely high in Canada. 78% of Canadian households had a mobile phone in 2010, in young households 50% exclusively have mobiles, and 33% of Canadians generally lack landlines. Given that mobile phones hold considerably more information than ‘dumb’ landlines and are widely dispersed it is important to consider their place in our civil communications landscape. More specifically, I think we must consider the privacy and security implications associated with contemporary mobile communications devices.

In this post I begin by outlining a series of smartphone-related privacy concerns, focusing specifically on location, association, and device storage issues. I then pivot to a recent – and widely reported – survey commissioned by Canada’s federal privacy commissioner’s office. I assert that the reporting inappropriately offloads security and privacy decisions to consumers who are poorly situated to – and technically unable to – protect their privacy or secure their mobile devices. I support this by pointing to intentional exploitations of users’ ignorance about how mobile applications interact with their device environments and residing data. While the federal survey may be a useful rhetorical tool I argue that it has limited practical use.

I conclude by asserting that privacy commissioners, and government regulators more generally, must focus their attention upon the Application Programming Interfaces (APIs) of smartphones. Only by focusing on APIs will we redress the economics of ignorance that are presently relied upon to exploit Canadians and cheat them out of their personal information.

Mobile Privacy

The latest smart devices often spur national headlines and consume hours of television reporting and advertising. Consumers are typically sold of the ‘cool’ features of devices, such as video chats, new intuitive gestures, better screens and speakers, superior access to third-party applications, music services, and so forth. Rarely are security improvements or enhancements to user privacy anywhere near the popular marketing material. This isn’t to say that innovations in security aren’t regular: every generation of Apple’s iDevices have been accompanied by more sophisticated hardware- and software-based security innovations, and the same can be said for Android, Blackberry, and Nokia devices. Innovations in privacy are somewhat rarer. Some proponents of smartphone privacy, such as Apple, have chosen to walk away from strong privacy settings in preference for more ‘engaging’ interfaces. Contemporary conveniences have come at the cost of consumer privacy protections.

There are (at least) three key areas where mobile privacy commonly comes to the fore. The integration of GPS and wifi-based location tools with the core operating systems of contemporary phones has, and will continue to, raise serious concerns about locational privacy. In tying contact information with underlying APIs, along with weak consumer privacy protections, expectations of privacy in who we associate with are threatened. Finally, poor management of third-party applications’ access to stored data has, and will likely continue to, limit consumers’ abilities to secure their data or prevent borderline malicious surveillance processes from taking place.

I will note that many of the examples I draw on will refer to Apple’s iPhone, with far fewer examples drawn from other smart phones. This isn’t necessarily meant to single out Apple but is the result of conducting months of research on deficiencies associated with Apple products. Other devices – Android in particular! – have and will likely continue to manifest security vulnerabilities that infringe upon their users’ expectations of privacy.

Location Privacy

Where a mobile device happens to be on a regular and not-so-regular basis can reveal considerable amounts of information about an individual, especially when data is collected over extended periods of time. Using basic data mining (and common sense) it is possible to identify routine movement patterns, where someone is likely to be at any time of the day, where they live and work, whether they suffer from medical conditions requiring (semi-)regular treatment, when an abnormal life event occurs, and so on. While these movement patterns are revealed regardless of whether someone has a smartphone, feature and dumb phones are less able to disclose this information to non-carrier partners. All three types of phone will disclose the following to a carrier (and anyone it’s partnered with): information such as cell identification, signal level, angle of arrival, time of arrival, and time of difference to arrive can be used to calculate a phone’s position.[1] In the case of smartphones, third-party applications can typically access collected location information and transmit it back to its corporate servers. Further, on smart devices location information can be collected by identifying nearby wifi access points, by activating the GPS system, and/or by locating the phone in relationship to cellular towers.

Once movement location is collected it can have other data overlaid upon it to gain deeper insight into who is using the phone. Imposing demographic, psychographic, and consumer information over geolocational data can establish nuanced profiles.[2] Such profiles are not just geolocationally-sensitive but also vary over time. By integrating time as a variable the data miner can develop deeper insights about the device owner by integrating migratory patterns with behavioural and imputed racial characteristics (e.g. pinpointing a phone as at gay pride parades, carnival routes, or other cultural events that have publicly disclosed geo-temporal characteristics).[3]

In the case of the iPhone, Apple had initially required application developers to query the user every time before accessing the GPS sub-system or locating the phone using nearby wifi access points. This meant that a customer could sporadically disclose their location as they saw fit, trading their privacy for specific benefits. This capability, which was present in all versions of iOS prior to 3.2.1, has subsequently been replaced with a uniform opt-in/out mechanism. If a user selects “OK” once when an application asks to access a device location they must do the following to modify their configuration:

1. Open Settings;
2. Select General;
3. Open Location Services;
4. Turn off a particular application’s sharing of the device location.
5. Steps 1-4 must be repeated every time that a user wants to opt-out of location sharing again.

While this is an opt-in approach, it stands in stark contrast to Steve Jobs’ statements at the D8 conference. Specifically, Jobs stated that Apple has a “very different view of privacy than some of our colleagues in [Silicon] Valley. We take privacy extremely seriously. That’s one of the reasons we have the curated apps store. We have rejected a lot of apps that want to take a lot of your personal information and suck it up into the cloud. Privacy means that people know what they’re signing up for. In plain English, and repeatedly, that’s what it means. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of you asking them. Let them know precisely what you’re going to do with their data.” Evidently, Apple no longer takes privacy as seriously as it had in previous iterations of its business strategy.

In the case of Windows Phone 7 device, many of the applications will request access to location information as a precondition of installing the application. This is true for RSS feed readers, calendaring programs, and video games. Some applications, such as the BC Ferries Sailing Information app, prominently display an option on the main screen so that users can opt-out of location sharing at any time. Unlike Apple, however, Microsoft’s phone does not contain a setting page where users can opt-out of location sharing on a per-app basis. Instead, users must entirely disable or enable all location services. Many apps will let you subsequently opt-out of location sharing, but where to disable the feature varies depending on the application.

Smartphones also have a habit of turning their users into ‘warphoners’. To clarify, this means that the phones detect, store, and subsequently transmit information about the wifi access points the phones pass by (with geolocation information) to their respective corporations. Microsoft, Apple, and Google have all been ‘caught’ capturing locational information and sending it home to their servers. While Google’s database does limit some of the information it discloses, we can intuit its capabilities based on what was revealed about Microsoft’s own location database. Specifically, when researchers examined the Live.com database they found that some of its items moved from location to location. The Live.com database was tracking where mobile hotspots were and, thus, giving Microsoft and those accessing the database insight into the movements of not just mobile phone owners but also of non-Windows phone users who had mobile wifi access. On a contemporary smartphone there is no reason why a third-party application couldn’t also develop similar sniffing services that operated while the app was running.

Various privacy officials have stated that there is relatively little harm in access point information being captured. Unfortunately, few seem aware of how easy it is to collect a router’s MAC address. With this address it is possible to query publicly available databases that retain correlated MAC addresses and location information. Using this information, you can identify where an individual is physically situated.

Unfortunately, many data protection and privacy commissioners operate on complaints-based systems dependent on citizens identifying harms. Most citizens are poorly situated to trace the data flowing in and out of their phone, and have limited insight into what happens to data after it leaves their device. Those that know may be bound by non-disclosure agreements, limiting their ability to contribute to the public sphere. In light of these limitations commissioners and regulators must proactively engage with smartphone manufacturers. Government officials must ensure that APIs guarantee effective privacy controls over location information so that citizens can ‘control’ or be aware of the flow of their personal information.

Association Privacy

The fact that considerable amount of personal information is held on mobile phones is nothing new. There have been worries around what happens if a person loses their phone for years, and such anxieties will likely continue as long as humans outsource memory retention to semi-animate objects. What has changed with the rise of data-enabled devices is the ease of unknowingly losing your contact list without ever having physically lost hold of your phone. The loss of this information not only compromises contact details of associates and colleagues, but also sheds light upon who the device owner likely communicates with, has met, or generally has in their social network. Such revelations impact citizens’ association privacy, insofar as they cannot be sure that their communications device won’t indiscriminately disclose to parties-unknown about who the owners associate with. Such revelations can have chilling consequences and also lead to profiles being developed that negatively impact the device owners or others who have their information stored on the mobile device.

All smartphones have address books (or address book equivalents, in the case of Windows Phone). The iPhone, in particular, is well-known for letting third-party applications transmit copies of users’ address books. Apple installs their ‘Contacts’ app on all phones and it cannot be removed by the phone owner. In a report by the European Network and Information Security Agency (ENISA), it was noted that there was a serious privacy concern related to how third-party applications interact with the ‘Contacts’ application. The report’s authors write, “…in iOS, the address book is accessible to all apps. No special status is given to the user’s own contact details in the address book, meaning that, apart from the large amounts of personal data this exposes, the user’s own phone number is also accessible, which can be used for unsolicited marketing” (.pdf). Third-party application developers can access a considerable amount of personal information without first informing users of the access.

To be more specific, software engineer Nicholas Seriot writes that the following items are accessible through the Address Book database, which underlies the Contacts application:

• Names of contacts;
• User and contacts’ phone numbers;
• User and contacts’ email addresses;
• Notes field, “in which many Mac users store sensitive data such as door codes or bank accounts’” (.pdf)

These concerns are not just academic or hypothetical. In 2008, Aurora Feint was caught looking through the Address Book Database, sending it unencrypted to their servers, and subsequently matching the data against others users’ contact lists to inform users when their contacts/friends were also playing the game. In this case Apple did identify the problem and subsequently removed the application from their app store. Importantly, however, the problem was detected after it had previously been approved for sale within their curated environment and following considerable public outrage. Other companies have secretively collected data as well: MogoRoad collected Swiss phone numbers to subsequently call users (though not in contravention of Swiss law) (.pdf) and Storm8 collected users’ phone numbers and correlated them with users’ names, email address, and unique device identifiers.

Apple does note in their iOS Reference Library that “the Address Book database is ultimately owned by the user, so applications must be careful not to make unexpected changes to it. Generally, changes should be initiated or confirmed by the user.” Despite this suggestions, it remains possible for application developers to access, transmit, and modify information from the Address Book database without first requesting the user’s permission.

Of some concern is Apple’s more recent response when contacted about applications that transmit contact information without user consent. In their paper, “PiOS: Detecting Privacy Leaks in iOS Applications” [.pdf] researchers M. Egele, C. Kruegel, E. Kirda, and G. Vigna found that popular social network application Gowalla transmitted a user’s contact book, in its entirety, without the owner’s consent. When the authors contacted Apple about this indiscriminate appropriation of contact information the company suggested that the researchers direct their concerns directly to the application developer.

There are several problems with how Apple has established the API for their mobile environment. To begin, their API enables access to contacts information without imposing code-based restrictions. This is a serious deficit. Second, the information that is being shared is not exclusively owned or controlled by the phone owners. There is no ability for those in the ‘Contacts’ application to consent to the disclosure of their personal information to a third-party. Moreover, given their lack of consent or notice to the device owner, and given that we cannot reasonably expect that those included in the contacts book will be notified of disclosures, it is dubious that individuals in a person’s contact book will ever know to contact the application developer and have their personal information removed. Ignorance permeates all stages of the disclosure process, and this ignorance fuels the monetization of personal information.

Device Storage Privacy

Of course, there is even more information that is stored on these devices. In the case of iDevices there is a unified keyboard cache that is accessible to third-parties. The cache “contains all the words ever typed on the keyboard, except for the ones entered in the password field. This is supposed to help autocompletion but this mechanism effectively acts as a key-logger, storing potentially private and confidential names and numbers.” (source .pdf) As it stands, third-parties that access this information – without the owner knowing about this caching feature, or consenting to third-parties accessing it for non-cut/paste purposes – can uncover significant personal information about the owner. Have they recently been searching for medical products? Have they been visiting job search or infidelity websites? Have they input addresses, text messages, emails, or comments in web forums that could be sensitive? All this information is prospectively available.

Device storage is typically what people worry about when thinking of mobile security. Specifically, they establish passwords for their mobiles so that if the devices are lost then whoever finds the phone cannot immediately access its full contents. While physical access protection is important – and something that was specifically noted in the federal privacy commissioner’s recent survey – it is a very small part of a much larger device security and privacy framework. Simply setting a password protects you against the most obvious, if not the most common, sources of data appropriations, privacy infringements and security breaches.

Reporting on Perception-Based Studies

The purpose of walking through these security and privacy vulnerabilities isn’t intended to drive people away from smartphones or any other computing device. Rather, it is meant to underscore the current technical reality of owning and using the devices. Few people, even those who are technically savvy (myself included!), can limit the sharing of information if they are using certain smartphones. Privacy settings are not intended to maximize customer privacy but to facilitate perceptions that companies are meeting consumer privacy concerns. That these same companies enable the dissemination of personal information to third-parties, often without consumers learning about the dissemination or purposes of data collection, indicate the importance that Apple et al places on consumer privacy. Even for the interested consumer, many apps lack a privacy policy and neither Apple nor Google require developers to create or make available such policies. Indeed, to ‘simply’ access Apple’s own privacy policy from their iDevice consumers must do the following:

1. Select ‘Settings’
2. Select ‘General’
3. Select ‘About’
4. Select Legal
5. Press screen until copy option is available and copy the URL to the privacy policy
6. Click the ‘Home’ button
7. Open Mobile Safari
8. Select Address Bar and paste URL
9. Select ‘Go’

Given the reality that customers cannot secure their personal information, or effectively even be aware of when or where it is flowing, headlines concerning the Privacy Commissioner of Canada’ recent survey can be both misleading and harmful. CBC led their coverage of the report with an article entitled “Canadians lax about cellphone security“ and the Vancouver Sun with “Do a better job protecting mobile privacy, Canadians told.” The articles pick up on the fact that a minority of Canadians establish locking passwords or modify their privacy/sharing settings on their mobile devices. The actual study notes that those who store personal information on the devices are more likely to install a password (52% versus 33%) as are those who install applications beyond those installed on the phone by default (68% versus 27%). The report also notes that almost 60% of the people with GPS-enabled phones don’t actually have the GPS enabled. The majority is somewhat concerned about privacy issues stemming from location information but the survey fails to inquire whether their GPS-enabled devices are smartphones that can (and do) leak and collect location information based on other data sources.

While it is admirable that many people claim to modify their mobile device settings to limit data disclosure, such modifications have varying degrees of effect. In the case of an iPhone, key bits of data are being collected by third-parties without customers having any option to prevent the collection and subsequent dissemination of personal information. The iOS API itself permits for accessing the address book, and similar public calls can discretely be made to the wifi location system and the keyboard cache. The nature of iDevices make these actions possible. Thus, even if an iPhone user has a password their data is insecure from the companies invited onto the device. Further, establishing a password is insufficient to secure a mobile device: did the users of iDevices use more than the 4-digital password, which is required to initiate the full range of iDevice encryption? What did users of older devices, which no longer receive security updates, do with their devices? Use them? If so, did these same users identify themselves as taking actions to secure their privacy and believe it was effective?

The problem with the study, and with the subsequent headlines, is that it fails to adequately identify who an data thief might be and suggests that owners can genuinely protect their privacy if using their devices. Generally, individuals will assume that it’s a bad third-party, not Apple  or their favourite video game manufacturer, who is going to abscond with their personal information and that of their family, friends, and business contacts. When the hostile party is the operating system itself consumers can only save themselves by refusing to purchase or use the device, or by relying on government regulators to prevent the harm and force manufactures to sell devices that comply with Canadian law.

Undermining the Economic of Ignorance

The problem with studies like the Privacy Commissioner’s – if only for how the media will report on them – is that consumers come to believe that they are primarily responsible for security failures. This offloads a considerable amount of responsibility from government officers to a relatively impotent citizenry. Further, the survey offers a sense that device owners can take actions to significantly limit the primary vectors of information leakage. While they have some control over a few vectors they rarely have control of the primary means of information collection and dissemination.

There is a high level of friction when a customer must disable systems-level processes to use an application without disclosing location information. Performing such actions add considerable delays in accessing features of the phone and, as a result, most consumers simply will not disable location awareness on a regular basis. This is a behaviour we will see even if the device owners are uncomfortable with persistent disclosures. Such high levels of friction also indicate near-absolute absences of any genuine privacy-by-design features. Privacy-by-design does not simply mean that citizens can proactively protect their privacy but that user interfaces are configured to best let citizens control how and when they disclose personal information. Not only is it incredibly hard to limit the sharing of personal information using the devices’ options (varying UIs in the same operating system, single opt-in options, having to burrow through layers of settings to opt-out of features that can negatively impact the rest of the device’s operation, etc) but in many cases the dissemination of personal information cannot be blocked, no notice is given of disseminations, and data cannot be subsequently deleted from third-parties’ repositories. For many smart phones, APIs should stand for ‘Advanced Privacy Intrusions’ instead of ‘Application Programming Interfaces’.

Unwanted collection and dissemination of personal information, to say nothing of the lack of notice or inability to delete disseminated data, exploits users’ ignorance and impotence for economic gain. The smartphone ecosystem is substantially predicated on an economics of ignorance which, if unveiled and addressed by parties with significant direct market power, is reversible.

To be forthright: companies do not collect large sums of data and pay to store it in their databases for no reason. Corporations are not in the habit of intentionally increasing the costs of doing business without some profit-based rationale. After selling an app of $0.99 or less no company is interested in then developing an ever-larger server infrastructure to store collected personal information without anticipating a return on their investment. The issue, however, is that many apps lack discernible privacy policies and users – especially those in curated gardens – may ‘trust’ the applications they install on the basis that a ‘knowledgable’ party is believed to have rooted out bad or malicious applications. While this may be true in some cases, Apple’s integration of surreptitious data expropriation without consumer consent into their API clearly reveals that the gatekeepers who directly profit from application sales cannot be trusted. We cannot trust the fox to protect the henhouse from the other foxes!

Popular consumer surveys can be valuable. They are noticeably less helpful when delving deeper and deeper into technical matters, of which few members of the public should be expected to know much about. Consumers may be cognizant of superficial ways to protect their personal information on their devices. Those same knowledgable consumers are far less likely to know about the deeper vulnerabilities and intentionally designed weaknesses that pervade mobile devices. Consequently, privacy commissioners and government regulators more generally should take long, hard looks at how mobile operating systems are designed. They should ensure that the systems – and by extension the information environments they spawn – comply with Canadian law.

Commissioners should focus on the source of the worst privacy concerns which, in the case of smartphones, arguably originate in the design of operating system APIs that exploit citizens’ ignorance of how and when data is migrated off of their smartphones. While there is some value in evaluating how often people modify their sharing options on mobile phones it is as important to know why they don’t modify these settings - are they using devices where they don’t know how to do so, or find it tiresome to manage their privacy? If yes to either of the latter, then there has been a serious failure in designing the operating system’s graphic user interface. In the case of Apple and Microsoft, both of whom have almost entirely locked down basic facets of their operating system while investing heavily in designing their mobile environments, these are intentional (if correctable) errors.

If operating system manufacturers will not restrict indiscriminate and non-consensual sharing of personal information on their own then the Canadian government should step in. Government, using its regulatory powers, can resolve market imbalances by investing in the research to identify market problems and subsequently correcting information asymmetries that disrupt market processes and that infringe upon Canadian law. Such corrections might entail issuing fines on a per-device sold basis, publicly naming and shaming offending companies, or ever using federal dollars to deliver public warning announcements about the harms associated with specific smartphone operating systems.

Regardless of the solution, it should be significant enough to either rebalance the information assymetry between consumers and device manufacturers or disrupt the profitability of exploiting ignorance to extract personal information from mobile devices. Ultimately, commissioners and regulators must demand that device manufacturers either provide APIs that comply with Canadian law or change existing APIs in the face of prevalent privacy issues. Where neither of these conditions are met, OS vendors should be forced to suffer significant penalties. The only way to secure devices’ security and citizens’ privacy is to erode the economics of ignorance that application vendors and device manufacturers alike depend on to cheat Canadians out of their personal information.

References

[1] C. A. Ardagna et al. (2008). “Privacy-Enhanced Location Services Information,” in A. Acquisti, S. Gritzalis, C. Lambrinoudakis, and S. De Capitani di Vimercati (eds.). Digital Privacy: Theory, Technologies, and Practices. New York: Auerbach Publications.

[2] G. Elmer. (2004). Profiling Machines: Mapping the Personal Information Economy. Cambridge, Mass.: The MIT Press.

[3] See: D. Phillips’ and M. Curry’s “Privacy and the phonetic urge: Geodemographics and the changing spatiality of local practice.”

Other posts you might be interested in:

1. Decrypting Blackberry Security, Decentralizing the Future
2. Review: Surveillance or Security?
3. Twitter, Mobile Browsers, and Metadata Privacy

Photo by Chris Daniel

Those who create and author technical systems can and do impose their politics, beliefs, and inclinations onto how technology is perceived, used, and understood. On the Internet, this unfortunately means that the technically savvy often recommend choices to users who are less knowledgeable. A number of these recommendations are tainted by existing biases, legal (mis)understandings, or stakeholder gamesmanship. In the case of website development firms, such as Weebly, recommendations can lead users to violate terms of service and legal provisions to the detriment of those users. In essence, bad advice from firms like Weebly can lead to harms befalling their blissfully ignorant users.

In this short post, I talk about how Weebly blatantly encourages its customers to conduct surveillance on websites without telling them of their obligations to notify website visitors that surveillance is being conducted. I also note how the company deceives those visiting Weebly’s own properties by obfuscating whether information is collected and who is involved in the collection of visitors’ data. I conclude by briefly noting that Google ought to behave responsibly and publicly call out, and lean on, the company to ensure that Google’s Analytics product is used responsibly and in concordance with its terms of service.

What is Weebly Doing?

Weebly is a company driven to help people get online. To this end, they provide an easy to use interface that lets Weebly customers create websites. Its day-to-day functionality in designing and creating webpages have already been reviewed, so that’s not going to be something I address. Instead, I identify two problems: First, how the company instructs users to use Google Analytics; second, the company’s failure to disclose that they are applying Google Analytics to their users’ webpage without imposing privacy notices on users’ sites that disclose this practice.

When you sign up for a Weebly account, you can quickly learn how to start using Google Analytics to track your visitors by clicking on the prominently displayed ‘Support’ tab, and subsequently navigating to ‘Stats & SEO’ and ‘Add Google Google Analytics to a Site.’ Once there, customers are guided through the process of registering for a Google account, getting the code required to run Google Analytics and how to to paste the code into the Weebly website design wizard. Nowhere are Weebly customers informed that Google requires Analytics users to post a privacy policy, nor is there any suggestion that Google requires a particular bit of legalese before a user can legitimately run the product. I contacted Weebly last month and requested that they modify their FAQ to inform users that they needed to create a privacy policy when running Google’s product. Weebly has yet to respond. All the company would need to do is add the following line to their present support page:

Before publishing your website, you will also need to create a privacy policy to notify visitors that you are using Google Analytics. To do this, you will need to add another page (see the Create a New Page knowledge base article on how to do this), ensure that it is prominently displayed, and insert the following statement:

“This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”).  Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States . Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.  Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.  You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.  By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

Since I discovered what Weebly was(n’t) doing, I’ve contacted a variety of users who have followed the company’s instructions to install the Analytics product but whom had no idea that any kind of privacy policy or legal language was required to use the product. While it is disappointing that the company has yet to respond to me, change their privacy policy, or notify their users, it is perhaps unsurprising. Weebly themselves obfuscates their usage of the Google Analytics service. I identified their usage of Google Analytics by navigating around the Weebly website in Firefox with the Ghostery plugin installed after I had logged into their service. (Curiously, non-logged in users are also tracked by Google Analytics on the Weebly support page though not necessarily on other elements of the public website.) In their privacy policy, the company notes that:

Weebly may automatically receive and record information on our server logs from your browser, including your IP address, cookies, and the pages you request. We also may collect other use information as part of our analytics services, in order to improve the service.

Of course, this statement suggests that the company may not automatically receive and record the information. Clearly this is not the case, unless they decide to configure their systems to intentionally discard the information. ‘May’ then comes to mean ‘technically it is a possibility that we would not collect information, despite our lack of intentions to do that.’ It is, in effect, a term used to misguide anyone who actually reads their privacy policy. Moreover, they never once mention that at least some element of their analytics services are actually third-party owned and controlled. This is not a small matter, as Google themselves states that they may further transfer collected data to third-parties; users are not just entering an agreement with Weebly but with Google as well, though they never know that Google is a member of the user-Weebly relationship. Neither the Weebly support page, nor pages shown to logged in customers, have a separate privacy notice that indicates that the company is using Google’s third-party analytics engine. Consequently, users are not well informed about the surveillance that is being conducted and cannot reasonably consent to the surveillance on grounds that they lack the knowledge to consent. Further, no user can ever agree with Google’s statement that the company “may collect other use information as part of our analytics services, in order to improve the service.” In effect, we have a large and growing Web 2.0 company that seems to be intentionally misguiding its visitors and ‘educating’ its user base to similarly misguide their visitors.

This ‘misguidance’ is compounded by their possession of a TRUSTe privacy seal. The seal is intended to demonstrate the company’s commitment to privacy, though as discussed by Bennett and Raab (2006) “there is no provision in the TRUSTe program for an onsite examination of a site’s privacy practices as a precondition for receiving the TRUSTe mark. In the case of a privacy violation, licensee sites are contractually liable to a more comprehensive examination of its privacy practices. A TRUSTe-designated public accounting firm will then investigate the alleged violations. However, this comprehensive examination is only performed “for cause” at TRUSTe request in response to formally stated concerned about a licensed site’s compliance with the TRUSTe requirements” (165). In aggregate, Weebly is intentionally, and actively, contributing to not just the surveillance of visitors to its properties, but to masking its actual business practices whilst representing itself as a ‘privacy friendly’ corporation.

Of course, even if a Weebly customer does not sign up to Google Analytics that customers’ website visitors will regardless be monitored using the Google product. In my test, using the website ‘testingprivacy.weebly.com‘ and Ghostery, I found that both Google Analytics and Quantcast were in operation as soon as the site was published. I never added the required Analytics code, nor the Quantcast code, to the website. Both were running and transmitting data about visitors’ use patterns without any notice to those users or notification to site owners that such surveillance was taking place. Thus, not only could visitors not realize what was going on, but site owners themselves were not notified. This is clearly unethical behaviour that, at the very least, violates Google’s own terms of service. Specifically, any and all websites that run Google’s Analytics product must include a privacy policy that is placed in a “prominent position.” Moreover, the owner must use “reasonable endeavours” to bring the policy (and Google’s required text) to the website’s users. Weebly is not doing this on their users’ website and, thus, is arguably violating the terms of service that Google lays out for using the Analytics service. As far as I can tell, Quantcast lacks requirements similar to Google, and thus authorizes the use of Quantcast surveillance without requiring notice to website visitors.

Google Needs to Step Up

Weebly is not a small organization. The company’s web development platform is reportedly used by over 7 million people and has previously been recognized as one of Time’s top 50 websites. While Google could be excused for not noticing when individuals or small organizations are misusing their products, this is a case where a medium-to-large sized organization is flagrantly deceiving their users about the deployment of  a Google product. Google should step up and begin monitoring for such violations and in Weebly’s case put a moratorium on delivering statistics to the company on the basis that Weebly has already mislead users about the tracking mechanisms the company deploys. Further, Google should only enable Analytics for Weebly users if those users have published a privacy policy on their website.

Would this process be more onerous than Google’s current ‘please read a lot of legal text and then add something to your website’ whilst relying on ‘Scout’s honour’? Yes. Would doing so contribute to making people a little more aware of the magnitude of online surveillance? Yes. Would such an action comply with the Google’s mantra of ‘Do no evil?’ Yes.

Now, will a privacy policy stop people from using Analytics engines? Of course not, and that’s not the point. From a pedagogical point of view, the value of creating a privacy policy is that it makes website developed briefly reflect on their own data collection, retention, and analysis processes. They become aware of what it means to be engaged in surveillance. There isn’t anything necessarily wrong with using Analytics, but if people feel ‘awkward’ publishing a privacy policy on the basis that they don’t want visitors to know surveillance is being conducted then those same people should reflect on whether they even want to monitor their web visitors. True, this moment of reflection might be brief, and the depth of reflection quite shallow, but the simple awareness of one’s engagement in online surveillance establishes a helpful baseline from which subsequent discussions about online surveillance can be launched. While there is a pedagogical moment for otherwise ignorant users, when businesses are conducting deceptive practices the brunt of the law ought to be brought to bear and punishment meted out.

Google demands that a very low baseline be met as a condition of using Analytics to surveil web visitors: the company should be obliged to ensure that the baseline is met and, where it isn’t, apply consequences for violating Google’s terms of service. If Google can take a hard line on pseudonyms on their social networking service, why can’t they take a similar line concerning the use of the company’s older Analytics product?

Update (I)

David Rusenko, Weebly’s CEO, contacted me on August 16, 2011. Since I posted this piece, the company has modified a clause in their privacy policy to indicate that they will, and are, collecting information from web browsers and storing the information. The updated clause reads:

Weebly automatically receives and records information on our server logs from your browser, including your IP address, cookies, and the pages you request. We also collect other use information as part of our analytics services, in order to improve the service. However, we do not link such information to any personally identifiable information you submit while on our site.

Thus far this is the only change that has been made to the company’s privacy policy. I still do not believe that customers or visitors will read the following clause and realize that the company uses a third-party analytics engine (Google Analytics) to monitor online transactions, nor am I certain that this meets Google’s own requirements.

Weebly may use or share your personal information where it is necessary to complete a transaction, to operate or improve the Weebly products and services, or to do something that you have asked us to do. We use other third parties such as a credit card processing company to bill you for goods and services. These third parties are prohibited from using your personally identifiable information for promotional purposes.

This said, the company has stated to me that they will update their support page on setting up Google Analytics. Specifically, they will include instructions on constructing a privacy policy, to the advantage of those users who are simply following the company’s guidance. As for Weebly’s usage of Google Analytics and Quantcast on their customers’ websites, they intend to “make progress” in this area but maintain that this will take time given that it could significantly impact the design of their customers’ websites (i.e. adding privacy policies to each page). I look forward to seeing this progress.

I hope that the company makes further strides by modifying their privacy policy to indicate to visitors that Google Analytics and other third-party monitoring systems are in use. I also hope that Weebly fully commits to making prominent the use of similar monitoring systems on their customers’ web pages. As changes occur – further modifications to the privacy policy, updates to the support page on setting up analytics, and impositions of privacy policies on their customers’ web pages – I will update this post.

Update (II)

Since my last update, Weebly has further modified their privacy policy to clearly indicate that they are using Google Analytics. They have specifically added a section titled “Google Analytics” and include the language required by Google. This is an excellent step forward and makes very clear to their visitors that the company is using the third-party analytics system.

Book Source

C. J. Bennett and C. D. Raab. (2006). The Governance of Privacy: Policy Instruments in Global Perspective. Cambridge, Mass.: The MIT Press.

Other posts you might be interested in:

1. Google Analytics, Privacy, and Legalese
2. Deep Packet Inspection and the Confluence of Privacy Regimes
3. Privacy Issues Strike Street View (Again)

Photo by Jonathan McIntosh

For the past several years, public advocates, academics, the privacy commissioners of Canada, and members of the Canadian Parliament have all voiced concerns about proposed lawful access legislation. There are generally three types of ‘powers’ associated with such legislation: (1) enhanced search and seizure provisions; (2) increased interception of privacy communications powers; (3) production of subscriber data. During the last election cycle, Stephen Harper assured Canadians that within 100 sitting days lawful access provisions would be passed, along with other legislation, in an omnibus crime bill. Lawful access legislation has not been fully debated in the House or Senate, and has significant implications for the future of anonymity and privacy on the Internet, while simultaneously expanding police powers without a clearly demonstrated need to expand such powers.

Working from the most recent lawful access bills, which died when the last election was called, advocates and academics have come together to send a letter of concerns to Prime Minister Harper. Our concerns are as follows:

• The ease by which Canadians’ Internet service providers, social networks, and even their handsets and cars will be turned into tools to spy on their activities further to production and preservation orders in former Bill C‐51 – a form of spying that is bound to have serious chilling effects on online activity and communications, implicating fundamental rights and freedoms;
• The minimal and inadequate amount of external oversight in place to ensure that the powers allotted in these bills are not abused;
• Clause 16 of former Bill C‐52, which will allow law enforcement to force identification of anonymous online Internet users, even where there is no reason to suspect the information will be useful to any investigation and without adequate court oversight; and
• The manner in which former Bill C‐52 paves the way to categorical secrecy orders that will further obscure how the sweeping powers granted in it are used and that are reminiscent of elements of the USA PATRIOT Act that were found unconstitutional.

On a final note, we object that Canadians will be asked to foot the bill for all this, in what essentially amounts to a hidden e‐surveillance tax, and are concerned that compliance will further impede the ability of smaller telecommunications service providers to compete in Canada by saddling them with disproportionate costs.

It is of critical import that the lawful access provisions of the omnibus crime bill are shaved off into their own batch of legislation and are afforded their own debates and hearings. Failing to do otherwise would underplay how much the bills’ massive expansions of surveillance capacities might impact the Internet in Canada, and digital communications in this country more generally. If you want to learn more about the concerns listed above, you can read the full letter that was sent to the PMO (.pdf), and you can take action by voicing your concerns at the Stop Online Spying website. Sign the petition located there and then contact your MP: it is only by demonstrating public interest and concern in these bills that they might be clarified, reformed, and potentially prevented from being brought forward in the first place.

Other posts you might be interested in:

1. Publication: (Un)Lawful Access, Its Potentials, and its Lack of Necessity
2. (Un)Lawful Access: Vancouver Premiere & Panel Discussion
3. The Anatomy of Lawful Access Phone Records

Image by Kirk Lau

On Wednesday, July 27 2011, I’ll be talking at the forum to stop online spying. The forum is part of a larger national campaign to raise awareness about the potentials of state surveillance and the implications of the Government of Canada’s (expected) surveillance legislation that will be announced in the fall 2011 session. Amongst other provisions, the legislation is expected to significantly reduce the degree of judicial oversight surrounding government acquisition of subscriber data – data that users of the Internet provide to their ISP, chat services (e.g. MSN, AIM), social networking sites (e.g. Google+, Orkut, Facebook), and other online communications mediums.

I’ll be giving a short talk entitled “Creeping Towards a State of Surveillance” that is meant as an introduction to the gravity and nuances of surveillance legislation. In it, I’ll first talk about what constitutes surveillance and what constitutes function creep. From there, I’ll briefly discuss the challenges associated with classifying data as ‘public’ or ‘private’ and the deficits of ‘anonymizing’ data. This will focus on distinguishing between so-called traffic and content data types, and the kinds of private information that can be extracted from ‘mere’ traffic data. I’ll wrap things up with a quick overview of the positive, and problematic, aspects of audits, advocates, and government commissioners in restraining the state’s appetite for intelligence for so-called policing actions.

If you’re interested in coming out then head over to StopOnlineSpying.com and register. The talks start at 1:30 and run until 5:30, and are a non-partisan discussion of the forthcoming legislative agenda. It’s meant to be heavy on discussion and maximally accessible to people that don’t focus their lives studying privacy, democracy, or telecommunications and has a good mix of advocates and scholars. If you can’t make the forum, but are either bothered by or want to learn more about the Canadian government’s expanded surveillance laws, check out the national campaign.

Other posts you might be interested in:

1. Technology and Politics in Tunisia and Iran: Deep Packet Surveillance
2. Letter to Stephen Harper on Lawful Access Legislation
3. Review: Surveillance or Security?