Digitally Mediated Surveillance: From the Internet to Ubiquitous Computing

Digitally mediated surveillance (cyber-surveillance) is a growing and increasingly controversial aspect of every-day life in ‘advanced’ societies. Governments, corporations and even individuals are deploying digital techniques as diverse as social networking, video analytics, data-mining, wireless packet sniffing, RFID skimming, yet relatively little is known about actual practices and their implications. It is now over 15 years since the advent of the World Wide Web, and of widespread use of the Internet for electronic commerce, electronic government and social networking. The impending emergence of the ‘Internet of things’ promises (or threatens) to further insinuate digital surveillance capabilities into the fabric of daily life. Media alarmists have fueled a general popular understanding that one’s life is an open book when one goes online, making one increasingly subject to unwelcome intrusions. The reality is more complex and contingent on a variety of technological, institutional, legal and cultural factors.

In an effort to better understand and critique cyber-surveillance practices in the context of the wider theoretical and empirical literature on surveillance, we seek annotated bibliographies exploring a number of key topics, including:

• social networking (practices & platforms)
• search engines
• behavioural advertising/targeted marketing
• monitoring and analysis techniques (facial recognition, RFID, video
• analytics, data mining)
• Internet surveillance (deep packet inspection, backbone intercepts)
  resistance (actors, practices, technologies)

Each annotated bibliography will be 5000 words, and contain about 20 entries of 100-250 words in length. Entries will reflect both canonical and emergent debates and references. Bibliographies will include a clearly stated aim, an introduction with a preliminary discussion of the field. An example may be found here. They will be posted in web-friendly formatting for sharing widely among research and advocacy networks.

Completed bibliographies will serve as a resource for participants in the Cyber-Surveillance in Everyday Life International Workshop, hosted at the University of Toronto, May 12-15, 2011, and be publicly available via The New Transparency: Surveillance and Social Sorting website.

Annotated bibliographies will be guided by a subset of questions that inform the Cyber-Surveillance in Everyday Life Workshop, including:

1. We regularly hear about ‘cyber-surveillance’, ‘cyber-security’, and ‘cyber-threats’. What constitutes cyber-surveillance, and what are the empirical and theoretical difficulties in establishing a practical understanding of cyber-surveillance? Is the enterprise of developing a definition useful, or condemned to analytic confusion?
2. What are the motives and strategies of key DMS actors (e.g. surveillance equipment/systems/ strategy/”solutions” providers; police/law enforcement/security agencies; data aggregation brokers; digital infrastructure providers); oversight/regulatory/data protection agencies; civil society organizations, and user/citizens?
3. What are the relationships among key DMS actors (e.g. between social networking site providers)? Between marketers (e.g. Facebook and DoubleClick)? Between digital infrastructure providers and law enforcement (e.g. lawful access)?
4. What business models are enterprises pursuing that promote DMS in a variety of areas, including social networking, location tracking, ID’d transactions etc. What can we expect of DMS in the coming years? What new risks and opportunities are likely?
5. What do people know about the DMS practices and risks they are exposed to in everyday life? What are people’s attitudes to these practices and risks?
6. What are the politics of DMS; who is active? What are their primary interests, what are the possible lines of contention and prospective alliances? What are the promising intervention points and alliances that can promote a more democratically accountable surveillance?
7. What is the relationship between DMS and privacy? Are privacy policies legitimating DMS? Is a re-evaluation of traditional information privacy principles required in light of new and emergent online practices, such as social networking and others?
8. Do deep packet inspection and other surveillance techniques and practices of internet service providers (ISP) threaten personal privacy?
9. How do new technical configurations promote surveillance and challenge privacy? For example, do cloud computing applications pose a greater threat to personal privacy than the client/server model? How do mobile devices and geo-location promote surveillance of individuals?
10. How do the multiple jurisdictions of internet data storage and exchange affect the application of national/international data protection laws?
11. What is the role of advocacy/activist movements in challenging cyber-surveillance?

Those interested should submit a one page word (500 words max) proposal and initial working bibliography for the chosen area.

Successful proposals will demonstrate a familiarity with the relevant literatures and issues, and clear relation to a specified sub-set of the key topics and guiding questions listed above. The deadline for submissions is September 15 and acceptance notifications will be sent September 30, 2010. The deadline for completed annotated bibliographies is December 31, 2010.

The authors (at least three) invited to prepare annotated bibliographies will each be paid CA$2000, in two equal installments—the first upon acceptance of the assignment, and the balance upon satisfactory completion.

Selected authors will also be invited to participate in the Cyber-Surveillance in Everyday Life Workshop at the University of Toronto May 12-15, 2011, with the possibility of their expenses being covered.

For further information, please contact: cybersurveillanceworkshop@gmail.com.

Other posts you might be interested in:

1. Cyber-Surveillance in Everyday Life
2. The Role of Digital Surveillance in Stopping the Past’s Rebirth
3. Deep Packet Inspection and the Confluence of Privacy Regimes

I wanted to let readers know that the New Transparency Project is hosting an international workshop on the theme of Cyber-surveillance in everyday live May 12-15, 2011 at the University of Toronto. Given that topics to be explored in the workshop include social networking, search engines, behavioural advertising/marketing, internet surveillance somewhat generally, and modes of resistance I thought readers here might be interested. Below is the full call for papers, with abstracts due by Oct 1.:

Digitally mediated surveillance (DMS) is an increasingly prevalent, but still largely invisible, aspect of daily life. As we work, play and negotiate public and private spaces, on-line and off, we produce a growing stream of personal digital data of interest to unseen others. CCTV cameras hosted by private and public actors survey and record our movements in public space, as well as in the workplace. Corporate interests track our behaviour as we navigate both social and transactional cyberspaces, data mining our digital doubles and packaging users as commodities for sale to the highest bidder. Governments continue to collect personal information on-line with unclear guidelines for retention and use, while law enforcement increasingly use internet technology to monitor not only criminals but activists and political dissidents as well, with worrisome implications for democracy.

This international workshop brings together researchers, advocates, activists and artists working on the many aspects of cyber-surveillance, particularly as it pervades and mediates social life. This workshop will appeal to those interested in the surveillance aspects of topics such as the following, especially as they raise broader themes and issues that characterize the cyber-surveillance terrain more widely:

• social networking (practices & platforms)
• search engines
• behavioural advertising/targeted marketing
• monitoring and analysis techniques (facial recognition, RFID, video analytics, data mining)
• Internet surveillance (deep packet inspection, backbone intercepts)
• resistance (actors, practices, technologies)

A central concern is to better understand DMS practices, making them more publicly visible and democratically accountable. To do so, we must comprehend what constitutes DMS, delineating parameters for research and analysis. We must further explore the way citizens and consumers experience, engage with and respond to digitally mediated surveillance. Finally, we must develop alliances, responses and counterstrategies to deal with the ongoing creep of digitally mediated surveillance in everyday life.

The workshop adopts a novel structure, mainly comprising a series of themed panels organized to address compelling questions arising around digitally mediated surveillance that cut across the topics listed above. Some illustrative examples:

1. We regularly hear about ‘cyber-surveillance’, ‘cyber-security’, and ‘cyber-threats’. What constitutes cyber-surveillance, and what are the empirical and theoretical difficulties in establishing a practical understanding of cyber-surveillance? Is the enterprise of developing a definition useful, or condemned to analytic confusion?
2. What are the motives and strategies of key DMS actors (e.g. surveillance equipment/systems/ strategy/”solutions” providers; police/law enforcement/security agencies; data aggregation brokers; digital infrastructure providers); oversight/regulatory/data protection agencies; civil society organizations, and user/citizens?
3. What are the relationships among key DMS actors (e.g. between social networking site providers)? Between marketers (e.g. Facebook and DoubleClick)? Between digital infrastructure providers and law enforcement (e.g. lawful access)?
4. What business models are enterprises pursuing that promote DMS in a variety of areas, including social networking, location tracking, ID’d transactions etc. What can we expect of DMS in the coming years? What new risks and opportunities are likely?
5. What do people know about the DMS practices and risks they are exposed to in everyday life? What are people’s attitudes to these practices and risks?
6. What are the politics of DMS; who is active? What are their primary interests, what are the possible lines of contention and prospective alliances? What are the promising intervention points and alliances that can promote a more democratically accountable surveillance?
7. What is the relationship between DMS and privacy? Are privacy policies legitimating DMS? Is a re-evaluation of traditional information privacy principles required in light of new and emergent online practices, such as social networking and others?
8. Do deep packet inspection and other surveillance techniques and practices of internet service providers (ISP) threaten personal privacy?
9. How do new technical configurations promote surveillance and challenge privacy? For example, do cloud computing applications pose a greater threat to personal privacy than the client/server model? How do mobile devices and geo-location promote surveillance of individuals?
10. How do the multiple jurisdictions of internet data storage and exchange affect the application of national/international data protection laws?
11. What is the role of advocacy/activist movements in challenging cyber-surveillance?

In conjunction with the workshop there will be a combination of public events on the theme of cyber-surveillance in everyday life:

• poster session, for presenting and discussing provocative ideas and works in progress
• public lecture or debate
• art exhibition/installation(s)

We invite 500 word abstracts of research papers, position statements, short presentations, works in progress, posters, demonstrations, installations. Each abstract should:

• address explicitly one or more “burning questions” related to digitally-mediated surveillance in everyday life, such as those mentioned above.

• indicate the form of intended contribution (i.e. research paper, position statement, short presentation, work in progress, poster, demonstration, installation)

The workshop will consist of about 40 participants, at least half of whom will be presenters listed on the published program. Funds will be available to support the participation of representatives of civil society organizations.

Accepted research paper authors will be invited to submit a full paper (~6000 words) for presentation and discussion in a multi-party panel session. All accepted submissions will be posted publicly. A selection of papers will be invited for revision and academic publication in a special issue of an open-access, refereed journal such as Surveillance and Society.

In order to facilitate a more holistic conversation, one that reaches beyond academia, we also invite critical position statements, short presentations, works-in-progress, interactive demonstrations, and artistic interpretations of the meaning and import of cyber-surveillance in everyday life. These will be included in the panel sessions or grouped by theme in concurrent ‘birds-of-a-feather’ sessions designed to tease out, more interactively and informally, emergent questions, problems, ideas and future directions. This BoF track is meant to be flexible and contemporary, welcoming a variety of genres.

Timeline:

2010:

Oct. 1: Abstracts (500 words) for research papers, position statements, and other ‘birds-of-a-feather’ submissions

Nov. 15: Notification to authors of accepted research papers, position statements, etc. Abstracts posted to web.

2011:

Feb. 1: Abstracts (500 words) for posters

Mar. 1: Notification to authors of accepted posters.

Apr. 1: Full research papers (5-6000 words) due, and posted to web.

May 12-15 Workshop

Sponsored by: The New Transparency – Surveillance and Social Sorting.

International Program Committee: Jeffrey Chester (Center for Digital Democracy), Roger Clarke (Australian Privacy Foundation), Gus Hosein (Privacy International, London School of Economics), Helen Nissenbaum (New York University), Charles Raab (University of Edinburgh) and Priscilla Regan (George Mason University)

Organizing Committee: Colin Bennett, Andrew Clement, Kate Milberry & Chris Parsons.

University of Toronto & University of Victoria.

Other posts you might be interested in:

1. Call for Cyber-Surveillance Annotated Bibliographies
2. Reflections: Day Zero of ‘Life in a Digital Fishbowl’
3. Deep Packet Inspection and the Confluence of Privacy Regimes

Ole asserts that there are two key infotainment revenue streams that content providers, such as ISPs, maintain: the $150 Cable TV stream and the $50 Internet stream. Given that content providers are required to redistribute some of the $150/month to content creators (often between 0.40-0.50 cents of every dollar collected), Ole argues that ISPs should be similarly required to distribute some of the $50/month to content creators that make the Internet worth using for end-users. Unstated, but presumed, is a very 1995 understanding of both copyright and digital networks. In 1995 the American Information Infrastructure Task Force released its Intellectual Property and the National Information Infrastructure report, wherein they wrote;

…the full potential of the NII will not be realized if the education, information and entertainment products protected by intellectual property laws are not protected effectively when disseminated via the NII…the public will not use the services available on the NII and generate the market necessary for its success unless a wide variety of works are available under equitable and reasonable terms and conditions, and the integrity of those works is assured…What will drive the NII is the content moving through it.

Of course, the assertion that if commercial content creators don’t make their works available on the Internet then the Internet will collapse is patently false. As written about by Middleton in “What if there is no killer application?“, an early study in Littleton about how individuals use high-speed networks in the mid-90s found that customers were most engaged with amateur content production (i.e. that of their neighbours) and entranced by the communicative possibilities made available through broadband (i.e. e-mail and mailing lists). In essence, from this we can suggest that the empirical study demonstrated that the ideological and financial values placed on commercial cultural artifacts by bureaucrats and commercial content producers is less obvious than they (loudly) state. Further, the value of commercial content is arguably diminished even more in an environment where people spend increasing amounts of time engaging with the generative elements of the Internet, often referred to as amateur-dominated social media environments. In essence, the undertone that ISPs can only sell their data transmission services because of commercial content is at the very least shaky, and more likely to be empirically unsupportable if posed as a strong correlation between the value of transmission capabilities and commercial content availability.

Depressingly, Ole believes that a broadcast-based (historical) business model should be imposed on ISP transmission-based companies in an effort to regenerate the value of their (now somewhat devalued) intellectual properties. Specifically,

The ISP business model for the Internet could and should mimic that of Cable/ TV. Modern technology allows the ISP to identify what content is being used and then they can allocate the appropriate share to the creator or supplier of that content.

This would put ISPs in the situation of somehow being liable to the collection societies, and also require substantial telecommunications investment in labour and sunk capital to establish an (ineffective) network surveillance policy designed to monitor the amount of copywritten content flowing across Canada’s networks. Most likely, such a proposal would turn ISPs into content police and require the use of some kind of packet inspection equipment to survey Canadians’ data traffic, pick out that which is believed to be infringing, and pay some kind of monthly tax for the transport of customers’ content. This amounts to a suggestion that ISPs become content police on the basis that only by doing so would they evade being identified as encouraging copyright infringement. Ole is intimating that ISPs must implement surveillance one the networks if they are to avoid third-party liability.

There are systems on the market that claim they can analyze data traffic to develop ‘piracy’ indexes. CView is used by Virgin in the UK (though we’ve no idea how effective it is) and Audible Magic has been successful in forcing some ISPs and campuses to adopt their technology. In most cases, such content analysis technologies require the offloading of data traffic suspected of being infringing in high-traffic networks, doing a one-way hash of the data, checking the hash against known copywritten files’ signatures, and then aggregating the overall amount of infringement and particular cases of infringement on a per-file basis. This is substantial overhead for any party, especially one that is just trying to move data from one place to another. Moreover, any such massive dragnet analysis of content raises real questions of whether ISPs could then be considered ‘transport’ facilities; while presently there is substantial monitoring for particular protocol types, Canadian ISPs are not searching for particular content-types. This is an important distinction, insofar as ISPs can understand what application-types are generating traffic on their networks but not what those application-types are actually being used to transmit and receive. For all Canadian ISPs know, Canadians might have some strange obsession with massive downloading and sharing of Linux .ISO files and the entire Canadian population actually avoids downloading copywritten music.

There continue to be doubts concerning whether any kind of massive copyright-analysis engine could work – prominently by companies that actually sell the solutions and those that would be responsible for deploying these fears – and further whether such engines could ever competently detect fair use/fair dealing of some material. YouTube’s algorithms are relatively notorious for censoring uses of copywritten material falling under fair use and fair dealing provisions; what guarantee do citizens have that any algorithmic surveillance and monitoring system deployed on communicative networks would avoid the YouTube problem? Should the content creator-owner get restitution for fair dealing of works? How would this be adjudicated – by determining where the data was to and from (i.e. if to an educational institution, we must assume that it’s for fair dealing research purposes) or on a case-by-case challenge basis? Moreover, doesn’t the provision of funds for fair dealing uses modify the provisions of fair dealing, insofar as content creator-owners would receive a fiscal benefit even for fair dealing whereas presently fair dealing falls outside of their revenue traps?

Of course, even the suggestion that Canadian ISPs should be required to cough up money to content creator-owners is absurd in the face of a recent Federal Court of Appeals ruling that asserted that ISPs are not broadcasters. The question of ISPs’ status was punted to the Court by the CRTC, who wanted judicial guidance before it proceeds to determine whether ISPs can be legally required to establish copyright levies. Since ISPs fall under the Telecommunications, and not Broadcasting Act, they are seen as solved involved in providing,

the mode of transmission, they have no control or input over the content made available to Internet users by content producers and as a result, they are unable to take any steps to promote the policy described in the Broadcasting Act or its supporting provisions. Only those who “transmit” the “program” can contribute to the policy objectives.

Under this decision, so long as ISPs are not involved in discriminating against any particular content and thus making an input into the content made available on the Internet to and by users (i.e. so long as Canadian ISPs adhere to a form of network neutrality), any levy-based system is dead. The very system that Ole is advocating for has already fallen before the Court of Appeals.

Now, out of all of this, we might be expected to feel poorly for the content creator-owners that depend on selling and licensing content for their commercial success. I think that if we look at the history of these companies’ digital involvement, however, we quickly disenchant ourselves of this position. Major labels refused to license recordings to Napster and subsequently engaged in what Jessica Litman refers to as a process of “suing upstart new businesses into bankruptcy” to try and stem the Internet as a disruptive factor in their businesses. This saw content creator-owners financially assassinate Napster, Scour.com, iCraveTV, RecordTV, mp3.com, Aimster, Grokster, Streamcast, KaZaA, and others. Authors have gone after Google for the mere action of scanning books for search index purposes, a purpose that would enable authors to sell additional texts when the texts appeared through a Google book search. That the copying a text, even for fair-use purposes, is grounds for massive legal obstruction speaks volumes of content creator-owners general willingness to genuinely deal with the digital reality they are immersed in. Broadly, instead of working to establish a marketplace for digital manifestations of content creator-owner works there have been, and continue to be, mass efforts to shut down marketplaces that don’t grant total control to content owner-creators and their associated companies. As such, customers have become used to going to illicit sites that offer superior selection with fewer restrictions than label offerings. This indicates a failure in big content’s rent-seeking business model and the truth that modern customers are rational economic actors. It does not indicate that ISPs are somehow required to prop-up a rent-seeking model, nor a moral deficit on the part of customers.

Labels were, and remain, in a state of ontological insecurity that accompanies their plunging into a decade-long existential crisis: how can they maintain their rent-seeking behaviour in the face of disruptive technologies. Answers to this existential question are out of reach of most companies on the basis that their perception of the world markets preclude taking risks that could see a (necessary) cannibalization of short-term revenue streams for long-term survival. Unfortunately, while adherence to historical models was effective last decade in colonizing their futural existences – in assuring them of how to approach the world and guarantee particular revenue streams – that old model leaves them grasping at new rent-seeking behaviour instead of adopting novel business strategies. While we can all appreciate just how devastating existential crises can be on a personal level, when we consider the multi-billion dollar record industry we tend to have far less sympathy. Just as you or I are unable to let a crisis linger for a decade – we go to a therapist, get straightened out, and get back on our way – neither can these companies. At best we might feel pity as we watch them wallow in their crisis. At worst, we fear what they might crush as they roll around on the ground like starving dinosaurs and demolish other elements of civil society in their throes of panic and fear aimed at extinguishing the generativity seen as endangering their ontological security. They’ve already made a mess of copyright and cultural transmission possibilities; let’s hope they don’t damage the conditions of democratic communication itself while they’re working out their problems.

Other posts you might be interested in:

1. Comment: Canadian ISPs and Internet Traffic Management
2. Update: Associating Canadian ISPs with Anonymized Data Traffic Submissions
3. Deep Packet Inspection: What Innovation Will ISPs Encourage?

In the course of this post, I begin by outlining what constitutes personal information and then proceed to outline DoubleClick’s method of collecting personal information. After providing these outlines, I argue that online advertising systems do collect personal information and that the definitions that Google offers for what constitutes ‘personal information’ are arguably out of line with Canadian sensibilities of what is ‘personal information’. As a result, I’ll conclude by asserting that violations may in fact be occurring, with the argument largely emerging from Nissembaum’s work on contextual integrity. Before proceeding, however, I’ll note that I’m not a lawyer, nor am I a law student: what follows is born from a critical reading of information about digital services and writings from philosophers, political scientists, technologists and privacy commissioners.

Central to the claim that personal information is collected and used in ways that individuals do not anticipate or desire is identifying what the term ‘personal information’ refers to. Also, we have to consider the degrees of surveillance that individuals should expect experience in ‘public’ environments. These environments should be taken to include not just city parks and commercial stores, but also non-passworded/registration-free websites. The Information and Privacy Commissioner of Ontario (IPC), in their lengthy analysis of privacy and video surveillance in mass transit systems, argues that:

While the expectation of privacy in public spaces may be lower than in private spaces, it is not entirely eliminated. People do have a right to expect the following: that their personal information will only be collected for legitimate, limited, and specific purposes; that the collection of their personal information will be limited to the minimum necessary for the specified purposes; and that their personal information will only be used and disclosed for the specified purposes.

Moreover, there are socially-construed norms that ought to be recognized; humans are cognitively designed for the analogue world – this is one of the reasons why long-term storage of digitally externalized memory is so problematic – and as such analogue norms ought to carry over into the digital domain. In carrying over such norms, and considering the nature of information sharing in the analogue world, we need to focus on “not simply restricting the flow of information but ensuring that it flows appropriately,” [1] with “appropriately” a reference to making sure that data flows accord with contextualized social norms. In the social world there are finely calibrated sets of norms that govern the flow of personal information in distinct social contexts; such norms ought to be drawn into the digital instead of being repudiated in favour of an entirely novel set of norms that (negatively) rebalance power-relationships away from information/data holders in favour of data-aggregation bodies.

In thinking of a shopping environment that I physically walk into, precious little information is collected about me until I am involved in making a purchase (barring the introduction of high-tech analysis systems, such as behavioural recognition software tied to cameras, RFID scanners monitoring when shopping items are picked up, etc). Even where I am involved in multiple interactions with sales staff these are discrete, and not collated in a format that can be processed by a computer nor indexed to my name or a unique identifier. I am likely quickly forgotten about – retention of ‘collected’ data is incredibly limited, limited for the contextual needs of the sales situation. This is obviously different in a digital environment, where each page that is opened is logged, time on pages noted, entry and egress points monitored. The data collected in the digital environment is only ‘forgotten’ after a set period of time by the website administrator. This induces novel notion of ‘appropriate’ data durations; Daniel Solove in his book The Digital Person speaks to the dangers built into these data-drive dossiers that are compiled about individuals, and Viktor Mayer-Schonberger speaks to the risks of not forgetting in the digital era. In both authors’ texts, a resonating theme is that ‘appropriate’ data retention periods in a digital environment are radically, and often unnecessarily, different from their analogue precursors.

In the former sales situation, we have an instance of personal information (perhaps they ask your name) being retained for a limited period of time and for a legitimate, specific purpose (e.g. developing a relationship with an individual for sales purposes whilst in the store). It is subsequently disposed of following the conclusion of the transaction in most cases. This is directly at odds with the data collected in the server-based situation, where the smallest action is often recorded and used for extensive marketing and enhanced surveillance purposes.

Thus far, all that I have asserted is that more information is collected in a digital, and specifically sales, environment online than offline and that socially-construed norms from analogue contexts ought to be drawn to digital situations. As part of this, there is a recognition that ‘public’ online actions should not expect total privacy, but a lowered expectation of privacy does not equal an absolute dearth, or absence, of privacy. Let’s now move to outline what might constitute personally identifiable information.

In the interests of maintaining consistency (and avoid accusations of ‘cherry-picking’ from different government reports) we can turn to definitions of personal information in section 2(1) of Ontario’s Freedom of Information and Protection of Privacy Act that are prominently drawn on in the IPC’s analysis of the legitimacy of video surveillance. Personal information refers to recorded information about an identifiable individual and includes:

• information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual;
• information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
• any identifying number, symbol or other particular assigned to the individual (emphasis added);
• the address, telephone number, fingerprints or blood type of the individual;
• the personal opinions or views of the individual except if they relate to another individual;
• correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence (emphasis added);
• the views or opinions of another individual about the individual, and;
• the individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

The two boldfaced sections, above, are the domains within which personal information is most likely to be collected and used over the course of online transactions.

DoubleClick, an advertising company that is owned by Google, operates by depositing small persistent cookies (which contain unique alphanumeric codes) on individuals’ computers. Persistent cookies remain on your computer after you close it – and can be juxtaposed against session cookies that are deleted with the closure of the browser – and used to trace users as they move about the web and deliver targeted ads with the additional assistance of web beacons. Such beacons are usually 1×1 pixels in size and designed to blend into a website so that the end user never notices their existence. This cookie-beacon-advertising system is intended to be transparent to the consumer.

DoubleClick asserts that personal information includes (but is not limited to) “name, address, telephone number, email address, social security number, bank account number or credit card number.” Sensitive information – information the company does not share or collect – “categorically includes but is not limited to data related to an individual’s health or medical condition, sexual behavior or orientation, or detailed personal finances, information that appears to relate to children under the age of 13 at the time of data collection; and PII otherwise protected under federal or state law (for example, cable subscriber information or video rental records).” It’s key to note that in this latter reference, what the sensitive information protected by federal and state law, is solely in reference to American privacy laws.

If you will permit a brief detour, the federal Office of the Privacy Commissioner acknowledges that personal information is collected with RFID system when locational data is associated with an RFID chip’s unique identifier. I argue that the unique number associated with the RFID chip and the unique alphanumeric string associated with a cookie an analogous, and further that movement across the web constitutes digital “movement” paralleling physical movements that can be detected by proximity RFID readers. Just as a sales company tracking information in their ‘private’ space would be seen as collecting personal information, so should any web company that tracks users as they move through the company website.

On this basis, the association of where a customer moves online with a unique number constitutes the collection of personal information; DoubleClick’s assertion that they are simply collecting “non-personally identifiable information” in their daily business activities doesn’t hold water. Moreover, from the perspective of the IPC’s understanding of personal information, an identifying number or symbolic representation is being correlated with a distinct computer moving across the ‘net, and it is entirely possible that “private correspondence” is being identified insofar as what are (from a social-norms perspective) private data surfing actions are surveilled and included in a DoubleClick database for the purposes of advertising.

There are two immediate responses that come to mind after asserting the DoubleClick is collecting personal information. On the one hand, someone opposing this position might argue that no person is identified, but a computer represented by an IP address (and perhaps a host of computers that are sitting behind a NAT-enabled router) is instead identified. Alternately, one might maintain that on the basis that online advertising systems are widespread the usage of DoubleClick’s (and other advertising agencies’) services is thus legitimate. I’ll address these in turn.

To the first, the Office of the Privacy Commissioner of Canada has asserted that where there is an association of personal information with an IP address that the address constitutes personal information. To put it another way, the IP address itself, on its own, isn’t ‘personally identifiable information’ but when it is mashed together with other data sources then it can be seen as personal information and thus deserving protection. For those individuals who have opted out of receiving a DoubleClick cookie they are still targeted with ads, in part based on their IP address as well as the name of the site they are visiting, specific web page they are visiting, key values, operating system type, windows version, user’s local time, and the ‘non-personally identifiable’ information sent by the website itself. This involves a collection of information and associating it with an IP address, and this information in a unique configuration may constitute the collection of personal information, regardless of DoubleClick’s assertions otherwise.

To the second, social norms dictate that certain modes of surveillance are to be genuinely ‘expected’ but such norms do not mean that individuals entirely abandon their rights to privacy as soon as they leave their home(s). What is critical in determining whether a surveillance practice is being performed in such a way that it constitutes a privacy violation is whether or not “its use in a particular context, in a particular way is not overly unusual. One cannot generalize from the observation that certain installation in certain contexts are commonplace, accepted, and supported to the conclusion that all installations irrespective of contexts will not violate expectations of privacy.”[2] To put this in context, it can be read to say that simply because the installation and use of DoubleClick cookies is permissible under the context of American privacy norms (assuming that this is even the case) it cannot subsequently be asserted that these cookies are also permissible under the social contexts of Canadian or European privacy norms. Given that Canada and Europe have significantly stronger privacy protections that the United States – and if we suppose that the laws that are established are reflective of the dominant socio-political norms of a citizenry – it seems key that a normative needs to analysis be conducted to determine whether, after translating their analogue surveillance norms to a digital domain, Canadians and Europeans are would see the deposition of tracking cookies on their computer as normatively permissible.

So what is the takeaway from all of this? First, that it’s key to not just read how third-party groups that you may be working with (such as DoubleClick for advertising purposes) define and collect personal information. You have to go at least one more step to ensure that how these definitions are made and collections occur are in accordance with the laws and social norms of your nation. Second, that from the point of view of managing flows of information that end-users are interested in ensuring that their information flows in accordance with with their social norms, norms that are emergent from their analogue experiences and lives. Discounting such norms and demanding the individuals (for some reason…) simply adopt ‘digital norms’ misses the fact that humans remain analogue creatures, with analogue modes of dealing with the work as a key part of their social and biological characteristics. The failure of a web environment to recognize both of these points – that you need to check that collections of data are permissible and in accordance with social norms – and act on them threatens to undermine user trust, and even Google recognizes that in the absence of their end-users’ trust their business models would collapse.

[1] Nissembaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life, p. 2.

[2] Nissembaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life, p. 235.

Other posts you might be interested in:

1. Doubleclick + Adblock = I’m a Moral Monster?
2. Ontario Information and Privacy Commissioner, and DRM
3. Twitter and Statutory Notions of Privacy

Abstract:

Across the Internet, an arms race between agents supporting and opposing network-based surveillance techniques has quietly unfolded over the past two decades. Whereas the 1990s might be characterized as hosting the first round of the encryption wars, this paper focuses on the contemporary battlescape. Specifically, I consider how ISPs “secure” and “manage” their digital networks using contemporary DPI appliances and the ramifications that these appliances may have on the development, and our understanding, of the code-body. DPI networking appliances operate as surveillance devices that render the digital subject constituted by data packets bare to heuristic analyses, but, despite the ingenuity of these devices, some encryption techniques successfully harden otherwise soft digital flesh and render it opaque. Drawing on Kant and Derrida, I suggest that ISPs’ understanding of the Internet as one of packets arguably corresponds with a Kantian notion of reality-as-such and offers a limited and problematic conception of the code-body. Turning to Derrida, we move beyond protocol alone to consider the specters that are always before, and always after, the code-body; Derrida provides a way of thinking beyond Kantian conceptions of space and time and the reality-as-such code-body and lets us consider the holistic identity of the code-being. Further, Derrida lets us interrogate the nature of DPI networking appliances and see that they resemble thrashing zombie-like code-corpses that always try, but perpetually fail, to become fully self-animated. While Derridean insights suggest that ISPs are unlikely to be successful in wholly understanding or shaping code-bodies, these corporate juggernauts do incite identity transformations that are inculcated in cauldrons of risk and fear. Not even Derridean specters can prevent the rending of digital flesh or act as a total antidote to ISPs’ shaping of consumers’ packet-based bodily identity.

Link to article.

Other posts you might be interested in:

1. Comment: Canadian ISPs and Internet Traffic Management
2. Deep Packet Inspection and Law Enforcement
3. Digital Crises and Internet Identity Cards

Last Friday, Google announced that they had been inadvertently collecting some data packets sent via unencrypted wireless access points for the past three years. This admission came after the Street View program (again) came under criticism from German data protection authorities following Google’s (original, and earlier) admission that they had only been collecting information about wireless routers as they drove their cars around towns. Specifically, the original admission saw Google reveal they had collected the SSID and MAC addresses of routers. In layman’s terms, the SSID is the name of the wireless network that is usually given to the device during configuration processes following the installation of the device (e.g. Apartment 312, Pablo14, or any of the other names that are shown when you scan for wireless networks from your computer). The MAC address a unique number that is associated with each piece of Internet networking equipment; your wireless card in your computer, your LAN card, your router, and your iPhone all have unique numbers. After collecting both the SSID and MAC address of a wireless router the company identified the physical location of the device using a GPS system.

Google collects information about wireless networks and (almost more importantly) their physical location to provide a wifi-based geolocation system. Once they know where wireless routers are, and plot them on a map, you don’t need GPS to plan and trace a route through a city because a wireless card and low-powered computer will suffice. There are claims that this constitutes a privacy infringement, insofar as the correlation of SSID, MAC address, and physical location of the router constitute personal information. I’m not sure that I agree with this, as the Google service stands now.

Google’s collection does not generate information about an identifiable individual that could otherwise be understood as ‘private’, save for in cases where individuals sought to suppress their SSID and had that information collected by Google regardless of the individual’s intentions. We don’t know if Google did this or not; if they did then that might constitute a privacy violation. So far as we know, the information collected is not used to assign a unique number to an individual nor is there an effort to collate information around particular wifi access points. Also, as far as we know, Google is not taking the information provided by a wireless router to ‘track’ people as they move around; were this performed then that might constitute some form of tracking of individuals by proxy, and thus fall under the realm of a privacy infringement. Google’s unwillingness to perform this degree of surveillance is confirmed by Peter Fleischer, Google’s Global Privacy Council, who has effectively stated that such surveillance is impossible given how data has been gathered: “…we do not collect any information about householders, we cannot identify an individual from the location data Google collects via its Street View cars.” Given that privacy law tends to be driven by actual instantiations of violation – not the possibility of a violation following the aggregation of data – it doesn’t appear that a clear violation occurs with the collection of the SSID and MAC address alone.

The collection of the public information that a wireless router transmits, while creepy to some, doesn’t strike me as an actual privacy violation. If I stand on the street and take pictures of every car and person who walks up the street this might be seen as creepy, but it doesn’t constitute a privacy violation under Canadian privacy law (barring Quebec). Nor does the act of taking pictures of homes from the street; Google Street View wasn’t shut down because it didn’t clearly violate (non-Quebec) privacy regulations. While the wireless spectrum is less ‘visible’ than the shots we see in Street View it’s a very open question as to whether this spectrum’s invisibility to the human-eye means that wifi access point information is thus somehow private. As far as I can tell, the central issue with Google’s actions (in the Canadian situation) is that the company didn’t inform Canadian officials about this ‘added-feature’ of the Street View program on the basis that Google saw it as an entirely different process that was unrelated to Street View. To some this is going to be seen as a cop-out or lie, but it doesn’t strike me as necessarily untrue. Bell Canada ran into a similar experience with their deployment of Deep Packet Inspection; Bell saw the technology as used purely for billing and traffic management purposes and thus saw no underlying privacy issues with its usage. It should be noted that following the complaint against Bell that very little of the technology itself could be seen as privacy invasive: the most significant change to Bell’s operations included a minor addition to their online documentation.

Google’s most recent revelation, however, exits the ‘creepy’ stage and tentatively enters the ‘privacy invasive’ domain. While collecting information about wireless routers strikes me as OK (or, at least not bad), the collection of data packets while getting wifi information could be read as wiretapping of some ilk. The company has publicly declared that this collection was the accidental result of old code that was recycled for the wifi-collection program and that they will be bringing in outside consultants to confirm that the excess data is entirely removed from Google’s databases. Assuming that the company is telling the truth – and, to date, we have no reason to see them as lying – then this seems like a truly massive-scale error that is being corrected far later than it should. There are varying reasons for why this might not have been corrected previously: challenges in issuing new code to the Street View cars, poor cross- and inter-team communications (i.e. the groups actually dealing with the data sets just ignored the excess data instead of reporting its collection), or pure laziness. In effect, I would maintain we should avoid attributing to malice what we can more easily attribute to ignorance, laziness, and stupidity. This said, Alexander Hanff of Privacy International has a very different read on the collection of data packets transmitted on unencrypted wireless channels that is reasonably convincing. Even if he is right, however, I doubt that Google will ever admit that they were purposefully collecting the full data packets that were made available over unencrypted wifi routers.

In the best case scenario, the outcome of the accidental collection of payload data would include the following: a full accounting of the amount of data that was collected (i.e. are we talking about a packet or two of data, or thousands of packets per wireless access point, with the latter arguably being a very real and substantial privacy invasion regardless of the information being transmitted in the clear); the raising of public awareness of what it means to broadcast data in an unencrypted fashion. While the former might happen, the latter is almost certain to not. Raising awareness would mean that the public would understand that transmitting data over unencrypted channels is like choosing to send out private correspondence and responses to billing inquiries using postcards instead of envelopes. If someone happens to read your postcards then there hasn’t been an infringement of personal information, insofar as the transmitted of the information choose to correspond in an open fashion instead of using sealed envelops. Envelopes, in this example, means using some mode of encryption to demonstrate to those listening to data traffic that the packets are intended to be ‘private’ from external observation. It doesn’t matter if someone uses WEP, WPA, WPA2 (personal), WPA2 (enterprise) or alternate encryption system: if you aren’t encrypting your data, you’re transmitting your data on the equivalent of postcards. It’s not a violation for someone to read the content of your postcards, though it certainly may be ‘creepy’.

There have been some efforts to compare Google’s collection of wifi-based information with their (disastrous!) roll-out of Buzz, but I don’t think that that’s really an apples-to-apples comparison. Buzz leveraged already existing information – information that we knew Google had about particular individuals – to make it more publicly available. This went over poorly. In the case of the collection of wifi information, assuming that Google is telling the truth about their inability and unwillingness to map SSID information and MAC addresses to particular locations to follow people around, then this doesn’t constitute a form of surveillance and arguably doesn’t constitute a privacy violation given that the SSID and MAC are made publicly available whenever a wireless router broadcasts its name and status. If people have issues with this information ‘being public’ then I suggest that they go back to wired routers and disable their wifi access points. (And, I will note, that this just makes good security sense: there is almost no way to perfectly secure a wireless transmission – you can only make it more challenging to defeat the security – whereas wired communications are almost inherently more secure by nature of their design.) As for the data packets that the Street View cars were picking up, whether that genuinely constitutes a violation will be seen when the specific information that was collected is made available to the public, or at least announced in the consultant’s report.

Other posts you might be interested in:

1. IPv6 and the Future of Privacy
2. Facial Blurring = Securing Individual Privacy?
3. Cisco Brings Targeted Ads Home

Before I go any further, let me break down what an IP address is, the distinctions between versions 4 (IPv4) and 6 (IPv6), and then get to the heart of the privacy-related issues concerning the transition to IPv6. The technical infrastructure of the ‘net tends to be seen as dreadfully boring but, as is evidenced by the (possible) computer failures of Toyota vehicles, what goes on ‘under the hood’ of the ‘net is of critical importance to understand and think about. It’s my hope that you’ll browse away with concerns and thoughts about the future of privacy in an increasingly connected biodigital world.

An IP address is a number that is assigned to devices that participate in a computer network that uses the Internet Protocol (often as part of the TCP/IP protocol suite) to exchange data between members of the network. Each device on a network is assigned a unique number, which can be metaphorically thought of as the equivalent of a housing address – your IP address is where digital packets of information arrive, and where your own packages originate from. In the contemporary networking environment a house, or business, or particular government department might be assigned a single IP address that has to be shared amongst hosts of computers. In my home alone, there are at least 10 Internet-enabled devices that connect to my wireless and wired network, to say nothing of the dozens, hundreds, or thousands of devices that businesses and government find in their networks. To share that single IP address, routers that assign separate IP addresses to each member of those local area networks (LANs) have been developed. This means that in the local environment (i.e. the home, business, government agency) each computer has a unique number given to it by the router but that, once the data has passed beyond the local environment, data traffic is correlated with the single IP address assigned to the home, business, or agency. Practically all contemporary routers enable this sharing of IP addresses.[1]

It’s in light of this widespread ’sharing’ of IP addresses that the present IP addressing system has remained operable. I won’t bore you with the details, but there is a finite number of overall addresses that can be assigned to homes, businesses, and agencies, and we’re rapidly running out of those addresses. The absolute, precise, date of when the present, IPv4, system will run out of IP addresses is subject to debate: if I link to anything, then the various technical folk who read this will immediately write to me telling me I’m off by X days/months/years. In lieu of linking to a specific number, I’m going to say that in the next few years the IPv4 addressing spacing is likely to have been used up. Think of this as the equivalent of a real estate developer always extending beyond the city core, always extending the suburbs, until eventually the various cities’ suburbs start running into each other. Efforts to ‘build upwards’ are the rough equivalent of building apartment buildings and other high rises, where such building projects correlate with the deployment of LANs that see the mass sharing of particular IP addresses.

What does it mean to shift from the present addressing system (IPv4) to the ‘new’ system (IPv6)? To begin, it means that there is a lot more of IP real-estate; whereas IPv4 offers roughly 4.3 billion addresses, IPv6 provides 340 trillion trillion trillion (!) unique addresses. One can quickly appreciate the numerical difference. More significantly, it means that the system of LANs that we have today will no longer be required because of IP address scarcity. Each of the Internet-enabled devices  in my home could have its own IPv6 address – there is no real need to route all the data through a single IP address that is provided by my ISP.

In a situation where all Internet enabled devices have a constant address, the regular refrain “we don’t know who’s IP address we’re monitoring; it is possible that a set of users are sharing the same address!” is quickly disabused. With a persistent IP address, depending on the degree of algorithmic surveillance, it is possible to develop very, very good understandings of who is presumably the agent ‘using’ the IP address. Similar to how marketers can figure out who you are with very little information, advertising companies such as Doubleclick are in a comparable situation to develop very detailed, very personal, accounts of the individuals that regularly use Internet enabled devices.[2] In a situation where all devices have unique IP addresses, this could facilitate more accurate advertising (read: better targeted and more invasive), and that government agencies and ISPs alike could more accurately identify and track particular users online.

If this sounds like a kind of ‘privacy Chernobyl’ that puts issues like Facebook’s Beacon and Google’s Buzz to shame, you would be in good (?) company: journalists have been warning of the dangers of IPv6 since Bill Frezza’s 1999 piece “Where’s All the Outrage about IPv6 Privacy?”

Fortunately, the good engineers that develop Internet Protocols were aware of the potentially devastating consequences that static IP addresses for each device would have on anonymity online and, as a result, privacy. The Internet Protocol next generation (IPng) working group crafted a solution that involved creating;

pseudorandom interface identifiers and temporary addresses using an algorithm … The temporary address would not derive from a completely random generation process, which might result in two computers generating the same number, but instead would produce a temporary pseudo-random sequence dependent on both the globally unique serial number and a random component. The number would be globally unique because it would derive from the interface identifier and from the history of previously generated addresses, but would be difficult for an external node to reverse engineer to determine the source computer. [3]

In layman’s terms, this means that the engineers responsible for IPv6 were mindful of the surveillance capacities of the new Internet Protocol, and built privacy into a system that would otherwise lend itself to surveillance and authoritarian tendencies. The catch, however, is that is requires the parties responsible for assigning IP addresses to participate in the pseudo-anonymization process itself: it’s possible for ISPs to forcibly assign particular address to each and every device on their network.

(Before advancing any further I should note that I don’t know that ISPs have any such intentions: the following is ‘academic’, or theoretical, work.)

One might ask: “Chris, why would my ISP want to assign particular IP addresses to each device, instead of permitting for pseudo-anonymization? Are ISP’s privacy-haters?” No, person that I’m pretending to respond to, I’m not suggesting that ISP’s hate privacy, but instead that ISPs are in love with following the law.

In Canada, we’re looking at the re-re-re-introduction of lawful access legislation and associated electronic surveillance legislation. Presently, law enforcement claims they regularly run into challenges with monitoring presumed-criminals’ digital communications. In a domain where all devices are IP-enabled and have unique IP-addresses that are assigned by an IP provisioning body, such as an ISP, a license to wiretap a particular address would let law enforcement monitor when a particular device was engaged in the exchange of digital packets, regardless of whether the packets themselves were encrypted. The distinction between the IPv4 and IPv6 world: in an IPv4 world you can’t distinguish between users that share a common IP address (or so claims are made) as precisely as a judge might demand. IPv6 remedies this ‘worry’.

It’s a combination of the possibility to forcibly assign an IP address alongside the strong (governmental) security initiatives to ‘protect and secure’ the Internet that makes me claim that IP addresses could soon be very, very important from a privacy and security position. While the next generation protocol has reasonable privacy protections built in, various academic scholars (and, unofficially, several of Canada’s privacy commissioners) suggest that the ’security institutions’ are better at dissolving privacy protections than the privacy community is at enshrining privacy in law. Especially worrying in the case noted at the top of this post is that France – a member of the EU – is arguing that an IP addresses shouldn’t be considered personally identifiable information. The EU is recognized as imposing privacy protections on the rest of the world, and thus if France’s decision is upheld then the EU would be seen as ‘pushing’ the position that IP addresses are not personally identifiable information. While this position might be tenable in an IPv4 world, in an IPv6 world that sees security lobbies advocate for relatively static IP addresses the privacy of individuals would be significantly put at risk.

Maybe this is just doomsday talk – perhaps the security lobbies will avoid pushing for assigned IPv6 addresses, and demand that the full privacy protections of the IPv6 protocol are implemented. Unfortunately, as witnessed in Newman’s Protectors of Privacy and Ross’ 2009 piece “Privacy in the Digital Age: States, Private Actors, and Hybrid Arrangement,” the digital era’s privacy provisions are being rapidly eroded in a post-9/11 world. Unless there is a substantial change, unless privacy protections are genuinely entrenched in law with a strong civic commitment to privacy, unless IP addresses are recognized as always potentially personally identifiable information (at a minimum), then IP addresses are going to matter a whole lot more to security and marketing groups than they already do. And when marketers are interested in particular information, you can be sure that it’s not curiosity, but because they can leverage it to invade our minds and track our actions.

************

[1] Yes, businesses and government agencies may have multiple IP addresses assigned to them. I’ve intentionally simplified things for the purposes of analytic and metaphoric clarity.

[2] Phillips and Curry have a particularly good piece, titled “Privacy and the phenetic urge: geodemographics and the changing spatiality of local practice” in Surveillance as Social Sorting that outlines marketers’ capacity to draw detailed temporal-geographic patterns of mobilities.

[3] from  Laura Denardis’ Protocol Politics: The Globalization of Internet Governance

Other posts you might be interested in:

1. Privacy Issues Strike Street View (Again)
2. Deep Packet Inspection and the Confluence of Privacy Regimes
3. The Geek, Restraining Orders, and Theories of Privacy

The concept of IICs is not new: in 2001 (!) the Institute of Public Policy Research suggested that children should take ‘proficiency tests’ at age 11 to let them ‘ride freer’ on the ‘net. Prior to passing this ‘test’ children would have restrictions on their browsing abilities, based (presumably) on some sort of identification system. The IIC, obviously, didn’t take off – children aren’t required to ‘license up’ – but the recession of the IIC into the background of the Western cyberenvironment hasn’t meant that either research and design or infrastructure deployment for these cards has gone away. Who might we identify as a national leader of the IIC movement, and why are such surveillance mechanisms likely incapable of meeting stated national policy objectives but nevertheless inevitable?

I would suggest that, in the Western hemisphere, Spain has been incredibly ‘forward thinking’ about Internet authentication. The Spanish identity card was initially deployed by Franco to starve out rebels – during the guerrilla war rations were only provided to identity card holders – and gradually expanded into all reaches of Spanish society. Buying gas? Show the card. Subscribing to a magazine? Offer up your card. Unlike in the UK, US, or Australia, Spanish citizens accept the identity card as just another part of daily life, which has made Spain a delightful testing ground for the various companies involved in updating the card for the 21st century. Significantly, this receptiveness to the identity card meant that the transition to an electronic card was remarkably simple: the electronic national identity card (the DNIe) was introduced as a mere policy update to the existing card. There was no parliamentary debate or civil resistance over the shift to digital surveillance.*

The DNIe is designed with Internet authentication in mind. It interfaces with hardware dongles** to authenticate the holder with Spain’s national identity architecture. Using this authenticated system, authorities can monitor where Spaniards travel online, and the authentication facilitates ’secure and convient’ engagement with Spanish e-government services. In 2005, Vice President Maria Teresa Fernandez de la Vega noted that the DNIe was a “tool for guaranteeing the security, confidentiality, and integrity of citizens using the Internet”, in 2006 the government maintained that the DNIe was “key to solving the security-privacy binomial”, and by 2008 it was recognized that a key objective of the DNIe was to “bring the digital world into the old processes of identification and signature” (Source, p. 50). Spain is a leader in the discussions of interoperable identity card standards in Europe, has already exported its technology and standards to areas of Italy, and is aggressively marketing the card technology in Latin America. A substantial military-industrial complex backs the DNIe, and the complex is leveraging their political, symbolic, and monetary capital to push for a European-wide identity card, where each sovereign nation would possess an interoperable card, and each citizen required to carry their card to operate online.

The aim of identity cards – to provide security, identification, and signatures – is doomed to fail, but this prognosis is unlikely to prevent their ultimate spread throughout many ‘modern’ democracies. Bruce Schneier notes that for such identification mechanisms to succeed “we’d need agencies — real-world organizations — to provide Internet identity credentials based on other identification systems: passports, national identity cards, driver’s licenses, whatever”. Obviously, Spain has this infrastructure, though in establishing it identity theft becomes that much more profitable.***

Without some sort of a biometric check at the level of the card itself there isn’t anything that stops one citizen from using another citizen’s card….save for conventional societal norms and law. Lawrence Lessig recognizes that regulation of digital environments are dependent on architecture, markets, law, and norms. In including a biometric ‘check’ on the cards that is mandated by law, it is possible to regulate the card along the lines of architecture, markets, and law. Where Spain, in particular, has a social-normative expectation that cards are required for personal identification, the normative conditions for effective (rather than perfect) regulation are set.

‘Effective’ regulation, of course, doesn’t necessarily resolve either the ’security-privacy’ binomial or signature and identification demands of an identity card. A friend or colleague could log you in, should you forget your card at home, and few biometrics are nearly as effective as suggested by vendors or their media shills. Facial recognition is demonstrably terrible when put to empirical tests, cheap digital-fingerprint systems are easily foiled, and even many iris recognition systems are subverted with photographs of eyes. In essence: biometrics are vulnerable to considerable failure and the number of false positive and negatives render their value questionable as identifiers or signatures (Anderson, p457-82). Accompanying the surrender of authentication processes to government bodies (as in Spain) are considerable worries that the information suffer function and security creep (privacy protection tend  to get clawed back with each new ‘crisis’). The security-privacy binomial is not, and likely cannot, be met using the equivalent of the DNIe, nor can the signature and identification requirements. Even should some of these issues be minimally dealt with, it only increases effective regulation. Teens, criminals, and hackers will all subvert any identity authentication system – never underestimate the motivation to engage in underage drinking, commit larceny, or just tinker.

Now, you might be asking at this point: who is trying to push this policy again? It’s probably a politician, someone who sees identity systems as a great way of gaining political capital with the security-ignorant public, right? Wrong. It’s Marcus Ranum, the CSO of Tenable Network Security, who is well known for his contributions to the security field. At the same time, Microsoft is (again) backing the idea that some sort of authentication mechanism be built onto the ‘net to avoid a ‘cyberwar’ or ‘cybercatastrophe’, this time at the UN level. In Ranum’s case, he argues that anonymity has a temporal value in a few cases – Deepthroat needed anonymity at the time to prevent backlash, but after his death anonymity held no value – and in Microsoft’s opinion a license should be required to ensure that a computer and/or user is ‘fit to surf’.

Obviously, attempts to terminate anonymity and expand online surveillance are not new, nor are the efforts to technologically resist such terminations. If we dispose of the notion that governments are actually aiming to secure citizen’s lives, and instead better ‘embrace’ them for bureaucratic purposes, then the adoption of some sort of IIC makes good sense: it contributes to security theatre (therefore gaining, or at least not losing, votes), could theoretically centralize citizen information (imagine tying the IIC to census data on the backend of the system), and its potentials are only restricted by privacy advocates, ombudsmen, and law. The first tend to be poorly funded, the second often lacking teeth, and the last maleable. If we accept the proposition that modernity’s institutions are accompanied by identity and surveillance systems to more strategically ‘embrace’ citizens and non-citizens as they move through institutional webs (as suggested by Lyon, Torpey, Giddens, amongst many others) then there is considerable paradigmatic force behind instituting an online identity system.****

For the state to ‘embrace’ those passing through its digital conduits perfect compliance may be desired, but isn’t necessary: law, architecture, norms, and markets can propel mass adoption of any such card or system. Spain is incredibly optimistic that it can teach identity card policy and techniques to Europe, and one would expect various members of international copyright cartels to jump at the opportunity for enhanced surveillance that advances along a non-deep packet inspection (DPI) route (on the basis that DPI has, somewhat surprisingly, garnered incredibly high degrees of public resistance). Informally, I’ve been told that cartel members regularly meet with government leaders in Europe to advance the idea of identity cards to fight copyright infringement.

Given the possibility of law to mandate basic architecture, market, and legal conditions for regulating the digital, it is on the social-norms front that governments genuinely have to win the ‘hearts and minds’ of citizens. A key question is whether crises of digital security, and the electronic economy more widely, will be sufficient to soften up Western populations and make them receptive to yet more intrusive, yet modernizing, surveillance systems that embrace national citizenries.

Will an electronic equivalent of Chernobyl lead to a twisted, long-term, combination of the American iPatriot Act and Spanish identity card expertise? Is it only a matter of when, rather than if, IICs or their equivalent are commonplace in the West? I expect that ongoing paradigmatic forces of modernity almost (though not quite) necessitate the eventual attempts (and, ideally, failures) to banish anonymity and introduce IICs or their equivalents. Where do you, my readers, stand?

—————

* Information about Spain is derived from Pablo Ouziel’s unpublished (but digitally accessible) Master’s thesis, The Spanish Identity Card: Historical Legacies and Contemporary Surveillance.

** It should be noted that, as of 2009, there were substantial incompatibility problems between the dongles and computers. The infrastructure is being laid: it isn’t yet in operation.

*** That the central databases for the card are located in a police bunker, amongst a police force that has never truly ‘democratized’ following the transition to democracy raises its own concerns.

**** For more on this notion of nations ‘embracing’ their citizens, turn to Torpey’s The Invention of the Passport: Surveillance, Citizenship, and the State.

Other posts you might be interested in:

1. Identification, Identity Systems, and the REAL ID Act
2. Update: Mobiles and Your Identity
3. Technology – Questions of Digitizing Identity

To take the ‘effort’ to try and remain anonymous requires some kind of motivation, and in North America that motivation is sorely lacking. North America isn’t Iran or China or North Korea; Canadians, in particular, have a somewhat envious position where even with the government prorogued – a situation that, were it to happen in Afghanistan would have pundits and politicians worrying about possibilities of tyranny and violence – there isn’t a perception that Canadians ought to be fearful that proroguement heralds the beginning of a Canadian authoritarian state, or the stripping of Charter rights and freedoms. This said, I think that people in the West are realizing that, as their worlds are increasingly digitized, their ‘analogue’ expectations of privacy are not, and have not for some time, been precisely mirrored in the digital realm. This awareness is causing worry and consternation, but is not yet (and may never be) sufficient for wide-scale adoption of anonymization technologies. Instead, we have worry without (much) action.

But let me back up, just a bit. What motivated the creation of a digital architecture that can be used for limiting anonymity online? What sense of anonymity am I referring to?

To the latter question, I’m referring to the ability to be anonymous at the hardware level of the Internet – I’m interested in remaining ‘anonymous’ in the face of client-server transactions. I’m not calling into question the ability to ‘game’ the web as perceived on Facebook, Yahoo!, Yelp.*  Instead, I’m referring to particular individuals’ abilities to mask their presence or identity on a computer network.

What has driven the limitations upon online anonymity? To begin we need to acknowledge that the ‘net is, contrary to the early Internet Utopians, a perfect domain of control. With immense possibilities for control come opportunities of surveillance, surveillance that can deanonymize individuals and their actions. It isn’t that a particularly nefarious cabal has sought to do this: network engineers and administrators have deployed networking hubs and associated software-driven security appliances to better analyze data traffic and identify sources and destinations of data traffic for a long time to facilitate a fast, efficient Internet. We have witnessed incredible booms in the amount of traffic that is flowing across networks, with an increasing amount of that traffic is harmful to networks and individuals (e.g. DDOS attacks, email spam, phishing). To deal with these, along with other authentication, security, and traffic analysis challenges, network engineers and administrators have made network nodes ‘more intelligent’; intrusion detection systems operate at borders, email analysis often precedes mail hitting your inbox, and multiple levels of authentication and firewalls surround intranets. It’s important to note that networks have grown more intelligent, rather than recently become intelligent; network appliances have always had some ‘intelligence’ to them.** We might say that carapaces have slowly grown around networks as the nature of the network environment itself has evolved.

Given the technical element to data routing, network security, and data usage tracking, networking staff have implemented some technologies that, in the right hands, are as benign/beneficial as a scalpel in an experienced surgeon’s hands but, alternately, are as dangerous as the same scalpel in a psychopath’s grasp. Deep packet inspection (DPI) is one (of many!) such technologies. Last year, Sandvine noted that 160 ISPs purchase their equipment, with 90% of those ISPs using the equipment for some kind of traffic management purposes. This traffic management can extend to modifying the traffic speeds of particular applications, such as those used for P2P file-sharing, to discriminating between different tiers of service. Further, discrimination might mean impeding on some traffic – such as ’suspicious’ traffic as identified by network administrators – or applying an ‘economic’ management system that is dependent on tracking customer data use and charging for bandwidth use. As is obvious, some of the uses I just identified are clearly ‘acceptable’ – if network equipment generally can detect and limit/isolate computers operating in a botnet, that’s a plus as I read it – whereas others – behavioural advertising and carriers delaying competing services – are far less acceptable.

It is critical to identify what is seen as acceptable versus unacceptable uses of any particular networking technology. Targeting use is important, given that there is a lot that goes on behind the scenes that consumers and end-users are largely ignorant of and, to date, have had no issues remaining ignorant of. ‘Computer geeks’ have done their thing, the email has flowed, and everyone has been happy (save, perhaps, for the admins responsible for keeping things running at those moments when an attack overwhelms the network defences…). Because of a general lack of technical training, incredibly poor relationships between large telecommunications companies and end users, and increasing uses of network technologies for surveying and modifying traffic in obstrusive ways, the public is only now getting interested in how our digital networks operate. They’re a few decades late, and their late arrival is generating challenges for all involved. Citizens expect perfect (or, at least largely similar) correspondence between ‘analogue’ and ‘digital’ expectations of privacy, consumers want efficiency and speed, and administrators want secure networks. This is to say nothing of the corporations running the networks, who want to earn a reasonable rate of return on their investment. These concerns don’t necessarily fall into ‘either/or’ categories, but require a common language and commonly understood implementation strategy that is respected by all involved. Developing this language and consensus is, obviously, a daunting task.

Public interest in telecommunication networks is not inherently bad, and in fact is probably a good thing – more people should be involved in making technology increasingly democratic – but participation, at this point, requires that either incredibly good metaphors and analogies need to be deployed, or interested people need to learn something about the technologies in question. Arguably, the line should be drawn somewhere between those two alternatives.

It is even more important that the privacy advocates who are dealing with networking technologies develop an appreciation both for the real challenges faced by network administrators as well as the technical structures underpinning networks themselves. They need to realize that while they defend civil rights, they need to find ways of bringing consumer groups (and, ideally, network operators themselves) onside, as opposed to alienating the consumer and network operator to protect the citizen. We live in market societies: this means consumers have to be placated, or at least feel like they’re being placated. Such placations may often be symbolic, but the effort to recognize the bridge between these multiple agentic points of view must be recognized and, ideally, exploited by privacy advocates.

Further, it is key that privacy advocates possess the technical knowledge to parse what a well-meaning administrator tells them, so that they can subsequently craft their concerns, complaints, and issues in a language that can be accessible to the public and sensitive to the technical realities of the contemporary networked world. In the case of DPI, there are various ways that the technology can be used, and not all of them are harmful. The stance that any analysis of data packets, however transitory, constitutes a privacy infringement would require the abandoning of many incredibly valuable perimeter defences that most end-users are entirely ignorant of. We needn’t toss out the baby with the bathwater! Effectively, without appreciating the particularities of each device and its particular uses, advocates cannot precisely target their complaints for maximum effect: rather than targeting all cars, environmentalists often target vehicles below particular standards; they draw distinctions within a large category and frame solutions for both citizens, the environment, and consumers. Privacy advocates can learn a great deal about how to position issues from surrounding groups, and in many cases already have.

Networking technologies can often be designed to analyze and identify unique users. In many environments this is required for anything from law enforcement (e.g. CALEA), to billing, to traffic analysis purposes. The question is whether or not such analysis and identification, when performed by your Internet Service Provider (ISP), is appropriate or not. In the EU, there are questions over whether any use of DPI or DPI-like technologies constitute a privacy infringement. An element of such questions surrounds whether or not temporary analysis of data traffic constitutes wiretapping (I have doubts) and, implicitly, an element is about what kind of anonymity Internet users can expect. Should our ISP analyze traffic to identify dominant applications used and bandwidth those applications, in aggregate, are generating? Should our ISP be theoretically capable of revealing what particular users do with their Internet connections if law enforcement makes a legitimate request? Should our ISP identify the lowball percentage of data traffic that constitutes copyright infringing material?

It is, of course, when we get to these more precise questions that question of ‘what anonymity are we referring to?’ comes to the fore again, alongside the question ‘what conditions warrant deanonymization?’

The Information and Privacy Commissioner/Ontario maintains that pseudo-anonymity, rather than full blown anonymity, should be the expected and perceived norm of Ontarians in digital environments. By this, an individual can maintain anonymity until they perform some action that crosses the boundary of the law – at that point, it is imperative for a service provider to identify who that individual is so that the arm of the law can reach out and touch them. In effect, IPC/O’s position is that operating in the digital era does not mean that the state’s coercive powers ought to be diminished: the benefits of free, anonymous speech and association can be had, so long as this is done within the confines of the law.

At a broad, principled level the IPC/O’s position on anonymity raises concerns: what if we applied this same set of rules to an authoritarian environment, such as in China or Iran? However, if we move from ‘high-level’ theorizing and generalizations to ‘mid-level’ theorization and better contextualized generalizations the conditions of inquiry change; does the pseudo-anonymity offered in Ontario, which is (generally) an orderly and lawful province in an orderly and lawful nation, meet the expected freedom and association rights of Ontarians without detoothing the provinces and/or nation-state’s coercive power? Clearly this latter question is better contextualized than one would expect from a philosophical treatise on anonymity, and more likely to resonate both with (in this case) Ontarians and Canadians than a ‘high-level’ theory that has to apply universal statements to particular situations without becoming logically or practically incoherent.

Note that I’m not suggesting that we must avoid ‘high theoretical’ approaches to privacy and anonymity – I’m regularly involved in such discussions, and think that the principled position needs to be stated loudly because the speaker is often alone in the room – but that there is a danger in always assuming a ‘principled’ position that refuses compromise and reflective consideration in advocacy. Advocacy is not, as I’m regularly reminded, the same as scholarship. Are networking technologies like DPI likely to be ‘banned’ in the West? Unlikely – were an attempt made, network operators would point out to the public just how ingrained these technologies are in daily operations, and instead (continue to) focus on uses of the technology. If advocates adopt a nuanced and contextualized and principled position, from which they can insist that particular uses of the technology be banned, and frame the benefits of such bans to reach out to consumers and citizens alike, then I think that that advocates will have a stronger foot to stand on.

Concluding, and returning to anonymity more closely, I think that we need to distinguish various ways to ‘approach’ the topic of anonymity. We need to recognize different levels of theorizing about ‘what anonymity means’, analytically distinguish between the domains of expected anonymity (e.g. Internet versus Web versus particular sites on the Web), and collect empirical data that outlines the present practices that would anonymize and deanonymize individuals in each of these domains. After intensively investigating these practices, advocates and citizens alike can proceed to launch complaints, concerns, and raise issues in a highly contextualized, high targeted way that is likely to have superior results than broadly framed worries lacking analytic precision.*** These worries are not just ‘academic’: launching ill-formed complaints can lead to setting precedent that runs counter to privacy-protection, that undermines the instantiation of privacy principles in society and jurisprudence, and potentially waters down constitutional rights. Badly formed complaints don’t just run the risk of being ineffective: they run the greater risk of jeopardizing the principles that privacy advocates defend, principles that often includes anonymity in ‘public’ spaces like the Internet.

———

* I’ve begun differentiating between ‘first’ (hardware) and ’second’ (web-level) presence to mark off this distinction between spaces of anonymization.

** At some point, probably after my February exams, I’m hoping to write something on the use of the term ‘intelligence’ to refer to networks. I find the term incredibly offsetting and awkward.

*** As a note, I recognize that this is ‘ideal’ – often groups suspected of infringing individuals’ privacy are not forthcoming with information. In these cases, advocates should get as much of the best data that they can together and launch the complaint. I’m not suggesting that, where information to create one of these hyper-targeted complaints is unavailable that advocates shouldn’t complain, but that when the information is available the advocate ought to engage with all the available data in a charitable fashion. At the very least, they should try to seek out the information in a rigorous fashion before submitting the complaint.

Other posts you might be interested in:

1. Context, Privacy, and (Attempted) Blogger Anonymity
2. Privacy Advocates and Deep Packet Inspection: Vendors, ISPs, and Third-Parties
3. IPv6 and the Future of Privacy

The Iranian government quickly recognized the power of cheap social coordination technologies and, in response, drastically reduced the capacity of national Internet links – the government, in effect, closed the nation’s Internet faucet, which greatly reduced how quickly data could be transmitted to, and received from, the ‘net as a whole. This claim is substantiated by Arbor Networks’ (Internet) border reports, which demonstrate how, immediately after the presidential election, there was a plummet in the data traffic entering and exiting the nation. (It should be noted that Arbor is a prominent supplier of Deep Packet Inspection equipment.)

Prior to trying to dispel the Fear, Uncertainty, and Doubt (FUD) surrounding the contemporary Iranian ISP-surveillance system that is regularly propagated by the media, I need to give a bit of context on the telecommunications structure in Iran.

The Composition of Iranian Telecommunications

As in Western nation-states, there are a series of ISPs that Iranians can select to receive Internet. The catch is that all data traffic has to pass through the state controlled infrastructure of the Telecommunications Company of Iran (TCI). Household connections have a data-transfer ceiling: in the 2006 Ministry of Communications and Information Technology (MCIT) issued an order that forbade ISPs from providing Internet connectivity to households and public access points that exceeded 128 kilobytes/second. To put this in perspective for Canadians (and others in North America), Bell Canada’s slowest service plan is for up to 256 kilobytes/second (i.e. a 2 Mbps connection). Universities and private businesses in Iran can obtain high-speed access, though as a result of capping residential speeds there has been a substantial reduction in fibre-deployment (and increases in broadband speed), which was rapidly expanding from 2005 – 2007.

The limitation of bandwidth speeds was likely meant to hinder (as opposed to prevent) access to rich-format alternate media sources available on the ‘net (e.g. YouTube, media-heavy websites, etc); when it takes ten minutes to load a BBC broadcast, you go somewhere else to get news instead. The benefit of this strategy is that the government could escape claims that they were censoring content:  it was just delayed, and who minds waiting another few minutes for something they really care about?

Fear, Uncertainty, and Doubt and Iranian Digital Surveillance

The Wall Street Journal (WSJ) ran a piece last summer that accused Iranian officials of using Deep Packet Inspection (DPI) equipment purchased from Nokia-Siemens to survey and censor content. The Journal’s assertions were subsequently picked up by major media sources, and the blogosphere along with reputable journalism sites continue to reinforce the position of the WSJ. The problem, of course, is that that to date there has been little to no reputable reinforcement of the WSJ’s initial claim, and Nokia-Siemens has openly refuted the allegations.

The WSJ asserted that, “[e]very digitized packet of online data is deconstructed, examined for keywords and reconstructed within milliseconds. In Iran’s case, this is done for the entire country at a single choke point, according to networking engineers familiar with the country’s system.” Moreover,  ”Iran is “now drilling into what the population is trying to say,” said Bradley Anstis, director of technical strategy with Marshal8e6 Inc., an Internet security company in Orange, Calif. He and other experts interviewed have examined Internet traffic flows in and out of Iran that show characteristics of content inspection, among other measures.”

After the WSJ piece ran David Isenberg, Mark Hopkins, myself separately found fault with various elements of the story as reported. In summary, we argued that:

• tests for detecting DPI, presently, do not exist;
• Marshal8e6 is a spam/phishing company; there is no reason why they would have any particular insight into DPI, and a look at their website shows that their core business competencies are not in DPI-related activities;
• there is no evidence that the Iranian system uses DPI – all we really have is a lone, anonymous, engineer saying that everything is examined for keywords. Keep this point in mind, as we’ll be getting back to it;
• the WSJ’s primary source, Ben Roome over at Nokia-Siemens, maintains that the company sold only mobile technology capable of lawful access and did not sell DPI equipment. Further, Nokia-Siemens has actually exited the intelligence market, as recognized in the WSJ article.
• it is, quite simply, easier to leverage existing infrastructure rather than import and embed DPI appliances in an already functioning surveillance environment

It’s key to note before getting into the next section that neither myself nor Isenberg are making the claim that DPI isn’t in use, but instead that there is no clear reason to assume that Iranian authorities have incorporated DPI into their arsenal of surveillance technologies (Hopkins is making the full move to state DPI isn’t being used). DPI is expensive to install, and massive inspection comes with a substantial computational and other technical overheads – it’s for this reason that most DPI devices inspect elements of packet streams rather than streams in their entirety when they must be inspected in real-time. To use DPI for full-stream analysis when there are better tools for the job that already are built and running would be mind numbingly stupid, and we have no reason to believe that Iranian IT admins are stupid people.

The Composition of ISP Surveillance in Iran

A very good report on the status of Internet surveillance in Iran was released by ICTRC in 2005, and it’s nicely supplemented by the OpenNet Initiative’s (ONI) report on Iran. From these, we learn that the Iranian government  uses a series of techniques to filter and censor the ‘net. They include:

• the use of SmartFilter (which blocks particular websites and content) by all ISPs. The Telecommunications Company of Iran (TCI) itself has reassumed the role of centralized filtering from the ISPs, according to ONI, though some Iranians still see the old ‘access denied’ images that are branded by their ISP. ONI’s findings suggest that the technical difficulties of centralized filtering, identified in the ICTRC report, have likely been overcome.
• New ‘block sites’ are added to the ever-expanding list of blocked websites, many of which are aimed at countering ‘immoral’ inclinations or limiting dissident political communication.
• Internet ports are regularly closed by ISPs in accordance with government edicts. These ports are used to access proxy servers, such as TOR, which give Iranians access to the uncensored Internet.
• Prior to data exiting the Iranian telecom environment and entering the global Internet, all requests are passed through proxy servers that permit keyword filtering. Web searches containing particular words may be blocked, and because content is passing through proxy servers there is the possibility of monitoring all unencrypted  traffic, including chat conversations, email, and web browsing.

In the WSJ article an anonymous engineer stated that “We didn’t know they could do this much … Now we know they have powerful things that let them do very complex tracking on the network.” While the WSJ alleges that this is a reference to DPI, I would suggest that the engineer is probably referring to the Iranian government having backtracked on stated uses of their proxy-based surveillance architecture. You see, in 2006 the Communication and Information Technology Ministry announced that their surveillance apparatus:

…would block access to unauthorized websites, identify Internet users, and keep a record of the sites they visit. The system administrator would have access to this information.

The ministry subsequently denied that the filtering facility could identify users and track their browsing habits, and it stressed that it only wants to block access to pornography. There also were acknowledgements that the previous methodology was imperfect, and a “filtering databank” would be more precise and make fewer mistakes.

Given this broader context, from 2006, engineer’s statement – that they hadn’t thought the government’s apparatus was designed to massively identify users and record visited sites – makes quite a bit of sense; he didn’t know that the government had adjusted how they were using infrastructure already known to exist. If you recall, the engineer had made a reference ‘keyword filtering’, and it only requires a proxy to analyze text. DPI is not required. Further, when Marshal8e6 Inc. referred to content analysis having been performed, the corporation might have been referring to the proxy-based keyword analysis and not DPI surveillance. Given that an already impressive surveillance infrastructure utilizing proxy-based servers has existed for several years now, and is capable of the filtering being witnessed today, it’s unclear how the present monitoring of digital communications requires, or indicates the use of, DPI appliances. On the basis that sources for the article can easily be read as referring to already known t0 exist surveillance systems their statements shouldn’t be used to support the WSJ’s claim that Iran is using DPI, but that the proxy-system is more impressive than previously thought. The latter is an entirely reasonable claim; the former outlandish and requiring substantial reporting to guarantee accuracy.

Intelligence Through Social Networks

Given the supposition that DPI isn’t being used for surveillance purposes in Iran right now one might ask: how is it, then, that seemingly cautious protestors and organizers who practice ’safe computing’ (i.e. encrypt their data traffic) get caught? In response, I would suggest that rather than focusing on ‘how they broke the encryption’ there needs to be a focus on ‘where they find, and how did they exploit, weak links in the network?’

If just one person transmitted unencrypted data and compromised organizers’ names, then the authorities would have a place to start their investigations. Alternately, if someone in Iran routinely encrypts most of their data traffic they likely rise to the attention of network administrators. Administrators could very easily be under orders to pay attention to any non-encrypted data traffic that such persons of attention transmit to the ‘net, in the hopes of gaining content-based insight into what the encryption-user might be doing, saying, or who they are speaking with online. Moreover, even if you’re sending encrypted email to protect yourself against proxy-based traffic analysis, if your email is stored on an Iranian ISP’s server then the messages are unlikely to be secure when ‘at rest’ on the server itself. Protecting the data in transit isn’t sufficient when you can’t trust your ISP. Finally, there are reports of officer’s seizing people’s laptops, but occasionally leaving the people themselves alone, again negating the value of encrypted data transmissions if data at rest on the computers isn’t similarly secured.

There is often far more to gain in developing social profiles of people and their related associates than on combing through all the data collected of every person; the situation with the Christmas Day bomber last year demonstrates that an excess of particular information, and failure to develop a comprehensive network intelligence system that identifies key threats, is a critical limitation. Without a system that identifies possible ‘persons of interest’ agencies are limited in their abilities to target the ‘right’ person. In developing relationships of people, it is possible to create profiles and map out who is who in vast networks. With the potential to use social demographics to identify ‘key’ figures in any social organization the ‘danger’ in broadcasting oneself through Twitter, Facebook, or other social media environment arises from facilitating network-level intelligence: Who are the key broadcasters and rebroadcasters of messages? Who generates ideas that are rapidly disseminated through the population? Who are the (largely) passive listeners? The last group is probably non-deserving of immediate persecution, but they will be motivated to identify and listen to the first two groups. Thus, if you just watch to see who the ‘passives’ are almost all listening to, you can pick out ‘key’ members of any revolution that target them, weakening or extinguishing the winds of change. The weakest link in a revolution need not be the leaders, but can come from nuanced social profiling, and the Web 2.0 world arguably facilitates such social profiling in ways beyond even that Stasi’s wildest dreams.

Does this mean that even more advanced systems of digital analysis and aggregation won’t be deployed to identify particular patterns of communication in Iran? No. Does what I (or anyone else, for that matter) have definitely written prove that DPI technologies aren’t being used in Iran? No. What I have done, however, is suggest that existing proxy-based surveillance infrastructure can be leveraged in a manner that explains present censorship and content-blocking practices in Iran, and that traditional intelligence gathering processes are likely just being modernized for the social media world. Neither the preexisting surveillance and censorship, nor the intelligence gathering, requires DPI. In light of the evidence and argumentation I have offered, we ought to leverage Occam’s razor to conclude that proxy-based analysis, not DPI-facilitated surveillance, should be the focus of responsible attention to Iranian ISP surveillance practices.

Other posts you might be interested in:

1. Iran, Traffic Analysis, and Deep Packet Inspection
2. Deep Packet Inspection Canada
3. Virgin Media to Monitor Copyright Infringement