In February I’m attending iConference 2012, and helping to organize a workshop titled “Networked Surveillance: Access Control, Transparency, Power, and Circumvention in the 21^st Century.” The workshop’s participants will consider whether networked surveillance challenges notions of privacy and neutrality, exploits openness of data protocols, or requires critical investigations into how these surveillance technologies are developed and regulated. Participants will be arriving from around the world, and speaking to one (or more) of the workshop’s four thematics: Access Control, Transparency, Power, and Circumvention. As part of the workshop, all participants must prepare a short position statement that identifies their interest in network surveillance while establishing grounds to launch a conversation. My contribution, titled “Transparent Practices Don’t Stop Prejudicial Surveillance,” follows.

Transparent Practices Don’t Stop Prejudicial Surveillance

Controversies around computer processing and data analysis technologies led to the development of Fair Information Practice Principles (FIPs), principles that compose the bedrocks of today’s privacy codes and laws. Drawing from lessons around privacy codes and those around Canadian ISPs’ surveillance practices, I argue that transparency constitutes a necessary but insufficient measure to mitigate prejudicial surveillance practices and technologies. We must go further and inject public values into development cycles while also intentionally hobbling surveillance technologies to rein in their most harmful potentialities.

Lesson Drawing from Privacy Principles and Codes

FIPs are used to make organizations accountable for how and why information is collected, for how information is processed, and for the accuracy of retained information. It is contestable that FIPs, however integrated into policy and law, are effective in preventing surveillance technologies and practices so much as they legitimize them. As noted by Rule, codes based on FIPs “help surveillance systems to achieve their intended ends more fairly and openly” but do not “help us decide when institutional appetites for personal information simply go too far.”[1] Privacy and data protection rules and laws may make data collection and processing activities more transparent while simultaneously failing to “significantly reduce or mitigate the amount of potentially damaging social sorting that occurs.”[2] Moreover, codes and principles are commonly bound within legal privacy protections that “tend to be more circumscribed than the subjective experience of violation associated with new forms of surveillance.”[3] The law simply doesn’t keep up with, or adequately address, the surveillance-related harms and injustices that people experience on a regular basis.

While codes based on FIPs might limit data collection and empower end-users when users know they are exchanging data with specific data collectors, such codes “work less well in systems in which devices blab information indiscriminately so that there’s no way to identify a class of information collectors who can be made subject to the rules.”[4] The Internet, and the devices that silently communicate with data collectors via the Internet, constitutes a space where FIPs minimally limit the spread of surveillance technologies and practices. Even if organizations are held accountable for the data they analyze and process, end-users’ abilities to ascertain who and what is collecting and processing information is limited. Formalized privacy rules, in other words, can influence the fairness of surveillance but are less likely to stop the surveillance practices themselves.

Other posts you might be interested in:

1. Review: Surveillance or Security?
2. Rendering CCTV (Somewhat) More Transparent
3. Technology and Politics in Tunisia and Iran: Deep Packet Surveillance

Photo by Mark Surman

Digital literacy is a topic that is regularly raised at Internet-related events across Canada. As Garth Graham has noted, “some people will remain marginalized even when everyone is online. It’s not enough to give those who are excluded basic access to the technologies. It requires different social skills as much as different technical skills to come in from the cold of digital exclusion” (29). Perhaps in light of Canadians’ relative digital illiteracy, key Canadian policy bodies and organizations have seemingly abandoned their obligations to protect Canadian interests in the face of national and foreign belligerence. Bodies such as Industry Canada, the Canadian Radio-television Telecommunications Commission (CRTC), and the Canadian Internet Registry Authority (CIRA) are all refusing to take strong leadership roles on key digital issues that affect Canadians today.

In this post I want to first perform a quick inventory of a few ‘key issues’ that ought to be weighing upon Canadian policy bodies with authority over the Internet. I then transition to focus on what CIRA could do to take up and address some of them. I focus on this organization in particular because they are in the process of electing new members to their board; putting votes behind the right candidates might force CIRA to assume leadership over key policy issues and alleviate harms experienced by Canadians. I’ll conclude by suggesting one candidate who clearly understands these issues and has plans to resolve them, as well as how you can generally get involved in the CIRA elections.

Cornucopia of Concerns

Internet standards operate as highly visible examples of how technology has been shaped to interoperate in a transparent fashion. Common Internet protocols let networks connect with one another while simultaneously establishing common points of failure. A danger is that if these protocols are exploited then the Internet can be significantly damaged. In effect, where a central trusted node on the Internet is subject to onerous pressures the Internet – and by extension, entire regions that are serviced by these central nodes – is affected. The concerns I raise focus on three types of trust-holders: Internet service providers, DNS root authorities, and certificate authorities.

Internet service providers

Internet service providers, such as Rogers, Videotron, and Bell, receive a considerable amount of criticism from the public, advocacy organizations, industry, government, and the academy. In recent years, criticism has focused on ISPs’ imposition of usage based billing systems, integration and use of deep packet inspection devices, and redirection of traffic to their own web portals. Billing issues arose most recently with large ISPs, such as Bell Canada, demanding changes to how wholesale ISPs were charged for bandwidth volume. Such demands were exacerbated by proposals to charge consumers vastly more for bandwidth usage and what seemed to be anti-competitive efforts to squeeze companies who were competing for complementary products (e.g. cable TV, telephone or voice services) out of the market. The campaign against CRTC-approved changes to how wholesale ISPs were billed for bandwidth initiated a firestorm right at the moment of the last federal election. This arguably opened the policy window for the Canadian government to reject the CRTC’s findings and force the Commission to re-examine the issue.

While public advocates were successful in pushing against changes to the billing regimes, they were less successful in pushing against ISPs’ use of deep packet inspection technologies. ISPs won the right to manage their networks in a non-discriminatory manner and consumers were left on the hook to determine whether discrimination was occurring. This requires citizens, who lack clear insight into the network, to  do their own testing. As I’ve written previously,

The unjustified discrimination of data traffic may not be evident to all consumers, especially when they lack the skills associated with digital literacy to even register the occurrence of bandwidth or application discrimination. Without solid training, many people resort to subjective ‘smell tests’. This approach to identifying whether discrimination is occurring does not contribute to evidence-based, empirically sound, complaints systems or policy responses.

This is a particularly significant issue given that almost all of Canada’s dominant ISPs have violated the rules that the CRTC established concerning the use of deep packet inspection. A small handful of people – academics, advocates, and journalists – bring the public’s attention to the technology’s misuse, often showcasing the excellent work by citizens who are fed up with trying to resolve their own complaints or organized grassroots efforts to hold ISPs accountable.

The final point, that of redirecting traffic to ISPs’ web portals, is a common practice in Canada that is incredibly aggravating. Quite often, when someone in Canada mistypes a URL or a subpage in the domain that does not exist, they are redirected to a portal controlled by their ISP. This practice is formally known as ‘DNS hijacking‘ and involves your ISP intentionally interfering with web queries. These hijacks violate the Internet standards that are supposed to guide how networks interconnect and what constitute ‘legitimate’ modes of directing web traffic. In other areas of the world this is used for censorship purposes. In Canada its used to interfere with Canadians’ web traffic so that ISPs can try to generate some advertising dollars while offering their own degraded search capabilities.

DNS root authorities

Distributed Name Servers (DNS) make the Internet significantly easier for humans to navigate, but in the process of creating ease the DNS system generates choke points where control over communication and speech can be exerted. Paul Mockapetris developed DNS in 1983 to let names be translated to IP addresses and vice versa (for more, see RFCs 1034 and 1035). As a result, when you type a website’s IP address (e.g. 157.150.195.10) or its host name (e.g. UN.org) you are directed to the same location on the Internet – the United Nations’ homepage. The DNS system is, effectively, a massive database that lets individuals type human readable names into their web browsers and be directed to websites and services. A hierarchical network of nameservers facilitates this system.

At the top of the DNS hierarchy are root nameservers, which are authoritative for top-level domains (e.g. .com, .net, .org, .ca, .co.uk, etc). For a top-level domain to exist it must first be registered by one of the root nameservers. Below the root are authoritative DNS nameservers which are responsible for domains associated with distinct top level domains. For example the .com authoritative DNS nameservers translate the IP addresses and host names of all .com addresses, the .ca DNS nameservers translate IP addresses and host names of all .ca addresses, and so forth. Below these two levels are domain resolvers. Resolvers have a cache that can quickly translate human readable host names (e.g. UN.org) to machine-friendly IP addresses (e.g. 157.150.195.10). Because they are physically located near the device making the request they are faster to respond than authoritative nameservers, which are often geographically distant and experience longer queues to return name/IP address translations. Where the resolver closest the end-user (often run by the user’s ISP or business) hasn’t already cached the host name and IP address it immediately contacts other nameservers to get that information and subsequently directs the user to the site/data they are requesting. (For a quick audio-visual walkthrough of how the DNS system works, see this short (2:08 minute) video.)

There are a host of potential problems with the current DNS system:

• It is susceptible to DNS cache poisoning, where an attacker tricks a local resolver into mistranslating. This occurs when an attacker sends a translation request to a local resolver and then floods the resolver with faked resolution responses. If successful, this will cause the resolver to incorrectly direct all web traffic trying to access that host name to a non-legitimate IP address; while you might type ‘UN.org’ into your web browser you could be sent to a site hosting malware, a site that appears like the UN’s but disseminating false information, or so forth rather than arriving at 157.150.195.10. (For a video presentation of how DNS cache poisoning occurs, see the YouTube video “DNS Cache Poisoning Attack“.)
• It operates as a single point of exploitable failure. A case in point: in 2005 a novel poisoning attack was developed by Dan Kaminsky that threatened “to take down vast swaths of the Internet”.
• It didn’t have security designed into it when first developed and deployed because DNS is a trusting system. Domain Name System Security Extensions (DNSSEC) are meant to guarantee that “DNS resolvers receive correct IP addresses for their queries” by providing source authentication (resolvers can guarantee that the IP address information correlated with a host name came from a DNS authoritative nameserver) and integrity verification (resolvers can be assured that the information received from the nameserver hasn’t been tampered with in transit to the local resolver) (Landau 2010: 60). DNSSEC, in effect, alleviates some of the dangers posed by cache poisoning by reasserting the importance of a trusted hierarchy though it still relies on trusting security certificate providers (more on why that’s a problem in a minute).
• It operates as a hierarchy, creating crises between “centralized, hierarchical powers and distributed, horizontal networks” (Galloway 2004: 204). Case in point: assuming DNSSEC were deployed, if the authoritative DNS nameservers were modified so that UN.org didn’t resolve to 157.150.195.10 then all local resolvers would trust the modification. Thus, a government could act on an authoritative nameserver, forcing its owner to modify where packets were routed to, and the change would have global consequences. Importantly, such subterfuge would pass DNSSEC’s source authentication and integrity validation.

Moreover, as a central point of control foreign governments can exert pressure on root nameservers to forcibly redirect the traffic to some websites. The United States’s Immigrations and Customs Enforcement (ICE) has been seizing domain names and redirecting them on the basis of their violating American law since 2010. Such seizures have taken place regardless of whether the sites were legal in their country of operation. Such measures follow from President Bush’s “Enforcement of Intellectual Property Rights Act,” which asserts a need to combat copyright infringement on and off American soil. High-level political guarantees to ‘protect’ intellectual property have been made by the Obama administration as well, with Vice-President Biden asserting that the administration would aggressively use tactics to close websites that offered content illegally per American law.

The effect of ICE’s campaign has been that domains names are being redirected to servers owned by the United States government, even if the servers are located outside of the US. In effect, a foreign government is leveraging its influence and power over Verisign – which controls the authoritative domain rootserver for the .com, .org, and other top-level domains – to forcibly infringe upon website owners’ free speech rights on copyright grounds. Domain names themselves constitute speech acts (see: Chelsea and Westminster Hospital NHS Foundation Trust v. Frank Redmond, The Crown in the Right of the State of Tasmania trading as “Tourism Tasmania” v. Gordon James Craven, and Wal-Mart Stores, Inc. v. wallmartcanadasucks.com and Kenneth J. Harvey) and the seizure of these names without court proceedings has the effect of censoring particular speech (in the domain name) as well as muffling the speech contained at the website which the domain name points towards.

Importantly, because ICE is targeting authoritative name servers no person in the world can resolve the domain names after the seizure takes place. This limits the ability of commercial entities to conduct business both within the US but abroad as well, amounting to ICE-created and –enforced, site-specific, embargos. Further, the U.S. government’s actions threaten innovation by heightening the risks innovators assume by relying on a web presence to monetize/popularize their works. Finally, ICE’s actions supersede the decisions of foreign courts; where a supposedly ‘copyright infringing’ website is found legal outside of the US, ICE imposes American definitions of copyright upon all global Internet users. ICE is globalizing American copyright laws.

Certificate Authorities

Certificate authorities are critical to the Internet’s current security infrastructure. They provide certificates to companies and websites who meet identity and financial requirements. When you visit an https website a series of transactions take place to ensure that the communications channel is encrypted. Encryption prevents third-parties from listening in on the content of the communications. Specifically, when you visit a SSL-secured website the following occurs:

1. The web server transmits its public key with its certificate;
2. The web browser determines whether the certificate was issued by a trusted party – typically a certificate authority – and that the certificate remains valid and is related to the website in question;
3. The browser uses the public key to encrypt a symmetrical encryption key and sends it to the server with the encrypted URL as required, in addition to other encrypted http data;
4. The web server decrypts the key using its private key and uses the key to decrypt the URL and http data;
5. The server sends back the requested html document and data after encrypting it with the symmetric key;
6. The browser decrypts the document and data using its symmetric key.

To initiate the secure transmission process you need a trustworthy certificate authority. This effectively means that the authority must be ethical enough not to violate the trust put in it, be financially resolute enough to refuse bribes, and be willing to publicly fight against attempts by government to compel violations of trust. As written about by Soghoian and Stamm, governments can theoretically compel certificate authorities to issue fraudulent certificates, thus enabling state-actors to conduct ‘man-in-the-middle’ attacks, or those where a third-party injects themselves between the web server and web browser. As noted by Stevens et al.,

Any website secured using TLS can be impersonated using a rogue certificate issued by a rogue CA. This is irrespective of which CA issued the website’s true certificate and of any property of that certificate….Combined with redirection attacks where http requests are redirected to rogue web servers, this leads to virtually undetectable phishing attacks (pp. 36; .pdf source).

In essence this means that if a government forces a major trusted certificate authority to issue a valid (i.e. working) fraudulent (i.e. not issued to the website owner) certificate it can potentially intercept, decrypt, and analyze communications without either the web browser or web server knowing. This fear was made real a few months back and again last month, when certificates were issued for major communications companies such as Microsoft, Google, Mozilla, and Skype.

What can CIRA do?

To be clear from the outset: CIRA cannot resolve all of these issues, but they can assume a leadership role in addressing many of them. CIRA possesses a robust policy development framework (.pdf source) and in their recent survey found that Canadians were incredibly interested in – and concerned about – the safety, security, resilience of the Internet, as well as privacy issues. CIRA has publicly argued the DNSSEC, a security extension to DNS that prevents domain poisoning and domain hijacking, should be adopted by the federal government. At present, however, DNSSEC cannot be implemented where Canadian carriers are involved in domain hijacking. CIRA notes that such interferences strongly interfere with “the norms upon which the Internet was built” and that the “consensus from the international Internet community is that DNS redirection should be prohibited, with the exception of rare instances for purposes of law enforcement.” CIRA feels strongly enough about this issue to suggest that imposing legal liabilities on Canadian ISPs that persist in this practice may be appropriate.  (pp. 14-5; .pdf source).

CIRA’s record on copyright is somewhat more nebulous and could interfere with their strong demands to prevent DNS redirections. In their 2010 Digital Economy filing, the organization notes that updated copyright laws are important to “protect Canadians from illegal activity on-line just as they are protected from illegal activity off-line” (pp. 12; .pdf source). This is a worrying statement, insofar as it is unclear what direct harm Canadians have experienced as a result of the present copyright legislation. Indeed, when compounded with CIRA’s grudging acceptance of DNS redirections for law enforcement purposes it may be that the organization is supportive of American efforts to impose US copyright law throughout the world to ‘protect’ American (and, presumably, some Canadian) rights holders at the expense of judicial decisions in nations where websites are operated.

CIRA could, and should, clarify its position and clarify when a redirect is appropriate for law enforcement purposes. As they are likely aware, redirects are not a significant impediment on serious online crimes such as child pornography (.pdf source), and so it is important for the organization’s directors to explain to CIRA members and Canadians more generally how a redirect – as opposed to taking down servers hosting truly illegal, as opposed to infringing, content – resolves serious legal issues instead of making them more convenient to ignore. Filtering access to particular websites also often runs the risk of being used increasingly expansively. As noted by Villeneuve, filtering is seen as an inexpensive technical solution to the challenges posed by the ease of access to information on the Internet. Regardless of the initial reason for implementing Internet filtering there is increasing pressure to expand its use once filtering is in place. Any avocation for filtering or DNS redirections thus must be made with an awareness of its (in)effectiveness in stopping crimes and likely misuses over time.

It is especially important to work against the unilateral imposition of foreign copyright law on the workings of the Internet, and to ensure that dot-ca and Canadian-held dot-com, dot-org, and other top-level domains are not subjected to inappropriate censorship. CIRA is in the unique position to strongly and loudly argue against unilateral censorship at the root level; should nation-states compel their ISPs to block particular records that is one matter, but to forcibly modify the root is another. While CIRA has been notified of these issues and concerns they have yet to publicly address these issues (.pdf source). Their inaction is something that must change.

Finally, CIRA can and should establish itself as a certificate authority. In various public documents the organization has noted the need to establish a safe and secure Internet. Acting as a trust-agent for Canadians is certainly one way to accomplish this goal. CIRA already has a reasonably robust verification system for its members to ensure that only Canadians who hold a dot-ca domain can claim membership. It could leverage existing policies to become a trusted certificate authority and, ideally, welcome the chance to trial next-generation trust systems (such as www.convergence.io) as part of its mission.

A Technically Savvy, Politically Engaged, Candidate

Only one of the candidates who are seeking election to the CIRA board of directors this year has both the background and interest to push these particular issues to the forefront of CIRA’s agenda. Kevin McArthur is a developer, security researcher, and technical author who has been deeply invested in the network neutrality debate in Canada and at the forefront of examining recent violations of the certificate authority system. His aim is to get CIRA more involved in the issues and debates concerning the Canadian Internet while expanding the scope and role of the organization’s existing Internet Forums. As someone who has actually spent time working with technologies such as Voice over IP that are so vulnerable to network neutrality abuses and is responsible for websites that would suffer badly were they censored using a DNS hijack/redirect. His full portfolio is available at his CIRA election website and his publicly disclosed research efforts at his personal website.

CIRA and You

If you are a dot-ca domain name owner then you can take part in the upcoming CIRA elections. The final members slate has been established and has a series of variously interesting candidates. To take part in the election you must formally become a member; this involves more than just registering your domain. Specifically you must do the following:

1. Membership is free for all dot-ca owners. Sign up for membership. It can take up to a week or so for a membership to be awarded so register as soon as possible.
2. If you are already a member, verify that you can access your member account prior to the election itself. Your login can be tested at http://www.member.cira.ca.
3. Vote between September 21, 2011 – September 28, 2011. Visit https://elections.cira.ca during this time period to vote for your candidate.

The next handful of years promise to be incredibly important for the progression – or regression – of the Internet in Canada. Electing people to CIRA who are committed to advancing its mandate and ensuring the most secure, efficient, and trustworthy Internet ecosystem whilst understanding the full ramifications of their actions is essential. Take the time, sign up to become a member, and vote for the candidate you think will live up to these key principles.

Book Sources

A. R. Galloway. (2004). Protocol: How Control Exists After Decentralization. Cambridge, Mass.: The MIT Press.

G. Graham. (2011). “Towards a National Strategy for Digital Inclusion: Addressing Social and Economic Disadvantage in an Internet Economy” in M. Moll and L. R. Shade (eds.). The Internet Tree: The State of Telecom Policy in Canada 3.0. Ottawa: The Canadian Center for Policy Alternatives.

S. Landau. (2010). Surveillance or Security: The Risks Posed by New Wiretapping Technologies. Cambridge, Mass.: The MIT Press.

Other posts you might be interested in:

1. Draft: What’s Driving Deep Packet Inspection in Canada?
2. Review: Internet Architecture and Innovation
3. Background to North American Politics of Deep Packet Inspection

Image courtesy of the CCPA

I’m happy to let my readers know that Marita Moll’s and Leslie Shade’s (eds.) The Internet Tree: The State of Telecom Policy in Canada 3.0 is now available for purchase. The book interrogates how Canada’s digital future does, and should, look in coming days by discussing present policies and proposing policies to enhance Canada’s position in the digitally connected world. The editors have done an excellent job in contacting academics, advocates, and solicitors from around Canada to develop an exciting and accessible edited collection on Internet and broadband in Canada. It includes scholars such as Dwayne Winseck, Michael Geist, Catherine Middleton, and Richard Smith, along with contributions from Steve Anderson (Open Media), Michael Janigan (PIAC), and a host of graduate students and researchers.

The book is published through the Canadian Center for Policy Alternatives (CCPA). The publisher and editors describe that book as a collection in which:

… committed public interest advocates and academics present primers on provocative digital policy issues: broadband access, copyright, net neutrality, privacy, and security, along with a consideration of structures of participation in policy-making and communication rights.

Contributors to The Internet Tree argue for a digital economy strategy that casts a winning vote for openness, broadband as an essential service, and community engagement and inclusion.

The Internet Tree is available for just $14.95 and is supportive of digital economy strategies that are guided by the principles of openness, broadband as an essential service, community engagement and inclusion, national sovereignty, and digital literacy programs. My own contribution (“Is Your ISP Snooping On You?”) explains the technical and social concerns raised by deep packet inspection to someone who doesn’t know a coaxial cable from a fibre node, with other authors similarly working to explain issues to the layman while offering suggestions to alleviate, mediate, or overcome the challenges facing Canada’s digital ecosystem. It’s got a great set of authors and I’d highly recommend it as a complement to Open Media’s recently published report on digital networks in Canada.

Other posts you might be interested in:

1. Publication: (Un)Lawful Access, Its Potentials, and its Lack of Necessity
2. Dispelling FUD: Iran and ISP Surveillance
3. Boost Up Your Net With ISP Injections

Scholars and civil advocates will be meeting next month in Toronto at the Cyber-surveillance in Everyday Life workshop. Participants will critically interrogate the surveillance infrastructures pervading daily life as well as share experiences, challenges, and strategies meant to to rein in overzealous surveillance processes that damage public and private life. My contribution to the workshop comes in the form of a modest overview of literature examining Deep Packet Inspection. Below is an abstract, as well as a link to a .pdf version on the review.

Abstract

Deep packet inspection is a networking technology that facilitates intense scrutiny of data, in real-time, as key chokepoints on the Internet. Governments, civil rights activists, technologists, lawyers, and private business have all demonstrated interest in the technology, though they often disagree about what constitutes legitimate uses. This literature review takes up the most prominent scholarly analyses of the technology. Given Canada’s arguably leading role in regulating the technology, many of its regulator’s key documents and evidentiary articles are also included. The press has been heatedly interested in the technology, and so round out the literature review alongside civil rights advocates, technology vendors, and counsel analyses.

Downloadable .pdf version of the literature review.

Other posts you might be interested in:

1. Deep Packet Inspection and Law Enforcement
2. Is Iran Now Actually Using Deep Packet Inspection?
3. Deep Packet Inspection and the Confluence of Privacy Regimes

Image by United4Iran

For some time, I’ve been keeping an eye on how the Iranian government monitors, mediates, and influences data traffic on public networks. This has seen me write several posts, here and elsewhere, about the government’s usage of deep packet inspection, the implications of Iranian government surveillance, and the challenges posed by Iranian ISPs’ most recent network updates. Last month I was invited to give a talk at the Pacific Centre for Technology and Culture about the usage of deep packet inspection by the Iranian and Tunisian governments.

Abstract

Faced with growing unrest that is (at least in part) facilitated by digital communications, repressive nation-states have integrated powerful new surveillance systems into the depths of their nations’ communications infrastructures. In this presentation, Christopher Parsons first discusses the capabilities of a technology, deep packet inspection, which is used to survey, analyze, and modify communications in real-time. He then discusses the composition of the Iranian and Tunisian telecommunications infrastructure, outlining how deep packet inspection is used to monitor, block, and subvert encrypted and private communications. The presentation concludes with a brief reflection on how this same technology is deployed in the West, with a focus on how we might identify key actors, motivations, and drivers of the technology in our own network ecologies.

Other posts you might be interested in:

1. Is Iran Now Actually Using Deep Packet Inspection?
2. Iran, Traffic Analysis, and Deep Packet Inspection
3. Background to North American Politics of Deep Packet Inspection

Courtesy of the MIT Press

In Security or Security? The Real Risks Posed by New Wiretapping Technologies, Susan Landau focuses on the impacts of integrating surveillance systems into communications networks. Her specific thesis is that  integrating surveillance capacities into communications networks does not necessarily or inherently make us more secure, but may introduce security vulnerabilities and thus make us less secure. This continues on threads that began to come together in the book she and Whitfield Diffie wrote, titled Privacy on the Line: The Politics of Wiretapping and Encryption, Updated and Expanded Edition.

Landau’s work is simultaneously technical and very easy to quickly read. This is the result of inspired prose and gifted editing. As a result, she doesn’t waver from working through the intricacies of DNSSEC, nor how encryption keys are exchanged or mobile surveillance conducted, and by the time the reader finishes the book they will have a good high-level understanding of how these technologies and systems (amongst many others!) work. On the policy side, she gracefully walks the reader through the encryption wars of the 1990s,[1] as well as the politics of wiretapping more generally in the US. You don’t need to be a nerd to get the tech side of the book, nor do you need to be a policy wonk to understand the politics of American wiretapping.

Given that her policy analyses are based on deep technical understanding of the issues at hand, each of her recommendations carry a considerable amount of weight. As examples, after working through authentication systems and their deficits, she differentiates between three levels of online identification (machine-based, which relies on packets; human, which relies on application authentication; and digital, which depends on biometric identifiers). This differentiation lets her  consider the kinds of threats and possibilities each identification-type provides. She rightly notes that the “real complication for attribution is that the type of attribution varies with the type of entity for which we are seeking attribution” (58). As such, totalizing identification systems are almost necessarily bound to fail and will endanger our overall security profiles by expanding the surface that attackers can target.

Landau argues that key US intercept laws, such as CALEA, often add costs that delay the deployment of new products. Further, such laws act as market barriers to smaller competitors because they find it challenging to comply with laws that demand costly infrastructure investments that aren’t needed for day-to-day operations. To comply with CALEA, telecommunications carriers are increasingly purchasing expensive and fungible systems that integrate deep packet inspection technologies. To offset equipment costs, these same carriers are motivated to use their fungible equipment to prioritize and delay traffic. Landau takes a dim view of such repurposing, writing that:

There is no need to do deep packet inspection to determine traffic priority. The simple solution to the traffic congestion problem consists of IPv6, the long-delayed IP protocol, and Internet usage pricing. IPv6 has two fields, one for service … and one for the quality of service designated by the user … Instead of the ISP determining the traffic shaping, the customer can do so, and can pay for the privilege of employing the faster service (132).

Further, inserting surveillance equipment that can massively mediate data and voice communications introduces intentional vulnerabilities into the communications infrastructure. In effect, wiretapping creates risks to communication security and, by endangering the privacy of citizens’ communications, society’s social fabric. Given the widespread introduction of such vulnerabilities throughout American telecommunications networks, two things are required to ensure secure communications:

1. End-to-end encryption to guarantee message content;
2. Company practices that disallow divulging conversations and that disallow revealing that communications between parties even happened.

Extending her view of communications security beyond the borders of continental America, Landau argues that providing secure communications systems to NGOs and other ‘on the ground’ parties lets them communicate useful intelligence to the world without fearing retribution from local authorities. The US and UN alike have diminishing sites of presence throughout the world but NGOs continue to burrow into the world’s social fabric. The US is thus well served in pumping research dollars into projects such as Tor; only by doing so can America hope to have a informed perception of the world.

After arguing that DPI (and, by extension, technologies replicating DPI functionality) is effectively a totalizing surveillance apparatus, Landau writes:

The real issue about ubiquitous DPI would be a necessary reliance on anonymization tools such as Tor to hide transactional information. Anyone not using these privacy-preserving, security-protecting tools in the face of omnipresent DPI usage by communications providers would be endangering themselves, their companies, and anyone with whom they communicated. Looking purely from the vantage point of security, it is difficult to understand law enforcement’s push for the ubiquitous use of DPI. This is a short-term solution to enable wiretapping with severe long-term negative consequences for communications security (222).

Such long-term consequences arise because infrastructure can be exceedingly challenging to retrofit; once hardware is deployed in the field, networks configured, and policies set in place, modifying them can be devilishly difficult.[2] The potential consequence is that all ICT systems reliant on the Internet to communicate could be vulnerable to security exploits. Were such an exploit ever taken advantage of the public would reduce its trust in its communications systems. With a loss of trust, and subsequent loss of speech, the democratic spirit suffers.

So, what are the solutions? Landau recognizes that the network of yesterday is poorly suited for the needs of today and tomorrow. Rather than trying to retrofit security, authentication, and identification across the entire Internet, a more granular and modest approach is preferred. The widespread adoption and deployment of Software Defined Networks (SDNs) would enable a multifaceted security profile at the switch/node, providing authentication and identification for some, but not all, transactions and transmissions. Worrying that present and future security policies at nodes are subject to economic facts – vendors often receive a greater market share by getting to market first rather than by providing a secure product – Landau argues that all security-driven vendors should be somehow accountable for exploits of their systems. This would place economic risk on vendors, encouraging delays to market in order to resolve security deficits and avoid future economic losses.

The book concludes with a series of principles that are needed to ‘get communications security right. They are:

1. Wiretapping laws and technologies must be measured against the threats they pose to communications security. These laws and technologies should not be implemented if they would substantively threaten the “freedom, security, human dignity, or the consent of the governed” (251).
2. To preserve freedom for posterity, the following must be adopted:
   1. Interception technologies must be designed such that auditing functions are automatically on;
   2. The design of interception access should minimize flexibility to reduce risks that the system can be subverted;
   3. The system should be designated to have genuine two-factor control;
   4. The design should be subject to open public review before implementation in any public network.
3. Any suspension of communications’ privacy protections must only occur for extremely short durations (think measurable in hours or days, not weeks, months, or years) and only during periods of extreme danger. Audits and evaluations of the suspension(s) must follow.
4. Communications surveillance must not impede the working of the press, on the belief that a “nation is a democracy only so long as journalists’ communications are secure” (252).

On the whole, the book is excellent. Landau possesses a deep technical and policy understanding of American wiretapping, and brings both of these to bear in her evaluations and policy recommendations. Further, she is gifted in her ability to explain to the layperson and expert alike how policy and security intersect, with hosts of examples throughout the book to supplement her overall argument that intentional security deficits for wiretapping purposes are dangerous to communications security and communicative privacy. When Landau moves away from security, however, the text is on weaker footing. While the forth estate is an important element of a democracy, one can’t help but think of Herman and Chomsky’s Manufacturing Consent: The Political Economy of Mass Media (and the Propaganda Model more specifically) and feel that her trust and reliance on the American press is somewhat overstated. There are some sections that also seem particularly patriotic – private communications caused Americans to adopt the telegraph more rapidly than their surveilled European counterparts, as one example – which could have been more critical of both American and European communications history alike.

I should point out two caveats that might bother some readers. First, the book focuses on the reality of American surveillance. Landau’s justifications are that the wiretapping and surveillance are complex issues and need nuance, that US choices affect the rest of the world, and that communications intelligence and interference affects economics. A good place to start looking at the economic impacts are on the national, rather than international, level. Second, Landau argues that the line to draw is not between surveillance and civil liberties but between surveillance and security. If either of these conditions are particularly unpalatable, then the book may not be for you.

On the whole, I would highly recommend Susan’s book. It’s extremely well referenced, technically savvy, politically aware, and forward thinking. If you’re interested in the politics of security, what governments and technologists are up to in the field of communications security and communications infrastructure, or the implications of present communications infrastructures for the future of democracy, then you need to buy and read this book.

Footnotes:

[1] For an excellent overview of the encryption wars, see “The Encryption Wars: An interview with Jay Worthington” (link to .pdf).

[2] Her argument here closely follows that of Langdon Winner’s in The Whale and the Reactor

Other posts you might be interested in:

1. Technology and Politics in Tunisia and Iran: Deep Packet Surveillance
2. Transparent Practices Don’t Stop Prejudicial Surveillance
3. Decrypting Blackberry Security, Decentralizing the Future

Image by David Clow

Rogers Communications modified their packet inspection systems last year, and ever since customers have experienced degraded download speeds. It’s not that random users happen to be complaining about an (effectively) non-problem: Rogers’ own outreach staff has confirmed that the modifications took place and that these changes have negatively impacted peer to peer (P2P) and non-P2P applications alike. Since then, a Rogers Communications senior-vice president, Ken Englehart, has suggested that any problems customers have run into are resultant of P2P applications themselves; no mention is made of whether or how Rogers’ throttling systems have affected non-P2P traffic.

In this brief post, I want to quickly refresh readers on the changes that Rogers Communications made to their systems last year, and also note some of the problems that have subsequently arisen. Following this, I take up what Mr. Englehart recently stated in the media about Rogers’ throttling mechanisms. I conclude by noting that Rogers is likely in compliance with the CRTC’s transparency requirements (or at least soon will be), but that such requirements are ill suited to inform the typical consumer. 

Rogers’ Renewed Throttling Scheme

Last December I wrote about how Rogers’ throttling systems were causing significant problems for customers. Specifically, it seemed as though a badly tested update to the Rogers network mediation infrastructure had caused P2P download speeds to sharply fall, and non-P2P applications were also impacted. These problems were confirmed by Keith McArthur, Rogers’ senior director of social media and digital communications, when he wrote that:

As some of you are aware, Rogers recently made some upgrades to our network management systems that had the unintended effect of impacting non-p2p file sharing traffic under a specific combination of conditions. Our network engineering team is working on the best way to address this issue as quickly as possible. However, I’m not able to provide any updates at this time about when this will be fixed. Our network management policy remains unchanged. You can find details of our policy here (»www.rogers.com/web/content/netwo···nagement). We are working hard to ensure that there are no gaps between our policy and the technology that enables that policy.

While it was disturbing that it took months for an official Rogers representative to confirm the problem – and that even upon confirming the issue, no timeframe for resolving it was provided – at least the company publicly recognized the problem and stated that it would be fixed. Further, it seemed that the fix (whatever it entailed) would return the mediation of customers’ data traffic to a pre-September 2010 status. Unfortunately, rather than working to resolve the problem (and maintain the network management policy) Rogers has changed their policy. This change was needed to comply with a CRTC directive – ISPs must be transparent to their customers about Internet Traffic Management Practices (ITMPs) – but since the change has taken place I’ve not seen any suggestion that things will ‘return to the old normal.’

Public Statements and Policy Updates

The most recent CRTC investigation into ISP traffic management policies began after Justin McKillican filed a complaint alleging that Rogers had “introduced changes to its Internet traffic management practices (ITMP) which impacted downstream peer to peer (P2P) traffic without providing the 30 day notice required by Telecom Regulatory Policy 2009-657.” The CRTC’s response (.pdf) to Mr. McKillican and Rogers’ Ken Thompson (Director and Counsel Copyright and Broadband Law, Rogers Communications Incorporated) directed the company to revise its ITMP disclosures on Rogers web pages on the basis that, at the time of investigating Mr. McKillican’s complaint, the disclosure on Rogers’ website was non-compliant with the transparency requirements set down in 2009-657.

In an interview with Carrt.ca about Rogers’ throttling policies (Subscription required), Mr. Englehart stated that Rogers does not traffic shape downstream traffic. Further, he asserted that Rogers had already provided an explicit disclosure of their practices on their web site. The disclosure that had been available to the public for over a year was previously in conformance “with what the CRTC wanted so it’s strange that they’re now saying it needs more work given we did it in consultation with them.” In the interview, he asserted that only P2P was affected by the throttling mechanisms, though his statement stands at odds with Rogers’ actual traffic management policies that have recently been amended. Perhaps Mr. Englehart was unaware that the policy had been amended on the basis that newly deployed technical measures, but this seems unlikely given that the CRTC letter explicitly noted that there were changes to Rogers’ throttling systems.

The changes to Rogers’ traffic management policy are significant. An entirely new section – “Are there other applications that could be impacted by Rogers traffic management measures?” – has been introduced, following almost word-for-word what Bell Canada has published in the same section of their own traffic management policy. Bell (and, now, Rogers) recognizes that sometimes their DPI systems negatively impact non-P2P applications, and puts the onus on the consumer to get things working again. Specifically, users are instructed to setup applications so that they only use IANA-specified ports[1] (with Rogers providing a non-hyperlined URL to the official IANA list on their traffic management page). Specifically, Bell and Rogers customers are told to:

1. Close the affected application along with all P2P applications;
2. Ensure that non-P2P applications have their ports properly assigned;
3. Wait to ten minutes, and then restart the non-P2P application.

Knowing many Bell and Rogers customers, and just how tech-savvy they are, I cannot imagine that many end-users can actually modify port numbers for various programs. As such, the solutions these companies are providing assume that the people who either care enough to find a solution, or can solve it in the first place, tend to be reasonably technically inclined. At the same time, I fully recognize that the provided solutions will most likely comply with CRTC requirements. This suggests that ISPs are invested in making ITMP policies transparent as far as regulators are concerned, but are not so interested in making the entirety of those policies transparent to typical consumers as well.

Consumer vs Technical/Regulatory Transparency

For a system to be considered transparent to consumers it must be described so that non-experts can decode what is being described. Rogers is almost certainly not being transparent to consumers given the brevity of their ITMP policy and because customers must consult a massive text-based document (with little context), modify some applications’ port numbers, and only then have applications properly access the Internet. While such a list lets me set up port numbers on applications to avoid throttling, this is not the case with far less technically savvy individuals. What does the ‘regular consumer’ do when their particular application isn’t listed in the ports (as will happen, often) and they’re experiencing slowdown on non-P2P application traffic?

In essence, while ISPs have publicized how their traffic management policies impact traffic, in the cases of Bell and Rogers only technically savvy individuals can follow the suggested troubleshooting steps. So, while both companies are (arguably) within the confines of regulatory transparency that is required by the CRTC,[2] the transparency that these bodies require doesn’t necessarily mean that end-users without technical savvy will understand how to resolve problems. Similar to how long or complicated privacy policies are only understood by those trained to read and/or write them, I suspect that only those who already have a degree of technical awareness will understand what ISPs are doing to customer data traffic.

For a policy to be ‘consumer transparent’ it has to be non-technical, while specific enough to inform end-users what is going on. Much of Bell’s own ITMP policy is good, insofar as it is understandable and accessible to those who happen across the policy, but the troubleshooting approach that is provided is poor at best. The brevity of Rogers’ own policy, combined with the poor design decisions that reduce readability, means that Rogers has provided a policy that is less transparent to the consumer, while simultaneously meeting much of the CRTC’s own regulatory transparency requirements. Deep packet inspection and Quality of Service infrastructure regularly mediates Canadians’ digital communications. Given the importance of our digital systems I think that ISPs should remain compliant with technical and regulatory transparency requirements, but also ensure that their policies are also transparent and understandable to end-users.

Footnotes

[1] The Internet Assigned Numbers Authority (IANA) is responsible for allocating and maintaining a variety of numerical codes related to technical standards and protocols that undergird the Internet. To learn more about them, read their About page.

[2] Admittedly, in the case of Rogers the CRTC has taken issue with how ‘transparent’ their approach is. Given that Rogers’ policies are written similarly to Bell, I suspect this has more to do with the ease of finding and reading Rogers’ policies instead of what is written. See the below of how to navigate to a few Canadian ISPs’ traffic management pages:

Rogers

1. Go to the Rogers homepage
2. Select ‘Internet’ >> ‘Packages and Pricing’
3. Scroll to the bottom of the page and click on their Internet Traffic Management Practices and Legal Disclosure link
4. In the popup box, click the grey link in the third paragraph labeled ‘click here’.

Bell

1. Go to Bell’s homepage
2. Select ‘Internet’
3. Scroll down to the bottom of the page and click their Network Management link

Shaw

1. Go to their homepage
2. Select ‘Internet’
3. Select the link to their traffic management policies

Cogeco

1. Go to their homepage
2. Select ‘Internet’
3. Select ‘Internet Usage’
4. Select ‘Learn more about Internet traffic management
5. Select one of the six options to learn about, read it, and then either use your browser’s back button or the back button on the page and scroll back down to where you were on the page.

In the case of both Bell and Shaw, there is an easily found, easily accessed, and easily read traffic management policy. In the cases of Rogers and Cogeco it is more challenging to believe that a casual consumer would happen upon the traffic management policies. The text of Rogers’ ITMP policy is incredibly small – I need to move very close to the screen to read the grey 11 font text – and Cogeco’s is buried – multiple links have to be clicked to read the whole policy even after finding it. Neither of these two policies would pass a sniff test for being ‘consumer transparent’, even if they are seen as compliant with legal and regulatory transparency requirements.

Other posts you might be interested in:

1. Background to North American Politics of Deep Packet Inspection
2. Beyond Fear and Deep Packet Inspection
3. Choosing Winners with Deep Packet Inspection

Photo by Hamed Saber

I’ve previously written about whether the Iranian government uses deep packet inspection systems to monitor and mediate data content. As a refresher, the spectre of DPI was initially raised by the Wall Street Journal in a seriously flawed article several years ago. In addition to critiquing that article, last year I spent a while pulling together various data sources to outline the nature of the Iranian network infrastructure and likely modes of detecting dissident traffic.

Since January 2010, the Iranian government  may have significantly modified their network monitoring infrastructure. In short, the government seems to have moved from somewhat ham-fisted filtering systems (e.g. all encrypted traffic is throttled/blocked) to a granular system (where only certain applications’ encrypted traffic is blocked). In this post I’ll outline my past analyses of the Iranian Internet infrastructure and look at the new data on granular targeting of encrypted application traffic. I’ll conclude by raising some questions that need to be answered about the new surveillance system, and note potential dangers facing Iranian dissidents if DPI has actually been deployed.

The Iranian Telecommunications Infrastructure

As in most Western states, Iranian citizens can receive Internet service from a variety of Internet Service Providers (ISPs). Unlike many Western nations, however, all data traffic in and out of Iran must pass through state controlled infrastructure. As further evidence of the state’s influence over telecommunications in Iran,  in 2006 the Ministry of Communications and Information Technology (MCIT) issued an order forbidding ISPs from providing Internet connectivity to homes and public access points that exceeded 128 kilobytes/second. Universities and private businesses can obtain high-speed access.

Limiting broadband deployment hinders access to rich-format, non-state controlled/influenced, media sources. When it takes minutes to load a short YouTube video, or access a foreign nations’ news services, citizens who are not driven to access non-sanctioned material are likely to choose the ‘easy and fast’ options. The impact of delaying particular content transmissions (e.g. over-the-top Internet transmissions instead of broadcast transmissions) has been raised by O’Donnell in “Broadband Architectures, ISP Business Plans, and Open Access,” when writing that

…[t]he subtle manipulation of the technical performance of the network can condition users unconsciously to avoid certain “slower” web sites. A few extra milliseconds’ delay strategically inserted here and there, for example, can effectively shepherd users from one web site to another. (53)

O’Donnell is writing about what happens when ISPs in democratic nations delay content. Given that a few milliseconds can have significant effects on where people get their content from, several seconds or minutes’ delay, combined with an awareness that the state might be monitoring a user’s actions, presumably is even more effective in shepherding users away from over-the-top content and towards sanctioned broadcast-centric content. Of course, delaying data communications and the possibilities of surveillance will not convince all users to adopt state-sanctioned news sources, but not all individuals need to comply with a soft deployment of power for the deployment to be reasonably effective in influencing social order.

Iran and DPI 101

On June 22, 2009, the Wall Street Journal published an article arguing that the Iranian government was using DPI systems to monitor dissident communications. More specifically, the WSJ linked Nokia Siemens Networks’ sale of lawful access equipment for mobile services with the sale of equipment enabling whole-scale governmental monitoring and mediation of all wireline Internet transmissions. The authors of the WSJ article proposed that,

In Iran’s case, this is done for the entire country at a single choke point, according to networking engineers familiar with the country’s system.

In a previous post that analyzed the earliest reports of the Iranian government using DPI, and concluded by stating;

I worry that the WSJ is claiming that DPI is more effective in screening communications than it is in reality, much like we hear claims that CCTV is more effective than studies show. This isn’t discounting that DPI could, potentially, in an ideal world do what the WSJ is suggesting, but networking environments where admins are trying to regulate gigabytes of traffic each second are hardly these ideal environments for mass surveillance and content regulation using DPI appliances. Hopefully the pressure gets Nokia-Siemens or other network manufacturer to fess up about what they sold, but I’m not holding my breath.

On August 3, 2009, Arbor Networks released data suggesting that slow Internet speeds experienced during the attempted Green Revolution was likely caused by the government limiting available bandwidth between Iranian networks and the global Internet. The government may also have ramped up the SmartFilter system that all Iranian ISPs are required to implement. Further, the government might have extended the ‘blocked sites’ list, closed particular ports, or increased keyword filtering as data moved through government proxy servers before getting the web-at-large. The Iranian government is well known to have historically used these techniques to mediate Internet traffic. Indeed, these surveillance techniques were foreshadowed in 2006 by the Communication and Information Technology Ministry, when the Ministry announced that their surveillance apparatus would:

…would block access to unauthorized websites, identify Internet users, and keep a record of the sites they visit. The system administrator would have access to this information.

The ministry subsequently denied that the filtering facility could identify users and track their browsing habits, and it stressed that it only wants to block access to pornography. There also were acknowledgements that the previous methodology was imperfect, and a “filtering databank” would be more precise and make fewer mistakes.

Thus, building on independent reports, scholarly investigations, government statements, and technical analyses, it seemed unlikely that deep packet inspection was being used in Iran to mediate communications belonging to members of the Green Revolution in 2009 and early 2010. In the face of recent events, however, we may need to modify the position of ‘no DPI is used to monitor Internet access’ to ‘DPI or something with DPI-like functionality may be being discretely tested by the Iranian government.’

Deep Packet Inspection in Iran Today

In an interview on October 5, 2010, the vice-president of the Communications Infrastructure Company in Iran said that changes to the Iranian filtering system were coming. Filtering would continue to operate at the gateway layer, the point between the Iranian network infrastructure and the world-at-large. As such, filtering would not be happening at the access layer, a point that is much, much closer to where end-users actually sit in the network infrastructure. Of note, however, was that in the same interview the vice-president suggested that analysis and filtering might shift from the gateway to access layer at some later date. This is significant, insofar as more discrete analysis of traffic could be performed while linking communications traffic with the IP address assigned the modem-of-origin and billing information (e.g. real name, address) for that account. While such investigative work is possible when filtering at the gateway, moving analysis towards the access layer may provide faster correlations between ‘suspect’ traffic and the suspect in question. In effect, if the automated the surveillance system is tightly integrated with the subscriber databases, access layer monitoring could let government agents quickly identify prospective dissidents who are trying to evade state filters in violation of the law. Given that such capabilities exist (though aren’t implemented!) within the Canadian ISP infrastructure (i.e. tying DPI information to subscriber information) it’s entirely possible that a similar framework exists in Iran.

It would seem that whatever the vice-president was alluding to in October has recently become active and is operating at the access layer. One of Iran’s ISPs has begun blocking censorship circumvention tools, including Tor, Freegate, Ultrasurf, and Hot Spot Shield. While the throttling of encrypted communications has previously been reported on, in this case the ISP is specifically targeting particular applications that are encrypting traffic; not all SSL traffic is being throttled.  This is significant, as previously Iran’s innovative shift was to centralize all throttling and analysis at the gateway level. The capacity to identify encrypted traffic and take action on it is something many DPI appliances can do; many applications can effectively be ‘fingerprinted’ based on the ways of exchanging data packets and action then be taken on the packet flows. DPI isn’t necessarily the only way to identify these exchanges and take action on them but it is certainly one of the more effective strategies. Such access layer analysis will likely supplement already existing gateway surveillance, enabling a better multilayered surveillance aparatus.

Key Issues, Today

If DPI appliances are being used to monitor and impact data traffic by an Iranian ISP today, the first thing to ask is who has sold the equipment to Iran. As van Schewick notes in Internet Architecture and Innovation,

…when choosing to exclude an application in order to manage bandwidth, network providers may consider whether the application is easy to detect, whether their preferred vendors’ products can detect the application, or whether blocking or throttling the application has a noticeable effect on traffic. (350)

Given van Schewick’s comment, if Iranian ISPs are using DPI, which company or companies provide the capacity to identify and filter data traffic for Tor, Freegate, Ultrasurf, and other censorship evasion tools at an ISP-level? If only a few Western systems can effectively detect this traffic then we might identify who, exactly, sold what to the Iranian government/ISPs. Knowing the vendor and product could help put legal pressure on the vendor, both to prevent future sales and to reveal any flaws in how they mediate censorship evasion traffic.

Next, how quickly and easily can such identification systems, regardless of the underlying technology used in the identification, match up uses of evasion tools and ISP subscriber information? This is important because correlating evasion traffic with individual users heightens the potential for direct state coercion towards Iranian citizens. Further, if other ISPs have deployed similar systems in a passive mode then dissidents might be being mapped right now. Admittedly, if my own aim was to suppress (or identify) technically savvy members of a revolutionary body I would collect intelligence passively for as long as possible. Should the ISP cease its current actions, if it stops impeding the traffic flows of censorship evasion software, I would assume that the government had adopted a passive intelligence strategy to map problematic citizens/Internet subscribers.

Finally, are the tools presently deployed by the Iranian government capable of modifying unencrypted packet streams in a reasonably automated fashion? If so, when subscribers are caught using evasion tools can packet streams be modified such that malware (e.g. key logging software) is installed by taking advantage of browser exploits?

Regardless of whether deep packet inspection or some other monitoring system is being used to limit access to censorship evasion tools, the deployment of such systems constitutes a massive evolution of Iranian surveillance and mediation efforts. The government attacker, partnered with ISPs, has become an even greater threat than before to free speech and association advocates, to say nothing of the members of the Green Revolution, than ever before.

Other posts you might be interested in:

1. Technology and Politics in Tunisia and Iran: Deep Packet Surveillance
2. Iran, Traffic Analysis, and Deep Packet Inspection
3. Deep Packet Inspection and the Confluence of Privacy Regimes

Photo by StartTheDay

Funding, technical and political savvy, human resources, and time. These are just a few of the challenges standing before privacy advocates who want to make their case to the public, legislators, and regulators. When looking at the landscape there are regularly cases where advocates are more successful than expected or markedly less than anticipated; that advocates stopped BT from permanently deploying Phorm’s Webwise advertising system was impressive, whereas the failures to limit transfers of European airline passenger data to the US were somewhat surprising.[1] While there are regular analyses of how privacy advocates might get the issue of the day onto governmental agendas there is seemingly less time spent on how opponents resist advocates’ efforts. This post constitutes an early attempt to work through some of the politics of agenda-setting related to deep packet inspection and privacy for my dissertation project. Comments are welcome.

To be more specific, in this post I want to think about how items are kept off the agenda. Why are they kept off, who engages in the opposition(s), and what are some of the tactics employed? In responding to these questions I will significantly rely on theory from R. W. Cobb’s and M. H. Ross’ Cultural Strategies of Agenda Denial, linked with work by other prominent scholars and advocates. My goal is to evaluate whether the strategies that Cobb and Ross write about apply to the issues championed by privacy advocates in the UK who oppose the deployment of the Webwise advertising system. I won’t be working through the technical or political backstory of Phorm in this post and will be assuming that readers have at least a moderate familiarity with the backstory of Phorm – if you’re unfamiliar with it, I’d suggest a quick detour to the wikipedia page devoted to the company.

Before initiators and opponents actually start fighting about the agenda, issues must first be identified. Not all problems are deemed significant enough to warrant attention and others are seen as outside of the agenda-holder’s purview. How then do initiators, such as privacy advocates, successfully present issues and get them on the agenda?

Getting to the Agenda 101

A policy initiator has to successfully define their issue-of-interest to get it onto the agenda. Initiators must “connect a problem to cultural assumptions about threats, risk, and humans’ ability to control their physical and social environments” (Cobb and Ross 1997: 5). This often entails a three-step process:

1. A name must be given to the problem that resonates with the public. As an example: Deep Packet Inspection (DPI) is an illegitimate surveillance system that breaks the law and intrudes on personal privacy.
2. Having named the problem, a culprit must be shown as responsible for unfair treatment experienced by victims. In the UK, Phorm and BT are shown as mutually complicit in deploying a DPI-based advertising system, in secret and in contravention of wiretapping laws. Such surveillance offends citizens’ communicative dignities.
3. After naming the problem and blaming a party for the problem, initiators of a new policy must make arguments to attract support. These arguments should be framed to let members of the public impose their own meaning on the advocates’ message. Further, the arguments should reveal the social significance of the problem, appeal to the temporal relevance of the issue, frame the problem in non-technical language, and reveal the problem as categorically unique.

Per Cohen, Marsh, and Olsen (1972: 2), there are four separate policy ‘streams’ that policy initiators need to link together to get their issue onto the agenda; problems, solutions, participants, and choice opportunities. Kingdon (2002) compresses this set of windows, proposing that there are three ‘families’ of processes in federal agenda-setting processes: problems, policies, and politics. The success of the UK groups, then, has been dependent on framing their issue as a problem with a policy solution while linking with policy participants. Such participants must be able to affect the issue and willing to enact change. When analyzing policy windows it is critical to attend to the situational politics around prospective participants in the policy subsystem. If the situation prevents actors from acting then policy initiators may be unable to align policy windows and advance their issue to the governmental agenda. Effectively, even if privacy advocates frame their issue and identify a solution, the politics of the day may jeopardize attempts to put the issue on the government’s agenda.

Opposing Policy Initiators

How, exactly, are politics framed in a way that precludes actors from acting or policy windows from aligning? In Western democracies there are three typical choice-types available to those opposing advocates:

1. Low-cost strategies stressing non-recognition of the advocate position;
2. Medium-cost strategies attacking the advocates’ proposed policy;
3. Medium-cost strategies symbolically placating advocates [2]

I’ll consider the strategies in turn, in relation to BT-Phorm and UK privacy advocates. I’ll conclude the post by proposing a series of research questions that stem from the EU ultimately stepping in and placing Phorm on its agenda despite UK regulatory bodies’ unwillingness to take up Phorm as an actionable agenda item.

Low Cost Strategies

Opponents of policy initiators often hope that voices outside the halls of power will just go away if they’re ignored. Ignoring problems is meant to deflect advocates, though the tactic is less successful when opponents face highly motivated policy initiators. The case of Phorm serves as a good example. After trying to ignore complaints from the user community, BT eventually admitted that they had tested the Phorm advertising system. This disclosure was motivated both by technical analyses of the BT network, the leaking of internal BT documents discussing a trial of the Webwise system, and pressure exerted by privacy advocates.

The actual problems that users experienced, however, were isolated, and the number of people affected were limited; not all BT customers were unknowingly enrolled in the test and of those who were, not all suffered material degradations of their Internet service. On the basis of both points advocates were pushed aside; they weren’t advocating on the behalf of a large population, and within the trial population only a small number were materially affected by the advertising system. This technique of dismissing claims based on the population affected is formally referred to as “antipatterning”, and it sees opponents put pressure on advocates to demonstrate that their concerns extend beyond a small subset of individuals and that the problem is important enough to rise to the agenda.

Key to opponents’ low-cost strategies is a refusal to communicate with initiators. A traditional tactic is to use the legitimacy associated with communicating directly with another person as a bargaining chip; initiators must set aside certain facets of the problem, or the issue must be framed in an ‘appropriate’ way for the conversation to begin ‘in earnest’. This has the effect of conditioning the issue that advocates raise, coercing them to make the issue more amenable to the agenda that their opponents want the government to work with. The other advantage associated with not or minimally communicating with advocates is that the action forces advocates to expend precious resources to gain publicity and find allies. Both are needed for an advocate group to convince opponents and officials alike that the issue they are championing deserves to be placed on the agenda.

Middle-Cost: Attacking Advocates’ Proposed Policy

Where initiators are already regarded as highly legitimate (e.g. a well-known, financed, politically savvy privacy advocacy group) then opponents will focus their attacks on the groups’ proposed policy. Such attacks commonly revolve around disputing advocates’ facts or the logic of their arguments. When raising issues about the nature of a privately owned digital network this tactic is quickly used: How can advocates make the claims they are, given that they have never operated the massive network? Without logs (secret and proprietary corporate information) how can advocates support their worries?

In addition to challenging policy initiators based on factual and logical grounds, opponents can raise the spectre of costs: If advocates successfully place their issue on the agenda, the end-result could be higher costs for all users of a service. Alternately (and possibly more effectively), if advocates are successful then users might be denied some sort of a reward. In the case of many DPI-based advertising system users are promised additional security resulting from DPI analyses, reduced bills, and so forth. Given the ‘carrots’ associated with DPI, advocates must translate issues that the public often regards as ‘intellectual’ into ‘meat and potatoes’ problems – how does DPI affect the common citizen, in an embodied and direct manner, on a daily basis.[3]

When the advocates themselves lack a pre-existing legitimacy, or lack ‘protective credentials’ or positions (e.g. advanced degrees, employment in a field related to the issue, etc), opponents may work against the group itself and bypass a policy-based critique entirely. Such attacks are intended to reduce advocates’ credibility. Phorm arguably attempted this (too late!) when creating their ‘Stop Phoul Play’ website that sought to discredit privacy advocates. Phorm’s efforts fit nicely into Cobb’s and Ross’ expectations that the opponent would try and link policy initiators to negative stereotypes (as serial agitators and ‘privacy pirates’) but it is less clear to me that they sought to blame advocates for the problem itself.

Privacy advocates tend to frame issues so as to claim the high ground of the issue at hand, pointing to economic, physical, psychic, or other indignities resulting from the issues they are pushing onto the agenda. Per Cobb and Ross, opponents are driven to neutralize these claims and such attempts were evident in the Phorm saga. Opponents pointed to the use of ISP networks for the transport of copyrighted material, transport which opponents maintained raise costs of doing business and thus for providing consumers’ Internet service. On this basis, Phorm’s advertising was valuable in offsetting rising costs resulting from ‘piracy’ actions, actions Phorm associated with the privacy campaigners themselves.

Finally, outright deception is sometimes used in this middle-cost attack strategy. Deception can entail “lying, spreading rumors, or planting false stories in the media. Deception involves the dissemination of materials known to be inaccurate or of questionable veracity” (Cobb and Ross 1997: 33). Advocates in the UK experienced these kinds of actions by Phorm, including accusations that a lead advocate had been fined for tens of thousands of dollars for copyright infringement.

Thus, in aggregate, we can see that BT and Phorm reacted as an opponent using mid-cost strategies meant to undermine the problem’s legitimacy as a potential agenda item, and that the opponents also sought to undermine the legitimacy of the advocates advancing the issue. These mid-cost attacks were supplemented with attempts to placate advocates, and arguably were successful in removing an influential policy initiator (Privacy International) from the (public) policy landscape.

Middle-Cost: Symbolically Placating Avocates

Symbolic placation typically involves opponents adopting “a language emphasizing mutual interests, and the zero-sum vocabulary associated with adversarial conflict is set aside” (Cobb and Ross 1997: 34). While placating advocates has the effect of legitimizing their issues, it does so in a manner that lets opponents retain control of how, why, and when the issue is actually raised to the agenda. Placation often entails establishing committees of some sort to study the problem and is more generally meant to defuse conflicts and weaken the momentum initiators have developed.

A particularly common tactic is to reach out and co-opt advocates’ actual or potential allies, offering jobs, positions, and other benefits to ‘work with’ the opponents. Privacy International arguably suffered this tactic. Phorm hired Simon Davies (director of Privacy International) to evaluate the Phorm Webwise system, and subsequently leveraged the fact that Davies was associated with the company to strategically limit Privacy Internationals’ influence. Specifically, the report produced by Davies maintained that the advertising system had to be opt-in and resolve questions around the legality of communications intrusion before it went live, but Phorm focused on the fact that Privacy International was working with the company and had positively evaluated the system. Somewhat surprisingly, and pleasantly, the absence of Privacy International didn’t let BT’s and Phorm’s activities continue unrestrained; other UK privacy campaigners jumped in to fill the void.

We have yet to see the tactic of postponement – where opponents agree with the validity of the grievance but identify reasons for why it will take time to resolve the issue – or a focus on past accomplishments and trustworthiness to justify the continuing existence (as opposed to resolution) of the issue. We may see both of these sooner rather than later, when the EU concludes their own investigations into Phorm and BT, and the UK government runs out of avenues to appeal the impending EU decision.

Complicating Politics

Much of the agenda-setting literature focuses on the federal level of analysis, investigating how issues become important on a national scale. Most of the BT-Phorm issue has revolved around agendas at the national level in the UK, but (somewhat) recently the EU has put Phorm on its own supranational agenda. This adds a level of complexity to the efforts of the privacy advocates seeking to shape deep packet inspection as an agenda item. Advocates sought to motivate the UK national agenda that opponents were deeply involved with, and were only moderately successful in putting their issue on the agenda. More specifically, while advocates successfully initiated political discourse about the technology the companies associated with the advertising system have successfully delayed or stifled regulatory action. Whether the regulator is subject to capture or not remains an open question, but in the face of external supranational oversight a national(ist) regulatory body may attempt to justify its behaviour to retain its own political legitimacy. The body may reframe the issue, away from advocates, focusing on a need to protect sovereign decision-making capability instead of actually regulating the DPI-based practices themselves. Thus, while advocates may find an ally in a supranational body, this body’s potency may shift the terms of political avoidance to the maintenance of political and decisional sovereignty.

To better understand and evaluate the impacts of shifting the issue to a supranational agenda in contravention of the attention paid to the issue on the national agenda, it is important to gain perspective on why, exactly, UK regulatory bodies have been so tardy in responding to the issue. These bodies have not been actively engaged in either of the medium-cost attack strategies, instead adopting a low-cost strategy of simply avoiding the issue. Does the transition to a supranational level of analysis shift how the UK body perceives DPI as an agenda item? Does it change the kinds of tactics that it considers (e.g. moving from avoidance to either symbolic placation or launching an attack on the legitimacy of the issue as a problem, or the legitimacy of either advocates or the EU commissioner)? Does the body seek to reframe the issue from one of privacy and law to one of political sovereignty? What, specifically, motivates the subsequent tactics, or does a system of continued avoidance persist despite the elevation of the issue?

These are the kinds of questions that I will be pursuing in the coming months as I conduct research for my dissertation; as/if I develop responses, I’ll be writing about them here.

Books Cited:

R. W. Cobb and M. H. Ross (eds.). (1997). Cultural Strategies of Agenda Denial. Lawrence, Kansas: University Press of Kansas.

M. D. Cohen, J. G. Marsh and P. P. Olsen. (1972). ‘A Garbage Can Model of Organizational Choice’, Administrative Science Quarterly. 17(1). 1:25.

J. W. Kingdon. (2002). Agendas, Alternatives, and Public Policies (Second Edition). New York: Longman.

Footnotes:

[1] For an excellent discussion and evaluation on how the transfer game was lost, read Abraham’s Protectors of Privacy.

[2] There is a forth potential approach to opposing advocates, high-cost strategies that often rely on “electoral, economic, and legal threats, as well as economic sanctions or legal actions, arrest, imprisonment, and organized violence.” While such approaches are sometimes evidenced, they are exceptional and rare.

[3] Translating issues for the public may not always be successful, or a good use of resources for some privacy advocates. Where advocacy groups are resourced or experienced, or simply integrated into an existing policy community that is more receptive to their claims than the public, the groups may work within their policy group instead of trying to convince the public of the poignance of the issue. The choice made – to get mass support or work within an existing policy network and its subsystems – may relate to the characteristics of the advocacy group in question.

Other posts you might be interested in:

1. Deep Packet Inspection and the Confluence of Privacy Regimes
2. Privacy Advocates and Deep Packet Inspection: Vendors, ISPs, and Third-Parties
3. Draft: What’s Driving Deep Packet Inspection in Canada?

by Simon Tunbridge

There is an ongoing push to ‘better’ monetize the mobile marketplace. In this near-future market, wireless providers use DPI and other Quality of Service equipment to charge subscribers for each and every action they take online. The past few weeks have seen Sandvine and other vendors talk about this potential, and Rogers has begun testing the market to determine if mobile customers will pay for data prioritization. The prioritization of data is classified as a network neutrality issue proper, and one that demands careful consideration and examination.

In this post, I’m not talking about network neutrality. Instead, I’m going to talk about what supposedly drives prioritization schemes in Canada’s wireless marketplace: congestion. Consider this a repartee to the oft-touted position that ‘wireless is different’: ISPs assert that wireless is different than wireline for their own regulatory ends, but blur distinctions between the two when pitching ‘congestion management’ schemes to customers. In this post I suggest that the congestion faced by AT&T and other wireless providers has far less to do with data congestion than with signal congestion, and that carriers have to own responsibility for the latter.

Since the first generation iPhone was exclusively released to AT&T in the US, AT&T’s network woes have become almost legendary amongst smartphone users. Dropped calls. Slow downloads. Dead zones. From today’s vantage point, we often forget just how remarkable it is for a smartphone to properly display the web with a rich browser, let alone how significantly we have embraced ‘application-based’ computing on our smart devices. While these portable computers (with bolted on phone-capabilities) are delightful to use, wireless providers around the world often warn us about ‘data pigs’ who ‘hog’ all the bandwidth to the detriment of fellow wireless customers. How dare those paying a premium for wireless bandwidth use it!

To underscore the ‘dangers’ that these ‘pigs’ pose, the problems facing AT&T’s wireless network are regularly called forth by carriers and media to demonstrate just how bad things can get if networks are poorly provisioned. The problem is that, while there have been massive increases in the amount of wireless bandwidth that providers have to transit, data transmissions are not solely responsible for congestion on AT&T’s network. Let me explain.

AT&T’s network has experienced a 5000% increase in wireless data transit in the past few years. This growth has been fuelled by the hosts of smart devices brought to market since the release of the iPhone, with Apple’s products and Android-OS devices accounting for a considerable percentage of that growth. The story goes that, since smartphone ‘pigs’ are breaking the Internet for everyone, the pigs should have to pay extra for the privilege, with Rogers’ presently contemplating whether these customers should pay a surcharge if they want to evade network congestion. With the regularity that data congestion is written and spoken about by the media, congestion has become a ‘fact’ around which discussions about managed Internet services are oriented around. Congestion is the ‘fact’ that reinforces why consumers need to subsidize massive infrastructure investments. Congestion is also a fact that desperately needs public contestation.

What mobile providers are less likely to talk about are the technical difficulties facing AT&T around the smart devices they support. The iPhone, along with other smart devices including the Blackberry and those running Android, has historically been configured to drop data connections once any requested data is received, reinitiating a data connection when the device requires additional data. This technique conserves battery power but has the unfortunate effect of overloading the signalling channels that cell nodes use to set up data connections, signal phone calls, transmit SMS messages, receive voice messages, and so forth. Save for in extremely poorly provisioned areas, data capacity itself on the cell nodes is rarely a problem. Instead, older networks that didn’t see early adoption of heavy texting or data use (read: North American networks) must be upgraded to handle an ever-increasing number of devices that are rapidly connecting and disconnecting from the networks.

What does this mean for congestion, then? It means that while an incredible minority of users might be using truly “amazing” amount of data (read: 2+ GB/Month), simply having a contemporary, pre-iOS 4.2 Apple product on your person contributes to cellular ‘congestion’. (The same is true if you use a WebOS device, Android-based phone, or a Blackberry.) Why the distinction between versions of Apple’s operating system driving their mobile product lines? Because from Nokia Siemens Networks’ tests last month we’ve learned that the newest version of iOS corrects Apple devices’ signalling problems. Apple has implemented a signalling technique that both increases battery life whilst addressing the signal congestion problem; they’ve simultaneously made things better for both the consumer and the carrier.

To recap: Apple has largely corrected the congestion problems cause by their devices, when those devices are used in well-provisioned wireless networks. This was accomplished by upgrading iDevices’ operating systems, not by building out new carrier infrastructure. Imposing higher fees for carrying data, reducing data consumption, and so forth has a minimal effect on the kinds of signalling congestion caused by contemporary smart devices.

So, what lessons can we drawn from these actual, engineering-based, facts?

1. The language around congestion is unclear and needs to be better nuanced. Wireless providers use AT&T’s woes as demonstrations of what happens when the networks experience data congestion. Data congestion is great for carriers because it’s easy to ascribe responsibility for excess data usage: customer A has used a lot of data, caused congestion, and now has to pay for it (though the sidenote is that these customers are already paying for their bandwidth; when was the last time your wireless provider just gave away wireless bandwidth?). Our public debates need to incorporate the notion of signal congestion, where the devices sold to us by wireless providers are themselves responsible for congestion. If providers are selling (on long-term contracts) devices that they know cause signalling congestion, why should the customer ever have to pay extra for their faulty device to be made fully operable? While it might be acceptable for customers to cover come data congestion costs, carriers must be held responsible for selling devices that cause signal congestion.
2. We need engineers to take part in public discussions if we’re to understand the actual problems facing wireless providers. Engineers understand ‘network management’ a bit differently than most business executives; the former want the network to function at a technical level, whereas the latter want the network to be productive in a technical and economic sense – the network needs to be operable, but it also needs to be maximally profitable while operating. Before we can discuss (ir)rational economic and business practices, everyone needs to be on a common technical footing, and this means engineers with knowledge of the networks are essential for well-informed debate.
3. In the absence on engineers coming forward from within the wireless provider companies to correct the technical facts around signal and data congestion, some kind of oversight mechanism of wireless networks is required. Whether this is a federal institution, an international association, or something else isn’t key for my overarching point: we need someone to keep providers honest about what causes problems on their networks.
4. Before we talk about offering ‘prioritized service’ to smartphone customers, we desperately need to clarify whether this service is designed to monetize signalling congestion or data congestion. If it’s a case of the former, then we need to talk about providers’ responsibilities to offer fully functional and compatible smartphones; customers shouldn’t be punished financially for being sold technically limited devices. If signalling is the problem, then Rogers’ efforts constitute a monetization strategy designed to take advantage of archaic infrastructure that desperately would need updating. If, however, independent third-party engineers can examine the Rogers network and recognize that their customers are actually experiencing data congestion – that signalling congestion is an absolute non-issue for Rogers – then a discussion about data congestion can and should take place.

A key part of any debate, a part often unspoken, revolves around the framing of an issue. Framing constitutes what a news report/blog “presumes to be significant, how it certifies the relevant players, how it narrates the conflict. Each statement renders the others invisible. The frame is most powerful not for what it includes, but for what it leaves out as either insignificant or obvious” (Gillespie, Wired Shut, 2007. 134). Almost none of the congestion debates about wireless broadband have recognized signalling capacity or smart device adherence to signalling standards as key to the issue at hand. Instead we’ve seen a sloppy (and, in the case of carriers, likely intentional) conjoinment of signalling and data congestion, and this kind of thinking and discourse must stop. If wireless is truly different, then let’s get serious about it being different; let’s look at the technical differences, how congestion can happen at different points in the wireless network than in wireline networks, and what kinds of congestion are causing degraded customer experiences.

In effect: before we start talking about congestion and prioritization, let’s actually figure out what is causing the congestion, who’s responsible, and then get into a bigger discussion of what are responsible solutions to degraded mobile experiences. Doing anything else obscures the broader framework that congestion discussions take place within and severely limits critical engagements with the issue of mobile congestion.

Other posts you might be interested in:

1. Deep Packet Inspection and Mobile Discrimination
2. Some Data on the Skype iPhone Application
3. Traffic Management on Mobile Gets Regulated