<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Technology, Thoughts, and Trinkets &#187; Technology</title>
	<atom:link href="http://www.christopher-parsons.com/blog/category/technology/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.christopher-parsons.com/blog</link>
	<description>Touring the digital through type</description>
	<lastBuildDate>Wed, 25 Jan 2012 02:25:21 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Publication: (Un)Lawful Access, Its Potentials, and its Lack of Necessity</title>
		<link>http://www.christopher-parsons.com/blog/privacy/publication-unlawful-access-its-potentials-and-its-lack-of-necessity/</link>
		<comments>http://www.christopher-parsons.com/blog/privacy/publication-unlawful-access-its-potentials-and-its-lack-of-necessity/#comments</comments>
		<pubDate>Sun, 15 Jan 2012 01:43:58 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[capapa]]></category>
		<category><![CDATA[lawful access]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[publication]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=3021</guid>
		<description><![CDATA[Last year I was approached by the founder and editor in chief of The Winston Report to update and publish one of my postings on Canada's forthcoming lawful access legislation. A preprint version of my contribution, which retained a creative-commons license as part of my agreement with the editor in chief, is made available to you under the normal Creative Commons Attribution, Noncommercial 2.5 Canada license.  <a href="http://www.christopher-parsons.com/blog/privacy/publication-unlawful-access-its-potentials-and-its-lack-of-necessity/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_3022" class="wp-caption alignleft" style="width: 237px"><a href="http://www.christopher-parsons.com/blog/wp-content/uploads/2012/01/2011-TWR-Winter.pdf-page-1-of-16.png"><img class="size-medium wp-image-3022" title="2011-TWR-Winter-Cover" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2012/01/2011-TWR-Winter.pdf-page-1-of-16-227x300.png" alt="" width="227" height="300" /></a><p class="wp-caption-text">Cover of the 2011 Winston Report (Winter)</p></div>
<p>Last year I was approached by the founder and editor in chief of The Winston Report to update and publish one of my postings on Canada&#8217;s forthcoming lawful access legislation. The Report is the quarterly journal of the <a title="External link to CAPAPA homepage" href="http://www.capapa.org/">Canadian Association of Professional Access and Privacy Administrators</a> (CAPAPA). The updated piece that I contributed is more compact than what I <a title="Internal link to earlier version of the piece" href="http://www.christopher-parsons.com/blog/technology/lawful-access-its-potentials-and-its-lack-of-necessity/">originally wrote on this site</a>, though I think that this makes it a stronger, more direct piece. I want to publicly thank Sharon Polsky for the opportunity that she provided to me, and for being so kind as to position my piece as the lead featured article in the Winter edition of the journal. I also want to thank my tireless editor, Joyce Parsons, for her incredible work strengthening my prose. A preprint version of my contribution, which retained a creative-commons license as part of my agreement with the editor in chief, is made available to you below under the normal Creative Commons Attribution, Noncommercial 2.5 Canada license.</p>
<p>Download pre-print .pdf version of <a title="Internal link to download .pdf version of article" href="http://www.christopher-parsons.com/blog/wp-content/uploads/2012/01/UnLawful-Access-CAPAPA-Preprint.pdf">(Un)Lawful Access:  Its Potentials, and its Lack of Necessity</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/privacy/publication-unlawful-access-its-potentials-and-its-lack-of-necessity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>(Un)Lawful Access: Vancouver Premiere &amp; Panel Discussion</title>
		<link>http://www.christopher-parsons.com/blog/privacy/unlawful-access-vancouver-premiere-panel-discussion/</link>
		<comments>http://www.christopher-parsons.com/blog/privacy/unlawful-access-vancouver-premiere-panel-discussion/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 00:09:37 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[denham]]></category>
		<category><![CDATA[lawful access]]></category>
		<category><![CDATA[open media]]></category>
		<category><![CDATA[presentation]]></category>
		<category><![CDATA[privacy commissioner]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=3010</guid>
		<description><![CDATA[The Conservative government is trying to push through a set of electronic surveillance laws that will invade your privacy and cost you money. The plan is to force every phone and Internet provider to allow "authorities" to collect the private information of any Canadian, at any time, without a warrant.

Find out more THIS THURSDAY at 6:30 PM. <a href="http://www.christopher-parsons.com/blog/privacy/unlawful-access-vancouver-premiere-panel-discussion/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_3011" class="wp-caption alignleft" style="width: 310px"><a href="http://www.unlawfulaccess.net/"><img class="size-full wp-image-3011" title="eyenetwork_0" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2012/01/eyenetwork_0.jpeg" alt="" width="300" height="112" /></a><p class="wp-caption-text">Image courtesy of UnlawfulAccess.Net</p></div>
<p>I&#8217;ll be presenting at a panel discussion on Canada&#8217;s forthcoming lawful access legislation this Thursday, January 12. It looks to be a terrific panel, and includes British Columbia&#8217;s Information and Privacy Commissioner, Elizabeth Denham, the BCCLA&#8217;s policy director, Micheal Vonn, the producer of the documentary <em>(Un)Lawful Access</em>, Dr. Kate Milberry, and myself. Andrew Clement, professor at the University of Toronto and co-producer of <em>(Un)Lawful Access</em>, will be moderating. In addition to a panel discussion, Drs. Milberry and Clement will be showing their documentary, <em>(Un)Lawful Access</em>, and the BCCLA will be revealing their report on lawful access. I&#8217;ve contributed research to the report, with my focus being on how lawful access powers are taken up and used by governments and authorities in the US and UK.</p>
<p>It should be a terrific event. If you&#8217;re in the area I highly recommend attending. Information is available at the event&#8217;s <a title="Link to Facebook event page" href="http://www.facebook.com/events/308246859208066/">Facebook page</a> and below:<span id="more-3010"></span></p>
<h2>Event Details</h2>
<p>Do you think the Internet is a powerful tool for change?</p>
<p>The Conservative government is trying to push through a set of electronic surveillance laws that will invade your privacy and cost you money. The plan is to force every phone and Internet provider to allow &#8220;authorities&#8221; to collect the private information of any Canadian, at any time, without a warrant.</p>
<p>Find out more THIS THURSDAY at 6:30 PM.</p>
<h3>SCREENING:</h3>
<p>The Vancouver premiere of (Un)Lawful Access, a mini-documentary about the Conservative government&#8217;s proposed online spying legislation, and what Canadian experts have to say about it.</p>
<h3>PANEL DISCUSSION:</h3>
<ul>
<li>Elizabeth Denham, BC Privacy Commissioner</li>
<li>Micheal Vonn, Policy Director of the BCCLA</li>
<li>Christopher Parsons, University of Victoria</li>
<li>Dr. Kate Milberry, producer of (Un)Lawful Access</li>
<li>Andrew Clement, producer of (Un)Lawful Access (moderator)</li>
</ul>
<p>Panelists will discuss the serious implications of Lawful Access and what we can do about it.</p>
<h3>REPORT LAUNCH:</h3>
<p>This event is also the launch of the BC Civil Liberties Association&#8217;s much-anticipated report &#8211; Moving Toward a Surveillance Society: Proposals to Expand “Lawful Access” &#8211; the most comprehensive to date. Co-authors Micheal Vonn and Christopher Parsons will be present to answer your questions.</p>
<p><strong>Location</strong>: W2 Media Cafe, 111 West Hastings St.<br />
<strong>DOORS</strong>: 6:30 PM<br />
<strong>CASH BAR/REFRESHMENTS</strong><br />
<strong>ADMISSION</strong>: By donation (suggested $5-10)*</p>
<p>Send a message to the government at: <a href="http://stopspying.ca/" rel="nofollow nofollow" target="_blank">http://stopspying.ca/</a></p>
<p>Hosted by OpenMedia.ca and W2 (<a href="http://creativetechnology.org/" rel="nofollow nofollow" target="_blank">http://creativetechnology.org/</a>)</p>
<p>*OpenMedia.ca Allies enter free! See <a href="http://openmedia.ca/allies" rel="nofollow nofollow" target="_blank">http://openmedia.ca/allies</a> for more info on the Allies program.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/privacy/unlawful-access-vancouver-premiere-panel-discussion/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Transparent Practices Don’t Stop Prejudicial Surveillance</title>
		<link>http://www.christopher-parsons.com/blog/technology/transparent-practices-dont-stop-prejudicial-surveillance/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/transparent-practices-dont-stop-prejudicial-surveillance/#comments</comments>
		<pubDate>Mon, 09 Jan 2012 21:44:18 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[DPI]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[CRTC]]></category>
		<category><![CDATA[deep packet inspection]]></category>
		<category><![CDATA[privacy commissioner]]></category>
		<category><![CDATA[Rogers]]></category>
		<category><![CDATA[transparency]]></category>
		<category><![CDATA[workshop]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2992</guid>
		<description><![CDATA[Drawing from lessons around privacy codes and those around Canadian ISPs’ surveillance practices, I argue that transparency constitutes a necessary but insufficient measure to mitigate prejudicial surveillance practices and technologies. We must go further and inject public values into development cycles while also intentionally hobbling surveillance technologies to rein in their most harmful potentialities. <a href="http://www.christopher-parsons.com/blog/technology/transparent-practices-dont-stop-prejudicial-surveillance/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.christopher-parsons.com/blog/wp-content/uploads/2012/01/iconference2012_banner.gif"><img class="wp-image-2995 aligncenter" title="iconference2012_banner" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2012/01/iconference2012_banner.gif" alt="" width="614" height="127" /></a></p>
<p>In February I&#8217;m attending <a title="External link to conference homepage" href="http://www.ischools.org/iConference12/2012index/">iConference 2012</a>, and helping to <a title="External link to workshop" href="http://www.ischools.org/iConference12/workshops/#workshop4">organize a workshop</a> titled &#8220;Networked Surveillance: Access Control, Transparency, Power, and Circumvention in the 21<sup>st</sup> Century.&#8221; The workshop&#8217;s participants will consider whether networked surveillance challenges notions of privacy and neutrality, exploits openness of data protocols, or requires critical investigations into how these surveillance technologies are developed and regulated. Participants will be arriving from around the world, and speaking to one (or more) of the workshop&#8217;s four thematics: Access Control, Transparency, Power, and Circumvention. As part of the workshop, all participants must prepare a short position statement that identifies their interest in network surveillance while establishing grounds to launch a conversation. My contribution, titled &#8220;Transparent Practices Don&#8217;t Stop Prejudicial Surveillance,&#8221; follows.</p>
<h2>Transparent Practices Don&#8217;t Stop Prejudicial Surveillance</h2>
<p>Controversies around computer processing and data analysis technologies led to the development of Fair Information Practice Principles (FIPs), principles that compose the bedrocks of today’s privacy codes and laws. Drawing from lessons around privacy codes and those around Canadian ISPs’ surveillance practices, I argue that transparency constitutes a necessary but insufficient measure to mitigate prejudicial surveillance practices and technologies. We must go further and inject public values into development cycles while also intentionally hobbling surveillance technologies to rein in their most harmful potentialities.<span id="more-2992"></span></p>
<h3>Lesson Drawing from Privacy Principles and Codes</h3>
<p>FIPs are used to make organizations accountable for how and why information is collected, for how information is processed, and for the accuracy of retained information. It is contestable that FIPs, however integrated into policy and law, are effective in <em>preventing</em> surveillance technologies and practices so much as they <em>legitimize</em> them. As noted by Rule, codes based on FIPs “help surveillance systems to achieve their intended ends more fairly and openly” but do not “help us decide when institutional appetites for personal information simply <em>go too far</em>.”[1] Privacy and data protection rules and laws may make data collection and processing activities more transparent while simultaneously failing to “significantly reduce or mitigate the amount of potentially damaging social sorting that occurs.”[2] Moreover, codes and principles are commonly bound within legal privacy protections that “tend to be more circumscribed than the subjective experience of violation associated with new forms of surveillance.”[3] The law simply doesn’t keep up with, or adequately address, the surveillance-related harms and injustices that people experience on a regular basis.</p>
<p>While codes based on FIPs might limit data collection and empower end-users when users know they are exchanging data with specific data collectors, such codes “work less well in systems in which devices blab information indiscriminately so that there’s no way to identify a class of information collectors who can be made subject to the rules.”[4] The Internet, and the devices that silently communicate with data collectors via the Internet, constitute a space where FIPs minimally limit the spread of surveillance technologies and practices. Even if organizations are held accountable for the data they analyze and process, end-users’ abilities to ascertain who and what is collecting and processing information are limited. Formalized privacy rules, in other words, can influence the fairness of surveillance but are less likely to stop the surveillance practices themselves.</p>
<div>
<h3>Canadian ‘Consequences’ of Rendering Surveillance Transparent</h3>
<p>FIPs’ effectiveness in stopping the spread of novel surveillance processes and practices, and limiting their harms, is mirrored by efforts in Canada to mediate ISPs’ surveillance technologies and practices. Numerous Canadian ISPs use deep packet inspection (DPI) systems to inspect and analyze Canadians’ encrypted and unencrypted data transmissions. Such systems evaluate data transmission protocols (e.g. SMTP, HTTP/HTTPS) and, depending on how the systems are configured, can conduct content and flow analyses, as well as modify and interrupt packet flows in real-time.[5] In light of significant opposition to DPI, the Canadian Radio-television and Telecommunications Commission (CRTC) and Office of the Privacy Commissioner of Canada (OPC) investigated DPI-related practices. Both bodies established provisions to limit how ISPs could employ the technology. Despite both organizations requiring ISPs to publicly declare how they use DPI, ISPs have regularly acted beyond their publicly stated practices. These companies have not been transparent with consumers nor with regulators, nor have breaches of government provisions led to serious punishments.[6] In effect, consumer and governmental awareness of the technology has had limited effects on preventing harmful uses.[7] Rather than stopping prejudicial actions that limit online speech and association, the CRTC and OPC legitimized some practices while seemingly having had limited effect on ISPs’ extensions of practices beyond regulator- and commissioner-established limits. Transparency helps to understand (some of) what is happening in Canada’s telecommunications networks but has not <em>stopped</em> bad practices, <em>prevented</em> fungible surveillance technologies from being widely deployed, nor led to <em>consequences</em> for secretive extensions of DPI-related practices.</p>
<h3>Hobbling Fungible Surveillance Technologies and Stopping Unjust Practices</h3>
<p>There isn’t a positive link between knowledge and power, especially when speaking of political or social power. Knowledge constitutes one of many elements that frame power relations.[8] That said, by empowering those with knowledge to influence technical developments at product <em>development</em> rather than <em>implementation</em> phases we might rein in particularly expansive network surveillance tools and jettison such systems’ prejudicial capabilities. Such empowerment might include having public policy advocates who are versed in human and civil rights involved during the earliest phases of technical design processes. They could inject public concerns and values into development processes and excise coding mechanisms that challenge basic democratic values. Moreover, we could require <em>inefficiencies</em> in technical surveillance devices to minimize their capabilities to threaten basic social values: rather than simply guarding against particular practices in policy, we could mandate that surveillance products include limitations that are technically challenging to overcome. The ultimate aim of such limitations is to restrain surveillance technologies’ fungibility and thus increase the friction of expanding their uses. Such intentional injections of friction, combined with public advocates being involved in development processes, could hobble the growth of surveillance practices. Putting emphases on limiting surveillance capabilities at development stages, and thus limiting such technologies’ capabilities, would be a positive step beyond current data protection regimes, which tend to influence the fairness of surveillance technologies and practices rather than stopping them altogether.</p>
<h3>References</h3>
<div>
<div>
<div>
<div>
<p>[1] J. B. Rule. (2007). <em>Privacy in Peril</em>. Toronto: Oxford University Press. Pp. 27.</p>
</div>
<div>
<p>[2] D. Lyon. (2007). <em>Surveillance Studies: An Overview</em>. Cambridge, UK: Polity Press. Pp. 173.</p>
</div>
<div>
<p>[3] K. D. Haggerty and R. V. Ericson. (2007). “The New Politics of Surveillance and Visibility,” in Kevin D. Haggerty and Richard V. Ericson (Eds). <em>The New Politics of Surveillance and Visibility</em>. Toronto: The University of Toronto Press. Pp. 9.</p>
</div>
<div>
<p>[4] J. Weinberg. (2008). &#8220;RFID and Privacy,&#8221; in A. Chander, L. Gelman, M. J. Radin (Eds.) <em>Securing Privacy in the Internet Age</em>. Stanford: Stanford Law Books. Pp. 263-264.</p>
</div>
</div>
<p>[5] C. Parsons. (2011). “Deep Packet Inspection” <em>Big Brother Incorporated</em> research site. Published November 30, 2011. Available: &lt;<a href="https://www.privacyinternational.org/article/bbi-deep-packet-inspection">https://www.privacyinternational.org/article/bbi-deep-packet-inspection</a>&gt;</p>
</div>
<div>
<p>[6] M. Geist. (2011). “Canada’s Net Neutrality Enforcement Failures,” <em>Michael Geist</em>. Published July 8, 2011. Available: &lt;<a href="http://www.michaelgeist.ca/content/view/5918/159/">http://www.michaelgeist.ca/content/view/5918/159/</a>&gt;</p>
</div>
<div>
<p>[7] While there have been some successes – Rogers Communications Ltd. may face some fines for their behaviors – it should be noted that it has taken <em>over a year</em> to raise an issue to the CRTC, and the process for investigating and disciplining the company has yet to conclude. See: N. Kyonka. (2011). “Whitelisting, an ISP solution to throttling, may conflict with net neutrality rules,” <em>The Wire Report</em>. Published Sept 27, 2011. Available: &lt;<a href="http://www.thewirereport.ca/reports/content/13004-whitelisting_an_isp_solution_to_throttling_may_conflict_with_net_neutrality_rules">http://www.thewirereport.ca/reports/content/13004-whitelisting_an_isp_solution_to_throttling_may_conflict_with_net_neutrality_rules</a>&gt;</p>
</div>
</div>
<div>
<p>[8] L. Winner. (1986). <em>The Whale and the Reactor</em>. Chicago: University of Chicago Press. Pp. 109-110.</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/transparent-practices-dont-stop-prejudicial-surveillance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Respecting User Privacy in WordPress</title>
		<link>http://www.christopher-parsons.com/blog/technology/respecting-user-privacy-in-wordpress/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/respecting-user-privacy-in-wordpress/#comments</comments>
		<pubDate>Fri, 23 Dec 2011 20:06:15 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Blogging]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[automattic]]></category>
		<category><![CDATA[cookies]]></category>
		<category><![CDATA[quantcast]]></category>
		<category><![CDATA[wordpress]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2970</guid>
		<description><![CDATA[In this post, I'm going to do a few things: first, I'm going to quickly recount why Automattic is not respecting user privacy by including Quantcast in its Stats plugin. Next, I'll argue that reasonable users are unlikely to realize that third-party tracking is appended to the Stats plugin. Finally, I'll discuss how you can protect your web visitors' own privacy and security by installing a terrific plugin developed by Frank Goossens. <a href="http://www.christopher-parsons.com/blog/technology/respecting-user-privacy-in-wordpress/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2971" class="wp-caption alignleft" style="width: 310px"><a href="http://www.flickr.com/photos/ssoosay/5762345557/"><img class="size-medium wp-image-2971" title="5762345557_159d47408e_b" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/12/5762345557_159d47408e_b-300x194.jpg" alt="" width="300" height="194" /></a><p class="wp-caption-text">Image by Surian Soosay</p></div>
<p>Automattic has a poor record of respecting its users&#8217; privacy, insofar as the company has gradually added additional surveillance mechanisms into their products without effectively notifying users. Several months ago when I updated the WordPress Stats plugin I discovered that Automattic had, without warning, integrated Quantcast tracking into their Stats plugin. Specifically, there was no notice in the update, no clear statement that data would be sent to Quantcast, nor any justification for the additional tracking other than in a web forum where their CEO stated it would <a title="External link to Mullenweg's statement" href="http://wordpress.org/support/topic/plugin-wordpresscom-stats-quantserve-code-in-stats-javascript#post-1798173">let Automattic</a> &#8220;provide some cool features around uniques and people counting.&#8221; This constituted a reprehensible decision, but one that can fortunately be mediated with a great third-party plugin.</p>
<p>In this post, I&#8217;m going to do a few things. First, I&#8217;m going to recount why Automattic is <em>not</em> respecting user privacy by including Quantcast in its Stats plugin. This will include a discussion about why reasonable users are unlikely to realize that third-party tracking is appended to the Stats plugin. I&#8217;ll conclude by discussing how <em>you</em> can protect your web visitors&#8217; own privacy and security by <a title="External link to WP DoNotTrack plugin" href="http://wordpress.org/extend/plugins/wp-donottrack/faq/">installing a terrific plugin</a> developed by <a title="External link to Frank Goossens' website" href="http://blog.futtta.be/">Frank Goossens</a>.<span id="more-2970"></span></p>
<h2>WordPress and Quantcast</h2>
<p>In early 2011, after a major redesign of my website, I activated the <a title="External link to ghostery's website" href="http://www.ghostery.com/">Ghostery</a> plugin in my web browser and navigated to my site. <a title="external link to ghostery's about page" href="http://www.ghostery.com/about">The tool</a> &#8220;tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity.&#8221; Visually, the plugin causes a small notification box to appear in the upper right hand corner of websites that you browse to. Contained in this box is a list of the parties that are monitoring your movements across that particular website. When navigating to my own site I had expected to see WordPress Stats and perhaps some social sharing services listed. I did not expect to see Quantcast.</p>
<p>Quantcast&#8217;s cookies <a title="External link to Quantcast overview" href="http://www.quantcast.com/about/overview">are used to</a> monitor individuals who visit websites, and the company uses the information they collect to provide &#8220;audience composition reports.&#8221; Such reports are meant to help target online advertising and content development, but are predicated on the notion that the website owner is responsible for integrating the tracking system for the same owner&#8217;s benefit. Prior iterations of WordPress Stats <em>did not</em> include Quantcast tracking, and there was no notification or warning that updating the Stats plugin meant you were also forced to accept third-party tracking. Since the initial inclusion of Quantcast, the plugin&#8217;s description in the WordPress repository has been amended to include <a title="External link to Stats plugin page" href="http://wordpress.org/extend/plugins/stats/">a small notice</a> that reads &#8220;[a]s we are considering adding great new features, this plugin also puts a Quantcast tracking script on your page.&#8221;</p>
<p>While Automattic&#8217;s disclaimer may count as &#8216;notice&#8217;, it does <em>not </em>clarify what the additional tracking is <em>actually</em> meant for. Descriptions and notices around privacy policies and statements must be clear to be meaningful, and Automattic has had over a year to ascertain what &#8220;great new features&#8221; warrant transmitting website visitors&#8217; information to Quantcast. To date, as far as I can tell, the company has <em>not</em> disclosed to its user base what <em>precisely</em> warrants sending information to Quantcast.</p>
<p>While there is a warning about Quantcast if you download the plugin from the repository, the <a title="External link to Support document on Stats plugin" href="http://en.support.wordpress.com/stats/">support document</a> for WordPress Stats that was updated December 21, 2011 &#8211; over a year after public complaints over Automattic&#8217;s failure to notify plugin users about the inclusion of Quantcast &#8211; <em>still</em> lacks any mention that a condition of using Stats is sending your site visitors&#8217; information to a third-party. Perhaps most significantly, Automattic has recently introduced its Jetpack service. Jetpack is a bridge between self-hosted WordPress installs and Automattic&#8217;s cloud offerings, offerings that include WordPress Stats. To use WordPress Stats today you must use Jetpack. Unfortunately, Automattic has failed to notify Jetpack users of the third-party tracking accompanying the Stats plugin, as demonstrated in the <em>lack</em> of information about Quantcast in the following screenshot.</p>
<div id="attachment_2973" class="wp-caption aligncenter" style="width: 620px"><a href="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/12/Jetpack-‹-Technology-Thoughts-and-Trinkets-—-WordPress.png"><img class="wp-image-2973 " title="Jetpack ‹ Technology, Thoughts, and Trinkets — WordPress" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/12/Jetpack-‹-Technology-Thoughts-and-Trinkets-—-WordPress.png" alt="" width="610" height="308" /></a><p class="wp-caption-text">No mention of Quantcast tracking</p></div>
<p>It is utterly unreasonable to expect that users of the Stats plugin will hunt for a single sentence of text that discloses the inclusion of third-party surveillance with the Stats plugin. Moreover, if an enterprising user clicks on Automattic&#8217;s privacy policy linked at the bottom of the Jetpack screen they are unlikely to divine that Quantcast is associated with Automattic or the Stats plugin.</p>
<h2>Automattic&#8217;s Privacy Policy #Fail</h2>
<p>Let&#8217;s briefly look into Automattic&#8217;s privacy policy to determine whether a reasonable individual could ascertain Quantcast&#8217;s involvement with self-hosted versions of the Stats plugin. First, we see that Automattic</p>
<blockquote><p>discloses potentially personally-identifying and personally-identifying information only to those of its employees, contractors and affiliated organizations that (i) need to know that information in order to process it on Automattic’s behalf or to provide services available at Automattic’s websites, and (ii) that have agreed not to disclose it to others.</p></blockquote>
<p>Why, exactly, is Quantcast receiving any of my visitors&#8217; personal information? We might assume that this happens so information can be processed &#8220;on Automattic&#8217;s behalf or to provide services available at Automattic&#8217;s websites.&#8221; Unfortunately, Automattic <em>has not </em>publicly clarified why they need this information processed. Instead, we are left with vague statements of providing &#8220;great new features.&#8221; From the privacy policy, we see that potentially personally-identifying and definitively personally-identifying information is also disclosed &#8220;in response to a subpoena, court order or other governmental request, or when Automattic believes in good faith that disclosure is reasonably necessary to protect the property or rights of Automattic, third parties or the public at large.&#8221; No subpoena, court order, or other government request is presumably requiring the link between WordPress Stats and Quantcast, nor do the tracking systems clearly &#8220;protect the property or rights of Automattic, third parties or the public at large.&#8221;</p>
<p>In the &#8216;Cookies&#8217; section of the privacy policy, we find that &#8220;Automattic uses cookies to help Automattic identify and track visitors, their usage of Automattic website, and their website access preferences.&#8221; A reasonable person might believe that self-hosted installations of WordPress were <em>not</em> considered part of the Automattic website itself. Such a person might be quite wrong, however, based on Matt Mullenweg&#8217;s (Automattic&#8217;s CEO) <a title="External link to Mullenweg's comment" href="http://toni.org/2011/01/28/automattic-now-reaches-half-a-billion-people/">comment about Automattic&#8217;s network, where he stated that </a>&#8220;the bump you see in November is when we started tracking Polldaddy, ID, Gravatar, and WordPress.com Stats users in addition to WordPress.com visitors.&#8221; His comment suggests that Automattic considers self-hosted blogs as being part of the company&#8217;s network, though I doubt that this view is shared amongst self-hosted users. I should add that I have <em>never</em> received notice from Automattic informing me that this site is part of their network. No reasonable person is likely to come to this conclusion unless they&#8217;ve been watching the Automattic/Quantcast issue like a hawk.</p>
<p>Arguably the only section of the privacy policy that is <em>suggestive</em> of third-party tracking taking place is in the &#8216;Ads&#8217; section. It reads:</p>
<blockquote><p>Ads appearing on any of our websites may be delivered to users by advertising partners, who may set cookies. These cookies allow the ad server to recognize your computer each time they send you an online advertisement to compile information about you or others who use your computer. This information allows ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you.</p></blockquote>
<p>From reading this, it initially seems to be addressing advertisements that appear on Automattic&#8217;s own web properties. It is utterly unclear that the ads that are shown online are going to be tied to Quantcast cookies linked to the Stats plugin.</p>
<p>Overall, the Automattic privacy policy is absolutely insufficient in notifying users of third-party surveillance. <em><strong>Those who install the stats program &#8211; website owners and developers &#8211; cannot be reasonably expected to know of Quantcast&#8217;s inclusion</strong></em><strong>.</strong> This is important because if those same users have privacy policies on their websites &#8211; perhaps assuring visitors that only WordPress Stats is used to collect information and no other tracking party or system is used &#8211; then those users may be violating local laws by establishing a false contractual privacy agreement between themselves and their website visitors.</p>
<h2>WP DoNotTrack to the Rescue</h2>
<p>Frank Goossens has stepped up to fix the problems that Automattic is responsible for. Last December he released his donottrack plugin <a title="External link to initial post re: Quantcast tracking" href="http://blog.futtta.be/2010/12/15/wordpress-com-stats-trojan-horse-for-quantcast-tracking/">in response to Automattic&#8217;s</a> unwillingness to either remove or make optional Quantcast tracking. Months after he released his plugin <a title="External link to disclosure of Automattic change" href="http://blog.futtta.be/2011/11/07/wp-privacy-quantcast-sneaks-back-in/">Automattic modified their Quantcast code</a>, mandating a new release of his plugin. In response Frank has released an updated version of his plugin, now titled WP DoNotTrack, and <a title="external link to wp donottrack" href="http://wordpress.org/extend/plugins/wp-donottrack/">made it available in the WordPress.org repository</a>.</p>
<p>Frank outlines several reasons for installing the plugin:</p>
<ul>
<li>make your WordPress blog/ site honour visitors who request not to be tracked, even if the 3rd parties you include do not (conditional privacy)</li>
<li>stop any tracking by 3rd parties (absolute privacy)</li>
<li>protect your blog from rogue plugins that dynamically add malicious external javascript to your wp-admin pages (security)</li>
<li>limit the number of external servers that are called from your blog (performance)</li>
</ul>
<p>There are <a title="External link to configuration instructions" href="http://blog.futtta.be/2011/12/21/configure-wp-donottrack-to-block-what-you-want/">full configuration instructions</a> on his website and information <a title="FAQ of WP DoNotTrack" href="http://wordpress.org/extend/plugins/wp-donottrack/faq/">in the FAQ</a> that can help you determine what options you want to flag. If you decide to just use the default settings you&#8217;ll successfully block Quantcast tracking. <strong>I cannot recommend this plugin highly enough</strong>. Not only will it improve the privacy, security, and performance of your website, but it will <em>also</em> ensure that you&#8217;re not making false privacy claims to your website visitors.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/respecting-user-privacy-in-wordpress/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>The Anatomy of Lawful Access Phone Records</title>
		<link>http://www.christopher-parsons.com/blog/technology/the-anatomy-of-lawful-access-phone-records/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/the-anatomy-of-lawful-access-phone-records/#comments</comments>
		<pubDate>Tue, 22 Nov 2011 02:57:21 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[Mobiles]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[lawful access]]></category>
		<category><![CDATA[legislation]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2904</guid>
		<description><![CDATA[The aim of this post is to make clear just how much information is contained in a single lawful access "phone record", demonstrating that the government is seeking information that grossly exceeds what is contained in the white or yellow pages today. As a result, I first provide an example phone record that resembles those in every phonebook in Canada and then offer an example of a lawful access record. <a href="http://www.christopher-parsons.com/blog/technology/the-anatomy-of-lawful-access-phone-records/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2888" class="wp-caption alignleft" style="width: 310px"><a href="http://www.flickr.com/photos/mjecker/247922018/"><img class="size-medium wp-image-2888" title="ACL 2006 - Phonebook  " src="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/11/247922018_e1228b4086_o-300x225.jpg" alt="" width="300" height="225" /></a><p class="wp-caption-text">Photo by mjecker</p></div>
<p>Canadian advocates, government officials, and scholars are all concerned about the forthcoming lawful access legislation. A key shared concern is that authorities could, under the legislation, access telecommunications subscription records without court oversight. Moreover, as a condition of accessing these records businesses might be served with gag orders. Such orders would prevent Canadians from ever knowing (outside of court!) that the government had collected large swathes of information about them. In response to concerns aired in public, the <a title="External link to National Post piece with Toews' statement to Ann Cavoukian" href="http://fullcomment.nationalpost.com/2011/11/02/todays-letters-canada-needs-medical-cannabis-dispensaries/">Public Safety Minister has insisted</a> that the legislation would merely let police access &#8220;phone book&#8221; information from telecommunications providers.</p>
<p>I maintain that such assertions obfuscate the sheer amount of information contained in the records that authorities would collect. The aim of this post is to make clear just how much information is contained in a single lawful access &#8220;phone record&#8221;, demonstrating that the government is seeking information that grossly exceeds what is contained in the white or yellow pages today. As a result, I first provide an example phone record that resembles those in every phonebook in Canada and then offer an example of a lawful access record. Remember that such requests may be filed to multiple service providers (e.g. Internet service provider, web forum hosts, blogs, mobile phone companies, etc.) and thus a swathe of records can be combined to generate a comprehensive picture of any particular individual. By the conclusion of the post it should be evident that information provided under lawful access powers is more expansive than the phone records government ministers allude to, and those ministers&#8217; technical obfuscations should be laid bare.</p>
<p><span id="more-2904"></span></p>
<h2>Phonebook Records, Today</h2>
<p>In his response to the Information and Privacy Commissioner of Ontario, Vic Toews (Public Safety Minister) insisted that police would simply have access to &#8220;phone book&#8221; information under the forthcoming lawful access legislation. He <a title="External link to national post page with Toews' statement" href="http://fullcomment.nationalpost.com/2011/11/02/todays-letters-canada-needs-medical-cannabis-dispensaries/">asserted that</a>, &#8220;Our proposed approach of linking an internet address to subscriber information is on par with the phone book linking phone numbers to an address.&#8221; While <a title="External link to Cavoukian's rebuttal to Toews in National Post" href="http://www.nationalpost.com/related/topics/Privacy/5655224/story.html">government officials insist Toews&#8217; response</a> obfuscates just how much more expansive lawful access records are than traditional phone records, it is arguably challenging for the lay public to grasp the amount of information contained in the proposed subscriber record fields. So, let&#8217;s consider the differences between a phone book record accessible in your home, today, using a phone book and &#8220;phone book&#8221; data the federal government wants to make available to authorities without a warrant. The following resembles a phone record reminiscent of one in a phone book today:</p>
<pre>John Smith, 456 Westminister Ave . . . . . . (636)-421-6124</pre>
<p>This record contains the listed name of an individual, the address associated with the phone number,  and the area and local code for the telephone service. Not all individuals provide full details in the phone books that are distributed each year. Some individuals have their addresses removed or substitute their full names with their initials. Such modifications are often the result of people feeling uncomfortable with fully disclosing their address, phone number, and name in one publicly accessible location. Using this information you can (potentially) learn where the individual associated with a phone number lives, but you do not necessarily discover the names of particular individuals living in the home, number of people in the home, and so forth. Thus, where multiple people share a single phone and address the subscriber record may be somewhat nebulous; while it should identify an individual at the address it is questionable whether that <em>particular </em>individual interests the authorities.</p>
<h2>Phonebook Records, Tomorrow</h2>
<p>The &#8216;phone records&#8217; that Minister Toews is talking about are quite a bit larger, and far more descriptive, than those found in the local yellow or white pages. As I&#8217;ve depicted them, one line grows to six, and three data items explode to eleven descriptively rich fields. The expanded list will be available as phone records to authorities but not to individuals. This stands as a clear distinction between a phone record that individuals think of in phonebooks and the record that authorities will have access to under lawful access legislation. An updated record might appear as follows:</p>
<pre>John Smith, 456 Westminister Ave . . . . . . (636)-421-6124
jsmith@example.com . . . . . . . . . . . . I.P., 10.0.0.100
MIN, 250-5211-0091 . . .  . . . . . . SPID, 636-421-6124-00
ESN . . . . . . . . 1000 0010 0001 1010 0000 0101 0110 1111
IMEI, 35-209900-176148-23 . . . . . IMSI, 310-150-564857956
SIM . . . . . .. . . . . . . . . . . 894411 0112 12333344 4</pre>
<p>Most of what is contained in these eleven fields will be foreign to the average user. In light of this, let&#8217;s turn to unpack the new record in a line-by-line format.</p>
<p>The <strong>first line</strong> is identical to your typical phone book record. Note that the phone number here would be a permanent number, such as the number to call if the mobile number identified in line three is inoperable. Obviously there may be instances where there isn&#8217;t a distinction between the phone numbers in those lines if the mobile subscriber either lacks a landline or alternate mobile phone. Further, where the telecommunications service provider, such as a web forum, only has a single phone number then a mobile number might be situated on this line.</p>
<p><strong>Line two</strong> offers the email address and Internet Protocol address of the subscriber in question. Email addresses will be tied to particular accounts; you may have one email address for a web forum, another for purchases online, and yet another for personal correspondence from your Internet service provider. While a singular email address is given here, this is representative of a <em>single</em> subscriber record from a <em>single</em> telecommunications service provider. It is likely that different emails (and, thus, different &#8216;phone records&#8217;) are kept by each of the service providers you engage with on a daily basis. The Internet Protocol address is assigned to you by your Internet service provider and is an essential element to accessing the Internet itself. IP addresses identify where data originates from and should be sent towards. Your IP address is likely either dynamic (changes with some degree of frequency) or static (permanently assigned to your modem). Regardless, using an IP address authorities could identify your Internet service provider and, from there, demand that the Internet provider disclose which subscriber was assigned the IP address at some particular time. Given that many IP addresses are dynamic it is possible that different telecommunications service providers will have different addresses attached to your record instead of the singular address offered in the example line two.</p>
<p>The <strong>third line</strong> contains the Mobile Identification Number (MIN) and Service Provider Identifier (SPID). This line is needed for subscriber records associated with mobile phone/device usage. The MIN uniquely identifies a mobile device on a mobile provider&#8217;s wireless network and can be used to dial to and from the device. While the record that I provide is accessible to the human eye, MINs are typically kept in a <a title="External link to description on MIN" href="http://www.tech-faq.com/min-mobile-identification-number.html">database in two components</a>. The area code is often stored in a 10 bit MIN2 section and the local portion in a 24 bit MIN1 section. (See <a title="External link to expanded discussion of MIN division" href="http://bak.spc.org/dms/archive/pairinfo.html">UK ESN/MIN Grabbing</a> for more information on how these two sections are divided.) Unlike other serials and codes, which are engrained into the hardware of a device, a MIN is stored in a mobile provider&#8217;s database and can be changed. A SPID is a unique number assigned to service providers so that telecommunications switch owners and service providers can enter financial relationships for the purposes of carrying traffic. The number identifies the company that &#8216;owns&#8217; the account associated with the traffic. Thus, even when calling using a Rogers mobile phone on the AT&amp;T network, the SPID will help to ascertain that Rogers (and, ultimately, the account owner) is responsible for paying for using the AT&amp;T network.</p>
<p>The <span style="color: #000000;"><strong>fourth line</strong> holds the Electronic Serial Number (ESN), a number that is encoded into each mobile device as a 32-bit binary number. It is <a title="External link to piece on ESN" href="http://www.ehow.com/about_5073163_cell-phone-esn-number_.html">embedded into the device by the manufacturer</a> and thus is <em>not</em> assigned by a mobile telephony/Internet company from whom a device is purchased. The ESN is often checked against the MIN to prevent fraud. Specifically, while an individual could try to have their MIN changed in order to receive free services, by correlating the MIN and ESN in the providers&#8217; database the likelihood of successfully conducting fraudulent activities is diminished. Moreover, with the ESN it is possible to ascertain whether the same phone is being used across a set of wireless carriers&#8217; networks.</span></p>
<p>The <strong>fifth line</strong> contains the International Mobile Equipment Identification (IMEI) and International Mobile Subscriber Identification (IMSI) numbers. These numbers are tied to mobile devices (e.g. phones, 3G-capable tablets). The following information can be derived from the IMEI number used in the example above, &#8220;35-209900-176148-23&#8221;: that the number was issued by the British Approvals Board for Telecommunications (&#8220;35&#8221;) and given allocation code &#8220;2099&#8221;. The &#8220;00&#8221; reveals the period of time when the device was manufactured, &#8220;176148&#8221; reveals the serial number issued to the model of device, and the &#8220;23&#8221; reveals the version of software installed on the phone. The IMSI identifies the mobile country code (&#8220;310&#8221;), mobile network code (&#8220;150&#8221;), and mobile subscription identification number (&#8220;564857956&#8221;). &#8220;310&#8221; is the number associated with America, and &#8220;150&#8221; with AT&amp;T. As a result, with the IMEI and IMSI numbers you can ascertain when the device was made, serial of the device, version of its software, nation of usage-origin, carrier-of-origin, and the subscriber code of the carrier associated with the device.</p>
<p><strong>Line six</strong> has the Subscriber Identification Module (SIM) number. This number, &#8220;894411 0112 12333344 4&#8221; in our example, is broken into subcomponents to identify different bits of information. The first two digits (&#8220;89&#8221;) are associated with the telecom operators identifier. &#8220;44&#8221; refers to the country code and &#8220;11&#8221; to the network code the module is associated with. The next four digits (&#8220;0112&#8221;) indicate the month and year of the SIM&#8217;s manufacture and the following two numbers (&#8220;12&#8221;) give the switch&#8217;s configuration code. The next six numbers disclose the SIM number itself and the last holds the digit to confirm the validity of the SIM serial itself.</p>
<p>Perhaps it needn&#8217;t be stated, but as should be clear there is a <em>significant</em> difference between a &#8220;phone record&#8221; in a phonebook and a &#8220;phone record&#8221; under the Canadian government&#8217;s proposed lawful access legislation. A phone number and address does not reveal the manufacturer of a mobile device, when it was made, when elements of the phone were provisioned, the provider of the telephone services, and so forth. Instead, the lawful access record affords a trove of data that is far in excess of what a citizen would find when they looked up a name, address, or phone number in the hardcopy phonebook that is delivered to their door each year.</p>
<h2>Aggregating Records for Citizen Transparency</h2>
<p>Not all telecommunications service providers could make available a full post-lawful access legislation &#8220;phone record.&#8221; However, once authorities have a single piece of information they can then move to other service providers to develop a full record, one that could subsequently be used to map a person&#8217;s presence on the Internet, their habits, and their activities. Using open source intelligence, the email address can be employed to determine what <em>other</em> services are attached to that email address, and using the IP address authorities can determine where a person is accessing the Internet from (i.e. was the IP address leased to a cafe? to a home? to a business? to a mobile network?) and the billing records associated with that IP address. If browsing from Starbucks, the cafe might be able to turn over a log of users who used their wireless network during the time authorities are interested. If browsing from home, or your own mobile device, then the subscriber records associated with that billing address might be available. And, if browsing from a friend&#8217;s phone or computer, then their information might be given to police regardless of your friend&#8217;s interest to the police.</p>
<p>Remembering back to the discussion of traditional phone records, it is possible that multiple people share the same account and thus what turns up in the phonebook remains somewhat ambiguous. This may remain so when dealing with communal Internet connections but is far less true when dealing with mobile devices. Phones have, for many people, become fetishes that are carried on one&#8217;s person and jealously protected from third-party intrusion. Thus, the ability to ascertain who owns, and is using, a particular mobile device is far less ambiguous than who subscribes to, and uses, a landline phone. Using contemporary policing technologies <a title="External link to UK IMSI/IMEI catcher vendor" href="http://www.ukspyequipment.com/more/on/details/00052">such as IMSI catchers</a>, authorities can de-anonymize a crowd by catching the IMSI associated with each phone and immediately requesting subscriber data from mobile phone providers. While it may not be legal for <a title="External link to piece on Byron Sonne and police ruse" href="http://toronto.openfile.ca/toronto/text/ruse-violated-byron-sonnes-rights">authorities to engage in ruses</a> to compel individuals to identify themselves when those individuals have done nothing wrong, with IMSI catchers no ruse is needed for the identification process to occur. The term &#8220;papers please&#8221; is a distinctly analogue notion, one that can be abandoned by authorities in possession of IMSI catchers and lawful access powers.</p>
<p>Surveillance is being automated, and vendors are accelerating the rates at which records can be collected and analysed to meet the needs and expectations of the multibillion-dollar surveillance complex that has significantly grown post-9/11. Developers are not about to slow the rate of their surveillance innovations in the face of regulation that permits more expansive surveillance, records collection, and correlation of online actions with those records. Technology, however, does not determine the course of society: technology and society are mutually entwined, with each influencing the other. While surveillance architectures are being developed, if their uses are either illegal or are accompanied by high administrative or financial burdens then the architecture can lie substantively dormant save for in truly exceptional times associated with incredibly significant events. Legal friction can encourage such high costs by outlawing particular ways of collecting subscriber information and requiring administrative burdens (e.g. the warranting process) to force authorities to intentionally assign resources to access subscriber records. Reducing legal and administrative frictions in an era where technical frictions are quickly becoming a thing of the past is a recipe for expanded government surveillance. Such surveillance can detrimentally affect individuals by chilling speech and association, harm businesses by increasing the costs of complying with regulation, and force citizens to pay for their own surveillance in increased service costs and by way of their charter rights. We must avoid such harms and, as such, retain administrative and legal frictions to ensure that strong oversight bodies exist and that appropriate frictions accompany novel policing and intelligence powers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/the-anatomy-of-lawful-access-phone-records/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Lawful Access, Its Potentials, and Its Lack of Necessity</title>
		<link>http://www.christopher-parsons.com/blog/technology/lawful-access-its-potentials-and-its-lack-of-necessity/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/lawful-access-its-potentials-and-its-lack-of-necessity/#comments</comments>
		<pubDate>Thu, 10 Nov 2011 00:44:26 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[Mobiles]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[lawful access]]></category>
		<category><![CDATA[police]]></category>
		<category><![CDATA[privacycommissioner]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2858</guid>
		<description><![CDATA[Police and other authorities should not be permitted to infringe upon Canadians' rights and further erode expectations of communicative privacy, associative privacy, or basic dignities on the basis of cross-jurisdictional envy. <a href="http://www.christopher-parsons.com/blog/technology/lawful-access-its-potentials-and-its-lack-of-necessity/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2862" class="wp-caption alignleft" style="width: 310px"><a href="http://www.flickr.com/photos/piccadillywilson/225350749/"><img class="size-medium wp-image-2862" title="GCHQ" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/11/225350749_da7839754e_b-300x245.jpg" alt="" width="300" height="245" /></a><p class="wp-caption-text">Image by mattwi1s0n</p></div>
<p>New surveillance powers are typically framed using benevolent and/or patriotic language. In the United States, we see the PATRIOT Act, the Stored Communications Act, and National Security Letters. Powers associated with this surveillance assemblage have been abused and people have been spied upon in violation of the law and bureaucratic procedure, and regardless of whether real and present dangers were demonstrated. The UK has the Regulation of Investigatory Powers Act (RIPA), which significantly expanded the capabilities of police and intelligence to monitor citizens in previously illegal ways. This legislation is also used improperly, as revealed in the yearly reports from the Interception Commissioner. In Canada, the Canadian government has publicly stated its intention to press ahead and introduce its lawful access legislation despite concerns raised by the public, members of the advocacy and academic community, and the information and privacy commissioners of Canada. Here, we can also expect uses of lawful access powers to overstep stated intents and infringe on Canadians&#8217; rights, intrude upon their privacy, and injure their dignity.</p>
<p>Over the past months I&#8217;ve been actively involved in working with, and talking to, other parties about lawful access legislation. This has included speaking with members of the media, publishing an op-ed, and conducting various private discussions with stakeholders around Canada who are concerned about what this legislation may (and may not) mean. Today, in the interests of making public some of the topics of these discussions, I want to address a few things. First, I quickly summarize key elements of the lawful access legislation. Next, I note some of the potentials for how lawful access powers will likely be used. None of the potentials that I identify depend on &#8216;next generation&#8217; technologies or data management/mining procedures: only technologies that exist and are in operation today are used as mini-cases. None of the cases that I outline offer significant insight into the operational working of stakeholders I&#8217;ve spoken with that can&#8217;t be reproduced from public research and records. I conclude by questioning the actual need for the expanded powers.<span id="more-2858"></span></p>
<h2>What is Lawful Access?</h2>
<p>Lawful access legislation enhances policing and intelligence powers. As recognized by <a title="External link to Ann's op-ed in the national post on lawful access" href="http://www.nationalpost.com/news/Privacy+invasion+shouldn+lawful/5631287/story.html">Ontario&#8217;s Information and Privacy Commissioner, Ann Cavoukian</a>, &#8220;it is highly misleading to call it &#8220;lawful.&#8221; Let&#8217;s call it what it is &#8211; a system of expanded surveillance.&#8221; In general, there are <a title="External link to CIPPIC document on lawful access" href="http://www.cippic.ca/en/projects-cases/lawful-access/#LA01">three classes of access powers</a> associated with such legislation: search and seizure provisions, interception of private communications powers, and production of subscriber data. On the basis of past lawful access legislation that has been tabled, but not passed, we can expect forthcoming legislation to &#8216;modernize&#8217; the existing Criminal Code to accommodate several of these powers.</p>
<p>To begin, the legislation is expected to require telecommunications service providers (such as Internet service providers, web forums, bloggers, etc) to be able to decrypt any communications they are responsible for encrypting. Such encryption services might be used to ensure customer privacy, such as by offering secured communications between parties. While communications may <em>generally</em> be secure they <em>cannot</em> legally be made secure from the government by a service provider offering a turnkey encryption solution. In effect, communications will thus be <em>pseudoencrypted</em>: protected against adversaries with the same level of power as the services&#8217; users, but unprotected against the more powerful agents such as the state.</p>
<p>In addition, telecommunications service providers (TSPs) will need the ability to retain data on subscribers for up to 90 days. TSPs may be served with preservation orders, which would require them to retain data on specific individuals. Preserved data would be transferred to authorities once they have secured a production order from a judge and issued the order to the TSP. The TSP could then delete/destroy the preserved data.</p>
<p>Whereas preservation orders are used to require storage of the <em>content</em> of communications, police can access subscriber information without first receiving a court order. A wide variety of information may be disclosed, including:</p>
<ul>
<li>name</li>
<li>address</li>
<li>telephone number</li>
<li>electronic mail address</li>
<li>Internet protocol address</li>
<li>mobile identification number</li>
<li>electronic serial number</li>
<li>local service provider identifier</li>
<li>international mobile equipment identity number</li>
<li>international mobile subscriber identity number</li>
<li>subscriber identity module card number associated with the subscribers&#8217; service and equipment</li>
</ul>
<p>This information lets authorities definitively identify individuals and the records held on them by the TSPs used in the communications process. Accompanying the no-warrant-required elements of the bills is a capacity for authorities to install &#8216;number recorders&#8217; in TSPs&#8217; communications hubs in <a title="External link to wikipedia article on what exigent circumstances mean" href="http://en.wikipedia.org/wiki/Exigent_circumstances">exigent circumstances</a>. As noted by the <a title="External link to Blaze's article on lawful access" href="http://news.nationalpost.com/2011/10/22/laws-for-21st-century-a-guide-to-canadas-proposed-lawful-access-laws/">National Post&#8217;s Kathryn Blaze Carlson</a>:</p>
<blockquote><p>A number recorder, which records the telephone numbers associated with outgoing and incoming calls, would be installed remotely by a telecommunications provider at their call centre hub. The installation can last up to 60 days, but it could be extended to one year if a warrant is obtained and if the investigation involves organized crime or terrorism.</p></blockquote>
<p>The legislation also introduces the ability to activate and/or monitor the signals emitted from location-enabled devices that Canadians carry with them or are in regular contact with. Police can do this today, but lawful access legislation would permit them to activate disabled locational systems (e.g. your phone&#8217;s GPS), including in covert ways. Such actions could be undertaken with court supervision or, potentially, in instances of emergency or exigent circumstances. It should be noted that access to geolocational information is <em>more expansive</em> than just your physical location at a particular time: the legislation is also intended to let authorities discover the location of &#8220;transactions such as geo‐tagged comments or photos from private sector service providers.&#8221; (<a title="Internal link to letter sent to the PMO regarding lawful access" href="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/08/20110809-LT_Harper-Re_LawfulAccess-FINAL.pdf">.pdf source</a>).</p>
<p>It is unlikely that a targeted Canadian will be made aware of lawful access-enabled surveillance unless charges are brought to bear. As noted in the letter that was sent to the Prime Minister&#8217;s Office in August 2011 (<a title="Internal link to letter sent to PMO regarding lawful access" href="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/08/20110809-LT_Harper-Re_LawfulAccess-FINAL.pdf">.pdf</a>), and re-confirmed in Blaze&#8217;s piece, there are elements of the legislation that impose &#8216;gag&#8217; orders on anyone who is ordered to comply with lawful access powers. Specifically,</p>
<blockquote><p>Clause 6(2) permits the government to impose, in regulations, sweeping and categorical confidentiality obligations on service providers that will apply across all interception warrants. Second, under Clause 71, any telecommunications service provider obligated to comply with a warrantless seizure request will be subject to the secrecy provisions in proposed section 7.4 of PIPEDA. Proposed section 7.4 of PIPEDA prevents organizations from disclosing the fact of their cooperation with state efforts to spy on their customers. The sweeping nature of the secrecy measures envisioned by these provisions is in stark contrast to existing practice, where gag orders must be requested from a judge and justified on a case by case basis. The problem with such measures is that they will prevent individuals from challenging abuses of the powers granted in this Bill.</p></blockquote>
<h3>Lawful Access, In Summary</h3>
<p>As I <a title="External link to op-ed in Vancouver Sun on lawful access" href="http://www.vancouversun.com/Canada+forthcoming+surveillance+bill+rein/5521531/story.html">wrote in an op-ed in the Vancouver Sun</a> in October, this legislation can be summarized as requiring:</p>
<ul>
<li>Corporate surveillance. Internet service providers, mobile phone providers, and even the websites that Canadians visit could become agents of the state, forced to preserve records of Canadians&#8217; actions at the request of authorities (<a title="External link to CBC piece on privacy and lawful access" href="http://www.cbc.ca/news/canada/story/2011/08/09/pol-internet-privacy.html">Source</a>);</li>
<li>Minimal oversight. Audit powers will be offloaded to privacy commissioners without corresponding material or legislative resources to effectively conduct audits and limit abuse (<a title="External link to privacy commission of Canada's letter about lawful access" href="http://www.priv.gc.ca/media/nr-c/2011/let_110309_e.cfm">Source</a>);</li>
<li>Warrantless disclosures. Internet users&#8217; subscriber information will be disclosed to authorities, regardless of the information’s usefulness or uselessness to an investigation (<a title="External link to Ars Technica piece on lawful access" href="http://arstechnica.com/tech-policy/news/2011/08/need-a-warrant-to-unmask-internet-users-not-if-canada-gets-its-way.ars">Source</a>);</li>
<li>Secrecy orders. Authorities might collect Canadians’ private information without those Canadians ever knowing about the collection or the reasons for collecting it (<a title="Internal link to letter to PMO regarding lawful access" href="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/08/20110809-LT_Harper-Re_LawfulAccess-FINAL.pdf">.pdf Source</a>).</li>
</ul>
<h2>Lawful Access in Practice</h2>
<p>A large number of Canadians who look at these proposals may feel some unease but then quickly assert that the legislation is ultimately innocuous. The standard rhetoric is that &#8220;If you have nothing to hide then you shouldn&#8217;t fear this legislation.&#8221; Such a statement obfuscates the realities of both contemporary policing and what studies demonstrate about how people <em>actually</em> versus <em>rhetorically</em> understand privacy. To begin, contemporary policing is deeply invested in identifying deviant behaviour and acting upon it in an &#8216;actuarial&#8217; manner. David Lyon, a <a title="External link to Lyon's NewT page" href="http://www.sscqueens.org/davidlyon">world-leading scholar on the topic and issue of surveillance</a>, presciently wrote the following back in 2003:</p>
<blockquote><p>As with database marketing, the policing systems are symptomatic of broader trends. In this case the trend is towards attempted prediction and pre-emption of behaviours, and of a shift to what is called &#8220;actuarial justice&#8221; in which communications of knowledge about probabilities plays a greatly increased role in assessments of risk (Lyon 2003: 15-16).</p></blockquote>
<p>Thus, mistakenly being situated in a wrong category can have significant implications on one&#8217;s life regardless of whether a person has &#8216;something to hide&#8217; or not. The degree to which one is public is (arguably) secondary to the &#8216;types&#8217; of people one knowingly and unknowingly associates with, whom their associates are connected to, and the risk profiles that are assigned to those communicative partners and their colleagues. To make this somewhat clearer, consider the following: In college/university/your private life you likely communicate with individuals who have agitated, or presently agitate, peacefully against certain state behaviours. You may or may not be aware that those individuals agitate. Perhaps you have engaged, or do engage, in discussions with those people online, either on websites used by those opposed to certain state behaviours, or in the comments section of newspaper articles, or other electronic formats. Should the police be interested in tracking the individuals invested in an issue (e.g. legalization of marijuana, legal issues surrounding sex work in Canada, protest against federal decisions concerning Sri Lankan immigrants, etc.) then they may request available subscriber records for all who have participated in the online discussion.</p>
<p>Now, let&#8217;s again assume that you were <em>not</em> supportive of opposition to an official government position and thus aren&#8217;t necessarily of direct interest to authorities. Regardless, your subscriber data and that of everyone else engaged in these discussions might be requested by the police. No warrant is required to provide this information. Let&#8217;s assume that you used a unique pseudonym and throwaway email address. The authorities would gain access to your IP address and email address. They would get the same information for every participant of the discussion. With this information they could turn to whoever provided the email account, as well as contact the ISP who provisioned the IP address at the specific time that you posted your message. With information from the email provider they may be able to definitively identify the ISP that you use and, from there, your name, address, and so forth. Thus, you as &#8216;hungrybunny19&#8217; are identified as &#8216;John Smith&#8217; who was involved in discussion with individuals who authorities are interested in monitoring for some reason or another. John Smith, you, are subsequently added into a database as associating with persons the authorities find questionable. Mr. Smith will never know that he was added into such a database because the service provider could not legally disclose that the information had been released and, as a result, Mr. Smith&#8217;s life prospects may change for legally associating and speaking with those who were similarly engaged in legal speech and association.</p>
<p>Perhaps you insist that this doesn&#8217;t describe you: you would <em>never</em> communicate about <em>anything</em> in <em>any electronic environment</em> with <em>any person</em> that would <em>ever</em> be of interest to authorities (and, if you can make and stand by these claims, you&#8217;re vetting the people that you speak with using intelligence-service-level thoroughness!). Perhaps you have a cellular phone and you have passed near major events that the police have an interest in monitoring. For example: you may have been involved in peacefully assembling during the G20 in Toronto, been a passive spectator at the Vancouver riots, visited an Occupy camp, or may simply pass by union members who are protesting working conditions in a public space several times a day as you walk around your city conducting legitimate personal business. In all cases, the authorities may have an interest in monitoring individuals associated with such groups. Using a technology known in the United States as &#8216;Stingray&#8217; or, more precisely, <a title="External link to wikipedia article on IMSI catchers" href="http://en.wikipedia.org/wiki/IMSI-catcher">IMSI catcher surveillance equipment</a>, police can impersonate a cellular tower and capture all the IMSI numbers within several kilometers of the catcher (<a title="External link to .pdf article on IMSI catchers" href="http://www.emsec.rub.de/media/crypto/attachments/files/2011/04/imsi_catcher.pdf">.pdf source</a>). The IMSIs, or International Mobile Subscriber Identity numbers, can be taken to a mobile phone provider and used to compel the subscriber data associated with the caught IMSI numbers. Thus, should one of these catchers be deployed by authorities &#8216;just in case&#8217;, an individual may find their personal information sent along to police on the basis of their physical presence during a legal public event. The capacity to acquire IMSI numbers <em>en masse</em>, combined with legal powers to compel subscriber information, creates the perfect framework for mass fishing expeditions based on where citizens are physically present.</p>
<p>Canadians may be uncomfortable with these propositions but immediately follow up with the position that such concerns are hyperbolic. Unfortunately, a brief reflection on the history of surveillance in Canada and present actions taken by our allies (depressingly) suggests that these concerns are practically banal. During the Vancouver Olympics authorities spent incredible amounts of money on security, an element of which was allocated towards monitoring legal associations of citizens. As <a title="External link to Tyee article on olympic false alarms" href="http://thetyee.ca/News/2011/05/04/OlympicFalseAlarm/">disclosed in memos</a> there were no specific, credible, terror threats against the Vancouver Olympics. Despite these threat assessments, citizens who had specific political and economic concerns were <a title="External link to RCMP monitoring of protest group" href="http://www.cbc.ca/news/canada/nova-scotia/story/2009/11/18/ns-antigonish-olympics.html">routinely</a> placed under surveillance. In effect, citizens conducting legal actions that <em>might</em> lead to disruptions of the games became targets of a surveillance apparatus designed to prevent the next Munich massacre. Surveillance and intelligence gathering did not <a title="External link to ABCnews piece on US monitoring all social media during Olympics 2010" href="http://abcnews.go.com/Blotter/olympics-feds-reading-tweets/story?id=9825070">solely focus</a> on citizens involved in protesting government actions or others associated with the Olympics, but also their contacts, <a title="External link to CBC piece on surveillance on Shaw's student, friend, and ex-wife" href="http://www.cbc.ca/news/canada/british-columbia/story/2009/10/06/bc-olympic-security-protester-surveillance.html">friends, students, former partners</a>, and academic and professional acquaintances. Efforts were also <a title="External link to Rabble piece detailing attempts to recruit citizen snoops" href="http://rabble.ca/blogs/bloggers/word-rings/2009/05/thought-police-working-overtime-whistler">made to recruit</a> neighbours, friends, and acquaintances to spy on suspected activists, and the RCMP tried to <a title="External link to Canada.com piece detailing RCMPs effort to avoid responding to FOI requests on Olympics to 2012" href="http://www.canada.com/vancouversun/news/westcoastnews/story.html?id=eb555565-41a6-42fc-a732-089c19d1915c">legally shield itself from fulfilling FOI requests</a> under the guise of operational security. Under lawful access legislation, the lines of inquiry could expand beyond police associations of people online &#8211; the aforementioned people communicating in Web forums &#8211; to using technologies like IMSI catchers to identify who is often near citizens-under-suspicion. Having coffee with a work friend who advocates for social justice on the weekends could lead to unsuspecting, and utterly uninvolved, citizens being stuck in the same net as their law-abiding colleagues who are caught in the web of actuarial justice.</p>
<p>Further, Canadian authorities have a history of monitoring those who are often the least-advantaged in our society. Consider that Military Intelligence places native communities under intense surveillance. As <a title="External link to G&amp;M article detailing native groups being monitored by military intelligence" href="http://www.theglobeandmail.com/news/politics/military-intelligence-unit-spies-on-native-groups/article2199496/">reported in the Globe and Mail</a>, eight reports were generated in just 18 months. Surveillance was conducted to record Natives&#8217; concerns surrounding new tax policies, potential to blockade Highway 401, and possible future protests, lobbying activities, and lawful associations. The group responsible for this surveillance was a counter-intelligence body charged with &#8220;identifying, investigating and countering threats to the security of the Canadian Forces and the Department of National Defence from foreign intelligence services, or from individuals/groups engaged in espionage, sabotage, subversion, terrorism, extremism or criminal activities.&#8221; At no point in the reports is it evident that native groups fell under the latter set of descriptors. With the introduction of lawful access legislation other authorities could have become involved in the surveillance and compelled telecommunications providers to disclose the contents of communications. Further, using previously mentioned tactics embedded in the legislation, subscriber information and who was communicating with whom could have been determined without warrant or court oversight.</p>
<p>In short, it is entirely plausible that lawful access could be utilized to expand existing surveillance practices conducted by Canadian authorities. <a title="External link to common letter from Canada's privacy commissioner concerning lawful access" href="http://www.priv.gc.ca/media/nr-c/2011/let_110309_e.cfm">There are serious oversight concerns</a>. Specifically, the Office of the Privacy Commissioner of Canada would be hamstrung in auditing the surveillance conducted and its motivations, and the legislation fails to extend the powers of that Office to accommodate the expansion of police powers. Further, where local or provincial police conduct surveillance, audit responsibilities would fall to provincial commissioners and they similarly lack the resources to mount full-scale audits of authorities&#8217; proposed expansive surveillance practices. This position is forcefully stated by the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian. She <a title="External link to Cavoukian's editorial in the National Post on Lawful Access" href="http://fullcomment.nationalpost.com/2011/10/31/privacy-commissioner-ann-cavoukian-privacy-invasion-shouldn%E2%80%99t-be-%E2%80%98lawful%E2%80%99">poignantly writes that</a>,</p>
<blockquote><p>Canadians must press the federal government to publicly commit to enacting much-needed oversight legislation in tandem with any expansive surveillance measures. Intrusive proposals require, at the very least, matching legislative safeguards. The courts, affected individuals, future Parliaments and the public must be well informed about the scope, effectiveness and damaging negative effects of such intrusive powers.</p></blockquote>
<h2>The Need for Lawful Access</h2>
<p>Over the past months I&#8217;ve had the opportunity to speak with counsellors, engineers, privacy officers, and policy staff for telecommunications service providers. This has run the gamut from ISPs to an ex-VoIP provider employee to webmasters responsible for large online environments to policy wonks for massive Internet-based corporations. The various parties I&#8217;ve spoken with have held varying opinions on the previously proposed lawful access legislation; everything from cost issues, to rights problems, to implementation woes, to issues of being identified as a &#8216;problem&#8217; in the policing process.</p>
<p><strong>All, however, have told me that in almost every case where data is requested on exigent circumstances grounds, it is, in fact, disclosed.</strong></p>
<p>What, specifically, is the need driving the legislation then? Authorities have routinely insisted that lawful access powers would only be used when investigating the most serious of crimes (e.g. see this <a title="External link to spark page with audio interview" href="http://www.cbc.ca/spark/2011/09/tom-stamatakis-and-murray-stooke-on-lawful-access/">audio interview with the CBC&#8217;s &#8216;Spark&#8217;</a>) but in other jurisdictions we regularly have seen expanded surveillance used to investigate less serious offences. For extensive documentation of such &#8216;expanded uses&#8217;, see Priest&#8217;s and Arkin&#8217;s <em>Top Secret America: The Rise of the New American Surveillance State</em>, allegations that the FBI <a title="External link to ACLU accusation that FBI conducted dragnet surveillance" href="http://news.cnet.com/8301-31921_3-20008444-281.html">conducted dragnet surveillance</a> to trace bank robbers, claims that routine conversations lead individuals to be <a title="External link to review of echelon" href="http://pubrecord.org/nation/2290/revisiting-echelon-nsas/">labeled as potential terrorists</a> in government databases, inappropriate monitoring of <a title="External link to recent review of MI5 operations" href="http://www.out-law.com/page-12055">hundreds of people</a> each year, yearly monitoring <a title="External link to Register piece on details from Interception Commissioner's report" href="http://www.theregister.co.uk/2010/07/28/intercept_commissioner/">of over 500,000 people&#8217;s communications</a> records, or the usage of terror-based surveillance provisions to ensure <a title="External link to monitoring of family for school registration purposes" href="http://www.guardian.co.uk/uk/2009/aug/10/email-phone-intercept-requests-police">children are registered in correct school districts</a>. 
I cannot state emphatically enough: this is a <em>very</em> small sampling of how widely lawful-access style legislation is used by our closest of close economic, political, and military allies. There is no reason that Canadian authorities won&#8217;t demonstrate the same types of behaviour.</p>
<p>British Columbia&#8217;s Information and Privacy Commissioner, Elizabeth Denham, has asserted that <a title="External link to Vancouver Sun piece with Denham on lawful access" href="http://www.vancouversun.com/technology/Lawful+access+would+trample+rights/5482150/story.html">authorities have not demonstrated evidence</a> that investigations have been thwarted under existing access powers. Authorities have failed to provide empirical data that reveal a clear and present need for enhanced powers contained in past, or forthcoming, lawful access legislation. Authorities have noted concerns with warranting processes, and if these concerns are legitimate (insofar as they can be documented using empirical datasets) then perhaps Parliament should consider modifying the warranting process or increasing resources so that warrants can be processed more rapidly. If, however, authorities are simply looking abroad and finding their power lacking in comparison &#8211; and cannot clearly outline why they need their compatriots&#8217; powers to protect us from truly serious crimes &#8211; then they should not be granted expanded powers. Police and other authorities should not be permitted to infringe upon Canadians&#8217; rights and further erode expectations of communicative privacy, associative privacy, or basic dignities on the basis of cross-jurisdictional envy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/lawful-access-its-potentials-and-its-lack-of-necessity/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Mobile Security and the Economics of Ignorance</title>
		<link>http://www.christopher-parsons.com/blog/technology/mobile-security-and-the-economics-of-ignorance/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/mobile-security-and-the-economics-of-ignorance/#comments</comments>
		<pubDate>Tue, 04 Oct 2011 08:05:53 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Mobiles]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data mining]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[privacycommissioner]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[windowsphone]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2813</guid>
		<description><![CDATA[Commissioners and regulators must demand that device manufacturers either provide APIs that comply with Canadian law or change existing APIs in the face of prevalent privacy issues. Where neither of these conditions is met, OS vendors should be forced to suffer significant penalties. The only way to secure devices' security and citizens' privacy is to erode the economics of ignorance that application vendors and device manufacturers alike depend on to cheat Canadians out of their personal information. <a href="http://www.christopher-parsons.com/blog/technology/mobile-security-and-the-economics-of-ignorance/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2818" class="wp-caption alignleft" style="width: 235px"><a href="http://www.flickr.com/photos/jolieg/3831264435/"><img class="size-medium wp-image-2818" title="Day 24/ Mon 17 Aug 09  " src="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/10/3831264435_59f7929bfa_o-225x300.jpg" alt="" width="225" height="300" /></a><p class="wp-caption-text">Photo by JolieNY</p></div>
<p>Mobile penetration is <a title="External link to statscan numbers" href="http://www.statcan.gc.ca/daily-quotidien/110405/dq110405a-eng.htm">extremely high</a> in Canada. 78% of Canadian households had a mobile phone in 2010, in young households 50% exclusively have mobiles, and 33% of Canadians generally lack landlines. Given that mobile phones hold considerably more information than &#8216;dumb&#8217; landlines and are widely dispersed it is important to consider their place in our civil communications landscape. More specifically, I think we must consider the privacy and security implications associated with contemporary mobile communications devices.</p>
<p>In this post I begin by outlining a series of smartphone-related privacy concerns, focusing specifically on location, association, and device storage issues. I then pivot to a recent &#8211; and widely reported &#8211; survey commissioned by Canada&#8217;s federal privacy commissioner&#8217;s office. I assert that the reporting inappropriately offloads security and privacy decisions to consumers who are poorly situated to &#8211; and technically unable to &#8211; protect their privacy or secure their mobile devices. I support this by pointing to intentional exploitations of users&#8217; ignorance about how mobile applications interact with their device environments and residing data. While the federal survey may be a useful rhetorical tool I argue that it has limited practical use.</p>
<p>I conclude by asserting that privacy commissioners, and government regulators more generally, must focus their attention upon the Application Programming Interfaces (APIs) of smartphones. Only by focusing on APIs will we redress the economics of ignorance that are presently relied upon to exploit Canadians and cheat them out of their personal information.</p>
<p><span id="more-2813"></span></p>
<h2>Mobile Privacy</h2>
<p>The latest smart devices often spur national headlines and consume hours of television reporting and advertising. Consumers are typically sold on the &#8216;cool&#8217; features of devices, such as video chats, new intuitive gestures, better screens and speakers, superior access to third-party applications, music services, and so forth. Rarely are security improvements or enhancements to user privacy anywhere near the popular marketing material. This isn&#8217;t to say that innovations in security aren&#8217;t regular: every generation of Apple&#8217;s iDevices has been accompanied by more sophisticated hardware- and software-based security innovations, and the same can be said for Android, Blackberry, and Nokia devices. Innovations in privacy are somewhat rarer. Some proponents of smartphone privacy, such as Apple, have chosen to walk away from strong privacy settings in preference for more &#8216;engaging&#8217; interfaces. Contemporary conveniences have come at the cost of consumer privacy protections.</p>
<p>There are (at least) three key areas where mobile privacy commonly comes to the fore. The integration of GPS and wifi-based location tools with the core operating systems of contemporary phones has, and will continue to, raise serious concerns about locational privacy. In tying contact information with underlying APIs, along with weak consumer privacy protections, expectations of privacy in who we associate with are threatened. Finally, poor management of third-party applications&#8217; access to stored data has, and will likely continue to, limit consumers&#8217; abilities to secure their data or prevent borderline malicious surveillance processes from taking place.</p>
<p>I will note that many of the examples I draw on will refer to Apple&#8217;s iPhone, with far fewer examples drawn from other smart phones. This isn&#8217;t necessarily meant to single out Apple but is the result of conducting months of research on deficiencies associated with Apple products. Other devices &#8211; <a title="External link to problems with HTC Android phones" href="http://arstechnica.com/gadgets/news/2011/10/security-hole-in-htc-phones-gives-up-e-mail-addresses-location.ars">Android</a> in <a title="External link on Android and antivirus vulnerability" href="http://news.cnet.com/8301-27080_3-20115108-245/android-hole-could-be-used-to-disable-antivirus-apps/">particular</a>! &#8211; have and will likely continue to manifest security vulnerabilities that infringe upon their users&#8217; expectations of privacy.</p>
<h3>Location Privacy</h3>
<p>Where a mobile device happens to be on a regular and not-so-regular basis can reveal considerable amounts of information about an individual, especially when data is collected over extended periods of time. Using basic data mining (and common sense) it is possible to identify routine movement patterns, where someone is likely to be at any time of the day, where they live and work, whether they suffer from medical conditions requiring (semi-)regular treatment, when an abnormal life event occurs, and so on. While these movement patterns are revealed regardless of whether someone has a smartphone, feature and dumb phones are less able to disclose this information to non-carrier partners. All three types of phone will disclose the following to a carrier (and anyone it&#8217;s partnered with): information such as cell identification, signal level, angle of arrival, time of arrival, and time difference of arrival can be used to calculate a phone&#8217;s position.[1] In the case of smartphones, third-party applications can typically access collected location information and transmit it back to their corporate servers. Further, on smart devices location information can be collected by identifying nearby wifi access points, by activating the GPS system, and/or by locating the phone in relationship to cellular towers.</p>
<p>Once movement location is collected it can have other data overlaid upon it to gain deeper insight into who is using the phone. Imposing demographic, psychographic, and consumer information over geolocational data can establish nuanced profiles.[2] Such profiles are not just geolocationally-sensitive but also vary over time. By integrating time as a variable the data miner can develop deeper insights about the device owner by integrating migratory patterns with behavioural and imputed racial characteristics (e.g. pinpointing a phone as being at gay pride parades, carnival routes, or other cultural events that have publicly disclosed geo-temporal characteristics).[3]</p>
<p>In the case of the iPhone, Apple had initially required application developers to query the user every time before accessing the GPS sub-system or locating the phone using nearby wifi access points. This meant that a customer could sporadically disclose their location as they saw fit, trading their privacy for specific benefits. This capability, which was present in all versions of iOS prior to 3.2.1, has subsequently been replaced with a uniform opt-in/out mechanism. If a user selects &#8220;OK&#8221; once when an application asks to access a device location they must do the following to modify their configuration:</p>
<ol>
<li>Open Settings;</li>
<li>Select General;</li>
<li>Open Location Services;</li>
<li>Turn off a particular application&#8217;s sharing of the device location.</li>
<li>Steps 1-4 must be repeated every time that a user wants to opt-out of location sharing again.</li>
</ol>
<p>While this is an opt-in approach, it stands in stark contrast to Steve Jobs&#8217; statements at the D8 conference. Specifically, <a title="External link to D8 transcript" href="http://d8.allthingsd.com/20100601/steve-jobs-session/#more-447">Jobs stated that Apple</a> has a &#8220;very different view of privacy than some of our colleagues in [Silicon] Valley. We take privacy extremely seriously. That’s one of the reasons we have the curated apps store. We have rejected a lot of apps that want to take a lot of your personal information and suck it up into the cloud. Privacy means that people know what they’re signing up for. In plain English, and repeatedly, that’s what it means. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of you asking them. Let them know precisely what you’re going to do with their data.&#8221; Evidently, Apple no longer takes privacy as seriously as it had in previous iterations of its business strategy.</p>
<p>In the case of Windows Phone 7 devices, many of the applications will request access to location information as a precondition of installing the application. This is true for RSS feed readers, calendaring programs, and video games. Some applications, such as the BC Ferries Sailing Information app, prominently display an option on the main screen so that users can opt-out of location sharing at any time. Unlike Apple, however, Microsoft&#8217;s phone does not contain a setting page where users can opt-out of location sharing on a per-app basis. Instead, users must entirely disable or enable all location services. Many apps will let you subsequently opt-out of location sharing, but where to disable the feature varies depending on the application.</p>
<p>Smartphones also have a habit of turning their users into &#8216;warphoners&#8217;. To clarify, this means that the phones detect, store, and subsequently transmit information about the wifi access points the phones pass by (with geolocation information) to their respective corporations. <a title="External link to MS's collection of AP data" href="http://news.cnet.com/8301-31921_3-20085028-281/microsofts-web-map-exposes-phone-pc-locations/">Microsoft</a>, <a title="External link to apple's collection of AP data" href="http://www.guardian.co.uk/technology/2011/apr/20/iphone-tracking-prompts-privacy-fears">Apple</a>, and <a title="External link to coverage of Android collecting AP information" href="http://www.theregister.co.uk/2011/04/22/google_android_privacy_concerns/">Google</a> have all been &#8216;caught&#8217; capturing locational information and sending it home to their servers. While Google&#8217;s database does limit some of the information it discloses, we can intuit its capabilities based on what was revealed about Microsoft&#8217;s own location database. Specifically, when researchers <a title="External link to CNet article on accessing the Live database" href="http://news.cnet.com/8301-31921_3-20085028-281/microsofts-web-map-exposes-phone-pc-locations/">examined the Live.com database</a> they found that some of its items moved from location to location. The Live.com database was tracking where mobile hotspots were and, thus, giving Microsoft and those accessing the database insight into the movements of not just mobile phone owners but also of non-Windows phone users who had mobile wifi access. On a contemporary smartphone there is no reason why a third-party application couldn&#8217;t also develop similar sniffing services that operated while the app was running.</p>
<p>Various privacy officials have stated that there is relatively little harm in access point information being captured. Unfortunately, few seem aware of how <a title="External link to Blackhat video" href="http://www.youtube.com/watch?v=kS4MFq3QDS4&amp;feature=youtu.be">easy it is to collect a router&#8217;s MAC address</a>. With this address it is possible to query publicly available databases that retain correlated MAC addresses and location information. Using this information, you can identify where an individual is physically situated.</p>
<p>Unfortunately, many data protection and privacy commissioners operate on complaints-based systems dependent on citizens identifying harms. Most citizens are poorly situated to trace the data flowing in and out of their phone, and have limited insight into what happens to data after it leaves their device. Those that know may be bound by non-disclosure agreements, limiting their ability to contribute to the public sphere. In light of these limitations commissioners and regulators must proactively engage with smartphone manufacturers. Government officials must ensure that APIs guarantee effective privacy controls over location information so that citizens can &#8216;control&#8217; or be aware of the flow of their personal information.</p>
<h3>Association Privacy</h3>
<p>The fact that a considerable amount of personal information is held on mobile phones is nothing new. For years there have been worries around what happens if a person loses their phone, and such anxieties will likely continue as long as humans outsource memory retention to semi-animate objects. What has changed with the rise of data-enabled devices is the ease of unknowingly losing your contact list without ever having physically lost hold of your phone. The loss of this information not only compromises contact details of associates and colleagues, but also sheds light upon who the device owner likely communicates with, has met, or generally has in their social network. Such revelations impact citizens&#8217; association privacy, insofar as they cannot be sure that their communications device won&#8217;t indiscriminately disclose to parties unknown who the owners associate with. Such revelations can have chilling consequences and also lead to profiles being developed that negatively impact the device owners or others who have their information stored on the mobile device.</p>
<p>All smartphones have address books (or address book equivalents, in <a title="External link to MS discussion of the people tile" href="http://www.microsoft.com/windowsphone/en-us/howto/wp7/people/people-hub.aspx">the case of Windows Phone</a>). The iPhone, in particular, is well-known for letting third-party applications transmit copies of users&#8217; address books. Apple installs their &#8216;Contacts&#8217; app on all phones and it cannot be removed by the phone owner. In a report by the European Network and Information Security Agency (ENISA), it was noted that there was a serious privacy concern related to how third-party applications interact with the &#8216;Contacts&#8217; application. The report&#8217;s authors write, &#8220;…in iOS, the address book is accessible to all apps. No special status is given to the user’s own contact details in the address book, meaning that, apart from the large amounts of personal data this exposes, the user’s own phone number is also accessible, which can be used for unsolicited marketing” (<a title="External link to ENISA paper" href="http://www.enisa.europa.eu/act/it/oar/smartphones-information-security-risks-opportunities-and-recommendations-for-users">.pdf</a>). Third-party application developers can access a considerable amount of personal information without first informing users of the access.</p>
<p>To be more specific, software engineer Nicholas Seriot writes that the following items are accessible through the Address Book database, which underlies the Contacts application:</p>
<ul>
<li>Names of contacts;</li>
<li>User and contacts’ phone numbers;</li>
<li>User and contacts’ email addresses;</li>
<li>Notes field, “in which many Mac users store sensitive data such as door codes or bank accounts” (<a title="External link to source .pdf" href="http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf">.pdf</a>).</li>
</ul>
<p>These concerns are not just academic or hypothetical. In 2008, Aurora Feint was caught <a title="Link to article on Aurora Feint" href="http://gizmodo.com/5028459/aurora-feint-iphone-app-delisted-for-lousy-security-practices">looking through the Address Book Database</a>, sending it unencrypted to their servers, and subsequently matching the data against other users&#8217; contact lists to inform users when their contacts/friends were also playing the game. In this case Apple did identify the problem and subsequently removed the application from their app store. Importantly, however, the problem was detected <em>after</em> it had previously been approved for sale within their curated environment and <em>following</em> considerable public outrage. Other companies have secretively collected data as well: MogoRoad collected Swiss phone numbers to subsequently call users (though not in contravention of Swiss law) (<a title="External link to .pdf" href="http://www.mogo.ch/presse/ID_MOBILE_COMMUNICATE_MOGOROAD_EN.pdf">.pdf</a>) and <a title="External link to article" href="http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail?entry_id=46236">Storm8 collected</a> users’ phone numbers and correlated them with users’ names, email addresses, and unique device identifiers.</p>
<p>Apple does note in their <a title="External link to iOS reference library" href="http://developer.apple.com/library/ios/#documentation/ContactData/Conceptual/AddressBookProgrammingGuideforiPhone/Chapters/DirectInteraction.html#//apple_ref/doc/uid/TP40007744-CH6-SW1">iOS Reference Library that</a> “the Address Book database is ultimately owned by the user, so applications must be careful not to make unexpected changes to it. Generally, changes should be initiated or confirmed by the user.” Despite this suggestion, it remains possible for application developers to access, transmit, and modify information from the Address Book database without first requesting the user’s permission.</p>
<p>Of some concern is Apple’s more recent response when contacted about applications that transmit contact information without user consent. In their paper, “PiOS: Detecting Privacy Leaks in iOS Applications” [<a title="External link to paper" href="http://iseclab.org/papers/egele-ndss11.pdf">.pdf</a>] researchers M. Egele, C. Kruegel, E. Kirda, and G. Vigna found that popular social network application Gowalla transmitted a user’s contact book, in its entirety, without the owner&#8217;s consent. When the authors contacted Apple about this indiscriminate appropriation of contact information the company suggested that the researchers direct their concerns directly to the application developer.</p>
<p>There are several problems with how Apple has established the API for their mobile environment. To begin, their API enables access to contacts information without imposing code-based restrictions. This is a serious deficit. Second, the information that is being shared is <em>not</em> exclusively owned or controlled by the phone owners. There is no ability for those in the &#8216;Contacts&#8217; application to consent to the disclosure of their personal information to a third-party. Moreover, given their lack of consent or notice to the device owner, and given that we cannot reasonably expect that those included in the contacts book will be notified of disclosures, it is dubious that individuals in a person&#8217;s contact book will ever know to contact the application developer and have their personal information removed. Ignorance permeates all stages of the disclosure process, and this ignorance fuels the monetization of personal information.</p>
<h3>Device Storage Privacy</h3>
<p>Of course, there is even more information that is stored on these devices. In the case of iDevices there is a unified keyboard cache that is accessible to third-parties. The cache “contains all the words ever typed on the keyboard, except for the ones entered in the password field. This is supposed to help autocompletion but this mechanism effectively acts as a key-logger, storing potentially private and confidential names and numbers.” (<a title="External link to .pdf source" href="http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf ">source .pdf</a>) As it stands, third-parties that access this information – without the owner knowing about this caching feature, or consenting to third-parties accessing it for non-cut/paste purposes – can uncover significant personal information about the owner. Have they recently been searching for medical products? Have they been visiting job search or infidelity websites? Have they input addresses, text messages, emails, or comments in web forums that could be sensitive? All this information is prospectively available.</p>
<p>Device storage is typically what people worry about when thinking of mobile security. Specifically, they establish passwords for their mobiles so that if the devices are lost then whoever finds the phone cannot immediately access its full contents. While physical access protection is important &#8211; and something that was specifically noted in the federal privacy commissioner&#8217;s recent survey &#8211; it is a very small part of a much larger device security and privacy framework. Simply setting a password protects you against the most obvious, if not the most common, sources of data appropriations, privacy infringements and security breaches.</p>
<h2>Reporting on Perception-Based Studies</h2>
<p>The purpose of walking through these security and privacy vulnerabilities isn&#8217;t to drive people away from smartphones or any other computing device. Rather, it is meant to underscore the current technical reality of owning and using the devices. Few people, even those who are technically savvy (myself included!), can limit the sharing of information if they are using certain smartphones. Privacy settings are <em>not</em> intended to maximize customer privacy but to facilitate perceptions that companies are meeting consumer privacy concerns. That these same companies enable the dissemination of personal information to third-parties, often without consumers learning about the dissemination or purposes of data collection, indicates the importance that Apple <em>et al</em> place on consumer privacy. Even for the interested consumer, many apps lack a privacy policy and <a title="External link to US Senator calling for app privacy policies" href="http://news.cnet.com/8301-27076_3-20066205-248/franken-pushes-apple-google-toward-privacy-policies-for-apps/">neither Apple nor Google require developers</a> to create or make available such policies. Indeed, to &#8216;simply&#8217; access Apple&#8217;s own privacy policy from their iDevice consumers must do the following:</p>
<ol>
<li>Select ‘Settings’</li>
<li>Select ‘General’</li>
<li>Select ‘About’</li>
<li>Select ‘Legal’</li>
<li>Press screen until copy option is available and copy the URL to the privacy policy</li>
<li>Click the ‘Home’ button</li>
<li>Open Mobile Safari</li>
<li>Select Address Bar and paste URL</li>
<li>Select ‘Go’</li>
</ol>
<p>Given the reality that customers cannot secure their personal information, or effectively even be aware of when or where it is flowing, headlines concerning the Privacy Commissioner of Canada&#8217;s recent survey can be both misleading and harmful. CBC led their coverage of the report with an article entitled &#8220;<a title="External link to CBC news piece" href="http://www.cbc.ca/news/technology/story/2011/08/25/technology-mobile-online-privacy.html">Canadians lax about cellphone security</a>&#8221; and the Vancouver Sun with &#8220;<a title="External link to Vancouver Sun article" href="http://www.vancouversun.com/technology/better%20protecting%20mobile%20privacy%20Canadians%20told/5311241/story.html">Do a better job protecting mobile privacy, Canadians told</a>.&#8221; The articles pick up on the fact that a minority of Canadians establish locking passwords or modify their privacy/sharing settings on their mobile devices. The <a title="External link to OPC survey" href="http://www.priv.gc.ca/information/survey/2011/por_2011_01_e.cfm">actual study notes that</a> those who store personal information on the devices are more likely to install a password (52% versus 33%) as are those who install applications beyond those installed on the phone by default (68% versus 27%). The report also notes that almost 60% of the people with GPS-enabled phones don&#8217;t actually have the GPS enabled. The majority is somewhat concerned about privacy issues stemming from location information but the survey fails to inquire whether their GPS-enabled devices are smartphones that can (and do) leak and collect location information based on other data sources.</p>
<p>While it is admirable that many people claim to modify their mobile device settings to limit data disclosure, such modifications have varying degrees of effect. In the case of an iPhone, key bits of data are being collected by third-parties without customers having <em>any</em> option to prevent the collection and subsequent dissemination of personal information. The iOS API itself permits access to the address book, and similar public calls can discreetly be made to the wifi location system and the keyboard cache. The nature of iDevices makes these actions possible. Thus,<em> even if an iPhone user has a password their data is insecure </em><em>from the companies invited onto the device</em>. Further, establishing a password is insufficient to secure a mobile device: did the users of iDevices use more than the 4-digit password, which is required to initiate the full range of iDevice encryption? What did users of older devices, which no longer receive security updates, do with their devices? Use them? If so, did these same users identify themselves as taking actions to secure their privacy and believe it was effective?</p>
<p>The problem with the study, and with the subsequent headlines, is that it fails to adequately identify who a data thief might be and suggests that owners can genuinely protect their privacy if using their devices. Generally, individuals will assume that it&#8217;s a bad third-party, not Apple or their favourite video game manufacturer, who is going to abscond with their personal information and that of their family, friends, and business contacts. When the hostile party is the operating system itself consumers can only save themselves by refusing to purchase or use the device, or by relying on government regulators to prevent the harm and force manufacturers to sell devices that comply with Canadian law.</p>
<h2>Undermining the Economic of Ignorance</h2>
<p>The problem with studies like the Privacy Commissioner&#8217;s &#8211; if only for how the media will report on them &#8211; is that consumers come to believe that they are primarily responsible for security failures. This offloads a considerable amount of responsibility from government officers to a relatively impotent citizenry. Further, the survey offers a sense that device owners can take actions to significantly limit the primary vectors of information leakage. While they have some control over a few vectors they rarely have control of the primary means of information collection and dissemination.</p>
<p>There is a high level of friction when a customer must disable systems-level processes to use an application without disclosing location information. Performing such actions adds considerable delays in accessing features of the phone and, as a result, most consumers simply will not disable location awareness on a regular basis. This is a behaviour we will see even if the device owners are uncomfortable with persistent disclosures. Such high levels of friction also indicate <em>near-absolute</em> absences of any genuine privacy-by-design features. Privacy-by-design does not simply mean that citizens <em>can</em> proactively protect their privacy but that user interfaces are configured to best let citizens control how and when they disclose personal information. Not only is it incredibly hard to limit the sharing of personal information using the devices&#8217; options (varying UIs in the same operating system, single opt-in options, having to burrow through layers of settings to opt-out of features that can negatively impact the rest of the device&#8217;s operation, etc) but in many cases the dissemination of personal information cannot be blocked, no notice is given of disseminations, and data cannot be subsequently deleted from third-parties&#8217; repositories. For many smart phones, APIs should stand for &#8216;Advanced Privacy Intrusions&#8217; instead of &#8216;Application Programming Interfaces&#8217;.</p>
<p>Unwanted collection and dissemination of personal information, to say nothing of the lack of notice or inability to delete disseminated data, exploits users&#8217; ignorance and impotence for economic gain. <em>The smartphone ecosystem is substantially predicated on an economics of ignorance which, if unveiled and addressed by parties with significant direct market power, is reversible.</em></p>
<p>To be forthright: companies do not collect large sums of data and pay to store it in their databases for no reason. Corporations are not in the habit of intentionally increasing the costs of doing business without some profit-based rationale. After selling an app of $0.99 or less no company is interested in then developing an ever-larger server infrastructure to store collected personal information without anticipating a return on their investment. The issue, however, is that many apps lack discernible privacy policies and users &#8211; especially those in curated gardens &#8211; may &#8216;trust&#8217; the applications they install on the basis that a &#8216;knowledgeable&#8217; party is believed to have rooted out bad or malicious applications. While this may be true in some cases, Apple&#8217;s integration of surreptitious data expropriation without consumer consent into their API clearly reveals that the gatekeepers who directly profit from application sales cannot be trusted. We cannot trust the fox to protect the henhouse from the other foxes!</p>
<p>Popular consumer surveys can be valuable. They are noticeably less helpful when delving deeper and deeper into technical matters, about which few members of the public should be expected to know much. Consumers may be cognizant of superficial ways to protect their personal information on their devices. Those same knowledgeable consumers are far less likely to know about the deeper vulnerabilities and intentionally designed weaknesses that pervade mobile devices. Consequently, privacy commissioners and government regulators more generally should take long, hard looks at how mobile operating systems are designed. They should ensure that the systems &#8211; and by extension the information environments they spawn &#8211; comply with Canadian law.</p>
<p>Commissioners should focus on the <em>source</em> of the worst privacy concerns which, in the case of smartphones, arguably originate in the design of operating system APIs that exploit citizens&#8217; ignorance of how and when data is migrated off of their smartphones. While there is some value in evaluating how often people modify their sharing options on mobile phones it is as important to know <em>why</em> <em>they don&#8217;t </em>modify these settings - are they using devices where they don&#8217;t know how to do so, or find it tiresome to manage their privacy? If yes to either of the latter, then there has been a serious failure in designing the operating system&#8217;s graphic user interface. In the case of Apple and Microsoft, both of whom have almost entirely locked down basic facets of their operating system while investing heavily in designing their mobile environments, these are intentional (if correctable) errors.</p>
<p>If operating system manufacturers will not restrict indiscriminate and non-consensual sharing of personal information on their own then the Canadian government should step in. Government, using its regulatory powers, can resolve market imbalances by investing in the research to identify market problems and subsequently correcting information asymmetries that disrupt market processes and that infringe upon Canadian law. Such corrections might entail issuing fines on a per-device sold basis, publicly naming and shaming offending companies, or even using federal dollars to deliver public warning announcements about the harms associated with specific smartphone operating systems.</p>
<p>Regardless of the solution, it should be significant enough to either rebalance the information asymmetry between consumers and device manufacturers or disrupt the profitability of exploiting ignorance to extract personal information from mobile devices. Ultimately, commissioners and regulators must demand that device manufacturers either provide APIs that comply with Canadian law or change existing APIs in the face of prevalent privacy issues. Where neither of these conditions is met, OS vendors should be forced to suffer significant penalties. The only way to secure devices&#8217; security and citizens&#8217; privacy is to erode the economics of ignorance that application vendors and device manufacturers alike depend on to cheat Canadians out of their personal information.</p>
<h3>References</h3>
<p>[1] C. A. Ardagna et al. (2008). “Privacy-Enhanced Location Services Information,” in A. Acquisti, S. Gritzalis, C. Lambrinoudakis, and S. De Capitani di Vimercati (eds.). Digital Privacy: Theory, Technologies, and Practices. New York: Auerbach Publications.</p>
<p>[2] G. Elmer. (2004). Profiling Machines: Mapping the Personal Information Economy. Cambridge, Mass.: The MIT Press.</p>
<p>[3] See: D. Phillips’ and M. Curry’s “Privacy and the phonetic urge: Geodemographics and the changing spatiality of local practice.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/mobile-security-and-the-economics-of-ignorance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Towards Progressive Internet Policy in Canada</title>
		<link>http://www.christopher-parsons.com/blog/politics/towards-progressive-internet-policy-in-canada/</link>
		<comments>http://www.christopher-parsons.com/blog/politics/towards-progressive-internet-policy-in-canada/#comments</comments>
		<pubDate>Wed, 14 Sep 2011 02:58:49 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[DPI]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[CIRA]]></category>
		<category><![CDATA[deep packet inspection]]></category>
		<category><![CDATA[dns]]></category>
		<category><![CDATA[elections]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[itnernet]]></category>
		<category><![CDATA[mcarthur]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2788</guid>
		<description><![CDATA[In this post I want to first perform a quick inventory of a few 'key issues' that ought to be weighing upon Canadian policy bodies with authority over the Internet. I then transition to focus on what CIRA could do to take up and address some of them. I focus on this organization in particular because they are in the process of electing new members to their board; putting votes behind the right candidates might force CIRA to assume leadership over key policy issues and alleviate harms experienced by Canadians. I'll conclude by suggesting one candidate who clearly understands these issues and has plans to resolve them, as well as how you can generally get involved in the CIRA elections. <a href="http://www.christopher-parsons.com/blog/politics/towards-progressive-internet-policy-in-canada/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2789" class="wp-caption alignleft" style="width: 310px"><a href="http://www.flickr.com/photos/marksurman/200926530/"><img class="size-medium wp-image-2789" title="Canadian Flag" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/09/200926530_84d885c634_b-300x200.jpg" alt="" width="300" height="200" /></a><p class="wp-caption-text">Photo by Mark Surman</p></div>
<p>Digital literacy is a topic that is regularly raised at Internet-related events across Canada. As Garth Graham has noted, &#8220;some people will remain marginalized even when everyone is online. It&#8217;s not enough to give those who are excluded basic access to the technologies. It requires different social skills as much as different technical skills to come in from the cold of digital exclusion&#8221; (29). Perhaps in light of Canadians&#8217; relative digital <em>illiteracy,</em> key Canadian policy bodies and organizations have seemingly abandoned their obligations to protect Canadian interests in the face of national and foreign belligerence. Bodies such as Industry Canada, the Canadian Radio-television Telecommunications Commission (CRTC), and the Canadian Internet Registry Authority (CIRA) are all refusing to take strong leadership roles on key digital issues that affect Canadians today.</p>
<p>In this post I want to first perform a quick inventory of a few &#8216;key issues&#8217; that ought to be weighing upon Canadian policy bodies with authority over the Internet. I then transition to focus on what CIRA could do to take up and address some of them. I focus on this organization in particular because they are in the process of electing new members to their board; putting votes behind the right candidates might force CIRA to assume leadership over key policy issues and alleviate harms experienced by Canadians. I&#8217;ll conclude by suggesting one candidate who clearly understands these issues and has plans to resolve them, as well as how you can generally get involved in the CIRA elections.</p>
<p><span id="more-2788"></span></p>
<h2>Cornucopia of Concerns</h2>
<p>Internet standards operate as highly visible examples of how technology has been shaped to interoperate in a transparent fashion. Common Internet protocols let networks connect with one another while simultaneously establishing common points of failure. A danger is that if these protocols are exploited then the Internet can be significantly damaged. In effect, where a central trusted node on the Internet is subject to onerous pressures the Internet &#8211; and by extension, entire regions that are serviced by these central nodes &#8211; is affected. The concerns I raise focus on three types of trust-holders: Internet service providers, DNS root authorities, and certificate authorities.</p>
<h3>Internet service providers</h3>
<p>Internet service providers, such as Rogers, Videotron, and Bell, receive a considerable amount of criticism from the public, advocacy organizations, industry, government, and the academy. In recent years, criticism has focused on ISPs&#8217; imposition of usage based billing systems, integration and use of deep packet inspection devices, and redirection of traffic to their own web portals. Billing issues arose most recently with large ISPs, such as Bell Canada, demanding changes to <a title="External link to Ars Technica on UBB" href="http://arstechnica.com/tech-policy/news/2011/07/metered-billing-its-a-lack-of-competition-not-congestion.ars">how wholesale ISPs were charged</a> for bandwidth volume. Such demands were exacerbated by proposals to <a title="External link to Mark Evans' piece on the effects of UBB" href="http://www.markevanstech.com/2011/02/04/after-ubb-then-what-canada/">charge consumers vastly more</a> for bandwidth usage and what seemed to be anti-competitive efforts to squeeze companies who were <a title="External link to piece on how UBB affects Netflix" href="http://business.financialpost.com/2011/01/27/crtc-petitioned-to-stop-usage-based-billing-as-netflix-questions-its-canadian-future/">competing for complementary products</a> (e.g. cable TV, telephone or voice services) out of the market. The <a title="Link to Op-Ed in Financial Post by Steve Anderson" href="http://opinion.financialpost.com/2011/03/28/the-great-internet-billing-debate-stop-the-meter/">campaign against CRTC-approved changes</a> to how wholesale ISPs were billed for bandwidth initiated a firestorm right at the moment of the last federal election. This arguably opened the policy window for the Canadian government to reject the CRTC&#8217;s findings and force the Commission to re-examine the issue.</p>
<p>While public advocates were successful in pushing against changes to the billing regimes, they were less successful in pushing against ISPs&#8217; use of deep packet inspection technologies. ISPs won the right to manage their networks in a non-discriminatory manner and consumers were left on the hook to determine whether discrimination was occurring. This requires citizens, who lack clear insight into the network, to do their own testing. As I&#8217;ve <a title="Internal link to piece on ISP audits" href="http://www.christopher-parsons.com/blog/technology/isp-audits-in-canada/">written previously</a>,</p>
<blockquote><p>The unjustified discrimination of data traffic may not be evident to all consumers, especially when they lack the skills associated with digital literacy to even register the occurrence of bandwidth or application discrimination. Without solid training, many people resort to subjective ‘smell tests’. This approach to identifying whether discrimination is occurring does not contribute to evidence-based, empirically sound, complaints systems or policy responses.</p></blockquote>
<p>This is a particularly significant issue given that almost all of <a title="External link to Geist findings regarding ISPs' use of DPI" href="http://www.michaelgeist.ca/content/view/5918/159/">Canada&#8217;s dominant ISPs have violated</a> the rules that the CRTC established concerning the use of deep packet inspection. A small handful of people &#8211; academics, advocates, and journalists &#8211; bring the public&#8217;s attention to the technology&#8217;s misuse, often showcasing the excellent work by <a title="Link to Ars Technica piece on Murphy's fight" href="http://arstechnica.com/tech-policy/news/2011/03/oops-major-canadian-isp-admits-throttling-world-of-warcraft.ars">citizens who are fed up</a> with trying to resolve their own complaints or <a title="Link to piece of Canadian Gamers Association" href="http://www.kotaku.com.au/2011/09/canadian-cable-giant-admits-it-could-be-inadvertently-throttling-games/">organized grassroots efforts</a> to hold ISPs accountable.</p>
<p>The final point, that of redirecting traffic to ISPs&#8217; web portals, is a common practice in Canada that is incredibly aggravating. Quite often, when someone in Canada mistypes a URL or a subpage in the domain that does not exist, they are redirected to a portal controlled by their ISP. This practice is formally known as &#8216;<a title="External link to wikipedia article on DNS hijacking" href="http://en.wikipedia.org/wiki/DNS_hijacking">DNS hijacking</a>&#8217; and involves your ISP intentionally interfering with web queries. These hijacks violate the <a title="External link to RFC on domain redirections" href="https://tools.ietf.org/html/rfc2308">Internet standards</a> that are supposed to guide how networks interconnect and what constitute &#8216;legitimate&#8217; modes of directing web traffic. In other areas of the world this is used for censorship purposes. In Canada it&#8217;s used to interfere with Canadians&#8217; web traffic so that ISPs can try to generate some advertising dollars while offering their own degraded search capabilities.</p>
<h3>DNS root authorities</h3>
<p>Distributed Name Servers (DNS) make the Internet significantly easier for humans to navigate, but in the process of creating ease the DNS system generates choke points where control over communication and speech can be exerted. Paul Mockapetris developed DNS in 1983 to let names be translated to IP addresses and vice versa (for more, see RFCs <a title="External link to RFC 1034" href="http://tools.ietf.org/html/rfc1034">1034</a> and <a title="External link to RFC 1035" href="http://tools.ietf.org/html/rfc1035">1035</a>). As a result, when you type a website&#8217;s IP address (e.g. 157.150.195.10) or its host name (e.g. UN.org) you are directed to the same location on the Internet &#8211; the United Nations&#8217; homepage. The DNS system is, effectively, a massive database that lets individuals type human readable names into their web browsers and be directed to websites and services. A hierarchical network of nameservers facilitates this system.</p>
<p>At the top of the DNS hierarchy are root nameservers, which are authoritative for top-level domains (e.g. .com, .net, .org, .ca, .co.uk, etc). For a top-level domain to exist it must first be registered by one of the root nameservers. Below the root are authoritative DNS nameservers which are responsible for domains associated with distinct top level domains. For example the .com authoritative DNS nameservers translate the IP addresses and host names of all .com addresses, the .ca DNS nameservers translate IP addresses and host names of all .ca addresses, and so forth. Below these two levels are domain resolvers. Resolvers have a cache that can quickly translate human readable host names (e.g. UN.org) to machine-friendly IP addresses (e.g. 157.150.195.10). Because they are physically located near the device making the request they are faster to respond than authoritative nameservers, which are often geographically distant and experience longer queues to return name/IP address translations. Where the resolver closest to the end-user (often run by the user&#8217;s ISP or business) hasn’t already cached the host name and IP address it immediately contacts other nameservers to get that information and subsequently directs the user to the site/data they are requesting. (For a quick audio-visual walkthrough of how the DNS system works, <a title="Link to YouTube video about DNS" href="http://www.youtube.com/watch?v=XKoomsRMyCU&amp;feature=related ">see this short (2:08 minute) video</a>.)</p>
<p>There are a host of potential problems with the current DNS system:</p>
<ul>
<li>It is susceptible to <a title="External link to wikipedia article on DNS cache poisoning" href="http://en.wikipedia.org/wiki/DNS_cache_poisoning">DNS cache poisoning</a>, where an attacker tricks a local resolver into mistranslating. This occurs when an attacker sends a translation request to a local resolver and then floods the resolver with faked resolution responses. If successful, this will cause the resolver to incorrectly direct all web traffic trying to access that host name to a non-legitimate IP address; while you might type &#8216;UN.org&#8217; into your web browser you could be sent to a site hosting malware, a site that looks like the UN’s but disseminates false information, and so forth, rather than arriving at 157.150.195.10. (For a video presentation of how DNS cache poisoning occurs, see the YouTube video &#8220;<a title="External link to Youtube Video on attack" href="http://www.youtube.com/watch?v=1d1tUefYn4U">DNS Cache Poisoning Attack</a>&#8221;.)</li>
<li>It operates as a single point of exploitable failure. A case in point: in 2005 a novel poisoning attack was developed by Dan Kaminsky <a title="external link to wired piece on attack" href="http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky">that threatened</a> &#8220;to take down vast swaths of the Internet&#8221;.</li>
<li>It didn’t have security designed into it when first developed and deployed because DNS is a trusting system. Domain Name System Security Extensions (DNSSEC) are meant to guarantee that &#8220;DNS resolvers receive correct IP addresses for their queries&#8221; by providing source authentication (resolvers can guarantee that the IP address information correlated with a host name came from a DNS authoritative nameserver) and integrity verification (resolvers can be assured that the information received from the nameserver hasn&#8217;t been tampered with in transit to the local resolver) (Landau 2010: 60). DNSSEC, in effect, alleviates some of the dangers posed by cache poisoning by reasserting the importance of a trusted hierarchy though it still relies on trusting security certificate providers (more on why that&#8217;s a problem in a minute).</li>
<li>It operates as a hierarchy, creating crises between &#8220;centralized, hierarchical powers and distributed, horizontal networks&#8221; (Galloway 2004: 204). Case in point: assuming DNSSEC were deployed, if the authoritative DNS nameservers were modified so that UN.org didn&#8217;t resolve to 157.150.195.10 then all local resolvers would trust the modification. Thus, a government could act on an authoritative nameserver, forcing its owner to modify where packets were routed to, and the change would have global consequences. Importantly, such subterfuge would pass DNSSEC&#8217;s source authentication and integrity validation.</li>
</ul>
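<p>Two of the DNS problems described in this post, ISPs rewriting failed lookups ('DNS hijacking') and the forged replies behind cache poisoning, both come down to what a client is willing to accept as an answer. The Python code below is an added example, not code from the original post: it parses DNS messages, applies the transaction-ID and question match that lets a resolver discard forged replies, and flags a resolver that returns an address for a name that should not exist. The probe name, the addresses and the sample messages are constructed for illustration.</p>

```python
import ipaddress
import struct

NXDOMAIN = 3  # RCODE "name does not exist"


def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name):
    """Build an A-record query (flags 0x0100 = recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, rcode, addrs=()):
    """Build a constructed sample reply; answers point back at the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    body = encode_name(name) + struct.pack("!HH", 1, 1)
    for addr in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        body += ipaddress.IPv4Address(addr).packed
    return header + body


def read_name(msg, off):
    """Decode a name, following compression pointers; return (name, next offset)."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if resume is None:
                resume = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), (off if resume is None else resume)


def parse_message(msg):
    """Parse the header, the question and any A records from a DNS message."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, question, addrs = 12, None, []
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        question, off = (qname, qtype), off + 4
    for _ in range(ancount):
        _name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return {"txid": txid, "is_reply": flags >> 15 == 1, "rcode": flags & 0xF,
            "question": question, "addrs": addrs}


def accept_reply(query, reply):
    """Resolver-side check: a reply must echo the query's ID and question.
    Real resolvers also require the reply to arrive from the queried
    server's address on the source port the query used."""
    q, r = parse_message(query), parse_message(reply)
    return r["is_reply"] and r["txid"] == q["txid"] and r["question"] == q["question"]


def classify_probe(query, reply):
    """Classify the reply to a lookup of a name that should not exist."""
    if not accept_reply(query, reply):
        return "rejected"
    r = parse_message(reply)
    if r["rcode"] == NXDOMAIN and not r["addrs"]:
        return "nxdomain"   # honest negative answer
    if r["rcode"] == 0 and r["addrs"]:
        return "rewritten"  # resolver substituted an address for the error
    return "other"


# Constructed sample data: a probe under the reserved .invalid TLD, and the
# replies an honest resolver, a rewriting resolver and a forger would send.
PROBE = "nx-probe-7f3a9c.invalid"
QUERY = build_query(0x1A2B, PROBE)
SAMPLES = {
    "honest": build_response(0x1A2B, PROBE, NXDOMAIN),
    "rewriting": build_response(0x1A2B, PROBE, 0, ["192.0.2.10"]),
    "forged_id": build_response(0x9999, PROBE, 0, ["192.0.2.66"]),
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(label, classify_probe(QUERY, reply), parse_message(reply)["addrs"])
```

<p>Neither check helps in the last case in the list above: a record changed at the authoritative nameserver arrives as a well-formed, matching reply.</p>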
<p>Moreover, as a central point of control foreign governments can exert pressure on root nameservers to forcibly redirect the traffic to some websites. The United States&#8217;s Immigration and Customs Enforcement (ICE) has been seizing domain names and redirecting them on the basis of their violating American law since 2010. Such seizures have taken place regardless of whether the sites were legal in their country of operation. Such measures follow from President Bush&#8217;s &#8220;Enforcement of Intellectual Property Rights Act,&#8221; which asserts a need to combat copyright infringement on and off American soil. High-level political guarantees to &#8216;protect&#8217; intellectual property have been made by the Obama administration as well, with Vice-President Biden asserting that the administration would aggressively use tactics to close websites that offered content illegally per American law.</p>
<p>The effect of ICE&#8217;s campaign has been that domain names are being redirected to servers owned by the United States government, even if the <em>servers</em> are located outside of the US. In effect, a foreign government is leveraging its influence and power over Verisign &#8211; which controls the authoritative domain rootserver for the .com, .org, and other top-level domains &#8211; to forcibly infringe upon website owners&#8217; free speech rights on copyright grounds. Domain names themselves constitute speech acts (see: Chelsea and Westminster Hospital NHS Foundation Trust v. Frank Redmond, The Crown in the Right of the State of Tasmania trading as “Tourism Tasmania” v. Gordon James Craven, and Wal-Mart Stores, Inc. v. wallmartcanadasucks.com and Kenneth J. Harvey) and the seizure of these names without court proceedings has the effect of censoring particular speech (in the domain name) as well as muffling the speech contained at the website which the domain name points towards.</p>
<p>Importantly, because ICE is targeting authoritative name servers no person in the world can resolve the domain names after the seizure takes place. This limits the ability of commercial entities to conduct business both within the US and abroad, amounting to ICE-created and –enforced, site-specific, embargos. Further, the U.S. government&#8217;s actions threaten innovation by heightening the risks innovators assume by relying on a web presence to monetize/popularize their works. Finally, ICE&#8217;s actions supersede the decisions of foreign courts; where a supposedly &#8216;copyright infringing&#8217; website is found legal outside of the US, ICE imposes American definitions of copyright upon all global Internet users. ICE is globalizing American copyright laws.</p>
<h3>Certificate Authorities</h3>
<p>Certificate authorities are critical to the Internet&#8217;s current security infrastructure. They provide certificates to companies and websites who meet identity and financial requirements. When you visit an https website a series of transactions takes place to ensure that the communications channel is encrypted. Encryption prevents third-parties from listening in on the content of the communications. Specifically, when you visit an SSL-secured website the following occurs:</p>
<ol>
<li>The web server transmits its public key with its certificate;</li>
<li>The web browser determines whether the certificate was issued by a trusted party &#8211; typically a certificate authority &#8211; and that the certificate remains valid and is related to the website in question;</li>
<li>The browser uses the public key to encrypt a symmetrical encryption key and sends it to the server with the encrypted URL as required, in addition to other encrypted http data;</li>
<li>The web server decrypts the key using its private key and uses the key to decrypt the URL and http data;</li>
<li>The server sends back the requested html document and data after encrypting it with the symmetric key;</li>
<li>The browser decrypts the document and data using its symmetric key.</li>
</ol>
<p>To initiate the secure transmission process you need a trustworthy certificate authority. This effectively means that the authority must be ethical enough not to violate the trust put in it, be financially resolute enough to refuse bribes, and be willing to publicly fight against attempts by government to compel violations of trust. As written about by <a title="External link to Soghoian and Stamm's paper" href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1591033">Soghoian and Stamm</a>, governments can theoretically compel certificate authorities to issue fraudulent certificates, thus enabling state-actors to conduct &#8216;man-in-the-middle&#8217; attacks, or those where a third-party injects themselves between the web server and web browser. As noted by Stevens <em>et al</em>.,</p>
<blockquote><p>Any website secured using TLS can be impersonated using a rogue certificate issued by a rogue CA. This is irrespective of which CA issued the website&#8217;s true certificate and of any property of that certificate&#8230;.Combined with redirection attacks where http requests are redirected to rogue web servers, this leads to virtually undetectable phishing attacks (pp. 36; <a title="External link to paper" href="http://lacal.epfl.ch/files/content/sites/lacal/files/papers/lat.pdf">.pdf source</a>).</p></blockquote>
<p>In essence this means that if a government forces a major trusted certificate authority to issue a valid (i.e. working) fraudulent (i.e. not issued to the website owner) certificate it can potentially intercept, decrypt, and analyze communications without either the web browser or web server knowing. This fear was made real <a title="Internal link to my piece on Comodo" href="http://www.christopher-parsons.com/blog/technology/security-hierarchy-and-networked-governance/">a few months back</a> and <a title="External link on Diginotar" href="http://www.securelist.com/en/blog/208193111/Why_Diginotar_may_turn_out_more_important_than_Stuxnet">again last month</a>, when certificates were issued for major communications companies such as Microsoft, Google, Mozilla, and Skype.</p>
<h2>What can CIRA do?</h2>
<p>To be clear from the outset: CIRA cannot resolve all of these issues, but they can assume a leadership role in addressing many of them. CIRA possesses a robust policy development framework (<a title="External link to CIRA policy development framework" href="http://www.cira.ca/assets/Documents/Legal/Background/PDP.pdf">.pdf source</a>) and in their recent survey found that Canadians were incredibly interested in &#8211; and concerned about &#8211; the safety, security, and resilience of the Internet, as well as privacy issues. CIRA has publicly argued that DNSSEC, a security extension to DNS that prevents domain poisoning and domain hijacking, should be adopted by the federal government. At present, however, DNSSEC cannot be implemented where Canadian carriers are involved in domain hijacking. CIRA notes that such practices strongly interfere with &#8220;the norms upon which the Internet was built&#8221; and that the &#8220;consensus from the international Internet community is that DNS redirection should be prohibited, with the exception of rare instances for purposes of law enforcement.&#8221; CIRA feels strongly enough about this issue to suggest that imposing legal liabilities on Canadian ISPs that persist in this practice may be appropriate (pp. 14-5; <a title="External link to CIRA Digital Economy submission" href="http://www.cira.ca/assets/Documents/Legal/Other/digital-economy-071410.pdf">.pdf source</a>).</p>
<p>CIRA&#8217;s record on copyright is somewhat more nebulous and could interfere with their strong demands to prevent DNS redirections. In their 2010 Digital Economy filing, the organization notes that updated copyright laws are important to &#8220;protect Canadians from illegal activity on-line just as they are protected from illegal activity off-line&#8221; (pp. 12; <a title="External link to CIRA digital economy document" href="http://www.cira.ca/assets/Documents/Legal/Other/digital-economy-071410.pdf">.pdf source</a>). This is a worrying statement, insofar as it is unclear what direct harm Canadians have experienced as a result of the present copyright legislation. Indeed, when compounded with CIRA&#8217;s grudging acceptance of DNS redirections for law enforcement purposes it may be that the organization is supportive of American efforts to impose US copyright law throughout the world to &#8216;protect&#8217; American (and, presumably, some Canadian) rights holders at the expense of judicial decisions in nations where websites are operated.</p>
<p>CIRA could, and should, clarify its position and clarify when a redirect is appropriate for law enforcement purposes. As they are likely aware, redirects are not a significant impediment to serious online crimes such as child pornography (<a title="External link to EDRI piece on blocking domain names" href="http://www.edri.org/files/blocking_booklet.pdf">.pdf source</a>), and so it is important for the organization&#8217;s directors to explain to CIRA members and Canadians more generally how a redirect &#8211; as opposed to taking down servers hosting truly illegal, as opposed to infringing, content &#8211; resolves serious legal issues instead of making them more convenient to ignore. Filtering access to particular websites also often runs the risk of being used increasingly expansively. <a title="External link to Villeneuve's piece on Internet filtering" href="http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/1307/1227">As noted by Villeneuve</a>, filtering is seen as an inexpensive technical solution to the challenges posed by the ease of access to information on the Internet. Regardless of the initial reason for implementing Internet filtering there is increasing pressure to expand its use once filtering is in place. Any advocacy for filtering or DNS redirections thus must be made with an awareness of its (in)effectiveness in stopping crimes and likely misuses over time.</p>
<p>It is especially important to work <em>against</em> the unilateral imposition of foreign copyright law on the workings of the Internet, and to ensure that dot-ca and Canadian-held dot-com, dot-org, and other top-level domains are not subjected to inappropriate censorship. CIRA is in the unique position to strongly and loudly argue against unilateral censorship at the root level; should nation-states compel their ISPs to block particular records that is one matter, but to forcibly modify the root is another. While CIRA has been notified of these issues and concerns they have yet to publicly address these issues (<a title="External link to Digital Policy Canada submission" href="http://www.digitalpolicy.ca/Statement%20On%20Canadian%20Internet%20Sovereignty.pdf">.pdf source</a>). Their inaction is something that must change.</p>
<p>Finally, CIRA can and should establish itself as a certificate authority. In various public documents the organization has noted the need to establish a safe and secure Internet. Acting as a trust-agent for Canadians is certainly one way to accomplish this goal. CIRA already has a reasonably robust verification system for its members to ensure that only Canadians who hold a dot-ca domain can claim membership. It could leverage existing policies to become a trusted certificate authority and, ideally, welcome the chance to trial next-generation trust systems (such as <a title="External link to convergence" href="www.convergence.io">www.convergence.io</a>) as part of its mission.</p>
<h2>A Technically Savvy, Politically Engaged, Candidate</h2>
<p>Only one of the candidates who are seeking election to the CIRA board of directors this year has both the background and interest to push these particular issues to the forefront of CIRA&#8217;s agenda. Kevin McArthur is a developer, security researcher, and technical author who has been deeply invested in the network neutrality debate in Canada and at the forefront of examining recent violations of the certificate authority system. His aim is to get CIRA more involved in the issues and debates concerning the Canadian Internet while expanding the scope and role of the organization&#8217;s existing Internet Forums. He has actually spent time working with technologies such as Voice over IP that are so vulnerable to network neutrality abuses, and is responsible for websites that would suffer badly were they censored using a DNS hijack/redirect. His full portfolio is available at his <a title="External link to Kevin's CIRA election site" href="https://www.kevinforcira.ca/">CIRA election website</a> and his publicly disclosed research efforts at <a title="External link to McArthur's personal site" href="http://www.unrest.ca/">his personal website</a>.</p>
<h2>CIRA and You</h2>
<p>If you are a dot-ca domain name owner then you can take part in the upcoming CIRA elections. The final members slate has <a title="External link to finalist election slate" href="https://elections.cira.ca/2011/finalslate/list/en">been established</a> and has a series of variously interesting candidates. To take part in the election you must formally become a member; this involves more than just registering your domain. Specifically you must do the following:</p>
<ol>
<li>Membership is free for all dot-ca owners. <a title="External link to english member signup page" href="https://member.cira.ca/en/member.html">Sign up for membership</a>. It can take up to a week or so for a membership to be awarded so register as soon as possible.</li>
<li>If you are already a member, verify that you can access your member account prior to the election itself. Your login can be tested at <a title="Link to CIRA's member portal" href="http://www.member.cira.ca">http://www.member.cira.ca</a>.</li>
<li>Vote between September 21, 2011 &#8211; September 28, 2011. Visit <a title="Link to CIRA's elections portal" href="https://elections.cira.ca">https://elections.cira.ca</a> during this time period to vote for your candidate.</li>
</ol>
<p>The next handful of years promise to be incredibly important for the progression &#8211; or regression &#8211; of the Internet in Canada. Electing people to CIRA who are committed to advancing its mandate and ensuring the most secure, efficient, and trustworthy Internet ecosystem whilst understanding the full ramifications of their actions is essential. Take the time, sign up to become a member, and vote for the candidate you think will live up to these key principles.</p>
<h3>Book Sources</h3>
<p>A. R. Galloway. (2004). <em>Protocol: How Control Exists After Decentralization</em>. Cambridge, Mass.: The MIT Press.</p>
<p>G. Graham. (2011). &#8220;Towards a National Strategy for Digital Inclusion: Addressing Social and Economic Disadvantage in an Internet Economy&#8221; in M. Moll and L. R. Shade (<em>eds.</em>). <em>The Internet Tree: The State of Telecom Policy in Canada 3.0</em>. Ottawa: The Canadian Center for Policy Alternatives.</p>
<p>S. Landau. (2010). <em>Surveillance or Security: The Risks Posed by New Wiretapping Technologies</em>. Cambridge, Mass.: The MIT Press.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/politics/towards-progressive-internet-policy-in-canada/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Online Voting and Hostile Deployment Environments</title>
		<link>http://www.christopher-parsons.com/blog/technology/online-voting-and-hostile-deployment-environments/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/online-voting-and-hostile-deployment-environments/#comments</comments>
		<pubDate>Mon, 29 Aug 2011 00:48:30 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[attackers]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[elections]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[legitimacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2765</guid>
		<description><![CDATA[Elections Canada cannot secure an online electoral process, and that process is too important to risk to the Internet. Paper voting is annoying. It's not necessarily as convenient as using a smartphone to move your money around. It takes time. It's also one of the very few political expectations/hopes that are put on Canadians every few years. It is not too much to mail in a vote, go to a polling station, or (quite reasonably) abstain from voting for political, personal, or other reasons. It is too much to expect that we would endanger the entire electoral process just to attract those who are already unwilling to take a half-hour of their time every few years to cast a ballot.]]></description>
			<content:encoded><![CDATA[<div id="attachment_2766" class="wp-caption alignleft" style="width: 310px"><a href="http://www.flickr.com/photos/ari/3077036686/"><img class="size-medium wp-image-2766" title="Voting required" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/08/3077036686_ba2cc2fd8e_b-300x200.jpg" alt="" width="300" height="200" /></a><p class="wp-caption-text">Photo by Steve Rhodes</p></div>
<p>Elections Canada recently stated that sometime after 2013 it <a title="External link to CBC article" href="http://www.cbc.ca/news/canada/story/2011/08/17/pol-online-voting.html">intends to trial online voting</a>, a system that lets citizens vote over the Internet. Fortunately, they are just committing to a trial but if the trial is conducted improperly then Elections Canada, politicians, and the Canadian public may mistakenly come to think that online voting is secure. Worse, they might see it as a valid &#8216;complement&#8217; to traditional voting processes. If Canadians <em>en masse</em> vote using the Internet, with all of its existing and persistent infrastructural and security deficiencies, then the election is simply begging to be stolen.</p>
<p>While quick comparisons between the United States&#8217; electronic voting system and the to-be-trialed Canadian online voting system would be easy to make, I want to focus exclusively on the Canadian proposition. As a result, I discuss just a small handful of the challenges in deploying critical systems into known hostile deployment environments and, more specifically, the difficulties in securing the vote in such an environment. I won&#8217;t be writing about any particular code that could be used to disrupt an election but instead about some attacks that could be used, and attackers motivated to use them, to modify or simply disrupt the Canadian electoral process. I&#8217;ll conclude by arguing that Elections Canada should set notions of online voting aside; paper voting requires a small time investment that is well worth its cost in electoral security.<span id="more-2765"></span></p>
<h2>Why Online Voting?</h2>
<p>In the 2011 federal election, Elections Canada issued a social media ban that prohibited Canadians from using public social media tools to <a title="External link to Canada.com article on the ban" href="http://www.canada.com/technology/Elections+Canada+Twitter+shows+bureaucrats+social+media/4664990/story.html">report on election results</a> before the last polling station had closed. This was meant to sustain Section 329 of the <em>Elections Act</em> by applying a law meant for analogue communications to popular public digital communications channels. This section, titled &#8216;<a title="External link to Elections Act, Section 329" href="http://laws-lois.justice.gc.ca/eng/acts/E-2.01/page-74.html#h-104">Premature Transmission</a>&#8217;, states that</p>
<blockquote><p> No person shall transmit the result or purported result of the vote in an electoral district to the public in another electoral district before the close of all of the polling stations in that other electoral district.</p></blockquote>
<p>In the aftermath of the election, Elections Canada prepared a report about the election and presented it to the Speaker. Such reports are produced after every election. Section 329 is specifically raised as a &#8216;key issue&#8217; in <a title="External link to report following the 2011 election" href="http://www.elections.ca/res/rep/off/sta_2011/stat_report2011_e.pdf">the recently submitted report</a>. While &#8220;Elections Canada has no information to suggest that there was widespread disregard for the rule&#8221; prohibiting premature transmissions of electoral results, it does acknowledge that &#8220;the growing use of social media puts in question not only the practical enforceability of the rule, but also its very intelligibility and usefulness in a world where the distinction between private communication and public transmission is quickly eroding. The time has come for Parliament to consider revoking the current rule&#8221; (49). Digital communications are demanding re-articulations and/or repeals of laws governing electoral policy.</p>
<p>The report also spells out a need to accommodate Canadians&#8217; changing expectations of convenience as related to voting. Specifically, Canadians are increasingly online &#8211; demonstrated in part through their adoption of social media communications platforms &#8211; and consequently Elections Canada is interested in whether Internet voting could be &#8220;a complementary and convenient way to cast a ballot. The Chief Electoral Officer is committed to seeking approval for a test of Internet voting in a by-election held after 2013&#8221; (10). Proposals to shift towards online voting raise considerable concerns, but to appreciate them we need to briefly talk about &#8216;hostile deployment environments.&#8217;</p>
<h2>Hostile Deployment Environments</h2>
<p>Smart engineers and developers are quite often poor security engineers and security developers, on the basis that the two categories of developers and engineers have radically different intentions, expectations, and aims. For the former, technical systems are meant to function even when experiencing a non-normal condition; people should still be able to read a file despite an error and systems should not fail and aggravate users. In essence, engineers and developers aim to provide systems that work and that continue to work in the face of (effectively) random errors or problems. These errors are unintentional, random, non-malicious, and &#8216;mere&#8217; artifacts of working in the world.</p>
<p>Security engineers and developers tend to be different beasts. As noted by Bruce Schneier, they do &#8220;not care about how a system works&#8221; but &#8220;about how it doesn&#8217;t work.&#8221; They are interested in &#8220;how it reacts when it fails&#8221; and &#8220;how it can be made to fail&#8221; (2006: 51). In effect, a security engineer is worried about fail-states that are intentionally created, where what would be random environmental events are intentionally recreated, potentially over and over, to exploit the system&#8217;s reactions in a failure situation.</p>
<p>We can abstract away from computers to think about this analogously: When building a bridge, engineers are concerned with maximum fault tolerances related to load, shifts in the foundation, and environmental damage related to wind, weather, earthquakes, and other disasters. They plan accordingly, overbuilding elements of the structure to withstand statistically likely (and often unlikely) fault conditions. A security engineer, however, will wonder: what happens when I intentionally meet or exceed a designed fault condition? What happens when I damage a support that the engineers know (by the statistics and threat model they&#8217;ve adopted) &#8220;can&#8217;t&#8221; be weakened significantly? Does the bridge collapse, or become more vulnerable to other statistically expected environmental conditions? The model that the security engineer carries, in essence, is a critical interrogation of design intended to exploit non-perceived or minimized risk scenarios that a well-trained engineer or developer would never consider as prospective threats.</p>
<p>While most bridge builders assume they are building for a non-hostile environment &#8211; an environment where neither its occupants nor ambient behaviours indicate &#8216;attacks&#8217; in excess of regular statistical profiles &#8211; bridge builders in war zones have considerably different design conditions. These latter builders know that bridges must be able to carry weight, fail &#8216;gracefully&#8217; if damaged by artillery, bombs, or tank treads, and that bridges often adopt very different strategic values than in peace-time. Further, the builder may consider differing &#8216;fail&#8217; conditions: perhaps a bridge should &#8216;fail&#8217; such that while vehicles could no longer traverse it, it would break apart in a way allowing for foot passage. Perhaps the aim is that when a friendly military blows up a support column, the bridge breaks in a manner that is hard to clear away and thus limits invaders from crossing narrow parts of rivers or channels. In essence, the movement to a hostile (or non-hostile) working environment radically changes the characteristics of development and engineering. Designing online voting is like designing for a war situation: engineers must assume they are developing for a hostile space, within which it is very hard to get things to &#8216;fail&#8217; properly when millions of devices have to be coordinated across non-secured systems situated around the country and that are maintained by a plethora of differentially skilled actors.</p>
<h2>The Internet is Hostile</h2>
<p>The Internet is not, and has not been, a safe place for a very long time. Its progenitor, ARPANET, was largely &#8216;secure&#8217; because there were few individuals using computers and most were at least moderately trained. There are more and more products, books, and &#8216;gurus&#8217; who sell, advise, and guide members of society about the value of the Internet, a value proposition that does not require any actual knowledge of the Internet itself. As a result (and not necessarily a bad one!), today&#8217;s Internet is filled with a massive user base who use a plethora of devices and who often lack even basic computer awareness or training.</p>
<p>As a result, &#8216;securing&#8217; the Internet is a Herculean task. It absolutely cannot be regarded as a &#8216;secure&#8217; development environment, especially when dealing with matters that are highly sensitive to political, technical, and social fault conditions. Such conditions may be worse than a fail condition, on the basis that faults generate fear and concern without a clear indication that something has gone wrong. In the case of an election, a perceived exploitable fault condition threatens to undermine political legitimacy and politically-generated solidarity on grounds that electoral results <em>might</em> be questionable. Thinking back to our bridge example, a &#8216;fail&#8217; might be a bridge collapsing. A &#8216;fault&#8217; might include cracks spanning the support columns that cause motorists to avoid using the bridge out of fear, even though the cracks do not endanger the bridge&#8217;s stability. If &#8216;faults&#8217; cannot be corrected, then there may be general fear about the validity of an election even if the election is not manipulated. If a &#8216;fail&#8217; condition occurs but is not detected, then there may be a <em>perception</em> of electoral legitimacy without the election <em>actually</em> being legitimate.</p>
<p>Abstractly, at least four things are required to establish the Internet as a secure development environment for online voting:</p>
<ol>
<li>Policy: a clear statement of what is meant to be achieved;</li>
<li>Mechanism: the ciphers, access controls, hardware tamper-resistance and other machinery that you assemble in order to implement the policy;</li>
<li>Assurance: the amount of reliance you can place on each particular mechanism;</li>
<li>Incentive: the motive that the people guarding and maintaining the system have to do their job properly, and also the motive that the attackers have to try to defeat the policy. (Anderson 2007: 4-6).</li>
</ol>
<p>From a policy perspective, we can state that the aim of online voting is to increase voter turnout and, by extension, the legitimacy of the vote and inclusion of Canadians into the political process. As a result, mechanisms must be developed to guarantee this aim. Further, audit systems must be established to verify mechanisms and their correspondence with policy aims. Finally, incentive systems must be developed that guarantee the legitimacy of the mechanisms and audit features. To put some of this in perspective, consider the vastness of the system that must be brought into the secure development environment for online voting:</p>
<ul>
<li>every user&#8217;s computer and every computer attached to the common local routers. Not only the computer that you&#8217;re voting on in your home needs to be secure, but so do <em>all</em> the devices connected to your router (e.g. all other computers, all iDevices and wifi-connected mobile phones, appliances connected to the wifi router in your home, etc.). This means the hardware must be secure, that the operating system must be secure, and that all programs on the devices must be free of exploits.</li>
<li>all levels of the telco/cableco system. This means both physical and electronic security must be guaranteed.</li>
<li>citizens themselves must be entrusted to follow all the electoral rules; they cannot influence, threaten, or otherwise modify the course of their own or others&#8217; electoral process.</li>
<li>audit mechanisms must be built into the system, such that peripherals (e.g. printers, email systems) used to deliver audit documents cannot be compromised.</li>
<li>bad actors cannot be introduced that could take advantage of privileged access to modify/disrupt data streams.</li>
</ul>
<p>I have to stress that these are <em>only a handful</em> of the systems that must be drawn within the development environment. Elections Canada, to enable secure and reliable online voting, would have to guarantee that all technical systems associated with the process were secure from:</p>
<ul>
<li>zero-day attacks;</li>
<li>malicious code intrusions (e.g. malware) that could take control of and modify electoral choices in real-time;</li>
<li>distributed denial of service attacks that cut off certain areas of the network, potentially to prevent some of the electorate from voting online while enabling others to vote online (perhaps based on what computers were already under the control of attackers);</li>
<li>audit mechanisms would need to ensure: the reliability of the person voting (are they who they say they are? were they coerced to vote in a particular way at their screen?), the reliability of input devices, the reliability of the transit mechanisms, the reliability of the encryption systems, the reliability of each device that took part in the online voting transaction, the accuracy of the audit system itself, the security of each DNS hub, and the appropriateness of &#8216;fail&#8217; conditions built into each stage of the online voting system;</li>
<li>impropriety by those who actually ran the electoral process itself.</li>
</ul>
<p>If the government of Canada can figure out a way to actually harden communications in this manner, then our debt and cyber-security problems will be solved as well: we can sell our expertise abroad and the entire Internet would be safe from most of the &#8216;evil&#8217; that makes the Internet an unsafe place. I have severe doubts that the Canadian government&#8217;s <a title="External link to public safety press release on cyber-security" href="http://www.publicsafety.gc.ca/media/nr/2010/nr20101003-eng.aspx">commitment to cyber-security</a>, in the amount of $90 million over five years in addition to an ongoing commitment of $18 million per year, is likely to even consider all these problems, let alone resolve them. Security is a multi-billion dollar business and the Canadian government is acting like a high-paying venture capitalist instead of a serious, committed, long-term player.</p>
<h2>Risk and Online Elections</h2>
<p>For many transactions we expect and accept certain levels of fraud. That <a title="External link to unrest.ca on credit system vulnerability" href="http://www.unrest.ca/update-on-credit-card-system-vulnerability">the credit system itself is highly vulnerable</a> is of considerable worry, but uncertainty around the legitimacy of credit-backed transactions is a market problem with implications for the capacity of state action. In the case of elections, however, increasing vulnerability can impact markets, environmental and foreign policy, trade negotiations, and ongoing political processes. In essence, while the market is essential to the business of the state, and significantly regulates the state, it lacks the sovereign powers of the state itself. Regardless of whether the state has seen itself &#8216;hollowed out&#8217; over past decades, neither IBM nor Google have fleets of strategic bombers, the capacity to issue formal declarations of war, seize corporate property, or the other &#8216;strong&#8217; expressions of sovereignty that states retain even today.</p>
<p>Human assessments of risk are challenged in the contemporary world, insofar as some risks are highly elevated and given undue degrees of attention when they rapidly and prominently appear and other risks are pervasive, non-exceptional, and highly deadly. Examples of the former include the twin-tower attacks, the rare murder in Canadian cities, lightning strikes, or specialized harms towards particular individuals. Humans are biologically ill-equipped to deal with pervasive and/or non-obvious risks; when the red berries kill you over a ten-year period instead of within a day or two, we just don&#8217;t recognize the &#8216;badness&#8217; of the ten-year-old poison berry. In a world with more and more &#8216;invisible&#8217; harms &#8211; online fraud, environmental woes, pervasive harms from automotive vehicles, and so on &#8211; humans simply aren&#8217;t well-suited to gauge risk in an effective manner.</p>
<p>If regular citizens are bad at risk assessment, politicians and bureaucrats are worse. Remember that a primary aim of a politician is to be (re)elected. As a result, they are predominantly interested in what garners favour with a large number of constituents, with issues that can be translated into electoral votes often being selected for emphasis and personal attention. Consequently, being &#8216;strong against crime&#8217; is seen by many as a positive stance to assume, with novel crimes such as digital intrusions, hacking, and virus writing increasingly common political targets. We are warned that cyber-wars, cyber-terrorism, and cyber-everything-else-bad-in-the-world are coming, and that to assuage them more money, more authority, and more power must be allocated to the government. Such efforts are often supported by bureaucratic staff, both on the basis of political pressure <em>and</em> because it can expand the importance, value, and budgets of their respective departments. Despite such allocations of power and wealth, digitally-mediated intrusions still occur at the highest levels of government: for all its &#8216;tough on crime&#8217; talk there seems to be limited impact on reducing intrusions. Despite the regularity of attacks and the political rhetoric surrounding the &#8216;danger&#8217; of online transactions for commercial enterprises, online voting &#8211; a key element of the Canadian democratic process &#8211; is being considered.</p>
<p>So, while the risks associated with carrying out online transactions are real and government sponsored prevention capabilities limited, some areas of the country have already chosen to adopt online voting. It will be tested in upcoming civil elections in Vancouver, with the <a title="External link to straight.com article with officer's quotation" href="http://www.straight.com/article-390716/vancouver/vancouver-city-council-gives-green-light-online-voting-november-civic-election">chief election officer noting</a> that &#8220;the model is “not without risk”. Potential risks include the possibility of personal identification numbers being stolen or mailed to the wrong person, and hacks or viruses impacting election results.&#8221; While the BC government has not approved online voting for the 2011 civic elections, the ministry of community, sport and cultural development is <a title="External link to straight article on BC gov't rejection of 2011 online voting" href="http://www.straight.com/article-395269/vancouver/bc-rejects-online-voting-vancouver-fall-election">committed to making online voting a reality</a> for the 2014 elections. Similar comments abound, with over-trusting/ignorant journalists <a title="External link to globe and mail piece" href="http://www.theglobeandmail.com/news/national/time-to-lead/article1997243.ece">beating the drum</a> that online election systems should be as commonplace as online banking. Perhaps most concerning are statements like those of Prof. Dave Reynolds in his <a title="External link to independent.ca article" href="http://theindependent.ca/2011/04/07/why-doesn%E2%80%99t-elections-canada-provide-online-voting/">article at the Independent</a>:</p>
<blockquote><p>Even when I consider the threat of real, experienced, black hat hackers attempting to interfere with elections, I cannot help but think that if Canada can’t provide the security to protect an online voting system, then we have got some serious problems here. The government already offers online submission that is secure enough when you file your taxes, claim your EI, or apply for student loans, so it’s more than a bit ludicrous that haven’t already provided an online form that list less than half a dozen candidates and asks you to CHOOSE ONE.</p></blockquote>
<p>Canada <a title="External link to piece on breach of Finance Ministry" href="http://www.theregister.co.uk/2011/02/17/canada_cyber_espionage/">cannot secure its most important financial information</a> from what may be its most significant state-level competitors. As noted before, financial information is absolutely essential to the continuance of a nation and has serious impacts on subsequent policy and political decisions, but lacks the equivalent significance of voting. Voting is not only used to put particular candidates in parliament but to encourage a sense of the government&#8217;s legitimacy. Even if the party you voted for doesn&#8217;t become a majority, (the idea is) by taking part in the electoral process and having your vote counted you exercise a key legitimizing element of your Charter rights. This links Canadians together, perhaps with their government, but certainly with one another as they mutually share a common patriotic principle: voting matters and it is an action that unites us regardless of political parties through shared Charter rights.[1] Banking lacks this functionality, as does tax filing, student loan applications, and so forth: voting is significantly <em>more</em> important for democratic legitimacy, even as it is potentially <em>less</em> important for how Canadians go about their daily lives.</p>
<p>It&#8217;s important to note that the inability to secure the Internet as a site for the government to conduct its most sensitive business is not a fault of the Canadian government any more than a fault of the individuals using the networks or the network providers offering network functionality. The Internet is, quite simply, a treacherous place to work and has been for a long, long time. We do not live in the world of superheroes &#8211; while we might impose or work through our uncertainties and fears through the worlds those heroes exist within, we should not fool ourselves into thinking that a <a title="wikipedia article on Mr. Fantastic" href="http://en.wikipedia.org/wiki/Mister_Fantastic">Mr. Fantastic</a>, <a title="Wikipedia piece on Iron Man's skills" href="http://en.wikipedia.org/wiki/Iron_Man#Skills">Tony Stark</a> or <a title="External link to Hank Pym's powers and skills" href="http://en.wikipedia.org/wiki/Hank_Pym#Powers_and_abilities">Hank Pym</a> will &#8216;fix&#8217; the Internet anytime soon. Quite simply, the underlying infrastructural qualities of the Internet that make it the wondrous playground that it is today also make the Internet an incredibly unsafe environment to try to coordinate and secure millions of people&#8217;s unsecured systems, unsecured networks, and ill-educated citizens to carry out <em>any</em> action, including online voting. None of these characteristics are likely to change anytime soon.</p>
<h2>Some Potential Attackers</h2>
<p>What Elections Canada, politicians, and the electorate should all realize is this: state actors like the United States, Britain, China, France, Brazil, Israel, and every other nation with an Internet connection will have some interest in manipulating a Canadian election if chances of being caught are slim or delayed enough to not matter. State-level actors can throw millions or billions into a dedicated attack and have demonstrated a willingness to <a title="External piece on stuxnet" href="http://www.spiegel.de/international/world/0,1518,778912,00.html">intentionally subvert sovereign policies</a> where such actions are in their interests. Canada&#8217;s intelligence services have already indicated there are <a title="External link to CBC piece on CSIS and foreign interference" href="http://www.cbc.ca/news/canada/story/2010/06/23/fadden-csis-spy.html">sympathies between Canadian politicians and foreign governments</a>; there isn&#8217;t a need for a state actor to vote a nobody onto the ballot when they could merely get existing, sympathetic, politicians elected. Political change needn&#8217;t happen overnight when a state measures its lifetime and processes in decades and centuries.</p>
<p>Corporations would also have strong motivations to interfere with an election. The ability to promote candidates who were appropriately &#8216;sensitive&#8217; to corporate machinations could provide incredible competitive boosts and strategic advantages. Canada remains one of the wealthiest nations in the world and many of our industries are still relatively protected by foreign investment laws. Both local companies and international conglomerates would have strong interests in seeing politicians who were either protectionist or foreign-friendly as elected representatives.</p>
<p>Individuals may also be interested in interfering with electoral processes. Everything from petty grievances, to being paid to hack the election, to curiosity about their ability to interfere with national governance (think taking the <a title="External link to the Register talking about the hack" href="http://www.theregister.co.uk/2009/04/17/time_top_100_hack/">hack of Time Magazine&#8217;s top 100 people</a> to the international scale) could drive their actions. In an era of cheap botnets, poor general computer and network security, and the ability to effectively launch attacks from anywhere in the world, there are billions of potential bad-guys whose motives cannot be easily drawn into a threat analysis.</p>
<p>Importantly, we&#8217;re not constrained to just one actor being involved in hacking an election; there isn&#8217;t any good reason why all the above listed interests (plus potentially a few more added to the mix) couldn&#8217;t simultaneously be trying to influence the election, further muddying both the legitimacy and outcome. In effect, Elections Canada cannot secure an online electoral process, and that process is too important to risk to the Internet. Paper voting is annoying. It&#8217;s not necessarily as convenient or as fast as using a smartphone to move your money around using a banking app.  Voting is also one of the very few political expectations/hopes that are put on Canadians every few years. It is not too much to mail in a vote, go to a polling station, or (quite reasonably) abstain from voting for political, personal, or other reasons. It is too much to expect that we would endanger the entire electoral process just to attract those who are already unwilling to take a half-hour of their time every few years to cast a ballot.</p>
<p>[1] For a far elongated discussion of this notion of constitutional patriotism, I would direct you to either Habermas&#8217; work, that of <a title="External link to his book" href="http://press.princeton.edu/titles/8570.html">Jan-Werner Muller</a>, or sections of my <a title="Internal link to my MA thesis" href="http://www.christopher-parsons.com/Thesis/Technology_Communication_and_Western_Pluralistic_Democracies(for_web).pdf">MA thesis</a>.</p>
<h3>Book Sources</h3>
<p>R. Anderson. (2007). <em>Security Engineering: A Guide to Building Dependable Distributed Systems (Second Edition)</em>.</p>
<p>B. Schneier. (2006). <em>Beyond Fear: Thinking Sensibly About Security in an Uncertain World</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/online-voting-and-hostile-deployment-environments/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Letter to Stephen Harper on Lawful Access Legislation</title>
		<link>http://www.christopher-parsons.com/blog/privacy/letter-to-stephen-harper-on-lawful-access-legislation/</link>
		<comments>http://www.christopher-parsons.com/blog/privacy/letter-to-stephen-harper-on-lawful-access-legislation/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 19:02:22 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[harper]]></category>
		<category><![CDATA[ISPs]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2707</guid>
		<description><![CDATA[Working from the most recent lawful access bills, which died when the last election was called, advocates and academics have come together to draft a letter of concerns to the Prime Minister's Office (PMO).  <a href="http://www.christopher-parsons.com/blog/privacy/letter-to-stephen-harper-on-lawful-access-legislation/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2708" class="wp-caption alignleft" style="width: 310px"><a href="http://www.flickr.com/photos/jonathanmcintosh/3747441370/"><img class="size-medium wp-image-2708" title="Surveillance" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/08/3747441370_1044654301_b-300x200.jpg" alt="" width="300" height="200" /></a><p class="wp-caption-text">Photo by Jonathan McIntosh</p></div>
<p>For the past several years, public advocates, academics, the privacy commissioners of Canada, and members of the Canadian Parliament have all voiced concerns about proposed lawful access legislation. There are generally three types of &#8216;powers&#8217; associated with such legislation: (1) enhanced search and seizure provisions; (2) increased interception of private communications powers; (3) production of subscriber data. During the last election cycle, Stephen Harper assured Canadians that within 100 sitting days lawful access provisions would be passed, along with other legislation, in an omnibus crime bill. Lawful access legislation has not been fully debated in the House or Senate, and has significant implications for the future of anonymity and privacy on the Internet, while simultaneously expanding police powers without a clearly demonstrated need to expand such powers.</p>
<p>Working from the most recent lawful access bills, which died when the last election was called, advocates and academics have come together to send a letter of concerns to Prime Minister Harper. Our concerns are as follows:</p>
<ul>
<li>The ease by which Canadians’ Internet service providers, social networks, and even their handsets and cars will be turned into tools to spy on their activities further to production and preservation orders in former Bill C‐51 – a form of spying that is bound to have serious chilling effects on online activity and communications, implicating fundamental rights and freedoms;</li>
<li>The minimal and inadequate amount of external oversight in place to ensure that the powers allotted in these bills are not abused;</li>
<li>Clause 16 of former Bill C‐52, which will allow law enforcement to force identification of anonymous online Internet users, even where there is no reason to suspect the information will be useful to any investigation and without adequate court oversight; and</li>
<li>The manner in which former Bill C‐52 paves the way to categorical secrecy orders that will further obscure how the sweeping powers granted in it are used and that are reminiscent of elements of the USA PATRIOT Act that were found unconstitutional.</li>
</ul>
<p>On a final note, we object that Canadians will be asked to foot the bill for all this, in what essentially amounts to a hidden e‐surveillance tax, and are concerned that compliance will further impede the ability of smaller telecommunications service providers to compete in Canada by saddling them with disproportionate costs.</p>
<p>It is of critical import that the lawful access provisions of the omnibus crime bill are shaved off into their own batch of legislation and are afforded their own debates and hearings. Failing to do so would underplay how much the bills&#8217; massive expansions of surveillance capacities might impact the Internet in Canada, and digital communications in this country more generally. If you want to learn more about the concerns listed above, you can <a title="Internal link to letter" href="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/08/20110809-LT_Harper-Re_LawfulAccess-FINAL.pdf">read the full letter that was sent to the PMO (.pdf)</a>, and you can take action by voicing your concerns at the <a title="External link to Stop Online Spying" href="http://openmedia.ca/StopSpying">Stop Online Spying</a> website. Sign the petition located there and then contact your MP: it is only by demonstrating public interest and concern in these bills that they might be clarified, reformed, and potentially prevented from being brought forward in the first place.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/privacy/letter-to-stephen-harper-on-lawful-access-legislation/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>
