<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Technology, Thoughts, and Trinkets &#187; Mobiles</title>
	<atom:link href="http://www.christopher-parsons.com/blog/category/technology/mobiles/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.christopher-parsons.com/blog</link>
	<description>Touring the digital through type</description>
	<lastBuildDate>Wed, 08 Feb 2012 00:04:34 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>(Un)Lawful Access Forum in Ottawa</title>
		<link>http://www.christopher-parsons.com/blog/privacy/unlawful-access-forum-in-ottawa/</link>
		<comments>http://www.christopher-parsons.com/blog/privacy/unlawful-access-forum-in-ottawa/#comments</comments>
		<pubDate>Mon, 06 Feb 2012 14:00:02 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Mobiles]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[announcement]]></category>
		<category><![CDATA[bccla]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[geist]]></category>
		<category><![CDATA[lawful access]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=3085</guid>
		<description><![CDATA[For more information about the event, see Unlawfulaccess.ca, and register for the event on Facebook. You can also download/print/share copies of the poster for the event. This will be a really great event, and the mixture of formally separated technical and political panels should do a great job in outlining the range of issues that lawful access legislation touches upon. <a href="http://www.christopher-parsons.com/blog/privacy/unlawful-access-forum-in-ottawa/">Continue reading <span class="meta-nav">&#8594;</span></a>
Other posts you might be interested in:<ol>
<li><a href='http://www.christopher-parsons.com/blog/privacy/unlawful-access-vancouver-premiere-panel-discussion/' rel='bookmark' title='(Un)Lawful Access: Vancouver Premiere &amp; Panel Discussion'>(Un)Lawful Access: Vancouver Premiere &#038; Panel Discussion</a></li>
<li><a href='http://www.christopher-parsons.com/blog/technology/lawful-access-its-potentials-and-its-lack-of-necessity/' rel='bookmark' title='Lawful Access, Its Potentials, and Its Lack of Necessity'>Lawful Access, Its Potentials, and Its Lack of Necessity</a></li>
<li><a href='http://www.christopher-parsons.com/blog/technology/the-anatomy-of-lawful-access-phone-records/' rel='bookmark' title='The Anatomy of Lawful Access Phone Records'>The Anatomy of Lawful Access Phone Records</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.christopher-parsons.com/blog/wp-content/uploads/2012/02/www.unlawfulaccess.ca_sites_default_files_Lawful-Access-Event-poster.pdf.png"><img class="alignleft size-medium wp-image-3086" title="www.unlawfulaccess.ca_sites_default_files_Lawful Access Event poster.pdf" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2012/02/www.unlawfulaccess.ca_sites_default_files_Lawful-Access-Event-poster.pdf-231x300.png" alt="" width="231" height="300" /></a>I&#8217;ll be speaking at a forum about Canada&#8217;s forthcoming lawful access legislation on February 8 at St. Paul University. From 6pm-7pm there will be the formal book launch of the Canadian Centre for Policy Alternatives&#8217; recent title, <em><a title="External link to book's CCPA page" href="http://www.policyalternatives.ca/publications/reports/internet-tree">The Internet Tree: The State of Telecom Policy in Canada 3.0</a></em>. Those attending the forum may be particularly interested in the two chapters on surveillance (<a title="Internal link to publication announcement" href="http://www.christopher-parsons.com/blog/technology/publication-is-your-isp-snooping-on-you/">one of which I authored</a>). The lawful access event runs from 7pm-10pm. From 7:00-7:30 the organizers will be showing the mini-documentaries &#8220;<a title="External link to the documentary" href="http://www.unlawfulaccess.net/">(Un)Lawful Access</a>&#8221; and &#8220;Moving Towards a Surveillance Society.&#8221; Following this, there will be two panels to discuss the expected legislation. The first (which I&#8217;m on) runs from 7:30-8:30 and discusses the technical elements of the forthcoming legislation. The panel is composed of myself, Kirsten R. Embree, Stephen McCammon, and John Lawford. The second panel runs from 8:45 to 9:30, and focuses on the political dimensions of the legislation. Panelists include Charlie Angus and Elizabeth May, with Michael Geist moderating. The final 30 minutes are devoted to summarizing the forum, outlining actions that are taking place, and suggesting continuing activities.</p>
<p>For more information about the event, see <a title="External link to unlawfulaccess website" href="http://www.unlawfulaccess.ca/">Unlawfulaccess.ca</a>, and <a title="External link to Facebook page" href="http://www.facebook.com/events/273497419366894/">register for the event</a> on Facebook. You can also <a title="Internal link to .pdf of event poster" href="http://www.christopher-parsons.com/blog/wp-content/uploads/2012/02/Lawful-Access-Event-poster.pdf">download/print/share copies of the poster</a> for the event. This will be a really great event, and the mixture of formally separated technical and political panels should do a great job in outlining the range of issues that lawful access legislation touches upon.</p>
<p>Other posts you might be interested in:<ol>
<li><a href='http://www.christopher-parsons.com/blog/privacy/unlawful-access-vancouver-premiere-panel-discussion/' rel='bookmark' title='(Un)Lawful Access: Vancouver Premiere &amp; Panel Discussion'>(Un)Lawful Access: Vancouver Premiere &#038; Panel Discussion</a></li>
<li><a href='http://www.christopher-parsons.com/blog/technology/lawful-access-its-potentials-and-its-lack-of-necessity/' rel='bookmark' title='Lawful Access, Its Potentials, and Its Lack of Necessity'>Lawful Access, Its Potentials, and Its Lack of Necessity</a></li>
<li><a href='http://www.christopher-parsons.com/blog/technology/the-anatomy-of-lawful-access-phone-records/' rel='bookmark' title='The Anatomy of Lawful Access Phone Records'>The Anatomy of Lawful Access Phone Records</a></li>
</ol></p>]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/privacy/unlawful-access-forum-in-ottawa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Amici Curiae on IMSI Catchers</title>
		<link>http://www.christopher-parsons.com/blog/privacy/surveillance/amici-curiae-on-imsi-catchers/</link>
		<comments>http://www.christopher-parsons.com/blog/privacy/surveillance/amici-curiae-on-imsi-catchers/#comments</comments>
		<pubDate>Sat, 04 Feb 2012 21:55:23 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Mobiles]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[america]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[court]]></category>
		<category><![CDATA[imsi]]></category>
		<category><![CDATA[lawful access]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=3077</guid>
		<description><![CDATA[We argue that a substantial amount of information surrounding IMSI catchers is already public and that, as a result, the secrets the government is attempting to protect are already in the public domain. Moreover, the public interest is best served by "greater public discussion regarding these tracking technologies and the security flaws in the mobile phone networks that they exploit, not less." <a href="http://www.christopher-parsons.com/blog/privacy/surveillance/amici-curiae-on-imsi-catchers/">Continue reading <span class="meta-nav">&#8594;</span></a>
Other posts you might be interested in:<ol>
<li><a href='http://www.christopher-parsons.com/blog/technology/the-anatomy-of-lawful-access-phone-records/' rel='bookmark' title='The Anatomy of Lawful Access Phone Records'>The Anatomy of Lawful Access Phone Records</a></li>
<li><a href='http://www.christopher-parsons.com/blog/technology/lawful-access-its-potentials-and-its-lack-of-necessity/' rel='bookmark' title='Lawful Access, Its Potentials, and Its Lack of Necessity'>Lawful Access, Its Potentials, and Its Lack of Necessity</a></li>
<li><a href='http://www.christopher-parsons.com/blog/technology/mobile-security-and-the-economics-of-ignorance/' rel='bookmark' title='Mobile Security and the Economics of Ignorance'>Mobile Security and the Economics of Ignorance</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<div id="attachment_3078" class="wp-caption alignleft" style="width: 210px"><a href="http://www.idownloadblog.com/2011/06/08/unsecured-calls-warning/"><img class="size-medium wp-image-3078" title="encryption-e1307550415117" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2012/02/encryption-e1307550415117-200x300.png" alt="" width="200" height="300" /></a><p class="wp-caption-text">Image by iDownloadBlog</p></div>
<p>Security, surveillance, and privacy researchers alike have been watching how authorities exploit cellular communications devices &#8211; often in secret, or absent sufficient oversight &#8211; for years. Research to date has been performed by security researchers and hackers, social scientists, advocates, activists, and the curious, with contributions spanning hundreds of discrete investigations into technical capabilities and their social implications. Of late, a considerable amount of attention has been devoted to IMSI catchers, devices that pose as mobile phone towers for the purpose of monitoring and tracking mobile phones without their users&#8217; awareness.</p>
<p>Given the use of IMSI catchers by American authorities, a group of researchers and academics (signing in their individual capacities) submitted an <em>amici curiae</em> brief on January 17, 2012 concerning the catchers. Specifically, the brief supports a defendant&#8217;s motion for disclosure of all relevant and helpful evidence withheld by the government based on a claim of privilege. The government, in this particular case, has admitted that the surveillance technology used simulated a cell site but has refused to provide specific details of how the surveillance was conducted. We argue that a substantial amount of information surrounding IMSI catchers is already public and that, as a result, the secrets that the government is attempting to protect are already in the public domain. Moreover, the public interest is best served by &#8220;greater public discussion regarding these tracking technologies and the security flaws in the mobile phone networks that they exploit, not less.&#8221; <span id="more-3077"></span></p>
<p>I want to thank the primary drafters of the brief for their (as always) excellent work and for the opportunity to sign on to it. Bringing transparency to government surveillance systems &#8211; especially when the government tries to limit public attention after information about these systems is publicly available &#8211; is critical if we are to foster serious and critical discussions about authorities&#8217; capacity, and potential, to monitor and track citizens. Democratic systems work best when all branches of government &#8211; including law enforcement &#8211; cannot inappropriately hide their actions from the public. With an awareness of their government&#8217;s actions, the public can drive how their government functions, as opposed to things happening the other way around.</p>
<p>I would note that IMSI catchers are of <a title="Internal link to a post on LA 'subscriber records' and IMSI catchers" href="http://www.christopher-parsons.com/blog/technology/the-anatomy-of-lawful-access-phone-records/">particular importance to Canadians</a>. If forthcoming lawful access legislation is passed in a format similar or identical to its last drafting, then Canadian police, intelligence, and security officers would be permitted to collect IMSI numbers using catchers and subsequently compel subscriber information from Canadian mobile phone providers. All of this would happen without a warrant. It cannot be stated enough that legalizing this level of unsupervised surveillance would have significant chilling effects on speech and association. Moreover, it would significantly expand what constitutes &#8216;legitimate&#8217; government surveillance while simultaneously undermining key privacy rights and expectations. Thus, while this particular <em>amici curiae</em> brief was sent to an American court, citizens in Canada and the UK would be well served if our respective governments were transparent about their (stated and intended) usage of surveillance equipment, such as IMSI catchers, to surreptitiously monitor citizens.</p>
<p>To download the <em>Amici Curiae, </em><a title="Link to Amici Curiae" href="http://www.christopher-parsons.com/blog/wp-content/uploads/2012/02/rigmaiden-amici-final.pdf">click here</a>.</p>
<p>Other posts you might be interested in:<ol>
<li><a href='http://www.christopher-parsons.com/blog/technology/the-anatomy-of-lawful-access-phone-records/' rel='bookmark' title='The Anatomy of Lawful Access Phone Records'>The Anatomy of Lawful Access Phone Records</a></li>
<li><a href='http://www.christopher-parsons.com/blog/technology/lawful-access-its-potentials-and-its-lack-of-necessity/' rel='bookmark' title='Lawful Access, Its Potentials, and Its Lack of Necessity'>Lawful Access, Its Potentials, and Its Lack of Necessity</a></li>
<li><a href='http://www.christopher-parsons.com/blog/technology/mobile-security-and-the-economics-of-ignorance/' rel='bookmark' title='Mobile Security and the Economics of Ignorance'>Mobile Security and the Economics of Ignorance</a></li>
</ol></p>]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/privacy/surveillance/amici-curiae-on-imsi-catchers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Anatomy of Lawful Access Phone Records</title>
		<link>http://www.christopher-parsons.com/blog/technology/the-anatomy-of-lawful-access-phone-records/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/the-anatomy-of-lawful-access-phone-records/#comments</comments>
		<pubDate>Tue, 22 Nov 2011 02:57:21 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[Mobiles]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[lawful access]]></category>
		<category><![CDATA[legislation]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2904</guid>
		<description><![CDATA[The aim of this post is to make clear just how much information is contained in a single lawful access "phone record", demonstrating that the government is seeking information that grossly exceeds what is contained in the white or yellow pages today. As a result, I first provide an example phone record that resembles those in every phonebook in Canada and then offer an example of a lawful access record. <a href="http://www.christopher-parsons.com/blog/technology/the-anatomy-of-lawful-access-phone-records/">Continue reading <span class="meta-nav">&#8594;</span></a>
No related posts.]]></description>
			<content:encoded><![CDATA[<div id="attachment_2888" class="wp-caption alignleft" style="width: 310px"><a href="http://www.flickr.com/photos/mjecker/247922018/"><img class="size-medium wp-image-2888" title="ACL 2006 - Phonebook  " src="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/11/247922018_e1228b4086_o-300x225.jpg" alt="" width="300" height="225" /></a><p class="wp-caption-text">Photo by mjecker</p></div>
<p>Canadian advocates, government officials, and scholars are all concerned about the forthcoming lawful access legislation. A key shared concern is that authorities could, under the legislation, access telecommunications subscription records without court oversight. Moreover, as a condition of accessing these records businesses might be served with gag orders. Such orders would prevent Canadians from ever knowing (outside of court!) that the government had collected large swathes of information about them. In response to concerns aired in public, the <a title="External link to National Post piece with Toews' statement to Ann Cavoukian" href="http://fullcomment.nationalpost.com/2011/11/02/todays-letters-canada-needs-medical-cannabis-dispensaries/">Public Safety Minister has insisted</a> that the legislation would merely let police access &#8220;phone book&#8221; information from telecommunications providers.</p>
<p>I maintain that such assertions obfuscate the sheer amount of information contained in the records that authorities would collect. The aim of this post is to make clear just how much information is contained in a single lawful access &#8220;phone record&#8221;, demonstrating that the government is seeking information that grossly exceeds what is contained in the white or yellow pages today. As a result, I first provide an example phone record that resembles those in every phonebook in Canada and then offer an example of a lawful access record. Remember that such requests may be filed with multiple service providers (e.g. Internet service providers, web forum hosts, blogs, mobile phone companies, etc.) and thus a swathe of records can be combined to generate a comprehensive picture of a particular individual. By the conclusion of the post it should be evident that the information provided under lawful access powers is far more expansive than the phone records government ministers allude to, and that those ministers&#8217; framing obscures the technical reality.</p>
<p><span id="more-2904"></span></p>
<h2>Phonebook Records, Today</h2>
<p>In his response to the Information and Privacy Commissioner of Ontario, Vic Toews (Public Safety Minister) insisted that police would simply have access to &#8220;phone book&#8221; information under the forthcoming lawful access legislation. He <a title="External link to national post page with Toew's statement" href="http://fullcomment.nationalpost.com/2011/11/02/todays-letters-canada-needs-medical-cannabis-dispensaries/">asserted that</a>, &#8220;Our proposed approach of linking an internet address to subscriber information is on par with the phone book linking phone numbers to an address.&#8221; While <a title="External link to Cavoukian's rebuttal to Toews in National Post" href="http://www.nationalpost.com/related/topics/Privacy/5655224/story.html">the Commissioner has replied that Toews&#8217; response</a> obscures just how much more expansive lawful access records are than traditional phone records, it is arguably difficult for the lay public to grasp the amount of information contained in the proposed subscriber record fields. So, let&#8217;s compare a record accessible in your home today, in a printed phone book, with the &#8220;phone book&#8221; data the federal government wants to make available to authorities without a warrant. The following resembles a record in a phone book today:</p>
<pre>John Smith, 456 Westminster Ave  . . . . . . (636)-421-6124</pre>
<p>This record contains the listed name of an individual, the address associated with the phone number, and the telephone number itself (area code and local number). Not all individuals provide full details in the phone books that are distributed each year. Some have their addresses removed or substitute their initials for their full names. Such modifications are often the result of people feeling uncomfortable with disclosing their address, phone number, and name in one publicly accessible location. Using this information you can (potentially) learn where the individual associated with a phone number lives, but you do not necessarily discover the names of the particular individuals living in the home, the number of people in the home, and so forth. Thus, where multiple people share a single phone and address the subscriber record may be somewhat nebulous; while it should identify an individual at the address it is questionable whether that <em>particular</em> individual interests the authorities.</p>
<h2>Phonebook Records, Tomorrow</h2>
<p>The &#8216;phone records&#8217; that Minister Toews is talking about are quite a bit larger, and far more descriptive, than those found in the local yellow or white pages. As I&#8217;ve depicted them, one line grows to six, and three data items explode into eleven descriptively rich fields. The expanded list will be available as phone records to authorities but not to individuals. This stands as a clear distinction between the phone record that individuals think of in phonebooks and the record that authorities will have access to under lawful access legislation. An updated record might appear as follows:</p>
<pre>John Smith, 456 Westminster Ave  . . . . . . (636)-421-6124
jsmith@example.com . . . . . . . . . . . . I.P., 10.0.0.100
MIN, 250-521-0091 . . . . . . . . . . SPID, 636-421-6124-00
ESN . . . . . . . . 1000 0010 0001 1010 0000 0101 0110 1111
IMEI, 35-209900-176148-23 . . . . . IMSI, 310-150-564857956
SIM  . . . . . . . . . . . . . . . . 894411 0112 12333344 4</pre>
<p>Most of what is contained in these eleven fields will be foreign to the average user. In light of this, let&#8217;s unpack the new record line by line.</p>
<p>The <strong>first line</strong> is identical to your typical phone book record. Note that the phone number here would be a permanent number, such as the number to call if the mobile number identified in line three is inoperable. Obviously there may be instances where there isn&#8217;t a distinction between the phone numbers in those lines if the mobile subscriber either lacks a landline or alternate mobile phone. Further, where the telecommunications service provider, such as a web forum, only has a single phone number then a mobile number might be situated on this line.</p>
<p><strong>Line two</strong> offers the email address and Internet Protocol address of the subscriber in question. Email addresses will be tied to particular accounts; you may have one email address for a web forum, another for purchases online, and yet another for personal correspondence from your Internet service provider. While a singular email address is given here, this is representative of a <em>single</em> subscriber record from a <em>single</em> telecommunications service provider. It is likely that different emails (and, thus, different &#8216;phone records&#8217;) are kept by each of the service providers you engage with on a daily basis. The Internet Protocol address is assigned to you by your Internet service provider and is an essential element to accessing the Internet itself. IP addresses identify where data originates from and should be sent towards. Your IP address is likely either dynamic (changes with some degree of frequency) or static (permanently assigned to your modem). Regardless, using an IP address authorities could identify your Internet service provider and, from there, demand that the Internet provider disclose which subscriber was assigned the IP address at some particular time. Given that many IP addresses are dynamic it is possible that different telecommunications service providers will have different addresses attached to your record instead of the singular address offered in the example line two.</p>
<p>The <strong>third line</strong> contains the Mobile Identification Number (MIN) and Service Provider Identifier (SPID). This line is needed for subscriber records associated with mobile phone/device usage. The MIN uniquely identifies a mobile device on a mobile provider&#8217;s wireless network and can be used to dial to and from the device. While the record I provide is human-readable, MINs are typically kept in a <a title="External link to description on MIN" href="http://www.tech-faq.com/min-mobile-identification-number.html">database in two components</a>: the three-digit area code is stored in a 10-bit MIN2 field and the seven-digit local portion in a 24-bit MIN1 field. (See <a title="External link to expanded discussion of MIN division" href="http://bak.spc.org/dms/archive/pairinfo.html">UK ESN/MIN Grabbing</a> for more on how these two fields are divided.) Unlike other serials and codes, which are ingrained into the hardware of a device, a MIN is stored in the mobile provider&#8217;s database and can be changed. A SPID is a unique number assigned to a service provider so that telecommunications switch owners and service providers can enter into financial relationships for the purposes of carrying traffic. The number identifies the company that &#8216;owns&#8217; the account associated with the traffic. Thus, even when calling using a Rogers mobile phone on the AT&amp;T network, the SPID helps to ascertain that Rogers (and, ultimately, the account owner) is responsible for paying for use of the AT&amp;T network.</p>
<p>The <strong>fourth line</strong> holds the Electronic Serial Number (ESN), a 32-bit number encoded into each mobile device: in its original layout an 8-bit manufacturer code followed by a 24-bit serial (later reallocated as 14 and 18 bits as manufacturer codes ran short). It is <a title="External link to piece on ESN" href="http://www.ehow.com/about_5073163_cell-phone-esn-number_.html">embedded into the device by the manufacturer</a> and thus is <em>not</em> assigned by the mobile telephony/Internet company from whom a device is purchased. The ESN is checked against the MIN to prevent fraud: while an individual could try to have their MIN changed to receive free services, correlating the MIN and ESN in the provider&#8217;s database diminishes the likelihood of successful fraud. Moreover, with the ESN it is possible to ascertain whether the same phone is being used across a set of wireless carriers&#8217; networks.</p>
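<p>How the MIN is actually packed into the 10-bit MIN2 and 24-bit MIN1 fields described on line three, and how a 32-bit ESN from line four splits into manufacturer code and serial, as an added worked example that is not code from the original post. The digit mapping follows EIA/TIA-553: each three-digit group becomes ten bits by treating the digit 0 as 10, forming the three-digit value and subtracting 111, and the single thousands digit becomes four bits with 0 again encoded as 10. The ESN is the one in the record above, split with the original 8-bit/24-bit layout; the ten-digit MIN is a constructed sample.</p>

```python
"""Pack and unpack the MIN and ESN fields of a mobile subscriber record.

Added worked example (not code from the original post). The MIN digit
mapping follows EIA/TIA-553 section 2.3.1; the ESN split uses the original
8-bit manufacturer code + 24-bit serial layout. Sample values: the ESN is
the one in the illustrative record above, the MIN is constructed.
"""
from typing import Tuple


def _three_digits_to_bits(group: str) -> int:
    """Map three decimal digits to a 10-bit value: digit 0 counts as 10, then subtract 111."""
    d = [10 if ch == "0" else int(ch) for ch in group]
    return 100 * d[0] + 10 * d[1] + d[2] - 111


def _bits_to_three_digits(value: int) -> str:
    """Inverse of _three_digits_to_bits; a zero remainder stands for a digit 0 encoded as 10."""
    n = value + 111
    digits = []
    for _ in range(2):
        d = n % 10 or 10
        digits.append(d)
        n = (n - d) // 10
    digits.append(n)  # leading digit, in 1..10
    return "".join("0" if d == 10 else str(d) for d in reversed(digits))


def min_pack(min_number: str) -> Tuple[int, int]:
    """Return (MIN2, MIN1) for a ten-digit MIN written as NPA-NXX-XXXX.

    MIN2 (10 bits) holds the area code. MIN1 (24 bits) holds the exchange
    (10 bits), the thousands digit (4 bits, 0 encoded as 10) and the last
    three digits (10 bits).
    """
    digits = "".join(ch for ch in min_number if ch.isdigit())
    if len(digits) != 10:
        raise ValueError("a MIN is ten digits: 3-digit area code + 7-digit number")
    min2 = _three_digits_to_bits(digits[0:3])
    exchange = _three_digits_to_bits(digits[3:6])
    thousands = 10 if digits[6] == "0" else int(digits[6])
    last3 = _three_digits_to_bits(digits[7:10])
    min1 = (exchange << 14) | (thousands << 10) | last3
    return min2, min1


def min_unpack(min2: int, min1: int) -> str:
    """Inverse of min_pack: recover the dialable NPA-NXX-XXXX from the two fields."""
    if not (0 <= min2 < 1 << 10 and 0 <= min1 < 1 << 24):
        raise ValueError("MIN2 is 10 bits and MIN1 is 24 bits")
    area = _bits_to_three_digits(min2)
    exchange = _bits_to_three_digits(min1 >> 14)
    thousands = (min1 >> 10) & 0xF
    last3 = _bits_to_three_digits(min1 & 0x3FF)
    return f"{area}-{exchange}-{'0' if thousands == 10 else thousands}{last3}"


def esn_split(esn: int) -> Tuple[int, int]:
    """Split a 32-bit ESN into (manufacturer_code, serial) with the 8/24-bit layout."""
    if not 0 <= esn < 1 << 32:
        raise ValueError("an ESN is a 32-bit number")
    return esn >> 24, esn & 0xFFFFFF


# Constructed sample MIN; ESN copied from the record above.
MIN_SAMPLE = "250-521-0091"
ESN_FROM_RECORD = int("1000 0010 0001 1010 0000 0101 0110 1111".replace(" ", ""), 2)

if __name__ == "__main__":
    min2, min1 = min_pack(MIN_SAMPLE)
    print(f"MIN2={min2:010b} MIN1={min1:024b} -> {min_unpack(min2, min1)}")
    mfr, serial = esn_split(ESN_FROM_RECORD)
    print(f"ESN=0x{ESN_FROM_RECORD:08X} manufacturer=0x{mfr:02X} serial=0x{serial:06X}")
```

<p>Round-tripping <code>min_pack</code> through <code>min_unpack</code> shows why a provider can change a MIN without touching the handset: it is just a pair of database integers, whereas the ESN split is fixed when the device is built.</p>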
<p>The <strong>fifth line</strong> contains the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers. The IMEI is tied to the handset or 3G-capable tablet itself, the IMSI to the subscription held on its SIM. The following can be read from the IMEI used in the example above, &#8220;35-209900-176148-23&#8221;: the leading &#8220;35&#8221; is the Reporting Body Identifier of the British Approvals Board for Telecommunications (BABT), which issued the number, and together with &#8220;2099&#8221; and &#8220;00&#8221; it forms the eight-digit Type Allocation Code that identifies the device model (the &#8220;00&#8221; was the Final Assembly Code identifying the factory until that field was folded into the TAC in 2004). &#8220;176148&#8221; is the serial number of this particular unit within the allocation. The trailing &#8220;23&#8221; is a two-digit Software Version Number: the sixteen-digit form shown is an IMEISV, which is what the handset reports to the network, whereas the fifteen-digit IMEI printed on the device ends instead in a single Luhn check digit. The IMSI breaks into the mobile country code (&#8220;310&#8221;), mobile network code (&#8220;150&#8221;), and mobile subscription identification number (&#8220;564857956&#8221;). &#8220;310&#8221; is allocated to the United States, and &#8220;310-150&#8221; to AT&amp;T. As a result, with the IMEI and IMSI numbers you can ascertain the make and model of the device, its individual serial, the version of its software, the country and carrier that issued the subscription, and the subscriber&#8217;s identifier within that carrier.</p>
<p><strong>Line six</strong> has the Subscriber Identity Module (SIM) number, formally the Integrated Circuit Card Identifier (ICCID). This number, &#8220;894411 0112 12333344 4&#8221; in our example, is broken into subcomponents that identify different bits of information. The first two digits (&#8220;89&#8221;) are the major industry identifier for telecommunications under ISO/IEC 7812, shared by every SIM. &#8220;44&#8221; is the country code (here the UK) and &#8220;11&#8221; the issuer identifier of the network the module belongs to. The remaining digits are laid out by the issuer; in this example the next four (&#8220;0112&#8221;) indicate the month and year of the SIM&#8217;s manufacture, the following two (&#8220;12&#8221;) the switch&#8217;s configuration code, and the next six the SIM serial itself. The last digit is a Luhn check digit, there to confirm that the preceding digits were recorded correctly.</p>
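<p>A decoder for the identifiers on lines five and six, added here as a worked example rather than code from the original post. It splits an IMEI or IMEISV into Reporting Body Identifier, Type Allocation Code, unit serial and either a check digit or a software version, an IMSI into MCC, MNC and MSIN, and an ICCID into industry identifier, country code, issuer identifier and account portion, verifying the Luhn check digit that closes a fifteen-digit IMEI and an ICCID. Two simplifications are assumptions: the MNC is taken as three digits for the North American MCC range 310 to 316 and two digits elsewhere, and the ICCID country code and issuer identifier are each taken as two digits, as the example record has them; real widths vary by issuer. Run against the record above, the IMEISV yields the fifteen-digit IMEI 352099001761481, and the ICCID&#8217;s printed final &#8220;4&#8221; does not match the Luhn digit 6 that its payload calls for, which is exactly the kind of transcription slip the check digit exists to catch.</p>

```python
"""Decode the IMEI/IMEISV, IMSI and ICCID fields of a mobile subscriber record.

Added worked example (not code from the original post). The check digit is
the Luhn algorithm of ISO/IEC 7812 Annex B. Sample values are the
illustrative ones from the record above; MNC length and the ICCID
country/issuer field widths are simplifying assumptions (see comments).
"""
from typing import Dict, Union


def _digits(value: str) -> str:
    """Keep only the decimal digits of a formatted identifier."""
    return "".join(ch for ch in value if ch.isdigit())


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string; the rightmost payload digit is doubled first."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True when the last digit is the Luhn check digit of those before it."""
    return luhn_check_digit(number[:-1]) == int(number[-1])


def parse_imei(value: str) -> Dict[str, Union[str, bool]]:
    """Split a 15-digit IMEI (ends in a check digit) or 16-digit IMEISV (ends in a 2-digit SVN)."""
    digits = _digits(value)
    if len(digits) not in (15, 16):
        raise ValueError("an IMEI has 15 digits, an IMEISV 16")
    info: Dict[str, Union[str, bool]] = {
        "reporting_body": digits[:2],  # Reporting Body Identifier, e.g. 35 = BABT
        "tac": digits[:8],             # Type Allocation Code: identifies the device model
        "serial": digits[8:14],        # serial of this unit within the TAC
    }
    if len(digits) == 15:
        info["check_digit_ok"] = luhn_valid(digits)
    else:
        info["software_version"] = digits[14:]
        # The IMEI proper replaces the SVN with a Luhn digit over the first 14 digits.
        info["imei"] = digits[:14] + str(luhn_check_digit(digits[:14]))
    return info


def parse_imsi(value: str) -> Dict[str, str]:
    """Split an IMSI into MCC, MNC and MSIN."""
    digits = _digits(value)
    if not 6 <= len(digits) <= 15:
        raise ValueError("an IMSI is at most 15 digits")
    mcc = digits[:3]
    # ASSUMPTION: North American MCCs (310-316) use 3-digit MNCs; 2 digits assumed elsewhere.
    mnc_len = 3 if 310 <= int(mcc) <= 316 else 2
    return {"mcc": mcc, "mnc": digits[3:3 + mnc_len], "msin": digits[3 + mnc_len:]}


def parse_iccid(value: str, cc_len: int = 2, issuer_len: int = 2) -> Dict[str, Union[str, int, bool]]:
    """Split an ICCID and verify its Luhn check digit.

    ASSUMPTION: country code and issuer identifier are taken as cc_len and
    issuer_len digits (2 and 2 match the example record); real widths vary.
    """
    digits = _digits(value)
    if len(digits) not in (19, 20) or not digits.startswith("89"):
        raise ValueError("an ICCID is 19 or 20 digits and starts with the MII 89")
    body = digits[2:]
    return {
        "mii": digits[:2],                         # 89 = telecommunications industry
        "country_code": body[:cc_len],
        "issuer": body[cc_len:cc_len + issuer_len],
        "account": body[cc_len + issuer_len:-1],   # issuer-defined layout
        "check_digit": digits[-1],
        "check_digit_ok": luhn_valid(digits),
        "expected_check_digit": luhn_check_digit(digits[:-1]),
    }


if __name__ == "__main__":
    # Values from the illustrative record above.
    print(parse_imei("35-209900-176148-23"))
    print(parse_imsi("310-150-564857956"))
    print(parse_iccid("894411 0112 12333344 4"))
```

<p>The same three functions are what an analyst would run over a seized record or an IMSI-catcher capture to turn raw digit strings into a device model, a home carrier and a card issuer, and the Luhn check is the cheapest way to spot a mistyped identifier before querying a provider with it.</p>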
<p>Perhaps it needn&#8217;t be stated, but there is a <em>significant</em> difference between a &#8220;phone record&#8221; in a phonebook and a &#8220;phone record&#8221; under the Canadian government&#8217;s proposed lawful access legislation. A phone number and address do not reveal the make and model of a mobile device, its serial number, when its SIM was provisioned, the provider of the telephone service, and so forth. Instead, the lawful access record affords a trove of data far in excess of what a citizen would find when looking up a name, address, or phone number in the hardcopy phonebook delivered to their door each year.</p>
<h2>Aggregating Records for Citizen Transparency</h2>
<p>Not all telecommunications service providers could make available a full post-lawful access legislation &#8220;phone record.&#8221; However, once authorities have a single piece of information they can then move to other service providers to develop a full record, one that could subsequently be used to map a person&#8217;s presence on the Internet, their habits, and their activities. Using open source intelligence, the email address can be employed to determine what <em>other</em> services are attached to that email address, and using the IP address authorities can determine where a person is accessing the Internet from (i.e. was the IP address leased to a cafe? to a home? to a business? to a mobile network?) and the billing records associated with that IP address. If browsing from Starbucks, the cafe might be able to turn over a log of users who used their wireless network during the time authorities are interested. If browsing from home, or your own mobile device, then the subscriber records associated with that billing address might be available. And, if browsing from a friend&#8217;s phone or computer, then their information might be given to police regardless of your friend&#8217;s interest to the police.</p>
<p>Remembering back to the discussion of traditional phone records, it is possible that multiple people share the same account and thus what turns up in the phonebook remains somewhat ambiguous. This may remain so when dealing with communal Internet connections but is far less true when dealing with mobile devices. Phones have, for many people, become fetishes that are carried on one&#8217;s person and jealously protected from third-party intrusion. Thus, the ability to ascertain who owns, and is using, a particular mobile device is far less ambiguous than who subscribes to, and uses, a landline phone. Using contemporary policing technologies <a title="External link to UK IMSI/IMEI catcher vendor" href="http://www.ukspyequipment.com/more/on/details/00052">such as IMSI catchers</a>, authorities can de-anonymize a crowd by catching the IMSI associated with each phone and immediately requesting subscriber data from mobile phone providers. While it may not be legal for <a title="External link to piece on Byron Sonne and police ruse" href="http://toronto.openfile.ca/toronto/text/ruse-violated-byron-sonnes-rights">authorities to engage in ruses</a> to compel individuals to identify themselves when those individuals have done nothing wrong, with IMSI catchers no ruse is needed for the identification process to occur. The term &#8220;papers please&#8221; is a distinctly analogue notion, one that can be abandoned by authorities in possession of IMSI catchers and lawful access powers.</p>
<p>Surveillance is being automated, and vendors are accelerating the rates at which records can be collected and analysed to meet the needs and expectations of the multibillion dollar surveillance complex that has grown significantly post-9/11. Developers are not about to slow the rate of their surveillance innovations in the face of regulation that permits more expansive surveillance, records collection, and correlation of online actions with those records. Technology, however, does not determine the course of society: technology and society are mutually entwined, with each influencing the other. While surveillance architectures are being developed, if their uses are either illegal or are accompanied by high administrative or financial burdens then the architecture can lie substantially dormant save in truly exceptional times associated with incredibly significant events. Legal friction can encourage such high costs by outlawing particular ways of collecting subscriber information and requiring administrative burdens (e.g. the warranting process) to force authorities to intentionally assign resources to access subscriber records. Reducing legal and administrative frictions in an era where technical frictions are quickly becoming a thing of the past is a recipe for expanded government surveillance. Such surveillance can detrimentally affect individuals by chilling speech and association, harm businesses by increasing the costs of complying with regulation, and force citizens to pay for their own surveillance in increased service costs and by way of their charter rights. We must avoid such harms and, as such, retain administrative and legal frictions to ensure that strong oversight bodies exist and that appropriate frictions accompany novel policing and intelligence powers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/the-anatomy-of-lawful-access-phone-records/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Lawful Access, Its Potentials, and Its Lack of Necessity</title>
		<link>http://www.christopher-parsons.com/blog/technology/lawful-access-its-potentials-and-its-lack-of-necessity/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/lawful-access-its-potentials-and-its-lack-of-necessity/#comments</comments>
		<pubDate>Thu, 10 Nov 2011 00:44:26 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[Mobiles]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[lawful access]]></category>
		<category><![CDATA[police]]></category>
		<category><![CDATA[privacycommissioner]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2858</guid>
		<description><![CDATA[Police and other authorities should not be permitted to infringe upon Canadians' rights and further erode expectations of communicative privacy, associative privacy, or basic dignities on the basis of cross-jurisdictional envy. <a href="http://www.christopher-parsons.com/blog/technology/lawful-access-its-potentials-and-its-lack-of-necessity/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2862" class="wp-caption alignleft" style="width: 310px"><a href="http://www.flickr.com/photos/piccadillywilson/225350749/"><img class="size-medium wp-image-2862" title="GCHQ" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/11/225350749_da7839754e_b-300x245.jpg" alt="" width="300" height="245" /></a><p class="wp-caption-text">Image by mattwi1s0n</p></div>
<p>New surveillance powers are typically framed using benevolent and/or patriotic language. In the United States, we see the PATRIOT Act, the Stored Communications Act, and National Security Letters. Powers associated with this surveillance assemblage have been abused, and people have been spied upon in violation of the law and of bureaucratic procedure, and without any demonstration of a real and present danger. The UK has the Regulation of Investigatory Powers Act (RIPA), which significantly expanded the capabilities of police and intelligence to monitor citizens in previously illegal ways. This legislation is also used improperly, as revealed in the yearly reports from the Interception Commissioner. In Canada, the Canadian government has publicly stated its intention to press ahead and introduce its lawful access legislation despite concerns raised by the public, members of the advocacy and academic community, and the information and privacy commissioners of Canada. Here, we can also expect uses of lawful access powers to overstep stated intents and infringe on Canadians&#8217; rights, intrude upon their privacy, and injure their dignity.</p>
<p>Over the past months I&#8217;ve been actively involved in working with, and talking to, other parties about lawful access legislation. This has included speaking with members of the media, publishing an op-ed, and conducting various private discussions with stakeholders around Canada who are concerned about what this legislation may (and may not) mean. Today, in the interests of making public some of the topics of these discussions, I want to address a few things. First, I quickly summarize key elements of the lawful access legislation. Next, I note some of the potentials for how lawful access powers will likely be used. None of the potentials that I identify depend on &#8216;next generation&#8217; technologies or data management/mining procedures: only technologies that exist and are in operation today are used as mini-cases. None of the cases that I outline offer significant insight into the operational working of stakeholders I&#8217;ve spoken with that can&#8217;t be reproduced from public research and records. I conclude by questioning the actual need for the expanded powers.<span id="more-2858"></span></p>
<h2>What is Lawful Access?</h2>
<p>Lawful access legislation enhances policing and intelligence powers. As recognized by <a title="External link to Ann's op-ed in the national post on lawful access" href="http://www.nationalpost.com/news/Privacy+invasion+shouldn+lawful/5631287/story.html">Ontario&#8217;s Information and Privacy Commissioner, Ann Cavoukian</a>, &#8220;it is highly misleading to call it &#8220;lawful.&#8221; Let&#8217;s call it what it is &#8211; a system of expanded surveillance.&#8221; In general, there are <a title="External link to CIPPIC document on lawful access" href="http://www.cippic.ca/en/projects-cases/lawful-access/#LA01">three classes of access powers</a> associated with such legislation: search and seizure provisions, powers to intercept private communications, and production of subscriber data. On the basis of past lawful access legislation that has been tabled, but not passed, we can expect forthcoming legislation to &#8216;modernize&#8217; the existing criminal code to accommodate several of these powers.</p>
<p>To begin, the legislation is expected to require telecommunications service providers (such as Internet service providers, web forums, bloggers, etc) to be able to decrypt any communications they are responsible for encrypting. Such encryption services might be used to ensure customer privacy, such as by offering secured communications between parties. While communications may <em>generally</em> be secure they <em>cannot</em> legally be made secure from the government by a service provider offering a turnkey encryption solution. In effect, communications will thus be <em>pseudoencrypted</em>: protected against adversaries with the same level of power as the services&#8217; users, but unprotected against the more powerful agents such as the state.</p>
<p>In addition, telecommunications service providers (TSPs) will need the ability to retain data on subscribers for up to 90 days. TSPs may be served with preservation orders, which would require them to retain data on specific individuals. Preserved data would be transferred to authorities once they have secured a production order from a judge and issued the order to the TSP. The TSP could then delete/destroy the preserved data.</p>
<p>Whereas preservation orders are used to require storage of the <em>content</em> of communications, police can access subscriber information without first receiving a court order. A wide variety of information may be disclosed, including:</p>
<ul>
<li>name</li>
<li>address</li>
<li>telephone number</li>
<li>electronic mail address</li>
<li>Internet protocol address</li>
<li>mobile identification number</li>
<li>electronic serial number</li>
<li>local service provider identifier</li>
<li>international mobile equipment identity number</li>
<li>international mobile subscriber identity number</li>
<li>subscriber identity module card number associated with the subscriber&#8217;s service and equipment</li>
</ul>
<p>This information lets authorities definitively identify individuals and the records held on them by the TSPs used in the communications process. Accompanying the no-warrant-required elements of the bills is a capacity for authorities to install &#8216;number recorders&#8217; in TSPs&#8217; communications hubs in <a title="External link to wikipedia article on what exigent circumstances mean" href="http://en.wikipedia.org/wiki/Exigent_circumstances">exigent circumstances</a>. As noted by the <a title="External link to Blaze's article on lawful access" href="http://news.nationalpost.com/2011/10/22/laws-for-21st-century-a-guide-to-canadas-proposed-lawful-access-laws/">National Post&#8217;s Kathryn Blaze Carlson</a>:</p>
<blockquote><p>A number recorder, which records the telephone numbers associated with outgoing and incoming calls, would be installed remotely by a telecommunications provider at their call centre hub. The installation can last up to 60 days, but it could be extended to one year if a warrant is obtained and if the investigation involves organized crime or terrorism.</p></blockquote>
<p>The legislation also introduces the ability to activate and/or monitor the signals emitted from location-enabled devices that Canadians carry with them or are in regular contact with. Police can do this today, but lawful access legislation would permit them to activate disabled locational systems (e.g. your phone&#8217;s GPS), including in covert ways. Such actions could be undertaken with court supervision or, potentially, in instances of emergency or exigent circumstances. It should be noted that access to geolocational information is <em>more expansive</em> than just your physical location at a particular time: the legislation is also intended to let authorities discover the location of &#8220;transactions such as geo‐tagged comments or photos from private sector service providers.&#8221; (<a title="Internal link to letter sent to the PMO regarding lawful access" href="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/08/20110809-LT_Harper-Re_LawfulAccess-FINAL.pdf">.pdf source</a>).</p>
<p>It is unlikely that a targeted Canadian will be made aware of lawful access-enabled surveillance unless charges are brought to bear. As noted in the letter that was sent to the Prime Minister&#8217;s Office in August 2011 (<a title="Internal link to letter sent to PMO regarding lawful access" href="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/08/20110809-LT_Harper-Re_LawfulAccess-FINAL.pdf">.pdf</a>), and re-confirmed in Blaze&#8217;s piece, there are elements of the legislation that impose &#8216;gag&#8217; orders on anyone who is ordered to comply with lawful access powers. Specifically,</p>
<blockquote><p>Clause 6(2) permits the government to impose, in regulations, sweeping and categorical confidentiality obligations on service providers that will apply across all interception warrants. Second, under Clause 71, any telecommunications service provider obligated to comply with a warrantless seizure request will be subject to the secrecy provisions in proposed section 7.4 of PIPEDA. Proposed section 7.4 of PIPEDA prevents organizations from disclosing the fact of their cooperation with state efforts to spy on their customers. The sweeping nature of the secrecy measures envisioned by these provisions is in stark contrast to existing practice, where gag orders must be requested from a judge and justified on a case by case basis. The problem with such measures is that they will prevent individuals from challenging abuses of the powers granted in this Bill.</p></blockquote>
<h3>Lawful Access, In Summary</h3>
<p>As I <a title="External link to op-ed in Vancouver Sun on lawful access" href="http://www.vancouversun.com/Canada+forthcoming+surveillance+bill+rein/5521531/story.html">wrote in an op-ed in the Vancouver Sun</a> in October, this legislation can be summarized as requiring:</p>
<ul>
<li>Corporate surveillance. Internet service providers, mobile phone providers, and even the websites that Canadians visit could become agents of the state, forced to preserve records of Canadians&#8217; actions at the request of authorities (<a title="External link to CBC piece on privacy and lawful access" href="http://www.cbc.ca/news/canada/story/2011/08/09/pol-internet-privacy.html">Source</a>);</li>
<li>Minimal oversight. Audit powers will be offloaded to privacy commissioners without corresponding material or legislative resources to effectively conduct audits and limit abuse (<a title="External link to privacy commission of Canada's letter about lawful access" href="http://www.priv.gc.ca/media/nr-c/2011/let_110309_e.cfm">Source</a>);</li>
<li>Warrantless disclosures. Internet users&#8217; subscriber information will be disclosed to authorities, regardless of the information’s usefulness or uselessness to an investigation (<a title="External link to Ars Technica piece on lawful access" href="http://arstechnica.com/tech-policy/news/2011/08/need-a-warrant-to-unmask-internet-users-not-if-canada-gets-its-way.ars">Source</a>);</li>
<li>Secrecy orders. Authorities might collect Canadians’ private information without those Canadians ever knowing about the collection or the reasons for collecting it (<a title="Internal link to letter to PMO regarding lawful access" href="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/08/20110809-LT_Harper-Re_LawfulAccess-FINAL.pdf">.pdf Source</a>).</li>
</ul>
<h2>Lawful Access in Practice</h2>
<p>A large number of Canadians who look at these proposals may feel some unease but then quickly assert that the legislation is ultimately innocuous. The standard rhetoric is that &#8220;If you have nothing to hide then you shouldn&#8217;t fear this legislation.&#8221; Such a statement obfuscates the realities of both contemporary policing and what studies demonstrate about how people <em>actually</em> versus <em>rhetorically</em> understand privacy. To begin, contemporary policing is deeply invested in identifying deviant behaviour and acting upon it in an &#8216;actuarial&#8217; manner. David Lyon, a <a title="External link to Lyon's NewT page" href="http://www.sscqueens.org/davidlyon">world-leading scholar on the topic and issue of surveillance</a>, presciently wrote the following back in 2003:</p>
<blockquote><p>As with database marketing, the policing systems are symptomatic of broader trends. In this case the trend is towards attempted prediction and pre-emption of behaviours, and of a shift to what is called &#8220;actuarial justice&#8221; in which communications of knowledge about probabilities plays a greatly increased role in assessments of risk (Lyon 2003: 15-16).</p></blockquote>
<p>Thus, mistakenly being situated in a wrong category can have significant implications for one&#8217;s life regardless of whether a person has &#8216;something to hide&#8217; or not. The degree to which one is public is (arguably) secondary to the &#8216;types&#8217; of people one knowingly and unknowingly associates with, whom their associates are connected to, and the risk profiles that are assigned to those communicative partners and their colleagues. To make this somewhat clearer, consider the following: In college/university/your private life you likely communicate with individuals who have, or presently do, agitate peacefully against certain state behaviours. You may or may not be aware that those individuals agitate. Perhaps you have engaged, or do engage, in discussions with those people online, either on websites of those opposed to certain state behaviours, or in the comments section of newspaper articles, or in other electronic formats. Should the police be interested in tracking the individuals invested in an issue (e.g. legalization of marijuana, legal issues surrounding sex work in Canada, protest against federal decisions concerning Sri Lankan immigrants, etc) then they may request available subscriber records for all who have participated in the online discussion.</p>
<p>Now, let&#8217;s again assume that you were <em>not</em> supportive of opposition to an official government position and thus aren&#8217;t necessarily of direct interest to authorities. Regardless, your subscriber data and that of everyone else engaged in these discussions might be requested by the police. No warrant is required to provide this information. Let&#8217;s assume that you used a unique pseudonym and throwaway email address. The authorities would gain access to your IP address and email address. They would get the same information for every participant in the discussion. With this information they could turn to whomever provided the email account, as well as contact the ISP who provisioned the IP address at the specific time that you posted your message. With information from the email provider they may be able to definitively identify the ISP that you use and, from there, your name, address, and so forth. Thus, you as &#8216;hungrybunny19&#8217; are identified as &#8216;John Smith&#8217; who was involved in discussion with individuals whom authorities are interested in monitoring for some reason or another. John Smith, you, are subsequently added into a database as associating with persons the authorities find questionable. Mr. Smith will never know that he was added into such a database because the service provider could not legally disclose that the information had been released and, as a result, Mr. Smith&#8217;s life prospects may change for legally associating and speaking with those who were similarly engaged in legal speech and association.</p>
<p>Perhaps you insist that this doesn&#8217;t describe you: you would <em>never</em> communicate about <em>anything</em> in <em>any electronic environment</em> with <em>any person</em> that would <em>ever</em> be of interest to authorities (and, if you can make and stand by these claims, you&#8217;re vetting the people that you speak with using intelligence-service-level thoroughness!). Perhaps you have a cellular phone and you have passed near major events that the police have an interest in monitoring. For example: you may have been involved in peacefully assembling during the G20 in Toronto, been a passive spectator at the Vancouver riots, visited an Occupy camp, or may simply pass by union members who are protesting working conditions in a public space several times a day as you walk around your city conducting legitimate personal business. In all cases, the authorities may have an interest in monitoring individuals associated with such groups. Using a technology known in the United States as &#8216;Stingray&#8217; or, more precisely, <a title="External link to wikipedia article on IMSI catchers" href="http://en.wikipedia.org/wiki/IMSI-catcher">IMSI catcher surveillance equipment</a>, police can impersonate a cellular tower and capture all the IMSI numbers within several kilometers of the catcher (<a title="External link to .pdf article on IMSI catchers" href="http://www.emsec.rub.de/media/crypto/attachments/files/2011/04/imsi_catcher.pdf">.pdf source</a>). The IMSIs, or International Mobile Subscriber Identity numbers, can be taken to a mobile phone provider and used to compel the subscriber data associated with the caught IMSI numbers. Thus, should one of these catchers be deployed by authorities &#8216;just in case&#8217; an individual may find their personal information sent along to police on the basis of their physical presence during a legal public event. 
The capacity to acquire IMSI numbers <em>en masse</em>, combined with legal powers to compel subscriber information, creates the perfect framework for mass fishing expeditions based on where citizens are physically present.</p>
<p>Canadians may be uncomfortable with these propositions but immediately follow up with the position that such concerns are hyperbolic. Unfortunately, a brief reflection on the history of surveillance in Canada and present actions taken by our allies (depressingly) suggests that these concerns are practically banal. During the Vancouver Olympics authorities spent incredible amounts of money on security, an element of which was allocated towards monitoring legal associations of citizens. As <a title="External link to Tyee article on olympic false alarms" href="http://thetyee.ca/News/2011/05/04/OlympicFalseAlarm/">disclosed in memos</a> there were no specific, credible, terror threats against the Vancouver Olympics. Despite these threat assessments, citizens who had specific political and economic concerns were <a title="External link to RCMP monitoring of protest group" href="http://www.cbc.ca/news/canada/nova-scotia/story/2009/11/18/ns-antigonish-olympics.html">routinely</a> placed under surveillance. In effect, citizens conducting legal actions that <em>might</em> lead to disruptions of the games became targets of a surveillance apparatus designed to prevent the next Munich massacre. Surveillance and intelligence gathering did not <a title="External link to ABCnews piece on US monitoring all social media during Olympics 2010" href="http://abcnews.go.com/Blotter/olympics-feds-reading-tweets/story?id=9825070">solely focus</a> on citizens involved in protesting government actions or others associated with the Olympics, but also their contacts, <a title="External link to CBC piece on surveillance on Shaw's student, friend, and ex-wife" href="http://www.cbc.ca/news/canada/british-columbia/story/2009/10/06/bc-olympic-security-protester-surveillance.html">friends, students, former partners</a>, and academic and professional acquaintances.
Efforts were also <a title="External link to Rabble piece detailing attempts to recruit citizen snoops" href="http://rabble.ca/blogs/bloggers/word-rings/2009/05/thought-police-working-overtime-whistler">made to recruit</a> neighbours, friends, and acquaintances to spy on suspected activists, and the RCMP tried to <a title="External link to Canada.com piece detailing RCMPs effort to avoid responding to FOI requests on Olympics to 2012" href="http://www.canada.com/vancouversun/news/westcoastnews/story.html?id=eb555565-41a6-42fc-a732-089c19d1915c">legally shield itself from fulfilling FOI requests</a> under the guise of operational security. Under lawful access legislation, the lines of inquiry could expand beyond police associations of people online &#8211; the aforementioned people communicating in Web forums &#8211; to using technologies like IMSI catchers to identify who is often nearby citizens-under-suspicion. Having coffee with a work friend who advocates for social justice on the weekends could lead to unsuspecting, and utterly uninvolved, citizens being stuck in the same net as their law-abiding colleagues who are caught in the web of actuarial justice.</p>
<p>Further, Canadian authorities have a history of monitoring those who are often the least-advantaged in our society. Consider that Military Intelligence places native communities under intense surveillance. As <a title="External link to G&amp;M article detailing native groups being monitored by military intelligence" href="http://www.theglobeandmail.com/news/politics/military-intelligence-unit-spies-on-native-groups/article2199496/">reported in the Globe and Mail</a>, eight reports were generated in just 18 months. Surveillance was conducted to record Natives&#8217; concerns surrounding new tax policies, potential to blockade Highway 401, and possible future protests, lobbying activities, and lawful associations. The group responsible for this surveillance was a counter-intelligence body charged with &#8220;identifying, investigating and countering threats to the security of the Canadian Forces and the Department of National Defence from foreign intelligence services, or from individuals/groups engaged of espionage, sabotage, subversion, terrorism, extremism or criminal activities.&#8221; At no point in the reports is it evident that native groups fell under the latter set of descriptors. With the introduction of lawful access legislation other authorities could have become involved in the surveillance and compelled telecommunications providers to disclose the contents of communications. Further, using previously mentioned tactics embedded in the legislation, subscriber information and who was communicating with whom could have been determined without warrant or court oversight.</p>
<p>In short, it is entirely plausible that lawful access could be utilized to expand existing surveillance practices conducted by Canadian authorities. <a title="External link to common letter from Canada's privacy commissioner concerning lawful access" href="http://www.priv.gc.ca/media/nr-c/2011/let_110309_e.cfm">There are serious oversight concerns</a>. Specifically, the Office of the Privacy Commissioner of Canada would be hamstrung in auditing the surveillance conducted and its motivations, and the legislation fails to extend the powers of that Office to accommodate the expansion of police powers. Further, where local or provincial police conduct surveillance, audit responsibilities would fall to provincial commissioners, and they similarly lack the resources to mount full-scale audits of authorities&#8217; proposed expansive surveillance practices. This position is forcefully stated by the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian. She <a title="External link to Cavoukian's editorial in the National Post on Lawful Access" href="http://fullcomment.nationalpost.com/2011/10/31/privacy-commissioner-ann-cavoukian-privacy-invasion-shouldn%E2%80%99t-be-%E2%80%98lawful%E2%80%99">poignantly writes that</a>,</p>
<blockquote><p>Canadians must press the federal government to publicly commit to enacting much-needed oversight legislation in tandem with any expansive surveillance measures. Intrusive proposals require, at the very least, matching legislative safeguards. The courts, affected individuals, future Parliaments and the public must be well informed about the scope, effectiveness and damaging negative effects of such intrusive powers.</p></blockquote>
<h2>The Need for Lawful Access</h2>
<p>Over the past months I&#8217;ve had the opportunity to speak with counsellors, engineers, privacy officers, and policy staff for telecommunications service providers. This has run the gamut from ISPs to an ex-VoIP provider employee to webmasters responsible for large online environments to policy wonks for massive Internet-based corporations. The various parties I&#8217;ve spoken with have held varying opinions on the previously proposed lawful access legislation; everything from cost issues, to rights problems, to implementation woes, to issues of being identified as a &#8216;problem&#8217; in the policing process.</p>
<p><strong>All, however, have told me that in almost every case where data is requested on exigent circumstances grounds it is, in fact, disclosed.</strong></p>
<p>What, specifically, is the need driving the legislation then? Authorities have routinely insisted that lawful access powers would only be used when investigating the most serious of crimes (e.g. see this <a title="External link to spark page with audio interview" href="http://www.cbc.ca/spark/2011/09/tom-stamatakis-and-murray-stooke-on-lawful-access/">audio interview with the CBC&#8217;s &#8216;Spark&#8217;</a>) but in other jurisdictions we regularly have seen expanded surveillance used to investigate less serious offences. For extensive documentation of such &#8216;expanded uses&#8217;, see Priest&#8217;s and Arkin&#8217;s <em>Top Secret America: The Rise of the New American Surveillance State</em>, allegations that the FBI <a title="External link to ACLU accusation that FBI conducted dragnet surveillance" href="http://news.cnet.com/8301-31921_3-20008444-281.html">conducted dragnet surveillance</a> to trace bank robbers, claims that routine conversations lead individuals to be <a title="External link to review of echelon" href="http://pubrecord.org/nation/2290/revisiting-echelon-nsas/">labeled as potential terrorists</a> in government databases, inappropriate monitoring of <a title="External link to recent review of MI5 operations" href="http://www.out-law.com/page-12055">hundreds of people</a> each year, yearly monitoring <a title="External link to Register piece on details from Interception Commissioner's report" href="http://www.theregister.co.uk/2010/07/28/intercept_commissioner/">of over 500,000 people&#8217;s communications</a> records, or the usage of terror-based surveillance provisions to ensure <a title="External link to monitoring of family for school registration purposes" href="http://www.guardian.co.uk/uk/2009/aug/10/email-phone-intercept-requests-police">children are registered in correct school districts</a>. 
I cannot state emphatically enough: this is a <em>very</em> small sampling of how widely used lawful-access style legislation is used by our closest of close economic, political, and military allies. There is no reason that Canadian authorities won&#8217;t demonstrate the same types of behaviour.</p>
<p>British Columbia&#8217;s Information and Privacy Commissioner, Elizabeth Denham, has asserted that <a title="External link to Vancouver Sun piece with Denham on lawful access" href="http://www.vancouversun.com/technology/Lawful+access+would+trample+rights/5482150/story.html">authorities have not demonstrated evidence</a> that investigations have been thwarted under existing access powers. Authorities have failed to provide empirical data that reveal a clear and present need for the enhanced powers contained in past, or forthcoming, lawful access legislation. Authorities have noted concerns with warranting processes, and if these concerns are legitimate (insofar as they can be documented using empirical datasets) then perhaps Parliament should consider modifying the warranting process or increasing resources so that warrants can be processed more rapidly. If, however, authorities are simply looking abroad and finding their power lacking in comparison &#8211; and cannot clearly outline why they need their compatriots&#8217; powers to protect us from truly serious crimes &#8211; then they should not be granted expanded powers. Police and other authorities should not be permitted to infringe upon Canadians&#8217; rights and further erode expectations of communicative privacy, associative privacy, or basic dignities on the basis of cross-jurisdictional envy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/lawful-access-its-potentials-and-its-lack-of-necessity/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Mobile Security and the Economics of Ignorance</title>
		<link>http://www.christopher-parsons.com/blog/technology/mobile-security-and-the-economics-of-ignorance/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/mobile-security-and-the-economics-of-ignorance/#comments</comments>
		<pubDate>Tue, 04 Oct 2011 08:05:53 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Mobiles]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data mining]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[privacycommissioner]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[windowsphone]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2813</guid>
		<description><![CDATA[Commissioners and regulators must demand that device manufacturers either provide APIs that comply with Canadian law or change existing APIs in the face of prevalent privacy issues. Where neither of these conditions are met, OS vendors should be forced to suffer significant penalties. The only way to secure devices' security and citizens' privacy is to erode the economics of ignorance that application vendors and device manufacturers alike depend on to cheat Canadians out of their personal information. <a href="http://www.christopher-parsons.com/blog/technology/mobile-security-and-the-economics-of-ignorance/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2818" class="wp-caption alignleft" style="width: 235px"><a href="http://www.flickr.com/photos/jolieg/3831264435/"><img class="size-medium wp-image-2818" title="Day 24/ Mon 17 Aug 09  " src="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/10/3831264435_59f7929bfa_o-225x300.jpg" alt="" width="225" height="300" /></a><p class="wp-caption-text">Photo by JolieNY</p></div>
<p>Mobile penetration is <a title="External link to statscan numbers" href="http://www.statcan.gc.ca/daily-quotidien/110405/dq110405a-eng.htm">extremely high</a> in Canada. 78% of Canadian households had a mobile phone in 2010, 50% of young households rely exclusively on mobiles, and 33% of Canadians generally lack landlines. Given that mobile phones hold considerably more information than &#8216;dumb&#8217; landlines and are widely dispersed, it is important to consider their place in our civil communications landscape. More specifically, I think we must consider the privacy and security implications associated with contemporary mobile communications devices.</p>
<p>In this post I begin by outlining a series of smartphone-related privacy concerns, focusing specifically on location, association, and device storage issues. I then pivot to a recent &#8211; and widely reported &#8211; survey commissioned by Canada&#8217;s federal privacy commissioner&#8217;s office. I assert that the reporting inappropriately offloads security and privacy decisions to consumers who are poorly situated to &#8211; and technically unable to &#8211; protect their privacy or secure their mobile devices. I support this by pointing to intentional exploitations of users&#8217; ignorance about how mobile applications interact with their device environments and residing data. While the federal survey may be a useful rhetorical tool I argue that it has limited practical use.</p>
<p>I conclude by asserting that privacy commissioners, and government regulators more generally, must focus their attention upon the Application Programming Interfaces (APIs) of smartphones. Only by focusing on APIs will we redress the economics of ignorance that are presently relied upon to exploit Canadians and cheat them out of their personal information.</p>
<h2>Mobile Privacy</h2>
<p>The latest smart devices often spur national headlines and consume hours of television reporting and advertising. Consumers are typically sold on the &#8216;cool&#8217; features of devices, such as video chats, new intuitive gestures, better screens and speakers, superior access to third-party applications, music services, and so forth. Rarely do security improvements or enhancements to user privacy appear anywhere near the popular marketing material. This isn&#8217;t to say that innovations in security aren&#8217;t regular: every generation of Apple&#8217;s iDevices has been accompanied by more sophisticated hardware- and software-based security innovations, and the same can be said for Android, Blackberry, and Nokia devices. Innovations in privacy are somewhat rarer. Some proponents of smartphone privacy, such as Apple, have chosen to walk away from strong privacy settings in preference for more &#8216;engaging&#8217; interfaces. Contemporary conveniences have come at the cost of consumer privacy protections.</p>
<p>There are (at least) three key areas where mobile privacy commonly comes to the fore. The integration of GPS and wifi-based location tools with the core operating systems of contemporary phones has, and will continue to, raise serious concerns about locational privacy. In tying contact information with underlying APIs, along with weak consumer privacy protections, expectations of privacy in who we associate with are threatened. Finally, poor management of third-party applications&#8217; access to stored data has, and will likely continue to, limit consumers&#8217; abilities to secure their data or prevent borderline malicious surveillance processes from taking place.</p>
<p>I will note that many of the examples I draw on will refer to Apple&#8217;s iPhone, with far fewer examples drawn from other smart phones. This isn&#8217;t necessarily meant to single out Apple but is the result of conducting months of research on deficiencies associated with Apple products. Other devices &#8211; <a title="External link to problems with HTC Android phones" href="http://arstechnica.com/gadgets/news/2011/10/security-hole-in-htc-phones-gives-up-e-mail-addresses-location.ars">Android</a> in <a title="External link on Android and antivirus vulnerability" href="http://news.cnet.com/8301-27080_3-20115108-245/android-hole-could-be-used-to-disable-antivirus-apps/">particular</a>! &#8211; have and will likely continue to manifest security vulnerabilities that infringe upon their users&#8217; expectations of privacy.</p>
<h3>Location Privacy</h3>
<p>Where a mobile device happens to be on a regular and not-so-regular basis can reveal considerable amounts of information about an individual, especially when data is collected over extended periods of time. Using basic data mining (and common sense) it is possible to identify routine movement patterns, where someone is likely to be at any time of the day, where they live and work, whether they suffer from medical conditions requiring (semi-)regular treatment, when an abnormal life event occurs, and so on. While these movement patterns are revealed regardless of whether someone has a smartphone, feature and dumb phones are less able to disclose this information to non-carrier partners. All three types of phone will disclose the following to a carrier (and anyone it&#8217;s partnered with): information such as cell identification, signal level, angle of arrival, time of arrival, and time difference of arrival can be used to calculate a phone&#8217;s position.[1] In the case of smartphones, third-party applications can typically access collected location information and transmit it back to their corporate servers. Further, on smart devices location information can be collected by identifying nearby wifi access points, by activating the GPS system, and/or by locating the phone in relationship to cellular towers.</p>
<p>Once location data is collected it can have other data overlaid upon it to gain deeper insight into who is using the phone. Imposing demographic, psychographic, and consumer information over geolocational data can establish nuanced profiles.[2] Such profiles are not just geolocationally-sensitive but also vary over time. By integrating time as a variable the data miner can develop deeper insights about the device owner by integrating migratory patterns with behavioural and imputed racial characteristics (e.g. pinpointing a phone as at gay pride parades, carnival routes, or other cultural events that have publicly disclosed geo-temporal characteristics).[3]</p>
<p>In the case of the iPhone, Apple had initially required application developers to query the user every time before accessing the GPS sub-system or locating the phone using nearby wifi access points. This meant that a customer could sporadically disclose their location as they saw fit, trading their privacy for specific benefits. This capability, which was present in all versions of iOS prior to 3.2.1, has subsequently been replaced with a uniform opt-in/out mechanism. If a user selects &#8220;OK&#8221; once when an application asks to access a device location they must do the following to modify their configuration:</p>
<ol>
<li>Open Settings;</li>
<li>Select General;</li>
<li>Open Location Services;</li>
<li>Turn off a particular application&#8217;s sharing of the device location.</li>
<li>Steps 1-4 must be repeated every time that a user wants to opt-out of location sharing again.</li>
</ol>
<p>While this is an opt-in approach, it stands in stark contrast to Steve Jobs&#8217; statements at the D8 conference. Specifically, <a title="External link to D8 transcript" href="http://d8.allthingsd.com/20100601/steve-jobs-session/#more-447">Jobs stated that Apple</a> has a &#8220;very different view of privacy than some of our colleagues in [Silicon] Valley. We take privacy extremely seriously. That’s one of the reasons we have the curated apps store. We have rejected a lot of apps that want to take a lot of your personal information and suck it up into the cloud. Privacy means that people know what they’re signing up for. In plain English, and repeatedly, that’s what it means. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of you asking them. Let them know precisely what you’re going to do with their data.&#8221; Evidently, Apple no longer takes privacy as seriously as it had in previous iterations of its business strategy.</p>
<p>In the case of Windows Phone 7 devices, many of the applications will request access to location information as a precondition of installing the application. This is true for RSS feed readers, calendaring programs, and video games. Some applications, such as the BC Ferries Sailing Information app, prominently display an option on the main screen so that users can opt-out of location sharing at any time. Unlike Apple, however, Microsoft&#8217;s phone does not contain a settings page where users can opt-out of location sharing on a per-app basis. Instead, users must entirely disable or enable all location services. Many apps will let you subsequently opt-out of location sharing, but where to disable the feature varies depending on the application.</p>
<p>Smartphones also have a habit of turning their users into &#8216;warphoners&#8217;. To clarify, this means that the phones detect, store, and subsequently transmit information about the wifi access points the phones pass by (with geolocation information) to their respective corporations. <a title="External link to MS's collection of AP data" href="http://news.cnet.com/8301-31921_3-20085028-281/microsofts-web-map-exposes-phone-pc-locations/">Microsoft</a>, <a title="External link to apple's collection of AP data" href="http://www.guardian.co.uk/technology/2011/apr/20/iphone-tracking-prompts-privacy-fears">Apple</a>, and <a title="External link to coverage of Android collecting AP information" href="http://www.theregister.co.uk/2011/04/22/google_android_privacy_concerns/">Google</a> have all been &#8216;caught&#8217; capturing locational information and sending it home to their servers. While Google&#8217;s database does limit some of the information it discloses, we can intuit its capabilities based on what was revealed about Microsoft&#8217;s own location database. Specifically, when researchers <a title="External link to CNet article on accessing the Live database" href="http://news.cnet.com/8301-31921_3-20085028-281/microsofts-web-map-exposes-phone-pc-locations/">examined the Live.com database</a> they found that some of its items moved from location to location. The Live.com database was tracking where mobile hotspots were and, thus, giving Microsoft and those accessing the database insight into the movements of not just mobile phone owners but also of non-Windows phone users who had mobile wifi access. On a contemporary smartphone there is no reason why a third-party application couldn&#8217;t also develop similar sniffing services that operated while the app was running.</p>
<p>Various privacy officials have stated that there is relatively little harm in access point information being captured. Unfortunately, few seem aware of how <a title="External link to Blackhat video" href="http://www.youtube.com/watch?v=kS4MFq3QDS4&amp;feature=youtu.be">easy it is to collect a router&#8217;s MAC address</a>. With this address it is possible to query publicly available databases that retain correlated MAC addresses and location information. Using this information, you can identify where an individual is physically situated.</p>
<p>Unfortunately, many data protection and privacy commissioners operate on complaints-based systems dependent on citizens identifying harms. Most citizens are poorly situated to trace the data flowing in and out of their phone, and have limited insight into what happens to data after it leaves their device. Those that know may be bound by non-disclosure agreements, limiting their ability to contribute to the public sphere. In light of these limitations commissioners and regulators must proactively engage with smartphone manufacturers. Government officials must ensure that APIs guarantee effective privacy controls over location information so that citizens can &#8216;control&#8217; or be aware of the flow of their personal information.</p>
<h3>Association Privacy</h3>
<p>The fact that a considerable amount of personal information is held on mobile phones is nothing new. There have been worries for years around what happens if a person loses their phone, and such anxieties will likely continue as long as humans outsource memory retention to semi-animate objects. What has changed with the rise of data-enabled devices is the ease of unknowingly losing your contact list without ever having physically lost hold of your phone. The loss of this information not only compromises contact details of associates and colleagues, but also sheds light upon who the device owner likely communicates with, has met, or generally has in their social network. Such revelations impact citizens&#8217; association privacy, insofar as they cannot be sure that their communications device won&#8217;t indiscriminately disclose to parties unknown who the owners associate with. Such revelations can have chilling consequences and also lead to profiles being developed that negatively impact the device owners or others who have their information stored on the mobile device.</p>
<p>All smartphones have address books (or address book equivalents, in <a title="External link to MS discussion of the people tile" href="http://www.microsoft.com/windowsphone/en-us/howto/wp7/people/people-hub.aspx">the case of Windows Phone</a>). The iPhone, in particular, is well-known for letting third-party applications transmit copies of users&#8217; address books. Apple installs their &#8216;Contacts&#8217; app on all phones and it cannot be removed by the phone owner. In a report by the European Network and Information Security Agency (ENISA), it was noted that there was a serious privacy concern related to how third-party applications interact with the &#8216;Contacts&#8217; application. The report&#8217;s authors write, &#8220;…in iOS, the address book is accessible to all apps. No special status is given to the user’s own contact details in the address book, meaning that, apart from the large amounts of personal data this exposes, the user’s own phone number is also accessible, which can be used for unsolicited marketing” (<a title="External link to ENISA paper" href="http://www.enisa.europa.eu/act/it/oar/smartphones-information-security-risks-opportunities-and-recommendations-for-users">.pdf</a>). Third-party application developers can access a considerable amount of personal information without first informing users of the access.</p>
<p>To be more specific, software engineer Nicolas Seriot writes that the following items are accessible through the Address Book database, which underlies the Contacts application:</p>
<ul>
<li>Names of contacts;</li>
<li>User and contacts’ phone numbers;</li>
<li>User and contacts’ email addresses;</li>
<li>Notes field, “in which many Mac users store sensitive data such as door codes or bank accounts’” (<a title="External link to source .pdf" href="http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf">.pdf</a>)</li>
</ul>
<p>These concerns are not just academic or hypothetical. In 2008, Aurora Feint was caught <a title="Link to article on Aurora Feint" href="http://gizmodo.com/5028459/aurora-feint-iphone-app-delisted-for-lousy-security-practices">looking through the Address Book Database</a>, sending it unencrypted to their servers, and subsequently matching the data against other users&#8217; contact lists to inform users when their contacts/friends were also playing the game. In this case Apple did identify the problem and subsequently removed the application from their app store. Importantly, however, the problem was detected <em>after</em> it had previously been approved for sale within their curated environment and <em>following</em> considerable public outrage. Other companies have secretly collected data as well: MogoRoad collected Swiss phone numbers to subsequently call users (though not in contravention of Swiss law) (<a title="External link to .pdf" href="http://www.mogo.ch/presse/ID_MOBILE_COMMUNICATE_MOGOROAD_EN.pdf">.pdf</a>) and <a title="External link to article" href="http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail?entry_id=46236">Storm8 collected</a> users’ phone numbers and correlated them with users’ names, email addresses, and unique device identifiers.</p>
<p>Apple does note in their <a title="External link to iOS reference library" href="http://developer.apple.com/library/ios/#documentation/ContactData/Conceptual/AddressBookProgrammingGuideforiPhone/Chapters/DirectInteraction.html#//apple_ref/doc/uid/TP40007744-CH6-SW1">iOS Reference Library that</a> “the Address Book database is ultimately owned by the user, so applications must be careful not to make unexpected changes to it. Generally, changes should be initiated or confirmed by the user.” Despite this suggestion, it remains possible for application developers to access, transmit, and modify information from the Address Book database without first requesting the user’s permission.</p>
<p>Of some concern is Apple’s more recent response when contacted about applications that transmit contact information without user consent. In their paper, “PiOS: Detecting Privacy Leaks in iOS Applications” [<a title="External link to paper" href="http://iseclab.org/papers/egele-ndss11.pdf">.pdf</a>] researchers M. Egele, C. Kruegel, E. Kirda, and G. Vigna found that popular social network application Gowalla transmitted a user’s contact book, in its entirety, without the owner&#8217;s consent. When the authors contacted Apple about this indiscriminate appropriation of contact information the company suggested that the researchers direct their concerns directly to the application developer.</p>
<p>There are several problems with how Apple has established the API for their mobile environment. To begin, their API enables access to contacts information without imposing code-based restrictions. This is a serious deficit. Second, the information that is being shared is <em>not</em> exclusively owned or controlled by the phone owners. There is no ability for those in the &#8216;Contacts&#8217; application to consent to the disclosure of their personal information to a third-party. Moreover, given their lack of consent or notice to the device owner, and given that we cannot reasonably expect that those included in the contacts book will be notified of disclosures, it is dubious that individuals in a person&#8217;s contact book will ever know to contact the application developer and have their personal information removed. Ignorance permeates all stages of the disclosure process, and this ignorance fuels the monetization of personal information.</p>
<h3>Device Storage Privacy</h3>
<p>Of course, there is even more information that is stored on these devices. In the case of iDevices there is a unified keyboard cache that is accessible to third-parties. The cache “contains all the words ever typed on the keyboard, except for the ones entered in the password field. This is supposed to help autocompletion but this mechanism effectively acts as a key-logger, storing potentially private and confidential names and numbers.” (<a title="External link to .pdf source" href="http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf">source .pdf</a>) As it stands, third-parties that access this information – without the owner knowing about this caching feature, or consenting to third-parties accessing it for non-cut/paste purposes – can uncover significant personal information about the owner. Have they recently been searching for medical products? Have they been visiting job search or infidelity websites? Have they input addresses, text messages, emails, or comments in web forums that could be sensitive? All this information is prospectively available.</p>
<p>Device storage is typically what people worry about when thinking of mobile security. Specifically, they establish passwords for their mobiles so that if the devices are lost then whoever finds the phone cannot immediately access its full contents. While physical access protection is important &#8211; and something that was specifically noted in the federal privacy commissioner&#8217;s recent survey &#8211; it is a very small part of a much larger device security and privacy framework. Simply setting a password protects you against the most obvious, if not the most common, sources of data appropriations, privacy infringements and security breaches.</p>
<h2>Reporting on Perception-Based Studies</h2>
<p>The purpose of walking through these security and privacy vulnerabilities isn&#8217;t to drive people away from smartphones or any other computing device. Rather, it is meant to underscore the current technical reality of owning and using the devices. Few people, even those who are technically savvy (myself included!), can limit the sharing of information if they are using certain smartphones. Privacy settings are <em>not</em> intended to maximize customer privacy but to facilitate perceptions that companies are meeting consumer privacy concerns. That these same companies enable the dissemination of personal information to third-parties, often without consumers learning about the dissemination or purposes of data collection, indicates the importance that Apple <em>et al.</em> place on consumer privacy. Even for the interested consumer, many apps lack a privacy policy and <a title="External link to US Senator calling for app privacy policies" href="http://news.cnet.com/8301-27076_3-20066205-248/franken-pushes-apple-google-toward-privacy-policies-for-apps/">neither Apple nor Google requires developers</a> to create or make available such policies. Indeed, to &#8216;simply&#8217; access Apple&#8217;s own privacy policy from their iDevice consumers must do the following:</p>
<ol>
<li>Select ‘Settings’</li>
<li>Select ‘General’</li>
<li>Select ‘About’</li>
<li>Select ‘Legal’</li>
<li>Press screen until copy option is available and copy the URL to the privacy policy</li>
<li>Click the ‘Home’ button</li>
<li>Open Mobile Safari</li>
<li>Select Address Bar and paste URL</li>
<li>Select ‘Go’</li>
</ol>
<p>Given the reality that customers cannot secure their personal information, or effectively even be aware of when or where it is flowing, headlines concerning the Privacy Commissioner of Canada&#8217;s recent survey can be both misleading and harmful. CBC led their coverage of the report with an article entitled &#8220;<a title="External link to CBC news piece" href="http://www.cbc.ca/news/technology/story/2011/08/25/technology-mobile-online-privacy.html">Canadians lax about cellphone security</a>&#8221; and the Vancouver Sun with &#8220;<a title="External link to Vancouver Sun article" href="http://www.vancouversun.com/technology/better%20protecting%20mobile%20privacy%20Canadians%20told/5311241/story.html">Do a better job protecting mobile privacy, Canadians told</a>.&#8221; The articles pick up on the fact that a minority of Canadians establish locking passwords or modify their privacy/sharing settings on their mobile devices. The <a title="External link to OPC survey" href="http://www.priv.gc.ca/information/survey/2011/por_2011_01_e.cfm">actual study notes that</a> those who store personal information on the devices are more likely to install a password (52% versus 33%), as are those who install applications beyond those installed on the phone by default (68% versus 27%). The report also notes that almost 60% of the people with GPS-enabled phones don&#8217;t actually have the GPS enabled. The majority is somewhat concerned about privacy issues stemming from location information, but the survey fails to inquire whether their GPS-enabled devices are smartphones that can (and do) leak and collect location information based on other data sources.</p>
<p>While it is admirable that many people claim to modify their mobile device settings to limit data disclosure, such modifications have varying degrees of effect. In the case of an iPhone, key bits of data are being collected by third-parties without customers having <em>any</em> option to prevent the collection and subsequent dissemination of personal information. The iOS API itself permits access to the address book, and similar public calls can discreetly be made to the wifi location system and the keyboard cache. The nature of iDevices makes these actions possible. Thus, <em>even if an iPhone user has a password, their data is insecure from the companies invited onto the device</em>. Further, establishing a password is insufficient to secure a mobile device: did the users of iDevices use more than the 4-digit password, which is required to initiate the full range of iDevice encryption? What did users of older devices, which no longer receive security updates, do with their devices? Use them? If so, did these same users identify themselves as taking actions to secure their privacy and believe it was effective?</p>
<p>The problem with the study, and with the subsequent headlines, is that it fails to adequately identify who a data thief might be and suggests that owners can genuinely protect their privacy while using their devices. Generally, individuals will assume that it&#8217;s a bad third-party, not Apple or their favourite video game manufacturer, who is going to abscond with their personal information and that of their family, friends, and business contacts. When the hostile party is the operating system itself consumers can only save themselves by refusing to purchase or use the device, or by relying on government regulators to prevent the harm and force manufacturers to sell devices that comply with Canadian law.</p>
<h2>Undermining the Economics of Ignorance</h2>
<p>The problem with studies like the Privacy Commissioner&#8217;s &#8211; if only for how the media will report on them &#8211; is that consumers come to believe that they are primarily responsible for security failures. This offloads a considerable amount of responsibility from government officers to a relatively impotent citizenry. Further, the survey offers a sense that device owners can take actions to significantly limit the primary vectors of information leakage. While they have some control over a few vectors they rarely have control of the primary means of information collection and dissemination.</p>
<p>There is a high level of friction when a customer must disable system-level processes to use an application without disclosing location information. Performing such actions adds considerable delays in accessing features of the phone and, as a result, most consumers simply will not disable location awareness on a regular basis. This is a behaviour we will see even if the device owners are uncomfortable with persistent disclosures. Such high levels of friction also indicate <em>near-absolute</em> absences of any genuine privacy-by-design features. Privacy-by-design does not simply mean that citizens <em>can</em> proactively protect their privacy but that user interfaces are configured to best let citizens control how and when they disclose personal information. Not only is it incredibly hard to limit the sharing of personal information using the devices&#8217; options (varying UIs in the same operating system, single opt-in options, having to burrow through layers of settings to opt-out of features that can negatively impact the rest of the device&#8217;s operation, etc.) but in many cases the dissemination of personal information cannot be blocked, no notice is given of disseminations, and data cannot be subsequently deleted from third-parties&#8217; repositories. For many smart phones, APIs should stand for &#8216;Advanced Privacy Intrusions&#8217; instead of &#8216;Application Programming Interfaces&#8217;.</p>
<p>Unwanted collection and dissemination of personal information, to say nothing of the lack of notice or inability to delete disseminated data, exploits users&#8217; ignorance and impotence for economic gain. <em>The smartphone ecosystem is substantially predicated on an economics of ignorance which, if unveiled and addressed by parties with significant direct market power, is reversible.</em></p>
<p>To be forthright: companies do not collect large sums of data and pay to store it in their databases for no reason. Corporations are not in the habit of intentionally increasing the costs of doing business without some profit-based rationale. After selling an app for $0.99 or less, no company is interested in then developing an ever-larger server infrastructure to store collected personal information without anticipating a return on their investment. The issue, however, is that many apps lack discernible privacy policies and users &#8211; especially those in curated gardens &#8211; may &#8216;trust&#8217; the applications they install on the basis that a &#8216;knowledgeable&#8217; party is believed to have rooted out bad or malicious applications. While this may be true in some cases, Apple&#8217;s integration of surreptitious data expropriation without consumer consent into their API clearly reveals that the gatekeepers who directly profit from application sales cannot be trusted. We cannot trust the fox to protect the henhouse from the other foxes!</p>
<p>Popular consumer surveys can be valuable. They are noticeably less helpful when delving deeper and deeper into technical matters, about which few members of the public should be expected to know much. Consumers may be cognizant of superficial ways to protect their personal information on their devices. Those same knowledgeable consumers are far less likely to know about the deeper vulnerabilities and intentionally designed weaknesses that pervade mobile devices. Consequently, privacy commissioners and government regulators more generally should take long, hard looks at how mobile operating systems are designed. They should ensure that the systems &#8211; and by extension the information environments they spawn &#8211; comply with Canadian law.</p>
<p>Commissioners should focus on the <em>source</em> of the worst privacy concerns which, in the case of smartphones, arguably originate in the design of operating system APIs that exploit citizens&#8217; ignorance of how and when data is migrated off of their smartphones. While there is some value in evaluating how often people modify their sharing options on mobile phones, it is as important to know <em>why they don&#8217;t</em> modify these settings - are they using devices where they don&#8217;t know how to do so, or do they find it tiresome to manage their privacy? If yes to either of the latter, then there has been a serious failure in designing the operating system&#8217;s graphical user interface. In the case of Apple and Microsoft, both of whom have almost entirely locked down basic facets of their operating systems while investing heavily in designing their mobile environments, these are intentional (if correctable) errors.</p>
<p>If operating system manufacturers will not restrict indiscriminate and non-consensual sharing of personal information on their own, then the Canadian government should step in. Government, using its regulatory powers, can resolve market imbalances by investing in the research to identify market problems and subsequently correcting information asymmetries that disrupt market processes and that infringe upon Canadian law. Such corrections might entail issuing fines on a per-device-sold basis, publicly naming and shaming offending companies, or even using federal dollars to deliver public warning announcements about the harms associated with specific smartphone operating systems.</p>
<p>Regardless of the solution, it should be significant enough to either rebalance the information asymmetry between consumers and device manufacturers or disrupt the profitability of exploiting ignorance to extract personal information from mobile devices. Ultimately, commissioners and regulators must demand that device manufacturers either provide APIs that comply with Canadian law or change existing APIs in the face of prevalent privacy issues. Where neither of these conditions is met, OS vendors should be forced to suffer significant penalties. The only way to secure devices&#8217; security and citizens&#8217; privacy is to erode the economics of ignorance that application vendors and device manufacturers alike depend on to cheat Canadians out of their personal information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/mobile-security-and-the-economics-of-ignorance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Review: Surveillance or Security?</title>
		<link>http://www.christopher-parsons.com/blog/privacy/review-surveillance-or-security/</link>
		<comments>http://www.christopher-parsons.com/blog/privacy/review-surveillance-or-security/#comments</comments>
		<pubDate>Wed, 23 Feb 2011 06:56:15 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[DPI]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Mobiles]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[deep packet inspection]]></category>
		<category><![CDATA[landau]]></category>
		<category><![CDATA[review]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2419</guid>
<description><![CDATA[In Surveillance or Security? The Real Risks Posed by New Wiretapping Technologies, Susan Landau focuses on the impacts of integrating surveillance systems into communications networks. Her specific thesis is that integrating surveillance capacities into communications networks does not necessarily or inherently &#8230; <a href="http://www.christopher-parsons.com/blog/privacy/review-surveillance-or-security/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2420" class="wp-caption alignleft" style="width: 212px"><a href="http://mitpress.mit.edu/catalog/item/default.asp?ttype=2&amp;tid=12455"><img class="size-medium wp-image-2420" title="Surveillance-or-Security" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2011/02/9780262015301-f30-202x300.jpg" alt="" width="202" height="300" /></a><p class="wp-caption-text">Courtesy of the MIT Press</p></div>
<p>In <a title="External link to MIT website for book" href="http://mitpress.mit.edu/catalog/item/default.asp?ttype=2&amp;tid=12455">Surveillance or Security? The Real Risks Posed by New Wiretapping Technologies</a>, Susan Landau focuses on the impacts of integrating surveillance systems into communications networks. Her specific thesis is that integrating surveillance capacities into communications networks does not necessarily or inherently make us more secure, but may introduce security vulnerabilities and thus make us <em>less</em> secure. This continues on threads that began to come together in the book she and Whitfield Diffie wrote, titled <a title="Internal link to review of book" href="http://www.christopher-parsons.com/blog/reviews/review-privacy-on-the-line/">Privacy on the Line: The Politics of Wiretapping and Encryption, Updated and Expanded Edition</a>.</p>
<p>Landau&#8217;s work is simultaneously technical and very easy to quickly read. This is the result of inspired prose and gifted editing. As a result, she doesn&#8217;t waver from working through the intricacies of DNSSEC, nor how encryption keys are exchanged or mobile surveillance conducted, and by the time the reader finishes the book they will have a good high-level understanding of how these technologies and systems (amongst many others!) work. On the policy side, she gracefully walks the reader through the encryption wars of the 1990s,[<a name="_foot1"></a><a href="#_f1">1</a>] as well as the politics of wiretapping more generally in the US. You don&#8217;t need to be a nerd to get the tech side of the book, nor do you need to be a policy wonk to understand the politics of American wiretapping.</p>
<p>Given that her policy analyses are based on a deep technical understanding of the issues at hand, each of her recommendations carries a considerable amount of weight. As examples, after working through authentication systems and their deficits, she differentiates between three levels of online identification (machine-based, which relies on packets; human, which relies on application authentication; and digital, which depends on biometric identifiers). This differentiation lets her consider the kinds of threats and possibilities each identification-type provides. She rightly notes that the &#8220;real complication for attribution is that the type of attribution varies with the type of entity for which we are seeking attribution&#8221; (58). As such, totalizing identification systems are almost necessarily bound to fail and will endanger our overall security profiles by expanding the surface that attackers can target.<span id="more-2419"></span></p>
<p>Landau argues that key US intercept laws, <a title="Wikipedia article on CALEA" href="http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act">such as CALEA</a>, often add costs that delay the deployment of new products. Further, such laws act as market barriers to smaller competitors because they find it challenging to comply with laws that demand costly infrastructure investments that aren&#8217;t needed for day-to-day operations. To comply with CALEA, telecommunications carriers are increasingly purchasing expensive and fungible systems that integrate <a title="External link to 'what is deep packet inspection'" href="http://www.deeppacketinspection.ca/what-is-dpi/">deep packet inspection technologies</a>. To offset equipment costs, these same carriers are motivated to use their fungible equipment to prioritize and delay traffic. Landau takes a dim view of such repurposing, writing that:</p>
<blockquote><p>There is no need to do deep packet inspection to determine traffic priority. The simple solution to the traffic congestion problem consists of IPv6, the long-delayed IP protocol, and Internet usage pricing. IPv6 has two fields, one for service &#8230; and one for the quality of service designated by the user &#8230; Instead of the ISP determining the traffic shaping, the customer can do so, and can pay for the privilege of employing the faster service (132).</p></blockquote>
<p>Further, inserting surveillance equipment that can massively mediate data and voice communications introduces intentional vulnerabilities into the communications infrastructure. In effect, wiretapping creates risks to communication security and, by endangering the privacy of citizens&#8217; communications, society&#8217;s social fabric. Given the widespread introduction of such vulnerabilities throughout American telecommunications networks, two things are required to ensure secure communications:</p>
<ol>
<li>End-to-end encryption to guarantee message content;</li>
<li>Company practices that disallow divulging conversations and that disallow revealing that communications between parties even happened.</li>
</ol>
<p>Extending her view of communications security beyond the borders of continental America, Landau argues that providing secure communications systems to NGOs and other &#8216;on the ground&#8217; parties lets them communicate useful intelligence to the world without fearing retribution from local authorities. The US and UN alike have diminishing sites of presence throughout the world but NGOs continue to burrow into the world&#8217;s social fabric. The US is thus well served in pumping research dollars into projects <a title="External link to Tor's about page" href="https://www.torproject.org/about/overview.html.en">such as Tor</a>; only by doing so can America hope to have an informed perception of the world.</p>
<p>After arguing that DPI (and, by extension, technologies replicating DPI functionality) is effectively a totalizing surveillance apparatus, Landau writes:</p>
<blockquote><p>The real issue about ubiquitous DPI would be a necessary reliance on anonymization tools such as Tor to hide transactional information. Anyone not using these privacy-preserving, security-protecting tools in the face of omnipresent DPI usage by communications providers would be endangering themselves, their companies, and anyone with whom they communicated. Looking purely from the vantage point of security, it is difficult to understand law enforcement&#8217;s push for the ubiquitous use of DPI. This is a short-term solution to enable wiretapping with severe long-term negative consequences for communications security (222).</p></blockquote>
<p>Such long-term consequences arise because infrastructure can be exceedingly challenging to retrofit; once hardware is deployed in the field, networks configured, and policies set in place, modifying them can be devilishly difficult.[<a name="_foot2"></a><a href="#_f2">2</a>] The potential consequence is that all ICT systems reliant on the Internet to communicate could be vulnerable to security exploits. Were such an exploit ever taken advantage of, the public would reduce its trust in its communications systems. With a loss of trust, and subsequent loss of speech, the democratic spirit suffers.</p>
<p>So, what are the solutions? Landau recognizes that the network of yesterday is poorly suited for the needs of today and tomorrow. Rather than trying to retrofit security, authentication, and identification across the entire Internet, a more granular and modest approach is preferred. The widespread adoption and deployment of <a title="External site talking about SDNs" href="http://connectionmanagement.org/2010/09/28/software-defined-networking-and-the-new-internet/">Software Defined Networks</a> (SDNs) would enable a multifaceted security profile at the switch/node, providing authentication and identification for some, but not all, transactions and transmissions. Worrying that present and future security policies at nodes are subject to economic facts &#8211; vendors often receive a greater market share by getting to market first rather than by providing a secure product &#8211; Landau argues that all security-driven vendors should be somehow accountable for exploits of their systems. This would place economic risk on vendors, encouraging delays to market in order to resolve security deficits and avoid future economic losses.</p>
<p>The book concludes with a series of principles that are needed to &#8216;get communications security right&#8217;. They are:</p>
<ol>
<li>Wiretapping laws and technologies must be measured against the threats they pose to communications security. These laws and technologies should not be implemented if they would substantively threaten the &#8220;freedom, security, human dignity, or the consent of the governed&#8221; (251).</li>
<li>To preserve freedom for posterity, the following must be adopted:
<ol>
<li>Interception technologies must be designed such that auditing functions are automatically on;</li>
<li>The design of interception access should minimize flexibility to reduce risks that the system can be subverted;</li>
<li>The system should be designed to have genuine two-factor control;</li>
<li>The design should be subject to open public review before implementation in any public network.</li>
</ol>
</li>
<li>Any suspension of communications&#8217; privacy protections must only occur for extremely short durations (think measurable in hours or days, not weeks, months, or years) and only during periods of extreme danger. Audits and evaluations of the suspension(s) must follow.</li>
<li>Communications surveillance must not impede the working of the press, on the belief that a &#8220;nation is a democracy only so long as journalists&#8217; communications are secure&#8221; (252).</li>
</ol>
<p>On the whole, the book is excellent. Landau possesses a deep technical and policy understanding of American wiretapping, and brings both of these to bear in her evaluations and policy recommendations. Further, she is gifted in her ability to explain to the layperson and expert alike how policy and security intersect, with hosts of examples throughout the book to supplement her overall argument that intentional security deficits for wiretapping purposes are dangerous to communications security and communicative privacy. When Landau moves away from security, however, the text is on weaker footing. While the fourth estate is an important element of a democracy, one can&#8217;t help but think of Herman and Chomsky&#8217;s <em><a title="Wikipedia article on Manufacturing Consent" href="http://en.wikipedia.org/wiki/Manufacturing_Consent:_The_Political_Economy_of_the_Mass_Media">Manufacturing Consent: The Political Economy of the Mass Media</a></em> (and the <a title="Wikipedia article on the propaganda model" href="http://en.wikipedia.org/wiki/Propaganda_model">Propaganda Model more specifically</a>) and feel that her trust in and reliance on the American press is somewhat overstated. There are some sections that also seem particularly patriotic &#8211; private communications caused Americans to adopt the telegraph more rapidly than their surveilled European counterparts, as one example &#8211; which could have been more critical of both American and European communications history alike.</p>
<p>I should point out two caveats that might bother some readers. First, the book focuses on the reality of American surveillance. Landau&#8217;s justifications are that wiretapping and surveillance are complex issues that need nuance, that US choices affect the rest of the world, and that communications intelligence and interference affect economics. A good place to start looking at the economic impacts is at the national, rather than international, level. Second, Landau argues that the line to draw is not between surveillance and civil liberties but between surveillance and security. If either of these conditions is particularly unpalatable, then the book may not be for you.</p>
<p>On the whole, I would highly recommend Susan&#8217;s book. It&#8217;s extremely well referenced, technically savvy, politically aware, and forward thinking. If you&#8217;re interested in the politics of security, what governments and technologists are up to in the field of communications security and communications infrastructure, or the implications of present communications infrastructures for the future of democracy, then you need to buy and read this book.</p>
<h2>Footnotes:</h2>
<p>[<a name="_f1"></a><a href="#_foot1">1</a>] For an excellent overview of the encryption wars, see &#8220;The Encryption Wars: An interview with Jay Worthington&#8221; (<a title="External link to .pdf interview about the encryption wars" href="http://emoglen.law.columbia.edu/my_pubs/cabinet.pdf">link to .pdf</a>).</p>
<p>[<a name="_f2"></a><a href="#_foot2">2</a>] Her argument here closely follows that of Langdon Winner&#8217;s in <em>The Whale and the Reactor</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/privacy/review-surveillance-or-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Distinguishing Between Mobile Congestions</title>
		<link>http://www.christopher-parsons.com/blog/technology/distinguishing-between-mobile-congestions/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/distinguishing-between-mobile-congestions/#comments</comments>
		<pubDate>Wed, 22 Dec 2010 23:36:45 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[DPI]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[Mobiles]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[at&t]]></category>
		<category><![CDATA[congestion]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[Rogers]]></category>
		<category><![CDATA[signalling]]></category>
		<category><![CDATA[wireless]]></category>
		<category><![CDATA[wireline]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2161</guid>
		<description><![CDATA[In this post I suggest that the congestion faced by AT&#038;T and other wireless providers has far less to do with data congestion than signal congestion, and that carriers have to own responsibility for the latter type of congestion. <a href="http://www.christopher-parsons.com/blog/technology/distinguishing-between-mobile-congestions/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[<div id="attachment_2162" class="wp-caption alignleft" style="width: 235px"><a href="http://www.flickr.com/photos/s__i/4436401053/"><img class="size-medium wp-image-2162" title="West Span Congestion" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/12/4436401053_47b4e3ff50_o-e1293057824774-225x300.jpg" alt="" width="225" height="300" /></a><p class="wp-caption-text">by Simon Tunbridge</p></div>
<p>There is an ongoing push to &#8216;better&#8217; monetize the mobile marketplace. In this near-future market, wireless providers use DPI and other Quality of Service equipment to charge subscribers for each and every action they take online. The past few weeks have seen <a title="External link to Ars article on DPI in mobile" href="http://arstechnica.com/tech-policy/news/2010/12/can-isps-charge-more-to-make-gaming-work-better-they-already-do.ars">Sandvine and other vendors talk about this potential</a>, and Rogers has begun testing the market to determine if <a title="External link to blog on Rogers' tests" href="http://saveournet.ca/content/rogers-considering-%E2%80%9Cdata-priority-service%E2%80%9D-plan">mobile customers will pay for data prioritization</a>. The prioritization of data is classified as a network neutrality issue proper, and one that demands careful consideration and examination.</p>
<p>In this post, I&#8217;m not talking about network neutrality. Instead, I&#8217;m going to talk about what supposedly drives prioritization schemes in Canada&#8217;s wireless marketplace: congestion. Consider this a repartee to the oft-touted position that &#8216;wireless is different&#8217;: ISPs assert that wireless is different than wireline for their own regulatory ends, but blur distinctions between the two when pitching &#8216;congestion management&#8217; schemes to customers. In this post I suggest that the congestion faced by AT&amp;T and other wireless providers has far less to do with <em>data</em> congestion than with <em>signal</em> congestion, and that carriers have to own responsibility for the latter. <span id="more-2161"></span></p>
<p>Since the first generation iPhone was exclusively released to AT&amp;T in the US, AT&amp;T&#8217;s network woes have become almost legendary amongst smartphone users. Dropped calls. Slow downloads. Dead zones. From today&#8217;s vantage point, we often forget just how remarkable it is for a smartphone to properly display the web with a rich browser, let alone how significantly we have embraced &#8216;application-based&#8217; computing on our smart devices. While these portable computers (with bolted-on phone capabilities) are delightful to use, wireless providers around the world often warn us about <a title="External link to recent article on data hogs" href="http://www.networkworld.com/news/2010/111610-wireless-data-deluge.html">&#8216;data pigs&#8217; who &#8216;hog&#8217; all the bandwidth</a> to the detriment of fellow wireless customers. How dare those paying a premium for wireless bandwidth use it!</p>
<p>To underscore the &#8216;dangers&#8217; that these &#8216;pigs&#8217; pose, the problems facing AT&amp;T&#8217;s wireless network are <a title="External link to globe and mail article talking about AT&amp;T congestion" href="http://www.theglobeandmail.com/news/technology/canadian-carriers-keeping-up-with-congestion/article1275617/">regularly called forth by carriers and media</a> to demonstrate just how bad things can get if networks are poorly provisioned. The problem is that, while there have been massive increases in the amount of wireless bandwidth that providers have to transit, data transmissions are not solely responsible for congestion on AT&amp;T&#8217;s network. Let me explain.</p>
<p>AT&amp;T&#8217;s network has experienced a <a title="Link to Internet News article with statistic from AT&amp;T" href="http://www.internetnews.com/mobility/article.php/3843001/ATT-Faces-5000-Percent-Surge-in-Traffic.htm">5000% increase in wireless data transit</a> in the past few years. This growth has been fuelled by the hosts of smart devices brought to market since the release of the iPhone, with Apple&#8217;s products and Android-OS devices accounting for a considerable percentage of that growth. The story goes that, since smartphone &#8216;pigs&#8217; are breaking the Internet for everyone, the pigs should have to pay extra for the privilege, with Rogers presently contemplating whether these customers should <a title="Link to save our net blog talking about Rogers and prioritization" href="http://saveournet.ca/content/rogers-considering-%E2%80%9Cdata-priority-service%E2%80%9D-plan">pay a surcharge if they want to evade network congestion</a>. With the regularity that data congestion is written and spoken about by the media, congestion has become a &#8216;fact&#8217; around which discussions about managed Internet services are oriented. Congestion is the &#8216;fact&#8217; that reinforces why consumers need to subsidize massive infrastructure investments. Congestion is also a fact that desperately needs public contestation.</p>
<p>What mobile providers are less likely to talk about are the technical difficulties facing AT&amp;T around the smart devices they support. The iPhone, along with other smart devices including the Blackberry and those running Android, has historically been configured to drop data connections once any requested data is received, reinitiating a data connection when the device requires additional data. This technique conserves battery power but has the <a title="Link to Ars article on signalling" href="http://arstechnica.com/gadgets/news/2010/02/how-smartphones-are-bogging-down-some-wireless-carriers.ars">unfortunate effect of overloading the signalling channels</a> that cell nodes use to set up data connections, signal phone calls, transmit SMS messages, receive voice messages, and so forth. Save for extremely poorly provisioned areas, data capacity itself on the cell nodes is rarely a problem. Instead, older networks that didn&#8217;t see early adoption of heavy texting or data use (read: North American networks) must be upgraded to handle an ever-increasing number of devices that are rapidly connecting to and disconnecting from the networks.</p>
<p>What does this mean for congestion, then? It means that while an <em>incredibly</em> small minority of users might be using truly &#8220;amazing&#8221; amounts of data (read: 2+ GB/month), simply having a contemporary, pre-iOS 4.2 Apple product on your person contributes to cellular &#8216;congestion&#8217;. (The same is true if you use a WebOS device, Android-based phone, or a Blackberry.) Why the distinction between versions of Apple&#8217;s operating system driving their mobile product lines? Because from Nokia Siemens Networks&#8217; tests last month we&#8217;ve learned that <a title="link to NSN blog post on Apple 4.2 signalling" href="http://blogs.nokiasiemensnetworks.com/news/2010/11/30/new-iphone-os-supports-our-network-technology-to-boost-smartphone-performance/">the newest version of iOS corrects Apple devices&#8217; signalling problems</a>. Apple has implemented a signalling technique that increases battery life whilst addressing the signal congestion problem; they&#8217;ve simultaneously made things better for both the consumer and the carrier.</p>
<p><em><strong>To recap</strong>: Apple has largely corrected the congestion problems caused by their devices, when those devices are used in well-provisioned wireless networks. This was accomplished by upgrading iDevices&#8217; operating systems, not by building out new carrier infrastructure. Imposing higher fees for carrying data, reducing data consumption, and so forth has a minimal effect on the kinds of signalling congestion caused by contemporary smart devices.</em></p>
<p>So, what lessons can we draw from these actual, engineering-based facts?</p>
<ol>
<li>The language around congestion is unclear and needs to be better nuanced. Wireless providers use AT&amp;T&#8217;s woes as demonstrations of what happens when the networks experience <em>data</em> congestion. Data congestion is great for carriers because it&#8217;s easy to ascribe responsibility for excess data usage: customer A has used a lot of data, caused congestion, and now has to pay for it (<em>though the sidenote is that these customers are already paying for their bandwidth; when was the last time your wireless provider just gave away wireless bandwidth?</em>). Our public debates need to incorporate the notion of <em>signal</em> congestion, where the devices sold to us by wireless providers are themselves responsible for congestion. If providers are selling (on long-term contracts) devices that they know cause signalling congestion, why should the customer <em>ever</em> have to pay extra for their faulty device to be made fully operable? While it might be acceptable for customers to cover some data congestion costs, <em>carriers must be held responsible for selling devices that cause signal congestion.</em></li>
<li>We need engineers to take part in public discussions if we&#8217;re to understand the actual problems facing wireless providers. Engineers understand &#8216;network management&#8217; a bit differently than most business executives; the former want the network to function at a technical level, whereas the latter want the network to be productive in a technical and economic sense &#8211; the network needs to be operable, but it also needs to be maximally profitable while operating. Before we can discuss (ir)rational economic and business practices, everyone needs to be on a common technical footing, and this means engineers with knowledge of the networks are essential for well-informed debate.</li>
<li>In the absence of engineers coming forward from within the wireless provider companies to correct the technical facts around signal and data congestion, some kind of oversight mechanism for wireless networks is required. Whether this is a federal institution, an international association, or something else isn&#8217;t key to my overarching point: we need someone to keep providers honest about what causes problems on their networks.</li>
<li>Before we talk about offering &#8216;prioritized service&#8217; to smartphone customers, we <em>desperately</em> need to clarify whether this service is designed to monetize signalling congestion or data congestion. If it&#8217;s a case of the former, then we need to talk about providers&#8217; responsibilities to offer fully functional and compatible smartphones; customers shouldn&#8217;t be punished financially for being sold technically limited devices. If signalling is the problem, then Rogers&#8217; efforts constitute a monetization strategy designed to take advantage of archaic infrastructure that desperately needs updating. If, however, independent third-party engineers can examine the Rogers network and recognize that their customers are actually experiencing data congestion &#8211; that signalling congestion is an absolute non-issue for Rogers &#8211; then a discussion about data congestion can and should take place.</li>
</ol>
<p>A key part of any debate, a part often unspoken, revolves around the framing of an issue. Framing constitutes what a news report/blog &#8220;presumes to be significant, how it certifies the relevant players, how it narrates the conflict. Each statement renders the others invisible. The frame is most powerful not for what it includes, but for what it leaves out as either insignificant or obvious&#8221; (Gillespie, <em>Wired Shut</em>, 2007, 134). Almost none of the congestion debates about wireless broadband have recognized signalling capacity or smart device adherence to signalling standards as key to the issue at hand. Instead we&#8217;ve seen a sloppy (and, in the case of carriers, likely intentional) conflation of signalling and data congestion, and this kind of thinking and discourse must stop. If wireless is truly different, then let&#8217;s get serious about it being different; let&#8217;s look at the technical differences, how congestion can happen at different points in the wireless network than in wireline networks, and what kinds of congestion are causing degraded customer experiences.</p>
<p>In effect: before we start talking about congestion and prioritization, let&#8217;s actually figure out what is causing the congestion, who&#8217;s responsible, and then get into a bigger discussion of what are responsible solutions to degraded mobile experiences. Doing anything else obscures the broader framework that congestion discussions take place within and severely limits critical engagements with the issue of mobile congestion.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/distinguishing-between-mobile-congestions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>iPhone Promiscuity</title>
		<link>http://www.christopher-parsons.com/blog/privacy/iphone-promiscuity/</link>
		<comments>http://www.christopher-parsons.com/blog/privacy/iphone-promiscuity/#comments</comments>
		<pubDate>Wed, 15 Dec 2010 21:15:42 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Mobiles]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[congestion]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[nokia]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[throttling]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2131</guid>
		<description><![CDATA[In this short post I want to revisit two issues I've previously written about: the volume of information that the iPhone emits when attached to WiFi networks and its contribution to carriers' wireless network congestion. <a href="http://www.christopher-parsons.com/blog/privacy/iphone-promiscuity/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_2134" class="wp-caption alignleft" style="width: 266px"><a href="http://www.flickr.com/photos/stevekeys/2198231189/"><img class="size-medium wp-image-2134" title="slide-that-shit-indeed" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/12/slide-that-shit-indeed-256x300.jpg" alt="" width="256" height="300" /></a><p class="wp-caption-text">Photo credit: Steve Keys</p></div>
<p>I&#8217;ve written a fair bit about mobile phones; they&#8217;re considerable conveniences that are accompanied by serious <a title="external link to gizmodo on iphone security" href="http://gizmodo.com/5673131/ios-41-security-flaw-puts-your-iphones-information-at-risk">security</a>, <a title="Internal link to geolocation issues with mobiles" href="http://www.christopher-parsons.com/blog/technology/update-geolocation-and-mobiles/">privacy</a>, and <a title="internal link to review of iPhone security" href="http://www.christopher-parsons.com/blog/technology/do-you-know-who-your-iphones-been-calling/">technical</a> deficiencies. Perhaps unsurprisingly, Apple&#8217;s iPhone has received a considerable amount of criticism in the press and by industry because of the Apple aura of producing &#8216;excellent&#8217; products combined with the general popularity of their mobile device lines.</p>
<p>In this short post I want to revisit two issues I&#8217;ve previously written about: the volume of information that the iPhone emits when attached to WiFi networks and its contribution to carriers&#8217; wireless network congestion. Revisiting the first issue is meant to further document, for my readers and my own projects, just how much information the iPhone makes available to third parties. The second, however, reveals that a technical solution resolves the underlying cause of wireless congestion associated with Apple products. Thus, trapping customers into bucket-based data plans in response to congestion primarily served financial bottom lines instead of customers&#8217; interests. This instance of leveraging an inefficient (economic) solution to a technical problem might, then, function as a good example of the difference between &#8216;reasonable technical management&#8217; that is composed of technical and business goals versus the management of just the network infrastructure itself.<span id="more-2131"></span></p>
<p><strong>How Loud is Your iPhone?</strong></p>
<p>I recently covered a technical paper on <a title="Internal link to post on technical and privacy issues w iphone" href="http://www.christopher-parsons.com/blog/technology/do-you-know-who-your-iphones-been-calling/">security vulnerabilities in the iOS architecture</a> that examines how application developers can capture an iPhone&#8217;s unique identifier to both track the actions taken on a phone and correlate those actions with a particular user. To accomplish either of these consentless data collections, developers must make a few specialized API calls. Thus, while the iPhone makes the information available it doesn&#8217;t default to broadcasting it to the world at large; some degree of intentionality is required for application developers to access the information.</p>
<p>When sending data over a network a certain degree of trust in the network and its administrator is required, and this is especially true when attaching iDevices to a network. Unlike many WiFi appliances and computers, Apple&#8217;s mobile consumer line defaults to associating a computer&#8217;s user account name with the class of mobile device. For example, when you first connect an iPhone to an Apple computer the device takes a name of the form &#8216;Account User Name&#8217;s iPhone&#8217;; in my own case, this saw my iPhone named Christopher Parsons&#8217; iPhone. Per <a title="External link to Graham's post" href="http://erratasec.blogspot.com/2010/11/is-iphone-identifiable-on-wifi-network.html">Robert Graham over at Errata Security</a>:</p>
<blockquote><p>This name appears in many places. The first thing your phone needs is a network address, which it gets from the WiFi access-point via something called &#8220;DHCP&#8221;. The owner of the access-point can pull up the &#8220;DHCP Table&#8221; at any point in order to see who is connected. They will see your iPhone in that list.</p>
<p>Apple also sends out your name in what&#8217;s called &#8220;mDNS&#8221; packets every couple of minutes. Even though DHCP only makes your name visible at the start of the connection, mDNS will notify everyone on the local network every few minutes thereafter.</p></blockquote>
<p>This effectively lets a network administrator &#8211; or any individual running packet sniffing applications that grab unencrypted data packets out of the air &#8211; correlate data traffic not only with particular devices (which is normal with all devices connected to a wireless network) but potentially with the actual individual. This latter correlation, of course, does depend on matching a face and a name, but with the prevalence of photo tagging and social media use more generally, there are good chances that a quick Google search of your name associated with key search terms will turn up your face.</p>
<p>In light of administrators&#8217; abilities to closely identify who is using particular devices, Graham recommends modifying the name associated with the device or getting rid of the &#8216;iPhone/iPad/iPod Touch&#8217; moniker. Of course, this assumes that the administrator is only examining the mDNS packets and not digging deeper into your unencrypted traffic. If they are digging deeper then renaming the device is insufficient; encryption and obfuscation practices would need to be adopted instead.</p>
<p>Where and why is this significant? If your employer has a &#8216;no iDevice&#8217; policy at work then you need to think twice before connecting your Apple product to the corporate network. It is incredibly hard to mask that you are using an iPhone or other WiFi-enabled iDevice; the MAC address and user-agent associated with the browser, along with the actual name of the device, give Apple&#8217;s products away very quickly. Encrypting and obfuscating traffic may work, but success is likely dependent on the technologies being used to monitor network traffic. It&#8217;s likely that the best way &#8216;around&#8217; any such policy, then, is to use a 3G-enabled device and forgo the corporate WiFi network entirely.</p>
<p><strong>iPhone Gets Quieter at the Tower</strong></p>
<p>Earlier this year I wrote that <a title="internal link to post on iPhone tower signalling issues" href="http://www.christopher-parsons.com/blog/politics/the-consumable-mobile-experience/">Apple&#8217;s breaking of the 3GPP protocol on the iPhone was the likely cause of many tower congestion problems</a>. Because iOS violated 3GPP it more regularly signalled to AT&amp;T&#8217;s towers than smart phones that met the protocol. It was the iPhone&#8217;s signalling promiscuity, rather than actual consumer data usage, that was primarily responsible for wireless networks&#8217; woes. Rather than calling out Apple for poor protocol implementation, Apple and AT&amp;T both publicly asserted that the problems were on AT&amp;T&#8217;s end. Similar assertions are common internationally amongst wireless carriers selling the iPhone, and this rhetoric generally drives wireless providers&#8217; arguments that wireless bandwidth is already in limited supply. Because of these &#8216;limits&#8217;, high-priced data buckets, throttling, and zealous &#8216;network management&#8217; are being forced on mobile users.</p>
<p>Nokia Siemens Networks published results of their <a title="link to NSN blog on results of their iOS 4.2 tests" href="http://blogs.nokiasiemensnetworks.com/news/2010/11/30/new-iphone-os-supports-our-network-technology-to-boost-smartphone-performance/">iOS 4.2 tests late last month</a> and noted that the newest version of Apple&#8217;s iOS corrects the oversignalling problem. Rather than switching between an active and inactive state, iOS devices can take advantage of an intermediate state which lets smart phones wake up quickly when they need to send/receive data while simultaneously reducing the devices&#8217; number of signalling attempts. NSN, in its non-iPhone tests, found that introducing intermediate signalling behaviour results in longer battery life, with devices achieving an 11 hour battery life with the intermediate rest stage as opposed to 6 hour lifespans on identical devices using active/passive signalling technologies.</p>
<p>What are the impacts of the update for iOS users then? Positively, they can expect longer battery life and more rapid data transit speeds. As an iPhone user myself who uses iOS 4.2 I can confirm that battery life is better than it was with prior operating systems. I haven&#8217;t detected a noticeable change in the rapidity of data transit in my daily uses.</p>
<p>Negatively, however, we&#8217;re unlikely to see a reversal of the rhetoric that smart phones are the bane of wireless infrastructures. AT&amp;T&#8217;s network failures &#8211; a combination of infrastructural deficiencies and bad iOS signalling code &#8211; are unlikely to be massively ascribed to Apple now that the problem is fixed. Instead, AT&amp;T will continue to support strawman arguments about why &#8216;all you can eat&#8217; data plans are dangerous to offer, regardless of whether <a title="link to ars article on consumers' wanting unlimited mobile plans" href="http://arstechnica.com/gadgets/news/2010/11/unlimited-data-means-more-to-smartphone-users-than-savings.ars">customers want them or not</a>. Data plans will continue to increase in cost, despite decreasing delivery and network infrastructure expenses as mobile devices are updated to correct bad signalling behaviours, more efficiently compress data, and make better use of available spectrum.</p>
<p>Perhaps the most important part of this, however, is that code alone could resolve the fiasco around iOS signalling habits. The economic responses that AT&amp;T and other wireless providers pushed onto their customers were exercises in testing the costs that the market would bear for wireless data, though this &#8216;test&#8217; demanded first tricking customers about the market&#8217;s actual conditions. AT&amp;T and other providers could have gone after smartphone developers &#8211; publicly exhorting them to improve their signalling techniques, publicly criticizing developers&#8217; lackadaisical response to the problem &#8211; but instead we witnessed an (effective) attempt to raise prices. This (again) reveals that wireless companies would rather artificially construct perceptions of data scarcity than focus on resolving the problems experienced by smartphone customers in a transparent, honest, and genuine manner. It also underscores Ohm&#8217;s point that &#8216;reasonable network management&#8217; often incorporates financial motives at the expense of &#8216;pure&#8217; technical solutions to managing the network.</p>
<p>If engineers alone were responsible for addressing Apple devices&#8217; bad signalling behaviour, I doubt we would have seen a several year gap between the introduction of the iPhone and iOS and the correction of a significant problem it caused to wireless networks. Perhaps this <a title="internal link to post where I call for an independent audit body to monitor ISPs' networks" href="http://www.christopher-parsons.com/blog/isps/rogers-network-failures-and-third-party-oversight/">constitutes another reason</a> for instituting a neutral third-party to watch over how ISPs and wireless companies alike govern their networks!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/privacy/iphone-promiscuity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Decrypting Blackberry Security, Decentralizing the Future</title>
		<link>http://www.christopher-parsons.com/blog/technology/decrypting-blackberry-security-decentralizing-the-future/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/decrypting-blackberry-security-decentralizing-the-future/#comments</comments>
		<pubDate>Mon, 29 Nov 2010 18:00:09 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Mobiles]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social and Political Philosophy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[blackberry]]></category>
		<category><![CDATA[india]]></category>
		<category><![CDATA[rim]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sovereignty]]></category>
		<category><![CDATA[state]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2080</guid>
		<description><![CDATA[Countries around the globe have been threatening Research in Motion (RIM) for months now, publicly stating that they would ban BlackBerry services if RIM refuses to provide decryption keys to various governments. The tech press has generally focused on 'governments just don't get how encryption works' rather than 'this is how BlackBerry security works, and how government demands affect consumers and businesses alike.' This post is an effort to more completely respond to the second focus in something approximating comprehensive detail. <a href="http://www.christopher-parsons.com/blog/technology/decrypting-blackberry-security-decentralizing-the-future/">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_2088" class="wp-caption alignleft" style="width: 310px"><a href="http://www.flickr.com/photos/honou/3792140072/"><img class="size-medium wp-image-2088" title="BlackBerry_Curve_8900" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/11/BlackBerry_Curve_8900-300x225.jpg" alt="" width="300" height="225" /></a><p class="wp-caption-text">Photo credit: Honou</p></div>
<p>Countries around the globe have been threatening Research in Motion (RIM) for months now, publicly stating that they would ban BlackBerry services if RIM refuses to provide decryption keys to various governments. The tech press has generally focused on &#8216;governments just don&#8217;t get how encryption works&#8217; rather than &#8216;this is how BlackBerry security works, and how government demands affect consumers and businesses alike.&#8217; This post is an effort to more completely respond to the second focus in something approximating comprehensive detail.</p>
<p>I begin by writing openly and (hopefully!) clearly about the nature and deficiencies of BlackBerry security and RIM&#8217;s rhetoric around consumer security in particular. After sketching how the BlackBerry ecosystem secures communications data, I pivot to identify many of the countries demanding greater access to BlackBerry-linked data communications. Finally, I suggest RIM might overcome these kinds of governmental demands by transitioning from a 20th to 21st century information company. The BlackBerry server infrastructure, combined with the vertical integration of the rest of their product lines, limits RIM to being a &#8216;places&#8217; company. I suggest that shifting to a 21st century &#8216;spaces&#8217; company might limit RIM&#8217;s exposure to presently &#8216;enjoyed&#8217; governmental excesses by forcing governments to rearticulate notions of sovereignty in the face of networked governance.</p>
<p><span id="more-2080"></span>Before I get any further, I need to add a pair of caveats. First: I don&#8217;t professionally manage BlackBerry devices or presently administrate an Enterprise Server. I do, however, have a decent high-level understanding of how the BlackBerry ecosystem is set up and how it functions as a cohesive system. Second, and perhaps more importantly, while I have family and friends who work at RIM absolutely nothing written here has been taken from conversations with them nor &#8216;cleared&#8217; or edited by them. Everything written here has been taken exclusively from the following sources: conference presentations given by RIM Security, my own personal familiarity with the BlackBerry product lines, discussions with information technology staff who deploy BlackBerry products, academics who attend to mobile security issues, and personally performed online research. I have not communicated with anyone inside RIM &#8211; that I know personally or otherwise &#8211; about the specifics of what I have written here.</p>
<p><strong>The Origins of the Blackberry</strong></p>
<p>The first Blackberry was a glorified pager that was released in 1999. RIM&#8217;s innovation was to <a title="External link to post on origin of the BlackBerry" href="http://www.everythingberry.com/origin-of-the-blackberry/2007/08/28/">combine corporate and wireless mailboxes</a> by setting up a service that relied on their own Network Operations Center and Blackberry Enterprise Software. Together, this infrastructure collected pager messages into a single mailbox and then pushed them to Blackberry devices. Messages were encrypted using triple DES encryption, with encryption keys supplied by the enterprise instead of RIM. This separation of data transit responsibilities and key provision meant that RIM could not decrypt messages while they rested on RIM&#8217;s servers. This basic infrastructure, now ingrained in the BlackBerry Enterprise Server (BES), is a lasting legacy that provides the real security that enterprise customers have come to expect from RIM products. In the absence of this infrastructure (as in the case of consumer BlackBerry use) the security of BlackBerry communications remains largely rhetorical; if governments strongly pressure RIM and wireless companies for consumer data they can usually (eventually) force RIM to turn over demanded information.</p>
<p><strong>BlackBerry Internet Service</strong></p>
<p>RIM&#8217;s BlackBerry Internet Service (BIS) is central to the provision of consumer BlackBerry offerings. Assuming that a customer purchases their device from a wireless phone carrier and uses that carrier&#8217;s services exclusively (i.e. assuming that their phone isn&#8217;t hooked up to a BlackBerry Enterprise Server), then the BIS lets customers enjoy many of the corporate features of the BlackBerry without any of the security that is often associated with the BlackBerry. The following image displays the general structure of the BIS ecosystem:</p>
<div id="attachment_2082" class="wp-caption alignright" style="width: 442px"><a href="http://blackberryrocks.com/2010/03/29/blackberry-internet-service-3-0-running-north-america-features-enhancements-news/"><img class="size-full wp-image-2082" title="BlackBerry Internet Service 3" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/11/BlackBerry-Internet-Service-3.jpeg" alt="" width="432" height="221" /></a><p class="wp-caption-text">Photo credit: Blackberryrocks.com</p></div>
<p>There are several benefits to using the BIS, including access to email, data compression and BlackBerry Messenger. In the case of email, it is as secure as the wireless provider makes it. This means that customers would enjoy levels of security equivalent to or exceeding that of enterprise customers if the provider deployed an asymmetric (public-key) infrastructure designed to prevent the provider from accessing their customers&#8217; email in transit and at rest. Unfortunately, I&#8217;ve yet to find a single wireless network that provides this level of encryption for the transit of email. Instead, while the communication between the mobile device and the wireless network&#8217;s server is likely encrypted &#8211; if <a title="External link to gsm-security faq" href="http://www.gsm-security.net/faq/gsm-encryption-algorithm-a5-cipher.shtml">using a GSM-based device, the A5 algorithm protects the customer&#8217;s data over the air</a> &#8211; the rest of the data&#8217;s transit is likely unencrypted.[1] Since carriers are often obligated by national law to design networks to facilitate lawful access (e.g. CALEA in the US), government can gain access to carrier-mediated data communications. RIM is (somewhat) explicit about this in their <a title="External link to RIM security pdf" href="http://docs.blackberry.com/en/smartphone_users/deliverables/14212/BlackBerry_Internet_Service-Security_Feature_Overview--787371-0205030634-001-3.0-US.pdf">BIS &#8220;Security Feature Overview&#8221; .pdf document</a>, where they write that &#8220;Email messages and instant messages that are sent between the BlackBerry Internet Service and your BlackBerry device use the security features of the wireless network.&#8221; Effectively, consumers are prisoners to their wireless providers&#8217; (often quite low) security standards.</p>
<p>Internet access is similarly passed through both the wireless provider&#8217;s networks and the BIS. Data is secured over the air using A5 in the case of GSM devices and then passed through the carrier&#8217;s servers and RIM&#8217;s own network. Where data is encrypted using SSL or some other form of encryption, the data experiences two layers of encryption: it is encrypted over the air, and further encrypted using the web-based encryption standards. When the data passes through RIM&#8217;s servers it is compressed to reduce delays in accessing content. Compression is oftentimes significant; <a title="Link to self-hosted Rogers document on data education" href="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/11/1138_Data_Education_Brochure_EN_final.pdf">according to Rogers (.pdf)</a> the same email message would be roughly 23KB if read on an iPhone 3G as compared to around 2KB when read on a BlackBerry Bold. Assuming both devices use similar 500MB data buckets, this would mean that the iPhone could receive around 22,000 messages before exceeding the bandwidth allotment versus over 250,000 received on the BlackBerry. Significant compression is also noticed when browsing websites and sending/receiving pictures on a BlackBerry versus other mobile devices.</p>
<p>The third &#8216;key component&#8217; of the consumer BlackBerry experience is the BlackBerry messaging service. Incredibly popular, this service is encrypted using a global key. This means that messages sent from a BlackBerry device are encrypted on the device, transmitted to the other device(s) the message is intended for, and decrypted upon arrival at recipient devices. Specifically, <a title="External link to RIM BlackBerry document" href="http://docs.blackberry.com/en/admin/deliverables/16648/PIN_encryption_keys_840390_11.jsp">RIM has written that</a>:</p>
<blockquote><p>The BlackBerry device scrambles PIN messages using the PIN encryption key. By default, each BlackBerry device uses a global PIN encryption key, which allows the BlackBerry device to decrypt every PIN message that the BlackBerry device receives.</p></blockquote>
<p>It is possible for RIM to decrypt messages that are encrypted with the global key, making them available to third parties if those parties come looking for them. As we will read shortly, RIM has capitulated to various governments by giving up keys enabling decryption of consumer BlackBerry Messenger traffic. Importantly, the wireless provider cannot make this information available because they never have access to the global keys &#8211; your PIN-to-PIN messages are secure from your carrier&#8217;s surveillance mechanisms but vulnerable to RIM&#8217;s own actions.</p>
<p><strong>What is the BlackBerry Enterprise Server</strong></p>
<p>The BlackBerry Enterprise Server (BES) is typically deployed by corporations to secure their communications from public and private scrutiny. Below is a graphic demonstrating the BlackBerry communications architecture that includes a BES.</p>
<div id="attachment_2084" class="wp-caption alignright" style="width: 487px"><a href="http://uk.blackberry.com/ataglance/security/features.jsp"><img class="size-full wp-image-2084" title="Flow diagram for end-to-end encryption" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/11/Flow-diagram-for-end-to-end-encryption.jpeg" alt="" width="477" height="213" /></a><p class="wp-caption-text">Photo credit: RIM UK</p></div>
<p>In this framework, communications are encrypted on the device according to the key management system used by the BES-owning organization. Because communications are encrypted before they exit the device, intercepting the data at the wireless network yields nothing beyond what traffic analysis can reveal. When the data is passed into the Internet more generally it remains encrypted. The data is only decrypted when it gets behind the corporate firewall. Separate policies will manage encryption at rest in the internal mail and messaging infrastructure that the organization maintains.</p>
<p>The result of this encryption policy is that email is not subject to access by government at the carrier level; government has to go to the group running the BES and demand the group hand over the data in question. This significantly changes the dynamics of the data request because carriers generally don&#8217;t care about the actual privacy of individuals on their network; so long as law enforcement is willing to pay for the effort of collecting and providing customer data the carrier is (generally) happy to help. This attitude changes when authorities come to a particular business or small group of users that are securing their communications using a BES; these groups are motivated to secure their communications (as demonstrated by setting up and running a BES in the first place) and have personal stakes in maintaining communicative security. As a result they are likely less happy than a carrier to cooperate with government agents.</p>
<p>What is key here is that when running a BES neither RIM nor the wireless carrier can assist law enforcement in accessing email, Internet browsing (which can be encrypted by default) or BlackBerry Messenger contents (assuming that the organization isn&#8217;t using the same global encryption key consumer messenger traffic relies on). If the BES and surrounding corporate IT infrastructure are outside a country&#8217;s legal reach then secured communications can be provided without worrying about government actually going after the mail or messaging servers themselves. Further, if a corporation&#8217;s legal assets and identity are also outside the nation, the government may be unable to legally compel the company to turn over the contents of BlackBerry communications. Needless to say, the full encryption of communications prevents the nation&#8217;s wireless carriers from effectively tapping BlackBerry device communications. Of course, this degree of security does depend on the device itself <a title="External link to article talking about Russian side-attacks" href="http://www.networkworld.com/news/2010/100410-blackberry-backup-encryption-broken-by.html">being protected from side-attacks</a>, and protecting against these may limit the device&#8217;s full functionality.</p>
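<p>The difference between the two key models described above (the global PIN key that every consumer device shares and that RIM also holds, versus a key the BES-owning organization generates and never hands to RIM or the carrier) can be shown with a small model. The following is an added example, not RIM&#8217;s code and not a description of RIM&#8217;s actual PIN cipher: it uses a toy HMAC-SHA256 stream cipher with an authentication tag in place of whatever RIM deploys, and the two key values are constructed. A relay operator holding only the global key can read every message encrypted under it, and recovers nothing from a message encrypted under a key provisioned behind the corporate firewall.</p>

```python
# Added example (not RIM's code): why a shared global key lets the relay
# operator read every message, while a key provisioned by the enterprise
# does not. The cipher is a toy HMAC-SHA256 construction standing in for
# whatever RIM actually uses; the key values below are constructed.
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a toy stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC under one key)."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Constructed keys. The "global" key is baked into every consumer device and
# is therefore also known to the relay operator (RIM, in the post's terms).
# The enterprise key is generated behind the corporate firewall and never
# leaves the organization that runs the BES.
GLOBAL_PIN_KEY = hashlib.sha256(b"constructed-global-pin-key").digest()
ENTERPRISE_KEY = hashlib.sha256(b"constructed-enterprise-bes-key").digest()


def relay_can_read(relay_keys, blob: bytes):
    """What an intermediary holding `relay_keys` recovers from a message in transit."""
    for key in relay_keys:
        pt = decrypt(key, blob)
        if pt is not None:
            return pt
    return None


def demo():
    """Encrypt one message both ways and report what the relay can recover."""
    msg = b"board meeting moved to Thursday"
    consumer = encrypt(GLOBAL_PIN_KEY, msg)    # BIS-style PIN message
    enterprise = encrypt(ENTERPRISE_KEY, msg)  # BES-style message
    relay_keys = [GLOBAL_PIN_KEY]              # the only key the operator holds
    return {
        "consumer_readable_by_relay": relay_can_read(relay_keys, consumer) == msg,
        "enterprise_readable_by_relay": relay_can_read(relay_keys, enterprise) is not None,
        "enterprise_readable_by_owner": decrypt(ENTERPRISE_KEY, enterprise) == msg,
    }


if __name__ == "__main__":
    print(demo())
```

<p>The point the model makes is purely about who holds the key: handing the global key to a government, as the post goes on to describe, exposes every consumer message that was ever encrypted under it, whereas a BES deployment leaves the relay with ciphertext it cannot authenticate, let alone read. The authentication tag also means a wrong key or a modified message is rejected rather than producing garbage.</p>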
<p><strong>Retrofitting Communicative Privacy and Security?</strong></p>
<p>Over the past 24 months or so, various governments have decided that accessing secured BlackBerry communications is a national security priority. The actions taken by the <a title="internal link to blog post on Mumbai terror attacks" href="http://www.christopher-parsons.com/blog/technology/comment-media-attention-to-blackberries-in-mumbai/">Mumbai terrorists, who used BlackBerry devices to securely communicate with one another,</a> have fuelled governmental demands to access privately secured data communications. What exactly has been demanded of RIM, why is it problematic to comply with these demands, and what is the next step from this point forward?</p>
<p>First, let&#8217;s showcase some of the countries demanding access to BlackBerry communications. The <strong>UAE</strong> has <a title="external link to BBC article" href="http://www.bbc.co.uk/news/technology-10761210">argued that BlackBerry devices pose &#8216;security risks&#8217;</a> on the basis that:</p>
<blockquote><p>BlackBerry operates beyond the jurisdiction of national legislation, since it is the only device operating in the UAE that immediately exports its data offshore and is managed by a foreign, commercial organisation &#8230; As a result of how BlackBerry data is managed and stored, in their current form, certain BlackBerry applications allow people to misuse the service, causing serious social, judicial and national security repercussions.</p></blockquote>
<p>Similarly, <strong>India</strong> remains &#8216;concerned&#8217; about its inability to decrypt secured BlackBerry communications. On the basis that encryption prevents rapid content penetration by government code-breakers, the Indian government sees BlackBerry communications as a national security issue. As <a title="external link to ZDnet commentary on India and BlackBerry encryption" href="http://www.zdnet.com/blog/igeneration/blackberry-encryption-too-secure-national-security-vs-consumer-privacy/5732">noted by ZDnet</a>, the general argument is that &#8220;India&#8217;s intelligence services need to be able to access encrypted data to prevent attacks in a &#8216;constant setting&#8217;: where attacks are likely and have occurred regularly.&#8221;</p>
<p>Other countries that have, or are presently, evaluating whether or not to let their businesses and citizens enjoy high levels of communicative security and privacy include:</p>
<ul>
<li><strong>Kuwait</strong>. RIM has reportedly agreed to <a title="external link to ibitimes article" href="http://www.ibtimes.com/articles/40551/20100803/rim-reportedly-will-block-porn-sites-in-kuwait-allow-monitoring-of-encrypted-data-in-india.htm">block thousands of pornographic websites</a> after the government raised concerns about the cultural impact of these websites.</li>
<li><strong>Bahrain&#8217;s</strong> government successfully forced RIM to <a title="External link to global voices online" href="http://advocacy.globalvoicesonline.org/2010/04/12/bahrain-bans-blackberry-chat-groups/">disable the messaging services for BlackBerry messaging chat groups</a> on the basis that such groups could generate &#8220;chaos and confusion&#8221; as news was distributed via them. In effect, the BlackBerry limited the government&#8217;s ability to censor news that it didn&#8217;t want spread amongst its citizenry.</li>
<li><strong>Indonesia</strong> is <a title="external link to boston.com article" href="http://www.boston.com/business/technology/articles/2010/08/05/indonesia_too_may_ban_blackberries/">concerned about BlackBerry encryption</a> on the basis that the government is uncertain whether &#8220;data being sent through BlackBerrys can be intercepted or read by third parties outside the country.&#8221;</li>
<li><strong>Algeria</strong>, paralleling concerns raised by India, <a title="external link to reuters article" href="http://af.reuters.com/article/topNews/idAFJOE67500J20100806">worries that the devices</a> might be a &#8220;danger for our economy and our security.&#8221;</li>
<li><strong>Lebanon</strong> is <a title="Another external link to reuters" href="http://www.reuters.com/article/idUSTRE67430220100805">studying the security concerns</a> around the BlackBerry.</li>
<li><strong>Tunisia</strong> has <a title="External link to business news article" href="http://www.businessnews.com.tn/details_article.php?t=520&amp;a=21461&amp;temp=1&amp;lang=&amp;w=">previously suspended email</a> on the basis of security concerns.</li>
</ul>
<p>Needless to say, this abbreviated list has a lot of nations citing &#8216;security concerns&#8217; as driving the impairment of BlackBerry services. Also needless, but important, to note is that many of these same nations are well known for their efforts at censoring communications, oppressing their citizens, and regularly violating human rights.</p>
<p>What has RIM&#8217;s response been? In addition to blocking thousands of websites for the Kuwaiti government, <a title="Yet another link to reuters" href="http://www.reuters.com/article/idUSTRE67151F20100816">RIM has provided decryption keys for the BlackBerry Messenger service to India</a> and is believed to have provided them to Saudi Arabia as well. In the case of India, this apparently means that RIM is providing some kind of <a title="External link to article about live access to BIS-based traffic" href="http://www.fastcompany.com/1703399/rim-close-to-agreement-with-india-over-blackberry-encryption-saga">live access to BIS infrastructure</a> that carries Indian messaging data. It&#8217;s important to carefully read and parse RIM&#8217;s official position regarding Saudi Arabia. <a title="External link to article quoting RIM's statement to the press" href="http://www.simplemobilereview.com/blackberry-messenger-service-in-saudi-arabia-is-back-online/">Specifically</a>, &#8220;RIM cannot accommodate any request for a copy of a customer&#8217;s encryption key, since at no time does RIM, or any wireless network operator or any third party, ever possess a copy of the key.&#8221; This seems deliberately nebulous, designed to confuse customers of the consumer line of BlackBerry services. While the company cannot crack Enterprise customers&#8217; security on the basis that the BES architecture lacks back doors, the same cannot be said about wireless providers&#8217; customers. Wireless providers&#8217; customers use RIM&#8217;s BIS but are (arguably) not RIM customers themselves; RIM lacks a significant business relationship with them, save to potentially assist with hardware problems (and these are often dealt with at the provider level). Wireless customers using BlackBerry devices can almost certainly have their security and privacy infringed upon &#8211; RIM has effectively admitted as much by stating that they use a common global mode of encrypting messenger traffic (which they will disclose if forced) and that email data is subject to wireless companies&#8217; own security policies (meaning it is subject to lawful access requests).</p>
<p>RIM has not yet capitulated to governments by redesigning their BES systems to provide governments access to BES-secured data. RIM repeatedly maintains in public that they cannot provide access to communications that are privately secured using the BES infrastructure, and that the company cannot monitor the content of BES-secured communications despite their flowing through RIM-based infrastructure. This stance may change, with evidence coming from the ongoing negotiations between RIM and the Indian government. The two parties are reportedly working towards some kind of an agreement that will give the Indian government <a title="Same article about access to BIS also speaks about future BES access" href="http://www.fastcompany.com/1703399/rim-close-to-agreement-with-india-over-blackberry-encryption-saga">live access to data flows along BES environments</a>. Presumably, this kind of &#8216;sneak peek&#8217; would involve letting government officials look at data flows before they were encrypted going out of the enterprise, or after they had entered the corporate network. Alternately, all encryption keys might &#8216;just&#8217; have to be registered with the national government. Save for the last case, these &#8216;solutions&#8217; would likely take the form of some kind of required plugin or module for Indian BES customers. Regardless, an agreement along any of these three lines will present BES customers and IT administrators with a myriad of security and confidentiality issues. It will only be a matter of time until some government official is bought off by a competing organization to perform corporate espionage, or the government otherwise inappropriately uses its surveillance powers.</p>
<p><strong>RIM and Single Points of Privacy Failure</strong></p>
<p>Countries advocating for access to encrypted communications are demonstrating the danger of dependence on third parties to route your communications: if the third party is compromised then your communication may also be compromised. Many of the countries pressing RIM have already compromised their wireless carriers/ISPs, but RIM poses a somewhat unique danger insofar as it is a trusted and often extra-territorial third party. RIM&#8217;s status alleviates some challenges of implementing and maintaining secure communications for some (typically business) individuals within the nation, but heightens problems for governments seeking access to all facets of their citizens&#8217; communications. Countries are taking advantage of the fact that they can effectively shut down BlackBerry communications within their nations by placing pressure on regional wireless providers; such pressures threaten to deny RIM access to revenues and effectively force the company to the negotiating table. RIM is behaving as any &#8216;good&#8217; profit-maximizing corporation would in light of threats to its profits: it is negotiating deals that maximally enhance its balance sheet, principles and the privacy of wireless carriers&#8217; customers be damned.</p>
<p>The Internet has demonstrated that it is an incredibly robust communications network, but one that does have weak links. Wherever there is a single, necessary node that traffic must pass through there is a point of attack for government, a point where sovereign powers can be exercised to capture and interrogate citizens&#8217; data traffic. The application of sovereign power demonstrates Goldsmith&#8217;s and Wu&#8217;s general thesis in <em>Who Controls the Internet?</em>, that the &#8216;net is becoming bordered as various powers mediate what kinds of data and data repositories are available to citizens. Of course, the general thesis must be nuanced: in each case where the BlackBerry network has come under fire from government we see governments at odds with other governments, governments trying to come to terms with private international data networks, and private corporations struggling to maintain product uniformity while accommodating regional law. In essence, we see governments struggling to adjust to a novel mode of network distribution, and struggling to realize new approaches to governing communications traffic. Given the transformative nature of Internet governance generally, we would be well advised to take seriously Cowhey&#8217;s and Mueller&#8217;s (2009) conclusion that network governance has changed how the state system and communications networks interface. Specifically, they write that</p>
<blockquote><p>&#8230;the Internet has not escaped governments, but the governance systems have changed. Changes in the rules of decision making and the forms of stakeholder participation will drive outcomes in novel directions even if the parameters of choice still remain under the control of governments (193).</p></blockquote>
<p>Should facets of the BlackBerry system become more significantly decentralized we could see additional complications around the governance regime of mobile data communications. Such complications will contribute to additional anxieties around the range of actions available to the state in its self-expression of sovereignty. Whereas states have historically worked on places &#8211; a locale whose form, function, and meaning are self-contained within the boundaries of a physical contiguity &#8211; they are increasingly being forced to work on spaces &#8211; instances of crystallized time that operate as a site of flows, and thus lack an international bounding of form, function and meaning associated with places (Castells 2001). The decentralization of BlackBerry services, a shift to a P2P-like infrastructure for their BIS and BES services, would limit states&#8217; abilities to attend to places, undermining law&#8217;s ability to address BlackBerry security in a manner paralleling law&#8217;s limited capacity to end widespread P2P-enabled copyright infringement. Place has become a space of weakness, a point where time remains closely associated with matter and thus receptive to the &#8220;hard geophysical reality of places.&#8221; To achieve the advantages of decentralized virtualization, places must give way to temporal structures associated with light-time and the manifestation of spaces that challenge geophysical locatedness (Virilio 2005: 117).</p>
<p>Even with the shift from places to spaces, the decentralization of BlackBerry security, and the modulation of state governance models, the switches of information transfers will remain privileged instruments of power. Thus, so long as RIM maintains vertical integration of their product lines the company will act as a central point of power that is receptive to organized state power. Vertical integration is a problem; the company must shift from a single body to a pluralistic set of interrelated corporate nodes to transition from a places to a spaces company. Disaggregating the vertical integration of the company would see it adopt a layered approach to its business, manifested in the company spinning itself into a series of unique corporate bodies that maintain integration with other RIM-based corporate bodies without any particular body directly informing or integrating with the others in a centrally planned manner. Open protocols and APIs, instead of centralized corporate design, would be responsible for maintaining BlackBerry device and service integration. Under this framework a hardware, operating system, and network security corporation could each emerge from the present whole that is Research in Motion.</p>
<p>Under this model the various corporations would contribute to a cohesive BlackBerry device, though no one party would own the entire stack. Google has demonstrated the viability of this approach, showing what a 21st century information company looks like and how it behaves (for much more on this, see Wu 2010). Exploring how RIM might implement a Google-like approach to corporate design and product architecture could simultaneously help confound sovereign authority and promote modular adjustments to facets of the BlackBerry infrastructure in ways that promote module innovation by giving developers free(r) rein over various &#8216;hidden components&#8217; (those components that aren&#8217;t depended upon by other layers of the BlackBerry device stack). Such innovation and decentralization could continue to fulfill market demands of chasing after profits if open protocols and APIs are appropriately developed and propagated. Adopting this disaggregated approach, where RIM shifts from a places to a spaces company, would have the ultimate effect of challenging and undermining current structures of state sovereignty and accelerate the modulation of state power. By forcing states to engage with a better-entrenched networked governance structure that facilitates secured mobile communications the state might learn new modes of enacting governance requiring cooperation and compliance instead of blunt force. Without the tools of sovereignty the state typically wields, and the requirements to achieve cooperation and consensus, BlackBerry devices would enjoy enhanced security and their users superior communicative privacy. Importantly (for the RIM-spinoffs), the transition from a places to spaces corporation might be implemented whilst improving the conditions for modular innovation and enhancements to existing corporate profit logics.</p>
<p><strong>Notes:</strong></p>
<p>[1] A5 encryption has serious deficiencies, which have been <a title="External link to Welte's post" href="http://laforge.gnumonks.org/weblog/2010/11/12/#20101112-history_of_a52_withdrawal">helpfully summarized by Harald Welte</a>. In effect, A5 has long depended on security by obscurity to an extent and is quickly compromised in the face of a sufficiently motivated attacker.</p>
<p><strong>Book Sources:</strong></p>
<p>Cowhey, Peter and Mueller, Milton. (2009). &#8220;Delegation, Networks, and Internet Governance,&#8221; in M. Kahler (ed). <em>Networked Politics: Agency, Power, and Governance</em>. Ithaca: Cornell University Press.</p>
<p>Castells, Manuel. (2000). <em>The Rise of the Network Society (Second Edition)</em>. Malden, MA: Blackwell Publishing.</p>
<p>Goldsmith, Jack and Wu, Tim. (2006). <em>Who Controls the Internet? Illusions of a Borderless World</em>. Toronto: Oxford University Press.</p>
<p>Virilio, Paul. (2005). <em>The Information Bomb</em>. New York: Verso.</p>
<p>Wu, Tim. (2010). <em>The Master Switch: The Rise and Fall of Information Empires</em>. New York: Alfred A. Knopf.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/decrypting-blackberry-security-decentralizing-the-future/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Do You Know Who Your iPhone&#8217;s Been Calling?</title>
		<link>http://www.christopher-parsons.com/blog/technology/do-you-know-who-your-iphones-been-calling/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/do-you-know-who-your-iphones-been-calling/#comments</comments>
		<pubDate>Tue, 05 Oct 2010 23:10:55 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Mobiles]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Thoughts]]></category>
		<category><![CDATA[api]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[cookies]]></category>
		<category><![CDATA[ethics]]></category>
		<category><![CDATA[html5]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[privacy ethics]]></category>
		<category><![CDATA[privacy policies]]></category>
		<category><![CDATA[privacy policy]]></category>
		<category><![CDATA[udid]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=2034</guid>
		<description><![CDATA[Privacy policies are largely garbage from an end-user perspective. API developers need to adopt an ethic of privacy, instil it throughout their code, and cut off those who abuse the API in manners that clearly violate both the terms and aims of the privacy ethic and policy. APIs should be run past privacy-minded technologists prior to being rolled out, and be modified where it is clear that the API permits and encourages invasive surveillance without the end-user's consent. Ideally we'd see mass opt-in requirements for this kind of surveillance but I fear that this is unlikely, at least in the short term. Developing an ethic of privacy, combined with accessible three-layer privacy policies, might at least keep application and API developers honest at best, and give grounds for suit in front of the FTC, OPC, and EU Commission at worst. <a href="http://www.christopher-parsons.com/blog/technology/do-you-know-who-your-iphones-been-calling/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<div id="attachment_2035" class="wp-caption alignleft" style="width: 310px"><a href="http://www.flickr.com/photos/a_ninjamonkey/3574350862/"><img class="size-medium wp-image-2035" title="The-Apple-iPhone-3GS-gets-a-phone" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/10/The-Apple-iPhone-3GS-gets-a-phone-300x225.jpg" alt="" width="300" height="225" /></a><p class="wp-caption-text">By Ninja M.</p></div>
<p>An increasing percentage of Western society is carrying a computer with them, every day, that is enabled with geo-locative technology. We call them smartphones, and they&#8217;re cherished pieces of technology. While people are (sub)consciously aware of this love-towards-technology, they&#8217;re less aware of how these devices are compromising their privacy, and that&#8217;s the topic of this post.</p>
<p>Recent reports on the state of the iPhone operating system show us that the device&#8217;s APIs permit incredibly intrusive surveillance of personal behaviour and actions. I&#8217;ll be walking through those reports and then writing somewhat more broadly about the importance of understanding how APIs function if scrutiny of phones, social networks, and so forth is to be meaningful. Further, I&#8217;ll argue that privacy policies &#8211; while potentially useful for covering companies&#8217; legal backends &#8211; are less helpful in actually educating end-users about a corporate privacy ethos. These policies, as a result, need to be written in a more accessible format, which may include a statement of privacy ethics that is baked into a three-stage privacy statement.</p>
<p>iOS devices, such as the iPhone, iPad, Apple TV 2.0, and iPod touch, have Unique Device Identifiers (UDIDs) that can be used to discretely track how customers use applications associated with the device. A <a title="External link to report" href="http://www.pskl.us/wp/?p=476">recent technical report</a>, written by <a title="External link to bio" href="http://www.pskl.us/wp/?page_id=7">Eric Smith</a> of <a title="External link to security consultancy site" href="http://www.pskl.us/wp/">PSKL</a>, has shed light on how developers can access a device UDID and correlate it with personally identifiable information. UDIDs are, in effect, serial numbers that are accessible by software. Many of the issues surrounding the UDID are arguably similar to those around the Pentium III&#8217;s serial codes (codes which raised the wrath of the privacy community and were quickly discontinued; a <a title="External link to .pdf" href="http://www.cyber-rights.org/reports/intel-rep.pdf">report on PIII privacy concerns is available here</a>).<span id="more-2034"></span></p>
<p>Application developers can combine the device identifier with the following attributes: authenticated login information (e.g. a banking application can link the UDID with a full banking consumer profile), (nick)name of iOS device owner, type of connection (e.g. wifi versus 3G), model type (version of iPhone, iPad, iPod Touch), home address, phone number, and geolocation information (both GPS and <a title="External link to Techcrunch on Skyhook and Apple wireless location" href="http://techcrunch.com/2010/07/29/apple-location/">Skyhook/Apple collected information</a>). Significantly, there are no popups or warnings alerting users that this data is being collected &#8211; the actual API facilitates a level of data collection far exceeding what most consumers would expect, and stands in direct contrast with Steve Jobs&#8217; statement at the most recent All Things D conference, which I&#8217;ve previously transcribed as follows:</p>
<blockquote><p>We’ve always had a very different view of privacy than some of our colleagues in the Valley. We take privacy extremely seriously. That’s one of the reasons we have the curated apps store. We have rejected a lot of apps that want to take a lot of your personal data and suck it up into the cloud. Privacy means people know what they’re signing up for. In plain English, and repeatedly, that’s what it means. Ask them. Ask them every time. Make them tell you to stop asking if they get tired of your asking them. Let them know precisely what you’re going to do with their data.</p></blockquote>
<p>Unless I&#8217;ve missed an entire regime of collection notices, I had no idea such information was being harvested by application developers until I&#8217;d read Smith&#8217;s report. Arguably of equal significance, where SSL encryption is used to transmit data Smith can determine the receiving host, but not what is actually transmitted to that host. <a title="External link to blog on receiver points" href="http://www.pskl.us/wp/?p=485">Where traffic terminates at qwapi.com</a>, the receiver is responsible for iAds, but it is less obvious who other receivers are, their need/desire for data, or their long-term data retention and processing policies. In essence, there&#8217;s no clear way of knowing what information is being hoovered up or what&#8217;s being done with it. &#8216;Free&#8217; applications, in particular, are guilty of collecting UDID information, proving once again that if you&#8217;re not paying for a product &#8211; if you&#8217;re not a paying customer &#8211; you (and your personal information) are likely the actual product.</p>
<p>Also of interest in Smith&#8217;s report is that cookies are being placed in applications&#8217; folders, and not Safari&#8217;s Cookies folder. This prevents end-users from easily removing the cookies using the iDevice&#8217;s options to do so (Settings&gt;&gt;Safari&gt;&gt;Clear History/Cookies/Cache). Combined with the incredible duration of these cookies &#8211; sometimes expiring only after 20 years &#8211; application developers can determine when an individual switches devices; when you switch (upgrade, use multiple iDevices, etc.) the company puts a cookie with the same ID on the device as soon as you login, and adds the new device information to their customer databases. Given that the cookies have such excessive durations, it&#8217;s unlikely that new cookies will ever be issued to a user unless they create a separate, brand new, account. The &#8216;cookie problem&#8217; is made even worse in light of Mobile Safari permitting the creation of client-side storage databases. These are often used by advertisers &#8211; <a title="External link to Ars" href="http://arstechnica.com/apple/news/2010/09/rldguid-tracking-cookies-in-safari-database-form.ars">Ars Technica has a walkthrough of Ringleader Digital&#8217;s system</a> &#8211; to track users as they move around the Internet. Such databases are, for almost all intents and purposes, impossible to remove. The only way to &#8216;opt-out&#8217; of them is to (a) realize what&#8217;s going on, and (b) go to Ringleader&#8217;s website and have them place a unique identifier in the database they create on your device that indicates you&#8217;ve chosen to opt out of the tracking. After demonstrating technical ingenuity and a willingness to (in effect) exploit HTML 5 and Safari Mobile, you just have to trust them to do the right thing after you opt-out. Few users will likely ever know that these databases exist, let alone where and how to opt-out, and likely even fewer trust Ringleader to follow through with their privacy promises.</p>
<p>Requiring a unique identifier to avoid surveillance is less than promising, and lacks transparency from the end-user&#8217;s perspective. Moreover, Apple almost implies that this kind of behaviour is permissible, given that it has developed its own <a title="Internal link to piece on iAd and locational information" href="http://www.christopher-parsons.com/blog/privacy/apple-and-locational-data-sharing/">opt-out system relying on similar mechanisms for their iAd advertising ecosystem</a>. Further, Apple&#8217;s willingness to bury locational tracking information in the newest iteration of iOS &#8211; accessed through Settings &gt;&gt; General &gt;&gt; Location Services &gt;&gt; (Settings for applications) &#8211; shows that while Steve might talk about privacy, Apple certainly isn&#8217;t integrating an ethos of <a title="External link to PbD site" href="http://www.privacybydesign.ca/">privacy by design</a> in their products themselves, nor are they shaping the application ecosystem to respect privacy. In this way, Apple and <a title="Internal link to discussion of Facebook API and OPC complaint" href="http://www.christopher-parsons.com/blog/technology/facebook-got-off-easy-third-parties-and-data-collection/">Facebook</a> appear to be closely aligned in how they &#8216;address&#8217; privacy in their respective third-party application ecosystems.</p>
<p>Of course, the developers using UDIDs, setting near-permanent cookies, and deploying &#8216;zombie&#8217; databases are all taking advantage of existing APIs. Such APIs are required to develop applications, and the application marketplaces are (arguably) what drive so much of iDevices&#8217; desirability. The potentialities of APIs themselves, however, are reflections of a set of value decisions made by Apple (and by developers of APIs more generally). The UDID is not provided for nefarious reasons; arguably it is there so that developers have some kind of unique identifier that they can take advantage of instead of spending hundreds of hours creating a secured login and authentication system for each application they produce. By making the UDID available Apple is reducing the &#8216;friction&#8217; individuals experience when they actually use an application, which enhances the likelihood that individuals will actually try out the application in question. There are substantial costs entailed by field registration forms; each field significantly reduces the likelihood that a customer will actually go through with an identity-related transaction. Friction promotes consciousness about privacy and/or an awareness of the customer&#8217;s limited temporal resources.</p>
<p>In the process of developing a wider ecosystem &#8211; one that is dominantly intended to fuel the sales of hardware and secondarily to enhance revenue streams in the various iStores &#8211; Apple has a responsibility associated with their APIs. The &#8216;privacy&#8217; policy that Apple makes available to users of iDevices is absurd; the last one was 57 pages long, on the iPhone screen, and has various buried clauses. Admittedly, I think that Apple is trying to do what their lawyers are telling them is right &#8211; if you read the privacy policy it broadly permits many of the surveillance processes discussed above (e.g. collection of locational information and other information) &#8211; but without a knowledge of the actual APIs an end-user is entirely unable to contextualize the policy. It is patently unreasonable to expect your end-users to be developers (or lawyers), with access to developer tools and time to competently play with them, just to understand your corporation&#8217;s privacy policy.</p>
<p>So, what is the solution then? In an ideal world Apple would genuinely adhere to what Steve Jobs stated in his All Things D interview: when an application on an iDevice wants any kind of personal information &#8211; and a unique signifier should constitute such information as soon as it is combined with information that can identify an individual &#8211; it will ask you. When the UDID, your mobile phone number, address, type of wireless connection used, and so forth is harvested, developers should be required to ask permission before grabbing it, and this requirement should be hardcoded into the developer API. Perhaps the Europeans will be able to force Apple (and other API developers whose APIs enable privacy invasive practices) to add this &#8216;friction&#8217; to their ecosystem. Maybe there are grounds for a formal complaint to the Privacy Commissioner of Canada, on grounds that individuals cannot give meaningful consent to these collections of personal information, nor can they necessarily revoke this consent after having once given it. Both situations seem to demand the attention of Canadian regulators.</p>
<p>If you&#8217;re an application developer &#8211; today &#8211; what is the solution? Ideally, you implement an opt-in system but, failing that, developers should be required to adopt a three-layer privacy agreement with their end users, one that is prominently displayed at the first launch of the program and with each reinstallation/update. The first &#8216;layer&#8217; should have understandable, actionable, privacy statements. We do X, we do not do Y and we believe in Z would all make good &#8216;privacy principle&#8217; statements. These statements should be guided by an actual formal ethics of privacy &#8211; one that is embedded into the API, the code of the application, and the ecosystem more broadly &#8211; that when instantiated would curtail privacy invasive possibilities during the development stage.</p>
<p>The second layer may be more detailed, better integrating the principles and ethics with clear legal accountability. Whereas layer one might be a single page, layer two might be two or three pages, in a readable font and written at an accessible level of language; get a readability expert to go through it: if a child of thirteen years of age can&#8217;t understand it, you need to re-write the first layer, and if a seventeen year old can&#8217;t understand layer two, it needs a rewrite/edit.</p>
<p>The final layer will be the typical legalese, but contextualized by layers one and two. This should mean that individuals can actually frame some of the more obscure clauses should they read layer three&#8230;and if those individuals can&#8217;t, it should at least give opposing counsel and regulators grounds to argue that developers are(n&#8217;t) misleading their users.</p>
<p>Privacy policies are largely garbage from an end-user perspective: they&#8217;re almost entirely unreadable, unclear, and demand careful amounts of time and high degrees of education to parse. API developers need to adopt an ethic of privacy, instil it throughout their code, and cut off those abusing the API in manners that clearly violate both the terms and spirit of the privacy ethic and policy. APIs should be run past privacy-minded technologists prior to being rolled out, and be modified where it is clear that the API permits and encourages invasive surveillance without the end-user&#8217;s consent. Ideally we&#8217;d see mass opt-in requirements for this kind of surveillance but I fear that this is unlikely, at least in the short term. Developing an ethic of privacy, combined with accessible three-layer privacy policies, might at least keep application and API developers honest at best, and give grounds for suit in front of the FTC, OPC, and EU Commission at worst.</p>
<p>Other posts you might be interested in:</p><ol>
<li><a href='http://www.christopher-parsons.com/blog/privacy/iphone-promiscuity/' rel='bookmark' title='iPhone Promiscuity'>iPhone Promiscuity</a></li>
<li><a href='http://www.christopher-parsons.com/blog/technology/mobile-security-and-the-economics-of-ignorance/' rel='bookmark' title='Mobile Security and the Economics of Ignorance'>Mobile Security and the Economics of Ignorance</a></li>
<li><a href='http://www.christopher-parsons.com/blog/technology/ipv6-and-the-future-of-privacy/' rel='bookmark' title='IPv6 and the Future of Privacy'>IPv6 and the Future of Privacy</a></li>
</ol>]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/do-you-know-who-your-iphones-been-calling/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
