Photo by Leon Lee

Research in Motion has a problem. For years they promoted themselves as a top-notch mobile security company. During those initial years most of their products were pitched at enterprise users.

Then RIM got into the consumer market.

Most consumers equate RIM’s products with security, email, BlackBerry Messenger (BBM), and a tepid suite of other smartphone features. Most of the people who report on the company tend to agonize over the fact that RIM complies with government surveillance laws. Such reports inevitably emerge each time that the public realizes that RIM meets its lawful access requirements for consumer-line products.

In this post, I want to briefly address some of the BBM-related security concerns and try to (again) correct the record surrounding the security promises of the messaging service. After outlining the deficits of consumer BBM products I briefly argue that we need to avoid fetishizing technology, encryption, or the law, and should instead focus on the democratic implications of the lawful access-style laws that governments use to access citizens’ communications.

In the interest of full disclose: I have family and friends who work at Research In Motion. I haven’t spoken to any of them concerning this post or its contents. None directly work on either BBM or RIM’s encryption systems.

The Origins of BBM Fears

Public commentators worry whenever RIM, or a government, admits that they have the capacity to decrypt personal BBM messages. Decryption is usually mandated because of lawful access requirements that RIM must comply with; the company doesn’t proactively make these messages available in the absence of legal pressures. What are lawful access laws? In general, they tend to grant governments access to citizens’ communications, typically by putting some kind of pressure on communications intermediaries (e.g. Facebook, ISPs, Twitter, RIM). For an overview of lawful access-style laws in the UK and US, see a report I’ve written on the subject, and for information on Canada’s recently tabled lawful access legislation see my earlier posts, or read the BCCLA’s report (.pdf) on the topic.

Governments target RIM on the basis that their service network is different from other mobile phone providers’. Specifically, the communications that are sent from, and often received by, BlackBerry devices will pass through RIM’s global service infrastructure. This infrastructure routes data  and, given its centrality to BlackBerry device functionality, it is recognized by governments as a communications site that falls within the purview of lawful access powers.

BBM Encryption

In addition to routing and compressing data traffic, RIM’s service offerings also include a measure of security in excess of the practices adopted by their competitors. BBM, as an example, is encrypted. However, it is encrypted using a  global key. RIM has written that,

The BlackBerry device scrambles PIN messages using the PIN encryption key. By default, each BlackBerry device uses a global PIN encryption key, which allows the BlackBerry device to decrypt every PIN message that the BlackBerry device receives.

This means that RIM can decrypt consumers’ messages that are encrypted with the global key. Consumer devices include all RIM offerings that are not integrated with a BlackBerry Enterprise Server (BES). The BES let’s administrators change the encryption key, which prevents RIM from using the global decryption key to get at the plaintext of BES-secured communication.

Many countries want access to consumer-level encrypted BBM communications. Of note, India had been threatening to expel RIM’s services from the country unless the company established a mechanism that let authorities decrypt and access BBM messages. Per a recent agreement between RIM and the Indian government, eight of India’s government organizations will have access to decrypted BBM messages. To access BBM messages,

The security agency concerned will first have to approach the Union Home Ministry and seek its permission to tap a particular BBM user’s number. The agency will then send a request to a service provider to access the data of the number. This will be followed by the operator connecting to the agency’s channel and divulging the user’s communication details.

BES policies will remain unchanged, with the Indian government agreeing that the only way to access BES-encrypted BBM, email, and Internet history will be through decrypted data stores that sit behind the BES. As a result, authorities will have to rely on warrants and other legal measures to compel BES-protected communications. This leaves businesses subject to the same laws they have always been subject to and means that RIM will not have to compromise on enterprise-level security.

Consumer BBM ‘Security’

Unfortunately, because RIM has failed to explain to non-enterprise consumers just how RIM’s services work, India’s ‘cracking’ of BBM has resulted in excessive concerns. Some worry about other countries – China, Pakistan, and so forth – compelling similar decryption compliance from RIM. They also worry that Canada or other Western nations could compel RIM to make decryption keys available, though they forget that Canada already (likely) has this capacity, as does the American government. RIM maintains a strong interest in lawful access legislation around the world and publicly recognizes that it is bound by the laws of countries where its products are offered.

The core technological issue, of course, is that BBM messages that rely on the consumer-provided BlackBerry Internet Service (BIS) have never been particularly secure. This insecurity was recognized, and written about, by the Communications Security Establishment Canada (CSEC) last year. CSEC identified the following security issues with BIS-based BBM/PIN-to-PIN communications:

1. PIN-to-PIN transmission security: PIN-to-PIN is not suitable for exchanging sensitive messages. Although PIN-to-PIN messages are encrypted using Triple-DES, the key used is a global cryptographic “key” that is common to every BlackBerry device all over the world. This means any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device, if the messages can be intercepted and the destination PIN spoofed. Further, unfriendly third parties who know the key could potentially use it to decrypt messages captured over the air. Note that the “BlackBerry Solution Security Technical Overview” [1] document published by RIM specifically advises users to “consider PIN messages as scrambled, not encrypted”.
2. PIN Address Vulnerability: A BlackBerry device that has been used for PIN messaging should not be recycled for re-use. The reason is that the hard-coded PIN cannot be erased or modified, and therefore the PIN does not follow a user to a new device. Even after memory wiping and reloading, the BlackBerry device still has the same PIN identity and will continue to receive PIN messages addressed to that PIN. This can expose unsuspecting users of BlackBerry devices to potential information compromise in the following ways:
• A new owner of the recycled BlackBerry device could view PIN messages sent from a colleague of the previous owner who is unaware that the message is now going to the wrong recipient (recall that the PIN is a device ID, and not a user ID).
• A message sent by the BlackBerry device’s new owner contains a known PIN credential which might be mistakenly accepted as being from the previous owner (impersonation).
3. Bypass of Virus/Malware Scanning and Spam Filtering mechanisms: As described previously, PIN-to-PIN messaging bypasses all corporate e-mail security filters, and thus users may become vulnerable to viruses and malware code as well as spam messages if their PIN becomes known to unauthorized third parties.

In essence, CSEC and others who have probed the actual security guarantees of BIS-facilitated BBM messages have all come to the same conclusion: the offered security is better than absolutely nothing, but is absolutely insufficient to protect users from a moderately interested attacker. Certainly the government constitutes, at the absolute minimum, an interested attacker.

Don’t Focus On Technology and Exclude Law

The worries surrounding RIM’s making BBM communications available to law enforcement come from (at least) two general positions. The first tends to fetishize technology whereas the second attends to the democratic issues linked with lawful access laws themselves.

In speaking to the first: reporters who cover security and BlackBerry typically really don’t understand encryption. As soon as something is encrypted that means (to most reporters) that the communication is impenetrable. You often see articles that focus on how long it would take to brute force the decryption key, without any attention given to the various side-channel attacks that could leave the encryption intact while still gaining access to the plaintext. Consequently, whenever RIM ‘breaks’ their consumer products’ encryption the action is heralded as a serious moment.

Unfortunately, this reaction is naive and ignorant of the technical architecture of BBM and the BIS. Because of years of poor reporting on the topic of security generally, and BlackBerry security in particular, consumers and commentators are typically ill-positioned to really understand the compromise that RIM has made, or the actual levels of security that consumers enjoyed pre-compromise. In effect, the encryption that people thought was protecting them was marginal, at best, and is easily overcome at a technical level.

In speaking to the second position, however, there is a broader issue concerning the legitimacy of government surveillance. I would suggest that citizens cannot reasonably expect companies to regularly, and actively, ‘go to war’ with governments over the issues of citizens’ constitutional rights. While such opposition is often admirable (e.g. Twitter’s and Qwest’s opposition to overzealous US government surveillance), and is something we should praise, most companies will operate within the confines of the law as defined by legislative and judicial branches of the government. They will often obey the letter law, and not necessarily adhere to the normative ethos associated with basic law. Moreover, legal compliance is actually something that citizens tend to want: we want environmental regulations to be complied with, we want labor standards met, and so forth. The issue is (arguably) less with corporate compliance with governmental surveillance laws and more with the existence of those surveillance laws in the first place.

While companies that actively promote – and profit from – spying on the public should be shamed, we should resist focusing exclusively on companies who comply with lawful access provisions. Instead, we might focus on the excessive surveillance practices that the state claims are legitimate in the first place. This point, on the excesses of state power, is commonly lost on public commentators. While there is often a recognition that expanding the scope of lawful access powers are dangerous to civil rights, we rarely see a link between those laws and forced corporate compliance with them. This failure is dangerous and problematic, insofar as it distances the causal linkages and turns compliance into a “X company is bad” versus “X company has to do something we dislike because of Y questionable law.” Of course, the former narrative is easier to spin out rapidly, whereas the latter takes a bit of more time and nuance.

The expansions of lawful access powers are dangerous because the services that citizens use in their daily lives are run by corporations that are themselves bound by the laws of the land. Where those companies have operating footprints in countries which are strengthening lawful access powers, those companies may be forced to retrofit services to improve legal access to private communications. While companies can fight the good fight, and try to keep governments away from citizens’ communications, the same companies are typically required to comply with law at the end of the day.

We Need Democratic Narratives

In essence, there is a danger in fetishing BlackBerry Messenger security, or particular companies, or particular security promises. We should widen the narrative of lawful access discussions beyond technology and encryption to avoid emphasizing technology at the expense of democratic principles. Similarly, if we emphasize the roles of law, and its procedural legitimacy, we can potentially obfuscate the normative issues underlying our concerns with the law. These concerns are often not captured when we simply question procedural legitimacy.

I would suggest that it is more useful to take a holistic democratic accounting of lawful access laws and their implications. Where such laws are prospectively damaging to the fabric of the democracy, perhaps by threatening rights of free speech, association, and limitations of governmental search powers, then those are the areas that we as citizens, journalists, and commentators must focus our attention. Such democratic narrative can be supported by technological and legal facts and opinions, but critically the basic narrative is not on corporate products, whiz-bang technologies, nor legal minutia, but the very principles of a democracy. While we can all get lost in the expertise-languages associated with products, tech, and law, all citizens can engage in reasonable discussions of what they normatively expect their constitutional rights to mean in both theoretical and practical terms.

While the methods of engaging with the government vary – voting, writing government, publishing op-eds, or activism are all possibilities – what is key is that the citizenry become involved in the discourse surrounding governmental surveillance practices. Democracies live and die based on whether citizens are willing to defend their basic rights, the rights that enable their democracy in the first place. While attention to the technology undergirding those rights is important, we shouldn’t focus on technology (or the law used to undermine communications security) to the point where we forget the broader normative logics that are challenging the freedoms and rights that our democracies are based upon.

No related posts.

Photo by Kempton

Online voting is a serious issue that Canadians need to remain aware of and/or become educated about. I’ve previously written about issues surrounding Internet-based voting, and was recently interviewed about online elections in light of problems that the National Democratic Party (NDP) had during their 2012 leadership convention. While I’m generally happy with how the interview played out – and thankful to colleagues for linking me up with the radio station I spoke on – there were a few items that didn’t get covered in the interview because of time limitations. This post is meant to take up those missed items, as well as let you go and listen to the interview for yourself.

Public Dialogue Concerning the NDP Leadership ‘Attack’

There are claims that the attacks against the NDP’s online voting system were “sophisticated” and that “the required organization and the demonstrated orchestration of the attack indicates that this was a deliberate effort to disrupt or negate the election by a knowledgeable person or group.” Neither of these statements are entirely fair or particularly accurate. Publicly disclosed information indicates that around 10,000 IP addresses were used to launch a small Distributed Denial of Service (DDoS) attack against the voting system used during the NDP’s convention. To be clear: this is a relatively tiny botnet.

While such a botnet might justifiably overwhelm some small business networks, or other organizations that haven’t seen the need to establish protections against DDoS scenarios, it absolutely should not be capable of compromising an electoral process. Such a process should be significantly hardened: scalable infrastructure ought to have been adopted, and all services ought to be sitting behind a defensible security perimeter. To give you an understanding of just how cheap a botnet (of a much larger size) can be: in 2009, a 80,000-120,000 machine botnet would run around $200/day. You even got a 3-minute trial window! In 2010, VeriSign’s iDefence Intelligence Operations Team reported that a comparable botnet would run around $9/hr or $67/day.

If a few Google searches and a couple hundred dollars from a Paypal account can get you a small botnet (and give you access to technical support to help launch the attack, depending on who you rent your bots from) then we’re not dealing with a particularly sophisticated individual or group, or an individual or group that necessarily possesses very much knowledge about this kinds of attacks. Certainly the action of hiring a botnet demonstrates intent but it’s an incredibly amateurish attempt, and one that should have been easily stopped by the vendor in question.

The Vendor Was Unprepared

Perhaps the most damning piece of the story is that Scytl, the vendor the NDP choose to work with, was utterly unprepared for such an attack. The CBC notes this when they report that:

Scytl has never experienced an attack like this before, company spokeswoman Susan Crutchlow said .

“But this is not uncommon, I mean … this is just a common thing that is happening out in the industry,” Crutchlow said.

“Obviously, this has now allowed us to capture additional data to incorporate into the security measures of our system.”

That Scytl hadn’t experienced this kind of (amateur) attack is indicative of the company’s relatively low profile, and the low (online voting) profile of elections they have previously been involved with. Moreover, the company admits that this is a “common thing that is happening out in the industry” and yet was unprepared to address it in real time. This lack of preparedness is strongly suggestive that the company lacked the basic security measures that ought to have been in place.

The Significance of the DDoS Attack

While it’s pleasant that the vendor was able to “capture additional data” for their security responses in the future, their failure in this instance undermined the legitimacy of the leadership vote. Note that the company argues that “[t]he vote wasn’t compromised, Scytl says, pointing to an audit by Price Waterhouse Coopers during the convention. The attacker didn’t get through the site’s security system, and no ballots cast by credentialed NDP members were added, subtracted or changed.” It isn’t necessary to actually change ballots at the server. All that is required to threaten a vote’s legitimacy is to make voting inconvenient enough that people decide not to vote. In instances where people had intentionally waited until the convention to vote, and then were disincentivized from voting because of technical security problems, then the attacker successfully compromised some of the vote’s legitimacy.

Now, would the voters that decided not to vote have changed the outcome of the leadership vote? Perhaps not. But the instrumental outcomes of citizens of voting or not voting are beyond the point: casting a ballot is about participating in an electoral system and expressing your preferences for leadership in a responsible and democratic manner. Where citizens or NDP party members are prevented from voting, for whatever reasons, then the democratic, if not the instrumental, outcome and importance of the election is threatened. To preserve a democracy we must focus as much on its mechanisms for guaranteeing democratic legitimacy as the instrumental outcomes (i.e. who is elected) of those electoral processes.

In short,to guarantee legitimacy to a democratic system it doesn’t matter if your preferred candidate doesn’t win. If you’re casting a vote, you’re participating a democratic system and lending legitimacy to the process itself, regardless of the outcome. When you can’t cast a vote then you’re excluded from the system and thus unable to participate in legitimizing the process. Where technical instruments and services – such as online voting – endanger the legitimacy-enabling processes of a democracy, then those technical instruments must be set aside.

The Interview

If you’d like to listen to the 10 minute interview I had concerning online elections – which address divergent, and broader, points than those raised above – then either click on this link to on CKON’s website, or on this local link, to download a copy to your computer or stream it.

Other posts you might be interested in:

1. Online Voting and Hostile Deployment Environments
2. Canadian Sovereignty Online – one year later
3. Review of “Making Technology Democratic” by Richard E. Scolve

Image by pshegub

The Government of Canada has, at least temporarily, backed away from pushing through its tabled lawful access legislation. While many critiques of the legislation abound – some of which I’ve recently noted surrounding warrantless access to subscriber information – there have been limited critiques of the actual financial costs associated with the bill. While some public commentators have suggested that the legislation will threaten small Internet service providers’ financial viability, there has yet to be a formal, detailed, and public financial accounting of lawful access-related costs.

I’m incapable of offering this accounting. The same is true for every other Canadian, whether they are a government bureaucrat, private citizen, corporate agent, or government Minister, because the legislation itself remains murky. Thus, rather than suggest that the legislation will cost X dollars, in this post I outline why people cannot cost out the bill if they solely rely on existing public information.

I begin this post by quickly outlining what the Canadian government suggests that the legislation will cost. Having done so, I move to critique the origins of the government’s numbers. This entails first examining the issue of interception capabilities, second, of storage costs, and third, of the status of Telecommunication Service Providers’ existing lawful access capacities. I conclude by noting the lack of clarity surrounding C-30′s breadth and the need for clarity during the legislative, rather than regulation-setting, stage of the bill’s development.

The Government of Canada’s Estimated Costs

In February 2012, the Canadian government announced that the lawful access legislation would cost roughly $80 million dollars over 4 years, with costs running around $6.7 million/year afterwards. When confronted about the origins – and veracity – of these numbers the Parliamentary Secretary to the Minister of Transport, Infrastructure and Communities asserted that they are based on Bill C-30 as it is written today (video interview). The government’s expected costs stand in contrast to corporations’ estimates, insofar as some members of the Canadian Wireless Telecommunications Association have told their president that costs could run as high as millions of dollars, per member. The government hasn’t disavowed these numbers, with the Minister of Public Safety instead asserting that cost estimates “would be best coming from the internet service providers. I wouldn’t want to presume what it would cost a smaller internet service provider or a larger one. Simply, I don’t know.”

As I will discuss in what follows, Canadians have very good reasons to doubt the estimate that has been provided by the government. This said, Canadians also have good reason to question the figures that companies and industry associations are presently providing. When a piece of surveillance legislation, CALEA, was passed in the United States in the mid-90s, corporations estimated costs at between $3 and $5 billion dollars. The federal government asserted that costs would only be $500 million to $1 billion. A decade later the U.S. Department of Justice, Office of the Inspector General Audit Division, stated that it was skeptical as to whether CALEA’s implementation cost can be determined with any degree of specificity,” whereas industry lowered costs to around $1.3-1.7 billion. Importantly, a full decade later, the Inspector General could not determine actual compliance with CALEA. While the FBI asserted high levels of compliance it lacked an audit structure that could confirm (or refute) the data it presented.

CALEA only applied to some telecommunications companies. Over a decade later full compliance didn’t exist. The Canadian Government is proposing a rapid integration of surveillance equipment into Telecommunication Service Providers’ networks; in 18 months, TSPs operating in Canada are expected to be compliant with the legislation unless granted an extension by the Minister of Public Safety.

Required Interception Capabilities

The present legislation is unclear concerning what, specific, interception capabilities TSPs will be required to implement. In the United States, CALEA was meant to make Internet service providers (ISPs) capable of monitoring 10% of the nation’s telephone lines. The legislation tabled in Canada lacks this specificity. Let’s now turn to consider some elements of the legislation and their associated, potential, costs.

Per section 7, interception equipment must be able to isolate an individual’s data stream. It must also be capable of isolating particular elements of an individuals’ data from the aggregate data that they are transmitting via the TSP. This effectively means that John Doe would have to be picked out of Shaw’s hundreds of thousands of customers and, if required by the authorities, only his Facebook data might be captured amidst all the data transmissions John Doe is involved in. In effect, section 7 requires that interception equipment be capable of targeting specific individuals and specific flows of data. Of concern, however, is the degree of granularity to which subscriber data streams may need to be separated. Will this be at the level of “all Facebook traffic” or “all Facebook traffic communications with X other user,” or some other level of data segregation?

Per section 8, interception capabilities cannot degrade over time. This can lead to costs on the basis that equipment may have to be replaced or upgraded as new means of data obfuscation become more common.

Per section 9, interception capabilities must continue to meet government requirements as a TSP upgrades their service. This includes a TSP expanding their service: if there is a ten-fold increase in subscribers, the TSP will be likely be required to target a similar percentage of their subscriber-base. While the legislation makes note that Section 9 may legally require purchasing more licenses, it fails to note that maintaining interception capabilities may demand entirely new equipment if equipment that was previously purchased can’t scale to the new user base. The implications of this section are manyfold. First, if a startup or company suddenly goes viral, then it has to not just deal with the basic business costs of rapid corporate expansion (i.e. providing the business service to new customers) but also with extensive surveillance-related costs that act as a drag on the business’ bottom line. Second, this section imposes a barrier to innovation in Canada, insofar as next-generation startups and technology entrepreneurs may be motivated to launch their product/service in a nation lacking the proposed surveillance laws and corresponding obligations.

Per section 11, new software that is deployed must remain compliant with interception demands. This means that innovative expansions of service must first meet Canadian surveillance law prior to being made available to customers. While new products and services might be available to non-Canadian customers, there may be delays while licenses, capacities, and so forth are purchased/developed to surveil Canadians. This could threaten digital innovation in Canada and would, one expects, stand in opposition to the government’s oft-promised-but-never-delivered Digital Economy Strategy.

Per section 14, the Minister can order a greater than existing global number of intercepts; the government will either pay the TSP’s costs in upgrading their maximum total possible intercepts or will provide the equipment to the TSP. To clarify: if a TSP was monitoring 5% of its subscriber-base as required by C-30 related regulations, but the government demands that 10% be monitored, then government will pay for, or will provide, the equipment to meet this new global maximum. Thus, even if the initial regulations establish a hard number of minimum and/or maximum intercepts that businesses must be capable of meeting, those costs may not be the ‘final’ costs if the government decides it wants to pay from its own purse for surveillance in excess of ‘normal’ government regulations.

In aggregate, what does this mean? It means that we cannot know costs of this legislation because it’s unclear just how granularly TSPs must segregate their customers’ data for law enforcement/intelligence purposes. Different levels of granularity are accompanied by different levels of expense. If interception cannot degrade over time then TSPs will need to pay to keep pace with next-generation communication standards: they cannot purchase equipment now and rely on it indefinitely. It’s unclear how quickly companies would have to ‘catch up’ to new communications processes and standards.

Requiring new software to be compliant with C-30 increases development costs and could lead to geoblocking Canadians from internationally popular services that do not comply with Canadian surveillance laws. Imagine if Skype and other ‘free’ VoIP clients refused to comply and were consequently barred from the Canadian marketplace: the basic costs of communications throughout Canada would increase, reducing capital that businesses could commit towards innovation, research, and marketing of next-generation products. Finally, the Minister has the right to demand greater-than-required-by-regulation interception capabilities. This prevents any final, definitive, costing because we can never know when the Minister may decide that TSPs must exceed ‘normal’ interception requirements.

Costs of Data Storage

While TSPs are required to develop and maintain interception capabilities under Bill C-30, they are also required to retain or preserve intercepted data if served with a preservation demand. A preservation demand can be issued if an officer has reason to suspect that a crime has been, or will be, committed in Canada. They can also be issued if an officer is working with a foreign government/agency to assist them in identifying/tracking a person who has committed an offence in that foreign jurisdiction. If data is preserved on grounds that it may be related to a Canadian Criminal Code infraction then the TSP must retain data for 21 days; after that time data can expire, or be deleted. In the case of foreign offences, data can be deleted 90 days after the demand is submitted. Officers can establish conditions around the preservation – such as preventing the TSP from disclosing that it has received a preservation demand – and can revoke such conditions at any time.

There are considerable costs associated with preservation demands. Data storage for large firms is expensive, even when they purchase redundant disk space in volume. Unlike a ‘regular’ customer, TSPs are unlikely to purchase hard drives from Futureshop or other popular computer retailer: to meet basic disaster management, recovery, and preservation requirements they will presumably adopt enterprise storage solutions. Such solutions are can be incredibly expensive, in terms of hardware, staff to manage the equipment, service and insurance fees, electrical and housing expenses, and so forth.

Almost unquestionably, C-30 will require TSPs to provision disks to be capable of interception, up the number of interceptions that are set down in the regulations that will follow the bill. Thus, even if TSPs are not actively intercepting/storing data right now, the potential capacity to store that data must exist. At the moment, the government is not specific about what amounts, or types, of data would be subject to intercept. Consequently, any company’s ability to cost potential expenses is nigh impossible: if a TSP is expected store up to 10% of their customers’ communications at any one time, and presently lack a short/medium-term enterprise storage solution that meets this criteria, then new storage solutions must be procured and deployed. Moreover, as more data transits through TSPs’ networks the potential capacity demands will proportionately increase, placing TSPs in a situation where increasing the subscriber base, and speeds of data transit, are accompanied by storage costs that have no inherent value for the company, save for complying with Canadian law.

The need to potentially store large quantities of consumer data, in an era where data usage is exploding, could place incredibly high costs on TSPs if they must maintain data storage capabilities. This said, the government might only be expecting an incredibly tiny number of interceptions at any one time; they might be imagining monitoring less than a hundredth of a percentage point of a TSP’s subscriber base at any particular time. Without knowing the specific interception requirements, or kinds/amounts of data that the government wants TSPs to store when served with a preservation demand, costing data storage expenses is practically impossible.

Existing Corporate Capacities

To evaluate how much interception equipment will cost TSPs depends on clarifying Bill C-30 to understand what the government wants, and doesn’t want, companies to do when intercepting material. Evaluating equipment costs also demands that we, or the government, account for TSPs’ existing interception equipment. Further, we must evaluate whether present equipment must be replaced or scaled to meet lawful access obligations. For large Canadian Internet service providers, it’s possible that they may not need to purchase additional interception equipment. This said, if new government regulations surrounding C-30 are more demanding than present capacities, then large ISPs may be forced to scale existing infrastructures or, if that isn’t possible, adopt new interception processes, practices, and technologies.

While equipment costs are one element of interception- and storage-related costs, we cannot forget that maintaining ‘ever-green’ interception capabilities will require technical training, policy evaluation, and new technologies as dominant data flows (e.g. social network traffic, encrypted and anonymized P2P, TOR traffic, etc) change. Depending on how onerous data flow isolation demands are, deep packet inspection equipment may be (effectively) mandated as a go-to surveillance technology, even for ISPs that have deliberately resisted installing the technologies to date. Even companies that have deployed deep packet inspection systems may need to expand their existing surveillance infrastructures if present capacities cannot intercept and mine the aggregate number of connections that are established, by regulation, after the legislation is passed.

All of this having been written, more than just ISPs may have obligations under by Bill C-30. Non-ISP TSPs may be faced with interception and storage related costs that exceed present demands from law enforcement, and these costs may be out of touch with TSPs’ business practices and models. As a result, services that are offered by TSPs may need to be retrofitted to enable interception and, depending on the nature of any such retrofits, costs may rapidly explode.

In aggregate, what this means is that costing Bill C-30 would require a total understanding of existing interception capacities, as they relate to the regulations that the government will establish following the passage of the Bill. Unless the government has silently canvassed all TSPs that operate in Canada, and has their regulations for the Bill already waiting in the wings, the government cannot legitimately cost out the actual interception costs because they do not comprehensively understand TSPs’ existing interception capacities.

Breadth of C-30

The proposed lawful access legislation threatens to impose surveillance obligations on a vast range of companies and services. TSPs are “a person that, independently or as part of a group or association, provides telecommunication services.” These services are “provided by means of telecommunications facilities” that the provider either “owns, leases or has any other interest in or right respecting the telecommunications facilities and any related equipment used to provide the service.” Such facilities route telecommunications data, which is itself defined as “data related to the telecommunications functions of dialling, routing, addressing or signalling that identifies or purports to identify the origin, type, direction, data, time, duration, size, destination or termination of a telecommunication generated or received by means of a telecommunications facility or the type of telecommunications service used.” Taken together, this will mean that Voice over Internet Protocol (VoIP), social networking services, and all other parties that offer telecommunications services to the public may constitute TSPs for the purposes of this legislation.

It remains unclear how fiercely the Canadian government will require foreign-run services to comply with Canadian law: will Skype need to comply with Canadian regulation? Facebook? The next-generation communications system/service that isn’t yet invented? Will failing to comply mean that the service/company is barred from doing business in Canada? We may discover that, in the regulations phase, certain services are more explicitly exempted or drawn into the framework of this legislation, but the challenge is predicting what might occur at that stage. As it stands, many companies will seemingly be affected by the legislation: how will the government address the almost-certain high levels of non-compliance?

Without fully accounting for who is(n’t) affected by obligations under C-30, it is functionally impossible to predict lawful access’ aggregated costs to businesses, the government, or Canadians. Unless the government has an internal memo stating who is, and isn’t, meant to be targeted by the legislation then it is dubious that any numbers presented by the government, today, are very accurate.

The Need for Clarity in the Legislation

Throughout this post the common thread has been a lack of clarity in the legislation. Canadians, and I strongly suspect the government, cannot evaluate the economic costs of this legislation until there is clear understanding of what are, and are not, the specific obligations imposed on specific industries/companies. Similarly, without knowing just how much data might have to be preserved at any time, the government and corporations cannot estimate the basic costs for data storage. It’s possible that estimated costs might be deferred somewhat because of existing, or latent, interception and storage capacities but if the government’s regulations exceed TSPs’ present interception capabilities then there will be minimal deferrals of cost. Finally, the very breadth of the legislation limits estimates of its fiscal costs.

Given the high levels of ambiguity surrounding the Canadian Government’s lawful access legislation, Canadians are right to be suspicious of the low figure of $80 million dollars. Costs will likely escalate, rapidly, though whether the government or corporations will pay for the heightened expenses is questionable. What isn’t questionable is that Canadians will have to, in aggregate, pay millions or billions of dollars to enhance existing government surveillance capabilities. Such costs are disproportionate with the need of the legislation and, quite likely, will hinder or limit innovation and corporate expansion in Canada.

I suspect that the legislation’s cost cannot be ‘simply’ narrowed to the dimensions of financial or civil rights implications within Canada: costs may also be born out in Canadian businesses’ basic capabilities to compete in a global marketplace, insofar as the government is imposing higher costs on businesses rather than trying to encourage business to move money into innovative ICT strategies that would showcase Canadian talent and expertise. If this is the Canadian digital economy strategy – to handicap Canadian businesses and encourage the adoption of revenue negative ICT surveillance technologies – then the Government of Canada’s legislation will likely hit the mark. If they aim for a different strategy then clarity must be brought to the legislation; such clarity should not be left to the regulation-setting phase of Bill C-30. The Canadian Government has yet to demonstrably provide data to Canadians that breaks down expected lawful access-related costs and we, as Canadian, have a right to know just how much our self-funded surveillance may actually cost us.

Other posts you might be interested in:

1. The Issues Surrounding Subscriber Information in Bill C-30
2. Lawful Access, Its Potentials, and Its Lack of Necessity
3. The Anatomy of Lawful Access Phone Records

Other posts you might be interested in:

1. (Un)Lawful Access: Vancouver Premiere & Panel Discussion
2. (Un)Lawful Access Forum in Ottawa
3. Letter to Stephen Harper on Lawful Access Legislation

Image by Taku

Crossing international borders can be worrying, especially for those carrying confidential or privileged information on their electronic devices. While I’ve seen a variety of documents and advisories explaining how to deal (or not deal) with American border authorities, there hasn’t been what I consider a decent guide for dealing with the Canadian Border Services Agency (CBSA). As of today, this deficit has been significantly remedied.

For the past several months, Greg McMullen has been working on a handbook to help Canadians (and non-Canadians) navigate officials’ demands for electronic devices at Canada’s national borders. The BCCLA has funded his work, and the handbook is intended for educational and discussion purposes; it isn’t intended to replace legal counsel or constitute firm legal advice. The handbook is written for a general audience and does a nice job of walking readers through what rights they enjoy at the border, CBSA policies, best practices, and what to do if you have been subject to a search.

I’d highly recommend the handbook, which is available through the BCCLA and also available for download through my website.

Other posts you might be interested in:

1. Technology Fix: Pocket Mac and Blackberry Devices
2. Solved: Bluetooth Devices Not Connecting to OSX
3. Mobile Security and the Economics of Ignorance

Image by yum9me

The most recent version of the Canadian Government’s lawful access legislation is upon us. The legislation expands the powers available to the police, imposes equipment- and training-related costs on Telecommunications Service Providers (TSPs), enables TSPs to voluntarily provide consumer information to authorities without a warrant, forces TSPs to provide subscriber data without warrant, and imposes gag orders on TSPs who comply with lawful access powers. Economic and civil rights costs are, as of yet, murky. Despite being an extremely lengthy piece of legislation, Bill C-30 lacks the specificity that should accompany serious expansions to Canadian policing and intelligence gathering powers.

In this post, I first outline a ‘subscriber data regime’ to discuss what does – and may – be entailed in accessing Canadians’ subscriber data. Second, I explain how subscriber data can be used for open-sourced intelligence gathering. Third, I argue that an administrative process of expanding subscriber identifiers is inappropriate. Finally, I articulate why warrants are so important, and why court approval should precede access to subscriber data. In aggregate, this post explicates the concerns that many civil advocates, academics, and technical experts have with access to subscriber information, why Canadians should be mindful of these concerns, and why Canadians should rebuff current efforts to expand warrantless access to subscriber information.

Building a Subscriber Regime

The Government of Canada is attempting to create a subscriber data regime. Specifically, the Government is seeking powers that will let authorities collect certain identifiers (prescribed information) and, with those identifiers in hand, force TSPs to disclose names, addresses, phone numbers, and other personal information. Authorities can then link prescribed identifiers to personally identifiable information. This power can, and will, be used to expand the state’s surveillance capacity: such information will not simply provide ‘clarity’ to police about individuals but will enable authorities to more intensely understand the relationships between Canadians. Specifically, the legislation reads:

16. (1) On written request by a person designated under subsection (3) that includes prescribed identifying information, every telecommunications service provider must provide the person with identifying information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address and local service provider identifier that are associated with the subscriber’s service and equipment.

What this means is that after TSPs receive ‘prescribed identifying information’ they will be compelled to  make available a series of data fields. TSPs will need to disclose name, address, telephone number, e-mail address, and the SPIN number along with IP address. At this stage, we do not know what ‘prescribed information’ encompasses; the definition for this term will be developed after legislation is passed. While this is not unusual for government legislation – it is, in fact, the norm for regulations to ‘spell out’ what legislation practically means – it is deeply concerning with regards to surveillance legislation. In essence, deferring what constitutes ‘prescribed identifying information’ to the regulation phase prevents citizens from knowing what identifiers the state wants to use to track and identify citizens. Presumably authorities would be able to approach a TSP with the subscriber information TSPs are themselves required to disclose (e.g. email, IP address, name, etc) in order to add to the amount of subscriber information held by authorities. In addition, however, authorities could approach TSPs with other technical numbers and identifiers that are embedded in the devices we use so long as they are defined as ’prescribed identifying information’. In this scenario, authorities would link identifiers not mentioned in the legislation to subscriber data: the data records associated with subscriber profiles developed by authorities thus can be expected to far exceed the six identifiers specifically noted in the legislation.

To make this more concrete, let’s turn to the IMSI numbers associated with each mobile phone. If authorities approach your mobile phone provider with the IMSI number associated with your device (presuming that an IMSI number was amongst the ‘prescribed identifying information’) the provider would be legally required to provide your subscriber information. If authorities came with a phone number and demanded subscriber information associated with the phone number the IMSI number would not be amongst the data your phone provider would be compelled to disclose. While this is a step in the right direction – IMSI numbers were included amongst the subscriber information that would have been disclosed under previous versions of the lawful access legislation – this step doesn’t preclude authorities from capturing your IMSI as a means of identifying you. IMSI catchers can capture these unique mobile identifiers. Such devices ”establish false mobile phone towers for the purpose of monitoring and tracking mobile phones without their users’ awareness” and are used by American law enforcement and intelligence agencies to monitor and track citizens. Given that phones have almost become fetishes for most of the Canadian public, insofar as they are persistently carried on one’s person and jealously protected from third-party intrusions,

the ability to ascertain who owns, and is using, a particular mobile device is far less ambiguous than who subscribes to, and uses, a landline phone. Using contemporary policing technologies such as IMSI catchers, authorities can de-anonymize a crowd by catching the IMSI associated with each phone and immediately requesting subscriber data from mobile phone providers. While it may not be legal for authorities to engage in ruses to compel individuals to identify themselves when those individuals have done nothing wrong, with IMSI catchers no ruse is needed for the identification process to occur. The term “papers please” is a distinctly analogue notion, one that can be abandoned by authorities in possession of IMSI catchers and lawful access powers (Source).

As the lawful access legislation has been presented to Canadians we cannot state that the door is closed to law enforcement using IMSI catchers to gather unique identifying information. In fact, it is highly likely that the removal of key mobile identifiers is meant to ensure that authorities have first collected these numbers before being able to compel subscriber information from TSPs. The removal of IMSI numbers, amongst others, then cannot be understood as a ‘privacy protective’ measure. Instead, there simply isn’t a great value in preemptively possessing the IMSI, IMEI, or other mobile-related identifiers.

The significance of not knowing what constitutes prescribed information cannot be overstated: it means that Canadians are ignorant of existing identifiers that authorities want to use to unmask individuals online, and in the physical world. Moreover, it means that experts and the public alike cannot predict how the state will expand the subscriber regime as novel technologies are developed and deployed. While certainly true that many Canadians may not appreciate the role of identifiers, and their linkage with individual behaviours, this shouldn’t stand as a reason for the government to hide what identifiers it wants to use to deanonymize individuals. Only when technical experts know which identifiers interest the government can they offer thoughts and warnings about how those identifiers can – and likely will – be used by law enforcement and Canadian intelligence.

IMSI catchers are an issue today but, as technology advances, new identifiers that enable novel tracking and surveillance capacities will emerge. This means that an unfolding regime of subscriber data may develop: this will constitute a system of ever-increasing unique identifiers that, on their own, are not necessarily revealing until aggregated with additional subscriber information and open-source intelligence. How this regime will expand is thus contingent on both what systems and codes are associated with ‘prescribed identifying information’ and how subscriber data and prescribed identifiers are used by authorities.

Using Subscriber Data

Government and police briefings concerning access to subscriber data have left the the Canadian public with more political spin than technical fact. I want to fill this absence by providing some of the facts that authorities have not provided to Canadians. Specifically, I touch on the mass automation of contemporary surveillance operations, the types of TSPs that may be compelled to provide information and the implications of such disclosures, and the usage of subscriber data (when combined with open source data) to create relational information graphs that identify links between Canadians, the power structures between dialogical and associative partners, and the significance of graphing this information.

Police chiefs have, along with the government, insisted that Bill C-30 does not include provisions for warrantless access to the content of communications. They are absolutely correct: this legislation will not let the authorities snoop through your email, SMS messages, or other electronic communications to read the content of the communication without a warrant.

What the government, and its officials, have been less open in saying is this: most contemporary policing and intelligence gathering does not begin with wiretaps or interception and analysis of the contents of communications. No, it is the patterns of communications, the individuals you communicate with, and the frequency of communications that are most important in the preliminary stages of professional intelligence gathering. In an era of social networking, public communication on news websites, and prominent use of Internet forums to talk about specific (and often sensitive/politically charged) topics there is less and less need for police to obtain warrants to develop preliminary profiles on Canadians.

So, what does it mean if the authorities gain access to some of your subscriber data? In what follows, I offer a handful of examples to underscore the potential ways that the subscriber elements the government is interested in might be used.

1. Wikipedia/website activity: If you are not a registered member of Wikipedia, then the edits and content additions you contribute are publicly tagged to your IP address. This IP address is publicly searchable. The public attachment of the address is meant to identify you across the site and establish some level of accountability for even anonymous Wikipedians. While such accountability is useful to identify and stymie ‘bad editors’ it can also be used to monitor Canadian citizens’ activities on Wikipedia. Why is this significant? Imagine that your IP address has been turned over by a web forum that predominantly communicates about your local Occupy movement. With the IP in hand, the authorities (a) go to your ISP to identify you as an individual; (b) identify that on Wikipedia you have been editing articles on firebombs, chemical explosives, anarchism, black block tactics, and academic freedom. While this might suggest that you are ‘of interest’ to police – and thus worth monitoring, if not charging with a specific criminal offence – it might mask the truth that you are really a graduate student who is a subject matter expert on militant advocacy in Canada. You’ve been profiled based on actions online, with certain conclusions derived from your online behaviour that would not bear out were you subject to a specific investigation. While some of the confusion might ‘work itself out’ in a court process, should you simply be monitored this profile could develop and build over time. This inappropriate characterization could lead to serious life consequences as the hidden profile influences your relations with the state over months or years.
2. P2P leaks: When individuals in Canada connect to a P2P sharing service they will typically reveal their IP address to other sharing partners. Some of this information has been aggregated online, enabling law enforcement to retroactively check whether your IP address is linked with the transfer of copyrighted materials. From this it is possible to link individuals to certain profiles based on their viewing habits; large companies specialize in segmenting markets to understand the psychographic profiles of audience members. (Alternately, authorities could monitor P2P services for particular files – perhaps a popular new movie – and, with the IP address in hand, deanonymize an individual to bring copyright infringement charges to bear.) Combined with other information obtained through open-source intelligence the authorities may derive insights into your personality – and add that to a police-owned profile – that historically would have been challenging (if not impossible) to assemble.
3. Geolocation: While authorities lack GPS-level geographic information when they request IP address information, they can identify the general geographic region that a person is operating from. While there are technologies that will obfuscate this level of geographic surveillance, and while IP-based geolocational awareness has limitations, these weaknesses do not prevent authorities from provisionally integrating geographic information with IP-based subscriber data. While some TSPs may have your full contact information for billing purposes (e.g. your ISP will have a full home address to send you bills each month) others, such as Facebook, Google, or prominent Web forums, likely will not. Consequently, while these latter TSPs cannot precisely identify your location they can make available sufficient information to narrow the physical search parameters.
4. Pairing of associations: Assuming that the authorities have an IP address, they may then turn to TSPs such as Twitter and Facebook to verify or flesh out other subscriber data they have collected. The issue, however, is as follows: If multiple people share the same IP address – perhaps because a variety of individuals in an apartment share a common wireless router – then authorities will not just learn about person X that they are interested in, but also about persons A, B, C, and D who have logged into the same social networking sites with different credentials but the same IP address. This can have the effect of drawing together a host of subscriber records that would not be available when ‘just’ going to an ISP, where there might only be a single account holder. Moreover, where person X is suspected of some crime – and thus has a negative intelligence or policing profile – being associated with that person could be detrimental to persons A, B, C, and D, who may have no significant relationship to person X. Nevertheless, A through D may now fall within the auspice of the investigation and have their own subscriber information collected as part of ‘routine’ intelligence gathering in the lead up to either a policing or national-security driven action.
5. Institutional associations: Where you are using an IP address, or email account, that is associated with a particular institution then more is revealed than ‘just’ the identifier itself. Instead, what is revealed is a (semi-)unique identifier plus a link between that identifier, available subscriber information (perhaps including telephone number and address), and potentially a place of work or organization that the individual is associated with. Thus, the email account or IP block that an individual is associated with can carry a wider breadth of information than may be initially apparent from the legislation itself: while some people may have a hotmail account and browse the Internet from public libraries (which may obfuscate organizational ties somewhat), for people who register for Internet services using organizational email accounts (e.g. XXX@uvic.ca, or YYY@IBM.co.uk) or IP space assigned through their organization/employer, then authorities may learn substantially more than ‘basic’ subscriber information. Remember that the information in the phone book lacks awareness of where you work or what organizations you are associated with: the same cannot necessarily be said of the identifiers the government is after in Bill C-30.
6. Confusing common sources: If your IP address, email, or other identifying information can be linked with pseudonyms that a person uses online then it becomes possible to monitor the Web for every instantiation of that pseudonym. Of course, there are problems where different people use common pseudonyms; a historical search could aggregate the different uses of the pseudonym into a common profile or record. This may contaminate the inferences that can be derived, both in terms of the content of the open-sourced communication (i.e. public forum posts) and in terms of evaluating who the pseudonym is associated with (i.e. Usage A of the pseudonym may be linked with soccer moms, whereas Usage B may be linked with Al-Qaeda sympathizers). Either machine-based or human-based oversight would then be required to ascertain whether the common pseudonym is used by different entities and, if so, to disassociate the information into separate profiles to avoid inappropriately confusing inferences.

As should be evident, the information that the government is interested in does not simply clarify small bits about you, but instead can be leveraged to extend and enhance ‘open source’ means of profiling individuals. Effectively, it will be used with other available information to reveal core elements of Canadians’ biographical lives.

While law enforcement has indicated that access to subscriber information would largely be used to resolve ‘serious’ cases, Professor Geist has documents indicating that this stated position is disingenuous. Specifically, law enforcement has been prevented from getting subscriber records where no crime was clearly committed as well as in cases where authorities wanted access to the information to return stolen property. In the former case, the government should not have gotten access to the subscriber information on the basis that there was no significant grounds under which authorities should have had access to the data. As for the latter example, I suggest that while returning stolen property is part of the duty of law enforcement, where the powers to carry out that duty excessively infringe on civil liberties then our liberties ‘trump’ making officers’ duties easier.

One thing that various police chiefs have stated in press briefings is that analyzing subscriber information is not simple or fast. They equate accessing and tracking IP addresses to accessing and monitoring license plates. Such equivocations are highly disingenuous because they are predicated on Canadians not understanding the nature of contemporary IP address and license plate surveillance technologies. In terms of license plates, police forces around Canada are trialling Automatic License Plate Recognition (ALPR) systems. ALPR systems can capture and map thousands of license plates per hour, far in excess of what a human officer could identify and track. The historical method of surveilling vehicles’ plates – where an officer themselves looks at a plate and, from there, evaluates whether the vehicle is of interest – is receding behind us and is being replaced with a system of widespread, ubiquitous surveillance.

Just as technical infrastructures are arising to monitor, map, and data mine license plate movements, similar technologies exist to massively search the Internet for items related to IP addresses, pseudonyms, email accounts, and names that are of interest to authorities. While particularly impoverished policing bodies may have to manually look up IP addresses, email accounts, and so forth, well resourced organizations will not be similarly handicapped. The technologies that will facilitate this automated massive surveillance are not distant or near-future technologies: the equipment, systems, and services are already available for purchase, and in use, by government agencies in the United States and further abroad.

Information collected about particular subscribers will not necessarily be held in isolation of other subscribers’ information; contemporary intelligence and policing investigations rely on the ability to map relationships, identify key hubs of communications networks, and ascertain power relationships between associated individuals and organizations (Danezis and Clayton 2008). Companies like Amesys and Siemens (amongst a host of others) already provide services and systems that automatically develop relationships between tracked individuals. With the addition of open-source intelligence from social networks and the web generally authorities can develop rich profiles on individuals and the groups they associate with. Such ‘social network analysis’ enables authorities to identify relationships and organizations before the individuals who are themselves communicating and associating with one another come to the realization they compose an organization (Strandburg 2008). This is a significant predictive capability. Moreover, the challenge in systematically picking terrorists and similar rare, though high profile, criminals out of the noise of the Internet is suggestive that social analysis tools will be used where they are more accurate: where there is a broader understanding of communications between individuals involved in more common, and less serious, criminal activities. In effect, pot growers should fear the automated surveillance capabilities that Bill C-30 may promote instead of  potential terrorists.

Administrative versus Legislative Surveillance

While lawful access legislation is presently before parliamentarians, the key elements of the bill will be developed during a regulation process. As noted previously, this is normal for most legislation, insofar as corporations and individuals alike need to know how legislation is practically meant to be implemented. What remains unclear is just what constitutes ‘prescribed information’ or the rate at which new data fields may be added to the initial list. Canadian citizens need to know this information because, without it, we cannot ascertain what methods the police are likely using to surveil the Canadian public. While I don’t need to know that authorities are(n’t) using IMSI catchers in particular, I can derive that insight if part of the prescribed information includes IMSI numbers. Similarly, if some of the prescribed information includes Twitter account numbers, Facebook identifiers, BBM codes, or other identifiers then I can ascertain the means of government surveillance and which TSPs the government is likely going to for subscriber information.

A citizenry has to know what the government is surveilling in order to make a judgement about the appropriateness of the surveillance. Democratic bodies are dependent on free speech and freedom to associate with individuals in order to engage with controversial ideas that may, eventually, be adopted by the public at large. In an era where the Canadian Government identifies environmental, native, and other advocacy and dissident groups as ‘extremist’ – and where these groups’ projects advance environmental responsibility, compliance with human rights, and governmental transparency – we must know what the government’s agents are doing to track, trace, and monitor citizens who most need protection from their own government. While the aims of these groups and organizations may not always (or even often) resonate with many Canadians, they should not be prejudicially profiled and targeted by authorities simply for exercising basic rights of speech, association, and engaging in peaceful civil disobedience.

In contrast, legislative surveillance extensions would constitute public extensions of authorities’ powers; all citizens (and residents of Canada generally) can know about new surveillance powers on the basis of what is declared in a new law or amendment that is tabled in the parliament. Administrative surveillance that is dependent on a regulatory process is far less transparent, and far less likely to be known to the public or to the groups most concerned about unjust, discriminatory, surveillance practices and tactics. In the US we see authorities creep forward with new means of surveilling the public, often in contravention to public norms or interests. We should set aside administrative extensions of subscriber information and instead require that extensions be tabled and debated in parliament. Such public transparency would prevent either government or Canadian authorities from subtly or secretly extending the range of identifiers that would subsequently be used to access Canadians’ personal information that is held by TSPs.

Importance of Warrants

Many of the concerns surrounding subscriber data, and its uses, might be managed were access to subscriber data linked with strong judicial oversight. Unfortunately, the government  insists that subscriber information is not particularly sensitive and, in light of claimed (though not substantiated) problems in accessing subscriber data, has decided that warrantless access is appropriate. This position is problematic for two reasons: first, it will lead to retroactive bias confirmation and, second, it removes a critical check for intelligence gathering operations.

To begin, warrants limit police power and discretion, and they also have the effect of limiting hindsight confirmation. Police and intelligence officers have considerable powers in excess of what ‘normal’ citizens enjoy: authorities can detain, injure, or otherwise harm Canadians in ways that are typically illegal. Warrants force law enforcement to believe that the application of their special powers merits the overhead associated with exercising them. In effect, warrants add a level of friction to the process of evidence and intelligence collection by forcing officers to consider the relative value of the search or intelligence gathering action in relation to the resources expended in filling out a warrant request.

Moreover, the warranting process means that police cannot exercise their powers based on hunches. When police request a warrant they are stating to a judge that there is a reasonable expectation of X and that, to prevent or respond to X, they require the power to access subscriber information. A judge looks at that request and balances whether it is valid given the evidence that the authorities have assembled to date. Prior to collecting some evidence to present to a judge, a hunch is typically insufficient to convince a justice that search or access powers are appropriate. The issue, however, is that when you know something in hindsight (i.e. Person A was selling narcotics) you are likely to state that this something was what provoked the search/access to subscriber data in the first place (Solove 2011). Warrants prevent such post-hoc justifications. They force authorities to collect evidence and to be held accountable before they use subscriber data to aggregate information and build profiles on Canadian citizens.

In cases where subscriber data is being accessed for intelligence, rather than investigative, purposes it is particularly important that oversight exists at the outset of the data collection. While police may be challenged over their collection of information if subscriber data is brought to court – perhaps on grounds that the reasons to collect the data were insufficient (though this is unlikely given the grounds under which authorities can collect subscriber information under this legislation) – intelligence bodies that may never take direct action on information gathered are unlikely to be similarly challenged. Intelligence organizations, then, may develop profiles and relationship maps that link Canadians without affected individuals ever knowing that these profiles and relational mappings are responsible for difficulties at borders or when applying for sensitive jobs.

Moreover, Canadians cannot be certain that the profiles which lead them to experience difficulties are fair or accurate representations. It’s entirely possible that a poor analysis, or inappropriate profiling, that has been linked to a initial terror or criminal investigation could lead to Canadians suffering significant hardships. At issue is the inability to question or know about the source of the problem; in essence, it’s the problem of creating a Kafkaesque surveillance environment. With judicial approval there is at least the potential for overzealous intelligence gathering to be narrowed and restrained at the outset of an investigation. This potential is largely extinguished if judicial oversight is not added into Bill C-30′s subscriber data provisions during the amendment-setting stage.

Conclusion

I hope that it has become apparent that warrantless access to subscriber information is a very significant, and serious, matter. It is true that the information on its own, from a single TSP, provides limited insight into any Canadian’s biographical core. However, when subscriber data is integrated with information from across the web and other data sources (e.g. driving records, CPIC, border databases, etc) it becomes clear how these basic identifiers can catalyze citizen profiles. It should be clear that the warrantless facets of the legislation are deeply concerning and indicate a basic failure on the part of the government to recognize the social value of warrants. Moreover, the potential to expand what constitutes identifiers under administrative rather than legislative grounds raises the prospect of surveillance creep over time.

Canadian police chiefs have insisted that Canadians should celebrate C-30 because the legislation will make police accountable for the reams of subscriber information they have been semi-secretly accessing for years. I say that this ‘audit by legislative hostage taking’ is inappropriate: if Canadian policing bodies have been collecting this data, then they should make it available to Canadians. Citizens have a right to understand how police have conducted surveillance in this country, and police have no right to insist that minimal levels of transparency into their practices are contingent on the public expanding the authorities’ powers. Were police serious about becoming transparent they would not only be pushing for strong third-party audits of their access to subscriber data, but would be howling for the government to include a disclosure clause. Such a clause could require the same third-party auditor to notify each Canadian whose subscriber information was accessed by authorities. This notification could occur either after the investigation had concluded or after 1 year if no investigation was pending. To date, no federal politician or law enforcement official has come out for such strong disclosure requirements.

Further, Canadian police and our elected officials have failed to provide a rationale for this legislation beyond a handful of scare stories. On the one hand we are told of the number of times police are accessing subscriber data, but on the other we are not given data that would let us audit or confirm police statements that 5% of requests for subscriber data are rebuffed by TSPs. Citizens in a democracy do not have to trust the police nor the government: it is for this reason that good democracies retain potent ATIP, FOI, and other disclosure mechanisms to prevent authorities and the government from acting against the interests of the population. While the authorities certainly have a difficult job and we may want to trust them, there is no reason why we should have to trust them. Even more critically, when a nation is debating significant expansions to policing capabilities the citizens absolutely need not trust the authorities. In such cases, the public deserves raw data so they can evaluate it and thus indicate to their representatives whether they support or oppose the extension of powers. Canadian police and the government are failing their constituents and stakeholders by refusing to make available this information.

Police and intelligence bodies have challenging jobs, jobs made harder with the advent of digital systems and the preponderance of communications platforms, networks, and protocols. Canadians should be proud that, despite these challenges, our police are stopping terrorists and catching the child pornographers who reside in our nation. If new resources are genuinely required then the authorities should be permitted to make their case, but they should be required to make it by providing clear empirical data, and by proposing legislation that works as a scalpel to address their problems, rather than demanding the equivalen fo legislative chainsaws and sledgehammers to address isolated and specific difficulties. Canadians are not opposed to the police conducting their business and keeping us safe but do require evidence-based policy proposals rather than proposals based on rhetoric and fear mongering. We have yet to see the government or authorities engage in a substantive discussion about why authorities genuinely need of many of the powers in C-30. Until our representatives come forward with evidence supporting these new powers, the Canadian public should oppose efforts to needlessly expand authorities’ powers, especially given that these powers threaten the core civil rights that undergird our democracy.

Text References + Bibliography:

G. Danezis and R. Clayton. (2008). “Introducing Traffic Analysis,” in A. Acquisti et al. (eds). Digital Privacy: Theory, Technologies, and Practices. New York: Auerback Publications. Pp. 95-116.

W. Diffie and S. Landau. (2007). Privacy on the Line: The Politics of Wiretapping and Encryption (Updated and Expanded Edition). Cambridge, Mass.: The MIT Press.

G. Elmer. (2004). Profiling Machines: Mapping the Personal Information Economy. Cambridge, Mass.: The MIT Press.

D. Solove. (2004). The Digital Person: Technology and Privacy in the Information Age. New York: New York University Press.

D. Solove. (2011). “The Suspicionless-Searches Argument,” in D. Solove. Nothing to Hide: The False Tradeoff between Privacy and Security. New Haven: Yale University Press. Pp. 123-133.

J. J. Strandburg. (2008). “Surveillance of Emergent Associations: Freedom of Association in a Network Society,” in A. Acquisti et al. (eds). Digital Privacy: Theory, Technologies, and Practices. New York: Auerback Publications. Pp. 435-457.

Other posts you might be interested in:

1. Unpacking the Potential Costs of Bill C-30
2. Privacy Issues Strike Street View (Again)
3. The Anatomy of Lawful Access Phone Records

Photo by The Planet

Lawful access legislation is upon Canadians. Introduced by Minister Toews as ‘with the government or with the child-pornographers’ legislation, lawful access will radically expand the scope of Canadians’ personal information that government authorities can collect without a warrant. Personal information would be turned over to the government under new powers regardless of whether an individual’s actions had violated the Criminal Code. Lawful access powers will be granted to formal policing organizations, including municipal, provincial, and federal police, to Canada’s spy agency, CSIS, and to the Competition Bureau. Since the legislation has been tabled, media and experts alike have been scratching their heads to understand the significance of changes between the previous and current versions of the bill. In a subsequent post, I’ll be writing about how the delimited subscriber information fields that authorities want to access is excessive, and I will demonstrate how these fields will be used and can be abused.

In this post, however, I am taking a step back from the legislation proper. Rather than talk about lawful access, I want to make available a book chapter, written for the Canadian Centre for Policy Alternatives, that unpacks some of the surveillance capacities within Canada’s current telecommunications networks. The chapter, titled “Is Your ISP Snooping On You?” (.pdf) first appeared in The Internet Tree: The State of Telecom Policy in Canada 3.0. Specifically, the chapter focuses on a technology that is popularly called ‘deep packet inspection.’ Canadian network agents, such as Internet Service Providers, have deployed these technologies to manage their networks, throttle some kinds of data traffic (e.g. P2P file sharing-related traffic), and track subscriber usage of the networks. This same technology, however, has significant privacy and surveillance implications, insofar as it examines the depths of a data transmission: it is the metaphorical equivalent of not just looking at a postcard, but examining the photo and colour of ink on the postcard to make decisions about how to deliver/treat the message on the card. It is with these network-based technologies in mind that we should reflect on the significance of expanded police access to digital transmissions.

Why is deep packet inspection significant? Because lawful access in Canada might be understood as ‘level one’ of a three-stage surveillance process. The United Kingdom is arguably at ‘level two’ at the moment, on the basis that it possesses an embedded surveillance culture and infrastructure that sees over half a million requests for ‘transactional’ (i.e. everything but the words/pictures of a postcard) data each year. The third level, also being contemplated in the UK, would see deep packet inspection devices repurposed/installed by law enforcement and national security organizations to monitor, mine, and mediate data transmissions between UK citizens in near-real time. Canada isn’t at level three – we’re not even at level two just yet – but our ISPs have experience with embedding technologies that make level-two and -three scenarios possible. Thus, to understand the potential surveillance trajectory associated with lawful access, Canadians must understand existing Canadian network configurations to recognize that this legislation is the first of many stages, and question whether we really want to start down this path in the first place.

Download a copy of “Is your ISP Snooping On You” (.pdf)

Other posts you might be interested in:

1. Publication: Is Your ISP Snooping On You?
2. Publication: (Un)Lawful Access, Its Potentials, and its Lack of Necessity
3. Announcement: Lawful Access Report Now Available

Image by AJ Cann

Last year the British Columbia Civil Liberties Association (BCCLA) approached me to prepare a report around forthcoming lawful access legislation. Specifically, I was to look outside of Canada to understand how lawful access powers had been developed and used in foreign jurisdictions. An early version of that research report was provided to the BCCLA mid-last year and was used to support their recent, formal, report on lawful access legislation. The BCCLA’s formal report, “Moving Towards a Surveillance Society: Proposals to Expand “Lawful Access” in Canada” (.pdf) provides an excellent, in-depth, analysis of lawful access that accounts for some of the technical, social, and legal problems associated with the legislation.

Today I am releasing my report for the BCCLA, titled “Lawful Access and Data Preservation/Retention: Present Practices, Ongoing Harm, and Future Canadian Policies” (.pdf link). I would hasten to note that all research and proposals in my report should be attributed to me, and do not necessarily reflect the BCCLA’s own positions. Nothing in my report has been changed at the suggestion or insistence of the BCCLA; it is presented to you as it was to the BCCLA, though with slight updates to reflect the status of the current majority government.

In the report, I look to the United Kingdom and United States to understand how they have instantiated lawful access-style powers, the regularity of the powers’ usage, and how the powers have been abused. I ultimately conclude by providing a series of proposals to rein in the worst of lawful access legislation, which includes process-based suggestions (e.g. Parliamentary hearings on the legislation) and more gritty auditing requirements (e.g. a specific series of data points that should be collected and made public on a yearly basis).  It’s my hope that this document will elucidate some of the harms that are often bandied about when speaking of lawful access-powers. To this end, there are specific examples of harms throughout the document, all of which are referenced, with the conclusion being that citizens are not necessarily safer as a result of expanded security and intelligence powers that come at the cost of basic charter, constitutional, and human rights.

Download .pdf version of “Lawful Access and Data Preservation/Retention: Present Practices, Ongoing Harm, and Future Canadian Policies“

Other posts you might be interested in:

1. (Un)Lawful Access Forum in Ottawa
2. Publication: (Un)Lawful Access, Its Potentials, and its Lack of Necessity
3. Letter to Stephen Harper on Lawful Access Legislation

Photo by Kirk Lau

Last year a group of academics, technologists, and members of the public sent a public letter (.pdf) to the Canadian Internet Registration Authority (CIRA), Canadian Radio-television Telecommunications Commission (CRTC) and Canadian Parliament. The letter raised concerns in light of the US government’s unilateral pre-trial domain seizures. Specifically, we asked that these institutions develop a plan by December 31, 2011 that would ensure that Canadians would retain a right to self-determination when it comes to digital policy; we wanted these bodies to plan how to limit the harms generated by US domain seizures of web properties.

To date we have not formally heard from any of these institutions. Unfortunately, domain seizures and US digital imperialism has gotten worse, not better, in the interim. In response, a group of us associated with Digital Policy Canada have prepared another public letter for CIRA’s Canadian Internet Forum. It is titled, “Canadian Sovereignty Online – one year later,” (.pdf) and in the letter we argue that Canadian domains could be seized by the American government on copyright infringement grounds, even if a Canadian were legally (under Canadian law) making content available.

To achieve digital autonomy – and thus defend Canada’s sovereign rights – we believe that CIRA should embark not only on policy development, but also technical development of tools that can protect Canadian interests when they are challenged. We also believe that CIRA should invest in educational processes to raise awareness about the threats and challenges facing the contemporary Internet and DNS ecosystem. Such a three-pronged effort would entrench and support national self-determination surrounding sovereign digital policy actions, while also educating Canadians about digital sovereignty. In aggregate, these efforts will serve to protect Canada’s long-term cultural, economic, and political interests, and we maintain that the means of doing so are within CIRA’s organizational mandate.

Click here to download a full copy of the public letter (.pdf)

Other posts you might be interested in:

1. Online Voting and Hostile Deployment Environments
2. The Danger Online Voting Poses to Democratic Legitimacy
3. Towards Progressive Internet Policy in Canada

For more information about the event, see Unlawfulaccess.ca, and register for the event on Facebook. You can also download/print/share copies of the poster for the event. This will be a really great event, and the mixture of formally separated technical and political panels should do a great job in outlining the range of issues that lawful access legislation touches upon.

Other posts you might be interested in:

1. (Un)Lawful Access Panel at University of Victoria
2. Announcement: Lawful Access Report Now Available
3. (Un)Lawful Access: Vancouver Premiere & Panel Discussion