The Issues Surrounding Subscriber Information in Bill C-30

SIMThe most recent version of the Canadian Government’s lawful access legislation is upon us. The legislation expands the powers available to the police, imposes equipment- and training-related costs on Telecommunications Service Providers (TSPs), enables TSPs to voluntarily provide consumer information to authorities without a warrant, forces TSPs to provide subscriber data without warrant, and imposes gag orders on TSPs who comply with lawful access powers. Economic and civil rights costs are, as of yet, murky. Despite being an extremely lengthy piece of legislation, Bill C-30 lacks the specificity that should accompany serious expansions to Canadian policing and intelligence gathering powers.

In this post, I first outline a ‘subscriber data regime’ to discuss what does – and may – be entailed in accessing Canadians’ subscriber data. Second, I explain how subscriber data can be used for open-sourced intelligence gathering. Third, I argue that an administrative process of expanding subscriber identifiers is inappropriate. Finally, I articulate why warrants are so important, and why court approval should precede access to subscriber data. In aggregate, this post explicates the concerns that many civil advocates, academics, and technical experts have with access to subscriber information, why Canadians should be mindful of these concerns, and why Canadians should rebuff current efforts to expand warrantless access to subscriber information.

Continue reading

Is Your ISP Snooping On You?

The Planet Data CenterLawful access legislation is upon Canadians. Introduced by Minister Toews as ‘with the government or with the child-pornographers’ legislation, lawful access will radically expand the scope of Canadians’ personal information that government authorities can collect without a warrant. Personal information would be turned over to the government under new powers regardless of whether an individual’s actions had violated the Criminal Code. Lawful access powers will be granted to formal policing organizations, including municipal, provincial, and federal police, to Canada’s spy agency, CSIS, and to the Competition Bureau. Since the legislation has been tabled, media and experts alike have been scratching their heads to understand the significance of changes between the previous and current versions of the bill. In a subsequent post, I’ll be writing about how the delimited subscriber information fields that authorities want to access is excessive, and I will demonstrate how these fields will be used and can be abused.

In this post, however, I am taking a step back from the legislation proper. Rather than talk about lawful access, I want to make available a book chapter, written for the Canadian Centre for Policy Alternatives, that unpacks some of the surveillance capacities within Canada’s current telecommunications networks. The chapter, titled “Is Your ISP Snooping On You?” (.pdf) first appeared in The Internet Tree: The State of Telecom Policy in Canada 3.0. Specifically, the chapter focuses on a technology that is popularly called ‘deep packet inspection.’ Canadian network agents, such as Internet Service Providers, have deployed these technologies to manage their networks, throttle some kinds of data traffic (e.g. P2P file sharing-related traffic), and track subscriber usage of the networks. This same technology, however, has significant privacy and surveillance implications, insofar as it examines the depths of a data transmission: it is the metaphorical equivalent of not just looking at a postcard, but examining the photo and colour of ink on the postcard to make decisions about how to deliver/treat the message on the card. It is with these network-based technologies in mind that we should reflect on the significance of expanded police access to digital transmissions.

Why is deep packet inspection significant? Because lawful access in Canada might be understood as ‘level one’ of a three-stage surveillance process. The United Kingdom is arguably at ‘level two’ at the moment, on the basis that it possesses an embedded surveillance culture and infrastructure that sees over half a million requests for ‘transactional’ (i.e. everything but the words/pictures of a postcard) data each year. The third level, also being contemplated in the UK, would see deep packet inspection devices repurposed/installed by law enforcement and national security organizations to monitor, mine, and mediate data transmissions between UK citizens in near-real time. Canada isn’t at level three – we’re not even at level two just yet – but our ISPs have experience with embedding technologies that make level-two and -three scenarios possible. Thus, to understand the potential surveillance trajectory associated with lawful access, Canadians must understand existing Canadian network configurations to recognize that this legislation is the first of many stages, and question whether we really want to start down this path in the first place.

Download a copy of “Is your ISP Snooping On You” (.pdf)

Announcement: Lawful Access Report Now Available

SpiesLast year the British Columbia Civil Liberties Association (BCCLA) approached me to prepare a report around forthcoming lawful access legislation. Specifically, I was to look outside of Canada to understand how lawful access powers had been developed and used in foreign jurisdictions. An early version of that research report was provided to the BCCLA mid-last year and was used to support their recent, formal, report on lawful access legislation. The BCCLA’s formal report, “Moving Towards a Surveillance Society: Proposals to Expand “Lawful Access” in Canada” (.pdf) provides an excellent, in-depth, analysis of lawful access that accounts for some of the technical, social, and legal problems associated with the legislation.

Today I am releasing my report for the BCCLA, titled “Lawful Access and Data Preservation/Retention: Present Practices, Ongoing Harm, and Future Canadian Policies” (.pdf link). I would hasten to note that all research and proposals in my report should be attributed to me, and do not necessarily reflect the BCCLA’s own positions. Nothing in my report has been changed at the suggestion or insistence of the BCCLA; it is presented to you as it was to the BCCLA, though with slight updates to reflect the status of the current majority government.

In the report, I look to the United Kingdom and United States to understand how they have instantiated lawful access-style powers, the regularity of the powers’ usage, and how the powers have been abused. I ultimately conclude by providing a series of proposals to rein in the worst of lawful access legislation, which includes process-based suggestions (e.g. Parliamentary hearings on the legislation) and more gritty auditing requirements (e.g. a specific series of data points that should be collected and made public on a yearly basis).  It’s my hope that this document will elucidate some of the harms that are often bandied about when speaking of lawful access-powers. To this end, there are specific examples of harms throughout the document, all of which are referenced, with the conclusion being that citizens are not necessarily safer as a result of expanded security and intelligence powers that come at the cost of basic charter, constitutional, and human rights.

Download .pdf version of “Lawful Access and Data Preservation/Retention: Present Practices, Ongoing Harm, and Future Canadian Policies

Canadian Sovereignty Online – one year later

internet down :(  Last year a group of academics, technologists, and members of the public sent a public letter (.pdf) to the Canadian Internet Registration Authority (CIRA), Canadian Radio-television Telecommunications Commission (CRTC) and Canadian Parliament. The letter raised concerns in light of the US government’s unilateral pre-trial domain seizures. Specifically, we asked that these institutions develop a plan by December 31, 2011 that would ensure that Canadians would retain a right to self-determination when it comes to digital policy; we wanted these bodies to plan how to limit the harms generated by US domain seizures of web properties.

To date we have not formally heard from any of these institutions. Unfortunately, domain seizures and US digital imperialism has gotten worse, not better, in the interim. In response, a group of us associated with Digital Policy Canada have prepared another public letter for CIRA’s Canadian Internet Forum. It is titled, “Canadian Sovereignty Online – one year later,” (.pdf) and in the letter we argue that Canadian domains could be seized by the American government on copyright infringement grounds, even if a Canadian were legally (under Canadian law) making content available.

To achieve digital autonomy – and thus defend Canada’s sovereign rights – we believe that CIRA should embark not only on policy development, but also technical development of tools that can protect Canadian interests when they are challenged. We also believe that CIRA should invest in educational processes to raise awareness about the threats and challenges facing the contemporary Internet and DNS ecosystem. Such a three-pronged effort would entrench and support national self-determination surrounding sovereign digital policy actions, while also educating Canadians about digital sovereignty. In aggregate, these efforts will serve to protect Canada’s long-term cultural, economic, and political interests, and we maintain that the means of doing so are within CIRA’s organizational mandate.

Click here to download a full copy of the public letter (.pdf)

(Un)Lawful Access Forum in Ottawa

I’ll be speaking at a forum about Canada’s forthcoming lawful access legislation on February 8 at St. Paul University. From 6pm-7pm there will be the formal book launch of the Canadian Centre for Policy Alternatives’ recent title, The Internet Tree: The State of Telecom Policy in Canada 3.0. Those attending the forum may be particularly interested in the two chapters on surveillance (one of which I authored). The lawful access event runs from 7-10PM. From 7:00-7:30 the organizers will be showing the mini-documentaries “(Un)Lawful Access” and “Moving Towards a Surveillance Society.” Following this, there will be two panels to discuss the expected legislation. The first (which I’m on) runs from 7:30-8:30 and discusses the technical elements of the forthcoming legislation. The panel is composed of myself, Kirsten R. Embree, Stephen McCammon, and John Lawford. The second panel runs from 8:45 to 9:30, and focuses on the political dimensions of the legislation. Panelists include Charlie Angus and Elizabeth May, with Michael Geist moderating. The final 30 minutes are devoted to summarizing the forum, outlining actions that are taking place, and suggesting continuing activities.

For more information about the event, see Unlawfulaccess.ca, and register for the event on Facebook. You can also download/print/share copies of the poster for the event. This will be a really great event, and the mixture of formally separated technical and political panels should do a great job in outlining the range of issues that lawful access legislation touches upon.

Amici Curiae on IMSI Catchers

Image by iDownloadBlog

Security, surveillance, and privacy researchers alike have been watching how authorities exploit cellular communications devices – often in secret, or absent sufficient oversight – for years. Research to-date has been performed by security researchers and hackers, social scientists, advocates, activists, and the curious, with contributions spanning hundreds of discreet investigations into technical capabilities and their social implications. Of late, a considerable amount of attention has been devoted to IMSI Catchers, which are devices that establish false mobile phone towers for the purpose of monitoring and tracking mobile phones without their users’ awareness.

Given the use of IMSI catchers by American authorities, a group of researchers and academics submitted an Amici Curiae (in their individual capacities) January 17, 2012 concerning the catchers. Specifically, the brief is in support of a defendant’s motion for disclosure of all relevant and helpful evidence withheld by the government based on a claim of privilege. The government, in this particular case, has admitted that the surveillance technologies used simulated a cell site but have refused to provide specific details of how this surveillance was conducted. We argue that a substantial amount of information surrounding IMSI catchers is already public and that, as a result, the secrets that the government is attempting to protect are already in the public domain. Moreover, the public interest is best served by “greater public discussion regarding these tracking technologies and the security flaws in the mobile phone networks that they exploit, not less.”

Continue reading