Internet

APIs, End-Users, and the Privacy Commons

/ Christopher Parsons / 3 Comments

Mozilla is throwing their hat into the ‘privacy commons‘ ring. Inspired by Aza Rankin’s ‘Making Privacy Policies Not Suck‘, Mozilla is trying to think through a series of icons intended to educate users about websites’ privacy policies. This is inspirational, insofar as a large corporation is actually taking up the challenge of the privacy commons, but at the same time we’ve heard that a uniform privacy analysis system is coming before….in 1998. A working draft for the Platform for Privacy Preferences (P3P) was released May 19, 1998 during the still heady-times of people thinking that Privacy Enhancing Technologies (PETs) could secure people’s online privacy or, at least, make them aware of privacy dangers. The P3P initiative failed.

Part of the reason behind P3P’s failure was the length of its documentation (it was over 150% the length of Alice in Wonderland) and the general challenge of ‘properly’ checking for privacy compliance. Perhaps most importantly, when the P3P working group disbanded in 2007 they noted that a key reason behind their failure was “insufficient support for curent Browser implementors”. Perhaps with Mozilla behind the project, privacy increasingly being seen as space of product competition and differentiation, and a fresh set of eyes that can learn from the successes of the creative commons and other privacy initiatives, something progressive will emerge from Mozilla’s effort.

Continue reading

Will Copyright Kill eHealth?

/ Christopher Parsons

bodyworldsThere is a metric ton of cash that’s being poured into eHealth initiatives, and to date it doesn’t appear that governments are recognizing the relationship between copyright law and eHealth. That makes a lot of sense in some ways – when most of us think ‘medicine’ and ‘doctor’ we think about privacy as one of, if not the, key issues (while, other than hopefully curing whatever is making us ill!). In this light, we wonder about the security of databases, the willingness of healthcare providers to limit access to records, and so forth. People in Canada are worried enough about privacy that, on the Ontario Government’s eHealth Ontario site, ‘Privacy and Security‘ are front and center as a main link on their homepage. When we turn to British Columbia’s October 23, 2009 Heath Sector Information Management/Information Technology Strategy and search for ‘privacy’ we see that the term appears on 18 of the report’s 55 pages. Moving over to the Ontario Information and Privacy Commissioner’s May 2, 2006 presentation on health information and electronic health records we, again, see emphases on the privacy and security concerns that must be posed alongside any movement to massively digitize the healthcare infrastructure.

What we see less of in the eHealth debate are the prevalent dangers accompanying threats to cut citizens off of the ‘net as a consequence of copyright infringement. It’s this issue that I want to briefly dwell on today, in part to start ramping up some thoughts on the wide-ranging effects of three-strikes laws that are starting to be adopted and/or seriously discussed in various jurisdictions around the world.

Continue reading

Update to Virgin Media and Copyright DPI

/ Christopher Parsons / 3 Comments

virginmedialogoRecently, I’ve heard back from Detica about CView and wanted to share the information that Detica has been provided. CView is the copyright detection Deep Packet Inspection (DPI) appliance that Virgin Media will be trialling, and is intended to measure the amount of copyright infringing files that cross Virgin’s network. This index will let Virgin determine whether the content deals they sign with content producers have a noticeable impact on the amount of infringing P2P traffic on their network. Where such deals reduce infringements, then we might expect Virgin to invest resources in agreements with content producers, and if such agreements have no impact then Virgin’s monies will likely be spent on alternate capital investments. I’ll note up front that I’ve sent some followup questions to seek additional clarity where the answers I received were somewhat hazy; such haziness appears to have been from a miscommunication, and is likely attributable to a particular question that was poorly phrased. Up front, I will state that I’m not willing to release the name of who I’m speaking with at Detica, as I don’t think that their name is needed for public consumption and would be an inappropriate disclosure of personal information.

The key question that is lurking in my own mind – if not that of others interested in the CView product – is whether or not the appliance can associate inspected data flows with individuals. In essence, I’m curious about whether or not CView has the ability to collect ‘personally identifiable information’ as outlined by the Privacy Commissioner of Canada in her recent findings on Bell’s use of DPI. In her findings, the Commissioner argues that because Bell customers’ subscriber ID and IP address are temporarily collated that personal information is being collected that Bell does collect personal information.

Continue reading

The Geek, Restraining Orders, and Theories of Privacy

/ Christopher Parsons / 5 Comments

restrainingorderI’ve been reading some work on privacy and social networks recently, and this combined with Ratliff’s “Gone Forever: What Does It Really Take to Disappear” has led me to think about whether a geek with a website that is clearly their own (e.g. Christopher-Parsons.com) should reasonably expect restraining laws to extend to digital spaces. I’m not really talking at the level of law necessarily, but at a level of normativity: ought a restraining order limit a person from ‘following’ me online as it does from being near me in the physical world?

Restraining orders are commonly issued to prevent recurrences of abuse (physical or verbal) and stalking. While most people who have a website are unable to track who is visiting their webspace, what happens when you compulsively check your server logs (as many good geeks do) and can roughly correlate traffic to particular geo-locations. As a loose example, let’s say that you were in a small town, ‘gained’ an estranged spouse, and then notice that there are regular hits to your website from that small town after you’ve been away from it for years. Let’s go further and say that you have few/no friends in that town, and that you do have a restraining order that is meant to prevent your ex-spouse from being anywhere near you. Does surfing to your online presence (we’ll assume, for this posting, that they aren’t commenting or engaging with the site) normatively constitute a breach of an order?

Continue reading

Background to North American Politics of Deep Packet Inspection

/ Christopher Parsons

crtc566The CRTC is listening to oral presentations concerning Canadian ISPs’ use of Deep Packet Inspection (DPI) appliances to throttle Canadians’ Internet traffic. Rather than talk about these presentations in any length, I thought that I’d step back a bit and try to outline some of the attention that DPI has received over the past few years. This should give people who are newly interested in the technology an appreciation for why DPI has become the focus of so much attention and provide paths to learn about the politics of DPI. This post is meant to be a fast overview, and only attends to the North American situation given that it’s what I’m most familiar with.

Massive surveillance of digital networks took off as an issue in 2005, when the New York Times published their first article on the NSA’s warrantless wiretapping operations. The concern about such surveillance brewed for years, but (in my eyes) really exploded as the public started to learn about the capacities of DPI technologies as potential tools for mass surveillance.

DPI has been garnering headlines in a major way in 2007, which has really been the result of Nate Anderson’s piece, “Deep packet inspection meets ‘Net neutrality, CALEA.” Anderson’s article is typically recognized as the popular news article that put DPI on the scene, and the American public’s interest in this technology was reinforced by Comcast’s use of TCP RST packets, which was made possible using Sandvine equipment. These packets (which appear to have been first discussed in 1981) were used by Comcast to convince P2P clients that the other client(s) in the P2P session didn’t want to communicate with Comcast subscriber’s P2P application, which led to the termination of the data transmission. Things continued to heat up in the US, as the behavioural advertising company NebuAd began partnering with ISPs to deliver targeted ads to ISPs’ customers using DPI equipment. The Free Press hired Robert Topolski to perform a technical analysis of what NebuAd was doing, and found that NebuAd was (in effect) performing a man-in-the-middle attack to alter packets as they coursed through ISP network hubs. This report, prepared for Congressional hearings into the surveillance of Americans’ data transfers, was key to driving American ISPs away from NebuAd in the face of political and customer revolt over targeted advertising practices. NebuAd has since shut its doors. In the US there is now talk of shifting towards agnostic throttling, rather than throttling that targets particular applications. Discrimination is equally applied now, instead of honing in on specific groups.

In Canada, there haven’t been (many) accusations of ISPs using DPI for advertising purposes, but throttling has been at the center of our discussions of how Canadian ISPs use DPI to delay P2P applications’ data transfers. Continue reading

Deep Packet Inspection and Law Enforcement

/ Christopher Parsons / 4 Comments

rcmpCandace Mooers asked me a good question today about deep packet inspection (DPI) in Canada. I’m paraphrasing, but it was along the lines of “how might DPI integrate into the discussion of lawful access and catching child pornographers?” I honestly hadn’t thought about this, but I’ll recount here what my response was (that was put together on the fly) in the interests of (hopefully) generating some discussion on the matter.

I’ll preface this by noting what I’ve found exceptional in the new legislation that was recently presented by the Canadian conservative government (full details on bill C-47 available here, and C-46 here) is that police can require ISPs to hold onto particular information, whereas they now typically required a judicial warrant to compel ISPs to hold onto particular data. Further, some information such as subscriber details can immediately be turned over to police, though there is a process of notification that must immediately followed by the officers making the request. With this (incredibly brief!) bits of the bills in mind, it’s important for this post to note that some DPI appliances are marketed as being able to detect content that is under copyright as it is transferred. Allot, Narus, ipoque, and more claim that this capacity is built into many of the devices that they manufacture; a hash code, which can be metaphorically thought of like a digital fingerprint, can be generated for known files under copyright and when that fingerprint is detected rules applied to the packet transfer in question. The challenge (as always!) is finding the processor power to actually scan packets as they scream across the ‘net and properly identify their originating application, application-type, or (in the case of files under copyright) the actual file(s) in question.

Continue reading