Technology

Practical Steps Towards Telecommunications Transparency

/ Christopher Parsons

CorporationLast month I, along with a series of academic researchers and civil liberties organizations, asked Canada’s leading Telecommunications Services Providers (TSPs) to disclose how, why, and how often they provide telecommunications information pertaining to their subscribers to state agencies. We received responses from ten of sixteen companies a little over a month later. Many of the companies steadfastly refused to provide any information beyond assertions that they protected Canadians’ privacy, that they were largely prohibited from providing any specific information because of national security or confidentiality of investigative techniques reasons, and that the signatories to the letter would be better suited contacting the government directly.

Less directly, I’ve heard from a series of high-profile figures in Canada’s telecommunications industry and national security community. Some figures in the telecommunications industry expressed concern about Canadians’ privacy but indicated that they lacked the time, inclination, resources, or sufficient buy-in to ascertain what they could do to render their companies’ practices more transparent. TELUS is on record as stating they would “request the Government to clarify and limit the scope of current confidentiality requirements and to consider measures to facilitate greater transparency.” Members of the national security community worried about enhancing Canadians’ trust in what they do, but remained uncertain about what they could specifically recommend to their peers. Almost all the people I’ve spoken with have indicated that they would appreciate some kind of practical ‘here’s what could be done’ document that they could use to develop an internal business case for an expanded transparency regime.

This post offers some guidance for how companies can improve their transparency practices, along with why particular proposals should be adopted. Specifically, I identify three things that companies do in the order of least to most challenging tasks. They could disclose data retention periods, make their lawful access handbooks available to the public, and produce full-bodied transparency reports. Critically, the first two of these proposals would just require publicizing documentation that Canada’s TSPs already retain. After outlining all three proposals, I conclude by explaining why corporate transparency needs to be complemented by government accountability.

Continue reading

The Murky State of Canadian Telecommunications Surveillance

/ Christopher Parsons

Telephone PoleOn January 20, 2014 the Citizen Lab along with leading Canadian academics and civil liberties groups sent letters to Canada’s most prominent Internet service providers. We asked the companies to reveal the extent to which they voluntarily, and under compulsion, disclose information about their subscribers to state agencies, as well as for information about business practices and data retention periods. The requested information would let researchers, policy analysts, and civil liberties groups better understand the current telecommunications landscape and engage in evidence-based policy analysis of current and proposed government surveillance activities. The companies were asked to provide responses by March 3, 2014.

A considerable amount of attention has been given to state access to telecommunications data since January 20. Organizations such as the Globe and Mail wrote that Canadians deserve to know who is listening to their communications, and reporting by The Wire Report found that while telecommunications companies believed they might not be able to respond to all the questions in the letters, at least some responses might be provided without running afoul of government gag laws. However, The Wire Report also found that some sources believed they were forbidden from disclosing any information about the assistance they provide to government agencies, with one stating they were “completely resigned.”

At the same time as the letters were being examined by the companies, a series of high-profile telecommunications-related stories broke in the media. In the United States, leading telecommunications carriers released ‘transparency reports’ that put some information in the public arena concerning how often the companies disclose information to American state agencies. In Canada, there were revelations that the Communications Security Establishment Canada (CSEC) had surreptitiously monitored the movements of Canadians vis-a-vis mobile devices that connected to wireless routers. These revelations sparked renewed interest in the origins of CSEC’s data, whether Canadian telecommunications companies either voluntarily or under compulsion provide data to CSEC, the nature of CSEC’s ‘metadata’ collection process, and the rationales driving data exchanges between telecommunications companies and state agencies more generally. The Office of the Privacy Commissioner of Canada also tabled a report that outlined a series of ways to improve accountability and transparency surrounding state access to telecommunications data. Finally, MP Charmaine Borg, the New Democratic Party Member of Parliament for the riding of Terrebonne—Blainville in Quebec, issued a series of questions to the federal government that are meant to render transparent how federal agencies request information from telecommunications companies.

Continue reading

More Voices Call for Transparency in Canadian Telecommunications

/ Christopher Parsons

Ottawa - HDRLast week I, along with a collection of Canadian experts and civil liberties groups, sent letters to many of Canada’s leading telecommunications companies. Those letters ask the companies to explain why, how often, and under what conditions they provide information to government authorities. Such information is pressing given the routine reappearance of telecommunications surveillance legislation on the government’s Order Paper. Specifically, lawful access legislation has been introduced by successive federal governments, with the requested power extensions justified on grounds that authorities cannot effectively police online criminal behaviour, on grounds that telecommunications companies do not always provide subscriber information when government authorities request it, and on grounds that such legislation will prevent terrorism/serious crimes/kidnapping/pedophilia/cyber bullying.

Only with empirical data about how, and why, state authorities presently access telecommunications data will Canadians be able to knowledgeably ascertain whether these expanded state powers are needed. Moreover, with data in hand about companies’ disclosures of subscriber information consumers can make informed choices when choosing their telecommunications providers. Specifically, such information would let consumers compare companies’ privacy practices and choose companies’ services based on privacy (along with other consumer) grounds. While many have been supportive of this public letter initiative, almost all the people that I have spoken to about the letters have voiced their skepticism that the companies would be motivated to respond. I remain optimistic that the companies will respond to demonstrate their privacy bona fides and tell their side of the story. Moreover, the requests for information about how and why state agencies access telecommunications data have been amplified today from two different sources. Continue reading

Towards Transparency in Canadian Telecommunications

/ Christopher Parsons / 2 Comments

Ethernet CablesTelecommunications services providers that offer Internet and phone service play central roles in the daily lives of Canadians. The services that these companies provide are essential for contemporary living; we rely on these services to access our email, make or receive our phone calls and text messages, check and update our social media feeds, and figure out how to get where we are going by way of GPS. Our lives are predominantly channeled through these companies’ digital networks, to the extent that Canadian telecommunications service providers are functionally the gatekeepers Canadians must pass by before accessing the Internet, or phone networks, at large. Today, Canadian scholars and civil liberties organizations have come together to ask that many of Canada’s most preeminent telecommunications companies disclose the kinds, amounts, and regularity at which state agencies request telecommunications data pertaining to Canadians.

Canadian state agencies often request access to the subscriber and telecommunications data held by these Canadian companies, as befits the companies’ privileged roles in our lives. [1] Sometimes access is gained using a court order, sometimes it is not. Sometimes requests are for circumspect amounts of information, and other times for greater volumes of data. To date, however, interested Canadians have had only vague understandings of how, why, and how often Canadian telecommunications providers have disclosed information to government agencies. Given the importance of such systems to Canadians’ lives, and the government’s repeated allegations that more access is needed to ensure the safety of Canadians, more data is needed for scholars, civil rights organizations, and the public to understand, appreciate, and reach informed conclusions about the legitimacy of such allegations.

Our call for telecommunications transparency is in line with actions taken in the United States, where politicians such as Representative Markey have successfully asked telecommunications service providers to explain the types of requests made by American state agencies for telecommunications data, the regularity of such requests, and the amounts of data disclosed. [2] Moreover, American companies are developing more and more robust ‘transparency reports’ to clarify to their subscribers how often, and on what grounds, the companies disclose subscriber information to American state authorities. There is no reason why similar good practices cannot be instantiated in Canada as well.

Over the past decade, Canadians have repeatedly heard that law enforcement professionals and state security agents need enhanced access to telecommunications data in order to go about their jobs.[3] And Canadians have read about how our own signals intelligence service, the Communications Security Establishment Canada, has been and continues to be involved in surveillance operations that ‘incidentally’ capture Canadians’ personal information. [4] Despite these developments in Canada, there is not a substantially greater degree of actual transparency into how and why Canadian telecommunications service providers disclose information to agents of the Canadian government.

It is in light of this ongoing lack of transparency surrounding telecommunications providers’ disclosure of information to state authorities that we, a series of academics and civil rights groups, have issued public letters to many of Canada’s largest or most significant Internet and mobile communications providers. We hope that Canada’s telecommunications community will welcome these letters in the spirit they are intended: to make clearer to Canadians the specific conditions under which the Canadian government can and does access telecommunications information pertaining to Canadians, the regularity at which such access is granted, and the conditions under which telecommunications companies disclose information to state agencies.

The responses to these letters will enable superior scholarly analyses of Canadian state agency practices, evaluations of proposed federal legislation, and analysis of government agencies to currently access data that is held or transmitted by Canadian telecommunications companies. These responses will also better comparisons between the Canadian and American situations; too often, scholars, advocates, and policy analysts have been forced to transpose American realities onto what might be occurring in Canada. With real Canadian data in hand, it will be possible to more affirmatively differentiate between the state surveillance practices in Canada and the US, as well as to assess existing and proposed mechanisms that state agencies use to access telecommunications data pertaining to Canadians.

These letters were issued by letter mail and, where possible, by e-mail on January 20, 2014. We have requested that the companies respond, or provide a commitment to respond, by March 3, 2014. Below are .pdf copies of the letters that we sent; we look forward to hearing back from the recipients.

Letters sent to Canadian telecommunications service providers

  1. Nicholas Koutros and Julien Demers, “Big Brother’s Shadow: Historical Decline in Reported Use of Electronic Surveillance by Canadian Federal Law Enforcement,” SSRN, February 3, 2013, accessed December 13, 2013, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2220740; Andrea Slane and Lisa Austin, “What’s in a Name? Privacy and Citizenship in the Voluntary Disclosure of Subscriber Information in Online Child Exploitation Investigations,” Criminal Law Quarterly (57) (2011); Ian Kerr and Daphne Gilbert, “The Role of ISPs in the Investigation of Cybercrime,” in Information Ethics in the Electronic Age: Current Issues in Africa and the World, ed. Johannes J. Britz and Tom Mendina (Jefferson, North Carolina: McFarland & Company Inc, 2004).  ↩
  2. Eric Litchblau, “More Demands on Cell Carriers in Surveillance,” New York Times, July 8, 2012, accessed January 19, 2014, http://www.nytimes.com/2012/07/09/us/cell-carriers-see-uptick-in-requests-to-aid-surveillance.html; Brian X. Chen, “A Senator Plans Legislation to Narrow Authorities’ Cellphone Data Requests,” New York Times, December 9, 2013, accessed January 19, 2014, http://www.nytimes.com/2013/12/09/technology/a-senator-plans-legislation-to-narrow-authorities-cellphone-data-requests.html.  ↩
  3. Jesse Kline, “Vic Toews draws line on lawful access: You’re with us, or the child pornographers,” National Post, February 14, 2012, accessed January 19, 2014, http://fullcomment.nationalpost.com/2012/02/14/vic-toews-draws-line-on-lawful-access-youre-with-us-or-the-child-pornographers/; Jane Taber, “New cyberbullying laws should pass this spring, Justice Minister says,” The Globe and Mail, January 9, 2014, accessed January 19, 2014, http://www.theglobeandmail.com/news/politics/new-cyberbullying-laws-should-pass-this-spring-justice-minister-says/article16253334/.  ↩
  4. Ian MacLeod, “Spy agency admits it spies on Canadians ‘incidentally’,” Ottawa Citizen, January 6, 2014, accessed January 19, 2014, http://www.ottawacitizen.com/news/agency+admits+spies+Canadians+incidentally/9356255/story.html.  ↩

[box style=”blue”]Note: This post first appeared on the Citizen Lab website[/box]

A National ID Card By Stealth? The BC Services Card – Privacy Risks, Opportunities & Alternatives

/ Christopher Parsons

2013-National-ID-Card-by-Stealth-coverThe policies, politics, and technologies associated with Canadian identity documents and their surrounding data architectures are incredibly important issues because of their capacities to reconfigure the state’s relationship with its residents. The most recent such system, the BC Services Card, is designed to expand digital service delivery options that are provided to residents of British Columbia by the provincial government and by corporations. The government, to date, remains uncertain about what services will be associated with the Card. It also remains uncertain about how data linked to the Card’s usage will be subsequently be data mined, though promises that such mining efforts will be exciting and respective of people’s privacy.

Vague statements and broad policy potentials are the very things that make people concerned about identity systems, especially systems that are untested, expensive, and designed with unclear intentions, objectives, or benchmarks.

To try and unpack the policy issues associated with the Services Card, Dr. Kate Milberry and I have written a report wherein we suggest that the Services Card may operate as a kind of ‘proto Pan-Canadian’ identity card. Specifically, the Card is designed to be massively interoperable with other province’s (similar) identity document systems as well as with the federal government’s digital delivery service. Similarly, the Card is meant to interoperate with private businesses’ services. To this end, the lead vendor for the project, SecureKey, has already secured telecommunications and financial organizations as key service delivery partners.

The Services Card isn’t necessary good nor evil. But it is a system that has received little public attention, little external technical scrutiny, and even less external policy critique. The province of British Columbia, and indeed residents of other provinces that are taking up the SecureKey offering, need to be properly consulted on the appropriateness, desirability, and feasibility of the Services Card architecture. To date, this has not been performed in British Columbia nor by the Government of Canada. The document that Dr. Milberry and I have written is meant to contribute to the (limited) public discussion. Hopefully the provincial and federal governments pay attention.

Funding for this report was secured by the British Columbia Civil Liberties Association (BCCLA), and provided for through the Office of the Privacy Commissioner of Canada’s Contributions Program. The text in the report is reflective of the BCCLA’s position towards the Services Card; the report does not, however, necessarily reflect the position of the Privacy Commissioner of Canada. The executive summary, and download link, of  the report follows.

Executive Summary

For the last several years, British Columbia has been developing the technical infrastructure and legal framework for a comprehensive integrated identity system as part of its “technology and transformation” approach to governance. Otherwise known as “Government 2.0” or e-government, this approach will aggregate the personal information of citizens in order to link and share this data across government bodies. The BC Services Card is the latest in a series of major information technology projects that is part of the Government 2.0 mandate. It is a mandatory provincial ID card that enables access to a range of government services, beginning with health care and driver licencing. The BC Services Card is a key element of unprecedented changes in the way the province collects, accesses and shares personal information, including highly sensitive health information, amongst departments, agencies and even private contractors.

The card is just part of BC’s wide-ranging vision for integrated identity and information management—a vision that scales and interoperates on a federal level. Indeed, the system is not only envisioned to extend to other provinces, in essence forming a pan-Canadian identity architecture, but the ID card is expressly intended to provide authentication conducted by the private sector and facilitation of commercial transactions governed by PIPEDA and applicable provincial private sector privacy legislation. The importance of developments with the BC card for national identity management cannot be overstated: the BC Services Card model is interoperable with the federal system, and thus a (proto) Canadian ID card, and is also meant to be used for commercial and e-commerce transactions. Thus, developments in BC have critically important implications for ID systems provincially and federally, and involve both the public and private sector.

This report examines the normative, technical and policy implications of the BC Services Card and the federal and commercial implications of the technical systems underlying the Services Card. Throughout the report, the ID system is examined from the perspectives of security, privacy and civil liberties, and generally echoes the Information and Privacy Commissioner for BC’s call for broad and meaningful public consultation before Phase II of the card program is implemented. Emergent from the analysis of the Services Card is a call for the Office of the Privacy Commissioner of Canada to work with provincial privacy commissioners to issue a joint resolution on the applicable privacy and security standards for the provincial systems on the basis that they will ultimately compose the national federated system. The report concludes with provincial and federal recommendations for designing an identity system that is secure, privacy-protective, trusted and fit for purpose.

Download: A National ID Card By Stealth? The BC Services Card – Privacy Risks, Opportunities & Alternatives

The Politics of Deep Packet Inspection: What Drives Surveillance by Internet Service Providers?

/ Christopher Parsons / 1 Comment

UVic CrestToday, I am happy to make my completed doctoral dissertation available to the public. The dissertation examines what drives, and hinders, wireline network practices that are enabled by Deep Packet Inspection (DPI) routers. Such routers are in wide use by Internet service providers (ISPs) in Canada, the United States, and United Kingdom, and offer the theoretical capacity for service providers to intrusively monitor, mediate, and modify their subscribers’ data packets in real or near-real time. Given the potential uses of the routers, I was specifically interested in how the politics of deep packet inspection intersected with the following issues: network management practices, content control and copyright, advertising, and national security/policing.

Based on the potential capabilities of deep packet inspection technologies – and the warnings that such technologies could herald the ‘end of the Internet’ as it is know by citizens of the West – I explored what has actually driven the uptake of the technology in Canada, the US, and the UK. I ultimately found that though there were variations in different states’ regulatory processes, regulators tended to arrive at common conclusions. Regulatory convergence stands in opposition to the divergence that arose as elected officials entered into the DPI debates: such officials have been guided by domestic politics, and tended to reach significantly different conclusions. In effect, while high-expertise regulatory networks reached common conclusions, elected political officials have demonstrated varying degrees of technical expertise and instead have focused on the politics of communications surveillance. In addition to regulators and elected officials, court systems have also been involved in adjudicating how, when, and under what conditions DPI can be used to mediate data traffic. Effectively, government institutions have served as the primary arenas in which DPI issues are taken up, though the involved government actors often exhibited their own interests in how issues were to be taken up or resolved. The relative role of these different state bodies in the case studies arguably reflects underlying political cultures: whereas regulators are principally involved in the Canadian situation, elected officials and courts play a significant role in the US, whereas the UK has principally seen DPI debates settled by regulators and elected officials.

Ultimately, while there are important comparative public policy conclusions to the dissertation, such conclusions only paint part of the picture about the politics of deep packet inspection. The final chapter of the dissertation discusses why the concepts of surveillance and privacy are helpful, but ultimately insufficient, to appreciate the democratic significance of deep packet inspection equipment. In response, I suggest that deliberative democratic theory can provide useful normative critiques of DPI-based packet inspection. Moreover, these critiques can result in practical policy proposals that can defray DPI-based practices capable of detrimentally stunting discourse between citizens using the Internet for communications. The chapter concludes with a discussion of how this research can be advanced in the future; while I have sought to clear away some of the murk concerning the technology, my research represents only the first of many steps to reorient Internet policies such that they support, as opposed to threaten, democratic values.

Formal Abstract:

Surveillance on the Internet today extends beyond collecting intelligence at the layer of the Web: major telecommunications companies use technologies to monitor, mediate, and modify data traffic in real time. Such companies functionally represent communicative bottlenecks through which online actions must pass before reaching the global Internet and are thus perfectly positioned to develop rich profiles of their subscribers and modify what they read, do, or say online. And some companies have sought to do just that. A key technology, deep packet inspection (DPI), facilitates such practices.

In the course of evaluating the practices, regulations, and politics that have driven DPI in Canada, the US, and UK it has become evident that the adoption of DPI tends to be dependent on socio-political and economic conditions. Simply put, market or governmental demand is often a prerequisite for the technology’s adoption by ISPs. However, the existence of such demand is no indication of the success of such technologies; regulatory or political advocacy can lead to the restriction or ejection of particular DPI-related practices.

The dissertation proceeds by first outlining how DPI functions and then what has driven its adoption in Canada, the US, and UK. Three conceptual frameworks, path dependency, international governance, and domestic framing, are used to explain whether power structures embedded into technological systems themselves, international standards bodies, or domestic politics are principally responsible for the adoption or resistance to the technology in each nation. After exploring how DPI has arisen as an issue in the respective states I argue that though domestic conditions have principally driven DPI’s adoption, and though the domestic methods of governing DPI and its associated practices have varied across cases, the outcomes of such governance are often quite similar. More broadly, I argue that while the technology and its associated practices constitute surveillance and can infringe upon individuals’ privacy, the debates around DPI must more expansively consider how DPI raises existential risks to deliberative democratic states. I conclude by offering some suggestions on defraying the risks DPI poses to such states.

Download ‘The Politics of Deep Packet Inspection: What Drives Surveillance by Internet Service Providers?’ (.pdf)