Publication: Is Your ISP Snooping On You?

I’m happy to let my readers know that Marita Moll’s and Leslie Shade’s (eds.) The Internet Tree: The State of Telecom Policy in Canada 3.0 is now available for purchase. The book interrogates how Canada’s digital future does, and should, look in coming days by discussing present policies and proposing policies to enhance Canada’s position in the digitally connected world. The editors have done an excellent job in contacting academics, advocates, and solicitors from around Canada to develop an exciting and accessible edited collection on Internet and broadband in Canada. It includes scholars such as Dwayne Winseck, Michael Geist, Catherine Middleton, and Richard Smith, along with contributions from Steve Anderson (Open Media), Michael Janigan (PIAC), and a host of graduate students and researchers.

The book is published through the Canadian Center for Policy Alternatives (CCPA). The publisher and editors describe the book as a collection in which:

… committed public interest advocates and academics present primers on provocative digital policy issues: broadband access, copyright, net neutrality, privacy, and security, along with a consideration of structures of participation in policy-making and communication rights.

Contributors to The Internet Tree argue for a digital economy strategy that casts a winning vote for openness, broadband as an essential service, and community engagement and inclusion.

The Internet Tree is available for just $14.95 and is supportive of digital economy strategies that are guided by the principles of openness, broadband as an essential service, community engagement and inclusion, national sovereignty, and digital literacy programs. My own contribution (“Is Your ISP Snooping On You?”) explains the technical and social concerns raised by deep packet inspection to someone who doesn’t know a coaxial cable from a fibre node, with other authors similarly working to explain issues to the layman while offering suggestions to alleviate, mediate, or overcome the challenges facing Canada’s digital ecosystem. It’s got a great set of authors and I’d highly recommend it as a complement to Open Media’s recently published report on digital networks in Canada.

Vancouver’s Human Flesh Search Engine

Photo by Richard Eriksson

I don’t like violence, vandalism, or other actions that generally cause destruction. Certainly there are cases where violent social dissent is a sad but important final step to fulfil a much needed social change (e.g. overthrowing a ruinous dictator, tipping the scale to defend or secure essential civil rights) but riotous behaviour following a hockey game lacks any legitimating force. Unfortunately, in the aftermath of game seven between the Vancouver Canucks and Boston Bruins a riot erupted in downtown Vancouver that caused significant harm to individuals and damage to the urban environment.

The riot itself is a sad event. What is similarly depressing is the subsequent mob mentality that has been cheered on by the social media community. Shortly after the riot, prominent local bloggers including Rebecca Bollwitt linked to social media websites and encouraged readers/visitors to upload their recordings and identify those caught on camera. In effect, Canadians were, and still are, being encouraged by their peers and social media ‘experts’ to use social media to locally instantiate a human flesh search engine (I will note that Bollwitt herself has since struck through her earliest endorsement of mob-championing). Its manifestation is seemingly being perceived by many (most?) social media users as a victory of the citizenry and inhabitants of Vancouver over individuals alleged to have committed crimes.

Perhaps unsurprisingly, I have significant issues with this particular search engine. In this post, I’m going to first provide a brief recap of the recent events in Vancouver and then I’ll quickly explain the human flesh search engine (HFSE), both how it works and the harms it can cause. I’m going to conclude by doing two things: first, I’m going to suggest that Vancouver is presently driving a local HFSE and note the prospective harms that may befall those unfortunate enough to get caught within its maw. Second, I’m going to suggest why citizens are ill-suited to carry out investigations that depend on social media-based images and reports.

Released: Literature Review of Deep Packet Inspection

Scholars and civil advocates will be meeting next month in Toronto at the Cyber-surveillance in Everyday Life workshop. Participants will critically interrogate the surveillance infrastructures pervading daily life as well as share experiences, challenges, and strategies meant to rein in overzealous surveillance processes that damage public and private life. My contribution to the workshop comes in the form of a modest overview of literature examining Deep Packet Inspection. Below is an abstract, as well as a link to a .pdf version of the review.

Abstract

Deep packet inspection is a networking technology that facilitates intense scrutiny of data, in real-time, at key chokepoints on the Internet. Governments, civil rights activists, technologists, lawyers, and private business have all demonstrated interest in the technology, though they often disagree about what constitutes legitimate uses. This literature review takes up the most prominent scholarly analyses of the technology. Given Canada’s arguably leading role in regulating the technology, many of its regulator’s key documents and evidentiary articles are also included. The press has been heatedly interested in the technology, and so press accounts round out the literature review alongside civil rights advocates, technology vendors, and counsel analyses.

Downloadable .pdf version of the literature review.

Security, Hierarchy, and Networked Governance

The capacity for the Internet to route around damage and censorship is dependent on there being multiple pathways for data to be routed. What happens when there are incredibly few pathways, and when many of the existing paths contain hidden traps that undermine communications security and privacy? This question is always relevant when talking about communications, but has become particularly topical given recent events that compromised some of the Internet’s key security infrastructure and trust networks.

On March 22 2011, Tor researchers disclosed a vulnerability in the certificate authority (CA) system. Certificates are used to encrypt data traffic between parties and to guarantee that security certificates are actually issued to the parties holding them. The CA system underpins a massive number of the Internet’s trust relationships; when individuals log into their banks, some social networking services, and many online email services, their data traffic is encrypted to prevent a third-party from listening into the content of the communication. Those encrypted sessions are made possible by the certificates issued by certificate authorities. The Tor researchers announced that an attacker had compromised a CA and issued certificates that let the attacker impersonate the security credentials associated with many of the world’s most prominent websites. Few individuals would ever detect this subterfuge. In effect, Tor researchers discovered that a central element of the Internet’s trust network was broken.

In this post I want to do a few things. First, I’ll briefly describe the attack and its accompanying risks. This will, in part, see me briefly discuss modes of surveillance and motivations for different gradients of surveillance. I next address a growing problem for today’s Internet users: the points of trust we depend on, such as CAs and the DNS infrastructure, are increasingly unreliable. As a result, states can overtly or subtly manipulate these points of trust to disrupt or monitor their citizens’ communications. Finally, I suggest that in spite of these points of control, states are increasingly limited in their capacities to unilaterally enforce their will. As a consequence of networked governance, and its accompanying power structures, citizens can impose accountability on states and limit their ability to (re)distribute power across and between nodes of networks. Thus, networked governance not only transforms state power but redistributes (some) power to non-state actors, empowering those actors to resist illegitimate state actions.

Technology and Politics in Tunisia and Iran: Deep Packet Surveillance

For some time, I’ve been keeping an eye on how the Iranian government monitors, mediates, and influences data traffic on public networks. This has seen me write several posts, here and elsewhere, about the government’s usage of deep packet inspection, the implications of Iranian government surveillance, and the challenges posed by Iranian ISPs’ most recent network updates. Last month I was invited to give a talk at the Pacific Centre for Technology and Culture about the usage of deep packet inspection by the Iranian and Tunisian governments.

Abstract

Faced with growing unrest that is (at least in part) facilitated by digital communications, repressive nation-states have integrated powerful new surveillance systems into the depths of their nations’ communications infrastructures. In this presentation, Christopher Parsons first discusses the capabilities of a technology, deep packet inspection, which is used to survey, analyze, and modify communications in real-time. He then discusses the composition of the Iranian and Tunisian telecommunications infrastructure, outlining how deep packet inspection is used to monitor, block, and subvert encrypted and private communications. The presentation concludes with a brief reflection on how this same technology is deployed in the West, with a focus on how we might identify key actors, motivations, and drivers of the technology in our own network ecologies.

Note: For more information on the Iranian use of deep packet inspection, see ‘Is Iran Now Actually Using Deep Packet Inspection?’

Review: Surveillance or Security?

In Surveillance or Security? The Real Risks Posed by New Wiretapping Technologies, Susan Landau focuses on the impacts of integrating surveillance systems into communications networks. Her specific thesis is that integrating surveillance capacities into communications networks does not necessarily or inherently make us more secure, but may introduce security vulnerabilities and thus make us less secure. This continues on threads that began to come together in the book she and Whitfield Diffie wrote, titled Privacy on the Line: The Politics of Wiretapping and Encryption, Updated and Expanded Edition.

Landau’s work is simultaneously technical and very easy to quickly read. This is the result of inspired prose and gifted editing. As a result, she doesn’t waver from working through the intricacies of DNSSEC, nor how encryption keys are exchanged or mobile surveillance conducted, and by the time the reader finishes the book they will have a good high-level understanding of how these technologies and systems (amongst many others!) work. On the policy side, she gracefully walks the reader through the encryption wars of the 1990s,[1] as well as the politics of wiretapping more generally in the US. You don’t need to be a nerd to get the tech side of the book, nor do you need to be a policy wonk to understand the politics of American wiretapping.

Given that her policy analyses are based on deep technical understanding of the issues at hand, each of her recommendations carries a considerable amount of weight. As examples, after working through authentication systems and their deficits, she differentiates between three levels of online identification (machine-based, which relies on packets; human, which relies on application authentication; and digital, which depends on biometric identifiers). This differentiation lets her consider the kinds of threats and possibilities each identification-type provides. She rightly notes that the “real complication for attribution is that the type of attribution varies with the type of entity for which we are seeking attribution” (58). As such, totalizing identification systems are almost necessarily bound to fail and will endanger our overall security profiles by expanding the surface that attackers can target.
