Ontario Information and Privacy Commissioner, and DRM

In his recent discussion with Ann Cavoukian, Jesse Brown seems to have touched a nerve. In the interview, the Commissioner discusses the use of self-encrypting/decrypting security systems that are meant to meet her ‘PET Plus’ program; she wants to ensure that measures are embedded in surveillance technologies that secure individuals’ privacy while at the same time enabling police to perform their duties. In the case of cameras, this will mean that all bodies on the screen are barely visible – not blurred, but almost erased from a non-decrypted viewing. Individuals are only revealed on film when a decryption algorithm is applied; until then, those individuals hold a spectre-like existence.

Russell McOrmond has taken a strong stance against this, arguing that the Commissioner’s efforts would make first-party/content owners subservient to third-party agents who hold decryption keys. It is important to note that, as the Commissioner has presented her ideas, the police, or some other authority, would be the only group who would have access to these keys. This would limit the use of CCTV by employees to illegitimately surveil clients/patrons/etc. Surprisingly quickly, Ken Anderson (Assistant Commissioner, Privacy, Ontario) has jumped into the discussion.

Update: More on Quebec EDLs

Quebec formally announced that EDLs will be available for Quebecers on Monday, with Jean Charest using a relatively bogus financial argument to support EDLs.* Says he:

“If there are five people, five kids and two parents, if they had to all pay for a passport it would be an expensive requirements for them to come here” (Source)

Notwithstanding Charest’s poor math (I count seven people in his ‘equation’), the costs that he is referencing are for the people coming to Quebec, not the costs of Quebecers traveling to the US. Were he really concerned about costs, he could adopt the line that the OPC and IPC (Ontario) have been pushing: Canadians should have their passports subsidized, and the lifetime of these documents extended. Were he honestly concerned about the privacy concerns, he would be pushing passports, not EDLs. Fortunately, of course, Charest is a staunch ‘supporter’ of privacy:

“Privacy is a serious issue. We believe we need to do what has to be done to protect the privacy of individuals” (Source)

Update: EDLs in Saskatchewan

Some interesting news coming out of Saskatchewan: the government is looking to put the brakes on Enhanced Drivers Licenses (EDLs). While headlines are saying that this is dominantly because of privacy concerns, I think that cost is probably a deeper reason for turning away these licenses. Crown Corporations Minister Ken Cheveldayoff is on record saying:

The criteria from homeland security has been changing. The costs have been increasing and if they go to a point where it just doesn’t make sense anymore then we’re not going to move forward. (Source)

It seems as though costs have risen from $50 to $80, without a clear sign of that stopping. Cost (financial and political) really seems to be the force keeping these licenses out of the hands of the public.

This being said, I should be fair and point out that the Privacy Commissioner of Saskatchewan hasn’t received the Privacy Impact Assessment from Sask. Government Insurance (Source). The Commissioner wasn’t outright opposed to the EDLs, and is instead suggesting that the province look to its neighbors for ways of tweaking the Bill 72 legislation. To me, this suggests looking to BC and Ontario. I don’t know exactly what the consequences of this kind of ‘tweaking’ would be, especially given how little those governments incorporated the suggested privacy protections, but it would be nice to see documents that really put the Commissioner’s cards (and desired changes) on the table. Seems like an FOI moment….

Thoughts: Google and ‘Interest Based’ Advertising

Privacy. Privacy, Privacy, Privacy.

Google is persistently in the limelight for its ‘invasions’ of personal privacy. I’ve made references to Google and privacy in a variety of blog posts, but whenever I think about Google my mind returns to a comment from Peter Fleischer, the chief privacy officer for Google. In a post in 2007, he wrote (in his personal blog) that:

. . . privacy is about more than legal compliance, it’s fundamentally about user trust. Be transparent with your users about your privacy practices. If your users don’t trust you, you’re out of business (Source)

Perhaps naively, I think that this statement is accurate – look at the nightmares that Facebook, NebuAd, and Phorm (to name a few) all have when they ‘invade’ customers’ privacy without being fully transparent about what, and why, they are engaging in their practices. What’s more, as soon as you establish an ‘it’s our way, or no way’ approach, you immediately establish a hostile environment between you and your users. In business, your users are your lifeblood; alienate them only if you really like polishing your resume.

Announcement: Working Paper on DPI Now Available

Last year I spent some time and put together a working paper entitled, “Deep Packet Inspection in Perspective: Tracing its lineage and surveillance potentials,” for the New Transparency Project (of which I’m a student member). The document has gone live as of today – if you have any comments/thoughts concerning it feel free to send them my way! The abstract is below:

Internet Service Providers (ISPs) are responsible for transmitting and delivering their customers’ data requests, ranging from requests for data from websites, to that from file-sharing applications, to that from participants in Voice over Internet Protocol (VoIP) chat sessions. Using contemporary packet inspection and capture technologies, ISPs can investigate and record the content of unencrypted digital communications data packets. This paper explains the structure of these packets, and then proceeds to describe the packet inspection technologies that monitor their movement and extract information from the packets as they flow across ISP networks. After discussing the potency of contemporary packet inspection devices, in relation to their earlier packet inspection predecessors, and their potential uses in improving network operators’ network management systems, I argue that they should be identified as surveillance technologies that can potentially be incredibly invasive. Drawing on Canadian examples, I argue that Canadian ISPs are using DPI technologies to implicitly ‘teach’ their customers norms about what are ‘inappropriate’ data transfer programs, and the appropriate levels of ISP manipulation of consumer data traffic.

DPI Deployed for Mobile Advertising

Deep Packet Inspection is being deployed by an increasing number of operators for a host of purposes, including content analysis, flow analysis, network management (broadly stated), network management as integrated with policy management, and behavioural advertising (to name a few). While BT, in the UK, has openly admitted to working with Phorm to bring behavioral advertising to its consumers, it now appears as though network owners are going to be analyzing Internet traffic from mobiles, as well as desktop and notebook computers.

The Guardian is reporting that in a recent GSMA trial to collect information on where mobile users are browsing, “the UK’s five networks – 3, O2, Orange, T-Mobile and Vodafone – used deep packet inspection technology to collect data covering about half the UK’s entire mobile web traffic” (Source). There is no indication that this is presently being associated with customers’ geolocation, but this does suggest that DPI is gaining increasing acceptance in the UK as a means of tracking what people are doing. Apparently the weak regulatory responses in the UK are spurring companies to deploy DPI before they are left behind the rest of the pack.
