announcement

Is Your ISP Snooping On You?

/ Christopher Parsons

The Planet Data CenterLawful access legislation is upon Canadians. Introduced by Minister Toews as ‘with the government or with the child-pornographers’ legislation, lawful access will radically expand the scope of Canadians’ personal information that government authorities can collect without a warrant. Personal information would be turned over to the government under new powers regardless of whether an individual’s actions had violated the Criminal Code. Lawful access powers will be granted to formal policing organizations, including municipal, provincial, and federal police, to Canada’s spy agency, CSIS, and to the Competition Bureau. Since the legislation has been tabled, media and experts alike have been scratching their heads to understand the significance of changes between the previous and current versions of the bill. In a subsequent post, I’ll be writing about how the delimited subscriber information fields that authorities want to access is excessive, and I will demonstrate how these fields will be used and can be abused.

In this post, however, I am taking a step back from the legislation proper. Rather than talk about lawful access, I want to make available a book chapter, written for the Canadian Centre for Policy Alternatives, that unpacks some of the surveillance capacities within Canada’s current telecommunications networks. The chapter, titled “Is Your ISP Snooping On You?” (.pdf) first appeared in The Internet Tree: The State of Telecom Policy in Canada 3.0. Specifically, the chapter focuses on a technology that is popularly called ‘deep packet inspection.’ Canadian network agents, such as Internet Service Providers, have deployed these technologies to manage their networks, throttle some kinds of data traffic (e.g. P2P file sharing-related traffic), and track subscriber usage of the networks. This same technology, however, has significant privacy and surveillance implications, insofar as it examines the depths of a data transmission: it is the metaphorical equivalent of not just looking at a postcard, but examining the photo and colour of ink on the postcard to make decisions about how to deliver/treat the message on the card. It is with these network-based technologies in mind that we should reflect on the significance of expanded police access to digital transmissions.

Why is deep packet inspection significant? Because lawful access in Canada might be understood as ‘level one’ of a three-stage surveillance process. The United Kingdom is arguably at ‘level two’ at the moment, on the basis that it possesses an embedded surveillance culture and infrastructure that sees over half a million requests for ‘transactional’ (i.e. everything but the words/pictures of a postcard) data each year. The third level, also being contemplated in the UK, would see deep packet inspection devices repurposed/installed by law enforcement and national security organizations to monitor, mine, and mediate data transmissions between UK citizens in near-real time. Canada isn’t at level three – we’re not even at level two just yet – but our ISPs have experience with embedding technologies that make level-two and -three scenarios possible. Thus, to understand the potential surveillance trajectory associated with lawful access, Canadians must understand existing Canadian network configurations to recognize that this legislation is the first of many stages, and question whether we really want to start down this path in the first place.

Download a copy of “Is your ISP Snooping On You” (.pdf)

Announcement: Lawful Access Report Now Available

/ Christopher Parsons

SpiesLast year the British Columbia Civil Liberties Association (BCCLA) approached me to prepare a report around forthcoming lawful access legislation. Specifically, I was to look outside of Canada to understand how lawful access powers had been developed and used in foreign jurisdictions. An early version of that research report was provided to the BCCLA mid-last year and was used to support their recent, formal, report on lawful access legislation. The BCCLA’s formal report, “Moving Towards a Surveillance Society: Proposals to Expand “Lawful Access” in Canada” (.pdf) provides an excellent, in-depth, analysis of lawful access that accounts for some of the technical, social, and legal problems associated with the legislation.

Today I am releasing my report for the BCCLA, titled “Lawful Access and Data Preservation/Retention: Present Practices, Ongoing Harm, and Future Canadian Policies” (.pdf link). I would hasten to note that all research and proposals in my report should be attributed to me, and do not necessarily reflect the BCCLA’s own positions. Nothing in my report has been changed at the suggestion or insistence of the BCCLA; it is presented to you as it was to the BCCLA, though with slight updates to reflect the status of the current majority government.

In the report, I look to the United Kingdom and United States to understand how they have instantiated lawful access-style powers, the regularity of the powers’ usage, and how the powers have been abused. I ultimately conclude by providing a series of proposals to rein in the worst of lawful access legislation, which includes process-based suggestions (e.g. Parliamentary hearings on the legislation) and more gritty auditing requirements (e.g. a specific series of data points that should be collected and made public on a yearly basis).  It’s my hope that this document will elucidate some of the harms that are often bandied about when speaking of lawful access-powers. To this end, there are specific examples of harms throughout the document, all of which are referenced, with the conclusion being that citizens are not necessarily safer as a result of expanded security and intelligence powers that come at the cost of basic charter, constitutional, and human rights.

Download .pdf version of “Lawful Access and Data Preservation/Retention: Present Practices, Ongoing Harm, and Future Canadian Policies

(Un)Lawful Access Forum in Ottawa

/ Christopher Parsons

I’ll be speaking at a forum about Canada’s forthcoming lawful access legislation on February 8 at St. Paul University. From 6pm-7pm there will be the formal book launch of the Canadian Centre for Policy Alternatives’ recent title, The Internet Tree: The State of Telecom Policy in Canada 3.0. Those attending the forum may be particularly interested in the two chapters on surveillance (one of which I authored). The lawful access event runs from 7-10PM. From 7:00-7:30 the organizers will be showing the mini-documentaries “(Un)Lawful Access” and “Moving Towards a Surveillance Society.” Following this, there will be two panels to discuss the expected legislation. The first (which I’m on) runs from 7:30-8:30 and discusses the technical elements of the forthcoming legislation. The panel is composed of myself, Kirsten R. Embree, Stephen McCammon, and John Lawford. The second panel runs from 8:45 to 9:30, and focuses on the political dimensions of the legislation. Panelists include Charlie Angus and Elizabeth May, with Michael Geist moderating. The final 30 minutes are devoted to summarizing the forum, outlining actions that are taking place, and suggesting continuing activities.

For more information about the event, see Unlawfulaccess.ca, and register for the event on Facebook. You can also download/print/share copies of the poster for the event. This will be a really great event, and the mixture of formally separated technical and political panels should do a great job in outlining the range of issues that lawful access legislation touches upon.

Creeping Towards a State of Surveillance

/ Christopher Parsons

internet down :( On Wednesday, July 27 2011, I’ll be talking at the forum to stop online spying. The forum is part of a larger national campaign to raise awareness about the potentials of state surveillance and the implications of the Government of Canada’s (expected) surveillance legislation that will be announced in the fall 2011 session. Amongst other provisions, the legislation is expected to significantly reduce the degree of judicial oversight surrounding government acquisition of subscriber data – data that users of the Internet provide to their ISP, chat services (e.g. MSN, AIM), social networking sites (e.g. Google+, Orkut, Facebook), and other online communications mediums.

I’ll be giving a short talk entitled “Creeping Towards a State of Surveillance” that is meant as an introduction to the gravity and nuances of surveillance legislation. In it, I’ll first talk about what constitutes surveillance and what constitutes function creep. From there, I’ll briefly discuss the challenges associated with classifying data as ‘public’ or ‘private’ and the deficits of ‘anonymizing’ data. This will focus on distinguishing between so-called traffic and content data types, and the kinds of private information that can be extracted from ‘mere’ traffic data. I’ll wrap things up with a quick overview of the positive, and problematic, aspects of audits, advocates, and government commissioners in restraining the state’s appetite for intelligence for so-called policing actions.

If you’re interested in coming out then head over to StopOnlineSpying.com and register. The talks start at 1:30 and run until 5:30, and are a non-partisan discussion of the forthcoming legislative agenda. It’s meant to be heavy on discussion and maximally accessible to people that don’t focus their lives studying privacy, democracy, or telecommunications and has a good mix of advocates and scholars. If you can’t make the forum, but are either bothered by or want to learn more about the Canadian government’s expanded surveillance laws, check out the national campaign.

Forthcoming Talk at Social Media Camp Victoria

/ Christopher Parsons / 2 Comments

Social-Media-LandscapeOn October 3 I’ll be presenting at Social Media Camp Victoria with Kris Constable about a few risks to privacy associated with social media. Kris is a leading Canadian privacy advocate and expert in information security and the operator of PrivaSecTec.

I’ll be talking about the use of traffic analysis and data mining practices that can be used to engage in massive surveillance of social networking environments and the value of drawing links between users rather than investigating the content of communications. The argumentative ‘thrust’ is that freedoms of expression and association may offer a approach to secure privacy in the face of weakened search laws. The full abstract can be read below.

Abstract:

Citizens are increasingly moving their communications and forms of expression onto social media environments that encourage both public and private collaborative efforts. Through social media, individuals can reaffirm existing relationships, give birth to new and novel communities and community-types, and establish the classical political advocacy groups that impact government decisions and processes. In coming together online for their various reasons, citizens expect that their capacity to engage with one another should, and in some respect does, parallel their expectations of privacy in the analogue world.

In this presentation, I first outline expectations and realities of privacy on and offline, with an emphasis on data traffic (i.e. non-content) analysis born from Signal Intelligence (SIGINT), and SIGINT’s use in civilian governmental practices. I then proceed to outline, in brief, how social media generally can be used to identify associations and a few reasons why such associations can undermine the communicative privacy expected and needed for the long-term survival of vibrant constitutional democracies. Rather than ending on a note of doom and gloom, however, I suggest a novel way of approaching privacy-related problems stemming from massive traffic data analysis in social media networks. While the language of freedom from unjustified searches is often used to resist traffic analysis, I draw from recent privacy scholarship to suggest that freedom of expression and association offers a novel (and possibly superior) approach to defending privacy interests in social media from SIGINT-based surveillance.