Unpacking the Potential Costs of Bill C-30

Expense Sheet The Government of Canada has, at least temporarily, backed away from pushing through its tabled lawful access legislation. While many critiques of the legislation abound – some of which I’ve recently noted surrounding warrantless access to subscriber information – there have been limited critiques of the actual financial costs associated with the bill. While some public commentators have suggested that the legislation will threaten small Internet service providers’ financial viability, there has yet to be a formal, detailed, and public financial accounting of lawful access-related costs.

I’m incapable of offering this accounting. The same is true for every other Canadian, whether they are a government bureaucrat, private citizen, corporate agent, or government Minister, because the legislation itself remains murky. Thus, rather than suggest that the legislation will cost X dollars, in this post I outline why people cannot cost out the bill if they solely rely on existing public information.

I begin this post by quickly outlining what the Canadian government suggests that the legislation will cost. Having done so, I move to critique the origins of the government’s numbers. This entails first examining the issue of interception capabilities, second, of storage costs, and third, of the status of Telecommunication Service Providers’ existing lawful access capacities. I conclude by noting the lack of clarity surrounding C-30’s breadth and the need for clarity during the legislative, rather than regulation-setting, stage of the bill’s development.

Continue reading

Is Your ISP Snooping On You?

The Planet Data CenterLawful access legislation is upon Canadians. Introduced by Minister Toews as ‘with the government or with the child-pornographers’ legislation, lawful access will radically expand the scope of Canadians’ personal information that government authorities can collect without a warrant. Personal information would be turned over to the government under new powers regardless of whether an individual’s actions had violated the Criminal Code. Lawful access powers will be granted to formal policing organizations, including municipal, provincial, and federal police, to Canada’s spy agency, CSIS, and to the Competition Bureau. Since the legislation has been tabled, media and experts alike have been scratching their heads to understand the significance of changes between the previous and current versions of the bill. In a subsequent post, I’ll be writing about how the delimited subscriber information fields that authorities want to access is excessive, and I will demonstrate how these fields will be used and can be abused.

In this post, however, I am taking a step back from the legislation proper. Rather than talk about lawful access, I want to make available a book chapter, written for the Canadian Centre for Policy Alternatives, that unpacks some of the surveillance capacities within Canada’s current telecommunications networks. The chapter, titled “Is Your ISP Snooping On You?” (.pdf) first appeared in The Internet Tree: The State of Telecom Policy in Canada 3.0. Specifically, the chapter focuses on a technology that is popularly called ‘deep packet inspection.’ Canadian network agents, such as Internet Service Providers, have deployed these technologies to manage their networks, throttle some kinds of data traffic (e.g. P2P file sharing-related traffic), and track subscriber usage of the networks. This same technology, however, has significant privacy and surveillance implications, insofar as it examines the depths of a data transmission: it is the metaphorical equivalent of not just looking at a postcard, but examining the photo and colour of ink on the postcard to make decisions about how to deliver/treat the message on the card. It is with these network-based technologies in mind that we should reflect on the significance of expanded police access to digital transmissions.

Why is deep packet inspection significant? Because lawful access in Canada might be understood as ‘level one’ of a three-stage surveillance process. The United Kingdom is arguably at ‘level two’ at the moment, on the basis that it possesses an embedded surveillance culture and infrastructure that sees over half a million requests for ‘transactional’ (i.e. everything but the words/pictures of a postcard) data each year. The third level, also being contemplated in the UK, would see deep packet inspection devices repurposed/installed by law enforcement and national security organizations to monitor, mine, and mediate data transmissions between UK citizens in near-real time. Canada isn’t at level three – we’re not even at level two just yet – but our ISPs have experience with embedding technologies that make level-two and -three scenarios possible. Thus, to understand the potential surveillance trajectory associated with lawful access, Canadians must understand existing Canadian network configurations to recognize that this legislation is the first of many stages, and question whether we really want to start down this path in the first place.

Download a copy of “Is your ISP Snooping On You” (.pdf)

Recommended Books from 2011 Readings

BookDespite some cries that the publishing industry is at the precipice of financial doom, it’s hard to tell based on the proliferation of texts being published year after year. With such high volumes of new works being produced it can be incredibly difficult to sort the wheat from the chaff.  Within scholarly circles it (sometimes) becomes readily apparent what books are above middling quality by turning to citation indices, but outside of such (often paywall protected) circles it can be more challenging to ascertain what texts are clearly worth reading and which are not.

While I can hardly claim to speak with the weight of scholarly indices, I do read (and rate) a prolific number of texts each year. In what follows, I offer a list of the ‘best’ books that I read through 2011. Some are thought-provoking, others were important in how I understood various facets of the policy process, and still others offer interesting tidbits of information that have until now been hidden in shadow. For each book I’ll identify it’s main aim and a few points about what made the book compelling enough to get onto my list. Texts are not arranged in any particular ranking order and all should be available through your preferred book seller.

Continue reading

Online Voting and Hostile Deployment Environments

Voting requiredElections Canada recently stated that sometime after 2013 it intends to trial online voting, a system that lets citizens vote over the Internet. Fortunately, they are just committing to a trial but if the trial is conducted improperly then Elections Canada, politicians, and the Canadian public may mistakenly come to think that online voting is secure. Worse, they might see it as a valid ‘complement’ to traditional voting processes. If Canadians en masse vote using the Internet, with all of its existing and persistent infrastructural and security deficiencies, then the election is simply begging to be stolen.

While quick comparisons between the United States’ electronic voting system and the to-be-trialed Canadian online voting system would be easy to make, I want to focus exclusively on the Canadian proposition. As a result, I discuss just a small handful of the challenges in deploying critical systems into known hostile deployment environments and, more specifically, the difficulties in securing the vote in such an environment. I won’t be writing about any particular code that could be used to disrupt an election but instead about some attacks that could be used, and attackers motivated to use them, to modify or simply disrupt the Canadian electoral process. I’ll conclude by arguing that Elections Canada should set notions of online voting aside; paper voting requires a small time investment that is well worth its cost in electoral security.

Continue reading

Weebly, Analytics, and Privacy Violations (Updated II)

Failing StreetThose who create and author technical systems can and do impose their politics, beliefs, and inclinations onto how technology is perceived, used, and understood. On the Internet, this unfortunately means that the technically savvy often recommend choices to users who are less knowledgeable. A number of these recommendations are tainted by existing biases, legal (mis)understandings, or stakeholder gamesmanship. In the case of website development firms, such as Weebly, recommendations can lead users to violate terms of service and legal provisions to the detriment of those users. In essence, bad advice from firms like Weebly can lead to harms befalling their blissfully ignorant users.

In this short post, I talk about how Weebly blatantly encourages its customers to conduct surveillance on websites without telling them of their obligations to notify website visitors that surveillance is being conducted. I also note how the company deceives those visiting Weebly’s own properties by obfuscating whether information is collected and who is involved in the collection of visitors’ data. I conclude by briefly noting that Google ought to behave responsibly and publicly call out, and lean on, the company to ensure that Google’s Analytics product is used responsibly and in concordance with its terms of service.

Continue reading

Letter to Stephen Harper on Lawful Access Legislation

SurveillanceFor the past several years, public advocates, academics, the privacy commissioners of Canada, and members of the Canadian Parliament have all voiced concerns about proposed lawful access legislation. There are generally three types of ‘powers’ associated with such legislation: (1) enhanced search and seizure provisions; (2) increased interception of privacy communications powers; (3) production of subscriber data. During the last election cycle, Stephen Harper assured Canadians that within 100 sitting days lawful access provisions would be passed, along with other legislation, in an omnibus crime bill. Lawful access legislation has not been fully debated in the House or Senate, and has significant implications for the future of anonymity and privacy on the Internet, while simultaneously expanding police powers without a clearly demonstrated need to expand such powers.

Working from the most recent lawful access bills, which died when the last election was called, advocates and academics have come together to send a letter of concerns to Prime Minister Harper. Our concerns are as follows:

  1. The ease by which Canadians’ Internet service providers, social networks, and even their handsets and cars will be turned into tools to spy on their activities further to production and preservation orders in former Bill C‐51 – a form of spying that is bound to have serious chilling effects on online activity and communications, implicating fundamental rights and freedoms
  2. The minimal and inadequate amount of external oversight in place to ensure that the powers allotted in these bills are not abused
  3. Clause 16 of former Bill C‐52, which will allow law enforcement to force identification of anonymous online Internet users, even where there is no reason to suspect the information will be useful to any investigation and without adequate court oversight and
  4. The manner in which former Bill C‐52 paves the way to categorical secrecy orders that will further obscure how the sweeping powers granted in it are used and that are reminiscent of elements of the USA PATRIOT Act that were found unconstitutional.

On a final note, we object that Canadians will be asked to foot the bill for all this, in what essentially amounts to a hidden e‐surveillance tax, and are concerned that compliance will further impede the ability of smaller telecommunications service providers to compete in Canada by saddling them with disproportionate costs.

It is of critical import that the lawful access provisions of the omnibus crime bill are shaved off into their own batch of legislation and are afforded their own debates and hearings. Failing to do otherwise would underplay how much the bills’ massive expansions of surveillance capacities might impact the Internet in Canada, and digital communications in this country more generally. If you want to learn more about the concerns listed above, you can read the full letter that was sent to the PMO (.pdf), and you can take action by voicing your concerns at the Stop Online Spying website. Sign the petition located there and then contact your MP: it is only by demonstrating public interest and concern in these bills that they might be clarified, reformed, and potentially prevented from being brought forward in the first place.