Surveillance

The Anatomy of Lawful Access Phone Records

/ Christopher Parsons / 5 Comments

ACL 2006 - Phonebook Canadian advocates, government officials, and scholars are all concerned about the forthcoming lawful access legislation. A key shared concern is that authorities could, under the legislation, access telecommunications subscription records without court oversight. Moreover, as a condition of accessing these records businesses might be served with gag orders. Such orders would prevent Canadians from ever knowing (outside of court!) that the government had collected large swathes of information about them. In response to concerns aired in public, the Public Safety Minister has insisted that the legislation would merely let police access “phone book” information from telecommunications providers.

I maintain that such assertions obfuscate the sheer amount of information contained in the records that authorities would collect. The aim of this post is to make clear just how much information is contained in a single lawful access “phone record”, demonstrating that the government is seeking information that grossly exceeds what is contained in the white or yellow pages today. As a result, I first provide an example phone record that resembles those in every phonebook in Canada and then offer an example of a lawful access record. Remember that such requests may be filed to multiple service providers (e.g. Internet service provider, web forum hosts, blogs, mobile phone companies, etc) and thus a swathe of records can be combined to generate a comprehensive picture of any particular individual. By the conclusion of the post it should be evident that information provided under lawful access powers is more expansive than the phone records government ministers allude to and lay bare those ministers’ technical obfuscations.

Continue reading

Lawful Access, Its Potentials, and Its Lack of Necessity

/ Christopher Parsons

Image by mattwi1s0n

New surveillance powers are typically framed using benevolent and/or patriotic languages. In the United States, we see the PATRIOT Act, the Stored Communications Act, and National Security Letters. Powers associated with this surveillance assemblage have been abused and people have been spied upon in violation of the law, bureaucratic procedure, and regardless of demonstrating real and present dangers. The UK has the Regulation of Investigatory Powers Act (RIPA), which significantly expanded the capabilities of police and intelligence to monitor citizens in previously illegal ways. This legislation is also used improperly, as revealed in the yearly reports from the Interception Commissioner. In Canada, the Canadian government has publicly stated its intention to press ahead and introduce its lawful access legislation despite concerns raised by the public, members of the advocacy and academic community, and the information and privacy commissioners of Canada. Here, we can also expect uses of lawful access powers to overstep stated intents and infringe on Canadians’ rights, intrude upon their privacy, and injure their dignity.

Over the past months I’ve been actively involved in working with, and talking to, other parties about lawful access legislation. This has included speaking with members of the media, publishing an op-ed, and conducting various private discussions with stakeholders around Canada who are concerned about what this legislation may (and may not) mean. Today, in the interests of making public some of the topics of these discussions, I want to address a few things. First, I quickly summarize key elements of the lawful access legislation. Next, I note some of the potentials for how lawful access powers will likely be used. None of the potentials that I identify depend on ‘next generation’ technologies or data management/mining procedures: only technologies that exist and are in operation today are used as mini-cases. None of the cases that I outline offer significant insight into the operational working of stakeholders I’ve spoken with that can’t be reproduced from public research and records. I conclude by questioning the actual need for the expanded powers.

Continue reading

Mobile Security and the Economics of Ignorance

/ Christopher Parsons

Day 24/ Mon 17 Aug 09 Mobile penetration is extremely high in Canada. 78% of Canadian households had a mobile phone in 2010, in young households 50% exclusively have mobiles, and 33% of Canadians generally lack landlines. Given that mobile phones hold considerably more information than ‘dumb’ landlines and are widely dispersed it is important to consider their place in our civil communications landscape. More specifically, I think we must consider the privacy and security implications associated with contemporary mobile communications devices.

In this post I begin by outlining a series of smartphone-related privacy concerns, focusing specifically on location, association, and device storage issues. I then pivot to a recent – and widely reported – survey commissioned by Canada’s federal privacy commissioner’s office. I assert that the reporting inappropriately offloads security and privacy decisions to consumers who are poorly situated to – and technically unable to – protect their privacy or secure their mobile devices. I support this by pointing to intentional exploitations of users’ ignorance about how mobile applications interact with their device environments and residing data. While the federal survey may be a useful rhetorical tool I argue that it has limited practical use.

I conclude by asserting that privacy commissioners, and government regulators more generally, must focus their attention upon the Application Programming Interfaces (APIs) of smartphones. Only by focusing on APIs will we redress the economics of ignorance that are presently relied upon to exploit Canadians and cheat them out of their personal information.

Continue reading

Review: Islands of Privacy

/ Christopher Parsons

Image Courtesy of University of Chicago Press

Christena Nippert-Eng’s Islands of Privacy is an interview-intensive book that grapples with how her sample group of Chicago residents attempt to achieve privacy, and the regular issues they face in maintaining privacy on a day-to-day basis. She finds a strong correlation between those who have had their privacy violated and those who want to secure and defend privacy as a concept and important element of their lived experience. 74 interviews were conducted with residents of Chicago and she makes very clear that her findings and conclusions are consequently highly contingent: other populations across America and the world would likely result in very different understandings of what constitutes privacy and a violation.

Privacy is defined quite early as “about nothing less than trying to live both as a member of social units – as part of a number of larger wholes – and as an individual – a unique, individuated self” (6). Further, privacy is identified as something to be managed: it exists by managing public information. Information is seen by participants as inherently public, with effort required to make it private, though interviewed subjects do not necessarily stick to this understanding of privacy throughout their interviews. On the whole, the approach to privacy remains wrapped up in the language on control, seclusion, and selective sharing of information; in this sense, Nippert-Eng’s work can be seen as a fusion of Westin’s Privacy and Freedom and key tenets of Nissembaum’s work in Privacy in Context: Technology, Policy, and the Integrity of Social Life.

Continue reading

Weebly, Analytics, and Privacy Violations (Updated II)

/ Christopher Parsons / 1 Comment

Failing StreetThose who create and author technical systems can and do impose their politics, beliefs, and inclinations onto how technology is perceived, used, and understood. On the Internet, this unfortunately means that the technically savvy often recommend choices to users who are less knowledgeable. A number of these recommendations are tainted by existing biases, legal (mis)understandings, or stakeholder gamesmanship. In the case of website development firms, such as Weebly, recommendations can lead users to violate terms of service and legal provisions to the detriment of those users. In essence, bad advice from firms like Weebly can lead to harms befalling their blissfully ignorant users.

In this short post, I talk about how Weebly blatantly encourages its customers to conduct surveillance on websites without telling them of their obligations to notify website visitors that surveillance is being conducted. I also note how the company deceives those visiting Weebly’s own properties by obfuscating whether information is collected and who is involved in the collection of visitors’ data. I conclude by briefly noting that Google ought to behave responsibly and publicly call out, and lean on, the company to ensure that Google’s Analytics product is used responsibly and in concordance with its terms of service.

Continue reading

Letter to Stephen Harper on Lawful Access Legislation

/ Christopher Parsons / 1 Comment

SurveillanceFor the past several years, public advocates, academics, the privacy commissioners of Canada, and members of the Canadian Parliament have all voiced concerns about proposed lawful access legislation. There are generally three types of ‘powers’ associated with such legislation: (1) enhanced search and seizure provisions; (2) increased interception of privacy communications powers; (3) production of subscriber data. During the last election cycle, Stephen Harper assured Canadians that within 100 sitting days lawful access provisions would be passed, along with other legislation, in an omnibus crime bill. Lawful access legislation has not been fully debated in the House or Senate, and has significant implications for the future of anonymity and privacy on the Internet, while simultaneously expanding police powers without a clearly demonstrated need to expand such powers.

Working from the most recent lawful access bills, which died when the last election was called, advocates and academics have come together to send a letter of concerns to Prime Minister Harper. Our concerns are as follows:

  1. The ease by which Canadians’ Internet service providers, social networks, and even their handsets and cars will be turned into tools to spy on their activities further to production and preservation orders in former Bill C‐51 – a form of spying that is bound to have serious chilling effects on online activity and communications, implicating fundamental rights and freedoms
  2. The minimal and inadequate amount of external oversight in place to ensure that the powers allotted in these bills are not abused
  3. Clause 16 of former Bill C‐52, which will allow law enforcement to force identification of anonymous online Internet users, even where there is no reason to suspect the information will be useful to any investigation and without adequate court oversight and
  4. The manner in which former Bill C‐52 paves the way to categorical secrecy orders that will further obscure how the sweeping powers granted in it are used and that are reminiscent of elements of the USA PATRIOT Act that were found unconstitutional.

On a final note, we object that Canadians will be asked to foot the bill for all this, in what essentially amounts to a hidden e‐surveillance tax, and are concerned that compliance will further impede the ability of smaller telecommunications service providers to compete in Canada by saddling them with disproportionate costs.

It is of critical import that the lawful access provisions of the omnibus crime bill are shaved off into their own batch of legislation and are afforded their own debates and hearings. Failing to do otherwise would underplay how much the bills’ massive expansions of surveillance capacities might impact the Internet in Canada, and digital communications in this country more generally. If you want to learn more about the concerns listed above, you can read the full letter that was sent to the PMO (.pdf), and you can take action by voicing your concerns at the Stop Online Spying website. Sign the petition located there and then contact your MP: it is only by demonstrating public interest and concern in these bills that they might be clarified, reformed, and potentially prevented from being brought forward in the first place.