Technology

Privacy Advocates and Deep Packet Inspection: Vendors, ISPs, and Third-Parties

/ Christopher Parsons / 11 Comments

sandvinetestnetwork[I recently posted a version of this on another website, and thought that it might be useful to re-post here for readers. For a background on Deep Packet Inspection technologies, I’d refer you to this.]

There is a very real need for various parties who advocate against Deep Packet Inspection (DPI) to really work through what Packet Inspection appliances have done, historically, so that their arguments against DPI are as precise as possible. Packet Inspection isn’t new, and it’s not likely to be going away any time soon – perimeter defences for networks are essential for mitigating spam and viruses (and rely on Medium Packet Inspection).

I’m in no way an expert in the various discussions surrounding DPI (though I try to follow the network neutrality, privacy, and communications infrastructure debates), but I have put together a paper that attempts to clarify the lineage of DPI devices and (briefly) suggest that DPI can be understood as a surveillance tool that is different from prior packet inspection technologies. From a privacy perspective (which is where I sit in relation to the deployment of DPI), it’s important for privacy advocates to understand that approaching the issue from a principle-based approach is fraught with problems at legal, theoretical, and practical levels. The complexities of developing a principle-based approach is one of the reasons why many contemporary privacy scholars (myself included) have opted for a ‘problem-based’ approach to identifying privacy infringements. What, exactly, do most advocates mean when they say that their privacy is ‘violated’? I don’t think that a clear position comes out in the advocate position (maybe it does, and I’m just not aware of it) – they appear to allude to a fundamental right to privacy, while pointing to specific instances as ‘violations’ of that right. The worry with principled approaches is that they are challenged to fully capture what we mean when we say something is private, and equally challenged to capture contextualized social norms of privacy (e.g. streetview in the US versus Japan, bodily privacy in differing cultures, etc etc).

Continue reading

Thoughts: P2P, PET+, and Privacy Literature

/ Christopher Parsons

p2pwindowPeer-to-peer (P2P) technologies are not new and are unlikely to disappear anytime soon. While I’m tempted to talk about the Pirate’s Bay, or ‘the Pirate Google‘ in the context of P2P and privacy, other people have discussed these topics exceptionally well, and at length. No, I want to talk (in a limited sense) about the code of P2P and how these technologies are (accidentally) used to reflect on what privacy literature might offer to the debate concerning the regulation of P2P programs.

I’ll begin with code and P2P. In the US there have been sporadic discussions in Congress that P2P companies need to alter their UIs and make it more evident what individuals are, and are not, sharing on the ‘net when they run these programs. Mathew Lasar at Ars Technica has noted that Congress is interested in cutting down on what is termed ‘inadvertent sharing’ – effectively, members of Congress recognize that individuals have accidentally shared sensitive information using P2P applications, and want P2P vendors to design their programs in a way that will limit accidental sharing of personal/private information. Somewhat damningly, the United States Patent and Trademark Office declared in 2006 that P2P applications were “uniquely dangerous,” and capable of causing users “to share inadvertently not only infringing files, but also sensitive personal files like tax returns, financial records, and documents containing private or even classified data” (Source).

Continue reading

Update: EDLs in New Brunswick

/ Christopher Parsons

200904021515.jpgA few days ago I posted that Nova Scotia and New Brunswick both might be moving away from EDLs because of their costs and/or privacy issues. While the article discussed the issue was problematic (because of persistent factual errors), it appears as though the author was on target concerning New Brunswick’s concerns with the technology: EDLs will not be coming to my birthplace .

This means that both New Brunswick and Saskatchewan will not be going forward with EDLs, though Alberta. Quebec, Manitoba, Ontario, and B.C. are all going ahead with EDLs. I’ll be curious to see if the rest of the Atlantic provinces follow New Brunswick’s lead, and how this might shape the national discourse on EDLs.

Note: EDLs in New Brunswick and Nova Scotia?

/ Christopher Parsons

200903230015.jpgThere is a fairly confusing article on EDLs that was published by the Times & Transcript’s Alan Cochrane. It’s absolutely rife with inaccuracies about the technologies about EDLs, which contributes to the rampant misinformation about these identification pieces. Before I get to that, I want to note pieces of information that look interesting, though their accuracy has to be taken as questionable given the sloppy work done throughout the article.

Of interest:

  1. Apparently the New Brunswick government’s support of EDLs has ‘waned’ after receiving some report or another. While the reporter doesn’t mention the report by name, I have a suspicion that it’s the report commissioned by the Atlantic registrars of motor vehicles that was referenced in the May 9, 2008 press release of the Council of Atlantic Premiers. That report has not been disclosed to the public. (I lack anything that would substantiate or disprove the claim that New Brunswick’s interest has waned; I also don’t know what the report stated and so can’t know if it would influence the government’s position.)
  2. Service Nova Scotia has stated that the province is looking into EDLs, but as of yet does not have a deployment timeline. (I lack information that would substantiate or disprove this claim.)
  3. Manitoba is taking applications for EDLs right now, and will begin shipping them in 2 weeks. (This definitely seems on the money, and we can presume that it is accurate.)
  4. Continue reading

Ontario Information and Privacy Commissioner, and DRM

/ Christopher Parsons

200903201224.jpgIn his recent discussion with Ann Cauvoukian, Jesse Brown seems to have touched on a nerve. In the interview, the Commissioner discusses the use of self-encrypting/decrypting security systems that are meant to meet her ‘PET Plus’ program; she wants to ensure that measures are embedded in surveillance technologies that secure individuals’ privacy while at the same time enabling police to perform their duties. In the case of cameras, this will mean that all bodies on the screen are barely visible – not blurred, but almost erased from a non-decrypted viewing. Individuals are only revealed on film when a decryption algorithm is applied; until then, those individuals hold a spectre-like existence.

Russell McOrmond has taken a strong stance against this, arguing that the Commissioner’s efforts would make first-party/content owners subservient to third party agents who hold decryption keys. It is important to note that, as the Commissioner has presented her ideas, the police, or some other authority, would be the only group who would have access to these keys. This would limit the use of CCTV by employees to illegitimately survey clients/patrons/etc. Surprisingly quickly, Ken Anderson (Assistant Commissioner, Privacy, Ontario) has jumped into the discussion.

Continue reading

Update: EDLs in Saskatchewan and Quebec

/ Christopher Parsons

200903161147.jpgAs I noted a few days ago, the Saskatchewan government is debating whether or not they want to implement EDLs given the privacy and financial risks that accompany the licenses. It seems as though the Office of the Privacy Commissioner of Canada is supporting this hesitancy, with the assistant privacy commissioner;

. . . is applauding the province’s decision to back away from the enhanced licences until legislation addresses concerns about how personal information is used and how vulnerable it is to hackers.

“It’s highly significant,” Bernier said in an interview with The Canadian Press. “The province seems to come to the conclusion … that the cost-benefit analysis is not convincing.” (Source)

It will be interesting to see whether or not Saskatchewan reintroduces EDL legislation after Ontario’s information and privacy commissioner manages to implement an ‘on/off’ switch that she has been talking about with Jesse Brown for the past few weeks. My suspicion is that they will, but that they will let Ontario do the heavy lifting in this area (I expect that Ontario’s influence with DHS will be more substantial than Saskatchewan, but maybe that isn’t/won’t be the case).

Continue reading