Wednesday, May 2, 2007

Sleepwalking into a surveillance state

Montreal Mirror
Government and corporate threats to online privacy are the topics of a major
Montreal conference

by PATRICK LEJTENYI (Cover story Montreal Mirror April 26- May 2, 2007)

If the federal Liberal MP for NDG-Côte-des-Neiges, Marlene Jennings, gets her way, she may very well become the toast of the town for law enforcement officials. Last month, she re-introduced Bill C-416, the Modernization of Investigative Techniques Act-more commonly known as the Lawful Access Bill-as a private members' bill in the House of Parliament. The bill would impose requirements on telecommunication service providers (TSPs) with 100,000 clients or more that would force them to hand over user data to law enforcement agencies based on a "single phone call," says Michael Geist, the Canada Research Chair of Internet and E-commerce Law at the University of Ottawa and author of the Law Bytes column. It's something the RCMP, for one, has been quietly lobbying the Conservative government to enact. But the law, says Geist, is neither necessary nor effective, and may even be dangerous. It's a hot and ongoing topic in the field, and one that will be discussed at a major conference in Montreal next week.

Look who's watching

The 17th annual Conference on Computers, Freedom & Privacy, taking place at the Bonaventure Hilton from May 1-4, will host all manner of government officials, security experts, privacy advocates and hackers and will talk about everything from anonymity to no-fly lists to identity management to digital distribution. Thematically, the conference title pretty much says it all.

Jennings says the legislation, which was first introduced in November 2005 but died on the order paper thanks to the January 2006 election, is a necessary step in keeping up with the digital times and that privacy worries have been taken into account.

"There were major consultations in 2003," she tells the Mirror. "We spoke with over 300 groups and stakeholders, including law enforcement, department officials, businesses and civil liberties and privacy groups. We were very open to suggestions."

There are two parts to the Lawful Access Bill, says Jennings. The first is to "ensure that TSPs and Internet service providers (ISPs) have the technical capabilities so that when law-enforcement officials get wiretap warrants, they are able to use technological surveillance information. But they have to get a legal warrant before. It's the same criteria as a wiretap." In effect, TSPs and ISPs have to be able to make sure law enforcement has the technological capability to carry out surveillance on suspects' wireless communications.

The second provision is designed to make law enforcement officials' jobs easier. "Law enforcement officials are authorized to request the name, address, ISP address or phone number of individuals already under investigation, if they already have one of those identifiers." She argues that this kind of information is, in some circumstances, already available
in the public sphere in the form of phone books. Internal and external auditing procedures will ensure that the law is not abused.

But Geist isn't buying it. "The privacy community has been pretty consistent in its criticism" of the bill, he says. "Many of us are deeply troubled. Our prime concern is the lack of oversight. At a time when surveillance is increasing, this isn't the time to be decreasing oversight. And auditing is not oversight." The current legislation leaves too much opportunity for abuse, he says. "We've seen it in the U.S."

When asked about Jennings' assertion that any request has to be approved by a court order, Geist says, "She needs to read the bill." The bill allows for orders when there are "reasonable grounds to suspect" an individual is up to something nefarious, according to the University of Ottawa's Canadian Internet Policy and Public Interest Clinic. "For law enforcement, Christmas
has come early," says Geist. "They're asking for powers without showing any real need for them."

Switching fears

Indeed, Eugene Oscapella, a lawyer and criminology professor at the University of Ottawa, and a conference speaker, says that law enforcement has more powers than it already needs, and much of it stems from the futile war on drugs-and the war on terror.

"There's been an enormous increase in state surveillance," he says. "There's sniffer dogs, random drug tests, informants-and all this needs massive monitoring to be even remotely successful. We stop maybe 10 per cent of drugs from coming into the country, which leads to further calls for greater surveillance powers."

The years of vigorous anti-drug rhetoric has, says Oscapella, "softened up the public enough to switch to a new environment," namely to further surrender our rights out of fear of the terrorist bogeyman. "The same dynamic is going to apply. And we're going to make the same mistakes.

"We've got a public that's accustomed to these kinds of intrusions, so it's very easy to transfer them to another area."

Of course, an event like September 11 makes all that transferring easier. It's not difficult to imagine a future where personal data of all Canadians are contained in one massive database containing our social insurance number, voiceprints and even consumer habits. "There are fairly weak controls against that in place," he says. "And the federal Privacy Commissioner has no legal authority to prevent data linkage."

(Online identity management is big business. Conference speaker Stefan Brands, the president of Montreal-based Credentica and an adjunct professor of cryptology at McGill, says this is going to be the Internet's "next big bang." His research, funded by Nokia, is trying to develop a tamper-proof one-stop user identity program similar to Microsoft's Passport. He says the
technology exists, but the big obstacle is overcoming consumer antipathy to putting all their online identity eggs into one digital basket.)

Oscapella thinks Canada isn't at the same stage as the U.K., with its stringent anti-terror laws and 4.2-million cameras, some of which have audio capability, or the U.S.'s Terrorism Information Awareness project (formerly known as Total Information Awareness, until changed to sound less totalitarian). But, says Geist, "In many ways it is not apt to make comparisons. There isn't the same kind of privacy legislation in those countries, and many would argue that they've gone too far. Comparative reviews miss the point. Canadian legislation needs to reflect our needs and our values."

Nevertheless, says Oscapella, the risk is real that "We are sleepwalking into a surveillance state."

Coding like it's Nineteen Eighty-Four

Of course, there are surveillance states and there are surveillance states, and there are almost always ways to get around them. Both Geist and Oscapella say that as bad as the risks are now, they are nowhere near as invasive or far-reaching as government firewalls in places like China and Iran. Built with the assistance of big Western companies like Google, Yahoo!, Microsoft and Cisco, totalitarian regime firewalls have become targets of interest to people like Oxblood Ruffin, a Munich-based human rights hacker.

Ruffin (a pseudonym, obviously), who will also be speaking in Montreal, says his organization, Hacktivismo, uses "technology to improve human rights." Hardly the malicious, spotty-faced teenager of pop culture lore-he says the term hacker has been mangled; its original meaning was open-source code improvement-Ruffin has been at the forefront of open-source programming dedicated to improving Internet access to end-users behind the Firewall Curtain.

Limiting Internet use is, he says, "a developing-country, southern-hemisphere issue." One way he's helped is by releasing Torpark, an anonymous, free portable browser based on Mozilla's Firefox. It can be downloaded and runs off a USB stick, and leaves no tracks behind in a
computer's browser. Ideal, he says, for looking at official forbidden sites.

It's not perfect, of course. "If you're a user in China or Iran, and you're already a government suspect, and the government is already looking at you, you probably don't want to use it," he says. "Nothing is entirely foolproof. But if you're a pre-suspect, if the government doesn't know who you are, it's quite safe. You can operate under their radar. It really depends on what level of awareness the government has of you."

Ruffin, like most human rights activists, is extremely critical of Western companies that collude with totalitarian regimes, and dismisses their arguments justifying their actions.

"There tend to be two arguments," he says. "The first is, to do business in China, you have to abide by the law of the land, and if they don't, they can't do business there. The second is, it's better to be there than to not be there, engagement is better than non-engagement. But international law trumps domestic law. Just because something is tolerated in China or Iran,
should it be tolerated elsewhere? In some countries, it's legal to have sex with children. It's a gross and disgusting analogy, but it's still valid. As for engagement, that argument's entirely theoretical. It tends to be advanced more by corporations than governments."

But corporations can also do more to change an unpleasant regime than other governments. South Africa's Apartheid regime collapsed in part, he says, thanks to disinvestment on the part of large American corporations like GM. "Corporations operating in China, especially IT corporations, are propping up censorship," he says. "If Google were to say, very politely to avoid
humiliating the Chinese authorities, 'We made a stupid decision and we can't come back until there's more flexibility and we can offer the same services here as we can in the West, sorry, see you around, thanks, goodbye,' the Chinese government would have a serious freak-out."

But he isn't banking on it. In fact, in a few years, the Chinese might not even need Western companies to keep their populations docile. He says Chinese companies have been exporting censorship technologies to pariah countries like Zimbabwe.

Hacking away at controls

Hacktivism is also being applied to the entertainment industry here, thanks to fans who want free music. The U.S.'s Digital Millennium Copyright Act (DMCA) of 1998, which allows media publishers to install anti-copy-ware and anti-access-ware programs into products like DVDs and CDs, is severely curtailing online innovation, especially when it comes to Web 2.0,
user-generated content.

To Mark Perry (also to speak next week), an associate professor in the Faculties of Computer Science and Law at the University of Western Ontario, this kind of intellectual property law limits one of the greatest freedoms democracies enjoy, parody. While Viacom might be trying to cripple YouTube for posting unauthorized copyrighted material, policing user-generated content sites like YouTube is an exercise in futility.

"I consider YouTube a conduit rather than a publisher," says Perry. "It's like a post office, it's just providing a means of communication. There's just too much content to control, it's enormous. YouTube can't possibly edit all the material.. And besides, we don't want to stop a conduit because the material is useful-well, some of it is useful, anyway."

There are rumours that the federal Conservative government wants to adopt legislation similar to the DMCA in the form of Bill C-60, but Perry urges caution. "That's probably not the way they want to go if we want to promote fair use or fair dealing," he says. "In the U.S., they're realizing that it's probably not a brilliant piece of legislation."

The economic paradigm is shifting, says Perry. "Publishers and users are going to be part and parcel of the same thing," he says. Meanwhile, self-avowed "technological anarchists," like Labrador's Andrew Abbass, are busy creating their own digital rights management systems for independent artists to control distribution of their works that would cost pennies per user to maintain.

As for Marlene Jennings' Bill C-416, it probably won't be passed, like most private members' bills-although she'd be more than willing to hand it over to the Conservatives if it meant it would be enacted. But Michael Geist doesn't think that's going to happen.

"The Conservatives are very strong on law and order, but I don't think they'll raise the issue because it's not the kind of issue a minority government is likely to introduce," he says. "I think this bill is a disservice to the Liberals, because for people like me, it's not a vote-getter."

For all his criticisms, Geist is no rabid anti-government activist. "The government has played a role over the past decade in the Internet, including in designing privacy legislation," he says. "So it's appropriate for the government to think about what role it should play in the next
decade-namely, preserving the ability to speak freely and enhancing user-generated content."

For more info visit
www.cfp2007