The Surveillance Society is already here

Canadians often look at intrusive, anti-privacy surveillance in other countries, and at things like the NSA and Patriot Act in the United States and think we are above that. But it is becoming apparent that Canada is just as bad. We need to do better than this and move the pendulum back towards individual rights and freedoms, and away from a surveillance society that does very little if anything to actually protect us.

For example, it recently came to light that the Communications Security Establishment, or CSE, Canada’s equivalent of the NSA, monitors and stores emails sent to Canadian government agencies.

This kind of surveillance is usually justified as being necessary to deal with terrorism and threats to national security, and its effects are downplayed by comments like its just metadata, or Canadians aren’t targeted. But there does not seem to be any evidence that all this surveillance and collection actually prevents anything bad from happening. Metadata is every bit as personal, private, and informative as the data itself. Who is targeted does not change the fact that personal information on citizens is being collected and retained, and that this information has the potential to be abused and used for undesirable purposes.

Mathew Ingram puts it well in an article in the Globe entitled We can’t accept Internet surveillance as the new normal.

The only good news is that the ongoing revelations about the nature and type of spying – largely because of Edward Snowden – are creating a growing public backlash, and tech companies are working to make it harder to intercept communications. Bill C-51, the anti-terrorism bill currently in the hearing stage is a case in point, which has attracted a huge amount of criticism – both over a lack of oversight, and as to the intrusiveness and potential abuse of authority that could result.

See, for example, this Huff Post article entitled Edward Snowden Warns Canadian To Be ‘Extraordinarily Cautious’ Over Anti-Terror Bill, and Michael Geist’s article entitled Why The Anti-Terrorism Bill is Really an Anti-Privacy Bill: Bill C-51′s Evisceration of Privacy Protection 

There is even a website dedicated to stopping the bill.

Cross-posted to Slaw.

Police want your texts

Today’s Slaw post

A CNET article entitled Cops to Congress: We need logs of Americans’ text messages says that “State and local law enforcement groups want wireless providers to store detailed information about your SMS messages for at least two years — in case they’re needed for future criminal investigations.”

This issue keeps coming up – the Canadian lawful access attempts are another example.

Attempts to force the preservation of this type of communication is tremendously invasive and wrong on many levels. To me, it is no different than asking phone companies to record and save phone conversations or the post office to copy mail – “in case they’re needed for future criminal investigations.”

Reports share concerns over Bill C-30

For the London Free Press – August 9, 2012 – Read this on Canoe

Proposed federal ‘lawful access’ legislation designed to provide police greater accessibility to information comes under fire from both the federal and provincial commissioners

The Federal and Ontario privacy commissioners both recently released their annual reports. Their reports contained some common themes, even though the privacy laws they enforce and their application are quite different.

Both expressed concern about the proposed federal “lawful access” legislation, Bill C-30. It’s designed to provide police with much greater ability to access and track information about individuals through communication technologies such as the Internet and smartphones, without a warrant or any judicial authorization.

The law includes the ability to obtain a wide range of information, and will require Internet service providers to invest in systems to retain more information in case it’s later required for an investigation.

Both commissioners are concerned that the bill is too invasive and privacy unfriendly.

The commissioners also are concerned about the use of biometrics. Biometrics consists of personal information obtained through the scanning of physical features such as your face or your fingerprints.

The federal privacy commissioner has released a guidance document called Data at Your Fingertips: Biometrics and the Challenges to Privacy about the benefits and drawbacks of biometrics.

Ontario’s privacy commissioner stated “fortunately, privacy solutions exist, but they must be embedded early into the biometric matching system to be effective. When deployed properly, Biometric Encryption (BE) defeats many of the major privacy concerns surrounding the collection and (mis)use of biometrics: there is no retention of a biometric image or template, which significantly enhances security and diminishes the risk of data-matching against other databases. BE can be deployed with no meaningful loss of system functionality.”

In other words, don’t store the biometric image itself, and make sure that biometric identifiers cannot be reversed into the biometric image. After all, if a credit card number is compromised, you can get a new one. But if your fingerprint or iris scan is compromised, you can’t get a new one.

It’s crucial for any use of biometrics as an identifier to be designed with privacy and security issues in mind.

But designing privacy into new products and services is not just for biometrics. Both commissioners also talked about the importance of implementing privacy considerations directly into the design of any program or service where personal data is being collected or used. The federal privacy commissioner has on different occasions been critical of some social media providers, for example, for not considering privacy issues before launching new services.

The Ontario privacy commissioner has labeled this approach privacy by design that is a “pre-emptive approach that requires the integration of privacy considerations into new programs and databases from the outset, and not as an afterthought.”

The Ontario commissioner has written several papers on privacy by design that are a worthwhile read for anyone creating a new product or service that uses personal information.

Lawful Access bill – a very bad idea

The Canadian federal government is re-introducing a “lawful access” bill that will give police the ability to get certain information about us from our Internet Service Providers without a warrant.  It will also require anyone who offers telecommunications services to build in a backdoor to give police access for wiretap purposes.

This bill is an affront to privacy and should not be passed.  For some insight into the details and why it is a bad idea, and links to other material take a look at:

And sign the online petition at Open

And by the way, I’m tired of the political rhetoric and hyperbole that surrounds so much proposed legislation.  Public Safety Minister Vic Toews has been widely quoted as responding to an opposition question on the bill by saying  “He can either stand with us or with the child pornographers”.    Really?  We deserve better than that.

The laws that govern us deserve rational debate and intelligent discussion about why they are needed, whether the proposals will help address that, what the collateral damage might be, whether the benefits are worth the costs, etc.  


Surveillance by Design

That’s the title of my Slaw post for today.  It reads as follows.

Ann Cavoukian – the Ontario Privacy Commissioner – has written an excellent op-ed in the Financial Post entitled Beware of ‘Surveillance by Design’.

It starts off with:

I feel the need to raise a growing concern regarding the lack of understanding of a key privacy issue – the ease of data linkages in an ever-increasing online world.

In this day and age of 24/7 online expanded connectivity and immediate access to digitized information, new analytic tools and algorithms now make it possible, not only to link a number with a name, but also to combine information from multiple sources, ultimately creating an accurate profile of a personally identifiable individual.

The Commissioner weighs in on the controversial Alberta Leon’s case that decided license plates are not personal information – which differs from other provinces.

She also expresses her concerns about the pending federal “lawful access” laws, saying that:

In my view, this represents a looming system of “surveillance by design,” that should concern us all in a free and democratic society.

Legislators have too many control issues

That’s the title of my Slaw post for today.  It reads as follows.

The trend to more invasive surveillance and control by North American governments (indeed, by many countries that we consider civilized democracies), or their granting of too much control to others is disturbing. Too many things are making creeping (and sometimes creepy) inroads into privacy rights, along with the usual specious “if you’ve got nothing to hide… ” argument. Too many things are tending towards shoot first, ask questions later. And governments are too eager to look to ISP’s and others who run the internet pipes to control what flows through.

Some examples:

The proposed US SOPA (Stop Online Piracy Act) that is being loudly opposed. It has been characterised as net censorship, an attempt to regulate the internet, and breaking the internet as we know it. It could result in entire web sites being taken down based merely on an allegation that one post or comment infringes copyright.

The proposed Canadian Lawful Access legislation that would allow much more invasive internet information to be given to authorities without warrants. This resulted in a lengthy letter by the Privacy Commissioner to the Ministers responsible.

The increasing use of license plate cameras by police, such as in the Washington DC area. In its simplest, most privacy friendly form, car mounted or fixed cameras read car license plates and flag any that are contained in a database of stolen or suspect vehicles. No record is kept of any plates other than those of interest. But it has come to light that some of the systems store the details of every single plate that they capture, and retain that for long periods of time.


Why Lawful Access is Awful Access

The Canadian government is expected to propose a bill shortly that would allow law enforcement unfettered access without judicial oversight (ie without a warrant) to certain information about you from your ISP, phone company, or other online service provider. 

David Fraser has posted a good piece explaining what it is about that I encourage you to read.  As David puts it, the concept is “inconsistent with your rights to privacy and is dangerous to the free and open internet. ”

For more information, look at what I have written about it before.  Also look at which is campaigning against the proposed law.

Laws requiring data retention ill-advised

I’m not a fan of laws that require entities such as ISP’s to retain data about its customers so law enforcement can get to it.  To me, that flies in the face of privacy principles that say one should only retain personal information (both quantity and duration) to the extent it is required to fulfil the purpose of the services being offered.

I’m not convinced that the benefit to law enforcement outweighs the negative aspects of this – which range from costs to the entity retaining, the risk of abuse, and the risk of exposing it.   It is hard enough to protect the information that entities need, let alone information they don’t need.  And the more information you have, the more you are a target for malfeasers trying to get at it.

Mike Masnick of Techdirt has a post worth reading on the subject.  He refers to a researcher and author who says that a current US bill, the “Protecting Children from Internet Pornographers Act”  should be called the  “Forcing Your Internet Provider to Spy On You Just In Case You’re a Criminal Act of 2011”.

Unfortunately, we are heading down the same path here in Canada with the proposed lawful access statute.

Proposed Internet Surveillance bill ill advised

Michael Geist has written a good article in the Ottawa Citizen disucssing why the proposed “lawful access” internet surveillance law should not be passed.

From teh article:

Lawful access raises genuine privacy and free speech concerns, particularly given the fact the government has never provided adequate evidence on the need for it, it has never been subject to committee review, and it would cost millions to implement yet there has been no disclosure on who would actually pay for it. Given this, it is not surprising that every privacy commissioner in Canada has signed a joint letter expressing their concerns.

Like David Fraser and Michael, I have ranted on this before.   I have a real problem with legislation that erodes privacy and requires ISP’s or others to retain information for the sole purpose of government access to it. And when that access is not tempered by the need for a warrant.

Issues include erosion of privacy, the potential for misuse of the information (intentionally, accidentally, or creeping uses) the costs of ISP’s to comply, and whether the measures will actually have any meaningful impact on crime.

Harper Government should consider NDP tech policies

That’s the title of my Slaw post for today.  It reads as follows.

For the record, I don’t support the NDP, and their fiscal policies are plain scary. But that doesn’t mean that their viewpoints on everything ought to be ignored. The NDP tech policies on issues such as net neutrality, usage based billing, and copyright are in many ways more compelling than the Conservative policies. Now that the Conservatives have a majority and don’t have to fight for their existence every day – lets hope they take a step back, take a deep breath, and take a fresh approach to tech issues.

The prosperous future of Canada is to a great extent dependant on the use of technology, the internet and wireless access, and all things digital. That is true for consumers, for business, and for innovators. It is important to have policies that foster that. That point will no doubt be made repeatedly at the Canada 3.0 Conference taking place today and tomorrow.

On the proposed lawful access bill for example. Either drop it all together, or take another serious look at it. Mr. Harper has said that the rights of ordinary citizens should be more valued than the rights of criminals. So recognize that individuals have privacy rights that ought to trump the ability for law enforcement to go on random warrant-less fishing expeditions into our digital lives. If that isn’t a good enough reason, recent data breaches should teach us that the easiest way to prevent a data breach is not to have the data in the first place. Don’t tempt fate by requiring service providers to retain information on customers that is not needed to provide their services. As well, requirements to retain data are in effect an additional tax on the tech sector.

Copyright reform has been a hot topic for years, with many controversial bills being drafted but never passed. One of the issues that concern many of us are provisions that support digital locks. Those provisions do more harm than good, and in essence turn copyright policymaking over to rights holders. There is also the appearance – reinforced by recent wikileaks documents – that too much consideration is being given to the pressures of foreign entertainment lobbies and governments. The NDP policy on copyright merits consideration when drafting the next bill, as it seems to take a more balanced made in Canada consumer friendly approach.