Back to the main point: A few of my friends have been asking me about Canada's proposed Bill C-30, which aims to update the capability for law enforcement agencies to monitor electronic communications (presumably with the intent of catching bad guys). The Canadian media has largely reported a simplistic view of C-30 as a means to eavesdrop on citizens' use of the Internet - tracking our emails, online chats, browsing history, etc. My friends have picked up on this, of course, which makes me wonder what illicit business they're mired in when I'm not around to remove viruses from their kids' PCs. This post is for them.
If you want some outstanding analysis of what C-30 means for Canada, Michael Geist's blog is where you need to be. But for the purposes of this discussion, there are only a few things you need to know:
- C-30 is incredibly flawed and has been pulled back to committees for re-work (thanks, in part, to people like Michael Geist).
- Notwithstanding its flaws, C-30 would not normally allow law enforcement to access your Internet usage details. Outside of the privacy concerns, this would be hugely impractical from a technical perspective. A more appropriate means to that end (provided for in C-30), would involve the Internet equivalent of a wire-tap to be placed on your Internet traffic - with a court order.
- C-30 would compel ISPs (Internet Service Providers) to hand over your subscriber information for the asking - without a court order.
When you access the Internet, you have an IP address assigned to you by your ISP. That IP address is like a fingerprint - no one else in the entire world has the same IP address as you do while you're accessing the Internet. It has various uses, but it basically ensures that your Internet traffic - be it web surfing or emailing or gaming or whatever - is managed separately from all other Internet traffic. Law enforcement cares about this precisely because it is a fingerprint, and fingerprints are useful things for solving crimes.
So here lies the problem. In the real world (outside the Internet), citizens in a democratic society do not normally provide their fingerprints to the authorities. And citizens are not compelled to do this outside of due process. Privacy is a right, even when you have nothing to hide. In the real world, the authorities investigate things, develop evidence, and can only invade a citizen's privacy when there is a clear, legal need to do so. Said another way, someone needs to be a suspect in a crime before they need to provide a fingerprint.
But under Bill C-30, this process gets somewhat reversed. Let's take a hypothetical example: You love your LOLcats and you post regularly on LOLcats forums under the pseudonym MoarCatsPleez. Using a pseudonym is smart because you don't want anyone knowing your real name on such a site, right? It just so happens that the LOLcats forum stamps each user's post with their IP address in addition to the current date and time. In a moment of weak judgement, you make a post that calls for the immediate euthanizing of all dogs to make more room in the world for cats. A Government Agent, a fellow cat lover with a higher tolerance for dogs, happens to read your post and grows alarmed at the laws that might be broken when militant LOLcats activists heed your cry and start hunting dogs. Under C-30, that Agent could simply ask your ISP for all the personal details attached to the IP address associated with your anti-dog post - i.e. who you are and where you live. While you were only joking about dog assassination, the wheels were set into motion to make your life problematic.
In that example, a more proper process would be for that Government Agent to take their concerns to a judge and argue for a court order to get access to your subscriber information. That approach, at least, ensures the Agent's concerns and evidence are solid enough before anyone's privacy - your privacy - was breached in the name of criminal investigation. This is one of C-30's basic flaws: lack of due process to protect Canadians' right to privacy. C-30 has numerous other flaws which, taken as a whole, gives the government undue powers for investigating Canadian citizens without the messy details of evidence and due process.
So there's your primer on C-30, IP addresses, and why it all matters. But it's only part of the story. In an upcoming post, I'll talk about how you can protect your online privacy and anonymity while continuing to enjoy all that LOLcats has to offer.