Friday, March 02, 2012

On the Down-Low - Part 1

So I've been an IT Guy for almost 30 years and yet the vast majority of my friends are decidedly Non-IT Guys. That I don't socialize within my own caste is a subject for another day, but the significance here is that I end up doing tech support for my circle of friends and family. I don't actually mind, but I do find it almost wondrous that my friends in, say, the grocery business seldom offer quid pro quo in the form of free steaks. Admittedly, I'm often paid in bottles of Scotch for my efforts - and that ain't bad.

Back to the main point: A few of my friends have been asking me about Canada's proposed Bill C-30, which aims to update the capability for law enforcement agencies to monitor electronic communications (presumably with the intent of catching bad guys). The Canadian media has largely reported a simplistic view of C-30 as a means to eavesdrop on citizens' use of the Internet - tracking our emails, online chats, browsing history, etc. My friends have picked up on this, of course, which makes me wonder what illicit business they're mired in when I'm not around to remove viruses from their kids' PCs. This post is for them.

If you want some outstanding analysis of what C-30 means for Canada, Michael Geist's blog is where you need to be. But for the purposes of this discussion, there are only a few things you need to know:
  1. C-30 is incredibly flawed and has been pulled back to committees for re-work (thanks, in part, to people like Michael Geist).
  2. Notwithstanding its flaws, C-30 would not normally allow law enforcement to access your Internet usage details. Outside of the privacy concerns, this would be hugely impractical from a technical perspective. A more appropriate means to that end (provided for in C-30) would involve placing the Internet equivalent of a wire-tap on your Internet traffic - with a court order.
  3. C-30 would compel ISPs (Internet Service Providers) to hand over your subscriber information for the asking - without a court order.

Let's focus on this subscriber info stuff and pretend that you get your Internet service from Bell. Under C-30, Bell would be compelled to hand over your name, your address, your phone number, and your IP address to any law enforcement officer who asked. While perhaps not as damning as handing over the icky details around your fascination with LOLcat websites, this is very worrisome stuff.

When you access the Internet, you have an IP address assigned to you by your ISP. That IP address is like a fingerprint - no one else in the entire world has the same IP address as you do while you're accessing the Internet. It has various uses, but it basically ensures that your Internet traffic - be it web surfing or emailing or gaming or whatever - is managed separately from all other Internet traffic. Law enforcement cares about this precisely because it is a fingerprint, and fingerprints are useful things for solving crimes.

So here lies the problem. In the real world (outside the Internet), citizens in a democratic society do not normally provide their fingerprints to the authorities. And citizens are not compelled to do this outside of due process. Privacy is a right, even when you have nothing to hide. In the real world, the authorities investigate things, develop evidence, and can only invade a citizen's privacy when there is a clear, legal need to do so. Said another way, someone needs to be a suspect in a crime before they need to provide a fingerprint.

But under Bill C-30, this process gets somewhat reversed. Let's take a hypothetical example: You love your LOLcats and you post regularly on LOLcats forums under the pseudonym MoarCatsPleez. Using a pseudonym is smart because you don't want anyone knowing your real name on such a site, right? It just so happens that the LOLcats forum stamps each user's post with their IP address in addition to the current date and time. In a moment of weak judgement, you make a post that calls for the immediate euthanizing of all dogs to make more room in the world for cats. A Government Agent, a fellow cat lover with a higher tolerance for dogs, happens to read your post and grows alarmed at the laws that might be broken when militant LOLcats activists heed your cry and start hunting dogs. Under C-30, that Agent could simply ask your ISP for all the personal details attached to the IP address associated with your anti-dog post - i.e. who you are and where you live. While you were only joking about dog assassination, the wheels were set into motion to make your life problematic.

In that example, a more proper process would be for that Government Agent to take their concerns to a judge and argue for a court order to get access to your subscriber information. That approach, at least, ensures the Agent's concerns and evidence are solid enough before anyone's privacy - your privacy - is breached in the name of criminal investigation. This is one of C-30's basic flaws: lack of due process to protect Canadians' right to privacy. C-30 has numerous other flaws which, taken as a whole, give the government undue powers for investigating Canadian citizens without the messy details of evidence and due process.

So there's your primer on C-30, IP addresses, and why it all matters. But it's only part of the story. In an upcoming post, I'll talk about how you can protect your online privacy and anonymity while continuing to enjoy all that LOLcats has to offer.


Gmossiipedia said...

This seems strikingly similar to the SOPA crap and the other things rolling around on the Congress floor. The wording is a little different but it's the government spying on you on the behalf of its corporate backers.

I think that the biggest problem with all of these bills is that they are too vague. Whenever you deal with free speech, things like vagueness and specifics are a blessing and a curse.

In the end, all the bills, since they will go through eventually, should focus on catching the big fish; like Kim Dotcom, if he is guilty. Do not focus on the every man. Once you start going after the every man, you just created a new, unwinnable war that will cost billions with little to no results.

Crazylegs said...

You're right, Gmossii, C-30 is very much like SOPA (or at least some aspects of SOPA). Basically, every odious piece of Canadian legislation aimed at controlling the Internet and its content will have a doppelganger in the U.S. (and vice versa).

I agree that the goal has to be catching the Big Fish. Going after the little guys (hello MPAA!) costs us too much for too little. And the smart guys, typically the Big Fish, will always find a way to win when we apply old concepts of security and copyright to New Media.