Saturday, March 10, 2012

On the Down-Low - Part 2

Part 1 of this discussion talked about one aspect of Canada's proposed Bill C-30: access to subscriber information. This is the information known by your ISP that links your Internet identity to your real identity, regardless of what you do on the Internet. In this installment, let's talk about another big concern arising out of C-30: access to your Internet usage or, as the Bill states, "enabling authorized persons to exercise their authority to intercept communications". And by authorized persons, C-30's definition casts a pretty wide net:
  • the Canadian Security Intelligence Service under the Canadian Security Intelligence Service Act
  • a police service, including any related to the enforcement of any laws of Canada, of a province or of a foreign jurisdiction
  • the Commissioner of Competition under the Competition Act
In the legislation, itself, interception is a really big topic involving all kinds of requirements for ISPs to manage their operations and all kinds of powers for the Government to exploit and direct those operations. Many of the requirements are silly or onerous on the ISPs, themselves, and Michael Geist's blog talks about these problems much more eloquently than I could. Suffice to say, C-30 in its current form is the very definition of Big Brother.

But what I want to concentrate on in this space is C-30's impact on you and me, the customers of the ISPs and users of the Internet. When you hear the media use terms like intercept, deep-packet inspection, and Internet tracking, what does this really mean?

Fundamentally, this is all an exercise in Internet eavesdropping. It's seeing a transcript of every website you visit, every Facebook post you make, every chat session you might have, every email you send or receive - everything you do on the Internet. This is scary stuff if you have an expectation of privacy.

Before we go any further, we need to balance off the scary stuff with some good intentions. The goal for C-30 is to provide better tools for law enforcement to do investigations in the Internet Age. On that point, I support the idea of C-30. In some ways, C-30 tries to formalize some practises that, today, are accomplished on a more voluntary basis between ISPs, the police, and the courts. That various Canadian police associations support C-30 is no surprise, because it will help them do their jobs more effectively. But C-30, in its current form, is a bit of a disaster (in my opinion) in that it solidly trumps the right to privacy and due process with the state's right to know. And while the police might appreciate C-30 as a tool, democracy is a messy business, unfortunately. I'm sure they would also find it useful to have a key to everyone's home as an investigative tool, but that ain't gonna happen, either.

Bill C-30 does provide a lovely opportunity to consider the larger topic of privacy on the Internet - whether it's the police or the bad guys who might be listening. So the real question remains: How can we preserve our expectation of electronic privacy when the barbarians seem to be climbing the gates?

Outside of any legal rights, the basic technical answers are obfuscation and encryption. Those, in themselves, are big, geeky topics full of really hard math that require very smart people to figure out all the details. But all you need to consider is that the best means to protect your Internet privacy is to hide what you're doing in a way that it cannot be discovered (or intercepted) by the wrong people. And the fundamental way to hide what you're doing is through encrypting what you're doing and hiding your identity.

The good news: There are a myriad of techniques and software products (many are free!) that will provide you with all the capabilities you need. The bad news: The more airtight you want your privacy, the more geek-savvy you'll need. But let's throw caution to the wind and see what shadows we can throw over our online activities.

Email is one tool that has many options for ensuring the bad guys will never gain access to the recipes you share with your sibling or the hundreds of Justin Bieber fan letters you write. Those options include:
  • Use plugin services for your email client software to encrypt your email with technology based on PGP (Pretty Good Privacy). The downside here is that your email recipients need to play this game, too.
  • Use a disposable email service such as Mailinator or Hushmail. These services use various techniques for keeping your email encrypted and seemingly anonymous.
Make sure that your important web browsing is encrypted and, therefore, unreadable by prying eyes. The standard for browser encryption is called SSL/TLS (Secure Sockets Layer/Transport Layer Security). Look at the URL you are accessing. If it starts with HTTPS, then your browser session is being encrypted. A great example is likely your bank's online banking site, which should be using encryption for all of your personal banking functions. Now if the URL starts with HTTP, there is no encryption happening. So if you land on a webpage that asks for personal information and you notice the URL starts with HTTP, you are not protected! Beyond your bank's online banking service, many popular websites offer, at least, the option of using SSL encryption:
  • Make sure your Facebook access is always SSL-encrypted.
  • Ditto if you hang out on Twitter.
  • If you use any of the popular free email services like Gmail, Hotmail, or Yahoo, they use SSL by default.
  • More and more websites are giving you the option to access their services using your social media identity. Yahoo mail, for example, will let you access their service using your Facebook or Google (Gmail) account information. While this may be convenient, you are also extending your identity across different websites and different sets of 'free' services - and this means your online activity is just a little more trackable!
With the possible exception of the disposable email services, all of these hints and tips are simply aimed at hiding the information you access online. SSL encryption makes sure that no one else can 'see' your banking information or your Facebook status, but this still leaves the question of hiding your Internet identity from your real identity (there's that subscriber information problem again!). So while it's good and useful that your Twitter feed is encrypted, your ISP still knows that your IP address is accessing the Twitter website. While no one can read your encrypted Tweets, they can still know that you - the REAL you - are a Twitter user.

If you're uncomfortable with the idea that your ISP (or someone else) can possibly know the websites you visit, then you can consider using TOR to give you total anonymity for all of your web browsing habits. While the TOR website delves into the details, the basic premise of this (free) service is to leverage a sort of Internet-within-an-Internet. Referred to as onion routing by the lonelier geeks among us, TOR is a series of encrypted 'tunnels' that traverse the public Internet and make it impossible for anyone to follow your web browsing activities. Rather than accessing a website directly, TOR would send your website request through these tunnels to strip away your true IP address and website destination. In the end, you get to go to Twitter and no one can follow you there.

Finally, let's talk about non-technical means to protect your Internet privacy. While there are lots of technical tools available to keep on the down-low, the complete solution needs to include education and legislation. To keep informed and get involved in the privacy debate, here are a few resources to consider:

OpenMedia is a grassroots organization dedicated to an open and affordable Internet as well as good digital policy for Canadians.

Electronic Frontier Foundation (EFF) is a sort of international flavour of OpenMedia, but with a wider mandate that adds free speech and consumer rights to the digital discussion.

And while I've mentioned him already, check out Michael Geist's blog. He is a law professor at the University of Ottawa and, arguably, Canada's premier analyst and commentator on issues in the digital realm.
