Tuesday, March 13, 2012

I Want to Believe

Not only is the universe stranger than we imagine, it is stranger than we can imagine.
Sir Arthur Eddington
English astronomer (1882 - 1944)
Sometimes you think you have everything figured out. Sometimes you're wrong. I got a phone call out of the blue a few days ago. It was my mother and it went something like this:
Mom: "I was wondering if you ever watched that TV show 'The X-Files'".
Me, hesitantly: "Ummm, sure. Like a hundred years ago. It's been off the air awhile..."
Mom: "Well I thought you did and that's what I told your Aunt Gloria when she dropped off these X-Files things. She just wanted someone to have them who would appreciate them."
Me, confused: "Ummm, okay? Aunt Gloria?"
Mom: "Oh yes, she was a huge fan of 'The X-Files'. It was her favourite show, you know. She collected these X-Files things."
Me, still confused: "I had no idea... so she collected things?"
Mom, almost chirpy now: "Oh she did! She's just cleaning out her closets and she had these things and so I said you probably watched that show, so you'd appreciate them. I have them here for you. There's a shirt and some books and some dolls..."
Me, totally weirded out: "You mean figurines? The TV characters?"
Mom, still chirpy: "Oh sure, but they're dolls. I call them dolls."
Me, thinking about eBay: "Okay, well, I'll pick them up next time I'm over..."
So my Aunt, in her late 60's, is an X-Files fan. She lives in the same town as I do and in all the years I've known her (like, all my life) we have never spoken of the X-Files. I have never heard her mention X-Files. Or aliens. Or ghosts. Or creatures in the sewers. I had no inkling that she was into sci-fi genre entertainment, let alone 'The X-Files'. I have never known her to watch much television, to be honest.
Truth be told, I did a little googling on the subject of X-Files figurines and had visions that maybe my Aunt's 'dolls' were the limited-edition 12" figurines that command a few hundred dollars apiece from collectors (not that I would have sold them). But, of course, they aren't. Hers - now mine - are the more pedestrian 6" figurines that might go for $15 out on eBay.
Still, I'm mystified and impressed. The truth is out there, and often surprising.

Saturday, March 10, 2012

On the Down-Low - Part 2

Part 1 of this discussion talked about one aspect of Canada's proposed Bill C-30: access to subscriber information. This is the information known by your ISP that links your Internet identity to your real identity, regardless of what you do on the Internet. In this installment, let's talk about another big concern arising out of C-30: access to your Internet usage or, as the Bill states, "enabling authorized persons to exercise their authority to intercept communications". And by authorized persons, C-30's definition casts a pretty wide net:
  • the Canadian Security Intelligence Service under the Canadian Security Intelligence Service Act
  • a police service, including any related to the enforcement of any laws of Canada, of a province or of a foreign jurisdiction
  • the Commissioner of Competition under the Competition Act
In the legislation, itself, interception is a really big topic involving all kinds of requirements for ISPs to manage their operations and all kinds of powers for the Government to exploit and direct those operations. Many of the requirements are silly or onerous on the ISPs, themselves, and Michael Geist's blog talks about these problems much more eloquently than I could. Suffice to say, C-30 in its current form is the very definition of Big Brother.

But what I want to concentrate on in this space is C-30's impact on you and me, the Customers of the ISPs and users of the Internet. When you hear the Media use terms like intercept, deep-packet inspection, and Internet tracking, what does this really mean?

Fundamentally, this is all an exercise in Internet eavesdropping. It's seeing a transcript of every website you visit, every Facebook post you make, every chat session you might have, every email you send or receive - everything you do on the Internet. This is scary stuff if you have an expectation of privacy.

Before we go any further, we need to balance off the scary stuff with some good intentions. The goal for C-30 is to provide better tools for law enforcement to do investigations in the Internet Age. On that point, I support the idea of C-30. In some ways, C-30 tries to formalize some practices that, today, are accomplished on a more voluntary basis between ISPs, the police, and the courts. That various Canadian police associations support C-30 is no surprise, because it will help them do their jobs more effectively. But C-30, in its current form, is a bit of a disaster (in my opinion) in that it solidly trumps the right to privacy and due process with the state's right to know. And while the police might appreciate C-30 as a tool, democracy is a messy business, unfortunately. I'm sure they would also find it useful to have a key to everyone's home as an investigative tool, but that ain't gonna happen, either.

Bill C-30 does provide a lovely opportunity to consider the larger topic of privacy on the Internet - whether it's the police or the bad guys who might be listening. So the real question remains: How can we preserve our expectation of electronic privacy when the barbarians seem to be climbing the gates?

Outside of any legal rights, the basic technical answers are obfuscation and encryption. Those, in themselves, are big, geeky topics full of really hard math that require very smart people to figure out all the details. But all you need to consider is that the best means to protect your Internet privacy is to hide what you're doing in a way that it cannot be discovered (or intercepted) by the wrong people. And the fundamental way to hide what you're doing is through encrypting what you're doing and hiding your identity.

The good news: There are a myriad of techniques and software products (many are free!) that will provide you with all the capabilities you need. The bad news: The more airtight you want your privacy, the more geek-savvy you'll need. But let's throw caution to the wind and see what shadows we can throw over our online activities.

Email is one tool that has many options for ensuring the bad guys will never gain access to the recipes you share with your sibling or the hundreds of Justin Bieber fan letters you write. Those options include:
  • Use plugin services for your email client software to encrypt your email with technology based on PGP (Pretty Good Privacy). The downside here is that your email recipients need to play this game, too.
  • Use a disposable email service such as Mailinator or Hushmail. These services use various techniques for keeping your email encrypted and seemingly anonymous.
Make sure that your important web browsing is encrypted and, therefore, unreadable by prying eyes. The standard for browser encryption is called SSL/TLS (Secure Sockets Layer/Transport Layer Security). Look at the URL you are accessing. If it starts with HTTPS, then your browser session is being encrypted. A great example is likely your bank's online banking site, which should be using encryption for all of your personal banking functions. Now if the URL starts with HTTP, there is no encryption happening. So if you land on a webpage that asks for personal information and you notice the URL starts with HTTP, you are not protected! Beyond your bank's online banking service, many popular websites offer, at least, the option of using SSL encryption:
  • Make sure your Facebook access is always SSL-encrypted.
  • Ditto if you hang out on Twitter.
  • If you use any of the popular free email services like Gmail, Hotmail, or Yahoo, they use SSL by default.
  • More and more websites are giving you the option to access their services using your social media identity. Yahoo mail, for example, will let you access their service using your Facebook or Google (Gmail) account information. While this may be convenient, you are also extending your identity across different websites and different sets of 'free' services - and this means your online activity is just a little more trackable!
With the possible exception of the disposable email services, all of these hints and tips are simply aimed at hiding the information you access online. SSL encryption makes sure that no one else can 'see' your banking information or your Facebook status, but this still leaves the question of hiding your Internet identity from your real identity (there's that subscriber information problem again!). So while it's good and useful that your Twitter feed is encrypted, your ISP still knows that your IP address is accessing the Twitter website. While no one can read your encrypted Tweets, they can still know that you - the REAL you - are a Twitter user.

If you're uncomfortable with the idea that your ISP (or someone else) can possibly know the websites you visit, then you can consider using TOR to give you total anonymity for all of your web browsing habits. The TOR website delves into the details, but the basic premise of this (free) service is to leverage a sort of Internet-within-an-Internet. Referred to as onion routing by the lonelier geeks among us, TOR is a series of encrypted 'tunnels' that traverse the public Internet and make it impossible for anyone to follow your web browsing activities. Rather than directly accessing www.twitter.com, for example, TOR would send your website request through these tunnels to strip away your true IP address and website destination. In the end, you get to go to Twitter and no one can follow you there.

Finally, let's talk about non-technical means to protect your Internet privacy. While there are lots of technical tools available to keep on the down-low, the complete solution needs to include education and legislation. To keep informed and get involved in the privacy debate, here are a few resources to consider:

OpenMedia is a grassroots organization dedicated to an open and affordable Internet as well as good digital policy for Canadians.

Electronic Frontier Foundation (EFF) is a sort of international flavour of OpenMedia, but with a wider mandate that adds free speech and consumer rights to the digital discussion.

And while I've mentioned him already, check out Michael Geist's blog. He is a law professor at the University of Ottawa and, arguably, Canada's premier analyst and commentator on issues in the digital realm.

Friday, March 02, 2012

On the Down-Low - Part 1

So I've been an IT Guy for almost 30 years and yet the vast majority of my friends are decidedly Non-IT Guys. That I don't socialize within my own caste is a subject for another day, but the significance here is that I end up doing tech support for my circle of friends and family. I don't actually mind, but I do find it almost wondrous that my friends in, say, the grocery business seldom offer quid pro quo in the form of free steaks. Admittedly, I'm often paid in bottles of Scotch for my efforts - and that ain't bad.

Back to the main point: A few of my friends have been asking me about Canada's proposed Bill C-30, which aims to update the capability for law enforcement agencies to monitor electronic communications (presumably with the intent of catching bad guys). The Canadian media has largely reported a simplistic view of C-30 as a means to eavesdrop on citizens' use of the Internet - tracking our emails, online chats, browsing history, etc. My friends have picked up on this, of course, which makes me wonder what illicit business they're mired in when I'm not around to remove viruses from their kids' PCs. This post is for them.

If you want some outstanding analysis of what C-30 means for Canada, Michael Geist's blog is where you need to be. But for the purposes of this discussion, there are only a few things you need to know:
  1. C-30 is incredibly flawed and has been pulled back to committees for re-work (thanks, in part, to people like Michael Geist).
  2. Notwithstanding its flaws, C-30 would not normally allow law enforcement to access your Internet usage details. Outside of the privacy concerns, this would be hugely impractical from a technical perspective. A more appropriate means to that end (provided for in C-30), would involve the Internet equivalent of a wire-tap to be placed on your Internet traffic - with a court order.
  3. C-30 would compel ISPs (Internet Service Providers) to hand over your subscriber information for the asking - without a court order.
Let's focus on this subscriber info stuff and pretend that you get your Internet service from Bell. Under C-30, Bell would be compelled to hand over your name, your address, your phone number, and your IP address to any law enforcement officer who asked. While perhaps not as damning as handing over the icky details around your fascination with LOLcat websites, this is very worrisome stuff.

When you access the Internet, you have an IP address assigned to you by your ISP. That IP address is like a fingerprint - no one else in the entire world has the same IP address as you do while you're accessing the Internet. It has various uses, but it basically ensures that your Internet traffic - be it web surfing or emailing or gaming or whatever - is managed separately from all other Internet traffic. Law enforcement cares about this precisely because it is a fingerprint, and fingerprints are useful things for solving crimes.

So here lies the problem. In the real world (outside the Internet), citizens in a democratic society do not normally provide their fingerprints to the authorities. And citizens are not compelled to do this outside of due process. Privacy is a right, even when you have nothing to hide. In the real world, the authorities investigate things, develop evidence, and can only invade a citizen's privacy when there is a clear, legal need to do so. Said another way, someone needs to be a suspect in a crime before they need to provide a fingerprint.

But under Bill C-30, this process gets somewhat reversed. Let's take a hypothetical example: You love your LOLcats and you post regularly on LOLcats forums under the pseudonym MoarCatsPleez. Using a pseudonym is smart because you don't want anyone knowing your real name on such a site, right? It just so happens that the LOLcats forum stamps each user's post with their IP address in addition to the current date and time. In a moment of weak judgement, you make a post that calls for the immediate euthanizing of all dogs to make more room in the world for cats. A Government Agent, a fellow cat lover with a higher tolerance for dogs, happens to read your post and grows alarmed at the laws that might be broken when militant LOLcats activists heed your cry and start hunting dogs. Under C-30, that Agent could simply ask your ISP for all the personal details attached to the IP address associated with your anti-dog post - i.e. who you are and where you live. While you were only joking about dog assassination, the wheels were set into motion to make your life problematic.

In that example, a more proper process would be for that Government Agent to take their concerns to a judge and argue for a court order to get access to your subscriber information. That approach, at least, ensures the Agent's concerns and evidence are solid enough before anyone's privacy - your privacy - was breached in the name of criminal investigation. This is one of C-30's basic flaws: lack of due process to protect Canadians' right to privacy. C-30 has numerous other flaws which, taken as a whole, give the government undue powers for investigating Canadian citizens without the messy details of evidence and due process.

So there's your primer on C-30, IP addresses, and why it all matters. But it's only part of the story. In an upcoming post, I'll talk about how you can protect your online privacy and anonymity while continuing to enjoy all that LOLcats has to offer.