Liquidmatrix Security Digest

Security and the Common Carrier

EDIT: This ended up way longer than I thought it would. Please feel free to go below the fold if you’re interested in a very long rant from me.

There’s an astoundingly dumb private member’s bill – wait – there are several astoundingly dumb private members’ bills before the Canadian House of Commons.

The one that I’m cranked about today is discussed in a great piece at Michael Geist’s site – C-427 – The Clean Internet Act.

The bill itself includes (and I am not making this up):

  • an ISP licensing system to be administered by the CRTC that is defined so broadly that it would seemingly capture anyone offering a wifi connection
  • a “know your subscriber” requirement where ISPs would be required to deny service to past offenders (though the ISP would escape liability if upon learning of an offending customer, it terminated service and notified the Minister of Industry)
  • a new power that would allow the Minister of Industry to order an ISP to block access to content that promotes violence against women, promotes hatred, or contains child pornography. ISPs that fail to block face possible jail time for the company’s directors and officers.
  • the Minister of Industry can prescribe special powers to facilitate searches of electronic data systems (ie. lawful access)

You’ll find that in the past, we’ve all been cranked over C-416 – The Modernization of Investigative Techniques Act – which I apparently haven’t written anything about. I’ll let Michael Geist weigh in again with his article “Liberals Try To Resuscitate Big Brother Plan for the Internet”:

Last introduced by the Liberals in the fall of 2005, MITA mandates the installation of new surveillance technologies within Canadian networks along with additional legal powers to access surveillance and subscriber information. Often referred to as the “lawful access” initiative, the legislation would compel Internet service providers to install new interception capabilities as they upgrade their networks. The country’s major ISPs, who provide service to the majority of Canadians, would eventually be capable of intercepting data and isolating specific subscribers.

Among the most troubling aspects of Bill C-416 is a series of new powers that are not accompanied by any judicial oversight. Law enforcement authorities, including the police, CSIS agents, and even Competition Bureau authorities, will have the right to obtain ISP subscriber information simply upon request without a warrant.

My frustration is really with the notion of the common carrier and the disrespect that some western powers (ahem UK and USA) have for their own citizenry.

You see, we need the common carrier in order to function as a society. The common carrier concept is represented most easily by the domestic postal service — you can send pretty much anything from point to point domestically without the carrier having to know what’s inside. Of course this has potential misuse problems — I don’t want to think about the number of ‘bad things’ (bad being defined as contrary to Criminal Code) which are handled daily by Canada Post. But it also has upsides — I can send something reasonably confidential from point A to point B without having to concern myself that the government or other “interested” parties are going to be having a peek at it. If they need to have a look at my mail, they get a warrant and my mail gets searched the same way my house does. This is the way things are supposed to work. It’s a balance between privacy and the legitimate needs of law enforcement. Without the common carrier – and untraceable funds transfer – you NEED to have a dictatorship with a brutally repressive national police force and jackboots. You can’t get one without the other.

What these turkeys (one from each side of the floor) are trying to do is to toss the common carrier concept on its head as it relates to the Internet — simply because the Internet is new and different and they can’t seem to wrap their heads around the notion that the Internet is a communications medium that has commonality with all of the physical point-to-point (face to face) and point-to-multipoint (postal mail) as well as the electronic point-to-point (telephony) and point-to-multipoint (broadcasting) communications methods. It doesn’t require new laws, only the adaptation of existing laws to new circumstance. Manslaughter is manslaughter, whether achieved with a club fashioned from the femur of a mastodon or with a technological contrivance such as a gun. All you need is the presence of mind to actually see that one of these things is so damn similar to the other that you can just apply an old law. Identity theft on the Internet is only different from con-artist fraud in scale – not in scope, not in investigation and not in enforcement – and scale can be managed without writing new law.

How does all of this relate to security?

Simple really — the harder governments work to restrict the ability of security folks to provide their businesses with confidentiality, the harder it is to operate a business which is able to effectively comply with the regulators appointed by those self-same governments. It’s governmental policy conflict at its finest.

Here’s a test case to consider…

I work at a Canadian company which does happen to handle Personally Identifiable Information. Under certain federal Acts, I’m required to inform my users when their data is lost, stolen, compromised or subpoenaed.

I find myself in the position of wanting to use an outsourcer for some function which will require that the outsourcer maintain some of my customer’s data at their location – which is in the USA.

I can’t permit this to happen.

Because the USA PATRIOT Act has a “no notification” secret subpoena / warrantless search provision which places me in the position of having no confidence that my customer’s data has not been viewed, seized or otherwise handled by an unauthorized (from my perspective) organization. It’s like a Schrödinger’s box where all of the quantum states of the cat result in my cat having an “opened by the US Government” sticker which disappears upon entry into my frame of reference – I can’t know if the sticker was there or not.

In this case, have I ensured the confidentiality of the data that I was entrusted with? Nope. Not even a little bit. YET THIS CASE STUDY HAPPENS TO PIPEDA PROTECTED DATA EVERY SINGLE DAY.

What kind of government do you want? And more importantly — how can we as a society ensure a balance between privacy and the legitimate needs of law enforcement?

I hope you’ll comment, but feel free to stomp me with the jackboots. It’s a Friday after all.

[tags]c416, c427, USA PATRIOT, PIPEDA, ranting[/tags]
