How New Internet Spying Laws Will Actually ENABLE Stalkers, Spammers, Phishers And, Yes, Pedophiles & Terrorists

from the not-as-simple-as-you-might-think dept

There's proposed legislation in the US (sponsored by Lamar Smith) and in Canada (sponsored by Vic Toews) and in the UK that uses various flimsy justifications for the mass collection of data on telecommunications users. The data covered by these proposals varies, but includes things like URLs, phone calls, text/instant/email messages, and other forms of communication. Some of this proposed legislation deals with communication metadata, e.g., sender, recipient, time, etc.; some of it deals with communication content, e.g., the full text of messages.

I'm going to gloss over the specifics for two reasons: first, they've been covered exhaustively elsewhere, and second, I think it's an absolute certainty that whatever these proposals contain, the next ones will contain more.

The putative reasons given for these proposals are the usual Four Horseman of the Infocalypse: terrorists, pedophiles, drug dealers, and money launderers. One would think, given the hysteria being whipped up by the proponents of these bills, that one could hardly walk down the street without being offered raw heroin by a grenade-throwing child pornographer carrying currency from 19 different countries.

Of course, everyone who's actually studied terrorists, pedophiles, drug dealers and money launderers in the context of telecommunications knows full well that nothing in these bills will actually help deal with them. The very bad people who are seriously into these pursuits are not stupid, and they're not naive: they use firewalls, encryption, and tunneling. They use strong operating systems and robust application software. They use rigorous procedures guided by a strong sense of self-preservation and appropriate paranoia. They're not very likely to be caught by any of the measures in these bills because they'll (a) read the text and (b) evade the enumerated measures.

Yes, there are occasional exceptions: every now and then, a clueless newbie or a careless dilettante turns up when they're caught. And of course when that happens, there's always a press conference announcing the event, and many claims that it's a "major blow against crime" and a flood of self-congratulatory press releases. But it doesn't mean anything, except that someone was either stupid...or careless...or was set up.

The unpleasant reality that these bills are trying to avoid is that catching very bad people requires diligence, patience, expertise and intelligence, aka "competent police work." There's no substitute and there are no shortcuts. This means that these bills will achieve very few of their stated goals; that is, the benefit to society from them will be minimal, if any.

But what about the cost?

I don't mean the financial cost, although that will be high -- much higher than those proposing such legislation are prepared to admit; I mean the cost to society as a whole.

If such legislation passes, then everyone will know that every ISP is building a database -- a highly useful database for very bad people. It's the sort of thing that some very bad people have been trying to construct for years, often at considerable expense and effort. How very nice of someone else to build it for them, saving them the cost and trouble -- because they, and/or their agents, will of course target it for acquisition. And given the parade of security breaches and dataloss incidents we see on a daily basis, it's certain they'll get it. (My bet is that they'll get it before it's even finished. Any takers?)

There's an old military saying -- a bit of inter-service trash talk: "The Air Force builds weapons; the Navy builds targets".

Politicians who propose such measures appear to be thinking that they're building a weapon -- a weapon that law enforcement agencies can use to pursue people who've committed, or are suspected of committing, crimes. But they're not. They're building a target. They're building the mother lode for stalkers, pedophiles, spammers, identity thieves, child pornographers, blackmailers, extortionists, and yes -- terrorists. A Techdirt story just a few days ago gave some rather creepy examples of what Target's data mining can do...and they're just trying to sell you stuff. Imagine what very bad people are capable of, given far richer data and the rather obvious inclination to break the law at will.

What's worse than building a target? Telling everyone you're building a target. What's worse than telling everyone you're building a target? Telling everyone where it is. What's worse than telling everyone where it is? Telling them what's in it. Yet that's exactly what these bills would do: force the construction of a target, inform everyone that it exists, where it is, and what's in it.

I'm sure that the very bad people these bills allegedly target are delighted. I'll bet they're having a hard time not expressing their enthusiastic support. But my guess is that most of them will heed Napoleon's sage advice: "Never interrupt your enemy when he is making a mistake."

I'm not the only one who's observed that these databases are targets, not weapons. So has Ontario Information and Privacy Commissioner Ann Cavoukian:

"This is going to be like the Fort Knox of information that the hackers and the real bad guys will want to go after. This is going to be a gold mine. [...] The government will say that they can protect the data, and they can encrypt it. Are you kidding me? The bad guys are always one step ahead."

But this is not the worst of it -- that is, the certainty that very bad people will find ways to acquire these databases and to correlate them with each other and with still more databases isn't the endgame.

Particularly talented intruders will not only get it, they'll monitor it in real time. How do you feel about someone knowing where you bank, that you've made three phone calls to stores today, and that you have a Visa card with the following number that you just used from a hotel room 300 miles from home? How do you feel about the web browsing of your teenage daughter being observed by someone who's also reading her instant messages and listening to her VOIP calls, and has the IP address she's using in her college dorm room?

And even this is STILL not the worst of it. Given the rampant Internet and computer illiteracy that we see every day out of law enforcement, private investigators, journalists, and others around the world -- such as the clueless people behind these bills -- it's only going to be a short time until "the logs say X" becomes semantically equivalent in the vernacular to "X is true". And it is at that point that some of the more talented very bad people won't just acquire this data: they'll modify it.

Filed Under: canada, data retention, lamar smith, lawful access, uk, us, vic toews

'Lawful Access' Rhetoric Rings Hollow When The Facts Are Wrong

from the muddled-analogies dept

Ever since our Public Safety Minister made the infamous claim that his opponents were standing "with the child pornographers", support for Canada's proposed "lawful access" legislation—which would force ISPs to turn customer information over to police without a warrant, and install network surveillance equipment—has been characterized by two things: sensationalism and a lack of clarity. This is hardly surprising in a debate that opened with accusations of supporting child porn (a seeming corollary of Godwin's Law) and nowhere is it better exemplified than Lorna Dueck's tragically confused column in Friday's Globe and Mail.

[Full disclosure: I work for one of the Globe's main competitors, but not in an editorial capacity.]

Dueck makes the bizarre claim that what should be a discussion about protecting children was "transformed" into a debate about privacy, as though there is no room to consider both. She then attempts to brush off all concerns about the bill, claiming it is akin to driving your car:

The car is your private property and you know how to use it, but some people keep making the road dangerous. You appreciate the radar gun or spot checks at the side of the road, and you take down a licence-plate number when a driver needs to be reported. It's a public service that keeps us safe. That's how police see access to your IP address – it will help them to identify lawbreakers.

The metaphor fits for why Bill C-30 is applauded by those on the front lines of child protection. Like using a radar gun, hackers employed by the police have developed software that catches images of child sexual exploitation. It's illegal images that are being tracked. Police will take that digital evidence to ask who's trading this, and that leads to an IP address – the licence plate of your car, if you will.

Unfortunately, Dueck has things backwards. C-30 is not about making IP addresses more accessible. Although the text of the bill does include them as one of the pieces of information that ISPs must hand over without a warrant, that is rarely, if ever, how online investigations proceed. Rather, police monitor networks to collect IP addresses that are exchanging child pornography, then investigate those addresses. In a way, IP addresses already do work like license plates (including the fact that they are not enough to positively identify an individual user/driver).

Currently, only a warrant can compel an ISP to hand over information, but they can also choose to cooperate with police. There are conflicting accounts as to how this plays out: supporters of the bill (including some police) claim that criminals are going uncaught thanks to the difficulty of obtaining warrants, while opponents, like Ontario's Privacy Commissioner, claim that ISPs already comply with the vast majority of warrantless requests when child pornography is involved. The truth is probably somewhere in the middle.

Bill C-30 would force ISPs to hand over customer information without the warrant. Amusingly, Dueck's car analogy could have been more appropriate if she used it correctly, since the police do not need a warrant to trace a license plate back to its owner. But even this misses the key point that vehicles are publicly licensed by the government, while ISPs are private companies offering a service to private citizens. It's well-established that there is no right to drive anonymously, but C-30 legislates the end of anonymity online, and sets a disturbing precedent against the right to privacy when using any form of communication. Should the police be able to obtain customer information from printing shops without a warrant, just because some people distribute obscene or libelous flyers? That is a far more analogous question, and one that underlines the fundamental concept of privacy that C-30 violates.

We all want to prevent the exploitation of children, but the proposed methods for doing so would have unintended consequences, and that conversation can't be hidden behind emotionally charged rhetoric. An urgent goal does not justify a reckless solution—nor a reckless column that confuses the facts. Dueck calls the conflict over C-30 a "sideshow" and hopes to "elevate the debate", but in fact all she has done is join one of the existing sides—those who let the emotional resonance of child pornography override their sobriety, and believe that laudable motives excuse them from examining their methods or even understanding the details of the problem.

Filed Under: canada, child porn, internet, lawful access, spying, surveillance, vic toews

Vic Toews Apparently Not A Fan Of Others Seeing His Personal Data

from the is-he-for-child-porn? dept

You may recall that Canadian Minister of Public Safety Vic Toews announced Canada's "lawful access" (read: government monitoring of the internet) bill by saying that if you weren't in favor of the bill, you supported child porn. Over the weekend, he also seemed to admit that he didn't even understand the bill he was supporting.

That was pretty ridiculous, and a Twitter meme was developed in which lots of people shared info with Toews about things that were going on in their lives. Of course, it was only a matter of time until someone did the opposite... and started revealing info about Toews. Indeed, late last week, a Twitter account calling itself Vikileaks showed up on the scene... leaking info about things like Toews' divorce. After that created a lot of press attention and controversy, the anonymous person behind the account shut it down. However, Brendan noted that for a while it appeared to be blocked in Canada, but not elsewhere. He provided a screenshot from Canada where it says no such account exists, as well as one via a proxy which shows the account. If the user deleted the account, it's possible that it was a caching issue...

Either way, it appears that Toews is not at all happy that his own personal info is being shared. There were some claims that the account holder was accessing the account from within the Canadian House of Commons (something the user denied), leading Toews to demand an investigation into who was behind the account. Of course, as the report notes, it may be difficult to impossible to get any useful info, since all House of Commons traffic shows up as coming from one of just four IPs, so zeroing in on the particular user may not be possible.

But, no matter, Toews wants an investigation (at taxpayer expense). And who gets to investigate those who abuse Toews' lawful access proposal to access private info of citizens? Perhaps, rather than chasing down a ghost, Toews would be better served to think a little more seriously about the complaints people have raised about government over-surveillance.

Filed Under: canada, internet, lawful access, spying, surveillance, vic toews

Canadians Respond To Internet Spying Bill By 'Revealing All' To Politician Backing It

from the internet-memes-against-internet-regulation dept

We recently wrote about a new effort in Canada around "lawful access" (a nice way of saying internet spying by government). The really ridiculous part was that the Public Safety Minister pushing the bill, Vic Toews pulled out the ridiculous logical fallacy that anyone against the bill was "for child pornography." That, of course, is insane. But, because this is the internet, it responds as it does best, by creating a meme. Tons of people on Twitter are revealing all sorts of random information with Toews on Twitter using the hashtag #TellVicEverything. Apparently a bunch of people are leaving him voicemails as well. Watching the Twitter feed is fun, as you find out when people go to sleep, when they wake up and when they have trouble sleeping. Then there are some amusing confessional tweets, like the person who confesses using zucchini instead of meat in spaghetti sauce, or the person who admits to lying to a telemarketer when asked if he's "busy." Who knows if Toews will back down, but when you become a national joke, perhaps it's time to rethink your legislative strategy.

Filed Under: canada, legal access, monitoring, spying, vic toews

Canadian Politician: You're Either In Favor Of Letting The Gov't Spy On Your Internet Usage... Or You're For Child Pornography

from the kicking-puppies dept

Up in Canada, they're pushing for a new "lawful access" bill, which is basically a "government can spy on your internet usage" bill. Michael Geist has a full and complete run down about the new effort and why it's crazy. But, the insane part came out of the introduction when Public Safety Minister Vic Toews apparently told people: "You can stand with us, or you can stand with the child pornographers," according to Dale Smith, a journalist who was present. In other words, like Lamar Smith here in the US, he's trying to push through a widespread internet surveillance bill by hiding behind claims that those against it are somehow "for" child porn.

This is beyond ridiculous, and an incredibly cynical political move that assumes that people are stupid. These kinds of arguments may have worked in the past, but I'm increasingly skeptical that they'll continue to work in the future. More and more people are learning about the details of these kinds of bills, and making ridiculous claims and false dilemmas won't cut it, and only call more attention to the ridiculousness of what's actually in the bill.

And, thankfully, some of that pushback comes in the form of people openly mocking such ridiculous claims. Smith points to an amusing response from Lukas Neville: "You can stand with false dilemmas, or you can stand with kicking puppies." Count me in for kicking puppies.

Filed Under: canada, internet, lawful access, spying, surveillance, vic toews