For anyone who, in the capacity of supporting the passing of Bill C-30 by the Canadian federal government – a law that will allow police unfettered access to any individual’s electronic information like your browsing history, private emails, financial information, credit card numbers and personal contacts without any need for a warrant – wishes to know what that might be like, consider Anonymous’ public posting of private information to show the effect it can have on individuals subject to this legislation tabled by Minister of Public Safety Vic Toews. The Minister has assured Canadians that this information is really no different from what can be found in a phone book. I beg to differ and I think Anonymous reveals quite clearly how this is a lie and how such targeting of private information is damaging. I think this legislation is badly flawed and very dangerous.
Michael Geist, who holds the Canada Research Chair in Internet and e-commerce Law at the University of Ottawa, Faculty of Law, writes in the Ottawa Citizen,
The bill is badly in need of fixing: the oversight of surveillance capabilities remains underdeveloped, the costs associated with surveillance equipment is a giant question mark, and the fears of surveillance misuse based on the experience in other jurisdictions continues to cause concern.
I suspect Vic might now agree with that assessment but whether or not he can divert a majority government from passing this awful Bill remains to be seen.
Now we learn from the latest news that this Bill will cost Canadian taxpayers 80 million dollars to implement and an additional 7 million dollars a year. Not only do we have to pay for that start up expense as taxpayers when services are being cut elsewhere to address the federal deficit, but the ISPs will pass along any capital and staffing expenditures directly to their subscribers.That’s called adding insult to injury: we’re going to pay twice for police to invade our privacy! What could possibly go wrong?
tildeb
Questionable Motives 
This type of legislation fails even before it has begins – it has been invented by people who have no idea how technology really works.
Even if they could decrypt the traffic – which they cannot (trust me on this), who’s going to read it. If your bank can’t make accurate fraud assessments on your account (how many times have they called you to confirm a transaction) – they how can the government possibly automatically censor traffic.
AK47 for Sale…
Nuclear Bomb for sale…
Opps looks like some spooks somewhere are going to get a false positive…. from this comment.
Lets say the government can decrypt comment forms of internet traffic for example SSL or PGP mails, what are they going to do if I double or triple encrypt it. They would have to find a pattern in a pseudo-random sting that has been decrypted from another pseudo random string. What are they going to do if I write my own encryption algorithm – are they going to brute force my keys… hmm good luck with that. What if I choose to use a onetime pad to encrypt my data….. How about stenography, or deniable plausibility (hidden encrypted hard drives) – who is going to have the time to find that? What about The Onion Ring (ToR) and other similar projects?
The budget isn’t big enough, the performance of the network would be degraded to such an extent that it wouldn’t work – because decrypting data packets and inspecting them would make them latent.
Quite simply this is nonsense legislation, scare mongering – at best it the well meaningful trying to improve national security, in a very misguided way. At worst it is politicians creating a cottage industry to give their mates security companies a boost in sales.
If this bill gets passed, all that will really happen is the privacy of non-tech savvy will be eroded further, and the privacy of the tech savvy criminals will get tighter more covert and harder to detect.
Comment by misunderstoodranter — February 23, 2012 @ 3:20 pm |
The legislation is to make ISPs grant to police access to any targeted private data they wish. The scary part is that out of something like 28,000 requests already made by police without a warrant, the ISPs have met 100% of these requests. We actually need legislation to protect our privacy from the police!
Comment by tildeb — February 23, 2012 @ 4:17 pm |
I think you will find that most data privacy legislation will grant access to the police or a higher national security authority anyway – data privacy doesn’t apply to those suspected of criminal activity, and neither do warrants either (under some circumstances).
If the police want to legally intercept your internet traffic they can do already – they don’t need the ISP’s permission. Government listening posts and taps have been in position since telecommunications were invented, some of these posts listen your traffic at aggregation points in the infrastructure anyway. The requirement to have a warrant is just bureaucracy to pacify the public and to maintain the illusion that we live in a free and democratic society.
The type of legislation that your post refers to is about getting the ISPs to do the crunching and filtering that is needed to be able to target individuals in the first place. [I think this is more about making money for someone than anything to do with privacy or security].
However, my objection to this type of legislation is based on the need for the majority to have a private life. As soon as the ISP gets involved directly as a part of the function of delivering telecommunications, it will involve the routine and automated scanning and profiling of traffic, which will degrade everyone’s privacy. Luckily for us, the ability to scan internet traffic on mass is ‘currently’ not practicable [but it may not always be that way] – the volumes are enormous, and are increasing year on year.
I really don’t care that the police can intercept my traffic directly (good luck to them if they can decrypt it!) – what I am concerned about though is the automatic scanning and profiling of internet traffic. As this has the potential to go very wrong.
What would happen if the system that is used for targeting individuals that was ordered to be put into operation by the telecommunications industry by the government was itself compromised – and profiling data was leaked or stolen for malicious purposes?
The ability to target data either on the wire, or at rest is almost pointless anyway, because the really serious hard core criminals will use security practices that will prevent eavesdropping anyway. So really this legislation is about ‘buying’ kit from someone, for the purposes of enforcing legal intercept (which can be done already if need be) and is likely to be utterly useless anyway.
[apologies for the typos in the last comment I left… I was in a rush…]
Comment by misunderstoodranter — February 25, 2012 @ 3:26 pm |
The ability to target data either on the wire, or at rest is almost pointless anyway, because the really serious hard core criminals will use security practices that will prevent eavesdropping anyway.
That’s assuming that the enemy is competent.
In real life, the enemy can make the most childishly silly security decisions. The Imperial Japanese Navy did it during WW2, Russian generals did it in WW1 and the Taliban and Iraqi forces would leave unencrypted hard drives just lying around. People who should know better leave the metaphorical back door open all the time.
A good spy novel will always make gathering information seem like a game of chess where cunning and sophisticated technology are needed to even begin to crack the case. It’s what the general pubic expects. Yet elementary, low tech investigation can deliver the goods.
Many times in movies, I see the Mafia boss bring out some geek with a bug detector to sweep the room before he reveals his cunning plan. Yet there are real life situations where the FBI (for example) has a bug in a regular Mafia haunt collecting valuable information that will put important people away for a long time – and nary a geek to be seen.
Dizzying levels of Incompetence can happen to any organization.
A cheap, half-baked, understaffed, amateurish intel gathering operation can take advantage of such incompetence.
We have morons, they have morons too. 😉
Comment by Cedric Katesby — February 26, 2012 @ 11:56 am |
Not that I support the idea of police being allowed to snoop unfettered or anything like that. Heck no.
Comment by Cedric Katesby — February 26, 2012 @ 11:59 am |
“In real life, the enemy can make the most childishly silly security decisions.”
In real life, we all use encryption daily without realizing it – when was the last time you opened a packet analyzer, and checked that the data packets leaving your home network over TLS were in fact encrypted – and encrypted to the right level, using a certificate from a trusted source? Or when was the last time someone sent you and encrypted ZIP file or PGP message?
My point is that security is an arms race – it is fast becoming a commodity, and something as easy to implement as TLS or PGP can make something that was once easy to intercept and eavesdrop to something that requires a lot of effort or high risk of detection.
We have taken for granted the last couple of decades, data encryption used to be something that military did; now we all do it – and we all have the ability and tools to do it. We switch it on and off daily without understanding it or having to think about it very much.
This is why this legislation is naïve as well as unnecessary.
Comment by misunderstoodranter — March 4, 2012 @ 4:09 pm |
This type of legislation fails even before it has begins – it has been invented by people who have no idea how technology really works.
(…Sticks hand up…)
In real life, we all use encryption daily without realizing it…
Are you saying that “the government” can’t read my emails (for example) without a lot of effort or high risk of detection? I always assumed that it was very easy. That’s why I never write anything I would consider incriminating.
Comment by Cedric Katesby — March 6, 2012 @ 6:33 am |
It is extremely easy to read any internet traffic that is not encrypted – which is why when you use your credit card online it is important to ensure that the site you are using has been enabled with encryption (https). However, as soon as you encrypt your traffic, it becomes very difficult to filter it, and decode it – which is my point. If it was easy to decode encrypted messages – internet commerce would stop. So the government is stuck between a rock and hard place.
If the government starts profiling (using systems that invoke filters on key words or phrases) they will be faced with four major challenges:
1) False positives (AK47 for sale anyone – opps another spook just got an alarm)
2) Consumer paranoia leading to more people encrypting
3) The inability to profile traffic based on the fact it is encrypted
4) The security of the profiling data they collect.
Once you encrypt data, you have to use cryptanalysis to able to decipher it, the cryptanalysis would need to:
a)Identify the algorithm that is used to encrypt the data with (that might not be that hard if you catch the negotiation stages of a communication) but it would be really hard if you had no idea how it was encrypted to begin with – because all you have to analyse is what looks like random junk.
b)The key that is used by the encryption algorithm to both encrypt and decrypt the messages sent – this again is very hard to do, and requires a huge amount of computing resource for just one message, let alone millions.
Most encrypted transmissions are broken at source or destination – where keys that are used to decipher the messages are vulnerable if they are poorly protected. A few other types of attack focus on the attacker having some idea of what the key might be (a guess) or an idea of what the plain text was before it was encrypted (known plaintext attack).
What people forget is that the traffic on the internet is massive – looking for a particular message is like trying to find a needle in a stack of needles – adding encryption to the mix makes this search incredibly expensive.
Unfortunately governments don’t like this – which is why they tried to ban or restrict the export of some encryption products. But the cat is out of the bag now – and encryption is such a fundamental part of the infrastructure of the net that preventing its use would be almost impossible.
But more fundamentally, I can right now with a handful of freely accessible utilities send messages to you that the government could spend years trying to break into only to find that I was sharing some trivial piece of knowledge with you…. It just isn’t worth the effort.
ISPs just pass traffic around – so if you and me set up and SSL encrypted tunnel between us we can message each other freely, knowing that the ISP cannot read the messages – this is because the maths that encode the messages are located at the end points… they do not belong to the ISP. The only way the ISP could decrypt it would be if we had to share our encrypting secrets with the ISP as part of some law. But even then, I can encrypt a message and put that inside another encrypted message and so on.
Laws like this are wishful thinking…. Dreamt up by the misunderstanding of how the internet works, and how it is (not) governed.
Comment by misunderstoodranter — March 6, 2012 @ 4:32 pm |
That was very informative. Most of it was completely new to me. Thanks.
However, as soon as you encrypt your traffic, it becomes very difficult to filter it, and decode it – which is my point.
Point taken. I only wanted to mention that the “bad guy” sometimes fails to take even this elementary step. Should that happen, then a snoop could take advantage of such a mistake. Yet if there is no group out there doing this then the opportunity is lost.
If the government starts profiling…
I agree. For the reasons you gave, profiling wouldn’t work. I was thinking more about targeted monitoring of known suspects. Yet such monitoring has certain physical limits.
Even if they could decrypt the traffic – which they cannot (trust me on this), who’s going to read it.
This, for me at least, is the most important problem. Sifting through data with a real pair of eyes takes manpower and time. The sheer volume of data out there to be gathered simply screams out for a filtering system. The same issue pops up with drone surveillance. Lots of video footage, lots of potential skullduggery caught on tape but unless somebody watches it and says “Hey, we have a live one” then the feed might as well never have been set up in the first place for all the good it will do.
After the Tube bombings in London, there was a court case (IIRC) where domestic intelligence had to justify their actions not to follow up on a suspicious group that was, in fact, going through with a terrorist action. They had the names, the licence plates, had them tailed and even had cell phone conversations recorded. The pieces were all there (looking back with 20/20 hindsight) but they stopped following them due to budget and manpower concerns. At the time, it was decided that there were bigger fish to fry. One of the striking things that came out of it all was that, in order to put a tail on a suspect and keep it there for 24hrs a day, it took a team of about sixty people to maintain. Hollywood makes it seem so easy and cheap in comparison.
Comment by Cedric Katesby — March 7, 2012 @ 1:08 am |
“That was very informative. Most of it was completely new to me. Thanks.”
No worries… if you have an interest have a look at the books and articles written by “Bruce Schneier” he is a very strong critical thinker on all things security… for more advanced security have a good read of “Ross Anderson’s” book titled “Security Engineering”
Comment by misunderstoodranter — March 7, 2012 @ 4:15 pm |
It’s happening here as well: http://www.bbc.co.uk/news/uk-politics-17576745
Comment by misunderstoodranter — April 1, 2012 @ 3:29 pm |