Thursday, December 10, 2009

Telco and ISP snooping? Don't hate the player, hate the game

The 'net and twitter have been all abuzz this past week with revelations about telco and ISP cooperation with law enforcement. We've seen Wikileaks post the internal policies of MySpace and Cryptome's posting of Yahoo!'s internal policies.

Blame for this appears to be laid at the feet of the service providers.

I'm all in favour of privacy and completely in favour of government restraint. I'm even more keen on court oversight and requirements that warrants be produced in order for cops and national security types to get access to customer information. I'm also in favour of transparently and accountability. But I haven't seen much nuance in any of the online discussion of this topic. Perhaps that's just the analytical limitations of twitter and the general tone of much of the blogosphere.

Two important issues are being missed. First: just about any time you interact with any business these days, a data trail of some sort is left. If you buy a book using any credit or debit card, there's a record that can connect that purchase to you. If you check out a book from the library, there's a record. If you use a transponder-based tolling system, there's a record of where you were, when and maybe where you are going. If you use any loyalty program to collect points on your purchases, there's an even denser data trail. Your mobile phone provider knows where you phone is at all times and who you have called. This is not unique to online companies. It's simply the reality of our digital lives. Some information collection or retention may be gratuitous, but more often than not it is essential to provide the service that users are asking for. It is not unreasonable, however, to question how much information is collected and how long it is retained. Fair information practices demand that service providers only collect the amount of information necessary to provide the service and that they keep it for only as long as they need to in order to provide the service.

The second, and more important, issue: love it or loathe it, it is the law. If a third party has information about you, the government can get access to it with a court order, a warrant or a subpoena. The third party can sometimes go to court to challenge the legality of the request, but it seldom has enough information to do so. And in many cases, it really has no ability to do so. The fact is, if there is a lawful demand for information, the service provider has to comply or face criminal sanctions itself.

And that's not just unique to the US and the USA Patriot Act. In Canada, take a look at the Anti-Terrorism Act, the Criminal Code, the Canadian Security Intelligence Service Act or the National Defence Act. European democracies have similar rules, too. These companies are generally following their legal obligations. If you have a problem with that, energies and outrage might be more usefully channelled to changing those laws.

ISPs and telcos may influence the laws, but they generally don't make they rules they have to abide by. In short: don't hate the player, hate the game.


Peter J. Hillier, CD, CISSP said...

You can't compare what's happening in the US (and the history of how lawful access and the patriot acts evolved) to what's happening in Canada. Fact is, the TSP's have said no to the first two iterations of the legislation, which both died due to changes in Government. Now the Crown separated TALEA as an appropriation bill to demonstrate there is money on the table. All of a sudden the TSPs are on board, so you can blame the players!

Anonymous said...

Any reason why in your artcile as you reference documents that we should "Check out" that you didn't link?

privacylawyer said...

Thanks for pointing that out, Anon. They are now linked.

Steve Meltzer said...

"Hate the game" or change the game? The Google CEO recently was quoted as saying "if you have something you don’t want anyone to know, maybe you shouldn’t be doing it". Essentially, you are saying the same thing. Don't hate Google (or in your post the Telcoms) hate the fact that you are, by engaging the services through use of technology, acquiescing in to the game. Perhaps there is a way to change the game (through legislation), but that won't happen with mere acquiescence.

privacylawyer said...

Steve: Absolutely, change the game. Or if anyone is going to point fingers, they need to point them to legislators as well as service providers.

"The game" allows law enforcement to compel the production of evidence, including digital evidence. That's just reality. The only way to change that reality is to change the game.

Realistically, the situation is not ever going to go away. But what can be realistically demanded is court oversight, and checks and balances on law enforcement and national security agencies' powers.

Peter J. Hillier, CD, CISSP said...

So, because it's de rigueur we should move forward? Frankly I don't trust the "adult's" of Government to be able to monitor these activities to the extent they need to be.

Murray said...

"Don't hate the player, hate the game"? What up gangsta? Kidding aside, interesting arguments on both side and something to keep tabs on.

On a sidenote, I agree partly with Zuckerberg's statement, some personal accountability is needed -though many people are not as informed as they need to be to make proper judgements. Protection from above is needed.