Saturday, September 17, 2011

What lawful access is all about

Yesterday, I posted about three new public service announcements made by OpenMedia.ca, which are part of a campaign against "lawful access". (Canadian Privacy Law Blog: OpenMedia.ca launches "lawful access" PSAs).

The ads themselves will probably raise awareness about lawful access, but don't do a good job of really explaining what lawful access is. The ads suggest that police will be able to read your e-mail, intercept your calls and watch your online shopping without a warrant. That's not the case.

We don't really know what the Harper Government(TM) plans to put in the legislation when it is introduced later this year, but we can take a look at what has been put forward by the liberals and the conservatives over the past few years. In short, the police will be able to go to your ISP, your phone company or any other online service provider and get the following information about you:

  • name,
  • address,
  • telephone number and
  • electronic mail address,
  • Internet protocol address,
  • mobile identification number,
  • electronic serial number,
  • local service provider identifier,
  • international mobile equipment identity number,
  • international mobile subscriber identity number and
  • subscriber identity module card number that are associated with the subscriber’s service and equipment.

All they would need is one piece of that puzzle and the service provider has to provide all the other pieces. If they have your IP address, they get your address. If they have your name, they get your phone's built-in identifier.

So why does this matter? The Internet is not quite like the real world. When you go to a library, you don't have to provide ID or leave a record of what you looked at or that you were even there. When you step into a store in the real world, you don't necessarily leave a trace of what you perused and what you bought (if you paid cash). You can send an anonymous letter to the editor of your local newspaper to voice an unpopular opinion without giving your name or any other identifying information. (They probably will not publish it, but that's beside the point.) But the Internet doesn't work like that.

Every device on the network (phone, computer, etc) has an IP address. IP addresses can be tied to an individual computer or a range of computers sitting behind a firewall or a router. Every mobile device, such as a cell phone or a smart phone, has a number of unique identifiers that it chirps out to the network that it's attached to. Every interaction that you have online, you can assume is being logged in some fashion in connection with that IP address. Many e-mails you send include in the headers the IP address of the computer it was written on.

It's just the nature of how networks work. That IP can perhaps be traced to you, to your household or to your employer. In most cases, where residential internet accounts are concerned, they are connected to the name and address of the account holder. With phones, that identifier is connected to the individual who owns the phone.

In short: Everywhere you go on the internet or with your mobile phone, you leave digital footprints. That's the nature of the modern, networked world. So what protects your privacy when you do anything online? The fact that whoever allocated that IP address or provides your cell phone service has to keep it confidential unless a judge decides that the public interest (or the state interest) overrides your privacy interest. That's why we have a Charter of Rights and Freedoms in Canada and why we have an independent judiciary. There is no absolute anonymity online, but there is effective privacy by obscurity because anyone who can connect your IP address to an individual is bound to keep it confidential unless a judge says otherwise.

However, the Harper Government's lawful access bill proposed to take that important balance away. It would give police forces and national security folks virtually unfettered powers to connect those otherwise anonymous footprints to an actual person (or small group of persons).

That is inconsistent with your rights to privacy and is dangerous to the free and open internet. Whoever is elected needs to know that privacy is something that all Canadians value.

1 comment:

Anonymous said...

1. I'd allow it if judges could then have real-time access to, and records were kept of, everything that these "officials" were looking at, so they could know they were being watched as well, otherwise these powers could cause great harm.

but,

2. There IS anonymity online, and these laws will just help it grow.
There are anonymizing services, proxies, email and web forwarders, virtual private networks, onion routing networks, usenet, freenet, encrypted peer-to-peer, libraries, public wi-fi, mesh networks, or any one of many other such technologies to come.

3. Regardless, eventually one angry couple will both claim that the infringement was the fault of the other party and the judge will have to declare that an IP address is not a person. If only we could just get this to court!

This is a collective delusion of grandeur shared between the media industry and government officials.