

The Ploys of Summer

This summer’s web forecast: partly spammy, with a high probability of fraud.

Maybe it’s the desperation of a recession-racked global economy; or the result of people on holiday with a lot of time on their hands; or maybe the con-artist community feels that during the summer months, our defences are down, our sun-addled brains more susceptible to being hoodwinked.  Whatever the cause, I have been “blessed” of late with an unprecedented assault of phishing scams and other fraudulent spam messages — 60 or so in the last month alone.

© carlos_bcn - Fotolia.com


Some are laughably amateurish, like the misspelled requests to update my account information for credit cards that I don’t have and banks whose services I do not use.  A number of apparently undiscriminating “investors” want to invest in my “country or company”.  And of course I have “won” a number of international lotteries and promotional sweepstakes that I have never heard of, let alone entered.

Some are merely bizarre, like the dozen or so broken English messages and come-ons I have received from the likes of Aminata, Lissy, Faith, Favour and Jennifer – all apparently lonely single ladies looking for lifelong friendship and affection and wanting to send me pictures.  What I have done to become so popular, I have no idea.

The bulk of these attempted frauds are all variations of the grand-daddy of them all: the infamous “Nigerian” scam.  I have received a litany of sob-stories and offers smacking of illicit financial opportunism, each offering to advance to me sums of money.  A Japanese trust account manager, sitting on a multimillion dollar account of a deceased woman with no beneficiaries wants my help in getting the funds out of the country.  A posh-sounding but terminal Margaret Lindley Gisborne, of St. Peters Yacht Basin in Newcastle, wants me to take her substantial estate and use it for good works. One of the scams even offers to have me help get millions out of a Nigerian account, proving that the classics have real staying power.

More seriously, a number of the scams are truly scary, since they look eerily legitimate and come from companies with which I, and others, actually do business.  A raft of these have related to eBay and a number of chartered banks, again seeking account updates and confirmations under various pretenses.  It strikes me that many recipients, motivated by panic that their accounts had been frozen or credit suspended, and fooled by legitimate-looking features like accurate logos and links to privacy policies, might be persuaded to voluntarily submit sensitive personal and financial information.  All customers need to remember that legitimate and responsible businesses do not generally cold-call or electronically contact customers and invite them to enter such information.  And businesses that do so merely serve to lend credibility to the scammers.

But the undisputed winner of this summer’s Grande Cajones award goes to the electronic highwaymen behind a phishing scheme masquerading as a Royal Bank of Canada notice alerting customers to – wait for it – a phishing scam.  To better protect customers, “the bank” announces that it has “updated [its] new SSL servers to give our customers a better, fast and secure online banking service.”  In light of this recent server update, recipients are requested to update their account information — by clicking through a spoofed RBC link.

Update 12 September:  A recent CNet story outlines the proportion of various businesses that are targeted by phishers.

Posted in Blogellany, Internet, Privacy.


Foreign Ownership and the Elephant in the Room

Are Canadian companies better-equipped or more trustworthy when it comes to complying with Canadian content regulations?  That’s the question that no one seems to be asking in the current debate over altering foreign ownership rules for communications companies in Canada.

As widely expected, Industry Minister Tony Clement has confirmed that the government will proceed with revisions to the foreign ownership rules for telecommunications carriers in Canada, following a brief public consultation. 

This was hardly surprising, given recent statements before the Standing Committee on Industry, Science and Technology, the speech from the throne and other public pronouncements since the cabinet reversal of the CRTC’s decision finding that new wireless entrant Globalive did not pass muster from a Canadian ownership perspective.

What is somewhat surprising is that the government is apparently still focused on revising the Canadian ownership requirements only for telecommunications services, not broadcasting – contrary to the pleas of some industry players and the Chairman of the CRTC.  In his appearance before the Industry Committee, Von Finckenstein argued (among other things) that, given the degree of technological and corporate convergence in the communications sector, it made little sense to impose different ownership rules on each sector.

Let’s put aside, for the moment, broadcasters themselves – the folks that actually acquire, produce and transmit content – as content originators seem to be sacrosanct: foreign ownership and control for them is, apparently, unthinkable.  Turning instead to broadcasting distributors – the folks that aggregate, package and deliver the majority of that content to us – Von Finckenstein’s arguments make a lot of sense.

Increasingly, broadcasting distribution and telecommunications services are being provided over the same physical networks, to the same customer bases, by the same companies.  Clement and others have dismissed these convergence concerns by suggesting that these assets and associated operations could be readily spun out into separate corporations, allowing for application of differing foreign ownership rules.  Easier said than done.

More fundamentally, why should these two sectors be treated differently?  There appear to be two possible arguments. 

First, there is the problem that in order to open up foreign ownership rules on the broadcasting side – even just for broadcasting distributors – amendments would be required to the Broadcasting Act, including the broad requirement that the Canadian broadcasting systems should be “effectively owned and controlled by Canadians.”  Seems to me that there can still be Canadian ownership and control well below the current 80% Canadian ownership threshold.  Moreover, if the government believes that greater foreign investment will be beneficial to Canadians, having “a net positive effect on overall productivity growth” (as Clement said before the Industry Committee), then the need for legislative reform shouldn’t stand in the way.  Nor should the fear that opening up the Broadcasting Act to revision would open a Pandora’s Box, with calls for other fundamental changes to the framework.  In my view, the arrival of the digital age calls into question many of the objectives and much of the machinery of the Act, and a broader review is, in fact, overdue.  I say, “Bring it.”

The second, and more problematic, argument for letting current ownership rules for distributors stand is that broadcasting distributors play important roles in the selection, packaging and promotion of Canadian content, and that this is not a role that should be entrusted to non-Canadians.  The role played by distribution undertakings is certainly important, but the fallacy here is that only Canadians can fulfill this role.

As Samuel Johnson famously observed, “Patriotism is the last resort of the scoundrel”.

Let’s stop kidding ourselves.  Canadian distributors don’t preserve and promote Canadian services out of the goodness of their hearts or because true patriot love courses through the veins of their CEOs.  Some of the Canadian services we see are distributed in accordance with market demand, but a large proportion is provided simply in order to comply with carriage terms and linkage rules mandated by the CRTC.  A foreign-controlled company can do this just as well as a Canadian one.  And we’ve seen many examples of certified Canadian licensees who have attempted to evade the spirit, if not the letter of CRTC Cancon rules.

It has been oft said that you can’t legislate culture; yet, we might as well face the truth: this is exactly what Canadian broadcasting regulation attempts to do.  Canadian broadcasting distributors, like other companies – Canadian or otherwise – are first and foremost businesses, and they make decisions in order to maximize profits – in fact, they are legally obligated to shareholders to do so.  To treat them otherwise is folly.

Make no mistake: if there are public policy directions that we want communications companies to follow in Canada, we need to set in place clear, tailored rules and obligations to accomplish this, backing these up with effective enforcement — no matter what colour flag the company is wrapped in.

Posted in Broadcasting, Telecommunications.



A Tale of Two Regulators

Being so close to our neighbours to the South, we in Canada are always comparing notes with the United States — and the net neutrality debate is no exception.  So I expect that more than a few observers on this side of the border will have read with great interest today the news that the U.S. Court of Appeals has vacated (that’s U.S. legalspeak for overturned, made void, annulled) a 2008 FCC ruling that took Comcast to task for slowing down Peer-to-Peer traffic carried over its network.

Interestingly, the FCC ruling in question was almost moot when it was issued, as Comcast had already agreed to adopt a new system for managing bandwidth demand.  So other than a stern talking to, Comcast emerged from the FCC investigation with mainly some reporting requirements, and the threat of an injunction, should it fail to make the required disclosures or to make the traffic management changes to which it had agreed.

Still, in making its order, the FCC asserted jurisdiction over network management practices.  That didn’t sit well with Comcast, which appealed the decision, contending, among other things, that the FCC failed to justify exercising its jurisdiction over network management practices.

Which brings us, some 18 months later, to today’s decision of the United States Court of Appeals for the District of Columbia Circuit in the case of Comcast Corporation v. Federal Communications Commission.

The FCC had defended its authority to regulate ISP traffic management practices by relying on s. 4(i) of the Communications Act of 1934, which empowers the Commission to “perform any and all acts, make such rules and regulations, and issue such orders, not inconsistent with this chapter, as may be necessary in the execution of its functions.”  The power relied upon by the FCC is considered to be an “ancillary” power, i.e. one that confers no powers on its own, but is only validly applied to the extent that it is “reasonably ancillary to the … effective performance of its statutorily mandated responsibilities.”

And therein lies the rub: the Court of Appeals found that there were no such statutorily mandated responsibilities to which orders relating to ISP traffic management could reasonably be considered to be ancillary.  The court underlined that each new application of ancillary powers has to be considered on its own terms; so even if the courts had earlier endorsed the use of ancillary powers to take other regulatory action respecting broadband services (e.g. requiring them to be unbundled), this did not mean open season on any further regulatory measures.

For its part, the FCC issued a short statement indicating that it was bowed, but not beaten.  The FCC says it remains committed to ensuring an open Internet, and suggested that while the court didn’t like its approach in the Comcast case, it might have other tricks up its sleeve that would pass legal muster.

So, what does all this mean for Canadian ISPs and Internet users?  Let’s just say that while our dollars may be more or less at parity (at least as I write this), our regulatory frameworks for telecommunications differ in some significant ways.

The U.S. Communications Act is a fairly detailed, prescriptive statute that grants to the FCC specific powers with respect to each of a number of types of electronic communications (e.g. “common carrier services”, radio transmissions, “cable services”).  By contrast, the Telecommunications Act is a much more general, purposive statute, which confers on the CRTC a number of broad order and rule-making powers, to be exercised in pursuit of a number of broadly-worded policy objectives.  Within this broad framework, the CRTC has been granted a wide discretion as to how to use its powers to achieve the telecommunications policy objectives set out in the Act.  Canadian courts have also tended to defer to the CRTC as an expert, specialized tribunal, and courts are therefore more reluctant to interfere with CRTC decisions on appeal.

More particularly, in the Canadian statute “telecommunications” and “telecommunications service” are defined in broad enough terms to clearly include Internet access services (whereas our friends to the South have to wrestle with whether Internet services are “telecommunications services” or “information services”).  The CRTC also has a broad power to impose conditions on the offering and provision of telecommunications services (s. 24) and the Act prohibits the provision of such a service in a manner that unjustly discriminates against, or unduly prefers, any person (s. 27).  The Act also prohibits common carriers (which includes incumbent cable and ILEC Internet service providers) from controlling the content or influencing the meaning or purpose of telecommunications that they carry (s. 36).  Indeed, each of these provisions was considered by the CRTC in issuing its traffic management decision last fall.

All told, the CRTC would appear to be in good stead to take regulatory action with respect to traffic management practices, should it consider it necessary to do so, rendering a Comcast-like decision from a Canadian court very unlikely. 

Funny, that: Canadians more clearly and comprehensively regulated than Americans.  Who knew?

Posted in Uncategorized.



Communications Regulation is a Full-Time Job

Sometimes we end up making the right decisions for the wrong reasons.

Yesterday, Treasury Board President Stockwell Day announced the elimination of 245 Governor in Council appointments to a range of federal agencies and tribunals.  Apparently, most were vacant at the time of the announcement.

Among the eliminated (and vacant) positions were 6 spots at the CRTC: the six positions for Part-Time Commissioners, established by the Canadian Radio-television and Telecommunications Commission Act.  The last Part-Time Commissioner was Peter Menzies, who began CRTC life as a Part-Timer in 2007, but was appointed as a Full-Time Commissioner in June of 2009.

Technically, yesterday’s announcement just indicates the current Government’s intention not to fill these positions.  The CRTC Act still explicitly provides for the appointment of such members, so future governments could repopulate the Part-Time Commissioner pool — unless the legislation is amended.

Let’s hope that future governments stay the course on this one.  The elimination of Part-Time Commissioners is a good decision for a number of reasons — but the meagre associated cost savings, touted by the government as being the prime motivator for the head-count reductions, are well down the list.

The Part-Time Commissioner positions were originally envisioned as a means to ensure that regional interests were represented in CRTC decisions — at least with respect to broadcasting matters, since Part-Time members are empowered to act on broadcasting matters only.  Prior to the enactment of the current Act, the Part-Timers had even fewer powers: they could vote on the making of regulations and the revocation of licences, but were only “consulted” (i.e. no voting power) with respect to the issuance, amendment or renewal of licences.

With the introduction of Regional (Full-Time) Commissioners in the 1991 Broadcasting Act, the writing was on the wall for Part-Time Commissioners, as regional input and representation was achieved without the need for the Part-Time member structure.  Eliminating these positions only makes sense – and likely should have been done in 1991.

In addition, eliminating Part-Time appointments helps contain the CRTC to a more manageable 13 member board, as compared to a potential 19 member structure.  Even at 13, hearing panels and deliberations can get a bit unwieldy.  Consensus and efficiency are better achieved with smaller boards.  Similar tribunals manage with far fewer Commissioners, including the FCC, which gets by with only 5 Commissioners (and handles a broader mandate, to boot – including spectrum regulation).

But perhaps the best reason for eliminating these appointments is to better equip the CRTC to deal with an increasingly converged world.  And with departmental oversight for telecommunications and broadcasting divided between Industry Canada and Canadian Heritage and no national digital strategy, the CRTC is, by necessity, the front-line body left to grapple with convergence.

Significantly, although the CRTC is the supervising authority for both broadcasting and telecommunications in Canada, the Part-Timers were only ever empowered to take decisions on broadcasting matters.  This led to decisions under the Broadcasting Act and the Telecommunications Act being taken by two different pools of Commissioners.  In an era where the major policy issues tend to raise mixed issues affecting content and carriage, such as the recent debate over the use of Internet Traffic Management Practices, it is important that the same body of Commissioners make decisions under both statutes.

A single pool of decision makers, considering both broadcasting and telecommunications matters, provides greater opportunities for converged thinking and better allows for the pursuit of a unified and comprehensive vision for communications regulation.  In addition, with a single pool of decision makers, it is easier for the regulator to achieve symmetry and consistency between policies and decisions affecting competing platforms. 

Buh-bye, Part-Time Commissioners.  Don’t let the door hit you on the way out.

Posted in Broadcasting, Internet, Telecommunications.



More Fame & Shame

More tales of best practices and gaffes from the world o’ privacy.

Fame:  The “i’s” have it.  Little “i’s” to be precise.   Gold star to the advertising industry for its latest move to transparency. 

The industry recently announced the creation and planned implementation of a standardized icon, for use on online ads, that will direct users to a page explaining how the advertiser uses their web surfing history and demographic profile to serve them ads.  Of course, the proof will be in the pudding, as the ultimate success of the program will depend heavily on the number of ads that will sport the icon and the content of the explanations themselves.  To be truly useful to Internet users, such ads should be succinct, in plain language, and as specific – and forthcoming – as possible.

It is expected that the “little i’s” will start cropping up on some online ads this summer.

Shame: Shame to American Express in relation to a glitch that saw at least one cardholder logging in to his online account, only to be confronted with the account information of another cardholder.  News report here

Amex earns a spot on the shame list not so much for the online glitch itself (regrettably, these things happen), but for completely and repeatedly fumbling the ball when it was notified – 6 times – of the problem but apparently did nothing about it.  It took more than half a dozen interactions with different Amex representatives and more than three weeks before the problem – a glitch based on what was apparently nearly-identical logon information – was fixed.  One has to wonder whether anything at all would have been done had the cardholder in question not been so diligent in pursuing the matter.

Despite the best of systems, training and process controls, there will inevitably be privacy breaches on occasion.  Clearly, organizations must strive to keep such breaches to an absolute minimum; however, the real mark of an organization that takes its privacy obligations seriously is the speed and energy that it devotes to fixing problems when they are discovered.  The Amex incident is a cautionary tale for any large organization to ensure that the front line customer service representatives (in-house, outsourced or offshore) are able to recognize a serious privacy concern and escalate the matter immediately to an appropriate resource.

Posted in Privacy.



Raising the Bar on Universal Service

With a proceeding kicked off late last week, the CRTC raised the possibility of mandating that high-speed Internet access be made available to all Canadians, possibly on a subsidized basis.

In the more technical parlance of the CRTC, it has called for comments as to whether high-speed access should be included as part of the Basic Service Objective (BSO), which sets a minimum standard for the scope of services that incumbent service providers are mandated to provide.  The Commission has also called for comments on broad issues concerning both the existing obligation to serve and the local service subsidy regime.

Currently, the core transmission functions of Canada’s BSO contemplate only single line residential service, with basic dial-up capability.  This is the service that incumbent telephone companies are required to provide to subscribers within (or just beyond) the reach of their current network.  This is also the service that is subsidized, at least for high cost (read rural) serving areas.

To be clear, the Commission is just seeking comments at this time, but some might wonder whether, in placing consideration of broadband as part of the BSO on the agenda, the fix is in.

Broadband is rapidly becoming at least as important a link to the social and economic world as the telephone.  Increasingly, Canadians are making the Internet their first stop for a range of important information and services, as well as a tool to connect with others and access entertainment and cultural content.  Other countries, including Spain and Finland, have already recognized the importance of a high-speed Internet connection and have announced their intention to make broadband (well, at least 1 Meg) part of their equivalent BSO.  A Constitutional Court in France has even declared Internet access a basic human right, although the right does not necessarily extend to a right to broadband service.

Meanwhile, the prevalence of Plain Old Telephone Service (POTS) is declining in the face of both broadband and wireless technologies.  Through VOIP technologies, broadband networks are increasingly supplanting older switched telephone networks, even for voice telephony.  Of course, wireless equivalents are also replacing wireline telephony in many countries (Canada? Not so much).  In the U.S., AT&T is arguing that old-fashioned wireline telephony is yesterday’s technology, and should no longer be required to be provided by incumbent carriers.  Others are suggesting that the Universal Service Fund, which subsidizes the provision of wireline telephony in high-cost serving areas, should be scrapped as being an outmoded white elephant.  Still others are proposing that the Fund be redirected instead to subsidizing the cost of broadband for low-income Americans.

On this side of the border, one can debate (and we can be sure many parties will debate) whether Canada needs to impose an obligation to serve at all, or needs to continue to subsidize service to some areas.  However, if the CRTC does conclude that there is any requirement to mandate or subsidize a telecommunications service, one that is essential to connect Canadians to the world and to each other, it seems increasingly clear that it makes no sense to focus on an increasingly outmoded, declining technology.   It would be like mandating horse-watering stations in the era of the motorway.

If there is to continue to be a universal service, it must be some form of broadband.  And frankly, even 1 Meg is too slow.

Posted in Internet, Telecommunications.



Privacy Diary – Fame and Shame

With this post, I’m starting a new occasional feature here at Elderblog.

A few recent personal experiences provided me with some real-world examples of managing privacy, both from a personal and corporate perspective.  Some provide good examples of best privacy practices; some fall clearly into the “how not to do it” bin.  I have decided to post these observations here, bestowing Fame or Shame on the responsible parties.  So, here goes:

Fame:  A shout-out to the Washington Post for a clear and helpful interactive subscriber registration form.  I recently subscribed to the Post’s daily eMail news summary, and was impressed with its registration form, which provides helpful pop-up explanations of the purposes for which most of the information is sought, including a link to the Post’s overall privacy policy.  While the privacy policy is, frankly, in need of an update (the posted version is 6 years old), the Post still gets high marks for transparency, clarity and ease of use.

Shame:  A “what were they thinking” shrug to MBNA Canada, for a cold-calling campaign to sign up new users for its platinum Mastercard.  Strike one: MBNA (or rather, its third party agent) called my Do Not Call List registered number to convince me to apply for a credit card.  CRTC rules define “solicitation” as the selling or promoting of a product or service, which would include a credit card.

Strike two: in addition to sending me an application form, the rep started asking me some rather personal questions, like length of residence at my current address, size of my mortgage, etc.  When I objected to providing that kind of information over the phone (remember, he had called me – I didn’t know him from Adam), he tried to reassure me by noting that he wasn’t asking me for any credit card numbers or anything like that.  He did, however, want to ask me my date of birth, mother’s maiden name, etc. – all information that other service providers might use to authenticate me for online or telephone transactions.

Strike three: the MBNA website and privacy policy provide no indication of the type of information that it will and won’t solicit over the phone (although it does provide similar information re unsolicited eMail).  When I called MBNA to inquire, after a few questions about the nature of the offer being put forward, the customer service rep allowed that it was probably one of MBNA’s calling campaigns through a third party outsourced call centre, and that they had to take some of that information to prequalify me for the card.  However, I got the clear impression that he really didn’t know if the call was legit or not.

Ironically, MBNA’s security and privacy pages spend a lot of virtual ink on fraud, phishing and identity theft, even providing tips to users about how to avoid these problems.  Meanwhile, they are sending mixed messages by cold-calling potential customers and asking them for precisely the type of information that MBNA warns its customers not to provide online.  The type of personal information in question could be used by unscrupulous types for “pretexting” – impersonating an individual online or by phone using key identifying information.  If enough information can be pulled together, that individual can find themselves a victim of identity theft.

As MBNA should know, phishing can also occur by phone.  In fact, earlier this week, I got one of those fraudulent calls by someone purporting to be calling about the outstanding balance with “my credit card company”.  When I asked him on behalf of which specific bank he was calling, he hung up.

Companies need to be aware of phishing scams, and in order to better protect customers, must avoid any behaviours that could also be used by phishing fraudsters.  In this way, it becomes easier for individuals to separate legitimate business communications from scams.

Posted in Privacy, Uncategorized.



Sounds Good — On Paper

The Washington Post reported today that for 4 years, the FBI illegally collected over 2,000 telephone call records from U.S. carriers.  Apparently, in some cases, the agency simply persuaded carriers to divulge the information, but in most of the cases, FBI personnel invoked bogus emergencies as a way of obtaining the data.  To make matters worse, FBI officials later issued subpoenas purporting to justify the requests.  Worse still, the FBI apparently knew about the faked emergencies, were advised by internal counsel of the illegality, and still did nothing to stop the practice.  A U.S. Department of Justice report, due to be published later this month, is expected to conclude that the FBI frequently obtained subscriber data through falsified “emergency” requests.

The FBI scam is particularly galling given that the agency was seeking to side-step a process that had already been significantly watered down by the USA Patriot Act in the wake of the World Trade Center attacks.  Before 9/11, call detail records were obtained by grand jury subpoena or through “national security letters” (NSLs) issued by senior FBI headquarters officials.  Post 9/11, the Patriot Act allowed such NSLs to be issued by low-ranking FBI personnel in regional offices, and for a wider range of circumstances — but still required a clear link to an ongoing terrorism investigation.  Instead of adhering to this weaker procedural standard, the FBI instead developed a practice of requesting (and obtaining) on an “emergency” basis call records of the subjects of “pending terrorism investigations.”

Back on this side of the 49th parallel, “exigent circumstances” exceptions have long been a feature in Canada’s Criminal Code, allowing for warrantless searches, wiretaps and disclosure of personal information, including telephone call records and Internet logs.  For example, s. 184.4 currently provides that private communications may be intercepted without warrant where law enforcement has reasonable grounds to believe that the interception is immediately necessary to prevent an unlawful act that would cause serious harm to any person or property.  Interestingly, though, there is no need for a peace officer to do anything further — no subsequent authorization or approval is required, nor is the Minister of Public Safety even required to report on the number of “exigent circumstances” interceptions in his annual report.

The validity of s. 184.4 is unclear at this time.  At least one Superior Court has ruled that this provision is unconstitutional, while another Province’s court has found the opposite.  Parliament also took some initial steps to try to strengthen the procedural protections in s. 184.4 in the form of Bill C-31, which would have narrowed the grounds for use of the exemption, required follow up paperwork and included exigent interceptions in the Minister’s annual reporting obligations.  But like all of the government’s “law and order” legislation, Bill C-31 died on the order paper when Parliament was prorogued late last year.

Still, a similar “exigent circumstances” regime was included in ss. 16 and 17 of Bill C-47 (see previous post on this bill generally), which would have required telecommunications service providers to provide law enforcement, on request, with a range of information respecting the name, address, telephone number and electronic eMail address of any subscriber. 

That provision included two avenues for police to obtain the information, neither requiring a warrant:  the first was open only to a small number of “designated persons” appointed by the heads of CSIS, the RCMP or the Competition Bureau (or their designates) to present the service provider with an explicit written request, in clear performance of a duty or function under a specified law.  The second avenue required only a verbal request (accompanied by the name, rank and badge number of the requesting officer), employing the same “exigent circumstances” test as s. 184.4 of the Criminal Code. 

But what is really interesting is that Bill C-47 required customer data requests, both regular and exigent, to be “papered” after the fact, presumably to provide some procedural comfort to those concerned with civil liberties.  The process was to work like this:

  1. The officer that made an “exigent” request reports the request to another designated official in his or her law enforcement or national security agency.
  2. That designated official provides a written confirmation to the telecom service provider that the request was made in exceptional circumstances, as contemplated under the bill.
  3. For both regular and exigent requests, the designated official creates a record of the request, identifying the legal duty or function in the performance of which the request was made, describing the relevance of the information sought to the performance of that duty or function and generally providing other support for the request.  If the request was exigent, the report was to indicate how the criteria were met. 
  4. Such records were to be retained for posterity and possible internal audit.
  5. Information received from service providers was not to be used for any purpose other than the purpose for which it was originally obtained, or for “a use consistent with that purpose.”
  6. Regular internal audits are to be conducted by each of CSIS, the RCMP, any provincial/municipal police service and the Competition Bureau to ensure compliance with the above regime.
  7. Where an internal audit is made, a report is to be made to the responsible minister – if the agency head thinks that is necessary.  If such a report is provided to the responsible minister, a copy is also to be provided to the Privacy Commissioner of Canada, the Security Intelligence Review Committee, or relevant provincial authorities, as applicable.
  8. The Privacy Commissioner or the Security Intelligence Review Committee, as applicable, may conduct their own audits.

Although, at first blush, these recording and reporting requirements may seem to offer some protection, more cynical readers will be forgiven for observing that behind the procedural smoke and mirrors (including vague usage safeguards and “optional” reports to the Minister), this process – with the possible exception of Privacy Commissioner or SIRC audits – amounts to little more than the honour system.

Back to today’s Washington Post story, it is pretty clear that south of the border, the honour system didn’t work out so well.  Perhaps Canadians should keep this in mind — if and when Bill C-47 rises from the ashes of the second session of the 40th Parliament.

Posted in Lawful Access, Privacy, Security Matters, Telecommunications.



Will That Be Frisk or Scan?

Over the holidays, I had the opportunity to see Up In The Air, the new George Clooney flick about an über frequent flyer with some serious intimacy issues.  In one particular scene that will resonate with frequent air travellers, Clooney describes the road warrior’s approach to maximum efficiency in navigating the pre-boarding security process.  As of this week, Clooney’s character would face some serious new challenges to his streamlined method. 

In a well-publicized incident on Christmas Day, a would-be terrorist managed to board a Detroit-bound flight with a quantity of explosive concealed in his underwear.  Then, early in the New Year, the U.S. Transportation Security Agency issued a new security directive to all air carriers operating flights to the U.S., requiring beefed up security procedures including the increased use of enhanced screening technologies.

Not surprisingly, Canada announced two days later that it would be installing full body scanners at major Canadian airports to better detect objects, including weapons and explosives, that could be concealed under clothing, but would not be noticed by metal detectors (such as ceramic weapons, or liquid and plastic explosives).  In a comment that says much about Canada-U.S. relations on security matters, Transport Minister John Baird suggested in a CBC interview that in fact, Canada had little choice but to introduce the technology given the U.S. directive (ignoring the fact that Canada had been trialling the technology in Kelowna for the past year, and was considering a full rollout anyway).

Of course, in addition to the potential for increased wait times for Mr. Clooney and concerns about the health effects of radiowave screening (Health Canada says the effect is limited – less radio exposure than a cellphone), full body scanning obviously raises significant privacy issues.

An image of the outline of our body – some have termed it a “virtual strip search” – would clearly be considered to be sensitive personal information under Canadian law, so the question to be answered is whether the collection, use and disclosure of such images will be made in accordance with privacy law requirements.  The Privacy Commissioner of Canada seems to think it will be.

Many privacy advocates here, and in other countries employing scanning technology, have objected strongly to scanning, arguing that the intrusive technology is not really required, in that it may do little to enhance air safety.  Some have argued that even with the technology, some key terrorist incidents may not have been prevented.  Moreover, there is significant mistrust in some quarters over the potential retention and use of body scan images, and the lack of government transparency in this regard. 

In addition, there would appear to be some dispute as to exactly how much is revealed by body scanners.  Some manufacturers claim their scanning products provide “no anatomical details”, thereby assuaging some privacy concerns; however, other reports – and available still images – indicate that breasts and genitalia can clearly be seen.  Still other reports suggest that the equipment will also reveal other personal anatomical details, such as breast enlargements and body piercings (although, it seems to me, the metal detectors should already be chiming away when such, uh, personal jewellery is detected).

It seems to me that in order to be at all effective, the scanned image must be able to show the Full Monty — let’s remember where the Christmas bomber concealed his explosives.  And even at that, scanners will still not prevent the truly dedicated from smuggling on board weapons or explosives, since body scanning technology – which produces an image of the body’s surface – would not detect items hidden inside body crevices or cavities (giving new meaning to the term “concealed weapon”).

As is often the case with security measures, it may be that the new scanning procedure is as much about appearances – providing comfort to travellers – as it is about actually detecting suspected terrorists and preventing them from boarding aircraft.

Putting aside for the moment the necessity or efficacy of the technology, the government deserves some credit for consulting early on with the Office of the Privacy Commissioner of Canada, which has apparently blessed Canada’s approach, following analysis of privacy impact assessments.  Consistent with the approach suggested by the OPC in its 2007 submission to the Air India inquiry on the privacy implications of airport security measures, travellers will be subjected to scanning selectively, as a secondary screening method only.  Moreover, travellers selected for enhanced screening will be given the option of being scanned by the new millimetre wave technology or submitting to a physical search. 

In fact, the government appears to have gone even further in an attempt to minimize the privacy intrusiveness inherent in the technology.  First, no one is able to view both a traveller and his or her scanned image at the same time.  Security agents operating the scanner at the security queue see only a blocky, cartoon-like image that shows the areas of the body where items may be hidden.  Agents viewing the more detailed scans are located in a separate room, where they cannot view the individual being screened, other than through the scanned image.  Second, the images are ephemeral, being deleted as soon as the screening is completed – no transmission or recordings are made, and no images are printed.

Some may feel that body scans are less intrusive than a “pat-down” search because they do not involve any physical contact; others may consider them to be more intrusive because they generate an image of an essentially naked human body – although to me, the beings depicted in the images being circulated look more like faceless, featureless aliens. 

At least now, thanks to Canadian privacy law, if selected for secondary screening, we will have the choice of frisk or scan. 

Or the choice that we’ve always had — to stay home, fully clothed, with all our piercings and body augmentations safely concealed.

Posted in Privacy, Security Matters.



The (Increasingly) Long Arm of the Law

As announced earlier this week, today the government tabled new legislation that would require Internet service providers to report sites featuring child pornography.  While the big picture objective of the bill – the reduction of the availability of material exploiting children - is an eminently worthy one, the means to achieve this goal bear some further scrutiny. 

The bill is certainly noteworthy for its timing, as part of a cluster of “law and order” bills that have been introduced or given focused attention by the government in 2008 since whiffs of a potential election have been in the air.  Getting tough with criminals does seem to play well with electors in the heartland.

More substantively, the bill is noteworthy as the latest move to deputize telecommunications service providers with respect to the detection and investigation of the law.

Once upon a time, telecommunications providers were considered to be “common carriers”, a common law concept that originated with early public transport providers, but evolved to encompass telephone companies and Internet service providers.  A key component of the operation of a common carrier is that it does not involve itself in any way with the content of the containers that it is shipping, in the case of a transport provider, or in the electronic age, with the content of the messages or other intelligence that it is transmitting.  Particularly with the rise in influence and usage of Internet-based communications, this long-established principle seems to be under attack.

 

One of the first instances of the erosion of the “don’t ask, don’t tell” principle that guided telecommunications providers for many years was the introduction of the Anti-Terrorism Act in 2001.  That statute imposes a positive duty on persons, including telecommunications service providers, to notify law enforcement and national security agencies of information that may come to light respecting transactions respecting “terrorist property”, a broadly defined term which encompasses virtually any personal or real property that could conceivably be used by a terrorist group.

More recently, Bill C-47, the Technical Assistance for Law Enforcement in the 21st Century Act, which is currently in Committee, contains proposed provisions that would require – without a warrant – the delivery by telecommunications service providers to law enforcement agencies of a broad range of subscriber information.  The bill would also require service providers to preserve data on law enforcement request, including web logs and content, such that they could later be reviewed by law enforcement (this time with a warrant).  The bill further requires these “common carriers” to effectively build “peepholes” into their networks to facilitate the interception of private communications by law enforcement (again, with a warrant).  See my earlier post on this subject.

Today’s bill adds to this trend, requiring Internet service providers to report to police IP addresses or URLs where child pornography may be available to the public.  The duty to report arises both where the ISP is advised of the existence of such material, and where it otherwise “has reasonable grounds to believe that their Internet service is being or has been used to commit a child pornography offence.”  The ISP must preserve for 21 days all computer data relating to the reported sites.  Failure to comply with these requirements could net the offending ISP a fine of up to $100,000.

On its face, there seem to be a number of concerns in this bill for ISPs, not the least of which is what would constitute reasonable grounds for thinking a child pornography offence is or has been committed.  When there’s $100,000 on the line, there may be a tendency to err on the side of caution, which could result in a lot of non-criminal activity being “reported”.

Is this the thin edge of the wedge for ISPs as police informants?  Will the trend toward mandatory disclosures and deputization be extended to other crimes?  In our desire to protect ourselves from horrific and repugnant crimes, we as a society need to exercise extreme caution in addressing the balance between safety/security and privacy, lest the pendulum swing too far and we find ourselves in an Orwellian surveillance state.

Posted in Lawful Access, Privacy, Security Matters, Telecommunications.
