A Privacy Discussion Hiding as a National Security One
I’ve promised myself to start being more direct in my opinions. You’re going to read a much more raw account of my position here than you usually would. Please let me know what you think by responding below.
Public Safety Canada is currently wrapping up a public consultation on the national security framework (it ends 15-Dec-2016), and while I was initially hopeful, the bottom started dropping out when I read the section entitled, “Investigative Capabilities in a Digital World”.
Making complex issues relatable is difficult. Add the complex technologies underpinning already complex issues and you get a recipe for disaster.
Public Safety averts disaster in their wording and explanations, but not by much.
Starting with the second paragraph of the preamble, all possibility of a balanced discussion is tossed out the window. The second paragraph states, “The same technologies we enjoy and rely on everyday — smartphones, laptops and the like — can also be exploited by terrorists and other criminals to coordinate, finance and carry out their attacks or criminal activities.”
At first blush, that sounds balanced. Except that the number of successful uses of these technologies is exponentially higher than the negative ones. This statement needs at least some additional context. Ironically — you’ll see why in a few sentences — a real-world analogy would work great here:
“…and just like with a car or vehicle, sometimes you can get hurt or bad people can use them to do bad things”
But no such comparison is made, and the reader is left with the feeling that our technologies are doing as much bad as good.
The preamble does do a good job in laying out the current concerns of Canada’s investigative agencies. However, the wording leans towards a conclusion that additional controls are required. Nowhere does it state that the status quo, or even a rolling back of existing tools, is a viable option.
Don’t mistake that suggestion for a lack of concern or appreciation for the role of our investigative agencies. They do play a critical role in keeping Canadians safe.
The challenge here is that in order to have an open and honest discussion about these issues, we need to understand them in their entirety. A biased introduction from one side doesn’t do anyone any favours.
One of the biggest challenges is that the consultation resorts to using physical analogies for digital challenges. The digital world is fundamentally different from the physical. Analogies hide the nuance and complexity inherent to the digital world, and basing a decision on the analogy will result in unintended consequences.
After the preamble, the basic areas of the consultation are “defined”. I use quotes because the definitions are vague and again often fall back on analogies, muddying the issues.
Basic Subscriber Information
Basic Subscriber Information (BSI) is a prime example. Comparing it to an entry in a phone book or a license plate number, the consultation positions BSI as potentially sensitive but still low risk, ending on the note that some countries even allow law enforcement access to this information without a court order.
Why wouldn’t you agree with this risk assessment? After all phone books and license plate numbers are public sources of information!
Let’s be crystal clear: basic subscriber information is personally identifiable information (PII) and should be protected as such. Because it’s not concretely defined in the consultation, we’re left wondering what exactly falls under the term BSI. Is information like an IP address included?
This lack of clarity is dangerous because — for example — IP address inclusion would radically change what information can be compiled and inferred from this data point. In addition, users can have different IP addresses at different times or more than one IP address at a particular time.
Not collecting BSI in the first place is the safest route for Canadians. If required — and yes, actually required, not just convenient — it must be protected as PII. At a minimum, that means encrypting it in transit, encrypting it at rest, using strong access controls, etc.
This information should only be available to law enforcement with an appropriately scoped court order.
Intercepting communications has been an important tool for investigative agencies. It is becoming increasingly difficult for the agencies to keep pace as new communications systems are developed. The questions in the consultation around this issue are framed with an implied acceptance that this is a capability that should continue. The only question being how.
I don’t think that’s true.
Modern communications run primarily over the internet in some shape or form. That opens them up to entirely new threats that legacy phone systems never directly faced. In order to maintain their integrity and security, communications should be encrypted end-to-end.
This makes centralized interception difficult and essentially useless when achieved. Some of our communications are already encrypted end-to-end and more are doing so each year. We should be pushing for all of them to implement this design.
Security is all about trade-offs, and in this case the trade-off is that millions and millions of daily communications by Canadians would be secure from malicious actors, cybercriminals, and prying eyes.
I’m not willing to sacrifice the security of Canadians’ communications to help assist a small number of investigations.
We need to do everything we can to encourage Canadians to use secure communications online. Mandating intercept capabilities means that technologies will require a backdoor. A backdoor that holds no guarantee that only “good guys” would have access. In fact, we know that malicious actors will gain access; it’s only a matter of time.
Besides, the cat is already out of the bag: secure communications technology is available freely around the world. It makes no sense to weaken Canadian systems in order to solve an edge case.
Encryption is a deeply technical subject. The computer science and mathematical concepts behind it are complex. It is critical to understand that the math behind cryptographic systems is well vetted and thoroughly tested.
The cryptography community has proven that once a master key or approved back door is implemented in a system, that cryptographic system is left vulnerable, weaker, and unreliable.
Ask any engineer implementing encryption systems and you’ll quickly discover that there’s almost nothing worse than an unreliable encryption system.
As part of the national security framework, we should encourage Canadians to use end-to-end encryption for data in transit and strong encryption for data at rest.
Again, this technology is readily and freely available from numerous international sources. Weakening Canadian encryption in any manner provides a leg up for Canada’s economic competitors and creates an unnecessary risk to the digital lives of Canadians.
What data should be captured and how long it should be kept are critical questions in the digital world. The security-minded answer is, “Capture as little data as you can and keep it for as short a period as you can”.
Data that you capture & store is data at risk.
This runs counter to the current thinking of “store it all and search or sort as needed”. Obviously balance is needed. Unfortunately, the right balance is specific to each situation.
General guidelines in this area should be to capture only what’s required (no saving for a rainy day) and to keep it only for as short a period of time as it is directly relevant to the business at hand.
Starting from this angle provides the best chance of finding the right balance of the investigative requirements, personal privacy, and data security.
The consultation requested comment on 13 specific areas of concern across the four categories above. I’ve copied the questions and my answers below.
When answering, I tried to strike a balance between the investigative agencies roles, my stance on personal privacy, and my understanding of digital security. If you’re wondering about my credentials in these areas, it might help to read a bit of my history and education.
1. What do you think?
[Question from Public Safety] How can the Government address challenges to law enforcement and national security investigations posed by the evolving technological landscape in a manner that is consistent with Canadian values, including respect for privacy, provision of security and the protection of economic interests?
[My response] Balanced and regular consultation is key to ensuring that the challenges to law enforcement and national security investigations are properly addressed. This includes equal weighting between the requests made by law enforcement, the perceived needs of law enforcement, the individual’s right to privacy, and a realistic understanding of the core tenets of a modern approach to digital security.
Technology is changing rapidly and the right balance for investigative agencies and the community today may not be the same tomorrow.
[Question from Public Safety] In the physical world, if the police obtain a search warrant from a judge to enter your home to conduct an investigation, they are authorized to access your home. Should investigative agencies operate any differently in the digital world?
[My response] Investigations in the digital world have to operate differently. Drawing an analogy to a physical search of a home is a false equivalency and frankly, extremely misleading.
Digital devices connect to numerous external services providing any manner of service to the user. To grant blanket access to search a digital device would be more accurately compared to a search warrant granting the police permission to search not only someone’s home but also their workplace, the homes of their friends and family, their bank, and any businesses that they’ve interacted with.
The scopes are not on the same level, and treating them as such would clearly violate individuals’ privacy, whether the target of the search or someone connected digitally to them.
In addition, concepts that apply to physical searches such as permitting the submission of things found in plain view (e.g., searching for item A and finding unrelated but objectionable item B on the coffee table) cannot apply in the digital world.
If a search is conducted on a device, it must have a specific, narrow scope. Other applications or data cannot be permitted to be a result of a search, and investigative agencies should be strictly prohibited from searching additional areas of the device.
Searching digital devices should be narrowly scoped with specific intentions.
[Question from Public Safety] Currently, investigative agencies have tools in the digital world similar to those in the physical world. As this document shows, there is concern that these tools may not be as effective in the digital world as in the physical world. Should the Government update these tools to better support digital/online investigations?
[My response] This question is too vague to be of any use though I will attempt to answer it anyway. The tools available for investigations in the digital world tend to default to “sweep it all, search it later”. While technically the easiest solution, this approach ensures that the potential for abuse is always present during an investigation and afterwards while the data is retained.
A common technique of duplicating the entire contents of a device or capturing an entire network stream means that data well outside the scope of the investigation will be on record and available to investigative agencies.
Any and all of the data captured and stored is at risk of a breach. Cyberattack and breach numbers consistently show that it’s extremely difficult to prevent data leakage…and that’s not even counting direct abuse of privileged access.
The easiest way to prevent this risk to Canadians is not to capture or store the data in the first place.
With that caveat understood, I do support the improvement of investigative tools. They should be more precise and have strong privacy protections built in from the ground up.
[Question from Public Safety] Is your expectation of privacy different in the digital world than in the physical world?
[My response] Yes, my expectation of privacy is different in the digital world because it is fundamentally different from the physical world. As a technologist with an understanding of how the underpinning layers of our digital world work, I am more aware than most of the trail we leave behind in the digital world.
In my opinion, most Canadians do not have this type of specialized knowledge and would have a higher expectation of privacy in the digital world when compared to the physical world (which they have a firm understanding of).
Again, I feel this question is misleading. It’s too broad and poorly conceived.
2. Basic Subscriber Information (BSI)
[Question from Public Safety] Since the Spencer decision, police and national security agencies have had difficulty obtaining BSI in a timely and efficient manner. This has limited their ability to carry out their mandates, including law enforcement’s investigation of crimes. If the Government developed legislation to respond to this problem, under what circumstances should BSI (such as name, address, telephone number and email address) be available to these agencies?
For example, some circumstances may include, but are not limited to: emergency circumstances, to help find a missing person, if there is suspicion of a crime, to further an investigative lead, etc…
[My response] Without actual statistics on the number of cases truly impeded or dropped due to a lack of timely access to BSI, it’s impossible to provide an informed opinion on this question. It’s the job of our law enforcement to advocate for tools to do their jobs to the best of their abilities. However, it’s our job as citizens to ensure that those tools strike a balance between law enforcement’s effectiveness and our rights and privileges.
BSI should only be accessible to investigative agencies with a lawfully executed warrant. Any self-regulation (such as a senior officer sign-off) is an insufficient control against abuse.
In the stated examples, obtaining a warrant should not be an onerous activity for investigative agencies.
Additionally, clear and consistent rules should be in place for how long service providers can retain BSI and what data they are permitted to capture or analyze.
[Question from Public Safety] Do you consider your basic identifying information identified through BSI (such as name, home address, phone number and email address) to be as private as the contents of your emails? your personal diary? your financial records? your medical records? Why or why not?
[My response] It’s curious that IP address assignment is left out of the listing of BSI, as most investigative agencies consider IP addresses part of that information. The individual data points listed are not particularly sensitive, but when combined with other data, the aggregate quickly increases in sensitivity.
I would consider all of this data as personally identifiable information (PII) and therefore treat it as sensitive. It should only be stored when necessary, appropriately protected when stored (via access control, encryption, etc.), and only released to investigative agencies with a narrowly scoped and lawful warrant.
The data in the analogies drawn above is also sensitive and each data type requires a different set of protections and controls specific to the situation.
[Question from Public Safety] Do you see a difference between the police having access to your name, home address and phone number, and the police having access to your Internet address, such as your IP address or email address?
[My response] Yes, there is a difference. As previously stated, the digital world is fundamentally different from the physical one. An email address has different sensitivities from an IP address, though both can be used to correlate activities with data from third-party systems.
IP addresses pose additional challenges due to the timelines associated with their assignment. A user doesn’t own the address; it is temporarily associated with a device connected to a network. A device can have multiple IP addresses concurrently or change addresses regularly. Due to these technical underpinnings, an IP address is a unique data point and should be treated as such.
Trying to compare it to a name, phone number, or even an email address is misleading.
While a user will share their email address quite freely, access to that email account is a different matter. A user is rarely aware of their IP address at any point in time, and obtaining it must require a higher standard, like a warrant.
3. Interception Capability
[Question from Public Safety] The Government has made previous attempts to enact interception capability legislation. This legislation would have required domestic communications service providers to create and maintain networks that would be technically capable of intercepting communications if a court order authorized the interception. These legislative proposals were controversial with Canadians. Some were concerned about privacy intrusions. As well, the Canadian communications industry was concerned about how such laws might affect it.
[My response] Given the strength of the backlash on previous pushes, why is the wording in this consultation decidedly pro-intercept? This doesn’t strike me as a balanced attempt at information gathering.
Domestic communications providers should not be required to provide intercept capabilities and in fact should be severely restricted in what data they can collect, analyze, and retain on their customers and their activities.
Modern communications are increasingly conducted over the internet, which puts them at risk from actors sharing the network… in other words, the entire planet. Adding interception capabilities to Canadian networks puts them at a risk that is disproportionate to the advantages to investigative agencies.
This expanded risk, along with the risk of insiders abusing privileged access, makes this a trade-off that is not in the best interests of Canadians.
[Question from Public Safety] Should Canada’s laws help to ensure that consistent interception capabilities are available through domestic communications service provider networks when a court order authorizing interception is granted by the courts?
[My response] Canada’s laws should ensure that interception capabilities are NOT available in any form beyond the specific endpoints where the communication originated or terminated. Canada’s laws should ensure that communications service providers are building networks that are as secure as possible from all manner of threat actors.
Building in what amounts to a back door undermines the growing economic backbone of Canadian life. Canadian networks should be secure by design, and our laws should reflect this.
I do not believe that reducing the security of Canadians’ day-to-day digital lives is a fair trade-off to increase the possibility that it would improve national security or ease law enforcement investigations.
4. Encryption
[Question from Public Safety] If the Government were to consider options to address the challenges encryption poses in law enforcement and national security investigations, in what circumstances, if any, should investigators have the ability to compel individuals or companies to assist with decryption?
[My response] Encryption is a foundational piece of digital security. Any attempt to provide access to law enforcement would weaken its structure and devalue it as a security control. End-to-end encryption of communications should be encouraged and should quickly become the norm in order to strengthen the security of Canadians.
The only viable scenario to provide access to law enforcement is an encryption-at-rest scenario. In the case when a user manages their own encryption keys — in extreme cases — a higher standard of warrant should be available to investigative agencies to gain access to the key.
[Question from Public Safety] How can law enforcement and national security agencies reduce the effectiveness of encryption for individuals and organizations involved in crime or threats to the security of Canada, yet not limit the beneficial uses of encryption by those not involved in illegal activities?
[My response] They cannot. That’s not how the technology works. It’s a trade-off that must be accepted, and should be accepted given the benefits of the technology.
Millions and millions of transactions and communications that benefit Canadians are completed everyday. Their safety and integrity is paramount.
This is the trade off required by a modern and free society.
In addition, encryption technologies are freely and widely available. Restricting access to Canadians only harms law-abiding citizens. It won’t slow down criminal or malicious activity in the slightest.
5. Data Retention
[Question from Public Safety] Should the law require Canadian service providers to keep telecommunications data for a certain period to ensure that it is available if law enforcement and national security agencies need it for their investigations and a court authorizes access?
[My response] Any data stored is data at risk. In this case, “telecommunications data” is too broadly defined to make a proper assessment. The introduction to this consultation lists phone data as number dialled and length of call, then only specifies “internet records of this kind”.
Are the internet records under consideration similar to the recent UK legislation? A phone record of number <> number and duration reveals a small amount of information.
An internet record could contain significantly more information.
A reasonable balance must be found with respect to the amount of information captured and stored vs the risk that data poses to individuals’ privacy. Regardless of the level of information, a warrant must be required to access it.
Whether or not the service provider stores the data for its own use is a separate issue.
[Question from Public Safety] If the Government of Canada were to enact a general data retention requirement, what type of data should be included or excluded? How long should this information be kept?
[My response] If the Government of Canada enacted a general data retention requirement, it should set a “must delete” retention period somewhere between 30–90 days. This would create a reasonable balance between risk and access while ensuring that all Canadian providers treated Canadian data in the same manner.
Data included should be kept to a minimum. For phone records: source, destination, duration. For internet records: source IP, destination IP, data length. Nothing more.
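As an added illustration (my example, not part of the original post or the consultation), the following shows what the proposed policy looks like when enforced in code: raw provider log lines are reduced to the minimal fields above before storage, records past a “must delete” cutoff are purged, and an audit reports any violation. The 60-day period, the record layout and the sample log lines are constructed assumptions.

```python
"""Data-minimization and must-delete retention check (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Assumed retention period, chosen inside the proposed 30-90 day range.
MUST_DELETE_AFTER = timedelta(days=60)

# The only fields permitted per record type; anything else is dropped.
MINIMAL_FIELDS = {
    "phone": ("source", "destination", "duration_s"),
    "internet": ("src_ip", "dst_ip", "bytes"),
}

# Fixed "now" for the demo and tests (the consultation's closing date).
DEMO_NOW = datetime(2016, 12, 15, tzinfo=timezone.utc)


@dataclass(frozen=True)
class RetainedRecord:
    kind: str
    captured_at: datetime
    fields: Dict[str, object]


def minimize(kind: str, raw: Dict[str, object], captured_at: datetime) -> RetainedRecord:
    """Reduce a raw log line to the permitted fields before it is stored.

    Extra fields (URLs, user agents, cell towers, ...) never reach the
    retained store, so they cannot be over-collected or leak in a breach.
    """
    if kind not in MINIMAL_FIELDS:
        raise ValueError(f"unknown record kind: {kind}")
    allowed = MINIMAL_FIELDS[kind]
    missing = [k for k in allowed if k not in raw]
    if missing:
        raise ValueError(f"{kind} record missing required fields: {missing}")
    return RetainedRecord(kind, captured_at, {k: raw[k] for k in allowed})


def purge_expired(records: Iterable[RetainedRecord], now: datetime) -> List[RetainedRecord]:
    """Hard-delete everything captured before the must-delete cutoff."""
    cutoff = now - MUST_DELETE_AFTER
    return [r for r in records if r.captured_at >= cutoff]


def audit(records: Iterable[RetainedRecord], now: datetime) -> List[str]:
    """Report policy violations: over-retained records or disallowed fields."""
    cutoff = now - MUST_DELETE_AFTER
    problems = []
    for r in records:
        if r.captured_at < cutoff:
            problems.append(f"over-retained {r.kind} record from {r.captured_at.date()}")
        extra = set(r.fields) - set(MINIMAL_FIELDS.get(r.kind, ()))
        if extra:
            problems.append(f"{r.kind} record holds disallowed fields {sorted(extra)}")
    return problems


def build_sample_store(now: datetime) -> List[RetainedRecord]:
    """Constructed sample input: two internet records and one phone record."""
    raw_internet = {"src_ip": "198.51.100.7", "dst_ip": "203.0.113.9", "bytes": 4096,
                    "url": "https://example.test/login", "user_agent": "Mozilla/5.0"}
    raw_phone = {"source": "+1-613-555-0100", "destination": "+1-613-555-0199",
                 "duration_s": 312, "cell_tower": "YOW-17"}
    return [
        minimize("internet", raw_internet, now - timedelta(days=5)),
        minimize("internet", raw_internet, now - timedelta(days=95)),  # past cutoff
        minimize("phone", raw_phone, now - timedelta(days=40)),
    ]


if __name__ == "__main__":
    store = build_sample_store(DEMO_NOW)
    print(audit(store, DEMO_NOW))                            # one stale record
    print(audit(purge_expired(store, DEMO_NOW), DEMO_NOW))  # []
```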