Black Code: Inside the Battle for Cyberspace


by Ronald J. Deibert


  To help answer these questions, in 2011 the Citizen Lab set up a publicly announced project called RIM Check, a specially designed website in which users of RIM products were encouraged to fill out a series of questions about their usage. The website would collect the IP address and information about the device used, hopefully showing the route the request took based on the type of BlackBerry product being used. Our theory was that if RIM made arrangements with certain countries the exit point from the RIM network might show up on a server in a particular jurisdiction where it should not be. We also monitored for content filtering over the BlackBerry network.

  Although rarely mentioned at the time, the RIM controversy went beyond the interception of data. A BlackBerry is also used to surf the Web, and in many of the countries where RIM was being pressured Internet filtering is de rigueur. A Kuwaiti newspaper reported that RIM agreed to filter access to 3,000 pornographic websites at the regime’s request, and some users reported to us that RIM was already filtering access to Web content in the U.A.E. and Pakistan. Preliminary tests done in Indonesia suggested it might be going on there too. Although the data from the RIM Check project was too unreliable to draw firm conclusions (and we never published a final report for that reason), it did raise critically important questions and considerable public awareness about the issue.

  However much our RIM Check project was a thorn in the company’s side, it must have been only a minor irritation compared with the real deal: the demands being made on RIM by governments for access to its encrypted data streams were jeopardizing the company’s “secret sauce,” calling into question one of its most marketable components, its supposedly “unbreakable” communications network. Unfortunately, RIM’s strategy consisted mostly of saying as little as possible in the hope that the controversy would magically disappear, and its attitude about the issue was plainly visible when co-founder Mike Lazaridis petulantly terminated an interview with the BBC after being asked whether the company had secretly made arrangements to share its data with governments in the Middle East, India, and elsewhere. “C’mon, this is a national security issue, turn that off,” Lazaridis barked, ripping off his microphone and leaving his seat while the cameras rolled. Naturally, the video went viral.

  • • •

  Lazaridis’s comments about the matter being a “national security issue” are telling. The trend towards “other requests” is part of the securitization of cyberspace, the slow transformation of an issue into a matter of national security, with new policies and controls attached. As the Internet has become an integral part of everyday life, how it is constituted and by whom has become a critical issue. Securitization opens the door to clandestine arrangements, over-classification, and lack of accountability. Often operating in the shadows and not subject to rules and regulations, those in favour of securitization insist that national security requires that governments have the freedom to manoeuvre and make rapid responses to immediate threats, even at the expense of cyberspace users’ rights.

  These shifting forces become more pronounced during major events. Terrorist attacks – like 9/11 or the London Underground bombings – are like political earthquakes that unsettle the existing system of checks and balances and trigger an avalanche of legislation that under normal conditions would seem excessive. A few short weeks after 9/11, governments around the world passed anti-terror legislation with most of the statutes featuring similar fundamental components: beefed-up domestic policing powers, relaxed restrictions on the sharing of information between domestic law enforcement and foreign intelligence services; new requirements on the private sector to retain and share with security services the data they control; and, most importantly, a loosening of the requirements for judicial oversight into matters of law enforcement and intelligence. A June 2012 Human Rights Watch (HRW) report found that 144 countries have passed anti-terror laws since September 11, 2001, most of them covering a wide range of activities far beyond what is generally understood as terrorism and allowing for much wider latitude and action on the part of law enforcement and intelligence agencies. As the report noted, when viewed as a whole these laws “represent a broad and dangerous expansion of government powers to investigate, arrest, detain, and prosecute individuals at the expense of due process, judicial oversight, and public transparency. Such laws merit close attention, not only because many of them restrict or violate the rights of suspects, but also because they can be and have been used to stifle peaceful political dissent or to target particular religious, ethnic, or social groups.” We still live in the shadow of 9/11 as the endless war on terror proves, and an open cyberspace may become the ultimate victim.

  Cyberspace securitization is reinforced by international cooperation: governments and industry leaders share best practices and information, and develop new laws based on mutual experiences. Such international co-operation can lead to greater openness and mutual transparency, but the opposite is just as likely: international institutions can become the loci for the imposition of illiberal policies and greater government control. As HRW found, one of the chief reasons so many countries adopted anti-terror legislation after 9/11 is that the UN Security Council passed several resolutions urging member states to do so. This led to what HRW calls a “flood of new and revised laws that granted special law-enforcement and other prosecutorial powers to the police and other authorities.”

  Security and surveillance practices are also reinforced by networks of telecommunications companies that work in collaboration with government agencies, share expertise, develop standards and solutions, and harmonize practices. One such network is the Alliance for Telecommunications Industry Solutions (ATIS), a North America–focused consortium with more than 180 members from law enforcement and industry, including Public Safety Canada, Department of National Defence (Canada), the FBI’s Electronic Surveillance Technology Section, AT&T, Microsoft, Bell Canada, and Verizon. ATIS hosts a number of committees and subcommittees, some of which focus specifically on developing standards for lawful intercept, such as the cumbersomely titled Packet Technologies and Systems Committee’s Lawfully Authorized Electronic Surveillance (LAES) subcommittee, currently working on standards for Voice over Internet Protocol (VOIP) services. ATIS has a counterpart in Europe called the European Telecommunications Standards Institute (ETSI), whose meetings are also attended by the world’s largest telecommunications companies, and law enforcement and intelligence agencies such as Public Safety Canada and the United Kingdom’s Government Communications Headquarters. Such regular meetings help explain how and why countries like the United States, Canada, Australia, and the United Kingdom are all tilting towards shared policies around surveillance practices. The inside-the-club nature of the meetings – journalists and regular citizens cannot apply for membership in ETSI – may help explain why they’re also gravitating towards limiting the basic judicial protections at the core of liberal democracy.

  The Council of Europe’s Convention on Cybercrime – an international convention meant to coordinate law enforcement practices among member states – is another case in point, and dozens of governments party to this agreement (including many non-European states like Canada and the U.S.) are in the process of ratifying it through national legislatures. In Britain, the proposed Communications Data Bill – an update to the Regulation of Investigatory Powers Act (RIPA) – would require ISPs and other telecommunications companies to store a wider range of communication data (such as use of social networking sites, VOIP services, and email) accessed in near-real time by law enforcement without a warrant. Under the bill, ISPs would have to route data via a “black box” that will separate “content” from “header data” and also have the capability to decrypt encrypted communications (such as transmissions over encrypted SSL – Secure Sockets Layer – channels). The bill has been widely criticized across the private sector, civil society, and inside the government itself. Wikipedia’s Jimmy Wales threatened to encrypt all communications to the U.K., and stated: “It is not the sort of thing I’d expect from a Western democracy. It is the kind of thing I would expect from the Iranians or the Chinese.” Dominic Raab, a Conservative MP, said: “The use of data mining and black boxes to monitor everyone’s phone, email and web-based communications is a sobering thought that would give Britain the most intrusive surveillance regime in the West.”

  The necessity to conform to the Convention on Cybercrime has often been cited by Canada’s Conservative government as the impetus behind “lawful access” bills in Canada, the latest manifestation of which was Bill C-30 – the so-called Protecting Children from Internet Predators Act. That bill was politically mishandled, with Public Safety Minister Vic Toews infamously declaring in Parliament that you are “either with us or with the child pornographers,” leading to a major public backlash that included a prominent Twitter “#TellVicEverything” campaign in which users tweeted inane details of their daily lives. While the government shelved the bill, lawful access legislation will invariably return in another guise. The central components of the proposed legislation included expanding police powers, imposing equipment and training costs on telecoms and ISPs, enabling telecoms and ISPs to voluntarily provide consumer information to authorities without a warrant, forcing telecom companies and ISPs to provide detailed subscriber data without a warrant, and imposing gag orders on telecoms and ISPs that comply with lawful access powers. Taken together, it is as if the bill would legislate “other requests” as the domestic and international legal and operational norm.

  While the bill’s explicit details were ominous enough, a revelation that emerged almost by accident during the public debate was even more troubling. In making the case for the powers outlined in the proposed law, its backers accidentally let slip that Bill C-30 would legislate warrantless informal sharing of information that was already going on between telecom companies and law enforcement and intelligence agencies. From documents released under federal access to information laws, University of Victoria doctoral student and Internet privacy expert Christopher Parsons found that in 2010 the RCMP contacted ISPs for user name and address information more than 28,000 times without a warrant, with the ISPs complying nearly 95 percent of the time. Although meant to be a consolation to the bill’s critics, the revelation instead confirmed their worst fears: Canadian telecommunications companies and ISPs were already sharing data with law enforcement and intelligence agencies outside of judicial review! The bill would simply legislate that existing practice into law. “Other requests,” it seems, have been the norm in Canada for some time.

  As I ponder these issues, I think of Public Safety Canada’s “Building Resilience Against Terrorism, Canada’s Counter-terrorism Strategy,” released in February 2012. This document warns of “extremism” and the possibility of “low-level violence by domestic issue-based groups” and appears to open the door to the surveillance of legitimate non-governmental advocacy organizations. The strategy also details the need to monitor “vulnerable individuals” who may be drawn into politically motivated violence. I wonder what such a policy could lead to when government agencies are empowered to access personal data from private companies. Where are the protections against abuse, the checks against politically motivated witch hunts?

  The downloading of lawful access responsibilities to the private sector almost certainly will be reinforced by the opening up of new markets for the commercial exploitation of data. As companies are forced to surveil/police their networks and data, products and services are emerging that enable them to do so more effectively and efficiently. The American privacy researcher Chris Soghoian has studied how new policing responsibilities are affecting corporate behaviour, and how some companies derive revenues from charging fees for “lawful access.” He notes that the volume of requests received by one U.S.–based wireless carrier, Sprint, grew so large that its 110-member electronic surveillance team could not keep up. As a result, Sprint automated the process by developing an interface that gives government agents direct access to users’ data: George Orwell’s 1984 in one fell swoop. Of course, Sprint charges a fee for this access, a fee that law enforcement agencies from the police to the FBI are more than willing to pay. In 2011, the Sprint direct-access interface was used by law enforcement agents more than 8 million times!

  • • •

  While the securitization of cyberspace manifests itself in new laws and informal practices, part of the growing surge of “other requests” has to do with the incentives facing companies that own and operate cyberspace: when pressed with content take-down requests, the companies often opt for the cheap and easy solution rather than demanding due process, risking expensive legal battles, or getting expelled from lucrative markets. There are, of course, legitimate reasons for companies to comply with local laws and with law enforcement and intelligence agencies in the countries in which they operate. But increasingly such co-operation takes place in countries that do not have, or are watering down, legal checks and balances over cyber security. Also, many of these countries have a much broader notion of what constitutes a security threat, and too often human rights activists, political opposition groups, and free-speech advocates are included. In short, complying with “local law” can mean colluding with some very nasty regimes.

  The trend towards “other requests” in cyberspace policing is a disturbing descent into the world of black code. We live in an era of unprecedented access to information, and many political parties campaign on platforms of transparency and openness. And yet, at the same time, we are gradually shifting the policing of cyberspace to a dark world largely free from public accountability and independent oversight. In entrusting more and more information to third parties, we are signing away legal protections that should be guaranteed by those who have access to our data. Perversely, in liberal democratic countries we are lowering the standards around basic rights to privacy just as the centre of cyberspace gravity is shifting to less democratic parts of the world.

  Underpinning this state intrusion (with self-interested or directed corporate backing) is a bald-faced public relations campaign that says essentially this: “If you’ve got nothing to hide, you’ve got nothing to worry about.” While it is abundantly clear that a generation raised on and through social media is extraordinarily lax about personal privacy; that, indeed, seems to make a point of “going public” as often as possible; that has shelved the secretly written diary stored in a personal lock-box for “Look at me!” Facebook exposure, it is also true that I don’t have a single friend, or know a single person of any age, who doesn’t have secrets that they want and need to keep to themselves. (Indeed, I wouldn’t trust any other such person; it is what makes them individual and interesting.) And yet, this campaign has been and continues to be extraordinarily successful. Like bystanders refusing to get involved when they witness that a crime is afoot, we have collectively stood by as cyberspace has been, and continues to be, compromised.

  Long ago, the Canadian prime minister Pierre Elliott Trudeau may have insisted that “the state has no business in the bedrooms of the nation,” but the same does not hold true for privacy online. Today, our private chats are considered fair game, our need for online anonymity voided in the interests of “national security” and control over cyberspace. And so, we have the growing norm of “other requests,” a phenomenon that clearly illustrates why it is so important to lift the lid on cyberspace, to ask who controls the domain and what are they doing with our data? What happens to our email after we hear the woosh of it leaving our screens? Is it shared with anyone without our consent? Under what circumstances? Many of the companies that own and operate the complex services and infrastructure of cyberspace reassure us that their services are secure and that our data remains confidential, but the devil is in the details, in those lengthy end-user licence agreements we agree to before using our BlackBerry, iPhone, or Gmail accounts. Take, for example, the Internet Services Privacy Policy of Rogers Yahoo! (my own ISP), which states the following: “Personal information collected for the Internet Service may be stored and processed in Canada, the United States or other countries and may be subject to the legal jurisdiction of these countries.” Other countries? Really? My data can be processed in another country and subject to its laws? Which countries? Whose laws?

  In the universe of “other requests,” one can only guess.

  8.

  Meet Koobface: A Cyber Crime Snapshot

  “I own them!” Nart Villeneuve said triumphantly.

  “What do you mean, you own them?” I asked.

  “Their entire database. The mother ship. Victims, referrals, revenues, cellphone numbers. Everything!”

  “How?”

  “Even bad guys have to back up their data.”

  There is a 1960s episode of Star Trek in which the main characters, Captain Kirk and Spock, are confronted by their evil doppelgängers, physically identical to them in every way. Fifty years later, Facebook, the world’s largest social networking community, has been confronted by just such a doppelgänger: Koobface.

 
