ISPs — you can’t trust ’em

myblogdammit.net isn’t meant to replace freedom of speech advocacy site p2pnet.net, which I founded 10 years ago and had to stop publishing because of serious health problems.

However, myblogdammit IS my blog, dammit, and that I stopped running p2pnet doesn’t in any way mean I’ve lost interest in the rights of freedom of speech, freedom of expression, and/or the way the authorities in the shape of governments and their various enforcement agencies and tame corporations believe they can with absolute impunity eavesdrop on our private conversations anytime they claim it’s necessary.

To digress briefly, the FBI’s interest in Christopher Soghoian’s 122-page doctoral dissertation at Indiana University is huge.

Published this August and entitled The Spies We Trust: Third Party Service Providers and Law Enforcement Surveillance, it sparked tremendous interest within the Federal Bureau of Investigation — but their interest was anything but academic.

My own fascination with Soghoian’s thoughts and ideas started back in December, 2009, when p2pnet featured the prequel to his doctoral dissertation which’d first appeared in slight paranoia.

I was turned onto it by Chris Parsons [see below], himself a political science doctoral candidate at the University of Victoria on Vancouver Island, where we both live.

This time around, Soghoian quotes Albert Gidari Jr’s keynote address to HeinOnline, “Companies Caught in the Middle”, to wit:

“[Service providers] have, last time I looked, no line entry in any government directory; they are not an agent of any law enforcement agency; they do not work for or report to the FBI; and yet, you would never know that by the way law enforcement orders them around and expects blind obedience.”

And it seems not only hasn’t the unholy situation changed much, it hasn’t changed at all.

My friend, DPI expert Chris Parsons, was once again responsible for telling me about Soghoian’s mind-boggling work.

Normally, in a post like this where I quote from the source, I wouldn’t include acknowledgments, but in this case, I will because they’re not only extremely interesting, they’re highly relevant.

Soghoian says: “First, I would like to thank L. Jean Camp, who selflessly put herself at risk in order to save me from two extremely unpleasant encounters with the FBI. I will be indebted to her forever.

I would also like to thank Stephen Braga and Jennifer Granick, two stellar attorneys who came to my defense in 2006 after the FBI took an interest in my work, raiding my home at 2AM and seizing my personal documents and computers. Their expert assistance led to the return of my possessions in just three weeks and the closing of the FBI’s criminal and TSA’s civil investigations without any charges filed.

Jennifer Granick came to my assistance a second time (and was joined by Steve Leckar) in 2010 after the Federal Trade Commission’s Inspector General investigated me for using my government badge to attend a closed-door surveillance industry conference. It was at that event where I recorded an executive from wireless carrier Sprint bragging about the eight million times his company had obtained GPS data on its customers for law enforcement agencies in the previous years.

I am immensely indebted to Al Gidari, who knows more about law enforcement surveillance than anyone else outside of the government. The breadcrumbs he has left behind have been more useful than any other single source of data.

I would also like to thank Kevin Bankston, David Sobel, Marcia Hoffmann and Catherine Crump, who were exposing and fighting government surveillance long before I took an interest in the topic. They helped me to learn the obscure art of the FOIA request, and inspired a number of my own requests, several of which have borne useful fruit.

Nabiha Syed has also been extremely generous with her time, helping me with my clumsy efforts to engage in pro se FOIA litigation.

I am, of course, not the only researcher or activist interested in Internet surveillance. Caspar Bowden, Ian Brown, Duncan Campbell, Eric King, Christopher Parsons, Aaron Martin, Julian Sanchez and Marcy Wheeler have done their own share of muckraking and expert analysis, pointing me to resources and critiquing my own theories.

Tim Sparapani, during his time working as a Washington lobbyist for Facebook, unintentionally taught me how to stand up to bogus legal threats from a large corporation. For this lesson, I thank him. I suspect that it will be a skill that will pay dividends in the future.

The stimulating conversations I’ve had with Paul Ohm have forced me to rethink my previously black and white view of the world, in which I demonized anyone who had at one point chosen to work for the Department of Justice, particularly in the area of computer crime.

Likewise, my friendship and collaboration with Stephanie Pell has been a wonderful surprise. I would have never expected to befriend a former national security prosecutor, let alone be repeatedly welcomed into her home. Stephanie has helped me to better understand the law enforcement perspective and forced me to be far more pragmatic in my interactions with people in Washington.

Jim Green introduced me to the Washington handshake, opened doors that I never knew existed and has been an absolutely fantastic mentor in the ways of Washington. I would have never predicted that I’d be able to find common ground with a telecom industry lobbyist, let alone be able to honestly describe him as a friend. This city can bring people together in strange ways.

I spent one year at the Federal Trade Commission, and thus have several people to thank there. While the agency’s powers are often limited, Commissioner Pamela Jones Harbour was willing to use her bully pulpit to pressure companies to put privacy first.

She taught me that a single speech can be an extremely effective way to nudge industry to protect consumers, particularly when regulators have limited powers. I would also like to thank David Vladeck, Chris Olsen and the entire Division of Privacy and Identity Protection. My time at the FTC was by far the most rewarding, yet most frustrating year of my life thus far. I created constant headaches for management, and no doubt annoyed many people with my habitual lateness, my refusal to submit to the background check required of all federal employees, my shorts and sandals, and the flood of new cases I proposed. I greatly appreciate the patience and goodwill that everyone at the FTC showed me.

My research into government surveillance first began during a one-year fellowship at the Berkman Center, during which they gave me the impossible task of trying to measure the scale of government surveillance. Thankfully, they were not upset when I failed. As a member of the Berkman community, numerous doors have opened for me. For this, and the countless stimulating conversations I had during my year in Cambridge, I am very thankful.

I am immensely indebted to Paul Syverson, who, during an evening chat in Bloomington, gave me the best advice of my entire academic career. Had I not followed it, I am certain that I would not have lasted this long in academia.

Marc Rotenberg first introduced me to writing FTC complaints and using them to frame the policy debate. The path I now follow as a privacy activist in Washington DC is one that Marc played a major role in establishing and legitimizing. Watching him in action has been highly educational.

At the beginning of my graduate studies in Indiana, Fred Cate was critical, and reasonably so, of my reckless approach to activism and the lack of focus in my academic research. In the years since, he has become one of my strongest supporters, and, quite amusingly, has also become a vocal opponent of security theatre, long after I stopped harassing the Transportation Security Administration.

Markus Jakobsson has been a fantastic academic advisor, who has been there for advice when I needed it, but hands off enough to let me find my own direction. Most surprising, he willingly remained my advisor long after my focus strayed away from our shared interest in phishing and fraud. Were it not for his support, and repeated prodding, I would never have finished.

Geoffrey Fox kindly volunteered to chair my dissertation committee after university rules prohibited Markus from continuing to formally occupy the role. In doing so, Geoffrey freed me from a nightmare of red tape, frustration, and numerous arguments with university officials.

Over the past several years, my activism and research have not been entirely focused on the issue of government surveillance. Derek Bambauer, Kelly Caine, Allan Friedman, Ashkan Soltani, Sid Stamm and Harlan Yu have helped me out countless times with many other privacy and security related projects.

Finally, over the last few years, a large number of individuals have leaked information to me. In some cases, these leaks were to score political points, to harm their competitors, or in a few cases, because they are alarmed by the government’s actions or surveillance powers. Whatever the reasons, these leaks have been extremely helpful, and so while I cannot for obvious reasons name my sources, I would like to thank them here.”

Back to the final document, Soghoian states, “Third party facilitated surveillance has become a routine tool for U.S. law enforcement agencies, enough so that major providers like AT&T, Verizon, Google, and Facebook all have dedicated teams who collectively receive and respond to approximately one and a half million requests each year.

“While this practice is common, there is little public data quantifying the degree to which companies are forced to spy on their customers. As such, the true scale of law enforcement surveillance, although widespread, remains largely shielded from Congress, the general public, and the court

He concludes, “In this dissertation, I have documented the central role that third party communications service providers now play in the surveillance of their customers by law enforcement agencies. Quite simply, these firms power the surveillance state in which we now live. Without their assistance, the government would be wholly unable to get the depth of data it desires, at the scale it now demands. For large companies, surveillance is now an inescapable responsibility. Often, their assistance is required by law, and when it isn’t, the government can usually apply sufficient pressure to get the companies to bend.

“Over the past few decades, the scale of electronic communications surveillance has quietly grown from a few thousand requests to more than one and a half million requests each year. During this time, the government has gained access to new sources of data and economies of scale made possible through the shift to automated surveillance. Meanwhile, the public, Congress, and the courts remain largely in the dark. Those who have watched the expansion of the surveillance state and who understand its scale — the surveillance teams within the companies, their lawyers, and law enforcement officials — rarely talk. For the companies that collect consumers’ data and the government agencies that seek to obtain it, there is little to be gained by discussing such topics. The companies fear scaring away consumers, while those in the government wish to avoid educating criminals and the general public about the reach and limitations of their surveillance capabilities.

“Year after year, the number of surveillance requests received by the companies grows at double-digit rates, while at the same time, the incentives of the companies and government are aligned to shield this information from the public. With every new free communications service, social app, or mobile technology, more private data about individuals ends up in the hands of companies. Eventually, law enforcement agencies will demand this data and the companies will be obligated to hand it over, often without ever telling the impacted users.

“Companies can take steps to limit the extent to which they actively facilitate government surveillance, should they wish to do so. Minimal data retention policies can be adopted, strong encryption built into products, and legal teams directed to fight on behalf of users. Unfortunately, few companies have taken such steps, particularly those in heavily regulated markets or those that collect and monetize user data. Fighting the government — or even prioritizing the privacy of users over the surveillance apparatus — is bad for business.

“The symbiotic surveillance alliance between the large companies and the government has been able to exist and frankly, to fester, because of secrecy. This is because the public does not know how much of their data is collected and retained by these companies, and because they do not understand how much of it or how frequently it is delivered to the government. Under such conditions, starved of sunlight, it is no surprise that the interests of users are not represented.

“If there is any hope that politicians and the courts will take on law enforcement interests, it will be as a result of increased transparency. Once those in power learn how much of their own communications, location data, and other private information has ended up in government databases, they may be more likely to act. This dissertation is just one step along the path to exposing and restraining the surveillance apparatus.”

He also includes a highly appropriate quote from George Orwell’s Animal Farm:

“…the creatures outside looked from pig to man, and from man to pig, and from pig to man again: but already it was impossible to tell which was which.”

And in his paper Soghoian states, “Telecommunications carriers and service providers now play an essential role in facilitating modern surveillance by law enforcement agencies. The police merely select the individuals to be monitored, while the actual surveillance is performed by third parties: often the same email providers, search engines and telephone companies to whom consumers have entrusted their private data. Assisting Big Brother has become a routine part of business.

“While communications surveillance is widespread, the official government reports barely scratch the surface. As such, the true scale of law enforcement surveillance has long been shielded from the general public, Congress, and the courts. However, recent disclosures by wireless communications carriers reveal that the companies now receive approximately one and a half million requests from U.S. law enforcement agencies per year.

“In addition to forcing companies to disclose the user data they already have, companies are also regularly compelled to modify their products in order to facilitate government surveillance. Some have been required to build surveillance capabilities directly into their products, while others have been forced to repurpose existing features in commercial products for surveillance.

“In spite of the government’s ability to compel assistance, many companies have a surprising amount of freedom to design privacy enhancing features into their products, including minimal data retention policies and data encryption. Likewise, where the law is vague, companies can adopt strict, pro-privacy legal positions, forcing the government to obtain a warrant and providing users with notice when their data is disclosed to the police.

“Although companies are able to build privacy protections into their products and embrace pro-privacy legal theories, few do so, and those that do, rarely discuss it. Significant differences exist regarding the extent to which service providers protect the privacy of their customers, yet there is no real way for consumers to learn these differences and compare providers. The market for privacy, at least with regard to government access, simply does not exist.”

It couldn’t happen here in Canada?

But it already has. Well-known Ottawa law professor Michael Geist says in his Toronto Star column, “Privacy International, one of the world’s leading privacy organizations, last year released the results of a multi-year investigation into the shadowy world of the commercial surveillance industry. Dubbed ‘Big Brother Inc.’

“The investigation placed the spotlight on dozens of companies that specialize in covert surveillance technologies that are typically sold directly to governments and law enforcement agencies.

“While governments in Asia and the Middle East have provided a ready market for technologies that can monitor Internet activities, Canada’s new online surveillance legislation features provisions that appear to open the door to bringing such tools here.

“The Privacy International investigation revealed that surveillance companies commonly promote virtually unlimited monitoring capabilities to governments and police agencies. For example, Italian-based Innova offers “solutions for the interception of any kind of protocols and IP-based communication, such as web browsing, email and web-mails, social networks, peer-to-peer communication, chat and videochat.”

“Endace Accelerated, a New Zealand-based company, promotes the “power to see all for Government” and the U.K.-based Gamma Group offers “turnkey lawful interception projects” that include SMS interception, speech identifying tools, and data retention.

“In all, the investigation demonstrated how online surveillance has become a massive global industry that makes it easy for law enforcement agencies to implement surveillance capabilities.

“Several Canadian companies, including B.C.-based Vineyard Networks, which specializes in deep packet inspection of Internet traffic — a form of filtering that examines data for viruses or spam — for lawful interception purposes, were included in the report. Yet more important than the Canadian surveillance industry is the potential market in Canada for surveillance technologies.

“Most of the attention on the recent introduction of Internet surveillance legislation has focused on the mandatory disclosure of Internet and telephone subscriber information without court oversight. But just as troubling is the plan to create a massive new surveillance infrastructure within the Canadian Internet.

“Bill C-30 requires Internet providers to acquire the ability to engage in multiple simultaneous interceptions and gives law enforcement the power to audit their surveillance capabilities. Should it take effect, the bill would create a new regulatory environment for Internet providers, requiring them to submit a report within months of the law taking effect describing their equipment and surveillance infrastructure. Moreover, they would actively work with law enforcement to test their facilities for interception purposes and even provide the name of employees involved in interceptions to allow for possible RCMP background checks.

“In addition to the surveillance requirements, the bill would also give the government the power to install its own equipment directly onto private Internet provider networks. Section 14(4) provides:

“The Minister may provide the telecommunications service provider with any equipment or other thing that the Minister considers the service provider needs to comply with an order made under this section.

“This amounts to government power to decide what specific surveillance equipment must be installed on private Internet provider and telecom networks by allowing it to simply take over the Internet provider or telecom network and install its own equipment.

“With ongoing doubts about the ability of Canadian Internet providers to pay the multi-million dollar costs associated with new surveillance equipment (and some speculation the government is prepared to provide tens of millions of dollars in assistance), the government may ultimately shift toward a model in which it buys the surveillance equipment and uses Section 14(4) to require the Internet providers to install it. If that is what the government has in mind, Bill C-30 will soon look like a giant Canadian ‘open for business’ sign to Big Brother Inc.”

And you thought the only privacy invaders were the likes of Facebook, Google, Yahoo et al?

Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. His blog is here (http://www.michaelgeist.ca/).

Follow me on Twitter @jonnewton8