Security Versus Surveillance After Snowden

Just published in the latest issue of the open-access Surveillance & Society journal is a piece I originally wrote while attending the Surveillance Studies Network conference in Barcelona in 2014. By that point, nearly a year after the first Snowden disclosures, the most significant revelations had come out and it was possible to take stock of their impact. I was studying the Canadian telecom policy at the time, attending industry conferences and international events like NANOG and the IETF. At both kinds of meetings, discussions of privacy, surveillance and Snowden were unavoidable that year. We had entered the post-Snowden era, and this was evident beyond conferences’ discussion topics.

When the first Snowden disclosures happened in June 2013, conflicts between the NSA and private industry had cooled (and relations warmed), following mid-1990s fights over the clipper chip. Many information security practitioners in 2013 had not been involved in these political battles from twenty years ago. Some infosec professionals had started out as troublesome hackers, but the NSA now saw domestic hackers as less of a threat and more of a recruitment opportunity, with the head of NSA (Gen. Hayden) giving a keynote at Def Con in 2012. Individuals from the NSA had also participated at the IETF, and many in the private sphere had come to see themselves as essentially fighting on the same side as government. The biggest enemies were foreign state-backed hackers (“advanced persistent threats”), concern over which had reached an all-time high in 2013, particularly through the threat emanating from China. Snowden changed all that; Chinese hackers dropped from the headlines, the IETF took a public stand, and the NSA took a “time out” from hacker conferences. It wasn’t just that the Five Eyes were carrying out mass surveillance — they were doing so by compromising the security of technologies, institutions, and people they claimed to protect.

As many (including Snowden) argued, secret government surveillance in a democracy is a political issue, and the disclosures brought secret programs to public attention to make an informed policy debate possible. But other than the USA Freedom Act, meaningful political action did not materialize, and in the United States the debate largely centered on the question of whether Americans were illegitimately spied upon by their own government (as opposed to larger questions of international mass surveillance and governments compromising technologies used by their own citizens). But some institutional relationships and technologies were immediately altered because of Snowden, and the practical consequences of changes undertaken in the private sector and civil society have been more significant than political reforms.

Post-Snowden security responses include Google securing its own international links, a wider shift toward encrypting web traffic (through HTTPS), or Apple’s post-Snowden security upgrade, which set off a massive legal fight with the FBI over an iPhone in 2016. It’s not that mass surveillance has become more difficult across the board — Apple now faces new concerns about iPhone security and the privacy compromises it has made to enter into the Chinese market, but the company’s pre-Snowden cooperation with U.S. authorities is over.

More broadly I hope this piece will be useful in distinguishing between different kinds of security: cyber, national, and information technology (IT), and how these relate to privacy and surveillance. Before Snowden, many in Five Eyes nations saw national, cyber, and IT security as working together. After Snowden, IT security has become a form of resistance against surveillance tied to national security and cyber security projects.

All good things…

Since 2012, I’ve been working on my PhD dissertation research into Canadian internet policy at the University of Alberta’s Department of Sociology. This month I successfully defended the dissertation (pdf), which addresses the theme of this blog — intermediation. This includes an analysis of the political economy of Canadian telecom, competition regulation, public connectivity, privacy, security and lawful access, copyright, net neutrality, and alternative or public approaches to connectivity.

An enormous thanks to all those who have helped me get to this point by sharing what you know about these topics. Many people have told me things that do not appear in the final thesis, but rest assured every interaction I’ve had over the years has helped to inform my understanding to get to this point. It’s been really great hearing from internet pioneers, Canadian telecom professionals, public servants, policy experts, and all those who help make this connected world what it is.

So what’s next? I plan to continue pursuing all the topics that have animated this research. We’re still talking through many of the same telecom and internet policy debates as when I started, and ISPs are still crucial gatekeepers and mediators of connectivity. The blog will keep its focus, though there may be some changes in frequency as I move on to new professional responsibilities at UBC. However, I imagine in the future I will be thinking more about Silicon Valley companies and the business model we might call platform capitalism, so the nature of the intermediaries I focus on may change. I will also be keenly looking for approaches to connectivity that are more locally-oriented, and alternatives to the giant firms that currently dominate connectivity and our online experiences.

ISPs as Providers of Equitable Connectivity

Recently in the news — Canadians love connectivity and they want it cheaper. We can see this either as an indicator of increasing competition in the sector (thanks to Freedom Mobile), or a sign of how high rates and data caps make Canadians scramble for a deal when it’s offered.

The focus now is on mobile plans, but we’re not having the discussion about an affordable option for residential broadband. As announced in last year’s federal budget, affordable government-approved broadband for low-income Canadians may eventually become available. While there are strong parallels between this approach and 20th century efforts to achieve universal service through cross-subsidization, this will likely not be a universal program. Rather than imposing some sort of “skinny basic” for the internet, the federal Cabinet has made affordable internet a priority, allocated money, and left us waiting on the details.

In a previous post, I wrote about the CRTC’s universal service objective, and how the Commission likes to stay out of setting retail prices for broadband (unless we’re talking about an IPTV service). The CRTC does regulate wholesale internet rates to promote competition, and this is supposed to control prices, but part of the rationale for not intervening directly on retail pricing was to avoid doing something that would “inadvertently hinder the development of further private and public sector initiatives” on affordability. Well, the federal government’s $2.6 million annual program announced last March, can be seen as a public program to nudge private sector initiatives along. The money is meant to help support ISPs that offer low-priced connectivity to low-income families, who will also receive refurbished computers.

This is similar to what Rogers and TELUS have been doing already in select markets, and these companies may end up being able to roll their existing programs into whatever is finalized as the government’s plan with little effort. But if other providers do join (or are compelled to participate in a mandatory program), then this becomes more of an industry norm than a distinguishing virtue. Rogers and TELUS have been trying to behave and stand out as good corporate citizens (Bell’s distinctive efforts in this regard have been championing the issue of mental health).

The discussion is understandably focused on the incumbents here, but let’s not forget there are a host of organizations and ISPs that have long been devoted to a more equitable distribution of connectivity in society: FreeNets & community networks (NCF, VCN, ViFA, Chebucto), publicly-funded rural broadband (like SuperNet, or one-time funding programs like Connecting Canadians and Connect to Innovate), First Nations initiatives, as well as public internet access sites. The federal government’s affordable access program for low-income households was criticized for being developed independent of groups that have been advocating for affordable connectivity in recent years, and following this criticism the proposal was sent back to the design stage to gestate further.

Personally, I love to see programs targeted for low-income Canadians that need them most, but the shelved affordable access proposal was a feather-light welfare policy. This was not the state using the market to achieve a public good — this was the state trying to achieve a public good without imposing any undue burdens on the market, with the private sector invited to participate. It would have encouraged a form of cross-subsidization, where ISPs use wealthier subscribers to subsidize poorer ones. In the monopoly era, cross-subsidization is how universal service (a phone in every home) was achieved. The telco companies had their regional monopolies, and one justification for this monopoly power was that you could take profits from urban areas to subsidize connectivity for more expensive (or less profitable) rural areas. After the monopoly era ended, we shifted to the cultivation of competition and deference to market forces. The societal benefits of internet access for everyone are clear, but the distribution of connectivity is still treated as a corporate responsibility.

This Liberal government is taking its time on this issue — perhaps they see flaws in the previous approach but are reluctant to push a more robust policy.  In the meantime, telecom companies may be less willing to develop their own affordable access programs knowing they may have to adjust to whatever shape government policy takes.

Competition Regulation and Internet Policy

If you’re interested in domestic internet governance in Canada, you need to know something about competition regulation. The same is true in much of the rest of the world where the telecom industry underwent liberalization (was opened to market competition) and also exhibits high levels of concentration and regulatory concerns about market power. For instance, Uta Meier-Hahn’s survey of network operators found that competition regulation was one the most common forms of interconnection regulation reported by participants. Here in Canada, telecom competition has been regulated ever since we moved away from monopoly control. This is why it’s inaccurate to describe what happened in the 1990s as deregulation. The neoliberal fantasy may have been to get government out of the way and turn everything over to market forces, but government decided it was going to take some purposeful regulation to get us there, and we never got there.

I’d like to distinguish between two basic kinds of competition regulation that matter: positive and negative (modifying this previous contrast I used to talk about ISP responsibilities). The first mode of regulation is the set of regimes, like mandated wholesale, that specify how competitors are required to behave and relate to one another, and other ways of addressing imbalances or insufficient competition in the market. This includes the way that smaller companies or “new entrants” are given certain advantages and protection (“set-asides”) in spectrum auctions. All of there rules are justified as promoting more, better, or fairer competition — they are positive forms of regulation, in that they create, cultivate, and encourage that which is desirable. They are premised on the idea that competition is a problem and that liberalization is incomplete. In other words, the market is not competitive enough and whatever the goal that the policy transformation of the 1990s was meant to achieve, has not been reached. The state can structure and configure conditions so as to improve things, or to set up market actors in a way that increases competitiveness. These are the kinds of competition regulation that matter most in the day-to-day of the telecom industry, and are often structured through a system of CRTC decisions (ISED when it pertains to spectrum).

The second set of regulations are essentially negative — they ward off the undesirable. Where positive regulations try to seed and fertilize the field (giving more fertilizer to the plants that need it the most), negative regulations tear out the weeds. This metaphor helps to show how this distinction is not entirely neat, since tearing out weeds creates better conditions for growth (there is a positive aspect to negative regulation and vice versa), but hopefully you get the idea — this is a heuristic. Both are forms of regulatory action, but the first promotes the good while the second restricts the bad. Negative regulations focus on what will not be tolerated and work to eliminate or prohibit these. They impose sanctions or consequences for undesirable conduct, drawing lines across which market actors shall not cross.

Canada’s Competition Bureau is a key actor when it comes to these negative forms of regulation, not only in the way it punishes abuses of market power (albeit rarely in telecom) but also the distinctions it makes when approving or rejecting mergers. There is a positive dimension here, in that a merger or consolidation can be approved along with conditions that are meant to promote competition, and the Bureau generally holds that mergers are good for competitiveness, but it also draws lines that big businesses wishing to swallow competitors will not cross. These lines can be quite permissive, as in Bell’s recent acquisition of MTS, but with so few major players left in the telecom market, further consolidation among these giant firms (the recurrently raised prospect of a Bell-TELUS merger) would be tricky. While positive regulations try to foster competition, negative regulations prevent us from slipping back to monopoly.

This is why issues around concentration of power and competition are so fundamental for internet governance — domestically, they make the difference between a world of multiple interconnected networks, and a world under monopolistic control. On that note, Dwayne Winseck and his team at the Canadian Media Concentration Research Project have been an important resource for tracking shifts in consolidation and concentration in Canadian media, ISPs included. With the latest annual update just released, I encourage you to check it out for lots of details and background. One of the takeaways is that when it comes to internet access in Canada, things are holding relatively steady. This means that the positive regulations aren’t being very successful in effecting change in the market, while the negative ones help maintain the status quo.

Review of Susan Landau’s — Surveillance or Security?

I’ve been going through my files recently, and discovering some that I had forgotten. A couple of times now I’ve had submissions to journals fall into a void. Ideally, when this happens the piece can still find a home somewhere else, but this was a review of book from 2010 written in 2012, and in 2013 Snowden changed the world and I felt the need move on. Still, Landau’s book remains valuable and some of these issues are even more salient today (also of note, in the 1990s Landau co-wrote Privacy on the Line with Whitfield Diffie).

Book Review: Landau, Susan. 2010. Surveillance or Security?: The Risks Posed by New Wiretapping Technologies. Cambridge, MA: MIT Press.

The choice between security and civil liberties remains a commonplace way of framing many surveillance debates. Susan Landau’s argument in Surveillance or Security? is that many surveillance technologies and systems not only compromise privacy, but may actually make us less secure. This thesis, while worth repeating, will not be novel for some readers familiar with surveillance and security debates. However, readers who are already well-versed in criticisms of the freedom-security opposition will still find a great deal of value in Landau’s book, including the nuance of her more policy and technology-specific arguments and the wealth of detail she provides on various electronic surveillance practices. The patience and clarity with which Landau walks readers through this detail is commendable, and the book makes many technical and legal matters understandable to those unfamiliar with telecommunications, electronic surveillance, or U.S. law. Despite this, reading Surveillance or Security? from beginning to end requires a considerable interest in the subject matter, and much of its detail will be superfluous to those interested in more general surveillance questions or electronic surveillance in a non-U.S. context.

The nuance of Landau’s argument preserves a legitimate and lawful role for surveillance by state actors, and her critique is targeted specifically at emerging forms of surveillance made possible in the age of digital networks. Of greatest concern is the ability to embed surveillance capabilities into our increasingly-capable communications infrastructures. Justifications for expanded or “modernized” police and national security surveillance capabilities are often premised on the need to bring telephone-era laws and abilities up to date with the internet. Landau provides a very effective introduction to telephone and packet-switching networks, the development of the internet, and the contemporaneous changes to U.S. surveillance law and practice. In the process, she shows how the nature of communication and surveillance has been transformed, and how inappropriate the application of telephone-era surveillance logic can be for internet architecture. While telephone and packet-switching networks are now deeply integrated, the reader will learn just how difficult “wiretapping the internet” is when compared to traditional telephone wiretaps. On the other hand, the book also discusses the vast amounts of information available about our digital flows, and how these possibilities of data collection introduce new dangers.

The most forceful of Landau’s arguments are against the embedding of surveillance capabilities into our networked communications infrastructure, as this amounts to an “architected security breach” (p.234) that can be exploited or misused. The main example provided by the author of such modern wiretapping gone wrong is the activation of surveillance capacities embedded in the software of an Athens mobile phone network during 2004 and 2005, wherein parties unknown targeted the communications of Greek government officials. While this case of wiretapping was highly selective, Landau also cites the current U.S. “warrantless wiretapping” program to illustrate the dangers of overcollection. A third case, the FBI’s misuse of “exigent letters” to acquire telephone records after September 11, shows how the risk of overcollection is exacerbated when wiretapping cannot be audited and fails to require “two-organizational control”. In the exigent letters case, FBI investigators and telephone company employees working closely alongside one other were able to nullify institutional boundaries and circumvent legal requirements. From these cases, Landau concludes that “making wiretapping easy from a technical point of view makes wiretapping without proper legal authorization easy” (p.240). Among her chief concerns is the historical propensity to take advantage of surveillance-ready technologies to target journalists and political opponents, and the possibility of “nontargets” being caught up through overcollection.

Surveillance or Security? offers solutions as well as warnings, and these are primarily oriented towards safeguarding communications security. As a general prescription, Landau argues for partitioning our networks to a greater and more sophisticated degree. This includes increased use of identity authentication and attribution for particular networks, and keeping others entirely inaccessible from the public internet. But Landau expressly opposes building identity authentication and surveillance mechanisms (such as deep packet inspection) into the internet itself. Overall, this is a sensible solution that can address “digital Pearl Harbor” fears while preserving the general openness of the internet. Our networks already have “walled gardens” for governments and corporations, and Landau calls for more effective partitions as well as open public vetting of security mechanisms (pp.240-241). Sanctioned wiretaps should also be auditable and not under the independent control of any one organization.

Ultimately, questions about how the internet should be designed and governed boil down to what we value in the network. Many have pointed out that that the values which drove the development of the internet did not include ensuring its security, so that concerns over identification, authentication, malware and cyberattack surfaced later in its development and are difficult to resolve. The debate over whether internet governance and internet architecture needs to be revised in the interests of security continues to this day, but the choice is not simply between security and openness. Rather, “security” can point to a whole host of challenges, some of which can be in opposition to one another. Landau does indeed distinguish between different security threats, but while there is a chapter entitled Who are the intruders?, no equivalent breakdown is given of “whose security” is of primary interest. Instead, Landau treats personal security, national security, and corporate security as compatible and amenable to some of the same solutions. She explicitly values personal privacy and the open innovation made possible by the internet, but also warns against growing foreign threats to the economy and critical infrastructure of the United States. The closing sentence of the book calls for communication security “to establish justice, maintain domestic tranquility, and provide for common defense” (p.256), and it is in the tensions between these three objectives that the supposedly false choice between freedom and security materializes once again.

Landau promotes the value of privacy and journalistic freedom, puts the danger of terrorism “in context” (p.222), and warns against heavy-handed approaches to illegal file-sharing (pp.34-35). But in debating the appropriateness of embedded surveillance or privacy-enhancing cryptography, the reader also learns that “we must weight the costs” (p.35) or the advantages against the disadvantages (p.219) of such technologies and practices. The problem is that different readers may have rather different conception of who is denoted by the “we” in such a formulation, and where the costs accrue. If the security threat is the “havoc” that can be wreaked through an internet connection multiplied by the size of the cyber-capable Chinese army (as Landau suggests in the epilogue, p.255), then Richard Clarke and Robert Knake’s (2010) proposal to embed surveillance and filtering at internet service providers (ISPs) to deal with foreign cyberattacks might seem quite reasonable (such surveillance would receive “rigorous oversight by an active Privacy and Civil Liberties Protection Board to ensure that neither the ISPs nor the government was illegally spying on us” [Clarke & Knake 2010, p. 162]). The principles which guide Landau’s judgments are those embodied in the U.S. Constitution, the open and innovative possibilities of our networks, the right to privacy in communication, and the need to be protected from electronic “intruders” and “threats”. But in making these various appeals Landau is also providing the means to undercut her argument against embedded surveillance, if one values a particular type of security or fears a threat to security over others. She closes with an appeal to consider communications security as vital to both national and personal security, to democracy as well as defense (p.256), but the argument that embedded surveillance makes us less secure is on weaker footing when faced with the catastrophic specter of a cyber-war with China.

In the end, readers may find themselves confronting the dilemma identified by Jonathan Zittrain (2008, pp.60-61), who argues that “the cybersecurity problem defies easy solution, because any of the most obvious solutions to it will cauterize the essence of the Internet”. Like Zittrain, Landau thinks we can improve cybersecurity without sacrificing the internet’s propensity for openness and innovation, but at times she seems to address her arguments more at U.S. policy makers, security officials, and American citizens than at a general readership. The book includes a chapter devoted to analyzing “the effectiveness of wiretapping” in the furtherance of national security and criminal investigations, and the threat of China’s espionage and cyberattack capabilities looms large against a “United States that is being weakened by the very information technologies that brought the nation such wealth” (p.171). Landau’s approach may appeal to those Americans in greatest need of convincing, but it marginalizes arguments based on more critical premises, such as the potential of open networks and private communications to facilitate valuable forms of disruption and social change.

Surveillance or Security? focuses on the U.S. because the complexity of wiretapping policy is better explored through one nation’s economic and legal perspective, and Landau claims that “it should not be hard to reinterpret the issues from the perspective of other nations” (p.10). The networks that constitute the internet certainly warrant analysis on the level of the nation-state, in particular due to the increased assertion of territorially-based state power over and through the internet. The U.S. also deserves study in its own right by anyone interested in global telecommunications, not only because of the influential role of the U.S. in the history of telecom, but because the world’s telecom networks remain disproportionately dependent on U.S.-based institutions and infrastructure. The layout of global fiber-optic cable makes the U.S. “a communications transit point for the entire world” (p.87), and the overall layout of the World Wide Web also remains largely U.S.-centric.

However, many of the details of U.S. wiretapping legislation and practice will not be of interest either to the general reader or to the scholar interested in broader questions of surveillance and telecommunication. The book’s detailed analysis of the U.S. case is therefore its greatest strength, or, for a more general audience, its greatest weakness. Among other strengths are the clarity of Landau’s descriptions of network architecture and internet history, which do not presume prior knowledge on the reader’s part. Surveillance or Security? is clear and approachable, and contributes some much-needed scholarship on the intersection between state and private institutions underpinning contemporary surveillance systems. At its best, it pours cold water on the need to overhaul the internet and expand the scope of electronic surveillance, but Landau is not above fanning the flames to give the issue of communication security some added urgency. In between, surveillance scholars will find plenty of value in the book’s well-researched detail and Landau’s considerable expertise.

One of the headings in the book, What it means to “get communication security right”, remains an open question, with governments moving slowly on the issue, and private institutions largely pursuing their own policies. While it seems clear that securing our communications networks will not be quick or easy, a more immediate concern are poorly-considered proposals to embed and institutionalize surveillance regimes and their attendant harms. Surveillance or Security? contributes to an important conversation, injects caution into a frequently overheated discussion, and offers much of substance for those acquainting themselves with communications security and surveillance.

References

Clarke, Richard. A., & Knake, Robert. (2010). Cyber War: The Next Threat to National Security and What to Do About It. New York: Ecco.

Landau, Susan. 2010. Surveillance or Security?: The Risks Posed by New Wiretapping Technologies. Cambridge, MA: MIT Press.

Zittrain, Jonathan. 2008. The future of the internet–and how to stop it. New Haven: Yale University Press.

 

Bell, the British Columbia Telephone Company, and Cold War Surveillance

Late last year, a story broke about a researcher trying to get the Privy Council Office to release a secret surveillance order from the 1950s. This once again demonstrated why news investigations are vital for holding government accountable: the day after the CBC published its story the PCO decided to release the file, and Dennis Molinaro could finally get to finishing a journal article on the topic. More recently, he published the source documents he got from the PCO as a pdf, which if you’re a security & surveillance geek like me makes for great reading alongside his journal article (big up Dr. Molinaro!).

As a result, our understanding of Canadian state surveillance and Cold War security practices has had a significant boost. Something I discovered a couple of years ago was the difficulty of figuring out what police telephone surveillance in Canada was like prior to the era of the Privacy Act (the 1970s and earlier). These documents give us only a view into one particular surveillance program, and only in its early years. The file deals with the period around 1954 when the RCMP’s very very secret PICNIC program needed to be reauthorized, and there was a need to expand its wiretapping beyond Bell to other companies. Interestingly, one option (initially favored by Bell’s lawyer) was to use section 382 of the Railway Act, which allowed the government to take control of telephone infrastructure (“place at the exclusive use of the Government of Canada any electric telegraph and telephone lines, and any apparatus and operators which it has”), but this also required and Order in Council. To put the program on firmer legal footing, the government wanted the company’s cooperation in accepting warrants under the Official Secret Act (something the British Columbia Telephone Company was already happy to do). Some readers may wonder how railway regulation got connected to this mess, and maybe I’ll explain the pre-CTRC link between rail and telecom in another blog post. However, the government of the day, under Prime Minister Louis St Laurent, feared that using the Railway Act as a “cover plan” to govern surveillance was too much of a stretch, though they seemed prepared to go that route if Bell didn’t see things their way, and prepared some dubious legal justifications for doing so.

Bell’s position gave the government significant “difficulties”, and I would love to know the company’s reasoning. Presumably, using the Railway Act as a secret justification would simply have been easier, without having to bother with the paperwork of warrants. But the company was persuaded to agree with the government’s view, and the resulting surveillance regime targeted “subversives” and national security threats, where warrants were written for “a given area” rather than individuals, and seems to have carried on through the 1970s. This was the decade when Canada’s initial privacy and wiretapping laws were developed, replacing the previous jurisdictional patchwork.

The documents released by the PCO give us a fascinating insight into early domestic telecom surveillance in Canada, but this was certainly not representative of how police investigations were carried out in Canada. The RCMP’s (variously renamed) Special Branch/Security Service carried out tasks currently performed by CSIS, with a list of targets informed by a Cold War ideology that saw homosexuals, anti-war activists, and unions as a national security threat. Today, the internet and international terror networks are sometimes blamed for making foreign and domestic communications indistinguishable, but during the Cold War domestic surveillance was routinely carried out under the presumption that the targets were actually foreign agents or channels for foreign influence.

PICNIC was surveillance that was never intended to see the light of day, and it seems that early criminal investigations by Canadian police using wiretaps were also generally not meant to be revealed as evidence in court (it was apparently against RCMP policy to use wiretaps in 1973 and 1974, but they were still used for criminal intelligence). Molinaro writes about how “The monitoring of Canadians required a close level of partnership with corporate society; in this case, with telecommunications companies like Bell Canada”. However, I was reminded of a 1977 wiretapping story where the RCMP finally decided to use wiretap evidence in a drug case, and an officer explained in court about his routine practice of looking like a Bell employee and simply breaking into an apartment building’s terminal room with a screwdriver whenever he needed to tap a phone. In these cases, police did what they wanted with the phone network and there’s no indication that company executives ever complained (if they were even aware).

Kind of reminds me of this other time Canadian police decided to hack the phone network without permission

 

The CRTC and the Public

Summer is drawing to a close, so it’s back to the usual schedule for me. There was no blog post last month, but if you were paying attention you will know the news that the CRTC has a new Chair. Jean-Pierre Blais is out and Ian Scott is in. I have little basis for predicting what happens next (though the status quo tends to be the safest bet), so let’s look back before we look forward.

Blais’ term was served in the context of the internet era. Blais was the first Chair to grapple with a more mature ‘internet ecosystem’ — that is to say, a political economy that is showing some stability around a limited number of giant players: content providers (Facebook, Google/Alphabet, Netflix) and incumbent ISPs. In this respect, he recognized a need to deal with certain issues (net neutrality), and generally avoided making big, stupid mistakes.

But as many described it, Blais’ term can be defined by the CRTC’s focus on putting consumers first, which means the industry didn’t always get to decide what was in a consumer’s interest, and incumbents didn’t always get their way in the decisions. This should be situated in a wider context, stretching back to the origins of the CRTC’s regulation of Canadian telecom.

In a Globe and Mail article from (Aug. 6) 1976, titled The ‘consumer’s empty chair’, Geoffrey Stevens writes about the CRTC’s new objectives. 1976 was the year the CRTC first assumed responsibility for telecom regulation, which was previously handled by the Canadian Transport Commission (CTC). The change was meant to herald a new era of openness, and would “facilitate the involvement of the public in the regulatory process”, allowing interveners like consumer groups to participate “in an informed way”. It would be a move away from the “court-like atmosphere” of the CTC and towards something more informal. Also, copies of applications would be disclosed to parties that might want to intervene, and telecom companies like Bell would have to disclose information in public that they would previously file in confidence to the CTC (justifications for costs and prices).

The last of these was particularly irksome to Bell, whose lawyer subsequently warned the CRTC that such disclosures would hurt the company, and if all competitors had to similarly disclose they would be “hurting each other”. Well, more than forty years later confidential submissions and costing information remains a controversial issue, and Stevens’ question about the “consumer’s empty chair” remains outstanding: who will represent the public interest before the CRTC (or who will pay for the public’s lawyers)? There has certainly been progress, and much of it has been during Blais tenure. In addition to PIAC, there are now a significant number of new individuals and organizations participating in CRTC proceedings through different means. This allows the CRTC to claim broader legitimacy for its decisions, but participants are far from equal, and the Commission gets to decide how much to weigh their opinions. It’s still public participation bolted onto a complex regulatory apparatus, without much in the way of support (or a CRTC website that people can effectively use).

At a time when the FCC is experiencing somewhat of a crisis over transparency and openness to the public, the CRTC is in better shape, but still has a long way to go. Over to you Mr. Scott.

CSE’s Cyber Shakeup

The House of Commons is now on summer break, but before everyone headed off, the The Trudeau/Goodale Liberals introduced a monumental rework of Canadian intelligence and security institutions. This accomplishes some of what the Liberals previously indicated, but as Wesley Wark points out, such substantial changes to Canada’s national security bureaucracy are surprising. The implications are complex, with major reform for those overseeing CSIS and CSE (two new institutions: the National Security and Intelligence Review Agency and the Intelligence Commissioner) and changes to CSE’s mandate.

Experts and politicians have some time to chew on this bill’s different aspects, and for all things CSE, an important view is the Lux Ex Umbra blog. However, here I want to offer a couple of thoughts on the cyber aspects of the reforms.  As others have pointed out, these reforms will help to normalize certain types of acts (network exploitation and attack). One argument is that Canada’s new framework will help normalize in the international arena what a lot of states have been doing covertly, under dubious legal authority — “effects” like hacking and exerting influence in various domestic and foreign jurisdictions. The Canadian approach could either be a model for others interested in legal reform, or contribute to making these actions more acceptable and legitimate around the world. Domestically, this is also a normalization of the sorts of things that CSE has done, or wanted to do, for some years now.

There’s an upside and downside here. If you assume that this is the sort of stuff the Five Eyes and CSE would be doing anyway, it’s good to have it under an explicit legal framework that can “reflect the reality of global communications today and participation in international networks such as Five Eyes”. From this view, the reforms are an improvement in accountability and oversight. On the other hand, if you think this is precisely the sort of thing governments should reject (and the focus should be purely on cyber defence and passive techniques), then the last thing we should do is put a government stamp on it. Instead of updating the law to legitimate what has been going on, we need to stop the most controversial activities revealed by Snowden (weakening crypto, hacking Google data links and compromising LinkedIn accounts of Belgian telecom engineers).

In Canada, we have never had a debate about these questions. The national security consultation that ostensibly informs this move was not designed to ask them. Canada’s role in the Five Eyes is not under revision, and Bill C-59 is meant to better “align ourselves” with these cyber “partners”. The partners are meeting this week, amid an active push by allies (specifically, Australia) to get Canada’s cooperation in countering encryption. There’s little indication where Canada stands on these questions today. However, given what appears to be our holding-steady with the Five Eyes and C-59’s new legal framework, CSE can still end up promoting insecurity, in secret, at our allies’ request.

Ultimately, the success of C-59 will depend on how effective the new accountability mechanisms are. Canada’s previous experience includes government assurances about legal compliance and oversight, while routine illegality and surprising legal interpretations are carried out in secret. Some of this previous experience (like the CSIS ODAC database) is addressed in C-59, but on the must fundamental question — what kind of security will Canada promote in the world? — we seem to be doing what Canada has done since we hitched our national security to the U.S. in late WWII: defaulting to our allies. We may have some bold new security legislation (and a Minister of Foreign Affairs who recently made big statements about the need to “set our own clear and sovereign course“),  but old concerns about the lack of a distinctly Canadian approach to international and cyber security are as relevant as ever.

On Infrastructure

Shaun Stanley/Durango Herald

Recently, I was reading through an edited collection titled The turn to infrastructure in Internet governance. Few of the chapters held my interest for long, and for a book supposedly about the infrastructure ‘turn’, too many of the topics had already been well-covered in the internet governance literature (like organizations devoted to internet governance and the DNS). In the book’s introductory chapter, DeNardis and Musiani write:

…there is increasing recognition that points of infrastructural control can serve as proxies to regain (or gain) control or manipulate the flow of money, information, and the marketplace of ideas in the digital sphere. We call this the “turn to infrastructure in Internet governance.” As such, the contributions in this volume… depart from previous Internet governance scholarship, by choosing to examine governance by Internet infrastructure, rather than governance of Internet infrastructure. (p.4)

I largely want to put aside the question of how well the contributions in the book achieve this, and just focus on the topic of ‘governance by infrastructure’, and what this means. First, governance by infrastructure necessarily implies governance of infrastructure, but the emphasis shifts to particular features of infrastructure as points of control through which various social processes can be governed. So what do we mean by infrastructure? For DeNardis and Musiani, citing Bowker and colleagues:

the term “infrastructure” first suggests large collections of material necessary for human organization and activity—such as buildings, roads, bridges, and communications networks. However, “beyond bricks, mortar, pipes or wires, infrastructure also encompasses more abstract entities, such as protocols (human and computer), standards, and memory,” and in the case of the Internet, “digital facilities and services [ . . . such as] computational services, help desks, and data repositories to name a few… Infrastructure typically exists in the background, it is invisible, and it is frequently taken for granted. (p.5)

When it comes to the internet, infrastructure is more than just the ‘plumbing’ — it includes ‘abstract entities’ and social organizations, and this inclusive understanding might lead us to see all sorts of traditional internet governance studies as studies of infrastructure. So let’s try to narrow the focus to what makes infrastructure distinctive, besides the fact that it is frequently invisible.

Common definitions of the term discuss infrastructure as foundations, frameworks, and whatever provides support for something. There is a lot of overlap with the definitions of a public service or utility here, and this is why we typically think of electricity, water, and roads as infrastructure — without the underlying support of these systems or networks, countless social processes would grind to a halt. The early internet supported particular and specialized kinds of activities, but today it’s easy to see our digital networks as underpinning communications and social relationships in general, and therefore functioning as a kind of public good.

By seeing the internet as infrastructure, we might ‘turn’ to look at all of the ways it contributes to our daily lives. Much of this support is effectively invisible, and only comes to our attention when it stops working. The closer we get to the future promised by the Internet of Things, the more disruption will be experienced by these outages. This is reflected in the classification of telecom network as “critical infrastructure” — a category that has been the focus of government concern  in recent years, leading to a proliferation of partnerships, policies, frameworks, and standards.

Critical infrastructure is governed so that it does not break, or that it continues to provide essential services with minimal interruption. This is a developing and little-publicized topic (given the overlap with national security) so this sort of ‘governance-of-infrastructure’ has actually not received much internet governance scholarship. In contrast, the ‘governance-by-infrastructure’ that DeNardis and Musiani identify is about more than keeping the lights on and the data packets moving, and if we’re going to take this infrastructure turn seriously, one of the most important places to look is at ISPs as points of control. The idea that society can be governed by ISP responsibilities is now an old one, but remains a common approach. ISPs have obligations to connect to each other (or other institutions), and are called upon to monitor, increase, shape, limit or filter connectivity. Google and Facebook may have become massive operators of infrastructure, but last-mile and middle-mile networks remain essential chokepoints for internet governance.

ISPs are inextricably dependent on material infrastructure, since they are fundamentally in the business of moving packets to and from customers through a physical connection. Even wireless ISPs are limited by the laws of physics, as only so much information can be carried through the air (where it is also susceptible to interference). Accordingly, wireless ‘spectrum’ is carefully divided between intermediaries and managed (in Canada) by ISED as a precious resource – with spectrum licenses auctioned to intermediaries for billions of dollars (licenses that come with public obligations). Owning license for spectrum is quite a different matter from actually using it, and to serve millions of customers, further billions of dollars must be invested in a system of towers and their attendant links. The wired infrastructure of ‘wireline’ ISPs can be even more expensive, since cable must run to each individual customer, requiring kilometers of trench-digging, access to existing underground conduits, or the use of privately-owned utility poles. This means that the rights-of-way which secured the early development of telephone networks remain important for anyone deploying wired infrastructure, further privileging incumbents who own conduit or have access to utility poles. These rights-of-way are also one of the only ways municipal governments can control telecom infrastructure, by negotiating or referring to municipal access agreements. However, struggles between municipalities and intermediaries over access to right-of-way can also be quite contentious, and may also be adjudicated by the CRTC.

Finally, as with all things, I’m interested in the language we use to discuss these topics. Calling something infrastructure implies something different than utilities or ‘public works‘, but all three indicate a relation to an underlying public interest. Since so much of it lies in private hands, infrastructure is currently the preferred expression, but even this term reminds us that we all jointly depend on these corridors, poles, pipes, electronics, and the people who keep it all running.

 

 

Canada’s Net Neutrality Code

Last week the CRTC released an important net neutrality policy (Telecom regulatory Policy 2007-104) that got a lot of people talking. There’s been coverage by Dwayne Winseck, Michael Geist [1 & 2], Timothy Denton, Peter Nowak [1 & 2], and foreign reporting that understandably used the FCC’s approach in the U.S. for contrast. Jean-Pierre Blais reflected on the process in a recent interview (in which he also stated that the recent basic service decision was as close as the CRTC could come to recognizing broadband as a human right).

I’ve written about differential pricing before, and feel no need to summarize the decision here, or the decision-making framework it establishes, but there are some elements that stood out for me. First, this is the CRTC’s most explicit discussion of net neutrality ever. The term net neutrality didn’t even appear once in the earlier decision on differential pricing, and there has previously been a tendency to frame these topics in the regulatory language of ITMPs. Now the CRTC has embraced common lingo, and the latest regulatory policy is expressly “part of the broader public policy discussion on net neutrality. The general concept of net neutrality is that all traffic on the Internet should be given equal treatment by ISPs” [10]. Elaborating its definition of net neutrality, the CRTC states that “net neutrality principles have been instrumental in enabling the Internet to grow and evolve as it has”. These principles include innovation without permission, consumer choice, and low cost of innovation (low barriers to entry)[11]. Here we have the CRTC laying out some internet values — what made the internet so successful and what needs to be preserved (see Timothy Denton’s laudatory post). This document is remarkable because it lays out something approaching an ideal vision for Canadian telecom, with the internet as a central part. There were elements of this in the 2009 ITMP decision, which together with the recent differential pricing decisions (and subsection 27(2) of the telecom Act) now “effectively constitute Canada’s net neutrality code” [156].

For the rest of this post, I’d like to take a closer look at what the CRTC imagines or desires for Canadian telecom, specifically the roles of different actors and their relations. First, ISPs are common carriers [22], which generally means they are prohibited from discriminating or picking favorites among content. Chairman Blais has since said he thinks this CRTC decision will “reinforce the fact” that ISPs are “mere conduits”, playing a limited role in carrying information from one place to another. Once ISPs start making decisions about content they become gatekeepers to that content, and other concerns come into play (including net neutrality and copyright). Differential pricing can be used for just such a gatekeeping function, which would have “negative long-term impacts on consumer choice” as the CRTC predicts ISPs would make deals “with only a small handful of popular, established content providers – those with strong brands and large customer base” [67].

The scenario that worries the CRTC is one where vertically-integrated ISPs use their control over internet traffic to direct consumers to their own content or that of their partners. Differential pricing is one way of controlling consumer behavior, but arguments in favor of the practice say that it provides consumers with choice, and allows ISPs to innovate and compete through these offerings. In response to these arguments, the CRTC was forced to lay out its vision for innovation and competition. Unsurprisingly, the CRTC’s vision is for ISPs to engage in the noblest form of competition: facilities-based competition: “when ISPs compete and differentiate their services based on their networks and the attributes of the services on those networks, such as price, speed, volume, coverage, and the quality of their networks” [46]. The most important innovations aren’t “marketing practices” like zero-rating, but improvements to ISPs’ networks [59]. ISPs should focus on the internet’s plumbing, and consumers will choose the superior network.

While ISPs are imagined to be competing for customers based on the quality of their networks, competition for services is best served by the “open-nature of the Internet”, which allowed “today’s large, established content providers” to grow and innovate. “In the Commission’s view, new and small content providers should enjoy the same degree of Internet openness in order to innovate, compete, and grow their businesses” [56]. Since ISPs are envisioned as pipes, innovation in content should come from the edges of the network (or at least, that possibility should remain open). Content providers need to be able to enter the market and practice ‘permissionless innovation’, by giving consumers what they want without needing to cut a deal with each ISP that controls the last mile [11].

If we are trying to achieve something like a level playing field for content providers, then we can’t ignore the massive advantages that established content giants currently enjoy, and I wonder what else we might do to lower barriers to entry? Perhaps the whole idea of an ‘eyeball network‘ is an obstacle, where the network’s users are imagined principally as consumers watching a one-way information flow. This may be fine if it’s easy for a new content provider to compete for eyeballs, but that’s not the case today unless a you’re depending on an established content service (YouTube, Netflix) as an intermediary by having them carry your stuff. If we wanted to develop new ‘content’ in Canada, we need to recognize that in much of the country incumbent ISPs already act as the gatekeepers. If I wanted to start a new content service from my metaphorical garage, I would only be able to reach the global internet on my incumbent’s terms. These terms might include prohibitions on uses of their network, and the ISP’s control over addressing through NAT (imagine a world where every device could have a unique IP address…). Now imagine if I could easily get fibre to an internet exchange where I could connect to various international carriers… As with facilities-based competition, I think it’s important to try to imagine what an ideal world would look like when we’re talking about innovating and accessing diverse content over those facilities. As with facilities-based competition, I worry that the CRTC is most concerned with preventing existing concentrations of power from getting worse, than taking active steps to realize a specific vision.