Review of Susan Landau’s Surveillance or Security?

I’ve been going through my files recently, and discovering some that I had forgotten. A couple of times now I’ve had submissions to journals fall into a void. Ideally, when this happens the piece can still find a home somewhere else, but this was a review of a book from 2010 written in 2012, and in 2013 Snowden changed the world and I felt the need to move on. Still, Landau’s book remains valuable and some of these issues are even more salient today (also of note, in the 1990s Landau co-wrote Privacy on the Line with Whitfield Diffie).

Book Review: Landau, Susan. 2010. Surveillance or Security?: The Risks Posed by New Wiretapping Technologies. Cambridge, MA: MIT Press.

The choice between security and civil liberties remains a commonplace way of framing many surveillance debates. Susan Landau’s argument in Surveillance or Security? is that many surveillance technologies and systems not only compromise privacy, but may actually make us less secure. This thesis, while worth repeating, will not be novel for some readers familiar with surveillance and security debates. However, readers who are already well-versed in criticisms of the freedom-security opposition will still find a great deal of value in Landau’s book, including the nuance of her more policy and technology-specific arguments and the wealth of detail she provides on various electronic surveillance practices. The patience and clarity with which Landau walks readers through this detail is commendable, and the book makes many technical and legal matters understandable to those unfamiliar with telecommunications, electronic surveillance, or U.S. law. Despite this, reading Surveillance or Security? from beginning to end requires a considerable interest in the subject matter, and much of its detail will be superfluous to those interested in more general surveillance questions or electronic surveillance in a non-U.S. context.

The nuance of Landau’s argument preserves a legitimate and lawful role for surveillance by state actors, and her critique is targeted specifically at emerging forms of surveillance made possible in the age of digital networks. Of greatest concern is the ability to embed surveillance capabilities into our increasingly-capable communications infrastructures. Justifications for expanded or “modernized” police and national security surveillance capabilities are often premised on the need to bring telephone-era laws and abilities up to date with the internet. Landau provides a very effective introduction to telephone and packet-switching networks, the development of the internet, and the contemporaneous changes to U.S. surveillance law and practice. In the process, she shows how the nature of communication and surveillance has been transformed, and how inappropriate the application of telephone-era surveillance logic can be for internet architecture. While telephone and packet-switching networks are now deeply integrated, the reader will learn just how difficult “wiretapping the internet” is when compared to traditional telephone wiretaps. On the other hand, the book also discusses the vast amounts of information available about our digital flows, and how these possibilities of data collection introduce new dangers.

The most forceful of Landau’s arguments are against the embedding of surveillance capabilities into our networked communications infrastructure, as this amounts to an “architected security breach” (p.234) that can be exploited or misused. The main example provided by the author of such modern wiretapping gone wrong is the activation of surveillance capacities embedded in the software of an Athens mobile phone network during 2004 and 2005, wherein parties unknown targeted the communications of Greek government officials. While this case of wiretapping was highly selective, Landau also cites the current U.S. “warrantless wiretapping” program to illustrate the dangers of overcollection. A third case, the FBI’s misuse of “exigent letters” to acquire telephone records after September 11, shows how the risk of overcollection is exacerbated when wiretapping cannot be audited and fails to require “two-organizational control”. In the exigent letters case, FBI investigators and telephone company employees working closely alongside one another were able to nullify institutional boundaries and circumvent legal requirements. From these cases, Landau concludes that “making wiretapping easy from a technical point of view makes wiretapping without proper legal authorization easy” (p.240). Among her chief concerns is the historical propensity to take advantage of surveillance-ready technologies to target journalists and political opponents, and the possibility of “nontargets” being caught up through overcollection.

Surveillance or Security? offers solutions as well as warnings, and these are primarily oriented towards safeguarding communications security. As a general prescription, Landau argues for partitioning our networks to a greater and more sophisticated degree. This includes increased use of identity authentication and attribution for particular networks, and keeping others entirely inaccessible from the public internet. But Landau expressly opposes building identity authentication and surveillance mechanisms (such as deep packet inspection) into the internet itself. Overall, this is a sensible solution that can address “digital Pearl Harbor” fears while preserving the general openness of the internet. Our networks already have “walled gardens” for governments and corporations, and Landau calls for more effective partitions as well as open public vetting of security mechanisms (pp.240-241). Sanctioned wiretaps should also be auditable and not under the independent control of any one organization.

Ultimately, questions about how the internet should be designed and governed boil down to what we value in the network. Many have pointed out that the values which drove the development of the internet did not include ensuring its security, so that concerns over identification, authentication, malware and cyberattack surfaced later in its development and are difficult to resolve. The debate over whether internet governance and internet architecture need to be revised in the interests of security continues to this day, but the choice is not simply between security and openness. Rather, “security” can point to a whole host of challenges, some of which can be in opposition to one another. Landau does indeed distinguish between different security threats, but while there is a chapter entitled Who are the intruders?, no equivalent breakdown is given of “whose security” is of primary interest. Instead, Landau treats personal security, national security, and corporate security as compatible and amenable to some of the same solutions. She explicitly values personal privacy and the open innovation made possible by the internet, but also warns against growing foreign threats to the economy and critical infrastructure of the United States. The closing sentence of the book calls for communication security “to establish justice, maintain domestic tranquility, and provide for common defense” (p.256), and it is in the tensions between these three objectives that the supposedly false choice between freedom and security materializes once again.

Landau promotes the value of privacy and journalistic freedom, puts the danger of terrorism “in context” (p.222), and warns against heavy-handed approaches to illegal file-sharing (pp.34-35). But in debating the appropriateness of embedded surveillance or privacy-enhancing cryptography, the reader also learns that “we must weight the costs” (p.35) or the advantages against the disadvantages (p.219) of such technologies and practices. The problem is that different readers may have rather different conceptions of who is denoted by the “we” in such a formulation, and where the costs accrue. If the security threat is the “havoc” that can be wreaked through an internet connection multiplied by the size of the cyber-capable Chinese army (as Landau suggests in the epilogue, p.255), then Richard Clarke and Robert Knake’s (2010) proposal to embed surveillance and filtering at internet service providers (ISPs) to deal with foreign cyberattacks might seem quite reasonable (such surveillance would receive “rigorous oversight by an active Privacy and Civil Liberties Protection Board to ensure that neither the ISPs nor the government was illegally spying on us” [Clarke & Knake 2010, p. 162]). The principles which guide Landau’s judgments are those embodied in the U.S. Constitution, the open and innovative possibilities of our networks, the right to privacy in communication, and the need to be protected from electronic “intruders” and “threats”. But in making these various appeals Landau is also providing the means to undercut her argument against embedded surveillance, if one values a particular type of security or fears a threat to security over others. She closes with an appeal to consider communications security as vital to both national and personal security, to democracy as well as defense (p.256), but the argument that embedded surveillance makes us less secure is on weaker footing when faced with the catastrophic specter of a cyber-war with China.

In the end, readers may find themselves confronting the dilemma identified by Jonathan Zittrain (2008, pp.60-61), who argues that “the cybersecurity problem defies easy solution, because any of the most obvious solutions to it will cauterize the essence of the Internet”. Like Zittrain, Landau thinks we can improve cybersecurity without sacrificing the internet’s propensity for openness and innovation, but at times she seems to address her arguments more at U.S. policy makers, security officials, and American citizens than at a general readership. The book includes a chapter devoted to analyzing “the effectiveness of wiretapping” in the furtherance of national security and criminal investigations, and the threat of China’s espionage and cyberattack capabilities looms large against a “United States that is being weakened by the very information technologies that brought the nation such wealth” (p.171). Landau’s approach may appeal to those Americans in greatest need of convincing, but it marginalizes arguments based on more critical premises, such as the potential of open networks and private communications to facilitate valuable forms of disruption and social change.

Surveillance or Security? focuses on the U.S. because the complexity of wiretapping policy is better explored through one nation’s economic and legal perspective, and Landau claims that “it should not be hard to reinterpret the issues from the perspective of other nations” (p.10). The networks that constitute the internet certainly warrant analysis on the level of the nation-state, in particular due to the increased assertion of territorially-based state power over and through the internet. The U.S. also deserves study in its own right by anyone interested in global telecommunications, not only because of the influential role of the U.S. in the history of telecom, but because the world’s telecom networks remain disproportionately dependent on U.S.-based institutions and infrastructure. The layout of global fiber-optic cable makes the U.S. “a communications transit point for the entire world” (p.87), and the overall layout of the World Wide Web also remains largely U.S.-centric.

However, many of the details of U.S. wiretapping legislation and practice will not be of interest either to the general reader or to the scholar interested in broader questions of surveillance and telecommunication. The book’s detailed analysis of the U.S. case is therefore its greatest strength, or, for a more general audience, its greatest weakness. Among other strengths are the clarity of Landau’s descriptions of network architecture and internet history, which do not presume prior knowledge on the reader’s part. Surveillance or Security? is clear and approachable, and contributes some much-needed scholarship on the intersection between state and private institutions underpinning contemporary surveillance systems. At its best, it pours cold water on the need to overhaul the internet and expand the scope of electronic surveillance, but Landau is not above fanning the flames to give the issue of communication security some added urgency. In between, surveillance scholars will find plenty of value in the book’s well-researched detail and Landau’s considerable expertise.

One of the headings in the book, What it means to “get communication security right”, remains an open question, with governments moving slowly on the issue, and private institutions largely pursuing their own policies. While it seems clear that securing our communications networks will not be quick or easy, a more immediate concern is poorly-considered proposals to embed and institutionalize surveillance regimes and their attendant harms. Surveillance or Security? contributes to an important conversation, injects caution into a frequently overheated discussion, and offers much of substance for those acquainting themselves with communications security and surveillance.

References

Clarke, Richard A., and Robert Knake. 2010. Cyber War: The Next Threat to National Security and What to Do About It. New York: Ecco.

Landau, Susan. 2010. Surveillance or Security?: The Risks Posed by New Wiretapping Technologies. Cambridge, MA: MIT Press.

Zittrain, Jonathan. 2008. The future of the internet–and how to stop it. New Haven: Yale University Press.

 

Bell, the British Columbia Telephone Company, and Cold War Surveillance

Late last year, a story broke about a researcher trying to get the Privy Council Office to release a secret surveillance order from the 1950s. This once again demonstrated why news investigations are vital for holding government accountable: the day after the CBC published its story the PCO decided to release the file, and Dennis Molinaro could finally get to finishing a journal article on the topic. More recently, he published the source documents he got from the PCO as a pdf, which if you’re a security & surveillance geek like me makes for great reading alongside his journal article (big up Dr. Molinaro!).

As a result, our understanding of Canadian state surveillance and Cold War security practices has had a significant boost. Something I discovered a couple of years ago was the difficulty of figuring out what police telephone surveillance in Canada was like prior to the era of the Privacy Act (the 1970s and earlier). These documents give us only a view into one particular surveillance program, and only in its early years. The file deals with the period around 1954 when the RCMP’s very very secret PICNIC program needed to be reauthorized, and there was a need to expand its wiretapping beyond Bell to other companies. Interestingly, one option (initially favored by Bell’s lawyer) was to use section 382 of the Railway Act, which allowed the government to take control of telephone infrastructure (“place at the exclusive use of the Government of Canada any electric telegraph and telephone lines, and any apparatus and operators which it has”), but this also required an Order in Council. To put the program on firmer legal footing, the government wanted the company’s cooperation in accepting warrants under the Official Secrets Act (something the British Columbia Telephone Company was already happy to do). Some readers may wonder how railway regulation got connected to this mess, and maybe I’ll explain the pre-CRTC link between rail and telecom in another blog post. However, the government of the day, under Prime Minister Louis St Laurent, feared that using the Railway Act as a “cover plan” to govern surveillance was too much of a stretch, though they seemed prepared to go that route if Bell didn’t see things their way, and prepared some dubious legal justifications for doing so.

Bell’s position gave the government significant “difficulties”, and I would love to know the company’s reasoning. Presumably, using the Railway Act as a secret justification would simply have been easier, without having to bother with the paperwork of warrants. But the company was persuaded to agree with the government’s view, and the resulting surveillance regime targeted “subversives” and national security threats, where warrants were written for “a given area” rather than individuals, and seems to have carried on through the 1970s. This was the decade when Canada’s initial privacy and wiretapping laws were developed, replacing the previous jurisdictional patchwork.

The documents released by the PCO give us a fascinating insight into early domestic telecom surveillance in Canada, but this was certainly not representative of how police investigations were carried out in Canada. The RCMP’s (variously renamed) Special Branch/Security Service carried out tasks currently performed by CSIS, with a list of targets informed by a Cold War ideology that saw homosexuals, anti-war activists, and unions as a national security threat. Today, the internet and international terror networks are sometimes blamed for making foreign and domestic communications indistinguishable, but during the Cold War domestic surveillance was routinely carried out under the presumption that the targets were actually foreign agents or channels for foreign influence.

PICNIC was surveillance that was never intended to see the light of day, and it seems that early criminal investigations by Canadian police using wiretaps were also generally not meant to be revealed as evidence in court (it was apparently against RCMP policy to use wiretaps in 1973 and 1974, but they were still used for criminal intelligence). Molinaro writes about how “The monitoring of Canadians required a close level of partnership with corporate society; in this case, with telecommunications companies like Bell Canada”. However, I was reminded of a 1977 wiretapping story where the RCMP finally decided to use wiretap evidence in a drug case, and an officer explained in court about his routine practice of looking like a Bell employee and simply breaking into an apartment building’s terminal room with a screwdriver whenever he needed to tap a phone. In these cases, police did what they wanted with the phone network and there’s no indication that company executives ever complained (if they were even aware).

Kind of reminds me of this other time Canadian police decided to hack the phone network without permission

 

Lawful Access Consultation 2016

Another federal government consultation has recently wrapped up, this time with Public Safety asking about national security. Like other ongoing consultations, this one was criticized (for example, by Christopher Parsons and Tamir Israel) as framing the policy issue in a way that the government prefers, and trying to legitimate some ideas that should have been discredited by now. I would say that the consultation framed the issue very much as Public Safety (for instance, the RCMP) would prefer, repeating old rationales, and seeing the world from a perspective where the ability to exercise sovereign will over information flows is paramount. The Green Paper provided for background reading foregrounds the concerns of law enforcement & security agencies, is peppered with the words “must” and “should”, and advances some dubious assumptions. Public Safety asked for feedback on terrorism-related provisions (including C-51), oversight, intelligence as evidence, and lawful access. The last of these has seen a number of previous consultations, but is back in the news as police make their case for the issue of “going dark” (which has become part of the RCMP’s “new public narrative” for a set of concerns that were once broadly talked about as lawful access).

I let this one get away from me, so I didn’t have anything ready for Dec. 15 when the online submission closed. Regardless, I’ve decided to complete most of the questions related to the topic of Investigative Capabilities in a Digital World as a blog post. I don’t feel particularly bad for missing the deadline, since several of these questions border on ridiculous. For a true public consultation on what has long been a very contentious issue, it would be important for the questions to be informed by the arguments on both sides. Privacy experts would have asked very different questions about privacy and state power, and on a number of topics Public Safety seems to be trying to avoid mentioning the specific policies that are at stake here.

How can the Government address challenges to law enforcement and national security investigations posed by the evolving technological landscape in a manner that is consistent with Canadian values, including respect for privacy, provision of security and the protection of economic interests?

When I think of Canadian values, “privacy, provision of security and the protection of economic interests” are not what come to mind. When I ask my students what they associate with Canada, these particular values have never come up in an answer. I think we should consider democracy as a fundamental value, and understand that state secrecy is antithetical to democracy. When it comes to the relationship between citizens and the state, Canadian values are enshrined in the Charter, and the Supreme Court is ultimately responsible for interpreting what is consistent with the Charter. Therefore, Canadians deserve to understand what is being done in their name if we are to have a meaningful democracy, and this includes the existence of an informed, independent judiciary to decide what government actions are consistent with Canadian values.

In the physical world, if the police obtain a search warrant from a judge to enter your home to conduct an investigation, they are authorized to access your home. Should investigative agencies operate any differently in the digital world?

If we accept the digital/physical distinction, the answer is a definite yes — investigations carried out today operate differently than they did in the simpler, more “physical” 1980s. But it is important to keep in mind that analogies between the digital and physical environment can be misleading and dangerous. When it comes to the “digital world”, I prefer to talk about it in digital terms. The stakes are different, as is the meaning of terms like “to enter”. If we must make these comparisons, here is what treating these two “worlds” as analogous would mean:
The police can enter my home with authorization, and seize my computer with authorization. I am not required to make my computer insecure enough for the police to easily access, just as I am not required to keep my home insecure enough for the police to easily access. I am not required to help the police with a search of my home, and so I should not be required to help police search my computer. If I have a safe with a combination lock in my home, I cannot be compelled by police to divulge the combination, so by analogy, I should not be compelled to divulge a password for an encrypted disk.

But analogies can only take us so far. A computer is not a home. Metadata is not like the address on a physical envelope. We need to understand digital information in its own terms. To that end, some of the more specific questions found further in this consultation can produce more helpful answers. Before we get to these however, this consultation requires me to answer a couple more questions based on the presumption of digital dualism.

This question is hard to answer without knowing what it means to “update these tools”, and seems to be intended to produce a “yes” response to a vague statement. Once again, digital/physical comparisons confuse more than they clarify — these are not separate worlds when we are talking about production orders and mandating the installation of hardware. We can talk about these topics in their own terms, and take up these topics one at a time (see further below).

If we could only get at the bad guys in the digital world, but there’s all this code in the way!

Is your expectation of privacy different in the digital world than in the physical world?

My answer to this question has to be both yes and no.

No, because I fundamentally reject the notion that these are separate worlds. I do not somehow enter the “digital world” when I check my phone messages, or when I interact with the many digitally-networked physical devices that are part of my lived reality. Privacy law should not be based on trying to find a digital equivalent for the trunk of a car, because no such thing exists.

Yes, expectations of privacy differ when it comes to “informational privacy” (the language of Spencer), because the privacy implications of digital information need to be considered in their own terms. Governments and public servants do Canadians a disservice with phonebook analogies, license plate analogies, or when they hold up envelopes to explain how unconcerned we should be about government access to metadata (all recurring arguments in the surveillance/privacy debate). In many cases, the privacy implications of access to digital information are much more significant than anything we could imagine in a world without digital networks and databases of our digital records.

Basic Subscriber Information (BSI)

 

As the Green Paper states, nothing in the Spencer decision prevents access to BSI in emergencies, so throwing exigent circumstances into the question confuses the issue, and once again seems designed to elicit a particular response that would be favorable to police and security agencies. In the other examples, “timely and efficient” is the problem. Agencies understandably want quicker and easier access to personal information. The Spencer decision has made this access more difficult, but any new law would still ultimately have to contend with Spencer. Government, police, and security agencies seem to be in a state of denial over this, but barring another Supreme Court decision there is no going back to a world where the disclosure of “basic” metadata avoids section 8 of the Charter, or where private companies can voluntarily hand over various kinds of personal information to police without fear of liability.

If the process of getting a court order is more onerous than police would like, because it would be easier to carry out preliminary investigations under a lesser standard, it is not the job of government to find ways to circumvent the courts. If the process takes too long, there are ways to grant the police or the courts more resources to make it more efficient.

There are ways to improve the ability of police to access metadata without violating the Charter, but any changes to the existing disclosure regime need to be accompanied by robust accountability mechanisms. Previous lawful access legislation (Bill C-30) was flawed, but it at least included such accountability measures. In their absence, we only know that in a pre-Spencer world, police and government agencies sought access to Canadian personal information well over a million times a year without a court order, and that a single court order can lead to the secret disclosure of personal information about thousands of Canadians. Police and security agencies have consistently advocated for these powers, but failed to document and disclose how they actually use them. This needs to change, and the fear of disclosing investigative techniques cannot be used to prevent an informed discussion about the appropriateness of these techniques in a democratic society.

Do you consider your basic identifying information identified through BSI (such as name, home address, phone number and email address) to be as private as the contents of your emails? your personal diary? your financial records? your medical records? Why or why not?

The answer to this question depends on an exhaustive list of what counts as BSI. It is important to have a clear definition of what counts as BSI, because otherwise we might be back in the pre-Spencer position where police are able to gain warrantless access to somebody’s password using powers that were meant for “basic identifying information”.

The answer to this question also depends on an explanation of what is done with this “basic” information. As was recognized in Spencer, we can no longer consider the privacy impact of a piece of personal information in isolation. This is how lawful access advocates prefer to frame the question, but this is not how investigations work in practice. BSI is useful only in combination with other information, and if we are talking about metadata (a term that, curiously, never appears in the Green Paper) it is now increasingly understood that metadata can be far more revealing than the content of a personal communication, when it is used to identify people in large datasets, determine relationships between individuals, and patterns of life.

So in short, yes — I am very concerned about BSI disclosures, particularly when I don’t know what counts as BSI, and what is being done with this information.

Do you see a difference between the police having access to your name, home address and phone number, and the police having access to your Internet address, such as your IP address or email address?

I see an enormous difference. As previously discussed, these are not analogous. An IP address is not where you “live” on the internet — it is an identifier that marks interactions carried out through a specific device.

Interception Capability

This is not a question… Yes all of this is true.

Should Canada’s laws help to ensure that consistent interception capabilities are available through domestic communications service provider networks when a court order authorizing interception is granted by the courts?

The key word here is “consistent”, and the question of what standard will be required. It would be very easy for government to impose a standard that large telecom incumbents could meet, but which would be impossible for smaller intermediaries. As things are, the incumbents handle the vast majority of court orders, so I would love to see some recent statistics on problems with ‘less consistent’ intermediaries, particularly if this is a law that might put them out of business.

Encryption

I think the answer to this has to be never. People cannot be forced to divulge their passwords — in our society they can only be put in prison for very long periods of time. In other cases, assisting with decryption means forcing Apple to break through their own security (which was meant to keep even Apple out), or driving companies out of business unless they make products with weak security. This does not work in a world where a single individual can create an encryption app.

How can law enforcement and national security agencies reduce the effectiveness of encryption for individuals and organizations involved in crime or threats to the security of Canada, yet not limit the beneficial uses of encryption by those not involved in illegal activities?

By doing anything other than mandating insecurity for everyone. The answer cannot be to make technology insecure enough for the state to exploit, because this makes everyone insecure, except for those who use good encryption (which has become too commonplace to stamp out).

 

The final two questions deal with data retention, a topic I’ll leave for a later time…

Canada’s Cyber Security Seeks Public Input — Here’s Mine

The Government of Canada is carrying out a public consultation on cyber security. Specifically, the consultation is being administered by Public Safety Canada’s National Cyber Security Directorate (NCSD). NCSD’s role is sometimes described as cyber policy and coordination, such as designing and implementing Canada’s Cyber Security Strategy, and the consultation asks for the public’s help in addressing some really thorny cyber security challenges.

On its face, it’s hard to know what to make of this consultation. PSC/NCSD wants to hear from “experts, academics, business leaders, and provincial, territorial and municipal governments” on the topic, but they also want “all citizens to get involved in a discussion about the security and economic dimensions of Canada’s digital future.” There are four main topics the government is consulting on, and a workbook has also been created to accompany the process. The workbook breaks the consultation down into trends, themes, and related questions for consideration, but the contents seem designed to steer answers in particular directions, and the one topic that doesn’t include any specific questions is Canada’s “way forward”, the outlines of which seem to have already been decided.

Some of the questions in the workbook are ones that I imagine Government would love an innovative answer for (How can public and private sector organizations help protect themselves from cybercrime… and what tools do they need to do so?), while others seem loaded to produce a particular response (with “example” answers provided). I only hope that the responses to this consultation won’t be quantified as statistics (since this isn’t a methodologically-sound survey), or used to support decisions that have already been made. So let’s give them the benefit of the doubt and assume that NCSD really does want some help from Canadians in dealing with one of society’s most important challenges, and they’re open to all sorts of ideas.

To that end, I’ve provided my response to the consultation’s four “topic areas”:

The Evolution of the Cyber Threat
I think a lot of this has been covered in broad strokes by Canada’s Cyber Security Strategy and related documents. The threat has certainly evolved, in terms of actors, motives, and potential harm. State actors are increasingly involved around the world, and there are dedicated industries of criminals profiting from vulnerabilities. The most interesting way that I think the cyber threat has evolved in recent years is a recognition of the Five Eyes (Canada’s alliance with the US, UK, Australia and New Zealand) as a security threat. This recognition has certainly not come from the Canadian government, or even much of the Canadian population (as we really have yet to talk about this issue). Instead, the changing nature of the threat has been expressed most publicly by the likes of Microsoft and Google, after they learned through the Snowden documents that the Five Eyes were compromising their infrastructure and the relationships of trust these companies have established with their users.

The Increasing Economic Significance of Cyber Security
I don’t consider this to be much of a topic in need of public consultation, since it seems like Public Safety is already aware that cyber security is vital to the economy. It’s hard to put a dollar value on security, but it’s pretty obvious that the value of maintaining information security and the “losses” that result from various kinds of threats are enormous. Huge numbers are estimated and cited to justify the need for cyber security, and I’m not sure that we need more accurate numbers (since we know they’re big), or that bigger numbers will compel action. We can talk about how better to communicate the seriousness of the issue, but I’m more interested in finding perspectives other than the economic lens to talk about threats. Government ideas about the value of the internet in Canada too often lapse into talk of the “digital economy”, and harms that don’t involve children are often expressed in economic terms. As people like Ron Deibert point out, we need to think more about the democratic/political dimensions of cyber security. This means articulating the value of connectivity in a way that doesn’t translate into dollars, but instead relates to our values as Canadians (like those “rights and freedoms” mentioned at the end of the workbook).

The Expanding Frontiers of Cyber Security
While the workbook discusses this in terms of the need for “cyber security [to] evolve at the same rate as new technologies” (p. 17), I want to use this topic to discuss the expanding scope of cyber security.


The workbook defines cyber security as “the protection of digital information and the infrastructure on which it resides. Cyber security addresses the challenges and threats of cyberspace in order to secure the benefits and opportunities of digital life” (p. 5). The first part of this definition is relatively straightforward, and encompasses the domain of IT security. However, cyber security is not limited to these concerns, and Canada’s closest allies have used the language of cyber security to justify creating and preserving technological vulnerabilities in the service of strategic objectives. Meanwhile, it seems that Public Safety Canada considers “threats of cyberspace” to include more than just threats to digital information and infrastructure.

Internationally, cyber security now includes a variety of concerns, including over public order and morality. For instance, in Canada cyberbullying is sometimes listed as a cyber security threat alongside phishing and malware (particularly in Get Cyber Safe resources). Cyberbullying can certainly involve personal information being compromised, but it can also refer to the hateful and abusive comments found in many online media. The danger is that cyber security can be equated with online “safety”, which can mean safety from content that might insult, harm, or disturb.

The more concerning expansion of cyber security is as a justification for whatever actions serve national security or the priorities of state agencies. This is a worry because the goals of some state “partners” in cyber security are not to provide the public with the most secure technologies. In the US for instance, secret efforts to make commercial technologies (the same technologies widely used by Canadians) more vulnerable and less secure were justified as part of an ostensibly-defensive cyber security program (the CNCI). As discussed below, there is no reason to believe that Canadian agencies are an exception to the same tendencies demonstrated by their closest international allies in cyber security.

One of the few things that all cyber security threats have in common is that they all involve a computer, or digital networks. Since we are supposedly moving towards a world covered in networked computers, the potential for cyber security’s expansion is a major cause for concern. I feel a lot more comfortable talking about information (IT), network, or computer security, because at least there the subject matter is relatively defined. Cyber security is more of a mixed bag, and I hope that the Government of Canada will keep the expansionist tendency of cyber security in check. Focus on the threats we know and are having difficulty defending against, don’t go looking for new forms of troublesome conduct involving a computer that can be listed as a cyber security threat, and let’s talk about whether the government’s idea of cyber security includes purposefully maintaining certain kinds of insecurity.

Canada’s Way Forward on Cyber Security
As part of Canada’s way forward, we need to take an explicit position on the extent to which we want to promote information/IT security at the expense of other conceptions of security, particularly those favored by police and national security agencies. It seems disingenuous to promote the security of information and infrastructure without acknowledging the limits within which government agencies are comfortable allowing such developments. Police in Canada and around the world are well aware of this conflict, particularly after the Snowden revelations led to widespread adoption of more secure technologies, which are now an obstacle to their ability to investigate crime. The showdown between Apple and the FBI is a recent manifestation of this tension, and Canada should not simply sit on the sidelines and wait for these new “crypto wars” to play out in the US and Europe.

We also need to discuss our membership in the Five Eyes, because Canadians have never had a real opportunity to do so. Predicated on a secret treaty, the Five Eyes often acts as a coordinated group and an exclusive club, supposedly based on its members’ “common Anglo-Saxon culture, accepted liberal democratic values and complementary national interests”. Originally formed to further intelligence collection and the sharing of information in the interests of national security, today the Five Eyes also includes collaboration of a more defensive nature in the realm of cyber security. We know that Canada’s membership in the Five Eyes can be a privacy threat to Canadians, because of last year’s revelation that CSE had for years violated the law by sharing Canadians’ personal information with these allies. We know that the Five Eyes can pose a security threat to our information infrastructure, because of documents revealed by Edward Snowden showing how the NSA worked to weaken the security of commonly-used systems in order to more easily obtain intelligence (efforts in which Canada appears to have been complicit).

In the US, the Snowden disclosures resulted in the President’s Review Group on Intelligence and Communications Technologies recommending the separation of the NSA’s offensive and defensive roles, through the creation of a new agency to take over the NSA’s defensive “information assurance” mission. Canada has yet to acknowledge the contradiction at the heart of the Five Eyes – where government agencies work simultaneously (or at cross-purposes) to both secure infrastructure and make it more vulnerable. In the US, the NSA is currently merging its offensive and defensive capabilities. This NSA reorganization contradicts the recommendations of the President’s Review Group and strains trust with non-government partners, but is at least being openly acknowledged and discussed. In Canada, a similar process of merging offensive and defensive capabilities may very well be underway at CSE, but this is just what we can deduce from five-year-old Snowden documents, and the government’s position on this topic is limited to CSE’s statements about the same news story.

Can the Canadian government be a trusted partner in cyber security when it has never even acknowledged its role (or the conduct of its closest allies) in making information infrastructure less secure? Is it permissible to have one cyber security agency (CCIRC) responding to threats and vulnerabilities, some of which may have been created or kept secret by CSE and its Five Eyes allies? These are not hypothetical questions — just last week CCIRC issued an advisory to correct a vulnerability that the NSA had likely exploited for over a decade. If the attributions of security experts are correct, this means that the Canadian public is being notified about a security vulnerability that was kept secret and exploited by our closest cyber security ally, and we are learning about it through foreign actors whose motivations are unknown, but presumably do not include a desire to make our infrastructure more resilient.

Certainly, most Canadians have more to fear from more mundane threats, like phishing, ransomware, and others listed as part of the government’s consultation. But I wanted to focus on the Five Eyes because these are precisely the sorts of blind spots that need to be uncovered through public consultation. If government agencies will not acknowledge this threat, either because of secrecy or the failure to recognize what those outside government perceive, then it becomes the responsibility of Canadians to point out how the government’s version of reality is different than the one we are reading about in the news. However, at that point we are no longer having a shared discussion of cyber security, but two parallel discussions, with very different ideas of what constitutes a cyber threat.

These tensions at the heart of cyber security are not going anywhere, but by acknowledging them, the Government of Canada can at least take an explicit policy position, rather than the implicit one we can deduce from its former conduct. The Government of Canada has already taken the historic step of suspending metadata sharing with the Five Eyes until it is confident that this no longer threatens the privacy of Canadians. Before Canada resumes its full participation in a secretive alliance that works to both strengthen and weaken the security of systems we depend on, we need a stated position on such conduct. Specifically, are security vulnerabilities ever acceptable or desirable? Is it ever appropriate for government agencies such as CSE and the RCMP to use vulnerabilities that might otherwise be disclosed and corrected? What should we do when our closest cyber security allies are repeatedly found exploiting vulnerabilities and weakening security?

In response to the last of these questions, I would answer that Canada needs to either openly declare its support for government efforts to compromise security, including any limits or conditions, or it needs to publicly oppose these efforts. Only by working to strengthen IT security against all threats can the Government of Canada be a trusted partner in cyber security. To take no position at all by failing to acknowledge the issue is untenable, will weaken trust in government, and will continue the post-Snowden bifurcation of security into two separate discussions — one that includes government as a partner and one that does not.

Telecom Responsibilization: Internet Governance, Surveillance, and New Roles for Intermediaries

I’ve just had my most recent article published in the Canadian Journal of Communication. From the abstract:

This article foregrounds internet intermediaries as a class of actors central to many governance and surveillance strategies, and provides an overview of their emerging roles and responsibilities. While the growth of the internet has created challenges for state actors, state priorities have been unfolded onto the private institutions that provide many of the internet’s services. This article elaborates responsibilization strategies implicating internet intermediaries, and the goals that these actors can be aligned toward. These include enrolling telecom service providers in law enforcement and national security-oriented surveillance programs, as well as strategies to responsibilize service providers as copyright enforcers. But state interests are also responsive to pressures from civil society, so that “internet values” are increasingly channelled through the formal political processes shaping internet governance.

This particular work took more time and revision than anything else I’ve had appear in print. I began working on it prior to my PhD research (and before Snowden), germinating in a conversation I had with my supervisor. I was trying to explain some of my interests in how intermediaries end up serving state surveillance and security objectives, and how “deputization” didn’t seem to be an adequate way of describing the process. He proposed I look at the notion of “responsibilization”, even if what I was describing ran counter to some of the neoliberal logic often associated with the concept.

In the end, the article became a way for me to engage and disengage with different theoretical commitments, while working through some particular cases of intermediary obligations that I was interested in (graduated response, lawful access, interconnection). I’m using the piece as a way to talk about something that many people have pointed out: the importance of intermediaries in contemporary power relations. However, my focus is not just on the power that these companies have over our lives, but the potential for intermediaries to become instruments of power. This leads numerous actors (state and non-state), with particular visions of how to shape or order society, to treat intermediaries as “points of control” (Zittrain, 2003).

The idea of responsibilization is a useful way to understand certain relationships between state and private actors, but it is a concept that deserves some elaboration and careful qualification. Responsibilization has frequently been presented as an aspect of neoliberal governance, corresponding with an emphasis on individual responsibility for one’s conduct and well-being, and the increased involvement of private actors in domains that were previously a responsibility of the state (Burchell, 1996, p. 29). Under this definition, the state’s enlistment, partnering with, or outright deputizing of intermediaries can be seen as a way to devolve state responsibilities and regulatory powers onto private actors. Yet there is nothing particularly new about telecom providers being aligned toward state goals, or accepting obligations towards some sort of public good (security, surveillance, universal service). Also, rather than a shrinking neoliberal state transferring responsibilities to the private sector, responsibilization can actually represent an extension of state power — reaching deeper into civil society by enlisting key network nodes.

Responsibilization and Social Theory

If we understand responsibilization as a technique of government that can be independent of neoliberalism, we can think about how it might be compatible with more generalizable social theories. Originally, I was interested in exploring how the responsibilization of intermediaries could be treated as a combination of Castells’s “programming power” and “switching power”. Abandoning Castells, I then moved further in the direction of governmentality literature and the work of Mitchell Dean. Dean’s work became invaluable as I was thinking through the role of state power and its relationship to all that we now sometimes refer to as civil society. In particular, I was strongly influenced by Dean’s analysis of what he calls “liberal police”, which operates (in part) through an “unfolding” of governmental programs into civil society.

In regards to surveillance studies, responsibilization seems quite compatible with Haggerty and Ericson’s (2000) well-known idea of “the surveillant assemblage”, referring to the “disconnected and semi-coordinated character of [contemporary] surveillance” that allows actors to “combine and coordinate different monitoring systems that have diverse capabilities and purposes” (Haggerty and Ericson, 2006, p. 4). Responsibilization describes one important means by which the surveillant assemblage can become coordinated, and while Haggerty and Ericson tend to emphasize the decentralized and diffuse character of contemporary surveillance, they also recognize that “powerful institutions” can remain “relatively hegemonic” to the extent that they can “harness the surveillance efforts of otherwise disparate technologies and organizations” (Haggerty and Ericson, 2006, p. 5). The state remains in a privileged position to coordinate various aspects of the surveillant assemblage, whether through the force of law or less coercive means (such as moral suasion and appeals to patriotic duty).

Where else might the idea of responsibilization bear fruit? The distinctions I make about different types of responsibilization in the published article may certainly be applicable beyond telecom, and I think we can find plenty of examples of responsibilization operating as a technique of governance if we detach the concept from certain presumptions about neoliberalism.

In summary…

Our daily experiences are increasingly being governed through intermediaries, often in ways that we don’t appreciate. Proposed solutions to social problems, threats, immorality, and disorder now often argue for better governance of intermediaries. Battles over the shape of digital society often come in the form of battles over the responsibilities we should impose on intermediaries, or debates about the responsibilities that intermediaries should willingly accept.

 

Still sorting out the post-Snowden balance

The ongoing fight between Apple and the FBI, in which a growing number of companies have declared their own interest and support, is the latest constitutive moment for what it means to live in the “post-Snowden” era. This is because the fight is a direct consequence of changes made by Apple following the Snowden disclosures, and because it is now being used as a way to stabilize some sort of “balance” between government and industry, after the massive shake-up of this relationship in late 2013/early 2014. The shift that occurred included major tech companies treating their own government as an adversary to defend against. Now, Apple has reportedly decided that its own engineers must also be part of this threat model. After Snowden, the company decided that it no longer wanted to be able to unlock phones for the government. Now, the challenge is to develop security that the company cannot even help the government break through some indirect means.

The term “post-Snowden” has gotten a lot of use in the last couple of years, but the Apple-FBI battle demonstrates the real shift to which it refers. Perhaps in a few years, the impact of the Snowden disclosures will be forgotten, in much the same way as the crypto war of the 1990s faded from memory as the relationship between industry and government got cosy after 9/11. But the world did change in a variety of substantial ways as a consequence of Edward Snowden’s actions, and we are still grappling with the legacy of those changes.

The Snowden disclosures were a truly international story with many local manifestations. Just as NSA-affiliated surveillance infrastructure had been extended around the globe, scandal touched the various nations implicated in the documents, and opened the door to local investigations. News stories broke one after another, with governments as either targets or practitioners of surveillance. Canada, as a member of the exclusive “Five Eyes” surveillance club, was reminded that it too had an agency with a mandate similar to the NSA (CSEC, now CSE). More clearly than ever, citizens understood that the surveillance infrastructures of intelligence agencies had global reach. Canada hasn’t seen public battles between government and industry like the one currently involving Apple, and discussions of government surveillance have been more muted than in the US, but a series of Snowden-related stories in this country have also fed into long-standing concerns about surveillance and privacy.

I want to spend more time on how the Snowden disclosures impacted Canada in a later post, but for now I’ll just briefly reflect on my own experiences studying the telecom industry during this period.

I began attending meetings of network operators and engineers in 2012. The first of Snowden’s revelations hit in June 2013, and by the fall of 2013, the topic of state surveillance was a regular part of conference conversations and presentations, if not the actual topic of presentations themselves. At the October 2013 NANOG conference, the internet’s North American engineers cheered the resistance of Snowden’s email provider to disclosure demands by the US government (Ladar Levison had built what was meant to be a secure email provider, but the FBI ordered him to hand over the encryption keys. Attendees applauded his efforts to make the FBI’s job as difficult as possible). At the IETF in Vancouver the following month, participants overwhelmingly voted to treat pervasive surveillance by state intelligence agencies as a technical attack on the internet, and debated how to protect against it. At a Canadian industry conference in April 2014, an executive with an incumbent ISP argued that service providers had an opportunity to gain a competitive advantage by offering better security, and showed a photo of Snowden as an answer to the question of why we care about privacy and security. Interestingly, Canadian government agencies reportedly joined Canadian companies in touting the country’s privacy and security advantages to customers concerned by surveillance in the US.

After Snowden, corporate management and operational decisions took time to shift, but the change in discussions and governance forums was more immediate. It wasn’t just that private intermediaries suddenly had a new threat to worry about, but that the nature of their role, and their relationship to their users/customers had changed. Snowden’s revelations included the fact that the NSA had been undermining the very internet infrastructure that the agency had been tasked with protecting, but also the suggestion that it had done so with intermediaries acting as private partners. Best exemplified by early reports of the PRISM program, some intermediaries were now seen as complicit in this global spying apparatus. As a consequence, companies began limiting cooperation with government agencies and issuing transparency reports about the nature and extent of their information disclosures.

The Snowden disclosures contributed to cynicism and distrust of both government and private industry, and trust is key for companies that have built a business model around securing personal information. Companies such as Apple are positioning themselves as trusted stewards of personal information, with the recognition that customers often do not trust government assurances that they will only access such data in limited and justified circumstances. The most recent moves by Apple are an attempt to move data even further out of the reach of these providers themselves. Such an approach will not be possible for companies that depend on access to this data as part of their business model (for advertising purposes), but for those selling hardware and online services, building walls against governments is now often more desirable than negotiating access.

From one perspective, the Apple-FBI fight is about setting a precedent for government power in the post-Snowden era. But I would say that it is an indicator of a loss of government power, a shift in the orientation of the US tech industry to the state, and one of the continuing consequences of Snowden’s decision to shake up the world.

Telecom Companies as Privacy Custodians (Rogers and Telus tower dumps)

Yesterday, Justice Sproat of the Ontario Superior Court released a decision in a case involving Rogers, TELUS, and the Peel Regional Police. Back in 2014, the police force had requested “tower dump” data from these companies in order to identify some robbery suspects. The orders were so broad (the broadest ever, to the knowledge of the TELUS deponent) that the telecom companies opposed them in court. Despite the fact that the production orders were then withdrawn by police, the judge heard the case anyhow, and was able to offer guidance for police and telecom companies dealing with similar cases in the future.

David Fraser has provided a legal analysis of the decision, which found that “the Production Orders were overly broad and that they infringed s. 8 of the Charter” [42]. For me the most interesting aspects are what this decision tells us about the roles and responsibilities of intermediaries as privacy custodians. The decision states (on the issue of whether the companies have standing in the case) that Rogers and TELUS “are contractually obligated” to “assert the privacy interests of their subscribers” [38]. That is to say, the relationship these companies have with their customers creates obligations to protect subscriber information, and this protection includes defending subscribers against unconstitutional court orders. It is not reasonable to expect individual subscribers to defend their privacy interests in such cases — the intermediary should stand between the individual and the state as a privacy custodian (and this means making determinations about which police requests and court orders are unconstitutional).

Also of particular interest is the judge’s recommendation that police should request “a report based on specified data instead of a request for the underlying data itself”, unless this “underlying data” is required for some reason [65]. This means that instead of asking companies such as Rogers and TELUS for the personal information of tens of thousands of subscribers, so that the police can determine which subscribers to investigate further (presumably those in the proximity of more than one crime scene), the telecom companies could do this work themselves, and disclose only the information of subscribers that meet particular criteria. In effect, this type of practice would require and entrust intermediaries to do as much of the initial investigatory work as possible, handing over only the information that police need to proceed further. This particular guideline is meant to limit the privacy impact of such disclosures, since the judge notes that personal information in the hands of police can be vulnerable to being “hacked” [20], and that police in possession of such data are not subject to conditions on data retention [59-60].

For me, the unanswered question is: why Rogers and TELUS? There are larger players than TELUS in Ontario, but this is a company that has pushed back before against such overreach. If the police had no idea who the suspects or their mobile providers were, did they obtain production orders for all mobile providers, and only Rogers and TELUS pushed back? If so, did other companies fail their customers as privacy custodians by not opposing such orders?

Copyright trolls and online identification

My previous post dealt with copyright surveillance and algorithmic judgement, and here I want to focus on a particular kind of copyright surveillance and enforcement that has achieved a special sort of notoriety in recent years: copyright trolling.

Some of this is based on my most recent article, The Copyright Surveillance Industry, which appears in the open-access journal Media and Communication. I’m also working on a future piece that deals with copyright enforcement, privacy, and how IP addresses and persons become linked.

Why this matters

First, copyright trolling is having an enormous impact, with hundreds of thousands of defendants named in US and German lawsuits in just a few years. Precedent-setting cases in other countries (such as Australia and Canada) have been determining whether this practice (sometimes called “speculative invoicing”) can spread into new jurisdictions. Some legal scholars have described copyright trolling as a “blight”, an abuse of the legal system, or a kind of “legal ransom”. Defendants must choose whether to pay what the troll demands, or face the prospect of an expensive (and sometimes embarrassing) legal fight. Balganesh makes a strong argument that this exploitative, profit-based use of the legal system disrupts the traditional “equilibrium” of copyright’s underenforcement.

Studying copyright trolling cases can also help us come to terms with the question of personal identification and attribution on the internet – what it means to connect traces of online activity to human bodies and the devices with which they interact. The thorny question of how to link persons to digital flows has been a topic of intense interest for a variety of surveillance institutions, including advertisers and intelligence agencies. Legal institutions around the world have been struggling with related questions in trying to assign responsibility for data communicated over the internet. Copyright trolling is just one example of this problem, but it’s one that is currently playing out in a number of countries on a massive scale.

What is a copyright troll?

Copyright trolls are the products of contemporary copyright regimes, internet technologies, and creative legal entrepreneurs. No one self-identifies as a troll, so the label is pejorative, and used to criticise certain kinds of copyright plaintiffs.

The term is derived from “patent trolls”: patent-owning entities that demand payments from companies allegedly infringing their patents. Like patent trolls, copyright trolls demand payments following alleged infringement of copyright. The difference is that a typical patent troll does not produce anything of value, and simply generates income through settlements and lawsuits. While the term “copyright troll” is usually reserved for law firms engaging in “trollish” practices, these firms represent copyright owners that do produce creative work for sale. It is typically the law firms that drive trolling practices. Some reserve the term “troll” strictly to describe those legal firms that acquire the ability to sue from copyright owners under certain terms (namely, to pass along a percentage of any settlements received to the copyright owner). The law firms can then exercise their copyright enforcement power autonomously.

The line between what is and is not a troll is more difficult to draw in copyright than patent law, since the law firms involved can point to a legitimate business that they are protecting and particular works being “pirated”. This has not stopped a number of authors from trying to come up with a workable way of delineating trolls from other plaintiffs, but these definitions end up encompassing only a particular slice of trolling operations (given their variability and opportunistic adaptability). There are varying degrees of autonomy that trolling law firms exercise: while some have a free hand in pursuing their legal strategies, others take direction from copyright owners. Because of this, I avoid labelling any specific companies as copyright trolls. Instead (and largely in agreement with Sag, 2014), I refer to copyright trolling as a practice – one that threatens large numbers of individuals with copyright infringement claims, with the primary goal of profiting from settlements rather than proceeding to trial on the merits of a case (see Curran, 2013, p. 172).

How copyright trolling works

In theory, copyright trolling can develop wherever a copyright owner stands to profit from initiating lawsuits against alleged infringers. The now-infamous Righthaven attempted to build its business model around suing people who were sharing news articles. Currently, Canadian government lawyers are accusing Blacklock’s Reporter of being a copyright troll, after the site filed suit against several departments and agencies for unauthorized sharing of the site’s articles. My focus here will be on the most common form of copyright trolling — suing people accused of file-sharing copyrighted works. Because the defendants in these cases are listed as “Does” until identified, and plaintiffs typically file suit against multiple (sometimes hundreds or thousands of) defendants at once, these cases can be called Multi-defendant John/Jane Doe Lawsuits. They begin with the collection of IP addresses tied to alleged infringement, proceed to the identification of internet subscribers assigned those IP addresses (discovery), and conclude with claims made against these subscribers in the hope of reaching settlements or (if defendants do not respond) default judgements.

A copyright surveillance company is used to monitor file-sharing networks (principally BitTorrent), where IP addresses of those engaged in file-sharing can be recorded. Just as the activities and IP addresses of downloaders and uploaders are largely visible on BitTorrent, so are the activities of copyright surveillance companies. This is because collecting information on file-sharing cannot be achieved without some level of interaction: connections need to be established with file-sharers so that their IP addresses can be recorded. Once a copyright surveillance company has collected the IP addresses involved in sharing a particular file, it hands them over to a law firm. While there are allegations that a particular German-based copyright surveillance company has been the driving force behind many US copyright trolling cases, typically the surveillance company exits the picture once IP addresses have been collected.

The next step is to identify the persons “behind” these IP addresses, and the only way to make this link is through the cooperation or forced compliance of an ISP. Since blocks of IP addresses are assigned to particular ISPs, a law firm can determine which ISPs’ customers to pursue by checking their list of recorded IP addresses. Copyright trolls have to be selective, targeting particular ISPs on the basis of geography (jurisdiction) or other factors. ISPs vary in their levels of cooperation with copyright owners that seek to identify allegedly infringing subscribers. In some cases it has been possible to get an ISP to forward a settlement letter without disclosing the identity of the subscriber (for instance, by abusing Canada’s notice-and-notice system), but in general the troll must obtain a court order for the ISP to identify its subscribers. In the UK and Canada, a court order used in a lawsuit to compel information from a third party like an ISP is known as a Norwich order. In the US, courts can issue subpoenas for ISP records.
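The block-to-ISP lookup described above, as an added example that is not part of the original post: it resolves each recorded address to the most specific allocation that contains it, and shows that the result is an ISP, never a subscriber. The allocation table, ISP names, and observations are constructed (documentation address ranges), not real data.

```python
import ipaddress
from collections import defaultdict

# Constructed allocation table (documentation ranges, hypothetical ISP names).
ALLOCATIONS = [
    ("192.0.2.0/24", "ISP-A"),
    ("192.0.2.128/25", "ISP-B"),   # more specific block inside ISP-A's range
    ("198.51.100.0/24", "ISP-C"),
    ("2001:db8::/32", "ISP-A"),
]

# Constructed observations: (address as logged, UTC timestamp).
OBSERVATIONS = [
    ("192.0.2.17", "2015-03-01T10:00:00Z"),
    ("192.0.2.200", "2015-03-01T10:05:00Z"),
    ("198.51.100.9", "2015-03-01T10:07:00Z"),
    ("2001:db8:12::1", "2015-03-01T10:09:00Z"),
    ("203.0.113.5", "2015-03-01T10:11:00Z"),   # falls in no listed block
    ("not-an-ip", "2015-03-01T10:12:00Z"),     # malformed log entry
]

def build_table(allocations):
    """Parse CIDR blocks once, most specific (longest prefix) first."""
    table = [(ipaddress.ip_network(cidr), isp) for cidr, isp in allocations]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)

def isp_for(address, table):
    """Return the ISP holding the most specific block containing address, or None."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None  # malformed entries are never attributed to anyone
    for net, isp in table:
        if ip.version == net.version and ip in net:
            return isp
    return None

def group_by_isp(observations, table):
    """Group observations by ISP; anything unmatched or malformed is UNRESOLVED."""
    groups = defaultdict(list)
    for address, seen_at in observations:
        groups[isp_for(address, table) or "UNRESOLVED"].append((address, seen_at))
    return dict(groups)

if __name__ == "__main__":
    for isp, rows in sorted(group_by_isp(OBSERVATIONS, build_table(ALLOCATIONS)).items()):
        print(isp, rows)
```

The grouping stops at the ISP: tying an address and timestamp to a subscriber requires the ISP's own records, which is why the discovery step exists.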

It is this “discovery phase” of a lawsuit that has generated the most public information about how copyright trolling operates, since as previously mentioned, the plaintiffs in these cases generally avoid proceeding to trial. Instead, they use the legal system to identify individuals who can credibly be threatened by a large penalty if they do not settle an infringement claim. ISPs are effectively caught between the plaintiff and the alleged infringers during the discovery phase, and can behave in a number of different ways. In the US, Verizon has recently opposed a particularly burdensome subpoena from Malibu Media. In Australia, a group of ISPs have jointly opposed efforts to identify thousands of their subscribers in a precedent-setting case that continues to unfold. In Canada, Bell, Videotron and Cogeco complied with a court order to identify subscribers in 2012, but TekSavvy took a different approach in a subsequent case involving the same copyright owner — Voltage Pictures. TekSavvy claimed it could not oppose the motion to identify its subscribers (an argument disputed by Knopf), but it did go further than the Canadian incumbents in the previous case, and CIPPIC was granted intervenor status to argue against disclosure and for the privacy interests of subscribers.

Once IP addresses have been linked to subscriber names and addresses, the trolling operation can begin collecting settlements from defendants. Subscribers who ignore the copyright owner’s demands may end up subject to a default judgement, and those who protest their innocence may end up in a lengthy back-and-forth with lawyers, which in the US has included forensic examination of computers and polygraph tests.

IP addresses

In copyright trolling, the main challenge is linking IP addresses to corresponding subscriber information, which often requires a court order. But once this link is made, what does it mean? Is it evidence that the subscriber infringed copyright?

In criminal internet investigations (such as child pornography), IP addresses are only ever used as supporting evidence. IP addresses do not identify people, but they do become a crucial piece of information in tying people to digital flows and fragments. In a criminal case, the knowledge provided by this association can open the door to a further search of a property and computer hardware, ultimately leading to a conviction. In a copyright trolling lawsuit, an IP address leads to the disclosure of subscriber information, which leads to the subscriber receiving a settlement offer/demand (unless the copyright owner chooses not to send one, after discovering the subscriber’s identity). It is all well and good to argue that an IP address does not identify a person, until you are a person at the receiving end of one of these letters. At that point, you, as an identified person, have some decisions to make.

I will spend more time talking about IP addresses specifically in a subsequent post, as these digital identifiers are important in a variety of contexts besides copyright trolling. In the meantime, I’ll be paying attention to the drawn-out saga of the TekSavvy – Voltage case and how courts around the world learn from each other in dealing with copyright trolling.

The Copyright Surveillance Industry

My most recent publication, The Copyright Surveillance Industry, appears in a special surveillance-themed issue of the open-access journal Media and Communication. In it, I examine the industry that has developed to monitor the unauthorized use and distribution of copyrighted works online. The same companies often help to facilitate copyright enforcement, targeting either allegedly infringing content, or the persons allegedly engaged in infringement. These enforcement actions include sending vast numbers of algorithmically-generated takedown requests to service providers, blocking uploaded content that matches the characteristics of certain files, or the lawsuits filed by “copyright trolls” and law firms engaged in “speculative invoicing”.

The scale and scope of the copyright surveillance industry

An interesting fact about the copyright surveillance industry, given the scale of its interventions (for example, hundreds of millions of Google takedown requests and copyright trolls targeting hundreds of thousands of defendants in both the US and Germany) is the industry’s relatively small size. It is certainly much smaller than the multi-billion dollar industry which develops technological defenses against infringement (known as digital rights management [DRM]), or the billions of dollars flowing through police, security, and military-serving surveillance companies. Copyright surveillance companies with just a handful of employees can leverage algorithmic methods to achieve online coverage on a massive scale. While some of their methods are closely guarded (notably, copyright trolls typically avoid proceeding to trial where their evidence would be subject to scrutiny), small teams of academics working with limited resources to track online file-sharing have achieved similar results.

The first wave of copyright surveillance companies were founded in 1999 and 2000, during the rapid rise of Napster. As file-sharing moved to other platforms, new firms sprang up and some were bought out by larger players. In 2005 MediaDefender (one of the more notable firms at the time, with major music, film, and software clients) was bought for $43 million. Another notable surveillance company, Media Sentry, was bought for $20 million in the same year. This appears to have been a time when enthusiasm for the industry was high. Four years later Media Sentry was sold to MediaDefender’s owner for less than $1 million. Subsequent acquisitions have involved undisclosed amounts of money, but this is generally an industry that deals in millions and tens of millions of dollars, and in which a large company might have several dozen employees.

Today, larger and more notable copyright surveillance companies include Irdeto and MarkMonitor – both the product of industry mergers and buyouts. MarkMonitor, which bought the prominent tracking firm DtecNet in 2010, was reported to have 400 employees in five countries in 2012. Irdeto entered the copyright surveillance market in 2011 when it bought the monitoring firm BayTSP and its 53 employees. These companies offer copyright monitoring and enforcement as just part of their “anti-piracy” or “brand protection” services. There are also smaller and more dedicated companies such as Evidenzia in Germany and Canipre in Canada, and more shadowy players such as Guardaley and its various alleged “shell companies”. Copyright owners (or the law firms that represent them) will seek out and hire these firms. Alternately, surveillance companies drum up business by approaching content owners, informing them that their content is being “pirated”, and offering their services.

Algorithmic surveillance

I’ll discuss copyright trolling and identification based on IP addresses in a subsequent post, but I want to take this post to discuss the sort of algorithmic surveillance commonly used in copyright enforcement. We see algorithmic surveillance wherever there is lots of data to scan and not enough discerning sets of eyeballs to go around, but the copyright surveillance industry has, since its beginnings, been driven by the need to comb through vast online domains, and to do so quickly and inexpensively (ideally, with as little human intervention and supervision as possible).

Much of what is reported, removed, blocked, or flagged as a result of these algorithms is rather uncontroversial from the perspective of copyright law. That is to say, a court might support the algorithm’s judgement that a particular act or piece of content counts as copyright infringement. But algorithms inevitably make mistakes, some of which are so ridiculous that it is clear no thinking human was involved in the process. These include misidentifying promotional content such as official websites and advertisements as copyright infringement. In at least one instance, a copyright enforcement company misidentified their own notices of infringement as actual instances of infringement and issued a takedown notice for them, resulting in a sort of algorithmic feedback loop. These automated misidentifications also result in removing legitimate content belonging to other copyright owners. In one 2011 case, Warner Brothers was accused of repeatedly and willfully issuing mistaken takedown requests. In response, the company essentially argued that it believed its identifications were accurate at the time, and mistakes were not willful because the volume of infringement meant that human beings were unable to fully supervise its automated monitoring.

While there are plenty of examples of algorithms behaving badly in the world of copyright enforcement, it is important to remember that what counts as copyright infringement is often not an easy determination to make. Courts continue to struggle with copyright law’s grey areas, with judges disagreeing on a variety of issues. This is particularly the case with various kinds of “user-generated content”, such as mashups, home videos, or parodies uploaded to YouTube. To make things worse, copyright owners often tolerate or even encourage unauthorized uses of their work (such as fan videos and other forms of fan culture) online. Expecting algorithms to adjudicate what counts as infringement in these circumstances has more to do with the business models of the web and media industries than copyright law. The same can be said for the expectation that users can identify which of their actions count as infringement in advance, and that users who are mistakenly targeted can appeal algorithmic errors when they occur. Ultimately, however, copyright law supports and legitimates these practices, given that the potential penalties for not playing ball with copyright owners far exceed the consequences for abuse or automated carelessness in copyright enforcement.

Internet and digital technologies have opened new possibilities for individuals to create, consume, and distribute content. However, areas of contact between individuals and copyright owners have also increased. Legal and extra-judicial copyright enforcement mechanisms are being employed on a mass scale, based on questionable identifications of individuals and content, and often with limited recourse for those affected. We are likely to see continued calls to make the algorithms involved more accountable, and for ways to determine who can be held accountable for an algorithm’s decisions.