Telecom Companies as Privacy Custodians (Rogers and Telus tower dumps)

Yesterday, Justice Sproat of the Ontario Superior Court released a decision in a case involving Rogers, TELUS, and the Peel Regional Police. Back in 2014, the police force had requested “tower dump” data from these companies in order to identify some robbery suspects. The orders were so broad (the broadest ever, to the knowledge of the TELUS deponent) that the telecom companies opposed them in court. Despite the fact that the production orders were then withdrawn by police, the judge heard the case anyhow, and was able to offer guidance for police and telecom companies dealing with similar cases in the future.

David Fraser has provided a legal analysis of the decision, which found that “the Production Orders were overly broad and that they infringed s. 8 of the Charter” [42]. For me the most interesting aspects are what this decision tells us about the roles and responsibilities of intermediaries as privacy custodians. The decision states (on the issue of whether the companies have standing in the case) that Rogers and TELUS “are contractually obligated” to “assert the privacy interests of their subscribers” [38]. That is to say, the relationship these companies have with their customers creates obligations to protect subscriber information, and this protection includes defending subscribers against unconstitutional court orders. It is not reasonable to expect individual subscribers to defend their privacy interests in such cases — the intermediary should stand between the individual and the state as a privacy custodian (and this means making determinations about which police requests and court orders are unconstitutional).

Also of particular interest is the judge’s recommendation that police should request “a report based on specified data instead of a request for the underlying data itself”, unless this “underlying data” is required for some reason [65]. This means that instead of asking companies such as Rogers and TELUS for the personal information of tens of thousands of subscribers, so that the police can determine which subscribers to investigate further (presumably those in the proximity of more than one crime scene), the telecom companies could do this work themselves, and disclose only the information of subscribers that meet particular criteria. In effect, this type of practice would require and entrust intermediaries to do as much of the initial investigatory work as possible, handing over only the information that police need to proceed further. This particular guideline is meant to limit the privacy impact of such disclosures, since the judge notes that personal information in the hands of police can be vulnerable to being “hacked” [20], and that police in possession of such data are not subject to conditions on data retention [59-60].
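The "report instead of underlying data" approach from paragraph [65], as an added example that is not taken from the decision or from any carrier's system: the carrier intersects its own tower records across the crime scenes and discloses only subscribers seen at two or more of them. The record layout, subscriber and tower identifiers, time windows, and the two-scene threshold are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Scene:
    label: str          # hypothetical label for one crime scene
    towers: frozenset   # towers covering that scene
    start: datetime     # start of the time window named in the order
    end: datetime       # end of the time window named in the order


@dataclass(frozen=True)
class Record:
    subscriber: str     # carrier-internal subscriber id (constructed)
    tower: str
    seen_at: datetime


def scenes_per_subscriber(records, scenes):
    """Map each subscriber to the set of scenes where they were seen.

    Distinct scenes are counted, not records: a person who lives beside
    one scene produces many records but still only one scene.
    """
    hits = defaultdict(set)
    for rec in records:
        for scene in scenes:
            in_window = scene.start <= rec.seen_at <= scene.end
            if rec.tower in scene.towers and in_window:
                hits[rec.subscriber].add(scene.label)
    return hits


def build_report(records, scenes, min_scenes=2):
    """Return only what would be disclosed, plus counts for oversight."""
    hits = scenes_per_subscriber(records, scenes)
    matches = {
        sub: sorted(labels)
        for sub, labels in sorted(hits.items())
        if len(labels) >= min_scenes
    }
    return {
        "matches": matches,
        # Everyone a raw tower dump would have exposed to police.
        "subscribers_in_raw_dump": len(hits),
        "subscribers_disclosed": len(matches),
        "subscribers_withheld": len(hits) - len(matches),
    }


def _t(day, hour, minute):
    # Constructed timestamps; the dates carry no meaning.
    return datetime(2000, 1, day, hour, minute)


# Constructed sample: three scenes, five subscribers.
SCENES = [
    Scene("S1", frozenset({"T1", "T2"}), _t(10, 14, 0), _t(10, 15, 0)),
    Scene("S2", frozenset({"T7"}), _t(17, 9, 0), _t(17, 10, 0)),
    Scene("S3", frozenset({"T9"}), _t(24, 20, 0), _t(24, 21, 0)),
]

RECORDS = [
    # sub-001: three records, all at scene S1 (a local resident).
    Record("sub-001", "T1", _t(10, 14, 5)),
    Record("sub-001", "T1", _t(10, 14, 30)),
    Record("sub-001", "T2", _t(10, 14, 50)),
    # sub-002: present at S1 and S2.
    Record("sub-002", "T1", _t(10, 14, 10)),
    Record("sub-002", "T7", _t(17, 9, 30)),
    # sub-003: present at S2 only.
    Record("sub-003", "T7", _t(17, 9, 15)),
    # sub-004: near S1's tower but outside its window, then at S3.
    Record("sub-004", "T1", _t(10, 16, 0)),
    Record("sub-004", "T9", _t(24, 20, 30)),
    # sub-005: present at all three scenes.
    Record("sub-005", "T2", _t(10, 14, 20)),
    Record("sub-005", "T7", _t(17, 9, 45)),
    Record("sub-005", "T9", _t(24, 20, 5)),
]


if __name__ == "__main__":
    report = build_report(RECORDS, SCENES)
    for sub, labels in report["matches"].items():
        print(sub, labels)
    print("withheld:", report["subscribers_withheld"])
```

With this sample, a raw dump would hand over five subscribers' records, while the report names two.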

For me, the unanswered question is: why Rogers and TELUS? There are larger players than TELUS in Ontario, but this is a company that has pushed back before against such overreach. If the police had no idea who the suspects or their mobile providers were, did they obtain production orders for all mobile providers, and only Rogers and TELUS pushed back? If so, did other companies fail their customers as privacy custodians by not opposing such orders?

Digital Sovereignty

In the 1990s, it became quite common to hear arguments about the ‘decline of the state’, and the accompanying loss (or diffusion) of sovereignty. Evidence for such arguments included the end of the Cold War, globalization, the growth of corporate power, and the internet. Today, many people still see the internet as an ungoverned, lawless place that no government can control, but academics have been arguing against this notion since long before the Snowden disclosures. Today, the idea that the internet is immune to state sovereignty is presented as a ‘cyber-utopian’ fantasy that can be dispelled with countless examples of government power from around the world.

In Canada, IXmaps was born of pre-Snowden revelations of mass internet surveillance by the NSA on US soil. It has long been clear that the NSA has secretly exercised sovereignty over internet traffic which passes through the US, but might originate or terminate elsewhere (including Canada). One response has been to call for Canada’s federal government to promote “national network sovereignty”, which would “repatriate” the data of Canadians by keeping it within the nation’s borders. The Snowden disclosures have certainly strengthened desires to keep data contained by territory, but the idea of a sovereign Canadian network seems about as likely as a national broadband utility or Canada leaving the Five Eyes.

The Chinese state, which provided some of the earliest examples of just how sovereignty could be exercised over the internet through its “Great Firewall”, is now strengthening calls for “cyber sovereignty”. By this, President Xi Jinping means the “right” of each nation to govern its own patch of the internet, free from interference by other states.

Meanwhile, in the US and UK (and to a lesser extent, Canada), governments, police, and security services have complained about their inability to access communications — because of encryption. While the word ‘sovereignty’ is rarely used, the argument is that law and order in today’s society extends only as far as the state’s ability to access data. If a court orders that data should be accessible to police, but encryption makes this technically impossible, then the law becomes powerless in the digital age. Just as state sovereignty has traditionally meant a domestic monopoly over violence, sovereignty today has been equated with a monopoly over secrets. Only the state has the ultimate right to secrecy. The rest of us can maintain secrets, but only if government has a means to demand access.

Companies like Apple and Google (whom some have called “internet sovereigns”) have pushed back, and in the US and UK their arguments have either been quite persuasive, or government arguments for backdoor access have not been persuasive enough. The limits of state sovereignty against encryption, originally tested by the controversy over the Clipper Chip in the 1990s, have largely held firm. While according to Mitchell Dean, the liberal order presupposes state sovereignty (and not the sovereign rights of service providers), sovereignty remains “an aspiration, a more or less accomplished fact” (p. 140). With regard to the internet and encryption, state sovereignty has been accomplished to a much more limited degree than many governments would like. But this has less to do with the incompatibility of state sovereignty and the internet than with the fact that sovereignty is “an always open question, a matter of historical, political, linguistic and symbolic construction and contestation” (p. 141).

The current period seems to be a critical time for such contests, and as with the Clipper Chip, the outcome won’t be determined by the question of whether state sovereignty is fundamentally compatible or incompatible with a given technology.

Copyright trolls and online identification

My previous post dealt with copyright surveillance and algorithmic judgement, and here I want to focus on a particular kind of copyright surveillance and enforcement that has achieved a special sort of notoriety in recent years: copyright trolling.

Some of this is based on my most recent article, The Copyright Surveillance Industry, which appears in the open-access journal Media and Communication. I’m also working on a future piece that deals with copyright enforcement, privacy, and how IP addresses and persons become linked.

Why this matters

First, copyright trolling is having an enormous impact, with hundreds of thousands of defendants named in US and German lawsuits in just a few years. Precedent-setting cases in other countries (such as Australia and Canada) have been determining whether this practice (sometimes called “speculative invoicing”) can spread into new jurisdictions. Some legal scholars have described copyright trolling as a “blight”, an abuse of the legal system, or a kind of “legal ransom”. Defendants must choose whether to pay what the troll demands, or face the prospect of an expensive (and sometimes embarrassing) legal fight. Balganesh makes a strong argument that this exploitative, profit-based use of the legal system disrupts the traditional “equilibrium” of copyright’s underenforcement.

Studying copyright trolling cases can also help us come to terms with the question of personal identification and attribution on the internet – what it means to connect traces of online activity to human bodies and the devices with which they interact. The thorny question of how to link persons to digital flows has been a topic of intense interest for a variety of surveillance institutions, including advertisers and intelligence agencies. Legal institutions around the world have been struggling with related questions in trying to assign responsibility for data communicated over the internet. Copyright trolling is just one example of this problem, but it’s one that is currently playing out in a number of countries on a massive scale.

What is a copyright troll?

Copyright trolls are the products of contemporary copyright regimes, internet technologies, and creative legal entrepreneurs. No one self-identifies as a troll, so the label is pejorative, and used to criticise certain kinds of copyright plaintiffs.

The term is derived from “patent trolls”: patent-owning entities that demand payments from companies allegedly infringing their patents. Like patent trolls, copyright trolls demand payments following alleged infringement of copyright. The difference is that a typical patent troll does not produce anything of value, and simply generates income through settlements and lawsuits. While the term “copyright troll” is usually reserved for law firms engaging in “trollish” practices, these firms represent copyright owners that do produce creative work for sale. It is typically the law firms that drive trolling practices. Some reserve the term “troll” strictly to describe those legal firms that acquire the ability to sue from copyright owners under certain terms (namely, to pass along a percentage of any settlements received to the copyright owner). The law firms can then exercise their copyright enforcement power autonomously.

The line between what is and is not a troll is more difficult to draw in copyright than patent law, since the law firms involved can point to a legitimate business that they are protecting and particular works being “pirated”. This has not stopped a number of authors from trying to come up with a workable way of delineating trolls from other plaintiffs, but these definitions end up encompassing only a particular slice of trolling operations (given their variability and opportunistic adaptability). There are varying degrees of autonomy that trolling law firms exercise: while some have a free hand in pursuing their legal strategies, others take direction from copyright owners. Because of this, I avoid labelling any specific companies as copyright trolls. Instead (and largely in agreement with Sag, 2014), I refer to copyright trolling as a practice – one that threatens large numbers of individuals with copyright infringement claims, with the primary goal of profiting from settlements rather than proceeding to trial on the merits of a case (see Curran, 2013, p. 172).

How copyright trolling works

In theory, copyright trolling can develop wherever a copyright owner stands to profit from initiating lawsuits against alleged infringers. The now-infamous Righthaven attempted to build its business model around suing people who were sharing news articles. Currently, Canadian government lawyers are accusing Blacklock’s Reporter of being a copyright troll, after the site filed suit against several departments and agencies for unauthorized sharing of the site’s articles. My focus here will be on the most common form of copyright trolling — suing people accused of file-sharing copyrighted works. Because the defendants in these cases are listed as “Does” until identified, and plaintiffs typically file suit against multiple (sometimes hundreds or thousands of) defendants at once, these cases can be called Multi-defendant John/Jane Doe Lawsuits. They begin with the collection of IP addresses tied to alleged infringement, proceed to the identification of internet subscribers assigned those IP addresses (discovery), and conclude with claims made against these subscribers in the hope of reaching settlements or (if defendants do not respond) default judgements.

A copyright surveillance company is used to monitor file-sharing networks (principally BitTorrent), where IP addresses of those engaged in file-sharing can be recorded. Just as the activities and IP addresses of downloaders and uploaders are largely visible on BitTorrent, so are the activities of copyright surveillance companies. This is because collecting information on file-sharing cannot be achieved without some level of interaction: connections need to be established with file-sharers so that their IP addresses can be recorded. Once a copyright surveillance company has collected the IP addresses involved in sharing a particular file, it hands them over to a law firm. While there are allegations that a particular German-based copyright surveillance company has been the driving force behind many US copyright trolling cases, typically the surveillance company exits the picture once IP addresses have been collected.

The next step is to identify the persons “behind” these IP addresses, and the only way to make this link is through the cooperation or forced compliance of an ISP. Since blocks of IP addresses are assigned to particular ISPs, a law firm can determine which ISPs’ customers to pursue by checking their list of recorded IP addresses. Copyright trolls have to be selective, targeting particular ISPs on the basis of geography (jurisdiction) or other factors. ISPs vary in their levels of cooperation with copyright owners that seek to identify allegedly infringing subscribers. In some cases it has been possible to get an ISP to forward a settlement letter without disclosing the identity of the subscriber (for instance, by abusing Canada’s notice-and-notice system), but in general the troll must obtain a court order for the ISP to identify its subscribers. In the UK and Canada, a court order used in a lawsuit to compel information from a third party like an ISP is known as a Norwich order. In the US, courts can issue subpoenas for ISP records.

It is this “discovery phase” of a lawsuit that has generated the most public information about how copyright trolling operates, since as previously mentioned, the plaintiffs in these cases generally avoid proceeding to trial. Instead, they use the legal system to identify individuals who can credibly be threatened by a large penalty if they do not settle an infringement claim. ISPs are effectively caught between the plaintiff and the alleged infringers during the discovery phase, and can behave in a number of different ways. In the US, Verizon has recently opposed a particularly burdensome subpoena from Malibu Media. In Australia, a group of ISPs have jointly opposed efforts to identify thousands of their subscribers in a precedent-setting case that continues to unfold. In Canada, Bell, Videotron and Cogeco complied with a court order to identify subscribers in 2012, but TekSavvy took a different approach in a subsequent case involving the same copyright owner — Voltage Pictures. TekSavvy claimed it could not oppose the motion to identify its subscribers (an argument disputed by Knopf), but it did go further than the Canadian incumbents in the previous case, and CIPPIC was granted intervenor status to argue against disclosure and for the privacy interests of subscribers.

Once IP addresses have been linked to subscriber names and addresses, the trolling operation can begin collecting settlements from defendants. Subscribers who ignore the copyright owner’s demands may end up subject to a default judgement, and those who protest their innocence may end up in a lengthy back-and-forth with lawyers, which in the US has included forensic examination of computers and polygraph tests.

IP addresses

In copyright trolling, the main challenge is linking IP addresses to corresponding subscriber information, which often requires a court order. But once this link is made, what does it mean? Is it evidence that the subscriber infringed copyright?

In criminal internet investigations (such as child pornography), IP addresses are only ever used as supporting evidence. IP addresses do not identify people, but they do become a crucial piece of information in tying people to digital flows and fragments. In a criminal case, the knowledge provided by this association can open the door to a further search of a property and computer hardware, ultimately leading to a conviction. In a copyright trolling lawsuit, an IP address leads to the disclosure of subscriber information, which leads to the subscriber receiving a settlement offer/demand (unless the copyright owner chooses not to send one, after discovering the subscriber’s identity). It is all well and good to argue that an IP address does not identify a person, until you are a person at the receiving end of one of these letters. At that point, you, as an identified person, have some decisions to make.

I will spend more time talking about IP addresses specifically in a subsequent post, as these digital identifiers are important in a variety of contexts besides copyright trolling. In the meantime, I’ll be paying attention to the drawn-out saga of the TekSavvy – Voltage case and how courts around the world learn from each other in dealing with copyright trolling.

The Copyright Surveillance Industry

My most recent publication, The Copyright Surveillance Industry, appears in a special surveillance-themed issue of the open-access journal Media and Communication. In it, I examine the industry that has developed to monitor the unauthorized use and distribution of copyrighted works online. The same companies often help to facilitate copyright enforcement, targeting either allegedly infringing content, or the persons allegedly engaged in infringement. These enforcement actions include sending vast numbers of algorithmically-generated takedown requests to service providers, blocking uploaded content that matches the characteristics of certain files, or the lawsuits filed by “copyright trolls” and law firms engaged in “speculative invoicing”.

The scale and scope of the copyright surveillance industry

An interesting fact about the copyright surveillance industry, given the scale of its interventions (for example, hundreds of millions of Google takedown requests and copyright trolls targeting hundreds of thousands of defendants in both the US and Germany) is the industry’s relatively small size. It is certainly much smaller than the multi-billion dollar industry which develops technological defenses against infringement (known as digital rights management [DRM]), or the billions of dollars flowing through police, security, and military-serving surveillance companies. Copyright surveillance companies with just a handful of employees can leverage algorithmic methods to achieve online coverage on a massive scale. While some of their methods are closely guarded (notably, copyright trolls typically avoid proceeding to trial where their evidence would be subject to scrutiny), small teams of academics working with limited resources to track online file-sharing have achieved similar results.

The first wave of copyright surveillance companies were founded in 1999 and 2000, during the rapid rise of Napster. As file-sharing moved to other platforms, new firms sprang up and some were bought out by larger players. In 2005 MediaDefender (one of the more notable firms at the time, with major music, film, and software clients) was bought for $43 million. Another notable surveillance company, Media Sentry, was bought for $20 million in the same year. This appears to have been a time when enthusiasm for the industry was high. Four years later Media Sentry was sold to MediaDefender’s owner for less than $1 million. Subsequent acquisitions have involved undisclosed amounts of money, but this is generally an industry that deals in millions and tens of millions of dollars, and in which a large company might have several dozen employees.

Today, larger and more notable copyright surveillance companies include Irdeto and MarkMonitor – both the product of industry mergers and buyouts. MarkMonitor, which bought the prominent tracking firm DtecNet in 2010, was reported to have 400 employees in five countries in 2012. Irdeto entered the copyright surveillance market in 2011 when it bought the monitoring firm BayTSP and its 53 employees. These companies offer copyright monitoring and enforcement as just part of their “anti-piracy” or “brand protection” services. There are also smaller and more dedicated companies such as Evidenzia in Germany and Canipre in Canada, and more shadowy players such as Guardaley and its various alleged “shell companies”. Copyright owners (or the law firms that represent them) will seek out and hire these firms. Alternatively, surveillance companies drum up business by approaching content owners, informing them that their content is being “pirated”, and offering their services.

Algorithmic surveillance

I’ll discuss copyright trolling and identification based on IP addresses in a subsequent post, but I want to take this post to discuss the sort of algorithmic surveillance commonly used in copyright enforcement. We see algorithmic surveillance wherever there is lots of data to scan and not enough discerning sets of eyeballs to go around, but the copyright surveillance industry has, since its beginnings, been driven by the need to comb through vast online domains, and to do so quickly and inexpensively (ideally, with as little human intervention and supervision as possible).

Much of what is reported, removed, blocked, or flagged as a result of these algorithms is rather uncontroversial from the perspective of copyright law. That is to say, a court might support the algorithm’s judgement that a particular act or piece of content counts as copyright infringement. But algorithms inevitably make mistakes, some of which are so ridiculous that it is clear no thinking human was involved in the process. These include misidentifying promotional content such as official websites and advertisements as copyright infringement. In at least one instance, a copyright enforcement company misidentified their own notices of infringement as actual instances of infringement and issued a takedown notice for them, resulting in a sort of algorithmic feedback loop. These automated misidentifications also result in removing legitimate content belonging to other copyright owners. In one 2011 case, Warner Brothers was accused of repeatedly and willfully issuing mistaken takedown requests. In response, the company essentially argued that it believed its identifications were accurate at the time, and mistakes were not willful because the volume of infringement meant that human beings were unable to fully supervise its automated monitoring.

While there are plenty of examples of algorithms behaving badly in the world of copyright enforcement, it is important to remember that what counts as copyright infringement is often not an easy determination to make. Courts continue to struggle with copyright law’s grey areas, with judges disagreeing on a variety of issues. This is particularly the case with various kinds of “user-generated content”, such as mashups, home videos, or parodies uploaded to YouTube. To make things worse, copyright owners often tolerate or even encourage unauthorized uses of their work (such as fan videos and other forms of fan culture) online. Expecting algorithms to adjudicate what counts as infringement in these circumstances has more to do with the business models of the web and media industries than copyright law. The same can be said for the expectation that users can identify which of their actions count as infringement in advance, and that users who are mistakenly targeted can appeal algorithmic errors when they occur. Ultimately, however, copyright law supports and legitimates these practices, given that the potential penalties for not playing ball with copyright owners far exceed the consequences for abuse or automated carelessness in copyright enforcement.

Internet and digital technologies have opened new possibilities for individuals to create, consume, and distribute content. However, areas of contact between individuals and copyright owners have also increased. Legal and extra-judicial copyright enforcement mechanisms are being employed on a mass scale, based on questionable identifications of individuals and content, and often with limited recourse for those affected. We are likely to see continued calls to make the algorithms involved more accountable, and for ways to determine who can be held accountable for an algorithm’s decisions.

Canada’s cyber security and the changing threat landscape

My article, Canada’s cyber security and the changing threat landscape, has just been published online by Critical Studies on Security.

Broadly, it grapples with what cyber security has come to mean in the Canadian context. The article deals partly with Canada’s Cyber Security Strategy, the operations of the Canadian Cyber Incident Response Centre (CCIRC) between 2011 and 2013 (a time of great concern over hacktivism [Anonymous] and Advanced Persistent Threats [China]), and what we can say about Canada’s cyber security orientation in the “post-Snowden era”. It is based on publicly-available texts and several years of Access to Information requests (the requests were informal, for documents already released to other people, giving me several thousand pages to work with).

What is cyber security, and why should we care?

Cyber security emerged from a narrow set of concerns around safeguarding information and networks, but in recent years it has become intimately tied to foreign and domestic political objectives. This means that cyber security cannot be defined and delimited in the same way as the field of information security (as protecting the confidentiality, integrity, and availability of information). Instead, cyber security is a collective endeavor, typically tied to the larger project of national security, but also encompassing a broader set of social and ethical concerns. This is why hateful messages sent by teens are now treated as a cyber security problem, while Canada’s government fails to acknowledge the international cyber threat posed by its foreign allies.

One of the key effects of cyber security strategies and classifications is that they specify the boundaries of what is to be secured. As the line between ‘cyber’ and ‘non-cyber’ continues to blur, the scope of cyber security’s concerns can expand to cover new kinds of threats. If it is true, as the opening of Canada’s Cyber Security Strategy 2010 declares, that our “personal and professional lives have gone digital”, that we now “live, work, and play in cyberspace”, then cyberspace is not just a new domain to be secured, but a fundamental part of our lived reality. This means that it is now possible to conceive of cyber threats as existential threats of the highest order, but also that the project of cyber security will have deepening implications for our daily lives. Some of these implications can only be discussed by referencing the work of security professionals – work which typically takes place out of public view.

Operational and Technocratic Discourse

My article began as a work of discourse analysis, but over time I turned increasingly to international relations (IR) and what has been called the “Paris School” of security studies. I found that previous analyses of cyber security discourse, influenced by the Copenhagen School, focused largely on public discourse, and how political actors work to get cyber security on the political agenda (as a response to new, existential threats). The Paris School, meanwhile, emphasizes that new security issues can arise and be defined in the hidden world of security professionals and their technocratic practices. The volumes of internal threat reports, alerts, and government emails accessible through Access to Information became a rich source for this technocratic and operational discourse, providing a sense of how the moving parts of cyber security fit together in practice.

Hacktivism

Hacktivism is an interesting threat category to consider because, at least in Canada, it has never been subject to visible politicization. Unlike cyberbullying, no new laws have been proposed to deal with hacktivists, and public officials have avoided referencing the threat in their public proclamations. The Government seems more willing to deal with hacktivism quietly than to engage in a public fight against Anonymous, or to publicly condemn tactics that some see as a legitimate form of protest.

Nevertheless, hacktivism has become a major preoccupation for Canadian security agencies, as evident through volumes of operational discourse, including detailed reports and responses to hacktivist campaigns. Where cyberbullying can be reduced to a problem of ethical conduct, common forms of hacktivism such as DDoS reduce to a technical problem. A DDoS attack becomes hacktivism by virtue of its political motivation, and not its methods. While DDoS actions have typically been handled by CCIRC and CTEC as individual incidents, the operational threat category of hacktivism makes these events legible as part of a larger and pathological social trend, and the growing concern with hacktivism since 2010 indicates cyber security’s opposition to disruptive forms of online activism and politically-motivated hacking.

Advanced Persistent Threats (APTs)

As actors define and redefine cyber security’s terminology, they produce new conceptions, repurpose old ones, and experiment with metaphors. Sometimes, a term becomes a prolific ‘buzzword’, securing regular usage in cyber security discourse, and also inevitably becoming a point of contention. One of the best recent examples is the Advanced Persistent Threat (APT). This is the threat category that best represents cyber security’s oblique treatment of international affairs and the new strategic stakes of cyber security. Where hacktivism is the intersection of cyber security and protest in operational discourse, APTs bring cyber security into opposition against state actors. The term usually refers to a well-resourced threat actor willing to devote considerable effort to compromise a particular target, and is often understood to mean a state-backed attacker – sometimes becoming simply a shorthand for “China”.

In tracing the emergence and proliferation of this new threat category, it is possible to get some sense of the multiple constituents and channels of cyber security discourse. In this case, a category emerged in the operational discourse of the US military, spread rapidly through the North American security industry, and was adopted for internal use by CCIRC in the aftermath of a major security breach in 2011. Along the way it was used to classify a growing number of intrusions and data breaches, sell security products and services, and make intelligible a world of online geopolitical contestation. APTs could be invoked to specify a threat, while eliding the attribution problem and preserving nominal ambiguity in the international political arena. For CCIRC, APTs became an operational threat category at a time when Chinese hackers were widely suspected of compromising Canadian government systems, and the term proliferated into public discourse through Mandiant’s reporting of Chinese cyber espionage in 2013. Not long after, the Snowden disclosures had a dramatic impact on how we understand and talk about cyber security.

After Snowden

One of the most important revelations of the Snowden documents has been that the project of cyber security (at least as interpreted by signals intelligence agencies like NSA, GCHQ and CSE) can include compromising the very digital infrastructure it is tasked to protect. Domestic cyber security programs can become an “advanced persistent threat” – a term once reserved for foreign hackers. Given these developments, it is worthwhile to reflect on how the governmental project of cyber security has evolved in recent years, and what cyber security has come to mean. This is particularly important in Canada, a country closely implicated in US cyber security efforts, but where post-Snowden commentary has made comparatively little impact.

The lack of visible concern by Canada’s government about the security threat posed by its closest allies (a threat that Canada has apparently facilitated) speaks to how foreign policy shapes the nation’s cyber security priorities. It also sends the dangerous message that while Canada is unable to clearly define a vision of what it is trying to secure, cyber security is somehow compatible with pervasive surveillance and widespread hacking.

State cyber security agencies work to guard us from new threats, but seem blind to the possibility that they or their partners might also threaten our security. To paraphrase Google’s chairman, an attack is an attack, whether it comes from China or the NSA. For Canada’s CSE and the other Five Eyes members, the equivalence may not be as clear. If cyber security is subordinated to national security interests and compatible with government hacking, then threats will continue to be defined very differently by those inside and outside government. In addition to a broadening scope for cyber security’s concerns, the current trend is one of growing division between government cyber security efforts and more clearly circumscribed approaches to information security by private companies and civil society.

The idea that cyber security can be compatible with hacking domestic companies and maintaining vulnerabilities in commonly-used technologies might be seen as a continuation of the exceptional measures justified by 9/11. But more fundamentally, it reflects the technocratic imperatives of agencies tasked with gaining and maintaining access to communications infrastructure. The Five Eyes’ objectives go far beyond countering terrorism, and surreptitious access to communications infrastructure is increasingly part of the larger cyber security project. This dangerous vision of cyber security has evolved in secret, establishing procedures for who can be targeted, what can be collected, and where compromising security might help to make us safer. We did not learn of these measures through visible political discourse or securitizing rhetoric (the traditional focus of the Copenhagen School), but through operational documents and presentation slides from closed meetings of security professionals.

Measuring Canada’s Internet

For most people, internet performance is a mystery. Many subscribers do not even know the level of bandwidth they are paying for, let alone how to test if they are actually receiving the sorts of speeds their ISP advertises. Canadian regulators have often been in the dark as well, which is a problem when their decisions are supposed to take the availability and geographic distribution of broadband into account.

Regulators have traditionally depended on information provided by industry as a basis for policy decisions, but this information can be inaccurate or incomplete. There are ample cases in the US and Canada where certain regions have been listed as having access to a certain level of broadband, or choice of ISPs, whereas the reality on the ground has been far less than what is supposedly available. This problem is not unknown to regulators. Network BC, working with Industry Canada and the CRTC, launched its broadband mapping initiative in 2014. This included consultations with the various ISPs spread across the province to determine what services were actually available in what locations, resulting in an interactive connectivity map. Industry Canada watched the efforts in BC closely, and is currently soliciting information from ISPs to carry out a national broadband availability mapping project. However, such efforts do not include any independent means of actually measuring internet performance in these areas.

Up until now, the go-to place for Canadian internet performance surveys that utilize a third-party service (that don’t rely on ISPs for information) has been averages of Ookla’s speedtest.net (see here and here), which is the same service typically used by individuals to see how their internet connections measure up. But the results are not really meant to be a basis for policy decisions, since the averages are not pulled from a representative sample, and the (mean) speeds are often higher than what is available to a “typical” internet subscriber.

The big news in recent weeks has been the entry of new players in the internet metrics game. First, CIRA kicked off its own broadband mapping effort, which anyone can participate in and provide information to (an appropriate browser/OS combo may be required to participate). The map is very much a work-in-progress, which will fill out as individuals add more data points, and as new features and methods are added. Not long after, the CRTC announced its own internet measuring initiative. This is new territory for the CRTC, which has never had much of an ability to independently investigate or collect data about the telecom industry it regulates. However, the plan has been in the works since at least 2013, and may be based on the FCC’s Measuring Broadband America project, which has been underway since 2011. As in the US (along with Europe, Brazil, Singapore, and other nations), the CRTC’s program depends on the use of the SamKnows “whiteboxes” deployed at participating locations (the CRTC is currently looking for volunteers to receive and set up the devices). These devices measure connectivity between the subscriber’s premises and major connection points between ISPs.

There are a number of concerns (see here and here) with the CRTC’s efforts. ISPs could try to “game” the metrics to make their network’s performance appear better (ISPs know which of their subscribers have the boxes, since they use this information to make sure the testing doesn’t contribute to a subscriber’s data cap). SamKnows might only measure internet performance in off-peak hours, when connectivity is less likely to be a problem, since the boxes are intended to operate when subscribers aren’t making full use of their bandwidth (on another page, the CRTC has gone even farther to say the information will be gathered “when users are not connected”). Not all ISPs are participating in the program, raising the concern that smaller players and rural areas that are most disadvantaged in terms of connectivity are being left out. This last point relates to the importance of having a representative sample, which is a fundamental precondition for any survey that attempts to calculate meaningful (or generalizable) statistics. All of the above can be addressed with a properly designed methodology, full transparency of these methods, and careful qualification of the results. Here, the CRTC has plenty of international examples to draw from, and SamKnows has built its business around such openness, but we will have to wait for more details to weigh in on whether this particular partnership has done a good job.

Finally, it is important to realize that no test can ever truly gauge the speed of “the internet” from a given location. Typically, the best that can be achieved is a measurement from a subscriber’s home to a “major internet gateway”, where an ISP connects to the rest of the world. The ISP has no control over how fast the rest of the world’s internet is, and limited control over the performance of services that aren’t hosted on its network. Even the fastest gigabit networks are no faster than their connections to services “upstream,” like Netflix – a problem the FCC had to contend with as it tried to measure the performance of ISPs that were engaged in peering disputes that limited their connections to the streaming service.

Ultimately, all of this indicates a broader trend towards data gathering to erase some of the mystery about how the internet actually “performs”. For individuals, these are welcome steps towards becoming better informed about what one’s ISP actually provides, but also about what goes into determining internet speed or performance in the first place. For regulators, accurate and comprehensive information is a precondition for effective public policy, and it’s great to see Industry Canada and the CRTC taking steps to refine the picture they have of Canadian connectivity as they come to decide important questions about the future of Canada’s internet.

Positive and Negative Responsibilities for Internet Intermediaries

I’m interested in the responsibilities of various “internet intermediaries”. These might be internet service providers (ISPs), online service providers (like Google or Netflix), or increasingly, some combination of the two functions under the same organizational umbrella.

Regulations require these intermediaries to do certain things and avoid doing others. Child pornography or material that infringes copyright must be taken down, but personal communications or online behaviours cannot be tracked without consent and a valid reason. Certain protocols might be throttled where necessary for “network management”, but otherwise ISPs should not discriminate between packets. It strikes me that these responsibilities – duties to intervene and duties not to intervene – can be likened to the idea of positive and negative rights or duties in philosophy, where positive rights oblige action, and negative rights oblige inaction.

If notified of the presence of illicit content, a host must take action or face sanctions. This is a positive responsibility to intervene given certain conditions. Privacy protections and net-neutrality regulations are often negative responsibilities, in that they prevent the intermediary from monitoring, collecting, or discriminating between data flows.

However, as with positive and negative rights, it is not always easy to tease the two apart. Negative responsibilities can have a positive component, and the two are often bundled together. For example, the positive duty to install a court-ordered wiretap is typically tied to the negative duty of not informing the wiretap’s target. Non-discrimination is a negative responsibility, but US ISPs have been accused of discriminating against Netflix by not upgrading links to handle the traffic coming from the video services. Under this logic, an ISP has a positive responsibility to ensure its customers have adequate access to Netflix. Anything less amounts to discrimination against Netflix. In Canada, ISPs also have a negative responsibility not to discriminate against video services like Netflix, particularly since Netflix competes with incumbent ISPs’ own video offerings. However, the Canadian regulatory regime seems to be headed towards imposing the positive responsibility on these ISPs to make their own video services available through other providers under equal terms, under the reasoning that equal treatment and exclusivity cannot coexist.

I think the distinction between positive and negative responsibilities can be useful, particularly since the majority of the academic literature about internet intermediaries has emphasized their positive responsibilities. There has been less discussion of all the things that intermediaries could be doing with our traffic and data, but which they choose not to, or are constrained from doing.

On Cyberspace

When William Gibson coined “cyberspace” in the early 1980s, he was primarily interested in coming up with an exciting setting for science fiction, and one with a cool-sounding name. As he has told the story in numerous interviews, Gibson came across a Vancouver arcade one day and was struck by the intensity with which the gamers engaged with the screen, leaning ever closer as if they were trying to push through it to a world on the other side. He wanted to imagine what that world was like – to explore the “notional space” inside the computer. These days, Gibson has mixed feelings about the term he coined. In 2007 he was reported announcing the demise of ‘cyber’ talk, and has joined many others pointing out how unhelpful it was to think about cyberspace as some separate, virtual realm.

And yet, cyber talk keeps proliferating. Cyberspace has become a bloated, rudderless place-holder of a word. It means less and less every day, as it expands to encompass more and more. As the world fills up with networked computers, cyberspace is suddenly everywhere. Militaries have started slapping the ‘cyber’ label onto practices that fifty years ago had other names, like signals intelligence and electronic warfare. Now these are all ‘cyber operations’ and the domain of operations is cyberspace. In 2010 Canada’s government put forward a rather 1980s Gibsonian definition of cyberspace, and went about trying to secure it.

William Gibson is not the only one trying to helpfully remind people that cyberspace does not actually exist – that this is a word he invented to fill a storytelling need, which then took on a life of its own. Other writers have also been trying to get past the virtual, and point to the material. In the 1990s and 2000s, ‘cyber-utopians’ imagined they would have the freedom to build a new world in cyberspace. Some still do, but a realist backlash (of which Evgeny Morozov is the prime example) has reminded us that utopias can be dangerous, and that cyberspace is not somewhere we can go to escape power and exploitation. Our networks are material; they exist in governed territories; they must contend with states and other sovereigns.

My ongoing work is certainly an attempt to help ground internet studies in a material dimension, but I am struck by a vision similar to what Gibson saw in those kids in that arcade. These days, if you want to see someone getting immersed in a screen, you can likely just look across the room or out the window. Few of us imagine that we are somehow ‘in cyberspace’ when we hold the screen up to our face, and yet there is a world behind that screen. This world is largely invisible, sometimes secret, and usually hard to understand. It is a world of cables and switches, companies handing packets to one another on privately-agreed terms, while regulators and assorted security agents work to produce some sort of order.

Like a bad hangover from the 1980s and 90s, cyberspace persists in jargon and a great deal of government and academic discourse. One of the reasons is the difficulty of finding an adequate catch-all replacement. ‘The internet’ can be even more nebulous than cyberspace, and ‘online’ tends to be used as an adjective. At the present moment, it is more helpful to turn away from talk of virtual worlds, and focus on the material one we all have to contend with.