Tuesday, December 06, 2011

Vic Toews will get way more than your phone number

John Ibbitson had a piece last week, Tories Have Yet to Prove Case for E-Snooping, that raised the temperature on the lawful access debate. A key excerpt was this quote from the federal Privacy Commissioner: “there is not even a requirement for the commission of a crime to justify access to personal information – real names, home address, unlisted numbers, e-mail addresses, IP addresses and much more – without a warrant.”

In response, on Saturday Vic Toews wrote a letter to the editor of the Globe. He compared the amount of information that could be obtained without a warrant from internet service providers to that you would find in the phone book:
We will allow police to access “phone book”-type information from Internet service providers. If it becomes necessary to find a suspect's name, address, phone number or other similar identifier, ISPs will be required to disclose that information. ISPs will be required to have the capacity to allow police to investigate – strictly with a warrant – all communication methods.

Let me be clear: No legislation proposed will create powers for police to read e-mails without a warrant. Our proposed approach of linking an Internet address to subscriber information is on par with a phone book linking phone numbers to a residential address.
The public relations framing they have going is clearly meant to minimize the amount of information they will obtain. People will get a visual of one phone number in a phone book and think it's harmless enough. Except they're wrong.

Law professor Lisa Austin takes on Toews' argument in a Globe op-ed today: "Stop hiding behind the phone book, Mr. Toews." She gives an account of what she did on the internet this week versus what she did on the phone to illustrate the difference between the two: "This is why the digital trail I leave, the one Mr. Toews wants access to, is highly revealing, even if he never reads the content of my e-mail. This is private information and deserves protection through our existing standards of oversight and accountability, not something less." Worth a read. And the title of the op-ed isn't bad in terms of creating a visual to push back against Toews' argument.

Even more successful in demonstrating the falsity of Toews' phone book comparison is the information here: "The Anatomy of Lawful Access Phone Records." There the author breaks down the "eleven descriptively rich fields" in an internet "phone record" that Toews and the government will be able to access without a warrant. It looks like this:

After explaining each element of the subscriber information data, the author explains how those numbers can be used to put together a profile of the user:
Not all telecommunications service providers could make available a full post-lawful access legislation “phone record.” However, once authorities have a single piece of information they can then move to other service providers to develop a full record, one that could subsequently be used to map a person’s presence on the Internet, their habits, and their activities. Using open source intelligence, the email address can be employed to determine what other services are attached to that email address, and using the IP address authorities can determine where a person is accessing the Internet from (i.e. was the IP address leased to a cafe? to a home? to a business? to a mobile network?) and the billing records associated with that IP address. If browsing from Starbucks, the cafe might be able to turn over a log of users who used their wireless network during the time authorities are interested. If browsing from home, or your own mobile device, then the subscriber records associated with that billing address might be available. And, if browsing from a friend’s phone or computer, then their information might be given to police regardless of your friend’s interest to the police.

Remembering back to the discussion of traditional phone records, it is possible that multiple people share the same account and thus what turns up in the phonebook remains somewhat ambiguous. This may remain so when dealing with communal Internet connections but is far less true when dealing with mobile devices. Phones have, for many people, become fetishes that are carried on one’s person and jealously protected from third-party intrusion. Thus, the ability to ascertain who owns, and is using, a particular mobile device is far less ambiguous than who subscribes to, and uses, a landline phone. Using contemporary policing technologies such as IMSI catchers, authorities can de-anonymize a crowd by catching the IMSI associated with each phone and immediately requesting subscriber data from mobile phone providers. While it may not be legal for authorities to engage in ruses to compel individuals to identify themselves when those individuals have done nothing wrong, with IMSI catchers no ruse is needed for the identification process to occur. The term “papers please” is a distinctly analogue notion, one that can be abandoned by authorities in possession of IMSI catchers and lawful access powers.
The information that can be obtained without a warrant is much more extensive than that found in your typical phone book. Online subscriber data creates a living, breathing, ongoing information trail and a profile, all trackable courtesy of the lawful access legislation and all obtainable without a warrant.

The phone book nonsense needs to be thrown right back at the Conservatives. They're not just getting a phone number, they're getting a whole book.