This is my submission to Lawful Access consultations (Canadian Department of Justice). Please also see LexInformatica: Cybercrime and Lawful Access.
Copyright (C) 2002, Russell McOrmond <http://www.flora.ca/>
Permission is granted to reference, republish or include this document in your own materials, in whole or in part, as long as some form of acknowledgment is made. If the new work is a derivative work, please ensure that it is marked as such so that it will not be confused with my own writing.
My submission will be of a more personal nature. While I was born in 1968, I became involved in on-line communications at an early age given the time. Growing up in "cyberspace" has allowed me to see many issues from a vantage point that may be different from the average Canadian.
We are quickly approaching the 20-year anniversary of the birth of the Internet. The most logical date of origin of the Internet is January 1, 1983, when the ARPANET officially switched from the NCP protocol to TCP/IP (letter to CAnet-NEWS). My first involvement in electronic communications came the same year, when I became a Sysop (System Operator) for a Bulletin Board System (BBS) running at Science North in Sudbury, as well as a Co-Sysop for a number of other BBS systems. I am currently the sole-proprietor of an Internet based business called FLORA Community Consulting that does a mixture of Free/Libre and Open Source Software (FLOSS) consulting, support and ISP services.
Growing up in this environment, I consider myself a citizen of 'cyberspace' first, a citizen of 'planet earth' second, and only lastly a citizen of Canada. Legally I am only considered a citizen of Canada, but my allegiances are not to the interests of "Canada" any more than any other nation state.
As a citizen of cyberspace, I take to heart the February 8, 1996 "Declaration of Independence of Cyberspace" as published by community leader John Perry Barlow. Where I differ from this declaration is that I do fear the imposition of foreign laws onto cyberspace, which is why I am sending this submission to the Canadian Department of Justice.
As a citizen, I have a strong respect for rule of law and a strong moral code. I am also an active participant in the formation of laws and other public policy, both in Cyberspace and in Canada. I have made many submissions such as this one to the Government of Canada, including a submission to the 2001 copyright reform consultation and the 2002 Innovation Strategy.
To clarify, it is not my political beliefs around Competition, Copyright, Innovation and Patent policy that would make me a target. While there are special interest groups that strongly disagree with my views in these public policy areas, these are not (as of yet) target areas for police investigations.
Where I do believe I will have problems relate to my beliefs on international courts, international trade, and terrorism. I recently wrote a letter to my Member of Parliament, Mauril Bélanger, on this topic.
It is almost redundant that I send this, but just wanted to ensure that the statistics relating to constituents on this issue included one more person opposed to war on terrorism, and the "Iraq Attack".
I suspect you already know my views, which are based on very strong support for international law. I believe that any country that has not ratified the ICJ (and has been found guilty of crimes by it) should not be allowed to participate in a "war on terrorism". I believe that any country that has not ratified the ICC should not be allowed to send troops to foreign soil, especially under the name of a "war on terrorism".
If the only reason for Canada's involvement is to show solidarity with the USA (which appears to be the only justification offered so far), and the USA has no legitimate involvement, then Canada should also have no involvement.
I have read many times that the Lawful Access proposals are far reaching, yet there is little evidence offered that the changes are actually needed by law enforcement. I worry about any lessening in the requirements of "reasonable and probable cause" as my personal political beliefs may make me a target for surveillance "fishing trips".
When the "terrorism" card is played, many people fall into place. There is a belief that the "war on terrorism" justifies such new and administratively simplified (IE: removing some of the otherwise existing checks-and-balances) investigative tools. How I feel about this should be obvious given that my strong belief in international law and international courts has lead me to a different opinion on the "war on terrorism".
I am currently the ISP for a site called Rooting Out Evil. This is a group of citizens who wish people to join them in challenging rogue states run by military fanatics who produce and conceal weapons of mass destruction. The site asks people to become an Honorary Weapons Inspector and support their mission into the USA.
I have a personal relationship with either the owner or many of the staff for each ISP that I am a customer of. As an active member of the local cyber-community, it would be near impossible for me to have a relationship with an ISP that was entirely arms-length.
Requiring 'neighbors' and possibly close friends to divulge private information about each other, even with a full warrant, without telling the friend is highly unethical. When forced to trust a friend/neighbor or law enforcement, it would be extremely hard for me to believe/trust law enforcement.
A society that encourages/mandates that neighbors 'snitch' on each other brings us considerable social problems that may outweigh the social costs associated with the 'crimes' that are being investigated.
Citizens should be encouraged to use cryptography on their own communications, and to harden/secure any computers that they connect to the Internet. I worry that laws around Lawful Access may eventually be used to justify laws limiting or prohibiting the ability of secure their own communications.
Any tools that are used to "keep criminals out" of the communications and communications tools of law abiding citizens will also "keep law enforcement out". ICT tools can not differentiate circumvention initiated by law enforcement and circumvention initiated by criminals.
The United States has considered cryptography as munitions, and has laws which seek to control the export of cryptography. This foreign law has been a great hindrance to the wider spread adoption of privacy and security tools in Canada, given that producers of technology do not want to have to create a version for different countries.
In the context of 'copyright reform' I made the following two statements that apply equally to issues of privacy and other forms of cyber-security.
Any 'hardware assist' for communications, whether it be eye-glasses, VCR's, or personal computers, must be under the control of the citizen and not a third party.
Corollary: The "content industries", such as the motion picture and recording industries, are not legitimate stakeholders in the discussion of what features should or should not exist in my personal computer or VCR, any more than they are a legitimate stakeholder in the production of my corrective eye-glasses. If a member of a content industry don't like the technology that exists in a given market sector, be it consumer electronics in the home or personal computers, they can simply not offer their products/services into that market.
The language used to discuss viruses is very vague. I do not believe it is appropriate to equating software to a "device", given that there are always many legitimate and legal things done with software, even software that when executed for the purpose intended by the author does not have substantial legal purposes. The anti-virus community relies on the importation, reverse-engineering and documenting of viruses in order to protect citizens from the harmful effects of viruses. This is similar to the cryptography community which will attempt to crack all existing cryptography as a required part of research toward more effective cryptography.
There is also the question of what constitutes substantial lawful purposes. We already have obvious cases in the digital copyright field where software developers are seemingly randomly being charged for acts which not only should not be considered legal, but should be protected acts.
Two examples are U.S. v. Sklyarov (a.k.a. US v. Elcomsoft) and Norwegian Motion Picture Association v. Jon Johansen (DeCSS). In both cases these software developers made use of reverse-engineering in order to create compatible tools. This is a protected right in some countries, and is discussed in the European union 1991 directive on computer software.
I already wrote how citizens should be in control of communications tools. Critical to this is the recognition that computer 'interfaces' (between a human and a computer, between software and hardware, or between software components) should not be eligible for any type of government granted (or enforced) exclusivity, whether that be in the form of copyright, patents, or claimed trade secrets.
There is other currently controversial software such as peer-to-peer file sharing utilities which primarily have lawful purposes, but which some special business interest wish to have declared as unlawful.
A tool that may be used for an 'unlawful purpose' should only be used as additional evidence in the investigation of a specific 'unlawful act'. We should not ever be trying to declare multi-purpose software as being 'unlawful'. Software can never know whether it is being executed for lawful or unlawful purposes, only the human being in control of the software can know this.
It should be noted that as more control of communications tools are placed in the hands of citizens, the more immune they are able to make themselves to malicious software such as viruses. I am a strong believer that Free/Libre and Open Source Software (FLOSS), which allows for open public peer review of software, is inherently more secure against viruses and other forms of attack. On the other hand, some security consultants believe that popular vendors such as Microsoft should be considered criminally negligent due to the design flaws in their software which make virus infections against their software trivial.
April 5th, 1930, Mahatma Gandhi and about 75 followers marched to the sea in what has become know as the "salt march" in India. This was a protest against a claimed salt monopoly by the British government. Most people today do not see this act as being one of a criminal, but one of a hero.
When dealing with some laws being imposed on cyberspace by nation-state governments, such as the excessive monopolization of communication being granted with the expansion of so-called "intellectual property" law, some believe the same will happen in Cyberspace as happened in India.
In a summer 2001 submission to Industry Canada I indicated that I believe that the USA's interpretation of Copyright is wrong in the case of DVD viewing technology, and that what is happening should be understood as a violation of Canadian competition law. I have stated a willingness to disobey interpretations of this law based on my belief that my interpretation is more correct.
Reporters Without Borders (Reporters Sans Frontières) today voiced deep concern about the Australian high court's ruling yesterday that online publishers can be sued for libel in the countries where they are read and where the plaintiff's reputation is at risk, rather than in the countries where the publication originates. The decision was taken in connection with Australian mining businessman Joseph Gutnick's libel suit over an article published online in August 2000 by the US magazine Barron's, owned by the Dow Jones news group.
A similar discussion happened around the Hague Conference on Private International Law which included articles such as Richard Stallman's "Harm from the Hague".
The basic idea is reasonable enough: if someone hits your car in France or breaks a contract with your French company, you can sue him in France, then bring the judgment to a court in whichever country he lives in (or has assets in) for enforcement.
The treaty becomes a problem when it is extended to distribution of information -- because information now travels normally and predictably to all countries. (The Internet is one way, but not the only way.) The consequence is that you could be sued about the information you distributed under the laws of *any* Hague country, and the judgment would probably be enforced by your country.
For me this issue is simple: If I cannot, through democratic representation, help change the laws of a country --- nor have I physically decided to visit that country or are doing business in that country --- then I should not be expected to honor (or even be aware of) the laws of that country.
I live in Canada, have Canadian citizenship, and participate very actively in the development of public policy in Canada. I do not live in China, USA, or Afghanistan, and cannot participate in public policy development in those countries. I should be expected to obey the laws of Canada, not the laws of foreign countries which I should not reasonably be expected to even be aware of.
As John Perry Barlow would say, the Internet is both everywhere and nowhere. The people who's ideas are communicated on the Internet live in some specific country and should be expected to obey the laws of that country. They should not be expected to also obey the laws of every other country that happens to have citizens who communicate via the Internet.
Increasing the cost of providing ISP access in order to provide "methods to wiretap" will be impossible to keep secret. Citizens will ask what the increase in costs relate to, and will be told by their ISPs.
Law-abiding citizens noting the attack on their privacy will be more likely to make use of cryptography than in the past. Increased usage of cryptography will make law enforcement interception of messages even more expensive as less and less information will move over the Internet unencrypted.
It needs to be understood that the more that law enforcement tries to make wiretapping administratively easier for them, the technologically harder wiretapping will become. I have had the configuration the IP Security (IPSec) services of FreeSWAN.org as a plan for some time. The discussion around 'lawful access' had made me bring this to a higher priority for my business and personal communications.
I believe that your paper did not demonstrate that new powers are needed, or that there is adequate understanding of the technology involved in order to be consistent with the Canadian Charter of Rights and Freedoms. You speak of ratification of the Council of Europe Convention on Cyber-Crime as something that Canada must do. It may be that the Europeans do not have any better understanding of the technology and should not be followed.
I believe you should get in better contact with the technology community, starting with some of the individual citizens like myself who sent in submissions. A better understanding of the technology involved may allow you to better determine how best to move forward. You may simply determine that no changes at a technological level are necessary or desirable.
Please note the following information offered to this server by your browser. It is useful to know this information to determine what information a citizen would expect to be reasonably private, compared to the level of information which a website host can actually collect.
Your IP Address is: from port
|HTTP Request Header||Value|