Undermining C-51

OpenMedia.ca organized an open letter about how C-51 will undermine Canada’s business climate:

The challenge of being Canadian today is to uphold our values of openness, tolerance, and trust of others, while maintaining a very real understanding of the dangers of terrorism and the government’s need to protect us. But sometimes this balance is not struck correctly and we, as business people and entrepreneurs, are convinced that Bill C-51 is not balanced the way we as Canadians would want.

Why rush this legislation when there are so many reasons to rethink the approach? Why not establish effective Parliamentary oversight on par with our global counterparts? Why not establish a Royal Commission into the general state of digital privacy protection in Canada and get this right? Our values are too important to rush such an important decision.

The letter was signed by 59 technology and business leaders… and me.

Learn more and sign the petition at StopC51.ca

Bell rejiggers RAP, but will delete user data

The victories just keep piling up (see previous victory here). The Office of the Privacy Commissioner of Canada ruled against Bell and its collection of personal data for targeted advertising under the Relevant Ads Program (RAP). The question then became: what is Bell’s next move? Well, there was a little back and forth here, so I shall recap:

Apparently Bell withdrew the RAP at the urging of the Privacy Commissioner. They then said they would re-introduce it as “opt-in” only, as advised by the PrivCom. However, there remained the outstanding question of what to do with the existing data. During the last victory I had questions about what exactly was being deleted (I am still waiting on my request for clarification from Bell’s privacy officer). PrivCom wants Bell to delete everything. Time passed, but today, PrivCom says that Bell promised to delete the data.

Great! That is excellent news. Does this mean the whole saga is over? No! PrivCom may close their case, but the CRTC case is still ongoing, as far as I know, and there is a laundry list of other issues that need to be addressed. Stay tuned.

Thanks to PIAC and all the others who have done such great work in moving the ball forward. We still have a way to go, but the positive momentum is building up.

If you are a Bell customer, and still in doubt, opt out of the RAP here.

A victory against Bell’s use of customer information

Michael Geist, law professor at the University of Ottawa, has criticized Bell Mobility’s Relevant Ads Program (RAP), saying it “falls short on privacy.” His main concern is that it is opt-out, but he also points out some of the other problems of a telecom provider mining and selling user data. Much is coming to light about the extent of Bell’s user data collection since the Public Interest Advocacy Centre (PIAC) and the Consumers’ Association of Canada (CAC) filed a complaint at the Canadian Radio-television and Telecommunications Commission (CRTC).

PIAC’s Executive Director argued that “Bell has overstepped its role as a neutral provider of telecommunications services.” The President of the CAC pointed out that “Bell is trying to ‘double-dip’ by taking your subscription fees and then selling information based on your use of the services you just paid for.”

The application to the CRTC has produced some wins. Before, opting out of the program simply meant that targeted ads wouldn’t be shown to you. You weren’t opting out of your information being used. Now things are different. In Bell’s response to the PIAC’s filing, they promise (paragraph 41):

Bell has changed its opt-out process so that an opt-out will terminate all use of personal information for the RAP and the deletion of any browsing, interest and category information from existing profiles. This change was made retroactive to cover anyone who chose to opt-out since the initiation of the RAP.

To parse this a bit: this says just the CATEGORIES are what is being deleted, not the actual browsing history. In other words, Bell is still collecting information on browsing habits, it is just not categorizing those habits for use in ad targeting. I have emailed Bell’s Privacy Ombudsman for clarification. It remains an opt-out system, as criticized by Michael Geist above, but this is still a positive development: the flawed opt-out system has become somewhat more robust.

In any case, this change is an example of consumer power. Last year Shaw changed its process for storing service calls in response to my PIPEDA request. Now, the PIPEDA request I made revealing Bell’s 56 categories for ad targeting has contributed to reform at Bell. Luckily, thanks to a concerned citizen who found my post from last year, the results of my PIPEDA request were submitted as part of the PIAC filing. The process has been long and very involved, and I would like to publicly thank that concerned citizen for their hard work. I have not had any direct contact with PIAC or the CAC. Everything was mediated by this private citizen, who says:

As to why I got involved? The previous Privacy Commissioner of Canada stated something along the lines of, if you don’t put up a fight for your privacy, privacy lost will not be regained. Once it’s gone you are not getting it back … I’m not about to let corporate interests and shareholder-value tell me what privacy rights I have, so it was time to fight and speak up. PIAC was the force that started it, and I jumped in as the regular Joe that I am.

The fight isn’t over. More and more information is coming to light about how our telecoms treat their customers. Consumer organizations like PIAC know how to take action, but they need data. Thus, I encourage everyone to take five minutes and send off the form letters Chris Parsons prepared in his post to shed light on what our telecoms are doing, and give them the ammunition they need to effect change.

Also, if you are a Bell Mobility customer, opt out of the RAP program here.

Foreign Affairs: Cash but no plan

Columns at Persepolis

Foreign Affairs, Trade and Development Canada announced $9 million in funding in partnership with the Munk School of Global Affairs at U of T for something called the “Digital Public Square project.” The CBC dubbed the project an experiment in digital diplomacy. The Globe called it “direct diplomacy.” The coverage in the National Post, Toronto Star et alia related how the project aims to allow government firewall circumvention, information sharing, and increase government accountability for citizens in “oppressive societies.” Leaving aside the questions around the efficacy of “digital diplomacy” (UPDATE: Taylor Owen outlines some of the perils), I was curious as to why there were no details on the “how.” Where is this money going to? Much of the news coverage focused on current efforts to engage Iranians, which is pretty confusing since the project seems to be about spreading to other countries. But how can we tell? There is no roadmap, and the hard questions have yet to be asked by the press. How can you announce $9M without saying how it will be used?

Until we get some more information, I took a look at the current Munk Center-backed program to engage Iranians.

Rial politik

The Global Dialogue on the Future of Iran site and its accompanying Google moderator sites sure don’t seem like something you throw $9M at. The Rouhani Meter is some pretty good transparency propaganda, but Iran is awash in foreign propaganda (see below). The results seem impressive:

On May 10th, 2013, the Munk School launched a new kind of digital public square for Iran. … within two weeks, more than 360,000 unique users had connected with the Global Dialogue from inside Iran, and had visited the site over 1,490,000 times.

I am unclear as to how you would measure success. Iranians are notoriously political. Robert D. Kaplan once compared getting into a taxi in Tehran with getting into a taxi in Damascus: in Tehran the cabbie would right away start bitching about the government, while in Syria the cabbie was silent.

My experience was like this too. In 2004, during Ahmadinejad’s antagonistic era, I was in Iran covering the US presidential election (when George W. Bush was elected for a second term). Everybody wanted to talk to me about politics. Admittedly, I did spend most of my time with the kind of people who would hang around foreigners. They all listened to the BBC because they couldn’t trust their own news media. However, the blue-collar folk that I stayed with for my last week thought the BBC was propaganda. There are sharp divisions in the country to be sure, but Persian-language satellite channels, radio, websites etc. abound, especially thanks to the diaspora in Los Angeles. For years now, there has been a lot of civic activity around getting anti-regime voices to Iranians in country. I am unclear as to how a “digital public square” would be perceived any differently. And it doesn’t explain how Iranians are being protected online.

Too many tomans?

So why is the Canadian government putting $9M in? That is a princely sum for a small startup guy like myself. Just from the news coverage, I don’t get it. I reached out to the Munk Center on Twitter and they recommended a couple of sources. Again, they related only to the current Iranian efforts, nothing about the future. Still, it did answer a couple of my questions.

For example, circumvention. Psiphon originated as a project at the Citizen Lab (one of my fave orgs). They use a combination of VPN, SSH and proxies to get you around official barriers. Open source too. I am sure these guys could use some funding, so I hope they see some of that 9 mil.

Another org Munk pointed me to is ASL19, which seems like a sort of Citizen Lab focused on Iran. They have links with other orgs and other cool sites like Meidoon Watch which is kind of like a Hacker News for Iranian stuff. Seems useful. I wish I knew how much activity on that site is actually from inside of Iran. The Iranian diaspora is in the millions.

Mo’ money, mo’ problems… need mo’ info

There is certainly a network of organizations working on the Iran problem. The new Foreign Affairs money must be going to replicating these networks in other countries. I am just frustrated that Foreign Affairs and the Munk Center aren’t giving us more information on their plans, and that the press hasn’t asked for more. Sorry for this rambling post, but there is a bit of an information vacuum here, and I thought I would draw attention to it. I will gladly update this post if someone can provide answers. Or feel free to add some in the comments.

Photo credit: Me.

Local startups! Protect our shared resource!

The internet is like the sea, a vast and shared resource that we all depend on. Unfortunately we do not have anything like UNCLOS to help protect that resource from the countries and companies that threaten it. So much of the innovation and content on the internet is the result of individual users like us. Well, so is the responsibility to protect it.

Luckily we have some grassroots organizations to help coordinate individual efforts. Here in Canada we have OpenMedia, which I have mentioned before and you have probably seen me tweet about. I’ve been a member for a couple of years.

This month they are reaching out to fellow tech companies, whose businesses are all enabled by a free and open internet, to step up and contribute to the protection of that precious resource. The amazing thing they have done is got together a bunch of tech organizations to match all donations. This is the best time to get the most bang for your buck.

The campaign is called #StepUp4Net.


This is a grassroots campaign, led by local tech leaders. My pal Boris Mann has been working hard with cool people like Michael Tippet and Tim Bray to activate the YVR community, and I hear from OpenMedia that donations are coming in from Toronto. I would love to see some of our community members in the Okanagan and Thompson regions also contribute to this campaign.

For each one of you in your respective geographic areas, please reach out to find companies around you that are able to help. We are trying to get a couple hundred businesses to step up. Connect them directly to OpenMedia or even to me if they have questions. The campaign link is:

https://openmedia.org/stepup

2015 is going to be a big year with all kinds of legislation on the table regarding net neutrality, the TPP, surveillance, and lots of other issues. We need orgs like OpenMedia to augment our voice in Ottawa and elsewhere both as businesses and citizens. There is no better time to step up!

And don’t forget, you can still donate individually. Check out OpenMedia’s Donate page.

Bell’s 56 categories for ad targeting

BACKGROUND: On May 5th I sent Shaw Communications and Bell Mobility each a request for the personal information they have on me as per the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). I used Citizen Lab researcher Chris Parsons’ form letter, which made it easy. You can read about the weird results from Shaw at the links below:

It was easy, and I learned a lot. You should do it too!

Reply from Bell

On July 10th I received my privacy report from Bell Mobility. The report was expected within 30 days but I received an email extending the deadline, and then adjusting that extension. I am unsure if a claim can be made here.

Bell replies on May 8th, May 27th and Jun 12th.

I have been a subscriber for just 2 years, and only subscribe to their mobile services — no television or internet. The package was about 40 pages with a 2 page intro letter and a 2 page glossary of technical terms. The glossary is pretty necessary since the rest of the package was all screen caps of Bell’s customer management application. That’s right, they showed me exactly what their reps see, going through every menu and tab, redacting only the names and other identifiers of the agents I have dealt with. It was all pretty routine and as expected. The only interesting thing about these screencaps is it looks like Bell is still using Win 95. 😉

There was one omission: there were no references to Bell’s controversial Relevant Ads program. So I emailed the Privacy Officer who promptly replied with the following:

My apologies, it was an oversight on my part, I inadvertently did not include the information related to the Relevant Ad Program in your information package. I have attached it for your information.

Excellent and timely response! Especially considering how long it took to get the first package. The only thing I have to complain about is she uses double spaces after her periods. 😉

On to the interesting bits: as soon as the Relevant Ads Program was announced, I opted out right away. I understood that what I was opting out of was being shown relevant ads, not being collected against. Thus it is not surprising the extent of the profile that Bell has on me, even though I only use just one of their services.

Below are all 56 categories they submitted to me and how they classified me. There are 3 main categories with a series of subcats each with various options. I have no idea how many potential options there are. I have reorganized them by topical category at the very bottom of this post. Since some of them repeat, it seems like they have 56 slots to put in an interest for an individual. We need more reports to reverse-engineer this!

The picture of me it paints is pretty accurate. I am interested in tech, movies and football (soccer). But, it also makes me think I should be using Tor on my phone more.

Anyways, take a gander at my preferences, and by all means, submit your own request and find out what they are recording about you!


Raw data

immedCat

  1. Technology=Cell Phones
  2. Technology=Network Security
  3. Arts & Entertainment=Movies
  4. Hobbies & Interests=Video & Computer Games
  5. Technology=Antivirus Software
  6. Technology=Web Design/HTML

shortCat

  1. Arts & Entertainment=Television
  2. Technology=Cell Phones
  3. Sports=General
  4. Shopping=Online
  5. Arts & Entertainment=Movies
  6. Technology=Network Security
  7. Science=Weather
  8. Technology=Antivirus Software
  9. Arts & Entertainment=Books & Literature
  10. News=Local News
  11. Arts & Entertainment=Music
  12. Style & Fashion=Beauty
  13. Hobbies & Interests=Video & Computer Games
  14. Hobbies & Interests=Photography
  15. Travel=Budget Travel
  16. Automotive=Road-Side Assistance
  17. Business=Government
  18. Technology=Web Design/HTML
  19. Technology=Shareware/Freeware
  20. Technology=Computer Peripherals
  21. Hobbies & Interests=Freelance Writing
  22. Business=Business Software
  23. Education=College Life
  24. Home & Garden=Entertaining
  25. Home & Garden=Entertaining

longCat

  1. Arts & Entertainment=Television
  2. News=Local News
  3. Technology=Computer Peripherals
  4. Hobbies & Interests=Photography
  5. Technology=Cell Phones
  6. Science=Weather
  7. Sports=General
  8. Technology=Network Security
  9. Arts & Entertainment=Movies
  10. Arts & Entertainment=Music
  11. Shopping=Online
  12. Technology=Shareware/Freeware
  13. Technology=Antivirus Software
  14. Technology=Web Design/HTML
  15. Hobbies & Interests=Video & Computer Games
  16. Arts & Entertainment=Books & Literature
  17. Technology=Data Centers
  18. Style & Fashion=Beauty
  19. Automotive=Road-Side Assistance
  20. Personal Finance=Investing
  21. Technology=Email
  22. Hobbies & Interests=Freelance Writing
  23. Home & Garden=Entertaining
  24. Hobbies & Interests=Radio
  25. Sports=Soccer

Options by Category

Technology

  • Cell Phones
  • Network Security
  • Antivirus Software
  • Web Design/HTML
  • Shareware/Freeware
  • Computer Peripherals
  • Data Centers
  • Email

Arts & Entertainment

  • Movies
  • Television
  • Music
  • Books & Literature

Hobbies & Interests

  • Video & Computer Games
  • Photography
  • Freelance Writing
  • Photography
  • Radio

Sports

  • General
  • Soccer

Shopping

  • Online

Science

  • Weather

News

  • Local News

Style & Fashion

  • Beauty

Travel

  • Budget Travel

Automotive

  • Road-Side Assistance

Business

  • Government
  • Business Software

Education

  • College Life

Home & Garden

  • Entertaining

Personal Finance

  • Investing

Shaw follow up

Upon receiving some strange results when I asked Shaw Communications about what information they had on me, I followed up with their investigations unit to see if they were aware that they had released information about other people in my privacy request for information. Here are the relevant bits of the email:

Upon investigation we have determined that Service Calls are tied to the service address, not the customers themselves. We have changed our process to ensure Service Calls per customer are sent upon request, rather than all historical Service Calls tied to that service address.

Excellent. I am glad they are changing their process, though I have no idea how we can ensure this change will actually happen.

Upon further investigation regarding the trouble ticketing details you received from your neighbor, we found that there was a data entry error … The staff responsible for the error has been re-trained and additional flags have been put in place within Trouble Ticketing and on the associated account(s) to notify others of this error. This should ensure this does not occur again in this case.

Another win. Hopefully the staff fully recovered from “re-training” … 😉

One other note for those interested, the privacy officer informed me that “Information may be retained for a minimum of 7 years”. Seems long, but that is a term dictated by the company, not by PIPEDA.

Well, I am glad that just a few minutes of work on my part identified bugs in Shaw’s system so that they can improve their operations. I am sure you have heard of Linus’s Law, one of the principles of Open Source, “that given enough eyeballs, all bugs are shallow.” Imagine if every person in the country wrote their telecom providers, imagine how many bugs we might find, and then imagine the better and more privacy-protecting processes that would come out of such a letter-writing campaign? We should not depend solely on government regulators to audit the carriers, especially not when there is such a simple tool for the public to audit. So I encourage you, take five minutes and send off the form letters Chris Parsons has prepared for you in his post: Responding to the Crisis in Canadian Telecommunications.

PS. I am still waiting on Bell Mobility’s results, which I will post as soon as they come in.

[UPDATE July 11, 2014] Here is Bell’s response.

What your telecom provider knows about you

Last April The Star reported that in 2011 alone, the Canadian government asked telecoms and social media companies to turn over user data on Canadians 1.2 million times. An interesting sidenote: the telecoms are charging the government for the privilege. Jesse Brown covered this in a number of Canadaland podcasts including an excellent one with Chris Parsons — a postdoc at the Citizen Lab — entitled “Your Telecom Provider is Selling your Information to the Government”. One of the topics Chris talks about is his excellent form-letter for requesting your data from telecom providers under PIPEDA. You can find the letter plus all the contact information for the privacy officers of a number of telecom providers in Canada in this post: Responding to the Crisis in Canadian Telecommunications.

I decided to send my letters on May 5th and see what I got back. I use two telecom providers in Canada: Bell Mobility and Shaw Communications.

Bell responded on May 8th with an acknowledgement of my request. 19 days later, on May 27th they followed up informing me they couldn’t meet the PIPEDA-imposed time limit of 30 days, “because of the extent of the information requested.” I wonder if they are penalized for missing the deadline?

Bell's correspondence

Shaw never acknowledged my letter. But just yesterday a package arrived for me. It was the full results from Shaw!

As you can see above, what they are willing to release is the following:

  1. Current subscriber information;
  2. Account notes;
  3. E-mail addresses associated to account;
  4. Copies of available service calls;
  5. Trouble ticketing notes;
  6. Transaction Records;
  7. Outbound call records for previous month; and
  8. Current IP address(es).

Incoming calls require a court order, says the letter, and “a fee is associated with provision of this documentation.”

I was hoping for some advertising/DPI type information, but that seems a no go. I was not expecting the package to be very thick, since I only use Shaw to connect to the internet and have only been with them for less than 2 years. Here are the results:

The first category was pretty innocuous, what you would expect. The second was pretty sparse, but had some unknown redactions:

Shaw's customer notes on me

The yellow bar is my own redaction… it is just my house address. Not even sure what the other stuff could be. I especially like the third note from May 1st:

REDACTED /. REDACTED

Only my current email showed up for category 3, which is interesting I guess. For #6, they only showed me Transactions back to February. Maybe they can only show the most recent 5 transactions? Since I only use Shaw for internet access the sections on “Webspace Accounts”, “Pay Per View Purchases” and “Call Records” were all blank.

Sections 4 and 5 are where things get interesting. There are records of service calls to my address from 2007. Since I only moved in there during 2012, it is interesting that I get to see what previous tenants have had done. Furthermore, there is a carriage house on my property — a separate home on the same lot, with someone else living in it — and I got copies of email queries with the tenant in there.

Interesting to see that Shaw records seem to be attached to physical locations and not unique account numbers. Doesn’t seem like good, privacy-first design to me.

Once I get my information from Bell, which should be more substantial, I will report back. In the meantime, please consider sending your own form letter to your telecom providers. It only takes a minute. Get the details at: Responding to the Crisis in Canadian Telecommunications.

Postscript June 5, 2014

I followed up with Shaw and they replied with some changes to their policy. Read the results.

[UPDATE July 11, 2014] Here is Bell’s response.