Orwellian?

The US PCAST report puts forward the following scenario to illustrate how privacy mores change over time, and what the future could be like if digital natives fully trust in the cloud. They admit that “Taylor’s world seems creepy to us”, but they want to demonstrate that “In such a world, major improvements in the convenience and security of everyday life become possible.”

Taylor Rodriguez prepares for a short business trip. She packed a bag the night before and put it outside the front door of her home for pickup. No worries that it will be stolen: The camera on the streetlight was watching it; and, in any case, almost every item in it has a tiny RFID tag. Any would‐be thief would be tracked and arrested within minutes. Nor is there any need to give explicit instructions to the delivery company, because the cloud knows Taylor’s itinerary and plans; the bag is picked up overnight and will be in Taylor’s destination hotel room by the time of her arrival.

Taylor finishes breakfast and steps out the front door. Knowing the schedule, the cloud has provided a self‐ driving car, waiting at the curb. At the airport, Taylor walks directly to the gate – no need to go through any security. Nor are there any formalities at the gate: A twenty‐minute “open door” interval is provided for passengers to stroll onto the plane and take their seats (which each sees individually highlighted in his or her wearable optical device). There are no boarding passes and no organized lines. Why bother, when Taylor’s identity (as for everyone else who enters the airport) has been tracked and is known absolutely? When her known information emanations (phone, RFID tags in clothes, facial recognition, gait, emotional state) are known to the cloud, vetted, and essentially unforgeable? When, in the unlikely event that Taylor has become deranged and dangerous, many detectable signs would already have been tracked, detected, and acted on?

Indeed, everything that Taylor carries has been screened far more effectively than any rushed airport search today. Friendly cameras in every LED lighting fixture in Taylor’s house have watched her dress and pack, as they do every day. Normally these data would be used only by Taylor’s personal digital assistants, perhaps to offer reminders or fashion advice. As a condition of using the airport transit system, however, Taylor has authorized the use of the data for ensuring airport security and public safety.

Alluring.

Shaw follow up

Upon receiving some strange results when I asked Shaw Communications about what information they had on me, I followed up with their investigations unit to see if they were aware that they had released information about other people in my privacy request for information. Here are the relevant bits of the email:

Upon investigation we have determined that Service Calls are tied to the service address, not the customers themselves. We have changed our process to ensure Service Calls per customer are sent upon request, rather than all historical Service Calls tied to that service address.

Excellent. I am glad they are changing their process, though I have no idea how we can ensure this change will actually happen.

Upon further investigation regarding the trouble ticketing details you received from your neighbor, we found that there was a data entry error … The staff responsible for the error has been re-trained and additional flags have been put in place within Trouble Ticketing and on the associated account(s) to notify others of this error. This should ensure this does not occur again in this case.

Another win. Hopefully the staff fully recovered from “re-training” … 😉

One other note for those interested, the privacy officer informed me that “Information may be retained for a minimum of 7 years”. Seems long, but that is a term dictated by the company, not by PIPEDA.

Well, I am glad that just a few minutes of work on my part identified bugs in Shaw’s system so that they can improve their operations. I am sure you have heard of Linus’s Law, one of the principles of Open Source, “that given enough eyeballs, all bugs are shallow.” Imagine if every person in the country wrote their telecom providers, imagine how many bugs we might find, and then imagine the better and more privacy-protecting processes that would come out of such a letter-writing campaign? We should not depend solely on government regulators to audit the carriers, not especially when there is such a simple tool for the public to audit. So I encourage you, take five minutes and send off the form letters Chris Parsons has prepared for you in his post: Responding the the Crisis in Canadian Telecommunications.

PS. I am still waiting on Bell Mobility’s results, which I will post as soon as they come in.

[UPDATE July 11, 2014] Here is Bell’s response.

What your telecom provider knows about you

Last April The Star reported that in 2011 alone, the Canadian government asked telecoms and social media companies to turn over user data on Canadians 1.2 million times. An interesting sidenote: the telecoms are charging the government for the privilege. Jesse Brown covered this in a number of Canadaland podcasts including an excellent one with Chris Parsons — a postdoc at of the Citizen Lab — entitled “Your Telecom Provider is Selling your Information to the Government”. One of the topics Chris talks about is his excellent form-letter for requesting your data from telecom providers under PIPEDA. You can find the letter plus all the contact information for the privacy officers of a number of telecom providers in Canada in this post: Responding the the Crisis in Canadian Telecommunications.

I decided to send my letters on May 5th and see what I got back. I use two telecom providers in Canada: Bell Mobility and Shaw Communications.

Bell responded on May 8th with an acknowledgement of my request. 19 days later, on May 27th they followed up informing me they couldn’t meet the PIPEDA-imposed time limit of 30 days, “because of the extent of the information requested.” I wonder if they are penalized for missing the deadline?

Bell's correspondance

Shaw never acknowledged my letter. But just yesterday a package arrived for me. It was the full results from Shaw!

As you can see above, what they are willing to release is the following:

  1. Current subscriber information;
  2. Account notes;
  3. E-mail addresses associated to account;
  4. Copies of available service calls;
  5. Trouble ticketing notes;
  6. Transaction Records;
  7. Outbound call records for previous month; and
  8. Current IP address(es).

Incoming calls require a court order, says the letter, and “a fee is associated with provision of this documentation.”

I was hoping for some advertising/DPI type information, but that seems a no go. I was not expecting the package to be very thick, since I only use Shaw to connect to the internet and have only been with them for less than 2 years. Here are the results:

The first category was pretty innocuous, what you would expect. The second was pretty sparse, but had some unknown redactions:

Shaw's customer notes on me

The yellow bar is my own redaction… it is just my house address. Not even sure what the other stuff could be. I especially like the third note from May 1st:

REDACTED /. REDACTED

Only my current email showed up for category 3, which is interesting I guess. For #6, they only showed me Transactions back to February. Maybe they can only show the most recent 5 transactions? Since I only use Shaw for internet access the sections on “Webspace Accounts”, “Pay Per View Purchases” and “Call Records” were all blank.

Sections 4 and 5 are where things get interesting. There are records of service calls to my address from 2007. Since I only moved in there during 2012, it is interesting that I get to see what previous tenants have had done. Furthermore, there is a carriage house on my property — a separate home on the same lot, with someone else living in it — and I got copies of email queries with the tenant in there.

Interesting to see that Shaw records seem to be attached to physical locations and not unique account numbers. Doesn’t seem like good, privacy-first design to me.

Once I get my information from Bell, which should be more substantial, I will report back. In the meantime, please consider sending your own form letter to your telecom providers. It only takes a minute. Get the details at: Responding the the Crisis in Canadian Telecommunications.

Postscript June 5, 2014

I followed up with Shaw and they replied with some changes to their policy. Read the results.

[UPDATE July 11, 2014] Here is Bell’s response.