Skip to Content

Privacy

Wednesday June 9, 2010
Setting the Record Straight: 32 Questions and Answers on C-32's Digital Lock Provisions, Part Two
Yesterday's post on the 32 Questions and Answers on Bill C-32's digital lock provisions focused on general issues in the bill, including compliance with WIPO, the penalty provisions, and their constitutional validity.  Today's post discusses the shortcomings in the anti-circumvention exceptions that are included in C-32.  With the exception of a new exception for cellphone unlocking, the exceptions are the same as those found in C-61 and a virtual mirror of the U.S. DMCA. For those that want it all in a single package, I've posted the full series as PDF download. C-32's Circumvention Exceptions This section features answers to the following questions: Bill C-32 contains circumvention exceptions for encryption research and security testing.  Doesn't that address the research concerns? Bill C-32 contains a circumvention exception for privacy.  Doesn't that address the privacy concerns? Bill C-32 contains a circumvention exception for the visually impaired.  Doesn't that address those access concerns? Bill C-32 contains a circumvention exception for interoperability.  Doesn't that address those concerns?
Bill C-32 contains circumvention exceptions for encryption research and security testing.  Doesn't that address the research concerns?

No. The impact of the anti-circumvention provisions on the research community extends far beyond just encryption research and security testing.  Bill C-32's exception is the same as that used in Bill C-61.  When C-61 was introduced, I met with several University of Ottawa researchers engaged in fields as diverse as biblical scholarship and engineering.  Their common thread was that their research plans would be stymied by Bill C-61.  Researchers that need to circumvent in order to access content for media criticism, search technologies, network content distribution, etc. will all find themselves unable to conduct their research.  Those that argue that Bill C-32 is unenforceable have never had their work subjected to an ethics review that invariably includes an examination of the legality of the methodology.  If the work fails the review, there will be no grant funding and the research simply stops. The exceptions for encryption research and security testing are needed, however, the Canadian approach to exceptions has been to simply mirror the U.S. DMCA list.  A general research exception is essential if Canadian researchers are to be able to continue their work.

Moreover, the encryption research exception requires the researcher to inform the target about plans for circumvention for research purposes. The exception already includes a condition that "it would not be practical to carry out the research without circumventing the technological measure" and that the person has "lawfully obtained the work," so the researcher has a legal copy and must pass a necessity barrier.  The inclusion of an additional notice requirement should be dropped since it has little to do with copyright protection, yet creates a possible barrier for researchers who need to do encryption research without telegraphing their plans to the target organization.  The exception also raises issues for peer review since the exception does not cover third party peer reviewers, who may be unable to adequately review the research.

Bill C-32 contains a circumvention exception for privacy.  Doesn't that address the privacy concerns?
 
No. The exception fails to provide Canadians with full privacy protection and Bill C-32 unquestionably makes it more difficult for Canadians to effectively protect their privacy.  The reason for this is that though there is an exception that permits circumvention to protect (and prevent the collection or communication of) personal information, the ability to exercise this exception is rendered difficult by virtue of the inability to legally obtain devices (ie. software programs) for this very purpose.  The bill states that a person can offer circumvention devices or services for the protection of personal information only "to the extent that the services, technology, device or component do not unduly impair the technological measure."

Bill C-32 does not include a definition of "unduly impair."  However, according to an Industry Minister official who was responding to a journalist inquiry under Bill C-61 about the same language:

"The intent of the provision is to ensure that while individuals may obtain devices and services that circumvent technological measures with a view to protecting privacy, any ensuing circumvention of the technological measure cannot be done in a manner that would enable unauthorised uses of the underlying copyright material by that person or by a third party."

In other words, you can use a circumvention device to protect your privacy but it cannot allow you to simultaneously access the underlying content.  Of course, once most circumvention devices circumvent a technological measure, the protected content will be in the clear.  Distribution of this form of device is therefore illegal.  Moreover, service providers will be likely be unwilling to use this provision for fear of facing liability.  Not only should the "unduly impair" wording be removed, but the bill should place a positive obligation on those companies that use DRM that may raise privacy concerns to provide the keys to circumvent their technological measure where requested to do so for privacy purposes.

Bill C-32 contains a circumvention exception for the visually impaired.  Doesn't that address those access concerns?

No. The provision suffers from the same shortcoming as the privacy exception.  While there is an exception for the act of circumvention, access to devices that can be used to circumvent again comes with the restriction that a person can offer circumvention devices or services only "to the extent that the services, technology, device or component do not unduly impair the technological measure."

The notion of not unduly impairing the TPM is even more non-sensical in this context given that the whole point of circumventing is to provide access to the content for those with perceptual disabilities.  The content will obviously be in the clear since that is what is needed to provide the necessary access. The limitation on devices and services here makes absolutely no sense unless the real aim to stop those with perceptual disabilities from obtaining access. Not only should the "unduly impair" wording be removed, but the bill should place a positive obligation on those companies that use DRM to circumvent their technological measure where requested to do so for access for those with perceptual disabilities.

Bill C-32 contains a circumvention exception for interoperability.  Doesn't that address those concerns?

No.  The emergence of open source software as a powerful alternative to proprietary software models has been an important business and societal development.  Open source software is today widely used by consumers (e.g., Firefox browser) and businesses (e.g., Linux operating system, Apache web server).  From a policy perspective, the Canadian government's professed goal is to create a level playing field so that the marketplace rather than laws will determine marketplace winners.  It has opposed attempts to create policy preferences for open source (over the objection of some advocates and countries) instead favouring a more neutral approach.

Notwithstanding the claims of neutrality and trusting in the market, Bill C-32 creates significant marketplace impediments for open source software.  Achieving a level playing field requires interoperability so that differing computer systems can freely exchange data.  The bill includes an interoperability provision at Section 41.12 which states that the anti-circumvention provisions do not apply to:

a person who owns a computer program or a copy of it, or has a license to use the program or copy, and who circumvents a technological measure that protects that program or copy for the sole purpose of obtaining information that would allow the person to make the program and any other computer program interoperable.

The problem with this provision is that it does not extend far enough to maintain a level playing field. The classic example involves the use of Linux as a consumer operating system.  Unfortunately, this operating system cannot officially play DVDs since most commercial DVDs contain a digital lock and the entity that controls the lock does not license the necessary locks to play DVDs on Linux.  Programmers have developed alternatives, but all involve circumventing the digital lock, an act that becomes illegal under Bill C-32.

The interoperability provisions do not help address this issue, since DVDs may not be considered computer programs and many of the circumventing programs have functionality beyond playback of commercial DVDs.  The net effect is that Bill C-32 erects an enormous barrier to open source software adoption, thereby harming innovation and a competitive marketplace.  The solution - as proposed by the Computer and Communications Industry Association in 2000 - is to create an exception the substantially broadens the interoperability exception.
Yesterday's post on the 32 Questions and Answers on Bill C-32's digital lock provisions focused on general issues in the bill, including compliance with WIPO, the penalty provisions, and their constitutional validity.  Today's post discusses the shortcomings in the anti-circumvention exceptions that are included in C-32.  With the exception of a new exception for cellphone unlocking, the exceptions are the same as those found in C-61 and a virtual mirror of the U.S. DMCA. For those that want it all in a single package, I've posted the full series as PDF download.

C-32's Circumvention Exceptions

This section features answers to the following questions:
  • Bill C-32 contains circumvention exceptions for encryption research and security testing.  Doesn't that address the research concerns?
  • Bill C-32 contains a circumvention exception for privacy.  Doesn't that address the privacy concerns?
  • Bill C-32 contains a circumvention exception for the visually impaired.  Doesn't that address those access concerns?
  • Bill C-32 contains a circumvention exception for interoperability.  Doesn't that address those concerns?
Monday June 22, 2009
Ordinary Thursday Anything But For Canadian Internet
My weekly technology law column (Toronto Star version, homepage version) notes that last Thursday began as an ordinary, rainy, spring day in Ottawa.  Canadian politicians, having just avoided an unwanted election, were only two days away from an extended summer break.  Yet by the end of the day, a trio of events unfolded that could help shape the Internet in Canada for years to come. The first event took place mid-morning, with the introduction of new lawful access legislation.  The bills would dramatically change the Internet in Canada, requiring Internet service providers to install new surveillance capabilities, force them to disclose subscriber information such as name, address, and email address without a court order, as well as grant police broad new powers to obtain Internet transmission data.

The introduction of the legislation by Justice Minister Rob Nicholson and Public Safety Minister Peter Van Loan - accompanied by more than a dozen law enforcement representatives - generated an immediate wave of criticism.  ISPs expressed concern about the cost of the program, while privacy groups lamented the government’s about-face on the issue of court oversight since Stockwell Day, the previous Public Safety Minister, had pledged not to introduce mandated disclosure of subscriber information without it.

Given the experience with misuse of surveillance powers in other countries, the bill will likely continue to attract attention as Canadians ask whether the government has struck the right balance between providing law enforcement with the necessary investigative powers, ensuring robust oversight, and preserving online privacy.

Hours later, the scene shifted to Question Period, where Liberal Industry critic Marc Garneau surprised Internet watchers by emphasizing the importance of an open Internet and declaring that the Liberal party now firmly supports net neutrality.  The party has adopted a position opposing the management of Internet traffic that infringes privacy and targets specific websites, users, and legitimate business applications.

The move represents an unexpected shift in policy direction just weeks before the Canadian Radio-television and Telecommunications Commission is scheduled to conduct hearings on network management practices.  For months, the NDP has stood virtually alone among the major Canadian political parties in its support for net neutrality.  With the Liberals now onside, the door is open for a bi-partisan effort this fall to enshrine net neutrality principles into law.

Immediately after Question Period, the Standing Committee on Industry held its final hearing before the break on the Electronic Commerce Protection Act, Canada’s new anti-spam bill.  Some business groups have sought to water down the legislative proposal, implausibly arguing that Canadian privacy law is sufficient to address persistent spamming activities and that the ECPA’s tough penalties could dissuade talented business leaders from taking on corporate directorship positions for fear of potential liability.

Representatives from the Office of the Privacy Commissioner of Canada, the Competition Bureau, and CRTC Chair Konrad von Finckenstein firmly put those fears to rest.  Assistant Privacy Commissioner Elizabeth Denham rejected the view that current privacy laws are up to the task of countering Canadian spam and welcoming the clarity of the anti-spam bill.  Von Finckenstein was similarly supportive of the ECPA, expressing optimism about its potential to address longstanding spam concerns and doubt about whether the prospect of penalties would create a disincentive for would-be corporate directors.

These issues - lawful access, net neutrality, and the ECPA - will be back on the parliamentary agenda in the fall.  But on a single rainy day in Ottawa, all three moved to the fore with big implications for the future of the Internet in Canada.

ordinary thursday

My weekly technology law column (Toronto Star version, homepage version) notes that last Thursday began as an ordinary, rainy, spring day in Ottawa.  Canadian politicians, having just avoided an unwanted election, were only two days away from an extended summer break.  Yet by the end of the day, a trio of events unfolded that could help shape the Internet in Canada for years to come.

The first event took place mid-morning, with the introduction of new lawful access legislation.  The bills would dramatically change the Internet in Canada, requiring Internet service providers to install new surveillance capabilities, force them to disclose subscriber information such as name, address, and email address without a court order, as well as grant police broad new powers to obtain Internet transmission data.

Monday February 23, 2009
Privacy Commissioner Enters Net Neutrality Fray
The Privacy Commissioner of Canada has entered the net neutrality debate with a submission to the CRTC network management hearing on the privacy implications of network management that uses deep packet inspection technologies (hat tip: P2PNet).  The submission notes concerns with several uses of DPI, including scanning Internet traffic for certain content such as spam, copyright infringing materials, and hate content as well as for monitoring traffic loads to measure network performance.  The Commissioner expresses the need to factor privacy into the network management issue, stating that: "We respectfully submit that in order to advance the privacy objectives contained in the Act, telecommunications policy, decisions and regulation with respect to Internet traffic management practices in general, and DPI specifically, should consider the potentially invasive nature of DPI technology, and the manner in which it has been implemented by ISPs." With regard to the Canadian ISP use of DPI, the Commissioner pulls no punches: "There is concern that the implementation of DPI for Internet traffic management has been done in a manner that is less than transparent and potentially inconsistent with an individual's/consumer's expectations. There has been soem evidence in a number of jurisdictions suggesting that such technology has been used for 'unreasonable network management practices.'"
privacy commissioner on net neutrality
The Privacy Commissioner of Canada has entered the net neutrality debate with a submission to the CRTC network management hearing on the privacy implications of network management that uses deep packet inspection technologies (hat tip: P2PNet).  The submission notes concerns with several uses of DPI, including scanning Internet traffic for certain content such as spam, copyright infringing materials, and hate content as well as for monitoring traffic loads to measure network performance.  The Commissioner expresses the need to factor privacy into the network management issue, stating that:

"We respectfully submit that in order to advance the privacy objectives contained in the Act, telecommunications policy, decisions and regulation with respect to Internet traffic management practices in general, and DPI specifically, should consider the potentially invasive nature of DPI technology, and the manner in which it has been implemented by ISPs."

With regard to the Canadian ISP use of DPI, the Commissioner pulls no punches:

"There is concern that the implementation of DPI for Internet traffic management has been done in a manner that is less than transparent and potentially inconsistent with an individual's/consumer's expectations. There has been soem evidence in a number of jurisdictions suggesting that such technology has been used for 'unreasonable network management practices.'"

Privacy Commissioner on Net Neutrality

The Privacy Commissioner of Canada's blog notes the recent CRTC decision, stating that "the time has come for net neutrality, both as an economic and a social policy issue, to be examined by the Canadian government. And we look forward to being a part of that discussion."

Monday September 8, 2008
Digital Issues Deserve a Spot in Election Campaign
With a federal election now set for October 14th, the coming weeks will be dominated by political debate as each party seeks to make their case to voters across the country. My weekly technology law column (Toronto Star version, homepage version) notes that the election mode marks an important role reversal - after months of Canadians working to gain the attention of their elected officials, those same politicians will be knocking on doors, making phone calls, and participating in all-candidates meetings in an effort to seek them out. The 2008 election therefore presents an exceptional opportunity to raise the profile of digital issues.  Not only do these policies touch on so-called core concerns such as the economy, the environment, education, and health care, but they also resonate with younger Canadians, who could help swing the balance of power in many ridings. In the United States election, both Barack Obama and John McCain have unveiled detailed digital policy positions.  Canadian leaders have yet to promote their policies, but there are at least five worth watching and asking about.

1.    Spectrum surplus - The recent wireless spectrum auction generated over $4 billion for the federal government, nearly triple initial estimates.  The Conservatives committed in the 2008 budget to allocate the funds to debt reduction. The Liberals, meanwhile, focused on the opportunity to use the surplus revenues to kick-start long delayed plans to provide high-speed Internet access to all Canadians.  Where do the parties stand on the use of the spectrum proceeds and on universal broadband access from coast to coast to coast?

2.    Wireless competition - The sorry state of the Canadian wireless marketplace has been well documented in recent months with high profile incidents involving text message charges and high data pricing.  New competitors are slated to debut in late 2009, yet Canadians continue to face high prices and limited choice.  Are the political parties content with the status quo?  If not, would they consider additional measures such as the removal of foreign ownership restrictions or new openness requirements in the next spectrum auction?

3.    Net neutrality - Network neutrality emerged as a major issue this year with a political rally on Parliament Hill, the introduction of a Private Member's bill, and a heated regulatory battle between Bell and independent Internet service providers at the CRTC.  The same is true in the U.S., where the Federal Communications Commission (the CRTC's counterpart) ordered cable giant Comcast to abide by net neutrality principles.  Where do Canada's political parties stand on net neutrality?  If the CRTC concludes that it does not possess the regulatory power to address the issue, would they be prepared to introduce legislative reforms?

4.    Copyright - Few issues generated as much attention this summer as copyright with some Members of Parliament acknowledging that the controversial Bill C-61 was one of the most discussed constituent concerns.  With the bill now dead, each party should be asked to articulate its plan for the future.  Would the Conservatives reintroduce the bill unchanged?  Would the Liberals scrap the bill and hold public consultations as several of their MPs have suggested?  Would the NDP continue its strong opposition to the C-61 approach?

5.    Privacy reform - Over the past year, the Standing Committee on Access to Information, Privacy, and Ethics held hearings on potential reforms to both PIPEDA (the private sector privacy law) and the Privacy Act (the public sector privacy law).  These reform initiatives - including a recommendation to implement long-awaited mandatory security breach disclosure legislation - have now stalled with the election call.  None of the political parties have staked out a clear position on privacy legislation. This election campaign provides an opportunity to put the issue, along with other digital concerns, squarely on the policy agenda.

digital issues column

With a federal election now set for October 14th, the coming weeks will be dominated by political debate as each party seeks to make their case to voters across the country. My weekly technology law column (Toronto Star version, homepage version) notes that the election mode marks an important role reversal - after months of Canadians working to gain the attention of their elected officials, those same politicians will be knocking on doors, making phone calls, and participating in all-candidates meetings in an effort to seek them out.

The 2008 election therefore presents an exceptional opportunity to raise the profile of digital issues.  Not only do these policies touch on so-called core concerns such as the economy, the environment, education, and health care, but they also resonate with younger Canadians, who could help swing the balance of power in many ridings. In the United States election, both Barack Obama and John McCain have unveiled detailed digital policy positions.  Canadian leaders have yet to promote their policies, but there are at least five worth watching and asking about.

Friday April 4, 2008
CRTC To Face Net Neutrality Issue as CAIP Demands Bell Cease and Desist Its Throttling Practices
The CRTC has to date largely avoided the net neutrality issue, however, that is about to change.  The Canadian Association of Internet Providers, Canada's largest ISP association, has filed a Part VII application with the CRTC asking it to direct Bell Canada to cease and desist from throttling its wholesale Internet service.  The application, which was filed late yesterday and is not yet posted on the CRTC site, is the most significant legal development in the Canadian net neutrality debate yet since it places the issue squarely before the Commission.  The filing provides additional insights into Bell's action - the throttling has reduced speeds by as much as 90 percent - and marks an important milestone since the outcome will provide a clear answer on whether Canadian law currently protects net neutrality or if legislative reform is needed.  The application notes that "Bell's traffic shaping measures have impaired the speed and performance of the wholesale ADSL access services that it provides to independent ISPs and other competitors, to the point where the quality of the service has been degraded beyond recognition."  CAIP adds that the throttling is making it impossible for the independent ISPs to manage their networks and forcing them to pay for bandwidth they cannot use. In light of these effects, CAIP says "it seeks to restrain anti-competitive behaviour on the part of Bell.  Thus, the relief requested. . . is intended to 'ensure the technological and competitive neutrality' of the interconnection and and wholesale services provided by Bell to independent ISPs and to promote competition from new technologies that are enabled by the Internet and ADSL access technology." CAIP is therefore asking for an order, issued on an urgent and expedited basis, "directing Bell Canada to immediately cease and desist from using any technologies to "shape", "throttle" and/or "choke" its wholesale ADSL services." 

CAIP is also raising privacy concerns with the throttling, seeking an order that "Bell has acted unlawfully and contrary to the prohibition on carrier interference with the content of messages carried over its telecommunications network contrary to section 36 of the Act and contrary to the Canadian telecommunications policy objectives set out in paragraphs 7(a) and (i) which, inter alia, seek to protect the privacy of persons."  The privacy argument is based on Bell's deep-packet inspection of Internet traffic.  In particular:

"In order to throttle the Internet traffic originating from/or destined for end-user customers of independent ISPs, Bell is using measures to first, open each data packet, examine the packet data and header information, and then apply certain rules to the content in question. This aspect of Bell’s wholesale throttling activities give rise to concerns that Bell’s actions violate the privacy of the communications of its wholesale customers (as well as
that of their own end-user customers).  It also gives rise to concerns that Bell has violated its duty under section 36 of the Act not to control the content or influence the meaning or purpose of telecommunications carried by it for the public."

CAIP rightly notes that since there is no contractual relationship between Bell and the independent ISPs customers:

"by examining the packet data and packet header information of GAS customer traffic, Bell can identify, inter alia, the type of data being transferred, the ISP upon whose network the data is being transferred, an end-user’s intention to acquire certain types of Internet content and the IP address and, hence, the identity of the end-user customer who is sending/receiving the data.  The collection and use of such information by Bell, which in this case would have clearly been done without the prior consent of the end-user customers so affected, violates the privacy of such individuals."

Finally, CAIP also brings the broader net neutrality issue into the picture, noting that "Bell’s traffic shaping measures raise squarely the issue of 'Network Neutrality' which some have described as the right of individuals to gain unfettered and uninterrupted access to Internet content and applications of their choice."  I provide the full argument on net neutrality since it is critical to the current public debate:

"In its March 2006 Final Report, the Telecommunications Policy Review Panel (the Panel) dealt with the subject of network neutrality and stated that it 'believes that blocking access to [Internet] content and applications should not be permitted unless legally required.'  The Panel defined Internet "blocking" to mean 'both absolute
blocking and degradation that is serious enough to affect the desirability of an application or content' and it recommended that the Act should be amended 'to confirm the right of Canadian consumers to access publicly available Internet applications and content of their choice by means of all public telecommunications
networks providing access to the Internet."

The throttling or choking of wholesale ADSL access services that has been engaged in by Bell involves the running of complex algorithms on the GAS and HSA traffic of independent ISPs.  In so doing, Bell is reducing the throughput available to the end-user customers of these ISPs by as much as 90 per cent.  At such speeds, mainstream content available on the Internet, such as audio or video content (e.g., the CBC’s 'Next Great Prime Minister' program), would be slowed beyond recognition or meaning.  In fact, Bell degrades the service to the point of, in some cases, rendering the content inaccessible or at least, highly undesirable.  Bell is, therefore, clearly interfering with and, indeed, exercising control over this content by isolating it from other content, classifying it as low priority vis à vis other types of content and quarantining the content until Bell decides that it can be released to the end-user recipient in a manner determined wholly by Bell.

Similarly, Bell is influencing the 'meaning' and the intended 'purpose' of this content by preventing it from being delivered in the manner and within the time frames intended by the content sender and the content recipient. To use a case in point, if a musical selection that is lawfully downloaded from the Internet is constantly interrupted by Bell’s traffic shaping measures such that it can only be heard in fragments or only with the repeated clicking sounds that come from delays and re-buffering, then the meaning of the musical selection has been influenced by measures deliberately adopted by Bell.

As indicated above, Bell Canada’s traffic shaping measures discriminate between different types of content and the users of that content (contrary to subsection 27(2) of the Act). It is also evident, however, that these measures violate Bell’s obligation under section 36 of the Act not to control the content or influence the meaning or purpose of telecommunications carried by it for the public. Bell has a duty to uphold this obligation which is completely independent of its duties and obligations under subsection 27(2) of the Act, and no exercise of the Commission’s forbearance powers under section 34 of the Act, either in the retail Internet services market or in the wholesale market for underlying access services, relieves Bell of its section 36 duty to act in a transparent and
passive manner in relation to the content that is carried over its networks.

In light of the foregoing, CAIP respectfully requests that the Commission issue an order pursuant to paragraphs 7(a) and (j) and section 36 of the Act that Bell immediately cease and desist from interfering with the private communications and content of Internet services that is delivered over telecommunications equipment and transmission facilities controlled by Bell."

This brings together many of the net neutrality arguments that have been raised in recent months.  The ball is now in the CRTC's court.

caip net neutrality

The CRTC has to date largely avoided the net neutrality issue, however, that is about to change.  The Canadian Association of Internet Providers, Canada's largest ISP association, has filed a Part VII application with the CRTC asking it to direct Bell Canada to cease and desist from throttling its wholesale Internet service.  The application, which was filed late yesterday and is not yet posted on the CRTC site, is the most significant legal development in the Canadian net neutrality debate yet since it places the issue squarely before the Commission.  The filing provides additional insights into Bell's action - the throttling has reduced speeds by as much as 90 percent - and marks an important milestone since the outcome will provide a clear answer on whether Canadian law currently protects net neutrality or if legislative reform is needed. 

The application notes that "Bell's traffic shaping measures have impaired the speed and performance of the wholesale ADSL access services that it provides to independent ISPs and other competitors, to the point where the quality of the service has been degraded beyond recognition."  CAIP adds that the throttling is making it impossible for the independent ISPs to manage their networks and forcing them to pay for bandwidth they cannot use. In light of these effects, CAIP says "it seeks to restrain anti-competitive behaviour on the part of Bell.  Thus, the relief requested. . . is intended to 'ensure the technological and competitive neutrality' of the interconnection and and wholesale services provided by Bell to independent ISPs and to promote competition from new technologies that are enabled by the Internet and ADSL access technology." CAIP is therefore asking for an order, issued on an urgent and expedited basis, "directing Bell Canada to immediately cease and desist from using any technologies to "shape", "throttle" and/or "choke" its wholesale ADSL services." 

Syndicate content