Cyberspace Confidential (Globe and Mail essay)

“We have immersed ourselves in a technological environment of our own making, called cyberspace, which we take for granted as our communications and media ecosystem. We leave electronic traces of ourselves scattered across the servers of this vast geographically extended domain like granules of sand on an endlessly mutating, ever-expanding beach.

But who controls this domain and what are they doing with our data? What happens to our e-mail once we hear that familiar “woosh” sound as it leaves our screen? Is it shared with anyone without our consent? Under what circumstances?”

From The Globe and Mail

There’s a story about a 1960s British intelligence chief who was so frustrated and confused by the proliferation of meaningless acronyms and code names for spying missions that he turned to an assistant and asked in exasperation: “Now, just what on earth does this KUWAIT refer to?”

Listening to stories about BlackBerry and the United Arab Emirates, Canadians must be feeling the same way. UAE? RIM? Kuwait? BES? Public Key Encryption? What’s all the fuss about?

Well, Canadians had better pay attention, because the stakes are high and issues such as these are only going to become more common, as much for users as for companies such as Research In Motion.

All of us have become accustomed to the convenience of smart phones, the connectivity of social networking and the ubiquitous presence of digital media. We twitter about the geolocation of our favourite coffee shop, bank online with financial services apps, post our family snaps to photo-sharing sites, and check our e-mail and store our documents on cloud computing services.

We have immersed ourselves in a technological environment of our own making, called cyberspace, which we take for granted as our communications and media ecosystem. We leave electronic traces of ourselves scattered across the servers of this vast geographically extended domain like granules of sand on an endlessly mutating, ever-expanding beach.

But who controls this domain and what are they doing with our data? What happens to our e-mail once we hear that familiar “woosh” sound as it leaves our screen? Is it shared with anyone without our consent? Under what circumstances?

The first place you might look is the policies of the providers themselves. Many of them reassure us that their services are highly secure and that your data is confidential, but the devil is always in the details. In this case, he resides among those lengthy end-user licence agreements we agree to before proceeding to use our BlackBerry, iPhone or Gmail accounts.

Ever read and understood one? Not likely, unless you have an advanced legal degree. They also tend to be frustratingly vague on some key issues.

Take, for example, the Rogers Yahoo Internet Services Privacy Policy, which has an interesting clause: “Personal information collected for the Internet Service may be stored and processed in Canada, the United States or other countries and may be subject to the legal jurisdiction of these countries.” Other countries? Really? My data can be processed in another country and subject to the laws of those countries? Which countries? Whose laws?

Questions such as these are not obscure legalese that amount to nothing in practice. They become critically important as companies extend their services into emerging markets where profits can be made but often at the expense of principles we take for granted in Canada.

The key to understanding this dynamic is the sea change that has occurred as governments assert themselves in cyberspace, primarily for national security reasons. Fearful of cyber espionage, eager to manoeuvre in this domain, determined to block access to a range of content, governments are strategically exercising their power in cyberspace. To do so effectively, however, they need to enlist the co-operation of the companies that own and operate cyberspace. And that means companies such as Google, Microsoft, Yahoo and now RIM.

For their part, companies are eager to capitalize on emerging markets but often have to engage in complex negotiations to satisfy their hosts and to comply with local law. Part of that negotiation process can involve local companies with whom they must partner. This can create some vexing ethical issues for those companies, and some dubious associations.

Consider the case of Skype, the very popular VoIP and chat service. Much like RIM, Skype advertises its product as offering unbreakable “end-to-end encryption” and, for that reason, is used widely among businesses, human-rights activists and other persons at risk. In 2008, however, Citizen Lab researcher Nart Villeneuve determined that the Chinese partner of Skype, TOM-Skype, was secretly monitoring private chats of Skype users and uploading the data to the servers in mainland China, presumably to share with Chinese security services. The monitoring affected not only users of the Chinese version but also regular users of Skype with whom they communicated. Skype said it had no prior knowledge of the modification to the code made by TOM-Skype and “deeply apologize[d] for the breach of privacy.”

There are, of course, legitimate reasons for companies to comply with local laws, and with law enforcement and intelligence. Bad guys can use their products, and security services may need access to their data to be able to do their job. But it’s one thing for a company such as RIM to make provisions for access to its encrypted data for law enforcement and intelligence in a country such as Canada, the U.S. or Britain and quite another to do so with Egypt, Indonesia, Saudi Arabia, Kuwait, Russia, China or the United Arab Emirates.

These are countries that do not have the same legal checks and balances over security services, or anywhere near the same degree of judicial oversight and public accountability. More important, they also have a much broader notion of what constitutes a security threat, which can include human-rights activists, political opposition groups and free-speech advocates. Complying with “local law” in this case could mean collusion with some nasty regimes.

The issues around the RIM-UAE controversy go beyond interception of data to include access to information and freedom of speech. A BlackBerry is also used to surf the Web and, in many of the countries swirling around the latest controversy, Internet filtering is de rigueur.

A Kuwaiti newspaper has reported that RIM has agreed to filter access to 3,000 pornographic websites at the request of the Persian Gulf emirate’s government. (Some users say it’s already filtering access to Web content in the UAE and Pakistan). Research undertaken by the OpenNet Initiative over the past seven years shows that governments rarely admit to filtering anything other than “pornography,” even when they block non-pornographic websites. The UAE, for example, requires its ISPS to block access to political opposition groups, religious sites and sites related to gay and lesbian issues, although it doesn’t admit it.

Will RIM comply with those requirements? Will it inform its users that it’s doing so? Will it publicize the block lists that it’s given by the governments? Or will it take a stand against those requirements in ways that it has about interception of private data?

Part of the reason the RIM issue is so confusing is RIM itself. On one hand, it’s claiming its services are so secure even it can’t decrypt its own encrypted data streams. “RIM cannot accommodate any request for a copy of a customer’s encryption key, since at no time does RIM, or any wireless network operator or any third party, ever possess a copy of the key,” the company said in a statement this week.

On the other hand, the company said it respects “both the regulatory requirements of government and the security and privacy needs of corporations and consumers.” But how are these two principles resolved when governments require access to data for law enforcement and intelligence purposes?

RIM considers its negotiations with governments about access to be “confidential,” yet says it doesn’t make special arrangements with one country that aren’t “offered to the governments of all countries.” If that’s the case, why are there confidential negotiations at all?

There’s also confusion about which of the many RIM services and products are secure, and which aren’t. RIM says “customers of the BlackBerry enterprise solution can maintain confidence in the integrity of the security architecture without fear of compromise.” Does that mean its much more widely distributed consumer-level product is less secure and can be easily monitored?

Clarification about all of these issues would help.

RIM may be banking on the success of quiet diplomacy, and the hope that the controversy will quietly slip away. That would be an unfortunate mistake. As RIM expands its reach and its customer base into emerging markets, so will these problems.

What should RIM do? It could take a page from its peers who’ve gone through these experiences before. Google, for example, now has a page listing all of the requests it receives from governments for filtering or the sharing of user data, and is openly supporting advocacy groups, bloggers and researchers who are pushing for access to information, freedom of speech and privacy online. RIM could do the same.

It could join the Global Network Initiative, a self-governance forum set up by Google, Microsoft and Yahoo, where issues around data sharing, retention and filtering are discussed in an open, principled way. A growing support network of like-minded companies that resist such pressures is certainly more powerful than each of them being picked off by the UAEs and Indonesias of the world alone.

Ultimately, though, any company, acting together or alone, can’t solve the problems that RIM is encountering. These are global public policy – not just business – issues, and they require global public policy solutions that come from the concerted actions of governments, human-rights advocates and citizens.

It’s in this respect that the absence of a comprehensive Canadian strategy for cyberspace is painfully clear. Instead of acting like the British intelligence chief who mistook KUWAIT for a code name, we need to start treating cyberspace for what it is: the global communications space in which we are collectively immersed, and which is now under threat.

Latest reports are that International Trade Minister Peter Van Loan is now openly supporting RIM. This is encouraging, but incomplete. The engagement on this file needs to be seen as part of a broader vision that, so far, we haven’t articulated as a country. We need to be a strong voice internationally for a vision of cyberspace in which freedom of speech, access to information, and privacy are constitutive principles for this domain, and begin nurturing networks of actors that support this vision.

If the pressures on such a major Canadian business as RIM are not a wake-up call in this regard, nothing else will be.

Ron Deibert is director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. He is a founder and principal investigator of the OpenNet Initiative and Information Warfare Monitor projects, and was one of the authors of the Tracking GhostNet and Shadows in the Cloud reports detailing global cyber-espionage networks.