The CRTC’s decision to deny a complaint from the Canadian Association of Internet Providers regarding Bell Canada Enterprises’ controversial throttling practices has received a lot of attention – mostly negative – on Internet message boards. But both Canada and the United States sold out the privacy battle a long time ago. And it doesn’t matter what network you’re using – the entire Internet is effectively compromised from a privacy standpoint. “The National Security Agency (NSA) in the United States and the Canadian Security Establishment (CSE) in Canada are sorting through petabytes of data. This is going on in real-time, and the carriers are compliant,” says Lawrence Surtees, vice-president and principal communications research analyst at IDC Canada. Most people agree that Bell’s use of deep packet inspection, or DPI, is for managing P2P traffic and not snooping on the actual content of the transmission, though AT&T Inc. has suggested such technology could be used to enforce copyright legislation. As a result, the debate has focussed on corporate control of the Internet and the rights of smaller ISPs, which is fair enough. But it’s odd to argue over these scraps when for years the Canadian and U.S. governments have blatantly trampled citizens’ privacy rights. “Sometimes it’s a matter of picking the right battle,” says Jay Angl, senior research analyst at Info-Tech Research Group in London, ON. “It’s a matter of awareness. People have security concerns, but often privacy is about regulatory compliance, such as with HIPAA in the United States for healthcare, and not the bigger picture.” The irony is that the sell-out on privacy issues is in play as security and online safety are held firmly on the front burner. For example, Edward Amoroso, chief security officer for AT&T, was in Ottawa recently to speak at the Cyber Security: Proactive Defence of Critical Systems and Information conference, hosted by the Conference Board of Canada. The event was full of great things to say about security, but Amoroso couldn’t speak too directly about privacy, because he knows that AT&T and other carriers breach individual’s and enterprise’s privacy all the time. “Partnering with a carrier to imbed security upstream is a fantastic idea,” he told Telemanagement. “You can call that managed security services if you want, but what it boils down to is that the simpler something is the more secure it is, and it make sense to do this in the cloud.” And the simpler it is the easier it is to mirror and to monitor, something AT&T has been doing at the behest of the U.S government for some time now. “AT&T uses optical splitters to take huge amounts of data – e-mail, VoIP, Internet search requests – which records a carbon copy of every packet in real time,” says Surtees. This is vastly different from previous intercept programs, he adds. Earlier programs would generally target specific paths from other countries, essentially plucking transmissions off of microwave networks or copper, as was the case during the Cold War when USS Seawolf submarines were used to tap undersea cables. “The traffic that AT&T is copying is not just its own,” says Surtees. “International peering means that, in effect, AT&T has access to everyone else’s data.” The Patriot Act prevents carriers or ISPs from telling their customers — whether inside or outside of the U.S., citizens or not — if the U.S. government has demanded private information. This is why big players like AT&T and Verizon Communications Inc. are essentially mute on the subject, although when faced with lawsuits Verizon has made the rather bizarre claim that this is a matter of free speech, and that as a result the company has the right to pass on customer information to government security services. No matter Verizon’s odd interpretation of the First Amendment, to return the favour the U.S. Congress has given AT&T and Verizon retroactive legal immunity from prosecution. “The immunity deal was abhorrence,” says Surtees. “This is not academic – the data behind this is unlike anything the world has ever seen. The knowledge used for the rendition of people to prisons outside of North America is coming from this program.” In fact, Qwest Communications International, Inc. was, according to some reports, the only U.S.-based telecommunications company that did not comply with the NSA’s request for non court-ordered phone documents. According to former Qwest chief executive officer Joseph Nacchio, the NSA leaned on him to participate in its wiretap program even before September 11, 2001, and threatened to cancel government contracts if he didn’t comply. “Nacchio has since been convicted of insider training,” says Surtees. “We’ll probably never know if his non-compliance and the government’s prosecution of him is a coincidence.” Surtees adds that Ottawa has been a participant in information surveillance since the inception of signals intelligence during the Second World War, and today it is as active as ever. “The CSE has been granted the right to intercept,” says Surtees. “There is nothing in our constitution that gives the state the right to conduct itself like this, with unfettered access to information.” Surtees says that it doesn’t matter what network you’re using – the entire Internet is effectively compromised from a privacy standpoint. The likes of AT&T and Verizon are providing surveillance for the U.S. government, and the CSE is tapping all international communication, which includes any of Bell’s traffic that is trunked on the Montreal-New York or Toronto-Chicago lines. “It doesn’t matter if you are using a third party managed services provider like Fusepoint or PEER 1,” says Surtees. “This is complete Internet surveillance in real-time.” Amoroso claims that from a law enforcement perspective AT&T’s role is essentially passive. “People are not comfortable with the carriers acting as nannies,” he says. “People want them to step out of the way – policy enforcement has not been our relationship.” “We would like nothing more than to have dialogue with our customers,” he adds, referring to the need to have an ongoing conversation about security. Not a bad idea. AT&T has a Toronto data centre, and is actively recruiting Canadian enterprise customers. Perhaps you are in financial services, or healthcare. Perhaps you are in legal services and hold client records, or are a manufacturer and have long-term, trusting relationships with your customers. You want to make sure your data are secure – and private. As part of your dialogue with AT&T, you might want to ask if they can assure you that third parties will not have access to your data. “Sometimes the provider won’t be able to answer that question,” says Angl. He’s right. If former AT&T employee Mark Klein hadn’t notified the world that his boss was diverting IP traffic to a secret NSA listening room in San Francisco, we’d be none the wiser, and it’s questionable whether or not a typical AT&T executive would have known anything about it. As it stands, if you are an AT&T customer and your customers ask you about the integrity of their data, you can have every reason to believe, based on past evidence, that it could be held – very securely – for arbitrary, non court-ordered government review, and that any action taken as a result will not be traced back to its source.