Fox Creek, AB – December 1

It was reported on Friday that Conservative MP Michael Chong is tabling a bill to enact major changes to the relationship between party leaders and their caucuses. The reforms would give MPs the ability to schedule a non-confidence motion in their leader if 15% of the caucus agrees and potentially remove their leader if 50% plus one of the caucus vote to do so. The caucus would also be in charge of determining its own membership, not the party leader. The reform would also remove the requirement for the party leader’s signature for candidates in elections. Instead, the riding associations themselves would get final say on who is to be their candidate.

The requirement for a candidate to have the leader’s signature to run has only existed since the 1970s. The lack of leader  accountability to the caucus has been around for a bit longer, arising in the 1930s. Originally party leaders were chosen by the caucus but the demands for a more democratic selection led to the first national conventions. Unfortunately, the party leaders realized quickly that they were now more than leaders of their caucuses, they were masters of them. Many of the problems in Parliament can be traced back to the immense power wielded by the party leaders. This reform bill will correct the power imbalance that has arose between party leaders and their MPs without losing the democratic nature of party leader selection.

“These reforms are huge. There was a time when MPs, like R.B. Bennett, could absolutely skewer their own party’s record on the floor of Commons and have a reasonable chance of becoming party leader themselves one day. Fast forward to 2013 and such a person would be persona non grata, most likely forever. The leaders in Parliament would have it no other way, as seen by the Conservatives, Liberals and New Democrats already coming out against it”, says James Wilson, Leader of the Pirate Party of Canada. The Pirate Party supports MP Michael Chong private members bill and will be calling on its members and the general public to contact their MPs encouraging them to support these vital reforms. The party will also be opposing attempts to either water down this bill or destroy it with ‘poison pill’ amendments.

The Pirate Party of Canada is a federal political party focused on thoughtful information policy reform, genuine democracy, civil liberties, and the freedom of the Internet. You can find out more online at www.pirateparty.ca{.extern} .

Winnipeg, MB – November 22

On Wednesday the Conservatives announced their strategy for a new anti-bullying law. While efforts must be taken to stop the recent tide of suicides related to bullying online it must be careful, considered change. Laws written in the wake of tragedies are often deeply flawed. In this regard it is good the Conservatives waiting until now to examine Canada’s bullying laws rather than in the immediate wake of the suicides of Amanda Todd and Rehtaeh Parsons.

However, reading over the bill one does get a sense of deja vu, as if we have already seen this bill before. That is because we have. Many, but not all, of the privacy-violating provisions of Bill C-30 (Lawful Access) have been revived. Prof. Michael Geist gives an excellent dissection of the issues on his blog.[1] Two important provisions are not returning: warrantless data collection and forcing telecommunications service providers to put ‘backdoors’ in their systems for law enforcement monitoring. However, this is of little comfort as the various documents leaked by Edward Snowden imply our government, or an allied government, may already have these capabilities without these provisions.

The bill also includes warrant powers for the collection of meta data, with a lower standard than other warrants. With this there is a ban on the disclosure of the existence of these warrants. As well ISPs will now be able to voluntarily hand over data without civil or criminal liability which means law enforcement don’t even need a warrant to get your data. As well, certain computer software will be criminalized. These are provisions the Conservatives promised not to revive when Bill C-30 caused a public outcry and was abandoned.

“The law could allow widespread collection of Canadians personal metadata. It could criminalize independent Information Technology researchers who investigates security flaws in systems and devices (e.g. critical bugs, spywares and backdoors).” says Ric Lim, Secretary of the Pirate Party of Canada. The Pirate Party believes that more needs to be done to combat bullying in society. Given the reports that law enforcement officers were slow to act in both of the recent tragedies it may be prudent to start with providing better training to officers to handle these kind of situations.[2] “The route taken by this Conservative government is typical of them. Take an issue people want action on, throw in some nice-sounding language and then add a bunch of ill-conceived ideas. The result being a bill dubious at best which the Conservatives will say must be passed ‘for the children”, says James Wilson, Leader of the Pirate Party of Canada. The Pirate Party urges Parliament to use caution as they examine the proposed bill so that in their effort to combat bullying they do not worsen other areas of Canadian law.

The Pirate Party of Canada is a federal political party focused on thoughtful information policy reform, genuine democracy, civil liberties, and the freedom of the Internet. You can find out more online at www.pirateparty.ca{.extern} .

#

[1] http://www.michaelgeist.ca/content/view/7003/125/{.extern}

[2] http://www.cbc.ca/news/canada/amanda-todd-suicide-rcmp-repeatedly-told-of-blackmailer-s-attempts-1.2427097{.extern}

TRANS-PACIFIC PARTNERSHIP A RAW DEAL FOR CANADIANS

Fox Creek, AB – November 14: It is being reported that Wikileaks has obtained a copy of the negotiating text for the Trans-Pacific Partnership. The text includes a chapter on intellectual property with provisions that many feared would be included: An extension of copyright terms, further restrictions on fair dealing and greater legal protection for digital locks to name just a few. None of these things are of benefit to the Canadian economy and only serve to create inefficiency through the strengthening of the copyright monopoly. With the London School of Economics being the latest to declare digital piracy a negligible risk to industry and a dearth of evidence that copyright even needs to be at the current length the inclusion of copyright in the Trans-Pacific Partnership would seem unreasonable.

The Trans-Pacific Partnership is a trade treaty being negotiated by U.S. and Japan, Mexico, Canada, Australia, Malaysia, Chile, Singapore, Peru, Vietnam, New Zealand and Brunei. The treaty is being negotiated in secret and only select corporations have been given access to the document. Despite the stated objective of TPP to promote economic and social development in digital economy and technological innovation, and for protecting public health. The revealed content of the IP chapter would do exactly the opposite.

The proposed IP provisions would raise the cost of drugs by shutting out generic drugs to the sole benefit of large pharmaceutical companies. This would expand their monopoly power for a unacceptably long time beyond what is allowed under our already generous patent laws. There are provisions that could lead to increase in internet access cost while reducing internet freedom by making an ISP act as watchdog for the copyright monopoly without due process and burden of proof. It will also restrict educational access which is currently protected under our current copyright law.

“Well this would certainly explain why the negotiations surrounding the TTP have been so secret, now wouldn’t it? After all the uproar surrounding SOPA and ACTA it has become clear to politicians that publicly stating that copyright is to be strengthened, among other things, is a good way to anger your constituents. The IP chapter is a dog’s breakfast of bad ideas and I would hope the Canadian negotiator is objecting strongly to its provisions”, says James Wilson, Leader of the Pirate Party of Canada. The Pirate Party will continue to work for limiting copyright and patent terms and law. A fairer IP law is essential for propagation of culture, improvement of rights of independent artists and inventors, and promotion of innovation beyond U.S. major labels, studios, and pharmaceutical companies.

Canada should withdraw, and not take part in the negotiations, until the text becomes transparent and open to the public. A treaty of economic and social significance should include the citizen and consumer stakeholders at the table. Canadians should resist the subjugation of our democracy. We must protect the public interest over that of a few U.S. corporate interests. This treaty is not in Canada’s economic, social or cultural interest and Canada should not sign it until it is.

The Pirate Party of Canada is a federal political party focused on thoughtful information policy reform, genuine democracy, civil liberties, and the freedom of the Internet. You can find out more online at www.pirateparty.ca .

#

Media Contacts: [email protected]

Background: https://my.pirateparty.ca/node/7{.extern}

PART 0: Introduction

Greetings,

I am writing on behalf of the Pirate Party of Canada to explain how the “Notice and Notice” regime will impact our VPN service (which we discontinued, but plan to bring back).

We are disappointed that we only found out about this through the media. Because the distribution list of the consultation letter is not disclosed, it is difficult to know which stake-holders are being consulted. In general, the Pirate Party of Canada will not operate a VPN service that keeps extensive logs. However, we think a VPN service is important enough that we should still offer one: despite guidance that we should keep detailed logs for 6 months. The primary purpose of our VPN service is to defend human rights: something not possible to do while keeping extensive logs.

While the Pirate Party does not officially condone copyright infringement (especially commercial copyright infringement), I am troubled by the characterization that the Copyright Modernization Act is designed to deter copyright infringement. At it’s core, copyright is censorship. Authors are given a time-limited monopoly on publishing their work, with the understanding that it must eventually fall into the public domain. All works build on what came before. Technologies like Technological Protection Measures threaten to bring about a second dark age if not handled carefully.

PART 1: IT details; What is possible?

A: How reliable is e-mail notification?

E-mail is a “best effort” delivery medium. This means that delivery is not guaranteed. This is exacerbated by the SPAM problem: users and hosts may be reluctant to report delivery failure ([1], section 15.4). DMARC allows the sending host to request specific rejection handling, but the receiving host is still free to ignore the advice. One reason a receiving host may want to do this in the context of “Notice and Notice” is if a specific host is known for sending poor quality automated infringement notices; while not responding to follow-up e-mail. The person handling such mail for the Pirate Party has requested that we block one such domain as spam.

The mostly standard way of requesting Disposition Notification is described in RFC 3798.[2] By including the Disposition-Notification-To header, the sender is requesting a notification when the message is either opened of deleted (possibly without being read). Again, this is optional on the part of the receiving host. While the government may be tempted to enact regulations requiring intermediaries to respond to such requests, it is a bad idea for the reasons outlined in section 6 of the RFC: “Security Considerations.” In particular, “MDNs do not provide non-repudiation with proof of delivery.” If non-repudiation is required, registered letter mail should be used instead.

B: How safe is e-mail notification?

To internet intermediaries and users, entities sending notices of infringement are considered potential attackers. Even if the notice is genuine, internet intermediaries and users must mitigate potential de-anonymization attacks. Among the most common (used by the Pirate Party in it’s mail-outs), is the use of HTML e-mail including a “Web Bug.”[3] A web-bug works by downloading data from the attacker’s server whenever the message is opened. In the context of a VPN provider, this may reveal the user’s real IP address if they open a forwarded message from the attacker without the VPN connection being active. Unique URLs included in the message may also be used for de-anonymization.[4] The very nature of infringement notices may make some infringement-specific URLs unavoidable.

The aforementioned attacks can be mitigated by using only plain-text e-mail. However, e-mail attachments are potential attack vectors as well.[5] Extraneous attachments should be avoided. Even if the attached file format is not designed to execute arbitrary code; there have been numerous security vulnerabilities disclosed for most image handling libraries over the years. E-mail software also varies in how it handles the forwarding of attachments. I recommend that to simplify the forwarding of infringement notices to users, plain-text e-mail should be used as much as possible. Copyright holders sending infringement notices may want to consider cryptographically signing their messages as well.

C: What information is required to identify an alleged infringer?

Our VPN service issues its users RFC 1918 private addresses.[6] Network Address Translation is then used to provide a connection to the IPv4 Internet. This means that in order to have any hope of identifying an alleged infringer, the infringement notice must include: the time, the IP address, and port used by our user. While just the IP address may be enough for traditional ISPs to identify a customer: in the case of our VPN service, the IP address is used by many users at the same time.

If our VPN service ever implements IPv6, it is likely that we will assign our users temporary (randomly generated) addresses. In that case, the full 128 bit address should be sufficient to identify a specific user at any given time. However, in the case of our service, we will not be able to identify specific infringers due to a minimal logging policy. This policy is in place so that users of our service can enjoy the right to privacy: stated explicitly in Article 12 of the UN declaration of human rights. It is safer for our users (which may include political dissidents in foreign countries) to keep no logs at all.

PART 2: Legal details; Will the Pirate Party get deregistered for not keeping logs?

A: OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Our minimal logging policy generally follows the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.[7]

We follow the Collection Limitation Principle by limiting the logs we keep. Less data means that the Data Quality Principle is easier to implement.

Because extensive logs have no clear purpose, other than investigating possible abuse, we are following the Purpose Specification Principle. The guideline in question says that “the purposes for which personal data are collected should be specified not later than at the time of data collection.” However, it is possible that we may receive a court-order to keep additional logs: while being prohibited from disclosing the logging. The way privacy-conscious services have handled this in other jurisdictions is by partially or completely shutting down the service.[8,9] By limiting the logs we keep, we reduce the chances of violating the Use Limitation Principle.

Keeping minimal logs increases the security of the service from a privacy perspective: following the Security Safeguards Principle. By keeping our logging policy simple, we follow the Openness Principle. Minimal logs also reduce the administrative overhead in following the Individual Participation Principle. Simplified logging also simplifies our Accountability to our members: fewer logs mean inevitable mistakes have fewer ramifications in the event of a data-breach.

B: Explain the difference between criminal and civil liability

The Copyright Act[10] sets out two broad classes of remedies: Civil and Criminal. Section 41.27 also allows copyright holders to receive an injunction against the providers of information location tools. While a broad reading of subsection 5 may include keyboards, the VPN service is not really an “information location tool,” so that section is not likely to apply.

The following acts appear to have Criminal Remedies:

• Selling, renting, distributing, exhibiting, or importing infringing copies of a protected work in a manner prejudicial to the owner of the the copyright.
• Making a plate for making infringing copies or performing a protected work in public for private profit.
• Circumventing a Technological Protection Measure for commercial purposes.
• Performing in public for private profit a dramatic, operatic or musical work without permission from the copyright owner.
• Suppressing the title of or name of the author: of any dramatic, operatic or musical work.

The VPN service is essentially an anonymized Internet connection. While the service may be used by some of its users for the above acts, the service itself is not responsible for such acts. In general, our service is not suitable for commercial copyright infringement because only individual users are allowed to purchase a subscription. Corporations and Unions are prohibited from making donations to the Party by the Canada Elections Act.[11] (Section 404(1))

The following acts appear to have Civil Remedies:

• Infringing copyright
• Infringement of moral rights (described in sections 14.1 and 17.1).

The Copyright Modernization Act[12] introduced section 30.71 that clarifies that incidental buffering is not in itself an infringement of copyright. However, the wording of subsection (b) is troubling because our service has no way of knowing if a specific packet is infringing copyright or not.[13] Even if the packet can be identified as containing a fragment of a copyrighted work, not under a permissive license: one of our users may be making a copy for personal study; a specific exemption under the Copyright Act (section 29). Our service makes use of shared IP addresses, and does not allow our users to forward ports using UPnP. Because of this, our service does not lend itself to seeding infringing content. It is still possible: but any “downloaders” would have to have ports forwarded at their end of the connection.

The $5000 to $10,000 statutory damages mentioned in the consultation letter comes from Sections 41.25 and 41.26.

Our interpretation of the wording of subsection 41.26(2)(b) is that we must only retain the records we have at the time of the notice. Because the wording may be interpreted in such a way that logs must be recorded for a period of 6 months or more: we may, out of an abundance of caution, patch our kernel to black-list and log the ports named in any notices.[14] NAT should continue to work with 10,000 or more ports black-listed before we may be forced to allocate a second IP address for our VPN.

C: It is an infringement of copyright to operate a service solely for the purposes of copyright infringement — Section 27 Subsections (2.3), (2.4)

Section 8 of the Canadian Charter of Rights and Freedoms[15] prohibits unreasonable search or seizure. Due to the shared nature of our VPN service, any logging to track down a specific infringer constitutes an unreasonable search of all of our other users. The only way to universally enforce copyright is to impose a regime of universal surveillance. Universal surveillance prejudices the “fair dealing” exemptions outlined in section 29 of the Copyright Act.

Fair dealing allows copyright law to avoid conflicting with[16]:

• The right to freedom of thought, conscience and religion (Article 18)
• The right to freedom of opinion and expression (Article 19)
• The right to education (Article 26)
• The right freely to participate in the cultural life of the community (Article 27)

D: How does contracting an off-shore provider impact the above?

If we sub-contract to an off-shore provider, any infringement notices would be subject to the laws of the foreign jurisdiction. Since international copyright treaties have wide reach, this would (hopefully) require careful jurisdiction shopping to make sure that the host countries’ laws are not actually more severe than those in Canada. If the regime in Canada becomes too oppressive to maintain a viable VPN service, we may investigate other jurisdictions that actually respect the right to privacy.

PART 3: References

[1] Domain-based Message Authentication, Reporting and Conformance (DMARC)

draft-kucherawy-dmarc-base-01

https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/?include_text=1{.extern}

[2] Message Disposition Notification

https://tools.ietf.org/html/rfc3798{.extern}

[3] Wikipedia: Web bug

https://en.wikipedia.org/wiki/Web_bug{.extern}

[4] Bitmessage users de-anonymized

http://secupost.net/2325962497/bitmessage-security{.extern}

[5] E-mail Viruses

http://www.thegeekprofessor.com/guides/email/email-viruses/{.extern}

[6] Address Allocation for Private Internets

https://tools.ietf.org/html/rfc1918{.extern}

[7] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm{.extern}

[8] Lavabit

http://lavabit.com/{.extern}

[9] CryptoSeal VPN shuts down rather than risk NSA demands for crypto keys

http://arstechnica.com/information-technology/2013/10/cryptoseal-vpn-shuts-down-rather-than-risk-nsa-demands-for-crypto-keys/{.extern}

[10] Consolidated Copyright Act

http://laws.justice.gc.ca/eng/acts/C-42/{.extern}

[11] Canada Elections Act

http://elections.ca/content.aspx?section=res&dir=loi/fel/cea&document=index&lang=e{.extern}

[12] Copyright Modernization Act

http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=E&Mode=1&DocId=5697419&File=4{.extern}

[13] What Colour are your bits?

http://ansuz.sooke.bc.ca/entry/23{.extern}

[14] Reserved network ports

http://lwn.net/Articles/375976/{.extern}

[15] Canadian Charter Of Rights And Freedoms

http://laws-lois.justice.gc.ca/eng/Const/page-15.html#h-39{.extern}

[16] The Universal Declaration Of Human Rights

http://www.un.org/en/documents/udhr/{.extern}

For Immediate Release