priVacy by Lee Harkness (CC BY-NC-SA 2.0) https://flic.kr/p/9FZSmo

priVacy by Lee Harkness (CC BY-NC-SA 2.0) https://flic.kr/p/9FZSmo

News

The Case Against the Bell Coalition’s Website Blocking Plan, Part 12: Increasing Privacy Risks for Canadians

The Bell website blocking coalition cites privacy protection as a reason to support its plan, noting the privacy risks that can arise from unauthorized streaming sites. There are obviously far better ways of protecting user privacy from risks on the Internet than blocking access to sites that might create those risks, however. Further, with literally millions of sites that pose some privacy risk, few would argue that the solution lies in blocking all of them. In fact, the privacy argument is not only weak, it is exceptionally hypocritical. Bell is arguably the worst major Canadian telecom company on user privacy and its attempt to justify website blocking on the grounds that it wants to protect privacy is not credible.

Years after competitors such as Rogers and Telus released telecom transparency reports that disclose the frequency of subscriber information disclosures to law enforcement, Bell has still refused to release such a report, keeping millions of Canadians in the dark on the issue. Bell’s approach to “targeted advertising” also demonstrates how little regard it has for customer privacy. The company changed its privacy policy in 2013 to allow for expanded usage of subscriber data on everything from website visits to TV viewing habits. That led to its targeted ad program, in which it automatically enrolled millions of subscribers unless they proactively opted-out. When the Privacy Commissioner of Canada found that the program violated the law, Bell simply refused to comply:

we remain of the view that Bell cannot rely on the opt-out consent of its customers in order to implement the RAP. Both the sensitivity of the information at issue and the reasonable expectations analysis lead us to the conclusion that such consent is not appropriate in the circumstances. In our preliminary report, we recommended that Bell provide its customers with the opportunity to make an express opt-in choice regarding whether or not they consent to Bell’s use of their personal information for the RAP. Bell refused to comply with our recommendation.

Bell later backed down, but its privacy challenges have not disappeared with a 2013 lawsuit that awarded thousands of dollars to a subscriber for a privacy violation as well as reports that it has hijacked browser sessions from customers that have asked to cancel services. The Privacy Commissioner is currently investigating the practice.

Even if Bell was as an exemplary company with respect to privacy protection, its website blocking proposal would still pose significant privacy risks. First, the use of virtual private networks is an increasingly important mechanism for users to safeguard their privacy online. Yet as noted earlier in this series, targeting VPNs is a likely next step for the anti-piracy effort, particularly since the services have been sore spot for the companies for many years. In 2015, Rogers executive David Purdy reportedly called for shutting down VPNs, while Bell executive Mary Ann Turcke specifically targeted VPN usage to access U.S. Netflix, telling an industry conference:

“It has to become socially unacceptable to admit to another human being that you are VPNing into U.S. Netflix. Like throwing garbage out your car window – you just don’t do it. We have to get engaged and tell people they are stealing. When we were young and made the error of swiping candy bars at the checkout of the grocery store, what did our parents do? They marched us back in, humiliated us, told us to apologize to the nice lady and likely scolded us on the way home.”

The comments equating VPN use to theft echo the remarks being made today by the Bell coalition about piracy sites and services. Further, since the response to site blocking from some Internet users will surely involve using VPNs to evade the blocks, the attempt to characterize VPNs as services engaged in piracy will only increase.

Second, the identification of piracy sites and usage by subscribers depends in part upon snooping into Internet users’ online activities. Sandvine, whose piracy data is cited in the Bell coalition application, openly acknowledges that “by inspecting unencrypted channels, communications service providers gain a more complete perspective on how subscribers are viewing pirated content.” In other words, ISPs have incentives to track user activity by inspecting unencrypted communications to identify which sites are being visited.

In fact, the Bell coalition application hints at monitoring subscriber activity to gauge the impact of piracy. After citing cord cutting data, it states:

While it is impossible to determine precisely how many of these 1.1 million households are lost subscribers due to piracy, the experience of relevant members of the coalition with their customers confirms that consumers who engage with piracy sites are many times more likely to cancel legal services or never subscribe to them in the first place than are those that do not engage with piracy sites.

How is Bell – or any other communications company – able to establish a linkage between website visits and cable/satellite subscription cancellations? Either statement is purely speculative or the companies are actively monitoring Internet use and television subscription habits and linking the two sets of data together.

Third, certain website blocking technologies raise serious privacy concerns. An Ofcom review of site blocking noted:

To be successful, any process also needs to acknowledge and seek to address concerns from citizens and legitimate users, for example that site blocking could ultimately have an adverse impact on privacy and freedom of expression.

The privacy impact is particularly acute with respect to deep-packet inspection blocking. The Bell coalition proposal does not identify specific blocking technologies, but studies have shown a correlation between cheaper blocking systems and a greater likelihood of overblocking (IP address blocking and shallow packet inspection blocking), while more targeted systems such as DPI were more effective but also the source of privacy concerns.

Rather than enhancing privacy protection, the Bell coalition proposal puts it at greater risk, with the possibility of VPN blocking, incentives to monitor customer traffic, and the potential adoption of invasive site blocking technologies.