The ISO layers of the legal code

{This entry written over a course of several weeks}

I attend a group called the “Gaggle”, see where I often argue, sometimes loudly (it’s a sports bar, so everything is loud) with Russell McOrmond ( ). Russell is my best friend, business partner and we were each other’s best men.

So, it’s often surprising how violently we can disagree. It’s even more surprising when we are often violently agreeing. One problem that both Russell and I have, is that often we argue with each other, often thinking that we are in fact arguing with the “enemy”. It’s kind of like honing one’s skills, but often it gets in the way to actually communicating new ideas to each other.

Sort of like when the angry feminist goes into some store and asks to buy some bullets, and the clerk says, “I can’t sell you those bullets.” and the woman gets mad, assuming that the clerk is some kind of misogynist. The clerk finally explains, “No, it’s not because you are a women, it’s because I don’t have any in stock.”

An on-going argument is about the end-to-end issues on the Internet, and what constitutes “upload” vs “downloading”.

In general, I hate the terms. People who use the terms uploading and downloading are from the Bulletin Board Systems days, and from that kind of thinking. Unfortunately 99% of the users of the internet came to it sufficient late, and via dialup and “residential high speed”, that they actually have never really experienced the Internet of the 1980s, and the early 1990s.

Russell is also concerned about end-to-end issues.

(Please correct me if I am using any loaded terminology)

Russell explains that in Canada, “downloading” copyrighted works (such as an MP3) is not illegal, particularly if it gets put onto a levy’ed media such as a CDrom.

What is illegal is “uploading”. So, the theory goes, I am permitted to receive materials, but I am not permitted to send them. I can make a private copy – so I can borrow your CD, and I can copy it. That’s permitted. You can’t take your CD, make a copy and give it to me. That’s not permitted.

There is a lot of question of intent.

My major concern is that of enforcement.

At present a large number of “residential” ISPs (Rogers, Bell Sympatico) have a policy of “no servers”, and they regularly block various ports, sometimes blocking all incoming packets with the “SYN” bit set. A TCP SYN packet is what is used to start communication with a “server”. Any ISP that puts their customers behind a NAT, or encourages their customers to install NATs by not providing them with enough IP addresses is effectively blocking TCP SYN packets. Bell Sympatico GIVES people the NATs. (Who owns and controls them? That’s the topic of another article)

It’s not limited to residential services. A huge number of business people think that NATs have some kind of useful security function. The reality is that they simply cut of 50% of the functions of the Internet, which sometimes means that they cut out 50% of the security holes present in some desktop operation systems. Of course, you can cut out 100% of the holes by powering the desktop down as well. Since the NAT improves security by preventing legitimate uses, any measure that improves security, even if it prevents legitimate users, would by the arguments above, be legitimate. So, I would conclude that the power switch is much more secure than the NAT.

However, I do not believe that we need to prevent legitimate uses to improve security. Often we can improve one module’s security profile, by moving appropriate functionality to another: for instance, exchanging files by FTP or SFTP is much smarter and more secure than doing it by email, but we don’t do that because residential desktops do not have permanent identities on the network, and oh. yeah… that NAT. And people who exchange files are, by definition, evil.

As I explained that Friday (2005-05-27), I can’t tell, as a network operator, looking at the layer-3 part of the packet (the IP header) if the traffic is an “upload” or a “download”, or if it is a TCP SYN packet or not. (The two are not equivalent. I can certainly identify the TCP SYN packet, but the upload/download involves knowing intent, which requires much deeper packet inspection.)

The layer-3 information is the only information that a network element needs to look at. I claim that this is the only part of the packet that a network element is permitted to look at.

To understand my claim you need to have some history about phone taping. Since 1984 in the US the pen register was formally defined. See for a good history.

This is important — access to the Pen Register is not considered a search, but at the same time, it isn’t public knowledge. From the above page:

Ten years later the Supreme Court held that a pen register is not a search because the "petitioner voluntarily conveyed numerical information to the telephone company." Smith v. Maryland, 442 U.S. 735, 744 (1979).

That’s why the law in 1984 was necessary.

The question is then: what parts of the TCP/IP stack are covered by Pen registry legislation, and what parts are not? The US Congress even talked about this a bit:

[[][Border Issues Ashcroft]]

(search for “Pen Register”. This from September 25, 2001, about the Patriot act. I don’t know why it shows up under…)

Another interesting link:

And another:

[Orin Kerr, 12:47 PM] New decision on surveillance of Internet search terms: During the debate over the USA Patriot Act, some opponents of the Act argued that the amendments to the Pen Register statute (18 USC 2701-11) gave the government the power to monitor the terms that users entered into Internet search engines with only a Pen Register order. As the Electronic Frontier Foundation warned in its analysis of the Patriot Act: Be careful what you put in that Google search. The government may now spy on web surfing of innocent Americans, including terms entered into search engines, by merely telling a judge anywhere in the U.S. that the spying could lead to information that is "relevant" to an ongoing criminal investigation. As I explained in a recent law review article, this criticism is off-base (if you're really interested, look at pages 644-648). Whether the government may collect search terms that appear in URLs depends upon whether the search terms are "contents" under the Wiretap Act, and does not involve the Pen Register statute. Whether search terms are "contents" remains unclear, I noted, and the Patriot Act unfortunately did not clarify whether the government needs a Wiretap Order to conduct such monitoring. But the Patriot Act did not lower the privacy protection offered to search terms. (This hasn't stopped reporters from repeating EFF's claim as simply a factual statement about what the Patriot Act does, but that's another matter.) I mention all of this because yesterday the First Circuit decided a case applying the Wiretap Act to the Internet that seems to conclude that URL search terms are in fact "contents" under the Wiretap Act. You can read the opinion here; read my summary of the case here. There are some analytical weaknesses in the opinion and its scope isn't entirely clear (see the case summary for the details), but the opinion supports the view that the Wiretap Act protects URL search terms-- and it does so by interpreting language in the Wiretap Act that was unchanged by the Patriot Act. In other words, the opinion suggests that URL search terms are protected by the Wiretap Act, not the Pen Register statute, even after the Patriot Act.

So, back to end-to-end.

If it is the case that only numbers disclosed to the ISP for routing are part of the Pen Registry, then I read this very clearly: the IPv4 header contains that information.

The TCP header (in which the SYN flag, and the port numbers are) do not.

  • Anyone filtering on TCP headers without the permission of both parties is performing an illegal search.*

Subsequent to when I started writing this entry, Sympatico announced they were amending their user agreement to get this kind of permission. That’s might be okay. We’d need to ask some critical questions before allowing citizens to give up their rights: did they have a choice? If all ISPs force citizens to do this, then perhaps there is a cartel? Some kind of collusion?

But, I have a simpler solution: any ISP that wants to do this is no longer a common carrier. They are now responsible for ALL content. Including the child porn found on a web server in Zealand that crosses their network.

But, back to “uploading” and “downloading”.

In Spain recently, it was reported in IRC (I do not have a good official reference, but would welcome one):

(12:17:38) quanttrom: talking about P2P : Section_Ei8ht writes "Spanish Congress has made it a civil offense to download anything via p2p networks, and a criminal offense for ISP's to allow users to file-share, even if the use is fair. There is also to be a tax on all forms of blank media, including flash memory drives. I guess the move towards distributing films legally via BitTorrent is a no go in Spain."

In Canada, we already have the tax on blank media, and generally this has permitting “downloading” to be legal, while “uploading” to not be legal.

Let’s say that Canada passes a law making it a “civil offense to upload”.

And let’s say someone wants to enforce this law. How can (technically) they do it? Simple: do not let TCP SYN packets to end users. Oh, wait. That requires a search warrant.

So the law enforcement agency has to have probable cause, and has to present a search warrant. That’s okay, since they had to have probably cause for a specific end-user, they can’t just let out a dragnet.

This is why I claim that nobody can tell (without a search warrant) if I am uploading and downloading, and thus, effectively, there can be no technical difference between the two operations.

Being able to enforce a law is one of the critical questions that law makers are supposed to ask. I conclude: you can not enforce such a law without violating everyone’s privacy rights.