My name is Michael MacKay; I am a Senior Consultant for ExitCertified, a company that trains Internet professionals throughout Canada and at many locations in the United States.  Specifically, we’re experts on the server side of things: the web servers that provide content for browsers, the mail relays that get electronic mail to your inbox, and most other “behind the scenes” aspects of the Internet.  As for me, I first started to work with the Internet before it was called that, learning about how it functioned before the World Wide Web application made it known to the general public.  Over the past 20 years I have worked as the project director on an Internet access project at a university in Ukraine, before becoming an instructor for system administrators who manage servers.

For the past 10 years I have worked for ExitCertified as an instructor, but as we started off as a small company I also have worked as a system administrator for our own networks, with a particular focus on email security.  Every day I see the flood of unsolicited commercial email, or spam, the fraud letters, and other undesirable intrusions, and I work very hard to see that this never makes it into our users’ inboxes.  I also take action against the perpetrators of these attacks by blocking the sending hosts and complaining to the Internet Service Providers (ISPs) that control the source network.  But it works both ways.  We also maintain wired and wireless networks of our own, with ExitCertified employees and customers joining these networks with desktop computers, laptops, BlackBerries and iPhones.  It is essential that these on-the-fly users of our networks do not inadvertently download a malicious computer program --- commonly called a virus --- that would cause a computer to become a server under outside control.  At worst, such a computer inside our network could become a server for content which constitutes child pornography.  In my 20 years of experience, I have never seen this worst-case scenario occur, but it is the duty of every system administrator to see that it doesn’t.

Therefore, my company fits into both camps being defined by Bill C-22.  We’re client nodes on the Internet, and therefore our users could become victims of child pornography.  We are also, for all practical purposes, an Internet Service Provider, and so we could become, unwittingly, a server node for child pornography, if we were not constantly vigilant about network security.  I’ve been asked to speak to you today as an expert in how the Internet works today, how it is exploited by child pornographers, and whether the provisions of Bill C-22 do anything to address the wish that the Internet not be used for the dissemination of child pornography.

Rules of the Internet

The rules of the Internet are not laws like the Criminal Code where offences are penalized, but more like the rules of grammar of a natural language.  Since the earliest form of the Internet started to be developed in the late 1960s, administrators who have connected networks have written down technical observations about how they succeeded.  These observations have come to be known as “Requests for Comments”, or RFCs, and to date over 6,000 of them have been written.

Some of these agreements or protocols are so fundamental, so important, that they have become standards.  An example, relevant to this bill, is an Internet Protocol (IP) address.  Such an address must be a certain length, and the bits contained within it must hold a certain meaning, otherwise a packet of data cannot move from one computer to another, to arrive at its destination, such as your web browser.  That’s like a rule of grammar in a natural language like English or French that says that the sentence I speak must have a subject and a predicate --- otherwise, you will find it difficult to understand me.

But other protocols are more like guidelines or good advice.  An example, also relevant to this bill, is how abuse of networks is to be reported.  A domain is a collection of networks under single administrative control with a simple name, such as for the Government of Canada.  The administrator of a domain is supposed to maintain a standard address, such as “postmaster” or “abuse” for the reporting of violations of the terms of service of his or her network, for the violations of RFCs (in other words, he or she’s not being a very good peer to other networks), or for the violations of the laws of the country.  I’m happy to say that the administrators of the domain are good Internet citizens, and respect this agreement among domain administrators.  But many do not, and the Internet works just fine, despite this.  It’s like a rule of grammar that says I should not end a sentence with a preposition --- many if not most people violate this rule, and yet intelligibility is not lost.

The point about RFCs --- the rules that practically, if not legally,  govern the Internet --- is that they are public, free, and global.  Anyone can have an intelligent, communicating device that respects these agreements, and they will be pretty much guaranteed the ability to send and receive data over the Internet.  RFCs are the grammar of the global language that sustains the Internet, and everyone in the world --- including criminals --- is speaking this language.  A bill like C-22 can only influence servers that are physically in Canada, but the Internet transcends sovereign jurisdiction.  I think that Canada benefits from being on the Internet, but the fact is that  the Internet does not need Canada.

Bill C-22 Proposals

Bill C-22 proposes a technical solution to a problem that does not exist.  It imagines a scenario where someone is in possession of evidence of child pornography, where the hosting or transmission of this material points to an Internet Service Provider.  In other words, this person starts with possession of both data and metadata: the data is the image that is a violation of existing laws of the Criminal Code and the metadata is the addressing and other information that indicates the location in cyberspace.  But instead of reporting this criminal act to the legal authorities, this bill imagines that this witness reports the metadata portion only to an ISP --- a third-party to the alleged crime.  Then, this third party, the ISP, is supposed to consider the metadata only and report the alleged crime.  The ISP does not need to consider the data itself and is not required or authorized to seek out child pornography.

Why didn’t the original witness just report the crime?  The way the Internet works means that when the witness reporting child pornography to the ISP receives data, such as when he or she views a web page, they are already in possession of a rich set of metadata --- more so than was ever the case when child pornography was distributed primarily by means of postal mail.  A plain brown envelope can be successfully delivered with nothing more than a recipient address, a postmark, and sufficient postage.  Canada Post is a service provider that should be in possession of more metadata than that, and can therefore be of real assistance in the investigation of the distribution of child pornography.  An Internet Service Provider is not like that at all.   An ISP is not in possession of better information, or more complete information, than the recipient already has; there is nothing magical about the way ISPs work, because the data and the metadata are there for all to see.  If it weren’t, the image or other content would not be able to be stored or be able to be transmitted in the first place.

A packet of data moving through the Internet can be compared to a postcard.  The data is the picture on the front and your personal message on the back; the metadata is the recipient address that you provide.  All this information is viewable to everyone along the delivery track of your postcard.  It has been said that if you don’t want your words to appear on the front page of the newspaper, then don’t write them on the Internet!  The same is true about child pornographers: they cannot hide their illegal images on the Internet, and ISPs cannot be their accomplices in allowing them to do that.  The metadata like the IP address must always be open, public, and accessible to anyone along the track of moving data, right up to the destination web browser.  The volume of all data, including child pornography, is increasing substantially with the growth of the Internet, but the rules by which the Internet works mean that it is more open, and more readily detectable, than ever before.  Internet Service Providers are transparent, not opaque, more so than older means of distributing information, both legal and illegal.

Let me provide an example of how open and transparent the Internet is, and why an ISP is not a holder of special information.  From home, I browsed the web site of the Senate of Canada.  On the main page, there is an image of the Parliament Buildings.  By viewing the source of the web page, with my ordinary web browser application, I was able to determine the following about this image: the name of the file is banner-b.jpg, which means it is in one of the most common formats for a static image.  The web page can be accessed by several names, but it has only one Internet Protocol address.  That address is in a network block that has been allocated to the Government of Canada, and your upstream provider that connects you to all networks other than your own is Bell Canada.  By the way, as easy as it was for me to track you and your website, I see that your web administrators are using Google Analytics, and so you were able to track me!  You know the identity of my computer when I browsed your web site.  You know where I was when I viewed this picture of the Parliament Buildings, and when I viewed it.

The data, in this instance, was the photograph of the Parliament Buildings; the metadata was all the addressing and other information I just mentioned.  My point is that this information was easy to determine, and that anyone in the world could have done it.  An ISP is not a holder of secret information --- both the data and the metadata must be public, or it just doesn’t work.

Providers of Internet Services

In fact, I would argue that the term “Internet service provider” is increasingly meaningless in the modern Internet.  Each one of you Honourable Senators has a BlackBerry, probably a laptop, probably a desktop computer, each one of which is an intelligent, communicating device on the Internet.  You are a “node” and you are participating in a network, and contributing to its functioning in essential ways.  The processing power, memory capacity, storage ability and communications mechanisms that your devices have are all adding to the overall level of service that is the Internet.  That little BlackBerry you have, Senators, has more computing power in it than the entire Apollo program required to put astronauts on the Moon, and you are serving up that power --- right now --- to the Internet.

Any Internet-connected device can become a server, and so anyone can be an Internet Service Provider --- not just big companies that we give that name.  Have you, or someone you know, ever been fooled into clicking on a link in an email you were sent, and ended up with a computer that is commonly known as being “infected with a virus”?  If you have, then your computer, without your knowledge, was just recruited into a botnet, and is being told by a computer program and by command-and-control servers elsewhere in the world to do what a criminal organization wants, such as distribute further copies of the virus to people in your address book, and to host data for others to download.  Your home computer is a server now, and you are an ISP.  It is possible (although very unlikely) that the content that your computer is serving up may be child pornography.  If I notified you that your computer was infected, would you then properly notify the relevant authorities, as you would be obliged to do under Bill C-22?  Would you even know what I was talking about if I advised you correctly about 32-bit IPv4 addresses, Fully-Qualified Domain Names, absolute pathnames to files, and Uniform Resource Identifiers?  You are an ISP --- although you didn’t know it --- and Bill C-22 threatens punishment if you don’t take my advice and report it to the competent authorities.

I feel that I need to defend system administrators here.  If they weren’t doing their jobs, the Internet would grind to a halt, choked to death by spam, denial of service attacks, and an incoherent Babel of inconsistent protocols.  It is so hard to prove a negative.  As an ordinary Internet user, you have no idea about what you are *not* seeing, and only notice that system administrators exist when there is a problem.  A system administrator is a front-line worker for the correct functioning of a system, just like an air-traffic controller is essential for the safe regulation of airspace.  Bill C-22 implies that a system administrator is potentially a co-conspirator with a child pornographer, and threatens him or her with punishment for being a third-party witness to somebody else’s crime.  Instead of helping system administrators to do their jobs, which includes keeping child pornography off the Internet, Bill C-22 coerces them into being unpaid state agents.  I think the real target of Bill C-22 should be child pornographers and not system administrators.

Proposals for Reform

Instead of a solution in search of a problem, how about addressing the real issue, which will incidentally address the issue of child pornography on the Internet?  Let’s consider an “Internet Service Provider” in the modern context to be anyone who contributes the processing power of their computers or the communicating power of their networks to the “network of networks” that is the Internet.  That means everyone in Canada that provides a wireless connection in a cafe or airport or hotel, it means every business that runs an email server for their employees, it means everyone that puts up vacation photos on a publicly-accessible web site.  In other words, it means every Canadian.  To participate, there are three categories of rules that either must be or should be respected: the terms of service (which is a business decision), following RFCs (which is a practical consideration to be a functioning peer on the network), and obeying the law of the land (which is an obligation of every citizen).

At one time, the Internet was under the control of the universities and government research institutions.  Terms of service were easy to enforce, because every participant in the Internet was a member of the university or an employee of the government department; RFCs were respected because all the participants were formal members of centralized networks; and obeying the law was easy, because almost the entire Internet was under the sovereign jurisdiction of the United States of America.  To deal with orderly regulation, an entity known as a Computer Emergency Response Team came into being.  This organization, now known by its acronym CERT, came about organically, and focuses primarily on the security of the Internet, and threats to its integrity.

Starting in the early 1990s, the Internet became truly international, was no longer restricted from commercial exploitation, and the World Wide Web made it known to many more people.  With this transition, the role of the CERT declined, to become little more than an advisory body about threats to the Internet, with no enforcement ability.  This decline can be reversed, and a functioning Computer Emergency Response Team would put Canada miles ahead of other countries in getting a handle on the Internet.  This would mitigate the prevalence of hosting and transmission of child pornography, but also encompass the many other threats faced by the Internet.

The Internet is all about speed and volume of data, and the Criminal Code is not the instrument to address this particular subject.  The Criminal Code already addresses the issue of the production and distribution of child pornography, and there is nothing special or unusual about the Internet with respect to these laws.  By all means enforce these laws, and enforce them on the Internet --- there is no hindrance to doing so now, effectively, because there is nothing categorically different about the Internet as a means for the production or distribution of child pornography.  But if the concern is the sheer volume and speed of the Internet, then that should be addressed on its own terms.  A CERT is a “rapid reaction force”, and it will succeed because it will force Internet Service Providers to do what they want to do anyway, which is to maintain a well-functioning network that respects their own terms of service, the protocols that all networks need to pay attention to world-wide, and the law of the land.

There are two ways I can think of for a system administrator to avoid running afoul of Bill C-22.  The first is to not be an “internet service” as defined in clause 1, and the second is to avoid being “advised”, as set out in clause 2.  The Internet is global in scale, and the rules that govern it transcend national boundaries.  I mentioned earlier that what system administrators do is like what air traffic controllers do, and rules governing air traffic control are largely determined by the International Civil Aviation Organization --- for example, the rule that the language they are to use over the radio is to be English.  A company doing business as an Internet Service Provider in Canada has no requirement or even need to hold data on servers that are physically located in Canada, or to route traffic through networks that traverse Canada.  To avoid running afoul of Bill C-22, it is a simple matter to “offshore” most hosting and routing operations, and therefore not be an “Internet service” in Canada.  Criminals in cyberspace already exploit this fundamental characteristic of the Internet; almost all will use so-called “bullet-proof hosting”, which is servers that are located in countries that will guarantee connectivity, no matter how many complaints are received.  The second way to avoid running afoul of Bill C-22 is not to be “advised”.  ISPs can abandon the standard operating procedure of being quickly and informally advised about any security problem, and instead demand to be formally and legally served with notification --- in order to protect themselves from prosecution.  Thousands of small businesses in Canada that are now providing services such as free WiFi in a cafe, or hosting a discussion board about their products and services, will think twice about doing so, given the threat posed by Bill C-22, whose repercussions they probably will not understand.

The best way to strike a blow against child pornography would be to abandon Bill C-22, and to vigorously enforce the excellent, existing provisions of the Criminal Code.  Failing that, the use of the term “Internet service” in clause 1 should be deleted because it is meaningless.  If you want to salvage some sense of the target of Bill C-22, then I would suggest the following: “an operator of a device that responds to a request for data over a network.”  The term “advise” in clause 2 should be clearly defined.  There is no chance Bill C-22 could be enforced in its current form, and therefore it cannot have any effect on child pornography.

A Computer Emergency Response Team, or CERT, would get it right, and go directly after child pornographers.  The large ISPs in Canada will not like it, as an effective CERT would have to interfere with their networks by forcing them to stop routing traffic that violates the Criminal Code.  The big television and radio companies don’t like the CRTC either, but the CRTC has a mandate to regulate public airwaves in the national interest.  The Internet is a packet-switched network of networks over public carriers, like telephone lines, and is global in scale, but its use of public carriers can be regulated in the national interest, such as to enforce the existing laws of the Criminal Code against child pornography.