The Quebec government intends to interfere in commerce on the Internet, the free choice of Quebecers to choose with whom to do business, and to require ISPs to establish an architecture of censorship, all with a view to driving users willy-nilly to Quebec’s official gabling site.
These measures were announced in the Quebec budget of March 2015.
So far there has not been a word of protest from any quarters, including the federal government. Why is this proposal to transgress federal jurisdiction over communications undertakings going unchallenged? Consider that the CRTaC recently blasted its cable undertakings when the last minutes of the Letterman show were blocked by the faulty application of simultaneous substitution rules. Which is the more potent threat to the CRTC’s jurisdiction? In fairness, complaints about Quebec’s move to build an architecture of censorship have yet to be made because the Quebec government’s attempts to build the Great Firewall of Quebec have yet to begin.
The Great Firewall of Quebec will be futile, but unless it and attempts like it are opposed, it will be essayed.
I cite the Quebec Budget of March 2015, section G, page 21, in the section entitled “The Fight against Tax Evasion.”
“With a view to public health and in order to further channel the revenues that escape the government, three of the measures recommended by the working group will be implemented during the next fiscal year.
— A legislative amendment will be proposed to introduce an illegal website filtering measure. In accordance with this measure, Internet service providers will not be allowed to provide access to an online gaming and gambling website whose name is on a list of websites that are to be blocked, drawn up by Loto-Québec. This measure will be applied by the Régie des alcools, des courses et des jeux, which should have the necessary resources to fulfil its new responsibilities.
— In addition, Loto-Québec will develop a portal to increase the ability of Espacejeux, the only legal online gaming site in Québec, to attract players. Loto-Québec will operate games on this portal offered by private operators. To become a supplier of a game offered on the portal, operators will have to enter into an agreement with Loto-Québec, who will become the exclusive operator of the online game of chance or gambling game in Québec.
— Moreover, in accordance with the recommendations of the working group. Loto-Québec will inform Quebecers about the legislation governing online gaming through multimedia campaigns.
The Quebec government defends these measures as follows:
“Illegal websites do not apply the same responsible gaming rules as Espacejeux. They thus pose a risk to the population, especially young people. Moreover, private operators who wish to offer games on the Espacejeux portal will have to comply with Loto-Québec’s high standards regarding responsible gaming measures.
In addition, the measures announced will enable the government to recover revenues that are escaping it and to fund public services for the benefit of all Quebecers. These three measures will increase the dividend that Loto-Québec pays to the government by $13.5 million in 2016-2017 and $27.0 million a year thereafter.”
Let us leave aside the hypocrisy of a government trying to confer a monopoly on itself, on grounds of that its websites promoting vice are morally superior to the websites of others promoting the same vice. Here we observe the state seeking to erect an architecture of censorship in the name of increased revenue. When China or Iran tries to do this sort of thing, we cry foul. When Quebec tries it, it seems like business as usual.
The important thing for governments to understand is that an architecture of censorship is both complicated to establish, expensive for ISPs to try to maintain, possibly ruinously expensive, and utterly futile. Censorship adds to the costs of communicating across the Internet, both in terms of increased costs of running an ISP and in legal fees to deal with prosecutions. These must inevitably be passed along to consumers. For smaller ISPs, these additional costs may drive them out of business.
More than this expense and legal risk to ISPs however, such measures drive consumers to evasive measures which are freely available, render law enforcement more difficult as the Internet grows more opaque, and, at the limit, and may break the Internet in ways that even the Chinese government does not attempt – and the Chinese know lots about censoring the Internet.
The futility of such measures is perhaps the hardest for governments unfamiliar with the Internet to understand, particularly if their knowledge is at the level of not knowing the difference between an IP address and a website. The technical information that follows is based on information supplied by Geoff Huston, Chief Scientist for APNIC, the regional Internet numbers registry for the Asia-Pacific region, to whom I am grateful.
The three available methods for blocking access to websites are
- route filtering,
- DNS name resolution filtering and
- traffic interception
- Route Filtering takes the IP address(es) of the service to the filtered and creates specific routing forwarding rules to treat all packets directed to this address in a manner that prevents the packets reaching their intended destination.
Route filtering adds to the noise in the name resolution system (the DNS) which generates the need for other measures to filter out. In addition, route filtering depends on a one-to-one relationship between the address and the website which government wants to block. This relationship no longer holds. IP level blocked sites can readily circumvent such IP-level interception mechanisms by shifting their content to other hosting agencies, so that the blocked content is no longer associated with a set of IP addresses. Second, users can avail themselves of virtual private network services that create a false geographic location for the end user so that they can evade local content restrictions. Canadians are becoming familiar with VPNs by reason of their desire to access all of Netflix’ stock of video.
- In the simplest form of name filtering a list of proscribed DNS names is circulated to internet Service Providers, and this list is used to configure their user-facing DNS resolvers, so that queries directed to these resolvers for the filtered names result in a false response.
These too are easily circumvented. Users can go to alternative name resolvers, such as those operated by Google (Google’s Public DNS), OpenDNS or Level 3. By replacing the reference to the ISP’s resolver with a reference to one of more of these open resolvers in their devices, the user effectively restores a complete view of the Internet’s name space and bypasses the locally imposed name filter.
The use of more distant resolvers also has negative effects on service times, and the security of data usage, since foreign data may completely escape local rules on data protection. It also results in users becoming more apt to use services that hide their presence from local (national or provincial) jurisdictional policies. From a governmental perspective, the Internet gets darker and more out of control as users flee the rules of local jurisdictions. The Internet makes national boundaries permeable, and the more pressure which is exerted inside a jurisdiction, the more users squeeze out into untraceability.
- The technique of route redirection can be coupled with traffic interception in order to address some of the shortfalls of IP address filtering. This approach uses some form of routing level interception to direct the traffic to a traffic interceptor which can determine if the URL is part of some blocked list, in which case the connection can be terminated by the agent, or whether the proxy can forward the fetch request to the intended destination as a conventional proxy.
This method of interception has been generally more successful than name filtering alone, but can be evaded by far more sophisticated technology that encrypts the user traffic and wraps it so as to obscure the user from their local network.
Your app is increasingly paranoid
Readers of this blog will be aware that some applications are able to tunnel down to obtain IP addresses completely outside the knowledge or detection by other devices on which the app runs or carriers which carry the traffic (see “Your app is increasingly paranoid”.) One such service recently launched is a mobile application called Google Fi. It wraps the entirety of a conversation in an encrypted tunnel. If an app controls a handover, then the session keeps running as you change IP address, which normally occurs when you go from one cell tower to another. The effect of this is that carriers are prevented from charging an outrageous rate for mobile data for what can be supplied at the cost of fixed data; the carrier has lost control of the session. Another example is Facebook, which contains its own protocol suite, which means it has its own DNS resolution, and thus can avoid the Apple device on which Facebook may run. The app is cloaked, and the device maker never knows what the app is doing.
The connection between ‘paranoid’ applications and government attempts to build an architecture of censorship is this: the arms race between apps makers and device makers, and apps makers and carriers, is continuous. Each is seeking information and revenue from the end user, and each seeks to prevent the taking by any other of information – which can be readily monetized – or money directly.
Back to Quebec
The government of Quebec is also seeking money from the end user by channeling usage into a government gambling website, and preventing access to all rivals. It is not unfair to say they have no idea of what they are getting into. It is also fair to state that many jurisdictions would seek to follow Quebec’s example if it were apparently successful.
Therefore it is incumbent upon those forces that want to keep the Internet working right to raise the alarm about Quebec’s intentions. Besides Quebec consumers and ISPs, who stands to lose?
- The trade and commerce carried on over the Internet is threatened by numerous jurisdictions seeking to distort the traffic in the name of local monopolies;
- The federal government is threatened when provinces trench on its jurisdiction over carriers;
- Police forces are threatened when the Internet goes dark on them, as it will when citizens use VPNs (virtual private networks) to evade restrictive policies.
- Banking and other normally secure communications would be threatened if the measures required to enforce the ban caused ISPs to have to inspect packets otherwise protected by standard security protocols.
A useful way to understand the technology of the Internet is that every intervention of the type proposed by Quebec drives users to evasive measures. The Internet is porous. It was built to be global and not local. Canadians are already becoming familiar with VPNs as they seek to get around intellectual property protections governing Netflix content; they will not hesitate to evade restrictions of the type sought by Quebec by the same and other methods.
Governments are not immune to futile gestures. Before the Government of Quebec attempts to direct some $27 million of revenue towards itself, which it will almost certainly not capture, it had better examine whether it would not also inflict tens or hundreds of millions of dollars of economic damage to commerce in Quebec in the attempt.