Menu Bar

  • Home
  • Blog
  • About
  • Language
  • Privacy Policy


May 15, 2018

The New Normal for the Iranian People: Population-scale Response to State-Level Communication Disruption

By: Ariel Leuthard and Jacob Klein

Introduction

In December 2017-January 2018, protests erupted throughout Iran, calling for change in the country. Unlike the protests of 2009, known as the Green Revolution, this civil unrest involved many Iranians that previously were unaffiliated with any political opposition movement. In response, the Iranian government enacted blocks on Telegram and Instagram in the country. To gain access to these applications and circumvent censorship, Iranian users flooded to tools like Psiphon. In order to shed light on these protests and the resulting surge in users, Psiphon has collected and analyzed network data from before, during and after the protests. This data has been combined with an understanding of the political, social and economic situation in Iran for a deeper look at how Internet connectivity and freedom impacts Iranian society as a whole. Ultimately, this blocking event has proven the importance of the Internet and access in Iran and highlighted the growing technical abilities and scope of the Iranian censorship regime.


Key Observations

On December 28, 2017, protests broke out in the northeastern city of Mashhad; smaller protests also occured in the nearby cities of Neyshabour and Kashmar. Initially calling for solutions to economic grievances, protests eventually covered social issues such as corruption, the presidency of Hassan Rouhani and Iran’s involvement in foreign conflicts. Some protestors even directly criticized Supreme Leader Ali Khamenei. Over the following days, the movement spread across Iran, with protests in nearly every single province. Protests occurred in many smaller cities and included many Iranians not officially or previously affiliated with any organized opposition group. Additionally, protests occurred daily in the capital of Tehran until January 9, 2018.

In response to the nationwide demonstrations, the Iranian government and the Islamic Revolutionary Guard Corps (IRGC) responded with force, both physically and virtually. However, due to the fact that this was a largely rural movement, it is possible that IRGC forces found it harder to physically limit the protests and the Iranian government turned to Internet and application blockages to quell the movement. Still, a number of protesters were arrested and, in some cities, tear gas, water cannons and other tactics were used to break up demonstrations.12 Three days into the protests, on December 31, the Iranian government blocked access to both Telegram and Instagram, the country’s most popular messaging and social media platforms, respectively. Thanks to Psiphon and other censorship circumvention technologies, Iranians were able to connect and maintain information sharing across these sites.


Reasons behind the protests

Despite some of the optimism stemming from easing of economic sanctions, Iranians were overburdened by economic hardship in 2017. Though Iran’s oil and gas industry has grown considerably in the last year, with production rising 62%, economic relief has not as quickly expanded to other sectors of the economy, which has only seen a growth of about 3.3%.3 Unemployment rose from 12.4% to 12.6% from January to July 2017 and continues to hover around 12%.4

In a survey of Iranian activists conducted by the link-sharing platform Balatarin, individuals indicated that economic issues and corruption were the leading causes behind the protests. In addition, rising inflation and the cost of living proved to be the most significant priority for Iranian families, followed by citizens’ rights. These concerns were reflected in the calls of protesters: "If embezzlement decreases, then our problems will be solved!”, "Come out fellow countrymen, scream and shout for your rights!", and “The youth are unemployed [while] the mullahs sit behind a desk!”5


In early December, President Rouhani released his version of the budget, promising alleviation of economic pressures, including rising employment and inflation. This relatively conservative budget went to the Majlis for approval on December 14. During the month of December, a substantial increase in social media usage by Iranians was seen on the Psiphon network leading up to the protests. On December 19, usage tripled, from an average of 2 terabytes (TB) to 6TB. On December 30, usage tripled again, hitting 18TB. It is possible that this build up was indicative of the unrest to come, as more Iranians moved to social media to express their grievances, before ultimately taking to the streets.



The censorship regime in Iran

Censorship of online content inside Iran is institutionalized at the highest levels of government. In March 2012, Iran’s Supreme Leader, Ayatollah Ali Khamenei, authorized the creation of the Supreme Council of Cyberspace (SCC), which is comprised of 17 members from various government institutions plus an additional 10 members appointed by Khamenei himself. It has become the central agency for implementing and upholding policies pertaining to the censorship of online content inside Iran.7 At its inception, Khamenei asked then-President Ahmadinejad to chair the Council8, though 2015 reforms resulted in the transfer of authority to the Supreme Leader9 and the consolidation of decision-making authorities of the pre-existing High Council of Informatics, Supreme Council of Information, and Supreme National Security Council of Information Exchange (AFTA) under the sole jurisdiction of the SCC.10

All Iranian internet service providers (ISPs) function under the jurisdiction of the Communication Regulatory Authority of Iran (CRA), which is responsible for telecommunications licensing and enforces censorship policies outlined by the the Committee for Determining Offensive Contents under the powers of the executive. It oversees the implementation the technical censorship policies that support the initiatives of the SCC. Such actions include:

  • The limitation of private home user bandwidth to 128 kilobytes per second (kb/s).
  • The redirection of Domain Name Service (DNS) queries, causing certain DNS requests to respond with fake local IP addresses that act as black holes to drop traffic intended for blocked domains.
  • The inspection of internet packet headers and URLs for keywords that may lead to sites with content that may feasibly be deemed immoral or could cause political or economic turmoil, and the manipulation of such traffic.
  • Especially during periods of political and economic unrest, ISPs will limit speed (aka throttle), either to specific sites or internet communication protocols, or all traffic.11
  • The government counterfeiting of web certificates to popular sites in order to conduct man-in-the-middle attacks.12
Traditional censorship practices have already been installed throughout the Iranian network. Website owners are required to register with the Ministry of Culture and Islamic Guidance or risk being blocked.  Website owners and private citizens that post potentially inflammatory content receive official removal requests. The Iranian Revolutionary Guard Corps routinely arrests Telegram channel administrators to coerce them into removing content or delete channels entirely. News sites are sent warnings about how they should report on controversial topics, such as the Nuclear Deal. All of these practices lead to significant self-censorship in order to avoid arrest.13 And censorship capabilities have become more pervasive in recent year, as the CRA has implemented policies to diversify and expand telecommunications networks throughout Iran.

Censors’ response to the protests


On December 30, Iran’s Minister of Information and Communications Technology Mohammad-Javad Azari Jahromi tweeted a request for the removal of @amadnews, a Telegram channel, to Telegram founder Pavel Durov. Telegram complied, removing the channel for its use of violent language. It is important to note that Twitter is a blocked platform in Iran, though Jahromi has requested that Twitter be made available to all Iranians. It is not uncommon for Iranian officials to use this banned social media platform, however it is particularly interesting that, in this case, it was used to publicly communicate removal requests for content on a popular application that has been heavily monitored, though still permitted, by the government. Telegram refused to comply with further content removal requests, explaining that the channels were, in fact, merely using the platform for peaceful protest. Because of this, the Iranian government directed Iranian ISPs to block traffic to the Telegram app and web interface on December 31.14 On the same day, Instagram, a popular picture and video sharing application, was also blocked. The block on Instagram lasted until January 6, while the Telegram block lasted until January 13.

During this time, Iranians continued to protests and access these platforms and others through circumvention software. This is evidenced by both continued, and even increased, engagement on both platforms. Though a brief drop in usage occurred initially, data shows that the number of posts and views on Telegram in Iran quickly returned to the about the same levels as before the blocking event. On Instagram, users flocked to Persian language news and media accounts. BBC Persian continued to call for videos and photos of the protests through its Instagram account and Telegram channel, despite both platforms being blocked by the government. In fact, BBC Persian’s Instagram following grew by about 200,000 in less than two weeks; one week of which Instagram was blocked in Iran. It had previously taken the account about nine months to gain that same amount of followers. A similar phenomenon occurred on the Instagram accounts of Radio Farda and Voice of America-Persian News Network (VOA-PNN).



Iranian user behavior and analytics

Psiphon has worked to offer users multiple ways of using our software, whether for mobile or desktop use. There are three major platforms through which one can download Psiphon: Google Play store, the Apple App Store, and through email auto-responders. On January 1, downloads peaked with:
  • 766,235 via Google Play
  • 458,768 via the App Store
  • 82,280 via auto-responders
Psiphon has dedicated email auto-responders for specific clients. On December 31, BBC Persian took to Instagram and posted a warning to all Persian speaking followers, instructing them on how to download Psiphon via their email auto-responder. On that day, BBC Persian, normally responsible for about 60 Psiphon downloads per day, was responsible for 60,695 Psiphon downloads. This is just one example of the many important relationships that are required to ensure internet access to people all over the world.

Google Play showed Psiphon as the most downloaded app in Iran during the protest, with competing tools rising and falling in the rankings as they proved ineffective for users. Applications for other circumvention tools, like VPNs and Lantern, a peer-to-peer software used for censorship bypass, rose and fell on the charts as users found that connections made through these apps were unreliable or slow, as expressed on Twitter. Psiphon remained the number one app in Iran on Google Play for over two weeks. Not only did Psiphon see a consistent increase in users, but this increase was at a much larger scale than other tools. Tor analytics showed a similar trend of increased use, with a spike during the protests. However, this increase peaked at just under 12,500 daily connections, while Psiphon’s network supported 287,925,106 connections on January 2 alone.15

Not only were new users downloading the app, but network analytics show that they were actively using it. Over the course of the protests, Psiphon added 22.2 million new users to the network. Data transfer during the protest period hit 61 megabytes (MB) per user per day at its lowest point. Emergency network scaling allowed for the Psiphon network to transfer and average of 124MB per user per day. As a point of reference, if an American paying $35 per month for a 2 gigabyte (GB) monthly plan through Verizon were to spread their data usage out equally throughout the month, they would be able to use a maximum of 66MB per day. Additionally, the global average mobile data plan is 4GB monthly, translating to 133 MB per day. During the entire protest period, our network transferred 19.54 petabytes (PB), equivalent to the amount of data processed by Google all over the world each day. Psiphon saw a peak data transfer on January 9 of of 1.445PB, which is equal to the same data as all of the 10 billion photos on Facebook.



All in all, a massive amount of data was transferred over the Psiphon network in response to the protests and blocking. The success and scalability of the Psiphon network during peak blocking periods can be credited to its heterogeneous infrastructure, varied partnerships, and significant focus on innovative research and development. By incorporating circumvention protocols such as Refraction Networking and MEEK, Psiphon’s network had become more redundant, resilient, and has increased its surge capacity.



Psiphon’s “new normal” in Iran


Psiphon has now adapted to a “new normal” in Iran. Part of this new normal is the significant increase in the amount of data being transferred over Psiphon’s network to social media platforms alone. This can be seen in the graph on the left, which shows that, on average, over 16TB of social media traffic is being transferred over the Psiphon network. This includes major platforms such as Facebook, Twitter, and Instagram.

The prevalence of the Iranian video sharing service Aparat on this graph, especially over Youtube, may be indicative of future threats to internet freedom in Iran. In order to post on Aparat, users need to connect their real identities with a registered account. This is part of the Iranian government’s larger initiative to produce a “halal net,” formally called the National Information Network (NIN).

This new normal also includes potential disruptions, both technical and political, that Iranian users face. In the first few days of February, Iranians took to the streets again in a number of strikes and protests against months of unpaid wages by their employers. These strikes spanned various industries, including bus drivers and railway workers. This activity was reflected on Psiphon’s network with a surge of users on February 5, from 3 million average daily unique users to 4 million. In times of political unrest, Psiphon has become the go-to censorship evasion tool for many Iranians.

This is also true for disruptions of a technical nature. On February 20, users in the Middle East and Europe became unable to access Telegram. On that day, the Psiphon network saw a significant surge in traffic from Iran, with over 3 million connections made. Suspecting a censorship event, Iranians users flooded to Psiphon to test the connection to Telegram. Through Psiphon, they were able to determine that there was a technical error in Telegram’s service, rather than a blocking event by the Iranian government. These incidents show that Psiphon is a trusted tool when internet accessibility is not guaranteed.

The continued Telegram battle

Telegram has continued to be a target for the Iranian regime and the government has moved to permanently block Telegram. On April 30, after the app’s use by government officials was prohibited, the Iranian judiciary issued a court order for all Iranian ISPs to begin blocking Telegram, effective immediately.16 Iranians have been encouraged to use domestic communication applications, which are generally avoided as they are widely-known to be subject to tight government control and surveillance. On May 7, six lawyers filed a petition to the Court for Government Employees in Iran to end the ban on Telegram in an unprecedented use of legal action against the Iranian government.

On April 26, Psiphon was contacted by the developers of TelegramDR with a request for assistance integrating and supplying network traffic for the Telegram Digital Resistance app. In anticipation of the long-threatened blocking of Telegram, Psiphon developers and outreach team members worked to successfully meet the April 30 deadline and offer Iranian citizens an effective tool for secure communication. On May 1, in direct response to the blocking event, TelegramDR was released on Google Play. Since the release, over 700,000 Iranians depend on TelegramDR, pushing over 5TB of traffic per day, indicating that the intensification of internet service blocking will surely be met with innovative circumvention techniques.

Conclusion

Since the Green Revolution of 2009, web and mobile online penetration of Iranian citizens has climbed dramatically. In fact, it has more than doubled. As of 2016, internet users make up over half of the Iranian population; in 2009, this was just under 14%.17 Access to the internet has become more widespread and quality has greatly improved. With this comes a greater reliance on internet-based platforms by Iranians, for everything from financial services to business operations. In addition, the influence of social media in the country has rapidly grown. Many businesses and news organizations rely on social media to connect with their customers. In addition, social media is slowly becoming the preferred method of communication among Iranians. This has been seen on the Psiphon network with more bytes transferred to social media sites than ever before. As stated previously, from the period before the protests and the blocking event to the end of the protests, Psiphon gained 22.2 million new users. This has led to an increase of one million average daily users; prior to the blocking Psiphon on average supported two million users per day in Iran and now supports about three million users per day.


Psiphon continues to operate at this new normal and must be prepared to increase capacity further in the event of another blocking event. However, there are considerable operating costs associated for any circumvention tool. In order to provide reliable connections to users in Iran, circumvention tools, like Psiphon, need consistent support. In addition, without access to these tools, Iranians may be compelled to migrate to government-supported and controlled domestic social media platforms. In order to maintain support for internet freedom, existing program models and support may require re-engineering. This would ideally include broader support from major social media platforms as their content is being delivered by much smaller, less funded organizations. In addition, more investments in technologies that can deliver content, expand the range of services, provide augmented capacity and adaptation will be necessary. As the Iranian government devotes resources to the development of its NIN, the internet freedom community will need to continually improve and build its capabilities.

2 Associated Press, “At least 9 killed in Iran overnight as protesters, security forces clash,” retrieved from Politico, January 2, 2018.
“Iran’s Economic Outlook,” The World Bank, October 11, 2017.
“Iran’s Economic Outlook,” The World Bank, October 11, 2017. 
5 Saidi, Mike, “Iranian Anti-Regime Protests and Security Flaws: A Dataset,” Critical Threats Project, American Enterprise Institute, January 12, 2018.
“Country Profile: Iran,” Freedom on the Net 2017, Freedom House, 2017.
10  “Country Profile: Iran,” Freedom on the Net 2017, Freedom House, 2017.
11 This has been reported for connections to Google services such as Gmail as well as traffic via specific protocols including HTTPS, SSH and VPN tunnels.
12 Simurgh Aryan, Homa Aryan, and J. Alex Halderman, “Internet Censorship in Iran: A First Look,”, Presented as part of the 3rd USENIX Workshop on Free and Open Communications on the Internet,” 2013.
13 “Country Profile: Iran,” Freedom on the Net 2017, Freedom House, 2017.
14 Durov, Pavel, Telegram post, December 31, 2017.
15 “Directly connecting users from Iran,” Tor Project, accessed February 2018. 
17 World Bank, “World Development Indicators Dataset: Iran,” retrieved March 2018. 



Read more »

The State of Data Logging: An Evaluation of Threat Levels and Security Practices

By: Jacob Klein

Psiphon Inc. has for years been leading the charge to open the internet to those living under censoring regimes. Despite facing no content restrictions online, users from Western countries are turning to VPNs such as Psiphon, to protect their personal privacy online. Yet in March 2017, the Pew Research Center released a startling statistic that some 70% of American internet users are not sure what purpose a VPN serves.1

If the ever-increasing number of Psiphon accounts is any indication of the growing number of VPN users worldwide, a substantial influx of independent users are entering a market in which they have no metric for critically evaluating the products. This group now bears the burden of understanding risks in the unfamiliar domain of cybersecurity. As such, they are therefore highly susceptible to misinformation. One such term that puts users on high alert is the pervasiveness of the term data logging throughout VPN websites and forums, and a misrepresentation of individual risks and methods to efficiently protect oneself.

According to Techopedia, “data logging is the process of collecting and storing data over a period of time in order to analyze specific trends or record the data-based events/actions of a system, network or IT environment. It enables the tracking of all interactions through which data, files or applications are stored, accessed or modified on a storage device or application.”2  Many VPNs market a zero-logging policy as a seemingly unique product feature, thus insinuating that the internet traffic of average citizens is otherwise at constant risk of being logged and possibly exploited for commercial and legal purposes.

This has become a hot button issue following the April 2017 repeal of certain FCC protections that would have required American Internet Services Providers (ISPs) to obtain permission before sharing user data (had it ever taken effect as intended in December 2017). The thought of their government advocating for ISPs to make logs of our personal internet histories and then selling or disclosing them without consent is alarming to most internet users.

As a strong proponent of internet freedom, Psiphon strives daily to ensure that our users receive fair and open access to an uncensored internet without repercussions. The expanding legality of the unauthorized use of user data and browsing history creates a troubling narrative that demonstrates that profits often outweigh ethics. But Psiphon took a deeper dive into understanding the landscape of traffic and data logging practices.

A Brief Comparative Analysis of Data Logging Policies in the US, the EU, and Canada

In general, Western nations have defined protections and regulations through the scope of stored data security. These laws set provisions pertaining to the standards of security to which firms are held while collecting and storing user data. They also outline the issues of legality pertaining to information disclosure. However, all the laws referenced in this paper leave the decisions regarding the type of data and the situations in which it is collected, was well as the duration such data is retained, in the discretion of the collecting organization.  While in many cases these organizations must justify the logic behind their policies to a central governing body, such legislation creates a double-edged sword, as it tacitly supports data retention in many cases.

For example, there are no over-arching regulations in the US pertaining to data logging at present. ISPs are free to collect and store user data, provided that the user is made aware that they are subject to such practices in the terms of service or user licensing agreement. However, companies are governed by the Stored Communications Act, which interdicts the disclosure of user data, including electronic communications, “to any person other than the addressee or intended recipient.”3  While the American government burdens all firms with protection of user data, they do not expressly limit logging practices or reasonable duration of data storage.

The bigger question of ISP logging is not a new one, and it also is not a stand-alone issue. In fact, the question of data logging is rooted in the same legal questions recently resurged net neutrality debate in the US.

The European Union passed a piece of bloc-wide legislation titled the General Data Protection Regulation (GDPR) in April 2016 that builds upon the original Data Protection Directive of 2012 and outlines data security guidelines, user rights, and legal classifications of subjects. However, individual member states are obliged to determine the appropriate duration of data retention and are not subjected to a bloc-wide mandated timeframe.
Data retention regulations in the EU are designed to ensure the security of user data and its availability to law enforcement agencies, and much of the language used in the original Data Protection Directive suggests that data retention is necessary for the ease and timeliness of legal investigations. It goes as far as to codify Article 6, which allows for specific legal classifications such as suspected criminals, convicted criminals, and victims to be legally distinguished from other persons during logging and data retention processes.

Independent firms are responsible for determining the appropriate duration of retention for data collected, while additional periods of retention may be set for “archiving in the public interest scientific, statistical or historical use.”4  However, under the provisions of the GDPR, a private citizen has the “right to be forgotten” and may request that their personal data be removed from a server.

Finally, Canada’s federalist structure has created a multi-tiered jurisdictional organization regarding its data logging regulations. It has enacted the Personal Information Protection and Electronic Documents Act (PIPEDA), which outlines nationwide directives and regulations regarding the collection of information for commercial activity, and setting a national standard definition for personally identifiable information, which includes:
age, name, ID numbers, income, ethnic origin, and blood type;
opinions, evaluations, comments, social status, or disciplinary actions, etc.
employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).5

Similar to the EU Directive, provisions are included to allow for the disclosure of information to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) pertaining to individuals who are suspected of criminal acts such as financing terrorism. However, PIPEDA does not explicitly outline processes for securing information and limiting the legal duration of storage of information. While paragraph 4.5.3 states that “information that is no longer required to fulfill the identified purposes should be destroyed,” individual firms are at liberty to implement their own procedures.

Further down the chain, provinces that are capable of creating their own laws to ensure data protection may supersede the PIPEDA provisions.

So, are the alarmist VPNs right?

VPNs successfully alarm prospective customers for three fundamental flaws in current logging regimes:
1. Your personally identifiable data may not be adequately secure
2. ISPs and online companies may use your personal data for commercial gain
3. Databases of personal information being held by ISPs and online companies are at the disposal of law enforcement and government agencies

All three evaluated states have allowed for the legal collection and retention of personally identifiable user data. While ISPs and online companies are legally obliged to secure such information, at its core, this has created a weak trust-based system that lacks clear oversight in virtually every jurisdiction.  It is easy to say that those who are not using the internet for compromising or illegal activities need not worry, but at Psiphon we believe that all internet users have a reasonable expectation of privacy, regardless of online behaviors.

As such, it can be assumed that ISPs have the right to log user data. This may be troubling to individual internet users who fear the unauthorized use of private information such as medical records or banking information, or the malicious intrusion into such databases. Additionally, if an ISP received a National Security Letter or warrant requesting user records, they would be bound by law to provide such information to law enforcement.

With the current laws in place, online companies are not at liberty to sell personally identifiable data for commercial purposes or to disclose such information. However, they are well within their rights to retain and use this data for a variety of internal processes such as customer statistics. With the potentially imminent erosion of net neutrality in the United States, stores of personally identifiable data may be exploited or released without consent. Yet, a leading cause for concern among VPN users is the risk of such data being maliciously exfiltrated, despite the best intentions of the service provider.

Internet users will always bear the burden of educating themselves on the practices of the companies with whom they engage. A primary concern is that some end users may be unable to understand the meaning or consequences of terms of use and may base their usage on vague and often misleading social and technical standards of whether the VPN is trustworthy and reliable. Not to mention the market research that must be done to ensure that VPNs are truly abiding by the privacy policies they put forth to potential users, especially if the VPN service requires the creation of user accounts that are built around personally identifiable information.

What’s more, once an educated decision is reached, users in specific geographic locations and on specific sites may find that they feel comfortable using an unencrypted or standard https connection. But where there is still confusion or concern, a no-log VPN such as Psiphon may be used to protect personally identifiable data from being collected online.

Can a VPN protect me from data logging?

Many internet users turn to VPNs to anonymize themselves online and avoid data logging practices of commercial services online. However, it must be stated that no VPN can offer complete anonymity online. But those that are committed to a freely accessible internet, such as Psiphon, incorporate strong security measures into their services that protect the privacy of their users. By using a VPN proxy, internet traffic cannot be attributed to specific users, but users are still connected to and participating in the use of internet services.

In an effort to gain user trust and increase individual privacy, commercially available VPNs often highlight no-logging policies. They claim to discard all records of use, thus making it impossible. However, many VPN service agreements do not provide detailed explanations of such policies. In order to create an account or open an encrypted session, a VPN might require some detailed user information. Once again, the burden falls on the individual user to carefully read through the terms of service and make a determination whether to trust the VPN.

The structure of the internet requires that certain information must be exchanged in order for online communication to occur. No data can be sent or received without a functioning IP address, which includes the legitimate IP address of the VPN user. However, because none of the legislation assessed in this paper mandates that VPNs store user data for a specified amount of time, the core values of Psiphon and other VPN services might cause them to erase such information from their networks upon termination of an encrypted session.

What makes Psiphon different from traditional VPN services? Quite simply, we are borne from and exist predominantly for internet freedom. By design, the Psiphon platform does not store any personally identifiable information regarding end users’ browsing session. Because using Psiphon does not require an account, the software is virtually incapable of creating or storing information pertaining to any individual user. There is therefore no record of use, reassuring those who evade surveillance or fear the disclosure of personally identifiable information to unauthorized parties that using the Psiphon network cannot be attributed to a unique user or geolocation.

To ensure that our network remains efficient and scales with changing level of demand, we engage in internal data assessment, which includes traffic volume and user location information aggregated at the country level.6  This is the most detailed information retained by the service. But if, for example, a nefarious outside actor was to breach this statistical information, no personally identifiable information would be at risk.



3 S.Rep. No. 99-541, 97th Cong. 2nd Sess. 37, reprinted in 1986 U.S.C.C.A.N. 3555, 3591.
4 Ibid. Paragraph 26. 5 http://laws-lois.justice.gc.ca/eng/acts/P-8.6/FullText.html
6 However, city-level data will be automatically aggregate only after the usage within a country surpasses a threshold at which it would be statistically impossible for individual users to be identified via an evaluation of the number of active connections within the city. 

Read more »