Technology, Thoughts & Trinkets

Touring the digital through type

Month: August 2015

Half-Baked: The Opportunity To Secure Cookie-Based Identifiers From Passive Surveillance

rkBJB0J-300x225Andrew Hilts and I have released a new paper that is titled “Half-Baked: The Opportunity To Secure Cookie-Based Identifiers From Passive Surveillance.” Cookie-based identifiers are used by websites to deliver advertisements as well as collect analytics information about website visitors. Incidentally, intelligence agencies such as the NSA, GCHQ, CSE, and other Western signals intelligence bodies use the same identifiers to track the activities of individuals and their devices as they access, and use, the Internet. The paper respond to a series of basic questions: To what extent do major online properties encrypt the advertising, cookie, and other digital identifiers used by the NSA and other intelligence agencies to track users and their devices around the globe? Since the Snowden revelations began have providers actually encrypted more, or less, of these identifiers?

Full Abstract

Documents released by Edward Snowden have revealed that the National Security Agency, and its Australian, British, Canadian, and New Zealand equivalents, routinely monitor the Internet for the identifiers that are contained in advertising and tracking cookies. Once collected, the identifiers are stored in government databases and used to develop patterns of life, or the chains of activities that individuals engage in when they use Internet-capable devices. This paper investigates the extent to which contemporary advertising and analytics identifiers that are used in establishing such patterns continue to be transmitted in plaintext following Snowden’s revelations. We look at variations in the secure transmission of cookie-based identifiers across different website categories, and identify practical steps for both website operators and ad tracking companies to take to better secure their audiences and readers from passive surveillance.

Download the Paper

This post first appeared on the Telecom Transparency Project website.

Canada’s Quiet History Of Weakening Communications Encryption

500995147_6c97aab488_o-300x225American and British officials have been warning with an increasing sense of purported urgency that their inability to decrypt communications could have serious consequences. American authorities have claimed that if they cannot demand decrypted communications from telecommunications providers then serious crimes may go unsolved. In the UK this danger is often accentuated by the threat of terrorism. In both nations, security and policing services warn that increased use of encryption is causing communications to ‘go dark’ and thus be inaccessible to policing and security services. These dire warnings of the threats potentially posed by criminals and terrorists ‘going dark’ have been matched over the years with proposals that would regulate encryption or mandate backdoors into any otherwise secure system. Comparatively little has been said about Canada’s long-standing efforts to inhibit end-user encryption despite the federal government’s longstanding efforts to restrict the security provided to Canadians by encryption.

This article outlines some of the federal government of Canada’s successful and unsuccessful attempts to weaken cryptographic standards. It starts by explaining (in brief) what communications encryption is, why it matters, and the implications of enabling unauthorized parties to decrypt communications. With this primer out of the way, we discuss why all of Canada’s mobile telecommunications carriers agree to implement cryptographic weaknesses in their service offerings. Next, we discuss the legislation that can be used to compel telecommunications service providers to disclose decryption keys to government authorities. We then briefly note how Canada’s premier cryptologic agency, the Communications Security Establishment (CSE), successfully compromised global encryption standards. We conclude the post by arguing that though Canadian officials have not been as publicly vocal about a perceived need to undermine cryptographic standards the government of Canada nevertheless has a history of successfully weakening encryption available to and used by Canadians.

Continue reading

Canadian Transparency Publications

stack by hobvias sudoneighm (CC BY 2.0) https://flic.kr/p/Fecq6

Academics, private companies, journalists, non-government organizations, and government agencies have all made significant contributions to the telecommunications transparency debate in Canada since the beginning of this year. This post briefly describes the most significant contributions along with links to the relevant publications.

Academic Transparency Publications

Several academic groups published reports addressing telecommunications privacy and transparency issues. The Telecom Transparency Project published “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians,” which explored how much telecommunications surveillance occurs in Canada, what actors enable the surveillance, to what degree those actors disclose their involvement in (and the magnitude of) surveillance, and what degree of oversight is given to the federal governments’ surveillance practices. Two other reports, “Keeping Internet Users in the Know or in the Dark: 2014 Report on Data Privacy Transparency of Canadian Internet Service Providers” and “The 3+3 Project: Evaluating Canada’s Wireless Carriers’ Data Privacy Transparency,” analyzed the privacy practices of major Canadian telecommunications providers. The former report evaluated the data privacy transparency of the most significant forty-three Internet carriers serving the Canadian public and ranked the carriers against ten questions. In contrast, the latter report used 10 criteria to evaluate Canada’s three largest wireless carriers and their extension brands to establish how transparent they were about their privacy practices and how they treated subscribers’ personal information.

Corporate Reports and Guidance

A trio of telecommunications companies also released transparency reports in the first half of 2015. WIND Mobile’s Mobile Transparency (2014) revealed a significant decrease in requests for customer name and address information, and a modest increase of emergency response requests combined with an explosion of court ordered/legislative demands requests. TELUS and Rogers also released transparency reports; overall TELUS’ report shows a small decrease in government requests whereas Rogers’ report shows a significant decrease of roughly 60,000 fewer requests. The relative merits of companies’ transparency reports were discussed in the Telecom Transparency Project’s report, mentioned previously. Industry Canada also released transparency reporting guidelines to “help private organizations be open with their customers, regarding the management and sharing of their personal information with government, while respecting the work of law enforcement, national security agencies, and regulatory authorities.” Some thoughts on those guidelines were published by Michael Geist as well as by the Telecom Transparency Project.

Government Investigations into Domestic Data Collection

During this time the Office of the Privacy Commissioner of Canada also audited how the Royal Canadian Mounted Police (RCMP) collected and used subscriber data. This data was obtained from Canadian telecommunications companies. The Office found that, “the RCMP’s information management systems were not designed to identify files which contained warrantless access requests to subscriber information, we were unable to select a representative sample of files to review. Consequently, we were unable to assess the sufficiency of controls that may exist or if the collection of warrantless requests from TSPs was, or was not in compliance with the collection requirements of the Privacy Act.” The challenges experienced by the Office of the Privacy Commissioner of Canada were perhaps unsurprising, given that the RCMP stated in 2014 that they did not have a way of tracking subscriber data requests in response to questions from MP Charmaine Borg.

Signals Intelligence-Related Publications

There have also been a series of contributions that have focused prominently on Canada’s foreign signals intelligence organization, the Communications Security Establishment. Michael Geist’s edited collection, Law, Privacy and Surveillance in the Post-Snowden Era, contains nine contributions grouped into three parts: understanding surveillance in Canada, legal issues, and prospects for reform. In addition to Geist’s collection, two Canadian archives have been created to host Snowden documents. The first, “The Snowden Archives,” is hosted by the Canadian Journalists for Free Expression. The Snowden Archives contain approximately 400 documents and were compiled “to provide a tool that would facilitate citizen and researcher access to these important documents.” The second is the “Canadian SIGINT Summaries” which collate leaked documents that are exclusively linked to CSE’s operations. The SIGINT Summaries identify when the documents were created, provide a summary of the documents themselves, and also include metadata such as length, codenames, and news stories linked with the documents’ publication. Finally, the Canadian Broadcasting Corporation and the Globe and Mail have both published stories based on Snowden documents.

Summary

Overall, there has been an exceptional amount written on telecom transparency issues in Canada. Several transparency reports are expected later this year from Sasktel, MTS Allstream, and TekSavvy. And the Canadian Internet Registration Authority, though its Community Investment Program, is funding projects which will help Canadians request their personal information from public and private organizations alike as well as to help companies develop transparency reports. The coming months promise to continue being busy for transparency in Canada!

Photo Credit: stack by hobvias sudoneighm (CC BY 2.0) https://flic.kr/p/Fecq6

This post first appeared at the Telecom Transparency Project website.