Andrew Hilts and I have released a new paper that is titled “Half-Baked: The Opportunity To Secure Cookie-Based Identifiers From Passive Surveillance.” Cookie-based identifiers are used by websites to deliver advertisements as well as collect analytics information about website visitors. Incidentally, intelligence agencies such as the NSA, GCHQ, CSE, and other Western signals intelligence bodies use the same identifiers to track the activities of individuals and their devices as they access, and use, the Internet. The paper respond to a series of basic questions: To what extent do major online properties encrypt the advertising, cookie, and other digital identifiers used by the NSA and other intelligence agencies to track users and their devices around the globe? Since the Snowden revelations began have providers actually encrypted more, or less, of these identifiers?
Documents released by Edward Snowden have revealed that the National Security Agency, and its Australian, British, Canadian, and New Zealand equivalents, routinely monitor the Internet for the identifiers that are contained in advertising and tracking cookies. Once collected, the identifiers are stored in government databases and used to develop patterns of life, or the chains of activities that individuals engage in when they use Internet-capable devices. This paper investigates the extent to which contemporary advertising and analytics identifiers that are used in establishing such patterns continue to be transmitted in plaintext following Snowden’s revelations. We look at variations in the secure transmission of cookie-based identifiers across different website categories, and identify practical steps for both website operators and ad tracking companies to take to better secure their audiences and readers from passive surveillance.
American and British officials have been warning with an increasing sense of purported urgency that their inability to decrypt communications could have serious consequences. American authorities have claimed that if they cannot demand decrypted communications from telecommunications providers then serious crimes may go unsolved. In the UK this danger is often accentuated by the threat of terrorism. In both nations, security and policing services warn that increased use of encryption is causing communications to ‘go dark’ and thus be inaccessible to policing and security services. These dire warnings of the threats potentially posed by criminals and terrorists ‘going dark’ have been matched over the years with proposals that would regulate encryption or mandatebackdoors into any otherwise secure system. Comparatively little has been said about Canada’s long-standing efforts to inhibit end-user encryption despite the federal government’s longstanding efforts to restrict the security provided to Canadians by encryption.
This article outlines some of the federal government of Canada’s successful and unsuccessful attempts to weaken cryptographic standards. It starts by explaining (in brief) what communications encryption is, why it matters, and the implications of enabling unauthorized parties to decrypt communications. With this primer out of the way, we discuss why all of Canada’s mobile telecommunications carriers agree to implement cryptographic weaknesses in their service offerings. Next, we discuss the legislation that can be used to compel telecommunications service providers to disclose decryption keys to government authorities. We then briefly note how Canada’s premier cryptologic agency, the Communications Security Establishment (CSE), successfully compromised global encryption standards. We conclude the post by arguing that though Canadian officials have not been as publicly vocal about a perceived need to undermine cryptographic standards the government of Canada nevertheless has a history of successfully weakening encryption available to and used by Canadians.
Academics, private companies, journalists, non-government organizations, and government agencies have all made significant contributions to the telecommunications transparency debate in Canada since the beginning of this year. This post briefly describes the most significant contributions along with links to the relevant publications.
A trio of telecommunications companies also released transparency reports in the first half of 2015. WIND Mobile’s Mobile Transparency (2014) revealed a significant decrease in requests for customer name and address information, and a modest increase of emergency response requests combined with an explosion of court ordered/legislative demands requests. TELUS and Rogers also released transparency reports; overall TELUS’ report shows a small decrease in government requests whereas Rogers’ report shows a significant decrease of roughly 60,000 fewer requests. The relative merits of companies’ transparency reports were discussed in the Telecom Transparency Project’s report, mentioned previously. Industry Canada also released transparency reporting guidelines to “help private organizations be open with their customers, regarding the management and sharing of their personal information with government, while respecting the work of law enforcement, national security agencies, and regulatory authorities.” Some thoughts on those guidelines were published by Michael Geist as well as by the Telecom Transparency Project.
Government Investigations into Domestic Data Collection
During this time the Office of the Privacy Commissioner of Canada also audited how the Royal Canadian Mounted Police (RCMP) collected and used subscriber data. This data was obtained from Canadian telecommunications companies. The Office found that, “the RCMP’s information management systems were not designed to identify files which contained warrantless access requests to subscriber information, we were unable to select a representative sample of files to review. Consequently, we were unable to assess the sufficiency of controls that may exist or if the collection of warrantless requests from TSPs was, or was not in compliance with the collection requirements of the Privacy Act.” The challenges experienced by the Office of the Privacy Commissioner of Canada were perhaps unsurprising, given that the RCMP stated in 2014 that they did not have a way of tracking subscriber data requests in response to questions from MP Charmaine Borg.
Signals Intelligence-Related Publications
There have also been a series of contributions that have focused prominently on Canada’s foreign signals intelligence organization, the Communications Security Establishment. Michael Geist’s edited collection, Law, Privacy and Surveillance in the Post-Snowden Era, contains nine contributions grouped into three parts: understanding surveillance in Canada, legal issues, and prospects for reform. In addition to Geist’s collection, two Canadian archives have been created to host Snowden documents. The first, “The Snowden Archives,” is hosted by the Canadian Journalists for Free Expression. The Snowden Archives contain approximately 400 documents and were compiled “to provide a tool that would facilitate citizen and researcher access to these important documents.” The second is the “Canadian SIGINT Summaries” which collate leaked documents that are exclusively linked to CSE’s operations. The SIGINT Summaries identify when the documents were created, provide a summary of the documents themselves, and also include metadata such as length, codenames, and news stories linked with the documents’ publication. Finally, the Canadian Broadcasting Corporation and the Globe and Mail have both published stories based on Snowden documents.
Overall, there has been an exceptional amount written on telecom transparency issues in Canada. Several transparency reports are expected later this year from Sasktel, MTS Allstream, and TekSavvy. And the Canadian Internet Registration Authority, though its Community Investment Program, is funding projects which will help Canadians request their personal information from public and private organizations alike as well as to help companies develop transparency reports. The coming months promise to continue being busy for transparency in Canada!
Photo Credit: stack by hobvias sudoneighm (CC BY 2.0) https://flic.kr/p/Fecq6
The Canadian SIGINT Summaries includes downloadable copies, along with summary, publication, and original source information, of leaked CSE documents.
Parsons, Christopher; and Molnar, Adam. (2021). “Horizontal Accountability and Signals Intelligence: Lesson Drawing from Annual Electronic Surveillance Reports,” David Murakami Wood and David Lyon (Eds.), Big Data Surveillance and Security Intelligence: The Canadian Case.
Parsons, Christopher. (2015). “Stuck on the Agenda: Drawing lessons from the stagnation of ‘lawful access’ legislation in Canada,” Michael Geist (ed.), Law, Privacy and Surveillance in Canada in the Post-Snowden Era (Ottawa University Press).
Parsons, Christopher. (2015). “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians,” Telecom Transparency Project.
Parsons, Christopher. (2015). “Beyond the ATIP: New methods for interrogating state surveillance,” in Jamie Brownlee and Kevin Walby (Eds.), Access to Information and Social Justice (Arbeiter Ring Publishing).
Bennett, Colin; Parsons, Christopher; Molnar, Adam. (2014). “Forgetting and the right to be forgotten” in Serge Gutwirth et al. (Eds.), Reloading Data Protection: Multidisciplinary Insights and Contemporary Challenges.
Bennett, Colin, and Parsons, Christopher. (2013). “Privacy and Surveillance: The Multi-Disciplinary Literature on the Capture, Use, and Disclosure of Personal information in Cyberspace” in W. Dutton (Ed.), Oxford Handbook of Internet Studies.
McPhail, Brenda; Parsons, Christopher; Ferenbok, Joseph; Smith, Karen; and Clement, Andrew. (2013). “Identifying Canadians at the Border: ePassports and the 9/11 legacy,” in Canadian Journal of Law and Society 27(3).
Parsons, Christopher; Savirimuthu, Joseph; Wipond, Rob; McArthur, Kevin. (2012). “ANPR: Code and Rhetorics of Compliance,” in European Journal of Law and Technology 3(3).