Technology, Thoughts & Trinkets

Touring the digital through type

Category: Technology (page 1 of 77)

This is a general catch-all category for all topics that relate to technology.

New Report Shines Light On Limitations of Canadians’ Data Access Rights

The Citizen Lab has released a new report, “Approaching Access: A look at consumer personal data requests in Canada,” which was written by myself and my colleagues, Andrew Hilts and Masashi Crete-Nishihata. The report examines how different industries respond to Canadians’ requests to access their personal information. Such requests empower individuals to better understand what data is collected about them, the ways in which is it used, and to whom it is subsequently disclosed. While privacy policies or terms of service can be vague, the intent behind such laws is that they will let individuals understand specifically how their personal information is used.

Without knowing who is collecting personal data, for what purpose, or for how long, or the grounds under which they share it, a consumer cannot exercise their rights nor evaluate whether an organization is appropriately handling their data. Canada’s commercial privacy legislation, the Protection of Personal Information and Electronic Documents Act (PIPEDA), empowers Canadians to issue legally-binding Data Access Requests (DARs) to private companies to answer exactly these kinds of questions. This report is the result of a three year study of DARs in Canada that shows what happens when telecommunications companies, fitness trackers, and online dating services are asked by consumers to provide transparency into their data privacy practices and policies.

Between 2014-2016 we recruited participants to systematically issue DARs to telecommunications companies, fitness trackers, and online dating services used by Canadians to evaluate a series of research questions:

  • What proportion of companies contacted would respond to DARs at all?
  • What proportion of companies that did respond to DARs would respond in a relatively complete manner to all questions asked?
  • What proportion of companies that did respond to DARs would provide individuals with copies of their personal information at no or minimal cost?
  • What commonalities or differences would be found in responses to individuals in each industry group studied, and across industries?
  • To what extent would individuals who received responses be satisfied with the information they received and what, if anything, might be done to improve organizations’ disclosures to enhance individuals’ satisfaction?

Inconsistent Responses across Companies and Industries

Participants received responses from companies but the information provided varied widely across companies and industries. Variations included:

  • the specificity with which requester questions are answered;
  • what types of data are returned;
  • whether or not data retention periods are published; and
  • clarity about data disclosures to third parties, including government authorities.

Barriers to Access

Participants also encountered barriers to accessing the private information that companies retained about them. These barriers included:

  • identity verification procedures;
  • secure data transfer requirements;
  • costs offloaded to requesters; and
  • push-back by some non-Canadian companies as to whether their services to Canadian consumers in Canada are, in fact, bound by Canadian privacy law.

Towards Improved Data Access in Canada

Our report concludes with recommendations for how businesses can improve their DAR processes and related data transparency efforts, and allow citizens to more effectively exercise stewardship over their personal data.

We make seven key recommendations:.

  1. Companies should prepare and produce data retention schedules that identify specific types of information they collect and the period of time for which they retain it.
  2. Companies should prepare and publish government access handbooks that identify the different kinds of personal information they hold, and establish the specific legal powers and processes to be undertaken before the company will disclose a subscriber’s personal information.
  3. Companies should prepare transparency reports that disclosure the regularity, and rationale for which, government agencies request access to subscriber-related information.
  4. Companies should collaborate within their respective industries to establish common definitions for personal data mini-collections to which common policies are applied, such as subscriber data, metadata, content of communications, etc.
  5. Companies should not assume they know which communications method their customers would prefer to use when discussing a DAR letter. They should first ask the customer what their preferred method is, and only then pose questions to clarify the requester’s inquiries.
  6. Companies should publish data inventories describing all the kinds of personal information that they collect, and freely provide copies of a small set of representative examples of records for each kind of personal information to subscribers upon request.
  7. Either individual organizations or industry groups should communicate with non-corporate stakeholders to help streamline the request process, or to help establish requesters’ expectations. This effort might involve developing Application Programming Interfaces (APIs) to expedite the issuance and response to DAR letters, or working to modify language used by web applications to more accurately reflect the data that might be handled by organizations in the course of commercial activity.

DARs provide a valuable method for understanding the kinds of information which are collected, retained, processed, and handled by private companies. This report provides a look at how companies respond to these access rights and which also draws lessons from both within specific industry groupings and across industries. Given the amounts of digital information that individuals confide to third parties on a daily basis it is imperative that they can gain access to such information upon request, especially when companies do not publish clear guidance as to their broader data collection, retention, handling, or disclosure practices.

Our report showcases how DARs can provide insight into corporate practices. But, at present processes surrounding DAR-handling and -processing are immature. Advancing DAR practices and policies requires either private-sector coordination to advance individuals’ access to their personal information, or regulatory coordination to clarify how private organizations ought to provide access to the information of which they are stewards.


Project Support

This research is led by the Citizen Lab at the Munk School of Global Affairs, University of Toronto. The project was funded via Open Effect by CIRA’s 2015-16 Community Investment Program. Additional funding was provided by the Office of the Privacy Commissioner of Canada through its Contributions Program.

Thank you to Adam Senft and Bram Abramson for review and copyediting. We are grateful to Ron Deibert for research guidance and supervision. This research would not have been possible without the Access My Info users who participated in this study.


Dr. Christopher Parsons received his Bachelor’s and Master’s degrees from the University of Guelph, and his Ph.D from the University of Victoria. He is currently a Research Associate at the Citizen Lab at the Munk School of Global Affairs as well as the Managing Director of the Telecom Transparency Project at the Citizen Lab.

Andrew Hilts is a Senior Researcher and Developer at the Citizen Lab at the Munk School of Global Affairs, University of Toronto. His research and software development focuses on empowering citizens to exercise their digital rights online.

Masashi Crete-Nishihata is Research Director at the Citizen Lab, Munk School of Global Affairs, University of Toronto. He researchers the socio-political impact of information controls

Citizen Lab and CIPPIC Release Analysis of the Communications Security Establishment Act

The Fifth Eye by Dustin Ginetz (CC BY-NC-SA 2.0)

It’s with real pleasure that I can announce that the Citizen Lab and the Canadian Internet Policy & Public Interest Clinic (CIPPIC) have collaborated to produce a report which provides timely legal analysis, political context, and historical background on the Communications Security Establishment Act and related provisions in Bill C-59 (An Act respecting national security matters), First Reading (December 18, 2017).  We hope that this resource will help members of parliament, journalists, researchers, lawyers, and civil society advocates engage more effectively on the issues at stake. Our report represents an analysis of the legislation as it enters political debate in Canada, and should be understood in the context of a rapidly evolving legal and political landscape.

The Communications Security Establishment (“the CSE” or “the Establishment”) is Canada’s national signals intelligence and cybersecurity agency. In the course of our analysis, we summarize the CSE’s mandate, activities, operations, and powers, with an emphasis on their potential implications for human rights and global security. We also offer a series of recommendations which, if adopted, would ensure a more legally sound framework for the CSE, better protect global security interests in a rapidly changing technological environment, and more effectively account for Canada’s domestic and international human rights obligations.

In Section I, we provide a brief overview of the CSE’s current mandate and certain controversial activities undertaken as part of that mandate. We also provide a high-level overview of Bill C-59 and its primary implications for the CSE.

In Section II, we undertake a detailed analysis of key issues arising from Bill C-59 related to the CSE, focusing on aspects with the most critical implications for human rights, political transparency, and global security. In particular, some of the issues we highlight in the legislation relate to:

  • Longstanding problems with the CSE’s foreign intelligence operations, which are predicated on ambiguous and secretive legal interpretations that legitimize bulk collection and mass surveillance activities. These activities both attract Charter protections and engage Canada’s human rights obligations.
  • The complete lack of meaningful oversight and control of the CSE’s activities under the proposed active and defensive cyber operations aspects of its mandate.
  • The absence of meaningful safeguards or restrictions on the CSE’s active and defensive cyber operations activities, which have the potential to seriously threaten secure communications tools, public safety, and global security.
  • The absence of meaningful safeguards or restrictions on the CSE’s activities more generally. As drafted, the CSE Act appears to include a loophole which would allow the Establishment to cause death or bodily harm, and to interfere with the “course of justice or democracy,” if acting under its foreign intelligence or cybersecurity powers while prohibiting these outcomes under its new cyber operation powers.
  • The risk that the CSE’s cybersecurity and assurance operations for the federal government could threaten independence of the courts or the separation of powers.
  • Concerns regarding the framework for the CSE’s acquisition of malware, spyware and hacking tools, which may legitimize a market predicated on undermining and subverting, rather than strengthening, the security of the global information infrastructure.
  • Serious issues related to the CSE’s provision of technical and operational assistance to other entities—including Canadian law enforcement—which may lead the CSE to proffer capabilities that would otherwise be illegal or unconstitutional for domestic partners to develop, use or possess, or which would be inherently disproportionate if deployed in those contexts (e.g., in policing operations).
  • Potential issues with the National Security Intelligence Review Agency’s ability to access foreign-provided information, and the risk of regulatory capture through its hiring policies.
  • Serious shortcomings—both legal and practical—in the role of the Intelligence Commissioner, which does not resolve the constitutional challenges surrounding the current CSE Commissioner or the constitutionality of the CSE’s activities more generally.
  • The Intelligence Commissioner’s inability to exercise meaningful and comprehensive oversight and control over the CSE’s activities (including its most problematic activities) due to an under-inclusive mandate, issues of independence, and insufficient powers of a quasi-judicial nature.
  • Weak and vague protections for the privacy of Canadians and persons in Canada, alongside an abject disregard for privacy rights as an international human rights norm.
  • Extraordinary exceptions to the CSE’s general rule against “directing” activities at Canadians and persons in Canada significantly expand the CSE’s ability to use its expansive powers domestically.
  • A general failure to recognize that the highly interconnected and interdependent nature of the global information infrastructure means that protections or limits on the CSE’s powers that begin and end at national boundaries are insufficient to protect Canada’s security interests.
  • Deep tensions at the core of the CSE mandate, which requires the Establishment to both protect and defend against security threats while simultaneously exploiting, maintaining, and creating new vulnerabilities in order to further its foreign intelligence agenda. These tensions are exacerbated by the introduction of new offensive powers and the two new aspects of its mandate.
  • A lack of legal clarity regarding how, when, and whether vulnerabilities discovered by the CSE are disclosed to vendors or the public, and how the CSE accounts for the public interest in the process.
  • The lack of oversight or reporting requirements for “arrangements” with equivalent agencies to the CSE in foreign jurisdictions. There is a risk that these partnerships could involve receipt of information derived from torture or other activities that would be unlawful or unconstitutional if conducted by a Canadian agency.

In Section III, we summarize recommendations emerging from our analysis for committee members and other members of Parliament studying the proposed CSE Act. In particular, we make recommendations to improve systems of review, oversight, and control of the CSE and to constrain the CSE’s ability to engage in activities that are problematic, abusive, unconstitutional, or in violation of international human rights norms.

Download a copy of “Analysis of the Communications Security Establishment Act and Related Provisions in Bill C-59 ( An Act respecting national security matters ), First Reading (December 18, 2017)

Update to the SIGINT Summaries

As part of my ongoing research into the Edward Snowden documents, I have found and added an additional two documents to the Canadian SIGINT Summaries. The Summaries include downloadable copies of leaked Communications Security Establishment (CSE) documents, along with summary, publication, and original source information. CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

Documents were often produced by CSE’s closest partners which, collectively, form the ‘Five Eyes’ intelligence network. This network includes the CSE, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), Australian Signals Directorate (ASD), and Government Communications Security Bureau (GCSB).

All of the documents are available for download from this website. Though I am hosting the documents they were all first published by another party. The new documents and their summaries are listed below. The full list of documents and their summary information is available on the Canadian SIGINT Summaries page.

These documents came to light as I examined the activities that took place between the NSA and New Zealand signals intelligence agencies. The first, “NSA Intelligence Relationship with New Zealand” notes that Canada is a member of the SIGINT Seniors Pacific group as well as SIGINT Seniors Europe. The second, “SIGINT Development Forum (SDF) Minutes”, notes how CSE and GCSB define shaping as “industry engagement and collection bending” as well as CSEC had considered audit analysts’ accounts similar to the NSA, though the prospect of such auditing had rearisen as a discussion point.

NSA Intelligence Relationship with New Zealand

Summary: This document summarizes the status of the NSA’s relationship with New Zealand Government Communications Security Bureau (GCSB). The GCSB has been forced to expend more of its resources on compliance auditing following recommendations after it exceeded its authority in assisting domestic law enforcement, but continues to be focused on government and five eyes priorities and encouraged to pursue technical interoperability with NSA and other FVEY nations.

The NSA provides GCSB with “raw traffic, processing, and reporting on targets of mutual interest, in addition to technical advice and equipment loans.” The GCSB primarily provides the NSA with access to communications which would otherwise remain inaccessible. These communications include: China, Japanese/North Korean/Vietnamese/South American diplomatic communications, South Pacific Island nations, Pakistan, India, Iran, and Antartica, as well as French police and nuclear testing activities in New Caledonia.

Of note, GCSB is a member of SIGINT Seniors Pacific (SSPAC) (includes Australia, Canada, France, India, Korea, New Zealand, Singapore, Thailand, United Kingdom, and United States) as well as SIGINT Seniors Europe (SSEUR) (includes Australia, Belgium, Canada, Denmark, France, Germany, Italy, Netherlands, New Zealand, Norway, Spain, Sweden, United Kingdom, and United States).

Document Published: March 11, 2015
Document Dated: April 2013
Document Length: 3 pages
Associated Article: Snowden revelations: NZ’s spy reach stretches across globe
Download Document: NSA Intelligence Relationship with New Zealand
Classification: TOP SECRET//SI//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: None

SIGINT Development Forum (SDF) Minutes

Summary: This document summarizes the state of signals development amongst the Five Eyes (FVEY). It first outline the core imperatives for the group, including: ensuring that the top technologies are being identified for use and linked with the capability they bring; that NSA shaping (targeting routers) improves (while noting that for CSE and GCSB shaping involves “industry engagement and collection bending”); improving on pattern of life collection and analysis; improving on IP address geolocation that covers Internet, radio frequency, and GSM realms; analyzing how convergence of communications systems and technologies impacts SIGINT operations.

Privacy issues were seen as being on the groups’ radar, on the basis that the “Oversight & Compliance team at NSA was under-resourced and overburdened.” Neither GCSB or DSD were able to sponsor or audit analysts’ accounts similar to the NSA, and CSEC indicated it had considered funding audit billets; while dismissed at the time, the prospect has re-arisen. At the time the non-NSA FVEYs were considering how to implement ‘super-user’ accounts, where specific staff will run queries for counterparts who are not directly authorized to run queries on selective databases.

GCSB, in particular, was developing its first network analyst team in October 2009 and was meant to prove the utility of network analysis so as to get additional staff for later supporting STATEROOM and Computer Network Exploitation tasks. Further, GCSB was to continue its work in the South Pacific region, as well as expanding cable access efforts and capabilities during a 1 month push.  There was also a problem where 20% of GCSB’s analytic workforce lacked access to DSD’s XKEYSCORE, which was a problem given that GCSB provided NSA with raw data. The reason for needing external tools to access data is GCSB staff are prohibited from accessing New Zealand data.

Document Published: March 11, 2015
Document Dated: June 8-9, 2009
Document Length: 3 pages
Associated Article: Snowden revelations: NZ’s spy reach stretches across globe
Download Document: SIGINT Development Forum (SDF) Minutes
Authoring Agency: NSA

The (In)effectiveness of Voluntarily Produced Transparency Reports

Payphones by Christopher Parsons (All Rights Reserved)

I have a paper on telecommunications transparency reports which has been accepted for publication in Business and Society for later this year.

Centrally, the paper finds that companies will not necessarily produce easily comparable reports in relatively calm political waters and that, even should reports become comparable, they may conceal as much as they reveal. Using a model for evaluating transparency reporting used by Fung, Graham, and Weil in their 2007 book, Full Disclosure: The Perils and Promises of Transparency, I find that the reports issued by telecommunications companies are somewhat effective because they have led to changes in corporate behaviour and stakeholder interest, but have have been largely ineffective in prodding governments to behave more accountably. Moreover, reports issued by Canadian companies routinely omit how companies themselves are involved in facilitating government surveillance efforts when not legally required to do so. In effect, transparency reporting — even if comparable across industry partners — risks treating the symptom — the secrecy of surveillance — without getting to the cause — how surveillance is facilitated by firms themselves.

A pre-copyedited version of the paper, titled, “The (In)effectiveness of Voluntarily Produced Transparency Reports,” is available at the Social Sciences Research Network.

Older posts