Internet

Canadian Police Requests for Telecommunications Data

/ Christopher Parsons

2498847226_9beb1f55db_o-300x200In our report, “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians,” we discussed the regularity at which government agencies gain access to telecommunications data. Save for the Canadian Border Services Agency, federal government agencies that are principally responsible for conducting domestic telecommunications surveillance, such as the Royal Canadian Mounted Police, could not account for how often they use their surveillance powers.

In the course of investigating government access to telecommunications data we also contacted regional policing departments. This post expands on findings we provided in our report to discuss, in depth, the data provided by responsive police departments. We conclude by asserting that new legislation must be introduced and passed so that Canadians become aware of the magnitude of contemporary telecommunications surveillance that policing organizations are involved in on a yearly basis.

Requests to Police Departments

We filed requests to Canadian police departments to determine how often individual departments were exercising telecommunications surveillance powers. Though our report principally focused on federal government agencies’ surveillance, we had hoped to effectively juxtapose provincial/municipal telecommunications surveillance against their federal brethren. We ultimately decided to not conduct a detailed juxtaposition in the report because an insufficient number of police departments responded to our legally-binding requests for access to government data in time for publication.

We filed requests for information to police departments operating in Nova Scotia, Ontario, Alberta, and British Columbia. These requests identified the provincial statutes we were relying on to request information. We paid fees to the various police departments to initiate the processing of the requests. The only two police departments that were responsive to our requests were the Halifax and Vancouver police departments. The most notable non-responsive departments police the cities of Calgary and Toronto.

Continue reading

Does Mexico’s Transparency Report Promote Accountability?

/ Christopher Parsons

7666659340_d3096c746a_k-199x300Red en Defensa de los Derechos Digitales (R3D) has released a report that compares Mexican ISPs’ transparency and privacy practices. The work parallels the Karisma Foundation’s report about Columbian ISPs’ transparency and privacy practices; both the Mexican and Columbian organizations’ reports are based on the Electronic Frontier Foundation’s “Who Has Your Back” reporting format. The format is designed to visually summarize the practices taken by Internet companies so that end-users can easily evaluate how companies protect their users.

This post briefly summarizes R3D’s findings and then proceeds to discuss whether Mexican companies’ transparency report genuinely enable corporate accountability. Based on academic literatures, a strong argument can be made that the aggregated Mexican transparency report that have been issued by the Mexican telecommunications companies does not make the companies particularly accountable to their customers. The post concludes by raising questions about the status of third-party comparisons of corporate privacy and transparency practices: why are intermediaries like R3D, Karisma Foundation, Electronic Frontier Foundation, or IX Maps so important? And what are the deficits of contemporary comparisons of corporate transparency and privacy practices?

Summary of R3D Findings

RD3’s report examines privacy policies and codes of practices from the eight Mexican telecommunications companies that, in aggregate, compose 98% of Mexico’s mobile, fixed line, and broadband markets. Out of a possible six ‘stars’ only one company (Movistar) received two stars (the most of any company); half for requiring a warrant for data requests, half for publishing a transparency report, and a full star for advocating for privacy. The worst company, Megacable, received just a half-star for requiring a warrant for data requests.

Companies could receive either a full star, half-star, quarter-star or no star in each of the categories that are noted in Figure One. The evaluation criteria for receiving these grades follows the figure.

BAC1841D-E5B7-472F-9FB7-1544E3C3D550-1024x554

Continue reading

The Governance of Telecommunications Surveillance

/ Christopher Parsons

Last week I released a new report, The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians, through the Telecommunications Transparency Project. The Project is associated with the Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, and the report was funded through the Canadian Internet Registration Authorities’s .CA Community Investment Program.

The report examines how contemporary telecommunications surveillance is governed in Canada. In it, we ask how much telecommunications surveillance is occurring in Canada, what actors are enabling the surveillance, to what degree those actors disclose their involvement in (and the magnitude of) surveillance, and what degree of oversight is given to the federal governments’ surveillance practices. We conclude that serious failures in transparency and accountability indicate that corporations are failing to manage Canadians’ personal information responsibly and that government irresponsibility surrounding accountability strains its credibility and aggravates citizens’ cynicism about the political process. In aggregate, these failings endanger both the development of Canada’s digital economy and aggravate the democratic deficit between citizens and their governments.

Continue reading

New Update to the SIGINT Summaries

/ Christopher Parsons

Grondstation van de Nationale SIGINT Organisatie (NSO) in Burum, Frysl‚nI have added one new item to the SIGINT Summaries page. The Summaries include downloadable copies of leaked Communications Security Establishment (CSE) documents, along with summary, publication, and original source information.1 CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

Documents were often produced by CSE’s closest partners which, collectively, form the ‘Five Eyes’ intelligence network. This network includes the CSE, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), Australian Signals Directorate (ASD),2 and Government Communications Security Bureau (GCSB)).

All of the documents are available for download from this website. Though I am hosting the documents they were all first published by another party. The new documents and their summaries are listed below. The full list of documents and their summary information is available on the Canadian SIGINT Summaries page.

The new contribution comes from documents released by CBC and covers how Five Eyes intelligence analysts correlated telephony and mobile Internet communications information. For the first time I have noted, in the summary block, all of the codenames that were mentioned in the redacted document.

Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT)

Summary: This slide deck showcases some of the activities, and successes, of the Network Tradecraft Advancement Team (NTAT). The slides focus on how to develop and document tradecraft which is used to correlate telephony and Internet data. Two separate workshops are discussed, one in 2011 and another in 2012. Workshop outcomes included identifying potentially converged data (between telephony and Internet data) as well as geolocating mobile phone application servers. A common mobile gateway identification analytic was adopted by three agencies, including DSD. NTAT had also adopted the CRAFTY SHACK tradecraft documentation system over the courses of these workshops.

In an experiment, codenamed IRRITANT HORN, analysts explored whether they could identify connections between a potentially ‘revolutionary’ country and mobile applications servers. They successfully correlated connections with application servers which opened up the potential to conduct Man in the Middle attacks or effect operations towards the mobile devices, as well as the potential to harvest data in transit and at rest from the devices. In the profiling of mobile applications servers it appears that EONBLUE was used to collect information about a company named Poynt; that company’s application was being used by Blackberry users, and the servers profiled were located in Calgary, Alberta (Canada).

The agencies successfully found vulnerabilities in UCWeb, which was found to leak IMSI, MSISDN, IMEI, and other device characteristics. These vulnerabilities were used to discover a target and it was determined that the vulnerabilities might let a SIGINT agency serve malware to the target. A ‘microplugin’ for XKeyscore was developed so that analysts could quickly surface UCWeb-related SIGINT material. (NOTE: The Citizen Lab analyzed later versions of UCWeb and found vulnerabilities that were subsequently patched by the company. For more, see: “A Chatty Squirrel: Privacy and Security Issues with UC Browser.”)

Document Published: May 21, 2015
Document Dated: 2012 or later
Document Length: 52 pages (slides plus notes)
Associated Article: Spy agencies target mobile phones, app stores to implant spyware
Download Document: Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT)
Codenames mentioned: ATLAS, ATHENA, BLAZING SADDLES, CRAFTY SHACK, DANAUS, EONBLUE, FRETTING YETI, HYPERION, IRRITANT HORN, MASTERSHAKE, PEITHO, PLINK, SCORPIOFORE

Footnotes

  1.  Formally known as the Communications Security Establishment Canada (CSEC). 
  2.  The ASD was formerly known as the Defence Signals Directorate (DSD). 

Draft: Do Transparency Reports Matter for Public Policy?

/ Christopher Parsons

TransparancyTelecommunications transparency reports detail the frequency at which government agencies request information from telecommunications companies. Though American companies have been releasing these reports since 2009, it wasn’t until 2014 that Canadian companies began to follow suit. As part of my work at the Citizen Lab I’ve analyzed the Canadian reports against what makes an effective transparency report, with ‘effectiveness’ relating to achieving public policy goals as opposed to ‘having an effect’ in terms of generating media headlines.

Today I’m publishing a draft paper that summarizes my current analyses. The paper is titled, “Do Transparency Reports Matter for Public Policy? Evaluating the effectiveness of telecommunications transparency reports” and is available for download. I welcome feedback on what I’ve written and look forward to the conversations that it spurs in Canada and further abroad.

Abstract:

Telecommunications companies across Canada have begun to release transparency reports to explain what data the companies collect, what data they retain and for how long, and to whom that data is, or has been, disclosed to. This article evaluates the extent to which Canadian telecommunications companies’ transparency reports respond to a set of public policy goals set by civil society advocates, academics, and corporations, namely: of contextualizing information about government surveillance actions, of legitimizing the corporate disclosure of data about government-mandated surveillance actions, and of deflecting or responding to telecommunications subscribers’ concerns about how their data is shared between companies and the government. In effect, have the reports been effective in achieving the aforementioned goals or have they just had the effect of generating press attention?

After discussing the importance of transparency reports generally, and the specificities of the Canadian reports released in 2014, I argue that companies must standardize their reports across the industry and must also publish their lawful intercept handbooks for the reports to be more effective. Ultimately, citizens will only understand the full significance of the data published in telecommunications companies’ transparency when the current data contained in transparency reports is contextualized by the amount of data that each type of request can provide to government agencies and the corporate policies dictating the terms under which such requests are made and complied with.

Download Telecommunications Transparency in Canada 1.5 (Public Draft)  (Alternate SSRN link)

Advancing Encryption for the Masses

/ Christopher Parsons

CryptographyEdward Snowden’s revelations have made it incredibly obvious that signals intelligence agencies have focused a lot of their time and energy in tracking people as they browse the web. Such tracking is often possible at a global scale because so much of the data that crosses the Internet is unencrypted. Fortunately, the ease of such surveillance is being curtailed by large corporations and advocacy organizations alike.

Today, WhatsApp and Open Whisper Systems announced they have been providing, and will continue to deploy, what’s called ‘end to end’ encryption to WhatsApp users. This form of encryption ensures that the contents of subscribers’ communications are be secured from third-party content monitoring as it transits from a sender’s phone to a recipient’s device.

As a result of these actions, WhatsApp users will enjoy a massive boost in their communications security. And it demonstrates that Facebook, the owner of WhatsApp, is willing to enhance the security of its users even when such actions are likely to provoke and upset surveillance-hawks around the world who are more interested in spying on Facebook and WhatsApp subscribers than in protecting them from surveillance.

A separate, but thematically related, blog post the Electronic Frontier Foundation announced the creation of a new Certificate Authority (CA) initiative called ‘Let’s Encrypt’. Partnering with the Electronic Frontier Foundation are Mozilla, Cisco, Akamai, Identrust, and researchers at the University of Michigan. CAs issue the data files that are used to cryptographically secure communications between clients (like your web browser) and servers (like EFF.org). Such encryption makes it more challenging for another party to monitor what you are sending to, and receiving from, a server you are visiting.

Key to the ‘Let’s Encrypt’ initiative is that the issued certificates will be free and installable using a script. The script is meant to automate the process of requesting, configuring, and installing the certificate. Ideally, this will mean that people with relatively little experience will be able to safely and securely set up SSL-protected websites. Academic studies have shown that even those with experience routinely fail to properly configure SSL-protections.

The aim of both of these initiatives is to increase the ‘friction’, or relative difficulty, in massively monitoring chat and web-based communications. However, it is important to recognize that neither initiative can be considered a perfect solution to surveillance.

In the case of WhatsApp and Open Whisper Systems, end to end encryption does not fix the broader problems of mobile security: if an adversary can take control of a mobile device, or has a way of capturing text that is typed into or that is displayed on the screen when you’re using WhatsApp, then any message sent or received by the device could be susceptible to surveillance. However, there is no evidence that any government agency in the world has monitored, or is currently capable of monitoring, millions or billions of devices simultaneously. There is evidence, however, of government agencies aggressively trying to monitor the servers and Internet infrastructure that applications like WhatsApp use in delivering messages between mobile devices.

Moreover, it’s unclear what Facebook’s or WhatsApp’s reaction would be if a government agency tried to force the delivery of a cryptographically broken or weakened version of WhatsApp to particular subscribers using orders issued by American, European, or Canadian courts. And, even if the companies in question fought back, what would they do if they lost the court case?

Similarly, the ‘Let’s Encrypt’ initiative relies on a mode of securing the Internet that is potentially susceptible to state interference. Governments or parties affiliated with governments have had certificates falsely issued in order to monitor communications between client devices (e.g. smartphones) and servers (e.g. Gmail). Moreover, professional developers have misconfigured commerce backends to the effect of not checking whether the certificate used to encrypt a communication belong to the right organization (i.e. not checking that the certificate used to communicate with Paypal actually belongs to Paypal). There are other issues with SSL, including a poor revocation checking mechanism, historical challenges in configuring it properly, and more. Some of these issues may be defrayed by the ‘Let’s Encrypt’ initiative because of the members’  efforts to work with the Decentralized SSL Observatory, scans.io, and Google’s Certificate Authority logs, but the initiative — and the proposals accompanying it — is not a panacea for all of the world’s online encryption problems. But it will hopefully make it more difficult for global-scale surveillance that is largely predicated on monitoring unencrypted communications between servers and clients.

Edward Snowden was deeply concerned that the documents he brought to light would be treated with indifference and that nothing would change despite the documents’ presence in the public record. While people may be interested in having more secure, and more private, communications following his revelations those interests are not necessarily translated into an ability for people to secure their communications. And the position that people must either embark on elaborate training regimes to communicate securely or just not say sensitive things, or visit sensitive places, online simply will not work: information security needs to work with at least some of the tools that people are using in their daily lives while developing new and secure ones. It doesn’t make sense to just abandon the public to their own devices while the ‘professionals’ use hard-to-use ’secured’ systems amongst themselves.

The work of WhatsApp, Facebook, Open Whisper Systems, the Electronic Frontier Foundation, and that other members of the ‘Let’s Encrypt’ initiative can massively reduce the challenges people face when trying to communicate more responsibly. And the initiatives demonstrate how the cryptographic and communications landscape is shifting in the wake of Snowden’s revelations concerning the reality of global-scale surveillance. While encryption was ultimately thrown out of the original design specifications for the Internet it’s great to see that cryptography is starting to get bolted onto the existing Internet in earnest.