Internet

The Murky State of Canadian Telecommunications Surveillance

/ Christopher Parsons

Telephone PoleOn January 20, 2014 the Citizen Lab along with leading Canadian academics and civil liberties groups sent letters to Canada’s most prominent Internet service providers. We asked the companies to reveal the extent to which they voluntarily, and under compulsion, disclose information about their subscribers to state agencies, as well as for information about business practices and data retention periods. The requested information would let researchers, policy analysts, and civil liberties groups better understand the current telecommunications landscape and engage in evidence-based policy analysis of current and proposed government surveillance activities. The companies were asked to provide responses by March 3, 2014.

A considerable amount of attention has been given to state access to telecommunications data since January 20. Organizations such as the Globe and Mail wrote that Canadians deserve to know who is listening to their communications, and reporting by The Wire Report found that while telecommunications companies believed they might not be able to respond to all the questions in the letters, at least some responses might be provided without running afoul of government gag laws. However, The Wire Report also found that some sources believed they were forbidden from disclosing any information about the assistance they provide to government agencies, with one stating they were “completely resigned.”

At the same time as the letters were being examined by the companies, a series of high-profile telecommunications-related stories broke in the media. In the United States, leading telecommunications carriers released ‘transparency reports’ that put some information in the public arena concerning how often the companies disclose information to American state agencies. In Canada, there were revelations that the Communications Security Establishment Canada (CSEC) had surreptitiously monitored the movements of Canadians vis-a-vis mobile devices that connected to wireless routers. These revelations sparked renewed interest in the origins of CSEC’s data, whether Canadian telecommunications companies either voluntarily or under compulsion provide data to CSEC, the nature of CSEC’s ‘metadata’ collection process, and the rationales driving data exchanges between telecommunications companies and state agencies more generally. The Office of the Privacy Commissioner of Canada also tabled a report that outlined a series of ways to improve accountability and transparency surrounding state access to telecommunications data. Finally, MP Charmaine Borg, the New Democratic Party Member of Parliament for the riding of Terrebonne—Blainville in Quebec, issued a series of questions to the federal government that are meant to render transparent how federal agencies request information from telecommunications companies.

Continue reading

How to Dispel the Confusion Around iMessage Security

/ Christopher Parsons / 2 Comments

Image by Graham BrennaApple’s hardware and communications products continue to be widely purchased and used by people around the world. Comscore reported in March 2013 that Apple enjoyed a 35% market penetration in Canada, and their desktop and mobile computing devices remain popular choices for consumers. A messaging service, iMessage, spans the entire Apple product line. The company has stated that it “cannot decrypt that data.”

Apple’s statements concerning iMessage’s security are highly suspect. In what follows I summarize some of the serious questions about Apple’s encryption schemas. I then discuss why it’s important for consumers to know whether iMessages are secure from third-party interception. I conclude by outlining how Canadians who use the iMessage application can use Canadian privacy law to ascertain the validity of Apple’s claims against those of the company’s critics. Continue reading

How To Get Your Personal Information From Social Networks

/ Christopher Parsons / 5 Comments

Photo by Evan Long

Canadian news routinely highlights the ‘dangers’ that can be associated with social networking companies collecting and storing information about Canadian citizens. Stories and articles regularly discuss how hackers can misuse your personal information, how companies store ‘everything’ about you, and how collected data is disclosed to unscrupulous third parties. While many of these stories are accurate, insofar as they cover specific instances of harm and risky behaviour, they tend to lack an important next step; they rarely explain how Canadians can get educated on data collection, retention, and disclosure processes.

Let’s be honest: any next step has to be reasonable. Expecting Canadians to flee social media en masse and return to letter writing isn’t an acceptable (or, really, an appropriate) response. Similarly, saying “tighten your privacy controls” or “be careful what you post” are of modest value, at best; many Canadians are realizing that tightening their privacy controls does little when the companies can (and do) change their privacy settings without any notice. This post is inspired by a different next step. Rather than being inspired by fear emergent from ‘the sky is falling’ news stories, what if you were inspired by knowledge that you, yourself, gained? In what follows I walk you through how to compel social networking companies to disclose what information they have about you. In the process of filing these requests you’ll learn a lot more about being a member of these social networking services and, based on what you learn, can decide whether you want to change your involvement with particular social media companies.

I start by explaining why Canadians have a legal right to compel companies to disclose and make available the information that they retain about Canadian citizens. I then provide a template letter that you can send to social networking organizations with which you have a preexisting relationship. This template is, in effect, a tool that you can use to compel companies to disclose your personal information. After providing the template I explain the significance of some of the items contained in it. Next, I outline some of the difficulties or challenges you might have in requesting your personal information and a few ways to counteract those problems. Finally, I explain how you can complain if a company does not meet its legal obligation to provide you with a copy of your personal information. By the end of this post, you’ll have everything you need to request your personal information from the social networking services to which you subscribe. Continue reading

Understanding the Lawful Access Decryption Requirement

/ Christopher Parsons

Photo by walknboston

For several months I and a handful of others in the Canadian privacy and security community have been mulling over what Bill C-30, better known as Canada’s ‘lawful access’ legislation, might mean for the future of encryption policy in Canada. Today, I’m happy to announce that one of the fruits of these conversation, a paper that I’ve been working on with Kevin McArthur, is now public. The paper, titled “Understanding the Lawful Access Decryption Requirement,” spends a considerable amount of time considering the potential implications of the legislation. Our analysis considers how C-30 might force companies to adopt key escrows, or decryption key repositories. After identifying some of the problems associated with these repositories, we suggest how to amend the legislation to ensure that corporations will not have to establish key escrows. We conclude by outlining the dangers of leaving the legislative language as it stands today. The full abstract, and download link, follows.

Abstract

Canada’s lawful access legislation, Bill C-30, includes a section that imposes decryption requirements on telecommunications service providers. In this paper we analyze these requirements to conclude that they may force service providers to establish key escrow, or decryption key retention, programs. We demonstrate the significance of these requirements by analyzing the implications that such programs could have for online service providers, companies that provide client software to access cloud services, and the subscribers of such online services. The paper concludes by suggesting an amendment to the bill, to ensure that corporations will not have to establish escrows, and by speaking to the dangers of not implementing such an amendment.

Download paper at the Social Sciences Research Network

The Danger of Fetishizing BlackBerry Messenger Security

/ Christopher Parsons / 5 Comments

BlackBerry Bold 9780Research in Motion has a problem. For years they promoted themselves as a top-notch mobile security company. During those initial years most of their products were pitched at enterprise users.

Then RIM got into the consumer market.

Most consumers equate RIM’s products with security, email, BlackBerry Messenger (BBM), and a tepid suite of other smartphone features. Most of the people who report on the company tend to agonize over the fact that RIM complies with government surveillance laws. Such reports inevitably emerge each time that the public realizes that RIM meets its lawful access requirements for consumer-line products.

In this post, I want to briefly address some of the BBM-related security concerns and try to (again) correct the record surrounding the security promises of the messaging service. After outlining the deficits of consumer BBM products I briefly argue that we need to avoid fetishizing technology, encryption, or the law, and should instead focus on the democratic implications of the lawful access-style laws that governments use to access citizens’ communications.

In the interest of full disclose: I have family and friends who work at Research In Motion. I haven’t spoken to any of them concerning this post or its contents. None directly work on either BBM or RIM’s encryption systems.

Continue reading

The Danger Online Voting Poses to Democratic Legitimacy

/ Christopher Parsons

Vote Mob @ Memorial University of Newfoundland Online voting is a serious issue that Canadians need to remain aware of and/or become educated about. I’ve previously written about issues surrounding Internet-based voting, and was recently interviewed about online elections in light of problems that the National Democratic Party (NDP) had during their 2012 leadership convention. While I’m generally happy with how the interview played out – and thankful to colleagues for linking me up with the radio station I spoke on – there were a few items that didn’t get covered in the interview because of time limitations. This post is meant to take up those missed items, as well as let you go and listen to the interview for yourself.

Public Dialogue Concerning the NDP Leadership ‘Attack’

There are claims that the attacks against the NDP’s online voting system were “sophisticated” and that “the required organization and the demonstrated orchestration of the attack indicates that this was a deliberate effort to disrupt or negate the election by a knowledgeable person or group.” Neither of these statements are entirely fair or particularly accurate. Publicly disclosed information indicates that around 10,000 IP addresses were used to launch a small Distributed Denial of Service (DDoS) attack against the voting system used during the NDP’s convention. To be clear: this is a relatively tiny botnet.

While such a botnet might justifiably overwhelm some small business networks, or other organizations that haven’t seen the need to establish protections against DDoS scenarios, it absolutely should not be capable of compromising an electoral process. Such a process should be significantly hardened: scalable infrastructure ought to have been adopted, and all services ought to be sitting behind a defensible security perimeter. To give you an understanding of just how cheap a botnet (of a much larger size) can be: in 2009, a 80,000-120,000 machine botnet would run around $200/day. You even got a 3-minute trial window! In 2010, VeriSign’s iDefence Intelligence Operations Team reported that a comparable botnet would run around $9/hr or $67/day.

If a few Google searches and a couple hundred dollars from a Paypal account can get you a small botnet (and give you access to technical support to help launch the attack, depending on who you rent your bots from) then we’re not dealing with a particularly sophisticated individual or group, or an individual or group that necessarily possesses very much knowledge about this kinds of attacks. Certainly the action of hiring a botnet demonstrates intent but it’s an incredibly amateurish attempt, and one that should have been easily stopped by the vendor in question.

Continue reading