Mobiles

New Update to the SIGINT Summaries

/ Christopher Parsons

Grondstation van de Nationale SIGINT Organisatie (NSO) in Burum, Frysl‚nI have added one new item to the SIGINT Summaries page. The Summaries include downloadable copies of leaked Communications Security Establishment (CSE) documents, along with summary, publication, and original source information.1 CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

Documents were often produced by CSE’s closest partners which, collectively, form the ‘Five Eyes’ intelligence network. This network includes the CSE, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), Australian Signals Directorate (ASD),2 and Government Communications Security Bureau (GCSB)).

All of the documents are available for download from this website. Though I am hosting the documents they were all first published by another party. The new documents and their summaries are listed below. The full list of documents and their summary information is available on the Canadian SIGINT Summaries page.

The new contribution comes from documents released by CBC and covers how Five Eyes intelligence analysts correlated telephony and mobile Internet communications information. For the first time I have noted, in the summary block, all of the codenames that were mentioned in the redacted document.

Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT)

Summary: This slide deck showcases some of the activities, and successes, of the Network Tradecraft Advancement Team (NTAT). The slides focus on how to develop and document tradecraft which is used to correlate telephony and Internet data. Two separate workshops are discussed, one in 2011 and another in 2012. Workshop outcomes included identifying potentially converged data (between telephony and Internet data) as well as geolocating mobile phone application servers. A common mobile gateway identification analytic was adopted by three agencies, including DSD. NTAT had also adopted the CRAFTY SHACK tradecraft documentation system over the courses of these workshops.

In an experiment, codenamed IRRITANT HORN, analysts explored whether they could identify connections between a potentially ‘revolutionary’ country and mobile applications servers. They successfully correlated connections with application servers which opened up the potential to conduct Man in the Middle attacks or effect operations towards the mobile devices, as well as the potential to harvest data in transit and at rest from the devices. In the profiling of mobile applications servers it appears that EONBLUE was used to collect information about a company named Poynt; that company’s application was being used by Blackberry users, and the servers profiled were located in Calgary, Alberta (Canada).

The agencies successfully found vulnerabilities in UCWeb, which was found to leak IMSI, MSISDN, IMEI, and other device characteristics. These vulnerabilities were used to discover a target and it was determined that the vulnerabilities might let a SIGINT agency serve malware to the target. A ‘microplugin’ for XKeyscore was developed so that analysts could quickly surface UCWeb-related SIGINT material. (NOTE: The Citizen Lab analyzed later versions of UCWeb and found vulnerabilities that were subsequently patched by the company. For more, see: “A Chatty Squirrel: Privacy and Security Issues with UC Browser.”)

Document Published: May 21, 2015
Document Dated: 2012 or later
Document Length: 52 pages (slides plus notes)
Associated Article: Spy agencies target mobile phones, app stores to implant spyware
Download Document: Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT)
Codenames mentioned: ATLAS, ATHENA, BLAZING SADDLES, CRAFTY SHACK, DANAUS, EONBLUE, FRETTING YETI, HYPERION, IRRITANT HORN, MASTERSHAKE, PEITHO, PLINK, SCORPIOFORE

Footnotes

  1.  Formally known as the Communications Security Establishment Canada (CSEC). 
  2.  The ASD was formerly known as the Defence Signals Directorate (DSD). 

It’s Time for BlackBerry to Come Clean

/ Christopher Parsons

BlackBerry N10On April 10, 2014, Blackberry’s enterprise chief publicly stated that his company had no intention of releasing transparency reports concerning how often, and under what terms, the company has disclosed Blackberry users’ personal information to government agencies. BlackBerry’s lack of transparency stands in direct contrast to its competitors: Google began releasing transparency reports in 2009, and Apple and Microsoft in 2013. And BlackBerry’s competitors are rigorously competing on personal privacy as well, with Apple recently redesigning their operating system to render the company unable to decrypt iDevices for government agencies and having previously limited its ability to decrypt iMessage communications. Google will soon be following Apple’s lead.

So, while Blackberry’s competitors are making government access to telecommunications data transparent to consumers and working to enhance their users’ privacy, BlackBerry remains tight-lipped about how it collaborates with government agencies. And as BlackBerry attempts to re-assert itself in the enterprise market — and largely cede the consumer market to its competitors — it is unclear how it can alleviate business customers’ worries about governments accessing BlackBerry-transited business information. Barring the exceptional situation where data from BlackBerry’s network is introduced as evidence in a court process businesses have no real insight of the extent to which Blackberry is compelled to act against its users’ interests by disclosing information to government agencies. And given that the company both owns an underlying patent for, and integrated into its devices’ VPN client, a cryptographic algorithm believed vulnerable to surreptitious government spying it’s not enough to simply refuse to comment on why, and the extent to which, BlackBerry is compelled to help governments spy on its customer base.

We know that BlackBerry has been legally and politically bludgeoned into developing, implementing, and providing training courses on intercepting and censoring communications sent over its network. At the same time, we know that many employees at BlackBerry genuinely care about developing secure products and delivering them to the world; reliable, secure, and productive communications products are ostensibly the lifeblood that keeps the company afloat. So why, knowing what we know about the company’s ethos and the surveillance compulsions it has faced in the past, is it so unwilling to be honest with its current and prospective enterprise customers and develop transparency reports: for fear that customers would flee the company upon realizing the extent to which BlackBerry communications are accessed or monitored by governments, because of gag-orders they’ve agreed to in order to sell products in less-democratic nations, or just because they hold their customers is contempt?

Canadian Cyberbullying Legislation Threatens to Further Legitimize Malware Sales

/ Christopher Parsons

Focus, Build, HackLawful access legislation was recently (re)tabled by the Government of Canada in November 2013. This class of legislation enhances investigative and intelligence-gathering powers, typically by extending search and seizure provisions, communications interception capabilities, and subscriber data disclosure powers. The current proposed iteration of the Canadian legislation would offer tools to combat inappropriate disclosure of intimate images as well as extend more general lawful access provisions. One of the little-discussed elements of the legislation is that it will empower government authorities to covertly install, activate, monitor, and remove software designed to track Canadians’ location and ‘transmission data.’

In this post I begin by briefly discussing this class of government-used malicious surveillance software, which I refer to as ‘govware’. Next, I outline how Bill C–13 would authorize the use of govware. I conclude by raising questions about whether this legislation will lead government agencies to compete with one another, with some agencies finding and using security vulnerabilities, and others finding and fixing the vulnerabilities such tools rely. I also argue that a fulsome debate must be had about govware based on how it can broadly threaten Canadians’ digital security. Continue reading

Responding the the Crisis in Canadian Telecommunications

/ Christopher Parsons

In the middle of an identity crisisOn April 29, 2014 the Interim Privacy Commissioner of Canada, Chantal Bernier, revealed that Canadian telecommunications companies have disclosed enormous volumes of information to state agencies. These agencies can include the Royal Canadian Mounted Police, Canadian Security Intelligence Service, Canadian Border Services Agency, as well as provincial and municipal authorities. Commissioner Bernier’s disclosure followed on news that federal agencies such as the Canadian Border Services Agency requested access to Canadians’ subscriber data over 19 thousand times in a year, as well as the refusal of Canadian telecommunications companies to publicly disclose how, why, and how often they disclose information to state agencies.

This post argues that Canadians are not powerless. They can use existing laws to try and learn whether their communications companies are disclosing their personal information to state agencies. I begin by explaining why Canadians have a legal right to compel companies to disclose the information that they generate and collect about Canadians. I then provide a template letter that Canadians can fill in and issue to the telecommunications companies providing them with service, as well as some of the contact information for major Canadian telecommunications companies. Finally, I’ll provide a few tips on what to do if companies refuse to respond to your requests and conclude by explaining why it’s so important that Canadians send these demands to companies providing them with phone, wireless, and internet service.

Continue reading

Accountability and Government Surveillance

/ Christopher Parsons / 3 Comments

Charmaine Borg, MPThe issue of lawful access has repeatedly arisen on the Canadian federal agenda. Every time that the legislation has been introduced Canadians have opposed the notion of authorities gaining warrantless access to subscriber data, to the point where the most recent version of the lawful access legislation dropped this provision. It would seem, however, that the real motivation for dropping the provision may follow from the facts on the ground: Canadian authorities already routinely and massively collect subscriber data without significant pushback by Canada’s service providers. And whereas the prior iteration of the lawful access legislation (i.e. C–30) would have required authorities to report on their access to this data the current iteration of the legislation (i.e. C–13) lacks this accountability safeguard.

In March 2014, MP Charmaine Borg received responses from federal agencies (.pdf) concerning the agencies’ requests for subscriber-related information from telecommunications service providers (TSPs). Those responses demonstrate extensive and unaccountable federal government surveillance of Canadians. I begin this post by discussing the political significance of MP Borg’s questions and then proceed to granularly identify major findings from the federal agencies’ respective responses. After providing these empirical details and discussing their significance, I conclude by arguing that the ‘subscriber information loophole’ urgently needs to be closed and that federal agencies must be made accountable to their masters, the Canadian public.

Continue reading

Lawful Access is Dead; Long Live Lawful Intercept!

/ Christopher Parsons

Honest PhoneLawful access was a contentious issue on the Canadian agenda when it was initially introduced by the Martin government, and has become even more disputed as subsequent governments have introduced their own iterations of the Liberal legislation. Last year the current majority government introduced Bill C-30, the Protecting Children from Internet Predators Act. In the face of public outcry the government sent the bill to committee prior to a vote on second reading, and most recently declared the bill dead.

Last year I began research concerning alternate means of instituting lawful access powers in Canada. Specifically, I explored whether a ‘backdoor’ had been found to advance various lawful access powers: was Industry Canada, through the 700MHz spectrum consultation, and Public Safety, through its changes to how communications are intercepted, effectively establishing the necessary conditions for lawful access by compliance fiat?

In this post I try to work through aspects of this question. I begin by briefly unpacking some key elements of Bill C-30 and then proceed to give an overview of the spectrum consultation. This overview will touch on proposed changes to lawful intercept standards. I then suggest how changes to the intercept standards could affect Canadians, as well as (re)iterate the importance of publicly discussing expansions to lawful access and intercept powers instead of expanding these powers through regulatory and compliance backdoors.

Continue reading