Technology, Thoughts & Trinkets

Touring the digital through type

Tag: accountability (page 1 of 2)

Accountability and the Canadian Government’s Reporting of Computer Vulnerabilities and Exploits

Photo by Taskin Ashiq on Unsplash

I have a new draft paper that outlines why the Canadian government should develop, and publish, the guidelines it uses when determining whether to acquire, use, or disclose computer- and computer-system vulnerabilities. At its crux, the paper argues that an accountability system was developed in the 1970s based on the intrusiveness of government wiretaps and that state-used malware is just as, if not more so, intrusive. Government agencies should be held to at least as high a standard, today, as they were forty years ago (and, arguably, an even higher one today than in the past). It’s important to recognize that while the paper argues for a focus on defensive cybersecurity — disclosing vulnerabilities as a default in order to enhance the general security of all Canadians and residents of Canada, as well as to improve the security of all government of Canada institutions — it recognizes that some vulnerabilities may be retained to achieve a limited subset of investigative and intelligence operations. As such, the paper does not rule out the use of malware by state actors but, instead, seeks to restrict the use of such malware while also drawing its use into a publicly visible accountability regime.

I’m very receptive to comments on this paper and will seek to incorporate feedback before sending the paper to an appropriate journal around mid-December.

Abstract:

Computer security vulnerabilities can be exploited by unauthorized parties to affect targeted systems contrary to the preferences their owner or controller. Companies routinely issue patches to remediate the vulnerabilities after learning that the vulnerabilities exist. However, these flaws are sometimes obtained, used, and kept secret by government actors, who assert that revealing vulnerabilities would undermine intelligence, security, or law enforcement operations. This paper argues that a publicly visible accountability regime is needed to control the discovery, purchase, use, and reporting of computer exploits by Canadian government actors for two reasons. First, because when utilized by Canadian state actors the vulnerabilities could be leveraged to deeply intrude into the private lives of citizens, and legislative precedent indicates that such intrusions should be carefully regulated so that the legislature can hold the government to account. Second, because the vulnerabilities underlying any exploits could be discovered or used by a range of hostile operators to subsequently threaten Canadian citizens’ and residents’ of Canada personal security or the integrity of democratic institutions. On these bases, it is of high importance that the government of Canada formally develop, publish, and act according to an accountability regime that would regulate its agencies’ exploitation of computer vulnerabilities.

Download .pdf // SSRN Link

Horizontal Accountability and Signals Intelligence: Lesson Drawing from Annual Electronic Surveillance Reports

‘Radome at Hartland Point’ by shirokazan (CC BY 2.0) at https://flic.kr/p/dfn9ei

Adam Molnar and I have a new paper on accountability and signals intelligence, which we will be presenting at the Security Intelligence & Surveillance in the Big Data Age workshop. The workshop will be held at the University of Ottawa later this month as part of the Big Data Surveillance partnership project that is funded by the Social Sciences and Humanities Research Council of Canada.

The paper focuses exclusively on the mechanisms which are needed for civil society actors to evaluate the propriety of actions undertaken by signals intelligence agencies. In it, we argue that Canada’s foreign signals intelligence agency’s public accountability reporting might be enhanced by drawing on lessons from existing statutory electronic surveillance reporting. Focusing exclusively on Canada’s signals intelligence agency, the Communications Security Establishment (CSE), we first outline the relationships between accountability of government agencies to their respective Ministers and Members of Parliament, the role of transparency in enabling governmental accountability to the public, and the link between robust accountability regimes and democratic legitimacy of government action. Next, we feature a contemporary bulk data surveillance practice undertaken by Canada’s signals intelligence agency and the deficiencies in how CSE’s existing review body makes the Establishment’s practices publicly accountable to Parliamentarians and the public alike. We then discuss how proposed changes to CSE oversight and review mechanisms will not clearly rectify the existing public accountability deficits. We conclude by proposing a principle-based framework towards a robust public accountability process that is linked to those underlying domestic and foreign statutory electronic surveillance reports.

A copy of our paper, titled, “Horizontal Accountability and Signals Intelligence: Lesson Drawing from Annual Electronic Surveillance Reports,” is available at the Social Sciences Research Network as well as for download from this website.

More Surveillance Powers Won’t Prevent Intelligence Failures

Newspapers B&W (5)I co-authored a comment to the editors of the Globe and Mail, “More Surveillance Powers Won’t Prevent Intelligence Failures,” in response to Christian Leuprecht’s article “Pointing fingers won’t prevent intelligence failures“. Leuprecht asserts that further intelligence sharing is critical to prevent and avoid attacks such as those in Paris, that more trust between intelligence agencies to facilitate international intelligence sharing is needed, and that more resources are needed if particular individuals subject to state suspicion are to be monitored. He also asserted that governments need the powers to act against targeted individuals, and that unnamed ‘critics’ are responsible for the weakening of intelligence agencies and, by extension, for the senseless deaths of innocents that result from agencies’ inabilities to share, monitor, and engage suspicious persons.

The co-authored comment rebuts Leuprecht’s assertions. We point that there is more intelligence collected, now, than ever before. We note that some of the attackers were already known to intelligence and security services. And we note that it was intelligence sharing, itself, that led to the targeting and torture of Maher Arar. In effect, the intelligence community is failing in spite of having the capabilities and powers that Leuprecht calls for; what is missing, if anything, is the ability to transform the intelligence collected today into something that is actionable.

The full comment, first published at the Globe and Mail, is reproduced below:

More Surveillance Powers Won’t Prevent Intelligence Failures
Re: “Pointing Fingers Won’t Prevent Intelligence Failures” (Nov 25):

The horrific attacks in Paris have led to a wave of finger-pointing – often powerfully disassociated from the realities of the failures (Pointing Fingers Won’t Prevent Intelligence Failures – Nov 25). The answer from security agencies is inevitably to request more surveillance and more capacity to intrude into citizens’ lives.

These requests are made despite the historically unprecedented access to digital information that security agencies already enjoy and repeated expansions of security powers. Clearly “more security” is not the answer to preventing all future attacks.

The intelligence failure in Paris painted a familiar picture. Many of the attackers were known to French officials, and Turkish intelligence agencies sent repeated warnings of another. Yet in their rush to blame communications technologies such as iPhone encryption and the PlayStation (claims since discredited), security agencies neglect the lack of adequate human intelligence resources and capacities needed to translate this digital knowledge into threat prevention. Also absent is attention to agency accountability – the unaddressed information-sharing problems that caused the mistaken targeting and torture of Maher Arar.

The targets of terror are not only physical, but also ideological. Introducing a laundry list of new powers in response to every incident without regard to the underlying causes will not prevent all attacks, but will leave our democracy in tatters.

Vincent Gogolek, Executive Director, BC Freedom of Information and Privacy Association (BCFIPA)

Tamir Israel, Staff Lawyer, Canadian Internet Policy & Public Interest Clinic (CIPPIC), University of Ottawa

Monia Mazigh, National Coordinator, International Civil Liberties Monitoring Group (ICLMG)

Christopher Parsons, Postdoctoral Fellow, Citizen Lab at Munk School of Global Affairs, University of Toronto

Sukanya Pillay, Executive Director & General Counsel, Canadian Civil Liberties Association (CCLA)

Laura Tribe, Digital Rights Specialist, OpenMedia

Micheal Vonn, Policy Director, British Columbia Civil Liberties Association (BCCLA)

Photo credit: Newspapers B&W (5) by Jon S (CC BY 2.0) https://flic.kr/p/ayGkBN

Canadian Police Requests for Telecommunications Data

2498847226_9beb1f55db_o-300x200In our report, “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians,” we discussed the regularity at which government agencies gain access to telecommunications data. Save for the Canadian Border Services Agency, federal government agencies that are principally responsible for conducting domestic telecommunications surveillance, such as the Royal Canadian Mounted Police, could not account for how often they use their surveillance powers.

In the course of investigating government access to telecommunications data we also contacted regional policing departments. This post expands on findings we provided in our report to discuss, in depth, the data provided by responsive police departments. We conclude by asserting that new legislation must be introduced and passed so that Canadians become aware of the magnitude of contemporary telecommunications surveillance that policing organizations are involved in on a yearly basis.

Requests to Police Departments

We filed requests to Canadian police departments to determine how often individual departments were exercising telecommunications surveillance powers. Though our report principally focused on federal government agencies’ surveillance, we had hoped to effectively juxtapose provincial/municipal telecommunications surveillance against their federal brethren. We ultimately decided to not conduct a detailed juxtaposition in the report because an insufficient number of police departments responded to our legally-binding requests for access to government data in time for publication.

We filed requests for information to police departments operating in Nova Scotia, Ontario, Alberta, and British Columbia. These requests identified the provincial statutes we were relying on to request information. We paid fees to the various police departments to initiate the processing of the requests. The only two police departments that were responsive to our requests were the Halifax and Vancouver police departments. The most notable non-responsive departments police the cities of Calgary and Toronto.

Continue reading

« Older posts