Canada

How to Dispel the Confusion Around iMessage Security

/ Christopher Parsons / 2 Comments

Image by Graham BrennaApple’s hardware and communications products continue to be widely purchased and used by people around the world. Comscore reported in March 2013 that Apple enjoyed a 35% market penetration in Canada, and their desktop and mobile computing devices remain popular choices for consumers. A messaging service, iMessage, spans the entire Apple product line. The company has stated that it “cannot decrypt that data.”

Apple’s statements concerning iMessage’s security are highly suspect. In what follows I summarize some of the serious questions about Apple’s encryption schemas. I then discuss why it’s important for consumers to know whether iMessages are secure from third-party interception. I conclude by outlining how Canadians who use the iMessage application can use Canadian privacy law to ascertain the validity of Apple’s claims against those of the company’s critics. Continue reading

Enforcing Canadian Privacy Laws Against American Social Networking Companies

/ Christopher Parsons

Photo by Jimmy Emerson

As mentioned previously, I’ve been conducting research with academics at the University of Victoria to understand the relationship(s) between social networking companies’ data access, retention, and disclosure policies for the past several months. One aspect of our work addresses the concept of jurisdiction: what systems of rules mediate or direct how social media companies collect, retain, use, and disclose subscribers’ personal information? To address this question we have taken up how major social networking companies comply, or not, with some of the most basic facets of Canadian privacy law: the right to request one’s own data from these companies. Our research has been supported by funding provided through the Office of the Privacy Commissioner of Canada’s contributions program. All our research has been conducted independently of the Office and none of our findings necessarily reflect the Commissioner’s positions. As part of our methodology, while we may report on our access requests being stymied, we are not filing complaints with the federal Commissioner’s office.

Colin Bennett first presented a version of this paper, titled “Real and Substantial Connections: Enforcing Canadian Privacy Laws Against American Social Networking Companies” at an Asian Privacy Scholars event and, based on comments and feedback, we have revised that work for a forthcoming conference presentation in Malta. Below is the abstract of the paper, as well as a link to the Social Science Research Network site that is hosting the paper.

Abstract:

Any organization that captures personal data in Canada for processing is deemed to have a “real and substantial connection” to Canada and fall within the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA) and of the Office of the Privacy Commissioner of Canada. What has been the experience of enforcing Canadian privacy protection law on US-based social networking services? We analyze some of the high-profile enforcement actions by the Privacy Commissioner. We also test compliance through an analysis of the privacy policies of the top 23 SNSs operating in Canada with the use of access to personal information requests. Most of these companies have failed to implement some of the most elementary requirements of data protection law. We conclude that an institutionalization of non-compliance is widespread, explained by the countervailing conceptions of jurisdiction inherent in corporate policy and technical system design.

Download the paper at SSRN

Lawful Access is Dead; Long Live Lawful Intercept!

/ Christopher Parsons

Honest PhoneLawful access was a contentious issue on the Canadian agenda when it was initially introduced by the Martin government, and has become even more disputed as subsequent governments have introduced their own iterations of the Liberal legislation. Last year the current majority government introduced Bill C-30, the Protecting Children from Internet Predators Act. In the face of public outcry the government sent the bill to committee prior to a vote on second reading, and most recently declared the bill dead.

Last year I began research concerning alternate means of instituting lawful access powers in Canada. Specifically, I explored whether a ‘backdoor’ had been found to advance various lawful access powers: was Industry Canada, through the 700MHz spectrum consultation, and Public Safety, through its changes to how communications are intercepted, effectively establishing the necessary conditions for lawful access by compliance fiat?

In this post I try to work through aspects of this question. I begin by briefly unpacking some key elements of Bill C-30 and then proceed to give an overview of the spectrum consultation. This overview will touch on proposed changes to lawful intercept standards. I then suggest how changes to the intercept standards could affect Canadians, as well as (re)iterate the importance of publicly discussing expansions to lawful access and intercept powers instead of expanding these powers through regulatory and compliance backdoors.

Continue reading

Forgetting, Non-Forgetting and Quasi-Forgetting in Social Networking

/ Christopher Parsons

Image by fake is the new real

For the past several months I’ve been conducting research with academics at the University of Victoria to understand the relationship(s) between social networking companies’ data access, retention, and disclosure policies. One element of of this research has involved testing whether these networks comply with the Personal Information Protection and Electronic Documents Act; do social networks provide subscribers access to their personal data when a subscriber asks? Another element has involved evaluating the privacy policies of major social networks: how do these companies understand access, retention, and disclosure of subscriber data? We’ve also been investigating how law enforcement agencies access, and use, data from social networking companies. This research has been supported by funding provided through the Office of the Privacy Commissioner of Canada’s contributions program. All our research has been conducted independently of the Office and none of our findings necessarily reflect the Commissioner’s positions.

Colin Bennett presented a draft of one of the academic papers emergent from this research, titled “Forgetting, Non-Forgetting and Quasi-Forgetting in Social Networking: Canadian Policy and Corporate Practices.” It was given at the 2013 Computers, Privacy and Data Protection Conference. Below is the abstract of the paper, as well as a link to the Social Science Research Network site that is hosting the paper.

Abstract:

In this paper we analyze some of the practical realities around deleting personal data on social networks with respect to the Canadian regime of privacy protection. We first discuss the extent to which the European right to be forgotten is, and is not, reflected in Canadian privacy law, in regulation, and in the decisions of the Office of the Privacy Commissioner of Canada. After outlining the limitations of Canadian law we turn to corporate organizational practices. Our analyses of social networking sites’ privacy policies reveal how poorly companies recognize the right to be forgotten in their existing privacy commitments and practices. Next, we turn to Law Enforcement Authorities (LEAs) and how their practices challenge the right because of LEAs’ own capture, processing, and retention of social networking information. We conclude by identifying lessons from the Canadian experience and raising them against the intense transatlantic struggle over the scope of the new Draft Regulation.

Download paper at SSRN (Download from alternate source)

Understanding the Lawful Access Decryption Requirement

/ Christopher Parsons

Photo by walknboston

For several months I and a handful of others in the Canadian privacy and security community have been mulling over what Bill C-30, better known as Canada’s ‘lawful access’ legislation, might mean for the future of encryption policy in Canada. Today, I’m happy to announce that one of the fruits of these conversation, a paper that I’ve been working on with Kevin McArthur, is now public. The paper, titled “Understanding the Lawful Access Decryption Requirement,” spends a considerable amount of time considering the potential implications of the legislation. Our analysis considers how C-30 might force companies to adopt key escrows, or decryption key repositories. After identifying some of the problems associated with these repositories, we suggest how to amend the legislation to ensure that corporations will not have to establish key escrows. We conclude by outlining the dangers of leaving the legislative language as it stands today. The full abstract, and download link, follows.

Abstract

Canada’s lawful access legislation, Bill C-30, includes a section that imposes decryption requirements on telecommunications service providers. In this paper we analyze these requirements to conclude that they may force service providers to establish key escrow, or decryption key retention, programs. We demonstrate the significance of these requirements by analyzing the implications that such programs could have for online service providers, companies that provide client software to access cloud services, and the subscribers of such online services. The paper concludes by suggesting an amendment to the bill, to ensure that corporations will not have to establish escrows, and by speaking to the dangers of not implementing such an amendment.

Download paper at the Social Sciences Research Network

(Draft) ANPR: Code and Rhetorics of Compliance

/ Christopher Parsons

Image by ntr23

For roughly the past two years I’ve been working with colleagues to learn how Automatic Number Plate Recognition (ANPR) systems are used in British Columbia, Canada’s westernmost province. As a result of this research one colleague, Rob Wipond, has published two articles on how local authorities and the RCMP are using ANPR technologies. Last February I disclosed some of our findings at the Reboot privacy and security conference, highlighting potential uses of the technology and many of the access to information challenges that we had experienced with respect to our research. Another, Kevin McArthur has written several pieces about ANPR on his website over the years and is largely responsible for Rob and I getting interested, and involved, in researching the technology and the practices associated with it.

The most recent piece of work to come out of our research is a paper that I, Joseph Savirimuthu, Rob, and Kevin have written. Joseph and I will be presenting it in Florence later this month. The paper, titled “ANPR: Code and Rhetorics of Compliance,” examines BC and UK deployments of ANPR systems to explore the rationales and obfuscations linked to the programs. The paper is presently in a late draft so if you have any comments or feedback then please send it my way. The abstract is below, and you can download the paper from the Social Sciences Research Network.

Abstract

Automatic Number Plate Recognition (ANPR) systems are gradually entering service in Canada’s western province of British Columbia and are prolifically deployed in the UK. In this paper, we compare and analyze some of the politics and practices underscoring the technology in these jurisdictions. Drawing from existing and emerging research we identify key actors and how authorities marginalize access to the systems’ operation. Such marginalization is accompanied by rhetorics of privacy and security that are used to justify novel mass surveillance practices. Authorities justify the public’s lack of access to ANPR practices and technical characteristics as a key to securing environments and making citizens ‘safe’. After analyzing incongruences between authorities’ conceptions of privacy and security, we articulate means of resisting intrusive surveillance practices by reshaping agendas surrounding ANPR.

Download paper from the Social Sciences Research Network

UPDATE: The paper is now published in the European Journal of Law and Technology