Facebook

Advancing Encryption for the Masses

/ Christopher Parsons

CryptographyEdward Snowden’s revelations have made it incredibly obvious that signals intelligence agencies have focused a lot of their time and energy in tracking people as they browse the web. Such tracking is often possible at a global scale because so much of the data that crosses the Internet is unencrypted. Fortunately, the ease of such surveillance is being curtailed by large corporations and advocacy organizations alike.

Today, WhatsApp and Open Whisper Systems announced they have been providing, and will continue to deploy, what’s called ‘end to end’ encryption to WhatsApp users. This form of encryption ensures that the contents of subscribers’ communications are be secured from third-party content monitoring as it transits from a sender’s phone to a recipient’s device.

As a result of these actions, WhatsApp users will enjoy a massive boost in their communications security. And it demonstrates that Facebook, the owner of WhatsApp, is willing to enhance the security of its users even when such actions are likely to provoke and upset surveillance-hawks around the world who are more interested in spying on Facebook and WhatsApp subscribers than in protecting them from surveillance.

A separate, but thematically related, blog post the Electronic Frontier Foundation announced the creation of a new Certificate Authority (CA) initiative called ‘Let’s Encrypt’. Partnering with the Electronic Frontier Foundation are Mozilla, Cisco, Akamai, Identrust, and researchers at the University of Michigan. CAs issue the data files that are used to cryptographically secure communications between clients (like your web browser) and servers (like EFF.org). Such encryption makes it more challenging for another party to monitor what you are sending to, and receiving from, a server you are visiting.

Key to the ‘Let’s Encrypt’ initiative is that the issued certificates will be free and installable using a script. The script is meant to automate the process of requesting, configuring, and installing the certificate. Ideally, this will mean that people with relatively little experience will be able to safely and securely set up SSL-protected websites. Academic studies have shown that even those with experience routinely fail to properly configure SSL-protections.

The aim of both of these initiatives is to increase the ‘friction’, or relative difficulty, in massively monitoring chat and web-based communications. However, it is important to recognize that neither initiative can be considered a perfect solution to surveillance.

In the case of WhatsApp and Open Whisper Systems, end to end encryption does not fix the broader problems of mobile security: if an adversary can take control of a mobile device, or has a way of capturing text that is typed into or that is displayed on the screen when you’re using WhatsApp, then any message sent or received by the device could be susceptible to surveillance. However, there is no evidence that any government agency in the world has monitored, or is currently capable of monitoring, millions or billions of devices simultaneously. There is evidence, however, of government agencies aggressively trying to monitor the servers and Internet infrastructure that applications like WhatsApp use in delivering messages between mobile devices.

Moreover, it’s unclear what Facebook’s or WhatsApp’s reaction would be if a government agency tried to force the delivery of a cryptographically broken or weakened version of WhatsApp to particular subscribers using orders issued by American, European, or Canadian courts. And, even if the companies in question fought back, what would they do if they lost the court case?

Similarly, the ‘Let’s Encrypt’ initiative relies on a mode of securing the Internet that is potentially susceptible to state interference. Governments or parties affiliated with governments have had certificates falsely issued in order to monitor communications between client devices (e.g. smartphones) and servers (e.g. Gmail). Moreover, professional developers have misconfigured commerce backends to the effect of not checking whether the certificate used to encrypt a communication belong to the right organization (i.e. not checking that the certificate used to communicate with Paypal actually belongs to Paypal). There are other issues with SSL, including a poor revocation checking mechanism, historical challenges in configuring it properly, and more. Some of these issues may be defrayed by the ‘Let’s Encrypt’ initiative because of the members’  efforts to work with the Decentralized SSL Observatory, scans.io, and Google’s Certificate Authority logs, but the initiative — and the proposals accompanying it — is not a panacea for all of the world’s online encryption problems. But it will hopefully make it more difficult for global-scale surveillance that is largely predicated on monitoring unencrypted communications between servers and clients.

Edward Snowden was deeply concerned that the documents he brought to light would be treated with indifference and that nothing would change despite the documents’ presence in the public record. While people may be interested in having more secure, and more private, communications following his revelations those interests are not necessarily translated into an ability for people to secure their communications. And the position that people must either embark on elaborate training regimes to communicate securely or just not say sensitive things, or visit sensitive places, online simply will not work: information security needs to work with at least some of the tools that people are using in their daily lives while developing new and secure ones. It doesn’t make sense to just abandon the public to their own devices while the ‘professionals’ use hard-to-use ’secured’ systems amongst themselves.

The work of WhatsApp, Facebook, Open Whisper Systems, the Electronic Frontier Foundation, and that other members of the ‘Let’s Encrypt’ initiative can massively reduce the challenges people face when trying to communicate more responsibly. And the initiatives demonstrate how the cryptographic and communications landscape is shifting in the wake of Snowden’s revelations concerning the reality of global-scale surveillance. While encryption was ultimately thrown out of the original design specifications for the Internet it’s great to see that cryptography is starting to get bolted onto the existing Internet in earnest.

Enforcing Canadian Privacy Laws Against American Social Networking Companies

/ Christopher Parsons

Photo by Jimmy Emerson

As mentioned previously, I’ve been conducting research with academics at the University of Victoria to understand the relationship(s) between social networking companies’ data access, retention, and disclosure policies for the past several months. One aspect of our work addresses the concept of jurisdiction: what systems of rules mediate or direct how social media companies collect, retain, use, and disclose subscribers’ personal information? To address this question we have taken up how major social networking companies comply, or not, with some of the most basic facets of Canadian privacy law: the right to request one’s own data from these companies. Our research has been supported by funding provided through the Office of the Privacy Commissioner of Canada’s contributions program. All our research has been conducted independently of the Office and none of our findings necessarily reflect the Commissioner’s positions. As part of our methodology, while we may report on our access requests being stymied, we are not filing complaints with the federal Commissioner’s office.

Colin Bennett first presented a version of this paper, titled “Real and Substantial Connections: Enforcing Canadian Privacy Laws Against American Social Networking Companies” at an Asian Privacy Scholars event and, based on comments and feedback, we have revised that work for a forthcoming conference presentation in Malta. Below is the abstract of the paper, as well as a link to the Social Science Research Network site that is hosting the paper.

Abstract:

Any organization that captures personal data in Canada for processing is deemed to have a “real and substantial connection” to Canada and fall within the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA) and of the Office of the Privacy Commissioner of Canada. What has been the experience of enforcing Canadian privacy protection law on US-based social networking services? We analyze some of the high-profile enforcement actions by the Privacy Commissioner. We also test compliance through an analysis of the privacy policies of the top 23 SNSs operating in Canada with the use of access to personal information requests. Most of these companies have failed to implement some of the most elementary requirements of data protection law. We conclude that an institutionalization of non-compliance is widespread, explained by the countervailing conceptions of jurisdiction inherent in corporate policy and technical system design.

Download the paper at SSRN

Graph Search and ‘Risky’ Communicative Domains

/ Christopher Parsons

Photo by Lynn Friedman

There have been lots of good critiques and comments concerning Facebook’s recently announced “Graph Search” product. Graph Search lets individuals semantically query large datasets that are associated with data shared by their friends, friends-of-friends, and the public more generally. Greg Satell tries to put the product in context – Graph Search is really a a way for corporations to peer into our lives –  and a series of articles have tried to unpack the privacy implications of Facebook’s newest product.

I want to talk less directly about privacy, and more about how Graph Search threatens to further limit discourse on the network. While privacy is clearly implicated throughout the post, we can think of privacy beyond just a loss for the individual and more about the broader social impacts of its loss. Specifically, I want to briefly reflect on how Graph Search (further?) transforms Facebook into a hostile discursive domain, and what this might mean for Facebook users.

Continue reading

Forgetting, Non-Forgetting and Quasi-Forgetting in Social Networking

/ Christopher Parsons

Image by fake is the new real

For the past several months I’ve been conducting research with academics at the University of Victoria to understand the relationship(s) between social networking companies’ data access, retention, and disclosure policies. One element of of this research has involved testing whether these networks comply with the Personal Information Protection and Electronic Documents Act; do social networks provide subscribers access to their personal data when a subscriber asks? Another element has involved evaluating the privacy policies of major social networks: how do these companies understand access, retention, and disclosure of subscriber data? We’ve also been investigating how law enforcement agencies access, and use, data from social networking companies. This research has been supported by funding provided through the Office of the Privacy Commissioner of Canada’s contributions program. All our research has been conducted independently of the Office and none of our findings necessarily reflect the Commissioner’s positions.

Colin Bennett presented a draft of one of the academic papers emergent from this research, titled “Forgetting, Non-Forgetting and Quasi-Forgetting in Social Networking: Canadian Policy and Corporate Practices.” It was given at the 2013 Computers, Privacy and Data Protection Conference. Below is the abstract of the paper, as well as a link to the Social Science Research Network site that is hosting the paper.

Abstract:

In this paper we analyze some of the practical realities around deleting personal data on social networks with respect to the Canadian regime of privacy protection. We first discuss the extent to which the European right to be forgotten is, and is not, reflected in Canadian privacy law, in regulation, and in the decisions of the Office of the Privacy Commissioner of Canada. After outlining the limitations of Canadian law we turn to corporate organizational practices. Our analyses of social networking sites’ privacy policies reveal how poorly companies recognize the right to be forgotten in their existing privacy commitments and practices. Next, we turn to Law Enforcement Authorities (LEAs) and how their practices challenge the right because of LEAs’ own capture, processing, and retention of social networking information. We conclude by identifying lessons from the Canadian experience and raising them against the intense transatlantic struggle over the scope of the new Draft Regulation.

Download paper at SSRN (Download from alternate source)

How To Get Your Personal Information From Social Networks

/ Christopher Parsons / 5 Comments

Photo by Evan Long

Canadian news routinely highlights the ‘dangers’ that can be associated with social networking companies collecting and storing information about Canadian citizens. Stories and articles regularly discuss how hackers can misuse your personal information, how companies store ‘everything’ about you, and how collected data is disclosed to unscrupulous third parties. While many of these stories are accurate, insofar as they cover specific instances of harm and risky behaviour, they tend to lack an important next step; they rarely explain how Canadians can get educated on data collection, retention, and disclosure processes.

Let’s be honest: any next step has to be reasonable. Expecting Canadians to flee social media en masse and return to letter writing isn’t an acceptable (or, really, an appropriate) response. Similarly, saying “tighten your privacy controls” or “be careful what you post” are of modest value, at best; many Canadians are realizing that tightening their privacy controls does little when the companies can (and do) change their privacy settings without any notice. This post is inspired by a different next step. Rather than being inspired by fear emergent from ‘the sky is falling’ news stories, what if you were inspired by knowledge that you, yourself, gained? In what follows I walk you through how to compel social networking companies to disclose what information they have about you. In the process of filing these requests you’ll learn a lot more about being a member of these social networking services and, based on what you learn, can decide whether you want to change your involvement with particular social media companies.

I start by explaining why Canadians have a legal right to compel companies to disclose and make available the information that they retain about Canadian citizens. I then provide a template letter that you can send to social networking organizations with which you have a preexisting relationship. This template is, in effect, a tool that you can use to compel companies to disclose your personal information. After providing the template I explain the significance of some of the items contained in it. Next, I outline some of the difficulties or challenges you might have in requesting your personal information and a few ways to counteract those problems. Finally, I explain how you can complain if a company does not meet its legal obligation to provide you with a copy of your personal information. By the end of this post, you’ll have everything you need to request your personal information from the social networking services to which you subscribe. Continue reading

Brief: Social Networking and Canadian Privacy Law

/ Christopher Parsons

Image by Jessica

Last year I was invited to submit a brief to the Canadian Parliament’s Access to Information, Privacy and Ethics Committee. For my submission (.pdf), I tried to capture some of of the preliminary research findings that have been derived from social media and surveillance project I’m co-investigating with Colin Bennett. Specifically, the brief focuses on questions of jurisdiction, data retention, and data disclosure in the context of social media use in Canada. The ultimate aim of the submission was to give the committee members insight into the problems that Canadians experience when accessing the records held by social networking companies.

The project, and our research for it, has been funded through the Office of the Privacy Commissioner’s Contributions Program. Anything contained in the brief is not necessarily representative of the Office’s own positions or stances.

Abstract/Introduction:

In this submission, I highlight some of our analyses of 20 social networking sites’ privacy  policies and findings about Canadians’ ability to access their own personal information that social networking sites store. These findings let us understand how the companies running these services understand their legal jurisdictional obligations and the retention of personally identifiable information. Moreover, these discoveries let us ascertain the actual access that Canadians have to profiles that they and the identities that networking services Canadians associate with are developing. Together, these points reveal how social networking companies understand Canadians’ personal information, the conditions of data sharing, and the level of ease with which Canadians can access the information that they themselves contribute to these services. I conclude this submission by suggesting a few ways that could encourage these companies to more significantly comply with Canadian privacy laws.

Download (.pdf) “Social Networking and Canadian Privacy Law: Jurisdiction, Retention, and Disclosure