Last year a report that I wrote for the Centre for Law and Democracy was published online. The report, “Transparency in Surveillance: Role of various intermediaries in facilitating state surveillance transparency,” discusses how governments have expanded their surveillance capabilities in an effort to enhance law enforcement, foreign intelligence, and cybersecurity powers and the implications of such expansions. After some of these powers are outlined and the impact on communicating parties clarified, I explore how the voluntary activities undertaken by communications intermediaries can also facilitate government surveillance activities. However, while private companies can facilitate government surveillance they can also facilitate transparency surrounding the surveillance by proactively working to inform their users about government activities. The report concluded by discussing the broader implications of contemporary state surveillance practices, with a focus on the chilling effects that these practices have on social discourse writ large.
Cite as: Parsons, Christopher. (2016). “Transparency in Surveillance: Role of various intermediaries in facilitating state surveillance transparency,” Centre for Law and Democracy. Available at: http://responsible-tech.org/wp-content/uploads/2016/06/Parsons.pdf
Read “Transparency in Surveillance: Role of various intermediaries in facilitating state surveillance transparency“
American and British officials have been warning with an increasing sense of purported urgency that their inability to decrypt communications could have serious consequences. American authorities have claimed that if they cannot demand decrypted communications from telecommunications providers then serious crimes may go unsolved. In the UK this danger is often accentuated by the threat of terrorism. In both nations, security and policing services warn that increased use of encryption is causing communications to ‘go dark’ and thus be inaccessible to policing and security services. These dire warnings of the threats potentially posed by criminals and terrorists ‘going dark’ have been matched over the years with proposals that would regulate encryption or mandate backdoors into any otherwise secure system. Comparatively little has been said about Canada’s long-standing efforts to inhibit end-user encryption despite the federal government’s longstanding efforts to restrict the security provided to Canadians by encryption.
This article outlines some of the federal government of Canada’s successful and unsuccessful attempts to weaken cryptographic standards. It starts by explaining (in brief) what communications encryption is, why it matters, and the implications of enabling unauthorized parties to decrypt communications. With this primer out of the way, we discuss why all of Canada’s mobile telecommunications carriers agree to implement cryptographic weaknesses in their service offerings. Next, we discuss the legislation that can be used to compel telecommunications service providers to disclose decryption keys to government authorities. We then briefly note how Canada’s premier cryptologic agency, the Communications Security Establishment (CSE), successfully compromised global encryption standards. We conclude the post by arguing that though Canadian officials have not been as publicly vocal about a perceived need to undermine cryptographic standards the government of Canada nevertheless has a history of successfully weakening encryption available to and used by Canadians.
Lawful access legislation was recently (re)tabled by the Government of Canada in November 2013. This class of legislation enhances investigative and intelligence-gathering powers, typically by extending search and seizure provisions, communications interception capabilities, and subscriber data disclosure powers. The current proposed iteration of the Canadian legislation would offer tools to combat inappropriate disclosure of intimate images as well as extend more general lawful access provisions. One of the little-discussed elements of the legislation is that it will empower government authorities to covertly install, activate, monitor, and remove software designed to track Canadians’ location and ‘transmission data.’
In this post I begin by briefly discussing this class of government-used malicious surveillance software, which I refer to as ‘govware’. Next, I outline how Bill C–13 would authorize the use of govware. I conclude by raising questions about whether this legislation will lead government agencies to compete with one another, with some agencies finding and using security vulnerabilities, and others finding and fixing the vulnerabilities such tools rely. I also argue that a fulsome debate must be had about govware based on how it can broadly threaten Canadians’ digital security. Continue reading
The issue of lawful access has repeatedly arisen on the Canadian federal agenda. Every time that the legislation has been introduced Canadians have opposed the notion of authorities gaining warrantless access to subscriber data, to the point where the most recent version of the lawful access legislation dropped this provision. It would seem, however, that the real motivation for dropping the provision may follow from the facts on the ground: Canadian authorities already routinely and massively collect subscriber data without significant pushback by Canada’s service providers. And whereas the prior iteration of the lawful access legislation (i.e. C–30) would have required authorities to report on their access to this data the current iteration of the legislation (i.e. C–13) lacks this accountability safeguard.
In March 2014, MP Charmaine Borg received responses from federal agencies (.pdf) concerning the agencies’ requests for subscriber-related information from telecommunications service providers (TSPs). Those responses demonstrate extensive and unaccountable federal government surveillance of Canadians. I begin this post by discussing the political significance of MP Borg’s questions and then proceed to granularly identify major findings from the federal agencies’ respective responses. After providing these empirical details and discussing their significance, I conclude by arguing that the ‘subscriber information loophole’ urgently needs to be closed and that federal agencies must be made accountable to their masters, the Canadian public.
Last month I, along with a series of academic researchers and civil liberties organizations, asked Canada’s leading Telecommunications Services Providers (TSPs) to disclose how, why, and how often they provide telecommunications information pertaining to their subscribers to state agencies. We received responses from ten of sixteen companies a little over a month later. Many of the companies steadfastly refused to provide any information beyond assertions that they protected Canadians’ privacy, that they were largely prohibited from providing any specific information because of national security or confidentiality of investigative techniques reasons, and that the signatories to the letter would be better suited contacting the government directly.
Less directly, I’ve heard from a series of high-profile figures in Canada’s telecommunications industry and national security community. Some figures in the telecommunications industry expressed concern about Canadians’ privacy but indicated that they lacked the time, inclination, resources, or sufficient buy-in to ascertain what they could do to render their companies’ practices more transparent. TELUS is on record as stating they would “request the Government to clarify and limit the scope of current confidentiality requirements and to consider measures to facilitate greater transparency.” Members of the national security community worried about enhancing Canadians’ trust in what they do, but remained uncertain about what they could specifically recommend to their peers. Almost all the people I’ve spoken with have indicated that they would appreciate some kind of practical ‘here’s what could be done’ document that they could use to develop an internal business case for an expanded transparency regime.
This post offers some guidance for how companies can improve their transparency practices, along with why particular proposals should be adopted. Specifically, I identify three things that companies do in the order of least to most challenging tasks. They could disclose data retention periods, make their lawful access handbooks available to the public, and produce full-bodied transparency reports. Critically, the first two of these proposals would just require publicizing documentation that Canada’s TSPs already retain. After outlining all three proposals, I conclude by explaining why corporate transparency needs to be complemented by government accountability.
Lawful access was a contentious issue on the Canadian agenda when it was initially introduced by the Martin government, and has become even more disputed as subsequent governments have introduced their own iterations of the Liberal legislation. Last year the current majority government introduced Bill C-30, the Protecting Children from Internet Predators Act. In the face of public outcry the government sent the bill to committee prior to a vote on second reading, and most recently declared the bill dead.
Last year I began research concerning alternate means of instituting lawful access powers in Canada. Specifically, I explored whether a ‘backdoor’ had been found to advance various lawful access powers: was Industry Canada, through the 700MHz spectrum consultation, and Public Safety, through its changes to how communications are intercepted, effectively establishing the necessary conditions for lawful access by compliance fiat?
In this post I try to work through aspects of this question. I begin by briefly unpacking some key elements of Bill C-30 and then proceed to give an overview of the spectrum consultation. This overview will touch on proposed changes to lawful intercept standards. I then suggest how changes to the intercept standards could affect Canadians, as well as (re)iterate the importance of publicly discussing expansions to lawful access and intercept powers instead of expanding these powers through regulatory and compliance backdoors.