The Limits of Tower Dump Privacy Protections in Canada

On January 14, 2016, the Ontario Superior Court ruled that “tower dumps” – the mass release of data collected by cellphone towers at the request of law enforcement agencies – violate privacy rights under the Canadian Charter of Rights and Freedoms. In response, Justice Sproat outlined a series of guidelines for authorities to adhere to when requesting tower dump warrants in the future.

I wrote about this case for PEN Canada. I began by summarizing the issue of the case and then proceeded to outline some of the highlights of Justice Sproat’s decision. The conclusion of the article focuses on the limits of that decision: it does not promote statutory reporting of tower dumps and thus Canadians will not learn how often such requests are made; it does not require notifying those affected by tower dumps; it does not mean Canadians will know if data collected in a tower dump is used in a subsequent process against them. Finally, the guidelines are not precedent-setting and so do not represent binding obligations on authorities requesting the relevant production orders.


Photo credit: cell tower next to the casita by dasroofless (CC BY-NC-ND 2.0) https://flic.kr/p/rGxgj

Canada’s Quiet History Of Weakening Communications Encryption

American and British officials have been warning with an increasing sense of purported urgency that their inability to decrypt communications could have serious consequences. American authorities have claimed that if they cannot demand decrypted communications from telecommunications providers then serious crimes may go unsolved. In the UK this danger is often accentuated by the threat of terrorism. In both nations, security and policing services warn that increased use of encryption is causing communications to ‘go dark’ and thus be inaccessible to policing and security services. These dire warnings of the threats potentially posed by criminals and terrorists ‘going dark’ have been matched over the years with proposals that would regulate encryption or mandate backdoors into any otherwise secure system. Comparatively little has been said about the federal government of Canada’s long-standing efforts to inhibit end-user encryption and to restrict the security that encryption provides to Canadians.

This article outlines some of the federal government of Canada’s successful and unsuccessful attempts to weaken cryptographic standards. It starts by explaining (in brief) what communications encryption is, why it matters, and the implications of enabling unauthorized parties to decrypt communications. With this primer out of the way, we discuss why all of Canada’s mobile telecommunications carriers agree to implement cryptographic weaknesses in their service offerings. Next, we discuss the legislation that can be used to compel telecommunications service providers to disclose decryption keys to government authorities. We then briefly note how Canada’s premier cryptologic agency, the Communications Security Establishment (CSE), successfully compromised global encryption standards. We conclude the post by arguing that, though Canadian officials have not been as publicly vocal about a perceived need to undermine cryptographic standards, the government of Canada nevertheless has a history of successfully weakening encryption available to and used by Canadians.


New Update to the SIGINT Summaries

I have added one new item to the SIGINT Summaries page. The Summaries include downloadable copies of leaked Communications Security Establishment (CSE) documents, along with summary, publication, and original source information.[1] CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

Documents were often produced by CSE’s closest partners which, collectively, form the ‘Five Eyes’ intelligence network. This network includes the CSE, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), Australian Signals Directorate (ASD),[2] and Government Communications Security Bureau (GCSB).

All of the documents are available for download from this website. Though I am hosting the documents, they were all first published by another party. The new documents and their summaries are listed below. The full list of documents and their summary information is available on the Canadian SIGINT Summaries page.

The new contribution comes from documents released by CBC and covers how Five Eyes intelligence analysts correlated telephony and mobile Internet communications information. For the first time I have noted, in the summary block, all of the codenames that were mentioned in the redacted document.

Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT)

Summary: This slide deck showcases some of the activities, and successes, of the Network Tradecraft Advancement Team (NTAT). The slides focus on how to develop and document tradecraft which is used to correlate telephony and Internet data. Two separate workshops are discussed, one in 2011 and another in 2012. Workshop outcomes included identifying potentially converged data (between telephony and Internet data) as well as geolocating mobile phone application servers. A common mobile gateway identification analytic was adopted by three agencies, including DSD. NTAT had also adopted the CRAFTY SHACK tradecraft documentation system over the course of these workshops.

In an experiment, codenamed IRRITANT HORN, analysts explored whether they could identify connections between a potentially ‘revolutionary’ country and mobile applications servers. They successfully correlated connections with application servers which opened up the potential to conduct Man in the Middle attacks or effect operations towards the mobile devices, as well as the potential to harvest data in transit and at rest from the devices. In the profiling of mobile applications servers it appears that EONBLUE was used to collect information about a company named Poynt; that company’s application was being used by Blackberry users, and the servers profiled were located in Calgary, Alberta (Canada).

The agencies successfully found vulnerabilities in UCWeb, which was found to leak IMSI, MSISDN, IMEI, and other device characteristics. These vulnerabilities were used to discover a target and it was determined that the vulnerabilities might let a SIGINT agency serve malware to the target. A ‘microplugin’ for XKeyscore was developed so that analysts could quickly surface UCWeb-related SIGINT material. (NOTE: The Citizen Lab analyzed later versions of UCWeb and found vulnerabilities that were subsequently patched by the company. For more, see: “A Chatty Squirrel: Privacy and Security Issues with UC Browser.”)

Document Published: May 21, 2015
Document Dated: 2012 or later
Document Length: 52 pages (slides plus notes)
Associated Article: Spy agencies target mobile phones, app stores to implant spyware
Download Document: Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT)
Codenames mentioned: ATLAS, ATHENA, BLAZING SADDLES, CRAFTY SHACK, DANAUS, EONBLUE, FRETTING YETI, HYPERION, IRRITANT HORN, MASTERSHAKE, PEITHO, PLINK, SCORPIOFORE

Footnotes


  1.  Formally known as the Communications Security Establishment Canada (CSEC). 
  2.  The ASD was formerly known as the Defence Signals Directorate (DSD). 

Responding to the Crisis in Canadian Telecommunications

On April 29, 2014 the Interim Privacy Commissioner of Canada, Chantal Bernier, revealed that Canadian telecommunications companies have disclosed enormous volumes of information to state agencies. These agencies can include the Royal Canadian Mounted Police, Canadian Security Intelligence Service, Canadian Border Services Agency, as well as provincial and municipal authorities. Commissioner Bernier’s disclosure followed on news that federal agencies such as the Canadian Border Services Agency requested access to Canadians’ subscriber data over 19 thousand times in a year, as well as the refusal of Canadian telecommunications companies to publicly disclose how, why, and how often they disclose information to state agencies.

This post argues that Canadians are not powerless. They can use existing laws to try and learn whether their communications companies are disclosing their personal information to state agencies. I begin by explaining why Canadians have a legal right to compel companies to disclose the information that they generate and collect about Canadians. I then provide a template letter that Canadians can fill in and issue to the telecommunications companies providing them with service, as well as some of the contact information for major Canadian telecommunications companies. Finally, I’ll provide a few tips on what to do if companies refuse to respond to your requests and conclude by explaining why it’s so important that Canadians send these demands to companies providing them with phone, wireless, and internet service.


Towards Transparency in Canadian Telecommunications

Telecommunications services providers that offer Internet and phone service play central roles in the daily lives of Canadians. The services that these companies provide are essential for contemporary living; we rely on these services to access our email, make or receive our phone calls and text messages, check and update our social media feeds, and figure out how to get where we are going by way of GPS. Our lives are predominantly channeled through these companies’ digital networks, to the extent that Canadian telecommunications service providers are functionally the gatekeepers Canadians must pass by before accessing the Internet, or phone networks, at large. Today, Canadian scholars and civil liberties organizations have come together to ask that many of Canada’s most preeminent telecommunications companies disclose the kinds, amounts, and regularity at which state agencies request telecommunications data pertaining to Canadians.

Canadian state agencies often request access to the subscriber and telecommunications data held by these Canadian companies, as befits the companies’ privileged roles in our lives. [1] Sometimes access is gained using a court order, sometimes it is not. Sometimes requests are for circumspect amounts of information, and other times for greater volumes of data. To date, however, interested Canadians have had only vague understandings of how, why, and how often Canadian telecommunications providers have disclosed information to government agencies. Given the importance of such systems to Canadians’ lives, and the government’s repeated allegations that more access is needed to ensure the safety of Canadians, more data is needed for scholars, civil rights organizations, and the public to understand, appreciate, and reach informed conclusions about the legitimacy of such allegations.

Our call for telecommunications transparency is in line with actions taken in the United States, where politicians such as Representative Markey have successfully asked telecommunications service providers to explain the types of requests made by American state agencies for telecommunications data, the regularity of such requests, and the amounts of data disclosed. [2] Moreover, American companies are developing more and more robust ‘transparency reports’ to clarify to their subscribers how often, and on what grounds, the companies disclose subscriber information to American state authorities. There is no reason why similar good practices cannot be instantiated in Canada as well.

Over the past decade, Canadians have repeatedly heard that law enforcement professionals and state security agents need enhanced access to telecommunications data in order to go about their jobs.[3] And Canadians have read about how our own signals intelligence service, the Communications Security Establishment Canada, has been and continues to be involved in surveillance operations that ‘incidentally’ capture Canadians’ personal information. [4] Despite these developments in Canada, there is not a substantially greater degree of actual transparency into how and why Canadian telecommunications service providers disclose information to agents of the Canadian government.

It is in light of this ongoing lack of transparency surrounding telecommunications providers’ disclosure of information to state authorities that we, a series of academics and civil rights groups, have issued public letters to many of Canada’s largest or most significant Internet and mobile communications providers. We hope that Canada’s telecommunications community will welcome these letters in the spirit they are intended: to make clearer to Canadians the specific conditions under which the Canadian government can and does access telecommunications information pertaining to Canadians, the regularity at which such access is granted, and the conditions under which telecommunications companies disclose information to state agencies.

The responses to these letters will enable superior scholarly analyses of Canadian state agency practices, evaluations of proposed federal legislation, and analysis of government agencies’ current access to data that is held or transmitted by Canadian telecommunications companies. These responses will also enable better comparisons between the Canadian and American situations; too often, scholars, advocates, and policy analysts have been forced to transpose American realities onto what might be occurring in Canada. With real Canadian data in hand, it will be possible to more affirmatively differentiate between the state surveillance practices in Canada and the US, as well as to assess existing and proposed mechanisms that state agencies use to access telecommunications data pertaining to Canadians.

These letters were issued by letter mail and, where possible, by e-mail on January 20, 2014. We have requested that the companies respond, or provide a commitment to respond, by March 3, 2014. Below are .pdf copies of the letters that we sent; we look forward to hearing back from the recipients.

Letters sent to Canadian telecommunications service providers


  1. Nicholas Koutros and Julien Demers, “Big Brother’s Shadow: Historical Decline in Reported Use of Electronic Surveillance by Canadian Federal Law Enforcement,” SSRN, February 3, 2013, accessed December 13, 2013, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2220740; Andrea Slane and Lisa Austin, “What’s in a Name? Privacy and Citizenship in the Voluntary Disclosure of Subscriber Information in Online Child Exploitation Investigations,” Criminal Law Quarterly (57) (2011); Ian Kerr and Daphne Gilbert, “The Role of ISPs in the Investigation of Cybercrime,” in Information Ethics in the Electronic Age: Current Issues in Africa and the World, ed. Johannes J. Britz and Tom Mendina (Jefferson, North Carolina: McFarland & Company Inc, 2004).
  2. Eric Lichtblau, “More Demands on Cell Carriers in Surveillance,” New York Times, July 8, 2012, accessed January 19, 2014, http://www.nytimes.com/2012/07/09/us/cell-carriers-see-uptick-in-requests-to-aid-surveillance.html; Brian X. Chen, “A Senator Plans Legislation to Narrow Authorities’ Cellphone Data Requests,” New York Times, December 9, 2013, accessed January 19, 2014, http://www.nytimes.com/2013/12/09/technology/a-senator-plans-legislation-to-narrow-authorities-cellphone-data-requests.html.
  3. Jesse Kline, “Vic Toews draws line on lawful access: You’re with us, or the child pornographers,” National Post, February 14, 2012, accessed January 19, 2014, http://fullcomment.nationalpost.com/2012/02/14/vic-toews-draws-line-on-lawful-access-youre-with-us-or-the-child-pornographers/; Jane Taber, “New cyberbullying laws should pass this spring, Justice Minister says,” The Globe and Mail, January 9, 2014, accessed January 19, 2014, http://www.theglobeandmail.com/news/politics/new-cyberbullying-laws-should-pass-this-spring-justice-minister-says/article16253334/.
  4. Ian MacLeod, “Spy agency admits it spies on Canadians ‘incidentally’,” Ottawa Citizen, January 6, 2014, accessed January 19, 2014, http://www.ottawacitizen.com/news/agency+admits+spies+Canadians+incidentally/9356255/story.html.

Note: This post first appeared on the Citizen Lab website.

Canadian Social Media Surveillance: Today and Tomorrow

Image by Maureen Flynn-Burhoe

After disappearing for an extended period of time – to the point that the Globe and Mail reported that the legislation was dead – the federal government’s lawful access legislation is back on the agenda. In response to the Globe and Mail’s piece, the Public Safety Minister stated that the government was not shelving the legislation and, in response to the Minister’s statements, Open Media renewed the campaign against the bill. What remains to be seen is just how ‘lively’ this agenda item really is; it’s unclear whether the legislation remains on a back burner or if the government is truly taking it up.

While the politics of lawful access have been taken up by other parties, I’ve been poring through articles and ATIP requests related to existing and future policing powers in Canada. In this post I first (quickly) outline communications penetration in Canada, with a focus on how social media services are used. This will underscore just how widely Canadians use digitally-mediated communications systems and, by extension, how many Canadians may be affected by lawful access powers. I then draw from publicly accessible sources to outline how authorities presently monitor social media. Next, I turn to documents that have been released through federal access to information laws to explicate how the government envisions the ‘nuts and bolts’ of their lawful access legislation. This post concludes with a brief discussion of the kind of oversight that is most appropriate for the powers that the government is seeking.
