Last week I, along with a collection of Canadian experts and civil liberties groups, sent letters to many of Canada’s leading telecommunications companies. Those letters ask the companies to explain why, how often, and under what conditions they provide information to government authorities. Such information is pressing given the routine reappearance of telecommunications surveillance legislation on the government’s Order Paper. Specifically, lawful access legislation has been introduced by successive federal governments, with the requested power extensions justified on grounds that authorities cannot effectively police online criminal behaviour, on grounds that telecommunications companies do not always provide subscriber information when government authorities request it, and on grounds that such legislation will prevent terrorism/serious crimes/kidnapping/pedophilia/cyber bullying.
Only with empirical data about how, and why, state authorities presently access telecommunications data will Canadians be able to knowledgeably ascertain whether these expanded state powers are needed. Moreover, with data in hand about companies’ disclosures of subscriber information consumers can make informed choices when choosing their telecommunications providers. Specifically, such information would let consumers compare companies’ privacy practices and choose companies’ services based on privacy (along with other consumer) grounds. While many have been supportive of this public letter initiative, almost all the people that I have spoken to about the letters have voiced their skepticism that the companies would be motivated to respond. I remain optimistic that the companies will respond to demonstrate their privacy bona fides and tell their side of the story. Moreover, the requests for information about how and why state agencies access telecommunications data have been amplified today from two different sources. Continue reading
Online voting is a serious issue that Canadians need to remain aware of and/or become educated about. I’ve previously written about issues surrounding Internet-based voting, and was recently interviewed about online elections in light of problems that the National Democratic Party (NDP) had during their 2012 leadership convention. While I’m generally happy with how the interview played out – and thankful to colleagues for linking me up with the radio station I spoke on – there were a few items that didn’t get covered in the interview because of time limitations. This post is meant to take up those missed items, as well as let you go and listen to the interview for yourself.
Public Dialogue Concerning the NDP Leadership ‘Attack’
There are claims that the attacks against the NDP’s online voting system were “sophisticated” and that “the required organization and the demonstrated orchestration of the attack indicates that this was a deliberate effort to disrupt or negate the election by a knowledgeable person or group.” Neither of these statements are entirely fair or particularly accurate. Publicly disclosed information indicates that around 10,000 IP addresses were used to launch a small Distributed Denial of Service (DDoS) attack against the voting system used during the NDP’s convention. To be clear: this is a relatively tiny botnet.
While such a botnet might justifiably overwhelm some small business networks, or other organizations that haven’t seen the need to establish protections against DDoS scenarios, it absolutely should not be capable of compromising an electoral process. Such a process should be significantly hardened: scalable infrastructure ought to have been adopted, and all services ought to be sitting behind a defensible security perimeter. To give you an understanding of just how cheap a botnet (of a much larger size) can be: in 2009, a 80,000-120,000 machine botnet would run around $200/day. You even got a 3-minute trial window! In 2010, VeriSign’s iDefence Intelligence Operations Team reported that a comparable botnet would run around $9/hr or $67/day.
If a few Google searches and a couple hundred dollars from a Paypal account can get you a small botnet (and give you access to technical support to help launch the attack, depending on who you rent your bots from) then we’re not dealing with a particularly sophisticated individual or group, or an individual or group that necessarily possesses very much knowledge about this kinds of attacks. Certainly the action of hiring a botnet demonstrates intent but it’s an incredibly amateurish attempt, and one that should have been easily stopped by the vendor in question.