On May 12, 2021, President Joseph Biden promulgated an Executive Order (EO) to compel federal agencies to modify and enhance their cybersecurity practices. In this brief post I note a handful of elements of the EO that are noteworthy for the United States and, also, more broadly can be used to inform, assess, and evaluate non-American cybersecurity practices.
The core takeaway, for me, is that the United States government is drawing from its higher level strategies to form a clear and distinct set of policies that are linked to measurable goals. The Biden EO is significant in its scope though it remains unclear whether it will actually lead to government agencies better mitigating the threats which are facing their computer networks and systems.
Photo by Marco Verch (CC BY 2.0) https://flic.kr/p/RjMXMP
The Government of Canada has historically opposed the calls of its western allies to undermine the encryption protocols and associated applications that secure Canadians’ communications and devices from criminal and illicit activities. In particular, over the past two years the Minister of Public Safety, Ralph Goodale, has communicated to Canada’s Five Eyes allies that Canada will neither adopt or advance an irresponsible encryption policy that would compel private companies to deliberately inject weaknesses into cryptographic algorithms or the applications that facilitate encrypted communications. This year, however, the tide may have turned, with the Minister apparently deciding to adopt the very irresponsible encryption policy position he had previously steadfastly opposed. To be clear, should the Government of Canada, along with its allies, compel private companies to deliberately sabotage strong and robust encryption protocols and systems, then basic rights and freedoms, cybersecurity, economic development, and foreign policy goals will all be jeopardized.
This article begins by briefly outlining the history and recent developments in the Canadian government’s thinking about strong encryption. Next, the article showcases how government agencies have failed to produce reliable information which supports the Minister’s position that encryption is significantly contributing to public safety risks. After outlining the government’s deficient rationales for calling for the weakening of strong encryption, the article shifts to discuss the rights which are enabled and secured as private companies integrate strong encryption into their devices and services, as well as why deliberately weakening encryption will lead to a series of deeply problematic policy outcomes. The article concludes by summarizing why it is important that the Canadian government walk back from its newly adopted irresponsible encryption policy.
Telecommunications transparency reports detail the frequency at which government agencies request information from telecommunications companies. Though American companies have been releasing these reports since 2009, it wasn’t until 2014 that Canadian companies began to follow suit. As part of my work at the Citizen Lab I’ve analyzed the Canadian reports against what makes an effective transparency report, with ‘effectiveness’ relating to achieving public policy goals as opposed to ‘having an effect’ in terms of generating media headlines.
Today I’m publishing a draft paper that summarizes my current analyses. The paper is titled, “Do Transparency Reports Matter for Public Policy? Evaluating the effectiveness of telecommunications transparency reports” and is available for download. I welcome feedback on what I’ve written and look forward to the conversations that it spurs in Canada and further abroad.
Telecommunications companies across Canada have begun to release transparency reports to explain what data the companies collect, what data they retain and for how long, and to whom that data is, or has been, disclosed to. This article evaluates the extent to which Canadian telecommunications companies’ transparency reports respond to a set of public policy goals set by civil society advocates, academics, and corporations, namely: of contextualizing information about government surveillance actions, of legitimizing the corporate disclosure of data about government-mandated surveillance actions, and of deflecting or responding to telecommunications subscribers’ concerns about how their data is shared between companies and the government. In effect, have the reports been effective in achieving the aforementioned goals or have they just had the effect of generating press attention?
After discussing the importance of transparency reports generally, and the specificities of the Canadian reports released in 2014, I argue that companies must standardize their reports across the industry and must also publish their lawful intercept handbooks for the reports to be more effective. Ultimately, citizens will only understand the full significance of the data published in telecommunications companies’ transparency when the current data contained in transparency reports is contextualized by the amount of data that each type of request can provide to government agencies and the corporate policies dictating the terms under which such requests are made and complied with.
The policies, politics, and technologies associated with Canadian identity documents and their surrounding data architectures are incredibly important issues because of their capacities to reconfigure the state’s relationship with its residents. The most recent such system, the BC Services Card, is designed to expand digital service delivery options that are provided to residents of British Columbia by the provincial government and by corporations. The government, to date, remains uncertain about what services will be associated with the Card. It also remains uncertain about how data linked to the Card’s usage will be subsequently be data mined, though promises that such mining efforts will be exciting and respective of people’s privacy.
Vague statements and broad policy potentials are the very things that make people concerned about identity systems, especially systems that are untested, expensive, and designed with unclear intentions, objectives, or benchmarks.
To try and unpack the policy issues associated with the Services Card, Dr. Kate Milberry and I have written a report wherein we suggest that the Services Card may operate as a kind of ‘proto Pan-Canadian’ identity card. Specifically, the Card is designed to be massively interoperable with other province’s (similar) identity document systems as well as with the federal government’s digital delivery service. Similarly, the Card is meant to interoperate with private businesses’ services. To this end, the lead vendor for the project, SecureKey, has already secured telecommunications and financial organizations as key service delivery partners.
The Services Card isn’t necessary good nor evil. But it is a system that has received little public attention, little external technical scrutiny, and even less external policy critique. The province of British Columbia, and indeed residents of other provinces that are taking up the SecureKey offering, need to be properly consulted on the appropriateness, desirability, and feasibility of the Services Card architecture. To date, this has not been performed in British Columbia nor by the Government of Canada. The document that Dr. Milberry and I have written is meant to contribute to the (limited) public discussion. Hopefully the provincial and federal governments pay attention.
Funding for this report was secured by the British Columbia Civil Liberties Association (BCCLA), and provided for through the Office of the Privacy Commissioner of Canada’s Contributions Program. The text in the report is reflective of the BCCLA’s position towards the Services Card; the report does not, however, necessarily reflect the position of the Privacy Commissioner of Canada. The executive summary, and download link, of the report follows.
For the last several years, British Columbia has been developing the technical infrastructure and legal framework for a comprehensive integrated identity system as part of its “technology and transformation” approach to governance. Otherwise known as “Government 2.0” or e-government, this approach will aggregate the personal information of citizens in order to link and share this data across government bodies. The BC Services Card is the latest in a series of major information technology projects that is part of the Government 2.0 mandate. It is a mandatory provincial ID card that enables access to a range of government services, beginning with health care and driver licencing. The BC Services Card is a key element of unprecedented changes in the way the province collects, accesses and shares personal information, including highly sensitive health information, amongst departments, agencies and even private contractors.
The card is just part of BC’s wide-ranging vision for integrated identity and information management—a vision that scales and interoperates on a federal level. Indeed, the system is not only envisioned to extend to other provinces, in essence forming a pan-Canadian identity architecture, but the ID card is expressly intended to provide authentication conducted by the private sector and facilitation of commercial transactions governed by PIPEDA and applicable provincial private sector privacy legislation. The importance of developments with the BC card for national identity management cannot be overstated: the BC Services Card model is interoperable with the federal system, and thus a (proto) Canadian ID card, and is also meant to be used for commercial and e-commerce transactions. Thus, developments in BC have critically important implications for ID systems provincially and federally, and involve both the public and private sector.
This report examines the normative, technical and policy implications of the BC Services Card and the federal and commercial implications of the technical systems underlying the Services Card. Throughout the report, the ID system is examined from the perspectives of security, privacy and civil liberties, and generally echoes the Information and Privacy Commissioner for BC’s call for broad and meaningful public consultation before Phase II of the card program is implemented. Emergent from the analysis of the Services Card is a call for the Office of the Privacy Commissioner of Canada to work with provincial privacy commissioners to issue a joint resolution on the applicable privacy and security standards for the provincial systems on the basis that they will ultimately compose the national federated system. The report concludes with provincial and federal recommendations for designing an identity system that is secure, privacy-protective, trusted and fit for purpose.
The Canadian SIGINT Summaries includes downloadable copies, along with summary, publication, and original source information, of leaked CSE documents.
Parsons, Christopher; and Molnar, Adam. (2021). “Horizontal Accountability and Signals Intelligence: Lesson Drawing from Annual Electronic Surveillance Reports,” David Murakami Wood and David Lyon (Eds.), Big Data Surveillance and Security Intelligence: The Canadian Case.
Parsons, Christopher. (2015). “Stuck on the Agenda: Drawing lessons from the stagnation of ‘lawful access’ legislation in Canada,” Michael Geist (ed.), Law, Privacy and Surveillance in Canada in the Post-Snowden Era (Ottawa University Press).
Parsons, Christopher. (2015). “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians,” Telecom Transparency Project.
Parsons, Christopher. (2015). “Beyond the ATIP: New methods for interrogating state surveillance,” in Jamie Brownlee and Kevin Walby (Eds.), Access to Information and Social Justice (Arbeiter Ring Publishing).
Bennett, Colin; Parsons, Christopher; Molnar, Adam. (2014). “Forgetting and the right to be forgotten” in Serge Gutwirth et al. (Eds.), Reloading Data Protection: Multidisciplinary Insights and Contemporary Challenges.
Bennett, Colin, and Parsons, Christopher. (2013). “Privacy and Surveillance: The Multi-Disciplinary Literature on the Capture, Use, and Disclosure of Personal information in Cyberspace” in W. Dutton (Ed.), Oxford Handbook of Internet Studies.
McPhail, Brenda; Parsons, Christopher; Ferenbok, Joseph; Smith, Karen; and Clement, Andrew. (2013). “Identifying Canadians at the Border: ePassports and the 9/11 legacy,” in Canadian Journal of Law and Society 27(3).
Parsons, Christopher; Savirimuthu, Joseph; Wipond, Rob; McArthur, Kevin. (2012). “ANPR: Code and Rhetorics of Compliance,” in European Journal of Law and Technology 3(3).