report

Shining a Light on the Encryption Debate: A Canadian Field Guide

/ Christopher Parsons

The Citizen Lab and the Canadian Internet Policy and Public Interest Clinic (CIPPIC) have released a joint collaborative report, “Shining a Light on the Encryption Debate: A Canadian Field Guide,” which was written by Lex Gill, Tamir Israel, and myself. We argue that access to strong encryption is integral to the defense of human rights in the digital era. Encryption technologies are also essential to securing digital transactions, securing public safety, and protecting national security interests. Unfortunately, many state agencies have continues to argue that encryption poses insurmountable or unacceptable barriers to their investigative- and intelligence-gathering activities. In response, some governments have advanced irresponsible encryption policies that would limit the public availability and use of secure, uncompromised encryption technologies.

Our report examines this encryption debate, paying particular attention to the Canadian context. It provides insight and analyses for policy makers, lawyers, academics, journalists, and advocates who are trying to understand encryption technologies and the potential viability and consequences of different policies pertaining to encryption.

Section One provides a brief primer on key technical principles and concepts associated with encryption in the service of improving policy outcomes and enhancing technical literacy. In particular, we review the distinction between encryption at rest and in transit, the difference between symmetric and asymmetric encryption systems, the issue of end-to-end encryption, and the concept of forward secrecy. We also identify some of the limits of encryption in restricting the investigative or intelligence-gathering objectives of the state, including in particular the relationship between encryption and metadata.

Section Two explains how access to strong, uncompromised encryption technology serves critical public interest objectives. Encryption is intimately connected to the constitutional protections guaranteed by the Canadian Charter of Rights and Freedoms as well as those rights enshrined in international human rights law. In particular, encryption enables the right to privacy, the right to freedom of expression, and related rights to freedom of opinion and belief. In an era where signals intelligence agencies operate with minimal restrictions on their foreign facing activities, encryption remains one of the few practical limits on mass surveillance. Encryption also helps to guarantee privacy in our personal lives, shielding individuals from abusive partners, exploitative employers, and online harassment. The mere awareness of mass surveillance exerts a significant chilling effect on freedom of expression. Vulnerable and marginalized groups are both disproportionately subject to state scrutiny and may be particularly vulnerable to these chilling effects. Democracies pay a particularly high price when minority voices and dissenting views are pressured to self-censor or refrain from participating in public life. The same is true when human rights activists, journalists, lawyers, and others whose work demands the ability to call attention to injustice, often at some personal risk, are deterred from leveraging digital networks in pursuit of their activities. Unrestricted public access to reliable encryption technology can help to shield individuals from these threats. Efforts to undermine the security of encryption in order to facilitate state access, by contrast, are likely to magnify these risks. Uncompromised encryption systems can thus foster the security necessary for meaningful inclusion, democratic engagement, and equal access in the digital sphere.

Section Three explores the history of encryption policy across four somewhat distinct eras, with a focus on Canada to the extent the Canadian government played an active role in addressing encryption. The first era is characterized by the efforts of intelligence agencies such as the United States National Security Agency (NSA) to limit the public availability of secure encryption technology. In the second era of the 1990s, encryption emerged as a vital tool for securing electronic trust on the emerging web. In the third era—between 2000 and 2010—the development and proliferation of strong encryption technology in Canada, the United States, and Europe progressed relatively unimpeded. The fourth era encompasses from 2011 to the present day where calls to compromise, weaken, and restrict access to encryption technology have steadily reemerged.

Section Four reviews the broad spectrum of legal and policy responses to government agencies’ perceived encryption “problem,” including historical examples, international case studies, and present-day proposals. The section provides an overview of factors which may help to evaluate these measures in context. In particular, it emphasizes questions related to: (1) whether the proposed measure is truly targeted and avoids collateral or systemic impacts on uninvolved parties; (2) whether there is an element of conscription or compelled participation which raises an issue of self-incrimination or unfairly impacts the interests of a third party; and (3) whether, in considering all the factors, the response remains both truly necessary and truly proportionate. The analysis of policy measures in this sections proceeds in three categories. The first category includes measures designed to limit the broad public availability of effective encryption tools. The second category reviews measures that are directed at intermediaries and service providers. The third category focuses on efforts that target specific encrypted devices, accounts, or individuals.

Section Five examines the necessity of proposed responses to the encryption “problem.” A holistic and contextual analysis of the encryption debate makes clear that the investigative and intelligence costs imposed by unrestricted public access to strong encryption technology are often overstated. At the same time, the risks associated with government proposals to compromise encryption in order to ensure greater ease of access for state agencies are often grossly understated. When weighed against the profound costs to human rights, the economy, consumer trust, public safety, and national security, such measures will rarely—if ever—be proportionate and almost always constitute an irresponsible approach to encryption policy. In light of this, rather than finding ways to undermine encryption, the Government of Canada should make efforts to encourage the development and adoption of strong and uncompromised technology.

DOWNLOAD THE FULL REPORT

Project Support

This research was led by the Citizen Lab at the Munk School of Global Affairs, University of Toronto, as well as the Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa. This project was funded, in part, by the John D. And Catherine T. MacArthur Foundation and the Ford Foundation.

The authors would like to extend their deepest gratitude to a number of individuals who have provided support and feedback in the production of this report, including (in alphabetical order) Bram Abramson, Nate Cardozo, Masashi Crete-Nishihata, Ron Deibert, Mickael E.B., Andrew Hilts, Jeffrey Knockel, Adam Molnar, Christopher Prince, Tina Salameh, Amie Stepanovich, and Mari Jing Zhou. Any errors remain the fault of the authors alone.

We are also grateful to the many individuals and organizations who gave us the opportunity to share early versions of this work, including Lisa Austin at the Faculty of Law (University of Toronto); Vanessa Rhinesmith and David Eaves at digital HKS (Harvard Kennedy School); Ian Goldberg and Erinn Atwater at the Cryptography, Security, and Privacy (CrySP) Research Group (University of Waterloo); Florian Martin-Bariteau at the Centre for Law, Technology and Society (University of Ottawa); and the Citizen Lab Summer Institute (Munk School of Global Affairs, University of Toronto).

Authors

Lex Gill is a Citizen Lab Research Fellow. She has also served as the National Security Program Advocate to the Canadian Civil Liberties Association, as a CIPPIC Google Policy Fellow and as a researcher to the Berkman Klein Center for Internet & Society at Harvard University. She holds a B.C.L./LL.B. from McGill University’s Faculty of Law.

Tamir Israel is Staff Lawyer at the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic at the University of Ottawa, Faculty of Law. He leads CIPPIC’s privacy, net neutrality, electronic surveillance and telecommunications regulation activities and conducts research and advocacy on a range of other digital rights-related topics.

Christopher Parsons is currently a Research Associate at the Citizen Lab, in the Munk School of Global Affairs with the University of Toronto as well as the Managing Director of the Telecom Transparency Project at the Citizen Lab. He received his Bachelor’s and Master’s degrees from the University of Guelph, and his Ph.D from the University of Victoria.

IMSI Catcher Report Calls for Transparency, Proportionality, and Minimization Policies

/ Christopher Parsons

imsi-catcher-coverThe Citizen Lab and CIPPIC released a report, Gone Opaque? An Analysis of Hypothetical IMSI Catcher Overuse in Canada, which examined the use of devices that are commonly referred to as ‘cell site simulators’, ‘IMSI Catchers’, ‘Digital Analyzers’, or ‘Mobile Device Identifiers’, and under brand names such as ‘Stingray’, DRTBOX, and ‘Hailstorm’. IMSI Catchers are a class of of surveillance devices used by Canadian state agencies. They enable state agencies to intercept communications from mobile devices and are principally used to identify otherwise anonymous individuals associated with a mobile device and track them.

Though these devices are not new, the ubiquity of contemporary mobile devices, coupled with the decreasing costs of IMSI Catchers themselves, has led to an increase in the frequency and scope of these devices’ use. Their intrusive nature, as combined with surreptitious and uncontrolled uses, pose an insidious threat to privacy.

This report investigates the surveillance capabilities of IMSI Catchers, efforts by states to prevent information relating to IMSI Catchers from entering the public record, and the legal and policy frameworks that govern the use of these devices. The report principally focuses on Canadian agencies but, to do so, draws comparative examples from other jurisdictions. The report concludes with a series of recommended transparency and control mechanisms that are designed to properly contain the use of the devices and temper their more intrusive features.

The report is structured across four sections:

  • Section One provides an overview of the technical capabilities of IMSI Catchers.
  • Section Two focuses on civil society and journalists’ efforts to render transparent how IMSI Catchers are used.
  • Section Three examines the regulation of IMSI Catchers and avenues towards lawful regulation of their use.
  • Section Four sets out best practices that should be incorporated into a framework governing IMSI Catcher use.

In more detail, Section One provides an overview of the technical capabilities of IMSI Catchers. The report principally focuses on how the devices can be used in ‘identification mode’, where they intercept digital numbers that are unique to mobile devices. IMSI Catchers exploit weaknesses in the design of mobile communications systems to induce mobile devices to transmit these unique numbers that, typically, are only sent to telecommunications carriers. From a privacy perspective, the report argues that IMSI Catchers are inherently intrusive: by design, they capture mobile identifiers from all phones in range, leading to significant collateral privacy impact that can affect the privacy of thousands of non-targets for each individual legitimate target.

Section Two focuses on transparency efforts associated with IMSI Catchers, and how states have routinely sought to prevent information about IMSI Catchers from reaching the public record. After highlighting some of the hard-fought successes to bring documents to the public record in the United States, in particular, the report examines comparable efforts to uncover IMSI Catchers’ use in Canada and these efforts’ comparative successes and failures. In doing so, a case analysis is conducted where the Toronto Police Services Board successfully (and inappropriately) prevented documents from becoming public. The report critiques a number of the justifications that are frequently advanced by state agencies seeking to prevent information related to IMSI Catchers from becoming public. Furthermore, it argues that providing some details on IMSI Catcher use will not undermine the investigative utility of the devices, and that there is substantial public interest that should compel authorities to disclose documents regardless of whether they affect investigative utility. Furthermore, disclosure of such documents is needed to evaluate whether the possession of the devices is inconsistent with the Radiocommunications Act, the Privacy Act, and perhaps the Charter. Equally seriously, refusing to officially acknowledge IMSI Catcher use in the face of a growing body of documents demonstrating their use threatens to undermine public confidence that the devices are being used lawfully and in a manner that is proportionate and minimized their impact on non-targeted members of the public.

Section Three examines the regulation of IMSI Catchers and avenues towards the lawful authorization of their use. After surveying German and American regulatory processes to understand gaps in the Canadian context, the report explores Canada’s ambitious statutory framework for electronic surveillance. Doing so explicates the legal avenues state agencies can exercise to authorize their use of IMSI Catchers. This section reveals how a range of overlapping powers might apply to IMSI Catcher authorization, and that this ambiguity might let agencies deploy IMSI Catchers using powers offering minimal privacy protection. The section concludes by examining the Charter implications of IMSI Catcher uses, and rejects possible justifications of IMSI Catcher deployment which lack prior judicial authorization. A series of safeguards and conditions on the use of IMSI Catchers, such that their operation does not amount to a constitutionally impermissible search, wraps up this section.

Section Four sets out best practices that should be incorporated into a framework governing IMSI Catcher use. The section recommends that IMSI Catcher use by state agencies be subject to comprehensive transparency mechanisms, including annual statistical reporting on use, an individual notice requirement, and compliance with standard reporting obligations typically applied to radio devices owned by state agencies. It further argues for the criminalization of unauthorized uses of IMSI Catchers. Such authorization should be subject to a strict regime that is linked with demonstrating their investigative necessity, including a “serious crimes” provision that limits IMSI Catchers’ use to investigate only the most severe offences. In addition to proportionality measures, targeting and minimization procedures should be imposed to limit the collateral impact of deployment on innocent third-parties.

The report’s Conclusion highlights core findings and also emphasizes the importance of privacy in liberal democratic societies.

We hope that this report will contribute to the growing discussion and debate concerning how, and the appropriateness of, state agencies’ use of IMSI Catchers. Ultimately, it is in the government’s and citizens’ best interest for state agencies to be more transparent and accountable for how they use IMSI Catchers in the course of conducting investigations.

DOWNLOAD FULL REPORT (English) // DOWNLOAD EXECUTIVE SUMMARY (French)

Project Support

The authors would like to graciously thank a number of sources whose generous funding made this report possible: the Open Society Foundation, Frederick Ghahramani, a Social Sciences and Humanities Research Council (SSHRC) Postdoctoral Fellowship Award, and the Munk School of Global Affairs at the University of Toronto. Furthermore, the authors are grateful for in-depth substantive input on the December 2015 draft of this document from Professor Ron Deibert and Sarah McKune, to Adrian Dabrowski and to participants of Citizen Lab Summer Institute 2016 for key input on technical questions raised by this paper and to Lex Gill for extensive substantive additions and edits. Responsibility for any errors or omissions remains with the authors.

Authors

Christopher Parsons

Dr. Christopher Parsons received his Bachelor’s and Master’s degrees from the University of Guelph, and his Ph.D from the University of Victoria. He is currently the Managing Director of the Telecom Transparency Project and a Research Associate at the Citizen Lab, in the Munk School of Global Affairs.

Tamir Israel

Tamir is staff lawyer with the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) at the University of Ottawa Faculty of Law, where he conducts research and advocacy on various digital rights-related topics, with a focus on online privacy and anonymity, net neutrality, intellectual property, intermediary liability, spam, e-commerce, and consumer protection generally.

A Crisis of Accountability — The Canadian Situation

/ Christopher Parsons

CanadaThe significance of Edward Snowden’s disclosures is an oft-debated point; how important is the information that he released? And, equally important, what have been the implications of his revelations? Simon Davies, in association with the Institute of Information Law of the University of Amsterdam and Law, Science, Technology & Social Studies at the Vrie Universiteit of Brussels, has collaborated with international experts to respond to the second question in a report titled A Crisis of Accountability: A global analysis of the impact of the Snowden revelations.

In what follows, I first provide a narrative version of the report’s executive summary. The findings are sobering: while there has been a great deal of international activity following Snowden’s revelations, the tangible outcomes of that activity has been globally negligible. I then provide the text of the Canadian section of the report, which was drafted by Tamir Israel, myself, and Micheal Vonn. I conclude by providing both an embedded and downloadable version of the report.

Continue reading

BC Services Card Report Released

/ Christopher Parsons

Screenshot_2013-04-15_11_24_PMThe proposed imposition of identity cards tends to gets people riled up. This is especially true of the people who are going to have to carry the documents in their purses and wallets. In British Columbia the provincial government has slowly, and quietly, developed an identity card termed the ‘BC Services Card’. The Services Card will effectively be a required piece of documentation for all BC residents as of about 2018; it will be used to access non-emergency medical services, as well as to-be-decided government services provided by education, citizen services, and more.

In 2012, the British Columbia Civil Liberties Association commissioned a technical report about the services card from my company, Block G Privacy and Security Consulting. The goal of our report was to contextualize the politics and technology behind the new BC Services Card and, in the process, understand prospective security-and privacy-related issues linked with the initiative. A core aspect of our report consists of a technical survey of the Services Card and its associated infrastructure. As part of our survey we evaluate possible vulnerabilities that could be exploited by a hostile third-party intent on undermining, disrupting, or otherwise compromising Services Cards or the trust BC residents are expected to place in them as technically sophisticated and reliable identity tokens. Given that we lacked direct access to the cards and infrastructure our analyses and critiques were based on limited documentary evidence, expert-level interviews, and secondary sources.

Highlights from the section of the report covering risks and vulnerabilities include:

  •  The importance of ensuring that government actors responsible for issuing the cards are trustworthy; failure to do so could undermine many of the government’s identity assurance processes that underlie the entire card system.
  • Physical security characteristics are positive, though the inclusion of biometric facial images does not necessarily lead to the security enhancements suggested by the government.
  • The near field communication (NFC) chips embedded in the cards are a point of significant vulnerability, insofar as they could be read at a distance, compromised by a malicious actor, or tampered with to intrude into the computers and mobile phones reading the chips.
  • The potential for ‘function creep’, or the expanded use of the Services Card for purposes beyond the current scope of the card. This might include use of the card by private parties or the card ultimately being integrated with the federal government’s planned pan-Canadian identity card.

In light of these risks, we provide the following suggestions to ameliorate potential security dangers:

  • Penetration tests should conducted to ‘attack’ the system, in order to understand where vulnerabilities exist, how they could be exploited, and how to subsequently rectify them. Given the magnitude of the government’s proposed data linking infrastructure associated with the Services Card this kind of analysis is critical. Testers should be given a wide permit in testing the system and not be artificially limited in what they can do to identify vulnerabilities.
  • Public consultations with security experts should occur and consultations findings summarized and subsequently made public. These consultations should attend to how security of the cards and BC residents’ privacy can be maximized.
  • Public audits should be routinely conducted on the systems and infrastructure surrounding the BC Services Card. This should include auditing private vendors who are contracted to provide service.

Our report is available for public download.