Security

Advancing Encryption for the Masses

/ Christopher Parsons

CryptographyEdward Snowden’s revelations have made it incredibly obvious that signals intelligence agencies have focused a lot of their time and energy in tracking people as they browse the web. Such tracking is often possible at a global scale because so much of the data that crosses the Internet is unencrypted. Fortunately, the ease of such surveillance is being curtailed by large corporations and advocacy organizations alike.

Today, WhatsApp and Open Whisper Systems announced they have been providing, and will continue to deploy, what’s called ‘end to end’ encryption to WhatsApp users. This form of encryption ensures that the contents of subscribers’ communications are be secured from third-party content monitoring as it transits from a sender’s phone to a recipient’s device.

As a result of these actions, WhatsApp users will enjoy a massive boost in their communications security. And it demonstrates that Facebook, the owner of WhatsApp, is willing to enhance the security of its users even when such actions are likely to provoke and upset surveillance-hawks around the world who are more interested in spying on Facebook and WhatsApp subscribers than in protecting them from surveillance.

A separate, but thematically related, blog post the Electronic Frontier Foundation announced the creation of a new Certificate Authority (CA) initiative called ‘Let’s Encrypt’. Partnering with the Electronic Frontier Foundation are Mozilla, Cisco, Akamai, Identrust, and researchers at the University of Michigan. CAs issue the data files that are used to cryptographically secure communications between clients (like your web browser) and servers (like EFF.org). Such encryption makes it more challenging for another party to monitor what you are sending to, and receiving from, a server you are visiting.

Key to the ‘Let’s Encrypt’ initiative is that the issued certificates will be free and installable using a script. The script is meant to automate the process of requesting, configuring, and installing the certificate. Ideally, this will mean that people with relatively little experience will be able to safely and securely set up SSL-protected websites. Academic studies have shown that even those with experience routinely fail to properly configure SSL-protections.

The aim of both of these initiatives is to increase the ‘friction’, or relative difficulty, in massively monitoring chat and web-based communications. However, it is important to recognize that neither initiative can be considered a perfect solution to surveillance.

In the case of WhatsApp and Open Whisper Systems, end to end encryption does not fix the broader problems of mobile security: if an adversary can take control of a mobile device, or has a way of capturing text that is typed into or that is displayed on the screen when you’re using WhatsApp, then any message sent or received by the device could be susceptible to surveillance. However, there is no evidence that any government agency in the world has monitored, or is currently capable of monitoring, millions or billions of devices simultaneously. There is evidence, however, of government agencies aggressively trying to monitor the servers and Internet infrastructure that applications like WhatsApp use in delivering messages between mobile devices.

Moreover, it’s unclear what Facebook’s or WhatsApp’s reaction would be if a government agency tried to force the delivery of a cryptographically broken or weakened version of WhatsApp to particular subscribers using orders issued by American, European, or Canadian courts. And, even if the companies in question fought back, what would they do if they lost the court case?

Similarly, the ‘Let’s Encrypt’ initiative relies on a mode of securing the Internet that is potentially susceptible to state interference. Governments or parties affiliated with governments have had certificates falsely issued in order to monitor communications between client devices (e.g. smartphones) and servers (e.g. Gmail). Moreover, professional developers have misconfigured commerce backends to the effect of not checking whether the certificate used to encrypt a communication belong to the right organization (i.e. not checking that the certificate used to communicate with Paypal actually belongs to Paypal). There are other issues with SSL, including a poor revocation checking mechanism, historical challenges in configuring it properly, and more. Some of these issues may be defrayed by the ‘Let’s Encrypt’ initiative because of the members’  efforts to work with the Decentralized SSL Observatory, scans.io, and Google’s Certificate Authority logs, but the initiative — and the proposals accompanying it — is not a panacea for all of the world’s online encryption problems. But it will hopefully make it more difficult for global-scale surveillance that is largely predicated on monitoring unencrypted communications between servers and clients.

Edward Snowden was deeply concerned that the documents he brought to light would be treated with indifference and that nothing would change despite the documents’ presence in the public record. While people may be interested in having more secure, and more private, communications following his revelations those interests are not necessarily translated into an ability for people to secure their communications. And the position that people must either embark on elaborate training regimes to communicate securely or just not say sensitive things, or visit sensitive places, online simply will not work: information security needs to work with at least some of the tools that people are using in their daily lives while developing new and secure ones. It doesn’t make sense to just abandon the public to their own devices while the ‘professionals’ use hard-to-use ’secured’ systems amongst themselves.

The work of WhatsApp, Facebook, Open Whisper Systems, the Electronic Frontier Foundation, and that other members of the ‘Let’s Encrypt’ initiative can massively reduce the challenges people face when trying to communicate more responsibly. And the initiatives demonstrate how the cryptographic and communications landscape is shifting in the wake of Snowden’s revelations concerning the reality of global-scale surveillance. While encryption was ultimately thrown out of the original design specifications for the Internet it’s great to see that cryptography is starting to get bolted onto the existing Internet in earnest.

It’s Time for BlackBerry to Come Clean

/ Christopher Parsons

BlackBerry N10On April 10, 2014, Blackberry’s enterprise chief publicly stated that his company had no intention of releasing transparency reports concerning how often, and under what terms, the company has disclosed Blackberry users’ personal information to government agencies. BlackBerry’s lack of transparency stands in direct contrast to its competitors: Google began releasing transparency reports in 2009, and Apple and Microsoft in 2013. And BlackBerry’s competitors are rigorously competing on personal privacy as well, with Apple recently redesigning their operating system to render the company unable to decrypt iDevices for government agencies and having previously limited its ability to decrypt iMessage communications. Google will soon be following Apple’s lead.

So, while Blackberry’s competitors are making government access to telecommunications data transparent to consumers and working to enhance their users’ privacy, BlackBerry remains tight-lipped about how it collaborates with government agencies. And as BlackBerry attempts to re-assert itself in the enterprise market — and largely cede the consumer market to its competitors — it is unclear how it can alleviate business customers’ worries about governments accessing BlackBerry-transited business information. Barring the exceptional situation where data from BlackBerry’s network is introduced as evidence in a court process businesses have no real insight of the extent to which Blackberry is compelled to act against its users’ interests by disclosing information to government agencies. And given that the company both owns an underlying patent for, and integrated into its devices’ VPN client, a cryptographic algorithm believed vulnerable to surreptitious government spying it’s not enough to simply refuse to comment on why, and the extent to which, BlackBerry is compelled to help governments spy on its customer base.

We know that BlackBerry has been legally and politically bludgeoned into developing, implementing, and providing training courses on intercepting and censoring communications sent over its network. At the same time, we know that many employees at BlackBerry genuinely care about developing secure products and delivering them to the world; reliable, secure, and productive communications products are ostensibly the lifeblood that keeps the company afloat. So why, knowing what we know about the company’s ethos and the surveillance compulsions it has faced in the past, is it so unwilling to be honest with its current and prospective enterprise customers and develop transparency reports: for fear that customers would flee the company upon realizing the extent to which BlackBerry communications are accessed or monitored by governments, because of gag-orders they’ve agreed to in order to sell products in less-democratic nations, or just because they hold their customers is contempt?

How to Dispel the Confusion Around iMessage Security

/ Christopher Parsons / 2 Comments

Image by Graham BrennaApple’s hardware and communications products continue to be widely purchased and used by people around the world. Comscore reported in March 2013 that Apple enjoyed a 35% market penetration in Canada, and their desktop and mobile computing devices remain popular choices for consumers. A messaging service, iMessage, spans the entire Apple product line. The company has stated that it “cannot decrypt that data.”

Apple’s statements concerning iMessage’s security are highly suspect. In what follows I summarize some of the serious questions about Apple’s encryption schemas. I then discuss why it’s important for consumers to know whether iMessages are secure from third-party interception. I conclude by outlining how Canadians who use the iMessage application can use Canadian privacy law to ascertain the validity of Apple’s claims against those of the company’s critics. Continue reading

Lawful Access is Dead; Long Live Lawful Intercept!

/ Christopher Parsons

Honest PhoneLawful access was a contentious issue on the Canadian agenda when it was initially introduced by the Martin government, and has become even more disputed as subsequent governments have introduced their own iterations of the Liberal legislation. Last year the current majority government introduced Bill C-30, the Protecting Children from Internet Predators Act. In the face of public outcry the government sent the bill to committee prior to a vote on second reading, and most recently declared the bill dead.

Last year I began research concerning alternate means of instituting lawful access powers in Canada. Specifically, I explored whether a ‘backdoor’ had been found to advance various lawful access powers: was Industry Canada, through the 700MHz spectrum consultation, and Public Safety, through its changes to how communications are intercepted, effectively establishing the necessary conditions for lawful access by compliance fiat?

In this post I try to work through aspects of this question. I begin by briefly unpacking some key elements of Bill C-30 and then proceed to give an overview of the spectrum consultation. This overview will touch on proposed changes to lawful intercept standards. I then suggest how changes to the intercept standards could affect Canadians, as well as (re)iterate the importance of publicly discussing expansions to lawful access and intercept powers instead of expanding these powers through regulatory and compliance backdoors.

Continue reading

Smart Chip, Simple Illusions: NFC and the BC Services Card

/ Christopher Parsons / 2 Comments
This is a guest post from my colleague, Adam Molnar, who has been conducting research on the BC Services Card. Adam is a PhD Candidate in the Department of Political Science at the University of Victoria and a member of the New Transparency Project. His dissertation research focuses on security and policing legacies associated with mega-events. You can find him on Twitter at @admmo

Image by Pierre Metivier

In just two weeks, the province of British Columbia will be launching the new BC Services Card. If you haven’t already heard about the new province-wide identity management initiative, it’s not your fault; the government only began its public relations campaign for the Services Card initiative six weeks before the card was set to hit wallets and hospitals across the province. In fact, the government’s been so unforthcoming about the new Cards that, just six weeks before it’s release, the British Columbia Office of the Information and Privacy Commissioner is racing to adequately review the program. To be clear: this isn’t a new initiative, but one going back several years. The unwillingness to disclose the documents necessary for the Commissioner’s review is particularly troubling since the Services Card is just one component in a much larger transformation of the province’s movement to its integrated identity management program. Will similar tardiness to assist the province’s privacy czar pervade this entire transition? Will the public be as excluded from future debates as they have from the Services Card development and deployment regime?

The Services Cards feature a host of security enhancements, including layered polycarbonate plastics, embedded holography, laser etchings for images and text appearing on the card, and the integration of a Near Field Communications (NFC) chip. For this post, I focus exclusively on the NFC chip, that is meant to ‘secure’ your identity when presenting the card to government agencies, either in person or online.

The BC government has been touting NFC as an enhanced security feature in the Services Card initiative. While this technical feature might enhance the perception of privacy (especially when buttressed by official provincial political rhetoric), they actually entail serious flaws. These flaws could leave the personal information of BC residents and government databases vulnerable to attack; the security ‘features’ could be the beachhead that leads to serious privacy breaches.

Continue reading

The BC Services Card and Confused Public Outreach

/ Christopher Parsons

Photo by Jonny Wikins

Last week members of the BC government engaged in a media blitz to promote the proposed BC Services Card. As part of the blitz, BC’s Health Minister gave an interview to CBC’s All Points West to explain some of the proposed Services Card’s features. As a key Minister involved in the Services Card she understandably has been an outspoken advocate for the new initiative. Previously, BC’s Health Ministers have stridently argued that the Services Card would defray fraud, though this rhetoric has since been toned down: now the cards will remedy unknown levels of fraud, save unknown amounts of money, and facilitate undetermined kinds of data migration across government.

In what follows, I analyze the Minister’s interview with CBC to identify the confused and problematic nature of the Services Card, as it is being presented to the public. I start by noting an area where I think most residents likely support the government – some basic updates to the present CareCards – and then proceed to deficiencies in how the Minister is introducing the new Cards. I conclude by focusing on the frankly bizarre methods that the provincial government is using to ‘sell’ the card to the public and ask whether these cards could be a significant election issue later this year.

Continue reading