Brief: Social Networking and Canadian Privacy Law

January 7, 2013August 18, 2022 / Christopher Parsons

Last year I was invited to submit a brief to the Canadian Parliament’s Access to Information, Privacy and Ethics Committee. For my submission (.pdf), I tried to capture some of of the preliminary research findings that have been derived from social media and surveillance project I’m co-investigating with Colin Bennett. Specifically, the brief focuses on questions of jurisdiction, data retention, and data disclosure in the context of social media use in Canada. The ultimate aim of the submission was to give the committee members insight into the problems that Canadians experience when accessing the records held by social networking companies.

The project, and our research for it, has been funded through the Office of the Privacy Commissioner’s Contributions Program. Anything contained in the brief is not necessarily representative of the Office’s own positions or stances.

Abstract/Introduction:

In this submission, I highlight some of our analyses of 20 social networking sites’ privacy policies and findings about Canadians’ ability to access their own personal information that social networking sites store. These findings let us understand how the companies running these services understand their legal jurisdictional obligations and the retention of personally identifiable information. Moreover, these discoveries let us ascertain the actual access that Canadians have to profiles that they and the identities that networking services Canadians associate with are developing. Together, these points reveal how social networking companies understand Canadians’ personal information, the conditions of data sharing, and the level of ease with which Canadians can access the information that they themselves contribute to these services. I conclude this submission by suggesting a few ways that could encourage these companies to more significantly comply with Canadian privacy laws.

Download (.pdf) “Social Networking and Canadian Privacy Law: Jurisdiction, Retention, and Disclosure“

Review: In the Plex

January 6, 2013May 14, 2021 / Christopher Parsons

Steven Levy’s book, “In the Plex: How Google Things, Works, and Shapes Our Lives,” holistically explores the history and various products of Google Inc. The book’s significance comes from Levy’s ongoing access to various Google employees, attendance at company events and product discussions, and other Google-related cultural and business elements since the company’s inception in 1999. In essence, Levy provides us with a superb – if sometimes favourably biased – account of Google’s growth and development.

The book covers Google’s successes, failures, and difficulties as it grew from a graduate project at Stanford University to the multi-billion dollar business it is today. Throughout we see just how important algorithmic learning and automation is; core to Google’s business philosophy is that using humans to rank or evaluate things “was out of the question. First, it was inherently impractical. Further, humans were unreliable. Only algorithms – well drawn, efficiently executed, and based on sound data – could deliver unbiased results” (p. 16). This attitude of the ‘pure algorithm’ is pervasive; translation between languages is just an information problem that can – through suitable algorithms – accurately and effectively translate even the cultural uniqueness that is linked to languages. Moreover, when Google’s search algorithms routinely display anti-Semitic websites after searching for “Jew” the founders refused to modify the search algorithms because the algorithms had “spoke” and “Brin’s ideals, no matter how heartfelt, could not justify intervention. “I feel like I shouldn’t impose my beliefs on the world,” he said. “It’s a bad technology practice”” (p. 275). This is an important statement: the founders see the product of human mathematical ingenuity as non-human and lacking bias born of their human creation.

Continue reading →

Understanding the Lawful Access Decryption Requirement

September 17, 2012March 2, 2013 / Christopher Parsons

For several months I and a handful of others in the Canadian privacy and security community have been mulling over what Bill C-30, better known as Canada’s ‘lawful access’ legislation, might mean for the future of encryption policy in Canada. Today, I’m happy to announce that one of the fruits of these conversation, a paper that I’ve been working on with Kevin McArthur, is now public. The paper, titled “Understanding the Lawful Access Decryption Requirement,” spends a considerable amount of time considering the potential implications of the legislation. Our analysis considers how C-30 might force companies to adopt key escrows, or decryption key repositories. After identifying some of the problems associated with these repositories, we suggest how to amend the legislation to ensure that corporations will not have to establish key escrows. We conclude by outlining the dangers of leaving the legislative language as it stands today. The full abstract, and download link, follows.

Abstract

Canada’s lawful access legislation, Bill C-30, includes a section that imposes decryption requirements on telecommunications service providers. In this paper we analyze these requirements to conclude that they may force service providers to establish key escrow, or decryption key retention, programs. We demonstrate the significance of these requirements by analyzing the implications that such programs could have for online service providers, companies that provide client software to access cloud services, and the subscribers of such online services. The paper concludes by suggesting an amendment to the bill, to ensure that corporations will not have to establish escrows, and by speaking to the dangers of not implementing such an amendment.

Download paper at the Social Sciences Research Network

The Danger Online Voting Poses to Democratic Legitimacy

March 28, 2012March 2, 2013 / Christopher Parsons

Online voting is a serious issue that Canadians need to remain aware of and/or become educated about. I’ve previously written about issues surrounding Internet-based voting, and was recently interviewed about online elections in light of problems that the National Democratic Party (NDP) had during their 2012 leadership convention. While I’m generally happy with how the interview played out – and thankful to colleagues for linking me up with the radio station I spoke on – there were a few items that didn’t get covered in the interview because of time limitations. This post is meant to take up those missed items, as well as let you go and listen to the interview for yourself.

Public Dialogue Concerning the NDP Leadership ‘Attack’

There are claims that the attacks against the NDP’s online voting system were “sophisticated” and that “the required organization and the demonstrated orchestration of the attack indicates that this was a deliberate effort to disrupt or negate the election by a knowledgeable person or group.” Neither of these statements are entirely fair or particularly accurate. Publicly disclosed information indicates that around 10,000 IP addresses were used to launch a small Distributed Denial of Service (DDoS) attack against the voting system used during the NDP’s convention. To be clear: this is a relatively tiny botnet.

While such a botnet might justifiably overwhelm some small business networks, or other organizations that haven’t seen the need to establish protections against DDoS scenarios, it absolutely should not be capable of compromising an electoral process. Such a process should be significantly hardened: scalable infrastructure ought to have been adopted, and all services ought to be sitting behind a defensible security perimeter. To give you an understanding of just how cheap a botnet (of a much larger size) can be: in 2009, a 80,000-120,000 machine botnet would run around $200/day. You even got a 3-minute trial window! In 2010, VeriSign’s iDefence Intelligence Operations Team reported that a comparable botnet would run around $9/hr or $67/day.

If a few Google searches and a couple hundred dollars from a Paypal account can get you a small botnet (and give you access to technical support to help launch the attack, depending on who you rent your bots from) then we’re not dealing with a particularly sophisticated individual or group, or an individual or group that necessarily possesses very much knowledge about this kinds of attacks. Certainly the action of hiring a botnet demonstrates intent but it’s an incredibly amateurish attempt, and one that should have been easily stopped by the vendor in question.

Continue reading →

BCCLA Releases Electronic Devices at the Border Handbook

March 5, 2012March 2, 2013 / Christopher Parsons

Crossing international borders can be worrying, especially for those carrying confidential or privileged information on their electronic devices. While I’ve seen a variety of documents and advisories explaining how to deal (or not deal) with American border authorities, there hasn’t been what I consider a decent guide for dealing with the Canadian Border Services Agency (CBSA). As of today, this deficit has been significantly remedied.

For the past several months, Greg McMullen has been working on a handbook to help Canadians (and non-Canadians) navigate officials’ demands for electronic devices at Canada’s national borders. The BCCLA has funded his work, and the handbook is intended for educational and discussion purposes; it isn’t intended to replace legal counsel or constitute firm legal advice. The handbook is written for a general audience and does a nice job of walking readers through what rights they enjoy at the border, CBSA policies, best practices, and what to do if you have been subject to a search.

I’d highly recommend the handbook, which is available through the BCCLA and also available for download through my website.

Technology, Thoughts & Trinkets

Touring the Digital Though Type

Security