Last week, I published a report with Gary Miller and the Citizen Lab entitled, “Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure.” I undertook this research while still employed by the Citizen Lab and was delighted to see it available to the public. In it, we discuss how the configuration and vulnerabilities of contemporary telecommunications networks enables surveillance actors to surreptitiously monitor the location of mobile phone users.
The report provides a high-level overview of the geolocation-related threats associated with contemporary networks that depend on the protocols used by 3G, 4G, and 5G network operators, followed by evidence of the proliferation of these threats. Part 1 provides the historical context of unauthorized location disclosures in mobile networks and the importance of the target identifiers used by surveillance actors. Part 2 explains how mobile networks are made vulnerable by signaling protocols used for international roaming, and how networks are made available to surveillance actors to carry out attacks. An overview of the mobile ecosystem lays the foundation for the technical details of domestic versus international network surveillance, while the vectors of active versus passive surveillance techniques with evidence of attacks shows how location information is presented to the actor. Part 3 provides details of a case study from a media report that shows evidence of widespread state-sponsored surveillance, followed by threat intelligence data revealing network sources attributed to attacks detected in 2023. These case studies underscore the significance and relevance of undertaking these kinds of surveillance operations.
Deficiencies in oversight and accountability of network security are discussed in Part 4. This includes outlining the incentives and enablers that are provided to surveillance actors from industry organizations and government regulatory agencies. Part 5 makes clear that the adoption of 5G technologies will not mitigate future surveillance risks unless policymakers quickly move to compel telecommunications providers to adopt the security features that are available in 5G standards and equipment. If policymakers do not move swiftly then surveillance actors may continue to prey upon mobile phone users by tracking their physical location. Such a future paints a bleak picture of user privacy and must be avoided.
Last month I published a report, “Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act.” The report undertakes a critical analysis of Bill C-26 which would empower the government to compel critical infrastructure companies to undertake (or refrain from taking) activities the government was of the opinion would enhance the security of Canada’ critical infrastructure. The report begins by offering a background to why this legislation is seen as necessary by the government and, then, proceeds to assess the elements of the legislation which would modify the Telecommunications Act. Specifically, it focuses on issues associated with:
Compelling or directing modifications to organizations’ technical or business activities
Secrecy and absence of transparency or accountability provisions
Deficient judicial review processes
Extensive information sharing within and beyond Canadian agencies
Costs associated with security compliance
Vague drafting language
30 different recommendations are offered that, if adopted, would leave the government able to compel telecommunications companies to modify their practices while, simultaneously, imbuing the legislation with additional nuance, restraint, and accountability provisions. As drafted, today, the legislation prioritises secrecy at the expense of democratic accountability and would establish law that empowered actions which were unpredictable to private organizations and residents of Canada alike. The effect would be to empower the government to undertake lawful, if democratically illegible, activities. Cybersecurity requires a high degree of transparency and dialogue to be successfully implemented. Security can be and must be aligned with Canada’s democratic principles. It is now up to the government to amend its legislation in accordance with them.
Executive Summary
On June 14, 2022, the Government of Canada introduced “Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.” If passed into law, it will significantly reform the Telecommunications Act as well as impose new requirements on federally regulated critical infrastructure providers. This report, “Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act,” offers 30 recommendations to the draft legislation in an effort to correct its secrecy and accountability deficiencies, while suggesting amendments that would impose some restrictions on the range of powers that the government would be able to wield. These amendments must be seriously taken up because of the sweeping nature of the legislation.
As drafted at time of writing, Bill C-26 would empower the Minister of Industry to compel telecommunications providers to do or refrain from doing anything in the service of securing Canadian telecommunications networks against the threats of interference, manipulation, or disruption. The legislation would authorize the Minister to compel providers to disclose confidential information and then enable the Minister to circulate it widely within the federal government; this information could potentially include either identifiable or de-identified personal information. Moreover, the Minister could share non-confidential information internationally even when doing so could result in regulatory processes or private right of actions against an individual or organization. Should the Minister or other party to whom the Minister shares information unintentionally lose control of the information, there would be no liability attached to the government for the accident.
Where orders or regulations are issued, they would not need to be published in the Canadian Gazette and gags could be attached to the recipients of such orders. There may even be situations where the government could issue an order or regulation, with the aforementioned publication ban and gag, that runs counter to a decision by the Canadian Radio-television and Telecommunications Commission (CRTC) and that overrides aspects of that decision. And in any cases where a telecommunications provider seeks judicial review, it might never see the evidence used to justify an order or regulation. However, if a telecommunications provider is found to have deliberately ignored or failed to adhere to an order, then either the individuals who directed the action or the telecommunications provider could suffer administrative monetary penalties.
This report, in summary, identifies and analyzes a series of deficiencies in Bill C-26 as it is presently drafted:
The breadth of what the government might order a telecommunications provider to do is not sufficiently bounded.
The excessive secrecy and confidentiality provisions imposed on telecommunications providers threaten to establish a class of secret law and regulations.
Significant potential exists for excessive information sharing within the federal government as well as with international partners.
Costs associated with compliance with reforms may endanger the viability of smaller providers.
Vague drafting language means that the full contours of the legislation cannot be assessed.
No recognition of privacy or other Charter-protected rights exists as a counterbalance to proposed security requirements nor are appropriate accountability or transparency requirements imposed on the government.
Even if it is presumed that the government does need the ability to encourage or compel telecommunications providers to modify their technical or business operations to enhance the security of their services and facilities, it is readily apparent that more transparency and accountability should be required of the government. All of the recommendations in this report are meant to address some of the existent problems in the legislation.
Should these recommendations or ones derived from them not be taken up, then the government will be creating legislation of the worst kind insofar as it will require the public—and telecommunications providers—to simply trust that the government knows what it is doing, is reaching the right decisions, and that no need exists for a broader public discussion concerning the kinds of protections that should be put in place to protect the cybersecurity of Canada’s telecommunications networks. Cybersecurity cannot thrive on secretive and shadowy government edicts. The government must amend its legislation to ensure its activities comport with Canada’s democratic values and the norms of transparency and accountability.
Many of Canada’s closest allies have either firmly or softly blocked Huawei and ZTE from selling telecommunications equipment to Internet service providers in their countries over the past several years. After repeated statements from Canadian government officials that a review of Huawei equipment was ongoing, on May 19, 2022 the government announced its own bans on Huawei and ZTE equipment. The government published an accompanying policy statement from Innovation, Science, and Economic Development (ISED) Canada on the same day.
This post begins by summarizing the possible risks that Chinese vendors might pose to Canadian networks. Next, it moves to discuss the current positions of Canada’s closest allies as well as Canada’s actions and statements pertaining to Chinese telecommunications vendors leading up to the May 2022 announcement. It then proceeds to unpack the government’s “Securing Canada’s Telecommunications System” policy statement. Some highlight findings include:
The government is unclear when it refers to “supply chain breaches”;
The government may be banning Huawei and ZTE principally on the basis of American export restrictions placed on Chinese vendors and, thus, be following the same model as the United Kingdom which was forced to ban Huawei following American actions; and
Establishing the security and protection of telecommunications systems as an “overriding objective” of Canadian telecommunications policy could have long-term implications for Canadians’ privacy interests.
The post concludes by discussing the policy and political implications of the policy statement, why any telecommunications security reforms must not be accompanied by broader national security and law enforcement reforms, and why the Canadian government should work with allied and friendly countries to collectively assess telecommunications equipment.
Payphones by Christopher Parsons (All Rights Reserved)
I have a paper on telecommunications transparency reports which has been accepted for publication in Business and Society for later this year.
Centrally, the paper finds that companies will not necessarily produce easily comparable reports in relatively calm political waters and that, even should reports become comparable, they may conceal as much as they reveal. Using a model for evaluating transparency reporting used by Fung, Graham, and Weil in their 2007 book, Full Disclosure: The Perils and Promises of Transparency, I find that the reports issued by telecommunications companies are somewhat effective because they have led to changes in corporate behaviour and stakeholder interest, but have have been largely ineffective in prodding governments to behave more accountably. Moreover, reports issued by Canadian companies routinely omit how companies themselves are involved in facilitating government surveillance efforts when not legally required to do so. In effect, transparency reporting — even if comparable across industry partners — risks treating the symptom — the secrecy of surveillance — without getting to the cause — how surveillance is facilitated by firms themselves.
In mid-October I co-authored a submission to the Canadian Radio-television and Telecommunications Commission (CRTC) with Tamir Israel, a staff lawyer with the Canadian Internet Policy & Public Interest Clinic (CIPPIC) at the University of Ottawa. Our submission was filed in support of complaints issued by the Public Interest Advocacy Centre and Vaxination Informatique against Vidéotron’s (a subsidiary of Québecor Media Inc.) newly introduced Unlimited Music service.
The complaints arose after Vidéotron announced Unlimited Music, a mobile platform that offers access to a curated list of music streaming services over Vidéotron’s mobile data network without imposing data fees on the customers (often termed ‘zero rating’). In our submission, we argue that offerings of this kind raise concerns of undue preference, unjust discrimination and, more broadly, net neutrality, as addressed by the CRTC Commission in Broadcasting and Telecom Decision CRTC 2015-26 and in the Telecom Regulatory Policy CRTC 2009-657 (extended to mobile Internet access in Telecom Decision CRTC 2010-445). By zero rating specific services or categories thereof, Vidéotron is leveraging its role as a gateway to network content in order to provide its chosen services an advantage that no other competing service can match. Doing so disrupts the neutral ecosystem that is necessary for digital innovation to continue to flourish. It also raises serious ancillary privacy questions.
Our submission begins by arguing that Vidéotron’s mobile usage billing practices constitute an economic Internet traffic management practice and that zero rating services such as Unlimited Music are generally problematic. We then discuss the likely role of Deep Packet Inspection (DPI) technologies in facilitating Vidéotron’s zero rating practices. Next, we broadly argue that Vidéotron’s Unlimited Music offering is preferential and discriminatory; in addition to constituting an undue and unreasonable preference for certain service offerings, it unjustly discriminates against complementary offerings from other online vendors that include music in their broader product offering. Moreover, there is the potential for Vidéotron to discriminate against services that are mislabelled as ‘unlawful’. We conclude by discussing some of the other potential implications of Vidéotron’s Unlimited Music service.
Tamir is staff lawyer with the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) at the University of Ottawa Faculty of Law, where he conducts research and advocacy on various digital rights-related topics, with a focus on online privacy and anonymity, net neutrality, intellectual property, intermediary liability, spam, e-commerce, and consumer protection generally.
Earlier this year I had a book chapter, titled “Stuck on the Agenda: Drawing Lessons from the Stagnation of “Lawful Access” Legislation in Canada” published in Law, Privacy and Surveillance in Canada in the Post-Snowden Era. The book was edited by Michael Geist and is freely available in .pdf format from the University of Ottawa Press. The edited collection brings together many of Canada’s leading thinkers on privacy and national security issues, with authors outlining how Canadian-driven intelligence operations function, the legal challenges facing Canadian signals intelligence operations, and ways to reform Canada’s ongoing signals intelligence operations and the laws authorizing those operations.
The book arguably represents the best, and most comprehensive, examination of the Communications Security Establishment (CSE) in recent history. While not providing insiders’ accounts, many of the chapters draw from access to information documents, documents provided to journalists by Edward Snowden, and publicly available information concerning how intelligence operations are conducted by Canadian authorities. In aggregate they critically investigate the actual and alleged intelligence practices undertaken by Canadian authorities.
My contribution focuses on the politics associated with Canada’s lawful access legislation, and identifies some of the political conditions that may precede successful opposition to legislation that expands or reifies both domestic and foreign intelligence surveillance practices. Specifically, the chapter begins by outlining how agenda-setting operates and the roles of different agendas, tactics, and framings. Next, it turns to the Canadian case and identifies key actors, actions, and stages of the lawful access debates. The agenda-setting literature lets us identify and explain why opponents of the Canadian legislation were so effective in hindering its passage and what the future holds for opposing similar legislative efforts in Canada. The final section steps away from the Canadian case to suggest that there are basic as well as additive general conditions that may precede successful political opposition to newly formulated or revealed government surveillance powers that focus on either domestic or signals intelligence operations. You can read the chapter on pages 256-283.
In mid-October I co-authored a submission to the Canadian Radio-television and Telecommunications Commission (CRTC) with 
Earlier this year I had a book chapter, titled “Stuck on the Agenda: Drawing Lessons from the Stagnation of “Lawful Access” Legislation in Canada” published in Law, Privacy and Surveillance in Canada in the Post-Snowden Era. The book was edited by Michael Geist and is 
Technology, Thoughts & Trinkets 