Spoils of my on-air interview this morning!
Policy wonk. Torontonian. Photographer. Not necessarily in that order.
Christopher Parsons, a fellow at the Citizen Lab at the University of Toronto, a group that helped review the documents, added that while using corporate analytics may have been one possible attack vector, there could have been another.
“There’s a series of different kinds of identifiers—that’s not entirely clear from the documents,” he told Ars.
“It’s also theoretically possible that [CSEC] may be tapping into other identifiers. There’s going to be some global database that they’re pulling from. Whether it’s going to be cookies or another identifier. My thought would be [if not cookies] that if they’re looking for particular chat user names or e-mail that is also sent in clear or sent in clear often enough. One of [the] pieces about this [is] that it seems to indicate that it’s the act of logging on. It’s not clear that you have to make some particular action, it’s that the device[s] are likely to be sending out this kind of information upstream. It is possible that it’s your username every time you hit the mail server.”
He also noted that in Canada, the two major ISPs—Bell and Rogers—provide, by default, e-mail accounts on Microsoft and Yahoo, respectively.
So, he speculated, if CSEC was going to use such an e-mail username for instance, “that ISP is going to have a litany of personal information about a Canadian target, billing and everything else that they hold, whereas the cookie information may not provide [all that information.]”
Both Parsons and Weaver also added that the use of Tor, VPNs, and anti-tracking software (such as browser plugins like Disconnect or Ghostery) may help to somewhat thwart this type of tracking.
Source: New Snowden docs show Canadian spies tracked thousands of travelers
The security design of the system as implemented in tests so far will require a national certificate infrastructure much like that used for preventing domain spoofing and securing the Web. It will require a database of certificates—like the X.509 certificates used in public key infrastructure (PKI)—to verify that devices are legitimate and make it possible to rescind permissions to ensure that no one can send out spoofed messages. If a certificate were to become compromised or if a manufacturer misconfigured a batch of V2V systems, the certificate authority would be able to revoke the associated certificate. This prevents spoofing much in the way that DNSSEC prevents the “poisoning” of Internet domain address tables by a rogue Domain Name Service server.
The problem is that no one has ever developed a PKI system large enough to handle every vehicle in the United States—every car, truck, bus, and motorcycle. The revocation table for expired or compromised certificates would have to be distributed constantly to cars to make sure they weren’t victimized by recorded data attacks or other systems that used hacked hardware to spoof traffic.
So far, there hasn’t been any agreement yet on how this PKI would distribute its certificates. Proposals have included having roadside systems issue certificates as vehicles drive by and having certificates sent to vehicles out-of-band over cellular connections. The latter would mean that every car in the country would have to have its own integrated cellular phone or that drivers would have to connect their phones regularly to the systems to ensure they didn’t get shut out of the network.
Oh yes, please: let’s build a mass communications network dependent on a (largely) creaky Certificate system, deploy the devices to the attackers (i.e. car owners), and just trust that no one’s gonna hack a mass, nation-wide, Vehicle-to-Vehicle communications network.
Also: taking bets on it being an escrowed certificate system. For public safety and all that good stuff.
On Tuesday, Interim Privacy Commissioner Chantal Bernier called for more surveillance disclosure and a rewrite of Canada’s privacy laws
Christopher Parsons, a postdoctoral fellow at the Munk School of Global Affairs’ Citizen Lab, who studies state access to telecommunications data. Some of the recommendations in the report are similar to those made before – including a call for broader powers and more robust laws to allow watchdogs to do their job.
“Many of these suggestions the privacy commissioner has put forward are indicative of that office not being able to play its role. It doesn’t have the required powers to understand what’s going on in order to a) make things right or b) blow the whistle,” he said, later adding: “Should Canadians be concerned? Yeah. What the Commissioner’s office is saying is we do a good job, we do the best we can within our mandate, but our mandate is too narrow.”
Hopefully the Commissioner’s recommendations are implemented by the federal government given how pressing national security and signals intelligence issues have become.
Source: Experts weigh in on the state of Canada’s spying rules
As it happens, last week, a group of academics and civil-liberties organizations, led by Christopher Parsons, a postdoctoral fellow at the University of Toronto, sent out a long questionnaire to 16 Canadian telecommunications carriers. For example, it asks the carriers how the types of the authorities’ requests break down, as among matters of child exploitation, terrorism, national security and foreign intelligence.
Nice to have been mentioned in the Globe’s Editorial!
But no politician should ever apologize for stealing a good policy idea. And it is a good idea. It is a brave idea, courageous even, which is usually enough to start political antennae tingling in veterans whose modus operandi is to never do anything for the first time.
John Ivison, “With Senate caucus expulsion, Trudeau is testing the depth of the water with both feet”
As American telcoms operators take up the practice of publishing transparency reports showing how many law-enforcement requests they receive, Canadian activists are wondering why Canada’s telcoms sector hasn’t followed suit.
Source: Citizen Lab calls on Canada’s telcos to publish transparency report
More coverage of our letters to Canadian telecommunications service providers concerning how, when, under what conditions, and how often they disclose information to government agencies.
Source: Reveal extent of government data surveillance, campaign asks telecom companies
Prominent privacy and digital-security researchers send open letter to Bell, Rogers, Telus, Shaw and a dozen other companies
Nice coverage by the Globe and Mail
Source: Telecom firms being asked what data they are giving to police, intelligence agencies
A particularly handy guide, if you have privacy concerns and want them resolved by a privacy commissioner/data protection office.