Policy wonk. Torontonian. Photographer. Not necessarily in that order.
The problem … was that the surveillance technology sold to Iran in 2008 is standard “lawful intercept” functionality required by law in Europe, so that police can track criminals. Unfortunately, with the same technology in the hands of a regime that defines “crime” broadly to include political dissent and “blasphemy,” the result is an efficient antidissident surveillance machine.
It’s time to stop debating whether the Internet is an effective tool for political expression, and to move on to the much more urgent question of how digital technology can be structured, governed, and used to maximize the good it can do in the world, and minimize the evil.
Steve Stecklow, for Reuters, has an special report discussing how Chinese vendor ZTE was able to resell American network infrastructure and surveillance products to the Iranian government. The equipment sold is significant;
Mahmoud Tadjallimehr, a former telecommunications project manager in Iran who has worked for major European and Chinese equipment makers, said the ZTE system supplied to TCI was “country-wide” and was “far more capable of monitoring citizens than I have ever seen in other equipment” sold by other companies to Iran. He said its capabilities included being able “to locate users, intercept their voice, text messaging … emails, chat conversations or web access.”
The ZTE-TCI documents also disclose a backdoor way Iran apparently obtains U.S. technology despite a longtime American ban on non-humanitarian sales to Iran – by purchasing them through a Chinese company.
ZTE’s 907-page “Packing List,” dated July 24, 2011, includes hardware and software products from some of America’s best-known tech companies, including Microsoft Corp, Hewlett-Packard Co, Oracle Corp, Cisco Systems Inc, Dell Inc, Juniper Networks Inc and Symantec Corp.
ZTE has partnerships with some of the U.S. firms. In interviews, all of the companies said they had no knowledge of the TCI deal. Several – including HP, Dell, Cisco and Juniper – said in statements they were launching internal investigations after learning about the contract from Reuters.
The sale of Western networking and surveillance equipment/software to the Iranian government isn’t new. In the past, corporate agents for major networking firms explained to me the means by which Iran is successfully importing the equipment; while firms cannot positively know that this is going on, it’s typically because of an intentional willingness to ignore what they strongly suspect is happening. Regardless, the actual sale of this specific equipment – while significant – isn’t the story that Western citizens can do a lot to change at this point.
Really, we should be asking: do we, as citizens of Western nations, believe that manufacturing of these kinds of equipment is permissible? While some degree of surveillance capacity is arguably needed for lawful purposes within a democracy it is theoretically possible to design devices such that they have limited intercept and analysis capability out of the box. In essence, we could demand that certain degrees of friction are baked into the surveillance equipment that is developed, and actively work to prevent companies from producing highly scaleable and multifunctional surveillance equipment and software. Going forward, this could prevent the next sale of significant surveillance equipment to Iran on grounds that the West simply doesn’t have any for (legal) sale.
In the case of government surveillance inefficiency and lack of scaleability are advantageous insofar as they hinder governmental surveillance capabilities. Limited equipment would add time and resources to surveillance-driven operations, and thus demand a greater general intent to conduct surveillance than when authorities have access to easy-to-use, advanced and scalable, surveillance systems.
Legal frameworks are insufficient to protect citizens’ rights and privacy, as has been demonstrated time and time again by governmental extensions or exploitations of legal frameworks. We need a normatively informed limitation of surveillance equipment that is included in the equipment at the vendor-level. Anything less will only legitimize, rather than truly work towards stopping, the spread of surveillance equipment that is used to monitor citizens across the globe.
We recently learned that the Australian government had blocked Huawei from tendering contracts for Australia’s National Broadband Network. The government defended their position, stating that:
As such, and as a strategic and significant government investment, we have a responsibility to do our utmost to protect its integrity and that of the information carried on it.
Of note, internally Huawei had been a preferred choice but the company was ostensibly blocked for political/security, rather than economic, reasons. This decision isn’t terribly surprising given that American, Australian, and United Kingdom national intelligence and security agencies have all come out against using Huawei equipment in key government-used networks. The rationale is that, even were a forensic code audit possible (and likely wouldn’t be, on grounds that we’re talking millions of lines of code) it wouldn’t be possible to perform such an audit on each and every update. In effect, knowing that a product is secure now isn’t a guarantee that the product will remain secure tomorrow after receiving a routine service update. The concern is that Huawei could, as a Chinese company, be compelled by the Chinese government to include such a vulnerability in an update. Many in the security community suspect that such vulnerabilities have already been seeded.
Does this mean that security is necessarily the real reason for the ‘national security card’ being played in Australia? No, of course not. It’s equally possible that calling national security:
Moreover, simply because Australia isn’t tendering contracts from Huawei doesn’t suggest that whatever equipment is purchased will be any more secure. In theory, were Cisco equipment used to power the National Broadband Network then the American government could similarly compel Cisco to add vulnerabilities into routers.
In part, what this comes down to is who do you trust to spy on you? If you see the Americans as more friendly and/or less likely to involve themselves closely in your matters of state, then perhaps American companies are preferred over your economic and geographical next-door neighbours.
I should note, just in closing, that Huawei has contracts with most (though not quite all) of Canada’s largest mobile and wireline Internet companies. Having spoken with high-level governmental officials about security concerns surrounding Huawei’s equipment there seems to be a total lack of concern: just because GCHQ, NSA, and ASIO have publicly raised concerns about the company’s equipment doesn’t seem to raise any alarm bells or worries with our highest government officials.
…the Consumer Groups note Bell Canada’s somewhat thin argument on s. 36 to the effect that throttling is examination of the “application header of the content but not the content itself.” This is akin to arguing that one is listening into a telephone conversation and identifying the language being spoken but not listening to the words. However, this is a false analogy, as Bell does influence the content of the message by blocking the usability of the P2P protocol by slowing it down, thus rendering its purpose (to quickly download large files) moot. To continue the language analogy, Bell is effectively listening in for, say, Mandarin Chinese and making sure the call breaks up and drops out to the point that half of the speakers simply abandon the call.
In today’s era of hyperbolic security warnings one of the easiest things that people can do to ‘protect’ themselves online is select super hard passwords to crack, stuff them in a centralized password manager, and then only have to remember a single password to access the rest in the manager. I’ve used a password manager for some time and there are real security benefits: specifically, if a single service that I’ve registered with is hacked then my entire online life isn’t compromised, just that one service.
Password manager companies recognize the first concern that most people have surrounding their services: how do the managers protect the sensitive information they’re entrusted with? The standard response from vendors tends to reference ‘strong security models and usage of cryptography. Perhaps unsurprisingly, it is now quite apparent that the standard responses really can’t be trusted.
In a recent paper (.pdf), researchers interrogated the security status of password managers. What they found is, quite frankly, shocking and shameful. They also demonstrate the incredible need for third-party vetting of stated security capabilities.
The abstract for the paper is below but you should really just go read the whole paper (.pdf). It’s worth your time and if you’re not a math person you can largely skim over the hard math: the authors have provided a convenient series of tables and special notes that indicate the core deficiencies in various managers’ security stance. Don’t use a password manager that is clearly incompetently designed and, perhaps in the future, you will be more skeptical of the claims companies make around security.
Abstract:
In this paper we will analyze applications designed to facilitate storing and management of passwords on mobile platforms, such as Apple iOS and BlackBerry. We will specifically focus our attention on the security of data at rest. We will show that many password keeper apps fail to provide claimed level of protection
A quick TEDx talk about the inherent (in)security of the software-driven devices that are increasingly embedded throughout our lives.
Anne Rector gives voice to many who were systematically abused as children and who, often as a result of the abuse, are now ardent protectors of basic privacy rights. From her piece:
While I’m fairly openly about many things, my privacy has been savagely breached quite enough in this life. I should be able to preserve the tatters of personal privacy that remain, as I wish.
But this Conservative crime bill targets my privacy’s safeguards, and it’s inappropriate of politicians to use ‘pedophiles’ to strip me of them.
Just try claiming that I support child pornographers… and I’ll impart what fierce really is.
Go read the piece. It’s short. It does a good job identifying just how hurtful and harmful the Canadian Government’s equivalency of privacy advocates and child pornographers is for those who have suffered at the hands of child abusers.
The hacking of major certificate authorities, Comodo and DigiNotar, has been somewhat addressed by certificate blacklists and revocations. Despite these measures, however, the fallout of the hacks continues. As picked up by PC Magazine,
This week Kaspersky has discovered malicious droppers – programs that install malware – bearing stolen VeriSign certificates originally issued to a Swiss company called Conpavi AG.
…
One of the droppers carries a 32-bit driver containing a malicious DLL, which gets injected into your Internet browser process. A malicious 64-bit dropper injects the DLL directly.
From there, the DLL reroutes all your search queries in Google, Yahoo!, and Bing, to a pay-per-click search engine called Search 123. Search 123 makes money off people who search and click on their results.
As a colleague of mine commented, this is just another nail in X.509’s coffin. Let’s just hope that not too many innocents are buried along with it.
Excited Pixels