Feds considering warrantless access to internet subscriber info: police chiefs

OTTAWA – A new administrative scheme that would allow police to obtain basic information about Internet subscribers without a warrant is one option being considered by federal officials following a landmark Supreme Court ruling that curbed access to such data, Canadian police chiefs say.

A researcher who has long pressed for more transparency around police access to subscriber data said Monday that law-enforcement agencies have yet to make the case for warrantless access – especially since companies can make information available quickly in a genuine emergency.

“We’re not at a point where it’s clear the police have a legitimate concern,” said Christopher Parsons, a postdoctoral fellow with the Citizen Lab at Toronto’s Munk School of Global Affairs.

In June last year, the Supreme Court ruled police need judicial authorization to obtain subscriber data linked to online activities. The high court rejected the notion the federal privacy law governing companies allowed them to hand over subscriber identities voluntarily.

The court judgment came amid swelling public concern about authorities quietly gaining access to customer information with little evident scrutiny or oversight.

Parsons wants police to release more statistical information about their requests. “They actually have to make the argument with data, so we can have an evidence-based policy discussion.”

He would also like to see civil society groups and others included in the discussions about possible legislative change.

 

Twitter closes off ability to track and repost politicians’ deleted tweets | Toronto Star

Twitter has shut off the ability of more than two dozen accounts to track and repost tweets deleted by politicians and other officials in 30 countries around the world, including Canada.

Christopher Parsons, a fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, said Twitter’s decision shows that the company “is unwilling to have its API routinely used to monitor what people have tried to delete.

“It appears as though Twitter is saying, ‘Look we know it’s possible, but we don’t want it being done.’ ”

According to Parsons, the weekend Twitter closures may force groups to analyze the different reasons tweets are deleted, rather than posting all deletions automatically, which could change the data’s impact.

“The way in which (the information is) published can be very different, the context can be much broader, and depending on the intent of the group in question, it could be more damning,” he said.

The debate, he added, shows the impact corporations such as Twitter can have on how public figures communicate with people.

“With the American election right now and the Canadian election going on, that’s where these sorts of deletions are often most interesting to the general public,” he said.

 

Canadian companies have no incentive to report cyber attacks, like that on Ashley Madison | Toronto Star

Canada’s Digital Privacy Act, passed by Parliament in June, will require companies to report breaches once regulations are prepared. But experts say it is essentially toothless because it contains few financial penalties.

The Act will introduce fines up to $100,000 for deliberately not reporting a breach.

“There’s the obligation to report, which is, of course, positive,” said Christopher Parsons, managing director of the telecom transparency project at the Munk School of Global Affairs’ Citizen Lab.

“But without any sort of punitive consequences you run into the question of how useful is the notification itself.”

There is little data on how secure corporate Canada truly is partly because of a lack of breach notification laws, Parsons said.

Without a financial imperative to beef up security, companies are unlikely to shell out the millions of dollars required to identify and prevent them, Parsons said.

“For most companies, security is a drag,” Parsons said, adding that executives tend to reject investment in cybersecurity, where concerns tend to lead to IT professionals saying “no” to a lot of ideas, while also eating up company time, money and resources.

“All those no’s either inhibit fast fluid business, or they increase the cost and the friction of anything a company wants to do.”

Meanwhile, hackers are getting more sophisticated, but they don’t even need to because the defence systems are so weak, Parsons said.

“If you’re a hacker, you have to succeed once; if you’re a defender, you have to succeed every single time.”

 

So your name is in the Ashley Madison database … are you a cheater? | Metro News

“There was no requirement for verification prior to being added to their database,” said Christopher Parsons, a post-doctoral researcher and cyber-security expert at the University of Toronto’s Citizen Lab.

“It’s entirely possible that people’s email addresses were added by friends or co-workers as a prank.”

But, he said, the likelihood of that “is somewhat low.”

Just because someone’s email address can be found in the database doesn’t mean they were active users who committed adultery. They could have just been curious about the site, Parsons said.

While those who registered for the site using their official, government-issued email addresses may be naïve, Parsons said some of them may have done so intentionally.

“Perhaps they share a personal email account with their spouse or partner,” he said. “Using their government account might have been seen as safer.”

Although there have been larger data breaches in the past, Parsons said the Ashley Madison hack is worrying because government officials found using the site could become victims of blackmail.

It’s happened after data breaches in the U.S. and could happen just as easily in Canada, he said.

 

Partnership between NSA and telecoms pose both security and privacy risk, experts say

Speculation remains as to whether the programs still exist, but as Cohn said: “The story that [these documents] tell is [the NSA is] just grabbing more, and more, and more, and more. Nothing in this six-year span is of them getting anything less. [So our] best guess is that trajectory continued.”

Christopher Parsons, postdoctoral fellow, Citizen Lab at the Munk School of Global Affairs, seconded Cohn’s thoughts and expressed surprise that no documents have indicated any change in programs.

Even if Americans aren’t exactly concerned about their data, per se, Parsons reminded that beyond losing its citizens’ trust, the U.S. government loses diplomatic credibility through these leaked documents. The government can’t argue for a free and open internet if it monitors foreigners and its own citizens, he said.

“If you use the internet, and the data goes through the U.S., the government is spying on it,” he said.

Encryption: Officials seek ‘backdoor’ entry points; critics decry government overreach

In other words, University of Toronto’s Chris Parsons wrote on Twitter, “you either support backdoors, or you support the murderers and child abuser.”

“I think that each company will have to evaluate the corporate risks associated with implementing any backdoors,” Mr. Parsons, a postdoctoral fellow who studies privacy and security at Citizen Lab, a division of the university’s Munk School of Global Affairs, told The Washington Times this week.

“While satisfying U.S. and U.K. government authorities might (temporarily) relieve pressure, the companies would suffer tremendous international criticism and suspicion were they to undermine the security of their products,” he continued, adding that a likely plummet in profits, if nothing else, “will buttress corporate principles and force companies (on their shareholders’ behalfs) to maintain their current security stances.”

Neither Google nor Apple has publicly responded yet to this week’s op-ed, but Mr. Parsons in Toronto says that it’s so far been promising to hear that law enforcement can’t crack a type of encryption that now comes standard.

“To a certain degree, it is reassuring that consumer-level encryption is sufficiently robust that even state authorities find it challenging to break. People and businesses entrust highly sensitive information and capabilities to their devices, and so this affirmation confirms that criminals who steal devices will have similar difficulties in using these against their owners,” he told The Times.

But it’s also reassuring, he added, “because the adoption of these strong standards is a result of companies acknowledging that law enforcement and other state agencies are overreaching in their access to customer data,” including federal and local security and law enforcement groups.

“Legal protections have simply not kept up with the people’s privacy expectations, and the adoption of these strong standards is an encouraging sign that companies are responding accordingly,” he said. “The reality is that, while this may close off one avenue of investigation to state agencies, these agencies now have access to more information with fewer legal restrictions than at any time in recent history.”

 

Ottawa’s ‘secret network’ in question following alleged hack

OTTAWA — The integrity of a federal “secret network” launched last year at a cost of millions to taxpayers is in question following an alleged hack this week that resulted in highly sensitive information becoming public.

It is possible, of course, to maintain the integrity of a network regardless of the number of people authorized for access, said Christopher Parsons, a fellow with the Citizen Lab at the Munk School of Global Affairs.

It’s just difficult, he said.

“The goal with these secured networks is to keep classified material in the classified space,” Parsons said in an interview. “If that firewall is maintained between classified and unclassified material, the number of people doesn’t immediately cause a problem.”

The potential for problems arises, however, when a weak link presents itself — and the more people brought in, the higher the chance a weak link will show up, Parsons explained, speaking broadly of classification and secure-network issues.

“It’s just the fact of the matter that the more people you have on any of these networks, the higher the chance someone accidentally moves a document where they weren’t supposed to, or intentionally moves a document somewhere they weren’t supposed to, or, in a worst case scenario, there’s an insider threat,” he said.

Based on the bit of information available at this point on this week’s incident, which comes mostly from Anonymous, it’s difficult to say whether the document was made available through a leak or a hack, Parsons said before offering five hypotheses making their way around:

The first is that some individuals found a way to remove redactions on a previously released document. Secondly, it’s feasible someone within Treasury Board accidentally shared the file through a program, innocuously moving it from the classified to unclassified network. The third possibility is similar, only the move from a secure to un-secure environment was intentional.

Another option still is that an employee’s laptop or device was infected with malware.

“Or, it could be, legitimately, the individuals calling themselves Anonymous this time successfully penetrated some element of the Treasury Board’s network,” Parsons said.

“Some of the government’s Crown Jewels lie in the Treasury Board’s networks. Having unauthorized parties within them would be a serious breach of not just cyber security, but national security … If one party is doing it, there’s no reason to think another party, like a foreign government isn’t doing the same thing.”

 

Pakistan Is Ordering Telecom Companies to Ban BlackBerry Encrypted Messaging

The government of Pakistan is “requesting” that three telecom companies stop providing BlackBerry’s encrypted messaging services to customers, according to documents obtained by civil rights group Bytes for All Pakistan.

“This demonstrates, at a policy level, that a very large government is willing to ban communications if they can’t gain access to it,” said Chris Parsons, a post-doctoral fellow at digital rights group Citizen Lab. “Maybe it’s just Pakistan, and nobody else will do it, but it’s certainly a strong change to, ‘If we can’t backdoor it, then we will ban it,’” he added.

 

The Case for Encryption | CJFE

Forgive me for sounding a little paranoid, but I’ve had the rainbows ripped from my eyes. Last fall, I signed up to work on a CBC investigation into Canada’s electronic spying programs, relying on the CBC’s exclusive access to the Edward Snowden/NSA leaks. It has been shocking to learn the capabilities of our intelligence agencies. But it has also been a surprising crash course in new technology, privacy and vital questions facing the future of journalism.

But surveillance risks go beyond reporters covering foreign conflicts, terrorism or spies, notes Christopher Parsons of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, who has helped the CBC dissect the Canadian Snowden documents. “Sports reporters might be less interesting to signals intelligence organizations but might still be very interesting to other sporting organizations, criminal betting organizations and so forth.”

“Malware and spyware infect computers across Canada on a regular basis; what do you do when your work computer, holding audio or text files pursuant to a sensitive story, has been compromised?” asks Parsons. “Do you want to notify sources? Do you want to have an ‘air gapped’ computer, which is disconnected from the Internet, where you store source materials, and another computer or device for writing your stories?”

These are awkward questions. No news organization wants to publicly admit its electronic communications are vulnerable. Frankly, I’ve never had a single conversation with the CBC’s IT people about whether we’ve been hacked or compromised, let alone been told what we do specifically to protect sensitive information. And it’s vital, because so much of our email and work these days lives in the cloud.

Rampant telecom surveillance conducted with little transparency, oversight

Canadian telecommunications providers have been handing over vast amounts of customer information to law enforcement and government departments and agencies with little transparency or oversight, a new report says.

“We conclude that serious failures in transparency and accountability indicate that corporations are failing to manage Canadians’ personal information responsibly,” says the report released by Citizen Lab today that examines how Canadian telecommunications data is monitored, collected and analyzed by groups such as police, intelligence and government agencies.

The report also criticizes the government’s “irresponsibility surrounding accountability” with respect to telecommunications surveillance. It warns that that could endanger the development of Canada’s digital economy and breed cynicism among citizens.

“Access to our private communications is incredibly sensitive,” said Christopher Parsons, lead author of the study and a postdoctoral researcher at Citizen Lab, which conducts research on information technology in the context of human rights and global security.

The report, funded by the Canadian Internet Registration Authority, showed Canadians recognize this and are very concerned.

But despite that, evidence suggests governments and law enforcement have been demanding millions of subscriber records from telecom firms in recent years.

“It raises real questions about the appropriateness of the powers or perhaps the appropriateness of the mandates or aggressiveness of the agencies that currently look to keep Canadians safe,” Parsons said.

Outdated laws

He noted there’s no way to know what the requests were about, how many there were or whether any one person’s data was requested, as Canadian law doesn’t require police to record or report any of that information.

Outdated laws require government departments and agencies to report telecommunications interceptions, but not access to stored communications such as emails and text messages, nor “non-sensitive” information such as records of calls dialed and received.

The Canada Border Services Agency is one of the few government departments that tracks such requests. In 2012 and 2013, it made 18,849 requests for telecommunications information. None were interceptions, the study found.

“That really indicates that the interception reports, while they’re very rigorous, they’re such a limited data set that they really don’t explain to parliamentarians or the public the extent or kind of surveillance that are commonplace in Canada today,” Parsons said.

A Supreme Court decision last year has forced police to start getting a warrant before requesting subscriber information from telecoms. While that has slashed the number of police requests for data, Parsons warns that new legislation that is currently before the Senate could make it easy for telecom data to be shared among police and government agencies.

New bill a concern

Bill C-51 would allow, for example, the Canada Revenue Agency to request information about a telecom customer related to a tax issue, then pass it on to the CBSA, RCMP or CSIS to probe something only marginally related, Parsons said.

Meanwhile, oversight bodies such as the privacy commissioner of Canada have no way to share information with other oversight bodies, such as the Security Intelligence Review Committee, which oversees CSIS.

And while the privacy commissioner can go to court to force private companies to comply with Canadian privacy laws, it can’t do that with government departments or agencies under the Privacy Act, Parsons said.

Another concern cited in the report is that governments and telecommunications companies have spent the past decade or so negotiating behind closed doors about technology to allow interceptions and the types of interceptions that should be mandated into law.

“I think that’s incredibly inappropriate,” Parsons said. Such interceptions are “something that we just need to do in contemporary law and order environment, but doesn’t have to take place in secretive back rooms.” He believes discussions about it should involve the public.

The report offers a long list of recommendations for corporations and government as to how they can become more transparent and accountable about telecommunications surveillance.

For example, Parsons hopes that Canadian telecommunications companies, which have just started releasing transparency reports about requests for customer data, will begin to issue more standardized and detailed reports as they do in the U.S.

He added, “I think we’re absolutely behind.”