Categories
Links

So your name is in the Ashley Madison database … are you a cheater? | Metro News

“There was no requirement for verification prior to being added to their database,” said Christopher Parsons, a post-doctoral researcher and cyber-security expert at the University of Toronto’s Citizen Lab.

“It’s entirely possible that people’s email addresses were added by friends or co-workers as a prank.”

But, he said, the likelihood of that “is somewhat low.”

Just because someone’s email address can be found in the database doesn’t mean they were active users who committed adultery. They could have just been curious about the site, Parsons said.

While those who registered for the site using their official, government-issued email addresses may be naïve, Parsons said some of them may have done so intentionally.

“Perhaps they share a personal email account with their spouse or partner,” he said. “Using their government account might have been seen as safer.”

Although there have been larger data breaches in the past, Parsons said the Ashley Madison hack is worrying because government officials found using the site could become victims of blackmail.

It’s happened after data breaches in the U.S. and could happen just as easily in Canada, he said.

 

Partnership between NSA and telecoms pose both security and privacy risk, experts say

Speculation remains as to whether the programs still exist, but as Cohn said: “The story that [these documents] tell is [the NSA is] just grabbing more, and more, and more, and more. Nothing in this six-year span is of them getting anything less. [So our] best guess is that trajectory continued.”

Christopher Parsons, postdoctoral fellow, Citizen Lab at the Munk School of Global Affairs, seconded Cohn’s thoughts and expressed surprise that no documents have indicated any change in programs.

Even if Americans aren’t exactly concerned about their data, per se, Parsons reminded that beyond losing its citizens’ trust, the U.S. government loses diplomatic credibility through these leaked documents. The government can’t argue for a free and open internet if it monitors foreigners and its own citizens, he said.

“If you use the internet, and the data goes through the U.S., the government is spying on it,” he said.

Encryption: Officials seek ‘backdoor’ entry points; critics decry government overreach

In other words, University of Toronto’s Chris Parsons wrote on Twitter, “you either support backdoors, or you support the murderers and child abuser.”

“I think that each company will have to evaluate the corporate risks associated with implementing any backdoors,” Mr. Parsons, a postdoctoral fellow who studies privacy and security at Citizen Lab, a division of the university’s Munk School of Global Affairs, told The Washington Times this week.

“While satisfying U.S. and U.K. government authorities might (temporarily) relieve pressure, the companies would suffer tremendous international criticism and suspicion were they to undermine the security of their products,” he continued, adding that a likely plummet in profits, if nothing else, “will buttress corporate principles and force companies (on their shareholders’ behalfs) to maintain their current security stances.”

Neither Google nor Apple has publicly responded yet to this week’s op-ed, but Mr. Parsons in Toronto says that it’s so far been promising to hear that law enforcement can’t crack a type of encryption that now comes standard.

“To a certain degree, it is reassuring that consumer-level encryption is sufficiently robust that even state authorities find it challenging to break. People and businesses entrust highly sensitive information and capabilities to their devices, and so this affirmation confirms that criminals who steal devices will have similar difficulties in using these against their owners,” he told The Times.

But it’s also reassuring, he added, “because the adoption of these strong standards is a result of companies acknowledging that law enforcement and other state agencies are overreaching in their access to customer data,” including federal and local security and law enforcement groups.

“Legal protections have simply not kept up with the people’s privacy expectations, and the adoption of these strong standards is an encouraging sign that companies are responding accordingly,” he said. “The reality is that, while this may close off one avenue of investigation to state agencies, these agencies now have access to more information with fewer legal restrictions than at any time in recent history.”

 

Ottawa’s ‘secret network’ in question following alleged hack

OTTAWA — The integrity of a federal “secret network” launched last year at a cost of millions to taxpayers is in question following an alleged hack this week that resulted in highly sensitive information becoming public.

It is possible, of course, to maintain the integrity of a network regardless of the number of people authorized for access, said Christopher Parsons, a fellow with the Citizen Lab at the Munk School of Global Affairs.

It’s just difficult, he said.

“The goal with these secured networks is to keep classified material in the classified space,” Parsons said in an interview. “If that firewall is maintained between classified and unclassified material, the number of people doesn’t immediately cause a problem.”

The potential for problems arises, however, when a weak link presents itself — and the more people brought in, the higher the chance a weak link will show up, Parsons explained, speaking broadly of classification and secure-network issues.

“It’s just the fact of the matter that the more people you have on any of these networks, the higher the chance someone accidentally moves a document where they weren’t supposed to, or intentionally moves a document somewhere they weren’t supposed to, or, in a worst case scenario, there’s an insider threat,” he said.

Based on the bit of information available at this point on this week’s incident, which comes mostly from Anonymous, it’s difficult to say whether the document was made available through a leak or a hack, Parsons said before offering five hypotheses making their way around:

The first is that some individuals found a way to remove redactions on a previously released document. Secondly, it’s feasible someone within Treasury Board accidentally shared the file through a program, innocuously moving it from the classified to unclassified network. The third possibility is similar, only the move from a secure to un-secure environment was intentional.

Another option still is that an employee’s laptop or device was infected with malware.

“Or, it could be, legitimately, the individuals calling themselves Anonymous this time successfully penetrated some element of the Treasury Board’s network,” Parsons said.

“Some of the government’s Crown Jewels lie in the Treasury Board’s networks. Having unauthorized parties within them would be a serious breach of not just cyber security, but national security … If one party is doing it, there’s no reason to think another party, like a foreign government isn’t doing the same thing.”

 

Pakistan Is Ordering Telecom Companies to Ban BlackBerry Encrypted Messaging

The government of Pakistan is “requesting” that three telecom companies stop providing BlackBerry’s encrypted messaging services to customers, according to documents obtained by civil rights group Bytes for All Pakistan.

“This demonstrates, at a policy level, that a very large government is willing to ban communications if they can’t gain access to it,” said Chris Parsons, a post-doctoral fellow at digital rights group Citizen Lab. “Maybe it’s just Pakistan, and nobody else will do it, but it’s certainly a strong change to, ‘If we can’t backdoor it, then we will ban it,’” he added.

 

The Case for Encryption | CJFE

Forgive me for sounding a little paranoid, but I’ve had the rainbows ripped from my eyes. Last fall, I signed up to work on a CBC investigation into Canada’s electronic spying programs, relying on the CBC’s exclusive access to the Edward Snowden/NSA leaks. It has been shocking to learn the capabilities of our intelligence agencies. But it has also been a surprising crash course in new technology, privacy and vital questions facing the future of journalism.

But surveillance risks go beyond reporters covering foreign conflicts, terrorism or spies, notes Christopher Parsons of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, who has helped the CBC dissect the Canadian Snowden documents. “Sports reporters might be less interesting to signals intelligence organizations but might still be very interesting to other sporting organizations, criminal betting organizations and so forth.”

“Malware and spyware infect computers across Canada on a regular basis; what do you do when your work computer, holding audio or text files pursuant to a sensitive story, has been compromised?” asks Parsons. “Do you want to notify sources? Do you want to have an ‘air gapped’ computer, which is disconnected from the Internet, where you store source materials, and another computer or device for writing your stories?”

These are awkward questions. No news organization wants to publicly admit its electronic communications are vulnerable. Frankly, I’ve never had a single conversation with the CBC’s IT people about whether we’ve been hacked or compromised, let alone been told what we do specifically to protect sensitive information. And it’s vital, because so much of our email and work these days lives in the cloud.

Rampant telecom surveillance conducted with little transparency, oversight

Canadian telecommunications providers have been handing over vast amounts of customer information to law enforcement and government departments and agencies with little transparency or oversight, a new report says.

“We conclude that serious failures in transparency and accountability indicate that corporations are failing to manage Canadians’ personal information responsibly,” says the report released by Citizen Lab today that examines how Canadian telecommunications data is monitored, collected and analyzed by groups such as police, intelligence and government agencies.

The report also criticizes the government’s “irresponsibility surrounding accountability” with respect to telecommunications surveillance. It warns that that could endanger the development of Canada’s digital economy and breed cynicism among citizens.

“Access to our private communications is incredibly sensitive,” said Christopher Parsons, lead author of the study and a postdoctoral researcher at Citizen Lab, which conducts research on information technology in the context of human rights and global security.

The report, funded by the Canadian Internet Registration Authority, showed Canadians recognize this and are very concerned.

But despite that, evidence suggests governments and law enforcement have been demanding millions of subscriber records from telecom firms in recent years.

“It raises real questions about the appropriateness of the powers or perhaps the appropriateness of the mandates or aggressiveness of the agencies that currently look to keep Canadians safe,” Parsons said.

Outdated laws

He noted there’s no way to know what the requests were about, how many there were or whether any one person’s data was requested, as Canadian law doesn’t require police to record or report any of that information.

Outdated laws require government departments and agencies to report telecommunications interceptions, but not access to stored communications such as emails and text messages, nor “non-sensitive” information such as records of calls dialed and received.

The Canada Border Services Agency is one of the few government departments that tracks such requests. In 2012 and 2013, it made 18,849 requests for telecommunications information. None were interceptions, the study found.

“That really indicates that the interception reports, while they’re very rigorous, they’re such a limited data set that they really don’t explain to parliamentarians or the public the extent or kind of surveillance that are commonplace in Canada today,” Parsons said.

A Supreme Court decision last year has forced police to start getting a warrant before requesting subscriber information from telecoms. While that has slashed the number of police requests for data, Parsons warns that new legislation that is currently before the Senate could make it easy for telecom data to be shared among police and government agencies.

New bill a concern

Bill C-51 would allow, for example, the Canada Revenue Agency to request information about a telecom customer related to a tax issue, then pass it on to the CBSA, RCMP or CSIS to probe something only marginally related, Parsons said.

Meanwhile, oversight bodies such as the privacy commissioner of Canada have no way to share information with other oversight bodies, such as the Security Intelligence Review Committee, which oversees CSIS.

And while the privacy commissioner can go to court to force private companies to comply with Canadian privacy laws, it can’t do that with government departments or agencies under the Privacy Act, Parsons said.

Another concern cited in the report is that governments and telecommunications companies have spent the past decade or so negotiating behind closed doors about technology to allow interceptions and the types of interceptions that should be mandated into law.

“I think that’s incredibly inappropriate,” Parsons said. Such interceptions are “something that we just need to do in contemporary law and order environment, but doesn’t have to take place in secretive back rooms.” He believes discussions about it should involve the public.

The report offers a long list of recommendations for corporations and government as to how they can become more transparent and accountable about telecommunications surveillance.

For example, Parsons hopes that Canadian telecommunications companies, which have just started releasing transparency reports about requests for customer data, will begin to issue more standardized and detailed reports as they do in the U.S.

He added, “I think we’re absolutely behind.”

Secret Documents Reveal Canada’s Spy Agencies Got Extremely Cozy With Each Other | VICE News

Highly classified documents obtained by VICE News offer new insights into how Canada’s two-headed spy apparatus works to blend its intelligence, skirt court oversight of its spying powers, and intercept communications inside the country’s borders.

Christopher Parsons, postdoctoral fellow at the Munk School, says there is long-standing ambiguity over when CSE can and cannot spy on its own citizens. And it’s worrying.

“Generally, we have questions about how meaningful, or not meaningful, Mandate C actually is,” he told VICE News.

Craig Forcese, law professor at the University of Ottawa and one of Canada’s foremost experts on security policy, says Mandate C is a tunnel through the barrier stopping CSE from snooping on Canadians.

“If CSE is providing assistance to CSIS under Mandate C, then CSE is clothed with the same legal authority CSIS has,” Forcese says. “So it can act as CSIS’s technological appendix, including in conducting domestic surveillance.”

University of Ottawa Professor Wesley Wark, a specialist in intelligence and national security, says there is need for a review body that can actually investigate how Mandate C is used, “in a way typically that the current CSE Commissioner has not, I don’t think, very fully.”

“The Ministry returned the letter requesting further details to address concerns raised by the Minister’s Office in relation to CSIS authority to enter into subsequent arrangements without further approval from the Minister each time,” reads a summary of changes requested to the documents.

It’s unclear if the minister’s change was actually made.

“If the minister put a stop to that, he should be congratulated,” says Parsons. The simple fact that the agencies were trying to bestow themselves that power is “more than a little bit concerning,” he says.

It’s long been speculated that signals intelligence has been the basis for many warrants and criminal charges, but that the fingerprints of CSE’s involvement were scrubbed before the application to the court was made.

“There’s a real question whether it’s CSE or CSIS in the driver’s seat,” says Parsons.

 

CSIS can’t keep up with ‘daily’ state-sponsored cyber attacks | Toronto Star

OTTAWA—Canada’s spies admit they can’t keep up with daily cyber attacks from state-sponsored hackers, according to an internal report obtained by the Star.

Christopher Parsons at University of Toronto’s Citizen Lab said the documents point to a larger conflict that’s largely been taking place behind the scenes — the militarization of the Internet.

“Canada is hardly alone as the target — or originator — of state-sponsored hacking,” Parsons said.

As countries, including Canada, continue to develop both offensive and defensive Internet capabilities, he said it’s become urgent to come to an international consensus of what counts as legitimate targets in the Internet age.

“The internet has become militarized behind the backs of most citizens, and I think that if we’re not going to roll back that militarization entirely … at the very least principled agreements about what are legitimate and illegitimate modes of militarization have to be established,” Parsons said.

 

New Mass Surveillance Laws Come to Canada, France, and the United Kingdom, as the NSA May Have Its Wings Clipped | VICE News

Canada’s Anti-Terrorism Act is just one step away from becoming law, with its controversial information-sharing and secret police powers still intact. France’s cyber-snooping bill is facing broad political support. And the United Kingdom’s nanny state law has been in effect for months, despite protestations of a coalition of anti-spying activists.

Christopher Parsons, postdoctoral fellow at the University of Toronto’s Citizen Lab, said that while neutering the Patriot Act might impede how Americans’ data gets scooped up, nobody should expect these changes will do much to kneecap the NSA’s mass spying regime.

“I think they can do it anyway,” Parsons told VICE News, pointing to Executive Order 12333 — the directive issued by Ronald Reagan that first permitted the NSA to spy on foreign soil.

“In an era of cloud computing, there is a strong argument to be made that even after that section of the Patriot Act goes away, where and when Americans’ data flows across international boundaries, it can be collected anyway,” he said.

And while the NSA’s ability to collect data within the United States might be “slightly diminished,” other American agencies with mandates to surveil domestic threats could simply take over.

Parsons says the emerging relationship between Washington and its Five Eyes partners – Canada, the United Kingdom, Australia and New Zealand — is evolving into something much more advanced.

“All the various signals intelligence agencies have become increasingly sophisticated in, not just their ability to collect data, but also their ability to share data with one another,” Parsons said.