
Is Uber’s rider database a sitting duck for hackers?

Imagine for a second that your job is to gather intelligence on government officials in Washington, or financiers in London, or entrepreneurs in San Francisco. Imagine further that there existed a database that collected daily travel information on such people with GPS-quality precision – where they went, when they went there and who else went to those same places at the same times.

Now add that all this location data was not held by a battle-hardened company with tons of lawyers and security experts, such as Google. Instead, this data was held by a start-up that was growing with viral exuberance – and with so few privacy protections that it created a “God View” to display the movements of riders in real-time and at least once projected such information on a screen for entertainment at a company party.

“It’s a huge trove of data that could be used for a whole number of uses,” said Christopher Parsons, a digital privacy expert at Citizen Lab, a research center at the University of Toronto.



FFS SSL

I just set up SSL/TLS on my web site. Everything can be had via https://wingolog.org/, and things appear to work. However the process of transitioning even a simple web site to SSL is so clownshoes bad that it’s amazing anyone ever does it. So here’s an incomplete list of things that can go wrong when you set up TLS on a web site.

Now you start to add secure features to your web app, safe with the idea you have SSL. But better not forget to mark your cookies as secure, otherwise they could be leaked in the clear, and better not forget that your website might also be served over HTTP. And better check up on when your cert expires, and better have a plan for embedded browsers that don’t have useful feedback to the user about certificate status, and what about your CA’s audit trail, and better stay on top of the new developments in security! Did you read it? Did you read it? Did you read it?

It’s a wonder anything works. Indeed I wonder if anything does.

Without any doubt this is one of the better(?) rants about SSL/TLS that I’ve read recently. And given my own recent experiences in setting up SSL/TLS on another site I entirely empathize: it was a horrible experience that involved tracking down what was causing things to break, when they were breaking, and how to remedy them. It was a non-trivial learning experience and that was a very simple site. Large sites… well, I shudder to consider the work entailed in securing them.

(As a sidenote: yes, SSL/TLS is broken. But it adds friction to mass surveillance processes and at little cost to the visitor of websites/users of web services. It’s a pain for those delivering content, but that’s a pain that it’s arguably appropriate for those content providers to bear.)
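Three of the pitfalls the quoted rant lists (cookies without the Secure flag, a site still reachable over plain HTTP, an expiring certificate) can be checked mechanically. The audit below is an added example, not code from the quoted post or from this site; the response headers, the clock and the certificate dates are constructed, and the expiry string uses the format Python's `getpeercert()` reports so the same check works on a real peer certificate.

```python
"""Added example: offline audit of a constructed HTTPS response for cookies
lacking Secure, a missing HSTS header, and a certificate near expiry."""
import ssl
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and its attributes (lower-cased)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_response(headers: Headers, cert_not_after: str, now: float,
                   warn_days: int = 30) -> List[str]:
    """Return one finding per pitfall; an empty list means all checks passed.
    cert_not_after is in the "Jun 26 21:41:46 2012 GMT" form of getpeercert()."""
    findings: List[str] = []
    has_hsts = False
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie '{cookie}' lacks Secure: browsers will also send it over http://")
        elif key == "strict-transport-security":
            has_hsts = True
    if not has_hsts:
        findings.append("no Strict-Transport-Security header: clients keep following http:// links")
    days_left = (ssl.cert_time_to_seconds(cert_not_after) - now) / 86400
    if days_left < warn_days:
        findings.append(f"certificate expires in {days_left:.0f} days")
    return findings


# Constructed sample data: a fixed clock, a weak response, and the same site hardened.
NOW = ssl.cert_time_to_seconds("Dec 15 00:00:00 2014 GMT")
WEAK_HEADERS: Headers = [("Content-Type", "text/html"),
                         ("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
HARDENED_HEADERS: Headers = [("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
                             ("Strict-Transport-Security", "max-age=31536000")]

if __name__ == "__main__":
    for finding in audit_response(WEAK_HEADERS, "Dec 31 23:59:59 2014 GMT", NOW):
        print("WEAK:", finding)
    print("hardened:", audit_response(HARDENED_HEADERS, "Dec 31 23:59:59 2016 GMT", NOW))
```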


Christopher Parsons weighs in on privacy concerns in Canada

A roundup of what I’ve said, to whom, and that was published this month.


Caught on Camera?

According to Christopher Parsons, a post-doctoral fellow and the managing director of the telecommunications transparency project at the University of Toronto’s Citizen Lab, the broadest applications to date [of facial recognition technologies] involve tranches of official photos maintained by government agencies that issue identification documents, such as passports and driver’s licenses.

In recent years, he adds, facial recognition software has become substantially more sophisticated. The advent of so-called 3-D recognition techniques allows the software to make matches between official posed photos and informal, un-posed ones—e.g., images posted on social media sites. What’s more, these biometric algorithms, which can “learn” to recognize faces based on composites developed from multiple images, are no longer restricted to government security. Facebook has a facial recognition app, and at least two developers have built apps for Google Glass that purport to be able to run facial images through picture databases from dating sites or sex offender registries, Forbes reported earlier this year.

To date, this kind of cross-referencing hasn’t produced great results, says Parsons, although he adds that the latest generation “is better than it used to be.”

And in Canada? Police in Vancouver successfully used facial recognition technology to identify looters during the Stanley Cup riot in 2011, drawing from videos submitted by bystanders as well as CCTV images. The technology was also deployed during the G8/G20 in Toronto. But Parsons points out that to date, there’s not enough data on general law enforcement applications to determine whether this sort of facial recognition is effective.



2014.11.26

The debate about cyber-security in political science and international relations has been very visible among policy elites. Policy-makers and their advisers read Foreign Affairs and Foreign Policy. However, political and social scientists often do not appreciate the technical details of network breaches, or security setups in critical infrastructure and industrial plants.

Most political scientists also lack the technical skills to call out poor-quality company reports or government documents. Instead, too many scholars seem happy to engage in self-referential theoretical debates of little relevance to anybody else – for instance, on the ‘securitisation’ of cyber-security.

Robert M. Lee and Thomas Rid. (2014). “OMG Cyber!: Thirteen Reasons Why Hype Makes for Bad Policy,” The RUSI Journal 169(5).

I cannot overstate how emphatically I agree with this general assessment of political science analyses of digital security issues.


Alberta Primetime – Increased surveillance powers in Canada



Uber’s ‘God View’ Was Once Available to Drivers

I reached out to Chris Parsons, a cybersurveillance researcher at the University of Toronto’s Citizen Lab, to discuss Uber’s God View and the ramifications for users.

“Uber understandably has infrastructure in place to monitor where its drivers are and a business case can be made for some degree of monitoring of how, and how often, their clients use the service,” he said. “However, such data must be carefully controlled with strict security, privacy, and access safeguards. At this point it doesn’t appear that such have been stringently developed or applied.”

“We know that national security and intelligence agencies are deeply interested in where people travel to, and in understanding the movement patterns of individuals regardless of their being identified as ‘targets’ of government surveillance,” Parsons continued. “And Uber’s seeming failure to secure its data—to the point where developers have already found ways of querying the data by reverse-engineering Uber’s mobile client software—would suggest that an intelligence or security service that was sufficiently motivated could do the same.”

“There’s no evidence that such a security or intelligence service has ‘cracked’ Uber but past Snowden revelations have revealed that the NSA and its partners are voracious collectors of all kinds of tracking data,” Parsons concluded. “There’s no reason why these agencies wouldn’t be as interested in Uber’s data as other services’ data that could identify where, and how often, people travel around their cities and around the world.”



New Documents Show Thousands of Unreported Wiretaps by Canadian Cops

Christopher Parsons, a postdoctoral fellow with The Citizen Lab at the University of Toronto’s Munk School of Global Affairs, called the finding a missing link in our understanding of the scope of electronic surveillance in Canada.

“Wiretap data is, in theory, being recorded. But subscriber data and CDR data—neither of those have to be recorded under government statute,” Parsons explained. “There’s nothing in the legislation that will require agencies to record how often they got those court orders.”

Microsoft, BlackBerry and Cogeco, who were also present at the meeting between Public Safety and industry stakeholders, did not respond to a request for comment.

“I think what’s most telling is it seems that the parties that have the best records of anyone in Canada is corporate Canada,” Parsons said. “These are the people who are being forced to use their resources to provide assistance to law enforcement, and law enforcement can’t even be bothered to record and disclose themselves how often this is going on.”



CSIS’s New Powers Demand New Accountability Mechanisms

It is imperative that the Canadian public trust that CSIS is not acting in a lawless manner. And while improving how SIRC functions, or adding Parliamentary review, could regain or maintain that trust, a more cost-sensitive approach could involve statutory reporting. Regardless, something must be done to ensure that CSIS’ actions remain fully accountable to the public, especially given the new powers the Service may soon enjoy. Doing anything less would irresponsibly expand the state’s surveillance capabilities and threaten to dilute the public’s trust in its intelligence and security service.



stopdataretention:

Who you email/txt, where you go, what sites you visit – stored by govt for 2 yrs under new laws.