Advancing Encryption for the Masses

The work of WhatsApp, Facebook, Open Whisper Systems, the Electronic Frontier Foundation, and the other members of the ‘Let’s Encrypt’ initiative can massively reduce the challenges people face when trying to communicate more responsibly. And the initiatives demonstrate how the cryptographic and communications landscape is shifting in the wake of Snowden’s revelations concerning the reality of global-scale surveillance. While encryption was ultimately thrown out of the original design specifications for the Internet, it’s great to see that cryptography is starting to get bolted onto the existing Internet in earnest.

 

Drupal in the Age of Surveillance

“Contemporary websites have almost innumerable places where information can be entered, logged, and accessed, by either the first party or third parties.”

That’s the frank assessment of Chris Parsons, a postdoctoral fellow at The Citizen Lab at the University of Toronto’s Munk School of Global Affairs. Parsons’ current research focus is on state access to telecommunications data, through both overt mechanisms and signals intelligence – covert surveillance.

Parsons recommends an approach to user data protection called threat modeling. “So who are you concerned about, what do you believe your ethical duties of care are, and then how do you both defend against your perceived attackers and apply your duty of care?”

Parsons suggests, “The first step is really just information inventory: what’s collected, why, where’s it going, for how long.”

For Parsons, having strong protections for user data is critical, and not merely from a privacy perspective. Rather, privacy protection is just sound business practice. Imagine this scenario, he suggests: “One of your core databases with customer information gets compromised.” Then, “If you have an auditor that comes in, or if you have the press pounding on your door, you don’t want to be telling either of those parties, ‘Yeah, that’s a good question. I don’t know where any of our data is. We don’t know what we lost.’”

Parsons is more pragmatic, acknowledging that when it comes to analytics the battle has already been lost, if it even happened at all. Still, he points to the practical advantages of maintaining your own statistics. “I often avoid using Google Analytics, in part because more and more people are blocking Doubleclick [and other Google] cookies.” Instead, Parsons opts for self-hosted solutions because, “I find that the truth that comes through them can be more useful.”

Parsons similarly recommends a tool called Social Share Privacy, which has an associated Drupal module. Like Mytube, Social Share Privacy communicates with the third party website only if a user first clicks a link. Parsons comments, “If your content is really great – and most people hope it is – I don’t think that one extra click is going to doom the ability to share [it].”

Burdett explains that while standard encryption uses a single key that’s used across a server, there is a newer method called forward secrecy: “[It] means that a unique key is generated for each HTTPS session.” If you run an e-commerce bookshop and receive a law enforcement subpoena relating to a particular customer, Parsons says, “You as a bookshop seller do not want to be in a situation where you’re disclosing the decryption key for every person – or every IP address, rather – that has looked at your website and what books they’ve looked at.” Forward secrecy ensures there is no single key that decrypts all users’ communications.

For Parsons, once you’ve completed your information inventory and determined what you’re gathering – and how and why – a key next step is writing a detailed and appropriate privacy policy.

“You can usually tell it’s a bad privacy policy,” Parsons says, “as soon as you get stuff like, ‘In the provision of this service, we may provide information to third parties.’ Whereas you, as the site owner, know damn well that you’re using Google Analytics, you’re using Twitter, you’re using Facebook.”

A privacy policy is also a good place to point people to ways they can opt out. “I personally like seeing links or notices about ‘this is how you can avoid this if you want,’” Parsons says. “So you link someone out to Ghostery (a browser plugin used to block tracking software), or whatever you want to link them out to.”

As well as being specific, a privacy policy should be readable. Parsons notes, “You go and read the ‘disclosures’ that people make – their terms of service, their privacy policies – and you get this horrible language. No human in their right mind would ever know what was going on. And indeed, when I spoke with some businesses, they don’t know where that data is going.”

To Parsons, protecting user information should be anything but an afterthought. “Certainly, if there’s any sort of commercial or business interest involved, I think this just flows out of the business plan that you’ve probably developed.”

 

Picking out a face in the crowd: Toronto police considering facial recognition technology

But for all its abilities, privacy advocates caution that the technology raises big questions about surveillance, and has potential implications for members of the public who aren’t suspects of a crime.

In cases like these, the technology has clear advantages, says privacy expert Christopher Parsons, a fellow at the Munk School of Global Affairs at the University of Toronto.

“Serious crimes — rapes, murders, manslaughter — these are the kinds of crimes that must be brought to justice,” he says. “But for other crimes, lesser crimes, maybe those aren’t the situations where we [should] use these really efficient, high-tech systems.” The risk, he says, is that “it starts … criminalizing a large portion of the population.”

Police aren’t the only organizations to employ this type of technology. Some department stores and retail chains also use it to catch repeat shoplifters. But Parsons points out there is a difference between private individuals capturing images and the police.

“[Private individuals] don’t have the power to arrest,” he says.

 

The Canadian Government Wants to Pay More People to Creep Your Facebook

But government social media monitoring could very easily cross over into a legal gray area. Christopher Parsons, a cybersurveillance researcher at the University of Toronto’s Citizen Lab, said the collection of personal data from online sources needs to be rigorously justified, and even when it is, the data needs to be handled and stored safely.

“The government can’t just collect information about Canadians—even from public sourced data repositories such as social media—just because it wants to,” said Parsons in an email to me. “There have to be terms set on the collection, handling, disclosure, and disposal of personal information that the government wants to gather. As a result, even when data is collected for legitimate reasons that doesn’t mean the data can then be used in any way that the government (subsequently) decides.”

Strict oversight into how the government gleans and uses this intelligence—even in the service of testing policy reactions, as Parsons thinks this service will likely do—is required.

According to Parsons, that comes in the form of internal “privacy impact assessments” related to the specific social media surveillance program.

“Government agencies are supposed to conduct such assessments before collecting Canadians’ personal information and explain the specifics of how and why they will collect Canadians’ personal data,” said Parsons.

In the medium term, it appears Canadians can count on more of their tweets to be sucked up into a government social media surveillance system—then potentially shared across government departments.

Parsons told me that the sharing of the personal data of Canadians, in general, is only becoming more pervasive across government agencies.

“There has been a marked increase in the sharing of personal data between and across different departments because information is initially being collected for vague or far-sweeping reasons. Were social media information collected for similarly vague reasons then the government could then try to expansively share collected information across government,” he said.

 

German spy agency seeks millions to monitor social networks outside Germany

The BND also wants to spend €4.5 million to crack and monitor HTTPS (Hypertext Transfer Protocol Secure) encrypted Internet traffic. By 2020 some of that money may be spent on the black market to buy zero day exploits, unpublicized vulnerabilities that can be exploited by hackers. That program, called “Nitidezza”, should also provide better protection for government networks, German weekly Der Spiegel said in a separate report on BND’s budget requests.

Moreover, a plan to monitor Internet exchanges outside Germany is also in the works. Next year, the agency wants to spend €4.5 million on a program called “Swop” to provide additional hidden access to a non-German exchange, the newspaper report said.

Because the solution to the ‘cybersecurity problem’ is to undermine the capacity for secure communications rather than working to strengthen what we have…

Homeownership in America Has Collapsed—Don’t Blame Millennials – The Atlantic

The economy has a Gen-X problem. It’s a small cohort with a much-smaller-than-usual homeownership rate. And people wonder why the housing market is sluggish.

To quote a friend… “ah, it feels good to be blamed for something once again.” :p Damn us GenXers for ruining the economy.

2014.10.28

Elizabeth May, then the sole Member of Parliament representing the Green Party, tells the story of MPs of various party affiliations inquiring of her as to how she decides how she is going to vote on any particular bill or motion. She replies that she reads the bill, studies it, consults with her constituents, sometimes asks questions of the sponsor, and then comes to her position. Incredulous, MPs from other parties exclaim about how labour intensive that must be and how much easier it is to simply follow the voting instructions provided by the party whips! Undoubtably that is true. However, I believe most constituents would be shocked to discover that their elected representatives are voting automatons, often too disengaged to even follow what item they are voting on.

Brent Rathgeber, Irresponsible Government: The Decline of Parliamentary Democracy in Canada

Never let the facts get in the way of a good Cronkite moment

Lost in all the boosterism and talk of 9/11, solidarity and resolve was another inconvenient fact: A lot of the so-called ‘iron-clad’ reporting about what allegedly took place last Wednesday has turned out to be crap.

We were told that there were two or more shooters. Wrong. We were told that Wednesday’s shooting was likely “linked” to the hit and run death of Warrant Officer Patrice Vincent in St-Jean-sur-Richelieu, Quebec and hence that some sort of wider conspiracy was afoot. Wrong. We were told that shooter Michael Zehaf-Bibeau was on a high-risk travel list. Wrong. We were told that Zehaf-Bibeau wanted to travel to Syria. Wrong. (He hoped to go to Saudi Arabia – one of Canada’s best buddies in the Middle East.) We were told that the 90-odd individuals supposedly on a CSIS “watch” list were being “rounded up” by authorities. Wrong.

Even the “hero” Sergeant-at-Arms “story” is collapsing. Reportedly, Zehaf-Bibeau was shot at least a dozen times and possibly dead before Kevin Vickers fired his gun.

Conservatives mulling legislation making it illegal to condone terrorist acts online

Sources suggest the government is likely to bring in new hate speech legislation that would make it illegal to claim terrorist acts are justified online.

The Prime Minister told the House of Commons on Thursday that Canada’s law and policing powers need to be strengthened in the areas of surveillance, detention and arrest. He said work is already under way to provide law enforcement agencies with “additional tools” and that work will now be expedited.

The Conservative MP said the new legislation was crafted before this week’s events and is not “trauma tainted.”

Never waste a crisis: one way of using them is to pass legislation that’s crafted ‘well in advance’ of any given crisis, but that could likely only pass with the support of the House and/or the citizenry in the face of the crisis.

Actual Buzzfeed headline, or Onion parody of a Buzzfeed headline? – The Washington Post

The article: meh.

The humour: our purebred Himalayan cat looking dazed and confused on the Washington Post’s website.