Categories: Links, Writing

Categorizing Contemporary Attacks on Strong Encryption

Matt Burgess at Wired has a good summary article on the current (and always ongoing) debate concerning the availability of strong encryption.

In short, he identifies three classes of argument that are aimed at preventing individuals from protecting their communications (and their personal information) with robust encryption.

  1. Governments or law enforcement agencies are asking for backdoors to be built into encrypted platforms to gain “lawful access” to content. This is best exemplified by recent efforts by the United Kingdom to prevent residents from using Apple’s Advanced Data Protection.
  2. An increase in proposals related to a technology known as “client-side scanning.” Perhaps the best known effort is an ongoing European proposal to monitor all users’ communications for child sexual abuse material, notwithstanding the broader implications of integrating a configurable detector (and censor) on all individuals’ devices.
  3. The threat of bans or blocks on encrypted services. We see this in Russia’s actions concerning Signal, and in legal action against WhatsApp in India.

In this broader context it is worth recognizing that alleged Chinese compromises of key American lawful interception systems led the US government to recommend that all Americans use strongly encrypted communications. If strong encryption is banned, there is a risk that there will be no respite from such network intrusions, while a ban would also likely create an entirely new domain of cyber threats.

Categories: Links, Writing

An Initial Assessment of CLOUD Agreements

The United States has bilateral CLOUD Act agreements with the United Kingdom and Australia, and Canada also continues to negotiate an agreement with the United States.[1] CLOUD agreements are meant to alleviate some of the challenges attributed to the mutual legal assistance treaty (MLAT) process, namely that MLATs can be ponderous, with the result that investigators have difficulty obtaining information from communication providers in a manner they deem timely.

Investigators must conform with their domestic legal requirements and, with CLOUD agreements in place, can serve orders directly on the bilateral partner’s communications and electronic service providers. Orders cannot target the domestic residents of the partner country (i.e., the UK government could not target a US resident or person, and vice versa). Demands also cannot interfere with fundamental rights, such as freedom of speech.[2]

A recent report from Lawfare unpacks the November 2024 report that was produced to explain how the UK and US governments have actually used the powers under their bilateral agreement. It shows that, so far, the UK government has used the agreement substantially to facilitate wiretap requests, with the UK issuing,

… 20,142 requests to U.S. service providers under the agreement. Over 99.8 percent of those (20,105) were issued under the Investigatory Powers Act, and were for the most part wiretap orders, and fewer than 0.2 percent were overseas production orders for stored communications data (37).

By way of contrast, the “United States made 63 requests to U.K. providers between Oct. 3, 2022, and Oct. 15, 2024. All but one request was for stored information.” Challenges in getting UK providers to respond to US CLOUD Act requests, and American complaints about this, may cause the UK government to “amend the data protection law to remove any doubt about the legality of honoring CLOUD Act requests.”

It will be interesting to further assess how CLOUD agreements operate in practice at a time when there is public analysis of how the USA-Australia agreement has been put into effect.


  1. In Canada, the Canadian Bar Association noted in November 2024 that new enabling legislation may be required, including reforms of privacy legislation to authorize providers’ disclosure of information to American investigators.
  2. Debates continue about whether protections built into these agreements are sufficient.
Categories: Links

Privacy, Dignity, and Autonomy in the Workplace

Reporting by Sophie Charara unpacks the potential of contemporary workplace monitoring technologies. Of course, concerns about employee privacy and the overzealous surveillance of employees are not new. What is changing are the ways that contemporary technologies can be used, sometimes for potentially positive purposes (e.g., making it easier to determine if meeting rooms are actually available for booking, or ensuring that highly-trafficked areas of the office receive special cleaning) and sometimes for concerning ones (e.g., monitoring where employees gather in the workplace, tracking them in near-real time through the work environment, or monitoring communications patterns).

Ultimately, Charara’s work can help inform ongoing discussions about what safeguards and protections should be considered in the workplace, so that employees’ privacy is appropriately protected. It can also showcase practices that we may want to bar before they ever come into mainstream use, to protect the privacy, dignity, and autonomy of people in the workplace.

Categories: Links, Writing

VW Leaks Geolocation Data

Contemporary devices collect vast sums of personal and sensitive information, usually for legitimate purposes. However, this means that there is an ever-growing number of market participants that need to carefully safeguard the data they are collecting, using, retaining, or disclosing.

One of Volkswagen’s software development subsidiaries, Cariad, reportedly failed to adequately secure software installed in VW, Audi, Seat, and Skoda vehicles:

The sensitive information was left exposed on an unprotected and misconfigured Amazon cloud storage system for months – the problem has now been patched.

In some 466,000 of the 800,000 vehicles involved, location data was extremely precise so that anyone could track the driver’s daily routine. Spiegel reported that the list of owners includes German politicians, entrepreneurs, the entire EV fleet driven by Hamburg police, and even suspected intelligence service employees – so while nothing happened, it seriously could have been a lot worse.

This is a case where no clear harm has been detected. But it speaks more broadly to the continuing need for organizations to know what sensitive information they are collecting and the purposes of the collection, and to establish adequate controls to protect collected and retained data.

Categories: Links, Photography

Best Photography-Related Stuff of 2024

It’s the time of year for people’s best-of roundups. Like last year I wanted to recognize stuff that meant a lot to my photography through 2024. And, this year, I’ve also added a short list of hopes for stuff in 2025!


Photography Stuff I Used

Yonge & Dundas, Toronto, 2024

Best Technology of 2024

The big change this year? I pretty well completely pivoted to my Leica Q2, and only with rare exceptions did I use the Ricoh GR IIIx or my iPhone 14 Pro. When I bought the Q2 it was, in part, to be able to capture images at night where there was little light. I’ve made images under these conditions that I’m happy with, and I’ve come to learn how to better use the 28mm focal length. At this point I’ve created well over ten thousand frames over the year.[1]

I upgraded to the 11” iPad Pro (2024) and definitely appreciate how light the device is, and how vibrant the screen is. I continue to use an iPad Mini for most of my actual reading but write a lot of blog posts on the iPad Pro and do all my photo editing on it.

When I take my photowalks I’m always listening to a podcast or music on my AirPods Pro. However, I’ve long had an issue with finding tips that best fit my ears; the ones in the box always slip out. I recently learned about, and bought, the SpinFit CP1025 (S/SS) and they’ve been game-changing. I get a perfect fit and the AirPods stay in my ears. Highly recommend them!

Best Services I Paid For

I continue to post images to Glass each day. I’m still disappointed with their AI search, and especially disappointed that landscape viewing on the iPad has now been broken for about a year.[2] Still, it’s a terrific community and a good place to post images regularly.

Apple One is key to my data management strategy. I’m still under the 2TB that is provided as part of the subscription though, with my current data use, I suspect that in 3-5 years I’ll need to expand that 2TB storage limit.

Lastly, while I’ve watched less photography YouTube this year, I continue to appreciate YouTube Premium. It’s still the subscription service that I use most regularly.

Best Apps

Have I changed the apps that I rely on regularly since 2023?

Nope.

And so my best apps of 2024 include:

  • Glass: I use it to share my images on a daily basis.
  • Geotags Photos Pro and Geotags Photo Tagger: I use these to add geotags to my images.
  • Reeder Classic: To follow various photography blogs.
  • Apple Podcasts app: I use this to listen to photography podcasts while on my weekly photowalks.
  • Apple News: To read photography magazines and websites that would otherwise be paywalled.
  • Apple Photos: Used to edit and store all my images. I don’t love the iOS version of the application, but it is what it is.

Stuff I Made

College & Clinton, Toronto, 2024

Writing

  • Sharing Photographs, and Photography, with Others and Growing as a Photographer: Despite being pretty used to being in the public eye as a result of my day job, it’s different to expose myself when sharing the images that I make. Those images, if read carefully, reveal some elements of myself that I showcase less often, and this is made even more revelatory when producing and sharing physical items with people I respect or submitting digital images to competitions. Just talking about that experience was liberating and reaffirmed that I am, slowly, growing as a photographer.
  • Accidentally Discovered Street Photos: Imagine my surprise when, after opening my used copy of Conversations: With Contemporary Photographers, a strip of exposed Kodak 100TX film fell out! I used a free app to enlarge some of the images and, while my efforts weren’t spectacular, it did result in seeing — and sharing — some images from an earlier time.
  • 10 Tips for Starting to Photograph on the Street: I regularly read and view content that is meant to help new photographers get comfortable on the streets. Much of that content is good but is directed towards a certain kind of concern, and way of behaving, on the streets (e.g., Zone focus! Shoot from the hip! Be invisible!). I think that my 10 tips are for people like me who are interested in making street photos but are shy about even being seen with a camera. Really, this is a blog post written for myself which, if I’d read it 10 years ago, would have given me a clearer sense of what I could do to develop my confidence and skills.
  • Nuit Blanche, 2024: I’ve been attending Nuit Blanche in Toronto, an annual art festival that runs for a single day from sundown to sunup, for many years. I always make photographs during it but, at the same time, have been challenged by using a smaller APS-C sensor camera. I was pleased both with the art that I experienced this year and with the ability of the Leica Q2 to capture images more like how I wanted them, due to its lens and sensor size.

Stuff I Read

Oxford & Augusta, Toronto, 2024

Best Photography Books and Magazines

  • Metropolis: I’ve followed Alan’s work for years and appreciate how stark his imagery is and his absolute attention to form. His images carefully consider what is absolutely needed to communicate his vision and no more.
  • Conversations: With Contemporary Photographers: This was probably the most important book about photography that I read this year. I’m, personally, interested in thinking more deeply about the ontology of photography and what it is and is not. The photographers interviewed in the book provided a range of interpretations of what photography is, and means, for each of them, and I benefitted tremendously from their thoughts on the medium as one which controls time and, also, the role of time in their own creative activities.
  • Framelines: The team behind Framelines improves the magazine with every issue. From enhancements to the printing, imagery, interviews, and even shipping, this is an instant purchase each time they come out with a new issue. I particularly appreciate how they celebrate new and emerging photographers from around the world and platform those who, otherwise, I’d be entirely unaware of.
  • André Kertész: Sixty Years of Photography: This book is a gift to photographers and the image-viewing public more broadly. Published back in 1978, it catalogues Kertész’s photographic history. It is when we look at images like these that it becomes apparent how much you can do with black and white images that are focused on the forms across a frame, and also how having decades of images enables a playfulness between pages so that works from different decades can speak to one another and create a perception of continuity across time and space. If you are committed to street images, black and white images, or just seeing how history unfolded over sixty years, then this book is a must-see.
  • The Pleasure of Seeing: Conversations with Joel Meyerowitz on sixty years in the life of photography: Joel is, of course, a (still living) legend and has a number of different monographs under his name. This book is a little different because it explores his thought process across the different phases or eras of his photography. Now, if you’ve actively listened to his talks, interviews, podcasts, and so forth over the past decades many of the messages he communicates will be familiar. But to have them all in one place, along with his images that underscore his creative vision, is a real gift to photographers.

Stuff I Watched

Great Lakes Waterfront Trail, Toronto, 2024

Best Movies

  • Lee: This was an engrossing and highly cinematic movie. I liked how it conveyed the experiences that female photographers and journalists experienced during the time period and, also, communicated the toughness of Lee Miller and the harmful effects of being a war photographer more generally.
  • Harry Benson: Shoot First: I thought this was a terrific documentary of Benson who has made a living capturing images of celebrities. The images are profound but, also, you walk away with a sense that he lacks much empathy for his subjects. The inclusion of those who love his work, and those who hate it, helps to communicate what a controversial figure Benson has been throughout his life and career.

Best YouTube Channels

  • Paulie B: Almost certainly one of the most important American street photography channels, Paulie B has done a masterful job interviewing a range of photographers across the United States to understand what drives and inspires them. His episodes showcase photographers who may not be widely known, unpack the creative processes of those he interviews, and also let other street photographers really see how others work the streets. We’ve all heard about how the greats of the 1960s and 1970s worked; Paulie B is showing us how our American contemporaries move, think, and behave.
  • James Popsys: James is a quiet and almost introspective photographer, traits that do not necessarily lend themselves well to YouTube. However, his thoughtful meditations on how and why he makes images, combined with the sheer beauty of his work, result in each video containing a gem that is worth treasuring.
  • Photographic Eye: Some channels on YouTube focus on gear or technical methods of getting certain kinds of images. The Photographic Eye is not that. Instead, Alex Kilbee explains the intellectual processes of photography and speaks as a kind mentor or peer who is, also, working through his photography. I particularly like how he shares some of his own images so that viewers can appreciate the variety and intentionality behind image making.
  • The Art of Photography: Ted Forbes has been running his channel for over sixteen years at this point and has made videos on just about everything that you’d ever want to know about. I find his historical episodes that break down, and showcase, the great photographers essential to my own photographic education. And his episodes that showcase viewers’ own projects have led me to finding a range of photographers and purchasing work from them.[3]

Stuff I Subscribed To

Richmond & Spadina, Toronto, 2024

Best Podcasts

  • The Photowalk: I’ve been a supporter of the Photowalk for several years and it’s a regular joy and pleasure to hear Neale and his guests talk about the broader experiences of making images. The discussions rarely touch on gear and, instead, are centred around the ‘why’ of image making. Whenever I’m out on a weekly photo walk, I’m listening to Neale and recommend that you do the same.
  • Frames Photography Podcast: Frames features photographers from across the different photographic genres. Many of the discussions are insightful for understanding what is behind different photographers’ creative processes, what motivates their projects, and how they work to express themselves to the broader world.
  • Street Photography Magazine: Featuring street photographers from around the world, this podcast exposes how and why different people got into the genre, what they aim to present through their work, and the rationales underlying how they make their images. Many of the photographers who are interviewed talk about their recent, or ongoing, projects which serves to underscore the different ways in which projects are conceptualized and brought into the world.
  • The Candid Frame: Conversations on Photography: Operating since 2006, The Candid Frame features photographers from all walks of life discussing the how and why of their image making. This is particularly useful, for me, in learning about photographers working in genres entirely different from street photography and learning how their thought processes can apply to my own photographic life.
  • Street Life Podcast: This is one of the most recent additions to my list of podcasts and I’ve been enjoying every episode this year. It typically features photographers working in and around Australia and, aside from Houman Katoozi, I’m largely unfamiliar with folks working on that continent. The podcast often has a sense of friends talking amongst themselves about street photography and you’re just overhearing them as they joke with one another, talk about the Australian street photography community, and the challenges they’re facing in their own photographic activities.

Best Blogs/RSS Feeds

  • GR Official: As an owner of a few Ricoh GRs I’m always curious about how others handle and experience the camera. This blog features a range of authors, with a diversity of photographic backgrounds and personal experiences, which means that each blog is a bit of a surprise: is this going to be a more reflective piece, a showcase of just a few images, thoughts on a piece of equipment, or…?
  • Little Big Traveling Camera: I am always envious of how focused this photoblog is, how thoughtful the author is, and how well put together the images are. LBTC is, to my eye, the definition of what an excellent personal photoblog can be.
  • Mobiography: I don’t take a large number of mobile phone photographs but I appreciate learning how such images can be made. If nothing else, it showcases just how much can be done with the phones of today (as well as those of a decade or more ago) in the hands of competent photographers.
  • The Phoblographer: A regular publication that both showcases contemporary work while also engaging in some opinion and discussion about trends or issues in the photographic world.
  • Ming Thein: I owe a lot of what I (think I) understand about photography to Ming’s blog. He shuttered it several years ago but has kept it alive / in archival mode. I hope that it never goes away given how helpful and insightful his writing is for new and more experienced photographers alike.
  • Skinny Latte’s Creative Brain: I loved the published photoessays, which exhibited gorgeous photography along with explanations and narratives surrounding the images themselves. Sadly the photoblog has been left behind, but the images and stories remain worth revisiting periodically.

Hopes for the future

Front & Bay, Toronto, 2024

  • Apple Photos: I just want it to reach parity with its Mac counterpart. We know that Apple has purchased Pixelmator and I’m hopeful that some of that DNA makes its way over to Photos.
  • iPhone Camera app: I’ll be honest, the new iPhones’ ability to better control and develop custom JPG settings along with the adoption of JPG XL are very exciting and make me look forward to whenever I upgrade from my iPhone 14 Pro. However, I really wish that Apple would bring additional exposure metering to the iPhone and, in particular, highlight metering for my black and white images. While there are ways to get around this on the iPhone it’d be nice if it was something they could do by default.
  • WordPress: I’ve been using WordPress for over 18 years at this point and it just seems to get more and more bloated. There are basic things that just don’t seem to be well developed, such as media management or the presentation of images, while a huge amount of effort has been put into turning WordPress into an enterprise CMS. I get that the company’s business is derived from its enterprise work but it’d be nice if basic features were also included in the priority product lists.
  • Leica Q2 Thumb Grip: In a late end-of-year purchase, I’ve ordered the ‘official’ Q2 thumb grip to further improve on the ergonomics of the Q2. Here’s hoping that I end up happy with it!

  1. Though, admittedly, I’ve kept far fewer after doing my regular culling.
  2. Yes, I’ve contacted support. No, I never heard anything back.
  3. In the interests of disclosure I was featured in one of the mailbag episodes for my Postcards project.
Categories: Links, Writing

American Telecommunication Companies’ Cybersecurity Deficiencies Increasingly Apparent

Five Eyes countries have regularly and routinely sought, and gained, access to foreign telecommunications infrastructures to carry out their operations. The same is true of other well-resourced countries, including China.

Salt Typhoon’s penetration of American telecommunications and email platforms is slowly coming into relief. The New York Times has an article that summarizes what is being publicly disclosed at this point in time:

  • The full list of phone numbers that the Department of Justice had under surveillance in lawful interception systems has been exposed, with the effect of likely undermining American counter-intelligence operations aimed at Chinese operatives
  • Phone calls, unencrypted SMS messages, and email providers have been compromised
  • The FBI has heightened concerns that informants may have been exposed
  • Apple’s services, as well as end to end encrypted systems, were not penetrated

American telecommunications networks were penetrated, in part, because companies rely on decades-old systems and equipment that do not meet modern security requirements. Fixing these deficiencies may require ripping out and replacing some old parts of the network, with the effect of creating “painful network outages for consumers.” Some of the targeting of American telecommunications networks is driven by an understanding that American national security defenders face some restrictions on how they can operate on American-based systems.

The weaknesses of telecommunications networks and their associated systems are generally well known. And mobile systems are particularly vulnerable to exploitation as a result of archaic standards and an unwillingness by some carriers to activate the security-centric aspects of 4G and 5G standards.

Some of the Five Eyes, led by Canada, have been developing and deploying defensive sensor networks that are meant to shore up some of the defences of government and select non-government organizations.[1] But these edge, network, and cloud-based sensors can only do so much: telecommunications providers themselves need to prioritize ensuring their core networks are protected against the classes of adversaries trying to penetrate them.[2]

At the same time, it is worth recognizing that end-to-end encrypted communications continued to be protected even in the face of Salt Typhoon’s actions. This speaks to the urgent need to ensure that these forms of communications security continue to be available to all users. We often read that law enforcement needs select access to such communications and that it can be trusted not to abuse such exceptional access.

Setting aside the vast range of legal, normative, or geopolitical implications of weakening end-to-end encryption, cyber operations like the one perpetrated by Salt Typhoon speak to governments’ collective inability to protect their lawful access systems. There is no reason to believe they would be any more able to protect exceptional access measures that weakened, or otherwise gained access to, select content of end-to-end encrypted communications.


  1. I have discussed these sensors elsewhere, including in “Unpacking NSICOP’s Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack”. Historical information about these sensors, which were previously referred to under the covernames of CASCADE, EONBLUE, and PHOTONICPRISM, is available at the SIGINT summaries.
  2. We are seeing some governments introducing, and sometimes passing, laws that would foster more robust security requirements. In Canada, Bill C-26 is generally meant to do this, though the legislation as introduced raised some serious concerns.
Categories: Links

New Russian APT Daisy-Chain Capability Revealed

In an impressive operation, a Russian APT reportedly targeted a Washington, DC network in 2022 after daisy-chaining through a sequence of neighbouring networks and devices. The trick: they may have done so without ever using any local operatives.

This is a movie-like kind of operation and speaks to the immense challenges in defending against very well resourced, motivated, and entrepreneurial adversaries.

Wired has a good and accessible article on the cyber activity. The full report is available at Volexity’s website; it’s well worth the read, if only to appreciate the tradecraft of the adversaries as well as Volexity’s own acumen.

Categories: Links, Writing

Emerging Trends from Canadian Privacy Regulators and Cybersecurity Legislation?

Earlier this evening, the Office of the Privacy Commissioner of Canada (OPC) appeared before the Standing Senate Committee on National Security, Defence and Veterans Affairs on the topic of Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

While at Committee, Commissioner Dufresne recognized the value of making explicit the OPC’s oversight role concerning the legislation. He also reaffirmed the importance of requiring any collection, use, or disclosure of personal information to be both necessary and proportionate. Should the Standing Committee decline to adopt this amendment, it was advised to, at a minimum, include a requirement that data only be retained for as long as necessary. Government institutions should also be required to undertake privacy impact assessments and consult with the OPC.

Finally, in cases of cyber incidents that may result in a material breach, his office should be notified; this could entail the OPC being notified by the Communications Security Establishment based on a real risk of significant harm standard. Information sharing agreements should also be put in place that provide minimum privacy safeguards while also strengthening governance and accountability processes.

The safeguards the OPC is calling for are important and also overlap with many of those called for by the Information and Privacy Commissioner of Ontario (written submission, Commissioner Kosseim’s oral remarks) concerning the provincial government’s Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024.

Should other Canadian jurisdictions propose their own cybersecurity legislation to protect critical infrastructure and regulated bodies it will be interesting to monitor for the consistency in the amendments called for by Canada’s privacy regulators.

Categories: Links, Writing

Significant New Cybersecurity Protections Added in iOS 18.1

Apple has quietly introduced an enhanced security feature in iOS 18.1. If you haven’t authenticated to your device recently — within the past few days — the device will automatically revert from the After First Unlock (AFU) state to the Before First Unlock (BFU) state, with the effect of better protecting user information.[1]

Users may notice this new functionality by sometimes needing to enter their credentials to unlock their device if they haven’t used it recently. The effect is that stolen or lost devices will be returned to a higher state of security, impeding unauthorized parties from gaining access to the data that users have stored on their devices.

There is a secondary effect, however, insofar as these protections in iOS 18.1 may impede some mobile device forensics practices by automatically returning seized devices to a higher state of security (i.e., BFU) after a few days. This can reduce the volume of user information that is available to state agencies or other parties with the resources to forensically analyze devices.

While this change may raise concerns that lawful government investigations will be impaired, it is worth recalling that Apple is responsible for protecting devices from around the world. Numerous governments, commercial organizations, and criminal groups are amongst those using mobile device forensics practices, and iOS devices in the hands of a Canadian university student are functionally the same as iOS devices used by Fortune 50 executives. The result is that all users receive an equivalently high level of security, and all data is strongly safeguarded regardless of a user’s economic, political, or socio-cultural situation.


  1. For more details on the differences between the Before First Unlock (BFU) and After First Unlock (AFU) states, see: https://blogs.dsu.edu/digforce/2023/08/23/bfu-and-afu-lock-states/
Categories: Links, Writing

Encryption Use Hits a New Height in Canada

In a continuing demonstration of the importance of strong and privacy-protective communications, the federal Foreign Interference Commission has created a Signal account to receive confidential information.

Encrypted Messaging
For those who may feel more comfortable providing information to the Commission using encrypted means, they may do so through the Signal – Private Messenger app. Those who already have a Signal account can contact the Commission using our username below. Others will have to first download the app and set up an account before they can communicate with the Commission.

The Commission’s Signal Username is signal_pifi_epie20.24

Signal users can also scan QR Code below for the Commission’s username:

The Commission has put strict measures in place to protect the confidentiality of any information provided through this Signal account.

Not so long ago, the Government of Canada was arguing for an irresponsible encryption policy that included the ability to backdoor end-to-end encryption. It’s hard to overstate the significance of a government body now explicitly adopting Signal.