A roundup of what I’ve said, to whom, and that was published this month.
Category: Links
Categories
Caught on Camera?
According to Christopher Parsons, a post-doctoral fellow and the managing director of the telecommunications transparency project at the University of Toronto’s Citizen Lab, the broadest applications to date [of facial recognition technologies] involve tranches of official photos maintained by government agencies that issue identification documents, such as passports and driver’s licenses.
In recent years, he adds, facial recognition software has become substantially more sophisticated. The advent of so-called 3-D recognition techniques allows the software to make matches between official posed photos and informal, un-posed ones—e.g., images posted on social media sites. What’s more, these biometric algorithms, which can “learn” to recognize faces based on composites developed from multiple images, are no longer restricted to government security. Facebook has a facial recognition app, and at least two developers have built apps for Google Glass that purport to be able to run facial images through picture databases from dating sites or sex offender registries, Forbes reported earlier this year.
To date, this kind of cross-referencing hasn’t produced great results, says Parsons, although he adds that the latest generation “is better than it used to be.”
…
And in Canada? Police in Vancouver successfully used facial recognition technology to identify looters during the Stanley Cup riot in 2011, drawing from videos submitted by bystanders as well as CCTV images. The technology was also deployed during the G8/G20 in Toronto. But Parsons points out that at date, there’s not enough data on general law enforcement applications to determine whether this sort of facial recognition is effective.
Alberta Primetime – Increased surveillance powers in Canada:
Discussing security, police surveillance, and the privacy of Canadians—is the federal government getting the balance right?
Uber’s ‘God View’ Was Once Available to Drivers:
I reached out to Chris Parsons, a cybersurveillance researcher at the University of Toronto’s Citizen Lab, to discuss Uber’s God View and the ramifications for users.
“Uber understandably has infrastructure in place to monitor where its drivers are and a business case can be made for some degree of monitoring of how, and how often, their clients use the service,“ he said. “However, such data must be carefully controlled with strict security, privacy, and access safeguards. At this point it doesn’t appear that such have been stringently developed or applied.”
…
“We know that national security and intelligence agencies are deeply interested in where people travel to, and in understanding the movement patterns of individuals regardless of their being identified as ‘targets’ of government surveillance,” Parsons continued. “And Uber’s seeming failure to secure its data—to the point where developers have already found ways of querying the data by reverse-engineering Uber’s mobile client software—would suggest that an intelligence or security service that was sufficiently motivated could do the same.”
…
“There’s no evidence that such a security or intelligence service has ‘cracked’ Uber but past Snowden revelations have revealed that the NSA and its partners are voracious collectors of all kinds of tracking data,” Parsons concluded. “There’s no reason why these agencies wouldn’t be as interested in Uber’s data as other services’ data that could identify where, and how often, people travel around their cities and around the world.”
New Documents Show Thousands of Unreported Wiretaps by Canadian Cops:
Christopher Parsons, a postdoctoral fellow with The Citizen Lab at the University of Toronto’s Munk School of Global Affairs, called the finding a missing link in our understanding of the scope of electronic surveillance in Canada.
“Wiretap data is, in theory, being recorded. But subscriber data and CDR data—neither of those have to be recorded under government statue,” Parsons explained. “There’s nothing in the legislation that will require agencies to record how often they got those court orders.”
…
Microsoft, BlackBerry and Cogeco, who were also presents at the meeting between Public Safety and industry stakeholders, did not respond to a request for comment.
“I think what’s most telling is it seems that the parties that have the best records of anyone in Canada is corporate Canada,” Parsons said. “These are the people who are being forced to use their resources to provide assistance to law enforcement, and law enforcement can’t even be bothered to record and disclose themselves how often this is going on.“
CSIS’s New Powers Demand New Accountability Mechanisms:
It is imperative that the Canadian public trust that CSIS is not acting in a lawless manner. And while improving how SIRC functions, or adding Parliamentary review, could regain or maintain that trust, a more cost-sensitive approach could involve statutory reporting. Regardless, something must be done to ensure that CSIS’ actions remain fully accountable to the public, especially given the new powers the Service may soon enjoy. Doing anything less would irresponsibly expand the state’s surveillance capabilities and threaten to dilute the public’s trust in its intelligence and security service.
Categories
Advancing Encryption for the Masses
Advancing Encryption for the Masses:
The work of WhatsApp, Facebook, Open Whisper Systems, the Electronic Frontier Foundation, and that other members of the ‘Let’s Encrypt’ initiative can massively reduce the challenges people face when trying to communicate more responsibly. And the initiatives demonstrate how the cryptographic and communications landscape is shifting in the wake of Snowden’s revelations concerning the reality of global-scale surveillance. While encryption was ultimately thrown out of the original design specifications for the Internet it’s great to see that cryptography is starting to get bolted onto the existing Internet in earnest.
Categories
Drupal in the Age of Surveillance
Drupal in the Age of Surveillance:
“Contemporary websites have almost innumerable places where information can be entered, logged, and accessed, by either the first party or third parties.”
That’s the frank assessment of Chris Parsons, a postdoctoral fellow at The Citizen Lab at the University of Toronto’s Munk School of Global Affairs. Parsons’ current research focus is on state access to telecommunications data, through both overt mechanisms and signals intelligence – covert surveillance.
Parsons recommends an approach to user data protection called threat modeling. “So who are you concerned about, what do you believe your ethical duties of care are, and then how do you both defend against your perceived attackers and apply your duty of care?”
Parsons suggests, “The first step is really just information inventory: what’s collected, why, where’s it going, for how long.”
For Parsons, having strong protections for user data is critical, and not merely from a privacy perspective. Rather, privacy protection is just sound business practice. Imagine this scenario, he suggests: “One of your core databases with customer information gets compromised.” Then, “If you have an auditor that comes in, or if you have the press pounding on your door, you don’t want to be telling either of those parties, ‘Yeah, that’s a good question. I don’t know where any of our data is. We don’t know what we lost.’”
…
Parsons is more pragmatic, acknowledging that when it comes to analytics the battle has already been lost, if it even happened at all. Still, he points to the practical advantages of maintaining your own statistics. “I often avoid using Google Analytics, in part because more and more people are blocking Doubleclick [and other Google] cookies.” Instead, Parsons opts for self-hosted solutions because, “I find that the truth that comes through them can be more useful.”
…
Parsons similarly recommends a tool called Social Share Privacy, which has an associated Drupal module. Like Mytube, Social Share Privacy communicates with the third party website only if a user first clicks a link. Parson comments, “If your content is really great – and most people hope it is – I don’t think that one extra click is going to doom the ability to share [it].”
…
Burdett explains that while standard encryption uses a single key that’s used across a server, there is a newer method called forward secrecy: “[It] means that a unique key is generated for each HTTPS session.” If you run an e-commerce bookshop and receive a law enforcement subpoena relating to a particular customer, Parsons says, “You as a bookshop seller do not want to be in a situation where you’re disclosing the decryption key for every person – or every IP address, rather – that has looked at your website and what books they’ve looked at.” Forward secrecy ensures there is no single key that decrypts all users’ communications.
…
For Parsons, once you’ve completed your information inventory and determined what you’re gathering – and how and why – a key next step is writing a detailed and appropriate privacy policy.
“You can usually tell it’s a bad privacy policy,” Parsons says, “as soon as you get stuff like, ‘In the provision of this service, we may provide information to third parties.’ Whereas you, as the site owner, know damn well that you’re using Google Analytics, you’re using Twitter, you’re using Facebook.”
A privacy policy is also a good place to point people to ways they can opt out. “I personally like seeing links or notices about ‘this is how you can avoid this if you want,’” Parsons says. “So you link someone out to Ghostery (a browser plugin used to block tracking software), or whatever you want to link them out to.”
As well as being specific, a privacy policy should be readable. Parsons notes, “You go and read the ‘disclosures’ that people make – their terms of service, their privacy policies – and you get this horrible language. No human in their right mind would ever know what was going on. And indeed, when I spoke with some businesses, they don’t know where that data is going.”
…
To Parsons, protecting user information should be anything but an afterthought. “Certainly, if there’s any sort of commercial or business interest involved, I think this just flows out of the business plan that you’ve probably developed.”
Picking out a face in the crowd: Toronto police considering facial recognition technology:
But for all its abilities, privacy advocates caution that the technology raises big questions about surveillance, and has potential implications for members of the public who aren’t suspects of a crime.
…
In cases like these, the technology has clear advantages, says privacy expert Christopher Parsons, a fellow at the Munk School of Global Affairs at the University of Toronto.
“Serious crimes — rapes, murders, manslaughter — these are the kinds of crimes that must be brought to justice,” he says. “But for other crimes, lesser crimes, maybe those aren’t the situations where we [should] use these really efficient, high-tech systems.” The risk, he says, is that “it starts … criminalizing a large portion of the population.”
Police aren’t the only organizations to employ this type of technology. Some department stores and retail chains also use it to catch repeat shoplifters. But Parsons points out there is a difference between private individuals capturing images and the police.
“[Private individuals] don’t have the power to arrest,” he says.
The Canadian Government Wants to Pay More People to Creep Your Facebook:
But government social media monitoring could very easily cross over into a legal gray area. Christopher Parsons, a cybersurveillance researcher at the University of Toronto’s Citizen Lab, said the collection of personal data from online sources needs to be rigorously justified, and even when it is, the data needs to be handled and stored safely.
“The government can’t just collect information about Canadians—even from public sourced data repositories such as social media—just because it wants to,” said Parsons in an email to me. “There have to be terms set on the collection, handling, disclosure, and disposal of personal information that the government wants to gather. As a result, even when data is collected for legitimate reasons that doesn’t mean the data can then be used in any way that the government (subsequently) decides.”
Strict oversights into how the government gleans and uses this intelligence—even in the service of testing policy reactions, as Parsons thinks this service will likely do—is required.
According to Parsons, that comes in the form of internal “privacy impact assessments” related to the specific social media surveillance program.
“Government agencies are supposed to conduct such assessments before collecting Canadians’ personal information and explain the specifics of how and why they will collect Canadians’ personal data,” said Parsons.
…
In the medium term, it appears Canadians can count on more of their tweets to be sucked up into a government social media surveillance system—then potentially shared across government departments.
Parsons told me that the sharing of the personal data of Canadian, in general, is only becoming more pervasive across government agencies.
“There has been a marked increase in the sharing of personal data between and across different departments because information is initially being collected for vague or far-sweeping reasons. Were social media information collected for similarly vague reasons then the government could then try to expansively share collected information across government,” he said.
Excited Pixels 