Category: Writing

Categories
Writing

Brief Thoughts on Google’s ‘Shared Endorsements’ Policy

Simon Davies, one of the world’s most prominent privacy advocates, has filed formal complaints across the EU concerning Google’s ‘Shared Endorsements’ policy. Per this policy, Google may use:

the images, personal data and identities of its users to construe personal endorsements published alongside the company’s advertised products across the Internet

The legality of recent changes to Google’s policies that allow the company to share personal data across all its products and services are currently being investigated by a number of EU data protection authorities. The data protection issues and violations highlighted in my complaint go the heart of many of the aspects under investigation. Indeed the Shared Endorsements policy is made possible only through company-wide amalgamation of personal data.

In effect, Davies argues that the amalgamation of Google’s services under the company’s harmonized privacy policy/data pooling policy may be illegal and that, moreover, individuals may not know that their images and comments might be revealed to people they know upon leaving reviews of products and services in Google-owned environments.

Admittedly, I find that the shared pooling of information across my networks can be incredibly helpful (e.g. highlighting the reviews/opinions of people I know concerning various subjects and topics). Knowing that a colleague with whom I share book interests likes a book is more helpful to me than a review from someone that I don’t know. At the same time, I review products that I’ve purchased online quite often: given how helpful others’ reviews can be when I’m purchasing a product it seems like a courtesy to provide information into a private-commons. So, while I would prefer a review from a colleague I’m perfectly willing to make purchasing decisions based on what absolute strangers say/write as well.

The more significant issue with Google’s products, in my opinion, emerges from how the company’s business decisions are narrowing the range of commentary individuals may engage in. Such self-censorship is largely attributable to linking all comments to a person’s real name/public identity. Personally, this means that I often avoid leaving some book reviews, not because I’m ‘ashamed’ of the review but because I worry about whether it could detrimentally affect my future publishing opportunities. My reviews are (I think) reasonably high quality and fair but I refuse to leave some without some degree of pseudonymity. There is no reason to believe that my decision is unique: those in similar, tight-knit, industries likely experience similar pressures to avoid reviewing/commenting on some products, despite being experts concerning the product(s) in question.

I am not from  a ‘marginalized’ or ‘repressed’ social population, and Google is seemingly deploying platforms that are meant to serve people like me: people who freely review products online and who find it acceptable that such reviews are publicly shared and oftentimes highlighted to specific users. And yet, even I avoid saying certain (legal) things based on the (unknown) consequences linked to such speech acts. Despite being reasonably savvy concerning the collection, use, and sharing of personal information even I do not fully appreciate or understand how Google collects, retains, processes, or disseminates information I provide to the company. If even I am censoring legitimate speech because of the vicissitudes of Google’s privacy policies and uncertainties associated with providing content on their platforms then there is (to my mind) a very serious problem at the very base of the company’s contemporary data-integration and disclosure operations.

Categories
Writing

Cyberstalking, Victimization, and the Experience of Fear

Ars Technica has a good piece on how cyberstalkers and bullies operate, with reporting based on studies (circa 2006, admittedly) and some anecdotal evidence. In effect, the mechanisms to stalk and bully online are often easy to use, reasonably accessible, and capable of significant intrusion into people’s lives. However, what struck me most poignantly was the concluding section of the article:

In this particular case, going to law enforcement wasn’t going to be much of an option. The woman said she had gotten rid of the BlackBerry, so there was no way to perform forensics on it to gather evidence. The same was true of her father’s computer, which the technician had wiped clean.

That’s a common problem in dealing with these sorts of cases, Southworth said. “Some victims just want their device clean and just want the stalking to stop. But if you clean off the device, you’re destroying the evidence.” And for victims who are trying to deal with an abusive relationship, trying to do anything to remove malware from a phone or computer could put the victim in danger. “Even looking for the spyware can raise the risk,” Southworth said, because the software could alert the attacker of the attempt and trigger violence.

And even when software is removed, the persistence of such stalkers usually means that they won’t stop their behavior—they’ll just take different approaches. That, paradoxically, is an upside for law enforcement, Southworth said. “They don’t stop, so if she wants law enforcement to get involved,” she said referring to the victim, “there’s likely another form of stalking going on for them to catch him with.”

People who haven’t experienced stalking, or the fear of stalking, may not appreciate the emotional desire to just make it stop. Such desires are often based on an attempt to feel ‘safe’ again, often when doing simple things like buying groceries, waiting for a bus, or just going home. As such, wanting to remove the suspicious tracking systems – instead of leaving them there, and maintaining the fear, in the hopes of a criminal arrest – will often take priority over ‘catching’ the perpetrator. But, at the same time, there is often a fear that the very act of ‘making the surveillance stop’ could lead to physical consequences. It’s a lose-lose experience, where any decision merely modifies the ‘kind’ of fear instead of terminating the experience of fear itself.

Moreover, removing suspected surveillance-ware may not alleviate the fear of being monitored: most technical systems (effectively) operate like magic for the majority of the computer-using population. How the surveillance-ware was even installed, or if it was all purged, or if it could infect a person’s computer systems again, will often pervade how a person uses computers. In light of specific concerns (surveillance) that are imprecisely directed (i.e. is my phone, my computer, or other device infected and, if so, would I even know?) a person may simply avoid some actions or actively engage in deceptions to ‘throw off’ someone who might be watching.

In effect, concerns of possible but undetected surveillance are often accompanied by heightened privacy and security efforts. These efforts might be more or less effective (or even needed!), and taking such efforts will almost certainly diminish a person’s ‘normal’ uses of services (e.g. Facebook) that their (not-stalked/bullied) friends and colleagues get to enjoy. Moreover, the experience of having to use such privacy and security techniques is representative of the scarring left by online stalking and bullying: ‘normality’ becomes defined as a defensive posture online based on (often) physical fears. No one’s ‘normal’ should be predominantly defined by fear.

It’s this broader emotional fear that is challenging to address, both in terms of law (i.e. getting the data needed to pursue a meaningful conviction or punishment) and personal mental health (i.e. learning to ‘trust’ systems that aren’t really understood and that have previously compromised a person’s life possibilities).

In Canada, the federal government has recently introduced legislation ostensibly meant to crack down on cyberbullying linked to the unauthorized sharing of a person’s intimate images. While criminalizing the sharing of such images may be a helpful addition to the Criminal Code for certain kinds of cases, doing so doesn’t address the broader challenges linked to cyberstalking and cyberbullying. Addressing these challenges requires something else – though I don’t know what – that meaningfully responds to the societal issues associated with online stalking and bullying in a more holistic manner, a manner that frees people from the persistent fear of being a victim despite going to either law enforcement or removing the stalking-ware.

Categories
Writing

We Need Clarity on ‘National Security’ Rules for Telecommunications

The story of Blackberry has gripped many technology watchers, watchers who are bearing witness to the trials and tributations of the company as it struggles to compete in the increasingly populated smartphone market. To some, it seemed that one way ‘out’ for Blackberry was for the company to be purchased by another firm looking to aggressively enter this market. Based on recent reporting by the Globe and Mail, however, it looks like any hopes that Blackberry might be purchased could be scuttled for ‘national security’ reasons.

Specifically, Steven Chase and Boyd Erman write that,

Ottawa made it clear in high-level discussions with BlackBerry that it would not approve a Chinese company buying a company deeply tied into Canada’s telecom infrastructure, sources said. The government made its position known over the last one to two months. Because Ottawa made it clear such a transaction would not fly, it never formally received a proposal from BlackBerry that envisioned Lenovo acquiring a stake, sources said.

on Monday the Canadian official took pains to emphasize that concerns about BlackBerry are not part of a trend to shut out Chinese investment. “This is a company that has built its reputation and built its success on system security and its infrastructure. That’s one of the reasons businesses use BlackBerries. … The security is robust and we’d obviously have an interest in making sure we didn’t do anything or allow anything that would compromise Last fall, citing a rarely used national-security protocol, Ottawa has sent a signal to Chinese telecom equipment giant Huawei Technologies that it would block the firm from bidding to build the Canadian government’s latest telecommunications and e-mail network. Huawei, founded by a former People’s Liberation Army member, has on numerous occasions found itself having to reject claims its equipment could be used to enable spying.

In October. 2012, a senior spokesman for Prime Minister Stephen Harper publicly hinted Huawei would be left out the cold. “I’ll leave it to you if you think that Huawei should be a part of [the] Canadian government security system,” Mr. MacDougall said.

I’m particularly mindful of the possible security issues that may be linked to letting foreign-located businesses playing significant roles in Canadian telecommunications networks. But, at the same time, the present Canadian government seems to be applying ‘national security considerations’ in a manner that prevents market analysts and watchers from clearly assessing when such considerations might be applied.

Without clear criteria, what are the conditions under which a non-Canadian company could purchase Blackberry? Could a well-financed American company buy it, based on what we’ve learned about NSA surveillance? Could a company that was known to comply with foreign governments’ lawful interception requirements buy Blackberry, given that such requirements could have a global reach? Could Blackberry be purchased by companies that operate in countries that, if their governments had access to Blackberry communications, could gain an edge in international diplomatic engagements with Canada or its closest international partners?

I don’t dispute that national security may sometimes demand terminating business deals that would violate the national interest. However, given that incredibly large investments are being killed by the federal government of Canada it is imperative that the government make clear what ‘national security’ interests are at play, and the security models that motivate terminating such deals. To date, neither the interests nor models are particularly clear. As a result, analysts are forced to read the outcome of federal decisions without the benefit of understanding the full rationale of what went into them in the first place. The result has been to make it incredibly uncertain whether foreign businesses will be legally permitted to engage in market operations with Canadian companies.

Canadians are all to aware that the current federal government has failed on its promise to provide a digital strategy for the Canadian marketplace. In the absence of such a strategy, perhaps the federal government could at least provide its rules for determining when a business proposal runs counter to national security?

Categories
Links Writing

Did Canadian Oil Companies Get a Tip-Off from CSEC?

The Globe and Mail reports on discussions in the Canadian Senate. Specifically, Liberal Senator Wilfred Moore asked:

“Can the [Senate] leader enlighten this chamber as to what was done with the data obtained by CSEC from the Brazilian Ministry of Mines and Energy?”

Alleging that CSEC’s “cyberhacking” was intended to probe Brazil’s claims about discovering billions of barrels of oil in a new offshore-field find, Mr. Moore noted that no Canadian or U.S. corporations have joined the bidding for drilling rights in an auction that was held earlier this week in Brazil.

This is an incendiary question. If it turns out that Canadian companies didn’t bid because CSEC found Petrobras has overestimated the oil reserves in the Libra field, or if CSEC found that it was going to be harder to extract the oil that stated by the Brazilian government, then it’s a very, very big deal on the basis that the Canadian government (and extension of the department of national defence) would then be engaging in espionage on the behalf of Canadian companies.

Categories
Links Writing

NSA Revelations Kill IBM Hardware Sales in China

For several months there have been warnings that the NSA revelations will seriously upset American technology companies’ bottom lines. Though not directly implicated in any of the leaks thus far it appears that IBM’s Chinese growth predictions have just been fed through a wood chipper. From Zerohedge:

In mid-August, an anonymous source told the Shanghai Securities News, a branch of the state-owned Xinhua News Agency, which reports directly to the Propaganda and Public Information Departments of the Communist Party, that IBM, along with Oracle and EMC, have become targets of the Ministry of Public Security and the cabinet-level Development Research Centre due to the Snowden revelations.

“At present, thanks to their technological superiority, many of our core information technology systems are basically dominated by foreign hardware and software firms, but the Prism scandal implies security problems,” the source said, according to Reuters. So the government would launch an investigation into these security problems, the source said.

Absolute stonewalling ensued. IBM told Reuters that it was unable to comment. Oracle and EMC weren’t available for comment. The Ministry of Public Security refused to comment. The Development Research Centre knew nothing of any such investigation. The Ministry of Industry and Information Technology “could not confirm anything because of the matter’s sensitivity.”

This is the first quantitative indication of the price Corporate America has to pay for gorging at the big trough of the US Intelligence Community, and particularly the NSA with its endlessly ballooning budget. For once, there is a price to be paid, if only temporarily, for helping build a perfect, seamless, borderless surveillance society. The companies will deny it. At the same time, they’ll be looking for solutions. China, Russia, and Brazil are too important to just get kicked out of – and other countries might follow suit.

Now, IBM et al. aren’t necessarily purely victim to the NSA’s massive surveillance practices: there likely are legitimate domestic market changes that are also affecting the ability of Western companies to sell product in China and other Asian-Pacific countries. But still, that NSA can be used to justify retreats from Western products indicates how even companies not clearly and directly implicated in the scandals stand to lose. One has to wonder whether the economic losses that will be incurred following the NSA revelations are equal to, or exceed, any economic gains linked to the spying.

Categories
Writing

How Not To Defend Your Signals Intelligence Agency

Many Canadians, at this point, will have heard that our foreign signals intelligence agency has reportedly been spying in Brasil. Specifically, the Communications Security Establishment Canada (CSEC) has been accused of using “email and phone metadata to map internal communications within Brazil’s Mines and Energy Ministry through a software program called Olympia.” This has created quite a stir and forced the federal government of Canada to defend itself, and CSEC’s actions.

However, at a technology conference the head of CSEC tried to pacify Canadians by stating that there was already appropriate oversight of the agency’s actions. Referring to the independent commissioner overseeing CSEC, John Foster said, the commissioner “and his office have full access to every record, every system and every staff member to ensure that we follow Canadian laws and respect Canadians’ privacy.”

Foster is playing a game with Canadians. And it’s not a very good one. Given the CSEC reputedly engages in more ‘transactions’ each day than all of the banks in Canada combined, and given the relative size of the commissioner’s staff (usually a dozen or less) compared to CSEC’s staff (roughly 2,000), and the blurriness of the law guiding CSEC’s actions, I really can’t imagine how Canadians could possibly be reassured from Foster’s statements. No, what is clear is that rather than wanting to have a meaningful discussion – perhaps acknowledging deficiencies in oversight, the need to mediate CSEC’s actions so they align with Canada’s foreign policy positions, or something along those lines – he has purely said that Canadians should be satisfied with how things are today.

If Mr. Foster wants to be taken seriously then perhaps as a first, very small, bit of ‘goodwill’ he will disclose how exactly CSEC respects Canadians’ privacy: information on how this is ensured was redacted in documents from CSEC (see page 23). Providing the plaintext would be one first, good, step towards actually – instead of rhetorically – assuaging concerns Canadians might have over how signals intelligence is conducted in Canada.

Categories
Links Writing

Secret Courts, Secret Evidence, and American Justice

Techdirt has recently covered a just shameful decision out of the US. The case involved an alleged domestic terror suspect who the FBI helped in every way to plan a bombing in Chicago. From the article:

Daoud’s lawyers made a much more thorough request for the evidence obtained via the FAA. As they note, there may be significant problems with the FISA information, including, but not limited to the FISA application for electronic surveillance may fail to establish probable cause that Dauoud was “an agent of a foreign power.” As they note, he was an American citizen and school student in suburban Chicago. They also suggest the FISA application may have contained material falsehoods or omissions and might violate the 4th Amendment. The surveillance also may have violated the FISA law. There are many other reasons they bring up as well.

The Justice Department (of course) argued that it shouldn’t have to hand over any of this info, in part because it’s classified and in part because they’re not going to use that evidence against Daoud.

Unfortunately, the court wasted little time in agreeing with the feds that they don’t need to turn over the evidence collected under FISA.

Just to be clear, this means that a secret court approved the secret surveillance of a domestically situated American citizen, and then refused to disclose the collected evidence. The American defendant, then, cannot know the totality of evidence that the state collected. This evidence might have played a key role in subsequent investigative efforts and, as a result, may have ‘poisoned’ the subsequent evidence.

Of course, we seemingly won’t ever know if such a poisoning theorem is true or not. All we’ll know is that American courts permit the state to engage in secret surveillance without disclosing what was collected to defence attorneys. And declare all subsequent proceedings as a ‘fair’ trial environment.

Categories
Links Writing

BBM as a Microsoft Product?

Dan Froomer has an interesting 20/20 piece in which he asks what would have happened if Microsoft bought Blackberry in 2009. While he points to the potential of combining Z10 hardware with Windows Phone software, plus the 2009-value of Blackberry’s enterprise market, those claims aren’t his most ambitious. No, the pie-in-the-sky claim, emphasized below, is:

a Microsoft-BlackBerry tie-up in 2009 could have been good! Just as Microsoft was starting to put together a really solid software platform in Windows Phone 7, BlackBerry needed a grownup OS. Plus the obvious overlap in enterprise, RIM’s worldwide distribution, and even a budding mobile social network in BBM. There’s a possibility that it could have been a good combination.

Now, while BBM may have had up to 25 million subscribers in 2009 I simply cannot imagine Microsoft deciding to toss Windows Live Messenger with its 500 million+ users for BBM. My perspective is that things like BBM go to die in companies like Microsoft. Regardless of whether there were actual synergies between Blackberry and Microsoft in 2007 – and whether they could have been realized by Microsoft – BBM almost certainly wasn’t one of them.

Categories
Links Quotations Writing

2013.8.23

Neither the GCSB nor a spokesperson for the Embassy of New Zealand in the United States immediately responded to Ars’ request for comment. In June 2013, New Zealand Prime Minister John Key evaded answering whether the GCSB uses or has access to the NSA’s PRISM system.

“I can’t tell you how the United States gather all of their information, what techniques they use, I just simply don’t know,” Key told TV3’s Firstline. “But if the question is do we use the United States or one of our other partners to circumvent New Zealand law then the answer is categorically no. We do exchange—and it’s well known—information with our partners. We do do that. How they gather that information and whether they use techniques or systems like PRISM, I can’t comment on that.”

Cyrus Farivar, “New Zealand appears to have used NSA spy network to target Kim Dotcom”

What’s often missing from reporting about whether intelligence agencies are asking five eyes partners to monitor the agencies’ own citizens is this: rarely would a formal request for such monitoring services be required.

You see, folks in the intelligence and security agencies train with one another. They go to international courses together, just like any other group of professionals. And, as anyone who attends professional events knows, informal networks of information sharing arise. In the context of NSA/CSEC/ASIO/GCHQ/etc this can take the form of one government official complaining about the inability to conduct domestic surveillance on X group(s) that are regarded as a problem and then – independent of a ‘formal’ request! – other partners just might collect information on X given that a problem for the complaining agency just might turn into a problem for all the five eyes partners.

As an example: when a CSEC or NSA official complains that domestic extremists could be plotting a terror attack, but that neither CSEC or NSA can legally conduct the surveillance, a partner might be motivated to conduct the surveillance because, you know, terrorism. And, to turn the intelligence into something that’s actionable the foreign service could turn the collected information to CSEC/NSA/agency that is domestically located.

The great thing about this approach is no formal request needs to have been made. Is this as efficient as “Hey, can you guys spy on X so we don’t break our national laws?” No. But it does have the effect of generating favours and goodwill between the very professionals who are often in close contact with one another. And it also lets information be shared without the clear violation of domestic laws that forbid most intelligence services from spying on their own citizens.

Categories
Links Writing

Thoughts on the Implications of ‘Secret Surveillance’

In one of Michael Geist’s recent articles on secret surveillance he notes three key issues with the secretive intelligence surveillance actions that are coming to light. Specifically:

First, the element of trust has been severely compromised. Supporters of the current Internet governance model frequently pointed to Internet surveillance and the lack of accountability within countries like China and Russia as evidence of the danger of a UN-led model. With the public now aware of the creation of a massive, secret U.S.-backed Internet surveillance program, the U.S. has ceded the moral high ground on the issue.

This has been a point that academics have warned about for the past decade: when/if it is apparent that the US and other Western governments aren’t ‘fit to govern’ critical Internet infrastructure then foreign states will increasingly agitate to influence network design. Still, while the US government’s mass surveillance systems may accelerate the rate at which governments are ‘interested’ in critical infrastructure design and deployment, this isn’t a novel path or direction: governments throughout the world have been extending their surveillance capacities, often pointing to the US’ previously disclosed behaviours as justifications. The consequence of the recent high-profile articles on NSA surveillance has been to (arguably) ensure that a ‘moral high ground’ cannot be reclaimed; arguably, that ground has actually been lost for quite some time.

Geist continues:

Second, as the scope of the surveillance becomes increasingly clear, many countries are likely to opt for a balkanized Internet in which they do not trust other countries with the security or privacy of their networked communications. This could lead to new laws requiring companies to store their information domestically to counter surveillance of the data as it crosses borders or resides on computer servers located in the U.S. In fact, some may go further by resisting the interoperability of the Internet that we now take for granted.

Again, we’ve been seeing these kinds of law crop up for the past many years. However, the countries that have been engaging in such actions are all (generally) regarded as ‘foreign’ by individuals in North America. So, when Iran, India, China, or other countries have imposed localization laws those nations are seen as ‘rogue’; missing from much of the critique, however, has been how ‘domestic’ governments have sought to contain or delimit the flow of information. Admittedly, most of Canada, the UK, and America lacks ‘data localization’ laws, but all of those jurisdictions do have ‘data limitation’ laws, insofar as some information is blocked at an ISP level. In effect, while a hardware balkanization of the Internet might accelerate, the content balkanization of the Internet has been ongoing for over a decade.

Geist concludes:

Third, some of those same countries may demand similar levels of access to personal information from the Internet giants. This could create a “privacy race to the bottom”, where governments around the world create parallel surveillance programs, ensuring that online privacy and co-operative Internet governance is a thing of the past.

This is an area that will be particularly interesting to watch for. In terms of content localization, there are laws around the world limiting what citizens in various nations can access. While such localization laws were initially seen as heralding the end of the Internet this has not been the case: save for in particularly censorious regimes, local norms have guided what should(n’t) be accessible (e.g. child pornography, nazi symbology and paraphernalia, etc). At issue is that efforts to ‘block’ certain content tends to often not work well, and also tends to reduce efforts to legally punish those responsible for the content in the first place. In effect, the former problem speaks to the limitations of blocking any content effectively and without accidental overreach, and the latter with poor international cooperation between policing agencies to actually act against the producers of obviously nefarious content (e.g. child pornography).

The ability for nations to demand strong data/server/service localization requirements will, I suspect, be predicated on economic size and relative ‘value’ of a nation’s citizens to a particular company. So, if you have a very large multinational, with ‘boots on the ground’ and a large subscriber base in a profitable nation-state, then the multinational may be more likely to comply with localization requirements compared to a similar demand from a small/economically insignificant state in which the company lacks ‘boots’. Moreover, the potential for certain services to no longer be accessible – say, GMail, if Google refused to comply with a given nations’ localization laws – could lead citizens to turn on their own government on the basis that the services are needed for ongoing, daily, commercial or personal activity.

In effect, I think that while Geist’s third point is arguably the most significant, it’s also the one that we’re furthest off from necessarily crossing over to. Admittedly there are some isolated cases of localization requirements now (e.g. India), but the ability to successfully impose such requirements is as much based on the attractiveness of a given market as anything else. So, there could actually be a division between the ‘localization countries’: ones that are ‘big enough’ to commercially demand compliance versus ones that are ‘too small’ to successfully impose their sovereign wills on Internet multinationals. How any such division were to line up, and the political and economic rationales for all involved, will be fascinating to watch, document, and explore in the coming years!