While at Committee, Commissioner Dufresne recognized the value of making explicit the OPC’s oversight role concerning the legislation. He also reaffirmed the importance of requiring any collection, use, or disclosure of personal information to be both necessary and proportionate. Should the Standing Committee decline to adopt this amendment, they were advised to, at a minimum, include a requirement that data only be retained for as long as necessary. Government institutions should also be required to undertake privacy impact assessments and consult with the OPC.
Finally, in cases of cyber incidents that may result in a material breach, his office should be notified; this could entail the OPC being notified by the Communications Security Establishment based on a real risk of significant harm standard. Information sharing agreements should also be put in place that provide minimum privacy safeguards while also strengthening governance and accountability processes.
Should other Canadian jurisdictions propose their own cybersecurity legislation to protect critical infrastructure and regulated bodies it will be interesting to monitor for the consistency in the amendments called for by Canada’s privacy regulators.
When people are at risk, law enforcement agencies can often move quickly to obtain certain information from online service providers. In the United States this can involve issuing Emergency Data Requests (EDRs) absent a court order.[1]
While the full extent of the threat remains unknown, of Verizon’s total 127,000 requests for data in Q2 of 2023, 36,000 were EDRs. And Kodex, a company that is often the intermediary between law enforcement and online providers, found that over the past year it had suspended 4,000 law enforcement users and approximately 30% of EDRs did not pass secondary verification. Taken together this may indicate a concerning cyber policy issue that may seriously endanger affected individuals.
These are just some of the broader policy and cybersecurity challenges that are key to keep in mind, both as new laws are passed and as new cybersecurity requirements are contemplated. It is imperative that lawful government capabilities are not transformed into significant and powerful tools for criminals and adversaries alike.
[1] There are similar kinds of provisions in the Canadian Criminal Code.
Apple has quietly introduced an enhanced security feature in iOS 18.1. If you haven’t authenticated to your device recently — the past few days — the device will automatically revert from the After First Unlock (AFU) state to the Before First Unlock (BFU) state, with the effect of better protecting user information.
Users may experience this new functionality by sometimes needing to enter their credentials prior to unlocking their device if they haven’t used it recently. The effect is that stolen or lost devices will be returned to a higher state of security and impede unauthorized parties from gaining access to the data that users have stored on their devices.
There is a secondary effect, however, insofar as these protections in iOS 18.1 may impede some mobile device forensics practices when automatically returning seized devices to a higher state of security (i.e., BFU) after a few days. This can reduce the volume of user information that is available to state agencies or other parties with the resources to forensically analyze devices.
While this activity may raise concerns that lawful government investigations may be impaired, it is worth recalling that Apple is responsible for protecting devices from around the world. Numerous governments, commercial organizations, and criminal groups are amongst those using mobile device forensics practices, and iOS devices in the hands of a Canadian university student are functionally the same as iOS devices used by Fortune 50 executives. The result is that all users receive an equivalent high level of security, and all data is strongly safeguarded regardless of a user’s economic, political, or socio-cultural situation.
Each week is seemingly accompanied by news of some perimeter security appliance being successfully exploited by adversaries. Sophos has produced a report — covered by Wired — which outlines their 5-year efforts to identify and combat such adversaries. It’s a wild read both in terms of the range of activities undertaken by Sophos and for making clearer to the public the range of intelligence activities that private organizations undertake as part of their cybersecurity operations.
Some of the major revelations, and activities undertaken, by Sophos include:
- A broader group of China-based researchers developed hacking techniques and supplied them to Chinese government APTs.
- Historically the exploitation of Sophos appliances was being carried out using 0-days but, in recent assessments, APTs are using N-days to target end-of-life equipment.
- Sophos included code in one of its hotfixes to obtain additional information from consumer devices and expose more information about adversaries to the company.
- Sophos went so far as to deploy “its own spy implants to the Sophos devices in Chengdu they were testing on—essentially hacking the hackers, albeit only through code added to a few installations of its own products the hackers had obtained.”
- Targets of Chinese APTs were often located throughout Asia, and most recently included “another country’s nuclear energy regulatory agency, then a military facility in the same country and the airport of the country’s capital city, as well as other hacking incidents that targeted Tibetan exiles.”
- Sophos found that the adversaries had built a bootkit which is designed to infect low-level code. The company is asserting this may be the first time a firewall bootkit has ever been seen. They have no intelligence that it has ever been deployed in the wild.
It’s uncommon for the details of how private companies have developed their defensive strategies over a longer period of time to be made public, and so this is helpful for broadening the space for discussion. Sophos’ activities are also significant on the basis that the private company implanted its own systems to develop intelligence concerning its Chinese adversaries.
There has been extensive normative and legal discussion on the risks linked with “hacking back” and Sophos’ actions are another step towards normalizing such behaviour, albeit under the auspices of a company targeting its own equipment. I personally don’t think that Sophos’ defence that they were targeting their own equipment meaningfully isolates the broader implications of their actions. Perimeter appliances are extensively deployed and their decision may both normalize such behaviours broadly by private firms for their own ends and, also, further open the doors to some governments pressuring private firms to deploy implants on behalf of said governments. Neither of these trajectories is likely to end well.
These activities are occurring despite OpenAI’s warnings that Whisper should not be used in high-risk domains.
The article reports that a “machine learning engineer said he initially discovered hallucinations in about half of the over 100 hours of Whisper transcriptions he analyzed. A third developer said he found hallucinations in nearly every one of the 26,000 transcripts he created with Whisper. The problems persist even in well-recorded, short audio samples. A recent study by computer scientists uncovered 187 hallucinations in more than 13,000 clear audio snippets they examined.”
Transcription errors can be very serious. Research by Prof. Koenecke and Prof. Sloane of the University of Virginia found:
… that nearly 40% of the hallucinations were harmful or concerning because the speaker could be misinterpreted or misrepresented.
In an example they uncovered, a speaker said, “He, the boy, was going to, I’m not sure exactly, take the umbrella.”
But the transcription software added: “He took a big piece of a cross, a teeny, small piece … I’m sure he didn’t have a terror knife so he killed a number of people.”
A speaker in another recording described “two other girls and one lady.” Whisper invented extra commentary on race, adding “two other girls and one lady, um, which were Black.”
In a third transcription, Whisper invented a non-existent medication called “hyperactivated antibiotics.”
While, in some cases, voice data is deleted for privacy reasons, this can impede physicians (or other medical personnel) from double-checking the accuracy of transcription. While some errors may be caught easily and quickly, more subtle errors or mistakes may be less likely to be caught.
One area where work still needs to be done is to assess the relative accuracy of the AI scribes versus that of physicians. While there may be errors introduced by automated transcription, what is the error rate of physicians? Also, what is the difference in quality of care between one who is self-transcribing during a meeting vs reviewing transcriptions after the interaction? These are central questions that should play a significant role in assessments of when and how these technologies are deployed.
In 2023, Andrea Bianco wrote a lovely long-form meditation on the difference in practice between excellent smartphone cameras (i.e., iPhone 11 Pro) and excellent compact cameras (i.e., Ricoh GR 2). I appreciated that it wasn’t a “smartphones bad and dedicated cameras good” (or vice versa) kind of assessment. He, instead, considered the utility and capabilities of both classes of cameras. He often noted how phone cameras were best consumed on smaller screens but that their limitations became more apparent when viewed on larger screens.
His post reminded me of some longer-term considerations I’ve had for the past year about the screens on which we assess the images that we make.
Cherry & Polson, Toronto, 2024
Our camera’s screen size, or viewfinder resolution, has an effect on how we compose images. We may try to squeeze in (or exclude) content based on what we can see. However, the screen on which we edit images also affects how we perceive and present the images we have captured.
Editing on smaller screens, such as those used with phones, can lead to presenting images differently than when editing on a larger tablet or computer monitor screen. A figure that is apparent on a 12” or 24” display and is poignant to the photo editing process may functionally be a near-invisible dot on a 6” phone screen.
Eireann Quay & Queens Quay, Toronto, 2024
How we see when editing images, then, will often affect the images which are produced using dedicated cameras by merit of photographers often editing them on larger tablet or laptop screens. By editing on these larger screens we will often make very different editorial or cropping decisions based (in part) on the sheer size of the screen we are reviewing and editing photographs on. The size of the screen (and its quality) affects how we read and interpret our own photographs.
Queen & Bay, Toronto, 2019
The effects of screen size then expand, further, when we consider what screens we use to view other photographers’ work, and correspondingly lead to very different perceptions of work that photographers are digitally displaying. If a photographer edits all their work on a display of 11” or greater, should we not view it with the same size screen to truly read what they are communicating? And, by way of contrast, if a photographer’s photos are all edited on a smartphone then should we view them primarily at the size of a phone? And either way, shouldn’t we view other photographers’ work at peak screen brightness?
Of course we will all use a variety of different screens, of different sizes and luminosity and quality, to look at one another’s work. But because we are both unaware of one another’s editing and viewing defaults it is imperative to think carefully when looking at photographers’ works and ask ourselves: “Do I have the same equipment as they do, to approximate an attempt to see the photograph and scene as they intended for it to be viewed?”
Note: Updated to correctly refer to Andrea’s gender. Apologies!
In a continuing demonstration of the importance of strong and privacy-protective communications, the federal Foreign Interference Commission has created a Signal account to receive confidential information.
Encrypted Messaging
For those who may feel more comfortable providing information to the Commission using encrypted means, they may do so through the Signal – Private Messenger app. Those who already have a Signal account can contact the Commission using our username below. Others will have to first download the app and set up an account before they can communicate with the Commission.
The Commission’s Signal Username is signal_pifi_epie20.24
Signal users can also scan QR Code below for the Commission’s username:
The Commission has put strict measures in place to protect the confidentiality of any information provided through this Signal account.
Not so long ago, the Government of Canada was arguing for an irresponsible encryption policy that included the ability to backdoor end-to-end encryption. It’s hard to overstate the significance of a government body now explicitly adopting Signal.
For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk. The attackers also had access to other tranches of more generic internet traffic, they said.
…
The surveillance systems believed to be at issue are used to cooperate with requests for domestic information related to criminal and national security investigations. Under federal law, telecommunications and broadband companies must allow authorities to intercept electronic information pursuant to a court order. It couldn’t be determined if systems that support foreign intelligence surveillance were also vulnerable in the breach.
Not only is this a major intelligence coup for the adversary in question, but it once more reveals the fundamental difficulties in deliberately establishing lawful access/interception systems in communications infrastructures to support law enforcement and national security investigations while, simultaneously, preventing adversaries from taking advantage of the same deliberately-designed communications vulnerabilities.
While there can be significant efficiencies gained by increasing the amount of data that is accessible by motor vehicles, connecting these computers-on-wheels to the Internet can have notable consequences.
… a group of independent security researchers revealed that they’d found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.
…
“If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car,” says Curry. “If we hadn’t brought this to Kia’s attention, anybody who could query someone’s license plate could essentially stalk them.” For Kias that come installed with a 360-degree camera, that camera, too, was accessible to hackers. Beyond allowing the hijacking of connected features in cars themselves, Curry says, the web portal flaw also allowed hackers to query a broad range of personal information about Kia customers—names, email addresses, phone numbers, home addresses, and even past driving routes in some cases—a potentially massive data leak.
The nature of the vulnerability is particularly concerning:
When the researchers sent commands directly to the API of that website—the interface that allows users to interact with its underlying data—they say they found that there was nothing preventing them from accessing the privileges of a Kia dealer, such as assigning or reassigning control of the vehicles’ features to any customer account they created.
I do have to admit that I appreciate that this started with discovering issues with APIs used by scooters, which led the researchers to become “super interested in trying more ways to make more things honk.”
The democratization of photography means that there are a lot of people who are interested in making images on the streets. However, many are scared of the possible confrontations they may have after taking other people’s images without first getting their permission. There are innumerable videos and essays that offer a lot of tips, but many of the common “tips” just wouldn’t work for me when I was starting out.
By way of background, I’ve been making images in Toronto since 2014 and have used a range of cameras, focal lengths, and so forth. I started out being very hesitant to take people’s images whereas, today, I am pretty comfortable and they are in the majority of the images that I take each week. You can see my most recent images on my Glass profile.
So here are 10 tips that can help you get used to making images on the street based on my own trepidations when I started out.
1. Just Walk Around With Your Camera
When I first purchased my Olympus EM10-II I was really nervous to actually use it in downtown Toronto. What if someone got mad that I was taking their photo?
2015
So my solution at the outset was just to always be carrying my camera to and from work. I had about a 2-3 km walk each way through urban areas and ensured that I had my camera in my hand the whole time.
For me, just always holding the camera in public normalized how it felt to me. It also helped me better appreciate the weight and how it moved in my hand.
2. Don’t Focus on Being “Stealthy”
So many street photography tips focus on being “stealthy”. That can mean using a long lens so that people don’t know you’re taking their photo, to shooting exclusively from waist height, never raising your camera to your eye, and so forth. But when you’re shooting in a stealthy way and someone approaches you, then you’re put in a position of potentially lying to them if you say you weren’t making images.
2016
By being “stealthy” — especially if you’re nervous about confrontation — and getting caught, the potential confrontation may be a lot more emotionally charged. By way of contrast, if you’re not sneaking about and you’re being confronted then the emotions are going to be lower at the outset than if you were caught sneaking a shot of someone.
3. Don’t Focus on the People
If you’re anything like me when I started making images in my downtown core, taking images of people was something I aspired to but wasn’t comfortable with. But I lived in a big urban city and there was always lots to see and make images of…and so I made images of graffiti, of buildings, or of art exhibitions, and so forth. And in all cases the images that I captured were in public with other people around.
2017
Again, the focus (no pun intended) was just to get comfortable using my camera in public. I liked capturing ambient images of the city and its life, but really this was me practicing and just getting used to holding and using my camera in public, with the ultimate ambition of including people in my images.
Bonus Sub-Tip: As part of not focusing on people you can also consider looking for scenes and then waiting for people to just wander through the scene. I often will do this, myself: I’ll find a location, raise my camera to my eye, hold it for a minute or two, and only then start making images. Anyone who comes through the scene knows that I was there first — I wasn’t chasing them to make their image — and if someone asks what I’m doing, I can talk about the scene and what drew me to it. This helps to orient any conversations around specific individuals in your photographs being incidental to the image being taken, as opposed to the individuals being the primary focus of the image itself.
4. Practice With a 50mm or Wider Lens
It’s pretty routine advice to get a prime lens and learn with it, especially when taking images of metropolitan areas. To my mind there are a few good reasons for this approach to learning.
2018
First, just in terms of training, a prime prevents you from certain kinds of indecisiveness. When you’re operating a zoom lens you have to wonder which of the focal lengths are “best” and you don’t necessarily learn to “see” in any particular focal lengths. If you only have a 50mm focal length, by way of comparison, then you quickly learn to “see” in that length. And you can still zoom — it just requires using your feet!
Second, a prime lens helps you determine what kinds of images you are, or are not, looking to make. If you’re using a 50mm lens then very wide street images that you can capture with a 28mm are just not going to be made. And that’s fine — you learn to look for images that align with that particular focal length. By imposing a series of restrictions on how you can make an image you can expand your creativity by just focusing on what that focal length can produce.
2019
Third, using a single prime lens will mean that you’re carrying less weight and you won’t end up carrying a whole pile of kit with you. Which brings us to the next tip…
5. Don’t Trudge Around with More Than 1-2 Lenses
If you’re going to wander around the streets then you will benefit from not carrying too many lenses. I’d recommend only stepping out the door with your one prime lens. Not only does having a few lenses lead to creative ambiguity — is lens 1 or 2 or 3 “right” for this scene? — but it means you have to carry more stuff on your person.
Down But Not Out, 2020
Less weight and fewer focal length options means that you may be out making images longer and with more creative discipline. And by really leaning into 1 or 2 fixed focal lengths you’ll learn a lot about whether you like those focal lengths and, as importantly, how you can use them when making images.[1]
6. Go to Events Where Taking Photographs is Normalized
If there’s a parade, or public art show, or whatever then try to get there and practice taking images of people in those venues. Because it’s a big public event people will tend to be pretty OK with their images being taken. And it will also expose you, a budding photographer, to the challenge of sometimes grabbing a shot in changing light, moving crowds, and so forth.
Joy In Dark Times, 2021
If you’re feeling particularly daring then you might consider walking alongside a parade or protest, and make images of those who are viewing the event. It’s the “one step up” from making images of the participants of parades and events but still pretty comfortable. Most people in crowds are going to be OK with their images being captured and you’ll have walked past anyone who happened to be annoyed at your photographing them before they emerge from the crowds.
7. Go Out a Lot
I try to get onto the streets for a couple hours every weekend. I have a busy full-time job and photography is my hobby, so I don’t worry about not being able to devote an hour or more every day into making images. I’d love to be able to do so but it’s just not my reality.
Fix, Found, 2022
This having been said I am always out each weekend. Every year I make thousands of frames and often keep returning to the same spots year over year over year in the hopes of some scenes finally producing an image that I like. And by going out you both get a sense for how light falls in your environments, how people move in them, as well as how the urban environment changes through the year. The more you can predict about the environment and its inhabitants the more likely it is that you’ll collect images that speak to you.
8. Review Your Work
Figure out a review tempo for your work and then keep to it. There are at least two parts to this.
First, you need to review the images that you’re making on the streets. I tend to do quick reviews when I come back but other folks do so days or weeks later. Whatever your tempo is it’ll be important to look to see what you’re capturing. It’s the only way to really understand how your creative vision is being interpreted using the camera and lens that you’re carrying.
Toronto, 2023
Second, I’d encourage you to do either monthly, quarterly, bi-annual, or annual assessments of the images that you’re taking. Go through and pick out your top 10-20 images and really think about why they’re your favourites. And, also, how would you want them to be improved? What more might you have done?
As you go through more of these reviews also do comparisons to past favourite images — it’s by undertaking this kind of self-assessment or critique that you’ll be able to see whether you are growing or stretching as a photographer, as well as detect themes or commonalities in what you are being attracted towards.
9. Post Some of Your Work Online
Lots of photographers use some kind of online service to post their images. What you use doesn’t really matter. But having a published set of images means that if someone does ask you what you’re doing on the streets, you can quickly direct them to your online work so they can see you’re doing something artistic and genuine.
Cumberland & Bellair, Toronto, 2024
If someone does ask you about what you’re doing just be honest: you’re starting out as a photographer and like capturing urban environments. Maybe the person in question looked interesting. And you can show them a selection of your work which will reveal you are treating photography at least somewhat seriously as opposed to just taking creepy shots of people on the street.[2]
10. Have Fun and Ignore Equipment
Street photography is a fun hobby whether you’re out with a smartphone camera, using a film camera or DSLR, or playing with a mirrorless camera. Don’t worry about having “the right” camera or one that is sufficiently new. Any camera that has been made in the past 10 years is going to be more than enough when you’re in the streets for the first time. Don’t focus on the equipment and, instead, just enjoy the fun that comes from focusing intently on the built environment, light, and the people who pass through the streets.
Princess & Nunavut (CNE), Toronto, 2024
Those are my own 10 tips — what tips would you give a younger version of yourself, today, based on your experiences to date?
[1] If you just want to use the kit lens that came with your camera — likely a zoom lens — then just set it to a single fixed focal length and restrict it in place with some electrical tape.
[2] Of course, if you are just taking creepy shots of people — such as some street photographers who use massive zoom lenses to exclusively take long distance photographs of attractive people — then this will just “out” you and what you’re up to. Don’t be one of those people!