Categories
Links Writing

An Initial Assessment of CLOUD Agreements

The United States has bilateral CLOUD Act agreements with the United Kingdom and Australia, and Canada also continues to negotiate an agreement with the United States.[1] CLOUD agreements are meant to alleviate some of the challenges attributed to the MLAT process, namely that MLATs can be ponderous, with the result that investigators have difficulty obtaining information from communications providers in a manner deemed timely.

Investigators must conform with their domestic legal requirements and, with CLOUD agreements in place, can serve orders directly on bilateral partners’ communications and electronic service providers. Orders cannot target the domestic residents of a targeted country (i.e., the UK government could not target a US resident or person, and vice versa). Demands also cannot interfere with fundamental rights, such as freedom of speech.[2]

A recent report from Lawfare unpacks the November 2024 report that was produced to explain how the UK and USA governments actually used the powers under their bilateral agreement. It shows that, so far, the UK government has used the agreement substantially to facilitate wiretap requests, with the UK issuing,

… 20,142 requests to U.S. service providers under the agreement. Over 99.8 percent of those (20,105) were issued under the Investigatory Powers Act, and were for the most part wiretap orders, and fewer than 0.2 percent were overseas production orders for stored communications data (37).

By way of contrast, the “United States made 63 requests to U.K. providers between Oct. 3, 2022, and Oct. 15, 2024. All but one request was for stored information.” Challenges in getting UK providers to respond to US CLOUD Act requests, and American complaints about this, may cause the UK government to “amend the data protection law to remove any doubt about the legality of honoring CLOUD Act requests.”

It will be interesting to further assess how CLOUD Acts operate, in practice, at a time when there is public analysis of how the USA-Australia agreement has been put into effect.


  1. In Canada, the Canadian Bar Association noted in November 2024 that new enabling legislation may be required, including reforms of privacy legislation to authorize providers’ disclosure of information to American investigators.
  2. Debates continue about whether protections built into these agreements are sufficient.
Categories
Links Writing

American Telecommunication Companies’ Cybersecurity Deficiencies Increasingly Apparent

Five Eyes countries have regularly and routinely sought, and gained, access to foreign telecommunications infrastructures to carry out their operations. The same is true of other well-resourced countries, including China.

Salt Typhoon’s penetration of American telecommunications and email platforms is slowly coming into relief. The New York Times has an article that summarizes what is being publicly disclosed at this point in time:

  • The full list of phone numbers that the Department of Justice had under surveillance in lawful interception systems has been exposed, with the effect of likely undermining American counter-intelligence operations aimed at Chinese operatives
  • Phone calls, unencrypted SMS messages, and email providers have been compromised
  • The FBI has heightened concerns that informants may have been exposed
  • Apple’s services, as well as end-to-end encrypted systems, were not penetrated

American telecommunications networks were penetrated, in part, due to companies relying on decades-old systems and equipment that do not meet modern security requirements. Fixing these deficiencies may require rip-and-replacing some old parts of the network with the effect of creating “painful network outages for consumers.” Some of the targeting of American telecommunications networks is driven by an understanding that American national security defenders have some restrictions on how they can operate on American-based systems.

The weaknesses of telecommunications networks and their associated systems are generally well known. And mobile systems are particularly vulnerable to exploitation as a result of archaic standards and an unwillingness by some carriers to activate the security-centric aspects of 4G and 5G standards.

Some of the Five Eyes, led by Canada, have been developing and deploying defensive sensor networks that are meant to shore up some defences of government and select non-government organizations.[1] But these edge, network, and cloud based sensors can only do so much: telecommunications providers, themselves, need to prioritize ensuring their core networks are protected against the classes of adversaries trying to penetrate them.[2]

At the same time, it is worth recognizing that end-to-end communications continued to be protected even in the face of Salt Typhoon’s actions. This speaks to the urgent need to ensure that these forms of communications security continue to be available to all users. We often read that law enforcement needs select access to such communications and that they can be trusted to not abuse such exceptional access.

Setting aside the vast range of legal, normative, or geopolitical implications of weakening end-to-end encryption, cyber operations like the one perpetrated by Salt Typhoon speak to governments’ collective inabilities to protect their lawful access systems. There’s no reason to believe they’d be any more able to protect exceptional access measures that weakened, or otherwise gained access to, select content of end-to-end encrypted communications.


  1. I have discussed these sensors elsewhere, including in “Unpacking NSICOP’s Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack”. Historical information about these sensors, which were previously referred to under the covernames of CASCADE, EONBLUE, and PHOTONICPRISM, is available at the SIGINT summaries.
  2. We are seeing some governments introducing, and sometimes passing, laws that would foster more robust security requirements. In Canada, Bill C-26 is generally meant to do this though the legislation as introduced raised some serious concerns.
Categories
Links Writing

The Ongoing Problems of Placing Backdoors in Telecommunications Networks

In a cyber incident reminiscent of Operation Aurora,[1] threat actors successfully penetrated American telecommunications companies (and a small number of other countries’ service providers) to gain access to lawful interception systems or associated data. The result was that:

For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk. The attackers also had access to other tranches of more generic internet traffic, they said.

The surveillance systems believed to be at issue are used to cooperate with requests for domestic information related to criminal and national security investigations. Under federal law, telecommunications and broadband companies must allow authorities to intercept electronic information pursuant to a court order. It couldn’t be determined if systems that support foreign intelligence surveillance were also vulnerable in the breach.

Not only is this a major intelligence coup for the adversary in question, but it once more reveals the fundamental difficulties in deliberately establishing lawful access/interception systems in communications infrastructures to support law enforcement and national security investigations while, simultaneously, preventing adversaries from taking advantage of the same deliberately-designed communications vulnerabilities.

Categories
Links

Are internet service providers keeping tabs on your browsing? | Toronto Star

Are internet service providers keeping tabs on your browsing?:

What do your internet service providers know about your internet browsing habits?

Christopher Parsons, from the University of Toronto’s Citizen Lab said the range in the responses to the Star’s questions may have to do with how each company defines the word “logging.”

“I suspect that some companies may be using terms differently,” Parsons said.

As for how long an IP address would be associated with a customer’s account, Bell said that in January they began logging IP addresses for a year in order to comply with the Copyright Act that just came into force.

Rogers said the company doesn’t “maintain a list of past IP addresses for each customer, but in some cases we can manually retrieve them for a period of time (generally not further than a year back).”

Abramson, TekSavvy’s lawyer, said via email the company keeps a log of sessions for the previous 30 days.

 

Categories
Links

Telecoms’ tight lips on customer data use leaves privacy watchdog in the dark

It is beyond disappointing that Canada’s telecoms have decided to treat Canadians’ personal information without even basic regard for Canadian privacy law (which includes being transparent, accountable, and open about how personal information is collected, retained, managed, and disclosed). What’s worse is that most Canadians seem bemused when officers of parliament, academics, reporters, and similarly interested groups try to learn this information, with many Canadians seemingly believing that the telecoms are (effectively) beyond the law and that it’s a fool’s errand to try and bring them into compliance.

Source: Telecoms’ tight lips on customer data use leaves privacy watchdog in the dark

Categories
Links Quotations

U of T steps into Internet privacy conversation

From the editorial board at The Varsity, U of T’s student newspaper.

Categories
Links

Citizen Lab calls for government surveillance oversight

Another article, this time in the UoT student newspaper, about the letters we sent to Canadian ISPs.

Source: Citizen Lab calls for government surveillance oversight

Categories
Links Quotations

Supreme Court Hearings – Matthew David Spencer v. Her Majesty the Queen

Case # 34644 Matthew David Spencer v. Her Majesty the Queen (December 9, 2013) At issue is whether section 8 of the Charter of Rights and Freedoms was violated. The appellant downloaded child pornography from the internet using a peer-to-peer file-sharing software program. The appellant stored child pornography in a shared folder and did not override the default settings that made the folder accessible to others. Since the files were accessible to other users they could therefore be downloaded. A police officer searched the shared folder and discovered the pornographic files. The officer couldn’t identify the owner of the folder but was able to determine that the IP address being used was assigned by Shaw Communications. The police wrote to Shaw and requested information identifying the assignee at the relevant time. Shaw Communications identified the user as the appellant’s sister. The police obtained a warrant and searched her residence, where they seized the appellant’s computer. The appellant was charged with possession of child pornography and making child pornography available.

An interesting case, especially when read against the scholarship that examines the Charter and PIPEDA implications of disclosing subscriber data absent a court order.

Categories
Quotations

2013.7.9

Canadian carriers detect over 125 million attacks per hour on Canadians, comprising 80,000 new zero-day exploits identified every day. The vast majority of attacks are undetectable by traditional security software/hardware.

From “The Canadian Cyber Security Situation in 2011”
Categories
Aside Links

Firm That Tests ISP Meters: ISP Meters Aren’t Accurate

I have this dream of Measurement Canada being forced to regulate ISPs’ mirrors.