Link

Apple Logs Your iMessage Contacts — and May Share Them With Police

The Intercept:

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “trap and trace devices,” orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

That Apple has to run a lookup to see whether to send a message securely using Messages or insecurely using SMS isn’t surprising. And the 30 day retention period is likely to help iron out bugs associated with operating a global messaging system: when things go wonky (and they do…) engineers need some kind of data to troubleshoot what’s going on.

Importantly, Apple is not logging communications. Nor is it recording if you communicate with someone who is assigned a particular phone number. All that is retained is the lookup itself. So if you ever type in a wrong number that lookup is recorded, regardless of whether you communicate with whomever holds the number.

More troubling is the fact that Apple does not disclose this information when an individual formally requests copies of all their personal information that Apple retains about them. These lookups arguably constitute personal information, and information like IP addresses etc certainly constitute this information under Canadian law.

Apple, along with other tech companies, ought to release their lawful access guides so that users know and understand what information is accessible to authorities and under what terms. It isn’t enough to just disclose how often such requests are received and complied with: customers should be able to evaluate the terms under which Apple asserts it will, or will not, disclose that information in the first place.

Link

National security review tries to tackle needs of law enforcement in digital world | Toronto Star

The Toronto Star:

Lawful access is “a real thorny issue,” said University of Ottawa law professor Craig Forcese, a national security law expert, in an interview with the Star.

“For years I’ve been saying we’ve got to deal with it, and you can’t deal with it without investing people in a discussion, because the best-organized civil liberties organizations in Canada right now are privacy groups,” said Forcese.

“And if you go ahead unilaterally and start tabling stuff in Parliament, you’re going to have a replay of the disaster of the last decade in Parliament where nothing ever got passed, except the cyberbullying bill which didn’t address all the issues.”

Parliament did a lot over the last decade. Including passing lawful access legislation following more than 10 years of public debate that included numerous public consultations (i.e. not just with civil liberties organizations).

That civil liberties groups – which by definition argue hard against infringements of constitutional rights – did their jobs is to be congratulated not smeared.

Link

Feds considering warrantless access to internet subscriber info: police chiefs

Feds considering warrantless access to internet subscriber info: police chiefs:

OTTAWA – A new administrative scheme that would allow police to obtain basic information about Internet subscribers without a warrant is one option being considered by federal officials following a landmark Supreme Court ruling that curbed access to such data, Canadian police chiefs say.

A researcher who has long pressed for more transparency around police access to subscriber data said Monday that law-enforcement agencies have yet to make the case for warrantless access – especially since companies can make information available quickly in a genuine emergency.

“We’re not at a point where it’s clear the police have a legitimate concern,” said Christopher Parsons, a postdoctoral fellow with the Citizen Lab at Toronto’s Munk School of Global Affairs.

In June last year, the Supreme Court ruled police need judicial authorization to obtain subscriber data linked to online activities. The high court rejected the notion the federal privacy law governing companies allowed them to hand over subscriber identities voluntarily.

The court judgment came amid swelling public concern about authorities quietly gaining access to customer information with little evident scrutiny or oversight.

Parsons wants police to release more statistical information about their requests. “They actually have to make the argument with data, so we can have an evidence-based policy discussion.”

He would also like to see civil society groups and others included in the discussions about possible legislative change.

 

Link

Police investigations show even BlackBerry messages can be intercepted

Police investigations show even BlackBerry messages can be intercepted:

Touted as one of the most secure ways to communicate, BlackBerry smartphones have been put in the spotlight after several police investigations said they were able to track criminals who used the device’s encrypted technology.

“It’s a problem in the way that BlackBerry has marketed some of its services to the consumer market,” said Christopher Parsons, a fellow at the University of Toronto’s Citizen Lab, which specializes on how privacy is affected by digital surveillance.

“It’s a very difficult security posture and probably one that most users … don’t fully understand.”

Parsons said many BlackBerry owners assume incorrectly that their smartphones meet the same standards as BlackBerrys used by major corporations and the U.S. government, even though they’re not operating on the same high-level security servers that have come to define the company’s advantage over its competitors.

Link

Cyberbullying law would let police ‘remotely hack into computers, mobile devices, or cars’

Cyberbullying law would let police ‘remotely hack into computers, mobile devices, or cars’:

Experts say police would be able to install viruses, or malware, into the electronics of anyone suspected of a crime, after gaining judicial approval.

“There’s a series of different tactics that they could adopt. They could engage in phishing schemes — deliberately serving infected files to computers — or it could involve sending URLs to people’s emails and when they click it, it infects their computers,” he said, adding that it could also involve installing malicious apps onto Canadians’ smartphones that work as listening devices. Police could even hack into a car’s OnStar to keep tracking of location, and call logs.

While C–13 is intended to target transmission data — call information, IP address, and location data — Mr. Parsons said it’s entirely possible that C–13 could capture basic data from Canadians’ Skype conversations, as well as a vast field of other digital information. “That’s the way that it reads,” he says.

The powers would still be subject to judicial oversight. The warrants are valid for two months for most crimes, but extends that to a year if the crime is terrorism-related, or if the suspect is connected to a criminal organization.

“Compounding that, there’s no reporting required,” Mr. Parsons said. “We won’t know if it’s 10 requests a year, a hundred requests a year, a thousand requests a year, or a million requests a year.”

Mr. Parsons calls it the dawn of Canadian ‘‘Govware.’’ Passing this bill, as is, said Mr. Parsons, “risks introducing significant, and poorly understood, new powers to the Canadian authorities.”

Mr. Fraser and Mr. Parsons raise the practical implication of the procurement process for this sort of software. If Ottawa contracts out the creation of a digital snooping program, it risks legitimizing the creation of malware, said Mr. Parsons, adding that Ottawa should be fighting to improve the security of our electronics, not exploiting their weaknesses.

Another good piece by Justin Ling, who is quickly becoming a key go-to reporter for all federal government issues privacy- and surveillance-related issues.

Link

Stockwell Day calls for changes to cybercrime bill

Stockwell Day calls for changes to cybercrime bill:

This is a unexpected voice, now added to the chorus of experts calling for the lawful access provisions of C-13 to be split from the anti-sexting aspects of the legislation.