Privacy issues could not be ignored in 2014 (Transcript Summary)

Public and private sector companies vulnerable to Sony-like attacks

Christopher Parsons, the managing director of a telecom transparency project in The Citizen Lab at the University of Toronto, said he agrees with Tobok; it’s not enough for companies to leave digital security to their designated IT employees or mid-level management.

“It’s an increasingly serious issue; companies not treating it at the top do so at their own peril.”

Bigger security breaches are a reality of a more digitally-literate world, Parsons said.

“If you’re dealing with a well-resourced attacker with lots of time, there’s a reasonable chance they will find some way through.”

That’s why companies also need to invest in a strong remediation strategy in case an attack does occur, he said.

I should be particularly emphatic on one point: the hack of Sony does not constitute ‘cyberwar’. To begin, the very definition of the term is ambiguous at best. Moreover, the attack on a non-critical-systems company cannot be understood as an assault on critical infrastructure systems (e.g. dams, power grids, etc) that could be interpreted as an undeclared war-like action. What has happened to Sony is a corporate tragedy and one for the textbooks on remediation and mitigation strategies. To be clear: this is a lesson for business and security textbooks, not military strategy textbooks.

Claims that the attacks on Sony are some kind of ‘warlike’ behaviour operate on the assumption that we can attribute who is responsible for the attacks. We are unable to so ascribe action at the moment. And until the NSA or the other SIGINT agencies pull stuff from their bags of tricks to more positively establish a link between the attacks on Sony and a specific nation-state threat actor with obvious war-based intentionality, any calls that we are witnessing some kind of ‘cyberwar’ are ill-considered at best, and outright ignorant at worst.

Or, alternately, such calls might constitute efforts on the parts of those with Top Secret/Special Compartmentalized information to raise awareness about some kind of ‘behind the scenes’ action. I strongly doubt those calling the Sony attacks cyberwar have access to such kinds of deeply sensitive operational, and classified, information. But perhaps I’m wrong. And, if I am, I hope they’re leaking with authorization or have particularly terrific counsel to defend them against allegations of leaking classified information.

Canada asks app stores to mandate privacy policies

“Developers are asking for information they have no real business accessing,” said Christopher Parsons, a post-doctoral fellow at the University of Toronto’s Citizen Lab. “If a flashlight app is asking to read your SMS messages, that’s a step too far.”

According to Parsons, many app developers participate in a “grey market” of personal information.

“The value is not in selling apps,” he said. “The value is in collecting information about individuals and then turning around and selling it to third parties.”

Requiring developers to include privacy plans alongside their apps “is a step in the right direction,” Parsons said, but many policies are written in “boilerplate legalese,” meaning even if they’re available, many consumers won’t be able to interpret them.

“What commissioners could do is say that if you’re going to develop a privacy policy… you should be providing a simple, accessible version of what you’re doing,” he said.

However, making privacy policies mandatory could allow agencies like the privacy commissioner’s office to better target companies who violate their own terms of service.

“What it means is that when and if a company says something in its privacy policy that’s not true, there’s an actionable legal case against them,” Parsons said.

Social Media Privacy – Part I

One in three anglophone Canadians say that not a single day goes by without checking into their social media feeds. Use of such applications has increased. On top of that, there is growing concern over how much information is being shared online and who may have access to it. Has the government been doing enough to protect Canadians? Is the social media industry being proactive or reactive? Will government institutions such as CSIS and CSES increase their monitoring of users in light of recent events? We will explore the current situation, what the future holds and what social media users can do to protect their information.

This week’s expert guests are:

  • Christopher Parsons, Postdoctoral Fellow at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto and a Principal at Block G Privacy and Security Consulting
  • Avner Levin, Director of the Privacy and Cyber Crime Institute at Ryerson University, Associate Professor at the Ted Rogers School of Management, and Chair of the Law & Business Department
  • Sharon Polsky, President of the Privacy and Access Council of Canada

 

Cyber-security in 2014: What we learned from the Heartbleed bug

Parsons warned that the fallout from Heartbleed may not be over for web users.

We still don’t know just how much information was stolen or accessed as a result of the bug. Stolen login credentials and user information are likely to be leaked by hackers, putting users at risk for additional hacks.

The problem is hackers could leak this information at any time.

“If logins and passwords were successfully extracted – and I’m willing to say 99.9 per cent of people haven’t changed all of their passwords – people still could be affected,” he said.

“Always expect at some point, possibly through no fault of your own, you will be compromised,” Parsons warned.

“Then think, ‘What would I do if my personal information was leaked?’ Thinking before these things happen can help you come up with a recovery strategy.”

 

Should you worry about social media surveillance?

Is Uber’s rider database a sitting duck for hackers?

Imagine for a second that your job is to gather intelligence on government officials in Washington, or financiers in London, or entrepreneurs in San Francisco. Imagine further that there existed a database that collected daily travel information on such people with GPS-quality precision – where they went, when they went there and who else went to those same places at the same times.

Now add that all this location data was not held by a battle-hardened company with tons of lawyers and security experts, such as Google. Instead, this data was held by a start-up that was growing with viral exuberance – and with so few privacy protections that it created a “God View” to display the movements of riders in real-time and at least once projected such information on a screen for entertainment at a company party.

“It’s a huge trove of data that could be used for a whole number of uses,” said Christopher Parsons, a digital privacy expert at Citizen Lab, a research center at the University of Toronto.

 

Christopher Parsons weighs in on privacy concerns in Canada

A roundup of what I’ve said, to whom, and that was published this month.

Caught on Camera?

According to Christopher Parsons, a post-doctoral fellow and the managing director of the telecommunications transparency project at the University of Toronto’s Citizen Lab, the broadest applications to date [of facial recognition technologies] involve tranches of official photos maintained by government agencies that issue identification documents, such as passports and driver’s licenses.

In recent years, he adds, facial recognition software has become substantially more sophisticated. The advent of so-called 3-D recognition techniques allows the software to make matches between official posed photos and informal, un-posed ones—e.g., images posted on social media sites. What’s more, these biometric algorithms, which can “learn” to recognize faces based on composites developed from multiple images, are no longer restricted to government security. Facebook has a facial recognition app, and at least two developers have built apps for Google Glass that purport to be able to run facial images through picture databases from dating sites or sex offender registries, Forbes reported earlier this year.

To date, this kind of cross-referencing hasn’t produced great results, says Parsons, although he adds that the latest generation “is better than it used to be.”

And in Canada? Police in Vancouver successfully used facial recognition technology to identify looters during the Stanley Cup riot in 2011, drawing from videos submitted by bystanders as well as CCTV images. The technology was also deployed during the G8/G20 in Toronto. But Parsons points out that to date, there’s not enough data on general law enforcement applications to determine whether this sort of facial recognition is effective.

 

Alberta Primetime – Increased surveillance powers in Canada
