Categories
Links

Spies Know What You’re Downloading on Filesharing Sites, New Snowden Docs Show


Where is all this data coming from?

Rather than monitor each file sharing company individually, the documents hint at a “special source” known only by the codename ATOMIC BANJO, which is responsible for the collection of “HTTP metadata” from 102 known file sharing sites (Sendspace, Rapidshare, and the now-defunct Megaupload are the only three identified by name).

“‘Special Source’ typically refers to access to corporate data stores, or corporate data flows, so ISPs or data centers or something like that. Trans-atlantic cables,” said Christopher Parsons, a postdoctoral fellow at the Citizen Lab, which studies surveillance and other digital policy issues within the University of Toronto’s Munk School of Global Affairs. “Access is predicated on either contractual term or a monetary payment or something of that nature. Which is to say that someone or some individuals within the special source organizations are aware of what’s going on.”

As for CSE, a document released by German newspaper Der Spiegel earlier this month describes a “cyber threat detection platform” called EONBLUE. According to the document, EONBLUE had been under development for over eight years as of November 2010—the date the document was published—and is made up of over 200 sensors deployed across the globe using “collection programs including SPECIALSOURCE.”

What makes EONBLUE significant, said Parsons, is that we now know “Canada has sites around the world. And based on previous documents around special source operations, we quite often see large volumes of data being accessed. So it’s possible that EONBLUE is similarly used to access large quantities of data.”

One of EONBLUE’s capabilities is the collection of metadata. It is not clear whether the metadata collected from ATOMIC BANJO is related to the metadata produced by EONBLUE.

“It’s certainly possible, but there’s no definitive evidence, that would indicate a direct correlation,” Parsons said.
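What a sensor on a “special source” link can lift from plaintext HTTP, as an added example that is not part of the article quoted above or of any program it describes. It assumes the flow is HTTP/1.x in the clear; the three-domain watchlist (the sites the article names) and the captured requests are constructed for the example. Over TLS an observer at the same vantage point is left with the server name from the handshake, the endpoint addresses and the transfer sizes.

```python
"""Passive HTTP metadata extraction (added illustration, not code from any
document or program discussed on this page). Shows what a tap on a plaintext
HTTP flow records without ever contacting the file-sharing site. The
watchlist and the captured requests below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpMetadata:
    method: str
    host: str
    target: str               # path plus query string, exactly as requested
    user_agent: str
    content_length: Optional[int]
    has_cookie: bool          # a session cookie ties separate requests to one user


_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request(raw: bytes) -> Optional[HttpMetadata]:
    """Lift the metadata a passive observer sees in one plaintext HTTP/1.x
    request. Returns None for anything else (e.g. the start of a TLS handshake)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    match = _REQUEST_LINE.match(lines[0])
    if not match:
        return None
    method = match.group(1).decode("ascii")
    target = match.group(2).decode("latin-1")

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")

    # Proxy-style requests carry an absolute URL; origin-form requests rely on Host.
    if target.lower().startswith(("http://", "https://")):
        parts = urlsplit(target)
        host = parts.netloc
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    else:
        host = headers.get("host", "")
    host = host.lower().split(":", 1)[0]   # drop an explicit port (hostnames only)

    length = headers.get("content-length")
    return HttpMetadata(
        method=method,
        host=host,
        target=target,
        user_agent=headers.get("user-agent", ""),
        content_length=int(length) if length and length.isdigit() else None,
        has_cookie="cookie" in headers,
    )


def host_in_watchlist(host: str, watchlist: Iterable[str]) -> bool:
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watchlist)


def select_watched(captures: Iterable[bytes], watchlist: Iterable[str]) -> List[HttpMetadata]:
    """Parse every captured request and keep those aimed at a watched site."""
    watchlist = tuple(watchlist)
    hits = []
    for raw in captures:
        md = parse_request(raw)
        if md is not None and host_in_watchlist(md.host, watchlist):
            hits.append(md)
    return hits


# Constructed stand-in watchlist: the three sites the article names.
WATCHLIST = ("sendspace.com", "rapidshare.com", "megaupload.com")

# Constructed captures: a download and an upload to watched sites, one unrelated
# request, and the first bytes of a TLS ClientHello, which yields no HTTP metadata.
SAMPLE_CAPTURES = [
    (b"GET /file/abc123/report.pdf HTTP/1.1\r\n"
     b"Host: www.sendspace.com\r\n"
     b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
     b"Cookie: SID=0123456789abcdef\r\n\r\n"),
    (b"POST /upload HTTP/1.1\r\n"
     b"Host: rapidshare.com\r\n"
     b"User-Agent: curl/7.38.0\r\n"
     b"Content-Length: 1048576\r\n\r\n"
     b"<1 MiB of file body follows on the wire>"),
    b"GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/7.38.0\r\n\r\n",
    b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
]

if __name__ == "__main__":
    for md in select_watched(SAMPLE_CAPTURES, WATCHLIST):
        print(md.method, md.host, md.target, md.user_agent, md.content_length, md.has_cookie)
```

Run as-is, the two requests to watched hosts are kept, with host, path, user agent, transfer size and cookie presence; the request to example.org and the TLS bytes drop out. That is the practical meaning of “HTTP metadata” in the passage above: a tap needs no cooperation from the site to see which file each client fetched or pushed, and a session cookie is enough to group those requests under one user.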


Privacy issues could not be ignored in 2014 (video)

This links to the full video interview I gave to Postmedia about privacy issues in 2014. On the whole I’m actually pretty optimistic about things: we know more than in the past about the extents to which governments engage in surveillance. The organizations and individuals who subsequently act on this knowledge are more capable, today, than they were even two years ago. And the political class is increasingly aware that privacy and transparency issues are becoming more and more important to their constituents.

Now, does this optimism mean that things will necessarily improve dramatically in 2015? Of course not. But momentum continues to build and more and more individuals and organizations are taking privacy issues seriously. And that’s cause for some celebration as far as I’m concerned.


Privacy issues could not be ignored in 2014 (Transcript Summary)



Public and private sector companies vulnerable to Sony-like attacks


Christopher Parsons, the managing director of a telecom transparency project in The Citizen Lab at the University of Toronto, agrees with Tobok; it’s not enough for companies to leave digital security to their designated IT employees or mid-level management.

“It’s an increasingly serious issue; companies not treating it at the top do so at their own peril.”

Bigger security breaches are a reality of a more digitally-literate world, Parsons said.

“If you’re dealing with a well-resourced attacker with lots of time, there’s a reasonable chance they will find some way through.”

That’s why companies also need to invest in a strong remediation strategy in case an attack does occur, he said.

I should be particularly emphatic on one point: the hack of Sony does not constitute ‘cyberwar’. To begin, the very definition of the term is ambiguous at best. Moreover, the attack on a non-critical-systems company cannot be understood as an assault on critical infrastructure systems (e.g. dams, power grids, etc) that could be interpreted as an undeclared war-like action. What has happened to Sony is a corporate tragedy and one for the textbooks on remediation and mitigation strategies. To be clear: this is a lesson for business and security textbooks, not military strategy textbooks.

Claims that the attacks on Sony are some kind of ‘warlike’ behaviour operate on the assumption that we can attribute who is responsible for the attacks. We are unable to so ascribe action at the moment. And until the NSA or the other SIGINT agencies pull stuff from their bags of tricks to more positively establish a link between the attacks on Sony and a specific nation-state threat actor with obvious war-based intentionality, any calls that we are witnessing some kind of ‘cyberwar’ are ill-considered at best, and outright ignorant at worst.

Or, alternately, such calls might constitute efforts on the parts of those with Top Secret/Special Compartmentalized information to raise awareness about some kind of ‘behind the scenes’ action. I strongly doubt those calling the Sony attacks cyberwar have access to such kinds of deeply sensitive operational, and classified, information. But perhaps I’m wrong. And, if I am, I hope they’re leaking with authorization or have particularly terrific counsel to defend them against allegations of leaking classified information.


Canada asks app stores to mandate privacy policies


“Developers are asking for information they have no real business accessing,” said Christopher Parsons, a post-doctoral fellow at the University of Toronto’s Citizen Lab. “If a flashlight app is asking to read your SMS messages, that’s a step too far.”

According to Parsons, many app developers participate in a “grey market” of personal information.

“The value is not in selling apps,” he said. “The value is in collecting information about individuals and then turning around and selling it to third parties.”

Requiring developers to include privacy plans alongside their apps “is a step in the right direction,” Parsons said, but many policies are written in “boilerplate legalese,” meaning even if they’re available, many consumers won’t be able to interpret them.

“What commissioners could do is say that if you’re going to develop a privacy policy… you should be providing a simple, accessible version of what you’re doing,” he said.

However, making privacy policies mandatory could allow agencies like the privacy commissioner’s office to better target companies who violate their own terms of service.

“What it means is that when and if a company says something in its privacy policy that’s not true, there’s an actionable legal case against them,” Parsons said.


Social Media Privacy – Part I


One in three anglophone Canadians say that not a single day goes by without checking into their social media feeds. Use of such applications has increased. On top of that, there is growing concern over how much information is being shared online and who may have access to it. Has the government been doing enough to protect Canadians? Is the social media industry being proactive or reactive? Will government institutions such as CSIS and CSES increase their monitoring of users in light of recent events? We will explore the current situation, what the future holds and what social media users can do to protect their information.

This week’s expert guests are:

  • Christopher Parsons, Postdoctoral Fellow at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto and a Principal at Block G Privacy and Security Consulting
  • Avner Levin, Director of the Privacy and Cyber Crime Institute at Ryerson University, Associate Professor at the Ted Rogers School of Management, and Chair of the Law & Business Department
  • Sharon Polsky, President of the Privacy and Access Council of Canada


Cyber-security in 2014: What we learned from the Heartbleed bug


Parsons warned that the fallout from Heartbleed may not be over for web users.

We still don’t know just how much information was stolen or accessed as a result of the bug. Stolen login credentials and user information are likely to be leaked by hackers, putting users at risk of additional hacks.

The problem is hackers could leak this information at any time.

“If logins and passwords were successfully extracted – and I’m willing to say 99.9 per cent of people haven’t changed all of their passwords – people still could be affected,” he said.

“Always expect at some point, possibly through no fault of your own, you will be compromised,” Parsons warned.

“Then think, ‘What would I do if my personal information was leaked?’ Thinking before these things happen can help you come up with a recovery strategy.”


Should you worry about social media surveillance?



Is Uber’s rider database a sitting duck for hackers?


Imagine for a second that your job is to gather intelligence on government officials in Washington, or financiers in London, or entrepreneurs in San Francisco. Imagine further that there existed a database that collected daily travel information on such people with GPS-quality precision: where they went, when they went there and who else went to those same places at the same times.

Now add that all this location data was not held by a battle-hardened company with tons of lawyers and security experts, such as Google. Instead, this data was held by a start-up that was growing with viral exuberance – and with so few privacy protections that it created a “God View” to display the movements of riders in real-time and at least once projected such information on a screen for entertainment at a company party.

“It’s a huge trove of data that could be used for a whole number of uses,” said Christopher Parsons, a digital privacy expert at Citizen Lab, a research center at the University of Toronto.


Christopher Parsons weighs in on privacy concerns in Canada

A roundup of what I’ve said, to whom, and that was published this month.
