Categories
Links

Uber’s ‘God View’ Was Once Available to Drivers

I reached out to Chris Parsons, a cybersurveillance researcher at the University of Toronto’s Citizen Lab, to discuss Uber’s God View and the ramifications for users.

“Uber understandably has infrastructure in place to monitor where its drivers are and a business case can be made for some degree of monitoring of how, and how often, their clients use the service,” he said. “However, such data must be carefully controlled with strict security, privacy, and access safeguards. At this point it doesn’t appear that such have been stringently developed or applied.”

“We know that national security and intelligence agencies are deeply interested in where people travel to, and in understanding the movement patterns of individuals regardless of their being identified as ‘targets’ of government surveillance,” Parsons continued. “And Uber’s seeming failure to secure its data—to the point where developers have already found ways of querying the data by reverse-engineering Uber’s mobile client software—would suggest that an intelligence or security service that was sufficiently motivated could do the same.”

“There’s no evidence that such a security or intelligence service has ‘cracked’ Uber but past Snowden revelations have revealed that the NSA and its partners are voracious collectors of all kinds of tracking data,” Parsons concluded. “There’s no reason why these agencies wouldn’t be as interested in Uber’s data as other services’ data that could identify where, and how often, people travel around their cities and around the world.”

New Documents Show Thousands of Unreported Wiretaps by Canadian Cops

Christopher Parsons, a postdoctoral fellow with The Citizen Lab at the University of Toronto’s Munk School of Global Affairs, called the finding a missing link in our understanding of the scope of electronic surveillance in Canada.

“Wiretap data is, in theory, being recorded. But subscriber data and CDR data—neither of those have to be recorded under government statute,” Parsons explained. “There’s nothing in the legislation that will require agencies to record how often they got those court orders.”

Microsoft, BlackBerry and Cogeco, who were also present at the meeting between Public Safety and industry stakeholders, did not respond to a request for comment.

“I think what’s most telling is it seems that the parties that have the best records of anyone in Canada is corporate Canada,” Parsons said. “These are the people who are being forced to use their resources to provide assistance to law enforcement, and law enforcement can’t even be bothered to record and disclose themselves how often this is going on.”

Drupal in the Age of Surveillance

“Contemporary websites have almost innumerable places where information can be entered, logged, and accessed, by either the first party or third parties.”

That’s the frank assessment of Chris Parsons, a postdoctoral fellow at The Citizen Lab at the University of Toronto’s Munk School of Global Affairs. Parsons’ current research focus is on state access to telecommunications data, through both overt mechanisms and signals intelligence – covert surveillance.

Parsons recommends an approach to user data protection called threat modeling. “So who are you concerned about, what do you believe your ethical duties of care are, and then how do you both defend against your perceived attackers and apply your duty of care?”

Parsons suggests, “The first step is really just information inventory: what’s collected, why, where’s it going, for how long.”

For Parsons, having strong protections for user data is critical, and not merely from a privacy perspective. Rather, privacy protection is just sound business practice. Imagine this scenario, he suggests: “One of your core databases with customer information gets compromised.” Then, “If you have an auditor that comes in, or if you have the press pounding on your door, you don’t want to be telling either of those parties, ‘Yeah, that’s a good question. I don’t know where any of our data is. We don’t know what we lost.’”

Parsons is more pragmatic, acknowledging that when it comes to analytics the battle has already been lost, if it even happened at all. Still, he points to the practical advantages of maintaining your own statistics. “I often avoid using Google Analytics, in part because more and more people are blocking Doubleclick [and other Google] cookies.” Instead, Parsons opts for self-hosted solutions because, “I find that the truth that comes through them can be more useful.”

Parsons similarly recommends a tool called Social Share Privacy, which has an associated Drupal module. Like Mytube, Social Share Privacy communicates with the third party website only if a user first clicks a link. Parsons comments, “If your content is really great – and most people hope it is – I don’t think that one extra click is going to doom the ability to share [it].”

Burdett explains that while standard encryption uses a single key that’s used across a server, there is a newer method called forward secrecy: “[It] means that a unique key is generated for each HTTPS session.” If you run an e-commerce bookshop and receive a law enforcement subpoena relating to a particular customer, Parsons says, “You as a bookshop seller do not want to be in a situation where you’re disclosing the decryption key for every person – or every IP address, rather – that has looked at your website and what books they’ve looked at.” Forward secrecy ensures there is no single key that decrypts all users’ communications.

For Parsons, once you’ve completed your information inventory and determined what you’re gathering – and how and why – a key next step is writing a detailed and appropriate privacy policy.

“You can usually tell it’s a bad privacy policy,” Parsons says, “as soon as you get stuff like, ‘In the provision of this service, we may provide information to third parties.’ Whereas you, as the site owner, know damn well that you’re using Google Analytics, you’re using Twitter, you’re using Facebook.”

A privacy policy is also a good place to point people to ways they can opt out. “I personally like seeing links or notices about ‘this is how you can avoid this if you want,’” Parsons says. “So you link someone out to Ghostery (a browser plugin used to block tracking software), or whatever you want to link them out to.”

As well as being specific, a privacy policy should be readable. Parsons notes, “You go and read the ‘disclosures’ that people make – their terms of service, their privacy policies – and you get this horrible language. No human in their right mind would ever know what was going on. And indeed, when I spoke with some businesses, they don’t know where that data is going.”

To Parsons, protecting user information should be anything but an afterthought. “Certainly, if there’s any sort of commercial or business interest involved, I think this just flows out of the business plan that you’ve probably developed.”

Picking out a face in the crowd: Toronto police considering facial recognition technology

But for all its abilities, privacy advocates caution that the technology raises big questions about surveillance, and has potential implications for members of the public who aren’t suspects of a crime.

In cases like these, the technology has clear advantages, says privacy expert Christopher Parsons, a fellow at the Munk School of Global Affairs at the University of Toronto.

“Serious crimes — rapes, murders, manslaughter — these are the kinds of crimes that must be brought to justice,” he says. “But for other crimes, lesser crimes, maybe those aren’t the situations where we [should] use these really efficient, high-tech systems.” The risk, he says, is that “it starts … criminalizing a large portion of the population.”

Police aren’t the only organizations to employ this type of technology. Some department stores and retail chains also use it to catch repeat shoplifters. But Parsons points out there is a difference between private individuals capturing images and the police.

“[Private individuals] don’t have the power to arrest,” he says.

The Canadian Government Wants to Pay More People to Creep Your Facebook

But government social media monitoring could very easily cross over into a legal gray area. Christopher Parsons, a cybersurveillance researcher at the University of Toronto’s Citizen Lab, said the collection of personal data from online sources needs to be rigorously justified, and even when it is, the data needs to be handled and stored safely.

“The government can’t just collect information about Canadians—even from publicly sourced data repositories such as social media—just because it wants to,” said Parsons in an email to me. “There have to be terms set on the collection, handling, disclosure, and disposal of personal information that the government wants to gather. As a result, even when data is collected for legitimate reasons that doesn’t mean the data can then be used in any way that the government (subsequently) decides.”

Strict oversight of how the government gleans and uses this intelligence—even in the service of testing policy reactions, as Parsons thinks this service will likely do—is required.

According to Parsons, that comes in the form of internal “privacy impact assessments” related to the specific social media surveillance program.

“Government agencies are supposed to conduct such assessments before collecting Canadians’ personal information and explain the specifics of how and why they will collect Canadians’ personal data,” said Parsons.

In the medium term, it appears Canadians can count on more of their tweets to be sucked up into a government social media surveillance system—then potentially shared across government departments.

Parsons told me that the sharing of the personal data of Canadians, in general, is only becoming more pervasive across government agencies.

“There has been a marked increase in the sharing of personal data between and across different departments because information is initially being collected for vague or far-sweeping reasons. Were social media information collected for similarly vague reasons, then the government could try to expansively share collected information across government,” he said.

Never let the facts get in the way of a good Cronkite moment

Lost in all the boosterism and talk of 9/11, solidarity and resolve was another inconvenient fact: A lot of the so-called ‘iron-clad’ reporting about what allegedly took place last Wednesday has turned out to be crap.

We were told that there were two or more shooters. Wrong. We were told that Wednesday’s shooting was likely “linked” to the hit and run death of Warrant Officer Patrice Vincent in St-Jean-sur-Richelieu, Quebec and hence that some sort of wider conspiracy was afoot. Wrong. We were told that shooter Michael Zehaf-Bibeau was on a high-risk travel list. Wrong. We were told that Zehaf-Bibeau wanted to travel to Syria. Wrong. (He hoped to go to Saudi Arabia – one of Canada’s best buddies in the Middle East.) We were told that the 90-odd individuals supposedly on a CSIS “watch” list were being “rounded up” by authorities. Wrong.

Even the “hero” Sergeant-at-Arms “story” is collapsing. Reportedly, Zehaf-Bibeau was shot at least a dozen times and possibly dead before Kevin Vickers fired his gun.

Mississauga man pleads guilty in international Xbox hacking ring | Toronto Star

Prosecutors said the small group of gaming enthusiasts called itself the Xbox Underground.

“These were extremely sophisticated hackers. Don’t be fooled by their ages,” Assistant U.S. Attorney Ed McAndrew said after Tuesday’s court hearing. McAndrew told reporters the other members of the group looked to Pokora as a leader.

Chris Parsons, a post-doctoral fellow at the University of Toronto’s Citizen Lab and expert in Internet security, told the Star the technique used by the group, known as “SQL injection,” is one of the most common attacks used.

“I’m not saying that these individuals are more or less sophisticated, but you really do not have to be terribly clever to run SQL injections,” said Parsons, who has no involvement in the case.

The technique at its simplest involves tricking a database used by the organization into thinking that the hacker has the power to run administrator-level commands.

Parsons says the value of intellectual property and material like the group was after is difficult to gauge. He said they could sell it, or trade it online.

“Certainly some information would be more valuable than others. There might be a large variation for how much you might pay for a prototype Xbox One, versus information about how the U.S. military trains its Apache helicopter pilots,” said Parsons. “It would vary substantially in terms of what the information is and the completeness of it.”

There’s no indication in the court documents that the group attempted to sell military information.

Mapping The Canadian Government’s Telecommunications Surveillance

What:

Canadian federal government agencies, like many government agencies around the world, often request user data from telecommunications agencies for the purpose of surveillance. With few regulations in place that force governments or corporations to explain how Canadians’ telecommunications information is accessed or processed, the Citizen Lab, along with its partners, worked over the course of a year to compile and disseminate lawfully accessible data that showed how often, for what reasons, and on what legal grounds telecommunications companies in Canada provided their subscribers’ data to state agencies.

The Electronic Frontier Foundation has a series of Counter-Surveillance Success Stories and my work over the past year’s been recognized in the stories. It’s really exceptional the excellent work that people are doing all around the world – you should check them all out!

Canada’s Cyberspy Agency, CSEC, Hijacks Computers Worldwide to Build Their Spynet

One key part of the HACIENDA infrastructure, however, is a Canadian program called LANDMARK, which looks for “ORBS” (Operational Relay Box) that were recently defined by Colin Freeze in the Globe and Mail as “computers [the Five Eyes spy agencies] compromise in third-party countries.” I spoke to Chris Parsons from the Citizen Lab, who explained that these ORBs are quite possibly the property of innocent citizens, and not exclusively intelligence targets:

“CSEC seemingly regards unsecured devices (their ‘ORBs’) as valid intelligence targets in order to launch deniable attacks and reconnaissance practices. We don’t know whether there is some effort to ascertain civilian vs non-civilian intermediary computers to take over, but the slides suggest that civilians and their equipment can be targeted.”

“CSEC operates using the same techniques as organized crime and foreign intelligence services… CSEC uses these techniques for nation-state aims; similar reconnaissance techniques are used by criminals, academics, and interested internet sleuths. The tools of reconnaissance and offence are depressingly affordable, whereas secure code is expensive and hard to come by.”

Poor record of fed requests to telecom companies for Canadians’ data

Many law-enforcement agencies do not track requests for private information, making the system vulnerable to abuse

“Many departments say they don’t have the information and say they don’t keep track of these things,” said NDP MP Charmaine Borg, whose questions led to the release of response documents. “… And if that is the case, that brings up to me a huge problem. How are we supposed to ensure there are no abuses, and that government agencies are making these requests within very extreme circumstances, when they don’t even keep track of when they’re making them?”

Christopher Parsons, a postdoctoral fellow at the Citizen Lab of the University of Toronto’s Munk School of Global Affairs, said non-federal agencies, such as police forces, are also seeking data. “Even if we got good numbers from all the federal government, there is a huge, huge part of the surveillance iceberg that’s yet to be seen,” he said.

It’s important to keep in mind that much of the attention concerning government surveillance has been about how federal agencies access telecommunications data, and how proposed lawful access legislation would extend and expand such access. While this attention is deserved there is an entirely different set of actors that have yet to be examined in any sustained way: provincial agencies and municipal organizations.