Canada’s Cyberspy Agency, CSEC, Hijacks Computers Worldwide to Build Their Spynet

One key part of the HACIENDA infrastructure, however, is a Canadian program called LANDMARK, which looks for “ORBS” (Operational Relay Box) that were recently defined by Colin Freeze in the Globe and Mail as “computers [the Five Eyes spy agencies] compromise in third-party countries.” I spoke to Chris Parsons from the Citizen Lab, who explained that these ORBs are quite possibly the property of innocent citizens, and not exclusively intelligence targets:

“CSEC seemingly regards unsecured devices (their ‘ORBs’) as valid intelligence targets in order to launch deniable attacks and reconnaissance practices. We don’t know whether there is some effort to ascertain civilian vs non-civilian intermediary computers to take over, but the slides suggest that civilians and their equipment can be targeted.”

“CSEC operates using the same techniques as organized crime and foreign intelligence services… CSEC uses these techniques for nation-state aims, similar reconnaissance techniques are used by criminals, academics, and interested internet sleuths. The tools of reconnaissance and offence are depressingly affordable, whereas secure code is expensive and hard to come by.”

Poor record of fed requests to telecom companies for Canadians’ data

Many law-enforcement agencies do not track requests for private information, making the system vulnerable to abuse

“Many departments say they don’t have the information and say they don’t keep track of these things,” said NDP MP Charmaine Borg, whose questions led to the release of response documents. “… And if that is the case, that brings up to me a huge problem. How are we supposed to ensure there are no abuses, and that government agencies are making these requests within very extreme circumstances, when they don’t even keep track of when they’re making them?”

Christopher Parsons, a postdoctoral fellow at the Citizen Lab of the University of Toronto’s Munk School of Global Affairs, said non-federal agencies, such as police forces, are also seeking data. “Even if we got good numbers from all the federal government, there is a huge, huge part of the surveillance iceberg that’s yet to be seen,” he said.

It’s important to keep in mind that much of the attention concerning government surveillance has been about how federal agencies access telecommunications data, and how proposed lawful access legislation would extend and expand such access. While this attention is deserved, there is an entirely different set of actors that have yet to be examined in any sustained way: provincial agencies and municipal organizations.

Canadian ISPs Won’t Tell You Much About Your Own Data

Ever wondered how long your telecom provider retains your user data? Or if law enforcement has requested your records?

This “Access My Info” tool was launched in June, and now, responses have started to trickle back in.

“We’re starting to be able to compare and contrast some of the larger company’s responses,” Parsons said.

Using either Parsons’ form letter, or the AMI tool, subscribers can request that their telecom providers clarify the types of data they collect, tell them how long they retain such data, provide copies of relevant records, and whether their information has been disclosed to law enforcement or government agencies. But perhaps unsurprisingly, policies and practices tend to differ from one provider to the next.

“I think that the letters from TekSavvy are comprehensive. They’re not trying to play games,” Parsons said, referring to the responses sent out by one of Canada’s smaller internet service providers. “They’re actually taking seriously the questions that individuals are making and not trying to blow them off. That stands in variance with, I would say, almost every other member of the industry.”

Parsons said that in other responses, “the detail that is present, or is more often the case, absent, is really quite breathtaking. The only thing I have from Bell is a one page sheet that’s almost worse than useless. It almost doesn’t respond to the customer’s question.”

Parsons told me that discerning how long certain types of data are retained has proven particularly hard, for example.

“Retention schedules matter. How long you store data should not be a top secret corporate secret, because it’s about citizens,” said Parsons. “Here we’re talking about basic, basic, basic privacy information. How long do you store information about me? None of these companies aside from TekSavvy have tried to comprehensively respond to that question.”

This is a detailed piece by Matt Braga, and one that I’d highly recommend if you’re interested in what the Telecom Transparency Project has (and hasn’t) learned about Canadian telecommunications companies’ data retention schedules.

Telus joins transparency push by sharing demands for customer info

TELUS is to be congratulated for following through on their promise to release a transparency report, as well as for committing to publishing future reports. At this point, two of the largest telecoms in Canada (Rogers and TELUS) along with a leading independent telecom (TekSavvy) have released transparency reports: where are Bell and all the smaller companies?

Canada Spies on Israel’s Enemies

A new report in The Intercept revealed that CSEC, Canada’s NSA, spies on Israel’s enemies. But what does that entail? And is it within CSEC’s mandate to do so?

I reached out to Chris Parsons, a prominent cybersecurity and surveillance researcher from Toronto’s Citizen Lab, to discuss CSEC’s role in Israel’s military offensives. He told me there are “at least two ways” that CSEC would be involved in helping out Israel. One of which would be to provide INSU with a tracking program, or specific databases, to help spy on targets and persons of interest, which would have been developed by CSEC. As we learned from the free airport WiFi presentation, which was more about tracking targets as they log into various WiFi access points around the world than it was about surveilling airport travelers in particular, CSEC does have these capabilities in their wheelhouse.

Parsons went on to say that CSEC could also assist Israel by “providing some sort of expertise with how to use databases that are shared out to the Israeli intelligence community.” Simply put, Canada may be giving the Israelis tech support for the spying systems we’re giving them. In terms of whether or not this kind of assistance is within CSEC’s mandate, Parsons told me: “As you’re aware, the Canadian government has identified Hamas as a terrorist organization and as such, it would make sense for CSEC to be engaged in the monitoring of their locations and their electronic systems that Hamas is believed to be using. So in that sense, it should fit within CSEC’s mandated intelligence-gathering.”

But even with Hamas on a designated terror list, the complexities surrounding our Canadian surveillance agency spying on Palestinian targets open up major issues of privacy; specifically when you consider how a target is selected, and how sure government powers need to be before a person is added to a list of terrorists. As Parsons told me, there is the “very serious question of how exactly individuals are identified as valid targets or not… How many individuals are swept up into the monitoring?”

Facebook Messenger app sparks privacy concerns

Rogers sheds new light on what personal data spy agencies can get

Comments yield insights into a largely hidden relationship between intelligence agencies and communications corporations

Federal spy agencies are, like police, “obviously going to have to get a lot more production orders than they did in the past,” one of Canada’s Big Three communications companies says.

And while Ottawa’s agents had been getting warrantless access to some corporately held records, “we have not opened up our metadata to the government as apparently has happened in the U.S.”

Rogers Communications’ vice-president of regulatory affairs, Ken Engelhart, made these and other remarks about his company’s relationships with federal intelligence agencies, as he spoke to The Globe’s Christine Dobby about corporate transparency in an interview this week.

Such remarks, not published until now, are important because they yield some insights into a largely hidden relationship between intelligence agencies and communications corporations.

But even as Rogers is now publicizing its bona fides as a telecom company that acts more openly than most, it is privately admitting to customers that it can face federal gag orders.

“We are unable to confirm with a customer when their information has been disclosed to a government institution… where that institution has refused to allow Rogers to disclose that information,” reads one such July 10 letter obtained by The Globe and Mail from privacy researcher Christopher Parsons, of University of Toronto’s Citizen Lab.

That Rogers is, in essence, playing a game of Catch-22 (if we told you we didn’t disclose your information, then others could see if they got a different response and learn we had disclosed their information, therefore we can’t tell anyone if we disclosed their information) is absurd. As is their refusal to provide basic records to their subscribers.

Rogers to require warrants for police requests

In the wake of a landmark court ruling last month that upheld Canadians’ right to online privacy, telecommunications companies are tightening their policies on when they will share customer information with police and government authorities.

The move by one of Canada’s biggest cellphone, Internet and home-phone companies comes as the federal government works to pass legislation that academics and privacy advocates warn will erode protections around Canadians’ personal information. The Conservatives’ anti-cyberbullying bill is still before the House of Commons, but if passed in its current form, Bill C–13 would give legal immunity to telecommunications companies that voluntarily hand subscriber information to police and other public officials.

However, if telecom providers refuse to voluntarily disclose information without a warrant or court order, that could weaken the effect of the legislation, said Christopher Parsons, a research fellow with Citizen Lab, part of the University of Toronto’s Munk School of Global Affairs.

“Rogers’s decision shows even though that liability shield is being offered, some telecoms may decline to take advantage of it,” he said Wednesday. “Rogers is not the entire industry, of course. But if we see [others] start to take a similar position, maybe that would defray the impact of C–13, although it wouldn’t mean that C–13 was a better law.”

The Citizen Lab’s Mr. Parsons said Rogers’s policy shift is a positive step. “This is just making it really clear to their subscribers that no matter what interpretation [of the ruling] the authorities take, Rogers’s interpretation is going to be: You need to come with a warrant.”

Rogers, TELUS, and TekSavvy have all now changed their policies: no court order, no data. It’s good to see these companies taking seriously their duties to protect subscriber data from government overreach. Now, if only they can improve on how they respond to subscribers’ requests for their personal information…

Police and bylaw enforcement may be tracking your licence plate for parking data

Calgary resident Linda McKay-Panos doesn’t venture downtown often, but a city database knows where and when she parked her car during 10 visits over the past four years.

Each day, parking enforcement officers drive the city’s streets in cars equipped with cameras designed to scan licence plates and identify parking scofflaws. Even if no violation has been committed, the city still holds on to data showing the time and location the vehicle was spotted, as well as a photo of the vehicle.

As use of licence-plate scanning technology grows in Canada among bylaw enforcement agencies and police departments, there is no consistency as to how long such data is retained or who it’s shared with.

The technology is becoming a “mass surveillance” tool and demands better oversight, said Christopher Parsons, a post-doctoral fellow at the University of Toronto’s Citizen Lab specializing in technology and privacy issues.

“It doesn’t matter that there are positive intentions behind this. It’s a surveillance system,” he said.

Even if police have a reason to sift through the stored data, the fact that the data consists of plate information belonging to people who are innocent of wrongdoing is troublesome, Parsons said.

“I don’t think people go around their daily lives with the expectation that my movements are going to be monitored because at some point in the future I may be of interest to the police.”

The whole article is important, and worth the read, and discloses the massive variance in how vehicular surveillance is happening across Canada.

This App Helps Reveal What Personal Data Is Stored by Canadian ISPs

To find out what people could expect to learn by using the Access My Info tool, I spoke to one of the main people behind it: Chris Parsons, a post-doctoral Fellow at the University of Toronto’s Citizen Lab.

“The privacy tool should let individuals know what information is being collected, and what’s being stored,” he said. “Additionally, telecoms’ responses should be informative if somebody wants to ask ‘have you exposed my information to government or another entity.’”

Parsons and the team plan to crowdsource the replies that telecoms provide to users to gain a much better understanding of just what’s being held onto by service providers. Presently, it’s not exactly clear if ISPs track the sites we visit, or how long our mobile phone texts are stored.

Will the tool let users know if their data has been handed over to the police without a warrant? “Maybe,” said Parsons. “Companies would have to ask police before letting us know, so as not to jeopardize any ongoing investigations.” The same goes for finding out which agencies have had access to our information.

In any case, Parsons said, finding out what information could potentially be shared with authorities is the first giant step towards an informed discussion about privacy in Canada.

“This is our information, and we have a right to understand how it’s being managed. It’s not clear from the companies how they’re doing it. They don’t tell us,” he told me.

Parsons made it clear that the way the Access My Info tool works is very simple. It’s really just using existing legal powers available to citizens and bringing them into the digital world. The Citizen Lab had already released a template letter for doing the same thing, but the tool makes it even easier to auto-fill request forms.

Moreover, Access My Info is based on an open platform. As a result, it can be reconfigured to send the same kinds of legal requests for information to all kinds of companies: credit card companies, banks, stores, or even car companies.

Parsons pointed to the example of OnStar, General Motors’ in-car service. Because it tracks the car’s location and other data, OnStar has proved a valuable resource for law enforcement. Thanks to this new tool, Canadians could soon be petitioning GM to find out how long their location data is stored.