Unpacking the Global Pivot from AI Safety

The global pivot away from AI safety is now driving a lot of international AI policy. This shift is often attributed to the current U.S. administration and is reshaping how liberal democracies approach AI governance.

In a recent article on Lawfare, author Jakub Kraus argues there are deeper reasons behind this shift. Specifically, countries such as France had already begun reorienting toward innovation-friendly frameworks before the activities of the current American administration. The rapid emergence of ChatGPT also sparked a fear of missing out and a surge in AI optimism, while governments also confronted the perceived economic and military opportunities associated with AI technologies.

Kraus concludes his article by arguing that there may be some benefits to emphasizing opportunity over safety, while also recognizing the risks of not building up effective international or domestic governance institutions.

However, if AI systems are not designed to be safe, transparent, accountable, privacy protective, or human rights affirming, then there is a risk that people will lack trust in these systems because of the actual and potential harms of developing and deploying them without sufficient regulatory safeguards. The result could be the emergence or fostering of a range of socially destructive harms and a long-term hesitancy to take advantage of the potential benefits associated with emerging AI technologies.

Categorizing Contemporary Attacks on Strong Encryption

Matt Burgess at Wired has a good summary article on the current (and always ongoing) debate concerning the availability of strong encryption.

In short, he sees three ‘classes’ of argument which are aimed at preventing individuals from protecting their communications (and their personal information) with robust encryption.

  1. Governments or law enforcement agencies are asking for backdoors to be built into encrypted platforms to gain “lawful access” to content. This is best exemplified by recent efforts by the United Kingdom to prevent residents from using Apple’s Advanced Data Protection.
  2. An increase in proposals related to a technology known as “client-side scanning.” Perhaps the best known effort is an ongoing European proposal to monitor all users’ communications for child sexual abuse material, notwithstanding the broader implications of integrating a configurable detector (and censor) on all individuals’ devices.
  3. The threat of potential bans or blocks for encrypted services. We see this in Russia, concerning Signal, and in legal action against WhatsApp in India.

In this broader context it’s worth recognizing that alleged Chinese compromises of key American lawful interception systems led the US government to recommend that all Americans use strongly encrypted communications in light of network compromises. If strong encryption is banned then there is a risk that there will be no respite from such network intrusions, while also likely creating an entirely new domain of cyber threats.

An Initial Assessment of CLOUD Agreements

The United States has bilateral CLOUD Act agreements with the United Kingdom and Australia, and Canada also continues to negotiate an agreement with the United States.[1] CLOUD agreements are meant to alleviate some of the challenges attributed to the MLAT process, namely that MLATs can be ponderous, with the result that investigators have difficulties obtaining information from communication providers in a manner deemed timely.

Investigators must conform with their domestic legal requirements and, with CLOUD agreements in place, can serve orders directly on bilateral partners’ communications and electronic service providers. Orders cannot target the domestic residents of a targeted country (i.e., the UK government could not target a US resident or person, and vice versa). Demands also cannot interfere with fundamental rights, such as freedom of speech.[2]

A recent report from Lawfare unpacks the November 2024 report that was produced to explain how the UK and USA governments actually used the powers under their bilateral agreement. It shows that, so far, the UK government has used the agreement substantially to facilitate wiretap requests, with the UK issuing,

… 20,142 requests to U.S. service providers under the agreement. Over 99.8 percent of those (20,105) were issued under the Investigatory Powers Act, and were for the most part wiretap orders, and fewer than 0.2 percent were overseas production orders for stored communications data (37).

By way of contrast, the “United States made 63 requests to U.K. providers between Oct. 3, 2022, and Oct. 15, 2024. All but one request was for stored information.” Challenges in getting UK providers to respond to US CLOUD Act requests, and American complaints about this, may cause the UK government to “amend the data protection law to remove any doubt about the legality of honoring CLOUD Act requests.”

It will be interesting to further assess how CLOUD Act agreements operate, in practice, at a time when there is public analysis of how the USA-Australia agreement has been put into effect.


  1. In Canada, the Canadian Bar Association noted in November 2024 that new enabling legislation may be required, including reforms of privacy legislation to authorize providers’ disclosure of information to American investigators.
  2. Debates continue about whether protections built into these agreements are sufficient.

Privacy, Dignity, and Autonomy in the Workplace

Reporting by Sophie Charara unpacks the potentials of contemporary workplace monitoring technologies. Of course, concerns about employee privacy and the overzealous surveillance of employees are not new. What is changing are the ways that contemporary technologies can be used, sometimes for potentially positive uses (e.g., making it easier to determine if meeting rooms are actually available for booking or ensuring that highly-trafficked areas of the office receive special cleaning) and sometimes for concerning uses (e.g., monitoring where employees gather in the workplace, tracking them in near-real time through the work environment, or monitoring communications patterns).

Ultimately, Charara’s work can help inform ongoing discussions about what safeguards and protections should be considered in the workplace, so that employees’ privacy is appropriately protected. It can also showcase practices that we may want to bar before they ever come into mainstream practice, to protect the privacy, dignity, and autonomy of people in the workplace.

The Trouble of Defining Privacy

Privacy is not something that can be counted, divided, or “traded.” It is not a substance or collection of data points. It’s just a word that we clumsily use to stand in for a wide array of values and practices that influence how we manage our reputations in various contexts.

— Siva Vaidhyanathan. (2011). The Googlization of Everything (And Why We Should Worry). Page 87

VW Leaks Geolocation Data

Contemporary devices collect vast amounts of personal and sensitive information, and usually for legitimate purposes. However, this means that there is an ever-growing number of market participants that need to carefully safeguard the data they are collecting, using, retaining, or disclosing.

One of Volkswagen’s software development subsidiaries, Cariad, reportedly failed to adequately secure software installed in VW, Audi, Seat, and Skoda vehicles:

The sensitive information was left exposed on an unprotected and misconfigured Amazon cloud storage system for months – the problem has now been patched.

In some 466,000 of the 800,000 vehicles involved, location data was extremely precise so that anyone could track the driver’s daily routine. Spiegel reported that the list of owners includes German politicians, entrepreneurs, the entire EV fleet driven by Hamburg police, and even suspected intelligence service employees – so while nothing happened, it seriously could have been a lot worse.

This is a case where no clear harm has been detected. But it speaks more broadly to the continuing need for organizations to know what sensitive information they are collecting and the purposes of the collection, and to establish adequate controls to protect collected and retained data.

The Data Broker Economy Continues to Endanger Individuals’ Privacy

Mobile advertisers and data brokers routinely collect vast amounts of sensitive information without individuals’ meaningful consent. Sometimes this collection is explicitly mentioned in the terms of service that advertisers provide. However, in many other cases, this collection is linked to “free” functionality services that developers integrate into their applications at the cost of losing control of their users’ data.

These kinds of data brokers fuel a large and mostly invisible data market. But there are times when aspects of it (accidentally) emerge from the shadows.

Recent reporting, first covered by 404 Media, reveals how Fog Reveal sells geolocation services to government agencies. Geofences can be placed around targeted persons’ friends’ and families’ homes, places of worship, doctors’ offices, and offices of a person’s lawyer. Fences can be established retroactively as well as proactively.

These same capacities, it must be noted, can be, and are, also exploited by non-law enforcement agencies. Recent reporting has showcased how the activities of these kinds of data brokers can endanger national security, and they can also put the safety of political and business leaders, to say nothing of regular people, at risk of harm.

Fog Reveal and similar companies are offering an expansive for-sale surveillance capacity. And the capacity, which was once the stuff of science fiction, has somehow become banally available for those who can convince private vendors to provide access to the data they have collected.

There remains an open question of how to remedy the current situation: should the focus be on regulating bad actors after they appear or, instead, on investing the political capital required to stop the processes enabling the data collection in the first place?

Intelligence Commissioner Raises Concerns About Canada’s Federal Cybersecurity Legislation

Earlier this week the Intelligence Commissioner (IC) appeared at the Standing Senate Committee on National Security, Defence and Veterans Affairs on Bill C-26, along with the federal Privacy Commissioner. The bill is intended to enhance the cybersecurity requirements that critical infrastructure providers must adopt.

The IC’s remarks are now public. He made four very notable comments in his opening remarks:

  1. The IC warned that the proposed amendments to the Telecom Act would allow the minister to essentially compel the production of any information in support of orders. This information could include personal information – which under broad exceptions, could then be widely disclosed.
  2. Part 2 allows for the regulators to carry out the equivalent of unwarranted searches – where again, personal information could be collected.
  3. The CSE will play a vital role and will be the holder of this information, in a technological form or otherwise, which will contain elements for which we have a reasonable expectation of privacy.
  4. In light of the invasive nature of the Bill, he asserted that it is important that meaningful safeguards be part of the legislation so that Canadians have confidence in the cybersecurity system.

His responses to comments at committee — not yet available through Hansard — made even more clear that he believed that amendments are needed to integrate appropriate oversight and accountability measures into the legislation. The IC’s comments, combined with those of the federal Privacy Commissioner of Canada and civil society representatives, constitute a clear warning to senators about the potential implications of the legislation.

It will be interesting to see how they respond.

Emerging Trends from Canadian Privacy Regulators and Cybersecurity Legislation?

Earlier this evening, the Office of the Privacy Commissioner of Canada (OPC) appeared before the Standing Senate Committee on National Security, Defence and Veterans Affairs on the topic of Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

While at Committee, Commissioner Dufresne recognized the value of making explicit the OPC’s oversight role concerning the legislation. He also reaffirmed the importance of requiring any collection, use, or disclosure of personal information to be both necessary and proportionate. And should the Standing Committee decline to adopt this amendment, they were advised to, at a minimum, include a requirement that data only be retained for as long as necessary. Government institutions should also be required to undertake privacy impact assessments and consult with the OPC.

Finally, in cases of cyber incidents that may result in a material breach, his office should be notified; this could entail the OPC being notified by the Communications Security Establishment based on a real risk of significant harm standard. Information sharing agreements should also be put in place that provide minimum privacy safeguards while also strengthening governance and accountability processes.

The safeguards the OPC is calling for are important and also overlap with many of those the Information and Privacy Commissioner of Ontario has called for (written submission, Commissioner Kosseim’s oral remarks) concerning the provincial government’s Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024.

Should other Canadian jurisdictions propose their own cybersecurity legislation to protect critical infrastructure and regulated bodies, it will be interesting to monitor for consistency in the amendments called for by Canada’s privacy regulators.

Ongoing Criminal Exploitation of Emergency Data Requests

When people are at risk, law enforcement agencies can often move quickly to obtain certain information from online service providers. In the United States this can involve issuing Emergency Data Requests (EDRs) absent a court order.[1]

The problem? Criminal groups are increasingly taking advantage of poor cyber hygiene to gain access to government accounts and issue fraudulent EDRs.

While the full extent of the threat remains unknown, of Verizon’s total 127,000 requests for data in Q2 of 2023, 36,000 were EDRs. And Kodex, a company that is often the intermediary between law enforcement and online providers, found that over the past year it had suspended 4,000 law enforcement users and approximately 30% of EDRs did not pass secondary verification. Taken together this may indicate a concerning cyber policy issue that may seriously endanger affected individuals.

These are just some of the broader policy and cybersecurity challenges that are key to keep in mind, both as new laws are passed and as new cybersecurity requirements are contemplated. It is imperative that lawful government capabilities are not transformed into significant and powerful tools for criminals and adversaries alike.


  1. There are similar kinds of provisions in the Canadian Criminal Code.