Categories
Links

Drupal in the Age of Surveillance

“Contemporary websites have almost innumerable places where information can be entered, logged, and accessed, by either the first party or third parties.”

That’s the frank assessment of Chris Parsons, a postdoctoral fellow at The Citizen Lab at the University of Toronto’s Munk School of Global Affairs. Parsons’ current research focus is on state access to telecommunications data, through both overt mechanisms and signals intelligence – covert surveillance.

Parsons recommends an approach to user data protection called threat modeling. “So who are you concerned about, what do you believe your ethical duties of care are, and then how do you both defend against your perceived attackers and apply your duty of care?”

Parsons suggests, “The first step is really just information inventory: what’s collected, why, where’s it going, for how long.”

For Parsons, having strong protections for user data is critical, and not merely from a privacy perspective. Rather, privacy protection is just sound business practice. Imagine this scenario, he suggests: “One of your core databases with customer information gets compromised.” Then, “If you have an auditor that comes in, or if you have the press pounding on your door, you don’t want to be telling either of those parties, ‘Yeah, that’s a good question. I don’t know where any of our data is. We don’t know what we lost.’”

Parsons is more pragmatic, acknowledging that when it comes to analytics the battle has already been lost, if it even happened at all. Still, he points to the practical advantages of maintaining your own statistics. “I often avoid using Google Analytics, in part because more and more people are blocking Doubleclick [and other Google] cookies.” Instead, Parsons opts for self-hosted solutions because, “I find that the truth that comes through them can be more useful.”

Parsons similarly recommends a tool called Social Share Privacy, which has an associated Drupal module. Like Mytube, Social Share Privacy communicates with the third party website only if a user first clicks a link. Parsons comments, “If your content is really great – and most people hope it is – I don’t think that one extra click is going to doom the ability to share [it].”

Burdett explains that while standard encryption uses a single key that’s used across a server, there is a newer method called forward secrecy: “[It] means that a unique key is generated for each HTTPS session.” If you run an e-commerce bookshop and receive a law enforcement subpoena relating to a particular customer, Parsons says, “You as a bookshop seller do not want to be in a situation where you’re disclosing the decryption key for every person – or every IP address, rather – that has looked at your website and what books they’ve looked at.” Forward secrecy ensures there is no single key that decrypts all users’ communications.

For Parsons, once you’ve completed your information inventory and determined what you’re gathering – and how and why – a key next step is writing a detailed and appropriate privacy policy.

“You can usually tell it’s a bad privacy policy,” Parsons says, “as soon as you get stuff like, ‘In the provision of this service, we may provide information to third parties.’ Whereas you, as the site owner, know damn well that you’re using Google Analytics, you’re using Twitter, you’re using Facebook.”

A privacy policy is also a good place to point people to ways they can opt out. “I personally like seeing links or notices about ‘this is how you can avoid this if you want,’” Parsons says. “So you link someone out to Ghostery (a browser plugin used to block tracking software), or whatever you want to link them out to.”

As well as being specific, a privacy policy should be readable. Parsons notes, “You go and read the ‘disclosures’ that people make – their terms of service, their privacy policies – and you get this horrible language. No human in their right mind would ever know what was going on. And indeed, when I spoke with some businesses, they don’t know where that data is going.”

To Parsons, protecting user information should be anything but an afterthought. “Certainly, if there’s any sort of commercial or business interest involved, I think this just flows out of the business plan that you’ve probably developed.”
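
The forward secrecy point in the excerpt above can be checked on a server's TLS settings. This is an added example, not code from the article or from Drupal: it uses Python's `ssl` module to list which enabled cipher suites rely on the server's long-term RSA key for key exchange (one key decrypts every recorded session) and which use a fresh key per handshake. The two cipher strings and the function names are assumptions chosen for illustration.

```python
import ssl

# Key-exchange labels reported by OpenSSL via SSLContext.get_ciphers().
# kx-rsa: the session secret is encrypted to the server's long-term key, so
# disclosing that one key exposes every recorded session.
# kx-ecdhe / kx-dhe: a fresh key pair per handshake (forward secrecy).
# kx-any: TLS 1.3 suites, which always use an ephemeral key exchange.
# Any other label (for example PSK variants) is treated as not forward secret.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}

# Constructed sample settings (assumptions, not taken from the article).
LEGACY = "AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"  # first suite is RSA key exchange
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20"                  # ephemeral key exchange only


def build_context(cipher_string):
    """Server-side TLS context whose TLS 1.2 suites are limited to cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx


def audit(ctx):
    """Return (forward_secret, not_forward_secret) lists of enabled suite names."""
    fs, non_fs = [], []
    for suite in ctx.get_ciphers():
        target = fs if suite["kea"] in FORWARD_SECRET_KX else non_fs
        target.append(suite["name"])
    return fs, non_fs


if __name__ == "__main__":
    for label, cipher_string in (("legacy", LEGACY), ("hardened", HARDENED)):
        fs, non_fs = audit(build_context(cipher_string))
        print(f"{label}: {len(fs)} forward-secret suites, "
              f"not forward secret: {non_fs or 'none'}")
```

A site owner can run the same `audit` against the cipher string from their own web server configuration; any name in the second list is a suite where the server's private key alone is enough to decrypt captured traffic.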

 

Categories
Links

Access, Partners Recognize Heroes, Villains on Human Rights and Communications Surveillance

Transparency

Summary: States should be transparent about the use and scope of Communications Surveillance laws, regulations, activities, powers, or authorities.

Hero: Doctor Christopher Parsons

Doctor Parsons has actively pushed Canada’s leading Telecommunications Services Providers to disclose how, why, and how often they provide subscriber information to state agencies. Based on their responses, Dr. Parsons offered comprehensive recommendations on how companies could improve public transparency.

Villain: Secretary Jeremy Heywood

Under the authority of UK Prime Minister David Cameron, Mr. Heywood ordered the Guardian to destroy documents regarding surveillance activities of the NSA and GCHQ. The hard drives were “pulverized” in the basement of the newspaper’s London offices. Notably, the Guardian has stated that all documents related to its reporting on these matters are stored in other offices.

It remains amazing – and an absolute honour – to be listed as a hero alongside Edward Snowden, Navi Pillay (former UN High Commissioner), Sen. Ron Wyden, Dilma Rousseff, amongst a host of others.

Also: I guess I have something to talk about next time I run into a member of the British Cabinet?

Categories
Links

Poor record of fed requests to telecom companies for Canadians’ data

Many law-enforcement agencies do not track requests for private information, making the system vulnerable to abuse

“Many departments say they don’t have the information and say they don’t keep track of these things,” said NDP MP Charmaine Borg, whose questions led to the release of response documents. “… And if that is the case, that brings up to me a huge problem. How are we supposed to ensure there are no abuses, and that government agencies are making these requests within very extreme circumstances, when they don’t even keep track of when they’re making them?”

Christopher Parsons, a postdoctoral fellow at the Citizen Lab of the University of Toronto’s Munk School of Global Affairs, said non-federal agencies, such as police forces, are also seeking data. “Even if we got good numbers from all the federal government, there is a huge, huge part of the surveillance iceberg that’s yet to be seen,” he said.

It’s important to keep in mind that much of the attention concerning government surveillance has been about how federal agencies access telecommunications data, and how proposed lawful access legislation would extend and expand such access. While this attention is deserved there is an entirely different set of actors that have yet to be examined in any sustained way: provincial agencies and municipal organizations.

Categories
Links

Canadian ISPs Won’t Tell You Much About Your Own Data

Ever wondered how long your telecom provider retains your user data? Or if law enforcement has requested your records?

This “Access My Info” tool was launched in June, and now, responses have started to trickle back in.

“We’re starting to be able to compare and contrast some of the larger companies’ responses,” Parsons said.

Using either Parsons’ form letter, or the AMI tool, subscribers can request that their telecom providers clarify the types of data they collect, tell them how long they retain such data, provide copies of relevant records, and whether their information has been disclosed to law enforcement or government agencies. But perhaps unsurprisingly, policies and practices tend to differ from one provider to the next.

“I think that the letters from TekSavvy are comprehensive. They’re not trying to play games,” Parsons said, referring to the responses sent out by one of Canada’s smaller internet service providers. “They’re actually taking seriously the questions that individuals are making and not trying to blow them off. That stands in variance with, I would say, almost every other member of the industry.”

Parsons said that in other responses, “the detail that is present, or is more often the case, absent, is really quite breathtaking. The only thing I have from Bell is a one page sheet that’s almost worse than useless. It almost doesn’t respond to the customer’s question.”

Parsons told me that discerning how long certain types of data are retained has proven particularly hard, for example.

“Retention schedules matter. How long you store data should not be a top secret corporate secret, because it’s about citizens,” said Parsons. “Here we’re talking about basic, basic, basic privacy information. How long do you store information about me? None of these companies aside from TekSavvy have tried to comprehensively respond to that question.”

This is a detailed piece by Matt Braga, and one that I’d highly recommend if you’re interested in what the Telecom Transparency Project has (and hasn’t) learned about Canadian telecommunications companies’ data retention schedules.

Categories
Links

Telus joins transparency push by sharing demands for customer info

TELUS is to be congratulated for following through on their promise to release a transparency report, as well as for committing to publishing future reports. At this point, two of the largest telecoms in Canada (Rogers and TELUS) along with a leading independent telecom (TekSavvy) have released transparency reports: where are Bell and all the smaller companies?

Categories
Quotations

2014.9.2

The Great Celebrity Naked Photo Leak of 2014 – or perhaps we should call it The Great Celebrity Naked Photo Leak of August 2014, given that this happens so often that there won’t be only one this year – is meant to remind women of their place. Don’t get too high and mighty, ladies. Don’t step out of line. Don’t do anything to upset or disappoint men who feel entitled to your time, bodies, affection or attention. Your bared body can always be used as a weapon against you. Your bared body can always be used to shame and humiliate you. Your bared body is at once desired and loathed.

Roxane Gay, “The Great Naked Celebrity Leak of 2014 Is Just the Beginning”

Categories
Links

Facebook Messenger app sparks privacy concerns

Categories
Links

Inside Citizen Lab, the “Hacker Hothouse” protecting you from Big Brother

One of the better descriptions of some of what we do, on a daily and ongoing basis, at the Citizen Lab.

Categories
Aside Links

Rogers sheds new light on what personal data spy agencies can get

Comments yield insights into a largely hidden relationship between intelligence agencies and communications corporations

Federal spy agencies are, like police, “obviously going to have to get a lot more production orders than they did in the past,” one of Canada’s Big Three communications companies says.

And while Ottawa’s agents had been getting warrantless access to some corporately held records, “we have not opened up our metadata to the government as apparently has happened in the U.S.”

Rogers Communications’ vice-president of regulatory affairs, Ken Engelhart, made these and other remarks about his company’s relationships with federal intelligence-agencies, as he spoke to The Globe’s Christine Dobby about corporate transparency in an interview this week.

Such remarks, not published until now, are important because they yield some insights into a largely hidden relationship between intelligence agencies and communications corporations.

But even as Rogers is now publicizing its bona fides as a telecom company that acts more openly than most, it is privately admitting to customers that it can face federal gag orders.

“We are unable to confirm with a customer when their information has been disclosed to a government institution… where that institution has refused to allow Rogers to disclose that information,” reads one such July 10 letter obtained by The Globe and Mail from privacy researcher Christopher Parsons, of University of Toronto’s Citizen Lab.

That Rogers is, in essence, playing a game of Catch-22 (if we told you we didn’t disclose your information, then others could see if they got a different response and learn we had disclosed their information, therefore we can’t tell anyone if we disclosed their information) is absurd. As is their refusal to provide basic records to their subscribers.

Categories
Links

Telecoms move in right direction on privacy: Editorial

It’s important to note that, while warrants will be required for police, they won’t necessarily be required for any agencies that already enjoy statutory authority to request information from telecommunications companies. So security agencies will continue to access data, often without warrant, despite what the Star has written.