New allegations that CSEC tracked the gadgets of travellers using Wi-Fi have some questioning their privacy â but experts say there’s little Canadians can do about it.
Last week I was interviewed by Global News about the revelations CSEC was collecting metadata emitted from wireless stations in Canada. This is the result.
Source: Alleged Wi-Fi tracking is out of Canadians’ control: privacy experts
Christopher Parsons, a fellow at the Citizen Lab at the University of Toronto, a group that helped review the documents, added that while using corporate analytics may have been one possible attack vector, there could have been another.
“There’s a series of different kinds of identifiers—that’s not entirely clear from the documents,” he told Ars.
“It’s also theoretically possible that [CSEC] may be tapping into other identifiers. There’s going to be some global database that they’re pulling from. Whether it’s going to be cookies or another identifier. My thought would be [if not cookies] that if they’re looking for particular chat user names or e-mail that is also sent in clear or sent in clear often enough. One of [the] pieces about this [is] that it seems to indicate that it’s the act of logging on. It’s not clear that you have to make some particular action, it’s that the device[s] are likely to be sending out this kind of information upstream. It is possible that it’s your username every time you hit the mail server.”
He also noted that in Canada, the two major ISPs—Bell and Rogers—provide, by default, e-mail accounts on Microsoft and Yahoo, respectively.
So, he speculated, if CSEC was going to use such an e-mail username for instance, “that ISP is going to have a litany of personal information about a Canadian target, billing and everything else that they hold, whereas the cookie information may not provide [all that information.]”
Both Parsons and Weaver also added that the use of Tor, VPNs, and anti-tracking software (such as browser plugins like Disconnect or Ghostery) may help to somewhat thwart this type of tracking.
Source: New Snowden docs show Canadian spies tracked thousands of travelers
As it happens, last week, a group of academics and civil-liberties organizations, led by Christopher Parsons, a postdoctoral fellow at the University of Toronto, sent out a long questionnaire to 16 Canadian telecommunications carriers. For example, it asks the carriers how the types of the authorities’ requests break down, as among matters of child exploitation, terrorism, national security and foreign intelligence.
Nice to have been mentioned in the Globe’s Editorial!
I’m not in corporate PR, but when it turns out your company (i.e. BlackBerry) holds the patent on a known-NSA-backdoored encryption standard I’m not sure shutting up and avoiding the press is the best of ideas. Especially if your product (*cough* BlackBerry *cough*) is predicated on strong security against all attackers.
Source: The strange connection between the NSA and an Ontario tech firm
Clearly, Canadians can totally have confidence in CSEC’s steps to protect privacy. As in, there are 5 separate steps to protect Canadians, plus (possibly) other ‘incidental’ steps that are dealt with elsewhere. (Source: 2011 ATIP from CSEC)
And don’t worry about those incidents because they’re all dealt with in ‘privacy protective’ ways. (And just trust CSEC on the latter, even though CSEC redacts its privacy protective practices for when incidentally collecting Canadians’ information.)
To players of WoW (such as my sons), WOW is a fun game. They often wear headsets to talk with teammates while playing, and keep a chat window scrolling as well. To law enforcement, WoW (or any other similar game) can seem instead to be a global terrorist communications network. Players can talk and send chat messages, internationally, outside of the traditional telephone network and outside of the scope of CALEA. The architecture is based on what works for the game, and not what facilitates lawful access.
Peter Swire, “From real-time intercepts to stored records: why encryption drives the government to seek access to the cloud”
Of course, this statement is largely bunk given that the large companies (like Blizzard, the producers of World of Warcraft) tend to have lawful access guides. And Blizzard’s, in particular, is incredibly detailed (and humorous) and been around since at least 2009. It’s statements like the one quoted, above, that make Swire’s entire paper dubious: given the empirical deficiency of his paper (especially in light of Snowden) he should be required to either write an update to the paper and identity everything that was false in it, or just recant the old paper in its majority.
While policies may vary, the sensitive nature of the data produced does not. Traffic data analysis generates more sensitive profiles of an individual’s actions and intentions, arguably more so than communica- tions content. In a communication with another individual, we say what we choose to share; in a transaction with another device, for example, search engines and cell stations, we are disclosing our actions, movements, and intentions. Technology- neutral policies continue to regard this transactional data as POTS traffic data, and accordingly apply inadequate protections.
…
This is not faithful to the spirit of updating laws for new technology. We need to acknowledge that changing technological environments transform the policy itself. New policies need to reflect the totality of the new environment.
Alberto Escudero-Pascual and Ian Hosein, “Questioning Lawful Access to Traffic Data”
Particularly relevant for Snowden’s whistleblower status is his efforts to reveal misconduct within official NSA channels. According to the interview, Snowden aired his misgivings as early as October 2012 with as many as 17 co-workers and superiors, challenging them with the sheer volume of domestic data being collected by the BOUNDLESSINFORMANT program. The challenges went nowhere. Six months later, he began contacting reporters. Contacted for comment, an NSA spokesman told the Post there was no record of the conversations.
Russell Brandom, “NSA leaker Edward Snowden: ‘I already won’”
The irony that the NSA lacks a record of those conversations is incredibly rich.
…according to a former NSA employee, by 1995 the agency had installed sniffer software to collect various kinds of traffic at nine major Internet exchange points (IXPs). Terry Thompson, the NSA deputy director, also acknowledged in 2001 that the agency has taken to hiring technicians away from the private companies that run much of the World Wide Web, such as Cisco systems, and employing them to reverse engineer various communications technologies in order to locate vulnerabilities that the agency can exploit. This poached taken much be invaluable in sorting through the packetized and multiplexed flows of digital data.
Patrick Radden Keefe, Chatter: Dispatches from the Secret World of Global Eavesdropping
Excited Pixels