Categories
Links

Drupal in the Age of Surveillance

“Contemporary websites have almost innumerable places where information can be entered, logged, and accessed, by either the first party or third parties.”

That’s the frank assessment of Chris Parsons, a postdoctoral fellow at The Citizen Lab at the University of Toronto’s Munk School of Global Affairs. Parsons’ current research focus is on state access to telecommunications data, through both overt mechanisms and signals intelligence – covert surveillance.

Parsons recommends an approach to user data protection called threat modeling. “So who are you concerned about, what do you believe your ethical duties of care are, and then how do you both defend against your perceived attackers and apply your duty of care?”

Parsons suggests, “The first step is really just information inventory: what’s collected, why, where’s it going, for how long.”

For Parsons, having strong protections for user data is critical, and not merely from a privacy perspective. Rather, privacy protection is just sound business practice. Imagine this scenario, he suggests: “One of your core databases with customer information gets compromised.” Then, “If you have an auditor that comes in, or if you have the press pounding on your door, you don’t want to be telling either of those parties, ‘Yeah, that’s a good question. I don’t know where any of our data is. We don’t know what we lost.’”

Parsons is more pragmatic, acknowledging that when it comes to analytics the battle has already been lost, if it even happened at all. Still, he points to the practical advantages of maintaining your own statistics. “I often avoid using Google Analytics, in part because more and more people are blocking Doubleclick [and other Google] cookies.” Instead, Parsons opts for self-hosted solutions because, “I find that the truth that comes through them can be more useful.”

Parsons similarly recommends a tool called Social Share Privacy, which has an associated Drupal module. Like Mytube, Social Share Privacy communicates with the third party website only if a user first clicks a link. Parsons comments, “If your content is really great – and most people hope it is – I don’t think that one extra click is going to doom the ability to share [it].”

Burdett explains that while standard encryption uses a single key that’s used across a server, there is a newer method called forward secrecy: “[It] means that a unique key is generated for each HTTPS session.” If you run an e-commerce bookshop and receive a law enforcement subpoena relating to a particular customer, Parsons says, “You as a bookshop seller do not want to be in a situation where you’re disclosing the decryption key for every person – or every IP address, rather – that has looked at your website and what books they’ve looked at.” Forward secrecy ensures there is no single key that decrypts all users’ communications.

For Parsons, once you’ve completed your information inventory and determined what you’re gathering – and how and why – a key next step is writing a detailed and appropriate privacy policy.

“You can usually tell it’s a bad privacy policy,” Parsons says, “as soon as you get stuff like, ‘In the provision of this service, we may provide information to third parties.’ Whereas you, as the site owner, know damn well that you’re using Google Analytics, you’re using Twitter, you’re using Facebook.”

A privacy policy is also a good place to point people to ways they can opt out. “I personally like seeing links or notices about ‘this is how you can avoid this if you want,’” Parsons says. “So you link someone out to Ghostery (a browser plugin used to block tracking software), or whatever you want to link them out to.”

As well as being specific, a privacy policy should be readable. Parsons notes, “You go and read the ‘disclosures’ that people make – their terms of service, their privacy policies – and you get this horrible language. No human in their right mind would ever know what was going on. And indeed, when I spoke with some businesses, they don’t know where that data is going.”

To Parsons, protecting user information should be anything but an afterthought. “Certainly, if there’s any sort of commercial or business interest involved, I think this just flows out of the business plan that you’ve probably developed.”

 

Categories
Links

Picking out a face in the crowd: Toronto police considering facial recognition technology

But for all its abilities, privacy advocates caution that the technology raises big questions about surveillance, and has potential implications for members of the public who aren’t suspects of a crime.

In cases like these, the technology has clear advantages, says privacy expert Christopher Parsons, a fellow at the Munk School of Global Affairs at the University of Toronto.

“Serious crimes — rapes, murders, manslaughter — these are the kinds of crimes that must be brought to justice,” he says. “But for other crimes, lesser crimes, maybe those aren’t the situations where we [should] use these really efficient, high-tech systems.” The risk, he says, is that “it starts … criminalizing a large portion of the population.”

Police aren’t the only organizations to employ this type of technology. Some department stores and retail chains also use it to catch repeat shoplifters. But Parsons points out there is a difference between private individuals capturing images and the police.

“[Private individuals] don’t have the power to arrest,” he says.

 

Categories
Links Quotations

The Canadian Government Wants to Pay More People to Creep Your Facebook

But government social media monitoring could very easily cross over into a legal gray area. Christopher Parsons, a cybersurveillance researcher at the University of Toronto’s Citizen Lab, said the collection of personal data from online sources needs to be rigorously justified, and even when it is, the data needs to be handled and stored safely.

“The government can’t just collect information about Canadians—even from public sourced data repositories such as social media—just because it wants to,” said Parsons in an email to me. “There have to be terms set on the collection, handling, disclosure, and disposal of personal information that the government wants to gather. As a result, even when data is collected for legitimate reasons that doesn’t mean the data can then be used in any way that the government (subsequently) decides.”

Strict oversight of how the government gleans and uses this intelligence—even in the service of testing policy reactions, as Parsons thinks this service will likely do—is required.

According to Parsons, that comes in the form of internal “privacy impact assessments” related to the specific social media surveillance program.

“Government agencies are supposed to conduct such assessments before collecting Canadians’ personal information and explain the specifics of how and why they will collect Canadians’ personal data,” said Parsons.

In the medium term, it appears Canadians can count on more of their tweets to be sucked up into a government social media surveillance system—then potentially shared across government departments.

Parsons told me that the sharing of the personal data of Canadians, in general, is only becoming more pervasive across government agencies.

“There has been a marked increase in the sharing of personal data between and across different departments because information is initially being collected for vague or far-sweeping reasons. Were social media information collected for similarly vague reasons then the government could then try to expansively share collected information across government,” he said.

 

Categories
Aside

German spy agency seeks millions to monitor social networks outside Germany

The BND also wants to spend €4.5 million to crack and monitor HTTPS (Hypertext Transfer Protocol Secure) encrypted Internet traffic. By 2020 some of that money may be spent on the black market to buy zero day exploits, unpublicized vulnerabilities that can be exploited by hackers. That program, called “Nitidezza”, should also provide better protection for government networks, German weekly Der Spiegel said in a separate report on BND’s budget requests.

Moreover, a plan to monitor Internet exchanges outside Germany is also in the works. Next year, the agency wants to spend €4.5 million on a program called “Swop” to provide additional hidden access to a non-German exchange, the newspaper report said.

Because the solution to the ‘cybersecurity problem’ is to undermine the capacity for secure communications rather than working to strengthen what we have…

Categories
Links

When I knew I had no place left to hide

The effects of Snowden’s revelations are more than just political or technical. For many they are personal; lives have been remade as we become aware of the legal and political and familial ramifications of our work. And what is left unsaid is often more extensive than what is uttered aloud.

Categories
Links

Mapping The Canadian Government’s Telecommunications Surveillance

What:

Canadian federal government agencies, like many government agencies around the world, often request user data from telecommunications agencies for the purpose of surveillance. With few regulations in place that force governments or corporations to explain how Canadians’ telecommunications information is accessed or processed, the Citizen Lab, along with its partners, worked over the course of a year to compile and disseminate lawfully accessible data that showed how often, for what reasons, and on what legal grounds telecommunications companies in Canada provided their subscribers’ data to state agencies.

The Electronic Frontier Foundation has a series of Counter-Surveillance Success Stories and my work over the past year’s been recognized in the stories. It’s really exceptional the excellent work that people are doing all around the world – you should check them all out!

Categories
Links

Canada’s Cyberspy Agency, CSEC, Hijacks Computers Worldwide to Build Their Spynet

One key part of the HACIENDA infrastructure, however, is a Canadian program called LANDMARK, which looks for “ORBS” (Operational Relay Box) that were recently defined by Colin Freeze in the Globe and Mail as “computers [the Five Eyes spy agencies] compromise in third-party countries.” I spoke to Chris Parsons from the Citizen Lab, who explained that these ORBs are quite possibly the property of innocent citizens, and not exclusively intelligence targets:

“CSEC seemingly regards unsecured devices (their ‘ORBs’) as valid intelligence targets in order to launch deniable attacks and reconnaissance practices. We don’t know whether there is some effort to ascertain civilian vs non-civilian intermediary computers to take over, but the slides suggest that civilians and their equipment can be targeted.”

“CSEC operates using the same techniques as organized crime and foreign intelligence services… CSEC uses these techniques for nation-state aims, similar reconnaissance techniques are used by criminals, academics, and interested internet sleuths. The tools of reconnaissance and offence are depressingly affordable, whereas secure code is expensive and hard to come by.”

Categories
Links

Listening In: The Navy Is Tracking Ocean Sounds Collected by Scientists

This is one of the coolest surveillance/national security/academic research-related news articles I’ve read in a long time. Highly recommended!

Categories
Aside Links

From The Unsealed ‘Jewel v. NSA’ Transcript: The DOJ Has Nothing But Contempt For American Citizens

Hey, I’m sorry the leaks have made it harder for these agencies to do whatever the hell they want, but they are all part of a government that’s supposed to be accountable to the citizens picking up the check. But when faced with unhappy citizens and their diminished rights, all the DOJ’s lawyers can say is that the public doesn’t know shit and has no right to question the government’s activities.

The government has somehow managed to come to a conclusion others reached weeks ago – there’s more than one leaker out there. GOOD. Burn it down. In the DOJ’s hands, the government isn’t by or for the people. It’s despite the people. The DOJ can’t be trusted to protect the balance between privacy and security. As it sees it, what the public doesn’t know will likely hurt it, and it’s damned if it’s going to allow citizens to seek redress for their grievances.

While I don’t agree with the whole ‘burn-the-DOJ-down’ mentality, that this is an increasingly mainstream opinion regarding key US government institutions is deeply problematic. Such attitudes are indicative of a population no longer seeing itself reflected in its government which is, in turn, a recipe for social conflicts.

Categories
Links

Inside Citizen Lab, the “Hacker Hothouse” protecting you from Big Brother

One of the better descriptions of some of what we do, on a daily and ongoing basis, at the Citizen Lab.