Tag: Telecommunications

Categories
Links Writing

Categorizing Contemporary Attacks on Strong Encryption

Matt Burgess at Wired has a good summary article on the current (and always ongoing) debate concerning the availability of strong encryption.

In short, he sees three ‘classes’ of argument which are aimed at preventing individuals from protecting their communications (and their personal information) with robust encryption.

  1. Governments or law enforcement agencies are asking for backdoors to be built into encrypted platforms to gain “lawful access” to content. This is best exemplified by recent efforts by the United Kingdom to prevent residents from using Apple’s Advanced Data Protection.
  2. An increase in proposals related to a technology known as “client-side scanning.” Perhaps the best known effort is an ongoing European proposal to monitor all users’ communications for child sexual abuse material, notwithstanding the broader implications of integrating a configurable detector (and censor) on all individuals’ devices.
  3. The threat of potential bans or blocks for encrypted services. We see this in Russia, concerning Signal and legal action against WhatsApp in India.

In this broader context it’s worth recognizing that alleged Chinese compromises of key American lawful interception systems led the US government to recommend that all Americans use strongly encrypted communications in light of network compromises. If strong encryption is banned then there is a risk that there will be no respite from such network intrusions while, also, likely creating an entirely new domain of cyber threats.

Categories
Links Writing

American Telecommunication Companies’ Cybersecurity Deficiencies Increasingly Apparent

Five Eyes countries have regularly and routinely sought, and gained, access to foreign telecommunications infrastructures to carry out their operations. The same is true of other well resourced countries, including China.

Salt Typhoon’s penetration of American telecommunications and email platforms is slowly coming into relief. The New York Times has an article that summarizes what is being publicly disclosed at this point in time:

  • The full list of phone numbers that the Department of Justice had under surveillance in lawful interception systems has been exposed, with the effect of likely undermining American counter-intelligence operations aimed at Chinese operatives
  • Phone calls, unencrypted SMS messages, and email providers have been compromised
  • The FBI has heightened concerns that informants may have been exposed
  • Apple’s services, as well as end to end encrypted systems, were not penetrated

American telecommunications networks were penetrated, in part, due to companies relying on decades old systems and equipment that do not meet modern security requirements. Fixing these deficiencies may require rip-and-replacing some old parts of the network with the effect of creating “painful network outages for consumers.” Some of the targeting of American telecommunications networks is driven by an understanding that American national security defenders have some restrictions on how they can operate on American-based systems.

The weaknesses of telecommunications networks and their associated systems are generally well known. And mobile systems are particularly vulnerable to exploitation as a result of archaic standards and an unwillingness by some carriers to activate the security-centric aspects of 4G and 5G standards.

Some of the Five Eyes, led by Canada, have been developing and deploying defensive sensor networks that are meant to shore up some defences of government and select non-government organizations.1 But these edge, network, and cloud based sensors can only do so much: telecommunications providers, themselves, need to prioritize ensuring their core networks are protected against the classes of adversaries trying to penetrate them.2

At the same time, it is worth recognizing that end to end communications continued to be protected even in the face of Salt Typhoon’s actions. This speaks the urgent need to ensure that these forms of communications security continue to be available to all users. We often read that law enforcement needs select access to such communications and that they can be trusted to not abuse such exceptional access.

Setting aside the vast range of legal, normative, or geopolitical implications of weakening end to end encryption, cyber operations like the one perpetrated by Salt Typhoon speak to governments’ collective inabilities to protect their lawful access systems. There’s no reason to believe they’d be any more able to protect exceptional access measures that weakened, or otherwise gained access to, select content of end to end encrypted communications.

  1. I have discussed these sensors elsewhere, including in “Unpacking NSICOP’s Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack”. Historical information about these sensors, which were previously referred to under the covernames of CASCADE, EONBLUE, and PHOTONICPRISM, is available at the SIGINT summaries. ↩︎
  2. We are seeing some governments introducing, and sometimes passing, laws that would foster more robust security requirements. In Canada, Bill C-26 is generally meant to do this though the legislation as introduced raised some serious concerns. ↩︎
Categories
Links Writing

The Ongoing Problems of Placing Backdoors in Telecommunications Networks

In a cyber incident reminiscent of Operation Aurora,1 threat actors successfully penetrated American telecommunications companies (and a small number of other countries’ service providers) to gain access to lawful interception systems or associated data. The result was that:

For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk. The attackers also had access to other tranches of more generic internet traffic, they said.

The surveillance systems believed to be at issue are used to cooperate with requests for domestic information related to criminal and national security investigations. Under federal law, telecommunications and broadband companies must allow authorities to intercept electronic information pursuant to a court order. It couldn’t be determined if systems that support foreign intelligence surveillance were also vulnerable in the breach.

Not only is this a major intelligence coup for the adversary in question, but it once more reveals the fundamental difficulties in deliberately establishing lawful access/interception systems in communications infrastructures to support law enforcement and national security investigations while, simultaneously, preventing adversaries from taking advantage of the same deliberately-designed communications vulnerabilities.

  1. Or Greece’s 2004 Olympics wiretap scandal. ↩︎
Categories
Links

New Details About Russia’s Surveillance Infrastructure

Writing for the New York Times, Krolik, Mozur, and Satariano have published new details about the state of Russia’s telecommunications surveillance capacity. They include documentary evidence in some cases of what these technologies can do, including the ability to:

  • identify if mobile phones are proximate to one another to detect meetups
  • identify whether a person’s phone is proximate to a burner phone, to de-anonymize the latter
  • use deep packet inspection systems to target particular kinds of communications metadata associated with secure communications applications

These types of systems are appearing in various repressive states and are being used by their governments.

Similar systems have long been developed in advanced Western democratic countries which leads me to wonder whether what we’re seeing from authoritarian countries will ultimately usher in the use of similar technologies in higher rule-of-law states or if, instead, Western companies will merely export the tools without them being adopted in the countries developing them.

In effect, will the long-term result of revealing authoritarian capabilities lead to the gradual legitimization of their use in democratic countries so long as using them is tied to judicial oversight?

Categories
Links Writing

Who Benefits from 5G?

The Financial Times (FT) ran a somewhat mixed piece on the future of 5G. The thesis is that telecom operators are anxious to realise the financial benefits of 5G deployments but, at the same time, these benefits were always expected to come in the forthcoming years; there was little, if any, expectation that financial benefits would happen immediately as the next-generation infrastructures were deployed.

The article correctly notes that consumers are skeptical of the benefits of 5G while, also, concluding by correctly stating that 5G was really always about the benefits that 5G Standalone will have for businesses. This is, frankly, a not great piece in terms of editing insofar as it combines two relatively distinct things without doing so in a particularly clear way.

5G Extended relies on existing 4G infrastructures. While there are theoretically faster speeds available to consumers, along with a tripartite spectrum band segmentation that can be used,1 most consumers won’t directly realise the benefits. One group that may, however, benefit (and that was not addressed at all in this piece) are rural customers. Opening up the lower-frequency spectrum blocks will allow 5G signals to travel farther with the benefit significantly accruing to those who cannot receive new copper, coax, or fibre lines. This said, I tend to agree with the article that most of the benefits of 5G haven’t, and won’t, be directly realised by individual mobile subscribers in the near future.2

5G Standalone is really where 5G will theoretically come alive. It’s, also, going to require a whole new way of designing and securing networks. At least as of a year or so ago, China was a global leader here but largely because they had comparatively poor 4G penetration and so had sought to leapfrog to 5G SA.3 This said, American bans on semiconductors to Chinese telecoms vendors, such as Huawei and ZTE, have definitely had a negative effect on the China’s ability to more fully deploy 5G SA.

In the Canadian case we can see investments by our major telecoms into 5G SA applications. Telus, Rogers, and Bell are all pouring money into technology clusters and universities. The goal isn’t to learn how much faster consumers’ phones or tablets can download data (though new algorithms to better manage/route/compress data are always under research) but, instead, to learn how how to take advantage of the more advanced business-to-business features of 5G. That’s where the money is, though the question will remain as to how well telecom carriers will be able to rent seek on those features when they already make money providing bandwidth and services to businesses paying for telecom products.

  1. Not all countries, however, are allocating the third, high-frequency, band on the basis that its utility remains in doubt. ↩︎
  2. Incidentally: it generally just takes a long, long time to deploy networks. 4G still isn’t reliably available across all of Canada, such as in populated rural parts of Canada. This delay meaningfully impedes the ability of farmers, as an example, to adopt smart technologies that would reduce the costs associated with farm and crop management and which could, simultaneously, enable more efficient crop yields. ↩︎
  3. Western telecoms, by comparison, want to extend the life of the capital assets they purchased/deployed around their 4G infrastructures and so prefer to go the 5G Extended route to start their 5G upgrade path. ↩︎
Categories
Links Quotations

What’s worse than a cookie? A ‘perma-cookie’

What’s worse than a cookie? A ‘perma-cookie’:

Last fall, Verizon in the U.S. was found to be using the headers to cash in on the mobile advertising market and deliver targeted ads to customers.

It was later revealed that other advertisers, unaffiliated with Verizon’s own advertising program, were taking advantage of the headers to then track and target cellphone users for ads, even if customers had opted out.

Privacy experts also worry about the potential for governments and criminals to hijack the data.

Christopher Parsons, the managing director of a telecom transparency project run out of the Citizen Lab at the University of Toronto, says that national security services and agencies “already track Canadians, Americans and citizens of other nations using unencrypted identifying information and there’s no reason to believe they wouldn’t use perma-cookies for similar tracking purposes.”

 

Categories
Links

Rogers reports sharp drop in police demands for customer data

Rogers reports sharp drop in police demands for customer data:

Christopher Parsons, a researcher at the University of Toronto’s Citizen Lab, said Rogers’ commitment to regularly releasing such data is commendable. Yet, he argued the company could go even further with certain aspects of its report, such as including information about when it discloses to customers that a law enforcement request has been made.

He noted that authorities are required to notify individuals who have been subject to wiretap requests or any intercept of live information. However, he said requests for stored data do not trigger a statutory requirement to inform the person that they were under investigation and unless the information is introduced in a court proceeding, they would never know.

“Rogers could advance the privacy discussion in Canada that much more by trying to push government and law enforcement agencies to let the company disclose that their customers were subject to a request,” Mr. Parsons said.

 

Categories
Links

Police asked telcos for client data in over 80% of criminal probes

Police asked telcos for client data in over 80% of criminal probes:

In recent years, civil liberty advocates, journalists and Canada’s privacy watchdog have repeatedly sought details on the frequency with which telecom companies hand over data to police officers.

Not all are convinced that the 80-95 per cent estimate is accurate.

“How exactly did they derive such high numbers? What is the methodology?” asks Chris Parsons, a post-doctoral fellow at Citizen Lab, an academic unit at the University of Toronto’s Munk School of Global Affairs.

“If it is sound, that indicates an incredibly high rate, assuming that all crimes or all investigations are some way linked with telecommunications data.”

Last year, TekSavvy, Rogers and Telus became the first telecommunications companies to release transparency reports — following in the footsteps of their U.S. counterparts and spurred to action by a questionnaire sent by a group of academics led by Parsons. Bell Canada was alone among the large telcos not to issue a report.

Previously released government documents suggested that Public Safety officials worried that the firms might divulge “sensitive operational details” in their reports.

The federal department sought advice on whether any potential legal issues might exist around the disclosure of how telecommunication companies interacted with police, the newly released ministerial briefing says.

“If I were being very charitable, it could be a way to assuage the concerns that ISPs [internet service providers] may have had,” said Parsons. “Less charitably, it could also mean that Public Safety was interested in seeing if there was a way to prevent the reports from coming out.”

Many internet and phone service providers cited potential legal issues — along with a litany of other reasons — as why they failed to disclose any figures.

 

Categories
Links

Evening Brief: Tuesday, May 26, 2015

Evening Brief: Tuesday, May 26, 2015:

A new report from Citizen Lab at the Munk School says “Canadian telecommunications providers have been handing over vast amounts of customer information to law enforcement and government departments and agencies with little transparency or oversight,” reports CBC. “We conclude that serious failures in transparency and accountability indicate that corporations are failing to manage Canadians’ personal information responsibly,” says the report. “Access to our private communications is incredibly sensitive,” said Christopher Parsons, lead author of the study and a postdoctoral researcher at Citizen Lab.

Categories
Links

Mapping The Canadian Government’s Telecommunications Surveillance

Mapping The Canadian Government’s Telecommunications Surveillance:

What:

Canadian federal government agencies, like many government agencies around the world, often request user data from telecommunications agencies for the purpose of surveillance. With few regulations in place that force governments or corporations to explain how Canadians’ telecommunications information is accessed or processed, the Citizen Lab along with its’ partners, worked over the course of a year to compile and disseminate lawfully accessible data that showed how often, for what reasons, and on what legal grounds telecommunications companies in Canada provided their subscribers’ data to state agencies.

The Electronic Frontier Foundation has a series of Counter-Surveillance Success Stories and my work over the past year’s been recognized in the stories. It’s really exceptional the excellent work that people are doing all around the world – you should check them all out!