Posts

  • CSIS’s New Powers Demand New Accountability Mechanisms

    6165458242_97e0572d03_oThe Government of Canada recently tabled Bill C-44, the Protection of Canada from Terrorists Act, in response to a series of court defeats concerning how the Canadian Intelligence and Security Service (CSIS) collects intelligence about Canadian residents. The federal courts took CSIS to task after Justice Richard Mosley realized that warrants issued to CSIS, which enabled CSIS to collaborate with Canada’s foreign signal intelligence agency to monitor Canadians abroad, were also being used to enlist the assistance of other nations’ signals intelligence agencies. In addition to the warrants not being issued with such foreign collaboration in mind there was — and remains — a judicial belief that CSIS’ lawyers deliberately misled the court when requesting the warrants.

    The tabled legislation would not alleviate the ruling that CSIS lawyers misled the court. It would, however, authorize CSIS to apply for warrants which authorize the service to monitor Canadians abroad even if doing so would violate the laws of foreign nations. Moreover, CSIS would be empowered to request the assistance of foreign organizations in monitoring the aforementioned Canadians. The Act would also provide the government the power to prevent courts from publicly examining informants as well as to revoke citizenship under certain situations. Finally, the legislation further clarifies (and arguably extends) prohibitions on revealing the identity of CSIS officers.

    A host of academics and lawyers have examined and critiqued the legislation thus far. In summary, they have raised the following concerns:

    In addition to these concerns, many public commentators have argued that the proposed legislation should be designed to enhance oversight and review of CSIS’ activities. The current review mechanism, the Security Intelligence Review Committee (SIRC), has been woefully neglected by the Government of Canada for some time. It currently only has three of five committee members, with one past Chair fighting extradition to Canada and another having resigned from the Committee after the press realized he was a registered lobbyist. Moreover, SIRC’s recent report indicates that CSIS is sometimes resistant to cooperating with its Review Committee.

    In principle I agree that further review and oversight is required of Canada’s security, intelligence, and law enforcement agencies. In the case of CSIS and Canada’s signals intelligence agency, demonstrating that they are only monitoring Canadians in legally authorized ways and that collected information is subject to strict limitations of access and use gives Canadians reason to trust the agencies. Moreover, by including political review of these agencies it would be possible to remediate activities before they unnecessarily infringe on Charter rights and freedoms or cause Canada to violate its human rights obligations.

    Establishing such review and oversight processes are unlikely given the current political climate in Ottawa. Perhaps more modestly, Bill C-44 could be amended to include a statutory reporting requirement. Specifically, CSIS could be required to provide yearly reports that detail its request for, and use of, its new warrant powers to monitor Canadians abroad, to work with foreign partners, and to violate foreign laws. In addition to reporting on the Service’s use of these powers another amendment could fill an existing reporting gap at the same time: the Service could be required to provide yearly reports on its access to Call Detail Records (CDRs) and subscriber data. While CSIS presumably avails itself of these kinds of records, today, there are no statutory requirements for the Service (or any other government agency) to record and report how often it requests, and receives, access to such data either under emergency circumstances, by warrant, or by using other statutory instruments.

    Such statutory reporting is important because it would reveal the regularity at which some of the most invasive kinds of surveillance are actually used by state agencies in the course of their operations. And it would reveal the face of contemporary surveillance to Canadians: do wiretaps still reign supreme (answer: no) or do other techniques (answer: yes). And, with aggregated data on the public record a real debate about the extent of contemporary surveillance could take place that is based on evidence and not rhetoric, concern, fear, or guesswork.

    Each year the federal government and provinces are required to table reports on how often private communications are intercepted and such reports do not impair government agencies’ abilities to monitor private communications. The reports do, however, show Canadians the rationales for such surveillance, the utility of the surveillance, and the number of Canadians affected by the surveillance each year. The creation of similar reports that addressed foreign monitoring, call detail records, and access to subscriber records could alleviate Canadians’ concerns similar to how wiretap reports alleviate worries that wiretaps are used excessively and inappropriately. Moreover, expanded statutory reporting would let citizens or parliamentarians raise concerns if, suddenly, there were unexplainable increases of the surveillance powers.

    Statutory reporting adds cost to the government’s surveillance practices but all efforts to ensure that the government is acting appropriately bear some cost. And given that currently tabled legislation would significantly increase the legal tools available to CSIS (and, presumably, require increasing CSIS’ budgets so the Service could take advantage of the powers) it makes sense to establish measures to gauge how widely used, and how important, these powers are to the Service’s operations. And while increasing oversight bodies could be expensive the costs of statutory reporting would be comparatively minimal.

    It is imperative that the Canadian public trust that CSIS is not acting in a lawless manner. And while improving how SIRC functions, or adding Parliamentary review, could regain or maintain that trust, a more cost-sensitive approach could involve statutory reporting. Regardless, something must be done to ensure that CSIS’ actions remain fully accountable to the public, especially given the new powers the Service may soon enjoy. Doing anything less would irresponsibly expand the state’s surveillance capabilities and threaten to dilute the public’s trust in its intelligence and security service.

  • Advancing Encryption for the Masses

    CryptographyEdward Snowden’s revelations have made it incredibly obvious that signals intelligence agencies have focused a lot of their time and energy in tracking people as they browse the web. Such tracking is often possible at a global scale because so much of the data that crosses the Internet is unencrypted. Fortunately, the ease of such surveillance is being curtailed by large corporations and advocacy organizations alike.

    Today, WhatsApp and Open Whisper Systems announced they have been providing, and will continue to deploy, what’s called ‘end to end’ encryption to WhatsApp users. This form of encryption ensures that the contents of subscribers’ communications are be secured from third-party content monitoring as it transits from a sender’s phone to a recipient’s device.

    As a result of these actions, WhatsApp users will enjoy a massive boost in their communications security. And it demonstrates that Facebook, the owner of WhatsApp, is willing to enhance the security of its users even when such actions are likely to provoke and upset surveillance-hawks around the world who are more interested in spying on Facebook and WhatsApp subscribers than in protecting them from surveillance.

    A separate, but thematically related, blog post the Electronic Frontier Foundation announced the creation of a new Certificate Authority (CA) initiative called ‘Let’s Encrypt’. Partnering with the Electronic Frontier Foundation are Mozilla, Cisco, Akamai, Identrust, and researchers at the University of Michigan. CAs issue the data files that are used to cryptographically secure communications between clients (like your web browser) and servers (like EFF.org). Such encryption makes it more challenging for another party to monitor what you are sending to, and receiving from, a server you are visiting.

    Key to the ‘Let’s Encrypt’ initiative is that the issued certificates will be free and installable using a script. The script is meant to automate the process of requesting, configuring, and installing the certificate. Ideally, this will mean that people with relatively little experience will be able to safely and securely set up SSL-protected websites. Academic studies have shown that even those with experience routinely fail to properly configure SSL-protections.

    The aim of both of these initiatives is to increase the ‘friction’, or relative difficulty, in massively monitoring chat and web-based communications. However, it is important to recognize that neither initiative can be considered a perfect solution to surveillance.

    In the case of WhatsApp and Open Whisper Systems, end to end encryption does not fix the broader problems of mobile security: if an adversary can take control of a mobile device, or has a way of capturing text that is typed into or that is displayed on the screen when you’re using WhatsApp, then any message sent or received by the device could be susceptible to surveillance. However, there is no evidence that any government agency in the world has monitored, or is currently capable of monitoring, millions or billions of devices simultaneously. There is evidence, however, of government agencies aggressively trying to monitor the servers and Internet infrastructure that applications like WhatsApp use in delivering messages between mobile devices.

    Moreover, it’s unclear what Facebook’s or WhatsApp’s reaction would be if a government agency tried to force the delivery of a cryptographically broken or weakened version of WhatsApp to particular subscribers using orders issued by American, European, or Canadian courts. And, even if the companies in question fought back, what would they do if they lost the court case?

    Similarly, the ‘Let’s Encrypt’ initiative relies on a mode of securing the Internet that is potentially susceptible to state interference. Governments or parties affiliated with governments have had certificates falsely issued in order to monitor communications between client devices (e.g. smartphones) and servers (e.g. Gmail). Moreover, professional developers have misconfigured commerce backends to the effect of not checking whether the certificate used to encrypt a communication belong to the right organization (i.e. not checking that the certificate used to communicate with Paypal actually belongs to Paypal). There are other issues with SSL, including a poor revocation checking mechanism, historical challenges in configuring it properly, and more. Some of these issues may be defrayed by the ‘Let’s Encrypt’ initiative because of the members’  efforts to work with the Decentralized SSL Observatory, scans.io, and Google’s Certificate Authority logs, but the initiative — and the proposals accompanying it — is not a panacea for all of the world’s online encryption problems. But it will hopefully make it more difficult for global-scale surveillance that is largely predicated on monitoring unencrypted communications between servers and clients.

    Edward Snowden was deeply concerned that the documents he brought to light would be treated with indifference and that nothing would change despite the documents’ presence in the public record. While people may be interested in having more secure, and more private, communications following his revelations those interests are not necessarily translated into an ability for people to secure their communications. And the position that people must either embark on elaborate training regimes to communicate securely or just not say sensitive things, or visit sensitive places, online simply will not work: information security needs to work with at least some of the tools that people are using in their daily lives while developing new and secure ones. It doesn’t make sense to just abandon the public to their own devices while the ‘professionals’ use hard-to-use ’secured’ systems amongst themselves.

    The work of WhatsApp, Facebook, Open Whisper Systems, the Electronic Frontier Foundation, and that other members of the ‘Let’s Encrypt’ initiative can massively reduce the challenges people face when trying to communicate more responsibly. And the initiatives demonstrate how the cryptographic and communications landscape is shifting in the wake of Snowden’s revelations concerning the reality of global-scale surveillance. While encryption was ultimately thrown out of the original design specifications for the Internet it’s great to see that cryptography is starting to get bolted onto the existing Internet in earnest.

  • Microsoft’s OneDrive Storage Expands NSA Surveillance

    spigget_dispersive_prism_illustration

    Earlier this month Microsoft announced that its Office 365 subscribers would be able to upload an unlimited amount of data into Microsoft’s cloud-based infrastructure. Microsoft notes that the unlimited data storage capacity is:

    just one small part of our broader promise to deliver a single experience across work and life that helps people store, sync, share, and collaborate on all the files that are important to them, all while meeting the security and compliance needs of even the most stringent organizations.

    Previously, subscribers could store up to 1TB of data in OneDrive. The new, unlimited storage model, creates new potential uses of the Microsoft cloud including even “wholesale backup of their computer hard drives, or even of their local backup drives”. And, given OneDrive’s integration with contemporary Windows operating systems there is the opportunity for individuals to expand what they store to the Cloud so it can be accessed on other devices.

    While the expanded storage space may be useful to some individuals and organizations, it’s important to question Microsoft’s assertion that OneDrive meets the most stringent organization’s security and compliance needs. One reason to question these assertions arise out of a memo that was disclosed by National Security Agency (NSA) whistleblower Edward Snowden. The memo revealed that:

    NSA Memo on Microsoft enabling SIGINT Access to SkyDrive

    As summarized by the Electronic Frontier Foundation, Section 702 of the FISA Amendments Act which is mentioned in the NSA memo is extremely permissive. The section has been used to authorize:

    • collection of Americans’ phone records without a warrant;
    • access to large portions of Internet traffic that moves through American servers;
    • disclosure of collected information to other parties (e.g. the Drug Enforcement Agency);

    European policy analysts agree that Section 702 is overly permissive(.pdf) and argue that the definitions used in the section are so general that “any data of assistance to US foreign policy is eligible, including expressly political surveillance over ordinary lawful democratic activities.” The scope of surveillance was made worse as a result of the FISA Amendments Act 2008. While the FAA 2008 is perhaps best known for providing legal immunity to companies which participated in the warrantless wiretapping scandal, it also expanded the scope of NSA surveillance. Specifically:

    [b]y introducing “remote computing services” (a term defined in ECPA 1986 dealing with law enforcement access to stored communications), the scope was dramatically widened communications and telephony to include Cloud computing (.pdf source).

    Microsoft’s expansion of OneDrive storage limits is meant to enhance its existing consumer cloud offerings. And such cloud storage can produce workplace efficiencies by simplifying access to documents, protecting against device loss, and externalizing some security-related challenges.

    However, if subscribers take advantage of the new unlimited storage and send ever-increasing amounts of data into Microsoft’s clod, then there will be a much greater amount of information that is readily available to the NSA (and other allied SIGINT agencies). And given that Section 702 authorizes surveillance of foreign political activities there is a real likelihood that data content which was previously more challenging for NSA to access will now be more readily available to interception and analysis.

    Signals intelligence agencies, such as the NSA, are likely not top of mind threats to individuals around the world. However, Microsoft’s willingness to manufacture government access to personal and business data should give people pause before they generate sensitive documents, share or store intimate photos, or otherwise place important data in Microsoft’s cloud infrastructure. Any company so willing to engineer its users’ privacy out of personal and enterprise services alike must be treated with a degree of suspicion and its product announcement and security assurances with extremely high levels of skepticism.

  • It’s Time for BlackBerry to Come Clean

    BlackBerry N10On April 10, 2014, Blackberry’s enterprise chief publicly stated that his company had no intention of releasing transparency reports concerning how often, and under what terms, the company has disclosed Blackberry users’ personal information to government agencies. BlackBerry’s lack of transparency stands in direct contrast to its competitors: Google began releasing transparency reports in 2009, and Apple and Microsoft in 2013. And BlackBerry’s competitors are rigorously competing on personal privacy as well, with Apple recently redesigning their operating system to render the company unable to decrypt iDevices for government agencies and having previously limited its ability to decrypt iMessage communications. Google will soon be following Apple’s lead.

    So, while Blackberry’s competitors are making government access to telecommunications data transparent to consumers and working to enhance their users’ privacy, BlackBerry remains tight-lipped about how it collaborates with government agencies. And as BlackBerry attempts to re-assert itself in the enterprise market — and largely cede the consumer market to its competitors — it is unclear how it can alleviate business customers’ worries about governments accessing BlackBerry-transited business information. Barring the exceptional situation where data from BlackBerry’s network is introduced as evidence in a court process businesses have no real insight of the extent to which Blackberry is compelled to act against its users’ interests by disclosing information to government agencies. And given that the company both owns an underlying patent for, and integrated into its devices’ VPN client, a cryptographic algorithm believed vulnerable to surreptitious government spying it’s not enough to simply refuse to comment on why, and the extent to which, BlackBerry is compelled to help governments spy on its customer base.

    We know that BlackBerry has been legally and politically bludgeoned into developing, implementing, and providing training courses on intercepting and censoring communications sent over its network. At the same time, we know that many employees at BlackBerry genuinely care about developing secure products and delivering them to the world; reliable, secure, and productive communications products are ostensibly the lifeblood that keeps the company afloat. So why, knowing what we know about the company’s ethos and the surveillance compulsions it has faced in the past, is it so unwilling to be honest with its current and prospective enterprise customers and develop transparency reports: for fear that customers would flee the company upon realizing the extent to which BlackBerry communications are accessed or monitored by governments, because of gag-orders they’ve agreed to in order to sell products in less-democratic nations, or just because they hold their customers is contempt?

Back to top