Archive for Privacy

How Long Does CSEC Keep The Private Data Of Canadians?

Posted in Commentary on August 5, 2014 by itnerd

That’s a question being asked today as The Globe And Mail is reporting that CSEC, or the Communications Security Establishment, which is the Canadian version of the NSA, won’t say how long it keeps the private data of Canadians:

The federal government’s secretive electronic intelligence agency is not disclosing how long it can hold onto Canadians’ communications – even though its leaders have said that “firm” time limits are in place to protect privacy.

The strictures surrounding Communications Security Establishment Canada’s data-retention periods – including those affecting recognized “private communications” and also “metadata” – are blacked out from an operational document obtained by The Globe and Mail.

The redactions of this document are so extensive that little is revealed, beyond the latest indication that CSEC is drawing from unspecified sources within Canada.

“The retention schedules outlined in these procedures deal with SIGINT [signals intelligence] data acquired from Canadian [word redacted] sources,” it says.

Basically, CSEC is saying “trust us.” The problem is that without complete (or as complete as you’re going to get in the spy game) disclosure of what they do with this data, it’s hard to trust them. Even the NSA has limits for this sort of thing:

No specific time periods were mentioned. And the Canadian agency’s closest ally is less secretive on such matters. “Inadvertently acquired communications of or concerning a United States person may be retained no longer than five years,” reads a declassified National Security Agency document.

So, one has to wonder why CSEC hasn’t got something similar. It’s too bad that someone can’t ask them and expect a fulsome response.

Private Data Often Caught Up In Canadian Intelligence Sweeps: Globe & Mail

Posted in Commentary on July 31, 2014 by itnerd

The Globe And Mail is reporting today that when the Communications Security Establishment Canada goes looking for hackers and other cyber criminals, the private info of Canadians who have nothing to do with said evil doers often gets caught up in the sweep:

A 22-page “Operational Procedures for Cyber Defence” document obtained by The Globe speaks to just how Communications Security Establishment Canada (CSEC) can log, store and study volumes of electronic communications that touch government computer networks – including the “private communications” of Canadians not themselves thought to be hackers.

Full details about the tradeoffs involved in CSEC’s operations are known only to one outsider – Minister of National Defence Rob Nicholson, the official who approves such surveillance, and who is provided with statistics about its risks.

That’s not good. I’m all for making sure that Canada is safe from cyber threats. But when it affects the personal info of Canadians, I think that’s when you have to start looking closer at this to see if that can be avoided:

“We need to start asking a lot of questions about how the cybersecurity part of the CSEC mandate is being carried out,” said Tamir Israel, a lawyer at an Internet-policy think tank in Ottawa.

Thus, I think this needs to be discussed in the open in a robust manner as I believe that the privacy of Canadians cannot be sacrificed just to get the bad guys.

Agree? Disagree? Please leave a comment and share your thoughts.

Here’s A List Of Sites That Do Canvas Fingerprinting…. All 5,619 Of Them

Posted in Commentary on July 24, 2014 by itnerd

So, if you’re scared of Canvas Fingerprinting, and you’re not blocking it using AdBlock Plus, there’s another way to deal with this privacy menace. Simply avoid sites that use it. How do you do that? Here’s a list of 5,619 websites that used the technology during May 1-5, 2014, created by a group of researchers that looked into this technology. Besides porn sites, 48 government sites have Canvas Fingerprinting code, as there are .gov domains listed here. That’s very unsettling.

Also, if you’re the curious type, check out the project website for background information about canvas fingerprinting and other advanced tracking mechanisms such as evercookies and the use of “cookie syncing” in conjunction with evercookies. It will make you not want to surf the Internet.

AdBlock Plus Claims It Can Stop Canvas Fingerprinting

Posted in Commentary on July 23, 2014 by itnerd

This morning, I posted a story about Canvas Fingerprinting, a method of online tracking that is impossible to detect and impossible to stop. Well, AdBlock Plus, who makes a tool to allow you to surf the web without getting ads and the like, says they can stop Canvas Fingerprinting, and cookies as an added bonus. They have a blog post that goes into detail about what Canvas Fingerprinting is and how it works. Then they tell you how they can help:

When you add the EasyPrivacy filter list in Adblock Plus this won’t make Adblock Plus block tracking cookies directly. Instead, Adblock Plus will block the script that would try to set these cookies. And guess what: blocking that script doesn’t just prevent cookie-based tracking, it also lets you deal with canvas fingerprinting or evercookie or any other tracking approach. In particular, the rules to prevent AddThis tracking were added to EasyPrivacy almost five years ago.

Now I haven’t tried this so I can’t vouch for whether this works or not. Thus I would like to see a third party test this out empirically to see if it does work. If it does, perhaps we’ll feel safer when surfing the web…. Until the next person finds a way to monitor your activities without you knowing about it and being unable to stop them.

New Technology Tracks Your Web Usage Without Your Knowledge

Posted in Commentary on July 23, 2014 by itnerd

The Globe And Mail is reporting on a new technology that is rapidly spreading through major websites that not only tracks you without your knowledge, but there’s no way for you to evade it:

Canvas fingerprinting, which can command your browser to draw a unique identifier and then log your online behaviour, is nearly impossible to detect, does not fall under “do not track” voluntary systems and evades most conventional ad-blocking software. It is already tracking users on 5 per cent of the biggest sites on the Internet, including The White House, Starbucks, Re/Max Canada, Canadian retailers Metro and Home Hardware, Postmedia website, as well as a number of pornography sites.

That’s not encouraging. If you read the complete article, you’ll see how chilling this is. At least with conventional technologies, you can evade them by clearing cookies or setting the “do not track” option on your web browser of choice correctly. Now, all that is off the table. What’s also interesting is that when websites were contacted about why they were using Canvas fingerprinting, most of them yanked it out or committed to doing so quickly. That sounds like they got caught with their hand in the metaphorical cookie jar.

What this proves is something that I’ve been saying for a while now. You should have no reasonable expectation of privacy anymore. It doesn’t exist. You can also bet that even if Canvas fingerprinting disappears (which it won’t), there will be some other technology that will be even more invasive and even more stealthy to replace it.
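The quoted article describes a script commanding the browser to draw an identifier; to use it, the script then has to read the rendered pixels back, and that draw-then-read-back sequence is observable from an instrumented browser, which is one way a crawler or extension can flag it. The JavaScript below is an added example, not code from this blog, the researchers or AdBlock Plus; the thresholds, the mock canvas and every function name are assumptions made for illustration.

```javascript
// Added example: heuristic canvas-fingerprinting monitor; thresholds are assumed.
const MIN_SIDE = 16;    // skip tiny canvases (e.g. emoji support probes)
const MIN_GLYPHS = 10;  // fingerprint text uses many distinct characters

// Wrap a canvas so text draws and pixel read-backs are recorded in `log`.
function instrument(canvas, log) {
  const seen = new WeakSet();
  const getContext = canvas.getContext.bind(canvas);
  canvas.getContext = (...args) => {
    const ctx = getContext(...args);
    if (!ctx || args[0] !== '2d' || seen.has(ctx)) return ctx;
    seen.add(ctx);
    for (const name of ['fillText', 'strokeText']) {
      const original = ctx[name].bind(ctx);
      ctx[name] = (text, ...rest) => {
        log.push({ op: 'write', text: String(text) });
        return original(text, ...rest);
      };
    }
    return ctx;
  };
  const toDataURL = canvas.toDataURL.bind(canvas);
  canvas.toDataURL = (mime = 'image/png', ...rest) => {
    log.push({ op: 'read', mime, w: canvas.width, h: canvas.height });
    return toDataURL(mime, ...rest);
  };
  return canvas;
}

// True when enough distinct text was drawn and then read back losslessly.
function looksLikeFingerprinting(log) {
  const glyphs = new Set();
  for (const e of log) {
    if (e.op === 'write') { for (const ch of e.text) glyphs.add(ch); continue; }
    if (glyphs.size >= MIN_GLYPHS && e.mime !== 'image/jpeg' &&
        e.w >= MIN_SIDE && e.h >= MIN_SIDE) return true;
  }
  return false;
}

// Constructed stand-in for an HTMLCanvasElement so this runs in Node.
function mockCanvas(width, height) {
  const ctx = { fillText() {}, strokeText() {} };
  return { width, height, getContext: () => ctx, toDataURL: () => 'data:,' };
}

// Run a page script against an instrumented canvas and classify it.
function observe(width, height, script, log = []) {
  script(instrument(mockCanvas(width, height), log));
  return looksLikeFingerprinting(log);
}
```

In a real browser the same wrappers would be installed on `HTMLCanvasElement.prototype` before any page script runs, and the log would also record which script URL made each call.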

“Millions” Of Data Requests From Canadian Police: Toronto Star

Posted in Commentary on July 22, 2014 by itnerd

The Toronto Star, via some newly released documents, is reporting that law enforcement in Canada have requested data on Canadians from telecommunication companies “millions” of times dating back to 2006:

Internal documents from Public Safety Canada reveal authorities requested telecom companies to turn over “basic subscriber information” at least 1.13 million times a year between 2006 and 2008.

That figure matches revelations from the federal privacy watchdog earlier this year that authorities sought subscriber information 1.2 million times in 2011.

“It suggests that there have been huge numbers of requests for years now taking place largely below the radar screen . . . without very much public awareness,” said Michael Geist, a University of Ottawa law professor and Star columnist, who obtained the documents.

So, what info are they getting? Here’s a partial list:

“Basic subscriber information” can include details like name, address, Internet protocol (IP) address, telephone number, email address and local service provider identity. The federal government and law enforcement agencies have argued this amounts to “phonebook information” — police seem to generally request names and addresses — but privacy advocates warn it can lead authorities to more personal and detailed information.

To top it off, some of these requests are made without a warrant:

In the documents, the RCMP said they do not track the number of “informal” warrantless requests — verbal or written — for “customer name and address” information.

“Police do not know across Canada, in all jurisdictions, how many (customer name and address) requests (telecoms) are answering voluntarily each year,” the documents state.

That should be cause for concern. But one that may be solved by the recent Supreme Court Of Canada decision that requires a warrant for accessing this type of info. But it still remains an open question as to how the Canadian Government is going to deal with this decision as that may once again change the landscape when it comes to this issue. Regardless, I believe that this illustrates the need for increased transparency on this issue. Canadians, except for a handful of cases, should know how and when information about them is being accessed by their government or by someone related to government such as law enforcement. Not having that transparency creates the impression that government and law enforcement are simply doing whatever they want with no rules, boundaries, or limitations. And that is not good for all concerned.

Rogers Updates Policies Related To Lawful Access Of Customer Info

Posted in Commentary on July 16, 2014 by itnerd

About a month ago, I wrote about Rogers and Teksavvy releasing transparency reports that show how often law enforcement requests customer data and what data is handed over. Rogers today reached out to me with an update:

After hearing feedback from our customers and reviewing the Supreme Court ruling from last month, we’ve decided that from now on we will require a court order/warrant to provide basic customer information to law enforcement agencies, except in life threatening emergencies. We believe this move is better for our customers and that law enforcement agencies will still be able to protect the public.

We’ve updated our blog post on Rogers Redboard to let customers know about the change.

Transparency Report blog post:

The Supreme Court ruling that’s being referred to is this one and it states that Canadian ISPs cannot hand over customer info to police without a warrant. What I like about this is there is no ambiguity as to where Rogers stands on this subject. I would like to see other ISPs in Canada do the same thing. Strangely, I have not seen anything like this from any other ISP other than the transparency report put out by Teksavvy. I can’t say why that is the case, but I hope that changes.
