Archive for Privacy

How Long Does CSEC Keep The Private Data Of Canadians?

Posted in Commentary on August 5, 2014 by itnerd

That’s a question being asked today, as The Globe And Mail is reporting that CSEC, the Communications Security Establishment, which is the Canadian version of the NSA, won’t say how long it keeps the private data of Canadians:

The federal government’s secretive electronic intelligence agency is not disclosing how long it can hold onto Canadians’ communications – even though its leaders have said that “firm” time limits are in place to protect privacy.

The strictures surrounding Communications Security Establishment Canada’s data-retention periods – including those affecting recognized “private communications” and also “metadata” – are blacked out from an operational document obtained by The Globe and Mail.

The redactions of this document are so extensive that little is revealed, beyond the latest indication that CSEC is drawing from unspecified sources within Canada.

“The retention schedules outlined in these procedures deal with SIGINT [signals intelligence] data acquired from Canadian [word redacted] sources,” it says.

Basically, CSEC is saying “trust us.” The problem is that without complete (or as complete as you’re going to get in the spy game) disclosure of what they do with this data, it’s hard to trust them. Even the NSA has limits for this sort of thing:

No specific time periods were mentioned. And the Canadian agency’s closest ally is less secretive on such matters. “Inadvertently acquired communications of or concerning a United States person may be retained no longer than five years,” reads a declassified National Security Agency document.

So, one has to wonder why CSEC hasn’t got something similar. It’s too bad that someone can’t ask them and expect a fulsome response.

Private Data Often Caught Up In Canadian Intelligence Sweeps: Globe & Mail

Posted in Commentary on July 31, 2014 by itnerd

The Globe And Mail is reporting today that when the Communications Security Establishment Canada goes looking for hackers and other cyber criminals, the private info of Canadians who have nothing to do with said evil doers often gets caught up in the sweep:

A 22-page “Operational Procedures for Cyber Defence” document obtained by The Globe speaks to just how Communications Security Establishment Canada (CSEC) can log, store and study volumes of electronic communications that touch government computer networks – including the “private communications” of Canadians not themselves thought to be hackers.

Full details about the tradeoffs involved in CSEC’s operations are known only to one outsider – Minister of National Defence Rob Nicholson, the official who approves such surveillance, and who is provided with statistics about its risks.

That’s not good. I’m all for making sure that Canada is safe from cyber threats. But when it affects the personal info of Canadians, I think that’s when you have to start looking closer at this to see if that can be avoided:

“We need to start asking a lot of questions about how the cybersecurity part of the CSEC mandate is being carried out,” said Tamir Israel, a lawyer at an Internet-policy think tank in Ottawa.

Thus, I think this needs to be discussed in the open in a robust manner as I believe that the privacy of Canadians cannot be sacrificed just to get the bad guys.

Agree? Disagree? Please leave a comment and share your thoughts.

Here’s A List Of Sites That Do Canvas Fingerprinting…. All 5,619 Of Them

Posted in Commentary on July 24, 2014 by itnerd

So, if you’re scared of Canvas Fingerprinting, and you’re not blocking it using AdBlock Plus, there’s another way to deal with this privacy menace. Simply avoid sites that use it. How do you do that? Here’s a list of 5,619 websites that used the technology during May 1-5, 2014, created by a group of researchers that looked into this technology. Besides porn sites, 48 government sites have Canvas Fingerprinting code, as there are .gov domains listed here. That’s very unsettling.

Also, if you’re the curious type, check out the project website for background information about canvas fingerprinting and other advanced tracking mechanisms such as evercookies and the use of “cookie syncing” in conjunction with evercookies. It will make you not want to surf the Internet.

AdBlock Plus Claims It Can Stop Canvas Fingerprinting

Posted in Commentary on July 23, 2014 by itnerd

This morning, I posted a story about Canvas Fingerprinting, a method of online tracking that is impossible to detect and impossible to stop. Well, AdBlock Plus, who makes a tool to allow you to surf the web without getting ads and the like, says they can stop Canvas Fingerprinting, and cookies as an added bonus. They have a blog post that goes into detail about what Canvas Fingerprinting is and how it works. Then they tell you how they can help:

When you add the EasyPrivacy filter list in Adblock Plus this won’t make Adblock Plus block tracking cookies directly. Instead, Adblock Plus will block the script that would try to set these cookies. And guess what: blocking that script doesn’t just prevent cookie-based tracking, it also lets you deal with canvas fingerprinting or evercookie or any other tracking approach. In particular, the rules to prevent AddThis tracking were added to EasyPrivacy almost five years ago.

Now I haven’t tried this so I can’t vouch for whether this works or not. Thus I would like to see a third party test this out empirically to see if it does work. If it does, perhaps we’ll feel safer when surfing the web…. Until the next person finds a way to monitor your activities without you knowing about it and being unable to stop them.

New Technology Tracks Your Web Usage Without Your Knowledge

Posted in Commentary on July 23, 2014 by itnerd

The Globe And Mail is reporting on a new technology that is rapidly spreading through major websites that not only tracks you without your knowledge, but there’s no way for you to evade it:

Canvas fingerprinting, which can command your browser to draw a unique identifier and then log your online behaviour, is nearly impossible to detect, does not fall under “do not track” voluntary systems and evades most conventional ad-blocking software. It is already tracking users on 5 per cent of the biggest sites on the Internet, including The White House, Starbucks, Re/Max Canada, Canadian retailers Metro and Home Hardware, Postmedia website Canada.com, as well as a number of pornography sites.

That’s not encouraging. If you read the complete article, you’ll see how chilling this is. At least with conventional technologies, you can evade them by clearing cookies or setting the “do not track” option on your web browser of choice correctly. Now, all that is off the table. What’s also interesting is that when websites were contacted about why they were using Canvas fingerprinting, most of them yanked it out or committed to doing so quickly. That sounds like they got caught with their hand in the metaphorical cookie jar.

What this proves is something that I’ve been saying for a while now. You should have no reasonable expectation of privacy anymore. It doesn’t exist. You can also bet that even if Canvas fingerprinting disappears (which it won’t), there will be some other technology that will be even more invasive and even more stealthy to replace it.

“Millions” Of Data Requests From Canadian Police: Toronto Star

Posted in Commentary on July 22, 2014 by itnerd

The Toronto Star via some newly released documents is reporting that law enforcement in Canada have requested data on Canadians from telecommunication companies “millions” of times dating back to 2006:

Internal documents from Public Safety Canada reveal authorities requested telecom companies to turn over “basic subscriber information” at least 1.13 million times a year between 2006 and 2008.

That figure matches revelations from the federal privacy watchdog earlier this year that authorities sought subscriber information 1.2 million times in 2011.

“It suggests that there have been huge numbers of requests for years now taking place largely below the radar screen . . . without very much public awareness,” said Michael Geist, a University of Ottawa law professor and Star columnist, who obtained the documents.

So, what info are they getting? Here’s a partial list:

“Basic subscriber information” can include details like name, address, Internet protocol (IP) address, telephone number, email address and local service provider identity. The federal government and law enforcement agencies have argued this amounts to “phonebook information” — police seem to generally request names and addresses — but privacy advocates warn it can lead authorities to more personal and detailed information.

To top it off, some of these requests are made without a warrant:

In the documents, the RCMP said they do not track the number of “informal” warrantless requests — verbal or written — for “customer name and address” information.

“Police do not know across Canada, in all jurisdictions, how many (customer name and address) requests (telecoms) are answering voluntarily each year,” the documents state.

That should be cause for concern, but one that may be solved by the recent Supreme Court Of Canada decision that requires a warrant for accessing this type of info. It still remains an open question how the Canadian Government is going to deal with this decision, as that may once again change the landscape when it comes to this issue. Regardless, I believe that this illustrates the need for increased transparency on this issue. Canadians, except for a handful of cases, should know how and when information about them is being accessed by their government or by someone related to government such as law enforcement. Not having that transparency creates the impression that government and law enforcement are simply doing whatever they want with no rules, boundaries, or limitations. And that is not good for all concerned.

Rogers Updates Policies Related To Lawful Access Of Customer Info

Posted in Commentary on July 16, 2014 by itnerd

About a month ago, I wrote about Rogers and Teksavvy releasing transparency reports that show how often law enforcement requests customer data and what data is handed over. Rogers today reached out to me with an update:

After hearing feedback from our customers and reviewing the Supreme Court ruling from last month, we’ve decided that from now on we will require a court order/warrant to provide basic customer information to law enforcement agencies, except in life threatening emergencies. We believe this move is better for our customers and that law enforcement agencies will still be able to protect the public.

We’ve updated our blog post on Rogers Redboard to let customers know about the change.

Transparency Report blog post:

http://redboard.rogers.com/2014/transparency_report/

The Supreme Court ruling that’s being referred to is this one and it states that Canadian ISPs cannot hand over customer info to police without a warrant. What I like about this is there is no ambiguity as to where Rogers stands on this subject. I would like to see other ISPs in Canada do the same thing. Strangely, I have not seen anything like this from any other ISP other than the transparency report put out by Teksavvy. I can’t say why that is the case, but I hope that changes.

US Government Claims That Data On Servers Anywhere Belongs To Them

Posted in Commentary on July 15, 2014 by itnerd

If there was something that could be defined as over-reaching, perhaps this is it. Here’s a story from Ars Technica that I just tripped over that has the U.S. Justice Department claiming that companies served with valid warrants for data must produce that data even if the data is not stored in the U.S.:

Global governments, the tech sector, and scholars are closely following a legal flap in which the US Justice Department claims that Microsoft must hand over e-mail stored in Dublin, Ireland. In essence, President Barack Obama’s administration claims that any company with operations in the United States must comply with valid warrants for data, even if the content is stored overseas. It’s a position Microsoft and companies like Apple say is wrong, arguing that the enforcement of US law stops at the border. A magistrate judge has already sided with the government’s position, ruling in April that “the basic principle that an entity lawfully obligated to produce information must do so regardless of the location of that information.” Microsoft appealed to a federal judge, and the case is set to be heard on July 31.

Well, isn’t that delightful. I was always under the impression that you cannot serve warrants to search property in other countries. But I’m a computer nerd, not a lawyer. But I’m thinking that if this does hold up somehow, and Microsoft releases the data stored in another country, then how long will it take for every other country in the world to buy equipment or services from a non-American or solely domestic company simply to avoid something like this happening to them? For example, Germans buying from German companies or the French buying from French companies. But I’m getting ahead of myself. This is a case that needs to be watched closely as it’s going to have a huge impact.

Apple Responds To Chinese Over Location Tracking

Posted in Commentary on July 15, 2014 by itnerd

Last week you’ll recall that I wrote about Chinese State Media claiming that Apple’s location tracking was a “national security concern.” I also said that because of Apple’s desire to be a player in the Chinese market, they’d have to respond. Well, they have on their Chinese website in both Chinese and English. Here’s a portion of what the statement said:

Our customers want and expect their mobile devices to be able to quickly and reliably determine their current locations for specific activities such as shopping, travel, finding the nearest restaurant or calculating the amount of time it takes them to get to work. We do this at the device level. Apple does not track users’ locations – Apple has never done so and has no plans to ever do so.

And:

Frequent Locations are only stored on a customer’s iOS device, they are not backed up on iTunes or iCloud, and are encrypted. Apple does not obtain or know a user’s Frequent Locations and this feature can always be turned “Off” via our privacy settings. 

Apple does not have access to Frequent Locations or the location cache on any user’s iPhone at any time. We encrypt the cache by the user’s passcode and it is protected from access by any app.

They conclude by saying this:

As we have stated before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will. It’s something we feel very strongly about.

Now, that’s a very definitive statement. One wonders why they didn’t come out with something similar last year when iOS 7 first appeared and people (including yours truly) first found this feature. Perhaps if they did, we wouldn’t be talking about it now.

China Claims That Apple’s Location Tracking A “National Security Concern”

Posted in Commentary on July 11, 2014 by itnerd

Chinese state-run media, which means it’s essentially the Chinese Government, has made a very interesting claim. They claim that because iOS 7 tracks your movements, this makes it a “national security concern.” Here’s what the Wall Street Journal had to say:

In its national noon broadcast, state-run China Central Television criticized the “frequent locations” function in Apple’s iOS 7 mobile operating system, which tracks and records the time and location of the owner’s movements. The report quoted researchers who said that those with access to that data could gain knowledge of the broader situation in China or “even state secrets.”

Apple didn’t respond to requests for comment.

Now I have talked about the frequent locations option previously. At the time I said that other phone makers do something similar and that I don’t think there’s anything sinister going on here. But I also mentioned that Apple should clear the air on this feature. Perhaps if they did, we wouldn’t be talking about this right now. Given that Apple really wants to make inroads into the Chinese marketplace, I think they’ll have to address this now.

This is one of those stories to keep an eye on.
