#CyberFLASH: When it comes to cyberspace, should national security trump user security?

Apple Hosts Event At Company's Town HallRon Deibert is the director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs.

Imagine if the government had knowledge of a critical vulnerability in a heart pacemaker, but decided to keep the information secret in order to exploit it as a weapon. Would that be okay? What about flaws in the electronic controls of a 747 that could be manipulated remotely to cause the plane to crash? Or a nuclear enrichment facility? Should they publicly disclose these vulnerabilities in the interests of user safety? Or should they keep them classified in case they provide comparative advantage in matters of national intelligence or warfare?

Whatever each of us may think about these questions, it appears the world’s most powerful spy agencies have already resolved on an answer: for them, national security trumps user security.

Today, the University of Toronto’s Citizen Lab is publishing a report documenting major security and privacy vulnerabilities in one of the world’s most widely used mobile applications: UC Browser. Chances are if you are a North American reading this, you have never heard of UC Browser. But if you live in China or India, it’s probably as familiar as Microsoft Explorer. In fact, UC Browser is used by over 500 million people, and is the fourth most popular mobile browser in the world.

Popularity aside, UC Browser has fundamental problems (problems the company is working to repair after our notification): it leaks a huge torrent of highly detailed personally identifiable data about its users. Those leaks include the unique identification number hard-baked into the device (IMEI), personal registration data on the user’s SIM card (IMSI), any queries sent over the browser’s search engine, a list of the names of any WiFi networks to which the device has recently connected, and the geolocation of the device. Some of this data is sent entirely “in the clear” without encryption; others are sent using weak encryption that could be easily decrypted. Some of it is sent the moment the application is turned on, in an “idle state.” None of it is sent with the explicit permission of its users.

Read more here

About canux
© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.