#CyberFLASH: Balancing police, power and privacy


Canadians support more investigative powers for police — with a catch, Nov. 17

Your story declares that Canadians support police demands for more surveillance, even though data from the survey indicates only 34 per cent are confident that new powers will be used “reasonably and according to the law.” Presumably that is why, in every case, the survey found that people want use of these powers to require a warrant from a judge.

Yet while it mentions reports of police spying on journalists and lawbreaking by CSIS, both your story and the survey neglect to mention that warrants were granted inappropriately in the first case, and that CSIS lied to the courts about their actions in the second.

The survey also suggests Canadians support data retention by telecom providers if authorities have a warrant to access the data. However, it wasn’t asked whether they should be able to retain that data before a warrant is granted or only afterwards. Your story assumes, without any justification, that Canadians support retention of data about a person before a warrant is granted.

The report also states that 74 per cent of Canadians have never encrypted their communications, without pointing out that we do so every time we use online banking, or visit an increasing number of websites — including the Star’s! Worst of all, it leaves out that Canadians have a right not to incriminate themselves under the Charter, protecting them against giving their passwords or encryption keys in an investigation.

Finally, the survey suggests 47 per cent of Canadians think there is a right to “complete digital privacy,” while only 23 per cent think it is currently possible to have that privacy.


#CyberFLASH: Canadians not terribly savvy about digital privacy, poll finds


We all delete our internet browser history from time to time, and most of us have, at some point, removed something we’ve posted online.

But encryption? Virtual private networks? Not so much.

A poll conducted by CBC News and the Toronto Star this month found that hardly anyone in Canada said they use more advanced personal security tools.

This means that when it comes to digital security and privacy, Canadians really aren’t too savvy.

“There are so many unauthorized uses of people’s data and data breaches and hacking — it’s just grown exponentially,” said Ann Cavoukian, the former Ontario privacy commissioner and now the executive director of the Privacy and Big Data Institute at Ryerson University.


#CyberFLASH: National electronic intelligence agency executive calls for ‘rational debate’ on encryption

OTTAWA – Canadians are being encouraged to ask more questions about the security of their electronic devices from an unlikely source — an executive at the country’s electronic intelligence agency.

Scott Jones, the deputy director of IT security at the Communications Security Establishment, said Canadians need to start taking a greater interest in how their electronic devices protect personal information.

“We should be asking when we go and buy the stuff we have at home, OK, tell me how it’s being protected,” Jones said in an interview.

“If it’s my cellphone, does it have encryption if I lose it? Can somebody just read the data off of it or not? We need to start asking questions like that … We need to start helping each other, and helping citizens, helping businesses, helping the government when we’re buying these products they need to be secure by default.”

It may come as a bit of a surprise to hear an employee at CSE counselling Canadians to protect private information. The agency, which has largely operated in secret since its creation at the end of the Second World War, was thrust into the spotlight after U.S. whistleblower Edward Snowden’s disclosures.

CSE is part of the Five Eyes security alliance, which includes spy agencies in the United States, the United Kingdom, Australia and New Zealand. Snowden’s disclosures revealed the mass surveillance programs used by those countries, including programs that scooped up their own citizens’ data.

Jones’ comments also come as law enforcement agencies in the U.S. and Canada are forcefully arguing for the need to limit encryption — calling for so-called “back doors” that would let authorities decode citizens’ data.


#CyberFLASH: Prepare for threat of quantum computing to encrypted data, Canadian conference told

The race to create new cryptographic standards before super-fast quantum computers are built that can rip apart data protected by existing encryption methods isn’t going fast enough, two senior Canadian officials have warned a security conference.

“I think we are already behind,” Scott Jones, deputy chief of IT security at the Communications Security Establishment (CSE), responsible for securing federal information systems, told the fourth annual international workshop on quantum-safe cryptography in Toronto on Monday.

Quantum computing – or more accurately, computers that use quantum mechanics – is not a dream, Jones and others told the conference of business executives, crypto academics, IT companies and government officials. One prediction is there’s a one in seven chance that by 2026 a quantum computer will exist that can break RSA-2048 encryption. It may take longer — or, if there’s an advance, shorter.

“Quantum represents a fundamental change and challenge to encryption for all of us,” Jones said, noting that encrypted transactions are the backbone of security and trust on the Internet.

His comments were backed by David Sabourin, CSE’s manager of cryptographic security, who said that if the 2026 prediction is right “we’re in trouble.” Speaking on a panel of government experts, Sabourin noted the U.S.-based National Institute of Standards and Technology (NIST) will close its call for proposed new and more quantum-secure public key encryption algorithms next year. Then it will take a couple of years of review, which means products that can use new crypto standards might be released in 2025 – and then start to be implemented around the world. So 2026 will be “messy,” he concludes, with organizations rushing to install new solutions.


#CyberFLASH: The Internet of Things moving us toward connected homes

It’s lunchtime at race car driver Alex Tagliani’s house, and there are no fewer than a dozen people buzzing around. Landscapers are putting in a new front yard, a curtain company employee is up on a ladder, wrestling with the motorized drapes for a product photo shoot and a toddler is running around, demanding to be fed.

Tagliani has made a name for himself on the Indy and NASCAR circuits. But, after years of living in Las Vegas and Indianapolis, he has returned to his native Quebec, settling down in an impressive $1.4(ish)-million home nestled in the scenic suburbs of Lorraine with his wife, Bronte, and their daughter Eva-Rose.

The house was custom built according to Tagliani’s vision of a modern smart home. He was the general contractor on the project, coordinating the architect, interior designers and a small army of independent contractors, including a home-automation team.

“I spent a year and a half messing around with the build,” Tagliani says.

From the moment he considered building a house, Tagliani knew he wanted it to be “smart” — a connected home that learns from and syncs to his family’s behaviours. He hired HomeSync, a Montreal-based home-automation installer that he’d previously worked with when customizing his last place, a condo in Laval. (HomeSync doesn’t manufacture its own hardware, but rather connects other companies’ components.)

Privacy concerns

Earlier this year, design flaws in Samsung’s SmartThings allowed people to remotely hack a front-door lock. There’s very little to stop a determined and tech-savvy criminal or mischief-maker from gleaning what your devices have learned about you and using it against you.

Gobi enjoys the convenience and novelty of the technology, but he is concerned about the SmartThings hack. He’s considering switching to Apple’s recently launched HomeKit because it offers high-security encryption. “The encryption they’re asking for is really, really high. If we think more about Big Brother issues with the Internet of Things and the smart home, I would be more comfortable to use high-security devices and I’m happy that Apple is now fighting a battle for privacy,” Gobi says.

Still, training connected devices to recognize your habits also means opting in to having an unprecedented amount of your deeply personal data compiled and kept on file by someone, somewhere, without knowing exactly if and how it’s used.

In 2016, Canada’s privacy commission published a guide on connected devices and IoT and concerns related to them, particularly as it pertains to data harvesting. “The full impact of the Internet of Things for our privacy may become more evident when its capabilities are combined with other innovations shaping our world today that track not only our activities, movements, behaviours and preferences, but our emotions and our thoughts,” the report concludes.


#CyberFLASH: Encryption actually protects law-abiding Canadians

When it comes to policing and national security, far too often Canadians are asked to let fear trump their rights.

Recently, the front page of the Toronto Star featured the headline, “Encryption creating a barrier for police …,” potentially convincing some readers that the technology’s only purpose is to aid criminals. Rarely do we see headlines such as, “Encryption protects thousands of Canadians’ credit card information,” or “Encryption enables secure communications for every Canadian,” or even the aspirational, “Canada leads the way in cybersecurity for its citizens.”

Increasingly, when we hear about encryption in the media, or from public safety officials, it’s presented as a danger — something that prevents those whose job it is to keep us safe from fulfilling their role. However, in the vast majority of transactions online by ordinary, law-abiding citizens, encryption is a good thing that makes personal, sensitive data harder to capture and decipher. Indeed, if more data were stored in encrypted form, sensational breaches of privacy — like the one that drove some Ashley Madison users to suicide — could be avoided.

Acknowledging that encryption can be a good thing for society doesn’t erase police concerns about data access; it contextualizes them. We at the Canadian Civil Liberties Association (CCLA) have long been supporters of warrants, the process by which police can go before a judge to demonstrate that their need to intercept a suspect’s private communications is reasonable and proportionate.

While we understand that warrants aren’t helpful if data can’t be decrypted, reports indicate police now have the tools, and are working with technology companies, to gain access to even the most complex of encrypted data. For example, as we learned from the Project Clemenza investigation, police can now decrypt BlackBerry communications and are making extensive use of Stingray technology, which allows for the mass interception of cellphone data.


#CyberFLASH: Apple Encryption Saga and Beyond: What U.S. Courts Can Learn from Canadian Caselaw

It has been said that privacy is “at risk of becoming a real human right.” The exponential increase of personal information in the hands of organizations, particularly sensitive data, creates a significant rise in the perils accompanying formerly negligible privacy incidents. At one time considered too intangible to merit even token compensation, risks of harm to privacy interests have become so ubiquitous in the past three years that they require special attention.

Legal and social changes have for their part also increased potential privacy liability for private and public entities when they promise – and fail – to guard our personal data (think Ashley Madison…). First among those changes has been the emergence of a “privacy culture” — a process bolstered by the trickle-down effect of Julia Angwin’s investigative series titled “What They Know,” and the heightened attention that the mainstream media now attaches to privacy incidents. Second, courts in various common law jurisdictions are beginning to recognize intangible privacy harms and have been increasingly willing to certify class action lawsuits for privacy infringements that previously would have been summarily dismissed without hesitation.

Prior to 2012, it was difficult to find examples of judicially recognized losses arising from privacy breaches. Since then, however, the legal environment in common law jurisdictions, and in Canada in particular, has changed dramatically. Claims related to privacy mishaps are now commonplace, and there has been an exponential multiplication in the number of matters involving inadvertent communication or improper disposal of personal data, portable devices, and cloud computing.

The obvious overlap between personal and professional e-mail accounts, Internet use, and quasi-ubiquitous surveillance renders the classic “reasonable expectation” standard quasi-obsolete, or at least unhelpful in articulating and enforcing privacy rights and duties. Assessing an individual’s right to privacy by reference to society’s conception of the measure of privacy that one is entitled to reasonably expect is particularly awkward when such expectations are rapidly eroding, precisely by reason of eventual social habituation to recurring intrusions. Plainly put and paradoxically: the more we are watched, the more we expect to be watched.


© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.