=== Ron Deibert discussing "Black Code: Inside the Battle for Cyberspace" ===

2014-02-03

=== Intro ===

* Recent revelations about CSEC WiFi snooping
* Head of CSEC was at a senate committee today
* Book covers technical implications, as well as "radical political and philosophical implications"
* "Not a techie by academic background, but a political scientist"
* Harold Innis and Marshall McLuhan help us understand changing forms of communication

Citizen Lab - "an interdisciplinary research and development hothouse"
* Working on security and human rights

We no longer "move about our lives as self-contained beings" but are rather "nodes of information production"

=== Presentation ===

No systematic plan for statements, wants feedback on the book
* Will talk about Citizen Lab, Snowden revelations, and current events

Idea for the book originated around 1995
* Had been working mostly solo as a conventional scholar of political science, with limited technical knowledge
* Considered pursuing further study
* Ford Foundation was "trying to identify people who want to do research in a new field - information security"
* Invited to go work as a program officer
* Declined, but they came back with an offer for funding at U of T

Citizen Lab - Hired expertise rather than acquiring it
* One early researcher - paper topic to test limits of internet censorship in China
* Use computers in China to test limits of censorship
* This became the basis for one portion of their core methodology, which also includes field research
* At peak in early 2000s, working on over 70 countries

"Secret of the Citizen Lab" - marshalling together talented genius people, not necessarily classically trained, who really understand technology
* Part of the rationale, put people with passion into a more systematic approach, to investigate "threats to this open commons of information as it becomes securitized"

Book traces back to the origin of the Citizen Lab
* Lab meant as a place to conduct empirical research for Black Code
* Research complex, demanding, interesting, with real-world implications and media interest
* Book repeatedly delayed

Published May 21, 2013 - day Edward Snowden fled from Hawaii to Hong Kong
* Good timing? Or bad timing?
* Paperback edition contains a new foreword that addresses it in part
* There is much more public awareness now of organizations like CSEC
* Now a matter of front-page media discussion
* Those who looked paranoid before, now less so

Snowden revelations
* Incredible volume of documents
* June 5th, first revelation
* Roughly a document per week since then, in NY Times, Guardian, CBC, etc
* At this rate, it will take 46 years to release everything
* "In the short term, it's obviously raising a lot of awareness about what I was writing about in Black Code"
* "Power is exercised by state authorities" on the Internet, and Snowden has "lifted the lid on this" and spurred investigative journalism

"I'm a little concerned that in the short run anyway the implications are going to be pretty bad and accelerate some of the troubling characteristics I document in Black Code"
* Think about the perspective of a government not allied with the US
* Are we being spied on by the Americans?
* I don't know, but I need advanced equipment to investigate
* Many of these countries are autocratic authoritarian regimes who will use these capabilities against their own populations
* We have seen evidence of this - India is establishing a "central monitoring system", using the NSA as a model
* China is meeting with Iran on a new national intranet for Iran
* "We'll see other NSAs"

Countries like Canada need to get their own house in order
* Must be able to say credibly to other countries that what they are doing is wrong
* Requires that we not be doing it ourselves

For many decades, this system was hidden in the shadows - agencies not publicly accountable in ways proper to a liberal democratic society

System in Canada largely British-style
* Ottawa establishment where things done by norms and culture rather than laws and regulation
* Today's hearing an important first step

CSEC doesn't answer to Parliament - doesn't have to respond if they don't want to
* CSEC Commissioner - retired judge - reports to the Minister of Defence
* "Within the security tent"
* "Structural flaw in the architecture of democracy"

When it comes to communications and security, we live in extraordinary times
* Cloud computing, social media, mobile - 5-10 years old
* Share an important characteristic: information previously in desktops and filing cabinets entrusted to third parties, usually private companies
* Usually with a headquarters in another jurisdiction
* We're not conscious of all the data being collected - metadata
* "Even not carrying a mobile phone will make you stick out"
* All active phones are broadcasting their make and model, your name, and the location of the phone
* "That information doesn't just evaporate - it sits on the servers"
* Whoever owns and operates the infrastructure decides what they will do with it
* Government agencies are gathering it up, because it is powerful and revealing
* Shows who spends time with who, etc

"The security environment is changing"
* During Cold War: state adversaries with ballistic missiles
* Modern signals intelligence agencies started off trying to eavesdrop on such adversaries
* Threat environment changed substantially after 9/11
* Now individual terrorists, small groups, etc
* Big changes in the last 5-10 years

What checks and balances are appropriate here?

Re: latest revelations
* What Glenn Greenwald has done is select a news organization in each country to team up with
* Working with Greg Weston at the CBC
* Security and Information Act (formerly, Official Secrets Act) - crime to handle classified documents
* Possible subpoena to Citizen Lab, which could set their work back for years
* Took it to lawyer - James Lockyer
* CBC published them redacted - "quite wise"
* Could otherwise have endangered people or revealed things that should not be known

Canada spying on Brazil / CSEC and NSA listening post for G20
* Neither very surprising
* "Coverage has been really misleading"
* "Not about free WiFi at airports at all" - "much more concerning"
* CSEC has "consistently and adamantly stressed that they are not targeting Canadians"
* They have gone to a "Canadian special source" - Canadian telco
* Using NSA and GCHQ databases, Canadian databases, commercial databases with locations of devices by ID numbers

"The government has been using a different English dictionary from the rest of us"
* Targeting, tracking, incidental - all specially defined

"Collision of social media explosion and huge agencies turning inward, operating under Cold War logic"
* "Using secret justification from secret laws to justify what they're doing"
* "Potential for abuse is virtually unlimited"

=== Discussion ===

Question: Re: "The Brazil Caper"
* CSEC broke into Ministry of Mines
* Likely motive: industrial espionage
* Are we at a stage where such activity affects our national political process?

RD: "There is no evidence of abuse right now"
* "Boils down to the issue of independent judicial oversight"

Looked like a project report conducted by CSEC for the NSA
* "To what extent are our precious resources being directed by another country?"

One of the most important Snowden revelations showed the NSA hacking into data transmission between Google servers
* "Really irritated the Google security engineers"

"We have turned our personal lives inside out, and extraordinarily personal details from all our lives are now sitting on computers"

Question: "What is your opinion of Mr. Snowden's action, and what is your estimate of the future that awaits him?"
* "If your cellphone is turned off, can they still track you"

RD: "The most important leak in intelligence history - no doubt about it"
* Traitor v. whistleblower?
* Actions justified as the latter, though the process he used is open to fair questions
* "By fleeing, it opens questions about whether he is controlled by a foreign government"
* Being in Russia provides some protection against physical deportation
* Now cannot move or communicate freely

Re: phone "of course"
* Devices that provide all sorts of freedom, know where we are, etc
* Even when not on, not being used, still connected
* Some capabilities outlined in recent Snowden revelation - "extraordinary ways that they can get inside computers using radio waves and things like that"
* Depends on firmware, hardware, etc
* "There is a problem here socially" - Apple and others make proprietary phones with proprietary code
* As a US company, they likely collude with the NSA under the Patriot Act and other security organizations

Question (Trevor): Individual versus mass surveillance - "just a statistic" now?
* How can people be made aware of the dangers of wholesale harvesting?

RD: "More and more of a challenge with people who have lived with it - digital natives"
* People already make trade-offs about privacy
* What would once have been very inappropriate to share is now acceptable
* Arguing for privacy is not the way to go - highlight potential for abuse of unchecked power
* We can't go back to people communicating in a contained fashion
* Communication now "necessary for the future of the human race" - to solve problems
* "Surveillance is an important means to that end" - like satellite monitoring of environmental degradation, disease surveillance
* No independent oversight for security services

Question:
1) Oversight - Parliamentary committee has no jurisdiction over CSEC - "full time surveillance with part-time oversight" - What is the ideal oversight mechanism for Canada?
2) Does having servers in Canada, Canadian ISPs, etc provide any useful protection?

RD: There are legal issues here well beyond his capabilities
* "What exists now is insufficient, and the potential for abuse is almost limitless"
* "We need an oversight body that is separate from the Ottawa establishment"

We really don't know if shifting data hosting to Canada will be any help

Question:
1) Is Blackberry's security better?
2) What about the criminal element on the internet?

RD: Around 2010, started hearing stories about Blackberry and the ultimatums being issued to them by governments like the United Arab Emirates and Saudi Arabia
* Resisted such deals initially
* Something didn't add up about them refusing and these governments continuing to allow Blackberry
* "Some kind of dubious arrangement was made" - "the degree to which the company has failed to disclose information on this is incorrigible"
* India has said that they have wholesale surveillance of Blackberry
* Technicians are being trained in Waterloo on how to do this

"We need to hold companies accountable in the same ways as governments"
* "We need rigorous, independent monitoring"
* Various US companies now publish transparency reports - not even under discussion in Canada
* "Arrangement needs to happen at some level" - "the world is a bad place" - but there need to be warrants

Re: criminal behaviour
* "Cybercrime is enormous and getting worse"
* Volume of data out there getting larger, fast turnover in applications and devices
* Creates more vectors for exploitation by cybercriminals
* Governments like Syria and Iran are now using the tradecraft of cybercrime against opposition groups

My question: Monitoring real-time v. storing forever
1 - Encrypted archives just sitting around, waiting for the computing power and algorithms to crack
Assuming
-A) the encryption algorithm isn't broken by design
-B) some software backdoor isn't broadcasting the key
2 - Potential to look up everything on a person's life at any time, from facial recognition data to web browsing history

RD: "This is exactly the concern"
* There is a huge amount of data which allows someone to reconstruct exactly what you did every day
* "People need to be able to make mistakes in their lives and be able to recover from it"
* We are now encouraged to share everything
* Young people today may be cavalier in ways they won't be ten years later

Question: Need for greater oversight and monitoring - has the technology developed to the point that politicians can't comprehend it enough to regulate it?
* Is it reasonable to think that, even in the long run, politicians will ever be able to figure it out?

RD: "Whatever oversight exists must be separate from that Ottawa establishment tent"
* "We need many different types of oversight" - we need to be wary of government agencies, but also companies
* Each iPhone app made by a different company, which may have a headquarters anywhere

We need "distributed security" - least developed idea in the book
* "Distributing as widely as possible mechanisms of oversight"
* "We need organizations like Citizen Lab whose mission is to persistently and carefully - using evidence research - lift the lid on what's going on"
* "Platform of the university" can allow research to be published in a way that protects researchers
* This is starting to take place - "The internet has provided a remarkable way to leak documents"
* Snowden got all this in three months of working as a private contractor

Question: Would planting bogus data to see where it turns up help? (Barium meal concept)

RD: "Absolutely" - "Citizen Lab takes ethics very seriously, including in terms of methods"
* Don't want to break the law in Canada
* Want to be ethical beyond that
* "You can catch wrongdoing in very clever ways"
* "Fingerprinting method" - identify the products being used for censorship and surveillance around the world
* "We need more clever forensic investigation"

Role of the university - "we need to change the disciplinary divisions at the heart of the university" - "people are trained in silos" - "political science have no exposure to computer science"
* "We need to have a complete redrawing of the boundaries to educate people effectively to live in this technological society"

Question: Does the sheer volume of communication provide protection?
* Stasi stored huge amounts of "stupid" material
* "Antidotes are there too" - Citizen Lab, Snowden, etc