How are the latest NSA spying revelations affecting Canadians' use of the internet? Danny Bradbury finds out.
Ann Cavoukian, the information and privacy commissioner for the province of Ontario, has a name for what the National Security Agency (NSA) has done, following revelations earlier this month about systematic anti-encryption measures by the intelligence organization, which operates under the jurisdiction of the U.S. Department of Defense. “I call it surveillance by design, because they are intentionally designing the system so that they can easily surveil, and have a backdoor by whichever means they want,” she says.
Cavoukian uses these words carefully. She invented Privacy by Design, a method of protecting privacy by building core principles into new technologies. Developed in the 1990s, it was adopted as an international standard by data protection and privacy commissioners in 2010.
But revelations in the U.K. and U.S. media that the NSA has deliberately introduced weaknesses into cryptographic tools and standards for more than a decade make this a difficult concept to follow these days.
We already knew about PRISM, a project that saw the NSA accessing data stored on cloud-based services in the United States. Under the more recently discovered Project Bullrun, the NSA worked deliberately with technology vendors to introduce weaknesses in the implementations of encryption technologies, according to documents supplied by whistleblower Edward Snowden, a former NSA contract employee.
Canadians have a right to be concerned about the latest revelations, says James Arlen, senior security adviser with Leviathan Security Group in Canada. “For everyone who has had their tin foil hat screwed on real tight, we believe you now,” he says. “You're only paranoid when there's no one out to get you.”
Now that we know for sure that U.S. spy agencies have been secretly subverting the basis of our communications, what next? Do we need to take any more measures north of the border? Unfortunately, simply storing data here may no longer be enough.
Companies have long known about the dangers to data stored on U.S. soil – or in other countries using servers owned by U.S. corporations. The USA Patriot Act, signed into law in response to the attacks of Sept. 11, made it far easier for authorities to co-opt that data, and serve a service provider with a gag order preventing them from talking about it.
Until now, the idea was that by storing data with a Canadian cloud service provider, Canadian companies and individuals could avoid having the data pilfered by authorities south of the border. But Dragos Ruiu, a Canadian security consultant and founder of the CanSecWest conference, which focuses on applied digital security, is not so sure.
“There is a lot of talk right now about boomerang routing,” he says. “A lot of Canadian internet traffic happens via the U.S., even if it's between different points in Canada.”
Early in September, the Washington Post published a new slide revealing an NSA project called Upstream, which collected communications on fiber cables and infrastructure as data flows past. It suggests that fiber links into and out of the United States were being tapped. Presumably, then, data in transit could be in just as much danger as data at rest.
A lot of Canadian traffic travels via northern U.S. exchange points, such as Buffalo, says Ben Sapiro, co-founder of OpenCERT, a nonprofit Computer Emergency Response Team in Canada, launching in Q4. “If I had your and my IP addresses, I could do a traceroute and then say, ‘Oh, that's a bad route,’” he says. “Maybe I use the Tor network, or a VPN service provider. The vast majority of users and corporations won't do this.”
Even if they did, what guarantees do citizens or enterprises now have that a VPN wouldn't be readable? And recent analysis by Rob Graham, head of Errata Security, suggests that Tor relays using 1024-bit keys can be decrypted by the NSA.