How are the latest NSA spying revelations affecting Canadians' use of the internet? Danny Bradbury finds out.
Following revelations earlier this month about systematic anti-encryption measures by the National Security Agency (NSA), the intelligence organization that operates under the jurisdiction of the U.S. Department of Defense, Ann Cavoukian, the information and privacy commissioner for the province of Ontario, has a name for what the agency has done. “I call it surveillance by design, because they are intentionally designing the system so that they can easily surveil, and have a backdoor by whichever means they want,” she says.
Cavoukian uses these words carefully. She invented Privacy by Design, a method of protecting privacy by building core principles into new technologies. Developed in the 1990s, it was adopted as an international standard by data protection and privacy commissioners in 2010.
But revelations in the U.K. and U.S. media that the NSA has deliberately introduced weaknesses into cryptographic tools and standards for more than a decade make this a difficult concept to follow these days.
We already knew about PRISM, a project that saw the NSA accessing data stored on cloud-based services in the United States. Under the more recently discovered Project Bullrun, the NSA worked deliberately with technology vendors to introduce weaknesses in the implementations of encryption technologies, according to documents supplied by whistleblower Edward Snowden, a former NSA contract employee.
Canadians have a right to be concerned about the latest revelations, says James Arlen, senior security adviser with Leviathan Security Group in Canada. “For everyone who has had their tin foil hat screwed on real tight, we believe you now,” he says. “You're only paranoid when there's no one out to get you.”
Now that we know for sure U.S. spy agencies have been secretly subverting the basis of our communications, what next? Do we need to take any more measures north of the border? Unfortunately, simply storing data here may no longer be enough.
Companies have long known about the dangers to data stored on U.S. soil – or in other countries using servers owned by U.S. corporations. The USA Patriot Act, signed into law in response to the attacks of Sept. 11, made it far easier for authorities to co-opt that data, and serve a service provider with a gag order preventing them from talking about it.
Until now, the idea was that by storing data with a Canadian cloud service provider, Canadian companies and individuals could avoid having the data pilfered by authorities south of the border. But Dragos Ruiu, a Canadian security consultant and founder of the CanSecWest conference, which focuses on applied digital security, is not so sure.
“There is a lot of talk right now about boomerang routing,” he says. “A lot of Canadian internet traffic happens via the U.S., even if it's between different points in Canada.”