How are the latest NSA spying revelations affecting Canadians’ use of the internet? Danny Bradbury finds out.
Anne Cavoukian, the information and privacy commissioner for the province of Ontario, has a name for what the National Security Agency (NSA) has done – following revelations earlier this month about systematic anti-encryption measures by the intelligence organization which operates under the jurisdiction of the U.S. Department of Defense. “I call it surveillance by design, because they are intentionally designing the system so that they can easily surveil, and have a backdoor by whichever means they want,” she says.
Cavoukian uses these words carefully. She invented Privacy by Design, a method of protecting privacy by building core principles into new technologies. Developed in the 1990s, it was adopted as an international standard by data protection and privacy commissioners in 2010.
But revelations in the U.K. and U.S. media that the NSA has deliberately introduced weaknesses into cryptographic tools and standards for more than a decade makes this a difficult concept to follow these days.
We already knew about PRISM, a project that saw the NSA accessing data stored on cloud-based services in the United States. Under the more recently discovered Project Bullrun, the NSA worked deliberately with technology vendors to introduce weaknesses in the implementations of encryption technologies, according to documents supplied by whistleblower Edward Snowden, a former NSA contract employee.
Canadians have a right to be concerned about the latest revelations, says James Arlen, senior security adviser with Leviathan Security Group in Canada. “For everyone who has had their tin foil hat screwed on real tight, we believe you now,” he says. “You’re only paranoid when there’s no one out to get you.”
“A lot of Canadian internet traffic happens via the U.S.”
– Dragos Ruiu, founder of the CanSecWest conference
Now that we know for sure U.S. spy agencies have been secretly subverting the basis of our communications, what next? Do we need to take any more measures north of the border? Unfortunately, simply storing it here may no longer be enough.
Companies have long known about the dangers to data stored on U.S. soil – or in other countries using servers owned by U.S. corporations. The USA Patriot Act, signed into law in response to the attacks of Sept. 11, made it far easier for authorities to co-opt that data, and serve a service provider with a gag order preventing them from talking about it.
Until now, the idea was that by storing data with a Canadian cloud service provider, Canadian companies and individuals could avoid having the data pilfered by authorities south of the border. But Dragos Ruiu, a Canadian security consultant and founder of the CanSecWest conference, which focuses on applied digital security, is not so sure.
“There is a lot of talk right now about boomerang routing,” he says. “A lot of Canadian internet traffic happens via the U.S., even if it’s between different points in Canada.”
Early in September, the Washington Post published a new slide revealing an NSA project called Upstream, which collected communications on fiber cables and infrastructure as data flows past. It suggests that fiber links into and out of the United States were being tapped. Presumably, then, data in transit could be in just as much danger as data at rest.
A lot of Canadian traffic travels via northern U.S. exchange points, such as Buffalo, says Ben Sapiro, co-founder of OpenCERT, a nonprofit Computer Emergency Response Team in Canada, launching in Q4. “If I had your and my IP addresses, I could do a traceroute and then say, ‘Oh, that’s a bad route,’” he says. “Maybe I use the Tor network, or a VPN service provider. The vast majority of users and corporations won’t do this.”
Even if they did, what guarantees do citizens or enterprises now have that a VPN wouldn’t be readable? And recent analysis by Rob Graham, head of Errata Security, suggests that Tor relays using 1024-bit keys can be decrypted by the NSA.
But perhaps Canadians needn’t look south of the border to be worried about data tapping. The Canadian government’s own surveillance policy is also under scrutiny. The Snowden documents revealed that the information needed to decrypt communications was available to a handful of senior officials within the Five Eyes community. Five Eyes, founded in 1946, is an international intelligence-sharing agreement between the United Kingdom, the United States, Canada, Australia and New Zealand.
Further, the operations of Canada’s own secretive foreign signals intelligence agency, CSEC, have also been called into question. Outgoing Commissioner Robert Décary said in his final report this June that “a small number of records suggested the possibility that some activities may have been directed at Canadians, contrary to law.” The necessary records were unclear and incomplete, he said, adding that records relating to exchanges of information with Canada’s domestic intelligence service, CSIS, were also unclear.
But, OpenCERT’s Sapiro warns against what he calls “security nihilism,” adding that good security measures are still important, and that Canadians shouldn’t simply give up.
“Some parts of cryptography are broken,” Sapiro admits, but he argues that the organization that broke it is but a single adversary. “There are other threats that don’t have this capability. Do I still want to engage in encryption and use Tor and patch and build secure applications? Yes, because probably 99 percent of the things I have to worry about as a corporation and a private citizen will benefit from these.” In short, just because the NSA can see what’s travelling over your VPN, doesn’t mean that cyber crooks can, too.
It may be possible to secure your communications more effectively from the NSA, too. The shorter the cryptographic key, the more likely it is that the agency can crack it. Snowden said in an interview with theGuardian newspaper earlier in the summer that properly implemented encryption is still the best protection. Longer key lengths are a good protective measure, says Sapiro (2048-bit keys are a safer bet than 1024-bit keys).
On the positive side, Brian Bourne, founder of the Toronto-based SecTor security conference, argues that this could be a good thing for the Canadian security sector. “It’s creating more opportunities for Canadian companies,” he says, arguing that many companies in the U.S. may decide to store their data on Canadian soil and use Canadian products due to an increasing distrust of U.S. surveillance policy. “One reason that Canadian firms are getting funding is that they are Canada-based.”
While Canadians mull that issue over, Anne Cavoukian is already working on a new concept: Privacy-Protective Surveillance (PPS) by Design, intended to deal with privacy concerns in a world where governments apparently form part of the threat vector. It’s an extension of the original Privacy by Design concept, she says, in which surveillance systems are designed to cherry pick only relevant data, and leave personally identifiable information untouched. Clearly, in this new post-Snowden environment, encryption standards are not the only ones that will have to be revised.