Today, the Citizen Lab is releasing a new report, entitled: “Are the Kids Alright? Digital Risks to Minors from South Korea’s Smart Sheriff Application.” South Korea is unique among all countries in having a legal mandate that requires parents whose minor children have mobile phone subscriptions to install a parental content filtering application. A powerful industry consortium, the Korean Mobile Internet Business Association (MOIBA), had just such an application ready before the law was introduced, called “Smart Sheriff.” Smart Sheriff provided a lot more than just content filtering: it went beyond the legal mandate to allow parents to monitor their minor children’s use and receive notifications if their minor children did anything to try to disable the application.
Earlier this summer, a group of researchers who participated in the 2015 Citizen Lab Summer Institute, as well as the European security company Cure53, got together and collaborated on an independent analysis of the application. What we found was alarming: at least 26 different security vulnerabilities, including lack of industry-standard encryption, outdated software running on servers, and a lack of proper validation or passwords required to register and manage accounts. All of these represent fundamental failures to follow standard practices for protecting user information and could seriously put minor children at risk.
We engaged in a process of responsible disclosure to the manufacturers of the application, giving them 45 days to patch the vulnerabilities before we released our report. At this point, however, we are not confident that the problems have been fixed and we are urging South Koreans to cease using the application until an independent audit can be undertaken.
The research and the report are part of a larger interest we at the Citizen Lab have in understanding the privacy and security implications of mobile applications.
Statement on Citizen’s Lab/Kaspersky report of June 24, 2014:
Hacking Team is aware of the ongoing efforts of Citizen’s Lab [sic] to attack our business by attempting to disclose confidential information, systems, and procedures that we use. This report is only their latest effort. It is evident that the primary complaint of the authors is about repressive government, however, Citizen’s Lab has chosen to target a private business operating in full compliance with all relevant law.
We believe the software we provide is essential for law enforcement and for the safety of us all in an age when terrorists, drug dealers, sex traffickers and other criminals routinely use the Internet and mobile communications to carry out their crimes. We sell only to government agencies such as police forces. We do not conduct digital investigations. Those are carried out by law enforcement and are, of course, entirely confidential as is any law enforcement investigation.
The June 24 report does not include our customer policy, however, we invite you to read the policy which describes the steps we take to avoid abuse of our software. We believe this policy is unique in our industry and a strong, good-faith effort to prevent misuse of our products. We have both refused to do business with agencies we felt might misuse our software, and we have investigated cases either discovered internally or reported in the press that suggest abuse. We can and have taken action in such cases, however, we consider the results of our investigations and the actions we take based on them to be confidential matters between us and our clients.
We write to address certain factual inaccuracies contained in this statement, as well as apparent misinterpretations by Hacking Team of the content and purpose of Citizen Lab’s report. We clarify those issues here, and present a few additional questions to Hacking Team that are raised by the statement:
* Your reference to the “Citizen’s Lab [sic] / Kaspersky report of June 24, 2014” suggests that we authored the report jointly with Kaspersky (though we note that the complaints lodged in the statement are directed solely at Citizen Lab). We prepared and issued our report independently of Kaspersky.
* Citizen Lab is an academic research institution housed at the Munk School of Global Affairs, University of Toronto, that engages in evidence-based research to document uses of technology with the potential to undermine human rights. We do not undertake our rigorous research, analysis, and reporting in order to “attack” the business of Hacking Team or any other company on which we have previously reported. Rather, we seek to provide concrete data that will inform discussions between civil society, policy makers, and the private sector, so that society can properly determine its stance on the capabilities and deployment of dual-use technologies that impact individuals around the world. While Hacking Team may “believe the software [it] provide[s] is essential for law enforcement and for the safety of us all,” in democratic societies, such a determination is best suited to an informed public debate rather than the closed-door deliberations of a private company. Unfortunately, equating efforts to promote such transparency and debate with an attack against the company only reinforces the impression that Hacking Team wishes to prevent human rights-related inquiries into its products and services.
* We also take issue with Hacking Team’s assertion that “the primary complaint of the authors is about repressive government.” While Citizen Lab is certainly concerned with the use of technologies by repressive governments to undermine human rights, we are equally concerned with the role of companies in equipping those regimes and profiting from activities that threaten human rights. As the UN Guiding Principles on Business and Human Rights make clear, companies are independently obliged to respect human rights. They have the responsibility to avoid causing or contributing to adverse human rights impacts, and to address such impacts when they occur. Indeed, the European Commission (EC) ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights notes that companies may contribute to a harm, and therefore have a responsibility to cease such activity and engage in remediation, when they “provid[e] surveillance technology to a government that uses it to track and persecute human rights defenders, journalists or members of a minority group.”
We encourage Hacking Team and all companies involved in the surveillance technology industry to carefully consider the human rights impact of their products and services, the potential for complicity in government practices that violate human rights, and steps to address these concerns. The aforementioned EC ICT Sector Guide is one resource that companies can utilize in developing appropriate human rights policy commitments as well as due diligence and remediation measures.
* The statement that Hacking Team is “operating in full compliance with all relevant law” raises certain questions to which we urge you to respond publicly.
First, what precisely does Hacking Team consider to be the “relevant law”? Does the company include within that rubric international human rights law embodied in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the International Covenant on Economic, Social and Cultural Rights, or the European Convention on Human Rights? With the laws of which state or states does Hacking Team comply? How does it account for national laws that may conflict with international human rights law?
Second, does Hacking Team’s assertion of compliance with relevant law rely on the absence of precise law or regulations, given the novelty of the industry, that would control the production or sale of Hacking Team products? As articulated by United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression Frank La Rue in his April 2013 report to the UN Human Rights Council:
Offensive intrusion software such as Trojans, or mass interception capabilities, constitute such serious challenges to traditional notions of surveillance that they cannot be reconciled with existing laws on surveillance and access to private information. These are not just new methods for conducting surveillance; they are new forms of surveillance. From a human rights perspective, the use of such technologies is extremely disturbing. . . . Although it is clear that many States possess offensive intrusion software, such as Trojan technology, the legal basis for its use has not been publicly debated in any State, with the exception of Germany.
The lack of transparency and public debate surrounding the surveillance technology industry, and its close ties with the apparatus of state security, have resulted in legal and regulatory gray areas in which companies have thus far operated with relative impunity.
It is essential to note, however, that:
The responsibility to respect human rights is a global standard of expected conduct for all business enterprises wherever they operate. It exists independently of States’ abilities and/or willingness to fulfil their own human rights obligations, and does not diminish those obligations. And it exists over and above compliance with national laws and regulations protecting human rights.
Indeed, under the UN Guiding Principles on Business and Human Rights, “Where national law and human rights conflict, companies should respect the principles of internationally recognised human rights to the greatest extent possible in the circumstances. They should also be prepared [to] explain their efforts to do so.” We encourage Hacking Team and other companies in this industry to take a proactive and long-term view of legal compliance, particularly given that initiatives are currently underway at international, regional, and domestic levels to develop suitable controls for the surveillance technology trade.
* We applaud Hacking Team’s efforts to develop a customer policy that incorporates human rights considerations. The policy states that Hacking Team (HT) reviews potential customers before sales are made, assisted by “a panel of technical experts and legal advisors,” and that it will refuse to provide or cease providing products or services to entities that Hacking Team believes use its products to violate human rights. The policy also states: “Should questions be raised about the possible abuse of HT software in human rights cases, HT will investigate to determine the facts to the extent possible.”
While these are admirable commitments, we remain concerned that Hacking Team provides no further information regarding its implementation of the customer policy. In order to credibly invoke the customer policy, more transparency surrounding implementation is necessary (which could take any number of forms and need not identify clients). For example, what procedure is employed for customer reviews? Who sits on the review panel? Does that panel include civil society actors? The Hacking Team statement notes that the company has “refused to do business with agencies we felt might misuse our software”; can you elaborate on the reasons for and frequency of those refusals? And what investigation, if any, has Hacking Team undertaken concerning reports of misuse of the software in Saudi Arabia, the United Arab Emirates, Morocco, and against Ethiopian journalists in the United States?
To further strengthen respect for human rights in its business operations, Hacking Team may also wish to consider establishing an operational-level grievance mechanism (as enumerated in the UN Guiding Principles on Business and Human Rights and the EC ICT Sector Guide) for individuals that have experienced adverse human rights impacts caused or facilitated by Hacking Team technology. Such an effort could set an industry-leading positive example that may generate long-term success for your company.
* Additionally, if Hacking Team is in fact confident that its methods are beyond reproach, opening such methods to independent inspection should only strengthen the company and promote respect for human rights in the surveillance technology industry. We urge Hacking Team to enhance the transparency of its operations by publishing in full on its website the Hacking Team user manuals described in Citizen Lab’s report; all internal policies and procedures related to human rights; statistics regarding the sales and deployment of Hacking Team products as well as sales discontinued out of concern for misuse of the software; and an export control matrix indicating the product classifications relevant to Hacking Team. We note that your company has in the past sought patents worldwide — with the World Intellectual Property Organization under the Patent Cooperation Treaty, as well as in Europe, Canada, the United States, Singapore, Mexico, and Korea — thereby making public details regarding the operation of certain Hacking Team software. Confidentiality is therefore not an obstacle to beginning a public discussion of, at a minimum, those details.
Both Citizen Lab’s report and our ongoing research are intended to provide information that will advance the transparency and accountability that is sorely lacking from this industry. It cannot be denied that surveillance technologies have the potential to seriously impact individual human rights. If Hacking Team wishes to profit from such a business, we urge it to also accept its responsibility for the human rights impacts that business entails. We invite Hacking Team to contact us to discuss these issues in greater depth, and would welcome the opportunity for dialogue around measures to safeguard human rights.
Professor Ronald Deibert
Director, The Citizen Lab
Munk School of Global Affairs
University of Toronto
I was asked by the Dutch gov to co-chair a working group for their next Freedom Online Coalition meeting in 2015. We have now put out our call for expressions of interest. This is an opportunity to have civil society input into cyber security discussions. I’ll do my best to make sure the case is made loud and clear.
As cybersecurity becomes a critical issue on the international agenda, there is a growing need for an informed debate on the relationship between governance, security, and fundamental rights and freedoms online, involving all stakeholders. In this context, the working group “Internet free and secure” seeks to bring a human rights framing to ongoing debates on cybersecurity and aims to develop, through multistakeholder dialogue, meaningful outputs that feed into existing processes.
Within the above framing and building on the Tallinn Agenda, while drawing on the outcomes from NetMundial and acknowledging the ongoing discussions on roles and responsibilities of various stakeholders in internet policy debates, the preliminary framing for this WG is to explore and develop recommendations on how the multistakeholder approach could apply in the field of cybersecurity.
The proposed framing and exact output of the Group will be further refined by its members.
Structure and Membership
The work of the WG will be carried out by its members. The Group will consist of up to 15 selected individuals who will join the WG Co-chairs – the Dutch Government and Ron Deibert of Citizen Lab – and other FOC country members who have expressed interest in participating in the WG. Non-members of the WG will be able to input into the WG at various points in the process through physical meetings and online. Activities of the WG will be supported by the FOC Support Unit.
In an effort to bring a variety of perspectives to the table, the WG Co-chairs are now seeking expressions of interest from individuals and organisations to join the Working Group, help shape its framing, and carry out its work. To submit an expression of interest, please send a short motivation outlining how your experience and expertise could contribute to shaping the Group’s work and outcomes to email@example.com with a subject line “FOC – WG1 expression of interest_name surname”. The deadline for submissions is Friday, May 30th 2014. Please also indicate if you’re planning to attend the upcoming Stockholm Internet Forum and would be available for a short informal brainstorm to develop the framing of the working group.
Expressions of interest will be evaluated by the FOC Support Unit and WG1 Co-chairs, based on the following criteria:
* Quality of submission
* Relevance of experience and expertise
* Regional, gender, and stakeholder balance
Please note that participation in the Working Group is voluntary. Feel free to get in touch if you have any questions.
Working methods and timeline
The bulk of the WG’s work will be done remotely via email, with potential physical meetings on the margins of existing international events like the Internet Governance Forum. A detailed plan of work will be developed by WG members.
Group decisions and approval of final outcomes will be made by consensus among Group members.
The tentative end-date for the WG is the Global Conference on Cyberspace in spring 2015.
My TEDx Toronto talk has been posted. I discussed how there is a paradox today: as never before are we surrounded by so much technology, and, yet, as never before do we know so little about what goes on beneath the surface of that technology. I spoke about the Citizen Lab, and some of our research projects, and then encouraged everyone to become a hacker — in the original sense of the term: developing an ethic of experimentation and curiosity about cyberspace.
Canada recently issued a strategy for cyber security. I argue that the policy is thin on both commitments and specifics and left many issues unaddressed. The first part of my paper explores “the landscape of cyber security on a global level to give a ‘bird’s eye’ view of the scope of the issues in global cyberspace security and governance”, while the second part lays out some recommendations for “a comprehensive approach to Canadian cyber security following a ‘distributed security’ model that is inspired and derived from liberal democratic and traditional republican security traditions and thought.”
Looking forward to being a part of the TedXToronto event on October 25, 2012 at the Sony Centre for the Performing Arts, along with Shawn Micallef, Sonya JF Barnett, Heather Jarvis, and Joseph Cafazzo. Here is my video preview.
I will take part in RSA Conference’s Special Forum on the Future of Cyber Security and Active Defense with fellow panelists Jim Dempsey, Vice President for Public Policy, Center for Democracy and Technology; Lt. Gen. (Ret) Kenneth Minihan, Managing Director, Paladin; and General Michael Hayden, Principal, Chertoff Group. Jim Lewis, Program Director, Center for Strategic and International Studies, will be moderating. We’ll be discussing “active or dynamic defense”, an approach to proactively deal with cyber attacks.
The National Post’s Matt Hartley wrote a profile of the Citizen Lab‘s work on Iran, and my views on what Canada could be doing to protect and preserve an open Internet. We are fortunate to collaborate with ASL19 and other Iranians on our research and other projects. Hartley’s piece also mentioned my keynote presentation at the recent iConference 2012, which was an interesting experience.
It has been a busy week, with the release of our report – The Canadian Connection: An investigation of Syrian government and Hezbullah web hosting in Canada. The report covers a very delicate issue. We were very concerned about the findings as we came across them, and saw this as a case that could generate some much-needed discussion about the proper limits of intermediary liability and how to properly handle cases where an organization or entity’s services are being hosted in violation of sanctions. Furthermore, since Canada has sanctioned Addounia TV, as did the EU, for incitement of violence in Syria, we felt that it was important to bring the case to public attention.
(We probably could have picked a different title, as there is as much relevance to the United States as there is Canada, but it started out for us as a Canadian story, and so we kept the working title.)