My conversation with Edward Snowden

Earlier this week, I was fortunate to have a lengthy conversation with Edward Snowden.  The chat was held at Rightscon and moderated by Access’ Amie Stephanovich, and it is archived at the RightsCon website here: https://www.youtube.com/watch?v=yGDqXokPGiE

We covered many topics, and I learned a great deal about Ed’s positions, and also his eloquence and passion.  It is clear he has deeply held and sophisticated perspectives on security, rights, and freedom.  It is remarkable that the person who is the world’s most important whistleblower in the history of intelligence also happens to be so thoughtful and articulate.

We spoke about the Internet rights community, and the challenges of extending the values of that community to the broader public in a context where big data and state surveillance are overwhelmingly dominating.  I made the case for the value of evidence-based, mixed methods University research of the sort that Citizen Lab does to bring transparency and support human rights advocacy.  I described the various fellowship opportunities, and even recommended Ed apply for one as a remote fellow. 🙂

We also spoke about the status of the Snowden disclosures moving forward.  It is clear Ed thought carefully about how best to avoid prejudice concerning the analysis of the documents. Handing them over to third parties makes sense.  But now, the documents are largely in the possession of a single media organization and the process around access to them for outside interested parties is opaque and lacking in explicit rules that we can all acknowledge.  Opening the entire cache up to the public, on the other hand, would be irresponsible since there is still sensitive information in them that could put lives at risk.

A different model I proposed is to create a respected international independent advisory board that would oversee and adjudicate applications to the archives from journalists and researchers. Ed responded that discussions had been held with a University about taking the documents, but the University was naturally concerned about the liabilities of handling them. But I believe that is confusing things. Here we need to separate the physical location of the documents from the process of how to get access to them.  It does not matter where the documents are archived — whether that be in one or several locations — as long as they are secure.  What matters more is the process by which decisions are made as to who gets access to them.  Right now, it’s a bit of a mystery and based largely on personal connections revolving around one or two journalists and a few editors of a private company.  Moving forward, that needs to change.  It’s a matter of global public interest.

Thanks to Access Now for archiving it here: https://www.youtube.com/watch?v=yGDqXokPGiE

Wup Woh: Security Issues with Another China-based Browser

“Once is happenstance. Twice is coincidence. The third time, it’s enemy action” – Ian Fleming, Goldfinger

The Citizen Lab is releasing a new report today authored by Jeffrey Knockel, Adam Senft, and myself, entitled: “WUP! There It Is: Privacy and Security Issues in QQ Browser.”*   The report is a continuation of the research we have been doing on privacy and security issues in popular Asia-based applications, and in particular China-based mobile browsers. Previous Citizen Lab reports found major security and privacy issues in UC Browser and Baidu Browser.  We now find strikingly similar problems in a third Chinese application, QQ Browser.

As we detail at length in the report (based on Jeffrey Knockel’s reverse engineering and technical analysis), we find QQ Browser is collecting a lot of highly sensitive information about users (what a user is searching for and where they are located) and users’ devices (IMEI number, SIM card number, etc.) and then transmitting all of this data either completely unencrypted or in an easily decryptable format back to Tencent’s servers (Tencent is the parent company of QQ).

We also identify a major vulnerability in the software update process, which would allow any malicious actor to easily spoof the automatic browser update with malware and then completely take over a user’s device.  In our report, we demonstrate this vulnerability by installing Angry Birds.  We could have just as easily installed spyware as a software update — and then turned on the microphone and camera, harvested user information, sent spoofed emails or instant messages from the device, or changed any of its security settings.

The threats to users posed by the privacy and security issues we found are numerous and troubling, especially in a context like China.  The insecure transmission of highly sensitive user data means that any actor with visibility along any point of the networks through which QQ’s data passes (WiFi cafes, ISPs, telcos, etc.) could collect all of it and share it with anyone they want.  The software update vulnerability means that any of those same actors along any of those network paths could also trivially push a fake update to the device and take it over in the same way we did.  The collection and insecure transmission of very invasive persistent identifiers hard-baked into a user’s device (IMEI number, SIM card number, serial number) is a gold mine for law enforcement and SIGINT agencies, as clearly demonstrated in the Snowden disclosures – since they can use these device identifiers to track people as they move around — as most of us do — with devices in our pockets.

Most concerning of all, of course, is that these problems are situated in the context of China — a country with one of the world’s most extensive censorship and surveillance regimes; a country that compels all Internet companies, like Tencent, to turn over user data upon request to security services; a country that has recently passed a far-reaching anti-terrorism law that requires service providers to decrypt communications when the government asks; a country that is in the midst of a dramatic tightening up of laws and regulations around social media use; and a country that routinely incarcerates, detains, or harasses human rights activists, lawyers, and others the regime deems to be subversive, both within mainland China and abroad.

Why is QQ collecting all of this highly invasive user data and transmitting it back to its servers in an insecure fashion? And, why are three of the most popular mobile browser applications in China all suffering from nearly identical problems?

As with UC Browser and Baidu Browser, we engaged in a responsible notification process with QQ’s security engineers (who only partially fixed the issues), and then sent detailed questions to the parent company, Tencent, answers to which we promised to publish in full alongside our report.  At the time of publication, however, Tencent has not replied to those questions.

Without those answers, we can only speculate.  It could be that the engineers are all following the same sloppy security and aggressive data collection practices as a coincidence.  Or, it could be because sloppy security and aggressive data collection practices are the norm in the application development industry, and these engineers are just doing what’s normal.  But given the context in China described above, one cannot help but speculate that there is something else more nefarious going on.

Regardless of the reasons, the effect is the same: millions of users of these applications are exposed to serious, perhaps life threatening, privacy violations and security risks.

Read the full report here: https://citizenlab.org/2016/03/privacy-security-issues-qq-browser/

Read the Washington Post story here: http://wpo.st/skzP1

Read the Wall Street Journal story here: http://on.wsj.com/1ohHbIy

*The title “WUP! There It Is” is a reference to the insecure transmission of user data sent by QQ Browser across the network, which they designate as “WUP” requests.

Shifting Tactics, Same Results: Users at Risk

Citizen Lab is releasing a new report today entitled, “Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans,” authored by Jakub Dalek, Masashi Crete-Nishihata, and John Scott-Railton.

Tibetans have long suffered persistent cyber espionage.  Being perceived as one of the political thorns in the side of the Chinese regime means that all those sophisticated digital spying campaigns we hear often about targeting companies and governments in the West — Tibetans have faced them too.  When it comes to cyber attacks, in other words, they have been canaries in the coal mine.

Today, the Citizen Lab is releasing a new report that details the latest iteration in a long-running espionage campaign against the Tibetan community.  Using malware and emails shared with us by trusted partners in Tibetan communities, Citizen Lab researchers were able to track the evolution in attacker behaviour from document-based malware attacks of the sort many are familiar with (“don’t click on that attachment, it might contain malware!”) to phishing attacks that draw on “inside” knowledge and attempt to trick users into entering credentials into cloud based infrastructure, like Google Docs.

One interesting observation we make is that this shift in tactics maps onto changes in security behaviours that the Tibetans themselves made.  To protect themselves and their community, some years ago Tibetans began advocating against opening attachments (“Detach from Attachments”).  The attackers noticed, however, and altered their methods too.  The speed with which this change happened shows how difficult it is for groups like the Tibetans to remain safe online.

Once again, what we find hitting civil society overlaps with what the private sector has previously identified hitting their clients.  In this case, we connect the attack group’s infrastructure and techniques to a group previously identified by Palo Alto Networks, which they named Scarlet Mimic.   We add some detail about the command and control infrastructure and targeting of victims to the Palo Alto report.

The information vacuumed up by whomever is behind these attacks is sensitive, and in the hands of a well-resourced adversary like China could cause serious damage to the safety and security of individuals in Tibet and beyond. The extracted information could also be used in support of efforts to frustrate and isolate political groups in the Tibetan diaspora.

We conclude the report with several tips, tools, and tactics on how users can protect themselves against this type of attack.

The full report is here: https://citizenlab.org/2016/03/shifting-tactics

Update: Motherboard’s Lorenzo Franceschi-Bicchierai wrote up a great piece about it here: https://motherboard.vice.com/read/how-tibetans-are-fighting-back-against-chinese-hackers

Down on the Baidu

Today, the Citizen Lab is releasing a new report, “Baidu’s and Don’ts: Privacy and Security Issues in Baidu Browser.”

The report is the result of many weeks of careful analysis, led by Citizen Lab security researcher Jeffrey Knockel and co-authors Adam Senft and Sarah McKune and is part of Citizen Lab’s interest in analyzing the privacy and security issues involved with popular mobile applications.

Reuters has an exclusive story on the report here: http://www.reuters.com/article/baidu-vulnerability-idUSL3N1613VI

The report takes a close look at Baidu Browser, a popular China-based mobile application that is available in Windows and Android versions. What we found was very troubling.

Baidu Browser collects and transmits a lot of personal user data back to Baidu servers that we believe goes far beyond what should be collected, and it does so either without encryption, or with easily decryptable encryption. Data collected and transmitted in the Android version without any encryption includes a user’s GPS coordinates, search terms, and URLs visited. The user’s IMEI and nearby wireless networks are sent with easily decryptable encryption. Meanwhile, the Windows version sends search terms, hard drive serial number, network MAC address, title of all webpages visited and GPU model number.

That is a lot of fine-grained personally identifiable information about what a user is doing, where they are located, and their device.  Hard drive serial number? Really? What does the manufacturer of a mobile browser application need to know about the hard drive serial number of your device? Sending all of that information in the clear is a big problem too because it means anyone who operates any of the networks over which communication takes place (e.g., wifi, cell, ISP, telco providers) can see and log it too (more on that below).

We also found that neither the Windows nor the Android version of Baidu Browser protects software updates with code signatures, meaning an in-path malicious actor could cause the application to download and execute arbitrary code.

What does that risk represent in real terms? Say you had Baidu Browser loaded on your mobile device and you connected to a wifi hotspot controlled by a criminal, spy, or some other nefarious group, maybe at a conference hotel, a coffee shop, or an airport. People with access to those networks would have been able to send malware to your phone disguised as a Baidu update and take over your phone and do anything they want with it. (Thankfully, it appears this issue has now been fixed by Baidu after our security disclosure).
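The defence against the update problem described above is for the client to verify a signature over each update against a vendor public key pinned inside the app, so that whoever controls the network path cannot substitute their own payload. The following is an added illustration written for this post, not code from the Baidu report or from Baidu; the UpdatePackage type, the version-binding digest and the function names are my own assumptions, and the keys and payloads are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical update as a client would download it:
// the payload bytes plus a detached signature made by the vendor's key.
type UpdatePackage struct {
	Version string
	Payload []byte
	Sig     []byte
}

// ErrBadSignature is returned for any update whose signature does not
// verify against the pinned vendor key (unsigned, tampered, or replayed).
var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned vendor key")

// updateDigest binds the version string to the payload, so an in-path
// attacker cannot replay an old, correctly signed payload under a new version.
func updateDigest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator so "1.2"+"3..." and "1.23"+"..." differ
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor-side step: it runs on the release system that
// holds the private key, never on the client.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdatePackage {
	return UpdatePackage{
		Version: version,
		Payload: payload,
		Sig:     ed25519.Sign(priv, updateDigest(version, payload)),
	}
}

// VerifyUpdate is the client-side check against the public key shipped
// inside the application.
func VerifyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pinned, updateDigest(pkg.Version, pkg.Payload), pkg.Sig) {
		return ErrBadSignature
	}
	return nil
}

// ApplyUpdate models the installer gate: it only proceeds (here: returns the
// hex SHA-256 of the payload it would hand to the installer) when the
// signature checks out, and returns an error otherwise.
func ApplyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) (string, error) {
	if err := VerifyUpdate(pinned, pkg); err != nil {
		return "", err
	}
	sum := sha256.Sum256(pkg.Payload)
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	// Constructed vendor key pair; in practice only the public half ships in the app.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := SignUpdate(priv, "1.2.3", []byte("constructed genuine update payload"))
	digest, err := ApplyUpdate(pub, genuine)
	fmt.Println("genuine update:", digest, err)

	// An in-path actor swaps the payload but cannot produce a valid signature.
	tampered := genuine
	tampered.Payload = []byte("constructed substituted payload")
	_, err = ApplyUpdate(pub, tampered)
	fmt.Println("tampered update:", err)

	// Replaying a genuine old payload under a different version also fails.
	replay := genuine
	replay.Version = "9.9.9"
	_, err = ApplyUpdate(pub, replay)
	fmt.Println("replayed update:", err)
}
```

Transport encryption alone does not give this guarantee: TLS protects the path, but a signature pinned to the vendor's release key also protects against a compromised mirror or CDN, which is why signed updates and encrypted transport are complementary rather than interchangeable.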

On a methodological level, the findings show the value of reverse engineering – a method that is under pressure as companies get more and more litigious and copyright laws more stringent around just what individuals can do with devices and applications.  I have repeatedly argued that “lifting the lid” on the Internet is not only interesting from a research perspective, it is also a civic responsibility.  Of course not everyone can “lift the lid” on the Internet.  It requires a lot of skill of the sort Citizen Lab security researcher Jeffrey Knockel has, and which this report demonstrates.

After the last few reports where reverse engineering has figured prominently, I would like to propose a new rule: the more you take popular applications apart, the more scary the findings.

There are also some interesting lessons around the responsible disclosure process we undertook around this report (which is detailed in the report itself). We gave the company 45 days to address the issues, and then extended that deadline at their request. Baidu security engineers were very responsive, for the most part, and took our concerns very seriously.  We sent them questions prior to the report’s release, and Baidu’s International Communications Office sent back their reply, which we published here.

However, Baidu’s “fixes,” while correcting some critical problems, actually appear to have made some other things worse, and there are still some serious questions lingering about why they collect such highly invasive data about their users in the first place (about which the company feels it cannot transparently comment).

Of course, that Baidu is made in China and most of its users are there should raise alarm bells. China requires local companies like Baidu to retain and share user data without much of any kind of due process, transparency, or public accountability.  Did Baidu build their browser to hoover up all of this personal information at the request of the Chinese authorities? Did they do it for commercial reasons? Did they do it because of overzealous engineering choices?

In a way, it doesn’t matter. Whether poor design, or surveillance by design, it is the same effect: users are at risk.

The report also illustrates a series of larger concerns related to the multiplication of applications, devices, and “things” that are connected to each other and the Internet, and which follow us around relentlessly.  Insofar as applications such as these leak personally identifiable information, they become attractive targets for state intelligence agencies and other threat actors.  We know this from the Snowden disclosures and comments made by senior intelligence officials.  And you can bet if the FVEYs see it this way, other lower-tier countries and threat actors will do so eventually (if they are not already). Seemingly trivial bits of data leaked out that connect back to users become a very convenient “hook” or “selector” for intelligence analysts. With that IMEI number or serial number in hand, an analyst can go back in time and make connections with other individuals, places, points of data, or events that can be seriously incriminating. That may not matter to everyone who feels they have “nothing to hide” (although even in those cases people should still worry about crime, identity theft, etc.), but it can affect high risk users in life threatening ways.

All of this research underscores a pretty scary scenario we’re heading into, illustrated by one of the most remarkable aspects of the findings.   We discovered the software development kit at the heart of the Baidu Browser issue happens to be repurposed and employed in thousands of other applications developed by Baidu and third parties, affecting potentially hundreds of millions of users. Yes, hundreds of millions of potential users. Thousands of other applications, many of them available on the Google Play Store outside of China, and some of which have been installed hundreds of millions of times, contain the same flaws, and are sending back the same detailed information, to Baidu servers.

That means there is major collateral damage of the problems we identify that go well beyond Baidu browser, and beyond China.  This finding offers another reminder that the flaws in small but important chunks of code can ripple far and wide in the ecosystem of interconnected applications and devices (e.g., the Heartbleed OpenSSL case).

Read the full report here: https://citizenlab.org/2016/02/privacy-security-issues-baidu-browser/

Fitness Tracker Applications — Leaky, Insecure, and a Sign of the Times

Last week, the Citizen Lab in collaboration with Open Effect released a new report, “Every Step You Fake: A comparative analysis of fitness tracker privacy and security.” The report contains primarily the background, overview, methods and technical findings.  A subsequent report will include the policy and legal analysis that the team is presently completing.  Open Effect is a non-profit organization led by Citizen Lab research fellow Andrew Hilts, and one on whose board I presently serve.  We work together on a variety of projects in the area of privacy and security, and we’ll have more reports coming down the pipeline together beyond the work on Fitness Trackers. (Open Effect and Citizen Lab also worked together on the Access My Info project).

The “fitness tracker” topic may seem to be a bit of an outlier for us at the Citizen Lab, but lately we have become more and more interested in privacy and security of mobile applications. Part of it has to do with the refinement of reverse engineering and other technical analysis methods that inform several Citizen Lab projects.  A much broader concern of ours is around the privacy and security of the growing number of devices and applications that surround us in the so called “Internet of Things” ecosystem.  Obviously, the implications for consumers of these devices and applications are important from a privacy and security point of view.  But personally speaking, I find it very compelling to try to see how security holes, vulnerabilities, and other unintentional flaws could be exploited by government threat actors, putting users at risk.  Having spent considerable time studying the Snowden disclosures, I have been struck by how seemingly trivial leaks of users’ data can end up being routinely leveraged by SIGINT agencies.  A recent talk by the chief of the NSA’s TAO underscored this point well.  We leave a trail of digital droppings wherever we go, which in and of themselves may seem unimportant but when collated and analyzed together can reveal a lot.

One of the other interesting components of this report was the responsible notification process we undertook, and which is explained in the report. We notified the fitness tracker vendors who had security and privacy problems with their products, and only a few of them got back to us — until journalists reached out to them, that is.   Media strategy is important to creating positive outcomes of research, and this case illustrates it well.  (We gave an exclusive to CBC on the Fitness Tracker report for this reason). For example, although Garmin did not respond to our initial responsible disclosure, they did after the report came out. The updated version of their application seems to suggest they’ve implemented some basic security protocols that were lacking (ht Ryan Budish), which is a positive outcome of the research.


Canada’s Netsweeper in Yemen

A new Citizen Lab report was published yesterday morning on information controls during the ongoing armed conflict in Yemen.

The report shows in detail how a Canadian company’s technology, Netsweeper, is being used to filter critical political content, independent media websites, and all websites belonging to the Israeli (.il) top-level domain — a major expansion of Yemen’s censorship regime that was implemented following the takeover of Yemen’s capital, Sana’a, by the Houthis in September 2014.

The Shiite Islamic Houthis are one of many groups who have been fighting for power in the war-torn country of Yemen for many years.  Their slogan (which our report shows painted on the front gates of the country’s main ISP, YemenNet) is “Allah Akbar; Death to America, Death to Israel, A curse upon the Jews! Victory for Islam!”

Research for this report was undertaken over 10 months, and included in-country field research and highly detailed technical tests which referenced a wide spectrum of data. We were able to determine that most of the blocking of political and local news content by Netsweeper was undertaken in a non-transparent way, with fake network error pages delivered back to users instead of explicit block pages.  Beyond Internet censorship, we also found that manipulation of fuel supplies and disruptions to the electrical infrastructure are key ingredients of the armed conflict that aligned with the Houthis’ overall strategy of information denial in Yemen.

This report is a continuation of research we have done on Netsweeper providing services in questionable country contexts, including Pakistan and Somalia.

On October 9, 2015, Citizen Lab sent detailed questions [pdf] to Netsweeper about their provision of services to YemenNet, their human rights policies, and whether the company undertakes any due diligence, and notified them of our intent to publish a report.  We have included our letter to Netsweeper as an appendix to our report.  As of the time of publication, the company had not replied to us.

The full report is here: https://citizenlab.org/2015/10/information-controls-military-operations-yemen

Our press release is here: https://citizenlab.org/2015/10/netsweeper-censors-internet-yemen

The Globe and Mail: http://www.theglobeandmail.com/report-on-business/yemen-using-canadian-software-to-block-internet-access-amid-civil-war-report/article26898441/

Daily Beast: http://www.thedailybeast.com/cheats/2015/10/20/canadian-web-co-helps-yemen-censor-net.html

Motherboard: http://motherboard.vice.com/read/researchers-accuse-canadian-internet-company-of-helping-yemen-censor-the-web

Toronto Star: https://www.thestar.com/news/canada/2015/10/21/canadian-internet-filtering-company-accused-of-aiding-censorship-in-war-torn-yemen.html

Al Jazeera: http://america.aljazeera.com/articles/2015/10/22/yemen-rebels-using-canadian-software-to-censor-internet.html

New Citizen Lab Report: Are the Kids Alright?

Today, the Citizen Lab is releasing a new report, entitled: “Are the Kids Alright? Digital Risks to Minors from South Korea’s Smart Sheriff Application.”   South Korea is unique among all countries in having a legal mandate that requires parents whose minor children have mobile phone subscriptions to install a parental content filtering application.  A powerful industry consortium, the Korean Mobile Internet Business Association (MOIBA), had just such an application in hand ready prior to the law being introduced, called “Smart Sheriff.” Smart Sheriff provided a lot more than just content filtering: it went beyond the legal mandate to allow parents to monitor their minor children’s use and receive notifications if their minor children did anything to try and disable the application.

Earlier this summer, a group of researchers who participated in the 2015 Citizen Lab Summer Institute, as well as the European security company Cure53, got together and collaborated on an independent analysis of the application.  What we found was alarming: at least 26 different security vulnerabilities, including lack of industry-standard encryption, outdated software running on servers, and a lack of proper validation or passwords required to register and manage accounts.  All of these represent fundamental failures to follow standard practices for protecting user information and could seriously put minor children at risk.

We engaged in a process of responsible disclosure to the manufacturers of the application, giving them 45 days to patch the vulnerabilities before we released our report.  At this point, however, we are not confident that the problems have been fixed and we are urging South Koreans to cease using the application until an independent audit can be undertaken.

The research and the report are part of a larger interest we at the Citizen Lab have in understanding the privacy and security implications of mobile applications.

Our press release is here:

https://citizenlab.org/2015/09/press-release-security-privacy-issues-in-smart-sheriff-south-korea

The full report can be found here:

https://citizenlab.org/2015/09/digital-risks-south-korea-smart-sheriff

Open Letter to Hacking Team

Update: An open letter to Hacking Team following its statement on the Citizen Lab “Police Story” report

August 8, 2014

Dear Mr. Vincenzetti and team,

This letter is in response to a statement issued by Hacking Team that has recently come to our attention, concerning Citizen Lab’s report titled “Police Story: Hacking Team’s Government Surveillance Malware” (June 24, 2014). The statement[1] reads as follows:

Statement on Citizen’s Lab/Kaspersky report of June 24, 2014:

Hacking Team is aware of the ongoing efforts of Citizen’s Lab [sic] to attack our business by attempting to disclose confidential information, systems, and procedures that we use. This report is only their latest effort. It is evident that the primary complaint of the authors is about repressive government, however, Citizen’s Lab has chosen to target a private business operating in full compliance with all relevant law.

We believe the software we provide is essential for law enforcement and for the safety of us all in an age when terrorists, drug dealers, sex traffickers and other criminals routinely use the Internet and mobile communications to carry out their crimes. We sell only to government agencies such as police forces. We do not conduct digital investigations. Those are carried out by law enforcement and are, of course, entirely confidential as is any law enforcement investigation.

The June 24 report does not include our customer policy, however, we invite you to read the policy which describes the steps we take to avoid abuse of our software. We believe this policy is unique in our industry and a strong, good-faith effort to prevent misuse of our products. We have both refused to do business with agencies we felt might misuse our software, and we have investigated cases either discovered internally or reported in the press that suggest abuse. We can and have taken action in such cases, however, we consider the results of our investigations and the actions we take based on them to be confidential matters between us and our clients.

We write to address certain factual inaccuracies contained in this statement, as well as apparent misinterpretations by Hacking Team of the content and purpose of Citizen Lab’s report. We clarify those issues here, and present a few additional questions to Hacking Team that are raised by the statement:

* Your reference to the “Citizen’s Lab [sic] / Kaspersky report of June 24, 2014” suggests that we authored the report jointly with Kaspersky (though we note that the complaints lodged in the statement are directed solely at Citizen Lab). We prepared and issued our report independently of Kaspersky.

* Citizen Lab is an academic research institution housed at the Munk School of Global Affairs, University of Toronto, that engages in evidence-based research to document uses of technology with the potential to undermine human rights. We do not undertake our rigorous research, analysis, and reporting in order to “attack” the business of Hacking Team or any other company on which we have previously reported. Rather, we seek to provide concrete data that will inform discussions between civil society, policy makers, and the private sector, so that society can properly determine its stance on the capabilities and deployment of dual-use technologies that impact individuals around the world. While Hacking Team may “believe the software [it] provide[s] is essential for law enforcement and for the safety of us all,” in democratic societies, such a determination is best suited to an informed public debate rather than the closed-door deliberations of a private company. Unfortunately, equating efforts to promote such transparency and debate with an attack against the company only reinforces the impression that Hacking Team wishes to prevent human rights-related inquiries into its products and services.

* We also take issue with Hacking Team’s assertion that “the primary complaint of the authors is about repressive government.” While Citizen Lab is certainly concerned with the use of technologies by repressive governments to undermine human rights, we are equally concerned with the role of companies in equipping those regimes and profiting from activities that threaten human rights. As the UN Guiding Principles on Business and Human Rights make clear, companies are independently obliged to respect human rights.[2] They have the responsibility to avoid causing or contributing to adverse human rights impacts, and to address such impacts when they occur.[3] Indeed, the European Commission (EC) ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights notes that companies may contribute to a harm, and therefore have a responsibility to cease such activity and engage in remediation, when they “provid[e] surveillance technology to a government that uses it to track and persecute human rights defenders, journalists or members of a minority group.”[4]

We encourage Hacking Team and all companies involved in the surveillance technology industry to carefully consider the human rights impact of their products and services, the potential for complicity in government practices that violate human rights, and steps to address these concerns. The aforementioned EC ICT Sector Guide is one resource that companies can utilize in developing appropriate human rights policy commitments as well as due diligence and remediation measures.

* The statement that Hacking Team is “operating in full compliance with all relevant law” raises certain questions to which we urge you to respond publicly.

First, what precisely does Hacking Team consider to be the “relevant law”? Does the company include within that rubric international human rights law embodied in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the International Covenant on Economic, Social and Cultural Rights, or the European Convention on Human Rights? With the laws of which state or states does Hacking Team comply? How does it account for national laws that may conflict with international human rights law?

Second, does Hacking Team’s assertion of compliance with relevant law rely on the absence of precise law or regulations, given the novelty of the industry, that would control the production or sale of Hacking Team products? As articulated by United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression Frank La Rue in his April 2013 report to the UN Human Rights Council:

Offensive intrusion software such as Trojans, or mass interception capabilities, constitute such serious challenges to traditional notions of surveillance that they cannot be reconciled with existing laws on surveillance and access to private information. These are not just new methods for conducting surveillance; they are new forms of surveillance. From a human rights perspective, the use of such technologies is extremely disturbing. . . . Although it is clear that many States possess offensive intrusion software, such as Trojan technology, the legal basis for its use has not been publicly debated in any State, with the exception of Germany.

The lack of transparency and public debate surrounding the surveillance technology industry, and its close ties with the apparatus of state security, have resulted in legal and regulatory gray areas in which companies have thus far operated with relative impunity.

It is essential to note, however, that:

The responsibility to respect human rights is a global standard of expected conduct for all business enterprises wherever they operate. It exists independently of States’ abilities and/or willingness to fulfil their own human rights obligations, and does not diminish those obligations. And it exists over and above compliance with national laws and regulations protecting human rights.[5]

Indeed, under the UN Guiding Principles on Business and Human Rights, “Where national law and human rights conflict, companies should respect the principles of internationally recognised human rights to the greatest extent possible in the circumstances. They should also be prepared [to] explain their efforts to do so.”[6] We encourage Hacking Team and other companies in this industry to take a proactive and long-term view of legal compliance, particularly given that initiatives are currently underway at international, regional, and domestic levels to develop suitable controls for the surveillance technology trade.

* We applaud Hacking Team’s efforts to develop a customer policy that incorporates human rights considerations. The policy states that Hacking Team (HT) reviews potential customers before sales are made, assisted by “a panel of technical experts and legal advisors,” and that it will refuse to provide or cease providing products or services to entities that Hacking Team believes use its products to violate human rights. The policy also states: “Should questions be raised about the possible abuse of HT software in human rights cases, HT will investigate to determine the facts to the extent possible.”

While these are admirable commitments, we remain concerned that Hacking Team provides no further information regarding its implementation of the customer policy. In order to credibly invoke the customer policy, more transparency surrounding implementation is necessary (which could take any number of forms and need not identify clients). For example, what procedure is employed for customer reviews? Who sits on the review panel? Does that panel include civil society actors? The Hacking Team statement notes that the company has “refused to do business with agencies we felt might misuse our software”; can you elaborate on the reasons for and frequency of those refusals? And what investigation, if any, has Hacking Team undertaken concerning reports of misuse of the software in Saudi Arabia, the United Arab Emirates, Morocco, and against Ethiopian journalists in the United States?

To further strengthen respect for human rights in its business operations, Hacking Team may also wish to consider establishing an operational-level grievance mechanism (as enumerated in the UN Guiding Principles on Business and Human Rights[7] and the EC ICT Sector Guide[8]) for individuals who have experienced adverse human rights impacts caused or facilitated by Hacking Team technology. Such an effort could set an industry-leading positive example that may generate long-term success for your company.

* Additionally, if Hacking Team is in fact confident that its methods are beyond reproach, opening such methods to independent inspection should only strengthen the company and promote respect for human rights in the surveillance technology industry. We urge Hacking Team to enhance the transparency of its operations by publishing in full on its website the Hacking Team user manuals described in Citizen Lab’s report; all internal policies and procedures related to human rights; statistics regarding the sales and deployment of Hacking Team products as well as sales discontinued out of concern for misuse of the software; and an export control matrix indicating the product classifications relevant to Hacking Team. We note that your company has in the past sought patents worldwide — with the World Intellectual Property Organization under the Patent Cooperation Treaty, as well as in Europe, Canada, the United States, Singapore, Mexico, and Korea — thereby making public details regarding the operation of certain Hacking Team software. Confidentiality is therefore not an obstacle to beginning a public discussion of, at a minimum, those details.

Both Citizen Lab’s report and our ongoing research are intended to provide information that will advance the transparency and accountability that is sorely lacking from this industry. It cannot be denied that surveillance technologies have the potential to seriously impact individual human rights. If Hacking Team wishes to profit from such a business, we urge it to also accept its responsibility for the human rights impacts that business entails. We invite Hacking Team to contact us to discuss these issues in greater depth, and would welcome the opportunity for dialogue around measures to safeguard human rights.

Sincerely,

Professor Ronald Deibert
Director, The Citizen Lab
Munk School of Global Affairs
University of Toronto

________________
[1] Hacking Team did not publicly release this statement; rather, it appears to have sent the statement in response to specific inquiries made to the company regarding Citizen Lab’s June 24 report. See, e.g., Doug Bernard, “Saudi App Appears to Target Residents With Surveillance,” Voice of America, June 27, 2014, http://www.voanews.com/content/saudi-app-appears-to-target-residents-with-surveillance/1946570.html.
[2] Principle 11.
[3] Principles 11 and 13.
[4] Shift and the Institute for Human Rights and Business, European Commission ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights, June 17, 2013, http://www.shiftproject.org/publication/european-commission-ict-sector-guide, at pp. 74-75.
[5] See UN Guiding Principles on Business and Human Rights, Commentary to Principle 11.
[6] Shift and the Institute for Human Rights and Business, European Commission ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights, June 17, 2013, http://www.shiftproject.org/publication/european-commission-ict-sector-guide, at p. 53.
[7] Principle 29.
[8] Section 3-VI.

An Internet Free and Secure

I was asked by the Dutch government to co-chair a working group for their next Freedom Online Coalition meeting in 2015.  We have now put out our call for expressions of interest.  This is an opportunity to have civil society input into cyber security discussions.  I’ll do my best to make sure the case is made loud and clear.

Here is the call below:

https://www.freedomonlinecoalition.com/how-we-work/working-groups/working-group-1/

Feel free to circulate widely.

Working Group 1 – An Internet Free and Secure

As cybersecurity becomes a critical issue on the international agenda, there is a growing need for an informed debate on the relationship between governance, security, and fundamental rights and freedoms online, involving all stakeholders. In this context, the working group “Internet free and secure” seeks to bring a human rights framing to ongoing debates on cybersecurity and aims to develop, through multistakeholder dialogue, meaningful outputs that feed into existing processes.

Framing

Within the above framing and building on the Tallinn Agenda, while drawing on the outcomes from NetMundial and acknowledging the ongoing discussions on roles and responsibilities of various stakeholders in internet policy debates, the preliminary framing for this WG is to explore and develop recommendations on how the multistakeholder approach could apply in the field of cybersecurity.

The proposed framing and exact output of the Group will be further refined by its members.

Structure and Membership

The work of the WG will be carried out by its members. The Group will consist of up to 15 selected individuals who will join the WG Co-chairs – the Dutch Government and Ron Deibert of Citizen Lab – and other FOC country members who have expressed interest in participating in the WG. Non-members of the WG will be able to input into the WG at various points in the process through physical meetings and online. Activities of the WG will be supported by the FOC Support Unit.

In an effort to bring a variety of perspectives to the table, the WG Co-chairs are now seeking expressions of interest from individuals and organisations to join the Working Group, help shape its framing, and carry out its work. To submit an expression of interest, please send a short motivation outlining how your experience and expertise could contribute to shaping the Group’s work and outcomes to info@freedomonlinecoalition.com with a subject line “FOC – WG1 expression of interest_name surname”. The deadline for submissions is Friday, May 30th 2014. Please also indicate if you’re planning to attend the upcoming Stockholm Internet Forum and would be available for a short informal brainstorm to develop the framing of the working group.

Expressions of interest will be evaluated by the FOC Support Unit and WG1 Co-chairs, based on the following criteria:

  • Quality of submission
  • Relevance of experience and expertise
  • Regional, gender, and stakeholder balance

Please note that participation in the Working Group is voluntary. Feel free to get in touch if you have any questions.

Working methods and timeline

The bulk of the WG’s work will be done remotely via email, with potential physical meetings on the margins of existing international events like the Internet Governance Forum. A detailed plan of work will be developed by WG members.

Group decisions and approval of final outcomes will be made by consensus among Group members.

The tentative end-date for the WG is the Global Conference on Cyberspace in spring 2015.