Testimony Given to the House of Commons on Parliamentary Duties and the COVID-19 Pandemic

The following is testimony provided by Ronald Deibert to the Standing Committee on Procedure and House Affairs (PROC) on April 29, 2020.

I am Ron Deibert, Professor of Political Science and founder and director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs & Public Policy. Our research at Citizen Lab includes investigating digital espionage against civil society, documenting Internet filtering and other technologies and practices that impact freedom of expression online, analyzing privacy, security, and information controls of popular applications, and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities. I submit these comments in a professional capacity representing my views and those of the Citizen Lab.

As much of the world moves into work-from-home rules and self-isolation, technology has become an essential lifeline. However, this sudden dependence on remote networking has opened up a whole new assortment of security and privacy risks. In light of these sudden shifts in practices, it is essential that the tools relied on for sensitive and high-risk communications be subjected to careful scrutiny.

In what follows, I first provide a summary of the Citizen Lab’s recent investigation into the security of Zoom’s video conferencing application, and the company’s responses. I then discuss a broader range of digital security risks that are relevant to the work-from-home routines that MPs and their staff are following. Finally, I conclude with six recommendations.1

Citizen Lab Research on Zoom Security

On April 3, 2020, the Citizen Lab published a report on a technical analysis of the confidentiality of communications on the popular video chat application Zoom.2 On April 8, we released a follow-up report with details of a security vulnerability in Zoom’s waiting room feature.3

Our initial report found that the encryption in Zoom did not seem to have been well-designed or effectively implemented, and that its public documentation made several misleading claims about Zoom’s encryption protocols that did not match what we observed in our analysis. I invite those with interest to see the full details as outlined in our report.4

We also found potential security issues with Zoom’s generation and storage of cryptographic information. While based in Silicon Valley, Zoom owns three companies in China where its engineers develop the Zoom software. In some of our tests, our researchers observed encryption keys being distributed through Zoom servers in China, even when all meeting participants were outside of China. A company primarily catering to North American clients that distributes encryption keys through servers in China is very concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China.

In our report published on April 3, we noted that we also discovered a security issue with Zoom’s “waiting room” feature. Specifically, we found Zoom servers provided both the encryption keys and a live video stream of the Zoom meeting to all users in the meeting’s waiting room, even if the waiting users had not been approved to join the meeting. This issue would enable an arbitrary, unauthorized Zoom user in a waiting room to intercept and decrypt the “encrypted” video content.
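As an added illustration of the finding detailed in footnote 4 (a single AES-128 key shared by every participant and used in ECB mode), the following Go program is my own example, not Citizen Lab’s analysis code or anything from Zoom. It encrypts constructed, repetitive frame data under ECB and, for contrast, CBC, and counts how many distinct ciphertext blocks each mode produces; the key, plaintext, IV and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// blockSize is AES's fixed 16-byte block, regardless of key length.
const blockSize = aes.BlockSize

// demoKey is a constructed 16-byte key, i.e. AES-128: the key size the report
// observed in use, despite documentation that advertised "AES-256".
var demoKey = []byte("constructed-k3y!")

// sampleFrames is constructed stand-in plaintext: four identical 16-byte
// blocks, mimicking the repetitive structure of raw audio/video frames.
func sampleFrames() []byte {
	var out []byte
	for i := 0; i < 4; i++ {
		out = append(out, []byte("REPEATED-BLOCK!!")...)
	}
	return out
}

// keyBits reports which AES variant a key selects: 128, 192 or 256.
func keyBits(key []byte) int { return len(key) * 8 }

// ecbEncrypt encrypts each block independently under the same key. This is
// the behaviour the report observed: identical plaintext blocks produce
// identical ciphertext blocks, so plaintext structure survives encryption.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%blockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), blockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += blockSize {
		block.Encrypt(out[i:i+blockSize], plaintext[i:i+blockSize])
	}
	return out, nil
}

// ecbDecrypt is the inverse; anyone holding the one shared meeting key
// (every participant, and per the report even users in the waiting room) can run it.
func ecbDecrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%blockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ciphertext), blockSize)
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += blockSize {
		block.Decrypt(out[i:i+blockSize], ciphertext[i:i+blockSize])
	}
	return out, nil
}

// cbcEncrypt chains blocks through an IV, so repeated plaintext no longer
// yields repeated ciphertext. Shown for contrast only; a modern design would
// use an authenticated mode such as AES-GCM with a fresh nonce per message.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != blockSize || len(plaintext)%blockSize != 0 {
		return nil, fmt.Errorf("iv must be %d bytes and plaintext block-aligned", blockSize)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// distinctBlocks counts unique 16-byte blocks. A count far below the total
// is the pattern leak that makes ECB unsuitable for media streams.
func distinctBlocks(data []byte) int {
	seen := make(map[[blockSize]byte]struct{})
	for i := 0; i+blockSize <= len(data); i += blockSize {
		var b [blockSize]byte
		copy(b[:], data[i:i+blockSize])
		seen[b] = struct{}{}
	}
	return len(seen)
}

func main() {
	pt := sampleFrames()
	ecb, err := ecbEncrypt(demoKey, pt)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, blockSize) // constructed all-zero IV for a reproducible demo only
	cbc, err := cbcEncrypt(demoKey, iv, pt)
	if err != nil {
		panic(err)
	}
	total := len(pt) / blockSize
	fmt.Printf("key: AES-%d\n", keyBits(demoKey))
	fmt.Printf("ECB: %d distinct of %d blocks\n  %s\n", distinctBlocks(ecb), total, hex.EncodeToString(ecb))
	fmt.Printf("CBC: %d distinct of %d blocks\n  %s\n", distinctBlocks(cbc), total, hex.EncodeToString(cbc))
}
```

Under ECB the four identical input blocks come out as one repeated ciphertext block, which is exactly the structure an eavesdropper can read off an "encrypted" video stream.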

In response to our research and concerns raised by other parties, Zoom has taken a number of actions regarding security.5 Zoom has committed to a 90-day process to identify and fix security issues, including a third-party security review, enhancing their bug bounty program and preparing a transparency report.

In direct response to our research, Zoom acknowledged the concerns we raised about their use of non-industry standard encryption and committed to making improvements, including working towards the implementation of end-to-end encryption. Zoom also acknowledged that some Zoom users based outside of China would have connected to data centres within China, and indicated they had immediately put in place measures to prevent that from happening.

On April 8th, Zoom released a new version of their client that added additional security features. Zoom CEO Eric Yuan indicated in a video webinar that this new version fixed the waiting room security issue we identified.6 He also announced that Zoom had established a CISO Council and Advisory Board to assist with their privacy and security practices, and had hired former Facebook Chief Security Officer Alex Stamos as an advisor.

It is important to underscore that we did not test Zoom’s HIPAA/PIPEDA-compliant healthcare plan, or the ZoomGov software that is used by some government agencies. These platforms would require additional analysis.

While it is encouraging that Zoom is working to improve their product, the sudden reliance by a very large number of people on a platform that was never designed for highly-sensitive communications is symptomatic of a much larger set of problems related to work-from-home routines.7 It is imperative that we evaluate all of the risks associated with this sudden change in routines, and not just those associated with one particular application.

Security Risks Related to Work-From-Home Environments

Legislators working from home are connecting using devices, accounts and applications through widely differing home network setups, as are their staff. These networks may be shared with roommates and family members, whose own digital security practices could collaterally affect the security of the MP or staff member, and the devices being used are likely loaded with applications that can access large volumes of sensitive information. Whereas in the pre-COVID era these devices were routinely brought back into the government’s security perimeter, where sensors might detect aberrant network behavior, this will no longer be the case. Consequently, adversaries might linger on networks and devices indefinitely, and obtain more data from targets than in a pre-COVID world.

The communications systems that we rely on have rarely been designed with security in mind. Security has either routinely been regarded as slowing the speed of innovation or impossible to impose on essential systems that have chronic failings and which would require total redevelopment of communications infrastructures to become “secured.” The consequence is that there is a vast array of unpatched systems that leave persistent vulnerabilities for malicious actors to exploit. These risks extend right down into the most fundamental layers of our shared infrastructure. For example, telecommunications and cell phone networks still rely on a decades-old information exchange protocol, called SS7, that has been shown to be highly insecure and prone to abuse and illegal surveillance, including when second-factor authentication codes are sent over mobile phone networks.8

Meanwhile, governments and criminal enterprises have dramatically increased their capabilities to exploit this ecosystem for a variety of purposes. Almost all nation-states now have at least some “cyber espionage” capabilities, with many in the top tier being exceedingly well-resourced and routinely spending billions of dollars on clandestine influence and intelligence-gathering operations. There is a vast and poorly regulated private market for cyber security that includes numerous companies that provide “off-the-shelf” targeted espionage and mass surveillance services.9 Citizen Lab’s research has shown that the market for commercial spyware in particular is proliferating widely, and is highly prone to abuse (including being linked to targeted killings),10 with sophisticated hacking tools ending up in the hands of despots and dictators.11 These relationships may well open the door to the same tools being deployed against legislators and their staff in jurisdictions like Canada. As a result, the government must be wary of seemingly less competent adversaries punching well above their weight by using private and commercial hacking tools.

At the best of times, these problems present extraordinary challenges for network defenders. But parliamentarians and their staff are now at even greater risk. Not surprisingly, threat actors are already capitalizing on this new environment. Phishing and malware attacks have targeted and disrupted hospitals in the Czech Republic, the U.S. Department of Health and Human Services, and the World Health Organization. On April 14, a leading U.S. cybersecurity firm revealed that a “Canadian government health organization actively engaged in COVID-19 response efforts, and a Canadian university conducting COVID-19 research,” had been victims of ransomware attacks.12 These reports are likely only scratching at the surface.

While it is laudable that a platform like Zoom has received a lot of attention about security risks, we should not lose sight of the fact that our entire communications ecosystem contains numerous insecurities, and that there are a multitude of bad actors searching for and seeking to exploit them.

Recommendation #1: Where possible extend digital security resources developed for the House of Commons (HoC) to all Canadians

Remote work for the HoC will require a significant investment in additional digital security support, resources, and capacity. These teams were already engaged in actively protecting members of the HoC and are now dealing with a significantly broader set of home network and device setups, while simultaneously defending against a tsunami of targeted malware and other attacks that are outside of the government’s formal security perimeter.

To partially combat new threats, the CSE’s Canadian Centre for Cyber Security has begun sharing information with infrastructure providers to reduce the likelihood of phishing or malware successfully exploiting devices and systems.13 However, the details of this program (and others like it) presently lack public accountability or transparency, and it has not been independently audited. If these are rolled out without proper safeguards, such systems can end up undermining free expression, privacy, and other rights. Wherever possible, the HoC and the rest of government could share mitigation techniques or signatures with Canadian infrastructure owners in a transparent and accountable way to improve the home security of MPs and HoC staff, as well as that of all other residents of Canada.

Additionally, distributing and encouraging the use of educational tools to all parliamentarians, their staff, and all residents of Canada could help boost awareness and help mitigate risks.14

Recommendation #2: Evaluate and issue guidance on work-from-home best practices, including those for video conferencing applications.

The Government of Canada should issue detailed guidance on work-from-home best practices that includes a detailed evaluation of video conferencing applications. The latter could include recommendations on scenarios for use of some applications for specific purposes but not others. Such guidance could be made available to Canadians to assist medium and small businesses, as well as individual residents of Canada, in making decisions that are informed by security expertise from the government. Although some guidance has been issued already,15,16 it is dated and largely insufficient to the tasks at hand.

By way of contrast, the U.S.’s NSA has issued public guidance that identifies various criteria to consider when using a video conferencing service.17 These criteria include, inter alia, whether the service uses end-to-end encryption; whether it shares data with third parties; and whether or not the service’s source code has been shared publicly. Other assessments consider questions of transparency and privacy, for example whether firms issue transparency reports or have clear privacy policies.18

Recommendation #3: Support independent research on digital security and the promotion of secure communications tools.

At a time when daily life significantly depends on technological systems, there should be more high quality, independent research that scrutinizes these systems for privacy and security risks. To assure Canadians that the digital appliances and networks upon which they depend are secure, researchers must have the ability to dig beneath the surface of those systems, including into proprietary algorithms, without fear of reprisal.

Presently, researchers can come under legal threat when they conduct this research, to the detriment of improving security for all users, including MPs and their staff who are at home. As such, we recommend that the Government of Canada pass legislation which explicitly recognizes a public interest right to engage in security research, and prohibits organizations or individuals from legally threatening residents of Canada who are involved in such public interest research.

Recommendation #4: Implement a Vulnerability Disclosure Process for Government Agencies, including the House of Commons

Vulnerability disclosure policies (VDPs) establish terms and processes by which researchers can communicate the presence of vulnerabilities in organizations’ systems or networks without fearing legal repercussions. American institutions, such as the Department of Defense,19 have already adopted a VDP and additional American institutions are developing them. Canada should follow this model, so that researchers can identify vulnerabilities and work with the government of Canada to mitigate them, instead of declining to communicate them out of fear they may experience legal (or other) threats. This recommendation is in line with a report issued by the HoC Public Safety and National Security Committee in 2019, where it recommended that “the Government of Canada support responsible vulnerability disclosure programs.”20

Recommendation #5: Transparent and Accountable Vulnerabilities Equities Process

The Communications Security Establishment (CSE) currently has a process by which it evaluates whether to conceal the presence of computer software vulnerabilities for use in its own intelligence operations, or to disclose a given vulnerability to ensure that all devices are made secure from it. However, the CSE is formally alone in making decisions over whether to retain or disclose a vulnerability.

We recommend that the Government of Canada broaden the stakeholder institutions who adjudicate whether vulnerabilities are retained or disclosed, especially in light of the enhanced risk that all government workers are at given their work-from-home situation. We also recommend that the Government of Canada follow international best practice and release a full vulnerabilities equities process policy, so that residents of Canada can rest assured that the CSE and its government will not retain vulnerabilities that could seriously compromise the security of Canadians.

Recommendation #6: Support for Strong Encryption

In 2019, the HoC Public Safety and National Security Committee recommended that “the Government of Canada reject approaches to lawful access that would weaken cybersecurity.”21 Given the potential for adversaries to take advantage of poorly-secured devices and systems, we recommend that the Government of Canada support the availability of strong encryption so that MPs, their staff, and residents of Canada can be assured that the Government is not secretly weakening this life-saving and commerce-enabling technology, to the detriment of all Canadians and our allies.

  1. Thanks to Christopher Parsons, Lex Gill, and Josh Gold for comments and assistance.
  2. Bill Marczak & John Scott-Railton, “Move Fast and Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings,” The Citizen Lab, April 3, 2020, https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
  3. Bill Marczak & John Scott-Railton, “Zoom’s Waiting Room Vulnerability,” The Citizen Lab, April 8, 2020, https://citizenlab.ca/2020/04/zooms-waiting-room-vulnerability/
  4. In our report of April 3, we found that Zoom documentation claimed that the app uses “AES-256” encryption for meetings where possible. However, in our testing, a single AES-128 key was used in ECB mode by all meeting participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption. What this finding means is that the encryption in Zoom does not seem to have been well-designed or implemented.
  5. Colleen Rodriguez, “Zoom Hits Milestone on 90-Day Security Plan, Releases Zoom 5.0,” Zoom Blog, April 22, 2020, https://blog.zoom.us/wordpress/2020/04/22/zoom-hits-milestone-on-90-day-security-plan-releases-zoom-5-0/
  6. “Ask Eric Anything,” (YouTube Video), Zoom, April 8, 2020, https://www.youtube.com/watch?v=TeohYK-hsO4
  7. See John Scott-Railton, “Another Critical COVID-19 Shortage: Digital Security,” Medium. March 23, 2020, https://medium.com/@_jsr/another-critical-covid-19-shortage-digital-security-374b1617fea7
  8. Stephanie Kirchgaessner, “Revealed: Saudis suspected of phone spying campaign in US,” The Guardian, March 29, 2020, https://www.theguardian.com/world/2020/mar/29/revealed-saudis-suspected-of-phone-spying-campaign-in-us
  9. For further detail, see testimony by Ron Deibert on this subject to the Senate of Canada on November 30, 2016, here: https://sencanada.ca/en/Content/Sen/committee/421/ridr/52951-e.
  10. Research by The Citizen Lab has revealed several cases of targeted killings linked to targeted espionage and surveillance software, including the murder of Saudi journalist Jamal Kashoggi. For further information on this, and other cases, see for example: Miles Kenyon, “Dubious Denials & Scripted Spin: Spyware Company NSO Group Goes on 60 Minutes,” The Citizen Lab, April 1, 2019, https://citizenlab.ca/2019/04/dubious-denials-scripted-spin-spyware-company-nso-group-goes-on-60-minutes/.
  11. Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and Ron Deibert, “Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries,” The Citizen Lab, September 18, 2018, https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/.
  12. James McLeod, “Canadian coronavirus response workers targeted in ransomware attack, says U.S. cybersecurity report,” Financial Post, April 14, 2020, https://business.financialpost.com/technology/canadian-coronavirus-response-workers-targeted-in-ransomware-attack-u-s-firm
  13. Canadian Centre for Cyber Security, “Canadian Shield – Sharing the Cyber Centre’s Threat Intelligence to Protect Canadians During the COVID-19 Pandemic,” April 23, 2020, https://www.cyber.gc.ca/en/canadian-shield-sharing-cyber-centres-threat-intelligence-protect-canadians-during-covid-19.
  14. Some resources to consider include the Citizen Lab’s Security Planner (https://securityplanner.org/) and the Electronic Frontier Foundation’s Surveillance Self Defense project (https://ssd.eff.org/en).
  15. Canadian Centre for Cyber Security, “Considerations when using video-teleconference products and services,” April 3, 2020 (amended April 14), https://cyber.gc.ca/en/alerts/considerations-when-using-video-teleconference-products-and-services.
  16. Canadian Centre for Cyber Security, “Cyber Hygiene for COVID-19,” March 18, 2020, https://cyber.gc.ca/en/guidance/cyber-hygiene-covid-19.
  17. Existing assessments of various video teleconferencing applications could be built on. See, for example, guidance from the US National Security Agency issued on April 24, 2020: (https://media.defense.gov/2020/Apr/24/2002288652/-1/-1/0/CSI-SELECTING-AND-USING-COLLABORATION-SERVICES-SECURELY-LONG-FINAL.PDF).
  18. See, for example, assessments by Freedom of the Press (https://freedom.press/training/blog/videoconferencing-tools/) and Google engineer Gary Belvin (https://medium.com/@gdbelvin/covid-19-and-cybersecurity-e9ee5cba6de7)
  19. Department of Defense Cyber Crime Center, “DoD Vulnerability Disclosure Program (VDP),” November, 2016, https://www.dc3.mil/vulnerability-disclosure.
  20. SECU, “Report 38: Cybersecurity in the Financial Sector as a National Security Issue”, Adopted by the Committee June 17, 2019, https://www.ourcommons.ca/Committees/en/SECU/StudyActivity?studyActivityId=10450263. See recommendation 7, page 38.
  21. SECU, “Report 38: Cybersecurity in the Financial Sector as a National Security Issue”, Adopted by the Committee June 17, 2019, https://www.ourcommons.ca/Committees/en/SECU/StudyActivity?studyActivityId=10450263. See recommendation 8, page 39.
  22. Lotus Ruan, Jeffrey Knockel, and Masashi Crete-Nishihata, “Censored Contagion: How Information on the Coronavirus is Managed on Chinese Social Media,” The Citizen Lab, March 3, 2020, https://citizenlab.ca/2020/03/censored-contagion-how-information-on-the-coronavirus-is-managed-on-chinese-social-media/.

Endless Mayfly: an invasive species in the social media ecosystem

Bring up the topic of social media and state-sponsored disinformation, and most people think reflexively of Russian interference in the 2016 U.S. election. As the Mueller report recently affirmed, Russian entities operated a sweeping and systematic social media “active measures” campaign designed to sow division and support Donald Trump leading up to the election.

But what may be less appreciated is just how many other actors in countries and regions all over the world are now undertaking social media influence operations, each with their own unique objectives, flavour, and style. In India, for example, citizens “are bombarded with fake news and divisive propaganda on a near-constant basis from a wide range of sources.” In Myanmar, it is now widely acknowledged that Facebook was used to incite genocide. Throughout Africa, hoaxes, disinformation, and spoofed articles circulate so widely that they are now commonplace; one study found that an alarming 38% of Kenyans, 28% of Nigerians, and 35% of South Africans surveyed acknowledged having shared stories which they knew to be fake.

Indeed, it is fair to say that social media has quickly become what Citizen Lab’s John Scott-Railton has described as a giant “disinformation laboratory.” Multiple actors in just about every region of the world are now experimenting with new techniques to sow disinformation, spread inauthentic narratives, project power and influence, and undermine adversaries. Given this new reality, it is imperative that researchers carefully dissect as many different disinformation operations as can be found to better understand the innovations in tactics, techniques and procedures in this quickly evolving terrain.

Enter “Endless Mayfly.” Endless Mayfly is the name we have given to “an Iran-aligned network of inauthentic personas and social media accounts that spreads falsehoods and amplifies narratives critical of Saudi Arabia, the United States, and Israel.”

Endless Mayfly is but one among many invasive species in the social media ecosystem. What distinguishes it from others, however, is a technique we dubbed “ephemeral disinformation.” Endless Mayfly publishes content on websites it creates that impersonate legitimate media outlets, like Le Soir or the Guardian, using a variety of typosquatting and domain spoofing techniques (e.g., bloomberq[.]com instead of bloomberg[.]com).

Inauthentic personas managed by Endless Mayfly, with names such as “Brian Hayden” or “Mona A. Rahman,” then attempt to amplify the content over social media, by circulating it themselves, or by privately and publicly engaging journalists and others over social media.

But Endless Mayfly’s real innovation comes in the form of its use of ephemerality. Once Endless Mayfly’s carefully constructed content achieves some degree of social media pickup, the spoofed articles are permanently deleted and the links are altered to redirect to the legitimate domain being impersonated.

Click on the link to one of Endless Mayfly’s inauthentic Guardian articles, for example, and after a period of time a user is taken to the legitimate Guardian website instead.

What happened to the original article? “Perhaps it’s the Guardian’s fault?” one might wonder. Who’s to say? In our data-saturated, always-on world, who has the time to find out? Endless Mayfly’s operators appear to be banking on social media users’ short attention spans and our inclination to trust headlines associated with what appear to be credible sources, rather than dig deeper to verify facts from the ground up ourselves.

In total, we found Endless Mayfly created 72 of these fake domains, many of which were used to host 135 of their inauthentic articles. Some of these domains the operators appear to have kept in reserve for future operations, like theglobalandmail[.]org (instead of .com), which was registered by Endless Mayfly but not employed in a specific campaign.
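The defensive counterpart to the typosquatting and TLD-swapping described above is to screen incoming links against the real brand domains. The following Go program is my own added example, not Citizen Lab’s tooling: it refangs the defanged notation used in this post and flags the two lookalike domains named here against a constructed allow-list of the outlets impersonated; the list, the edit-distance thresholds and all function names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// legitimateOutlets is a constructed allow-list of the real domains of the
// outlets this post says were impersonated, as a defender would maintain them.
var legitimateOutlets = []string{
	"bloomberg.com",
	"theguardian.com",
	"lesoir.be",
	"theglobeandmail.com",
}

// Verdict explains why a candidate domain was flagged against a known brand.
type Verdict struct {
	Candidate string // refanged hostname that was examined
	Legit     string // the brand domain it resembles
	Reason    string // "tld-swap", "lookalike-label", or both
	Edits     int    // edit distance between the registrable labels
}

// refang converts the defanged notation used in the post (bloomberq[.]com)
// back into a plain lowercase hostname.
func refang(s string) string {
	return strings.ToLower(strings.TrimSpace(strings.ReplaceAll(s, "[.]", ".")))
}

// splitDomain separates the registrable label from its suffix. It treats only
// the last label as the suffix, so multi-part suffixes such as co.uk would
// need a public-suffix list in production.
func splitDomain(host string) (label, suffix string) {
	i := strings.LastIndex(host, ".")
	if i < 0 {
		return host, ""
	}
	return host[:i], host[i+1:]
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein is the classic edit distance (insert, delete, substitute),
// computed with two rolling rows.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// classify compares one candidate against the allow-list. It returns true
// when the candidate is a close impostor of a listed brand; an exact brand
// match or an unrelated name returns false.
func classify(candidate string, legit []string) (Verdict, bool) {
	host := refang(candidate)
	cl, cs := splitDomain(host)
	for _, l := range legit {
		if host == l {
			return Verdict{Candidate: host, Legit: l, Reason: "exact-match"}, false
		}
	}
	for _, l := range legit {
		ll, ls := splitDomain(l)
		d := levenshtein(cl, ll)
		switch {
		case d == 0 && cs != ls:
			// Same brand label under another suffix, e.g. .org instead of .com.
			return Verdict{Candidate: host, Legit: l, Reason: "tld-swap"}, true
		case d > 0 && d <= 2 && d*4 <= len(ll):
			// One or two edits on a reasonably long label (bloomberq vs bloomberg).
			// The length guard stops short labels from matching almost anything.
			reason := "lookalike-label"
			if cs != ls {
				reason += "+tld-swap"
			}
			return Verdict{Candidate: host, Legit: l, Reason: reason, Edits: d}, true
		}
	}
	return Verdict{Candidate: host}, false
}

func main() {
	// Constructed sample: the two domains named in the post plus two controls.
	for _, c := range []string{"bloomberq[.]com", "theglobalandmail[.]org", "bloomberg[.]com", "example[.]com"} {
		v, suspicious := classify(c, legitimateOutlets)
		if suspicious {
			fmt.Printf("%-24s FLAG  resembles %s (%s, %d edits)\n", v.Candidate, v.Legit, v.Reason, v.Edits)
		} else {
			fmt.Printf("%-24s ok\n", v.Candidate)
		}
	}
}
```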

Did it work? It is difficult to measure whether this technique had much of an impact. Quantitatively, engagement with the links to their various articles, accounts, and personas was modest at best. But on several occasions, Endless Mayfly’s inauthentic content was picked up by mainstream media, creating significant confusion. In one instance, for example, Washington Post columnist Anne Applebaum stumbled upon part of Endless Mayfly’s operation and wrongly attributed it to yet more Russian malfeasance.

In terms of our own attribution, we determine with moderate confidence that Endless Mayfly is linked to Iran. This level of confidence is based on “the overall framing of the campaign, the narratives used, and indicators from overlapping data in other reports.” In terms of the latter, in August 2018 accounts and pages associated with Endless Mayfly were deactivated by Facebook in coordination with FireEye, and FireEye traced back registration information and other indicators to Iranian origins. But beyond that circumstantial evidence, we have no “smoking gun” that proves Endless Mayfly is an operation run by the Iranian state itself.

The technique of ephemerality pioneered by Endless Mayfly presents major challenges to researchers, policymakers, and others hoping to investigate and mitigate disinformation operations. Deliberately hiding one’s tracks in this way makes it harder to pin down, analyze, and trace the origins of a malicious campaign, let alone verify the truth-claims and other content that may be getting social media traction. If it becomes a popular tool in the disinformation toolkit, it could sow serious short-term confusion in social media spaces.

In the end, Endless Mayfly’s biggest accomplishment may not be around its principal objective, which was apparently to undermine Iran’s adversaries. It may have more to do with contributing in yet one more way to the ongoing poisoning of our social media public sphere.

When it comes to cyber security, it is usually the technological layer that gets the most attention, like risks to critical infrastructure and other technical systems. But what about the social and cultural layer? In fact, it may be in this layer where the most intense geopolitical struggles and malicious experimentations are taking place. Given the properties of social media — which as presently constituted favor lewd, salacious, and shocking information — it may also be the layer that is most challenging to defend.

We have no simple remedy to the problems that operations like Endless Mayfly pose, other than to undertake more research, refine our methods, and collaborate with others to better understand the evolving terrain of social media disinformation. To that end, alongside our report, we are publishing a major disinformation research bibliography compiled and annotated by Citizen Lab fellow Gabrielle Lim.

Read the main report here: https://citizenlab.ca/2019/05/burned-after-reading-endless-mayflys-ephemeral-disinformation-campaign

Our annotated bibliography of disinformation research is here: https://citizenlab.ca/wp-content/uploads/2019/05/Disinformation-Bibliography.pdf

Citizen Lab on 60 Minutes

Doing the “60 Minutes Stroll” with correspondent Lesley Stahl

Last week, 60 Minutes broadcast an episode entitled “Pegasus” focusing on the controversies surrounding Israeli-based commercial spyware vendor, NSO Group. The episode profiled Citizen Lab’s work, and featured interviews with myself and my Citizen Lab colleague, Bill Marczak.

My Citizen Lab colleagues and I published an analysis of the episode today, highlighting some revelations and providing some broader context.

Read our post here: https://citizenlab.ca/2019/04/dubious-denials-scripted-spin-spyware-company-nso-group-goes-on-60-minutes/

And in case you missed it, the full episode and transcript are available online here:



Another Journalist in Mexico a Target of NSO Group’s Spyware


Today, Citizen Lab is publishing a new report, entitled “Reckless VII: Wife of Journalist Slain in Cartel-Linked Killing Targeted with NSO Group Spyware.” This report continues our investigation of the abuse of commercial spyware manufactured by Israeli company NSO Group. Working with our partners in Mexico, we are now able to confirm that Griselda Triana, a journalist and the wife of Javier Valdez, a journalist who was assassinated while investigating Mexican cartels, was herself targeted with fake SMS messages in the days after her husband’s murder. The SMS messages she received in May 2017 purported to reveal details about the motive behind the murder, and other upsetting updates. We were able to connect the links in both messages to domains that we can verify were at the time part of NSO Group’s exploit infrastructure. Although she did not click on the links, doing so would have immediately infected her phone with NSO Group’s Pegasus spyware, providing the operators complete control of her device. Notably, she was targeted a week after two of Javier’s colleagues were also targeted with Pegasus spyware.

The targeting of Griselda Triana brings the total number of confirmed NSO Group targets in Mexico to 25. NSO Group markets its spyware as a tool strictly limited to government agencies to assist in anti-terror and criminal investigations. None of the 25 targets we identified were criminals or terrorists; rather, they were anti-corruption investigators, advocacy groups, health scientists and researchers, investigators into mass disappearances, and journalists.

NSO Spyware in Mexico: Claims vs Reality

It is notable that NSO Group has bragged about how its Pegasus spyware was used in Mexico to investigate drug cartels and was instrumental in the arrest of El Chapo. However, here we find it was used the other way around: to target individuals who were investigating drug cartels and government corruption. These cases add yet more weight to the mountain of evidence that NSO Group’s surveillance technology is being abused by its clients, and the company is either unwilling or unable to perform the type of due diligence to prevent that from happening.

Tackling The Proliferation of Commercial Spyware

What is to be done about the proliferation and harm caused by commercial spyware such as this? Many point to the need for government regulations, such as tighter export controls. But lacking political will, these are unlikely to be properly enforced. As it stands, NSO Group’s sales are reportedly approved by the Israeli Ministry of Defense, and they did not seem to take issue with the company selling its wares to a rogue’s gallery of autocratic rulers in spite of widespread public reporting of abuse.

Litigation is another avenue that might help bring about reform of companies’ practices. For example, NSO Group is currently embroiled in several lawsuits. Should those succeed and the company is fined or otherwise penalized in a significant manner, ownership groups may decide the liabilities are too steep to continue with business as usual. (As a significant aside, several weeks ago two Citizen Lab staff were targeted by undercover operatives reportedly with links to the Israeli-based private intelligence firm Black Cube. We organized a counter-sting with Associated Press to expose the operation. NSO Group strictly denies it hired Black Cube (if indeed it was them), and we have no solid evidence linking them to the operation. However, the operatives asked us about our research on the spyware vendor and they also attempted to entrap four other individuals around the world all of whom happen to be linked by their involvement in litigation against NSO.)

Communications with NSO Group

We have communicated several times to NSO Group, its previous majority owner, Francisco Partners, and the new ownership group that is seeking to acquire NSO Group, Novalpina Capital, led by Mr. Stephen Peel. The new group has made public statements espousing principles of corporate social responsibility, and has pledged to steer NSO Group sales according to the UN Guiding Principles on Business and Human Rights. However, they have systematically failed to acknowledge the numerous cases of abuse that we and others, including Amnesty International, have identified. Until they do so, these pledges will sound like the same old empty promises that NSO Group, and other spyware companies, have made in the past about “ethics committees” and other oversight mechanisms that allegedly review sales and prevent abuse. It is long past due to turn words into deeds, to acknowledge the facts and undertake real reform to prevent harm.

Submission of the Citizen Lab to the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression

In 1993, the United Nations Commission on Human Rights established the mandate of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression. The current Special Rapporteur is Mr. David Kaye.

Mr. Kaye recently issued a call for submissions on the topic of the surveillance industry and human rights. The call noted that government and non-governmental actors have increasingly used digital surveillance technologies to undermine human rights and sought information on regulatory frameworks for surveillance technologies, on the use of surveillance technologies against individuals and civil society, and on the policies and practices of private companies in this industry.

Over the years, Citizen Lab research has documented the abusive deployment of spyware manufactured and sold by private companies. Our submission first provides a review of our technical research into the application of sophisticated spyware technology sold by NSO Group Technologies Ltd., Cyberbit Ltd., FinFisher GmbH, and Hacking Team S.r.l (a subset of our research on targeted digital threats). Based on this research, and investigations by other organizations into the spyware industry, we have identified a number of overarching practices of concern within the industry that we believe urgently need to be addressed:

  1. The apparently unchecked sale of spyware to authoritarian and repressive governments with poor human rights records;
  2. The justification of such sales by private companies on the basis that they sell exclusively to sovereign nations and with the sole purpose of clients engaging in lawful use;
  3. A non-transparent business environment which insulates companies in the industry from public scrutiny and effective regulation; and,
  4. Private companies in this industry operating in violation of norms and rights set out in the International Covenant on Civil and Political Rights, the Universal Declaration of Human Rights, and the UN Guiding Principles on Business and Human Rights.

In order to assist the Special Rapporteur, we have also articulated a number of recommendations which we hope will inform the Special Rapporteur’s forthcoming report. These recommendations stress the importance of continued support for research into the spyware industry and the need to identify and define high priority practices of concern within the industry, as well as the broader aims of industry reform. Further, we recommend that the Special Rapporteur issue a report describing a comprehensive accountability framework that considers the effectiveness of, and changes necessary to, all available mechanisms for ensuring accountability (e.g. regulation, litigation, due diligence requirements for companies, and export controls) and call on States to do more to protect against human rights abuses in this area, with specific actions that should be taken.

The full report can be found here.

Slain Mexican Journalist’s Colleagues Targeted With NSO Spyware

Photo Source: ContraLínea.com.mx

Javier Valdez Cárdenas was an award-winning Mexican investigative journalist known for his reporting on drug trafficking and organized crime. As with dozens of other investigative journalists in Mexico, Cárdenas’ brave reporting ended up having lethal consequences. On May 15, 2017 around noon, Cárdenas was forcibly removed from his vehicle and gunned down on the street, steps away from the offices of Río Doce, the newspaper he founded.

Our latest Citizen Lab report shows that in the days after his death, two of Cárdenas’ colleagues at Río Doce — Andrés Villarreal and Ismael Bojórquez — each received carefully crafted text messages on their iPhones containing links to highly sophisticated surveillance technology sold by Israeli-based “cyber warfare” company, NSO Group. Had they clicked on the links, the operators of the spyware would have been able to silently take over their devices and monitor everything they do, including intercepting emails and text messages (even encrypted ones), turning on the camera, and silently recording audio.

NSO Group claims that they sell their powerful surveillance technology only to governments to be used strictly for legitimate law enforcement and national security investigations, and have a strict oversight mechanism to ensure their technology is not abused. They also claim that they have rescinded sales to clients who are caught abusing their product. (As is customary, we sent NSO Group a letter prior to publication detailing the findings of this report and offering to publish their response in full, but we have received no reply).

Instead, as this latest case and numerous past reports we and others have published show, their technology is being used repeatedly to target members of civil society, including lawyers, health scientists, human rights defenders, activists, and journalists. These two additional targets bring the total number of individuals we (and our Mexican civil society partners R3D, Article19, and Social Tic) have been able to identify who were targeted with NSO Group spyware in Mexico to 24. None of them are either criminals or terrorists by any reasonable, rights-respecting legal standard.

Of particular concern with this latest report is yet more evidence of the abuse of NSO Group spyware to specifically target journalists and those associated with journalists. The targeting of Cárdenas’ colleagues mere days after his assassination suggests the operators were interested in what the journalists knew about who was responsible. Our prior reporting has shown several other Mexican journalists investigating murders or corruption were targeted with NSO Group spyware in much the same way. In one case, the minor child of Mexican journalist Carmen Aristegui was repeatedly sent text messages laden with NSO Group spyware links in an attempt to infect his phone — while he was attending boarding school in the United States.

Beyond Mexico, there is now growing evidence that NSO Group’s spyware was also potentially implicated in the murder of exiled Saudi dissident and Washington Post journalist Jamal Khashoggi. On October 1, 2018, we published a report detailing our discovery that the iPhone of Canadian permanent resident Omar Abdulaziz was infected with NSO Group spyware. Forbes followed up our report showing that London-based Saudi dissident Ghanem Almasarir had his phone targeted by the same Saudi operator we had earlier identified as targeting Omar Abdulaziz. Notably, both Omar Abdulaziz and Ghanem Almasarir were collaborating with Jamal Khashoggi around social media activism, and were reportedly viewed by Saudi Crown Prince Mohammed bin Salman as major threats.

The reckless and abusive use of commercial spyware to target journalists, their associates, and their families adds to the numerous and growing risks that journalists worldwide now face. Media organizations and investigative journalists are valuable “soft” targets who control important information, including information on sources, that threaten powerful actors. Thanks to companies like NSO Group, unscrupulous dictators and autocrats now have a powerful tool to aid in their sinister aims to stifle dissent and quell controversial reporting.

What is to be done? Unfortunately, liberal democratic governments who ostensibly support human rights and could take concerted action against the proliferation of commercial spyware seem unwilling to address the problem squarely. For example, in spite of the Citizen Lab’s discovery of apparent espionage by Saudi Arabia against a Canadian permanent resident using Israeli-made spyware — seemingly a significant violation of Canada’s sovereignty — the Trudeau government has only barely acknowledged our report possibly out of concern to not offend either Israel or Saudi Arabia (with whom Canada has weapons deals). Meanwhile, Donald Trump’s constant maligning of the press as the “enemy of the people,” and his decision to throw Khashoggi under the bus in favour of naked realpolitik calculations, shows clearly where the United States stands.

What about Israel, the sovereign jurisdiction in which NSO Group is headquartered? Earlier this week, Haaretz published a detailed investigation showing NSO Group may have sidestepped Israeli government export controls and negotiated a sale with Saudi Arabia directly. Revelations such as these may trigger greater scrutiny by the Israeli public and official regulators to strengthen export controls that are apparently very lax, if not ineffective altogether. However, in light of the close links between the Israeli government and the surveillance industry, and the strategic benefits that undoubtedly accrue to Israeli decision makers from the export of such technologies, I wouldn’t hold my breath in hope of something happening there either.

But the lack of government action does not mean there are no avenues left for recourse. The growing number of cases of harm caused by the abuse of commercial spyware we and others have documented may provide strong grounds for civil litigation and / or criminal prosecution. Indeed, NSO Group is currently facing two separate lawsuits (one of which was brought by Mexican journalists and activists), and one of its competitors, UK-based Gamma International Ltd, is the subject of another in the United Kingdom.

Should these legal efforts succeed in bringing real costs to bear on owners, they may prove to be the most effective remedy for the abuses of the commercial spyware market.

Until such time, we are now facing a crisis rich in terrible irony: a service marketed to government clients to assist in “cyber security” is quickly becoming one of the greatest sources of widespread insecurity instead.

Saudi-linked Cyber Espionage Against Canadian Victim Discovered

Figure 1: The Royal Embassy of Saudi Arabia to Canada (September 2018; Credit: Ron Deibert)

Today, the Citizen Lab is publishing a major new report, “The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil,” by Bill Marczak, John Scott-Railton, Adam Senft, Bahr Abdul Razzak, and myself.

Our report details how we discovered Canadian permanent resident and Saudi dissident Omar Abdulaziz was targeted with a fake SMS message and his phone infected with spyware manufactured by Israeli-based “Cyber Warfare” company, NSO Group. We attribute this infection to a spyware operator linked to Saudi Arabia.

The research for this report builds on our recently published “Hide and Seek” report, led by the Citizen Lab’s Bill Marczak, in which we detailed the results of more than two years of Internet scanning into NSO Group’s command and control infrastructure. That scanning revealed more than 45 countries in which we found infected devices “phoning home” to NSO Group’s infrastructure, operated by more than 30 likely government clients — many of them with highly problematic human rights issues.

Among those live infections was a particularly noteworthy one: a Saudi-linked operator, which we call KINGDOM, monitoring an infected device in Quebec, Canada. The surveillance of a victim in Canada is particularly intriguing as it takes place in the midst of a serious diplomatic dispute between Canada and Saudi Arabia that was triggered by tweets critical of Saudi Arabia’s human rights record sent by Canadian Foreign Affairs Minister, Chrystia Freeland, and by the official Twitter account of Global Affairs Canada.

Based on Saudi Arabia’s poor human rights track record and its prior history of abuse of spyware (including by the very same KINGDOM operator), we hypothesized that the target in Quebec would be a person or group connected to Saudi political activism. We then reached out to contacts in the Saudi diaspora and human rights communities to try to identify the target. Remarkably, we succeeded.

Omar Abdulaziz is a Canadian university student, and a prominent Saudi activist who sought and received asylum in Canada in 2014 after Saudi Arabia revoked his scholarship for his outspoken criticism of the regime. Omar produces a very popular satirical talk show on YouTube that is followed by millions of viewers. He was also featured prominently in media coverage of the Canada-Saudi dispute, including on CBC’s The Current. During his interview on that show, Omar claimed Saudi authorities had threatened his family to try to discourage him from speaking out.

Earlier this summer, Omar received a fake DHL courier notification via SMS. The message arrived only hours after he placed an order on Amazon. When we met with Omar, we searched back through his SMS messages with his consent against a list of known NSO domains we had gathered, and discovered the fake DHL notification SMS. We were able to confirm that he was, indeed, targeted by the KINGDOM operator and that the SMS he received contained a link to the NSO Group’s “Pegasus” spyware infrastructure.
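The consent-based check described above, searching a person’s SMS history for links to known spyware domains, as an added example (this is not Citizen Lab’s code): it extracts the hostname of every link in an exported message list and flags those that equal, or are subdomains of, a domain on an indicator list. The indicator domains, sender numbers and message texts are constructed placeholders, not real indicators.

```python
"""Constructed example of triaging an SMS export against a list of known
lure domains. Every domain, number and message below is made up."""
import re
from urllib.parse import urlsplit

# Placeholder indicator list standing in for the "known NSO domains"
# mentioned in the post; real indicators come from the published reports.
KNOWN_SPYWARE_DOMAINS = {
    "courier-track-example.test",
    "sms-notify-example.test",
}

# Loose matcher for http(s) links and bare host/path links, since lure
# messages often omit the scheme entirely.
_URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.IGNORECASE)


def extract_hosts(text):
    """Return the lowercase hostname of every URL-like token in a message."""
    hosts = []
    for match in _URL_RE.finditer(text):
        token = match.group(0)
        if not token.lower().startswith(("http://", "https://")):
            token = "http://" + token  # give urlsplit a scheme to parse
        host = urlsplit(token).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def matches_indicator(host, indicators=KNOWN_SPYWARE_DOMAINS):
    """Return the indicator that host equals or is a subdomain of, else None.

    Matching on label boundaries (".indicator") avoids false hits on
    look-alike names such as "notsms-notify-example.test".
    """
    for indicator in indicators:
        if host == indicator or host.endswith("." + indicator):
            return indicator
    return None


def triage_sms(messages, indicators=KNOWN_SPYWARE_DOMAINS):
    """messages: iterable of (timestamp, sender, body) tuples.

    Returns a list of (timestamp, sender, host, matched_indicator) for
    every link whose host matches the indicator list.
    """
    hits = []
    for timestamp, sender, body in messages:
        for host in extract_hosts(body):
            indicator = matches_indicator(host, indicators)
            if indicator:
                hits.append((timestamp, sender, host, indicator))
    return hits


# Constructed sample export: a courier-style lure, a benign retailer
# notice, a message with no link, and a look-alike domain that must not match.
SAMPLE_SMS = [
    ("2018-06-23 14:02", "+1555000001",
     "DHL: your parcel could not be delivered. Reschedule: "
     "https://dhl.courier-track-example.test/t/8f2a"),
    ("2018-06-23 09:47", "+1555000002",
     "Your order has shipped. Track it at https://shop.example/track"),
    ("2018-06-22 20:15", "+1555000003", "Call me when you are free."),
    ("2018-06-21 11:30", "+1555000004",
     "Account alert: notsms-notify-example.test/login"),
]

if __name__ == "__main__":
    for timestamp, sender, host, indicator in triage_sms(SAMPLE_SMS):
        print(f"{timestamp} from {sender}: {host} matches {indicator}")
```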

Further verification that Omar was the victim came from matches we were able to make to his pattern of life. Our scanning showed the infected device moving between two Quebec-based networks at very specific intervals — Vidéotron and RISQ (Réseau d’informations scientifiques du Québec). Omar confirmed that those “check ins” precisely matched his movements between his home wifi network (Vidéotron), and the wifi network to which he connected during a regular evening activity (RISQ).

NSO’s Pegasus spyware is extraordinarily stealthy and invasive. Once a target clicks on a link, the operator has complete surreptitious control over the target’s device. This control includes being able to silently read emails and chat messages, including those that are encrypted, capture ambient sound, and turn on the camera. During the time Omar’s device was infected, several of his family members and friends disappeared in Saudi Arabia. Although we have no way to confirm it, it is certainly possible these disappearances are the direct result of the KINGDOM operator’s surveillance of Omar’s phone.

No doubt, this revelation of Saudi-linked espionage against a Canadian permanent resident will inflame the already tense Canada-Saudi diplomatic dispute. If it does, it will illustrate one major theme of Citizen Lab’s research: that the unregulated commercial spyware market produces costly negative externalities. It is also noteworthy that what we have unearthed may violate several Canadian Criminal Code offences, including willfully intercepting private communications contrary to section 184(1).

It should go without saying that the multiple cases of abuse we have uncovered over several years cast serious doubt on NSO Group’s claims about a “Business Ethics Committee” and other controls they have over their products. While they may treat it frivolously, NSO Group’s accumulating liabilities must be giving its ownership group, US-based investment firm Francisco Partners, serious cause for concern, particularly since the latter has unsuccessfully shopped NSO Group to potential buyers for a reported 1 billion USD.  Who wants to buy a company whose services routinely end up being abused, inflaming geopolitical tensions, or implicated in criminal conduct? What potential liabilities does NSO’s reckless sales present for its ownership group?

This case also illustrates yet again another major theme of our research: in the absence of controls to the contrary, powerful surveillance technology sold to governments for anti-terror or criminal investigations will inevitably be used by corrupt and autocratic rulers to target journalists, dissidents, human rights defenders, research scientists, and other members of civil society they deem a “threat.” Like Ahmed Mansoor of the United Arab Emirates and numerous other targets of spyware we have discovered, Omar Abdulaziz is neither a terrorist nor a criminal. His only “crime” is hosting what is the equivalent of The Daily Show for the Gulf region directed at a regime that brooks no dissent.

It is probable the cases we have reported on at Citizen Lab are but a tip of the iceberg. If so, numerous members of civil society are — right now — being unwittingly surveilled and effectively neutralized by their adversaries. Should these espionage attacks against global civil society continue unabated, democracy itself will be at growing risk.  

Read the full report here: https://citizenlab.ca/2018/10/the-kingdom-came-to-canada-how-saudi-linked-digital-espionage-reached-canadian-soil/

Watching NSO Group

I am pleased to announce a new Citizen Lab report, authored by Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and myself, entitled “Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries.” This report is the latest in a major research area for the Citizen Lab: the proliferation and abuse of commercial spyware.

Commercial spyware is sophisticated surveillance technology sold by companies to governments under the justification of assisting in law enforcement or national security investigations. It typically tricks targets into clicking on links or attachments and then takes advantage of undisclosed and often very valuable software flaws to surreptitiously take control of a target’s device. Once in control, an operator can secretly monitor emails and chats, even those that are protected with encryption, track movements and locations, and record audio and video.

As numerous government agencies have both the resources and a growing appetite for surveillance capabilities, the market for commercial spyware is lucrative and expanding. The company at the centre of our latest report, Israel-based NSO Group, was recently valued at around USD 1 billion.

Naturally, this market is also highly secretive. Spy agencies and the companies that service them do not, as a matter of practice, publicly disclose their contracts or operations. However, even the most sophisticated surveillance operations leave digital traces in the open that careful researchers can discover. One aim of our research is to shed light on what is otherwise opaque principally through structured, peer-reviewed Internet scanning techniques and other technical means we have refined.

The research for our latest report was led once again by Citizen Lab senior fellow Bill Marczak. From August 2016 to August 2018, we scanned the entire Internet on a regular basis for servers associated with NSO Group’s “Pegasus” spyware designed to target iPhones, and found 1,091 IP addresses that matched our fingerprint and 1,014 domain names that pointed to them. Using a novel technique we call Athena as well as a newly designed global DNS Cache Probing method, we were able to identify a total of 45 countries where Pegasus operators (which we group into more than 30 likely government clients) may be conducting surveillance operations. 

Among the likely government clients are a number with a highly-problematic track record not only of human rights abuses, but also prior abuse of commercial spyware. This list includes:

  • Bahrain — a country Amnesty International recently described as descending into “a full-blown human rights crisis”;
  • Kazakhstan — a country with a track record of abusing spyware to target journalists and activists critical of the government;  
  • Mexico — a country that was the focus of six separate Citizen Lab reports that exposed government surveillance of research scientists, health advocates, journalists, and international investigators into mass disappearances, including four reports that were the subject of separate front page exclusives in the New York Times in 2017;
  • Morocco — the subject of a 2012 Citizen Lab report on the use of Italy-based Hacking Team’s spyware to target the Moroccan citizen media and journalism project Mamfakinch;
  • Saudi Arabia — a country whose track record Human Rights Watch describes as including “arbitrary arrests, trials, and convictions of peaceful dissidents”; and
  • The United Arab Emirates — the country in which we first encountered NSO Group in 2016 when we determined that the UAE had employed NSO Group technology to target the iPhone of award-winning human rights defender Ahmed Mansoor. Mansoor is presently serving a 10-year jail sentence for social media posts critical of the government.

The companies that sell commercial spyware claim they “follow local laws” and export control requirements. That claim is certainly true, but also precisely part of the problem. Some government clients use technology developed by companies like NSO Group not just to investigate what most reasonable people would describe as genuine “criminals” or “terrorists”; our research has shown they also use it to monitor the private communications of activists, human rights defenders, journalists, and other members of civil society. For corrupt or autocratic rulers whose aims are to limit human rights and public accountability, those are “legitimate” targets. This is the type of “local law” that companies like NSO Group follow.

Meanwhile, export controls are weak, flawed, or in some cases non-existent. As a consequence, there is little incentive for the companies to control the abuse of their technology. They reap the private rewards while passing the responsibility on to others. Clearly, as our report shows, NSO Group is either unable or unwilling to prevent the abuse of its technology and did not take any noticeable measures to restrict the use of its powerful surveillance technology even after widespread public reporting on cases where their surveillance technology was abused.

On 14 September 2018, I sent a letter on behalf of the Citizen Lab to two NSO Group principals, Mr. Omri Lavie and Mr. Shalev Hulio, notifying them of the details of this report, explaining that we had shared an embargoed copy with journalists, and offering to publish in full any response they wished to communicate on the record.

NSO Group principals responded with initial emails, and a full public statement, which we are posting in full alongside our report.  In part, the statement claims:

“NSO has several times requested a meeting with Citizen Lab so we could present our position and provide additional details on our product. As in the past, Citizen Lab has not responded to our request to meet about this report and published a misleading report.”

I have no record of any such prior requests. More importantly, although I am always willing to listen to and learn from people who are involved in cases that are the subject of our research, I do not believe that a private meeting is a proper substitute for responsible communication on a serious matter of public interest.

The NSO statement also says “NSO Group develops products that are licensed only to legitimate government agencies for the sole purpose of investigating and preventing crime and terror. The company works in full compliance with all applicable laws, including export control laws.” The statement goes on to claim that there is a “Business Ethics Committee” operating at NSO Group “which includes outside experts from various disciplines, including law and foreign relations, [which] reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use.”  However, no comment was made or explanation given about the continued, repeated cases of abuse we have identified in spite of the supposed scrutiny of this committee.

What is to be done, then, about the proliferation and abuse of commercial spyware?

Awareness about these issues is still a very important part of the process. To that end, we at Citizen Lab will certainly continue to refine our methods to allow us to better uncover the continued proliferation and abuse of commercial spyware, and we encourage other research groups to use the methods we have developed to do the same.

Litigation of various sorts may also be an option. It is noteworthy that our report discloses that several of the operators using NSO Group technology are engaged in surveillance across international borders. We have no indication whether the country operators undertaking such cross-border surveillance are doing so with the permission or knowledge of the governments in whose jurisdictions they are spying. However, many countries in which such surveillance is occurring — for example, Canada, the United Kingdom, the United States — have laws that prohibit eavesdropping without a warrant. By facilitating and abetting such cross-border surveillance, NSO Group may be exposed to serious legal risks. Indeed, NSO Group is currently the target of two separate lawsuits alleging illegal spying. These legal risks should certainly cause ownership groups and investors to consider their own liabilities as a result of lax controls. NSO Group is currently owned by US-based investment firm, Francisco Partners.

Lastly, there is the prospect of more effective government oversight concerning the export of commercial spyware. Although the Israeli government has claimed it has strong export controls in this area, our research and other reporting shows clearly there are major gaps. It is ultimately up to Israeli policymakers, and Israeli citizens, to determine whether the continued harms caused by the abuse of commercial spyware that we document warrant new and more stringent export controls. We believe they do.


Digital Security for Whom or What?

With data surrounding us and networked into everything we do, the security of our data, both in transit and while at rest, is an obvious public safety issue. Which makes it puzzling why governments — whose principal job, since at least the time of Thomas Hobbes, is to keep us safe — have repeatedly sought to deliberately weaken the protocols that secure our data.

Figure: GCHQ Network Diagram shows how the agency proposed a system to identify encrypted traffic from its internet cable-tapping programs and decrypt what it could in near-real time. Source: The Guardian


As with much else, the root of this seeming paradox can ultimately be traced to differences in threat paradigms: differences between what are considered to be the principal objects of security (meaning, that which is to be protected). Is it the state, or is it the people? Is it the network within a particular sovereign territorial space, or is it the undifferentiated global network as a whole? A new resource jointly published today by Citizen Lab and CIPPIC will hopefully help unpack these issues.

Generally speaking, government agencies navigate the world through a realist political lens (“realist” in the IR theory sense, à la Thomas Hobbes). From this perspective, the world is divided into territorially-based sovereign states who compete against each other for political advantage. One state’s gain is another’s loss. Through most of modern history, one part of this competition for power involved governments using various forms of cryptography to protect their communications and to hide their machinations from each other while simultaneously racing to find ways to crack each other’s secret codes. (An infamous version of this competition was popularized in the film, The Imitation Game, which told the story of Alan Turing and his Bletchley Park colleagues’ attempts to break Nazi Germany’s Enigma-machine cryptographic algorithms using some of the earliest computing machines.)

While these state-vs-state contests over code may have made sense when the world was neatly divided into territorially-segmented communication spaces, they no longer do. Government agencies that deliberately weaken cryptographic protocols to gain some momentary advantage over their opponents do so at the expense of their own citizens’ security. The reason that they do is that governments, companies, and citizens all over the world increasingly rely on the same communication technologies for everything they do.  

National security concerns are not the only motivation for government agencies to weaken data security. Like intelligence agencies, law enforcement has also sought to keep cryptography contained or deliberately compromised, but for them the principal concern is about being able to investigate criminal behavior. It’s obviously much easier to solve a crime or chase down illegal activity if you can secretly listen in or watch what the criminals are doing. But as is the case as far as national security is concerned, a government agency can only gain such an advantage at the expense of the whole of society. Criminals and law-abiding citizens alike use the same communication systems: weaken them for one and you weaken them for all.

And yet continue to try to weaken them they do.

Time and again, government officials have used national security or lawful access justifications to argue for restrictions or special “back doors” on encryption. Time and again, computer scientists, engineers, and rights activists have argued the opposite case. Not always are the efforts to settle these debates undertaken in the open. One of the most serious revelations coming from the 2013 Edward Snowden disclosures showed that the NSA and its Five Eyes colleagues had surreptitiously foisted a deliberately weakened encryption standard (the Dual_EC_DRBG random number generator) on the rest of the world, as part of a secret program codenamed “Bullrun.” Reports from the latest round of International Organization for Standardization (ISO) deliberations suggest they may still be up to such machinations.

There has been a lot written about these debates from all sides, but not much focusing in particular on the Canadian context. To be sure, it is not for lack of Canadian government agencies trying to influence the space. Canadian law enforcement and intelligence agencies have pushed for weakened encryption, back doors, company cooperation, or some other kind of “compromise” for lawful access as often as other governments do. Canada’s SIGINT agency, CSE, may have also had a hand in the NSA’s subterfuge around the weakened encryption standard mentioned above. Meanwhile, for the Canadian public, the issue is only getting more salient. Many Canadians carry with them devices that feature full-disk, biometric-enabled encryption that only they can unlock. Can government agents compel them to do so when they are detained, arrested, or while crossing a border?

To help Canadians navigate these issues, today the Citizen Lab, in collaboration with CIPPIC, is releasing a report, entitled “Shining a Light on the Encryption Debate: A Canadian Field Guide,” authored by the Citizen Lab’s Lex Gill and Christopher Parsons and CIPPIC’s Tamir Israel. The report provides critical insight and analysis for policymakers, legal professionals, academics, journalists, and advocates who are trying to navigate the complex implications of encryption technology. It is designed to be a “field guide.” The report can be read top-to-bottom, but is also organized so that most sections can be reviewed as self-contained references.

Now more than ever, encryption is vital to preserving and extending human rights. Encryption serves as an important guarantor of freedom of expression, opinion, privacy, anonymity, equality, and even physical safety for ordinary citizens, human rights activists, and journalists. With this latest report, we hope that those involved in encryption debates are better able to understand the full spectrum of issues related to the use and potential misuse of these technologies.

Sweeping the Internet for Netsweeper

Figure 1: Results of our Internet-wide scan for Netsweeper installations (John Scott-Railton)

The LGBTQ news website “Gay Today” is blocked in Bahrain; the website for Greenpeace International is blocked in the UAE; a matrimonial dating website is censored in Afghanistan; the entire World Health Organization website, including sub-pages with HIV/AIDS information, is blocked in Kuwait; an entire category of websites labeled “Sex Education” is censored in Sudan; in Yemen, an armed faction, the Houthis, orders the country’s main ISP to block regional and news websites.

What’s the common denominator linking these examples of Internet censorship? All of them were undertaken using technology provided by the Canadian company, Netsweeper, Inc.

In a new Citizen Lab report published today, entitled Planet Netsweeper, we map the global proliferation of Netsweeper’s Internet filtering technology to 30 countries. We then focus our analysis on 10 countries with significant human rights, insecurity, or public policy issues in which Netsweeper systems are deployed on large consumer ISPs: Afghanistan, Bahrain, India, Kuwait, Pakistan, Qatar, Somalia, Sudan, UAE, and Yemen. The research was done using a combination of network measurement and in-country testing methods. One method involved scanning every one of the billions of IP addresses on the Internet to search for signatures we have developed for Netsweeper installations (think of it like an x-ray of the Internet).

National-level Internet censorship is a growing norm worldwide. It is also a big business opportunity for companies like Netsweeper. Netsweeper’s Internet filtering service works by dynamically categorizing Internet content, and then providing customers with options to choose categories they wish to block (e.g., “Matrimonial” in Afghanistan and “Sex Education” in Sudan). Customers can also create their own custom lists or add websites to categories of their own choosing.

Netsweeper markets its services to a wide range of clients, from institutions like libraries to large ISPs that control national-level Internet connectivity. Our report highlights problems with the latter, and specifically the problems that arise when Internet filtering services are sold to ISPs in authoritarian regimes, or countries facing insecurity, conflict, human rights abuses, or corruption. In these cases, Netsweeper’s services can easily be abused to help facilitate draconian controls on the public sphere by stifling access to information and freedom of expression.

While there are a few categories that some might consider non-controversial—e.g., filtering of pornography and spam—there are others that definitely are not. For example, Netsweeper offers a filtering category called “Alternative Lifestyles,” in which it appears mostly legitimate LGBTQ content is targeted for convenient blocking. In our testing, we found this category was selected in the United Arab Emirates and was preventing Internet users from accessing the websites of the Gay & Lesbian Alliance Against Defamation (http://www.glaad.org) and the International Foundation for Gender Education (http://www.ifge.org), among many others. This kind of censorship, facilitated by Netsweeper technology, is part of a larger pattern of systemic discrimination, violence, and other human rights abuses against LGBTQ individuals in many parts of the world.

According to the United Nations Guiding Principles on Business and Human Rights, all companies have responsibilities to evaluate and take measures to mitigate the negative human rights impacts of their services on an ongoing basis. Despite many years of reporting and numerous questions from journalists and academics, Netsweeper still fails to take this obligation seriously.

As is customary for our research, we sent Netsweeper a letter prior to publication notifying them of our key findings, asking a series of questions, and offering to publish in full their response. On the positive side, this report is the first in which Netsweeper has sent a formal reply. (Their only other prior “communication” with us was a defamation suit filed against me and the University of Toronto in January 2016, and then subsequently withdrawn four months later.)

On the negative side, however, its response lacks detail and makes sweeping, dubious assertions. Rather than address our questions, Netsweeper (writing through its legal counsel) chose instead to disparage our research. It asserted that “Mr. Diebert’s [sic] analysis and conclusions, as well as representations he has made before Parliament, are alarming for the real absence of any sound technical understanding on how internet providers operate, how information technology companies support online operations, and how online programs function.” The careful methods we used to undertake our research are exceedingly well-detailed in Section 1 of our report, and so we will leave it for knowledgeable readers to draw their own conclusions.

Strangely, Netsweeper also asserts that “The ultimate effect of what Mr. Diebert [sic] and his interests propose would be the full-scale shut down of the internet in multiple jurisdictions worldwide.” In fact, by encouraging more transparency, accountability, and proportionality around Internet censorship, we are aiming to do precisely the opposite.

Our report also suggests Canada could be doing more. It should go without saying that the use of Canadian technology by authoritarian and other regimes to undertake Internet censorship undercuts Canada’s own foreign policy and commitment to human rights. The Trudeau Government has prioritized an international stance that promotes “gender equality,” and yet here we have the services of a Canadian company employed to do the exact opposite on behalf of some of the world’s most illiberal regimes. Worse, both the Government of Canada and some Provincial Government entities have actually facilitated Netsweeper’s exports through grants and other forms of assistance, which we document in the report.

To be more consistent with its own policies and obligations, we suggest the Canadian government could take measures to prevent these types of human rights violations, including tying whatever government support is provided to clear prohibitions against activities that undermine human rights, and effective and ongoing due diligence, public transparency reporting, and other accountability measures. Canada could also strengthen the control of exports for Internet censorship and surveillance services, and focus transparency and accountability efforts on the “dual-use” technology sector through the newly created Canadian Ombudsperson for Responsible Enterprise (CORE).

Access to information is a human right recognized under international law — yet one that many governments defy in practice through extensive Internet censorship. By facilitating these practices, Netsweeper is profiting from the dark curtain being drawn over the Internet for a large number of users around the world.