Fitness Tracker Applications — Leaky, Insecure, and a Sign of the Times

Last week, the Citizen Lab in collaboration with Open Effect released a new report, “Every Step You Fake: A comparative analysis of fitness tracker privacy and security.” The report contains primarily the background, overview, methods and technical findings.  A subsequent report will include the policy and legal analysis that the team is presently completing.  Open Effect is a non-profit organization led by Citizen Lab research fellow Andrew Hilts, and one on whose board I presently serve.  We work together on a variety of projects in the area of privacy and security, and we’ll have more reports coming down the pipeline together beyond the work on Fitness Trackers. (Open Effect and Citizen Lab also worked together on the Access My Info project).

The “fitness tracker” topic may seem to be a bit of an outlier for us at the Citizen Lab, but lately we have become more and more interested in privacy and security of mobile applications. Part of it has to do with the refinement of reverse engineering and other technical analysis methods that inform several Citizen Lab projects.  A much broader concern of ours is around the privacy and security of the growing number of devices and applications that surround us in the so called “Internet of Things” ecosystem.  Obviously, the implications for consumers of these devices and applications are important from a privacy and security point of view.  But personally speaking, I find it very compelling to try to see how security holes, vulnerabilities, and other unintentional flaws could be exploited by government threat actors, putting users at risk.  Having spent considerable time studying the Snowden disclosures, I have been struck by how seemingly trivial leaks of users’ data can end up being routinely leveraged by SIGINT agencies.  A recent talk by the chief of the NSA’s TAO underscored this point well.  We leave a trail of digital droppings where ever we go, which in and of themselves may seem unimportant but when collated and analyzed together can reveal a lot.

One of the other interesting components of this report was the responsible notification process we undertook, and which is explained in the report. We notified the fitness tracker vendors who had security and privacy problems with their products, and only a few of them got back to us — until journalists reached out to them, that is.   Media strategy is important to creating positive outcomes of research, and this case illustrates it well.  (We gave an exclusive to CBC on the Fitness Tracker report for this reason). For example, although Garmin did not respond to our initial responsible disclosure, they did after the report came out. The updated version of their application seems to suggest they’ve implemented some basic security protocols that were lacking (ht Ryan Budish), which is a positive outcome of the research.

 

 

Canada’s Netsweeper in Yemen

A new Citizen Lab report was published yesterday morning on information controls during the ongoing armed conflict in Yemen.

The report shows in detail how a Canadian company’s technology, Netsweeper, is being used to filter critical political content, independent media websites, and all websites belonging to the Israeli (.il) top-level domain — a major expansion of Yemen’s censorship regime that was implemented following the takeover of Yemen’s capital, Sana’a, by the Houthis in September 2014.

The Shiite Islamic Houthis are one of many groups who have been fighting for power in the war-torn country of Yemen for many years.  Their slogan (which our report shows painted on the front gates of the country’s main ISP, YemenNet) is “Allah Akbar; Death to America, Death to Israel, A curse upon the Jews! Victory for Islam!”

Research for this report was undertaken over 10 months, and included in country field research and highly detailed technical tests which referenced a wide spectrum of data. We were able to determine that most of the political and local news content blocked by Netsweeper was undertaken in a non-transparent way, with fake network error pages delivered back to users instead of an explicit block pages.  Beyond Internet censorship, we also found manipulation of fuel supplies and disruptions to the electrical infrastructure are key ingredients of the armed conflict that aligned with the Houthis overall strategy of information denial in Yemen.

This report is a continuation of research we have done on Netsweeper providing services in questionable country contexts, including Pakistan and Somalia.

On October 9, 2015, Citizen Lab sent detailed questions [pdf] to Netsweeper about their provision of services to YemenNet, their human rights policies, and whether the company undertakes any due diligence, and notified of them their intent to publish a report.  We have included our letter to Netsweeper as an appendix to our report.  As of the time of publication, the company had not replied to us.

The full report is here: https://citizenlab.org/2015/10/information-controls-military-operations-yemen

Our press release is here: https://citizenlab.org/2015/10/netsweeper-censors-internet-yemen

The Globe and Mail: http://www.theglobeandmail.com/report-on-business/yemen-using-canadian-software-to-block-internet-access-amid-civil-war-report/article26898441/

Daily Beast: http://www.thedailybeast.com/cheats/2015/10/20/canadian-web-co-helps-yemen-censor-net.html

Motherboard: http://motherboard.vice.com/read/researchers-accuse-canadian-internet-company-of-helping-yemen-censor-the-web

Toronto Star: https://www.thestar.com/news/canada/2015/10/21/canadian-internet-filtering-company-accused-of-aiding-censorship-in-war-torn-yemen.html

 Al Jazeera: http://america.aljazeera.com/articles/2015/10/22/yemen-rebels-using-canadian-software-to-censor-internet.html

New Citizen Lab Report: Are the Kids Alright?

Today, the Citizen Lab is releasing a new report, entitled: “Are the Kids Alright? Digital Risks to Minors from South Korea’s Smart Sheriff Application.”   South Korea is unique among all countries in having a legal mandate that requires parents whose minor children have mobile phone subscriptions to install a parental content filtering application.  A powerful industry consortium, the Korean Mobile Internet Business Association (MOIBA), had just such an application in hand ready prior to the law being introduced, called “Smart Sheriff.” Smart Sheriff provided a lot more than just content filtering: it went beyond the legal mandate to allow parents to monitor their minor children’s use and receive notifications if their minor children did anything to try and disable the application.

Earlier this summer, a group of researchers who participated at the 2015 Citizen Lab Summer Institute, as well as the European security company Cure53, got together and collaborated on an independent analysis of the application.  What we found was alarming: at least 26 different security vulnerabilities, including lack of industry-standard encryption, outdated software running on servers, and a lack of proper validation or passwords required to register and manage accounts.  All of these represent fundamental failures to follow standard practices for protecting user information and could seriously put minor children at risk.  

We engaged in a process of responsible disclosure to the manufacturers of the application, giving them 45 days to patch the vulnerabilities before we released our report.  At this point, however, we are not confident that the problems have been fixed and we are urging South Koreans to cease using the application until an independent audit can be undertaken.

The research and the report are part of a larger interest we at the Citizen Lab have in understanding the privacy and security implications of mobile applications.

Our press release is here:

https://citizenlab.org/2015/09/press-release-security-privacy-issues-in-smart-sheriff-south-korea

The full report can be found here:

https://citizenlab.org/2015/09/digital-risks-south-korea-smart-sheriff

Open Letter to Hacking Team

Update: An open letter to Hacking Team following its statement on the Citizen Lab “Police Story” report

August 8, 2014

Dear Mr. Vincenzetti and team,

This letter is in response to a statement issued by Hacking Team that has recently come to our attention, concerning Citizen Lab’s report titled “Police Story: Hacking Team’s Government Surveillance Malware” (June 24, 2014). The statement[1] reads as follows:

Statement on Citizen’s Lab/Kaspersky report of June 24, 2014:

Hacking Team is aware of the ongoing efforts of Citizen’s Lab [sic] to attack our business by attempting to disclose confidential information, systems, and procedures that we use. This report is only their latest effort. It is evident that the primary complaint of the authors is about repressive government, however, Citizen’s Lab has chosen to target a private business operating in full compliance with all relevant law.

We believe the software we provide is essential for law enforcement and for the safety of us all in an age when terrorists, drug dealers, sex traffickers and other criminals routinely use the Internet and mobile communications to carry out their crimes. We sell only to government agencies such as police forces. We do not conduct digital investigations. Those are carried out by law enforcement and are, of course, entirely confidential as is any law enforcement investigation.

The June 24 report does not include our customer policy, however, we invite you to read the policy which describes the steps we take to avoid abuse of our software. We believe this policy is unique in our industry and a strong, good-faith effort to prevent misuse of our products. We have both refused to do business with agencies we felt might misuse our software, and we have investigated cases either discovered internally or reported in the press that suggest abuse. We can and have taken action in such cases, however, we consider the results of our investigations and the actions we take based on them to be confidential matters between us and our clients.

We write to address certain factual inaccuracies contained in this statement, as well as apparent misinterpretations by Hacking Team of the content and purpose of Citizen Lab’s report. We clarify those issues here, and present a few additional questions to Hacking Team that are raised by the statement:

* Your reference to the “Citizen’s Lab [sic] / Kaspersky report of June 24, 2014” suggests that we authored the report jointly with Kaspersky (though we note that the complaints lodged in the statement are directed solely at Citizen Lab). We prepared and issued our report independently of Kaspersky.

* Citizen Lab is an academic research institution housed at the Munk School of Global Affairs, University of Toronto, that engages in evidence-based research to document uses of technology with the potential to undermine human rights. We do not undertake our rigorous research, analysis, and reporting in order to “attack” the business of Hacking Team or any other company on which we have previously reported. Rather, we seek to provide concrete data that will inform discussions between civil society, policy makers, and the private sector, so that society can properly determine its stance on the capabilities and deployment of dual-use technologies that impact individuals around the world. While Hacking Team may “believe the software [it] provide[s] is essential for law enforcement and for the safety of us all,” in democratic societies, such a determination is best suited to an informed public debate rather than the closed-door deliberations of a private company. Unfortunately, equating efforts to promote such transparency and debate with an attack against the company only reinforces the impression that Hacking Team wishes to prevent human rights-related inquiries into its products and services.

* We also take issue with Hacking Team’s assertion that “the primary complaint of the authors is about repressive government.” While Citizen Lab is certainly concerned with the use of technologies by repressive governments to undermine human rights, we are equally concerned with the role of companies in equipping those regimes and profiting from activities that threaten human rights. As the UN Guiding Principles on Business and Human Rights make clear, companies are independently obliged to respect human rights.[2] They have the responsibility to avoid causing or contributing to adverse human rights impacts, and to address such impacts when they occur.[3] Indeed, the European Commission (EC) ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights notes that companies may contribute to a harm, and therefore have a responsibility to cease such activity and engage in remediation, when they “provid[e] surveillance technology to a government that uses it to track and persecute human rights defenders, journalists or members of a minority group.”[4]

We encourage Hacking Team and all companies involved in the surveillance technology industry to carefully consider the human rights impact of their products and services, the potential for complicity in government practices that violate human rights, and steps to address these concerns. The aforementioned EC ICT Sector Guide is one resource that companies can utilize in developing appropriate human rights policy commitments as well as due diligence and remediation measures.

* The statement that Hacking Team is “operating in full compliance with all relevant law” raises certain questions to which we urge you to respond publicly.

First, what precisely does Hacking Team consider to be the “relevant law”? Does the company include within that rubric international human rights law embodied in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the International Covenant on Economic, Social and Cultural Rights, or the European Convention on Human Rights? With the laws of which state or states does Hacking Team comply? How does it account for national laws that may conflict with international human rights law?

Second, does Hacking Team’s assertion of compliance with relevant law rely on the absence of precise law or regulations, given the novelty of the industry, that would control the production or sale of Hacking Team products? As articulated by United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression Frank La Rue in his April 2013 report to the UN Human Rights Council:

Offensive intrusion software such as Trojans, or mass interception capabilities, constitute such serious challenges to traditional notions of surveillance that they cannot be reconciled with existing laws on surveillance and access to private information. These are not just new methods for conducting surveillance; they are new forms of surveillance. From a human rights perspective, the use of such technologies is extremely disturbing. . . . Although it is clear that many States possess offensive intrusion software, such as Trojan technology, the legal basis for its use has not been publicly debated in any State, with the exception of Germany.

The lack of transparency and public debate surrounding the surveillance technology industry, and its close ties with the apparatus of state security, have resulted in legal and regulatory gray areas in which companies have thus far operated with relative impunity.

It is essential to note, however, that:

The responsibility to respect human rights is a global standard of expected conduct for all business enterprises wherever they operate. It exists independently of States’ abilities and/or willingness to fulfil their own human rights obligations, and does not diminish those obligations. And it exists over and above compliance with national laws and regulations protecting human rights.[5]

Indeed, under the UN Guiding Principles on Business and Human Rights, “Where national law and human rights conflict, companies should respect the principles of internationally recognised human rights to the greatest extent possible in the circumstances. They should also be prepared [to] explain their efforts to do so.”[6] We encourage Hacking Team and other companies in this industry to take a proactive and long-term view of legal compliance, particularly given that initiatives are currently underway at international, regional, and domestic levels to develop suitable controls for the surveillance technology trade.

* We applaud Hacking Team’s efforts to develop a customer policy that incorporates human rights considerations. The policy states that Hacking Team (HT) reviews potential customers before sales are made, assisted by “a panel of technical experts and legal advisors,” and that it will refuse to provide or cease providing products or services to entities that Hacking Team believes use its products to violate human rights. The policy also states: “Should questions be raised about the possible abuse of HT software in human rights cases, HT will investigate to determine the facts to the extent possible.”

While these are admirable commitments, we remain concerned that Hacking Team provides no further information regarding its implementation of the customer policy. In order to credibly invoke the customer policy, more transparency surrounding implementation is necessary (which could take any number of forms and need not identify clients). For example, what procedure is employed for customer reviews? Who sits on the review panel? Does that panel include civil society actors? The Hacking Team statement notes that the company has “refused to do business with agencies we felt might misuse our software”; can you elaborate on the reasons for and frequency of those refusals? And what investigation, if any, has Hacking Team undertaken concerning reports of misuse of the software in Saudi Arabia, the United Arab Emirates, Morocco, and against Ethiopian journalists in the United States?

To further strengthen respect for human rights in its business operations, Hacking Team may also wish to consider establishing an operational-level grievance mechanism (as enumerated in the UN Guiding Principles on Business and Human Rights[7] and the EC ICT Sector Guide[8]) for individuals that have experienced adverse human rights impacts caused or facilitated by Hacking Team technology. Such an effort could set an industry-leading positive example that may generate long-term success for your company.

* Additionally, if Hacking Team is in fact confident that its methods are beyond reproach, opening such methods to independent inspection should only strengthen the company and promote respect for human rights in the surveillance technology industry. We urge Hacking Team to enhance the transparency of its operations by publishing in full on its website the Hacking Team user manuals described in Citizen Lab’s report; all internal policies and procedures related to human rights; statistics regarding the sales and deployment of Hacking Team products as well as sales discontinued out of concern for misuse of the software; and an export control matrix indicating the product classifications relevant to Hacking Team. We note that your company has in the past sought patents worldwide — with the World Intellectual Property Organization under the Patent Cooperation Treaty, as well as in Europe, Canada, the United States, Singapore, Mexico, and Korea — thereby making public details regarding the operation of certain Hacking Team software. Confidentiality is therefore not an obstacle to beginning a public discussion of, at a minimum, those details.

Both Citizen Lab’s report and our ongoing research are intended to provide information that will advance the transparency and accountability that is sorely lacking from this industry. It cannot be denied that surveillance technologies have the potential to seriously impact individual human rights. If Hacking Team wishes to profit from such a business, we urge it to also accept its responsibility for the human rights impacts that business entails. We invite Hacking Team to contact us to discuss these issues in greater depth, and would welcome the opportunity for dialogue around measures to safeguard human rights.

Sincerely,

Professor Ronald Deibert
Director, The Citizen Lab
Munk School of Global Affairs
University of Toronto

________________
[1] Hacking Team did not publicly release this statement; rather, it appears to have sent the statement in response to specific inquiries made to the company regarding Citizen Lab’s June 24 report. See, e.g., Doug Bernard, “Saudi App Appears to Target Residents With Surveillance,” Voice of America, June 27, 2014, http://www.voanews.com/content/saudi-app-appears-to-target-residents-with-surveillance/1946570.html.
[2] Principle 11.
[3] Principles 11 and 13.
[4] Shift and the Institute for Human Rights and Business, European Commission ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights, June 17, 2013, http://www.shiftproject.org/publication/european-commission-ict-sector-guide, at pp. 74-75.
[5] See UN Guiding Principles on Business and Human Rights, Commentary to Principle 11.
[6] Shift and the Institute for Human Rights and Business, European Commission ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights, June 17, 2013, http://www.shiftproject.org/publication/european-commission-ict-sector-guide, at p. 53
[7] Principle 29.
[8] Section 3-VI.

An Internet Free and Secure

I was asked by the Dutch gov to co chair a working group for their next Freedom Online Coalition meeting in 2015.  We have now put out our call for expressions of interest.  This is an opportunity to have civil society input into cyber security discussions.  I’ll do my best to make sure the case is made loud and clear.

Here is the call below

https://www.freedomonlinecoalition.com/how-we-work/working-groups/working-group-1/

Feel free to circulate widely.

Working Group 1 – An Internet Free and Secure

As cybersecurity becomes a critical issue on the international agenda, there is a growing need for an informed debate on the relationship between governance, security, and fundamental rights and freedoms online, involving all stakeholders. In this context, the working group “Internet free and secure” seeks to bring a human rights framing to ongoing debates on cybersecurity and aims to develop, through multistakeholder dialogue, meaningful outputs that feed into existing processes.

Framing

Within the above framing and building on the Tallinn Agenda, while drawing on the outcomes from NetMundial and acknowledging the ongoing discussions on roles and responsibilities of various stakeholders in internet policy debates, the preliminary framing for  this WG is to explore and develop recommendations on how the multistakeholder approach could apply in the field of cybersecurity.

The proposed framing and exact output of the Group will be further refined by its members.

Structure and Membership

The work of the WG will be carried out by its members. The Group will consist of up to 15 selected individuals who will join the WG Co-chairs – the Dutch Government and Ron Deibert of Citizen Lab – and other FOC country members who have expressed interest in participating in the WG. Non-members of the WG will be able to input into the WG at various points in the process through physical meetings and online. Activities of the WG will be supported by the FOC Support Unit.

In an effort to bring a variety of perspectives to the table, the WG Co-chairs are now seeking expressions of interest from individuals and organisations to join the Working Group, help shape its framing, and carry out its work. To submit an expression of interest, please send a short motivation outlining how your experience and expertise could contribute to shaping the Group’s work and outcomes to [email protected] with a subject line “FOC – WG1 expression of interest_name surname”. The deadline for submissions is Friday, May 30th 2014. Please also indicate if you’re planning to attend the upcoming Stockholm Internet Forum and would be available for a short informal brainstorm to develop the framing of the working group.

Expressions of interest will be evaluated by the FOC Support Unit and WG1 Co-chairs, based on the following criteria:

  • Quality of submission
  • Relevance of experience and expertise
  • Regional, gender, and stakeholder balance

Please note that participation in the Working Group is voluntary. Feel free to get in touch if you have any questions.

Working methods and timeline

The bulk of the WG’s work will be done remotely via email, with potential physical meetings on the margins of existing international events like the Internet Governance Forum. A detailed plan of work will be developed by WG members.

Group decisions and approval of final outcomes will be made by consensus among Group members.

The tentative end-date for the WG is the Global Conference on Cyberspace in spring 2015.

TEDx Toronto

My TEDx Toronto talk has been posted.  I discussed how there is a paradox today: as never before are we surrounded by so much technology, and, yet, as never before do we know so little about what goes on beneath the surface of that technology.  I spoke about the Citizen Lab, and some of our research projects, and then encouraged everyone to become a hacker — in the original sense of the term: developing an ethic of experimentation and curiosity about cyberspace.

You can view it here on Youtube

Distributed Security as Cyber Strategy

I wrote a paper for the Canadian Defence & Foreign Affairs Institute titled Distributed Security as Cyber Strategy: Outlining a Comprehensive Approach for Canada in Cyberspace.

Canada recently issued a strategy for cyber security.  I argue that the policy is thin on both commitments and specifics and left many issues unaddressed. The first part of my paper explores “the landscape of cyber security on a global level to give a ‘bird’s eye’ view of the scope of the issues in global cyberspace security and governance”, while the second part lays out some recommendations for “a comprehensive approach to Canadian cyber security following a ‘distributed security’ model that is inspired and derived from liberal democratic and traditional republican security traditions and thought.”

Read the paper [pdf].

RSA Conference on Active Defense

I will take part in RSA Conference’s Special Forum on the Future of Cyber Security and Active Defense with fellow panelists Jim Dempsey, Vice President for Public Policy, Center for Democracy and Technology; Lt. Gen. (Ret) Kenneth Minihan, Managing Director, Paladin; and General Michael Hayden, Principal, Chertoff Group. Jim Lewis, Program Director, Center for Strategic and International Studies, will be moderating. We’ll be discussing “active or dynamic defense”, an approach to proactively deal with cyber attacks.

Click here for more information.