The Citizen Lab Summer Institute (CLSI) brings together technologists, political scientists, academics, researchers, activists, artists, and members of civil society to address some the most pressing issues at the centre of technology and human rights. CLSI reflects the true interdisciplinary nature of the information controls research community and past sessions have lead to cutting-edge work, including: analyzing national security and signals intelligence policy in Canada (2017), investigating censorship of the death of Liu Xiaobo on WeChat and Weibo (2017), conducting security audits of child monitoring apps in South Korea (2017, 2016, 2015), documenting Internet filtering in Zambia (2016), and exposing the “Great Cannon” (2014), an attack tool in China used for large scale distributed-denial of service attacks against Github and

CLSI 2018 was a record breaking year in terms of attendance, representation, and diversity. Below are some of the highlights from the event’s four research streams.

Network Interference and Freedom of Expression Online

In this track, participants focused on measurement and circumvention of network interference, including Internet censorship, throttling, application level censorship, and network shutdowns. Specific CLSI sessions this year focused on methods for integrating gender awareness into digital rights, the economic impact of Internet censorship, information controls in the Commonwealth of Independent States, methods for detecting network shutdowns, emerging issues in Canadian speech and censorship online, and mapping the discriminatory effects of information controls.

In a session hosted by Mallory Knodel of Article 19, participants investigated improving HTTP error/status code 451 as an instrument for increasing transparency around Internet censorship. Inspired by Bradbury’s dystopian novel Fahrenheit 451, HTTP 451 is an error code that is delivered when a user attempts access to a page that is blocked for legal reasons, such as when a site is censored by a government entity.

What originally started as an opportunity for those currently engaged in the field to discuss their work morphed into a series of discussions on the merits of the status code itself for censorship researchers, and included discussions on the application of 451 on political, technical, and practical grounds.

In another session hosted by Joss Wright of Oxford University, attendees examined the discriminatory effects that information controls can have. This included ‘primary’ effects when explicitly aimed at a disadvantaged group, but also ‘secondary’ effects when such groups are not directly the focus of the information controls (i.e., groups who are affected when broad topics like sexual health are blocked).

Participants identified a number of useful key case studies, including Kurdish populations affected by blocking news outlets in Turkey, blocking Russian LGBTQ content, and blocking Telegram in Iran. Additionally, they discussed a number of potential methodologies and data sources, and some key literature on the topic.

Surveillance and Counter Surveillance

Throughout various discussions, participants in this stream analyzed the technologies, laws, and policies that enable targeted and passive surveillance across various sectors. Sessions included strategies for protecting offline high rights defenders, cross-cultural digital security training, ethics in malware disclosures, and issues for journalists in exile.

In particular, one CLSI session brought together various experts to investigate the growing and troubling prevalence of ‘stalkerware’: commercial spyware that is sold as a security-product and marketed to businesses, parents, and intimate partners with the ability to remotely collect and observe text messages, phone conversations, real-time GPS location data, internet browsing data, and the capacity to activate the microphone or camera of the target-device.

A joint Citizen Lab-Deakin University project looking at stalkerware was advanced by way of group members that included technologists, lawyers, political scientists, and criminologists. Participants generated some novel methodological directions for the project. These included finding interesting ways to harness information regarding adwords and SEO practices in relation to content/legal analyses, the use of access-requests as a potential method for malware attribution, developing insights from user-level analysis to assist technical inquiry of iOS apps, and further clarity into the legal and policy questions being pursued in the study.

Policy and Transparency

In this track, participants developed research methods for documenting corporate and government transparency and discussed advocacy strategies for pushing for greater transparency in these sectors. Sessions this year focused on  creating assessment tools for algorithmic accountability, technological issues in electoral systems in Colombia, holding businesses accountable for human rights violations, and the implications of law enforcement “going dark” in developing countries.

Who Has Your Back” (WHYB) is a regional investigation developed between EFF and different partners in Latin America. It seeks to gain a better understanding of the best practices that ISPs and other telecommunication companies can adopt in order to align with human rights standards on the Internet. It additionally aims at a general understanding on how companies are currently working in regard to data protection in order to develop recommendations that can be adopted in the short and long term.

This session brought together various representatives from civil society organizations in Colombia, Paraguay, México, and Argentina to present the results of research carried out in each country, giving an overview of the different contexts as well as similarities in how telecommunications companies operate in the region. Presenters additionally engaged with participants in a round table discussion with insightful questions about the challenges of doing these projects in Latin America. Furthermore, participants gave substantive advice, based on their own experience, to improve the work being done in the region. Lastly, participants discussed how Citizen Lab’s Access My Info project can be ‘merged’ with the WHYB report, by adding a specific category that can be ranked and measured across the companies.

Security and Privacy of Apps

In this track, participants analyzed how applications are secured from unauthorized parties accessing or modifying data, as well as the ways in which personal information is collected, processed, or retained by application developers. Sessions included an end-to-end analysis of VPN services and IoT privacy and security.

In particular, one session investigated privacy issues in budget smartphone operating systems. Facilitated by Francis Monyango from CIPIT (Center for Intellectual Property and Information Technology law, Strathmore University) the session focused on the privacy implications of mobile phone affordability and security vulnerabilities for low income segments of the market. These budget smartphones usually have outdated versions of the Android OS which have more modest hardware requirements. They come loaded with a host of default applications like web browsers, messaging apps, and social media apps and limited ability to adjust permission settings. This has the effect of exposing users to security risks while potentially breaching their privacy.

Only 23 African countries have put in place comprehensive privacy and data protection laws. As a result, many of the smartphone owners in the countries without privacy laws are left to their own devices when it comes to privacy and online data protection. These smartphones may be exposing users to unethical data mining by big internet companies.

The session was specifically aimed at addressing the regulation of smartphone OS standards for the purposes of protecting the privacy of low-end smartphones users. The session and the discussion that followed turned out to be wide-reaching and could easily be split into various future meetings. Following the productive conversations, next steps for this subject could be to split into two areas: one focusing on a legal/regulatory review and another on a technical/social review.

Gender and digital security

For the first time, CLSI convened a  roundtable discussion on gender and digital security. The purpose of the session was to discuss specific concerns related to these issues, intersectional approaches to addressing challenges, gaps in the current literature, and various ways that the Citizen Lan can positively contribute to this area of research.

The session began with an overview of some Citizen Lab work that included a gender component, including a submission to the UN Special Rapporteur on Violence Against Women, a recently launched study on stalkweware, and analyses of Korean child monitoring apps.

The discussion was opened up to all participants to gain a better understanding of the issues at hand. Some of the points raised included:

  • Approaches should be considered that look at the perpetrators of gender-based digital attacks as opposed to only the victims. How can we prevent attacks from happening in the first place?
  • LGBTQ2+ communities would want to have a deeper understanding of technical issues but can often lack the required expertise, so there is a need for digital rights groups to partner with them to ensure their security.
  • Women can often be economically disadvantaged which makes them more vulnerable to surveillance. They are also more likely to use government services which entails handing over data to governments. The institutionalized experiences of being a women/non gender-conforming peoples are integral to these discussions.
  • Analyses put vulnerable communities in situations of victimization. We must find ways of empowering them and keeping them feel empowered. People who are household heads may be reached differently than those who actually facilitate attack.
  • Technology presents a double-edged sword for female and gender non-conforming activists: while technology can help an activist better protect themselves and their communities, it also has the ability to make them vulnerable to targeted attacks and surveillance.

Specifically, suggestions were made for how the Citizen Lab to help address these issues:

  • We need to constantly be asking ourselves: how do we incorporate gender into the tools we develop? What does it mean to have a gender perspective in our work?
  • Citizen Lab can help improve a methodology to understand self-censorship, especially on gender-based attacks. Women often don’t announce attacks because they don’t want to be further attacked.
  • Continue to support the work of gender non-conforming groups and individuals in ICT spaces

CLSI 2019

CLSI 2018 brought together some of the leading experts in the fields of technology and human rights, and the resulting projects and discussions will generate impact in the years to come.

As we look ahead, CLSI 2019 will continue to build on the work of previous years and advance the interdisciplinary and inclusionary nature of the event. Calls for proposals will be released in early 2019, followed by details and logistics of the event.