The second post in this series examines a Chinese mobile payment app feature increasingly covered in foreign media: testing of what may one day be a nationwide official social credit system to replace its traditional analog counterpart. Our exploration of potential security, privacy, and other issues of such a system is meant to raise questions that can inform discussions about how it will evolve.

This research series presents an in-depth examination of mobile payment systems, a rapidly evolving form of financial technology. We will provide an overview of how they are used in China–where they are taking off faster than anywhere else in the world–and what implications their security and data protection practices may have for millions of users, by presenting a case study on Alipay.

Citizen Lab Senior Research Fellow Bill Marczak has co-authored a paper titled “Social Engineering Attacks on Government Opponents: Target Perspectives,” along with Vern Paxson of UC Berkeley.

From January 2 to 13 2017, His Holiness the Dalai Lama is holding a popular Tibetan Buddhist teaching called Kalachakra in Bodh Gaya, India. Increased restrictions from the government of China has barred Tibetans in Tibet from attending the teachings. This report documents blocking of Kalachakra-related keywords on WeChat revealing how restrictions on the ritual extend online.

In this report we track a malware operation targeting members of the Tibetan Parliament that used known and patched exploits to deliver a custom backdoor known as KeyBoy. We analyze multiple versions of KeyBoy revealing a development cycle focused on avoiding basic antivirus detection.

Citizen Lab Senior Research Fellow John Scott-Railton has published an updated version of his “Security for the High-Risk user” paper, first published in the IEEE Security & Privacy in spring 2016. The updates were made based on new evidence of attacks against two-factor and account recovery SMSes, underlining the need for innovation in two-factor authentication.

In this post, we critically examine the Government of Canada’s proposal to indiscriminately access subscriber identity information that is possessed by telecommunications service providers. We conclude by arguing that the government has failed to justify its case for such access to the information.

In this report, we confirm the use of the services of Canadian company Netsweeper, Inc. to censor access to the Internet in the Kingdom of Bahrain.

This report investigates the surveillance capabilities of IMSI Catchers, efforts by states to prevent information relating to IMSI Catchers from entering the public record, and the legal and policy frameworks that govern the use of these devices. The report principally focuses on Canadian agencies but, to do so, draws comparative examples from other jurisdictions. The report concludes with a series of recommended transparency and control mechanisms that are designed to properly contain the use of the devices and temper their more intrusive features.

This report describes how a government targeted an internationally recognized human rights defender, Ahmed Mansoor, with the Trident, a chain of zero-day exploits designed to infect his iPhone with sophisticated commercial spyware.