In one of the largest coordinated crackdowns in the history of hacking and law enforcement, hundreds of people have been raided, questioned, or arrested for being connected with the BlackShades malware. Europol claimed 359 raids connected to the Blackshades investigation, with the FBI confirming 97 arrests in 16 countries.

In 2012, together with Eva Galperin from the EFF, Citizen Lab researchers Morgan Marquis-Boire and Seth Hardy identified the use of BlackShades in the targeting of opposition forces in Syria. This work has been featured in the Washington Post, the Daily Beast, The Telegraph and ThreatPost.

On 11 April, Research Fellow John Scott-Railton gave a presentation at the ICT Humanitarian Forum in Luxembourg. Scott-Railton’s presentation was titled “Humanitarianism in the Cyberwarfare age: The Principled and Secure use of Information in Humanitarian Response.”

Hosted by the Government of Luxembourg by the Office for the Coordination of Humanitarian Affairs (OCHA), the 34th Working Group on Emergency Telecommunications (WGET): ICT Humanitarian Forum was held April 10 – 11, 2014 in Luxembourg. The forum focused on three interrelated themes: Communications with Affected Communities (CwC), Mobile Money (MM) and Envisioning the future humanitarian landscape.


The WGET is an open forum to facilitate the operational use of telecommunications in the service of humanitarian assistance. The forum seeks to increase the effectiveness of its participants related to regulatory, operational and technical aspects of telecommunications for disaster relief.

Citizen Lab Senior Advisor Robert Guerra was interviewed for a piece in TechNewsWorld on the National Telecommunications and Information Administration (NTIA)’s proposal that the Internet Corporation for Assigned Names and Numbers (ICANN) explore the possibility of turning over a set of domain management functions (called the “Internet Assigned Numbers Authority,” or IANA) to the Internet’s stakeholder community.

“The Snowden revelations accelerated the conversations in regards to spinning off IANA and the U.S. relinquishing its role,” Guerra said.

“Instead of having other governments lead on that conversation, the U.S. has been able to frame the debate and control the conversation in a very smart way,” he added.


The Citizen Lab’s Cyber Stewards Network (CSN) was featured in the 2014 Asia Research News magazine.

Asia Research News is an annual publication highlighting interesting on-going research in universities and research institutions in Asia. Asia Research News is part of ResearchSEA’s service to further raise awareness about research and experts in Asia to the international community, including journalists, researchers and policy makers.

“As they work to map, analyse and ultimately influence cybersecurity policies, the cyber stewards are bringing much-needed Southern perspectives on issues of Internet governance.”

View the issue here (page 24 for the CSN profile).

For more information on the Cyber Stewards program, visit the website.

By Christopher Parsons

On April 29, 2014 the Interim Privacy Commissioner of Canada, Chantal Bernier, revealed that Canadian telecommunications companies have disclosed enormous volumes of information to state agencies. These agencies can include the Royal Canadian Mounted Police, Canadian Security Intelligence Service, Canadian Border Services Agency, as well as provincial and municipal authorities. Commissioner Bernier’s disclosure followed on news that federal agencies such as the Canadian Border Services Agency requested access to Canadians’ subscriber data over 19 thousand times in a year, as well as the refusal of Canadian telecommunications companies to publicly disclose how, why, and how often they disclose information to state agencies.

This post argues that Canadians are not powerless. They can use existing laws to try and learn whether their communications companies are disclosing their personal information to state agencies. I begin by explaining why Canadians have a legal right to compel companies to disclose the information that they generate and collect about Canadians. I then provide a template letter that Canadians can fill in and issue to the telecommunications companies providing them with service, as well as some of the contact information for major Canadian telecommunications companies. Finally, I’ll provide a few tips on what to do if companies refuse to respond to your requests and conclude by explaining why it’s so important that Canadians send these demands to companies providing them with phone, wireless, and internet service.

Why You Can Request Your Personal Information

Per Canadian privacy law, all Canadians can request that companies explain and disclose the kinds of personal information that they retain about the requesting Canadian citizen. Principle 4.9 of Schedule 1 and section 8 of Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), legitimizes such requests and compels organizations to respond to requests when those companies have significant connections with Canada. Obviously Canadian telecommunications companies that have their headquarters in Canada and that primarily service Canadians meet this requirement.

Using PIPEDA it is possible for Canadians to learn what information their telecommunications companies hold about them, for how long, for what purposes, and when they disclose that information. In effect, it can empower Canadians to understand how companies manage the personal information entrusted to them and then make informed decisions about whether they want to maintain that commercial relationship. Significantly, based on the disclosures from the Privacy Commissioner of Canada, it was only after a telecommunications subscriber complained about how their information might be shared that they learned their information had been disclosed to state agencies.

A Template to Request Access

The following template can be used to compel your telecommunications provider to disclose the personal information it collects, retains, manages, and discloses about you. The text is written without an assumption of you sending it by email or letter mail, nor is it written for specific services (i.e. for just wireless or just internet services information). As a result, you should be able to send the letter to whichever companies are providing you with telecommunications service.

Feel free to modify the text as you deem necessary. Sections that are bolded require you to insert information, such as the company, the mailing address, your personal information, or your account information.

[Subscriber mailing address]

[Date]

[Mailing information for company]

To: [Company] Privacy Officer,

Re: [Name of Account Subscriber]

Dear Privacy Officer:

I am a subscriber to your telecommunications service, and am interested in understanding the kinds of personal information that you maintain and retain about me. So this is a request to access my personal data under Principle 4.9 of Schedule 1 and section 8 of Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).

I am requesting a copy of all records which contain my personal information from your organization. The following is a non-exclusive listing of all information that [name of company] may hold about me, including the following:

  • All logs of IP addresses associated with me, my devices, and/or my account (e.g. IP addresses assigned to my devices/router, IP addresses or domain names of sites I visit and the times, dates, and port numbers)
  • Listing of ‘subscriber information’ that you store about me, my devices, and/or my account
  • Any geolocational information that you may have collected about me, my devices, and/or associated with my account (e.g. GPS information, cell tower information)
  • Text messages or multi-media messages (sent and received, including date, time, and recipient information)
  • Call logs (e.g. numbers dialed, times and dates of calls, call durations, routing information, and any geolocational or cellular tower information associated with the calls)
  • Information collected about me, or persons/devices associated with my account, using one of your company’s mobile device applications
  • Any additional kinds of information that you have collected, retained, or derived from the telecommunications services or devices that I, or someone associated with my account, have transmitted or received using your company’s services
  • Any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies

If your organization has other information in addition to these items, I formally request access to that as well. Please ensure that you include all information that is directly associated with my name, phone number, e-mail, or account number, as well as any other account identifiers that your company may associate with my personal information.

You are obligated to provide copies at a free or minimal cost within thirty (30) days of receipt of this message. If you choose to deny this request, you must provide a valid reason for doing so under Canada’s PIPEDA. Ignoring a written request is the same as refusing access. See the guide from the Office of the Privacy Commissioner at: http://www.priv.gc.ca/information/guide_e.asp#014. The Commissioner is an independent oversight body that handles privacy complaints from the public.

Please let me know if your organization requires additional information from me before proceeding with my request.

Here is information that may help you identify my records:

Full Name: [Name]
Account Number: [Number]
Email Associated With Account: [Email address]
Phone Number Associated with Account: [Phone number]

Sincerely,
[Name]

Contact Information

The following includes contact information for many of Canada’s telecommunications companies. It parallels the list of companies that Citizen Lab previously asked to voluntarily disclose how, how often, and why they share information with government agencies.

Bell

The Office of the Bell Privacy Ombudsman
160 Elgin St.
Ottawa ON K2P 2C4


Bell Aliant

Bell Aliant
Attn: Privacy Manager
1st Floor, Fort William Building
P.O. Box 2110
St. John’s, NL A1C 5H6


Bragg Communications

Eastlink
Attn: Privacy Officer
P.O. Box 8660, Station A
6080 Young Street, 8th Floor
Halifax, NS, B3K 5M3


Cogeco

COGECO CABLE INC.
Attn: Caroline Dignard, Chief Privacy Officer
5 Place Ville-Marie, Suite 1700
Montréal, Québec, H3B 0B3


Distributel

Distributel Communications Limited. c/o Privacy Officer
177 Nepean St. Suite 300,
Ottawa, ON, K2P 0B4


Fido

Chief Privacy Officer
Fido Solutions
800 De La Gauchetière Street West
Suite 4000
Montréal, Quebec, H5A 1K3

MTS Allstream

Allstream Privacy Officer
200 Wellington Street West, Suite 1200
Toronto, Ontario M5V 3G2


Primus

Primus Telecommunications Canada Inc.
Primus Legal Department c/o Privacy Officer
5343 Dundas Street West
Toronto, ON, M9B 6K5

Rogers

Chief Privacy Officer
Rogers Group of Companies
333 Bloor Street East
Toronto, Ontario, M4W 1G9

Sasktel

Chief Privacy Officer
SaskTel
13th Floor, 2121 Saskatchewan Drive
Regina, SK S4P 3Y2


Shaw

Shaw Privacy Officer
630–3rd Ave. S.W.
Calgary, AB, T3P 4L4


TekSavvy

Privacy Ombudsman
TekSavvy Solutions Inc.
800 Richmond Street
Chatham, Ontario N7M 5J5

Fax: 519–360–1716

TELUS

TELUS Communications Company Privacy Request Centre
PO Box 2590, Station M
Calgary, Alberta
Canada T2P 5J6


Videotron

Videotron
Attn: Alain Charlebois, Vice-President, Human Resources
612 St-Jacques Street West, 4th floor, North Tower
Montreal (Quebec) H3C 4M8

Wind Mobile

Globalive Wireless Management Corp.
Chief Privacy Officer
207 Queen’s Quay West
Suite 710, PO Box 114
Toronto, ON M5J 1A7
Canada


Xplornet

Xplornet Communications Inc.
Attn: Chief Privacy Officer
300 Lockhart Mill Road
P.O. Box 9060
Woodstock, NB, E7M 6B5

Dealing with Non-Responses

Most Canadian companies, and their associated privacy officers, should be familiar with receiving, processing, and responding to these requests for personal information. However, you may find that companies ignore you, or actively resist disclosing information, or attempt to mislead you. Here are a few tips to try to get your personal information if you think the company that you’re working with is failing to comply with your request.

A Reminder

Many of Canada’s ISPs have significant bureaucracies and not all of them are equally resourced or staffed. As a result, sometimes things just get lost. The first thing you can do if you don’t receive a response (including an acknowledgement of receiving your request) is to send a polite note or reminder. This will, ideally, (re)initiate the company’s policies and bureaucratic structures to respond to your request. If thirty days go by and you don’t hear anything, then send a polite note asking why they have failed to provide you with your personal information. If you still haven’t heard from them after this reminder, then you can complain to the federal privacy commissioner.

Complaint to the Privacy Commissioner of Canada

The federal Office of the Privacy Commissioner of Canada (OPC) is a designated ombudsperson; the office effectively acts as the federal point-institution for all things privacy. If a company either refuses to disclose your information, or is providing information in a manner that you think is misleading or false (e.g. they say they’ve given you everything, but you have very good reason to believe that the company has/is collecting further information about you) then you have the option of filing a written request to the Office. In your written complaint you’ll want to explain everything that you’ve done to date: when you sent your first request, responses from the company (if there have been any), and why you have a problem with their (lack of) response. Importantly, you don’t need to be a lawyer or privacy specialist to file a complaint!

Note that the OPC does not accept complaints by email, so you’ll need to file by letter mail to the below address or submit via their website:

Office of the Privacy Commissioner of Canada
Place de Ville, Tower B
112 Kent Street, 3rd Floor
Ottawa, Ontario K1A 1H3
Telephone: 613–947–1698 or 1–800–282–1376
Fax: 613–947–6850

Web complaint address: https://complaint-plainte.priv.gc.ca/en/

The OPC can act as a mediator between you and the telecommunications company in question, helping all parties involved to resolve the company’s failure to disclose your information. Alternately, they can investigate the company’s practices to see if they are actively flouting federal law. Ideally, however, getting the OPC involved will mean that the company will (eventually) disclose your personal information.

Why Your Requests Matter

Beyond simply exercising your legal rights, these requests matter on both the personal and the national level. Personally, by filing these requests you will be empowered to think about whether you’re OK with the amount(s) of information that your telecommunications companies collect or record about you, the duration of time they record that information, and their willingness to explain who they share information with. In effect, you won’t be at the mercy of pundits and talking heads to explain whether the collection of data matters to your life, in the abstract, because you’ll have the data in hand to make your own decisions and reach your own conclusions.

Beyond self-empowerment, it’s important for Canadians generally to file these requests to telecommunications companies because the companies have so steadfastly refused to communicate with the experts, with government bodies, and with interested members of the press. Almost all of the ‘polite’ ways of figuring out what these companies are up to have been exhausted: it’s time, unfortunately, to compel these companies to explain why they collect data, how much of it they collect, and explain why they disclose the information. To be clear, telecommunications companies in the United States and Europe have already begun releasing ‘transparency reports’, or documents explaining how and why the companies share information with state agencies. Those reports are the result of American and European publics supporting their civil advocates and privacy officers, lending their incredibly powerful voices to the policy and legal efforts that had been ongoing for years. Canadians are amongst the most digitally connected populations on earth: now it’s time for us all to figure out who’s been monitoring, and disclosing, who we’ve been connecting to and whether existing practices need to be reined in.

Ron Deibert was interviewed by Amanda Lang on CBC’s Lang & O’Leary Exchange about what’s changed with regard to online privacy since Edward Snowden’s revelations about the NSA.


Summary

This report is the third in a series which analyzes regionally-based keyword censorship in LINE, a mobile messaging application developed by LINE Corporation (a subsidiary of South Korean Naver Corporation) based in Japan. We document recent changes to the list of keywords used by LINE to trigger regionally-based keyword filtering for users with accounts registered to Chinese phone numbers.

Previous Keyword List Changes

In November 2013, we reported on results from reverse engineering LINE, which revealed that when the application is registered to a Chinese phone number, censorship functionality is enabled.

The code analysis in our first report was performed on LINE v3.8.5 for Android and the keyword blocking behaviour was confirmed on an Android device running v3.9.3 downloaded directly from the Google Play store. We confirmed the presence of censorship functionality going back to v3.4.2, released on January 18 2013.

The LINE keyword lists were modified in v3.9.4 released on November 18 2013.  In our original analysis we found LINE has an internal keyword list built in to the APK. If the user’s registered phone number is set to a Chinese number the application will download an additional keyword list from Naver’s server and block transmission of any messages that contain any of those keywords. The downloaded keyword file is stored in the application’s cache directory as cbw.dat. If this list is unavailable, LINE will default to using an internal list of 50 keywords. In LINE v3.9.4 the internal list was removed from the application.

The content of the list includes keywords that relate to domestic Chinese politics, human rights, and sensitive political events–many of which are rather obscure and only mentioned in media known for being critical of the Communist Party of China (CPC). A number of these keywords relate to lightly reported incidents that did not go viral, which raises questions as to why they were included. The fact that some of these censored incidents are not high profile seems to indicate that they have been added by LINE as a pre-emptive, preventative measure or could potentially have been intended for testing and not production use. Thus, the internal list may have been removed because these keywords no longer merit inclusion.

Keyword List v22 Analysis

On April 8 2014, the keyword list that the application retrieves from Naver servers was updated from v21 to v22. This change is current as of LINE v4.3.0 released on April 26 2014. As with the previous version, list v22 is Base64 encoded and encrypted using AES in cipher block chaining (CBC) mode with PKCS#7 padding. Decryption is done through a static key stored in the binary that remains the same as the previous list version.

We translated each keyword from Chinese to English and assigned them content categories using a set of categories we developed to analyze keywords used to trigger both keyword filtering and surveillance in TOM-Skype and keyword filtering only in Sina UC.

List v22 contains 535 keywords in total. Comparing list v21 and v22 reveals that 312 new keywords have been added and 147 keywords have been deleted. The keywords are almost entirely in Chinese script; only 7 of 535 keywords do not contain Chinese characters. Some are combinations of scripts, such as ‘天安门1989’ (‘Tiananmen 1989’), a reference to the 1989 Tiananmen Square massacre.

All of the 147 removed keywords relate to the Bo Xilai scandal, which involved a prominent Chinese politician being jailed for corruption while his wife was convicted of murder. In previous research on the microblogging platform Sina Weibo we found that the keyword ‘薄熙来’ (‘Bo Xilai’) was blocked and unblocked in patterns that appear to be correlated with authorities filtering his name when online conversations got too unpredictable to control and unblocking it when Bo fell out of favor with the CPC. For example, following the official expulsion of Bo Xilai from the CPC in September 2012, his name was unblocked on Sina Weibo, which possibly reflects authorities easing censorship requirements around the scandal to provide netizens a space to discuss and criticize the disgraced leader. The removal of 147 keywords from LINE related to Bo Xilai may also be the result of directives allowing discussion of Bo. However, 10 new keywords relating to Bo Xilai were added to list v22, and 2 of the Bo Xilai keywords from v21 were not removed. The 12 remaining Bo Xilai keywords on list v22 do not appear to be qualitatively different from the 147 deleted keywords and it is unclear why they are retained while the others are removed.

The majority of the 312 new additions to the keyword list relate to Chinese government officials or notable political events. These keywords include references to government officials (22.7% of the total new keywords), criticism of the CPC (8.9%), references to the June 4, 1989 Tiananmen Square massacre (7.6%), references to the relatives of political figures (8.3%) and references to political scandals (5.1%). References to Tiananmen Square previously accounted for 15% of the keywords on list v21, second only to the Bo Xilai scandal. After these 5 categories, the next most common categories of keywords added to list v22 were those relating to the CPC generally (4.8%) and content relating to dissidents/activists (4.1%).

See Figure 1 for a breakdown of the content categories of the new keywords added to list v22:

Figure 1: Categories of new keywords added to LINE list v22.

The complete list v22 shows that keywords relating to Tiananmen Square (15%) make up the largest single category.

See Figure 2 for a breakdown of all the categories in list v22.

Figure 2: Categories of all keywords on LINE list v22.

Comparing LINE Keyword Lists to TOM-Skype and Sina UC

Our dataset on TOM-Skype and Sina UC comprises 88 separate keyword lists, which combined contain 4,256 unique keywords. Comparison of TOM-Skype and Sina UC keyword lists revealed that of the 4,256 unique keywords, only 138 terms (3.2%) were shared in common between the two clients.

Of the 535 total keywords on LINE list v22, 45 are an identical match on TOM-Skype lists, 19 on Sina UC lists and 34 on the lists of both clients for a total of 98 (18%) keywords on list v22 matching the China Chats dataset.

Compared to the 370 total keywords of LINE list v21, 8 are an identical match on TOM-Skype lists, 10 on Sina UC lists and 9 on lists of both clients for a total of 27 (0.7%) keywords on list v21 matching the China Chats dataset.

The top categories for keywords which appear on both the v22 list and either of the TOM-Skype/Sina UC lists are content relating to CPC members/government officials (22% of these 98 keywords), content relating to the Tiananmen Square massacre (12%), content relating to dissidents/activists (12%) and keywords related to the Falun Gong (10%).

We observe a similar lack of overlap between the LINE, TOM-Skype, and Sina UC lists. The inconsistencies between the lists used for the three clients suggest that no common keyword list is provided to companies operating chat programs in the Chinese market.
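The two comparisons reported above (the v21 to v22 diff, and the overlap of a LINE list with the TOM-Skype and Sina UC lists) reduce to set operations on the decrypted keyword lists. The following is an added example, not code from the report: the sample lists are constructed, and the NFKC normalization and Han code point ranges are assumptions about how entries are matched and classified.

```python
import unicodedata

# Han code point ranges: CJK Unified Ideographs, Extension A, Extension B.
HAN_RANGES = ((0x4E00, 0x9FFF), (0x3400, 0x4DBF), (0x20000, 0x2A6DF))


def normalize(keyword):
    """NFKC-fold and trim so full-width/half-width variants compare equal."""
    return unicodedata.normalize("NFKC", keyword).strip()


def load(entries):
    """Turn raw list entries into a set of normalized, non-empty keywords."""
    return {k for k in map(normalize, entries) if k}


def has_han(keyword):
    """True if the keyword contains at least one Chinese character."""
    return any(lo <= ord(ch) <= hi for ch in keyword for lo, hi in HAN_RANGES)


def diff_lists(old_entries, new_entries):
    """Keywords added, removed and kept between two list versions.

    The sizes always satisfy len(old) - removed + added == len(new),
    the same identity as the report's 370 - 147 + 312 = 535.
    """
    old, new = load(old_entries), load(new_entries)
    return {"added": new - old, "removed": old - new, "kept": old & new}


def overlap(target_entries, tom_skype_entries, sina_uc_entries):
    """Partition matches of a target list against two other clients' lists."""
    target = load(target_entries)
    tom, sina = load(tom_skype_entries), load(sina_uc_entries)
    parts = {
        "tom_skype_only": (target & tom) - sina,
        "sina_uc_only": (target & sina) - tom,
        "both": target & tom & sina,
    }
    matched = sum(len(v) for v in parts.values())
    parts["matched_share"] = matched / len(target) if target else 0.0
    return parts


# Constructed sample lists. Only the two Chinese keywords quoted in the
# report are real entries; everything else is a placeholder.
V21 = ["薄熙来", "天安门1989", "sample-old-1", "sample-old-2"]
V22 = ["天安门１９８９ ", "薄熙来", "sample-new-1", "示例词"]  # full-width digits
TOM_SKYPE = ["薄熙来", "sample-new-1", "other-a"]
SINA_UC = ["薄熙来", "示例词", "other-b"]

if __name__ == "__main__":
    changes = diff_lists(V21, V22)
    print("added:", sorted(changes["added"]))
    print("removed:", sorted(changes["removed"]))
    print("no Chinese characters:", [k for k in load(V22) if not has_han(k)])
    shared = overlap(V22, TOM_SKYPE, SINA_UC)
    print("shared with both clients:", sorted(shared["both"]))
    print("share of list matched: {:.0%}".format(shared["matched_share"]))
```

Without the normalization step, the full-width variant of ‘天安门1989’ in the constructed v22 list would be counted as both a removal and an addition.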

Conclusion

It is unclear how the content of LINE keyword lists is determined. LINE previously had a partnership with Chinese software company Qihoo 360 Technology Co., Ltd to distribute a Chinese branded version of the application called Lianwo (连我). This week LINE announced that it changed domestic Chinese partners from Qihoo 360 to Beijing Zhuoyi Xunchang Technology Co. Ltd also known as “wandojia” (豌豆莢). In the official announcement of this new partnership it is noted that amongst its responsibilities Wandojia will provide technical support to LINE operations in China. How this new relationship affects the implementation and content of keyword filtering for Chinese users is uncertain.

Following our first report we sent LINE Corporation a letter asking a number of questions including a request for clarification of the relationship between LINE and Qihoo 360 and information on the process for determining the content of keyword lists. We received a terse reply:

“LINE had to conform to local regulations during its expansion into mainland China, and as a result the Chinese version of LINE, ‘LIANWO,’ was developed. The details of the system are kept private, and there are no plans to release them to the public”.

Despite the lack of information provided by LINE Corporation around its operations in China, it is clearly maintaining keyword filtering features for users in the country. Previous work on the censorship practices of chat clients, blog services, and search engines in China reveals inconsistencies in the specific keywords and content that are targeted for blocking, but general similarities in content categories. These differences suggest that companies may be given general guidelines from government authorities on what types of content to target but have some degree of flexibility on how to implement these directives. The LINE keyword lists appear to fit these findings, but the process of developing and implementing content filtering policies and the interactions between LINE Corporation, its domestic partners, and Chinese authorities remain unknown.


Christopher Parsons was interviewed by a number of news outlets throughout April, loosely on the subjects of national security, critical digital infrastructure, and government transparency. He spoke with Vice’s Motherboard about the motivations and concerns associated with the Government of Canada’s purchase of encrypted telephones and fax machines from the National Security Agency, and with Global News, Vice, CBC, and SiriusFM about the threats that the ‘Heartbleed’ OpenSSL vulnerability created for Canadians.

Related to software vulnerabilities, Parsons discussed the challenges that Canadian ‘white hat’ hackers can face when they report about software vulnerabilities in commercially sold software products.

He was also interviewed by the Toronto Star as part of an article that investigated the strength of Canadian Access to Information laws. Specifically, he spoke about how mobile and personal communications systems have brought about both opportunities and challenges for learning about how and why governments create the laws and policies that they do.

Senior Security Researcher and Technical Advisor Morgan Marquis-Boire was interviewed for a piece in Wired magazine on Heartbleed, “a bug in the internet’s infrastructure that some are calling the worst thing they’ve seen in years.”

“Does the internet need to do a global password reset?” says Marquis-Boire. “Possibly not. Should they? Probably?”


Senior Security Researcher Seth Hardy was also featured in the Financial Post, the Globe and Mail, CBC, Sun News Network and U of T News.

“Writing security software, cryptographic libraries, and programs that secure Internet traffic, it’s really difficult,” said Seth Hardy… “A lot of people don’t really understand the incredible amount of detail and attention to every possible outcome that needs to be made, because one mistake in the entire library can bring a system down. And that’s a flaw of the type we’re seeing with Heartbleed.”