S is for Surveillance
It was the IMSI Catchers, as much as anything else, that blew Gus Hosein away.
Cellphones are designed to lock onto the most powerful base station available to them. Put a fake base station with a strong signal in range of GSM cellphones, and they’ll lock onto its signal instead. And as they log in, the fake base station will catch their unique IMSI identifier codes—identifiers that can be cross-referenced with telcos to determine their owners’ identities. Put one of these nondescript gadgets in a public square, and you could determine the name of every cellphone-owner there.
Meanwhile, industrial-grade surveillance equipment has appeared on the private market. These technologies were once the domain of national spy agencies, but now they’re being marketed to corporations and police forces. “Up until six months ago, we had no idea of these technologies,” says Hosein, the executive director of London-based Privacy International, an advocacy group. “And we’re the most paranoid people in the human rights movement.”
The gear ranges from spy gadgets to software tools that help sift through vast quantities of network traffic, extracting clear pictures of who knows who, and who’s been talking about what.
And when police get into the spy game, the lines between government and hacker can get fuzzy. The same tools that criminals use to pursue financial gain can be used by repressive governments to monitor dissidents. One British company, Gamma Group, sells what it calls “Governmental IT Intrusion” tools—which turn out to be malware attacks that install monitoring software on an individual’s devices.
Canadians can’t sit pretty, either. Guelph-based Netsweeper has attracted scrutiny for providing countrywide web-censoring services for repressive regimes like Yemen. Meanwhile, the Canadian “lawful access” legislation that raised an uproar this year would force Internet companies to install data-sorting equipment to comply with the government’s demand that online communications be interceptable.
“The most useful information is access to traffic data, subscriber data,” Hosein says. “That’s when you can start doing mass surveillance: drawing the lines between who’s speaking to who, what websites you’re visiting; your political interest, your sexual interests, your social interests.” As he speaks to legislators, Hosein struggles to make clear that Internet surveillance isn’t a natural evolution of wiretapping: Information captured from a single conversation pales next to the aggregated data of a user’s online life. And once this data is collected, it’s bound to be used.
T is for Telco
One day in March, a Rogers customer publicly informed the company via Twitter that he’d been receiving spam text messages.
“Thanks for sharing that,” the Rogers rep replied. “I don’t see anything related to us in that SMS [text] though.”
“Was sent over your network,” said the complainant. “Do you not investigate phishing attacks?”
It’s a question that becomes more loaded by the day: Are ISPs responsible for policing what traverses their networks? Telecom companies have a view into what’s happening on their networks that few can match. Just as police demand that ISPs report activity by child pornographers, and copyright holders wonder whether telcos shouldn’t filter for infringement, security experts ask whether telcos shouldn’t take the lead in monitoring for threats like malware and botnets.
Observers like Melissa Hathaway, who worked as a cybersecurity adviser to the Bush and Obama administrations, argue that ISPs, as the first line of defence, should assume a series of duties, including educating customers about threats, and notifying them of malware infections spreading across their infrastructure. In Australia, some 30 leading ISPs have taken the cue: They teamed up to provide a single threat-notification and education service for consumers, and they report the threats they find to a national body.
Rogers does investigate user complaints against specific IP addresses, according to a spokesperson; the ISP also “reserves the right” to manage its network to control spam and malware.
U is for Undisclosed
Big breaches make news. But who knows how many security breaches go unreported? In Canada, there is no statutory requirement for private firms to report breaches of user data—but there could be. Such an update to Canada’s digital privacy law has been introduced in Parliament, but is sitting idle.
V is for fake anti-Virus software
A recent but ubiquitous ploy: tricking users into installing free anti-virus software (or, worse, paying for it) that will do the opposite, and infect the user’s computer. Stick to brands you trust, and treat anything claiming to be a “free virus scanner” as gingerly as you can.