Skip to main content
The Globe and Mail
Support Quality Journalism.
The Globe and Mail
First Access to Latest
Investment News
Collection of curated
e-books and guides
Inform your decisions via
Globe Investor Tools
per week
for first 24 weeks

Enjoy unlimited digital access
Enjoy Unlimited Digital Access
Get full access to
Just $1.99per week for the first 24weeks
Just $1.99per week for the first 24weeks
var select={root:".js-sub-pencil",control:".js-sub-pencil-control",open:"o-sub-pencil--open",closed:"o-sub-pencil--closed"},dom={},allowExpand=!0;function pencilInit(o){var e=arguments.length>1&&void 0!==arguments[1]&&arguments[1];select.root=o,dom.root=document.querySelector(select.root),dom.root&&(dom.control=document.querySelector(select.control),dom.control.addEventListener("click",onToggleClicked),setPanelState(e),window.addEventListener("scroll",onWindowScroll),dom.root.removeAttribute("hidden"))}function isPanelOpen(){return dom.root.classList.contains(}function setPanelState(o){dom.root.classList[o?"add":"remove"](,dom.root.classList[o?"remove":"add"](select.closed),dom.control.setAttribute("aria-expanded",o)}function onToggleClicked(){var l=!isPanelOpen();setPanelState(l)}function onWindowScroll(){window.requestAnimationFrame(function() {var l=isPanelOpen(),n=0===(document.body.scrollTop||document.documentElement.scrollTop);n||l||!allowExpand?n&&l&&(allowExpand=!0,setPanelState(!1)):(allowExpand=!1,setPanelState(!0))});}pencilInit(".js-sub-pencil",!1); // via darwin-bg var slideIndex = 0; carousel(); function carousel() { var i; var x = document.getElementsByClassName("subs_valueprop"); for (i = 0; i < x.length; i++) { x[i].style.display = "none"; } slideIndex++; if (slideIndex> x.length) { slideIndex = 1; } x[slideIndex - 1].style.display = "block"; setTimeout(carousel, 2500); } //

Ron Deibert is the director of the Citizen Lab at the University of Toronto's Munk School of Global Affairs.

Imagine if the government had knowledge of a critical vulnerability in a heart pacemaker, but decided to keep the information secret in order to exploit it as a weapon. Would that be okay? What about flaws in the electronic controls of a 747 that could be manipulated remotely to cause the plane to crash? Or a nuclear enrichment facility? Should they publicly disclose these vulnerabilities in the interests of user safety? Or should they keep them classified in case they provide comparative advantage in matters of national intelligence or warfare?

Whatever each of us may think about these questions, it appears the world's most powerful spy agencies have already resolved on an answer: for them, national security trumps user security.

Story continues below advertisement

Today, the University of Toronto's Citizen Lab is publishing a report documenting major security and privacy vulnerabilities in one of the world's most widely used mobile applications: UC Browser. Chances are if you are a North American reading this, you have never heard of UC Browser. But if you live in China or India, it's probably as familiar as Microsoft Explorer. In fact, UC Browser is used by over 500 million people, and is the fourth most popular mobile browser in the world.

Popularity aside, UC Browser has fundamental problems (problems the company is working to repair after our notification): it leaks a huge torrent of highly detailed personally identifiable data about its users. Those leaks include the unique identification number hard-baked into the device (IMEI), personal registration data on the user's SIM card (IMSI), any queries sent over the browser's search engine, a list of the names of any WiFi networks to which the device has recently connected, and the geolocation of the device. Some of this data is sent entirely "in the clear" without encryption; others are sent using weak encryption that could be easily decrypted. Some of it is sent the moment the application is turned on, in an "idle state." None of it is sent with the explicit permission of its users.

What is the significance of this data leakage for UC Browser's hundreds of millions of users? It means any operator of a network through which this data passes – from the telecommunications companies to the cellular and Internet providers to the WiFi hotspots, and any other third parties with whom any of those operators share data – could find out a user's identity, the device they use, where and when they've been with that device, what they're searching for, and with whom they socialize.

Such leaks would be a treasure trove to a lot of different groups: advertisers, looking to sell consumer preferences and habits; criminals, seeking to engage in identity fraud; unethical businesses, tracking their competitors; secret police, looking for activists and their co-conspirators; and, of course, modern intelligence agencies looking to vacuum up as much data from as many possible sources as they can.

Which brings us to how Citizen Lab became interested in UC Browser in the first place. Our research was prompted when we spotted references to UC Browser's leaky setup in a top secret document prepared in 2012 by Canada's spy agency, the Communications Security Establishment (CSE). The document was among those that former NSA contractor Edward Snowden leaked to the media. The Canadian Broadcasting Corporation (CBC), in collaboration with The Intercept, contacted us requesting comment about the document. Given the possibilities of vulnerabilities affecting a larger number of at-risk users, we conducted an independent investigation of UC Browser.

As the Snowden document makes plain, CSE and its allies in the United States, United Kingdom, Australia and New Zealand knew about UC Browser's privacy and security problems since at least 2012. But rather than disclose them to the public and notify the company (as we felt compelled to do), they sat on and exploited them.

Of course, a leaky browser application is not as critical as a fault in a pacemaker, a 747, or a nuclear enrichment facility. Or is it? Consider that in China where the browser is most popular, all network operators are required by law to retain customer data and turn it over to security agencies upon request. The Chinese regime does not look fondly on political opposition and public demonstrations, the organization of which is now almost entirely dependent on mobile devices. Each year, China executes thousands of people for crimes against the state, and sends thousands of others to re-education labour camps. Chinese dissidents with UC Browser on their mobile device have been sitting ducks for China's targeted surveillance, for years.

Story continues below advertisement

Did CSE and its allies deliberate seriously about these moral tradeoffs? Hard to say, as such deliberations are classified. For what it's worth, the White House's Cybersecurity Coordinator, Michael Daniels, has said the United States has a "disciplined, rigorous, and high-level decision-making process for vulnerability disclosure" in which "all of the pros and cons are properly considered and weighed." The top secret documents, however, evince a different attitude, one full of only excitement at the discovery and the prospects for exploitation.

The case of UC Browser is one illustration of a larger public policy problem around cybersecurity. We stand at a crossroads. Down one path is a future where governments secretly stockpile information vulnerabilities as weapons, weaken encryption to make eavesdropping easier, and engineer secret "back doors" into our networks to steal info and sabotage systems. Heading down this path will turn the global information commons into an inter-state battlefield. In worst case scenarios involving the targeting of critical infrastructure, it will lead inevitably to large-scale loss of life.

There is another path we can head down, one in which the security of users, regardless of nationality or geography, is the primary concern. Going down this path would begin with the premise that cyberspace is a shared common resource requiring stewardship. It would imply a much greater role for civilian, as opposed to military, agencies. From this view, securing cyberspace would be undertaken by independent and globally distributed individuals and groups insulated from national rivalry. The core of this approach would involve the public disclosure of vulnerabilities wherever they occur in the interests of global public policy, human rights and international humanitarian law.

Are we confident our governments are on the right path?

Report an error
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to If you want to write a letter to the editor, please forward to

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

If you do not see your comment posted immediately, it is being reviewed by the moderation team and may appear shortly, generally within an hour.

We aim to have all comments reviewed in a timely manner.

Comments that violate our community guidelines will not be posted.

UPDATED: Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies