They're watching you
University of Toronto professor and counterespionage hacker Ron Deibert has made plenty of enemies—including Canada's own intelligence services
Since founding Citizen Lab in 2001, University of Toronto professor Ron Deibert has led a team of counterespionage hackers—he prefers "researchers"—who have uncovered some of the Internet's deepest secrets. Citizen Lab produced the first report on Chinese cyberespionage when it cracked GhostNet, a network found spying on political targets around the world. More recently, Deibert's group discovered an exploit in iPhone software that turned the phones into covert data-tracking devices, before even Apple knew about it. Deibert has literally written the book on how authoritarian governments are turning the Internet into a malign force of control, and that book, Black Code, is now the basis for a feature documentary. From Citizen Lab's top-floor perch at U of T's Munk School of Global Affairs, and hidden locations around the world, Deibert and his staff of 20 map censorship patterns, investigate app security and push for transparency across the digital realm. Along the way, they've made some enemies, and increasingly, the word "crisis" is a fixture in Deibert's vocabulary.
You're in favour of the term "hacktivism."
Yeah, although it's become a bit of an albatross. Most people associate hacking with criminal behaviour. I mean the exact opposite. If you look at the origin of the term, it meant somebody who is interested in technology, who likes to experiment. This should be a civic ethic in the world we live in today.
You've spoken out strongly about Canada's Communications Security Establishment, the CSE, this country's version of the NSA. Why?
According to experts in signals intelligence (1), it is the least accountable of all the "five eyes"—the major signals intelligence agencies in the West. Its budget has ballooned at the same time that we as citizens are immersing ourselves in this digital space and effectively turning our lives inside out—carrying that device around with you [he points to my iPhone] that they have access to and can track everything you're doing. It's a bad, bad set-up. Right now, the fact that you're here with me, they know about. Conceivably.
This specific visit?
Do you have a full and complete sense of what the CSE does?
No. Nor does anyone else in Canada, other than them.
Not even Trudeau?
Absolutely not. They are not compelled to go before Parliament (2). A retired judge with a staff of 11 does a review once a year to verify that CSE is following its own secret interpretations of laws that themselves are secret.
Well that's frightening.
It's very frightening. Not to say there's abuse taking place, but it's a recipe for the abuse of power.
John Adams, the former head of CSE, told you there were people within government who thought you should be arrested, and he agreed with them.
It was an aside, after a panel.
Why did he think that?
That's a good question. I think it might have been a joke. I don't know.
It seems like an odd joke.
It's an odd joke to make. I did hear, sort of entre nous, that there was a very negative analysis done of our GhostNet report that went right up to the Prime Minister.
Harper at the time.
Yes. And there were questions about our methods. This is where the "hacktivism" thing might have caused some confusion.
Harvey Rishikof at the National Defense University in Washington described what you do as "trespassing and violating computers in foreign jurisdictions."
Yeah. It's just absolutely nuts.
Your phrasing is you're "browsing computers that are connected to the Internet." It suggests roaming through the hallways of a computer to look at all the data.
Which is to a certain degree true. But none of this is illegal. We've published our methods in refereed scientific journals. There's a lot of scrutiny around our methods. A computer that's attached to the Internet gives off a lot more information than just the website you see. There are ports you can scan. There are things you can do that tell you a lot about that computer.
And it's different from—
Breaking into a computer. These are Internet-networked computers. The whole purpose of them is to communicate with each other over the Internet.
You're talking about something that can be googled.
That's the irony. While these people are saying this about us, meanwhile, these agencies are doing exactly what they are condemning us for and which we would never do: break into computers! CSE does that all the time!
One of the reasons that I speculate that John Adams and others were upset by our [GhostNet] report—it turns out that they had been piggybacking off that very same network, behind the backs of the Chinese. They were gathering up the stuff the Chinese were stealing and taking it for themselves. It's called fourth-party collection. This is standard in espionage. When we published our report, we broke up the party.
So you were, in their view, thwarting Canada's national security efforts.
Well, in their narrow way of understanding that, which is, "As few people should know about this as possible."
Staying within Canada, Netsweeper sued you. Why?
We have done several country reports in which we've identified that the technology being used to censor the Internet has been Netsweeper (3). And we started thinking, "Maybe, before our report comes out, let's send a letter to them, see what their reaction is, and offer to publish it in full." They never responded to us. So this lawsuit came out of the blue.
And it was a result of your report on Yemen.
The Houthi rebels—an Islamist, very radical group within Yemen—took over the capital and, by extension, the Internet service provider. And they put in place the most draconian Internet censorship regime we've ever seen, blocking the entire Israeli domain. To us this is remarkable—that a Canadian company would be assisting in that effort, at a time of civil war, when restriction of information could put people's lives at risk. They claimed that remarks I'd made in the media, and our report, was defamation (4).
Canada has export controls. How has Netsweeper avoided being caught up in those export controls?
Canada has many export controls, but the regime presently doesn't restrict the sale of this type of technology.
Are the laws in Canada equipped to deal with concerns about invasions of privacy?
I think we have pretty robust privacy laws. In terms of what Netsweeper is doing, I definitely think there should be more robust regulation. You have this company that's a world leader in Internet censorship. Worldwide. It provides technical support to some of the world's worst authoritarian regimes. It runs the great firewall of Pakistan, one of the world's worst censors of the Internet. This is contrary to, I think, most Canadians' values and our government's own stated foreign policy.
Maybe the problem, in trying to bring officials up to speed, is that the subject is so complex and the language of it is beyond most people.
Frankly, I think the bigger problem here is that when we say "cybersecurity," most people think immediately of the military, intelligence agencies, the government. To me, this is a civilian issue, because it impinges on every aspect of our behaviour, our thought, our social networking with one another. There's nothing that's not networked today. You walk around with this device [ my iPhone] 24 hours a day. It sits at your bed, it transmits information when you're sleeping, and yet we are entrusting the security of this domain to the world's least accountable agencies. This is a disaster, on a number of levels, waiting to happen.
And so what do we do?
We have to rethink what it means to secure cyberspace. How do we go about doing this in a way that is in conformity to basic liberal democratic principles.
That's high-level. I'm talking about someone reading this interview. You're presenting this crisis in the making. What do we do?
What I like to encourage people to do at a most basic level is not to take the technology for granted. If I send you a text right now, even though you're sitting across from me, it transits through this vast physical infrastructure. And the data is shared with multiple third parties. There is a real crisis of democracy happening here.
You've written, "Our findings are only touching on a small area of what is a very disturbing larger picture." There's a lot of negativity coming out of what you do.
I guess I'm looking for a glimmer of hope.
There are a growing number of people who believe that the model of the old nation-state system is not sustainable. We need to think of ourselves increasingly as having this shared common space—the planet as a whole. As part of that, there needs to be a sense that we have a shared communications space. And we have to be vigilant about our rights. Right now, this very precious thing we've created within the last 25 or 30 years is at risk of serious degradation, weaponization, surveillance. We've sleepwalked into this. And now people are waking up to it. A movement is growing worldwide around this. That's the glimmer of hope for me.
(1) The practice by government agencies of intercepting communications, cracking codes, and monitoring the world's communications traffic.
(2) By comparison, the NSA is subject to oversight by Senate intelligence committees and compelled to testify before elected officials. In addition, there are 11 judges who adjudicate requests for surveillance warrants against foreign spies on U.S. soil.
(3) Based in Waterloo, Ontario, Netsweeper sells Internet blocking software—or "content filtering and web threat management solutions"—to organizations and governments around the world.
(4) Netsweeper has since dropped the lawsuit.
Trevor Cole is the award-winning author of five books. His latest is The Whisky King, a non-fiction account of Canada's most infamous mobster bootlegger.