For a variety of reasons, I haven't posted anything here for almost two years. Things have settled down a bit and I'm feeling motivated to start posting again, so I thought I'd kick it off with a short post to provide updates on just a few things that have happened over the last two years which I might have written about if I was better at this blogging thing:
Posted by Matt on June 04, 2014
Tagged with: prostitution
When the SCC declared the existing Criminal Code provisions respecting the sale of sex invalid, they postponed that declaration of invalidity for a year to give the Conservative government time to respond with some new laws. And now the government has answered that call.
A new bill tabled in Parliament, named the Protection of Communities and Exploited Persons Act, targets johns and pimps but also criminalizes the sale of sex in areas in which children could reasonably be expected to be present.
I haven't read the full text of the bill yet so for now I'll just leave you with that link.
In Parliament, the Justice and Human Rights Committee is discussing Bill C-13, also known as the Protecting Canadians From Online Crime Act, also known as "the cyberbullying law". I've discussed the bill before. The bill is being pitched as a way to protect innocent Canadians from cyber-predators, but concerns have been raised that it grants law enforcement more power to compel disclosure of subscriber information from telecommunications providers than is necessary. One of those with concerns about the bill is David Fraser, who has been invited to appear before the Committee. He's posted the text of his testimony on his blog and it's worth a read.
Posted by Matt on April 16, 2014
Tagged with: heartbleed
You may have heard of a little thing called the Heartbleed bug, which has basically absolutely devastated the Internet over the last few weeks. Basically, anyone who isn't freaking out about this either isn't paying attention or doesn't understand what's going on.
The gist of it is this: web servers which want to communicate securely with their users use a security protocol called TLS. Anytime you visit your bank's web site and you see that little padlock icon appear near the address bar, that's TLS in action. Well, it was recently discovered that there was a way to get servers using TLS to spew out some of what was being stored in the server's memory at the time. XKCD has an excellent illustrated explanation of how it works. This memory might contain nothing of interest, or it might contain really valuable pieces of information like usernames, passwords or even the keys which the server relies on to protect itself from eavesdroppers. There's no way for an attacker to know exactly what they're going to get when they exploit this bug, but since they can exploit it over and over, eventually a determined attacker will get something of interest.
One organization that discovered their servers were vulnerable was the Canada Revenue Agency. They disabled the affected servers quickly, but unfortunately not quickly enough: on April 11, it was discovered that the Social Insurance Numbers of over 900 Canadians had already been stolen.
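The missing check behind the bug, as an added example that is not code from this blog or from OpenSSL: the leak came through TLS's heartbeat message (RFC 6520), in which the sender states how long its payload is and the server echoes that many bytes back. The function names and the two sample records below are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PAD  16  /* minimum padding required by RFC 6520 */

/* Constructed records: 3-byte header, "bird", 16 zero padding bytes. */
static const uint8_t HONEST[23] = {HB_REQUEST, 0x00, 0x04, 'b', 'i', 'r', 'd'};
static const uint8_t LYING[23]  = {HB_REQUEST, 0x40, 0x00, 'b', 'i', 'r', 'd'};
static uint8_t OUT[64];

/* Payload length the sender claims (big-endian, sender-controlled). */
static size_t hb_claimed(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes an unchecked echo would read from beyond the received record. */
size_t hb_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR) return 0;
    size_t claimed = hb_claimed(rec), present = rec_len - HB_HDR;
    return claimed > present ? claimed - present : 0;
}

/* Build the echo; returns its length, or 0 to discard the request silently. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST) return 0;
    size_t claimed = hb_claimed(rec);
    /* The bounds check: claimed payload plus padding must fit in the record. */
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len) return 0;
    size_t resp_len = HB_HDR + claimed + HB_MIN_PAD;
    if (resp_len > cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD); /* real stacks use random padding */
    return resp_len;
}

int main(void) {
    printf("honest: over-read %zu, response %zu bytes\n",
           hb_overread(HONEST, sizeof HONEST), hb_respond(HONEST, sizeof HONEST, OUT, sizeof OUT));
    printf("lying:  over-read %zu, response %zu bytes\n",
           hb_overread(LYING, sizeof LYING), hb_respond(LYING, sizeof LYING, OUT, sizeof OUT));
    return 0;
}
```

The second record claims a 16,384-byte payload while carrying four; without the bounds check, the echo would be filled from whatever sat next to the record in the server's memory.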
Posted by Matt on April 16, 2014
Tagged with: music, musicvideo
Since its release last June, Queens of the Stone Age's ...Like Clockwork has probably been the most played album in my collection. And now, behold the video for Smooth Sailing, in which Josh Homme and a group of Japanese businessmen engage in all sorts of unsavory activities that you should probably not emulate.
There have been at least two noteworthy Canadian law & technology stories in the last two weeks. I haven't covered them, but if you're reading Michael Geist's and David Fraser's blogs (and you should be), then you'll be up to speed. If not:
The Government of Canada released Digital Canada 150, the latest communication in their ongoing "Digital Strategy". You can see a version with fancy animations here or just look at the PDF. You can read Michael Geist's take on it here. He is more generous about the document than I am, finding it succeeds on at least three levels. My brief analysis: sound & fury, signifying nothing.
Bill S-4, the Digital Privacy Act, was tabled in the Senate. The bill makes a number of amendments to PIPEDA, the federal privacy legislation. One amendment of note: organizations which collect and store personal information will be permitted to share that information with other organizations, including law enforcement agencies, for the purposes of "investigating a breach of an agreement or a contravention of the laws of Canada". This significantly broadens the circumstances in which organizations can share private information without consent or a court order. It also comes not two weeks after the revelation that Canadian telecommunication companies were already voluntarily disclosing a huge amount of information about their subscribers to various law enforcement agencies. I've discussed the topic of law enforcement having warrantless access to subscriber data before. Well, the issue of warrants becomes moot if companies are just voluntarily handing this information over to law enforcement. The amendments in S-4 will only encourage these kinds of practices.
Posted by Matt on April 03, 2014
Tagged with: csec, surveillance, bccla
The BCCLA has commenced another lawsuit against the Communications Security Establishment in the Federal Court. This one is a class action lawsuit, with Lindsay Lyster, the President of the BCCLA, as the representative plaintiff. The proposed class is anyone in Canada who has used a wireless device since 2001. The term "wireless device" includes "cellular telephone, smartphones including iPhones, Blackberries, laptop computers, iPads and similar devices".
So anyone in Canada who has used a laptop or cellular telephone in the last 13 years. That's a lot of people.
BCCLA's first lawsuit asked the Court to determine that CSEC's warrantless surveillance activities violated Canadians' constitutionally protected rights. If that case is successful, then this class action will hopefully provide Canadians with remedies beyond CSEC getting a stern scolding.
Posted by Matt on March 25, 2014
Tagged with: gchq, surveillance
A brief followup on the GCHQ snoops Yahoo webcam chats story that I posted about earlier. As a consequence of that surveillance, Yahoo has decided to move the center of their European operations from London to Dublin. This would put them beyond the reach of the UK's Regulation of Investigatory Powers Act, which compels UK companies to provide access to communications stored on their server. (It's not quite that simple of course; it never is, but that's the gist). Understandably, this has the UK intelligence community concerned:
"There are concerns in the Home Office about how RIPA will apply to Yahoo once it has moved its headquarters to Dublin," said a Whitehall source. "The home secretary asked to see officials from Yahoo because in Dublin they don't have equivalent laws to Ripa. This could particularly affect investigations led by Scotland Yard and the national crime agency. They regard this as a very serious issue."
As Techdirt points out, Yahoo probably sees this "very serious issue" as precisely the reason they're moving to Dublin in the first place.
Posted by Matt on March 17, 2014
Tagged with: encryption
A while ago I wrote a post which briefly touched on whether the authorities in the UK, Canada and the US could force a suspect to divulge their decryption key. In short, I answered yes, no and maybe, respectively.
Australia's itnews has published an article about a submission from the Australian Attorney General suggesting laws be made which would place new obligations on services which use encryption to protect their data, as well as individual users. This is very, very far away from being a law. This is just the AG's wish list. However, it appears that the law the AG envisions would permit the court to order a service or end user to provide any assistance that intelligence agencies require to decrypt an encrypted communication.
The relevant portion starts on page 19 of the submission and is reproduced below.
In January, the Citizen Lab conducted a survey of Canadian telecommunications companies about their practices when it came to disclosing subscriber information to government agencies. Today, they posted the results of that survey.
We asked the companies to reveal the extent to which they voluntarily, and under compulsion, disclose information about their subscribers to state agencies, as well as for information about business practices and data retention periods. The requested information would let researchers, policy analysts, and civil liberties groups better understand the current telecommunications landscape and engage in evidence-based policy analysis of current and proposed government surveillance activities. The companies were asked to provide responses by March 3, 2014.
The results weren't spectacular. Most companies provided answers which were not responsive to the specific questions asked. Not only were they unresponsive, but they didn't even want to indicate why they were unresponsive.
For almost all questions, it seems, companies are unwilling to assert whether they cannot or will not respond; instead, they have deliberately left unclear whether they are legally barred from providing responses to specific questions or have simply decided that they would prefer not to respond to these questions.
Of all the telcos, it sounds as if Telus was the most open. They provided some indication of their policies on information disclosure, bragged about the time they pushed back on general warrants and discussed the legal framework they would like to see in place.