On January 28, International Data Privacy Day, my thoughts will be with the people around the globe who are imprisoned because of their online actions, and I am reminded of the imperative precautions we must take in protecting our online identity. It has become clear in Canada that people need to become more vigilant about acquiring the necessary tools and knowledge to prevent the state from recording and documenting our online activities.
In the past year, there have been significant developments in surveillance powers and procedures in Canada, which are primarily conducted by law enforcement. Canada is part of the Five Eyes alliance, which conducts surveillance on Canadian and international citizens to collect information about their online activity. There were many concerning revelations released about spying on Canadians with the release of the NSA files leaked by Edward Snowden. The three departments in Canada that are primarily connected to the Five Eyes alliance are the Communications Security Establishment Canada (CSE), the Canadian Security Intelligence Service (CSIS), and the office of the Chief of Defence Intelligence. Along with these agencies, the RCMP and other security institutions are involved in gathering online and personal data about people living in Canada. Given these changes in the law, it must be assumed that without taking the necessary precautions, everything you do on the Internet is being collected by an agency that is part of the Five Eyes Alliance, from your Facebook chats to your Social Justice Google Group discussion.
We can expect more powers being given to the mentioned Canadian security agencies in the next week as Stephen Harper proposes a new anti-terrorism bill. This coming week may be the last sitting in Parliament Hill for Stephen Harper and his majority Conservative government to propose new bills. Colin Freeze of The Globe and Mail reports that critics of the new anti-terrorism bill are concerned about how the government will be drawing the line "between free expression and endorsing terrorism".
The new anti-terror bill is preceded by the Protecting Canadians from Online Crime Act (Bill C-13) which passed on December, 12 2014 and has garnered the attention of Internet freedom groups and news agencies that were "troubled….by the sharing of Canadians privacy without proper legal process". Bill C-13, also known as the anti-cyber bullying law, has provided law enforcement agencies with new tools and powers to investigate the posting of images on the Internet and take legal action against people who engage in the non-consensual distribution of images.
Lastly, as of January 1, 2015, Canada's Copyright Modernization Act went into effect. The act is a new anti-piracy bill that allows copyright holders to sue users who download illegal content in Canada. Furthermore, the act gives corporations and people who hold the copyrights to media content a legal standing to work with law enforcement officials "to pursue those who enable online copyright infringement." All three of these recent bills are clearly an aggressive move by the Conservatives to limit the protections and privacy that the Canadian populace once had on the Internet.
Harper has been clear that he will be proposing new anti-terror legislation that is expected to increase the powers of police forces to prevent terror activities. Law professors Craig Forces and Ken Roach detailed in a recent paper that "'On several occasions since 2007, government politicians have expressed interest in a terrorism 'glorification' offence...we conclude that a glorification offence would be ill-suited to Canada's social and legal environment."
Although there is a chance that the anti-terrorism bill will not pass in the House of Commons, it is likely that Harper and the Conservative government will be able to garner support in light of recent events, such as the Charlie Hebdo Paris shootings and the shooting on Parliament Hill. However, Bill C-13 (the anti cyber-bullying law) was proposed numerous times before its passing in late 2014. The actions of European governments on surveillance of citizens and the recent shootings in Paris may be used by Prime Minister Harper to gather support for the anti-terrorism bill.
As we have seen in France in recent weeks since the Charlie Hebdo shootings, actions taken by state agencies to address terrorism usually means greater surveillance of everyones' online activities, which has led to numerous unjustified arrests and detentions. In addition to new surveillance policies, there have been investments into infrastructure for greater surveillance activities. CSE has recently developed a new $1.2-billion building in Ottawa with advanced technologies and a large staff. CSE has been active in recruiting university students into surveillance work, as a mass call for applications just ended on January 25 which included a call for computer scientists and engineers.
Documents from whistleblowers and data acquired by journalists and researchers has shown some of the extent of surveillance on people in Canada. A recent VICE Canada article revealed the extent of monitoring by the Royal Canadian Mounted Police (RCMP) and telecom providers such as Bell and Telus. The relationship between telecom providers and state surveillance agencies is a beneficial marriage. However, like any marriage, they are not without their squabbles. The RCMP and the Canadian Association of Chiefs of Police refused to pay the fees that Rogers requested for providing information about Rogers's clients. The amount of requests to Rogers from the RCMP total 174, 917 user information requests in 2013, and Rogers pays for many of the judicially approved requests and has requested fee payment for other requests as well. Tim Smith, a spokesman for the Canadian Associations of Chiefs of Police, told the Canadian Press that despite their refusal to pay they "enjoy a positive business relationship" with Rogers. Lastly, and importantly, Micah Lee of The Intercept detailed the new documents released about the BADASS program that Canadian intelligence agencies employ. The BADASS program intercepts fragments of data from smartphone browsing of Canadians, which can be used to identify users and reveal their online behaviours. The BADASS program has the ability to reveal Canadian's behaviours and information from their smartphones.
Given all of this, people living in Canada and in countries that the Five Eyes operate in need to protect themselves. In particular anyone engaging in activism, journalism, and the support of freedoms and human rights must be especially careful. Many people know how to cover their faces when attending a protest so as to not be photographed by law enforcement officials. Yet, there are many social justice and community groups that organize protests and direct action activities through Google Groups, where a bandana over ones face cannot protect them. It is imperative that everyone knows how to protect themselves online by limiting their identities, information, and private correspondences. Below is a toolkit that I think most people should generally practice, but it is especially imperative for journalists and activists. This is not a comprehensive list, and I appreciate any contributions through the comments for people to better protect themselves. Please also consider contributing your time or resources to collectives that promote privacy online.
Baby steps (for everyone):
1) Change your password to something you do not use elsewhere.
2) Change your password to something *strong*. Use upper and lower case letters, numbers and symbols. Make it at least 12 characters.
3) To keep track of all of these password changes use something like LastPass. This will help you organize your passwords, and provide you with a security tool to help detect the strength of your passwords and generate secure passwords when needed. Do not save your passwords in your browser (Firefox, Chrome) or onto KeyChain (for Mac Users).
4) Always use HTTPS. In order to do this, get the HTTPS Everywhere extension for Chrome or Firefox. HTTPS secures (encrypts) your connection and prevents people from intercepting your browser data.
5) Use Disconnect or Ghostery. This prevents a lot of data gathering tools from working.
6) For Windows users use Detekt. To see if there is any malware on your computer that has been identified as being used by state surveillance agencies
Bigger steps (for activists and journalists):
6) If chatting with someone where you want to protect anonymity use programs like Off The Record Chat. This will encrypt the data and will not be able to be seen through a third party. Through the release of NSA files it was made clear that the PRISM program allows state agencies to gather information directly from the servers of big companies like Facebook, and Google. Setting "Chat Off The Record" on Google Chat is not sufficient to protect your conversations.
7) Download the different applications provided through the TORProject. The TorBrowser and TorMail will allow you to browse the Internet safely. However, you cannot access sites that use Flashplayer as this makes your connection insecure and there is a possibility of being monitored. Or consider using RiseUp servers. RiseUp will allow you to create an email and mailing lists, to send to other members. Consider using only OpenSource programming it allows you to look at the code and trust that the software isn't malicious. Any non-open source software can potentially have backdoors to allow companies/government to spy on your computer.
8) For journalists it is important to protect the anonymity of your sources. Many journalists are now using a PGP key with the GPG Suite and/or a SecureDrop provided through the Freedom of the Press Foundation. It may take some patience to learn the ins and outs of a PGP key and SecureDrop, but it is an invaluable resource and essential to protect the people who are risking sending you information. More tips for journalists and great writing can be found here.
Lastly, Happy International Data Privacy Day!