The Cyber Index: International Security Trends and Realities
The Cyber Index is intended to serve as a “snapshot” of current cybersecurity activities at the national, regional, and international levels, to help policymakers and diplomats understand the complexity of the arena. In addition, the Index seeks to elucidate some approaches towards mitigating the risks of misperceptions in the cyber domain that threaten to elevate international tensions or perhaps even lead to conflict. The subject matter is multifaceted, highly complicated, and controversial—thus no one study could adequately cover all aspects in depth. Nonetheless, the Cyber Index will help to underpin ongoing discussions and debates by providing facts and fact-based analysis of today’s challenges and opportunities regarding international stability and security in the cyber domain.
National Capabilities, Doctrine, Organization and Building Transparency and Confidence for Cyber Security: An Assessment
Cyber Threats: Information as a Weapon?
Over the past six months, the steady stream of disclosures from former U.S. National Security Agency (NSA) contractor Edward Snowden has revealed a massive surveillance infrastructure that seemingly touches all Internet and telephone communication across the globe.
While the issue has generated robust debates in many countries, the Canadian political response has been relatively quiet. In an effort to address the lack of oversight over Canadian surveillance activities, Liberal MP and former public safety minister Wayne Easter recently introduced Bill C-551, which would establish a National Security Committee of Parliamentarians.
Gabriel J. Michael / gmichael at gwu dot edu
Update 12/12: This post is now available in a significantly less technical form at The Washington Post's Monkey Cage Blog. If you notice differences between the graphs, you're paying attention. They exist for two reasons. First, in order to keep things understandable, I used simpler axis scales in the other piece.
Taking note of the publication of the report, but unconvinced about the five priorities suggested below, in particular of the distinction between “collection” and “uses”:
Reinventing Privacy Principles for the Big Data Age – New Report
6 December 2013 Oxford Internet Institute
A report co-authored by OII Professor Viktor Mayer-Schönberger together with Professor Fred Cate of Indiana University and Peter Cullen (General Manager, Trustworthy Computing Governance, Microsoft) and made public today (6 December 2013) through the Oxford Internet Institute sketches out core principles to protect information privacy in the age of Big Data.
The Data Protection Principles for the 21st Century report is based on a drafting workshop hosted by the Oxford Internet Institute, and co-chaired by Professors Mayer-Schönberger and Cate in January 2013.
Viktor Mayer-Schönberger, OII Professor of Internet Governance and Regulation, co-convener of the workshop, pointed at the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data that were first issued more than three decades ago in 1980 as an early and important framework of privacy principles. In the age of Big Data, however, these principles need to be augmented and improved to ensure that they remain relevant. “The OECD Privacy Principles served us well for the first decades of the digital revolution, but now they need updating, so that we can ensure effective privacy protection in the future – while enabling the many benefits (including for society) that Big Data promises to bring.”
The report offers five priorities in revising and updating the existing OECD principles, including:
Reduce the focus on data collection and the attending notice and consent requirements, and focus more on a practical assessment of the risks (and benefits) associated with data uses.
Eliminate or substantially reduce the role of the Purpose Specification and Use Limitation principles, which require a specific, articulated purpose for collecting personal data usually at the time of collection and restrict data uses to that purpose or related, “not incompatible” purposes.
Restore the balance between privacy and the free flow of information that was the original goal of the OECD Guidelines, and avoid suppressing innovation with overly restrictive or inflexible data privacy laws.
Make data users more accountable for the personal data they access, store, and use, and hold them liable when harm to data subjects occurs.
Adopt a broader definition of the “harms” that inappropriate uses of personal data can cause, and put in place practical frameworks and processes for identifying, balancing, and mitigating those harms.
The report is the most recent in a series of initiatives designed to make privacy protection more workable and more effective that began with global data protection dialogues convened in 2012 by Microsoft in Washington, D.C., Brussels, Singapore, Sydney, and São Paulo for small groups of leading regulators, industry executives, public interest advocates, and academic experts.
These events culminated in a global privacy summit in Redmond, Washington, at which Microsoft convened more than 70 privacy and data protection experts from 19 countries on five continents to consider the future of data sources and uses and practical steps to enhance privacy protection. The summit called for reexamination of the OECD Fair Information Privacy Principles in today’s report as well as the examination of data uses and impacts that is discussed in a companion report released today by the Center for Applied Cybersecurity Research (CACR) at Indiana University. That report, too, is co-authored by Professors Cate and Mayer-Schönberger as well as Microsoft’s Peter Cullen and is available online.
The next step in this reconsideration of privacy protection is a series of events focusing on assessing and managing risks surrounding the use of data. CACR hosted one of those events—a tutorial on risk management for data protection experts—in November and will be hosting another—a workshop to help create frameworks for identifying and assessing risks presented by data uses—in late spring 2014. Both events have been funded by The Privacy Projects.
F. H. Cate, P. Cullen, V. Mayer-Schönberger (2013) Data Protection Principles for the 21st Century: Revising the 1980 OECD Guidelines. Microsoft Corporation.
Last updated on: 6 December 2013
Web We Want
Help Build and Defend the Future of the Web
Posted on December 5, 2013 by Josh Levy
Millions of people together have made the Web great.
So, during the Web’s 25th birthday year in 2014, millions of people can secure the Web’s future. We must not let anybody – governments, companies or individuals – take away or try to control the precious space we’ve gained on the Web to create, communicate, and collaborate freely.
This was the message from Sir Tim Berners-Lee, founding director of the World Wide Web Foundation, as he addressed a UN gathering in Geneva this week.
Sir Tim used his address to unveil a new campaign – the Web We Want. During the Web’s 25th birthday in 2014, the Web We Want campaign will ask everyone, everywhere to play a part in defining the Web’s future, and then help to build and defend it. Ultimately, the Web We Want campaign hopes to see people’s online rights on a free, open and truly global web protected by law in every country.
Want to get involved? Submit your name on the form on the right. Help us build and defend the Web we want.
Much has already been written about Bill C-13, the Canadian government's omnibus legislation that is ostensibly aimed at making cyber-bullying illegal, but which also shovels in a whole bunch of unrelated stuff. Academics, journalists and privacy commissioners alike have roundly criticized it for what it is - a thinly veiled resurrection of the failed Bill C-30, which sought to give authorities all kinds of new spying powers.
Electronic Frontier Foundation (EFF.org):
“The latest update to our Encrypt the Web report includes new data from Microsoft and more. Check it out!” Details at: https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what
“The Five Eyes alliance of States – comprised of the United States National Security Agency (NSA), the United Kingdom’s Government Communications Headquarters (GCHQ), Canada’s Communications Security Establishment Canada (CSEC), the Australian Signals Directorate (ASD), and New Zealand’s Government Communications Security Bureau (GCSB) – is the continuation of an intelligence partnership formed in the aftermath of the Second World War. Today, the Five Eyes has infiltrated every aspect of modern global communications systems.
This notion must be rejected. The Five Eyes agencies are seeking not only to defeat the spirit and purpose of international human rights instruments; they are in direct violation of their obligations under such instruments. Human rights obligations apply to all individuals subject to a State’s jurisdiction. The obligation to respect privacy extends to the privacy of all communications, so that the physical location of the individual may be in a different jurisdiction to that where the interference with the right occurs.
This paper calls for a renewed understanding of the obligations of Five Eyes States with respect to the right to privacy, and demands that the laws and regulations that enable intelligence gathering and sharing under the Five Eyes alliance be brought into the light.
It begins, in Chapter One, by shining a light on the history and structure of the alliance, and draws on information disclosed by whistleblowers and investigative journalists to paint a picture of the alliance as it operates today. In Chapter Two, we argue that the laws and regulations around which Five Eyes are constructed are insufficiently clear and accessible to ensure they are in compliance with the rule of law. In Chapter Three, we turn to the obligations of Five Eyes States under international human rights law and argue for an “interference-based jurisdiction” whereby Five Eyes States owe a general duty not to interfere with communications that pass through their territorial borders. Through such a conceptualization, we argue, mass surveillance is cognisable within a human rights framework in a way that provides rights and remedies to affected individuals.”
The National Defence Act pertains to the Communications Security Establishment Canada (CSEC) and establishes that the mandate of CSEC is (s273.64 (1))
(a) to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities;
(b) to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; […]
Para (2) of the section provides that activities
(a) shall not be directed at Canadians or any person in Canada; and
(b) shall be subject to measures to protect the privacy of Canadians in the use and retention of intercepted information.
Federal Ct Takes CSIS To Task In Case Involving CSEC Requests for Foreign Agency Spying on Canadians
Tuesday November 26, 2013
Since the first Snowden revelations earlier this year, there has been much speculation about the use of foreign intelligence agencies (such as the NSA) to conduct surveillance on Canadians. While the government is always careful to say that CSEC does not spy on Canadians, many suspect that each of the “five eyes” agencies (the US, UK, Canada, Australia, and New Zealand) do it on their behalf. Yesterday, a federal court judge confirmed (IN THE MATTER OF an application by [XXX] for a warrant pursuant to Sections 12 and 21 of the Canadian Security Intelligence Service Act, R.S.C. 1985, c. C-23 [CSIS Act]; AND IN THE MATTER OF [XXX]) the practice as part of a decision that found CSIS “breached its duty of candour to the Court by not disclosing information that was relevant to the exercise of jurisdiction by the Court and to the determination by the Court that the criteria of investigative necessity and the impracticality of other procedures set out in subsection 21 (2) of the CSIS Act had been satisfied.”
The lack of candour appears to arise from the failure to disclose that the CSIS warrants would involve seeking CSEC assistance in requesting foreign interception of Canadian communications:
the Court has determined that the execution of the type of warrants at issue in Canada has been accompanied by requests made by CSEC, on behalf of CSIS, to foreign agencies (members of the “Five Eyes” alliance), for the interception of the telecommunications of Canadian persons abroad.
The release from the court leaves little doubt about its view of the practice:
the Court considers it necessary to state that the use of “the assets of the Five Eyes community” is not authorized under any warrant issued to CSIS pursuant to the CSIS Act. The question of whether CSIS may, with the assistance of CSEC, engage the surveillance capabilities of foreign agencies was not raised in the application that resulted in the issuance of the first such warrant or in any subsequent warrants of this type.
The Globe reports it has received records indicating that CSEC receives dozens of these kinds of requests each year from CSIS, the RCMP, CBSA, and National Defence.
And now, to top it off, we learn in an exclusive report from CBC-SRC that Canada was complicit in American spying at the G-20 in Toronto, 2010:
In trying to defend the government's lawful access legislation last year, then public safety minister Vic Toews said that Canadians can either "stand with us, or with the child pornographers." Given that the proposed Internet-spying legislation was incredibly unpopular, this statement didn't sit well with many people. Surely law-abiding citizens could object to living in an online surveillance state without siding with child pornographers.