cyber-security and civil society

browser beware img
A hacker from Ukrainian “hacktivist” group RUH8 is seen during an interview with Reuters in Kiev, November 2016.
REUTERS/Gleb Garanich

The technology that connects us also makes us more vulnerable.

The digital revolution has given us unprecedented control over our lives. We have instant access to vast amounts of information. We can connect with each other anywhere. And we’re able to manage everything from personal finances to health care on the move. But the same liberating technology opens a potential door for others – from aggressive marketers to intrusive governments to criminal hackers – to take some of that control away.


Calling Security image
Prof. Jon Lindsay.

Calling Security

The MGA program curriculum was further enhanced this year with two new courses focusing on security – both taught by Prof. Jon Lindsay, an expert in modern technological warfare. The first, Intelligence and Special Operations, explores the increasingly blurred boundaries between military and civilian affairs as policy-makers and generals turn to non-traditional sources of intelligence whose sources are harder to pin down. The other new course, Grand Strategy and Global Threats, looks at how states of all sizes – and even some non-state actors – use various instruments of power to advance their security interests. New technologies, economic globalization and dramatic changes in states’ political fortunes have created a complex and uncertain threat environment. Within this context, students examine the proliferation of nuclear weapons among new players, the development of autonomous conventional weapons, the growing dependence of many nations on satellites and cyberwarfare, and the rise of global terrorism – all through the lens of national security policy. In this radically changed world, traditional great-power politics may not loom as large as it did a generation ago; but in many ways it’s more important than ever.

New technologies, economic globalization and dramatic changes in states’ political fortunes have created a complex and uncertain threat environment.


The China Syndrome

Users of digital technology in China have long been aware that their personal data is not protected and all communications are subject to official censorship. This lack of security and confidentiality has been widely criticized abroad and has led to growing discontent at home. Yet a pair of 2016 reports from the Munk School’s Citizen Lab revealed that the vulnerabilities faced by Chinese web users are as problematic as ever. And a third study found that government monitoring of a popular chat application has simply become more nuanced, enabling authorities to pinpoint specific topics they don’t want discussed while allowing conversations they consider innocuous to continue uninterrupted.

The Citizen Lab research team examined the performance of two leading Chinese web browsers, Baidu and QQ. Both were found to have extensive privacy and security issues that put millions of users’ communications at risk. Specifically, researchers determined that the Windows and Android versions of the browsers transmit personally identifiable data with weak or non-existent encryption. Moreover, neither application adequately protects against so-called “man-in-the-middle” cyber-attacks as software updates are relayed between servers and users’ devices.

A parallel investigation of WeChat, the popular social media platform operated by Internet giant Tencent, showed the unmistakable intervention of Chinese government censors – and a previously unrecognized difference in their treatment of domestic and international users. People with phone numbers registered in mainland China find that references to topics deemed sensitive by the authorities simply disappear from their chats. This is particularly evident in group discussions as opposed to two-way exchanges, presumably because wider conversations are perceived to be potentially more subversive.

WeChat’s browser also blocks China-based users from many websites, including those devoted to the Falun Gong spiritual movement and news reporting critical of the Chinese government. Significantly, accounts linked to international phone numbers have virtually free access to the same sites (albeit with some intermittent blocking), and WeChat conversations among international users are not subject to the same censorship. The conclusion of Citizen Lab researchers is that the authorities have deployed more sophisticated systems to target perceived threats – and are apparently using artificial intelligence to analyze clusters of keywords and assess the degree of risk. In other words, China’s online intrusions are no less aggressive; they’re just more technologically subtle.

Hacking Human Rights

The text message was clearly meant to pique the interest of Ahmed Mansoor, promising to reveal “new secrets” about the torture of political detainees in his native United Arab Emirates (UAE). But the well-known human rights defender was immediately suspicious, and instead of clicking on the embedded link, he forwarded the message from his iPhone to researchers with the Munk School’s Citizen Lab. They quickly recognized a hacking attempt and connected the link back to NSO Group, an Israel-based cyberwarfare company that sells “lawful intercept” spyware products exclusively to governments.

After alerting Mansoor that his caution was well founded, the researchers notified Apple of their discovery. The company responded by releasing the iOS 9.3.5 patch, which closed the vulnerabilities that NSO appeared to have been exploiting to remotely hack iPhones. This was the first known instance of governmental spyware being used to target iOS devices with what are called “zero-day exploits,” referring to malware that becomes active without prior warning. The update, applicable to over 800 million iOS devices worldwide, was released outside of Apple’s usual patch schedule, just two weeks after the warning – a clear indication of the seriousness of the hack.

Citizen Lab’s report on the incident attracted worldwide media coverage from The New York Times, The Washington Post, The Wall Street Journal and the Associated Press news agency, among many others. The story generated 3,270 media hits globally, while nearly 200,000 unique visitors accessed the full report at Meanwhile, in March 2017 Mansoor was detained by UAE authorities on suspicion of disseminating “false news” via social media to “incite sectarian strife and hatred” and “harm the reputation of the state.” Condemned by international human rights groups, the continued persecution of Mansoor is part of a broader campaign against Emirati activists, dissidents and journalists – many of them targets of spyware attacks by a sophisticated operator dubbed “Stealth Falcon” in another Citizen Lab report released in May 2016.

Hacking Human Rights
Human rights defender Ahmed Mansoor was the target of an attack using zero-days exploits against Apple’s iOS operating system.


The Big Data Idea

For every call we make or email we send, and with each website visit or media download or online transaction, we leave a digital trail containing a wealth of information about our relationships, preferences, habits and movements around the planet. The exact nature of this “big data” – and the opportunities, trade-offs and risks it presents – were explored by the CBC Radio program Ideas in May 2016 as part of the broadcaster’s continuing partnership with the Munk School. (Listen to part one and part two.)

The big data idea image
Live taping of CBC Radio program Ideas. Left to right: Ann Cavoukian, Prof. Ron Deibert and Prof. Stephen Toope.

Back to top

Share this page: Share to Facebook Share to Twitter Share to LinkedIn