What do we expect from Canadian spy and policy agencies empowered to intercept suspicious mobile communications — warn the public of a vulnerability discovered, or quietly exploit it?
That’s a question raised by a CBC report today from documents purloined by former U.S. whistleblower Edward Snowden.
They show that Canada and the other countries in the Five Eyes spying partnership — the U.S., Britain, Australia and New Zealand — began targeting UC Browser in late 2011Â after discovering it leaked revealing details about its half-billion users as part of a strategy to find ways to implant spyware on smartphones. Among the targets were servers used by Google and Samsung mobile app stores, ideal places to introduce spyware.
What the agencies didn’t do, says the CBC report, was warn the public, Google, Samsung, or UC Brower’s maker of any vulnerabilities they found. “That potentially put millions of users in danger of their data being accessed by other governments’ agencies, hackers or criminals,” said the CBC.
The report raises a lot of other questions, including how worried CISOs should be about the apps on the wide number of mobile devices allowed to connect to their networks. At the very least it shows data loss prevention software has to be part of every organization’s arsenal.
But it also asks readers to consider what is expected of the Canadian government. One thing we know is that most Canadians don’t want to give the Communications Security Establishment (CSE) nor police departments the right to engage in mass communications interception of people in this country without a search warrant. CSE has experimented with collecting metadata here, and says it’s legal.
Today’s CBC report quotes CSE as saying it doesn’t direct its foreign signals intelligence activities at Canadians or anywhere in Canada.” Which means that the revelations about UC Browser raises the other question: When should the government warn the public about a vulnerability — when Public Safety Canada discovers it through the Cyber Incident Response Centre, or when CSE agency does?
Taking advantage of weaknesses “may make sense from a very narrow national security mindset, but it happened at the expense of the privacy and security of hundreds of millions of users worldwide,” the CBC quotes Ron Diebert of the University of Toronto’s Citizen Lab as saying.
But it also quotes Christian Leuprecht, a Royal Military College professor and fellow at Queen’s University’s Centre for International and Defence Policy saying “the fact that certain channels and devices are vulnerable is not ultimately the problem of signals intelligence.”
Got a comment? Send it to us in the section below.