Leaving the backdoor open: Is the government putting your personal data at risk?
Giant. Unsecured. Data registries.
As if it wasn’t bad enough that secretive government agencies are intercepting our personal data.
Our government has become notorious for how badly it handles data. In an article bluntly titled Your information is not secure, law professor Michael Geist wrote that the federal government “may represent the biggest risk to the privacy of millions of Canadians”, following disturbing revelations of a massive number of data breaches – of which many went unreported.
Your information is not secure.
After the Conservatives announced that they would be moving forward with warrantless online spying—a move that yielded wide public outcry, ultimately leading to the defeat of the proposed legislation—numerous letters, studies, and reports came out detailing why mass Internet surveillance was such a bad idea. Among the reasons was this: such surveillance would actually increase the risk of cyber-security attacks.
In a letter to Public Safety Minister Vic Toews, NDP leader Thomas Mulcair cautioned that such surveillance would “force every telecom, telephone, Internet, wireless provider to create elaborate spy backdoors that will become a gold mine for hackers”.
The online spying bill failed—Canadians spoke out against it (loudly) and we won—but we now know that behind our backs, a similar type of mass communications surveillance is taking place: secretive Canadian spy agency CSEC has been called out for spying on our sensitive personal data, without oversight from the Privacy Commissioner.
Though we don’t know exactly how CSEC gathers our data, we do know that in general, creating backdoors in our communications systems means compromising network security. It’s as simple as that. As CSEC and other agencies like CSIS pull our personal information out through those backdoors, or have it stored in giant data registries, we know we have something to worry about.
Even if the current government wasn’t infamous for numerous unreported data breaches, we would have something to worry about. Even if Canadians hadn’t recently felt the shock of a relatively low-ranking military officer selling secrets to a foreign spy agency.
The most famous example, perhaps, is one referred to by MPs Charlie Angus and Jasbir Sandhu in a letter to Toews: In Greece, criminals exploited backdoors of this nature to spy on Greek government officials. Software extensions in Ericsson equipment—which were meant to permit the “lawful interception” of mobile messages and calls—were subverted to allow criminals to hack not just the communications of everyday citizens, but the communications of the Greek Prime Minister, the Mayor of Athens, and other prominent figures. The hack went on for nearly a year, and those behind it were never identified.
Your information is not secure.
In 2012, a BC Civil Liberties Association report made a reasonable request of the government: “Before requiring [telecom providers] to compromise network security by creating access points for law enforcement, there needs to be a thorough review and analysis of vulnerabilities that would be thereby created, so as to minimize the potential for unauthorized access.”
They added: “...the government owes a duty to Canadians to ensure that the intercept capability it is forcing on [providers] for the alleged purpose of enhancing their security will not in fact have the opposite effect of compromising the security of their communications.”
The government needs to be accountable when it comes to the handling of our personal data. We can’t have secretive agencies compromising our data security in the name of... well... security – it just doesn’t make sense (even as a sentence it’s a little rocky). For the sake of Canada’s digital future, we can’t be left vulnerable.