Canada


I thought given the wire-tapping excitement going on now, that I’d post some of the practices going on world-wide that maybe you are not aware of, all excepts from Virtual Shadows (2009), so there could be some updates since, I haven’t checked. If there are updates it will surely include social media as per USA with PRISM.

ILETS
Many of the international laws on wiretapping date back to a series of seminars hosted by the FBI in the United States in 1993 at its research facility in Quantico, Virginia, called the International Law Enforcement Telecommunications Seminar (ILETS) together with representatives from Canada, Hong Kong, Australia and the EU. The product of these meetings was the adoption of an international standard called the International Requirements for Interception that possessed similar characteristics to CALEA from the United States. In 1995 the Council of the European Union approved a secret resolution adopting the ILETS. Following its adoption and without revealing the role of the FBI in developing the standard, many countries have adopted laws to this effect. Following adoption of the standard the European Union and the United States offered a Memorandum of Understanding (MoU) for other countries to sign to commit to the standards. All participating countries were encouraged to adopt the standards so it was natural that international standards organisations, such as the International Telecommunications Union (ITU) and the European Telecommunication Standardization Institute (ETSI), would adopt the standards.

Adoption of wire-tapping laws
Australia was one of the first countries to sign the MoU along with Canada. In Australia the Telecommunications Act expects the telecommunications operators to proactively assist law enforcement by providing an interception capability.

In the UK RIPA requires that telecommunications operators maintain a ‘reasonable interception capability’ in their systems and be able to provide on notice certain ‘traffic data’.
In the Netherlands all ISPs have to have the capability to intercept all traffic with a court order and maintain users’ logs for three months.

In New Zealand the Telecommunications (Interception Capabilities) Act 2004 obliges telecommunications companies and ISPs to intercept phone calls and emails on the request of the police and security services.
In Switzerland ISPs are required to take all necessary measures to allow for the interception of mail and telecommunications.

In June 2008 Sweden’s parliament approved controversial new laws (FRA-lagen) allowing authorities to spy on cross-border email and telephone traffic. The Swedish press claim that this will make Sweden the most surveyed country in Europe. This wiretapping law enables the intelligence authorities to ‘listen’ to all traffic, Hotmail, MSN, SMS etc., across Sweden’s borders. The law becomes effective at the end of 2009. Given Sweden’s stance on human rights the passing of this law is quite remarkable. It was following some pretty heated dis- cussions in parliament that the law was passed on a very fine majority (47 against and 52 for). The argument for tapping of international lines is ‘terrorism’. Of course any ‘terrorists’ will encrypt their communications and there is nothing that the Swedish authorities can do about this. Of course one can always monitor ‘traffic patterns’ on identified suspect com- munication which can be as revealing as the communications’ contents themselves in certain situations. However the use of the contents of such communications in a court of law will be impossible without the decryption key and they cannot obtain this unless there is a law enacted similar to the RIPA in the UK, which forces the key-holder to give the encryption or decryption key to the authorities on request and if they refuse they can be convicted for concealing evidence.

There was also a telecommunications driven incentive in 2008 called Phorm. I have not checked out the present status in 2013.

It’s amazing the amount of discussions there are on how to secure information in the cloud when we are walking around with sensitive information on a portable hard drive, maybe even a USB stick!

There have been two cases recently of lost personal information one was information pertaining to Canadian students and the other in April 2013, the Investment Industry Regulatory Organization (IIROC) admitted that the personal information of 52,000 clients from dozens of investment firms had equally been compromised.

Remember the UK HM Revenue and Customs that lost computer discs containing the entire child benefit records, including the personal details of 25 million people – covering 7.25 million families overall in 2007. There are loads of reported cases and probably many more unreported!

OK so how do we solve this? According to Daniel Horovitz it is about security awareness and policies that are enforced. With this I concur with completely. However I am also thinking that if no personal data was stored on any local device anywhere, that it was all web-enabled, private cloud, shared cloud. It would bring closer the BYOD device movement, and surely it must be safer than a mobile HD? Clearly security awareness and policy enforcement is essential, but it still does not seem to be working. If it was then these incidents would not be happening.

Do you remember that film with the guy that is married and has a fling with a beautiful young lady that also happens to be a psychopath? I can’t remember the name of it. Well watch out guys because they are online too. Cyerstalking, just as in the real world can ruin your life. Read more here.

I knew that the privacy laws in Canada were pretty strict, at least when compared with the U.S. variants 😉 Although compared to the E.U. they are lacking in that the privacy commissioners don’t have the power to impose fines on offenders. This could be changing as there is some pressure now to change this. Read more in the Financial Post.

Oh dear, Google is in trouble…. they have been -surprise, surprise- criticized by privacy commissioners around the world on their privacy, or lack of privacy practices 😉

Read more at The New York Times. btw. I need to thank Jack for his tweet on this 🙂

A bit old news, which I picked up from the excellent Bruce Schneiers blog.

The Canadian government conducted a security audit of the electronic health record implementation in British Columbia. It shows just what you could expect: a severe lack of security of any kind.

The Vancouver Sun reported on this last month. The report is available as a pdf here.

A revised version of the Generally Accepted Privacy Principles published by AICPA and Canadian Institute of Chartered Accountants (CICA) in August 2009 and are worth a read. You will find some similarities with those published by the The Chartered Institute of IT Personal Data Guidelines on this side of the Atlantic ocean 😉 Andrea Simmons writes a little about this on her blog.

Next Page »