Of Privacy Awareness Week and the Canadian Mavens of Reddit’s AMA

Privacy Awareness Week runs from May 3 – 9 and is an event hosted by the Asia Pacific Privacy Authorities forum (APPA) each year to “promote awareness of privacy issues and the importance of the protection of personal information.”

Do you ever long for an excuse to zip your Android phone into a Faraday bag, paint your face with irregular lines and slip into incognito mode to evade facial recognition software? Well, now is the season!

Canadian participants this time around included the Office of the Privacy Commissioner of Canada, which is promoting a few nifty resources, as well as British Columbia’s OIPC. But more interesting than any of the usual suspects has been the multi-disciplinary team of Canadian privacy aficionados who converged last Friday on www.reddit.com for an Ask Me Anything (“AMA”) session.

You may recall AMAs are an internet phenomenon President Obama made relevant when he took part in one a few years back, but for those new to “Ask Me Anything”, they’re essentially crowd-sourced interviews. Reddit users post questions for the person being interviewed, and — generally — the most interesting ones are upvoted and answered.

On Friday several well-known privacy experts paired up to offer a distinctly Canadian perspective on privacy and web security:

  • Kris Constable from PrivaSecTech,
  • Professor Andrew Clement, who researches surveillance and privacy at the University of Toronto and leads the IXmaps.ca project as well as the Snowden Surveillance Archive,
  • John Wunderlich, a privacy consultant with wunderlich.ca,
  • BC privacy lawyer Sara Levine,
  • Nova Scotia-based privacy lawyer David T.S. Fraser (who was a professor of mine at Dalhousie, it so happens) posting as “privacylawyer”,
  • BC Civil Liberties Association policy director, Michael Vonn, and
  • Stephanie Perring, who is the president of Digital Discretion.

Some of the takeaways from this greatly illuminating session have great relevance for lawyers, and it is somehow refreshing, sobering and all the more unsettling to hear Canadian lawyers and security professionals with expertise in this field be very forthright in their assessment of just how difficult it is to protect law firms’ (and therefore clients’) information.

If you have one thing to do this Privacy Week, take a gander at some of the Q&A from the May 1st session. Highlights include:

  • The “very likely” chance that RCMP or CSIS is using International Mobile Subscriber Identity (IMSI) catchers, like Stingrays, to track the location of mobile phones and devices—even as the Office of the Privacy Commissioner of Canada has reportedly said they would expect to be consulted if that were the case.
  • Protocols for preparing digital devices and data systems prior to border crossings, such as using a freshly cloned machine with no data downloaded to it, or encrypting devices with a new password of which you know only one half and your lawyer knows the other (something that could make you very unpopular, admittedly).
  • The rights of citizens to video police actions, so long as this does not interfere with law enforcement.

One common concern appears to be some variant on “what can people reasonably do to protect themselves from privacy invasions?” Blocking and deleting cookies, using the NoScript extension for Firefox, blocking web beacons, and running antivirus plus a firewall were all touted, as was not using Facebook, Twitter, Snapchat, Google+ or even PayPal or Craigslist. One excellent suggestion was to check out the Electronic Frontier Foundation’s Panopticlick service, which quickly tells you how trackable you are using your browser, i.e. how many bits of identifying information your browser fingerprint reveals.

PrivaSecTech’s Kris Constable, posting as “cqwww”, repeated the mantra “Encrypt all things!”, and “For any tool you use, I would ask:

  1. Is it open source, as if you can’t see the source code for yourself, why would you trust it?
  2. If it’s for communication of any kind, does it do end-to-end encryption (don’t ever trust the server)
  3. Does it offer forward secrecy and plausible deniability?”

If you’re at all interested in these questions, give the AMA a read.

I’ll leave off with one interesting point made by one of the participants when asked about the privacy problems of Bill C-51:

I am concerned that the fear of terrorism within our governments is overstated to such an extent that it actually accomplishes the objectives of the terrorists. Thousands of people die annually in car accidents, but we do not think it’s OK to have a 20kph speed limit. More people are killed by bears in North America than terrorists, but we don’t put all bears in enclosures. The fear of terrorists is being used as an excuse to dramatically alter the relationship between the public and governments to such an extent that we are less free. If “they hate our freedoms”, then is the response not to thumb our noses at them and guarantee more freedoms?

Did anyone else catch this AMA? What did you think?
