By Christopher Parsons

Lawful access legislation was recently (re)tabled by the Government of Canada in November 2013. This class of legislation enhances investigative and intelligence-gathering powers, typically by extending search and seizure provisions, communications interception capabilities, and subscriber data disclosure powers. The current proposed iteration of the Canadian legislation would offer tools to combat inappropriate disclosure of intimate images as well as extend more general lawful access provisions. One of the little-discussed elements of the legislation is that it will empower government authorities to covertly install, activate, monitor, and remove software designed to track Canadians’ location and ‘transmission data.’

In this post I begin by briefly discussing this class of government-used malicious surveillance software, which I refer to as ‘govware’. Next, I outline how Bill C–13 would authorize the use of govware. I conclude by raising questions about whether this legislation will lead government agencies to compete with one another, with some agencies finding and using security vulnerabilities, and others finding and fixing the vulnerabilities such tools rely. I also argue that a fulsome debate must be had about govware based on how it can broadly threaten Canadians’ digital security.

Existing Research About ‘Govware’

Malware designed for, or purchased by, government agencies bears the technical traits of software that exploits security vulnerabilities though it carries one significant exception: government sponsored or used malware is legitimized through law and (in some cases) judicial oversight of the software’s use. Over the past several years research institutions, including the Citizen Lab, have identified and analyzed govware that is used by a variety of governments. Some of the most prominent govware identified to date has been developed by Gamma International and Hacking Team, as well as the govware used by the German federal police.

Gamma International markets a piece of software to governments called FinFisher. The software is used to infect a target’s computer and, once installed, enables the organization which installed it to monitor the targeted computer and (in many cases) the computer’s surrounding environment. FinFisher is not detected by anti-virus or anti-spyware software and is designed to: steal passwords from your computer, access your email accounts, wiretap Skype calls, turn on the computer’s camera and microphone to record conversations and video from the room that you are in. [1]

There are other vendors who produce and sell similar kinds of malware. Hacking Team, as an example, infects targets and then similarly exfiltrates data. Like Gamma’s FinFisher product, Hacking Team’s malware is capable of enabling “government surveillance of a target’s encrypted communications, even when the target is connected to a network that the government cannot wiretap” as well as “copy files from a computer’s hard disk, record skype calls, e-mails, instant messages, and passwords typed into a web browser. Furthermore, [the malware] can turn on a device’s webcam and microphone to spy on the target.”

Gamma International’s and Hacking Team’s malware has been found in international markets. Combined, it is suspected that their software has been used to target residents or citizens of: Bahrain, Ethiopia, Malaysia, the United States, the United Kingdom, Mexico, Colombia, Panama, hungary, Italy, Turkey, Poland, Oman, Saudi Arabia, UAE, Egypt, Morocco, Nigeria, Sudan, Azerbaijan, Kazakhstan, Thailand, South Korea, and Uzbekistan. In some cases the malware was also used by nations to spy on expats living in the United States and United Kingdom.

Other high-profile malware includes the German federal police’s Bundestrojaner trojan. This trojan was capable of “establishing a backdoor on compromised machines and keystroke logging. The backdoor creates a means for third parties to hijack compromised machines, while the lack of encryption creates a mechanism for miscreants to plant false evidence.” The trojan received significant analysis in the press and, following its publicity and analysis by anti-virus companies, can now be detected by anti-virus programs.

Of course, less sophisticated uses of malware are also possible. They don’t all necessarily need to pervasively capture content or engage in wiretapping functionality. Greater or lesser capabilities can be designed into the software. And it’s those modified functionalities that are currently envisioned in the lawful access legislation that is currently before Parliament.

Malware and C–13

Bill C–13 includes significant changes to the criminal code. Two of those changes specifically relate to the installation of software code on target devices, as found in the proposed revisions to sections 492.1 and 492.2 of the Criminal Code. Proposed section 492.1 would allow for tracking device locations whereas proposed section 492.2 allows for the tracking of transmission data, which is more popularly referred to as metadata.

Under revised proposed sub-section 492.1(1) a warrant for tracking device locations can be issued if a

“justice or judge who is satisfied by information on oath that there are reasonable grounds to suspect that an offence has been or will be committed under this or any other Act of Parliament and that tracking the location of one or more transactions or the location or movement of a thing, including a vehicle, will assist in the investigation of the offence may issue a warrant authorizing a peace officer or a public officer to obtain that tracking data by means of a tracking device.”

Moreover, under proposed sub-section 492.1(2)

“[a] justice or judge who is satisfied by information on oath that there are reasonable grounds to believe that an offence has been or will be committed under this or any other Act of Parliament and that tracking an individual’s movement by identifying the location of a thing that is usually carried or worn by the individual will assist in the investigation of the offence may issue a warrant authorizing a peace officer or a public officer to obtain that tracking data by means of a tracking device.”

Tracking devices are defined as “a device, including a computer program within the meaning of subsection 342.1(2), that may be used to obtain or record tracking data or to transmit it by a means of telecommunication”, and tracking data is broadly understood as “data that relates to the location of a transaction, individual or thing.”

While the existing section 492.1 allows the installation for tracking devices, it doesn’t refer to software, only hardware. The addition of ‘computer programs’ to the definitions of tracking devices means authorities – after receiving a warrant based on grounds to suspect – could covertly install computer programs that are designed to report on the location of targeted persons, devices (e.g. mobile phones), or vehicles. The government is attempting to legitimize the secretive installation of govware on devices for the purpose of tracking Canadians.

Whereas proposed s. 492.1 focuses on locational data, proposed s. 492.2 outlines how authorities can get warrants for transmission data. Based on reasonable grounds to suspect that it will assist in an investigation a judge can issue a warrant “authorizing a peace officer or a public officer to obtain the transmission data by means of a transmission data recorder.” As with tools to monitor locational data, the transmission data warrant will authorize “a peace officer or a public officer to obtain the transmission data by means of a transmission data recorder.” Transmission data recorder is defined as “a device, including a computer program within the meaning of subsection 342.1(2), that may be used to obtain or record transmission data or to transmit it by a means of telecommunication.” Bill C–13 defines transmission data as data that:

(a) relates to the telecommunication functions of dialling, routing, addressing or signalling;
(b) is transmitted to identify, activate or configure a device, including a computer program as defined in subsection 342.1(2), in order to establish or maintain access to a telecommunication service for the purpose of enabling a communication, or is generated during the creation, transmission or reception of a communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication; and
(c) does not reveal the substance, meaning or purpose of the communication.

Some ambiguity remains as to whether both of these powers extend to the exploitation of end devices (e.g. mobile phones, laptop computers). While proposed s. 492.1 refers explicitly to tracking software installed on end devices and vehicles, s. 492.2 does not, meaning installation might be limited to network equipment. However, regardless of whether the surveillance software is installed on mobile phones or on network routers, the fact remains that software can be installed and used in covert manners under 492.2.

So, in effect proposed s. 492.1 would authorize government authorities to covertly install spyware on Canadians’ computers, mobile phones, vehicles, and potentially the networks of telecommunications providers to track suspects’ locations. Proposed s. 492.2 may be slightly more limited in what devices can be legitimately intruded upon by government, but any limitations will need to be tested before the courts. By passing C–13 the government would gain the explicit legal authority to hack Canadians on grounds of reasonable suspicion or belief. It would also provide the government with legal authority to install surveillance equipment on telecommunications providers’ routers, perhaps with or without those providers consent. As a result, C–13 would provide government significant and unprecedented tools to infiltrate digital equipment to conduct surveillance. And all of this surveillance could be conducted without the government ever reporting to targeted Canadians or to parliament that the surveillance had occurred unless charges were laid against the individual(s) targeted.

Broader Implications of ‘Govware’

Should Bill C–13 pass with its lawful access provisions intact, the Government of Canada will have effectively introduced govware to Canada. Again, this is a class of intrusion software that, if used by a Canadian citizen, would result in a criminal action, whereas the government could legally use the software so long as it first received a warrant. Govware could take one of at least two forms:

1. It could exploit ‘0-days’, or vulnerabilities in software for which there are no protections. As a result, targets of government surveillance would be unable to detect or block government surveillance software.
2. It could use well-publicized software vulnerabilities for which there are protections. As a result, targets of government surveillance could potentially detect or block government surveillance software.

Regardless of the form that Canadian govware assumes, the Government of Canada would foster the burgeoning surveillance software market by further legalizing and legitimizing such software. Companies which develop and sell vulnerabilities to government customers will have another major customer, and thus further reduce the likelihood that vulnerabilities would be reported to vendors and subsequently patched because government may (and currently often do) handsomely pay exploit developers. Getting into the hacking business means that the Government of Canada is put at odds with itself: on the one hand, government has established organizations to better secure critical governmental and commercial digital infrastructure and, on the other, govware would be instrumentally more useful if there were no ways for targeted individuals to detect or block its presence or activities.

This dual purpose – to protect and investigate – is made worse when federal agencies designated to protect critical government infrastructure are also tasked to provide technical assistance to government agencies which seek to monitor domestic residents of Canada. Canada’s foreign signals intelligence agency, the Communications Security Establishment Canada (CSEC) enjoys such a mandate. Per its Mandate B, CSEC is tasked to “provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada.” The agency’s Mandate C requires CSEC to “provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.” So, if a critical vulnerability is found under its Mandate B – a vulnerability CSEC knows is used to conduct lawful surveillance of Canadians under either 492.1 or 492.2 – how is the agency to respond? Will there be a weighing of relative value of a vulnerability (protection of national assets and critical infrastructure versus protection of domestic security) or a reluctance of officers working under different mandates to disclose their vulnerability findings to one another? Would various federal and provincial agencies begin to contract third-parties to explicitly develop govware with the aim of never reporting vulnerabilities despite the fact that Canadian electronic devices would be less secure by merit of the government not report the vulnerabilities?

In effect, by getting into the govware business the federal and potentially provincial governments of Canada would be confronted with an ongoing reality: is the role of government to maximally protect its citizens, including from criminals leveraging vulnerabilities to spy on Canadians, or is it to partially protect citizens so long as such protections do not weaken the state’s ability to secure itself from persons suspected of violating any Act of Parliament?

Neither Canadians nor parliamentarians have debated whether the government should be infecting Canadians’ devices or telecommunications infrastructure with malware for surveillance purposes. At a bare minimum there should be debate about amending the legislation to include reporting requirements over the use of govware. Canadians deserve such a debate given that such software could seriously threaten the digital security of all residents of Canada, not just the security of those targeted by warrant for surveillance. Ultimately, getting into the govware business endangers us all: does the limited benefit to government surveillance capacities really justify putting all Canadians at risk of malicious hackers who use the same, or similar, vulnerabilities as government authorities?