Ron Deibert is the director of the Citizen Lab at the University of Toronto's Munk School of Global Affairs.
Imagine if the government had knowledge of a critical vulnerability in a heart pacemaker, but decided to keep the information secret in order to exploit it as a weapon. Would that be okay? What about flaws in the electronic controls of a 747 that could be manipulated remotely to cause the plane to crash? Or a nuclear enrichment facility? Should they publicly disclose these vulnerabilities in the interests of user safety? Or should they keep them classified in case they provide comparative advantage in matters of national intelligence or warfare?
Whatever each of us may think about these questions, it appears the world's most powerful spy agencies have already resolved on an answer: for them, national security trumps user security.
Today, the University of Toronto's Citizen Lab is publishing a report documenting major security and privacy vulnerabilities in one of the world's most widely used mobile applications: UC Browser. Chances are if you are a North American reading this, you have never heard of UC Browser. But if you live in China or India, it's probably as familiar as Microsoft Explorer. In fact, UC Browser is used by over 500 million people, and is the fourth most popular mobile browser in the world.
Popularity aside, UC Browser has fundamental problems (problems the company is working to repair after our notification): it leaks a huge torrent of highly detailed personally identifiable data about its users. Those leaks include the unique identification number hard-baked into the device (IMEI), personal registration data on the user's SIM card (IMSI), any queries sent over the browser's search engine, a list of the names of any WiFi networks to which the device has recently connected, and the geolocation of the device. Some of this data is sent entirely "in the clear" without encryption; some is sent using weak encryption that could be easily decrypted. Some of it is sent the moment the application is turned on, in an "idle state." None of it is sent with the explicit permission of its users.
What is the significance of this data leakage for UC Browser's hundreds of millions of users? It means any operator of a network through which this data passes – from the telecommunications companies to the cellular and Internet providers to the WiFi hotspots, and any other third parties with whom any of those operators share data – could find out a user's identity, the device they use, where and when they've been with that device, what they're searching for, and with whom they socialize.
Such leaks would be a treasure trove to a lot of different groups: advertisers, looking to sell consumer preferences and habits; criminals, seeking to engage in identity fraud; unethical businesses, tracking their competitors; secret police, looking for activists and their co-conspirators; and, of course, modern intelligence agencies looking to vacuum up as much data from as many possible sources as they can.
Which brings us to how Citizen Lab became interested in UC Browser in the first place. Our research was prompted when we spotted references to UC Browser's leaky setup in a top secret document prepared in 2012 by Canada's spy agency, the Communications Security Establishment (CSE). The document was among those that former NSA contractor Edward Snowden leaked to the media. The Canadian Broadcasting Corporation (CBC), in collaboration with The Intercept, contacted us requesting comment about the document. Given the possibilities of vulnerabilities affecting a larger number of at-risk users, we conducted an independent investigation of UC Browser.
As the Snowden document makes plain, CSE and its allies in the United States, United Kingdom, Australia and New Zealand have known about UC Browser's privacy and security problems since at least 2012. But rather than disclose them to the public and notify the company (as we felt compelled to do), they sat on and exploited them.
Of course, a leaky browser application is not as critical as a fault in a pacemaker, a 747, or a nuclear enrichment facility. Or is it? Consider that in China where the browser is most popular, all network operators are required by law to retain customer data and turn it over to security agencies upon request. The Chinese regime does not look fondly on political opposition and public demonstrations, the organization of which is now almost entirely dependent on mobile devices. Each year, China executes thousands of people for crimes against the state, and sends thousands of others to re-education labour camps. Chinese dissidents with UC Browser on their mobile device have been sitting ducks for China's targeted surveillance, for years.
Did CSE and its allies deliberate seriously about these moral tradeoffs? Hard to say, as such deliberations are classified. For what it's worth, the White House's Cybersecurity Coordinator, Michael Daniels, has said the United States has a "disciplined, rigorous, and high-level decision-making process for vulnerability disclosure" in which "all of the pros and cons are properly considered and weighed." The top secret documents, however, evince a different attitude, one full only of excitement at the discovery and the prospects for exploitation.
The case of UC Browser is one illustration of a larger public policy problem around cybersecurity. We stand at a crossroads. Down one path is a future where governments secretly stockpile information vulnerabilities as weapons, weaken encryption to make eavesdropping easier, and engineer secret "back doors" into our networks to steal info and sabotage systems. Heading down this path will turn the global information commons into an inter-state battlefield. In worst case scenarios involving the targeting of critical infrastructure, it will lead inevitably to large-scale loss of life.
There is another path we can head down, one in which the security of users, regardless of nationality or geography, is the primary concern. Going down this path would begin with the premise that cyberspace is a shared common resource requiring stewardship. It would imply a much greater role for civilian, as opposed to military, agencies. From this view, securing cyberspace would be undertaken by independent and globally distributed individuals and groups insulated from national rivalry. The core of this approach would involve the public disclosure of vulnerabilities wherever they occur in the interests of global public policy, human rights and international humanitarian law.
Are we confident our governments are on the right path?