Special to National Post
Publishing date:Nov 28, 2021
On Nov. 23, Apple announced it is suing a global software developer following a security breach that left its operating systems vulnerable to surveillance. In September, Apple scrambled to issue a protective patch for a reported 1.65 billion devices that were vulnerable to the NSO Group’s notorious Pegasus spyware. How did Apple find out that it had been hacked? Canada’s Citizen Lab sounded the alarm.
NSO Group has licensed Pegasus to militaries, as well as intelligence and law enforcement agencies worldwide. Citizen Lab identified a flaw that left Apple devices vulnerable to a “zero-click” hack, in which malicious code can be planted on a device without any action by the user, that Pegasus had been exploiting.
Citizen Lab is an interdisciplinary human rights, security and technology research group founded in 2001. Part of the University of Toronto’s Munk School of Global Affairs and Public Policy, examples of the lab’s focus areas include digital espionage, online freedom of expression, app privacy and security, and uses of personal data and surveillance tools.
The U of T group is not alone among Canadian academic and private institutional research groups, such as the Cyber Security Evaluation and Assurance Research Lab at Carleton University , which is exploring ways to protect Canada’s critical infrastructure from cyberattacks. The SecDev Foundation, the Waterloo Cybersecurity and Privacy Institute, Canadian Institute for Cybersecurity at University of New Brunswick and others also operate in this space.
What makes Citizen Lab stand out is how action-oriented it is at the confluence of public policy, rights, liberties and cybersecurity. One reason for this diverse approach is the background and skill set of its director and founder, Ron Deibert , who was first trained as a professor of political science, not a programmer or tech wizard.
The lab has a long track record of uncovering digital threats like the Apple attack. In recent months, it has also made headlines for exposing the use of Pegasus against New York Times bureau chief Ben Hubbard, and for a report analyzing how health data was used in the fight against COVID-19.
In today’s polarized world, another asset for Citizen Lab is that it’s difficult to detect any overt ideological or political biases. For example, its researchers thoroughly investigated both the hacking of Palestinian activists’ cellphones earlier this month (also via Pegasus), and what, in 2019, it dubbed “ Endless Mayfly ” — “an Iran-aligned network of inauthentic personas and social media accounts that spreads falsehoods and amplifies narratives critical of Saudi Arabia, the United States and Israel.”
Here at home, Citizen Lab has shown itself to be unafraid to apply the same even-handed approach and detailed critiques to Canadian public policy. For example, it has railed against the many forms of Chinese censorship, but went against the grain with a general conclusion on 5G that “Canada does not have a ‘Huawei problem’ per se.”
In September, in response to the federal Liberal government’s proposed online harms legislation (Bill C-36, which was at least temporarily scuttled by the election), Citizen Lab wrote a scathing submission to the Heritage Ministry, in which it called out what it saw as a “inadequate” consultation process, and an approach that will lead to “disproportionate levels of user censorship.”
It went on to call the draft regulation “an aggressive, algorithmic and punitive regime for content removal … without any substantive equality considerations or clear safeguards against abuse of process.” The authors also point to powers that would “explicitly deputize technology companies in the surveillance and policing of their users on behalf of Canadian law enforcement and intelligence agencies.”
This is the type of intelligent policy-making input that’s desperately needed in the current vacuum at the federal level. Governments everywhere are struggling to meaningfully protect privacy and curtail disinformation, without limiting speech, over-reaching on surveillance or curbing reasonable business interests. Yet governments simply don’t have the cutting-edge technological expertise found commercially or in the private sector and civil society. This is where an organization like Citizen Lab can play a major, forward-looking role.
Deibert told the Globe and Mail back in 2019 that the aforementioned Mayfly operation “may be a sign of things to come in an era when unsuspecting readers are increasingly preyed upon by far-flung factions out to manipulate the public discourse with disinformation spread by social media.”
Sound familiar here in 2021? There’s no end in sight to social media manipulation, state espionage, ransomware attacks and the like, and ideas like an international cyber arms control treaty seem laughable against the power of non-state actors. Now more than ever, we need independent, expert NGOs like Citizen Lab to identify and expose threats in the digital world.