The Dalai Lama is charged with watching over Buddhist tradition, but on March 29, 2009 The New York Times revealed a shadowy presence was secretly watching him, invisibly sending information about the religious leader to his anonymous attackers. When the story broke, the office of the Dalai Lama believed it was dealing with an ordinary computer virus. It turned out to be something more widespread, organized, and ominous.
Long before The New York Times, Canada’s Citizen Lab was on the case. Based at the University of Toronto, Citizen Lab is a global leader in documenting and analyzing the exercise of political power in cyberspace. The Lab’s 10-month investigation into the virus that had lodged in the Dalai Lama’s desktop revealed it was in fact just one of 1,295 compromised computers in 103 countries, many found in embassies, government agencies, and significantly, Tibetan expatriate organizations. The researchers at Citizen Lab dubbed the network GhostNet. It was built with a malicious software program (“malware,” in technical circles) called Gh0st RAT, delivered by email to high-value targets: diplomats, politicians, the Dalai Lama. Once installed on a target’s computer, Gh0st RAT gives an intruder full control of the system as if it were their own, which is how the thieves were able to pull sensitive documents back to four control servers in China. Worse, because that control is exercised in real time, the operators can also see and hear their targets through the computer’s webcam and microphone.
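Gh0st RAT’s command channel has a recognisable shape on the wire, which is what makes traffic like GhostNet’s detectable at all. What follows is an added example for this article, not Citizen Lab’s code or anything from the GhostNet report: it picks that channel out of a constructed byte stream and unpacks each message. The header layout it relies on (a 5-byte “Gh0st” magic, a little-endian total length, a little-endian uncompressed length, then a zlib-compressed body) comes from public analyses of the Gh0st RAT source rather than from this article; the sample traffic, the command bytes and the filenames in it are made up.

```python
"""Spot and unpack Gh0st RAT command-and-control traffic.

Added example for this article, not Citizen Lab's code or anything from the
GhostNet report. The wire format parsed here (5-byte "Gh0st" magic,
little-endian total length, little-endian uncompressed length, zlib body)
is taken from public analyses of the Gh0st RAT source. The sample stream,
command bytes and filenames below are constructed for the example.
"""
import struct
import zlib

MAGIC = b"Gh0st"
HEADER = struct.Struct("<5sII")      # magic, total packet length, uncompressed length
MAX_RAW = 16 * 1024 * 1024           # refuse absurd uncompressed sizes (bomb guard)


def build_packet(payload: bytes, magic: bytes = MAGIC) -> bytes:
    """Build one Gh0st-style packet; used here only to fabricate test traffic."""
    body = zlib.compress(payload)
    return HEADER.pack(magic, HEADER.size + len(body), len(payload)) + body


def parse_packet(data: bytes):
    """Return (payload, bytes_consumed) if `data` starts with a well-formed
    Gh0st packet, otherwise None. Every length field is checked before it is
    trusted, because the remote operator controls all of them."""
    if len(data) < HEADER.size:
        return None
    magic, total_len, raw_len = HEADER.unpack_from(data)
    if magic != MAGIC:
        return None
    if total_len < HEADER.size or total_len > len(data) or raw_len > MAX_RAW:
        return None
    # Bound the inflate so a hostile raw_len cannot be used to exhaust memory.
    inflater = zlib.decompressobj()
    try:
        payload = inflater.decompress(data[HEADER.size:total_len], raw_len + 1)
    except zlib.error:
        return None
    if len(payload) != raw_len or not inflater.eof:
        return None
    return payload, total_len


def scan_stream(stream: bytes) -> list:
    """Walk a reassembled TCP stream and return every decoded Gh0st payload,
    resynchronising on the next magic after junk or a truncated packet."""
    payloads = []
    pos = 0
    while True:
        hit = stream.find(MAGIC, pos)
        if hit < 0:
            break
        parsed = parse_packet(stream[hit:])
        if parsed is None:
            pos = hit + 1            # false hit or bad packet: keep looking
            continue
        payload, consumed = parsed
        payloads.append(payload)
        pos = hit + consumed
    return payloads


# Constructed sample: two C2 packets with unrelated bytes around them.
# The leading command byte and the filename are invented for the example.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n\r\n"
    + build_packet(b"\x01" + b"victim-host\x00")
    + b"\x00\x00garbage"
    + build_packet(b"\x02" + b"C:\\Users\\target\\report.doc\x00")
)

if __name__ == "__main__":
    for p in scan_stream(SAMPLE_STREAM):
        print(f"Gh0st payload: {p!r}")
```

The point of the length checks is that a detector sits on the same untrusted input as the victim: a packet announcing a gigantic uncompressed size, or a total length beyond the bytes actually captured, must be rejected rather than inflated. Matching on the magic alone is enough to alert; decoding the body is what turns an alert into evidence of what was taken.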
It’s virtually impossible to determine whether GhostNet was a work of cyber-espionage by the Chinese government or a single hacker who wanted to make it look that way. In January 2010, search giant Google admitted it was one of some 30 companies hit by attacks traced to China (the campaign later dubbed Operation Aurora) and threatened to shut down the Chinese version of its site. VeriSign’s iDefense security unit reported it had traced the attacks back to “a single foreign entity consisting either of agents of the Chinese state or proxies thereof.” Beyond China, countries around the world are increasingly using the internet for espionage and intelligence-gathering. Observers report more viruses, more trojan horses, more botnets, more surveillance, more censorship and more denial-of-service attacks. The tactics are being used by governments and independent groups alike for intelligence gathering, terrorism, national security and religious or political propaganda. Most of it happens secretly, obscured by layers of technical complexity. In the early 2000s, China was a leader in cyber-espionage, but it has lately been joined by more players: Saudi Arabia, Russia, North Korea, Iran, the U.S., and Canada.
We are witnessing, the Citizen Lab researchers believe, the weaponization of cyberspace.
“I realized there was a major geopolitical contest going on in the domain of telecommunications,” says Professor Ron Deibert, Citizen Lab’s founder and head researcher. “The information environment today is mediated through telecommunications. So being able to control, access and retain information through those networks is a vital source of intelligence. This was happening, but it wasn’t being talked about.”
Deibert isn’t new to the intelligence game. He worked as policy analyst for satellite reconnaissance in the Canadian Ministry of Foreign Affairs, but it wasn’t until he wrote a book about major technological shifts in history, and started researching his PhD—documenting how rapid technological changes of the information age affected global politics—that he began investigating the war that would set him on the path to being the “M” behind the Citizen Lab.
“Our technological advantage is key to America’s military dominance,” said U.S. President Barack Obama in a May 2009 speech on his administration’s plans for the militarization of the internet. “From now on, our digital infrastructure—the networks and computers we depend on every day—will be treated as they should be: a strategic national asset. Protecting this infrastructure will be a national security priority…. We will deter, prevent, detect and defend against attacks, and recover quickly from any disruptions or damage.” In the same speech he assured the world his security plan would not infringe on internet freedom or personal privacy. The U.S. Department of Justice, however, argues (though far less publicly) that it can’t be sued for illegally intercepting phone calls or emails unless it admits what it is doing is illegal, which it won’t.
It’s this kind of secrecy (in the name of national security or not) that Citizen Lab exposes. The small team of researchers and benevolent hackers, who work in the basement of the Munk Centre for International Studies at Devonshire Place in Toronto, watch the watchers and document the shadow war most are too busy updating their Facebook pages to notice. But more than that, Deibert wants to see Canada put its peacemaking reputation to work to lead the way in drafting a constitution for cyberspace among the nations of the G8. He believes Canada can be a leading guardian of the free and open internet, a valuable global commons worth preserving, on par in importance with land, sea, air and space.
Average internet users—the ones doing their banking, their shopping, or their FarmVille cultivating on the brightly lit thoroughfares of the web—are relatively safe from the cyber-spooks of the world. But if you challenge your government, expose injustice, or work for humanitarian ends in hostile places like China, Iran, Syria, Sudan, and Pakistan, it can become a dark, threatening place pretty quickly.
Deibert wanted to expose these injustices on behalf of citizens everywhere, but quickly discovered there were places he couldn’t go as a political scientist. So, with a research grant from the Ford Foundation, he launched the Citizen Lab in 2001 and began assembling a team dedicated to his two-pronged mission: monitoring and analyzing information warfare, and documenting patterns of internet censorship and surveillance.
The first major partner for the Citizen Lab was the SecDev Group, an Ottawa-based think tank that engages in evidence-based research targeting countries at risk from violence and insecurity. Its CEO, Rafal Rohozinski, was the man originally responsible for connecting all the countries in the former Soviet Union to the internet.
That meant he knew everyone who was anyone when it came to cyber-espionage in a region known for its deep ranks of hackers. This was the beginning of a vast network of agents who would later prove invaluable to all Citizen Lab operations. In those first days together with Rohozinski, Deibert also developed the methodology from which all Citizen Lab missions stem: A combination of technical reconnaissance, interrogation, field investigation, data mining, and analysis. In other words, the very same techniques used by government intelligence agencies like the National Security Agency in the U.S. and its Canadian equivalent, Communications Security Establishment Canada (CSEC). But this time, the expertise would be in the hands of the people.
“We wanted to take that combination of technical and human intelligence to turn it on its head,” Deibert said. “These organizations are using these techniques for national security purposes. They are watching everybody else, no one is watching them, and we wanted to watch them.”
Next, Deibert needed a powerhouse legal team. “We don’t break Canadian laws, but we do break the law in just about every other country,” he says. That’s why he partnered with the Berkman Center for Internet and Society, based at Harvard Law School, which gives Deibert and his team access to a network of some of the best legal scholars in the United States.
None was more vital than the final piece of the puzzle. All wars need soldiers and Citizen Lab needed the very best computer scientists, programmers, software developers and data analysts. All of whom were handpicked by Deibert from an unlikely recruitment pool: his own political science course.
The Munk Centre has all the architectural hallmarks of an English boarding school, left over from its days as a men’s university residence at the turn of the century. Few visitors have any idea what goes on beneath their feet in Citizen Lab’s dimly lit basement headquarters, but two of Deibert’s lieutenants have agreed to let me ride along on one of their online patrols.
Born and raised in Singapore, research associate James Tay has a personal stake in Citizen Lab’s mission. “I came from a country where those in power were willfully blocking access to the net. I just thought it wasn’t right, so when I heard about the lab tracking censorship and finally holding these governments accountable, I was like, ‘Okay, yeah, this is something I want to do.’”
That’s why, when protests broke out in Iran following its disputed June 12, 2009, election, Tay was at Citizen Lab, keeping Iran’s lines of communication open. The Iranian government was blocking opposition leader Mir-Hossein Mousavi’s website, along with Western-run sites such as YouTube and Twitter. Opposition supporters needed a way to stay connected online, to share information and coordinate their response to the crackdown.
The battering ram that broke through Iran’s online barriers is called Psiphon. Developed first by Citizen Lab, the software is now its own commercial entity, helping to fund the lab’s academic research. Through small chinks in the Iranian government’s armour, Tay was able to send a short, crucial message to people inside Iran who needed unrestricted access to the web. The snippet of text he was charged with sneaking over the border went out through TweetDeck, a client that posts to Twitter without visiting its blocked website, and consisted of an encrypted link to a Psiphon web server: a tunnel through the blockaded border that let users see the web unhindered by Iran’s filters. Once connected, Psiphon is simple to use. It appears as a second address bar in the web browser and delivers internet traffic through proxy sites that haven’t been blocked yet; block one, and the traffic simply takes another route to the user. During the crisis, Tay was trusted with keeping Psiphon running despite Iranian government interference, allowing thousands of people to liberate their internet connections.
“Psiphon is open-source and free to the user, but the BBC and big media pay us money for the right to spread our proxy to their readers and viewers,” says Tay.
Psiphon isn’t for everyone, though. It doesn’t provide anonymity, for one: it gets traffic past the filter, but it doesn’t hide who is using it, since the proxy operator sees the user’s traffic and the connection to the proxy itself is visible on the user’s own network. Users are made aware of this before using it. Even so, many Iranians still used the service, often at great personal risk.
“Some of them were trying to organize rallies,” says Tay. “I saw that on Twitter a lot.”
The lab also directs even more dangerous research, where merely collecting the data can mean imprisonment or torture if the offending country’s government discovers it. The project is known as the OpenNet Initiative.
If you stumble upon a site a sitting government doesn’t agree with, it may simply look like a problem with your internet connection. But that error page could be a fake. “These governments may publicly claim to block sites to protect the morals of their citizens, then use the same technique to block the site of a politician they don’t agree with,” says Jonathan Doda, Citizen Lab’s software developer for OpenNet. “They set up the error page because they don’t want people to know. The good news is they’re pretty easy to spot.”
“What’s most popular these days is proxy based blocking,” Doda says—in which a country’s internet connection is shunted through a single gateway that allows a regime to filter all the web traffic in and out— “or some American filtering software—the same thing you find in libraries and schools or some private businesses.” In every case, the country’s internet service provider intercepts your connection and substitutes an error page.
Sometimes, the error is legitimate. After all, internet connectivity in many parts of the world can be slow and unreliable. That’s why Doda must gather evidence of governments’ intent through extensive testing. His team accesses sites multiple times and compares what happens from within Canada to what happens from inside the suspected country.
Doda’s been programming since he was a kid, making software in BASIC on his PC Jr. It was fairly easy for him to create “rTurtle,” the software that collects the data, looking for anomalies like dummy IP addresses, weird-looking address headers and missing keywords in the returned page. The lab needed a way to test within the offending countries, but the lists of blocked sites are determined by religious or political elites and implemented by centralized internet providers in target countries—closed systems that are virtually impossible to penetrate as an outsider.
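The comparison Doda describes, between what a site returns to a control vantage point and what it returns inside the suspected country, repeated enough times to rule out a bad connection, is easy to show concretely. The following is an added example written for this article; it is not rTurtle or any other OpenNet Initiative code. The observation record, the classification rules and all of the sample responses (including the documentation-range IP addresses and the made-up site) are constructed here.

```python
"""Tell deliberate filtering from a flaky connection.

Added example for this article; it is not rTurtle or any other OpenNet
Initiative code, and the observation format and sample responses are
constructed here. The control fetch is assumed to come from an unfiltered
vantage point (Canada in the article) and the test fetches from inside the
country under study, repeated so that one bad connection is not mistaken
for a block.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit
import ipaddress


@dataclass
class Observation:
    url: str
    dns: List[str]                       # addresses the local resolver returned
    status: Optional[int]                # HTTP status, or None if the connection failed
    headers: dict = field(default_factory=dict)
    body: str = ""


def dummy_address(addr: str) -> bool:
    """Block pages are often served from private, loopback or unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_unspecified


def classify(control: Observation, test: Observation, keywords: List[str]) -> str:
    """Label one in-country fetch against the control fetch of the same URL."""
    # 1. DNS tampering: an answer disjoint from the control, pointing at a dummy.
    if test.dns and not set(test.dns) & set(control.dns):
        if any(dummy_address(a) for a in test.dns):
            return "dns_redirect"
    # 2. Connection failure: suggestive, but not proof of intent on its own.
    if test.status is None:
        return "unreachable"
    # 3. Redirect to a host the control never saw.
    if 300 <= test.status < 400:
        target = urlsplit(test.headers.get("Location", "")).netloc
        if target and target != urlsplit(control.url).netloc:
            return "http_redirect"
    # 4. An explicit block page, or a disguised one: 200 OK with the content
    #    the control saw missing from the returned page.
    if test.status in (403, 451):
        return "http_block_page"
    if control.status == 200 and test.status == 200 and keywords:
        if not any(k in test.body for k in keywords):
            return "http_block_page"
    return "consistent"


def verdict(control: Observation, tests: List[Observation], keywords: List[str],
            threshold: float = 0.75) -> str:
    """Aggregate repeated trials; only a label seen in most runs is reported."""
    if not tests:
        return "inconclusive"
    counts = Counter(classify(control, t, keywords) for t in tests)
    label, n = counts.most_common(1)[0]
    if n / len(tests) < threshold:
        return "inconclusive"            # mixed results: retest before accusing anyone
    return label


# Constructed sample data: documentation IP ranges and an invented site.
KEYWORDS = ["rally", "opposition"]
CONTROL = Observation("http://opposition-news.example/", ["203.0.113.10"], 200,
                      {"Server": "nginx"}, "<h1>Opposition rally on Friday</h1>")
TRIALS_DNS_REDIRECT = [
    Observation(CONTROL.url, ["10.10.34.34"], 200, {}, "<html>Error: page not found</html>")
    for _ in range(4)]
TRIALS_BLOCK_PAGE = [
    Observation(CONTROL.url, ["203.0.113.10"], 200, {}, "<html>Access to this site is restricted</html>")
    for _ in range(4)]
TRIALS_FLAKY = [
    Observation(CONTROL.url, ["203.0.113.10"], None),
    Observation(CONTROL.url, ["203.0.113.10"], 200, {}, CONTROL.body),
    Observation(CONTROL.url, ["203.0.113.10"], None),
    Observation(CONTROL.url, ["203.0.113.10"], 200, {}, CONTROL.body),
]

if __name__ == "__main__":
    for name, trials in [("dns", TRIALS_DNS_REDIRECT), ("page", TRIALS_BLOCK_PAGE),
                         ("flaky", TRIALS_FLAKY)]:
        print(name, verdict(CONTROL, trials, KEYWORDS))
```

Two design choices matter here. The keyword check is what catches the disguised case Doda describes, a fake error page served with a normal 200 status; and the threshold in `verdict` is what stops a slow or unreliable link from being written up as censorship, which is exactly the mistake that would discredit the evidence. A consistently unreachable site is still reported as "unreachable" rather than as a block, because the intent behind a dropped connection cannot be read from one vantage point.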
But Rafal Rohozinski’s international reach gave Citizen Lab the ability to recruit agents within those ISPs and other high-value positions in repressive countries’ internet hierarchies. “In Central Asia alone, we have a network of about 40 individuals working for us,” says Deibert. Some of them are literally putting their lives on the line: in the eyes of their governments, working with Citizen Lab is treason.
“Going to Burma and running the software that Jonathan developed in an internet café—that’s life-threatening research,” says Deibert. “The person doing that would have to be aware of the risks.” Those risks range from arrest, imprisonment, and interrogation, to torture and death. Deibert knows people have been arrested under similar circumstances, so OpenNet’s work requires a delicate protocol.
“Jonathan might not know the names of testers in certain countries. I might not even know their names,” says Deibert. “They’ll have a key and it’ll be used to unlock that data they need to run the software. We don’t know who they are. There will be a person who mediates their communication with us. If Jonathan were sent to Syria and got captured, he wouldn’t be able to give out a tester’s name.” For everything at stake, you’d never know the risks by stepping into the lab. Among the islands of computer terminals and the big red vinyl couch off to one side, the only thing remotely James Bond-ish is a hollow world globe stocked with contraband cigars and bottles of alcohol from the countries they’ve visited. But for all they do for others, the Citizen Lab largely ignores internet censorship and surveillance at home.
“I’m not worried as much about Canada. We have a government that’s largely accountable. Despite all the problems, we still live in a democracy that includes the benefits of humanitarian law and respect for human rights. If I did this research in Uzbekistan, I’d be jailed and tortured within the hour,” says Deibert.
Canada has cyber secrets of its own that often escape public notice. There are two bills before parliament, collectively called “lawful access,” meant to aid law enforcement in obtaining information needed to make an arrest. (Both bills were put on hold when parliament prorogued in December 2009, but they appear to be Conservative government priorities and are likely to be reintroduced.)
“The approach we’ve taken is to respect civil liberties to the fullest extent possible by recreating in the cyber world the exact same principles that have been applied in the analog world. In order for police to obtain the content of emails, or intercept phone calls over the net, they will require a warrant,” says Peter Van Loan, Canadian Minister of Public Safety.
That isn’t the whole story, says David Fewer, director of the Canadian Internet Policy and Public Interest Clinic (CIPPIC), based at the University of Ottawa’s Faculty of Law.
At the moment, police can’t force ISPs to hand over a customer’s name and address without a warrant, but the lawful access legislation will allow them to do just that.
“It’s bad enough that ISPs can give over that information if they want,” says Fewer. “Obviously our view is it shouldn’t be made available.” For now, there’s an unofficial compromise: for child pornography allegations, most ISPs give up the information, but for other crimes, such as fraud, police still need a warrant. Fewer says the informal understanding isn’t good enough.
“The system should be formalized, so there’s a formal response across the board,” Fewer says. “Police should be obliged to get a warrant except in cases of imminent harm, akin to a search warrant.” But police forces are currently demanding search warrant standards be relaxed. “There are sliding scales they’re demanding on certain search warrants. Ordinarily, police have to give ‘probable cause’ and they want that standard to be replaced with ‘reasonable suspicion.’”
Canada’s democratic laws don’t keep you immune from the government’s roving eye in cyberspace, either. “We have to start with the assumption that everything we do on the internet is public,” says Deibert, “and then work backwards and say, ‘What of my communication is private?’ Since potentially, at every step along the way, you can be monitored.”
The terms of service you agree to with Rogers or Bell give them the right to retain, store, or turn over any information generated by your use of the service, including web history, web addresses, emails, and chat logs, to the Canadian government for intelligence-gathering and law-enforcement purposes. CIPPIC is fighting various court battles over the disclosure of user identities to third parties online.
“We need courts to carve out some mechanism for preserving respect for privacy online,” says Fewer, “because privacy is a human right.”
Deibert wants the nations of the world to establish their own formalized treaty for the internet, one that treats cyberspace as a public commons and halts the aggressive arms race that threatens to further erode our basic rights. But drafting such an agreement will prove difficult, as security concerns continue to override basic rights.
Incidents like GhostNet demonstrate that even when all signs point to a massive national espionage plot, online attacks are difficult to trace, and governments nearly always enjoy plausible deniability.
“Even when we have lots of evidence that indicates a country may be behind it, the government denies any association,” says Van Loan. “Attacks are extremely hard to trace. What would likely happen is wholesome, good players would follow it, but the bad operators would continue to operate outside of it.”
And such a treaty could abuse as much as protect. “Anonymity is viewed [by governments] as a tool of terrorists and hate-mongers and—in the negative sense— whistle-blowers,” says Fewer. He fears any such treaty would inevitably morph into a cyberspace trade agreement, further tightening abusive intellectual property laws and scaling back civil liberties at an accelerated pace. “You need a tragedy for anything good to come out of a treaty like that. The International Declaration of Human Rights was the result of the First World War.”
With six billion people on the planet facing global problems, Deibert says the real tragedy is losing the open and unfettered ability to communicate globally, but Van Loan sees no other choice. “It is really the new arms race. Every time we erect new barriers and protections some smart, tech-savvy individual comes along and finds ways around those defenses.”
For the moment, it will have to be enough to know that Citizen Lab will be watching the watchers. James Tay admits he takes his work a little too seriously. “I don’t sleep,” he says. “This isn’t your typical 9-5 job. I regularly find myself responding to emails in the middle of the night. Ron wants us to sleep, but this isn’t a job for me. It’s something I live and breathe.”