Categories
Blogroll

What is the UN doing with your data?

If you allow another country to gain access to really critical data about your society, over time that will erode your sovereignty, you no longer have control over that data.

MI6 chief Richard Moore to BBC News (30 November 2021).

2011

France24: UN among victims of massive cyber-spying campaign

“Cyber-security experts have unveiled one of the biggest computer hacking campaigns to date, releasing a list of 72 organisations whose networks were attacked over a five-year period. Victims include the UN and several governments.

REUTERS – Security experts have discovered the biggest series of cyber attacks to date, involving the infiltration of the networks of 72 organizations including the United Nations, governments and companies around the world. … 

In the case of the United Nations, the hackers broke into the computer system of its secretariat in Geneva in 2008, hid there for nearly two years, and quietly combed through reams of secret data, according to McAfee.”

2017

June

BBC: Accenture and Microsoft plan digital IDs for millions of refugees

December

UNHCR: ID2020 and UNHCR Host Joint Workshop on Digital Identity

2019

June

Xinhua: China, UN to build big data research institute in Hangzhou

2020

January

The New Humanitarian: EXCLUSIVE: The cyber attack the UN tried to keep under wraps

“If there are no consequences for the [UN] agencies for failures like these … there will be more breaches.”

About this investigation:
While researching cybersecurity last November, we came across a confidential report about the UN. Networks and databases had been severely compromised – and almost no one we spoke to had heard about it. This article about that attack adds to The New Humanitarian’s previous coverage on humanitarian data. We look at how the UN got hacked and how it handled this breach, raising questions about the UN’s responsibilities in data protection and its diplomatic privileges.

https://www.forbes.com/sites/daveywinder/2020/01/30/united-nations-confirms-serious-cyberattack-with-42-core-servers-compromised/?sh=4cb9c05d633d

UN confirms it suffered a ‘serious’ hack, but didn’t inform employees

Approximately 4,000 employees may have had their data compromised.

April

Quartz: The UN is partnering with China’s biggest surveillance software company

Foreign Policy: EXCLUSIVE U.N.: Backs Down on Partnership With Chinese Firm for 75th Anniversary: The decision comes after U.S. officials and human rights advocates complained that Tencent aids Beijing in surveillance.

October

WSJ Opinion: China Uses the U.N. to Expand Its Surveillance Reach | In the name of ‘sustainable development,’ Beijing takes the lead in data collection efforts.

December

United Nations: Inauguration Ceremony Regional Hub for Big Data in China in support of the United Nations Global Platform

“I am very honoured to join you today in this inauguration ceremony of the Regional Hub for Big Data in China, in support of the United Nations Global Platform. The inauguration of this Regional Hub is most important, and timely. 

The demand for data, especially during the COVID-19 pandemic, is greater than ever.  Governments are in need of detailed data on the spread of the virus and its impacts on society. Under these challenging circumstances, statistical institutes have had to respond urgently to the demand for data, and to present innovative solutions. Consequently, in these times of need, the statistical community is now able to effectively use Big Data and advanced technologies. 

For example, census data – together with detailed geospatial information – can help identify the most vulnerable populations during the pandemic. And, real-time data on the position and movement of ships, for example, can estimate the volume of cargo being transported, and thus help produce estimates on the state of the economy. These real-time shipping data are available as a global data set on the United Nations Global Platform, and can be accessed by the whole statistical community.”

2021

January

ITPro: United Nations suffers potential data breach: Hackers could have breached the database long before the UN applied a patch

March

Financial Times: Opinion Technology sector: As digital trade grows, so does western distrust of Beijing: China is moving to the forefront of global innovation but governments fear privacy breaches

April

Nikkei Asia: Comment: Data suspicions threaten to tear China and west apart: Applications by Chinese companies see 200-fold increase since 1999

May

UNHCR: Government of Pakistan delivers first new biometric identity smartcards to Afghan refugees

July

ODI: Although shocking, the Rohingya biometrics scandal is not surprising and could have been prevented

“The data privacy and security of Rohingya refugees in Bangladesh has reportedly been jeopardised by the UN Refugee Agency. In an exposé published on 15 June by Human Rights Watch (HRW), UNHCR stands accused of improperly collecting the Rohingya’s biometric information and later sharing it with the Myanmar government without the Rohingya’s consent. Refugees said they had been told to register to receive aid, but the risks of sharing their biometrics had not been discussed, and the possibility this information would be shared with Myanmar was not mentioned.

The potential harm of sharing information with a regime that has a long history of manipulating registration systems to exclude and marginalise Rohingya populations is obvious. That biometrics are involved makes it worse. Unlike names or other personal information, biometrics are sticky – it’s not something you can change or escape.”

August

Reuters: ANALYSIS-Afghan panic over digital footprints spurs call for data collection rethink

Biometric Update: Concerns over Taliban accessing aid agency biometric data

“People in Afghanistan are fearful of the Taliban accessing personal information captured and stored by aid agencies including biometric data which could be used to identify individuals. Experts have raised concern that approaches used by security firms and United Nations development agencies could prove problematic for refugees and vulnerable groups, reports the Thomson Reuters Foundation, the charitable trust of Thomson Reuters.

The Intercept reported that equipment used by the U.S. army for biometric collection has already been seized by the Taliban. Biometric data on Afghans who assisted the U.S. were widely collected, making anybody identified vulnerable to persecution from the Taliban.

Sources told the Intercept that there was little planning for such an event, while the U.S. Army plans to continue to spend another $11 million on biometrics capture equipment including 95 more devices.

The UNHCR has been using biometrics in the region since 2002 when it tested iris recognition technology on Afghan refugees in the Pakistani city of Peshawar. Aid agencies praise biometric technology’s anti fraud and contactless capabilities.”

September

Bloomberg: Cybersecurity

UN Computer Networks Breached by Hackers Earlier This Year

“Hackers breached the United Nations’ computer networks earlier this year and made off with a trove of data that could be used to target agencies within the intergovernmental organization. 

The hackers’ method for gaining access to the UN network appears to be unsophisticated: They likely got in using the stolen username and password of a UN employee purchased off the dark web.”

“Organizations like the UN are a high-value target for cyber-espionage activity,” Resecurity Chief Executive Officer Gene Yoo said. “The actor conducted the intrusion with the goal of compromising large numbers of users within the UN network for further long-term intelligence gathering.”

CPO Magazine: United Nations Data Breach: Hackers Obtained Employee Login From Dark Web, Are Executing Ongoing Attacks on UN Agencies

“A spokesperson for the United Nations has confirmed that the organization was breached by hackers in early 2021, and that attacks tied to that breach on various branches of the UN are ongoing. The data breach appears to stem from an employee login that was sold on the dark web. The attackers used this entry point to move farther into the UN’s networks and conducted reconnaissance between April and August. Information gleaned from this activity appears to have been put to use in further attacks, with attempts made on at least 53 accounts.”

UN data breach creates long-term havoc for organization

“The UN has a unique need for cutting-edge cybersecurity given that it is one of the world’s prime targets for hackers, and that it fields regular attacks from advanced operators. Many of these go unrecorded, but the organization has weathered some high-profile attacks in recent years.”

“Unique Identity for All”: Biometric identity is being rolled out across the planet. HSB is one of the many players in this fast-growing data collection sector. Companies such as HSB collect data on behalf of international organisations.
This story is from 1992 and is a rare glimpse into Canada’s data sharing agreements with the US and other countries.

Data integrity and cross-border data sharing have been concerns for a very long time. False Data Makes Border Screening Corruptible

Further Reading:

There’s a War Going On But No One Can See It by Huib Modderkolk, Bloomsbury, 02 Sept. 2021

“Based on the cases he investigated over a period of six years, award-winning Dutch journalist Huib Modderkolk takes the reader on a tour of the corridors and back doors of the globalised digital world. He reconstructs British-American espionage operations and reveals how the power relationships between countries enable intelligence services to share and withhold data from each other.”  

The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power by Shoshana Zuboff, Profile Books, 2019

“Surveillance Capitalism: A new phase in economic history in which private companies and governments track your every move with the goal of predicting and controlling your behaviour. Under surveillance capitalism you are not the customer or even the product: you are the raw material.”

BBC News: MI6 boss warns of China ‘debt traps and data traps’

“In a wide-ranging interview ahead of his first major public speech since taking on the role as head of MI6, Mr Moore:

  • warned China has the capability to “harvest data from around the world” and uses money to “get people on the hook” …

“Speaking about the threat posed by China, Mr Moore described its use of “debt traps and data traps”.

He said Beijing is “trying to use influence through its economic policies to try and sometimes, I think, get people on the hook”.

Explaining the “data trap”, he said: “If you allow another country to gain access to really critical data about your society, over time that will erode your sovereignty, you no longer have control over that data.

“That’s something which, I think, in the UK we are very alive to and we’ve taken measures to defend against.”

Creative Commons License

This work is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.

ORCID iD: https://orcid.org/0000-0001-5311-1052.

© David South Consulting 2021

Categories
Archive Blogroll

False Data Makes Border Screening Corruptible

“Big Brother” system could violate rights of Canada’s visitors

By David South

Now Magazine (Toronto, Canada), May 21-27, 1992

New technology that can spew out a person’s life history in less than six seconds is now available to Canada’s customs and immigration officials.

And while Canada customs and immigration officers say this toy is a boon – replacing the need to memorize names of so-called undesirables – civil rights workers and refugee activists point out that the gizmo could have serious consequences, with little recourse.

The technology is called PALS, or primary automated look out system, and is already in operation at airports in Toronto, Montreal, Calgary, Winnipeg, Ottawa and Vancouver.

PALS’ operation is based on the use of computer-readable passports. Canada is one of several countries that have started including computer strips on passports and identity cards. Officers use PALS by either keying in a special number printed on the passport or identity card or using a scanning machine to read the strip.

The system went into effect at Toronto’s Pearson airport on January 20, after a three-year pilot project in Vancouver, adding Canada to the 11 countries that have machine readers for passports. Under the old system, customs officers combined judgement, questioning and the most-wanted list to decide if a passenger required further interrogation and search.

During a demonstration of the system, customs officials at Pearson airport boast about the system’s role in apprehending a drug smuggler in PALS’ first week of operation.

Sinister sign

But to civil libertarians with experience of such systems in other countries, PALS hasa sinister implication. Many say that PALS spews out what is fed into it. And depending on the country involved, what is fed into it may not necessarily be true.

While customs emphasizes PALS’ role in apprehending popular targets like drug smugglers, terrorists and child kidnappers, its reach also includes people who have smuggled in too many cigarettes or bottles of alcohol, convicted criminals who have finished serving their time, immigrants, refugees and a range of petty offenders.

All of these face a second interrogation and detention based on what their governments have decided to incorporate into the computer strip. And it is this that worries civil libertarians and refugee workers.

Consider the case of a legally sponsored Portuguese immigrant who arrived at Pearson just after PALS had been introduced. He was detained based on information stored in PALS. His immigration lawyer Ali Mohideen recalls how the man was held because of a cheque that he bounced in his native Portugal about eight years ago.

Ed Lam, director of research for the Canadian Ethnocultural Council, feels customs and immigration already have “too many powers.” He regularly receives complaints from visible minorities and immigrants who feel they are singled out for harassment at the airport.

“This is big brother. Legal protection is not enough,” he argues. “It leads to costly court battles with the government. I would like to see an ombudsperson or complaints bureau set up. As for refugees turned back at the border, we will never hear from them.”

False data

Other critics, especially those in the US, where a PALS-type system has been in operation for more than a decade, worry that the system will simply accept information given by tyrannical governments.

“It is hard to trace false information to a foreign government,” says Jeanne Woods, legislative counsel to the American Civil Liberties Union, which monitors abuse under the United States system.

“People have been accused of being communists or terrorists who have denied it. The El Salvadoran government is one example of a regime which has called prominent human rights activists and lawyers terrorists.”

She would like the Canadian Parliament to pass a law similar to one passed last November in the US requiring the state department to report to Congress when somebody is denied access because they have been called a terrorist, so that the origin of the information can be tracked.

“People have been accused of being communists or terrorists who have denied it. The El Salvadoran government is one example of a regime which has called prominent human rights activists and lawyers terrorists.”

The Canadian database draws its information from several sources, according to customs spokesperson Suzanne Bray. The sources include immigration records and the Police Information Retrieval System, which is a database shared between customs and the RCMP.

Bray refuses to divulge any other sources, citing security, but both RCMP and customs operate their own intelligence services, sharing information with their counterparts all over the world, especially the US. Information is also drawn from the Canadian Security Intelligence Service (CSIS) and its sister organizations such as the CIA. However, CSIS spokesperson Ray Boisvert says they have adequate safeguards against false information provided by countries known to be human rights abusers.

“CSIS does look at bias in intelligence reports,” he says.

The US equivalent of PALS has been criticized after several cases of abuse were detected. Gara LaMarche, executive director of the Fund for Free Expression, a project of US-based Human Rights Watch, has documented abuse on political and ideological grounds.

“The US public has a right to hear dissenting views under the first amendment of the Constitution,” he says. “I don’t think improving the technology of border control violates civil liberties, but keeping a massive database of information which includes people’s political associations is bad.”

Similar concerns are expressed by John Tackaberry of Amnesty International in Ottawa, which is only now beginning its own analysis of PALS. “We have concerns over data input, who controls information and basic civil liberties.”

Even as Canadian civil rights activists take stock of PALS, Canada customs is planning to use it to check cross-border shopping by expanding the system to all land entry points.

As for those visitors who feel wronged by PALS, they may have a problem seeking redress from such organizations as the Canadian Human Rights Commission. A spokesperson says the CHRC can only help those who have been admitted to Canada. And visitors turned back at the border are not considered admitted.

Sherry Gerstl, a customs superintendent responsible for the implementation of PALS at Pearson, says that people can also appeal to the Privacy Act to see information that is kept on them. But two fact sheets explaining how this can be done are located in a corner, pretty much out of public view.

Bray acknowledges that “honest” passengers could face the prospect of a search with PALS, but given its positive attributes, she says, passengers involved in such delays should simply “grin and bear it.”

This work is licensed under a Creative Commons Attribution 4.0 International License.

ORCID iD: https://orcid.org/0000-0001-5311-1052.

© David South Consulting 2021