Watching the watchers: U of T’s Ron Deibert blazing new trails with the Citizen Lab
Faculty of Arts & Science professor Ron Deibert is director of the Citizen Lab, a “hacktivist hothouse” that is internationally renowned for detecting abuses of power online.
Cybercrime is a serious problem, but governments deploying the tools of cybercrime for political repression and control are an existential threat. In 2009, Deibert and the Citizen Lab, located at U of T's Munk School of Global Affairs, made headlines around the world for their role in exposing GhostNet, a massive espionage ring that had compromised the computer networks of civil rights organizations and the government agencies of dozens of countries.
Deibert’s team made global headlines again in August 2016, after human rights activist Ahmed Mansoor showed them a suspicious text message. They discovered an exploit designed to remotely jailbreak and spy on iPhones, prompting Apple to issue a rapid security update.
Deibert was awarded a 2013 Queen Elizabeth II Diamond Jubilee Medal for recognizing and mitigating the “growing threats to communications rights, openness and security worldwide,” but he says there is still much more to do.
“Targeted digital attacks are a silent epidemic that threaten us all. We need to work together to protect cyberspace as an open and secure forum for free expression and access to information for all citizens.”
Deibert recently spoke with U of T News reporter Jennifer Robinson about his journey in “lifting the lid” on the Internet, as well as what the future holds for the pioneering work of the Citizen Lab.
Professor Ron Deibert (left) and Citizen Lab researcher Adam Senft (photo by Riley Stewart)
What is the Citizen Lab and what kind of research does it do?
The Citizen Lab is a research lab that I found in 2001. Our mission is to document information control that impacts the openness and security of the Internet and threatens human rights.
We produce evidence-based research on cyber-security issues that are associated with human rights concerns like tracking Internet censorship, documenting cyber-espionage attacks against civil society networks and carefully analyzing privacy and security risks associated with widely used applications and services.
You’ve had some recent successes that have gotten a lot of attention. For example, I know there was a piece in The New York Times not too long ago. Can you tell us about some of the big successes that your lab and researchers have had?
We’ve been fortunate to have a lot of media interest in our reporting – something like 13 separate reports of ours over the last eight years have been featured on the front pages of either The New York Times, Washington Post, The Globe and Mail or Toronto Star, which I think is probably an unparalleled track record.
One recent one that I think you might be referring to concerned our research into a targeted digital attack on the human rights defender in the United Arab Emirates. We did a technical analysis of a link that was sent over SMS [text message] to this human rights defender who shared it with our researchers. They were able to determine he was being targeted by an Israeli company called the NSO Group, which had apparently been contracted for services by the United Arab Emirates security service.
When we analyzed the attack, we discovered it involved three separate, what are known as, zero day or unpatched vulnerabilities in his iPhone operating system. Those are extraordinarily rare, precious commodities worth millions of dollars each. When we discovered it, we reported it to Apple resulting in a patch of not only the iOS but OSX and Safari, as well, for probably close to a billion people worldwide. That was an unusually big impact from our research but like I said we’re fortunate to receive a lot of media attention for the work that we do.
We often hear that Canadians don’t care all that much about the privacy of their information. Why should people care about the work you do with the Citizen Lab?
Well, the aim of our research is, to put it metaphorically, to lift the lid on the Internet or cyberspace or the big data universe or whatever you want to call it that surrounds us and within which we communicate. It’s essentially the new environment in which we live and for most users there’s very little recognition of what goes on beneath the surface of this environment.
It is important to lift the lid on the Internet and see what goes on underneath the surface because often that’s where decisions are made and power is exercised, hidden from the view of the average Internet user. A simple analogy would be the terms of service that few people actually read may constrain what you can do online or with certain applications.
Then going further, when we reverse-engineer applications we sometimes find there’s hidden surveillance or content filtering that applications many hundreds of millions of people use affect and structure what they can do and this is sometimes being done at the request of government. For example, our work on Chinese live streaming and mobile browser application has found extensive Internet censorship and surveillance hidden in the application.
The Citizen Lab seems to involve collaborations among a wide variety of different faculties and people with expertise at U of T. Can you give us an example of some of the different groups you work with here?
Within U of T, we’ve had some pretty fruitful collaborations with students and researches from computer science ad electrical engineering and the Faculty of Information Studies.
Outside the University of Toronto, we have partnerships with researchers from most disciplines in universities ranging from Princeton, Berkeley, Harvard, Cambridge and others.
The importance of this type of mixed methods approach to the topic can’t be stressed enough. It’s one of those areas that requires being able to incorporate methods and techniques from not only computer science and engineering but also law and social sciences.
We also work a lot with groups in the developing world – sometimes advocacy groups, sometimes researchers – because a growing number of Internet users come from the global south and that’s where I think the most important challenges are.
Here in Canada, it may feel like we’re communicating using infrastructure developed here in North America, but the reality is now and into the future, we’re going to be communicating on terms largely determined elsewhere primarily within innovation centres in the global south. So we really need to understand the political context within which that technological development is occurring because it’s going to affect us down the road.
When you started the Citizen Lab in 2001 was there anything else like it? And are you starting to see similar operations set up at other universities in the world now?
When I started there were very few other centres that I can think of that were doing exactly what we aim to do.
Now, it certainly is a growing community of researchers of which we’re a part, and we try to help spearhead that through our collaborations, workshops and our annual summer institute, which was seeded by the Connaught Fund and now is self-sustaining thanks to our funders who recognize the importance of this event. We bring together researchers who are working on the information controls from the next methods perspective. We’ve had hundreds of researchers from dozens of universities attend this annual event and because of that we’re seeing now centres like the Citizen Lab sprouting up different universities.
You're a professor of political science at the Faculty of Arts & Science and the Munk School of Global Affairs. What made you in 2001 come up with this idea?
My area of expertise in political science has been international security with a special focus on information technology.
Early in my career, I was very much interested in how intelligence agencies operate and looking at the methods that they employ, especially signals intelligence. It dawned on me that there is no analogue in the civil society world. By that I mean, you know watching government, watching the watchers so to speak, wasn’t very well developed.
Meanwhile in academia, approaches to the Internet were really siloed. You had engineers and computer science experts working on technical issues, political scientists to social
scientists looking at policy issues and not understanding the technology.
I was lucky to receive a grant from the Ford Foundation in 2000. They asked me to put together a project proposal. I had this idea to build a lab where I would bring together or recruit researchers from computer science and engineering, take their tradecraft and skills to set up something like a civil society counter-intelligence capacity.
At the beginning this sounded like a lot of hubris – and it was – but now we’ve come close to building that sort of capacity. It’s really rewarding to see how it has evolved.
What comes next? What would you like the University of Toronto to do next with the Citizen Lab?
I think we’re very fortunate to have funders who recognize the work that we do and most of our grants are of the general support variety. In other words, we don’t have to put in project grants. We received a large endowment – a $1-million-dollar award – from the MacArthur Foundation in 2013 that we hope to build upon.
Of course, an issue for the Citizen Lab is sustainability and also succession because it really is a professor’s lab. It’s not a centre or an institute in the way we think about those terms in the university environment. If it’s going to sustain itself beyond my career then I have to start thinking about succession and putting in that foundation for long-term sustainability.
If anyone, say in the developing world, that’s involved in human rights work feels like they’re being watched, what’s the best way to get in touch with you guys?
We get a lot of outside contact from many people who read about our work or are worried about something they read in the news, like maybe the Snowden disclosures or some kind of surveillance happening. We’re overwhelmed with types of requests for a small research lab. We’re not a service organization. We can’t receive inquiries from the public and investigate every concern that comes our way. I wish we could but it’s just not within our capacity.
But there is a community of human rights groups, advocacy groups and technology groups of which we’re a part, and we can point people in the right direction so if anyone has concerns they can definitely contact us at firstname.lastname@example.org. We’d hopefully steer them in the right direction.