Citizen Lab


The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada. Founded and directed by Professor Ronald Deibert, the Citizen Lab studies information controls—such as network surveillance and content filtering—that impact the openness and security of the Internet and that pose threats to human rights. The Citizen Lab collaborates with research centres, organizations, and individuals around the world, and uses a "mixed methods" approach, which combines computer-generated interrogation, data mining, and analysis with intensive field research, qualitative social science, and legal and policy analysis methods.
The Citizen Lab was a founding partner of the OpenNet Initiative and the Information Warfare Monitor projects. The organization also developed the original design of the Psiphon censorship circumvention software, which was spun out of the Lab into a private Canadian corporation in 2008.
The Citizen Lab's research outputs have made global news headlines around the world, including front page exclusives in The New York Times, The Washington Post, and The Globe and Mail. In Tracking GhostNet, researchers uncovered a suspected cyber espionage network of over 1,295 infected hosts in 103 countries, a high percentage of which were high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs. This seminal study was one of the first public reports to reveal a cyber espionage network that targeted civil society and government systems around the world. In Shadows in the Cloud, researchers documented a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the offices of the Dalai Lama, the United Nations, and several other countries. In Million Dollar Dissident, published in August 2016, researchers discovered that Ahmed Mansoor, one of the UAE Five, a human rights defender in the United Arab Emirates, was targeted with software developed by Israeli "cyber war" company NSO Group. Using a chain of zero-day exploits, operators of this spyware attempted to get Mansoor to click on a link in a socially engineered text message that would have given them access to everything in his phone. Prior to the releases of the report, researchers contacted Apple who released a security update that patched the vulnerabilities exploited by the spyware operators.
The Citizen Lab has won a number of awards for its work. It is the first Canadian institution to win the MacArthur Foundation’s MacArthur Award for Creative and Effective Institutions and the only Canadian institution to receive a "New Digital Age" Grant from Google Executive Chairman Eric Schmidt. Past awards include the Electronic Frontier Foundation Pioneer award, the Canadian Library Association's Advancement of Intellectual Freedom in Canada Award, the Canadian Committee for World Press Freedom's Press Freedom Award, and the Canadian Journalists for Free Expression’s Vox Libera Award.
According to a January 24, 2019 AP News report, Citizen Lab researchers "are being targeted" by "international undercover operatives."

Funding

Financial support for the Citizen Lab has come from the Ford Foundation, the Open Society Institute, the Social Sciences and Humanities Research Council of Canada, the International Development Research Centre, the Government of Canada, the Canada Centre for Global Security Studies at the University of Toronto’s Munk School of Global Affairs, the John D. and Catherine T. MacArthur Foundation, the Donner Canadian Foundation, the Open Technology Fund, and The Walter and Duncan Gordon Foundation. The Citizen Lab has received donations of software and support from Palantir Technologies, VirusTotal, and Oculus Info Inc.

Research areas

Threats against civil society

The Citizen Lab’s Targeted Threats research stream seeks to gain a better understanding of the technical and social nature of digital attacks against civil society groups and the political context that may motivate them. The Citizen Lab conducts ongoing comparative analysis of a growing spectrum of online threats, including Internet filtering, denial-of-service attacks, and targeted malware. Targeted Threats reports have covered a number espionage campaigns and information operations against the Tibetan community and diaspora, phishing attempts made against journalists, human rights defenders, political figures, international investigators and anti-corruption advocates in Mexico, and a prominent human rights advocate who was the focus of government surveillance in the United Arab Emirates. Citizen Lab researchers and collaborators like the Electronic Frontier Foundation have also revealed several different malware campaigns targeting Syrian activists and opposition groups in the context of the Syrian Civil War. Many of these findings were translated into Arabic and disseminated along with recommendations for detecting and removing malware.
The Citizen Lab’s research on threats against civil society organizations has been featured on the front page of BusinessWeek, and covered in Al Jazeera, Forbes, Wired, among other international media outlets.
The group reports that their work analyzing spyware used to target opposition figures in South America has triggered death threats. In September 2015 members of the group received a pop-up that said:

We're going to analyze your brain with a bullet — and your family's, too... You like playing the spy and going where you shouldn't, well you should know that it has a cost — your life!

Measuring Internet censorship

The OpenNet Initiative has tested for Internet filtering in 74 countries and found that 42 of them—including both authoritarian and democratic regimes—implement some level of filtering.
The Citizen Lab continued this research area through the Internet Censorship Lab, a project aimed at developing new systems and methods for measuring Internet censorship. It was a collaborative effort between the Citizen Lab, Professor Phillipa Gill's group at Stony Brook University's Department of Computer Science, and Professor Nick Feamster's Network Operations and Internet Security Group at Princeton University.

Application-level information controls

The Citizen Lab studies censorship and surveillance implemented in popular applications including social networks, instant messaging, and search engines.
Previous work includes investigations of censorship practices of search engines provided by Google, Microsoft, and Yahoo! for the Chinese market along with the domestic Chinese search engine Baidu. In 2008, Nart Villeneuve found that TOM-Skype had collected and stored millions of chat records on a publicly accessible server based in China. In 2013, Citizen Lab researchers collaborated with Professor Jedidiah Crandall and Ph.D. student Jeffrey Knockel at the University of New Mexico to reverse engineering of TOM-Skype and Sina UC, another instant messaging application used in China. The team was able to obtain the URLs and encryption keys for various versions of these two programs and downloaded the keyword blacklists daily. This work analyzed over one year and a half of data from tracking the keyword lists, examined the social and political contexts behind the content of these lists, and analyzed those times when the list had been updated, including correlations with current events.
Current research focuses on monitoring information controls on the popular Chinese microblogging service Sina Weibo, Chinese online encyclopedias, and mobile messaging applications popular in Asia. The Asia Chats project utilizes technical investigation of censorship and surveillance, assessment on the use and storage of user data, and comparison of the terms of service and privacy policies of the applications. The first report released from this project examined regional keyword filtering mechanisms that LINE applies to its Chinese users.
Analysis of a popular cellphone app called "Smart Sheriff", by Citizen Lab and the German group Cure53, asserted the app represented a security hole that betrayed the privacy of the children it was meant to protect and that of their parents.
South Korean law required all cellphones sold to those under 18 to contain software designed to protect children, and Smart Sheriff was the most popular government approved app—with 380,000 subscribers. The Citizen Lab/Cure53 report described Smart Sheriff's security holes as "catastrophic".

Commercial surveillance

The Citizen Lab conducts groundbreaking research on the global proliferation of targeted surveillance software and toolkits, including FinFisher, Hacking Team and NSO Group.
FinFisher is a suite of remote intrusion and surveillance software developed by Munich-based Gamma International GmbH and marketed and sold exclusively to law enforcement and intelligence agencies by the UK-based Gamma Group. In 2012, Morgan Marquis-Boire and Bill Marczak provided the first public identification of FinFisher's software. The Citizen Lab and collaborators have done extensive investigations into FinFisher, including revealing its use against Bahraini activists, analyzing variants of the FinFisher suite that target mobile phone operating systems, uncovering targeted spying campaigns against political dissidents in Malaysia and Ethiopia, and documenting FinFisher command and control servers in 36 countries. Citizen Lab's FinFisher research has informed and inspired responses from civil society organizations in Pakistan, Mexico, and the United Kingdom. In Mexico, for example, local activists, and politicians collaborated to demand an investigation into the state's acquisition of surveillance technologies. In the UK, it led to a crackdown on the sale of the software over worries of misuse by repressive regimes.
Hacking Team is a Milan, Italy-based company that provides intrusion and surveillance software called Remote Control System to law enforcement and intelligence agencies. The Citizen Lab and collaborators have mapped out RCS network endpoints in 21 countries, and have revealed evidence of RCS being used to target a human rights activist in the United Arab Emirates, a Moroccan citizen journalist organization, and an independent news agency run by members of the Ethiopian diaspora. Following the publication of Hacking Team and the Targeting of Ethiopian Journalists, the Electronic Frontier Foundation and Privacy International both took legal action related to allegations that the Ethiopian government had compromised the computers of Ethiopian expatriates in the United States and UK.
In 2018, the Citizen Lab released an investigation into the global proliferation of Internet filtering systems manufactured by the Canadian company, Netsweeper, Inc. Using a combination of publicly available IP scanning, network measurement data, and other technical tests, they identified Netsweeper installations designed to filter Internet content operational on networks in 30 countries and focused on 10 with past histories of human rights challenges: Afghanistan, Bahrain, India, Kuwait, Pakistan, Qatar, Somalia, Sudan, UAE, and Yemen. Websites blocked in these countries include religious content, political campaigns, and media websites. Of particular interest was Netsweeper's ‘Alternative Lifestyles’ category, which appears to have as one of its principal purposes the blocking of non-pornographic LGBTQ content, including that offered by civil rights and advocacy organizations, HIV/AIDS prevention organizations, and LGBTQ media and cultural groups. The Citizen Lab called on government agencies to abandon the act of filtering LGBT content.
Since 2016, Citizen Lab has published a number of reports on "Pegasus", a spyware for mobile devices that was developed by the NSO Group, an Israeli-based cyber intelligence firm. Citizen Lab's ten part series on the NSO Group ran from 2016 through 2018. The August 2018 report was timed to coordinate with Amnesty International's in-depth report on the NSO Group.
In 2017, the group released several reports that showcased phishing attempts in Mexico that used NSO Group technology. The products were used in multiple attempts to gain control of mobile devices of Mexican government officials, journalists, lawyers, human rights advocates and anti-corruption workers. The operations used SMS messages as bait in an attempt to trick targets into clicking on links to the NSO Group's exploit infrastructure. Clicking on the links would lead to the remote infection of a target's phone. In one case, the son of one of the journalists—a minor at the time—was also targeted. NSO, who purports to only sell products to governments, also came under the group's focus when prominent UAE human rights defender Ahmed Mansoor's mobile phone was targeted. The report on these attempts showed the first time iOS zero day exploits in the wild and prompted Apple to release a security update to their iOS 9.3.5, affecting more than 1 billion Apple users worldwide.
The Citizen Lab's research on surveillance software has been featured on the front pages of The Washington Post and The New York Times and covered extensively in news media around the world, including the BBC, Bloomberg, CBC, Slate, and Salon.
The Citizen Lab's research on commercial surveillance technologies has resulted in legal and policy impacts. In December 2013, the Wassenaar Arrangement was amended to include two new categories of surveillance systems on its Dual Use control list—"intrusion software" and "IP Network surveillance systems". The Wassenaar Arrangement seeks to limit the export of conventional arms and dual-use technologies by calling on signatories to exchange information and provide notification on export activities of goods and munitions included in its control lists. The amendments in December 2013 were the product of intense lobbying by civil society organizations and politicians in Europe, whose efforts were informed by Citizen Lab's research on intrusion software like FinFisher and surveillance systems developed and marketed by Blue Coat Systems.

Commercial filtering

The Citizen Lab studies the commercial market for censorship and surveillance technologies, which consists of a range of products that are capable of content filtering as well as passive surveillance.
The Citizen Lab has been developing and refining methods for performing Internet-wide scans to measure Internet filtering and detect externally visible installations of URL filtering products. The goal of this work is to develop simple, repeatable methodologies for identifying instances of internet filtering and installations of devices used to conduct censorship and surveillance.
The Citizen Lab has conducted research into companies such as Blue Coat Systems, Netsweeper, and SmartFilter. Major reports include "Some Devices Wander by Mistake: Planet Blue Coat Redux", "O Pakistan, We Stand on Guard for Thee: An Analysis of Canada-based Netsweeper’s Role in Pakistan’s Censorship Regime", and Planet Blue Coat: Mapping Global Censorship and Surveillance Tools.
This research has been covered in news media around the world, including the front page of The Washington Post, The New York Times, The Globe and Mail, and the Jakarta Post.
Following the 2011 publication of "Behind Blue Coat: Investigations of Commercial Filtering in Syria and Burma", Blue Coat Systems officially announced that it would no longer provide "support, updates. or other services" to software in Syria. In December 2011, the U.S. Department of Commerce's Bureau of Industry and Security reacted to the Blue Coat evidence and imposed a $2.8 million fine on the Emirati company responsible for purchasing filtering products from Blue Coat and exporting them to Syria without a license.
Citizen Lab's Netsweeper research has been cited by Pakistani civil society organizations Bytes for All and Bolo Bhi in public interest litigation against the Pakistani government and in formal complaints to the High Commission of Canada to Pakistan.

Corporate Transparency and Government Accountability

The Citizen Lab examines transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities. This research has investigated the use of Artificial Intelligence in Canada's immigration and refugee systems, an analysis of ongoing encryption debates in the Canadian context, and a close look at consumer personal data requests in Canada.
In the summer of 2017, the Government of Canada introduced new national security legislation, Bill C-59. It proposed to significantly change Canada's national security agencies and practices, including Canada's signals intelligence agency. Since the Bill was first proposed, a range of civil society groups and academics have called for significant amendments to the proposed Act. A co-authored paper by the Citizen Lab and the Canadian Internet Policy and Public Interest Clinic represented the most detailed and comprehensive analysis of CSE-related reforms to date. This analysis was produced to help members of parliament, journalists, researchers, lawyers, and civil society advocates engage more effectively on these issues and was included in parliamentary committee debates and highlighted in dozens of media reports.

Policy engagement

The Citizen Lab is an active participant in various global discussions on Internet governance, such as the Internet Governance Forum, ICANN, and the United Nations Government Group of Experts on Information and Telecommunications.
Since 2010, the Citizen Lab has helped organize the annual Cyber Dialogue conference, hosted by the Munk School of Global Affairs’ Canada Centre, which convenes over 100 individuals from countries around the world who work in government, civil society, academia, and private enterprise in an effort to better understand the most pressing issues in cyberspace. The Cyber Dialogue has a participatory format that engages all attendees in a moderated dialogue on Internet security, governance, and human rights. Other conferences around the world, including a high-level meeting by the Hague-based Scientific Council for Government Policy and the Swedish government's Stockholm Internet Forum, have taken up themes inspired by discussions at the Cyber Dialogue.

Field building

The Citizen Lab contributes to field building by supporting networks of researchers, advocates, and practitioners around the world, particularly from the Global South. The Citizen Lab has developed regional networks of activists and researchers working on information controls and human rights for the past ten years. These networks are in Asia, the Commonwealth of Independent States, and the Middle East and North Africa.
With the support of the International Development Research Centre, the Citizen Lab launched the in 2012, which consists of South-based researchers, advocates, and practitioners who analyze and impact cybersecurity policies and practices at the local, regional, and international level. The project consists of 24 partners from across Asia, sub-Saharan Africa, Latin America, and the Middle East and North Africa including 7iber, OpenNet, and the Centre for Internet and Society.
Citizen Lab staff also work with local partners to educate and train at-risk communities. For example, in 2013 it collaborated with the Tibet Action Institute to hold public awareness events in Dharamshala, India, for the exiled Tibetan community on cyber espionage campaigns. In the winter of 2013, the Citizen Lab conducted a digital security training session for Russian investigative journalists at the Sakharov Center in Moscow.

In the media

The Citizen Lab's work is often cited in media stories relating to digital security, privacy controls, government policy, human rights, and technology. Since 2006, they have been featured on 24 front-page stories at publications including The New York Times, Washington Post, Globe and Mail and International Herald Tribune.

Citizen Lab Summer Institute

Since 2013, Citizen Lab has hosted the as an annual research workshop at the Munk School of Global Affairs, University of Toronto. It brings together researchers and practitioners from academia, civil society, and the private sector who are working on Internet openness, security, and rights. Collaborations formed at CLSI workshops have led to publication of high impact reports on Internet filtering in Zambia, a security audit of child monitoring apps in South Korea, and an analysis of the "Great Cannon", an attack tool in China used for large scale distributed-denial of service attacks against Github and GreatFire.org.

Undercover agents target Citizen Lab

According to a report by AP News journalist Raphael Satter, Citizen Lab researchers who reported in October 2018, that Israeli NSO Group surveillance software was used to spy on the "inner circle" of Jamal Khashoggi just before his murder, "are being targeted in turn by international undercover operatives." Citizen Lab October report revealed that NSO's "signature spy software" which had been placed on the iPhone of Saudi dissident Omar Abdulaziz, one of Khashoggi’s confidantes, months before. Abdulaziz said that Saudi Arabia spies used the hacking software to reveal Khashoggi's "private criticisms of the Saudi royal family". He said this "played a major role" in his death.
In March 2019, The New York Times reported that Citizen Lab had been a target of UAE contractor DarkMatter.
In November 2019, Ronan Farrow released a Podcast called "Catch and Kill," an extension of his book of the same name. The first episode includes Farrow's reporting on an instance in which a source of Farrow's was involved in a counter-espionage incident while operatives from Black Cube were targeting Citizen Lab.