Mini-Grants Recipients
2023
Peer Harm Reduction on the Darknet
Dr. Richard Frank, Simon Fraser University
Dr. Tibor Kiss, University of Public Service
Akos Szigeti, University of Public Service
The volume of drug trafficking on darknet markets is at an all-time high. While harm reduction is a well-researched topic in general, only a few studies have examined harm reduction on the darknet. Actors on the supply side of the darknet drug trade (operators and vendors) deal with harm reduction because of their economic interests. Many darknet markets share information on harm reduction on their info pages, and vendors often provide instructions for safe drug use in product descriptions. Harm reduction activities also take place on the demand side: drug users share important information with each other on forums. The goal of this research is the in-depth examination of this information and its evaluation with the active involvement of stakeholders.
Findings from this in-depth examination and evaluation of peer harm reduction on the darknet can be exploited both by policy makers and practitioners. On the one hand, re-evaluating the darknet drug trade from a community point of view may have implications for darknet policing. On the other hand, the practical evaluation of the phenomenon can influence the development of targeted harm reduction programs. In line with the global nature of drug trafficking on the darknet, this research is designed to enable cross-country comparison and intercontinental knowledge transfer, and thus to have an impact in Canada, in the European Union and beyond.
China’s Weaponization of Disinformation to Undermine Democracy in Canada
Dr. Benjamin Fung, McGill University
Dr. Simon Hogue, Université du Québec à Montréal
Marcus Kolga, DisinfoWatch
Over the last several years, political actors worldwide have begun harnessing the digital power of social media; what was once described as “liberation technology” (Diamond, 2010) is now being observed as a possible weapon used to disrupt multilateral diplomacy and threaten liberal democratic norms and values. This project studies the way China in particular utilizes digital techniques to undermine democracy in countries such as Canada. China serves as a compelling case study concerning the weaponization of disinformation, as the tactics it utilizes include subtle as well as indirect forms of digital subversion through the spread of digital disinformation in domestic as well as international politics. The project will also examine the tactics used by China to disrupt electoral politics in the U.S. and Taiwan in order to gain profound insight into the extent to which China’s interference in Canadian politics could become much more severe and insidious.
A fair, transparent democratic process is the basis of protecting the human rights stated in our constitution. Recent evidence suggests that our election system has been influenced by a powerful foreign totalitarian state. There is a pressing need to respond to the situation. The PI, Benjamin Fung, is a Professor and Canada Research Chair in Data Mining for Cybersecurity at McGill University. He will contribute his expertise in AI and digital forensics to analyze the collected disinformation. The Co-Investigator, Simon Hogue, is Assistant Professor at the Royal Military College Saint-Jean. His research specialty is in the areas of surveillance studies and democracy, political participation and citizenship in the digital age. The research partner is DisinfoWatch, a Canadian-based disinformation monitoring and debunking platform. Part of the disinformation will be collected via DisinfoWatch. The research results will be shared with DisinfoWatch and the Vice Chair of the Special Committee on the Canada–People’s Republic of China Relationship in the Parliament.
Modeling false claims against politicians alleged on social media: An ontology and knowledge graph of conflicts of interest, nepotism, bribery, and corruption
Dr. Stéphane Gagnon, Université du Québec en Outaouais
Dr. Romilla Syed, University of Massachusetts Boston
As is the nature of democracy, politicians normally face opposition from various groups. For example, major international business deals, regulatory concessions, and large procurement contracts can be criticized. However, democratic institutions being open and free, allegations of conflict of interest, bribery, and corruption are among the most damaging and difficult forms of opposition. They can be as simple as raising doubts about some connections among decision makers. It is difficult to sue for libel when democratic discussions are formulated as questions instead of accusations.
Disinformation attackers can use social media to spin actual news about government projects and add false claims that appear to place blame on a specific person, group, organization, or business. The claims rely on assumptions and/or fabricated facts, both very difficult to verify beyond reasonable doubt. Emotions are also stirred, as opponents rely on noble feelings to fabricate divisions. Their arguments use citizens’ fears of mistaken trust, anger at misuse of public funds, and due diligence errors by oversight agencies. Mismanagement of these attacks can damage democracy for several years, with a risk of irrecoverable trust.
We propose to develop an ontology and knowledge graph, both published under open-source licenses, to enable future research and help model how disinformation attackers use social media to create false dissension. An empirical study of past events and public opinion can serve to reveal patterns of attack. A survey of political staff in both the Parliament of Canada and the US Congress will help connect with the practitioner community, identify salient cases of disinformation campaigns against politicians, especially cross-sectional (gender, ethnicity, identity), and develop a joint research-learning community to help strengthen democracy.
From this learning process, new research assets will be developed to help future research. A dataset of curated news and discussions will be developed, serving to identify disinformation indicators from factual data.
Improving security and privacy of low-SES Youth
Dr. Sana Maqsood, York University
Roger Léger, CyberCap
Prior research in usable security primarily focuses on the security and privacy experiences of users with medium-high socio-economic backgrounds, similar physical and cognitive abilities, and similar ethnic backgrounds. Thus, the needs of underrepresented users, such as those from low-SES areas, have not been explored. These users may face different security and privacy risks due to their backgrounds, circumstances, or experiences, so it is important to understand their security and privacy behaviours. For example, low-SES users may have lower overall cybersecurity literacy, due to limited learning opportunities, which may make them more susceptible to security and privacy risks. This project aims to understand the security and privacy behaviours and mental models of youth (12-17-year-olds) from low-SES areas. The long-term objective of our research is to use the findings from this project to design tailored interventions to improve the security and privacy of low-SES youth.
With regards to context, this project will focus on low-SES youth’s security and privacy behaviours online and their mental models of various online risks.
The Security of Self: An Interdisciplinary Edited Collection
Dr. Emily Laidlaw
Dr. Florian Martin-Bariteau
University of York
University of Ottawa
Cybersecurity is commonly explored in terms of the national security and organizational risks of data breaches, and the technical and legal mechanisms that can be used to protect, prevent and redress such breaches. There is another dimension to cybersecurity: the extent to which individual security and dignity can be compromised. This edited collection will explore the technical and legal dimensions of the security of self, such as technology-facilitated abuse, social media, the sharing culture, and reputational harm. The collection will have a Canadian focus, and be open access (probably with uOttawa Press).
Because the mere concept of “Security of Self” may need to be brainstormed and unpacked, we are hoping to first convene all interested authors for a workshop where we will discuss and try to draft a common understanding of the concept. The workshop will also be an opportunity for colleagues to share the topic/idea they want to develop in their chapter, so everybody is aware of what is in the collection (making it easy to build links across chapters; but also helping us highlight potential gaps in the collection).
[Cyber]Theft of Crypto Tokens: Understanding Attackers’ and Victims’ Behaviors
Dr. Masarah Paquet-Clouston, Université de Montréal
Bernard Haslhofer, Complexity Science Hub Vienna
The decentralized finance (DeFi) industry is broadly defined as transparent, open-source and permissionless online financial products and services developed by enterprises and/or individuals. Among growing financial products are crypto tokens, such as UniCrypt or DIA, which are online fungible assets created through smart contracts enabled by decentralized blockchain platforms. Ethereum is one such platform, hosting over 450,000 smart contracts issuing crypto tokens which, altogether, had a market cap of over 150 billion US dollars in 2022. Such worth, coupled with the decentralized and pseudo-anonymous features of crypto transactions, creates an appealing setting for hacks leading to [cyber]thefts. Indeed, hacks targeting DeFi software and incurring losses of millions of dollars have been recorded weekly. Given the transparency of blockchain platforms (and their related crypto tokens) and the frequent publications of hacks, there exists a unique research opportunity to better understand hackers’ target selection that leads to successful thefts, and the financial behaviors of their victims once such an event has taken place.
Moreover, crime opportunity theory (Cook, 1986) provides a framework to understand the interaction between victims and offenders in such predatory crimes. It uses the theory of markets to describe and predict how offenders and victims interact. Cook (1986) assumes that offenders are rational and selective and will choose targets with higher payoffs and fewer risks of legal consequences. Meanwhile, victims respond to crime with self-protective measures.
Shaping Cyberhate against Women: Anti-Feminist Discourse and Content on TikTok
Dr. Samuel Tanner, Université de Montréal
François Gillardin, Université de Montréal
According to the Pew Research Center, TikTok is one of the most popular social media platforms in recent years (Pew Research Center, 2022). In 2021, 5 years after its inception, it already had over 800 million subscribers (Li et al., 2021). Like YouTube, Instagram or Facebook, TikTok promotes user experience by offering content powered by a recommendation algorithm calibrated on a series of variables, such as “likes”, comments, and time spent on each video or piece of content (Golden & Danks, 2021). Through its immersive infrastructure, TikTok has supported multiple phenomena that have gone viral, such as "handwashing" during Covid-19 (Basch et al., 2022). However, it differs from other social media platforms in the challenges, dances and lip-syncing initiated by its users, which come with great potential for attraction and imitation. Also, TikTok's algorithm puts users at greater risk of unintentionally encountering disturbing content (Fang et al., 2019). These features have been appropriated by radical and extremist movements such as the Boogaloo Boys (Clayton, 2020), the Islamic State (Weimann & Masri, 2020), or anti-Semitic groups (Weimann & Masri, 2021). The purpose of this project is to explore the various facets of anti-women (anti-feminist) hate speech on TikTok, a topic that has not yet been the subject of much research.
To do so, and based on the Canadian Centre for Cyber Security (2022), we will adopt a socio-technical approach, considering anti-feminism and cyber-hate as the result of a mediation between technology and humans. We will deploy a digital qualitative method of observation by "immersion" in the TikTok environment and proceed to the collection and content analysis of videos, posts, hashtags, and accounts related to antifeminism. Our entry point into this ecosystem will be the identification of hashtags with hateful connotations toward women.
Study on the Effectiveness of Data Breach Notification Laws in Canada
Dr. Nicolas Vermeys, Université de Montréal
Faculté de droit
Across Canada, corporations have a duty to notify authorities – and, in most cases, consumers – should they suffer a data breach that is believed to have created a “real risk of significant harm” to said consumers’ personal information. While such an obligation can be found in a number of Federal and Provincial laws, as well as in US and European legislation, there is little data available to establish whether it has had its desired effect, i.e. whether it truly helps protect consumers’ personal information. Furthermore, the data that is available seems to indicate that only a fraction of detected data breaches are divulged to the proper agencies, which in turn suggests that there is a lack of effectiveness pertaining to these obligations or, rather, to the legal dispositions that created them. In 2022, the Federal Government presented Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts. Among its numerous goals, the Act aims to reform personal information protection on a federal level. The timing is therefore perfect to study the effectiveness of data breach notification laws to gather a better understanding of why several corporations seem to disregard their obligation. Such a study could help guide legislative changes.
Our research will therefore aim to answer the following question: How can we improve the effectiveness of data breach notification laws in Canada? To do so, we will approach the three Canadian bodies that receive data breach notification notices (the Commission d’accès à l’information du Québec, the Office of the Privacy Commissioner of Alberta, and the Office of the Privacy Commissioner of Canada) to gather as much data as possible on the number and types of notices that were received in past years. By crossing this data with existing legal and security studies, we aim to gather a better understanding of the relative impact of breach notification laws and how to improve their effectiveness.
Policing financially motivated cybercrime: Current and emerging challenges
Dr. Chad Whelan, Deakin University
Dr. James Martin, Deakin University
Dr. Diarmaid Harkin, Deakin University
Dr. Benoit Dupont, Université de Montréal
Dr. Masarah Paquet-Clouston, Université de Montréal
Chris Lynam, RCMP
This project aims to identify and analyse current and emerging challenges concerning the policing of financially motivated cybercrime. Financially motivated cybercrimes include cyber-enabled crimes typically thought of as frauds and scams as well as cyber-dependent crimes extending to exfiltrating and selling stolen data as well as ransomware attacks. The project will therefore extend to cybercrimes, including cyber frauds, business email compromise, identity theft, malware/ransomware, and other potential extortion offences.
Adopting a comparative perspective between Australia and Canada, the project will leverage qualitative interviews with sworn and unsworn members of law enforcement agencies concerning the perceived challenges now and over the next 3-5 years. These challenges will be framed according to endogenous factors – including organisational design; knowledge, capabilities, and resources of cybercrime teams – and exogenous factors including the nature and evolution of diverse cyber-criminal harms. By focusing on two countries with similar political systems as well as socio-economic structures, the project will identify insights relevant for both countries independently and collectively. Furthermore, the comparative approach will ensure these findings are likely to be relevant for many other countries, most notably the Five Eyes. The findings will advance research related to financially motivated cybercrime and policing in addition to police policy and practice.
Twitter As A School for Crime
Dr. David Décary-Hétu, Université de Montréal
Dr. Richard Frank, Simon Fraser University
Almost 5 billion individuals worldwide use social networking sites (SNS) today, and 78% of Canadians visit such sites regularly. SNS play an important part in how individuals communicate, get news and even learn new skills. A good example of the educational potential of SNS is the information security (infosec) community on Twitter. This community is extremely active in sharing information about threat actors, security tools and techniques, and strategies to protect corporate networks. Recent research suggests that hackers are also active users of Twitter, first to take advantage of all the infosec knowledge published on the network, and second to network with and learn from other hackers. This implies that Twitter is a double-edged sword that helps security professionals secure their corporate networks, but also enhances hackers’ attacks. The extent to which Twitter can be and is used to advance malicious attacks remains unknown at this point.
The general aim of this project is to assess the impact of Twitter on the effectiveness of hackers’ attacks on corporate networks. To do so, we will collect all hacking-related tweets, whether they come from the infosec or hacking community. We will map the diffusion of information and relationship ties across both communities, to identify key players and determine whether hackers appear to improve their skills as they become more exposed to information security tweets and users. The outcome of this project will be an understanding of the structure of the hacking community on Twitter, and the evolution of this community over a period of 2 years. Our findings will shape policies on the investigation and monitoring of malicious hackers online, as well as offer practical indications of how and what hackers learn that can be used to enhance today and tomorrow’s corporate defenses.