Thursday, April 10, 2014

CSEC roundup 10 April 2014

Recent news and commentary items related to CSEC:

- Jim Bronskill, "Canadian cyberspy agency CSEC fretted about staff after Snowden leaks," Canadian Press, 7 April 2014

- Joe Lofaro, "Canadians ‘should be outraged’ by WiFi spy allegations: Borg," Metro, 3 April 2014

- Trevor Greenway, "Government spying: What’s legal? What’s not?" Metro, 3 April 2014

- Mark Stone, "Think Canadians are Less Immune to Government Spying Than Americans? Think Again," Tech Vibes, 3 April 2014

- Daniel Tencer, "U.S. Pushes Canada To Loosen Privacy Laws," Huffington Post Canada, 3 April 2014. See also Ken Hanley, "Op-Ed: U.S. claims using EU companies to circumvent NSA spying unfair," Digital Journal, 10 April 2014.

- "Hey CSEC, stop spying on me," editorial, Globe and Mail, 2 April 2014

- David Christopher, "Canada talks back about secret spying," rabble.ca, 19 March 2014

- Jim Bronskill, "ISPs Handing Over Data To Spies? Surprisingly, They Don't Want To Say," Canadian Press, 27 March 2014

- Christopher Parsons, "Accountability and Government Surveillance," Technology, Thoughts & Trinkets blog, 27 March 2014. Parsons reports on the government's response, or lack thereof, to a series of questions from MP Charmaine Borg concerning subscriber-related information obtained from telecommunications service providers. Full text of the responses from government departments here. As Parsons notes, CSEC's response (see page 66) was limited to uninformative boilerplate. Other coverage: Colin Freeze, "Border agency asked for Canadians’ telecom info 18,849 times in one year," Globe and Mail, 27 March 2014; Michael Geist, "Who Needs Lawful Access?: Cdn Telcos Hand Over Data on Thousands of Subscribers Without a Warrant," Michael Geist blog, 26 March 2014

- Derek James, "Bill C-13: Tories trying again to open door to undue state intrusion," Toronto Star, 26 March 2014

Also of interest, commentary related to Bill S-4, the new Digital Privacy Act (government backgrounder here):
- Michael Geist, "Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure," Michael Geist blog, 10 April 2014
- Tim Banks, "Canada’s Digital Privacy Rethink: Fines, Enforceable Compliance Agreements and More!" Privacy and Data Security Law blog, 9 April 2014

March 2014 CSEC staff size

2171.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Thursday, April 03, 2014

CSEC Chief testifies to National Defence committee

CSEC Chief John Forster and Minister of National Defence Rob Nicholson testified to the House of Commons Standing Committee on National Defence on April 3rd. (Audio available here; the transcript of the testimony won't be available for some time.)

Nicholson and Forster were originally scheduled to appear before the committee on March 6th, but that session was cancelled at the last minute, leaving observers wondering if Forster would appear before the committee at all.

It's reassuring to see that Forster's testimony did eventually take place.

The scheduled topics of discussion included questions related to the Supplementary Estimates (C) (and the activities in general) of the Department of National Defence as well as questions related to CSEC, so only part of the committee's time was dedicated to CSEC. But a lot of the discussion during the session did focus on CSEC.

Some detailed questions were posed by NDP defence critic Jack Harris and his colleague Elaine Michaud (although not perhaps the ones I or other outside observers might have asked), and some were also asked by Liberal Joyce Murray, but I don't think any especially new or enlightening information was provided by Forster or Nicholson in response. In some cases, Forster was unwilling even to provide information that has already been made public. Forster was very reluctant to confirm, for example, that one of the forms of support that CSEC may provide to federal law enforcement and security agencies is to intercept the communications of specific Canadians in cases where those agencies have a warrant to obtain those communications. (See here for confirmation of that role.)

We also got some softball questions from the government members. Ragging the puck is about all that government members are useful for on these committees, so I guess we shouldn't be too disappointed if that's all they do. Hope you enjoy your gold-plated pensions.

All in all, the meeting didn't do a lot to validate the government's claim that the National Defence committee is capable of performing genuine oversight over CSEC, but at least it was a start.

Let's hope the committee's "study of Communications Security Establishment Canada intelligence-gathering policies and practices" amounts to more than just this one part of one meeting.

Update 5 April 2014:

News coverage:

Colin Freeze, "CSEC dodges questions on relationship with Big Three telecom companies," Globe and Mail, 4 April 2014.

Update 10 April 2014: See excerpt of Harris's subsequent e-mail comments to Freeze here: "What happened on Thursday certainly couldn't pass for parliamentary oversight when MP's can't get straight answers on straightforward questions."

Tuesday, March 25, 2014

Robinson PGP key

I've decided I should (re)acquire the capability to use PGP (GnuPG to be precise).

I work under the assumption that any major SIGINT agency that decides it has a specific interest in my correspondence will always be able to find the means to access it regardless of whatever crypto precautions I might try to take, so don't take this step as an invitation to send me things you wouldn't want our five-eyed friends and their counterparts elsewhere to know about.

But nothing says that everyone in the general public should be forced to leave all of their correspondence open for anyone to read at any time, so acquiring PGP seems like a reasonable thing to do.

Here is my public key (key ID EFF608B9):


Monday, March 24, 2014

Freeze on CANADALAND

The latest edition of Jesse Brown's CANADALAND podcast features a conversation with Globe and Mail reporter Colin Freeze on the difficulties of covering intelligence/privacy issues in Canada even in the post-Snowden world: How Canada's Spies Game the Media

Freeze is one of the few journalists who has done extended coverage of intelligence-related issues in Canada and he has taken the lead on recent CSEC coverage. (Others worth mentioning include Jim Bronskill, Greg Weston, Michelle Shephard, Stewart Bell, Ian MacLeod, and Andrew Mitrovica.)

Well worth a listen.

(Oh, and thanks for the plug on your website, Jesse!)

Saturday, March 22, 2014

Meta-truth on mega-data

Every now and then it's fun to look back at earlier official assurances and compare them to what we know today.

This June 2013 statement by then-Defence Minister Peter MacKay, which I recently re-read while checking some other information, is a good example:

"Mega-data is collected only on international, not domestic, communications."

Yes, he really did say mega-data instead of metadata.

But the fun part is re-reading MacKay's statement in the context of this recent revelation. (Further discussion here and here.)

SNOWGLOBE: CSEC analysis of suspected French spyware

Le Monde has published a report on CSEC's analysis of an e-mail spying operation that it discovered in November 2009. The operation targeted a number of organizations around the world, including a French-language media outlet in Canada. CSEC concluded that the source of the operation was probably France (Jacques Follorou & Martin Untersinger, "La France suspectée de cyberespionnage," Le Monde, 21 mars 2014).

See also: Jacques Follorou & Martin Untersinger, "Quand les Canadiens partent en chasse de « Babar »," Le Monde, 21 mars 2014.

The newspaper also published several slides from the CSEC powerpoint presentation, one of the documents leaked by Edward Snowden, on which the Le Monde reports were based.

Globe and Mail coverage here: Tu Thanh Ha, "French spy software targeted Canada: report," Globe and Mail, 21 March 2014.

Monday, March 17, 2014

Recent news/commentary

Recent news and commentary items related to CSEC:

- Jim Bronskill, "Canada's electronic spy agency uncovers wrongdoing, ethics breaches," Canadian Press, 16 March 2014.

- Matthew Braga, "Why can't, or won't, your phone company detail data it shares with the feds?" Globe and Mail, 16 March 2014; see also Christopher Parsons, "The Murky State of Canadian Telecommunications Surveillance," citizenlab.org, 6 March 2014.

- John Adams, "Making the case for metadata," iPolitics, 14 March 2014; see also the longer version here. (The former Chief of CSEC defends the agency's operations, while reiterating his support for greater parliamentary scrutiny. In the iPolitics version, but not the longer version, Adams also makes the intriguing statement that there is within CSEC "an internal audit committee which includes external-to-government members, with access to any and all activities carried out by CSEC" in order to help keep an eye on the agency (emphasis added). He is not talking about the CSE Commissioner, whom he discusses separately. What is the nature of this committee, and who are these external-to-government individuals?)

- Alex Boutilier, "Ottawa imposes life-long gag order on bureaucrats, lawyers," Toronto Star, 13 March 2014. (Additional organizations added to the list of persons "permanently bound to secrecy".)

- Jordan Press, "Canada’s military squeezed out of cyber-defence, emails warn," Vancouver Province, 12 March 2014

- Michael Geist, "If U.S. Cloud Computing Isn't Good Enough for the Canadian Government, Why Should It Be for You?" Michael Geist blog, 12 March 2014

- Colin Freeze, "Spy agency’s memos to minister shed light on secretive practices," Globe and Mail, 7 March 2014 (available only to subscribers, but you can read the bits of the memos that were released here)

Saturday, March 15, 2014

CSEC OLYMPIA software analyzed



The Top Level Communications blog has published a detailed and convincing analysis of the functions and capabilities of CSEC's OLYMPIA target development software, as revealed in a leaked June 2012 powerpoint presentation (part of the Snowden documents): OLYMPIA: How Canada's CSEC maps phone and internet connections (13 March 2014).

The topics discussed are way beyond my very limited technical knowledge, so there's very little I can add, but FWIW the explanations provided do seem to ring true.

One small note: While I agree that the TAO referred to in the presentation is most likely NSA's Tailored Access Operations unit, there is some reason to believe that CSEC's parallel unit may also use the name "Tailored Access".

Previous discussion of OLYMPIA here, here, and here.