Wednesday, May 27, 2015

CSE and friends target mobile phones

More Snowden revelations were reported last week by the CBC (Amber Hildebrandt & Dave Seglins, "Spy agencies target mobile phones, app stores to implant spyware," CBC News, 21 May 2015):

Canada and its spying partners exploited weaknesses in one of the world's most popular mobile browsers and planned to hack into smartphones via links to Google and Samsung app stores, a top secret document obtained by CBC News shows.

Electronic intelligence agencies began targeting UC Browser — a massively popular app in China and India with growing use in North America — in late 2011 after discovering it leaked revealing details about its half-billion users.

Their goal, in tapping into UC Browser and also looking for larger app store vulnerabilities, was to collect data on suspected terrorists and other intelligence targets — and, in some cases, implant spyware on targeted smartphones.

The 2012 document shows that the surveillance agencies exploited the weaknesses in certain mobile apps in pursuit of their national security interests, but it appears they didn't alert the companies or the public to these weaknesses. That potentially put millions of users in danger of their data being accessed by other governments' agencies, hackers or criminals.

The Citizen Lab released a separate report on the particular vulnerabilities of the UC Browser (A Chatty Squirrel: Privacy and Security Issues with UC Browser, Citizen Lab, 21 May 2015) in conjunction with the CBC report.

The CBC article also reported that

The so-called Five Eyes intelligence alliance — the spy group comprising Canada, the U.S., Britain, Australia and New Zealand — specifically sought ways to find and hijack data links to servers used by Google and Samsung's mobile app stores, according to the document obtained by Snowden.

Over the course of several workshops held in Canada and Australia in late 2011 and early 2012, a joint Five Eyes tradecraft team tried to find ways to implant spyware on smartphones by intercepting the transmissions sent when downloading or updating apps.


Ultimately, the spy agencies wanted to implant spyware on certain smartphones to take control of a person's device or extract data from it, the document suggests.

The spy agencies also sought to match their targets' smartphone devices to their online activities, using databases of emails, chats and browsing histories kept in the Five Eyes' powerful XKeyScore tool to help build profiles on the people they were tracking.

Making that connection was a much desired goal of the agencies because of the growing use of smartphones and the wealth of data they contain.

There's much more worth reading in the CBC report.

The Intercept also published a report on the document, focusing more on the NSA and the app store angle: Ryan Gallagher, "NSA Planned to Hijack Google App Store to Hack Smartphones," The Intercept, 21 May 2015.

The document that the reports are based on was produced by a "Network Tradecraft Advancement Team" that appears to be composed of representatives from all five Five Eyes agencies.

The redacted version of the document, released by the CBC, is well worth a close look.

Page 20, for example, seems to show that at least one of the app suppliers that shows up—apparently repeatedly—in the demonstration depicted in the presentation is a Calgary-based company. Multiple communications from BlackBerry devices in Bahrain and Saudi Arabia to the supplier in Calgary, monitored by CSE's own EONBLUE system, are shown.

Some people might call that spying on Canadians.

But CSE would undoubtedly classify it as "incidental collection", while the CSE Commissioner would use the term "unintentional collection".

So fear not. As usual, it's all good.

Wednesday, May 13, 2015

April 2015 CSE staff size

2143. Fifth drop in a row.

See last month's post on this topic for further comments.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Tuesday, May 12, 2015

Ten years of blogging!

I missed my blog's tenth anniversary earlier this month!

(First post here.)

How the time flies when you're having fun.

To celebrate the anniversary, all blog posts will be available for public reading for half price for all of this month!

Allan Lawrence on CSE and speech recognition

A previous post noted some comments from olden times—the 1990s—about the threat to privacy posed by SIGINT agency speech-recognition capabilities.

Which reminded me of this extraordinary speech by former Progressive Conservative Solicitor General Allan Lawrence—one of the few cabinet ministers ever to tour CSE headquarters—which he delivered in the House of Commons more than 30 years ago, on March 16th, 1984:

There are other measures which are terribly absent from the [CSIS Act, which was then under debate] which should protect and concern us all. One that has not been referred to by any Hon. Member yet—and I want to speak about it in the very limited time I have available to me today—is the terrible lack of control and monitoring in regard to electronic eavesdropping in the country at the moment, and as certainly would be the case if the Bill were passed in its present form.

I am not contravening my oath of office in indicating some of these concerns. I am not contravening the Official Secrets Act in publicizing some of the things I want to publicize in the House today. Anything I intend to say here today has already been published in Canada by others. ...

Hundreds of sophisticated tape recorders are turning right now in Canada, recording conversations that have been activated by the use of certain code words or phrases which automatically turn them on.

The eavesdropping of conversations is one of the major and most efficient tools being used today in the battle against crime and the gathering of information of all sorts, both by public agencies and, I suspect, by private organizations. ...

I suspect, although I have no proof, that accountable, effective control, supervision or prohibition, as the case may be, is largely illusory in this country. There is simply too much of it going on both within and without the Government. ...

I am concerned that there is still at least one very large gap in this whole process over which neither the Minister nor this Bill seems to envisage any accountable control in any way whatsoever. The impression the Minister attempts to convey is that this Bill, in conjunction with Part VI of the Criminal Code which deals with criminal investigation, specifies that henceforth all legal authorizations for third party eavesdropping or the obtaining of information by electronic or other means will have to be judicially authorized. That quite definitely, quite seriously and quite dangerously is totally wrong.

We have a so called ultra secret agency in this country that quite closely works with, feeds into and extracts from both the huge National Security Agency's sprawling facilities and the computer complex in Fort George Mead [sic] in Maryland, Washington [sic], and also the large listening and cryptological centre in the United Kindgom [sic] that has been in the news lately because of certain spy and union problems.

Canada's agency is mainly operational here in the Ottawa area and is called the Communications Security Agency [sic], the CSE. ... In the scheme of things, it is located under the jurisdiction of the Department of National Defence, although it is never listed in the Estimates, never mentioned in any budgetary item in the House or any of its committees and rarely appears on departmental organizational charts. ...

The purpose of the three or more nation group is to monitor all telephone, telegraph, telex, microwave, or radio emission signals or messages anywhere in the world or in space, and they do it. Sensitive radio receivers tap microwave and satellite transmissions of telephone conversations, for instance, while a computer equipped with limited speech recognition capability quickly filters through thousands of tapes and intercepts by seizing on key words. It would not take too much imagination to believe that four triggering words would be 'diplomat, terrorist, bomb' and 'explosion'. I leave it to Members to think of some of the other trigger words. [In this section of the speech, Lawrence was drawing on a Globe and Mail article (Jonathan Chevreau, "Spy technology can outdo Big Brother," Globe and Mail, 23 December 1983).]

Decoding devices and unscrambling gear are obviously an integral part of its facilities. These agencies, Canada's included, obviously not only listen to international wavelengths. By their nature, they have the potential to listen in to everything and anything that hits the airwaves and more, both outside and inside Canada. Computer data banking information is fed by telephone facilities. Telephonic communications are carried on by microwave. Microwaves are intercepted by this agency.

I am not arguing that these facilities for both security and economic purposes are not necessary or useful. I am arguing that this Bill does not seem to recognize either that ministerial knowledge or judicial approval that is designed to lull us into the comfortable belief that all is well and being controlled, authorized and monitored.

There is a terrible potential for abuse in the CSE and its allied and international agencies in other countries. They can, and I am convinced they do, listen in, break into, decodify and store conversations of people in this country with no independent control, supervision, or monitoring.

In conclusion, may I say that at a time when more and more personal, private, governmental and commercial communication and transmission is being handled through the airwaves, including easy access to data banks, it is simply appalling that this Bill, which is designed to allay our fears respecting some elements of personal privacy and civil liberties and at the same time provide an efficient framework for our protection from foreign influences, both hostile and friendly, ignores this rapidly expanding capability.

The "limited speech recognition capability" available at Lawrence's time was very, very limited indeed, but the efforts being made to produce more effective systems were very real.

Just a couple of years later, for example, Aviation Week (14 December 1987) reported that the "USAF's Rome Air Development Center plans to develop an architecture to automatically process up to 150 audio channels in real time for human communications intelligence analysis. The effort will use the center's automatic speech processing capabilities including speaker identification, language identification, keyword recognition and speech enhancement."

Sunday, May 10, 2015

Can you hear me now?

The Intercept had a story last week on the state of speech processing capabilities within the SIGINT community (Dan Froomkin, "The Computers are Listening: How the NSA Converts Spoken Words Into Searchable Text," Intercept, 5 May 2015):

Top-secret documents from the archive of former NSA contractor Edward Snowden show the National Security Agency can now automatically recognize the content within phone calls by creating rough transcripts and phonetic representations that can be easily searched and stored.

The documents show NSA analysts celebrating the development of what they called “Google for Voice” nearly a decade ago.

Though perfect transcription of natural conversation apparently remains the Intelligence Community’s “holy grail,” the Snowden documents describe extensive use of keyword searching as well as computer programs designed to analyze and “extract” the content of voice conversations, and even use sophisticated algorithms to flag conversations of interest.

The documents include vivid examples of the use of speech recognition in war zones like Iraq and Afghanistan, as well as in Latin America. But they leave unclear exactly how widely the spy agency uses this ability, particularly in programs that pick up considerable amounts of conversations that include people who live in or are citizens of the United States.

Spying on international telephone calls has always been a staple of NSA surveillance, but the requirement that an actual person do the listening meant it was effectively limited to a tiny percentage of the total traffic. By leveraging advances in automated speech recognition, the NSA has entered the era of bulk listening.

It does not appear to be practical yet for NSA and its partners to capture and process into searchable (and permanently storable) text all the speech that passes through the SIGINT system.

Still, it is clear that the intelligence community's ability to process speech is rapidly growing.

None of this should come as a surprise if you've been paying attention, of course.

CSE and its Five Eyes partners have been working on computer speech recognition, and related technologies such as speaker identification, for a long, long time.

And some of us on the outside have been worrying—the less charitable might say panicking—about the potential privacy implications of such technologies for nearly as long:

“CSE's interest in high-tech devices that help locate specific conversations and documents is a clear indication the five-member alliance collects and sifts large volumes of civilian traffic, said Bill Robinson, a researcher in Waterloo, Ont., who has long studied the spy agencies. "This technology is needed to process vast communications streams when you're hunting for nuggets within it." Mr. Robinson said the devices have legitimate uses, but hold "potentially frightening" implications for people's privacy as the technology advances. "They'll be able to do things they never could've done in the past."” (Jim Bronskill, "High-tech snooping tools developed for spy agency," Vancouver Sun, 24 May 1999)

“Mr. Robinson says that while the federal government last year appointed a commissioner to oversee the CSE, he remains concerned that the SIGINT system as it sweeps through global, civilian communications could pose a threat, perhaps inadvertently, to the privacy of Canadians. "Not that the government is systematically monitoring citizens, but it's risky when the capabilities are developing to do that," he says.” (Peter Hum, "I spy," Ottawa Citizen, 10 May 1997)

“Since 1989, the CSE has awarded three contracts worth $1.1 million to a Montreal firm to make machines that can quickly isolate key words and phrases from millions of signals CSE monitors each day, CTV reported Sunday [based on Access to Information requests made by me]. “It’s frightening,” says Bill Robinson…. “It has Orwellian potential to sweep through everybody’s conversations. As computers get faster and faster, theoretically one would be able to keep records of all conversations.”” (“Spy agency works on eavesdropping device for phones, fax,” Ottawa Citizen, 31 January 1994)

Those capabilities don't appear to be here quite yet.

But they're a whole lot closer than they were 20 years ago.

Update 11 May 2015:

Follow-on story from The Intercept (Dan Froomkin, "The Computers are Listening: Speech Recognition is NSA’s Best-Kept Open Secret," Intercept, 11 May 2015):

It’s not surprising that the NSA isn’t talking about [speech recognition]. But oddly enough, neither is anyone else: Over the years, there’s been almost no public discussion of the NSA’s use of automated speech recognition.

One minor exception was in 1999, when a young Australian cryptographer named Julian Assange stumbled across an NSA patent that mentioned “machine transcribed speech.”

Assange, who went on to found WikiLeaks, said at the time: “This patent should worry people. Everyone’s overseas phone calls are or may soon be tapped, transcribed and archived in the bowels of an unaccountable foreign spy agency.”

Update 12 May 2015:

See also Allan Lawrence's 1984 speech to the House of Commons.

Saturday, May 09, 2015

"The Espionage Establishment" now available for viewing

The groundbreaking CBC documentary The Fifth Estate: The Espionage Establishment, originally broadcast on January 9th, 1974, is finally available for viewing online.

Among other revelations, The Fifth Estate: The Espionage Establishment was the first to reveal the existence of Canada's signals intelligence agency, then called the Communications Branch of the National Research Council (CBNRC), to the Canadian public and parliament. It even showed CBNRC's director, Kevin O'Neill, as he left his home to go to work (see screen cap above).

CBNRC's exposure led to extensive questioning in parliament and wide coverage in Canadian newspapers, and it is thought to have played an important role in the Trudeau government's 1975 transfer of the agency to the Department of National Defence, where it received its current name, the Communications Security Establishment.

Further comments on the documentary here.

H/T to Anonymous—no, not that one—for tipping me to the link.

Update 26 May 2015:

The CBC posted a brief introduction to the documentary here: Amber Hildebrandt, "How CSE's existence was first revealed by CBC TV," CBC News, 21 May 2015. They have also posted a link to the transcript of the program.

Friday, April 10, 2015

March 2015 CSE staff size

2168. Down slightly from last month's 2175.

This is the fourth drop in a row from CSE's peak staff size, 2254, which was recorded last November. Extended fluctuations in CSE's staffing sometimes occur, but this could be a sign that CSE's long growth period is finally over, at least for the time being, with its staff size stabilizing at roughly 2200—which appears to be around the size its new headquarters was designed for.

(Alternatively, we could be seeing a temporary slowdown in hiring as Ottawa struggles to make the books look good for the government's pre-election budget.)

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Thursday, April 09, 2015

Recent items of interest

Recent news and commentary items related to CSE, signals intelligence, and related issues:

- Ian MacLeod, "MP Rathgeber wants tougher oversight of electronic spy agency," Ottawa Citizen, 4 April 2015.

- Editorial, "Canada, the Five Eyes – and the hackers’ arms race," Globe and Mail, 30 March 2015.

- Jim Bronskill, "Conservative MP Michael Chong wants more parliamentary spy oversight," Canadian Press, 24 March 2015.

- Jillian Kestler-D’Amours, "Majority of Canadians oppose state surveillance, new report says," Toronto Star, 23 March 2015.

- Craig Forcese, "Bill C-44: Statement to Standing Senate Committee," National Security Law blog, 23 March 2015. (There is much more worth reading at Forcese's blog, particularly on the analysis he and Kent Roach have done on Bill C-51.)

- Colin Freeze & Christine Dobby, "Watchdog presses Ottawa for strong rules on sharing surveillance data," Globe and Mail, 18 March 2015.

- Ian MacLeod, "Spy versus spy: Australian security oversight holds lessons for Canada," Ottawa Citizen, 18 March 2015.

- Jordan Pearson, "NSA Targeted a Canadian Bank and Telecom Company Reveals New Snowden Doc," Motherboard, 17 March 2015. Follow-up to this Globe and Mail story.

- Mathew Ingram, "We can’t accept Internet surveillance as the new normal," Globe and Mail, 17 March 2015.

- Justin Ling, "Support Plummets For Harper’s Anti-Terror Bill, New Poll Shows," Vice, 17 March 2015.

- Jordan Press, "Cyber attack at NRC kept secret from other departments," Ottawa Citizen, 16 March 2015.

- Tony Burman, "Canadians should heed Edward Snowden’s warning: Burman," Toronto Star, 14 March 2015.

- Jordan Pearson, "Internet Providers are Keeping Canadians In the Dark About Their Privacy," Motherboard, 12 March 2015.

- Emily Chung, "Internet carriers may be breaching Canadian privacy laws," CBC News, 12 March 2015.

- Peter Jones, "Security review or oversight? The critical difference," Globe and Mail, 11 March 2015.

- Kent Roach & Craig Forcese, "Roach & Forcese: A parliamentary review is not redundant red tape," National Post, 9 March 2015.

Also worth checking out:

- "CSE Codewords and Abbreviations," Top Level Telecommunications blog, 5 April 2015.

- Christopher Parsons, "Five New Additions to the SIGINT Summaries," Technology, Thoughts & Trinkets blog, 27 March 2015.

SIGINT history

And for those interested in SIGINT history:

- Jerry Proc has put together some notes on the little-known radio operations at Prince Rupert, B.C., which served as one of Canada's intercept sites in the early post-war period.

- Second World War intercept operator Eileen Glavin is profiled here: Theresa McManus, "New West resident proud of her Top Secret work during the war," New West Record, 6 February 2015.

- And a visit to the U.K. National Archives by Jonjo Robb turned up a document that shows the Queen was receiving briefings classified Top Secret EIDER during the Suez Crisis in 1956. EIDER was the codeword for communications intelligence at the time. I wonder if the Queen still gets SIGINT-related briefings. Does she get stuff from the Canadian government too? Every now and then the Queen and other members of the family firm turn up for tours of GCHQ facilities.