Sunday, March 01, 2015

The Fifth Estate: The Espionage Establishment

On January 9th, 1974, the CBC broadcast a documentary about the Canadian intelligence community entitled "The Fifth Estate: The Espionage Establishment." Unrelated to the investigative journalism program The Fifth Estate, which wasn't created until a year later, the documentary contained extensive details of the U.S. Central Intelligence Agency's activities around the world, discussed Canada's cooperation with the CIA, and outed the CIA's Chief of Station in Ottawa.

It also revealed to the Canadian public and parliament that Canada had a signals intelligence agency, the Communications Branch of the National Research Council (CBNRC). The documentary included an extensive interview with NSA whistleblower Perry Fellwock (using the pseudonym Winslow Peck), who had earlier named CBNRC to the U.S. counterculture magazine Ramparts, in which he explained the nature of the National Security Agency and discussed CBNRC's role as a partner in the UKUSA SIGINT community.

CBNRC's exposure led to immediate questioning in parliament by Conservative and NDP MPs and wide coverage in Canadian newspapers, and it is thought to have played an important role in the Trudeau government's 1975 transfer of the agency to the Department of National Defence, where it received its current name, the Communications Security Establishment.

Although it took almost a decade for the government to formally acknowledge, in late 1983, CSE's signals intelligence role, the 1974 broadcast marked the beginning of public and parliamentary discussion of the agency and Canada's role in the SIGINT community and thus, in a sense, the beginning of public oversight over the agency.

CSE itself has a slightly garbled version of the story on its website:
In 1974 the television program "The Fifth Estate" broadcast an exposé of Canadian involvement in signals intelligence. The program revealed the existence of the hitherto low-profile CBNRC, and explored the nature of its signals intelligence program and its US partners. The Fifth Estate's revelations were raised in the House of Commons over the next week. As a result of the unwelcome publicity, the government soon transferred Canada's SIGINT and Communications Security organization to the Department of National Defence portfolio, and renamed it the Communications Security Establishment (CSE).
I have pointed out on more than one occasion that the documentary had no relation to "the television program 'The Fifth Estate'", but our listening agency just isn't listening on that subject. Maybe I need to send an e-mail to some department of the government.

As far as I know, the documentary was never re-broadcast, and it does not appear to be available for viewing.

A transcript of the program does exist, however.

And here it is:

The Fifth Estate: The Espionage Establishment (produced and directed by William Macadam; research directed by James R. Dubro).

Update 2 March 2015:

While we're on the subject of garbles on the CSE website, let's consider another portion of the same web page:
On September 27, 2007, the Treasury Board Secretariat of Canada approved the registration of a new applied title for the organization. This change was made in order to become compliant with the federal government's Federal Identity Program (FIP), which requires all departments and agencies have the word 'Canada' as part of their corporate title. From this point forward, the organization became known as Communications Security Establishment, with an abbreviation of CSE. It is important to note that while the applied title changed, the legal title remains Communications Security Establishment and continues to be used for all legal documents.
Now, this passage actually made some sense in the days when it read "From this point forward, the organization became known as Communications Security Establishment Canada, with an abbreviation of CSEC." But last summer CSE quietly reverted to its legal name, the Communications Security Establishment, for its public identification purposes, and apparently somebody at CSE thought the best way to update the explanation was simply to delete the word Canada.

So now hapless readers get informed that Canada's SIGINT agency, renamed CSE in 1975, became known as CSE in 2007, but this was only a change in applied title, since its legal name remained CSE.

Does anybody there read the stuff they post?

Let's not even talk about the hopelessly outdated "Quick Facts about CSE" at the bottom of the web page.

Wednesday, February 25, 2015

Bcc: CSE

The CBC and The Intercept have published new reports on the collection by CSE's cyberdefence program of e-mail and website contacts between Canadians and the federal government (Amber Hildebrandt, Michael Pereira & Dave Seglins, "CSE monitors millions of Canadian emails to government," CBC News, 25 February 2015; Ryan Gallagher & Glenn Greenwald, "Canadian Spies Collect Domestic Emails in Secret Security Sweep," The Intercept, 25 February 2015).

As explained in the CBC report,
A top-secret document written by Communications Security Establishment (CSE) analysts sheds new light on the scope of the agency’s domestic email collection as part of its mandate to protect government computers. ...

The surveillance service vacuums in about 400,000 emails to and from the government every day and then scans them using a tool called PonyExpress to look for any suspicious links or attachments, according to the top-secret document.

That automated system sifts through them and detects about 400 potentially suspect emails each day — about 146,000 a year. That system sends alerts to CSE analysts, who then can take a closer look at the email to see if it poses any threat.

Only about four emails per day — about 1,460 a year — are serious enough to warrant CSE security analysts contacting the government departments potentially affected. ...

CSE holds on to emails for “days to months,” while metadata -- the details about who sent it, when and where -- is kept for “months to years,” according to the document. The agency also records metadata about visits to government websites.
The number of e-mails said to be serious enough to take action on (~1460/year) corresponds well to the range for e-mails "used or retained" by the CSE cyberdefence program (1000-3996/year) that I reported here based on analysis of CSE documents released under the Access to Information Act.

As the CBC notes, the number of e-mails and other contacts monitored and the number ultimately flagged for action are likely to have increased since the 2010 document was written. In 2010 CSE routinely monitored only its own communications and those of the Department of National Defence and the Department of Foreign Affairs. It has since also become responsible for monitoring communications to the rest of the Government of Canada through the Shared Services Canada network. However, the Access documents suggest that, as of a year or two ago, the total number used or retained per year remained lower than 4000.

The CSE document that today's reports are based on, another one of the Five Eyes documents leaked by Edward Snowden, can be found here. (Be sure to check the second half of the file, where the speaker's notes accompanying the PowerPoint slides were also reproduced.)

The CBC also published a very interesting set of CSE responses to questions that its reporters put to the agency. (But don't expect all the questions to be answered.)

The activities revealed in today's reports are the kinds of things we would expect a cyberdefence program to do, and the CBC was right, I think, to report the information without trying to make a scandal out of it. That said, there are legitimate questions about how much information concerning Canadians' interactions with their government is retained by CSE, how long that information can be held, and what purposes that information can be used for, and the CBC was also right to report those questions, and CSE's partial responses.

Update 1 March 2015:

Further coverage/commentary:

- Nicole Bogart, "CSE monitors your emails to the government: What you need to know," Global News, 25 February 2015

- Adrian Lee, "So, when do we start caring about privacy?" Maclean's, 25 February 2015

- Craig Desson, "Leaked files show Canadian spy agency struggling with flood of data," Toronto Star, 26 February 2015

- Ken Hanly, "Op-Ed: Canadian spy agency collects Canadian emails to government sites," Digital Journal, 26 February 2015

Tuesday, February 24, 2015

CSE 2015-16 budget $538 million

The Main Estimates for fiscal year 2015-2016, which were tabled in parliament today, show that CSE's budget is projected to be $538 million in the coming year.

The agency's 2015-16 budget is down significantly from its 2014-15 budget, but the difference is almost entirely due to the one-time $300-million payment made to the builders of CSE's new headquarters complex on its completion last year. As the Main Estimates note, "Following delivery of CSE's new facility in 2014–15 and its associated one-time contract costs, [the 2015-16 budget will feature] a combined reduction in funding of $306.7 million for operating and accommodations".

CSE's 2014-15 budget authority currently stands at $849 million, although it is possible that not all of that sum will be spent by the end of the fiscal year. If the $306.7 million reduction is excluded, the current budget and the coming budget are almost identical, and the amount that is actually spent in the coming year could well be higher.

Although CSE's budget transparency declined significantly after it became a stand-alone agency in 2011, one point of new information did begin to be regularly reported by the government: the breakdown in CSE's budget between its two main activities, the SIGINT program and the Information Technology Security (ITS) program.

According to the Main Estimates, in 2015-16 the SIGINT program will account for $388 million, or 72%, of CSE's budget, while the ITS program will account for $150 million, or 28%.

For comparison, here is the breakdown in previous years:

2014-15: 72/28
2013-14: 68/32
2012-13: 69/31

These numbers suggest that, despite increasing concern about Canada's vulnerability to cyberattacks and cyberespionage, CSE's SIGINT program has been growing faster than the ITS program in recent years. However, such numbers are likely to fluctuate quite significantly from year to year as capital spending related to specific projects starts and stops, so it is probably too early to draw conclusions about overall trends.

The ITS program (then known as COMSEC) accounted for only about 20% of CSE personnel in the mid-1970s, whereas the figure now is probably about 25%, so the long-term trend has been a gradual increase in the relative size of the ITS program.

Sunday, February 22, 2015

Minor budget boost for CSE

The Supplementary Estimates (C), which were tabled in parliament on February 19th, show that CSE's budget authority for the current fiscal year (2014-15) has been boosted by an additional $610,528, for a total budget authority of $849,407,283. (Previous discussion of the 2014-15 budget here and here.)

The primary cause of the latest boost is a $600,000 transfer from the Department of National Defence in return for "the permanent transfer of two generators to Canadian Forces Base Trenton". The two generators in question are presumably the large containerized generators that used to supply back-up power to CSE's high-performance computing centre, the new headquarters building's Pod 1. I noted the recent disappearance of those two generators here.

The remainder of the budget boost comes from a $10,527 transfer from Public Works and Government Services for "reimbursement of funds for the transformation of pay administration".

The document also provides for a $1 appropriation to "authorize" the abovementioned transfers. To the best of my knowledge, this last is a form of a ritual sacrifice to the Gods of fiscal management.

Friday, February 13, 2015

January 2015 CSE staff size

2179: another decline, but quite possibly reflecting normal fluctuation.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Wednesday, February 11, 2015

Recent items of interest

Recent CSE-related news/commentary items:

- Justin Ling, "Bankers Tell Canadian Government They Want Spy Briefs Too," Vice, 10 February 2015.

- Christopher Parsons, "Six New Additions to the SIGINT Summaries," Technology, Thoughts & Trinkets blog, 6 February 2015.

- Colin Freeze, "Canadian agencies use data stolen by foreign hackers, memo reveals," Globe and Mail, 6 February 2015.

- Alex Boutilier, "Canadian military wants to be ‘main player’ in global intelligence, document shows," Toronto Star, 6 February 2015.

- Jim Bronskill, "Supreme Court to weigh legality of CSIS’s overseas spying," Canadian Press, 5 February 2015.

- Glenn Greenwald, "Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise," The Intercept, 4 February 2015.

- Justin Ling, "The Harper Government Still Thinks CSE Is Acting Legally," Vice, 4 February 2015.

Also of interest are these two articles analyzing Five Eyes (including CSE) malware activities (h/t to Bruce Schneier):

- Claudio Guarnieri, "Everything we know of NSA and Five Eyes malware," blog, 27 January 2015.

- MH, "If the NSA has been hacking everything, how has nobody seen them coming?" thinkst thoughts blog, 27 January 2015.

EONBLUE: CSE cyber threat detection system "deployed across the globe"

Matthew Braga has written a very interesting and informative report on CSE's EONBLUE cyber threat detection system ("How Canadian Spies Infiltrated the Internet's Core to Watch What You Do Online," Motherboard, 11 February 2015):
[A]t over 200 locations around the world, spies from Canada's cyberintelligence agency have been monitoring huge volumes of global internet traffic travelling across the internet's core.

From these locations, Communications Security Establishment (CSE) can track who is accessing websites and files of interest. Its analysts can also log email addresses, phone numbers and even the content of unencrypted communications—and retain encrypted communication for later study, too—as well as intercept passwords and login details for later access to remote servers and websites.

But perhaps more importantly, tapping into global internet traffic is a means for CSE to monitor, and also exploit, an ever growing list of digital threats, such as vulnerabilities in networks and computers and the spread of malware as well as botnets and the computers under their control. In the process, analysts can keep tabs on both friendly and foreign governments conducting covert cyber attacks and infiltration of their own.

Such vast access to the backbone of the internet is achieved through a program called EONBLUE. According to documents disclosed by whistleblower Edward Snowden, and published by Der Spiegel last month, the program is designed to "track known threats," "discover unknown threats," and provide "defence at the core of the Internet." ...

While the locations of EONBLUE sites are not disclosed in the documents, one slide makes reference to the internet's "core" and describes EONBLUE's ability to "scale to backbone internet speeds"—implying possible access to telecom operators, data centers, undersea cables and other infrastructure providers worldwide.

Such access would mean that much, if not all of the data, travelling through a location tapped by CSE could be subject to surveillance. Though the agency maintains it cannot legally track Canadians at home or abroad it is hard to fathom how such data could be exempt.
And in fact it wouldn't be exempt. CSE can and does monitor Canadian communications and other Canadian data that pass through its foreign-intelligence and cyber-threat collection sensors, and it is entirely legal for it to do so as long as that data wasn't specifically targeted for collection on the basis of its being Canadian or being related to a specific Canadian or person in Canada (i.e., the National Defence Act requires only that CSE's Mandate (a) and (b) activities "not be directed at Canadians or any person in Canada" [emphasis added]). If CSE targets material on some other basis and some percentage of the information pulled in turns out to be Canadian-related, as inevitably some will, that is considered "incidental" collection, which is permitted under the law as long as a suitable Ministerial Authorization is in place.

(I'm not saying that incidental collection is not an issue worthy of concern, by the way—just pointing out that the government, which wrote the law specifically to permit this kind of activity, is not breaking the law when it engages in it.)

It is also worth noting that CSE does have the ability to target Canadians when it is operating under its Mandate (c), i.e., providing support to federal law enforcement or security agencies, but in that case the targeted Canadian must be the subject of a judicial warrant obtained by one of those agencies.

More from Braga:
One slide suggests that EONBLUE sits on-top of existing collection programs, such as SPECIALSOURCE, and sometimes referred to as Special Source Operations (SSO)—a term that has been used in other documents to indicate direct access to fibre-optic cables and ISPs.

In other words, CSE’s partner agencies—or another division within CSE itself—are likely responsible for gaining physical access to internet infrastructure, and then making that data available to programs such as EONBLUE.
I think that's correct. Note also that the slide (which is reproduced in Braga's article) shows that EONBLUE is also deployed at "CANDLEGLOW (FORNSAT)", which apparently refers to CSE's foreign satellite monitoring activities at CFS Leitrim, just south of Ottawa.

Wednesday, January 28, 2015

LEVITATION: CSE and free file upload sites

Excellent new CBC report on another CSE document leaked by Edward Snowden (Amber Hildebrandt, Michael Pereira and Dave Seglins, "CSE tracks millions of downloads daily: Snowden documents," CBC News, 28 January 2015):
Canada's electronic spy agency sifts through millions of videos and documents downloaded online every day by people around the world, as part of a sweeping bid to find extremist plots and suspects, CBC News has learned.

Details of the Communications Security Establishment project dubbed "Levitation" are revealed in a document obtained by U.S. whistleblower Edward Snowden and recently released to CBC News.

Under Levitation, analysts with the electronic eavesdropping service can access information on about 10 to 15 million uploads and downloads of files from free websites each day, the document says.

"Every single thing that you do — in this case uploading/downloading files to these sites — that act is being archived, collected and analyzed," says Ron Deibert, director of the University of Toronto-based internet security think-tank Citizen Lab, who reviewed the document. ...

According to the document, Canada can access data from 102 free file upload sites, though only three file-host companies are named: Sendspace, Rapidshare and the now-defunct Megaupload.

Sendspace told CBC News that "no organization has the ability/permission to trawl/search Sendspace for data," and its policy states it won't disclose user identities unless legally required.

No other file-sharing company responded to CBC requests for comment.

However, the Levitation document says that access to the data comes from unnamed "special sources," a term that in previous Snowden documents seemed to refer to telecommunications companies or cable operators.

It is also unclear which, or how many, of the Five Eyes access information on these uploaded files and whether the companies involved know the spy agencies have this access.

Many people use file-sharing websites to share photos, videos, music and documents, but these cyber-lockers have also been accused of being havens for illegally sharing copyrighted content.

Not surprisingly, extremists also use the online storage hubs to share propaganda and training materials.

To find those files, the document says Canada's spy agency must first weed out the so-called Glee episodes as well as pictures of cars on fire and vast amounts of other content unrelated to terrorism.

Analysts find 350 "interesting download events" each month, less than 0.0001 per cent of the total collected traffic, according to the top-secret presentation.

Surveillance specialists can then retrieve the metadata on a suspicious file, and use it to map out a day's worth of that file user's online activity.

By inputting other bits of information into at least two databases created by the spying partners, analysts can discover the identity and online behaviour of those uploading or downloading these files, as well as, potentially, new suspicious documents.

The Levitation project illustrates the "giant X-ray machine over all our digital lives," says Deibert.

Once a suspicious file-downloader is identified, analysts can plug that IP address into Mutant Broth, a database run by the British electronic spy agency Government Communications Headquarters (GCHQ), to see five hours of that computer's online traffic before and after the download occurred.

That can sometimes lead them to a Facebook profile page and to a string of Google and other cookies used to track online users' activities for advertising purposes. This can help identify an individual.

In one example in the top-secret document, analysts also used the U.S. National Security Agency's powerful Marina database, which keeps online metadata on people for up to a year, to search for further information about a target's Facebook profile. It helped them find an email address.

After doing its research, the Levitation team then passes on a list of suspects to CSE's Office of Counter Terrorism.

The agency cites two successes as of 2012: the discovery of a German hostage video through a previously unknown target, and an uploaded document that gave it the hostage strategy of a terrorist organization.
There is much more worth reading in the CBC's story.

The CBC also published CSE's response to the questions that CBC submitted to the agency concerning the program.

You can listen to the CBC's Dave Seglins discussing the story on CBC Radio's The Current here. (I get my own two cents' worth in at the end of the segment. One minor correction: as I mentioned here, my father was never part of the SIGINT world.)

The CBC's reporting on the document was done in conjunction with Glenn Greenwald and The Intercept, whose take on the story can be read here: Ryan Gallagher & Glenn Greenwald, "Canada Casts Global Surveillance Dragnet Over File Downloads," The Intercept, 28 January 2015.

It is probably worth noting that none of the above means that CSE has been "targeting" or "directing its activities at" Canadians. As the agency frequently points out, it is not permitted to target Canadians anywhere or any person in Canada (except of course, as it much more rarely points out, when operating under its Mandate C). CSE is very much permitted, however, to collect the communications of or information about Canadians etc. if that collection is "incidental" to its efforts to collect information on its foreign targets, assuming a suitable Ministerial Authorization is in place (and you can rest assured, one is).

But when your 100% legal foreign target includes all traffic to or from all (presumably foreign-based) free upload sites in the world, then your "incidental" collection will include not just some, not just a lot of, but all Canadian traffic to or from those sites as well.

Which sort of makes the distinction between directing or not directing your activities at Canadians moot.

No Canadian transaction with these sites was targeted for collection. But every last one of them was in fact collected, either by CSE itself or by its partners, who then made it available for CSE's examination.

Other coverage/commentary:

- "Canadian spies scoured file-sharing sites to track jihadis, document shows," Globe & Mail, 28 January 2015.

- Matthew Braga, "Spies Know What You're Downloading on Filesharing Sites, New Snowden Docs Show," Motherboard, 28 January 2015. Includes interesting speculation on EONBLUE.

- "Spy agency CSE is monitoring our private online activities on a massive scale and sharing sensitive data with other governments,", 28 January 2015.

- David Ljunggren, "Snowden files show Canada spy agency runs global Internet watch: CBC," Reuters, 28 January 2015.

- Andy, "Canadian Government Spies on Millions of File-Sharers," TorrentFreak, 28 January 2015.

- Jim Bronskill, "Spies agency defends Internet terror hunt," Canadian Press, 28 January 2015.

- Jamie Condliffe, "Canadian Spies Monitor Millions of International File Downloads Daily," Gizmodo, 28 January 2015.

- Laura Tribe, "Mass surveillance program in Canada revealed on International Data Privacy Day," CJFE blog, 28 January 2015.

- "Cyber surveillance worries most Canadians: privacy czar's poll," CBC News, 28 January 2015.

- "Project Levitation and your privacy: Politicians call for cybersurveillance oversight," CBC News, 28 January 2015.

- Alex Boutilier, "Mass surveillance program defended by Conservatives," Toronto Star, 28 January 2015.

- Colin Freeze, "Spy program raises concerns about Internet anonymity," Globe & Mail, 28 January 2015.

- Ian Austen, "Canada Agency Monitors File-Sharing, Reports Say," New York Times, 28 January 2015.

Update 29 January 2015:

- Amber Hildebrandt, Michael Pereira and Dave Seglins, "CSE's Levitation project: Expert says spy agencies 'drowning in data' and unable to follow leads," CBC News, 29 January 2015.

- John Leyden, "Snowden reveals LEVITATION technique of Canada’s spies," The Register, 29 January 2015.

- Editorial, "Snowden and the dark sophistry of CSEC," Globe & Mail, 29 January 2015.

- Eva Prkachin, "The Mega-spies on Megaupload,", 29 January 2015.

Update 2 February 2015:

- Jesse Brown, "Your Government is Spying on Your Downloads," Canadaland, Episode 68, 1 February 2015. Brown interviews Christopher Parsons of CitizenLab on the LEVITATION document and broader CSE-related questions. Highly recommended.

Update 3 February 2015:

- Michael Geist, "The Canadian Privacy and Civil Liberties Punch in the Gut (or Why CSE/CSIS Oversight is Not Enough),", 3 February 2015. "Mass surveillance of a hundred million downloads every week by definition targets Canadians alongside Internet users from every corner of the globe. To argue that Canadians are not specifically targeted when it is obvious that the personal information of Canadians is indistinguishable from everyone else’s data at the time of collection, is to engage in meaningless distinctions that only succeed in demonstrating the weakness of Canadian law. Better oversight of CSE is needed, but so too is a better law governing CSE activities."