Monday, January 16, 2017

ATIpper #9: CSE releases its definition of data

More from the Access to Information files:

Behold the CSE definition of data:

Access release A-2014-00013

Ouf, a bit heavily redacted, don't you think?

Let's try again.

Access release A-2015-00005

Oh, sure, much better. Thanksabunch.

Another try.

Released in 2016 Federal Court filing

All right, now we're starting to make some progress.

And finally...

Access release A-2011-00566

This. This is the kind of access to information response I like!

Which is great until you realize that this final response was in fact the first of the four releases.

Sunday, January 15, 2017

CSE recruiting the "best & brightest"

CSE is looking to recruit the "best & brightest"... er... hipsters, apparently, for its next student co-op period.

Now, I have absolutely nothing against hipsters, and I'm glad CSE doesn't either. Even the CIA has baristas these days. If the Edward Drake Building didn't get a kick-ass espresso machine or two as part of its $880-million price tag, it certainly should have.

But I do have qualms about any part of the national security state using the phrase "the best and the brightest" in an evidently non-ironic sense.

Maybe CSE's PR folks need to read the book.

What's going on in Washington these days is certainly not a repeat of the "best and brightest" episode.

But as a certain German once popular in Russia wrote, "all great world-historic facts and personages appear, so to speak, twice.... the first time as tragedy, the second time as farce."

Discrimination Unit, 283 Bank Street

Here are a couple of photos of the building that housed the Canadian Army's Discrimination Unit from early 1943 to August of that year.

Bank Street facade

Somerset Street facade

The Discrimination Unit (DU) was established in 1942 to sort the communications intercepted by the Army's Special Wireless Stations and analyze the "to" and "from" addresses and other external features of Japanese army and air force communications. According to the History of the Examination Unit, "Their work was chiefly the deriving of intelligence concerning the movement of Japanese troops in the Pacific area through a study of the preambles of military messages." Today we might call this work metadata analysis, but at the time it was known as Traffic Analysis, or T/A.

Most of the Japanese messages received at the Discrimination Unit were subsequently relayed to the U.S. Army's Signal Security Agency, which had the facilities to break the Japanese encryption systems and read the messages' content. Some were also processed at the Examination Unit (XU), Canada's own code-breaking agency.

When it was created in March 1942, the DU shared quarters with the XU in a house at 345 Laurier Avenue East, adjacent to Prime Minister Mackenzie King's residence. By the beginning of 1943, however, the two units had outgrown the space available in the house. As a result, the DU was moved to new offices at 283 Bank Street, at the northeast corner of Bank and Somerset, where it occupied some or all of the space used by the Gowling Business College. It's not clear what the Gowling Business College did at this point; by the end of 1943, however, newspaper ads show that it was again (or still) in operation at the Bank Street building.

By that time, the DU had already decamped for a new location, the top floor of the La Salle Academy, a Catholic boys' school on Guigues Street at Sussex Drive. In August 1943, the Army DU, the nascent RCAF Discrimination Unit, and a group of RCN T/A personnel jointly occupied the Guigues Street facility, while the school continued to operate on the floors below. In November 1943 they were joined by a Joint Machine Unit operating IBM punched-card machines to assist the traffic analysts. The JMU also assisted the cryptanalysts at the XU.

These units were later amalgamated with the Japanese section of the XU to form the Joint Discrimination Unit, which eventually evolved into Canada's postwar SIGINT organization, the CBNRC, now called CSE.

As can be seen in the photographs above, the Bank Street building was a multi-use facility with retail spaces on the ground floor, offices or other commercial space on the second floor, and a hall used for public events on the top floor.

Over the years it hosted a variety of businesses, including the Gowling Business College, a hardware store, a jewellers, a Chinese restaurant, Imperial Cleaners & Dyers, the offices of the British Canadian Industrial Company and the International Land and Lumber Company, an 18-hole miniature golf course, and the public events hall, known originally as Queen's Hall and later as Hollywood Garden.

According to this article, the building was destroyed by fire in the mid-1960s.

The site is now occupied by the Primecorp Building (275 Bank Street), which offers a similar mix of retail space and offices.

Friday, January 13, 2017

ATIpper #8: CANUSA "almost identical" to UKUSA Agreement

Another item from The Canadian Intelligence Community (16 March 1990; Library and Archives Canada release A-2016-00658, p. 19):

This snippet contains a number of useful bits of information:
  • Canada "agreed to be party" to the UKUSA Agreement at the Commonwealth SIGINT Conference of 1946;
  • The 1949 CANUSA Agreement was "almost identical" to the UKUSA Agreement; and
  • The CANUSA Agreement was "revised slightly in 1960".
The first point confirms this U.S.-U.K. document (p. 4), which reported that "The terms of the U.S. - British Communication Intelligence agreement had been explained to the Dominion representatives [at the February-March Commonwealth SIGINT Conference], in so far as they were affected, and had been accepted by them." Canada did not actually become party to the UKUSA Agreement (or BRUSA Agreement, as it was then known), but Canada, Australia, and New Zealand did agree to abide by its provisions and were accepted as partners.

On the second point, it has been clear for some time that the CANUSA Agreement was based closely on the UKUSA Agreement, but it's very useful to see it officially confirmed that the two agreements are "almost identical". The UKUSA Agreement was declassified and made public by the U.S. and U.K. in 2010. Surely it's long past time for the U.S. and Canada to do the same with the CANUSA Agreement. Because it's 2017.

Finally, we have the revelation that the CANUSA Agreement was "revised slightly" in 1960. The various appendices of the UKUSA and CANUSA agreements, which spell out details such as security procedures and communications systems, were under almost continuous revision in the early years of the agreements, so the change made in 1960 must have been something more fundamental than that. The Canadian Intelligence Community doesn't explain the nature of that change, unfortunately.

However, we do know from p. 32 of the document that the 1957 Tripartite [U.S.-U.K.-Canada] Alerts Agreement, which had originally covered only intelligence-sharing with respect to military threats from Communist countries, was extended in 1960 to include intelligence-sharing on a global basis ("consultations on threats to world peace and security anywhere in the world from any source").

Unlike its UKUSA model, the original CANUSA Agreement foresaw only limited intelligence-sharing between Canada and the U.S. on topics related to agreed-upon tasks, although in practice Canada got extensive access to Allied intelligence products from the beginning. Perhaps the 1960 amendment of the Tripartite Alerts Agreement led to or inspired a similar amendment formally recognizing that broader range of intelligence-sharing within the CANUSA Agreement as well.

Sunday, January 08, 2017

ATIpper #7: 1948 Quinquepartite SIGINT Agreement

The Canadian Intelligence Community (16 March 1990; Library and Archives Canada release A-2016-00658, p. 32) is also the source of this interesting summary of Canada's early SIGINT agreements:

(Note that the snippet incorrectly asserts that the BRUSA Agreement was signed in 1945: its text was negotiated during the fall of 1945, but the actual signing by the U.S. and the U.K. took place on 5 March 1946.)

The BRUSA (later called UKUSA) Agreement and the 1949 CANUS (or CANUSA) Agreement are by now well known, but much less is known about the 1948 Quinquepartite (i.e., five-party) SIGINT Agreement listed in the snippet.

A number of public sources have suggested that this agreement, said to have been signed in June 1948, was in fact the UKUSA Agreement, which then replaced the 1946 BRUSA Agreement.

However, the BRUSA/UKUSA documents declassified in 2010 don't seem to support this interpretation. Those documents demonstrate that the two-party BRUSA Agreement was subsequently renamed UKUSA, and that it remained a two-party agreement even in 1956. (Indeed, it still is today.)

Another BRUSA/UKUSA document (p. 4) does seem to confirm, however, that Canada, Australia, and New Zealand agreed at the February-March 1946 Commonwealth SIGINT Conference to abide by the provisions of the BRUSA Agreement:
Referring to the Commonwealth Conference just concluded, the Chairman reported that this had been highly successful. The terms of the U.S. - British Communication Intelligence agreement had been explained to the Dominion representatives, in so far as they were affected, and had been accepted by them. The Dominions had also agreed to abide by Joint Security Regulations to be issued from London after they had been agreed between STANCIB and the London Sigint Board.
So what was the nature of the five-party agreement signed in 1948?

One possibility is that the five countries signed a document formalizing the commitments made in 1946 by Canada, Australia, and New Zealand to abide by the provisions of the BRUSA Agreement and the related SIGINT security rules. What the "minor changes from the BRUSA agreement" would have entailed, I don't know.

If more information has been released about this agreement I would appreciate hearing about it.

Friday, January 06, 2017

ATIpper #6: 1957 Division of Effort

More from the Access to Information (ATI) files:

Some nice information here from the Isbister Report (Intelligence Operations in the Canadian Government, 9 November 1970) about how CBNRC (now CSE) set its intelligence processing tasks and priorities at that time:

Note especially the revelation that "the division of main responsibilities for SIGINT tasks [was] reached at a Tripartite (US-UK-Canada) SIGINT Conference in 1957 in the interests of avoiding unnecessary duplication. A working arrangement for the allocation of tasks was proposed by CBNRC/GCHQ/NSA. It was approved by [the Director of Communications Security] and reported in October 1957 to [the Communications Security Board] which exercised policy control before [the Intelligence Policy Committee] was formed."

A 1990 document (The Canadian Intelligence Community, 16 March 1990; discussed here earlier) adds the further detail that "Canada undertook to bear the main responsibility for the collection and analysis of SIGINT on the Soviet Arctic."

The passage also suggests that the 1957 division of effort may have been part of a larger Canada-United Kingdom-United States CANUKUS Agreement, the exact date of which has never been clear to me. (Tripartite COMINT conferences were already being held by the three countries by 1950.)

The allied division of effort was subsequently expanded to all of the Five Eyes members and covered "not only the exchange and exploitation of intelligence on Communist countries, but also on the most important strategic areas of the world."

Canada's decision to largely abandon its cryptanalysis program in 1957 was probably related to the task-allocation decisions made by the three partners that year. (CSE's cryptanalytic capabilities were revived in the 1980s.)

The end of the Cold War may well have spelled the end to any formal division of effort among the Five Eyes allies.

CSE's statutory mandate, added to the National Defence Act in 2001, specifies that CSE foreign intelligence collection must be done "in accordance with government of Canada intelligence priorities", and CSE Chief John Adams, testifying in 2007, denied that any sort of formal division of effort then existed among the allies:
The Chairman: Do protocols exist where you have divided up the spectrum, as it were?

Mr. Adams: No, they do not, senator. It is based purely on our priorities as defined by the government.

The Chairman: Allied countries do not get together and say, ``You seem to be doing fairly well in this area, but we have a bit of a gap over here; any chance of you moving into it?''

Mr. Adams: No, we do not. If it is important to Canada, we will be there, if we can get there, obviously.

In discussions, as I said earlier, knowing the priorities that we have, we would share if there are mutual priorities and mutual national interests.
That being said, I rather suspect that, formally or informally, one of our national intelligence priorities is to make sure that we continue to collect enough intelligence of sufficient interest to our Five Eyes allies to ensure that they continue to see value in sharing the intelligence they collect with us.

ATIpper #5: 200,000 end product reports produced per year in 1990

A 16 March 1990 document called The Canadian Intelligence Community, released by Library and Archives Canada (release A-2016-00658), has quite a lot of really interesting information in it, including a couple of unprecedented details on the production of end product reports by Canada and its Five Eyes allies:

"The extremely close relationships existing between CSE and the counterpart organizations in the USA (National Security Agency) and the UK (Government Communications HQ) entail extensive technical co-operation as well as the exchange of end-product reports. On the latter point, the activities carried out by CSE result in the availability to the government of about 200,000 reports a year, only 10,000 of which are actually produced in Canada."

The report also specifies that NSA alone "produces in excess of 100,000 reports each year, most of which are shared with Canada."

I'm guessing that the temperature in Hell would have to be pretty close to 0 degrees Kelvin for CSE's redactors to ever release a comparable set of numbers.

Much has changed since 1990, but it seems likely that CSE and its allies are still producing a similar or perhaps even greater number of end product reports every year.

Tuesday, January 03, 2017

ATIpper #4: CANUSA confusion

More from the Access to Information (ATI) files:

Some secrets are worth protecting, and some aren't. A good example of the latter category is the 1949 Canada-U.S. COMINT Agreement, otherwise known as the CANUSA Agreement.

For some reason, CSE continues to believe that almost all information about this 68-year-old agreement is a deep national secret that must never be revealed.

As a result, even a simple introductory sentence about the agreement gets redacted, as in this example from access release A-2014-00062:

Or this example, redacted from a separate version of the same document released to the British Columbia Civil Liberties Association and subsequently made public in a Federal Court filing:

Clearly CSE does not want this information revealed.

But no one is perfect, so here—thanks to another access release, A-2013-00084—is what the redacted sentence actually said:

“The CANUSA Agreement established the relationship between the Canadian Communications Research Committee (a predecessor of CSEC) and the U.S. Communication Intelligence Board (a predecessor of NSA) respecting COMINT.”

Let's hope the nation's security will someday recover from this blow.

Personally I have no doubt that it will, and very quickly too, as the newly revealed secret information is not actually correct.

The Communications Research Committee was not a predecessor of CSE, and the U.S. Communication Intelligence Board was not a predecessor of NSA. The Communications Research Committee was an interdepartmental committee chaired by External Affairs and set up, as the History of CBNRC explains, to "control all SIGINT activities, including policy control of CBNRC and Canadian intercept stations". The U.S. Communication Intelligence Board was the parallel U.S. body that controlled U.S. SIGINT policy. The actual SIGINT organizations at the time were the CBNRC (the Communications Branch of the National Research Council, CSE's original name) and AFSA (the Armed Forces Security Agency), respectively.

CSE was probably thinking of a different CRC. The organization that became CBNRC in September 1946 was briefly known as the Communications Research Centre earlier in 1946. By 1949, however, that name was long gone.

What is correct is that the Communications Research Committee and the U.S. Communication Intelligence Board were the signatories of the CANUSA Agreement.

The good news here for CSE is that the document that contains this sadly misinformed sentence was written by CSE's watchdog agency, the Office of the CSE Commissioner (OCSEC), not CSE itself.

The bad news is that OCSEC reports are submitted to CSE in draft form so that CSE can check them for factual accuracy. And although we don't know what the good folks at OCSEC originally drafted, editorial notes that were also released as part of access release A-2014-00062 confirm that it was CSE that suggested the incorrect interpretation:

Pardon me while I address our national cryptologic agency directly for a moment:

You know, if you just proactively declassified the whole CANUSA Agreement—like the U.S. and the U.K. did with the CANUSA Agreement's model, the UKUSA Agreement, more than six years ago—you might save yourselves a lot of embarrassment.

Just saying.

Saturday, December 31, 2016

A century of Canadian SIGINT

The Communications Security Establishment recently celebrated its 70th birthday, but Canada's SIGINT history began well before September 1946.

As I've mentioned before, Canadian SIGINT activities during the Second World War laid the foundations for Canada's participation in the post-war Five Eyes SIGINT alliance. But WWII wasn't the beginning of the story either.

In fact, the first recorded Canadian SIGINT activity took place on or about the 1st of January 1917, exactly one century ago.

According to Major Rob Martin (Cracking the Code, Winter 2004),
the earliest record of Canadian Corps intercept of German communications—predominantly telephone (non-wireless)—occurred about 1 January 1917, at "No 6 Post", Neuville St. Vaast
Regular monitoring of German radio communications began later in 1917 and continued until at least August 1918.
At demobilization, however, the fledgling wireless intercept elements suffered the same fate as many other Canadian Expeditionary Force (C.E.F.) wartime establishments—they were struck off strength—and no effort was made to create or sustain any organic Canadian Army capability in wireless intelligence, strategic or tactical, until the spring of 1938...

[Update 17 January 2017: Oops, judging from the comment below, 1917 may have been the start of army SIGINT activities, but Canadian naval SIGINT activities began shortly after the beginning of the First World War.]

Image source