Tuesday, March 25, 2014

Robinson PGP key

I've decided I should (re)acquire the capability to use PGP.

I work under the assumption that any major SIGINT agency that decides it has a specific interest in my correspondence will always be able to find the means to access it regardless of whatever crypto precautions I might try to take, so don't take this step as an invitation to send me things you wouldn't want our five-eyed friends and their counterparts elsewhere to know about.

But nothing says that everyone in the general public should be forced to leave all of their correspondence open for anyone to read at any time, so acquiring PGP seems like a reasonable thing to do.

[Update 31 October 2022 with new key]

Here is my public key (fingerprint: D3AA D0C0 29A9 694A A82A DB20 EE2F A666 3C7C 280F):


Monday, March 24, 2014

Freeze on CANADALAND

The latest edition of Jesse Brown's CANADALAND podcast features a conversation with Globe and Mail reporter Colin Freeze on the difficulties of covering intelligence/privacy issues in Canada even in the post-Snowden world: How Canada's Spies Game the Media

Freeze is one of the few journalists who has done extended coverage of intelligence-related issues in Canada and he has taken the lead on recent CSEC coverage. (Others worth mentioning include Jim Bronskill, Greg Weston, Michelle Shephard, Stewart Bell, Ian MacLeod, and Andrew Mitrovica.)

Well worth a listen.

(Oh, and thanks for the plug on your website, Jesse!)

Saturday, March 22, 2014

Meta-truth on mega-data

Every now and then it's fun to look back at earlier official assurances and compare them to what we know today.

This June 2013 statement by then-Defence Minister Peter MacKay, which I recently re-read while checking some other information, is a good example:
Mega-data is collected only on international, not domestic, communications.

Yes, he really did say mega-data instead of metadata.

But the fun part is re-reading MacKay's statement in the context of this recent revelation. (Further discussion here and here.)

SNOWGLOBE: CSEC analysis of suspected French spyware

Le Monde has published a report on CSEC's analysis of an e-mail spying operation that it discovered in November 2009. The operation targeted a number of organizations around the world, including a French-language media outlet in Canada. CSEC concluded that the source of the operation was probably France (Jacques Follorou & Martin Untersinger, "La France suspectée de cyberespionnage," Le Monde, 21 mars 2014).

See also: Jacques Follorou & Martin Untersinger, "Quand les Canadiens partent en chasse de « Babar »," Le Monde, 21 mars 2014.

The newspaper also published several slides from the CSEC powerpoint presentation, one of the documents leaked by Edward Snowden, on which the Le Monde reports were based.

Globe and Mail coverage here: Tu Thanh Ha, "French spy software targeted Canada: report," Globe and Mail, 21 March 2014.

Monday, March 17, 2014

Recent news/commentary

Recent news and commentary items related to CSEC:

- Jim Bronskill, "Canada's electronic spy agency uncovers wrongdoing, ethics breaches," Canadian Press, 16 March 2014.

- Matthew Braga, "Why can't, or won't, your phone company detail data it shares with the feds?" Globe and Mail, 16 March 2014; see also Christopher Parsons, "The Murky State of Canadian Telecommunications Surveillance," citizenlab.org, 6 March 2014.

- John Adams, "Making the case for metadata," iPolitics, 14 March 2014; see also the longer version here. (The former Chief of CSEC defends the agency's operations, while reiterating his support for greater parliamentary scrutiny. In the iPolitics version, but not the longer version, Adams also makes the intriguing statement that there is within CSEC "an internal audit committee which includes external-to-government members, with access to any and all activities carried out by CSEC" in order to help keep an eye on the agency (emphasis added). He is not talking about the CSE Commissioner, whom he discusses separately. What is the nature of this committee, and who are these external-to-government individuals?)

- Alex Boutilier, "Ottawa imposes life-long gag order on bureaucrats, lawyers," Toronto Star, 13 March 2014. (Additional organizations added to the list of persons "permanently bound to secrecy".)

- Jordan Press, "Canada’s military squeezed out of cyber-defence, emails warn," Vancouver Province, 12 March 2014.

- Michael Geist, "If U.S. Cloud Computing Isn't Good Enough for the Canadian Government, Why Should It Be for You?" Michael Geist blog, 12 March 2014.

- Colin Freeze, "Spy agency’s memos to minister shed light on secretive practices," Globe and Mail, 7 March 2014 (available only to subscribers, but you can read the bits of the memos that were released here)

Saturday, March 15, 2014

CSEC OLYMPIA software analyzed



The Top Level Communications blog has published a detailed and convincing analysis of the functions and capabilities of CSEC's OLYMPIA target development software, as revealed in a leaked June 2012 powerpoint presentation (part of the Snowden documents): OLYMPIA: How Canada's CSEC maps phone and internet connections (13 March 2014).

The topics discussed are way beyond my very limited technical knowledge, so there's very little I can add, but FWIW the explanations provided do seem to ring true.

One small note: While I agree that the TAO referred to in the presentation is most likely NSA's Tailored Access Operations unit, there is some reason to believe that CSEC's parallel unit may also use the name "Tailored Access".

Previous discussion of OLYMPIA here, here, and here.

Friday, March 14, 2014

February 2014 CSEC staff size

2162.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Sunday, March 09, 2014

Parliamentary oversight at work



On January 29th, James Bezan, the Parliamentary Secretary to the Minister of National Defence, assured the House of Commons that improved parliamentary oversight of the Canadian intelligence community is unnecessary because existing committees already have the power to provide oversight (previous discussion here):
The Standing Committee on National Defence has the authority and the power to call the commissioner of the Communications Security Establishment as well as Communications Security Establishment Canada before committee. It also has the opportunity, if it so desires, to meet with CSEC staff on its premises. They have a new building that members could easily tour around.

Those opportunities already exist. Parliamentary oversight is already in place. We do not need to be reinventing the wheel.

The screen capture reproduced above demonstrates that Mr. Bezan did indeed have a straight face as he made those comments.

On February 4th, the Conservatives defeated a Liberal motion that called on the government to establish a special intelligence oversight committee. Bezan once again took the lead in arguing against the motion:
The member is calling for more parliamentary oversight, yet Parliament has always had the ability to have these individuals appear before committee. I sit on the national defence committee, and CSEC is one of the agencies that is responsible under the Department of National Defence. Our committee has the power at any point in time to call on those people who are appointed either as the chief or commissioner of Communications Security Establishment Canada. We can call them in to talk about budget and activities.

The committee the Liberals are advocating would have a wider remit, covering all national security agencies, not just CSEC, and unlike normal committees, its members would be cleared to receive classified information.

But it is true that the National Defence committee could provide some additional oversight of CSEC—as long as the government is willing to permit it to perform that role.

On February 13th, the members of the committee voted to "invite the Minister of National Defence and the Chief of Communications Security Establishment Canada (CSEC) as witnesses to appear before the Committee to answer questions about CSEC's intelligence-gathering policies and practices, for one hour each, as soon as possible."

But on March 6th, the day the Minister and CSEC Chief John Forster were scheduled to appear, the committee unexpectedly went in camera and cancelled the session. The minutes of the discussion show that no new appearance date has been sought. The committee agreed to invite the Minister back to discuss the departmental Estimates, but the only formal decision made with respect to CSEC was "That the speaking notes for the Minister of National Defence on the Supplementary Estimates (C) 2013-14 and Communications Security Establishment Canada intelligence-gathering policies and practices, distributed today, be handed over to the Clerk."

Why was the session cancelled?

We don't know. But it is hard not to suspect that it was the government, which ultimately controls the committee's agenda through its majority membership on the committee, that made the decision.

Is that supposed to be oversight?

[Update 4 April 2014: Forster and Nicholson testified to the committee on April 3rd.]

Thursday, March 06, 2014

CSE Commissioner budget cuts not really cuts

The CSE Commissioner's 2014-15 Report on Plans and Priorities, tabled today in the House of Commons, indicates that the apparent reduction in the Commissioner's budget over the past two years (discussed earlier here) is not a reduction in the core budget of the office.

According to the report, the significant increase in the Commissioner's budget that took place in 2012-13 "was entirely attributable to the cost of [a] security retrofit and expansion of the physical space" of the offices of the Commissioner, due in large part to the recent expansion of the Commissioner's staff. The reductions of the past two years have simply returned the Commissioner's budget to its core level.

The Executive Director of the Office of the Communications Security Establishment Commissioner, William Galbraith, e-mailed me with additional details (re-posted here with permission):
Here is some explanation of the arcana of government finances, in this instance the "Estimates": the decrease this year is due to re-payment of prior year borrowing from future years to pay for construction costs that allowed the Commissioner to accommodate more staff (now 11 full-time positions plus office space for subject matter experts engaged by the Commissioner); the official term for this is "re-profiling". Construction was completed a year ago.

Here are figures that follow the construction and security retrofit:

i) The 12-13 budget included $290,000 received in Supplementary Estimates for the costs of the security retrofit and expansion of the physical space.

ii) The 13-14 budget included $100,000 that had to be set aside for partial "repayment" of the supplementary estimate monies received in 12-13.

iii) The 14-15 budget was reduced $100,000 pre-estimates for another partial "repayment" of the supplementary estimate monies received in 12-13.

iv) The 15-16 budget was reduced $90,000 pre-estimates for the final "repayment" of the supplementary estimate monies received in 12-13.

You'll see that ii, iii and iv add to the $290,000 which was received, as described in i. If you were to include the $100,000 in 14-15 in the Estimate total, the revised total would be $2,124,000 (an increase of $11,000).

If you examine the 2014-15 Report on Plans and Priorities, you will see that the Commissioner's office funding (appropriation from Parliament) is stable around $2 million, increasing in 2016-17. However, Commissioners regularly ask whether they have adequate resources to fulfill their mandate effectively.

Saturday, March 01, 2014

CSEC talks to the Globe and Mail

Colin Freeze has a fascinating article in today's Globe and Mail based on a two-hour meeting he had with seven CSEC officials at the new headquarters building on January 31st (Colin Freeze, "The Globe goes inside Canada’s top-secret spy agency," Globe and Mail, 1 March 2014).

The article starts with a classic example of CSEC's idea of openness:
The seven officials at the boardroom table insist that their identities cannot be published – the risk, one explains, is that they would become targets of a “hostile foreign intelligence service.”

Given the top-secret nature of their work, that request is understandable. That this conversation is taking place at all is unprecedented – and, to use one official’s word, “uncomfortable.”

CSEC does have secrets it needs to keep, and it is probably sensible to restrict some information about who does what at the agency.

But part of the problem Canadians have in trying to debate the issues surrounding surveillance is that CSEC and the government as a whole often try to withhold information that doesn't need to be secret, that is not actually considered to be secret by the government, and that may indeed already be in the public domain.

As the article later notes, the meeting's attendees included "a cyberdefence director-general" and "a very senior female boss". Many of the names of CSEC officials at the director-general level and above have already been officially divulged by the government, including the identity of the Director-General of Cyber Defence, who is Scott Jones. And the "very senior female boss" at the meeting was very likely the Deputy Chief SIGINT, who is Shelly Bruce. Three of the other staffers at the meeting were in corporate communications, so the chances are most or all of those names are also in the public domain.

The odds are good, in other words, that in the case of well over half the CSEC personnel at the meeting with Freeze, the only thing not mentioning their names keeps from "hostile intelligence services" is the fact that they recently met with a reporter from the Globe and Mail.

Still, it was a step towards greater openness that CSEC met with the Globe and Mail at all.

The primary purpose of the meeting was to discuss CSEC's use of metadata.
[W]e are here to discuss how “metadata” emanating from computers and smartphones – presumptively, Internet protocol addresses, phone logs and smartphone geolocation data – give CSEC a view of a world’s worth of communications.

The problem is that, in a broad sweep of metadata, capturing a Canadian conversation – private chat that is protected by law and accessible only with a warrant – is always a possibility.

To simplify how CSEC works, the signals-intelligence director outlines a cloud on a white board: This is the Internet. He then draws five boxes inside and labels them “covert collection sites.”

He stops short of elaborating. ...

“They are positioned where they need to be,” he says.

The collection process at these covert sites begins when CSEC machinery logs global telecommunications traffic in bulk. During this first pass, the raw data arrive as an undifferentiated mess, and no one knows – or could know, if they wanted – whether any Canadian metadata are in the mix.

It’s only during the next step, “processing and analysis” that identifying information starts to be revealed – and those pesky privacy concerns begin to kick in.

CSEC computers sift out the metadata, then analysts boil them down some more. This is where telling patterns emerge, including whether Canadian data are part of the sweep. CSEC says it treats Canadian material differently, but won’t say how.

The final step is “targeting.” Now knowing rough patterns worth watching, and how to avoid Canadians, the analysts task the covert collection sites to be on the lookout for communications from identifiable groups of foreigners.

Worth reading the whole article.