Sunday, September 28, 2014

Harper, CSEC, and metadata

Comments made by Prime Minister Stephen Harper in New York on September 24th have raised questions about CSEC's use of metadata and about how well the prime minister understands CSEC's activities.

The comments came in an exchange between the prime minister and Wall Street Journal editor-in-chief Gerard Baker during a live interview in front of a New York business audience:
Baker: How do you deal with this challenge between, on the one hand, individual liberty and the need for security? Canada is a country which takes very seriously the notion of human rights and individual rights and is understandably protective of those, and yet, you know, there has been this whole furore here in the United States and around the world about government surveillance. And yet we're starting to see that perhaps some of that government surveillance actually, whether you like it or not, is perhaps necessary actually to avert some of these threats and to stop some of these radicalized people coming and doing these terrible things. How do you get that balance right between on the one hand protecting the security of your people and preserving their right to go about their lives?

Harper: Well, I think broadly the answer to that is actually quite straightforward—which is that you focus your energies: you have, obviously, a system that can identify potential threats, track them, and zero in on surveillance on those particular threats, as opposed to systems that are just broadly based on widespread surveillance of everyone. I’m not a big believer in those kinds of systems, not just because they have the potential to infringe civil liberty, but they usually overwhelm you with data in a way that you can’t actually process or make any use of. So the real challenge, I think, is using these tools, and using them in a way that you can focus in on the people you know are actually going down the wrong path. Just as, frankly, we would do with much traditional crime: we try and focus on people we know become associated with criminal gangs or criminal activity. We don't focus on entire cities or entire populations from which they come.

Baker: Yeah, but, again, the U.S. law enforcement authorities would say that—especially the use of metadata to figure out patterns in phone conversations and that kind of stuff—that's how you do sift down this enormous amount of data, and you can establish that in order to do that effectively, to trace whether some guy in Buffalo is planning to either fly out to the Middle East or blow up a plane somewhere, it's very important to detect patterns in that guy's mobile phone conversations at home and abroad. And that's how you do it, isn't it? Isn't that how you do it?

Harper: Well, they may say that.

Baker: Do you do that in Canada?

Harper: We don't do that in Canada. We don't use metadata as a surveillance tool. And as you note we have had not only radicalized individuals, we have broken up plots and actions of individuals who were planning terrorist actions, and we've done that through targeted, on-the-ground surveillance of people.
Transcription by me. You can watch the entire exchange here (discussion starts around 2:40).

If the prime minister's comments were intended to deny that CSEC uses metadata at all, then he was certainly wrong and should have known better.

CSEC's reliance on metadata has been acknowledged officially many times. CSEC Chief John Forster testified in April, for example, that the agency uses metadata
for three things. One is to understand global communication networks, so we use it to analyze networks so that when we're searching for a foreign target, it helps us to find where our best chance of success is in identifying targets in a sea of billions of communications. Two, we use it to make sure that we're actually targeting a foreign communication and not a Canadian communication. Three, we use metadata to help us detect and identify cyber-attacks against government systems and the information they contain. We can only use metadata either to understand global networks and analyze them, or to define our foreign targets. We don't use it to identify or target Canadians.
It is possible that the prime minister was wrong or was simply being disingenuous, but I suspect his remarks were actually, as their context suggests, intended specifically to refer to the possible use of domestic Canadian metadata to systematically analyze the telephone and/or internet activities of Canadians in order to identify previously unknown suspicious individuals or activities.

The NSA does "contact chaining" searches through both domestic and international metadata, including metadata concerning its Five Eyes allies, and it also does broader, "pattern of life" searches through at least some of that data. We also know that at least some Canadian metadata is shared with those allies, and presumably subjected to some of these analyses.

With respect to Canada itself, we know that CSEC has access to a significant amount of Canadian metadata (although how comprehensive, we don't know) and that the agency can be called upon to analyze such data in support of domestic investigations. The 2006 version of OPS-1-10, Procedures for Metadata Analysis, a CSEC policy document, noted that specific procedures exist for handling domestic metadata analysis: "Metadata analysis conducted in support of Federal Law Enforcement or Security Agencies (LESAs) to obtain Security or Criminal Intelligence (mandated under paragraph 273.64(1)(c) of the NDA, known as ‘Mandate C’) is handled only in accordance with OPS-4-1, Procedures for CSE Assistance to Canadian Federal Law Enforcement or Security Agencies, and OPS-4-2, Procedures for CSE Assistance Under Section 12 of the CSIS Act."

In April 2014, Chief Forster confirmed CSEC's continued support to domestic agencies in this respect: "Again, although we collect metadata, it's very much limited in its use to our existing mandate, which is foreign intelligence collection and cyber-defence. The restrictions we have around that is to understand global networks to find foreign targets. We're not using it to target Canadians or anyone in Canada for our intelligence-gathering activities unless we're assisting CSIS and RCMP under a court warrant." (emphasis added)

Or a few other agencies.

Clearly, CSEC can and does use metadata in support of targeted domestic investigations undertaken by Canadian law enforcement and security agencies. And such support probably includes "contact chaining" analysis of those targets. CSEC can also analyze metadata related to its foreign intelligence targets located outside Canada, even if that data extends back into Canada (e.g., a Canadian telephone number in contact with a target in Yemen).

But can CSEC trawl through Canadian metadata searching for suspicious activities or connections without a direct connection to a specific individual targeted for specific reasons?

I think perhaps this is what the prime minister was saying CSEC does not do.

It would be interesting to know if this is indeed what he meant, and if so, if he was right.


News coverage:

- "Stephen Harper says Canadians' metadata not collected," Toronto Star, 25 September 2014
- "Stephen Harper on Canada's spy agency," The National (CBC), 25 September 2014

Update 30 September 2014:
And Question Period (26 September 2014) once again proves useless for bringing any clarity to the issue.

Thursday, September 25, 2014

Forster provides words

CSEC Chief John Forster has given a low-entropy "interview" to something called Global Government Forum:

Graham Scott, "Interview: John Forster, Chief of the Communications Security Establishment (CSE), Canada," Global Government Forum, 24 September 2014:
What is CSE For?

There are around 2200 staff in CSE, who will soon be in a new purpose-built facility with cutting-edge technology. At their head is John Forster, a man who has been a Canadian public servant for over 30 years. What does he see as his primary role?

‘As the Chief of CSE, it is a pleasure to lead an exceptional organization and work with some of the brightest public servants in Canada. I see my role in helping to create an organization and climate where their talents, expertise and commitment can flourish for the benefit of Canada.

‘To do that we need clarity of mandate; a vision of what we need to do to be successful five years from now; an environment that supports innovation and collaboration; a facility and technology that allows us to excel in meeting the needs of our clients and partners; a policy framework and culture of lawfulness and protecting the privacy of Canadians; and a commitment to recruit, retain and develop the skills and people we need to succeed.

‘Delivering on our mission to protect Canadians from global threats, while at the same time managing a significant transition in the organization is both daunting and exciting.’
He could go on. And he does.

Tuesday, September 23, 2014

CSEC in the limelight

OpenMedia.ca has released a new and very slick video about CSEC: How much does spy agency CSEC know about your private life?



OpenMedia has been doing great work raising awareness about electronic snooping and other issues related to the future of the Internet, and the video is well worth a watch.

But it's quite off target in my view, in terms both of the degree to which Canadian communications are likely to be collected by CSEC and of the legality of the activities that CSEC does undertake.

There is good reason to believe that CSEC is scrupulous about obeying the law as it is interpreted for the agency by the Department of Justice. Whether all of those interpretations would survive a court challenge is open to question, of course, and there is some chance that we will eventually get an answer to that question.

But the fact that CSEC's activities are, in the eyes of the government, legal does not erase all of the possible privacy, liberty, security, and public benefit concerns that can be raised about those activities or those of CSEC's Five Eyes allies. OpenMedia would do better to focus on those issues, in my view, than on the narrow question of legality.

Justin Ling has more on the OpenMedia campaign here: "The New Offensive On Canadian Government Spying," Motherboard, 22 September 2014.

There's a nice irony in the fact that one of the "usual suspects" that Ling notes supports the campaign is Amnesty International. Amnesty's founder, Peter Benenson, was a codebreaker at Bletchley Park during the Second World War, and he worked in the same section as Kevin O'Neill, who later became Chief of CSE.

Other recent items of interest:

- Ben Makuch, "Canada's Spy Agency Partnered with Quebec's Hackfest to Recruit New Hackers," Motherboard, 17 September 2014.

- Matthew Braga, "Cyber Insecurity: What we don’t know about Canada’s digital spy agency," The Walrus, October 2014. Good piece.

Monday, September 22, 2014

Metadata sharing through GLOBALREACH

Last month's Intercept report on ICREACH, NSA's program for sharing metadata with the broader U.S. intelligence community, also contained some information about GLOBALREACH, a similar program for sharing metadata among the Five Eyes countries.

As explained in the article (Ryan Gallagher, "The Surveillance Engine: How the NSA Built Its Own Secret Google," The Intercept, 25 August 2014),
The creation of ICREACH represented a landmark moment in the history of classified U.S. government surveillance...

“The ICREACH team delivered the first-ever wholesale sharing of communications metadata within the U.S. Intelligence Community,” noted a top-secret memo dated December 2007. “This team began over two years ago with a basic concept compelled by the IC’s increasing need for communications metadata and NSA’s ability to collect, process and store vast amounts of communications metadata related to worldwide intelligence targets.”

The search tool was designed to be the largest system for internally sharing secret surveillance records in the United States, capable of handling two to five billion new records every day, including more than 30 different kinds of metadata on emails, phone calls, faxes, internet chats, and text messages, as well as location information collected from cellphones. Metadata reveals information about a communication—such as the “to” and “from” parts of an email, and the time and date it was sent, or the phone numbers someone called and when they called—but not the content of the message or audio of the call. ...

In 2006, NSA director Alexander drafted his secret proposal to then-Director of National Intelligence Negroponte. ...

Alexander explained in the memo that NSA was already collecting “vast amounts of communications metadata” and was preparing to share some of it on a system called GLOBALREACH with its counterparts in the so-called Five Eyes surveillance alliance: the United Kingdom, Australia, Canada, and New Zealand.

ICREACH, he proposed, could be designed like GLOBALREACH and accessible only to U.S. agencies in the intelligence community, or IC.

A top-secret PowerPoint presentation from May 2007 illustrated how ICREACH would work—revealing its “Google-like” search interface and showing how the NSA planned to link it to the DEA, DIA, CIA, and the FBI. Each agency would access and input data through a secret data “broker”—a sort of digital letterbox—linked to the central NSA system. ICREACH, according to the presentation, would also receive metadata from the Five Eyes allies.

The aim was not necessarily for ICREACH to completely replace [the earlier CIA-hosted] CRISSCROSS/PROTON, but rather to complement it. The NSA planned to use the new system to perform more advanced kinds of surveillance—such as “pattern of life analysis,” which involves monitoring who individuals communicate with and the places they visit over a period of several months, in order to observe their habits and predict future behavior.
The documents released by The Intercept in conjunction with its report can be found here.

The system began operating on a pilot project basis in 2007.

The following graphics from the May 2007 presentation (see pages 31 and 33 of the documents) show that data brokers had already been created to facilitate metadata sharing between NSA and GCHQ, and that brokers were planned for the other Five Eyes agencies, CSE, DSD (now ASD), and GCSB.





The presentation also showed (see page 21) that NSA databases already contained metadata concerning roughly 126 billion telephone "call events" obtained from Second Parties (mostly probably pertaining to communications outside their own countries), but that no Digital Network Information (Internet-related) metadata had "yet" been provided by the Second Parties.

Notes taken at a Five Eyes metadata-sharing conference hosted by GCHQ in 2008 (page 44 of the documents) indicate that "Second Party derived data" had not at that point been "made available to US Intelligence Community (IC) (domestic) agencies" (as opposed to the NSA itself), but that this broader access was being sought. "In the hope that such agreement will be forthcoming, NSA has persuaded other US IC agencies to make almost 100 bn previously NOFORN records [in the PROTON database] shareable with the 5-eyes via GLOBALREACH."

The conference also discussed the willingness of NSA's partners to share metadata relating to their own nationals/residents. DSD indicated that it was able to "share bulk, unselected, unminimised metadata as long as there is no intent to target an Australian national – unintentional collection is not viewed as a significant issue. However, if a ‘pattern of life’ search detects an Australian then there would be a need to contact DSD and ask them to obtain a ministerial warrant to continue."

CSEC, by contrast, was of the view that "bulk, unselected metadata presents too high a risk to share with second parties at this time, because of the requirement to ensure that the identities of Canadians or persons in Canada are minimised". Re-evaluation of this stance was underway at the time of the conference, the notes indicate, but a 2013 report by the CSE Commissioner indicated that CSEC continues to "[suppress] Canadian identity information in metadata and reports shared with the Second Parties". The same statement does confirm, however, that at least some minimized Canadian metadata is indeed shared. (And, of course, it remains possible for the relevant Canadian identity information to be provided if the other party can produce what may well be little more than a form letter justifying its provision.)

NSA, for its part, indicated that "Sharing unmasked US identifiers with second party SIGINT partners will be easier than with some US domestic partners.” (See page 43.)

The Intercept report notes that the total number of metadata records shared through ICREACH (and presumably GLOBALREACH) is "more than 850 billion". In fact, the total is likely to be much larger than that. By 2007 the databases were growing by about 570 billion records a year (page 22), and the annual collection rate has almost certainly increased substantially in the years since.

Older records may well have been purged of course, but even assuming no increase in collection and, for the sake of argument, a short, five-year data retention period, the total number of metadata records available must be close to three trillion. The actual number could be many trillions higher than that.

In addition, as The Intercept reported, "The intelligence community’s top-secret 'Black Budget' for 2013… shows that the NSA recently sought new funding to upgrade ICREACH to 'provide IC analysts with access to a wider set of shareable data.'"

Use of Five Eyes-related metadata is also getting more extensive. On 29 November 2010, the NSA's SID Management Directive 424 changed the procedures regarding metadata analysis to "permit contact chaining, and other analysis, from and through any selector, irrespective of nationality or location, in order to follow or discover valid foreign intelligence targets." As this document explains, "The impact of the new procedures is two-fold. In the first place it allows NSA to discover and track connections between foreign intelligence targets and possible 2nd Party or US communicants. In the second place it enables large-scale graph analysis on very large sets of communications metadata without having to check foreignness of every node or address in the graph."

What procedures are in place to protect the privacy of Canadians during such analyses?

As former NSA Director Michael Hayden famously said, "We kill people based on metadata". It is not impossible to imagine occasions when a Canadian might end up on the wrong end of a Hellfire missile, a practice we used to call "extrajudicial execution".

In his most recent annual report, the CSE Commissioner reported that he began, this year, to include "disclosures of Canadian identities to second party partners" in his annual review of disclosures of Canadian identity information.

Friday, September 12, 2014

August 2014 CSEC staff size

2168.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)