Monday, June 10, 2013

CSE metadata monitoring began in 2005 or earlier

Government documents obtained by the Globe and Mail under the Access to Information Act indicate that CSE has been collecting and analyzing the communications metadata of Canadians since at least 2005 (Colin Freeze, "Data-collection program got green light from MacKay in 2011," Globe and Mail, 10 June 2013; documents here; see also my earlier post concerning indications of CSE interest in monitoring metadata).

[Update 3 December 2013: Make that CSE has been analyzing metadata since at least 15 March 2004 (see Communications Security Establishment Canada 2004 ministerial directive/authorization).]

The documents show that an updated version of a 2005 Ministerial Directive on the Collection and Use of Metadata was approved by Defence Minister Peter MacKay in November 2011.

The documents note that the data is "acquired in the execution of CSE foreign intelligence acquisition programs", but the details of the activities have all been redacted.

What is the nature of the metadata being collected? Telephone records? E-mail transactions? More? And does the data concern only cross-border activities, such as international telephone calls? Or is it nationwide as in the U.S. program? How is the data being processed? And, most importantly, to what uses are the data being put?

One possible use of the metadata is to assist CSE in its efforts to distinguish between the communications of Canadians and those of foreigners. CSE is not permitted to "target" Canadians while it is pursuing the foreign intelligence part of its mandate and is required to take measures to minimize the inadvertent collection of Canadian communications. Thus, metadata concerning Canadians might be used in part to protect some communications from collection.

If that were its only use, however, you wouldn't expect there to be so many blanked out sections in the documents justifying the program.

In fact, such data are undoubtedly also collected to help determine the identities (or at least the communications addresses) of the people in Canada that CSE's foreign intelligence targets are communicating with. The person at the Canadian end of the conversation would not be the "target" in such cases, but CSE would still want to monitor both ends of the communication in order to find out what the foreign target at the other end of the conversation was up to.

If the Canadian participant turned out to also be of intelligence interest, CSE would then pass that information to CSIS, the RCMP, or another relevant agency, which if it agreed would then obtain authorization to monitor the Canadian under its own legal procedures. That authorization, in turn, would clear the way for CSE to conduct further monitoring of the Canadian in fulfillment of Part C of its mandate.

Another possibility is that CSE is performing more elaborate social network analysis of the metadata it collects -- "datamining" it to try to identify other individuals separated by two or more degrees of separation from known intelligence targets. These could be people who are part of a broader group of conspirators or providing support services or information, or perhaps who just happen to have contact with people who might eventually try to involve them in something the government wouldn't like.

This last sort of analysis -- which NSA has been doing -- is much more problematic than the others. Such analysis is not only vastly more intrusive, enabling security agencies to in effect search your online life without a warrant, but it also raises the spectre of huge numbers of "false positives", instances in which completely innocent people become secret suspects, with possible consequences for their jobs, travel, etc. that they may never even know about.

Is CSE also engaged in this kind of metadata-mining? Not surprisingly, we can't tell from the documents released to date. But we do know that the agency has conducted research on exactly this kind of data mining (see my discussion here). We also know that it continues to hire data miners, and that data mining research is one of the two research priorities of the Tutte Institute, CSE's cryptologic research institute.

[Update 11 June 2013: Defence Minister Peter MacKay has bravely stepped forward to reassure us all by garbling some talking points in Question Period. Mostly he gave the usual boilerplate answers, but I think he messed up a bit when he declared in response to a question about metadata that "this program is specifically prohibited from looking at the information of Canadians." As MacKay also noted during Monday's Question Period, CSE's oversight commissioner found in his 2010-11 Annual Report that the metadata program incorporates "satisfactory measures to protect the privacy of Canadians" (the Commissioner didn't actually identify the program in his report, but MacKay's response helpfully confirmed that it was indeed referring to the metadata program). Unmentioned by MacKay was the fact that the Commissioner's report also definitively states that "these activities involve CSEC's use and analysis of information about Canadians for foreign intelligence purposes". What was that first thing the Minister said again? Oh, yeah, "this program is specifically prohibited from looking at the information of Canadians." So let's just put those two statements together: evidently we are to understand that this program involving the use and analysis of information about Canadians is specifically prohibited from looking at the information of Canadians.

One of these people, either the CSE Commissioner or the Minister of National Defence, is using words that do not mean what he thinks they mean. Perhaps MacKay was trying to voice the usual bland assurances that CSE is itself prohibited from directing its activities at Canadians. He certainly did say that quite a bit, although at another point in the proceedings he broke rather dramatically with tradition by accurately declaring that CSE only targets foreign threats -- "unless, of course, there is a request from an accompanying department under warrant." Of course. In that case, as MacKay knows but CSE public affairs folks almost never acknowledge, they can target us. So everybody just chillax. The scandal-plagued CSIS, which has eliminated its Inspector General but does still have a part-time oversight committee whose former chairman is currently facing extradition to Canada to face a variety of charges, is going to look after the privacy thing for us.

All in all, the Minister didn't do much to improve the signal-to-noise ratio on the question of metadata monitoring. Is the collection and use of Canadian metadata restricted to that associated with cross-border communications? He did declare that "Metadata is collected only on international, not domestic communications." But then he followed that up immediately with the line about a request from an accompanying department. So is CSE helping to collect and/or analyze metadata related to Canadian domestic communications on behalf of one or more of our domestic security agencies? He didn't say that. But then again he didn't rule it out very clearly either.

As my partner often says, there's a reason they don't call it Answer Period.]


Post a Comment

<< Home