Tuesday, September 24, 2013

Worth reading...

Some recent commentaries on CSE, surveillance, and privacy:

Michael Geist, "Canada complicit in undermining Internet privacy: Geist," Toronto Star, 13 September 2013
As the tidal wave of disclosures on widespread U.S. surveillance continues - there is now little doubt that the U.S. government has spent billions creating a surveillance infrastructure that covers virtually all Internet and wireless communications - the question of Canada’s role in these initiatives remains largely shrouded in secrecy.

The Canadian government has said little, but numerous reports suggest that agencies such as the Communications Security Establishment Canada (the CSE is the Canadian counterpart to the U.S. National Security Agency) are engaged in similar kinds of surveillance. This includes capturing metadata of Internet and wireless communications and working actively with foreign intelligence agencies to swap information obtained through the data mining of Internet-based surveillance.

The active connection between Canadian and U.S. officials moved to the forefront last week with reports that Canadian officials may have played a starring role in facilitating U.S. efforts to create a “backdoor” to widely used encryption standards. That initiative has been described as “undermining the very fabric of the Internet.”

Ron Deibert, "To protect Canadians' privacy, telcos must shut the 'back door'," Globe and Mail, 16 September 2013
Recently leaked Edward Snowden documents reveal the U.S. National Security Agency, in its quest to vacuum as much digital data as possible, has been compelling communications companies to build secret vulnerabilities into their systems, otherwise known as “back doors.” These special methods of bypassing normal authentication procedures to secretly access encrypted communications are known only to the companies that build them and the NSA agents that have access to them. Not surprisingly they prefer to keep such dalliances hidden in the dark.

Given Canada’s special relationship with our cousins south of the border, it should come as no surprise that our own security agencies also prefer the back door. According to The Globe and Mail, “for nearly two decades, Ottawa officials have told telecommunications companies that one of the conditions of obtaining a licence to use wireless spectrum is to provide government with the capability to bug the devices that use the spectrum.” Documents obtained by The Globe also reveal that as part of these requirements, Ottawa has demanded companies scramble encryption so that it can be accessed by Canada’s law enforcement agencies – encryption that protects our intimate conversations, banking transactions, transmission of health and financial records, and so on. Remarkably, Ottawa deems such requirements too sensitive to be shared with the public. ...

The back door approach is symptomatic of a larger trend, and a particular approach to securing cyberspace prominent today that privileges intelligence and security agencies over other stakeholders, designs security through obscurity, and undermines checks and balances around government.

Law enforcement and intelligence agencies are necessary and important to liberal democracy, but there is more than one way for them to go about their missions. In the world of Big Data, in which so much personal information is readily available, new methods of “connecting the dots” must be explored other than those that drill holes into our communications infrastructure from the inside out and leave users dependent on the digital equivalent of Swiss cheese. Government surveillance needs re-thinking today, beginning with a loud and clear call to “shut the back door!”

Ann Cavoukian, Ron Deibert, Andrew Clement & Nathalie Des Rosiers, "Real privacy means oversight," Globe and Mail, 16 September 2013
In democratic societies, governments must be accessible and transparent to their citizens. And individuals must be free to make informed choices about what personal details to reveal about their lives. Governments are permitted to access personal information only when authorized by law. When it comes to the state's power to conduct surveillance, critical privacy protections must include independent oversight.

While there is much criticism of the U.S. Foreign Intelligence Surveillance Court, at least it has oversight of NSA activities. There is no equivalent in Canada. CSEC's operations rely on ministerial approval, with little transparency or accountability. Canadians know startlingly little about what our government is doing - and, potentially, what foreign intelligence agencies are doing - with their personal information. It is disturbing that there's been so little debate on this important issue, even in Parliament.

CSEC's only meaningful accountability rests on a single annual review undertaken by a single individual - woefully inadequate. In his report this summer, CSEC Commissioner Robert Décary, a retired judge, issued a rare public critique, acknowledging that he'd been unable to reach a definitive conclusion about the agency's compliance or non-compliance with the law for various foreign signals intelligence activities. Some activities, he said, "may have been directed at Canadians, contrary to the law."

CSEC, and the government, must account for what's taken place. Canadians rightly deserve answers on the scope of domestic spying powers. How much will we allow in the name of security and public safety? There is no question that some measures are necessary to counter terrorism, but must they always be at the exclusion of privacy? We say no.

There can be little doubt that surveillance is a global issue, with personal information being shared across jurisdictions, sometimes in a manner that contravenes the most basic principles of privacy and freedom. We must engage citizens so the message of "respect our privacy, respect our freedoms," can be heard, loud and clear. In a free and open society, we deserve no less.

David Lyon, "Can citizens roll back silent army of watchers?" Toronto Star, 23 September 2013
...[A]sking questions is long overdue. Fears fanned by 9/11 “security” and the fun fostered by Facebook distract us from what’s really going on: the surveillance playing field now tilts perilously in favour of large organizations and away from individuals and groups. Such surveillance undermines our relationship as citizens to the state — we may naively comply but we didn’t consent. ...

Who will ask these questions and more? It isn’t just a matter of “catching up” with new technology, although recognizing that Canadian law lags pathetically behind reality would be a start. It’s also about why technological potential is permitted to become political destiny, why everyone has become a suspect and why organizations are so resistant to calls for accountability for sensitive personal information.

Canada, blessed with much better personal data protection than many other countries and a long history of innovative thinking about communications, could still take the lead in reversing the trend toward unwarranted and disproportionate surveillance. The so-called digital era is not self-propelling, nor is it inevitably destructive of trust or care for vulnerable groups.

It’s up to us to keep up the pressure for answers and, more important, for public debate on surveillance today. There’s already a palpable groundswell. One key site for information is SecretSpying.ca.

Friday, September 20, 2013

Stop the asterisks!

Colin Freeze's article on the William Binney visit notes that "CSEC circulated a rare statement last month reaffirming it does not eavesdrop inside Canada." (Colin Freeze, "Beware of data spying, former NSA official warns Canadians," Globe and Mail, 19 September 2013):
“CSEC does not direct its activities at Canadians and is prohibited by law from doing so,” its chief, John Forster, said in a rare public statement.

But that's just what CSE says for public consumption.

Here's what the agency tells its oversight commissioner in private (text from documents released under ATIP request CSEC_A-2012_00035):
CSEC advised the Commissioner’s office during discussions that it uses part (c) of its mandate for three purposes: 1. to provide technical assistance to CSIS/LEAs [Canadian Security Intelligence Service and Canadian law enforcement agencies]; 2. to assist CSIS under s. 16 of the CSIS Act; and 3. to assist CSIS/LEAs by intercepting the communications of a Canadian/person in Canada that is subject to a CSIS warrant (s. 12 of the CSIS Act) or an LEA’s authorization (under Part VI of the Criminal Code). [Emphasis added]

Let me repeat that last bit: "intercepting the communications of a Canadian/person in Canada".

Now, Chief Forster probably thinks he's telling the truth - or some reasonable facsimile thereof - when he says CSE doesn't "direct" "its activities" at Canadians. He, like other CSE spokespeople, always has a secret asterisk appended to these statements in his head that goes something like this: Monitoring of Canadians undertaken in support of CSIS and LEAs is not a CSE activity; when CSE conducts what it calls mandate (c) operations, it is actually providing support to a CSIS/LEA activity, not conducting its own activity. CSE's own "activities" are undertaken under the agency's mandates (a) and (b) (foreign intelligence collection and protection of critical information infrastructures), and although information about Canadians is sometimes also collected in the course of those operations, in those cases the collection is "directed" at foreign targets and, thus, although Canadian communications may be intercepted, such operations are not "directed" at Canadians.

But the foregoing is not what the average Canadian, or even the average member of parliament, would conclude when given the assurance that “CSEC does not direct its activities at Canadians and is prohibited by law from doing so.”

And CSE knows that very well.

It may be that CSE's collection of Canadian communications is limited, reasonable, lawful, and subject to rigorous policies and procedures designed to protect the privacy of Canadians.

But how can we trust people whose public assurances all have to be parsed for secret asterisks?

How can Canadians have a public debate about where to draw the line between privacy and security when their government refuses to give honest, straight answers to the most basic questions at issue?

When will they respect us enough to stop the asterisks?

Binney to Canadians: Watch CSE

NSA official turned whistleblower William Binney warns Canadians to keep an eye on CSE (Colin Freeze, "Beware of data spying, former NSA official warns Canadians," Globe and Mail, 19 September 2013):
A former top U.S. surveillance official is heading north, to warn Canadians that they, too, could become susceptible to massive data-spying programs launched by their own government.

“Every democracy is going this way,” William Binney, a former technical director of the U.S. National Security Agency, said ahead of a planned trip to a civil-liberties conference in Toronto on Friday.

“Unless democracies wake up and start saying ‘We don’t want our government to hold this data,’ then they have a really good chance of losing their democracy.”

Speaking from his home near Fort Meade, Md., – in a phone interview that he said would certainly be transcribed by the U.S. authorities – the crypto-mathematician recalled how he spent decades working for the NSA before his relationship with U.S. security agencies soured.

During his career, he said, he had many opportunities to assess the capabilities of Canada’s electronic-eavesdropping technicians. And “some of them are as good as anybody over here.”

Yet, while Mr. Binney compliments the surveillance acumen of Communications Security Establishment Canada, he also urged the Canadian public to scrutinize CSEC – especially given its long-standing close ties to the NSA.

“They have integrated reps,” he said, referring to how the agencies swap personnel. He pointed out that they also share technology, such as a very powerful, recently revealed Internet-surveillance tool, code-named “XKeyscore.”

CSEC and NSA have been allies since forming as “foreign intelligence” agencies during the Cold War.

Indeed, the signals intelligence alliance goes back to the Second World War, pre-dating the formal creation of both countries' current agencies.

Freeze's article also quotes CSE's standard assurance that “CSEC does not direct its activities at Canadians and is prohibited by law from doing so.”

Unfortunately, as I explain here, that's only "true" if you add a secret asterisk or two.

It's long past time for CSE to stop with the bullshit. In the meantime, Canadians would do well to listen very closely to the warnings of people like Mr. Binney.

Monday, September 16, 2013

Accessing wireless communications in Canada

Some valuable articles in the Globe and Mail today about how Canadian law enforcement agencies access wireless communications (Colin Freeze & Rita Trichur, "Wireless firms agree to give Ottawa ability to monitor calls, phone data," Globe and Mail, 16 September 2013):
When wireless companies apply this week to bid on newly available public airwaves, they will also be committing – again – to an unpublicized accord that governs how they will help police and intelligence agencies monitor suspects.

For nearly two decades, Ottawa officials have told telecommunications companies that one of the conditions of obtaining a licence to use wireless spectrum is to provide government with the capability to monitor the devices that use the spectrum. The Sept. 17 kickoff of the auction-countdown process will underscore that commitment, made out of sight of most Canadians because it is deemed too sensitive by the government.

Documents show that court-approved surveillance in Canada is governed by 23 specific technical surveillance standards known as the Solicitor General’s Enforcement Standards (SGES).

Any firm taking part in a wireless auction can obtain a copy, but the contents are not available to the general public.

But The Globe and Mail has obtained past and current versions of the accord, which governs the way that mobile-phone companies help police pursue suspects by monitoring telecommunications – including eavesdropping, reading SMS texts, pinpointing users’ whereabouts, and even unscrambling some encrypted communications.

Wireless carriers are told they must be ready to hand over such data should police or intelligence agencies compel the release of the information through judicially authorized warrants. Such information goes well beyond traditional wiretaps, and also includes phone logs and keystrokes. ...

“Real-time, full-time” eavesdropping on conversations is just one of the capabilities sought by police, according to the standards. Authorities also want records of call logs, texts, keystrokes and other data, including “the most accurate geographical location known.”

The G&M helpfully posted the unredacted text of the 2008 version of a document that explains the standards, Solicitor General's Enforcement Standards for Lawful Interception of Telecommunications - Compliance Table.

The article refers to the provision of data to both law enforcement agencies and intelligence agencies, but the SGES document describes only the rules pertaining to law enforcement agencies. (Intelligence agencies such as CSIS do not have law enforcement powers and are not considered law enforcement agencies.) CSIS is mentioned on page 9 of the document, however, where it is noted that "The level of security for [sending intercepted data to] the RCMP and other law enforcement agencies will be met if the service providers can achieve the required level of security for CSIS."

Presumably a similar but separate document exists that lays out the rules for providing intercepts to CSIS. If so, it would be interesting to know if it differs in any way from this document.

Another article in today's paper reports that the government recently moved to update and expand its access to smartphone data under the SGES rules but it has run into opposition from the wireless industry (Colin Freeze & Rita Trichur, "Ottawa sought broader access to smartphone user data, records show," Globe and Mail, 16 September 2013):
The federal government tried to use an impending public-airwaves auction to alter the language of a surveillance accord with mobile-phone companies, acting on concerns that police lack the tools to lawfully intercept Internet data that passes through smartphones.

Records show that, following consultation with industry officials, the government pulled back on some of the proposed changes, which were not discussed publicly.

Police and mobile telecommunications companies now are calling for Parliament to update laws that would make explicit how authorities can lawfully access corporate repositories of telecommunications data. ...

While never actually publishing the existing SGES standards, the Industry Canada consultation document went on to say the directives had been largely unchanged since 1995. It added that one “proposed change is to remove the text ‘circuit-switched voice telephony’ from the lawful intercept condition, as networks are no longer limited to circuit-switched technology.”

Cutting through the jargon, observers say the proposed change would have opened up a vast new realm of surveillance on Internet data passing through Canadian mobile phones – not to mention a Pandora’s box of potential privacy problems.

“The changes that are proposed by Industry Canada represent a significant expansion of what communications could be placed under surveillance,” wrote Christopher Parsons, a PhD candidate at the University of Victoria and an expert in digital-privacy issues, in a blog posting early this year.

He wrote that the contemplated change would amount to an “entirely new means of communication that may be captured (e.g. e-mail, streaming music and video usage, TV-watching, gaming over wireless networks, etc.). … Thus, whereas carriers previously had a limited set of clear interception requirements, this simple change in language would substantially expand what they would be required to be able to intercept and preserve.”

While the 1995 SGES accord specifies interception standards for voice, SMS texts, geolocation information and other “telephony metadata,” it is silent on how authorities are to capture data moving through today’s smartphone Internet browsers.

Police argue they need this capacity better spelled out to advance their lawful investigations, but mobile-carriers have resisted, pointing out that they don’t control such data and that capturing it is, for them, a more difficult and expensive proposition than more standard surveillance.

Parliament has failed to pass successive “lawful-access” bills that were introduced over the past 10 years, meaning there are few explicit ground rules for how surveillance practices are to keep pace with evolving technology.

Industry-government accords such as the SGES have emerged instead, evolving behind closed doors as a conversation between government and industry officials.

Thursday, September 12, 2013

August 2013 CSE staff size


(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Wednesday, September 11, 2013

CSE, NSA, and computer security standards

The New York Times recently reported (Nicole Perlroth, Jeff Larson & Scott Shane, "N.S.A. Able to Foil Basic Safeguards of Privacy on Web," New York Times, 5 September 2013) that
The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

Among other methods used by the agency,
the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

“Eventually, N.S.A. became the sole editor,” the memo says.

Yesterday, the Times provided more details of how the NSA pushed the flawed standard forward (Nicole Perlroth, "Government Announces Steps to Restore Confidence on Encryption Standards," New York Times, 10 September 2013):
Internal N.S.A. memos describe how the agency subsequently worked behind the scenes to push the same standard on the International Organization for Standardization. “The road to developing this standard was smooth once the journey began,” one memo noted. “However, beginning the journey was a challenge in finesse.”

At the time, Canada’s Communications Security Establishment ran the standards process for the international organization, but classified documents describe how ultimately the N.S.A. seized control. “After some behind-the-scenes finessing with the head of the Canadian national delegation and with C.S.E., the stage was set for N.S.A. to submit a rewrite of the draft,” the memo notes. “Eventually, N.S.A. became the sole editor.”

One possible interpretation of this passage is that the naive Canadians were pwned by the crafty NSA delegation, whose real goals were unknown to the Canadians.

I don't subscribe to that interpretation. Much more likely, in my view, is that CSE and the NSA worked hand-in-glove to game the standards process.

None of which, perhaps, should be surprising.

But it's a useful reminder that when, for example, CSE "presents" a computer security conference that features talks like "Bypassing Security Controls with Mobile Devices" and provides associated training events like "Bypassing Security Defenses – Secret Penetration Testing Techniques", its goal is not always to make your computers and communications devices more secure.

[Update 12 September 2013: Jesse Brown takes up the story and gets a non-denial from CSE: Jesse Brown, "NSA says it ‘finessed’ Canada, seizing control of global crypto," Macleans.ca, 11 September 2013]

Monday, September 09, 2013

Big Brother goes all meta on your data

Gotta love the self-referential chutzpah of the following NSA slides, drawn from the Snowden corpus:

But I can't say I appreciate the attitude to the general public (AKA "zombies") quite as much.

And since when did 1984 have zombies?