Thursday, October 10, 2013

Your metadata at work

I was re-examining this slide from the CSEC Olympia presentation when suddenly it hit me (head slap) -- some of the communications shown on this chart extend into Canada!

What we have here is a teachable moment.

Two communications (or perhaps collections of communications) in particular are labeled as connecting to Canada, one through Autonomous System Number (ASN) 6453 and the other through ASN 32613. The former is Tata Communications, a global communications provider largely built upon the facilities of the former Teleglobe. The other is iWeb Technologies, a Montreal-based service provider. The chart doesn't show who in Canada was ultimately at the other end of the communications, but it does make it clear they were in Canada.

Now, some of you may be thinking, didn't that nice man who heads CSE, Mr. Forster, just finish telling everybody that CSE can't listen to the communications of Canadians?

Wasn't he just quoted to that effect in the Globe and Mail (and probably a couple of dozen other places)?

Yes, indeed, he was (Steven Chase, "CSEC defends practices in wake of Brazilian spy reports," Globe and Mail, 9 October 2013):
I can tell you that we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada. In fact, it’s prohibited by law. Protecting the privacy of Canadians is our most important principle.
So what gives?

Well, there's a reason why Mr. Forster and his fellows always use terms like "target" or "direct at" when issuing their blanket assurances.

You see, the operation depicted on the Olympia slide was directed at non-Canadians who were not in Canada. The targets of the monitoring were Brazilians in Brazil.

The fact that some of the communications analyzed also involved Canadians or persons in Canada is incidental. Such monitoring is considered "inadvertent".

Well, OK, accidents do happen. But the data concerning the communications of the Canadians/persons in Canada is immediately deleted, right?

Look again at that slide. Does that information look deleted to you?

In fact, CSE is allowed to retain such communications as long as they are relevent to the "foreign intelligence" being sought.

The identity information of the Canadians involved must be replaced by a stock phrase like "Canadian person" in any reporting involving that communication, but if analysts or their customers believe that your identity is important to understanding the intelligence (and they subsequently hop through the right hoops) it can be retrieved from CSE's databases.

In short, you have the right to privacy as long as they consider your identity to be of no interest to them.

The example on the slide involves metadata. We don't know whether the content of these communications was also examined, but my guess is that at this stage of the "target development" process it was not.

But the point remains the same. The laws pertaining to the interception of communications do not apply to the monitoring of metadata, but the assurances that CSE makes about not targeting Canadians do apply to our metadata.

The reason that CSE can -- and does -- examine the metadata of some communications that involve Canadians is that those absolute-sounding assurances do not mean what they'd like you to think they mean. There is always a secret asterisk attached.

Update 10:50 PM: You can also make out the Canadian communications on this slide (H/T to Canleaks):


Post a Comment

<< Home