Friday, January 31, 2014

CSEC support to CSIS, RCMP, and others

Colin Freeze has obtained more information on the number and nature of "support to lawful access" requests received by CSEC from CSIS, the RCMP, and other agencies (Colin Freeze, "Spy agency’s work with CSIS, RCMP fuels fears of privacy breaches," Globe and Mail, 31 January 2014):
A disclosure from Communications Security Establishment Canada, obtained by The Globe through an Access to Information request, shows the Canadian Security Intelligence Service sought help from CSEC 205 times between 2009 and 2012. The RCMP made 85 such requests during the same time span.

These “support to lawful access” figures – which have never been released before – show that close collaboration with other federal agencies is routine for Canada’s electronic-eavesdropping agency.
Lots of interesting information on the different ways in which CSEC support can be provided.

More on CSEC metadata spying

The CBC has posted the CSEC document (IP Profiling Analytics & Mission Impacts, 10 May 2012) describing its efforts to analyze the metadata of Canadians and other persons in Canada travelling through a Canadian airport and other locations (original story: Greg Weston, Glenn Greenwald & Ryan Gallagher, "CSEC used airport Wi-Fi to track Canadian travellers: Edward Snowden documents," CBC News, 30 January 2014).

Ron Deibert's op/ed on this new information is a must-read: Ron Deibert, "Now we know Ottawa can snoop on any Canadian. What are we going to do?," Globe and Mail, 31 January 2014.

CSEC has posted an official response to the CBC story in which it denies that the agency did anything unlawful (CSE statement re: January 30 CBC story):
CSE is mandated to collect foreign signals intelligence to protect Canada and Canadians, and by law, only directs its foreign intelligence activities at foreign entities.

In order to fulfill this key foreign intelligence role for the country, CSE is legally authorized to collect and analyze metadata. In simple terms, metadata is technical information used to route communications, and not the contents of a communication. ...

It is important to note that no Canadian or foreign travellers were tracked. No Canadian communications were, or are, targeted, collected or used.

The Defence Minister has also assured Canadians that CSEC has done nothing wrong (Laura Payton, "CSEC Snowden docs: Spy agency does not target Canadian communications, minister insists," CBC News, 31 January 2014):
Under repeated questioning by opposition MPs, Nicholson didn't directly deny the story, but said that the document detailing work by the Communications Security Establishment Canada doesn't show that Canadian communications were targeted or used.

"It's my understanding that CSEC made it clear to CBC that nothing in the documents that they had obtained showed that Canadian communications were targeted, collected, or used, nor that travellers' movements were tracked," Nicholson said in the House of Commons. ...

New Democrat MP David Christopherson asked Nicholson to categorically deny the agency has tracked Canadians, but Nicholson returned to his response about the CSEC commissioner.
Others are unconvinced that CSEC has the legal right to conduct the kinds of monitoring detailed in the leaked document.

The government's defence seems to rely primarily on the distinction between a "private communication" and metadata (information about the source, address, route, etc. of a communication but not about its content, or other data, such as geolocation information, transmitted by computers and smartphones and software applications). Despite its potential to reveal a vast array of private information about individuals, metadata, the government argues, is subject to much less stringent laws and rules concerning its collection, use, retention, and provision to others.

The distinction has always mystified me a bit. Metadata is not a series of random bytes spewed into the ether for no purpose. It is information that is sent to or from a device for a reason, to tell a computer server what file to send, to tell a router where to send a packet, to provide billing information to a telecommunications provider, to provide phone book data to an app provider for resale to others, or whatever. All of those exchanges of data are communications between an individual who (wittingly or not) has consented to the provision of that information to a company, or communications between companies, or internal communications within a company.

In the Criminal Code, "private communication" means "any oral communication, or any telecommunication, that is made by an originator who is in Canada or is intended by the originator to be received by a person who is in Canada and that is made under circumstances in which it is reasonable for the originator to expect that it will not be intercepted by any person other than the person intended by the originator to receive it...."

So why would a metadata communication that originates or ends in Canada not be a "private communication"? Some metadata communications may be quite distant from any direct human agency, and perhaps the claimed distinction lies somewhere in that fact, but if I dial a number on my telephone am I not communicating with the telephone company to ask it to connect me to a specific other phone? Is there any valid distinction to be drawn between that communication and asking an operator to make the connection for me? If I click on a hyperlink, am I not communicating with a computer server at some other location to ask it to send me a file?

Anyway, I'm not a lawyer, and the ways of the law are strange and mysterious to me.

Privacy lawyer David Fraser is a lawyer, however, and he concludes that CSEC has no legal authority to collect metadata (including WiFi) of Canadians without a warrant.

See also the B.C. Civil Liberties Association's response to the controversy: "Canada’s illegal spying on airport travellers must stop: BCCLA," 31 January 2014.

The question of lawfulness is of vital importance, and we need a definitive answer concerning the kinds of activities CSEC and other government agencies are permitted to undertake.

But lawfulness is not the only important question.

Let's assume for the moment that the government's secret interpretation of Canadian law does in fact allow for CSEC to conduct the kind of operations described in the leaked document, and let's assume further that this secret interpretation would in fact be upheld by Canadian courts if put to the test (we may soon find out as a result of the BCCLA's case).

Personally, I have little doubt that the government does believe that it has been acting legally.

But if CSEC's actions in this case have in fact been lawful, what does that mean for Canadians?

It means:

1) CSEC can legally obtain, analyze, use, retain, and share bulk metadata concerning communications and non-communications activities that take place in whole or in part in Canada, irrespective of the nationality of the participants in those activities and with no apparent upper limit. It might very well be legal for CSEC to obtain, analyze, use, retain, and share, without any kind of judicial warrant, all of the communications and non-communications metadata generated in Canada or transmitted into or through Canada. (There are privacy rules that apply to information concerning Canadians obtained by CSEC, but their principal effect is to require that such information be used, retained, shared, etc. only if it is relevant to the purposes for which it was collected. The rules also require that Canadian identity information be withheld except when it is needed to understand the information.)

2) Such activities can be conducted under CSEC's foreign intelligence mandate without violating s.273.64(2)(a) of the National Defence Act, which requires that CSEC's foreign intelligence activities "shall not be directed at Canadians or any person in Canada". In other words, while this provision may prevent CSEC from singling out a specific, individual Canadian for targeted monitoring (such monitoring would have to be done through other legal processes), it does not, contrary to what any reasonable Canadian might have thought, present any impediment to CSEC collection of vast amounts of information generated by or about Canadians in Canada or abroad or any person in Canada, even if the goal is to analyze activities that are taking place in Canada.

3) It is possible that such metadata could also be made available to other agencies of the government in the performace of their duties. Unlike CSEC, federal law enforcement and security agencies such as CSIS and the RCMP do have the mandate to target individual Canadians. They require judicial warrants to conduct intrusive investigations, but they do not require warrants to use non-intrusive investigative techniques. And CSEC is legally empowered under part (c) of its mandate to "provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties." As CSEC has noted, such agencies "must have the proper legal authority, such as a warrant from a court"; however, as the phrase "such as" indicates, not all such activities require a warrant. Does CSIS require a warrant to analyze metadata (or receive the results of such analyses)? Does the RCMP?

Maybe all of the above is in fact legal.

But, if so, is that supposed to reassure us?

Update 4 February 2014:

The CSE Commissioner says it's all good: "Statement by CSE Commissioner the Honourable Jean-Pierre Plouffe re: January 30 CBC story," 31 January 2014.

CBC: CSEC spied on Canadians' metadata

A CSEC document leaked by Edward Snowden shows that CSEC spied on the metadata of Canadians and other persons in Canada as part of a program to track travellers through their connections to Wi-Fi hotspots at airports and other locations (Greg Weston, Glenn Greenwald & Ryan Gallagher, "CSEC used airport Wi-Fi to track Canadian travellers: Edward Snowden documents," CBC News, 30 January 2014):
A top secret document retrieved by U.S. whistleblower Edward Snowden and obtained by CBC News shows that Canada's electronic spy agency used information from the free internet service at a major Canadian airport to track the wireless devices of thousands of ordinary airline passengers for days after they left the terminal.

After reviewing the document, one of Canada's foremost authorities on cyber-security says the clandestine operation by the Communications Security Establishment Canada (CSEC) was almost certainly illegal.
Additional coverage here:

- Jessica McDiarmid, "Canadian spy agency gleaned passengers’ data from airport’s wifi: CBC," Toronto Star, 30 January 2014

CBC plans to post the source document soon. More comments then.

Thursday, January 30, 2014

Parliamentary oversight? Who needs it?

Yesterday former solicitor general Wayne Easter once again asked the government to consider establishing a special parliamentary committee to monitor the activities of CSEC and other Canadian intelligence agencies. (Previous discussion here.)

The government's response? Easter got the brush-off from James Bezan, the parliamentary secretary to Minister of National Defence Rob Nicholson:
Mr. Speaker, I should remind the hon. member that in actuality, Parliament has the power, through its committees, to call agencies before the committee that is responsible for them. The Standing Committee on National Defence has the authority and the power to call the commissioner of the Communications Security Establishment as well as Communications Security Establishment Canada before committee. It also has the opportunity, if it so desires, to meet with CSEC staff on its premises. They have a new building that members could easily tour around.

Those opportunities already exist. Parliamentary oversight is already in place. We do not need to be reinventing the wheel.
As Bezan knows (if he did his homework) the committee proposed by Easter, and earlier by the Martin government, is very different from the Standing Committee on National Defence. Notably, it would consist of members from both houses of parliament, it would examine all national security agencies, and its members would be authorized to receive classified information, enabling it to examine the operations of those agencies in much greater detail than is possible today.

Whether it would be wise to provide classified information to such a committee may be open to question. I'm inclined to think that parliamentarians would do better to push for much more extensive and regular reporting of unclassified information, which could then be openly discussed and debated, than for a small group to receive information that they would then be unable to discuss or even allude to outside the confines of their secure briefing room.

Even if you believe, however, that some form of significant parliamentary oversight of CSEC and other agencies could be accommodated under the current committee system, there is no excuse for the essentially negligible oversight currently provided by those committees.

Bezan's claim that "parliamentary oversight is already in place" because the Standing Committee on National Defence already has the power to examine CSEC might be at least marginally credible if the government, which controls the agenda of the committee through its majority Conservative membership, would task it to actually provide such oversight.

For what it's worth, the Senate seems to be making some effort in that regard... (H/T to Ron Deibert.)

NSA spied on climate conference; CSEC too?

An NSA document published by the Danish newspaper Information indicates that the NSA spied on the UN Climate Change Conference at Copenhagen in 2009 (Sebastian Gjerding, Anton Geist, Henrik Moltke & Laura Poitras, "For the NSA, espionage was a means to strengthen the US position in climate negotiations," Information, 30 January 2014; see also Kate Sheppard & Ryan Grim, "Snowden Docs: U.S. Spied On Negotiators At 2009 Climate Summit," Huffington Post, 29 January 2014).

The document promises that "Analysts here at NSA, as well as our Second Party partners, will continue to provide policymakers with unique, timely, and valuable insights into key countries' preparations and goals for the conference, as well as deliberations within countries on climate change policies and negotiating strategies."

The document goes on to state that
leaders and negotiating teams from around the world will undoubtedly be engaging in intense last-minute policy formulating; at the same time, they will be holding frequent sidebar discussions with their counterparts -- details of which are of great interest to our policymakers. While the outcome of the Copenhagen Climate Change Conference remains uncertain, signals intelligence will undoubtedly play a significant role in keeping our negotiators as well informed as possible throughout the 2-week event.
NSA has four Second Party partners (Canada, Australia, New Zealand, and the United Kingdom), all of which were also present at the conference. The document does not reveal whether all of the partners or just some of them assisted the U.S. in collecting and/or analyzing SIGINT related to the conference.

Was CSEC involved?

We don't know, but it does seem quite likely.

Certainly the Harper government was keenly interested in the outcome of the conference.

Keenly interested, in particular, in ensuring that the conference achieved nothing that might threaten Canadian oil production and export goals.

Update 16 February 2014:

Not much in the way of news coverage, as reporter David Pugliese notes here: "Communications Security Establishment Spying On Climate Change Conference?" Defence Watch blog, 16 February 2014.

Bletchley Park et al. helped win the Second World War. Their successors may be helping to win the Climate Change War.

But whose side are they fighting on?

Never mind. Whatever CSEC may be doing, they're only following orders. And the CSE Commissioner will no doubt confirm that it's all legal.

Wednesday, January 29, 2014

Things to note in the government's response to the BCCLA lawsuit

The government's response to the B.C. Civil Liberties Association lawsuit against CSEC monitoring of Canadians (previously discussed here) contains quite a lot of interesting detail about CSEC operations, much of which is little known or understood and some of which I believe is new to the public domain.

Presented for your consideration, a selection of things you may not have known about CSEC operations:

1) There are four categories of information about Canadians that CSEC may end up collecting, using, retaining, and/or sharing abroad (private communications, Metadata, communications of Canadians abroad, and information "about" Canadians obtained from other communications), of which only the first requires a Ministerial authorization for CSEC to lawfully collect. All four kinds of information are subject to extensive privacy safeguards, but those safeguards do not prevent their collection, use, retention, or sharing with international partner agencies if the information is relevant to the government's intelligence or cyber protection requirements:
CSE shares foreign intelligence and cyber threat information with the Five Eyes to the extent authorized under the National Defence Act, and in accordance with Canadian national interests. The sharing of such information is further governed by international agreements, as well as domestic laws, policies and procedures, which include privacy safeguards with respect to private communications, Metadata, communications of Canadians abroad and information about Canadians.
2) The Ministerial authorizations that enable CSEC to intercept "private communications" lawfully when operating under the foreign intelligence and cyber protection parts of its mandate do not pertain to specific foreign intelligence targets, they pertain to methods of intercepting communications:
Ministerial authorizations relate to a specific method of acquiring foreign signals intelligence or of protecting computer systems (i.e., an activity or class of activities specified in the Ministerial authorizations). Ministerial authorizations do not relate to a specific individual or entity.
A single authorization might permit the monitoring of all Internet traffic, for example. (Intercept activities conducted under such an authorization would still need to be "directed at foreign entities located outside Canada", however.) There are currently four Ministerial authorizations in force, three related to foreign intelligence and one related to cyber protection. It is likely that collectively they cover all forms of communication that could contain "private communications" that CSEC might intercept.

3) Intercept activities conducted under the Ministerial authorizations related to cyber protection do not need to be directed at foreign entities outside Canada. They are, however, limited to communications with or related to Canadian federal government computer systems or networks:
CSE’s activities under its IT Security Mandate are directed at the acquisition of data, irrespective of its origin, that would potentially risk harm to the network being protected.... Where CSE activities under its IT Security Mandate risk incidentally intercepting private communications, the Minister issues an authorization under s.273.65(3) of the National Defence Act for the sole purpose of protecting the computer systems or networks of the Government of Canada from mischief, unauthorized use or interference... only when the Minister is satisfied that: (a) the interception is necessary to identify, isolate or prevent harm to Government of Canada computer systems or networks...
Note that only the Minister need be satisfied that these conditions (and suitable privacy protections) exist; the CSE Commissioner is empowered only to confirm that a cyber protection (or foreign intelligence) authorization is in place.

4) CSEC does not require a Ministerial authorization to acquire, analyze, use, retain, or share metadata. Among other uses, metadata is used to analyze communications patterns to identify individuals whose communications may be worth selecting for interception and to "filter" bulk-accessed communications streams to enable CSEC to select specific communications for interception:
The acquisition and use of Metadata is critical to the fulfillment of CSE’s mandate. Metadata is important in allowing CSE to: understand how telecommunications networks operate; distinguish foreign communications from private communications so that CSE can tailor its activities to its mandate while minimizing impact on the privacy of Canadians and persons in Canada; identify malicious foreign cyber activity; and better understand and discover foreign targets. Metadata allows CSE, usually through automated tools, to filter information found on the global information infrastructure without looking at the content of any communications.
The percentage of global communications that CSEC and its Five Eyes allies subject to metadata-based "filtering" is not known, but it is likely to be significant, and the goal of the agencies may well be eventually to subject 100% of global communications to filtering.

There is a big difference, of course, between filtering your communications and intercepting them, unless the filters end up selecting you for interception (which could be, for example, because you communicated with someone who communicated with someone who communicated with someone who has been identified as a foreign intelligence target).

5) The government's response to civil claim specifies that this discussion of metadata is limited to origin, destination, routing, call management data, etc., related to telecommunications:
For the purposes of the directives described in paragraphs 7 and 27-29 of the notice of civil claim, "Metadata" means associated with a telecommunication to identify, describe, manage or route that telecommunication or any part of it as well as the means by which it was transmitted, but excludes any information or part of information which could reveal the purport of a telecommunication, or the whole or part of its content. Any reference to Metadata in this response to civil claim will be to this definition.
Other forms of metadata collection, such as cellphone location data, which the Five Eyes agencies extensively collect, are not addressed in the government's response -- despite the fact that the B.C. Civil Liberties Association's complaint specifically included "geo-location information" in its definition of metadata.

[Update 25 September 2014: I think I was wrong on this point. The metadata used to route the telecommunication, which is included in the government's definition, would indicate the cellphone location.]

6) Nowhere in the government's response does it explicitly admit that in at least some cases it is well aware that a communication that it is collecting under its foreign intelligence mandate is a "private communication". It also fails to admit that it would choose to intercept some such communications even if it had the ability to avoid all of them. The impression that it appears to be trying to give the court is that "private communications" are only intercepted because it is impossible to avoid doing so in all cases:
It is not possible for CSE to completely avoid the interception of private communications. There were six Ministerial authorizations issued for under [sic] s.273.65(1) of the National Defence Act in 2011. For the twelve month period that they were in place, although incidental interception was authorized because it was impossible to know if a foreign entity would contact someone in Canada, for five of those Ministerial authorizations, no private communications were intercepted. For the remaining Ministerial authorization, the number of intercepted communications recognized as private communications that were used and retained by CSE was small....

In conducting activities under its Foreign Intelligence Mandate, CSE has no knowledge of who a targeted foreign individual or entity outside Canada will be communicating with, nor of the location of that other communicant. It is possible that a person in Canada may be the other party to a targeted communication.
In fact, in at least some cases, CSEC does have the ability to know before the interception of a communication that the other party is located in Canada. For example, in the case of a phone call to a fixed landline number in Canada, the call setup data transmitted in Signalling System 7 (which CSEC would have to monitor in order to select the call for interception in the first place) would indicate that the call about to be established was to a phone located in Canada.

In 2005, then-CSEC Chief Keith Coulter made it very clear that one of the reasons the Ministerial authorization system was established was specifically to enable the lawful interception of the communications of foreign targets into Canada, even though such communications are by definition private communications:
if we had a terrorist target abroad and it had a communication into Canada, we wanted to be able to acquire that. If there was an al-Qaeda target in a faraway place and they were communicating into a city in Canada, that was a communication we sought the authority, from Parliament, to acquire, use, and retain, and that's what it gave us [when it passed the Anti-Terrorism Act in 2001].
Nowhere in its statement of response does the government acknowledge this fact.

Which leads me to ask, has the government already forgotten the phrase "duty of candour"?

(My thanks to Canadian Press for sharing a copy of the government's response.)

Tuesday, January 28, 2014

Privacy Commissioner calls for better oversight, accountability

Interim Privacy Commissioner Chantal Bernier submitted a Special Report to Parliament today, titled Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence Community in an Era of Cyber-Surveillance.

A summary of the report's purpose and recommendations can be read here. (See also news coverage: Alex Boutilier, "Canada’s spy agency needs more oversight: watchdog," Toronto Star, 28 January 2014.)

Key CSEC-related recommendations include:

- “Require CSEC to produce an annual report for the Minister to table in Parliament: Amend the National Defence Act to require CSEC to produce a non-classified public report to be tabled in Parliament, as CSIS does, describing its ongoing activities and a summary of its risk assessments (violent extremism, organized crime, foreign corruption, etc.) and general policy priorities.” [To which I would add, resume reporting budgetary information at (or above) the level of detail provided prior to CSEC becoming a stand-alone agency.]

- “Require CSEC to proactively disclose annual statistics on cases where it assists other federal agencies with requests for interception: Under the National Defence Act, CSEC can assist federal law enforcement and security agencies, including investigations of Canadians. Regular, annual public reporting would be an improvement in this regard, similar to SIRC’s Annual Report and Public Safety Canada's Annual Report on the Use of Electronic Surveillance. Where possible, CSEC could also make public more detailed, current information about mandates, operating protocols and other statistical information, in keeping with open government principles.”

- “Clarify the provisions in the National Defence Act (NDA) for Ministerial Authorization to circumscribe CSEC activities at the statutory level. As previously recommended, statutory definitions for “activity”, “class of activities”, “intercept” and “interception” would be welcomed. Review the CSEC mandates set out in legislation and make the broader terms, references and definitions for their operations explicit in the NDA.”

- “Bolster the powers of the federal bodies reviewing national security operations: Concretely address past OCSEC, CPC and SIRC concerns with respect to the conduct of joint reviews, with advance consultation with each body on necessary measures.”

The report also makes a number of recommendations related to other agencies or to the intelligence community more generally, and also recommends that Parliament play a more active role in intelligence agency accountability:
In general terms, it remains Parliament’s role to seek accountability to Canadians. To that end we recommend that Parliamentarians:
  • Conduct a global study of the state of Canada’s intelligence oversight and review mechanisms. Existing Parliamentary venues can address political and Ministerial accountability while also producing useful studies and raising policy questions;
  • Regularly call representatives of the Canadian intelligence community to appear before committees;
  • Hear from civil society, advocates and academics working in this area; and
  • Coordinate their topics for study and witnesses to enhance coverage of the Canadian intelligence community. For example, it could be of great value for Parliamentarians to examine privacy issues in light of the emergent interface between security agencies, private sector stakeholders and the need to safeguard critical infrastructure.

[Update 9:00 pm: Coverage/commentary:

- Ian Macleod, "Privacy commissioner calls for major surveillance reforms to protect Canadians," Ottawa Citizen, 28 January 2014 - Trinh Teresa Do, "Social media may become spies' main 'channel,' privacy watchdog warns," CBC News, 28 January 2014 - "Privacy: You need to know who is listening," Globe and Mail, 28 January 2014 - "Government must act immediately to implement Privacy Commissioner’s new recommendations to safeguard Canadians’ privacy from spy agency CSEC,", 28 January 2014

Update 30 January 2014:

- Josh Wingrove, "Experts weigh in on the state of Canada’s spying rules," Globe and Mail, 30 January 2014]

Also of interest, recent comments by Ontario's Information and Privacy Commissioner:

- Ann Cavoukian, "The silence over privacy puts our freedoms at risk," orginally published in the Globe and Mail, 27 January 2014

- Joseph Brean, "Canada needs independent watchdog to prevent NSA-type breaches: Ontario privacy commissioner," National Post, 27 January 2014

- "Commissioner Cavoukian urges Canadians to follow Edward Snowden's lead by demanding more privacy and less surveillance," Canada News Wire, 28 January 2014

Monday, January 27, 2014

CSEC helps mine smartphones

The slide reproduced above, drawn from a GCHQ presentation dated 28 May 2010, reports that CSEC was working with GCHQ at that time on a suite of surveillance plugins for use with Android phones, part of a larger effort by UKUSA agencies to exploit smartphone data.

The slide was revealed by the Guardian as part of its report on the broader smartphone effort (James Ball, "NSA and GCHQ target 'leaky' phone apps like Angry Birds to scoop user data," Guardian, 27 January 2014). The New York Times and Pro Publica also reported on the program (James Glanz, Jeff Larson & Andrew W. Lehren, "Spy Agencies Scour Phone Apps for Personal Data," New York Times, 27 January 2014).

The reports from all three outlets focused mainly on the efforts of NSA and GCHQ "to take advantage of 'leaky' smartphone apps, such as the wildly popular Angry Birds game, that transmit users' private information across the internet".

According to the Guardian,
The data pouring onto communication networks from the new generation of iPhone and Android apps ranges from phone model and screen size to personal details such as age, gender and location. Some apps, the documents state, can share users' most sensitive information such as sexual orientation – and one app recorded in the material even sends specific sexual preferences such as whether or not the user may be a swinger. ...

Scooping up information the apps are sending about their users allows the agencies to collect large quantities of mobile phone data from their existing mass surveillance tools – such as cable taps, or from international mobile networks – rather than solely from hacking into individual mobile handsets.
The Guardian also reported on those more targeted efforts, however:
GCHQ's targeted tools against individual smartphones are named after characters in the TV series The Smurfs. An ability to make the phone's microphone 'hot', to listen in to conversations, is named "Nosey Smurf". High-precision geolocation is called "Tracker Smurf", power management – an ability to stealthily activate... a phone that is apparently turned off – is "Dreamy Smurf", while the spyware's self-hiding capabilities are codenamed "Paranoid Smurf".

Update 28 January 2014: Jim Bronskill, "Canadian eavesdropping agency helping Brits tame those 'Angry Birds'?," Canadian Press, 28 January 2014

Sunday, January 26, 2014

Government responds to BCCLA lawsuit

The Canadian government has filed its statement of defence in the B.C. Civil Liberties Association lawsuit against CSEC (previous discussion here and here).

James Keller of the Canadian Press has written a good report on the government's response to the lawsuit ("Ottawa says CSEC's collection of Canadians' data 'incidental'," Canadian Press, 24 January 2014).

I do have a quibble, however.

Keller reports that
CSEC is forbidden from intentionally collecting or analyzing information from Canadian citizens, whether they are in Canada or abroad.

However, the National Defence Act allows the defence minister to give CSEC written authorization to unintentionally intercept private communications while collecting foreign intelligence.
The government's statement does not actually use the terms "intentional/unintentional", and for good reason.

CSEC is prohibited from targeting Canadians anywhere or persons inside Canada (except when it is operating under part (c) of its mandate), but it is not prohibited from intentionally collecting communications between Canadians (or others) who are outside of Canada as long as such collection is not "directed at Canadians or any person in Canada" and it is not prohibited from collecting "private communications" (communications with at least one end in Canada) as long as it is operating under a ministerial authorization and the interception is "directed at foreign entities located outside Canada". There is also no prohibition against CSEC collecting "private communications" to or from a computer system or network of a Canadian federal government institution as long as CSEC is operating under a ministerial authorization and the collection is "directed at the acquisition of data, irrespective of its origin, that would potentially risk harm to the network being protected."

Nothing in these rules says that such forms of Canadian-related collection can only be "unintentional".

As I noted here, in 2005 then-CSEC Chief Keith Coulter stated explicitly that one of the reasons CSEC sought legal authorization to conduct such intercepts was to ensure that it could collect communications between foreign intelligence targets outside of Canada and persons inside Canada:
if we had a terrorist target abroad and it had a communication into Canada, we wanted to be able to acquire that. If there was an al-Qaeda target in a faraway place and they were communicating into a city in Canada, that was a communication we sought the authority, from Parliament, to acquire, use, and retain, and that's what it gave us [when it passed the Anti-Terrorism Act in 2001].
CSEC describes the collection of Canadian communications in such cases as "incidental", not "unintentional". (The CSE Commissioner does use the term "unintentional", however.)

But even the term "incidental" is misleading. Within CSEC it may be well understood that it refers to collection of a communication that was initially selected for monitoring for reasons not specifically related to its Canadian connection, but to the general public "incidental" suggests that collection of such communications was not one of the goals of the operation.

Let's think about this a bit. If CSE were capable of identifying the Canadian connection in such a communication before it made the actual interception (as, for example, it would be in the case of a telephone call made by a terrorist suspect in Yemen to a landline number in Canada), would it choose not to collect that communication? No. It would not make that choice.

What we are talking about here is the deliberate, intentional collection of the communications of Canadians or persons in Canada when they are making suspicious contact with Canadian government computer systems or communicating with terrorist suspects or other foreign intelligence targets located outside of Canada.

The number of such communications that are used and retained by CSEC is said to be small (no one will say if the number intercepted is small), and the case for collecting them is strong -- subject to suitable limits and controls.

But how can we have a reasoned public debate about the sorts of collection activities that are acceptable, and the kinds of limits and controls that are suitable, without a basic commitment to linguistic candour on the part of the government?

More comments in a future post.

Thursday, January 23, 2014

Call for telecom transparency

The Citizen Lab and other Canadian academics and civil rights organizations are calling on Canadian telecommunications companies to reveal to Canadians the amount and kinds of customer data they are providing to government (Ian MacLeod, "Reveal extent of government data surveillance, campaign asks telecom companies," Ottawa Citizen, 22 January 2014):
Government spying on Canadians’ digital lives has leading privacy, security and civil rights scholars pressing hard for telecommunications companies to finally reveal the extent of customer data handed over to police, security services and others.

A campaign led by the Citizen Lab at the Munk School of Global Affairs issued a letter this week to the country’s Internet and phone service providers asking how, when and why they disclose private and personal information to agents of the state.

“We’re giving service providers the opportunity to tell their side of the story in a non-adversarial way,” said Christopher Parsons, a post-doctoral fellow organizing the campaign at the University of Toronto’s Munk school lab.

“It puts data on the table that Canadians, researchers, everyone can start having a much more nuanced discussion on lawful access” by government to personal digital information.
The letter sent to the companies can be read here.

More on the campaign from the Citizen Lab: Towards Transparency in Canadian Telecommunications, January 22, 2014

Other recent calls for greater transparency and a real debate on the balance between surveillance and privacy in Canada:

- Wesley Wark, "The debate Canada won’t have," Ottawa Citizen, 21 January 2014
- Wesley Wark, "Reforming the Spy Game," CIPS Blog, 21 January 2014
- Travis Lupick, "Cyberspace expert Ron Deibert raises the alarm on government surveillance in Canada,", 21 January 2014

Update 25 January 2014: Michael Geist, "Why Canada’s telecoms should come clean about customer information," Toronto Star, 24 January 2014.

Update 29 January 2014
: Christopher Parsons, "More Voices Call for Transparency in Canadian Telecommunications," Technology, Thoughts & Trinkets blog, 28 January 2014.

Tuesday, January 21, 2014

NSA, CSEC, the CMVP, and Dual_EC_DRBG

Globe and Mail reporter Omar El Akkad has written an article examining the role played by NSA and CSEC in the certification of deliberately weakened encryption ("The strange connection between the NSA and an Ontario tech firm," Globe and Mail, 20 January 2014):
At the heart of digital security is the concept of encryption – making information indecipherable to anyone who doesn’t have the right passcode.

And since 1995, any software developer building encryption for technology they intended to sell to the American or Canadian government has had to consult something called the Cryptographic Module Validation Program. It’s a list of algorithms blessed by the CMVP that are, according to the government agencies that publish it, “accepted by the Federal Agencies of both countries for the protection of sensitive information.”

There’s only one problem. For more than six years, one of the central items listed in the CMVP – an algorithm for generating the random numbers that form the foundations of an encryption scheme – has had a glaring and well-known backdoor, a means of rendering the encryption totally ineffective.


For years, many wondered why the NIST in America and CSEC in Canada would continue to give their official blessing to a compromised algorithm. Last year, a potential answer to that question emerged, when documents leaked by Edward Snowden revealed the NSA to be a holder of the Dual_EC secret keys – essentially, allowing the spy agency to crack the encryption at will. In addition, a Reuters report in December revealed that the NSA had paid RSA Security LLC $10-million to continue making Dual_EC the default form of encryption on its products.
The Globe and Mail article also looks at the role of the Canadian company that developed the Dual_EC_DRBG algorithm, Certicom Corp., which was purchased by Blackberry in 2009.

(Also interesting is the Twitter link that El Akkad posted pointing to this 2003 press release announcing the licensing of Certicom's encryption technology by the NSA.)

The Cryptographic Module Validation Program was established by CSE and the U.S. National Institute of Standards and Technology in July 1995.

[Update 19 November 2014: The new CSE CMVP page is here. The old page can be read here. H/T to Ron Deibert.]

As it happens, I have the 1995-96 Business Plan of CSE's Information Technology Security (ITS) Program sitting on my desk right now. (Fear not, security folks; it's the redacted version that was released under the Access to Information Act.)

The unredacted portion of the document doesn't mention the CMVP, and it most certainly doesn't mention that NSA and CSE might use the program to foist crippled encryption on the public.

But it does make the following rather interesting comment, which given the news coverage of the past six months is even more relevant today:
The SIGINT program... has recently experienced high visibility in the press. As a result, CSE has become synonymous with the SIGINT mission even though the organization's name was originally based on the COMSEC [communications security] mission. Now, even more than ever, ITS's association with SIGINT has the potential [of] negatively affecting its reputation as a trusted security organization. CSE's communication policy has also restricted marketing efforts crucial to the success of the ITS program. To succeed, the program will initiate a number of actions which will ensure its reputation and image as a trusted security organization.
Good luck rebuilding that trust now.

Previous coverage of this case here.

Saturday, January 18, 2014

NSA policy changes and CSEC

On January 17th, President Obama announced a series of modifications to NSA policies designed to respond to public concerns about the eavesdropping practices of NSA and its allies. Some significant steps were announced, but Obama's proposals fell far short of the kinds of changes sought by privacy and civil liberties advocates.

Documents and coverage:

- President Obama's speech announcing the changes, 17 January 2014
- Presidential Policy Directive 28, 17 January 2014
- Analysis by the Electronic Frontier Foundation: Rating Obama’s NSA Reform Plan: EFF Scorecard Explained, 17 January 2014
- Coverage by New York Times: Mark Landler & Charle Savage, "Obama Outlines Calibrated Curbs on Phone Spying," New York Times, 17 January 2014; see also David Sanger & Claire Cain Miller, "In Keeping Grip on Data Pipeline, Obama Does Little to Reassure Industry," New York Times, 17 January 2014
- Coverage by Washington Post: Barton Gellman, "Obama’s restrictions on NSA surveillance rely on narrow definition of ‘spying’," Washington Post, 17 January 2014 (Gellman is the leading U.S.-based reporter working on the Snowden revelations)

Will the NSA changes have consequences for CSEC operations, and will CSEC make similar or other changes? Few signs so far:

- Leslie MacKinnon, "Obama's NSA reforms prompt little reaction from Canada's spy agency," CBC News, 17 January 2014
- Mitch Potter, "Analysis: Uncle Sam still wants your data," Toronto Star, 17 January 2014
- William Marsden, "Obama unveils reforms to U.S. cyber spying, but do they go far enough?," Postmedia News, 17 January 2014

See also Jim Bronskill, "NSA leaks prompted major Canadian eavesdropping review: declassified memo," Canadian Press, 17 January 2014

Also worth noting: "Stephen Harper must address online surveillance in Canada, says PEN Canada" (17 January 2014)

Tuesday, January 14, 2014

Dog assures Canadians it CAN bite the Man

A new section on the website of CSEC's watchdog, the CSE Commissioner, discusses current concerns about the role and capabilities of the Commissioner and his office (Current Issues: Questions and Answers), addressing questions such as

"How can an agency the size of the Commissioner’s office effectively review the activities of an organization the size of CSEC?"


"What impact has review had on CSEC?"

I won't attempt to summarize the entire piece here, but I think it's a useful response to a lot of recent commentary on the role of the CSE Commissioner, which has tended to dismiss the office as almost entirely without value.

My own feeling is that while there are lots of grounds for concern about the effectiveness of the institution (see these comments, for example), much of the work that CSE Commissioners have done has been extremely valuable.

That said, I can't say I find everything in the new section reassuring.

For instance, the Commissioner takes credit for Justice Richard Mosley's recent ruling concerning what are known as CSIS 30-08 warrants.

It was indeed the most recent annual report of the CSE Commissioner that tipped Justice Mosley to re-examine the warrants, as confirmed in paragraphs 54 and 55 of his Further Reasons for Order.

But does this really show that the process is working?

As the annual report notes, the Commissioner recommended to the Minister of National Defence that "CSEC advise CSIS to provide the Federal Court of Canada" with additional information about the involvement of Five Eyes countries in the execution of the warrants, and CSEC apparently did provide such advice to CSIS.

And then CSIS, as far as we can tell, ignored him.

Justice Mosley didn't learn about the problem from CSIS; he learned about it because he happened to read and chose to follow up on the information in the Commissioner's public report.

A lot of the key privacy concerns related to CSEC arise because of CSEC's relationships with domestic law enforcement and security agencies, and here we have a clear example not just of the difficulty CSE Commissioners have in following operational issues when they pass beyond the boundaries of CSEC, but also of the possible indifference those other agencies may have for the "advice" of the Commissioner.

Does this not confirm that there are serious problems with the mandate and/or reach of the CSE Commissioner?

If the Commissioner thinks so, he's certainly not saying it on this webpage.

Another point related to the question of CSIS 30-08 warrants:

Now that James D. Abbott, then CSEC's Acting Director of SIGINT Requirements, has admitted to Justice Mosley that he "crafted" his 2009 testimony in order to avoid providing key information to the court (Mosley para. 76), thus breaching his duty of candour, will the CSE Commissioner be revisiting his conclusion that "CSEC conducted its activities in accordance with the law" in this affair?

Is it legal to deliberately mislead a judge in order to get a warrant approved?

And while we're on the subject, is it legal for CSIS and CSEC to ask Five Eyes allies to monitor the private communications of Canadians on the basis of tainted warrants that, as Justice Mosley has since made clear, didn't even authorize the involvement of non-Canadian agencies? Is it legal even for CSIS and CSEC themselves to monitor Canadians based on tainted warrants?

Maybe the Canadian public needs to withhold judgement on whether this watchdog can bite until they see how it responds in this case.

Another thing:

Why does this Commissioner, like his predecessor, describe the collection of communications with one end in Canada undertaken in the course of CSEC's foreign intelligence activities as "unintentional"?

By law, such communications have to have been selected because one of CSEC's foreign intelligence targets was at the foreign end of the communication (i.e., the Canadian end must not have been the immediate "target" of the collection), but CSEC Chiefs have made it clear on more than one occasion that when one of their foreign targets communicates with someone in Canada, CSEC wants to, can, and does very deliberately collect both ends of that communication. Keith Coulter stated outright here that CSEC sought, successfully, to have the laws pertaining to interception amended in 2001 precisely to permit such communications to be legally collected. There is nothing "unintentional" about it.

There are undoubtedly other occasions when CSEC is actually trying to collect a foreign-only communication but ends up collecting a communication involving a Canadian or person in Canada or information about such people. In those cases, the collection really is unintentional (although that still doesn't necessarily mean it won't be retained and used).

But that's a very different matter from deliberately following the communication of a foreign target into Canada.

Even CSEC doesn't describe the collection of foreign-target-to-Canadian communications as unintentional. (It describes it as "incidental", which is also unnecessarily misleading but at least doesn't suggest that some sort of mistake was made when the communication was collected.)

So why do we get "unintentional" from the guy we're supposed to trust to give us the straight goods?

Friday, January 10, 2014

December 2013 CSE staff size


(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Thursday, January 09, 2014

Canada marketed as data haven

You can't make this stuff up.

According to, Canadian companies are trying to attract international data centre customers leery of NSA snooping (Hugo Miller, "NSA Spying Sends Data Clients North of the Border,", 9 January 2014):
Revelations that the U.S. National Security Agency has spied on data networks run by American companies have given Canadian data-center operators an opportunity. They’re telling customers from Europe and Asia that laws north of the border are more protective of privacy.
However, as the article notes later,
the data-center sales pitch glosses over the long history of intelligence-sharing between Canada and the U.S. The governments have collaborated as far back as the 1940s, said Ron Deibert, an Internet-security expert who runs the University of Toronto’s Citizen Lab.

“Anyone who would look to Canada as a safe haven would be fooling themselves,” Deibert said in a phone interview. “Canada would be one of the poorest choices as we have a long-standing relationship with the NSA.”
According to the Toronto Star, the Canadian government is supporting the effort to attract data to Canada (Allan Woods, "Canada courting U.S. web giants in wake of NSA spy scandal," Toronto Star, 9 January 2014):
While Google, Microsoft, Amazon, Facebook and others have launched a pressure campaign to have Washington rein in the NSA, the electronic spy agency, Canada is hoping to profit from the discontent, said Robert Hart, founder and chief executive of the Canadian Cloud Council, an industry association representing data centre firms in this country.

“There are governmental agencies right now in Canada who are actively trying to recruit Silicon Valley companies like Google and Facebook and trying to convince them to build cloud infrastructure in Canada,” Hart said in an interview Wednesday. “I would say there’s a lot of movement right now at a political level to convince some of these larger software companies ... to host their software in Canada to get that data away from the NSA for optical reasons.”
Because transferring that data to a country that is one of NSA's closest allies, that has the legal structure in place to seize foreign data of interest to Canada's intelligence agencies (see s16 of the CSIS Act), and that connects to the global Internet almost exclusively through the United States (even domestic Canadian Internet traffic often travels through the U.S.) is definitely going to keep that data out of the hands of the NSA.

[Update 11 January 2014: Allan Woods, "U.S. data migration to Canada won’t solve privacy issues, experts say," Toronto Star, 10 January 2014.]

Unsurprisingly, it appears that some of our European friends are a little skeptical that storing their data in Canada would provide much privacy benefit (see Michael Geist, "European Report Says Canadian Privacy Law Should Be Re-Examined Due to Surveillance Activities," Michael Geist blog, 9 January 2014).

[Update 11 January 2014: Ian Macleod, "European report calls for review of data sharing with Canada over spy concerns," Ottawa Citizen, 9 January 2014.]

Sunday, January 05, 2014

Watching the watchdogs

The transcript of the Senate testimony of SIRC Chair Chuck Strahl, CSE Commissioner Jean-Pierre Plouffe, and Acting Privacy Commissioner Chantal Bernier that took place back in December is now available online:

Evidence, Standing Senate Committee on National Security and Defence, 9 December 2013.

The testimony contains some interesting discussion of the issues surrounding the existing review mechanisms for CSIS, CSEC, and other parts of the intelligence committee, including the possibility of greater parliamentary monitoring.

(Earlier news coverage here.)

Meanwhile, yesterday's Vancouver Observer revealed some pretty disturbing information about SIRC Chair Chuck Strahl's competing interests:

Matthew Millar, "Canada’s top spy watchdog lobbying for Enbridge Northern Gateway pipeline," Vancouver Observer, 4 January 2014.

[Update 9 January 2014: Tom Parry, "SIRC chair's pipeline lobbying seen as symptom of larger problem," CBC News, 9 January 2014.]

[Further update 9 January 2014: Creekside blog gives us the goods on the rest of the Cirque de Surveillance.]

[Update 10 January 2014: CBC follows in Creekside's footsteps:

Greg Weston, "Other spy watchdogs have ties to oil business," CBC News, 10 January 2014.

Further coverage:

- Stephen Maher, "Keeping an eye on Canadian spies a part-time job for pipeline lobbyist," Postmedia News, 10 January 2014
- "Ex-MP Chuck Strahl shouldn’t mix spy committee and pipeline lobbying: Editorial," Toronto Star, 10 January 2014]

[Update 25 January 2014: Max Paris, "Chuck Strahl steps down as spy watchdog amid lobbying questions," CBC News, 24 January 2014.]

Also relevant to the question of keeping intelligence agencies in line:

David Fraser, "Special prosecutor required to investigate spies and their lawyers lying to the Federal Court," Canadian Privacy Law Blog, 23 December 2013.

Michael Geist, "CSIS should be subject of independent investigation: Geist," Toronto Star, 3 January 2014.

Friday, January 03, 2014

From Confederation Heights to Camelot

Watch out, sociologists are in the house!

In recent months we've seen CFS Alert viewed through the lens of a visual artist and CSEC's "Olympia" presentation subjected to rhetorical interpretation by a professor of philosophy and humanities computing.

Behold now as two sociologists deconstruct the meaning of CSEC's headquarters present and future:

Jeffrey Monaghan & Kevin Walby, "New Camelot: The Unbearable Lightness of Canada's Twenty-First-Century Security Architecture," Scapegoat 05, 2013.

Gotta love the Academy.

Inside CSE: New section on CSE website

CSE recently added a new feature to its website. Called Inside CSE, the new section explains a bit more about the agency, its mandate, and how it functions:
Recent media reporting has created new and unprecedented interest in the Communications Security Establishment, specifically regarding how we operate and what we do on behalf of the Government of Canada and Canadians. So we’d like to tell you more about CSE in an effort to provide more information and greater transparency. In this section you will find many previously unpublished facts about CSE, including what we can and cannot do as an organization.
The "previously unpublished facts" promised in the introductory paragraph are pretty few and far between (unless the author means only that the information was "previously unpublished" on the CSE website).

But the four "fact sheets" that follow do provide a considerably more complete and frank description of the agency's activities than the secret asterisk-laden pronouncements CSE has typically made.

Notably, the fact sheets explicitly acknowledge that
While CSE cannot and does not target Canadians or persons in Canada in its foreign signals intelligence work, CSE’s capabilities may, under the Assistance Mandate, be employed by national security or law enforcement agencies in a variety of circumstances—including intercept operations against a Canadian or individuals in Canada. In those cases, CSE is acting in an assistance role, is operating under the requesting agency’s legal authority (such as a warrant) and is subject to the provisions of their mandate and policies.
[Update 7 January 2014: For the sake of those not steeped in the intricacies of CSE's three-part mandate, I should probably clarify here that there are three main avenues through which CSE can be involved in monitoring Canadians/persons in Canada. The first, as described in the paragraph above, is through part (c) of CSE's mandate, which authorizes CSE to provide assistance to security and law enforcement agencies. It is nice to see CSE being a bit more frank about its involvement in this kind of monitoring, which in the past it has typically glossed over or ignored entirely. CSE can also monitor certain Canadian communications in the course of its mandate (b) operations (protection of information infrastructures), subject to Ministerial Authorizations. Very little information is available about what sort of monitoring is conducted in those operations. Finally, CSE is permitted, again subject to Ministerial Authorizations, to intercept cross-border communications that involve Canadians/persons in Canada in the course of its mandate (a) (foreign intelligence) operations, as long as the "target" of those intercepts is a non-Canadian outside of Canada, as described in the paragraphs below.

CSE's comments on these other aspects of its mandate, and on its other activities in general, remain deliberately vague, and even misleading.]

CSE reports, for example, that
in the course of targeting foreign entities outside Canada in an interconnected and highly networked world, it is possible that we may incidentally intercept Canadian communications or information.... If a private communication is incidentally intercepted (e.g. a foreign individual we are targeting overseas is communicating with someone in Canada), CSE takes steps to protect the privacy of that information.
If you don't know better, you might assume on reading that description that CSE doesn't really want to know who its foreign targets are communicating with in Canada and what they are saying to each other, and that when such calls do get vacuumed up with the other collected communications CSE quickly acts to weed them out.

The reality is quite different.

"Incidental" means that the person on the Canadian end of the communication was not the "target" of the collection, but it does not mean that the collection of that communication was unintentional. For CSE, the fact that it has been able since 2001 to collect communications that either begin or end in Canada (as long as the target of the collection is outside of Canada) is a feature, not a bug.

As CSE Chief Keith Coulter testified to the Subcommittee on Public Safety and National Security of the Standing Committee on Justice, Human Rights, Public Safety and Emergency Preparedness on May 4th, 2005, "if we had a terrorist target abroad and it had a communication into Canada, we wanted to be able to acquire that. If there was an al-Qaeda target in a faraway place and they were communicating into a city in Canada, that was a communication we sought the authority, from Parliament, to acquire, use, and retain, and that's what it gave us [when it passed the Anti-Terrorism Act in 2001]."

Note that the communications so acquired are also used and retained. Yes, there are elaborate procedures in place to protect the privacy of Canadians and persons in Canada, and there is every reason to believe that those procedures are taken very seriously by CSE, but if the information acquired corresponds to the government's intelligence collection priorities, it is retained and it is used.

And appropriately so. There are reasonable questions that can be asked about whether the particular system in place is the best one for protecting the privacy of Canadians, and about the wider intelligence collection techniques and priorities of the government, but few people would object to the idea that, with suitable controls, the Canadian government ought to be able to monitor the communications of people plotting terrorist attacks in Canada.

The point I want to make here is not that no such collection should occur; it is that describing such collection as "incidental" and implying that it is always unintentional is deliberately -- and pointlessly -- misleading.

If CSE wants Canadians to trust that it is not misusing its extremely intrusive capabilities, it needs to give us straight answers to clear questions whenever it can. (And surely that includes cases where the Chief of CSE has already put the real answer on the public record.)

CSE also needs to be as transparent as possible.

As the fact sheets argue, CSE does need to conduct much of its activities in secret.

But the fact sheets do not explain why the level of detail on CSE's plans, priorities, and funding that was reported when CSE was part of the Department of National Defence (discussed here) cannot continue to be reported by CSE now that it has become a stand-alone agency.

What changed between June 2011, when the last such report was released, and November 2011, when CSE became independent? Did a seismic shift in the world situation suddenly make this information too dangerous to release? Did the Canadian public and the Canadian parliament suddenly develop much less need to know what this taxpayer-funded and potentially extraordinarily intrusive agency is up to?

Keeping essential secrets is one thing; choosing to no longer report information that had been publicly reported for years is quite another.

The addition of the "Inside CSE" section to CSE's website is a small but real step forward in transparency for the agency, for which it can be commended, but it does not make up for the giant backward step it recently took in terminating most of its detailed public reporting.

Update 4 January 2014:

News coverage: Daniel Proussalidis, "CSE admits it 'incidentally' spied on Canadians," Toronto Sun, 3 January 2014.

Update 6 January 2014:

David Pugliese, "CSE Backtracks And Now Admits It Spies On Canadians….Spy Agency Still Provides Misleading Information on Its Website Says CSE Watcher," Defence Watch blog, 6 January 2014.

Update 7 January 2014:

Ian Macleod, "Spy agency admits it spies on Canadians ‘incidentally’," Ottawa Citizen, 6 January 2014.

Further update 7 January 2014:

"CSEC Admits It 'Incidentally' Spies On Canadians," Huffington Post Canada, 7 January 2014.