Sunday, August 31, 2014

CSEC flunks history

CSEC has a seven-sentence section of its website that purports to tell the story of CSEC's origins as the CBNRC (The Beginning: The Communications Branch of the National Research Council).

Among the few actual details provided in the section is the following statement: "On September 3, 1946, the 179 former employees of the XU and JDU came back to work together at their new jobs in the CBNRC under the direction of retired Lt. Col. Edward Drake."

That's not really quite right.

The CBNRC's initial approved establishment was 179 positions, but the agency was nowhere near that size when it commenced operations. In fact, it was only a little over one third of that size.

At least that's what it says on page 2 of Chapter 3 of Volume I of CSEC's classified History of CBNRC:
The number of people actually available at the start as opposed to the establishment figure was very small and only grew gradually. Mr. Drake's original recommendations of August 1946 were approved by NRC and formed the starting team of 62 civilians. One year appointments were given to 12 ex-Service people (all NCOs) and 7 civilians (including several ex-WRCNS (Women's Royal Canadian Naval Service) who had been released from the Navy earlier). Three year appointments, which were curiously called "permanent", were given to 20 ex-Service people and 23 civilians. To illustrate the modest speed of growth from the original staff of 62 toward the approved establishment of 179, some figures in 1947 were: March - 73, May - 80, and October - 95.
[Update 14 September 2014: Kurt Jensen's book Cautious Beginnings: Canadian Foreign Intelligence, 1939-51 reports that "it was not until 1949 that the CBNRC... reached the original staffing level of 179 positions." (p. 160)]

Also, it was just the Joint Discrimination Unit (JDU) that "was transferred to the NRC, first in a transitional way as the Communications Research Centre (CRC) on 1 July 1946, then finally with its name changed to CBNRC and all staff transferred to NRC on 1 September 1946" (History of CBNRC, Volume I, Chapter 1, page 3). The Examination Unit (XU) had not existed for over a year by the time CBNRC began operations. (That said, a significant proportion of the XU staff had been transferred to the JDU at the latter's creation on 1 August 1945, and thus a large number of the personnel who ended up comprising CBNRC's initial staff did come originally from the XU.)

The account on CSEC's Before the Beginning; the Examination Unit and the Joint Discrimination Unit page is similarly garbled.

The apparent contradiction in start dates, on the other hand, is not a problem. As page 1 of Chapter 1 of the History reports, "In 1946, the 1st of September fell on a Sunday, and Monday was of course Labour Day; so in fact it was on Tuesday 3 September that the staff of CBNRC arrived at work, all in civilian clothes for the first time, and all occupying positions on the establishment of the National Research Council."

Thursday, August 28, 2014

Comments on CSE commissioner's report III

Some final comments on aspects of the CSE commissioner's 2013-14 report, which was released by the Office of the CSE Commissioner (OCSEC) on August 20th (initial comments here and here):

More important than ever?

The signals intelligence efforts of the western allies during the Second World War made a very important contribution to the conduct of the war, and the post-war continuation of those efforts played a vitally important role during the Cold War. We can be pretty sure that the Canadian government considered its participation in those efforts and its access to their output during those times to be extremely valuable to Canada.

That dramatic history notwithstanding, last year's annual report by the CSE commissioner told us that the Five Eyes "alliance may be more valuable now than at any other time, in the context of increasingly complex technological challenges."

The declassified version of one of the commissioner's recent reports to the minister of national defence indicated that this assessment came from CSEC itself: "According to CSEC, the Five-Eyes alliance is more valuable now than at any other time in history, given the increasingly complex technological challenges faced by the partners."

In this year's annual report, the commissioner elaborated on that statement, explaining that "This cooperative alliance may be more valuable to Canada now than at any other time, in the context of increasingly complex technological challenges added to dynamic international affairs and threat environments."

Some of us may tend to doubt that the SIGINT alliance is more important now than at any time in the past. But if budgets can be taken as a measure of the importance ascribed to an activity by the government, then it is pretty clear that this government agrees with the CSEC/OCSEC assessment.

Bright new idea: Let the guy in charge know what's going on

One of the key issues with respect to the possible misuse of Five Eyes agency powers has always been the degree to which the various agencies might be used to spy on each other's domestic communications, thus evading their own laws against domestic spying. Such deliberate evasion, we are always assured, does not take place. But it is certainly true that the Five Eyes agencies do end up sometimes collecting communications involving or concerning persons in other Five Eyes countries and that they do sometimes share that information with the agency of the country concerned. The question of how often and how systematically this occurs is thus of rather considerable importance. (See Wayne Easter's acknowledgement of the practice here.)

You might think, therefore, that the minister responsible to parliament for the agency—the guy who is always assuring us that the privacy of Canadians is entirely safe in his hands—might have some idea of the extent to which this Second Party end-run occurs. You might even expect him to insist on knowing.

But no.

This year's report discusses the question of information about Canadians received from CSEC's Second Party partners (and also the question of information shared by CSEC with those partners), and one of the things it reveals is that, as of the date the commissioner's review was conducted, the minister had never received any reporting from CSEC on the number of Canadian communications or the amount of information about Canadians that CSEC received from the Second Parties: "CSEC has not reported to the Minister of National Defence details, for example, regarding communications involving Canadians or information about Canadians that have been shared by its second party partners."

Fortunately, that lapse is set to change.

The commissioner's report notes that, "to support the Minister of National Defence in his accountability for CSEC and as an additional measure to protect the privacy of Canadians, [previous] Commissioner Décary recommended that CSEC report such details to the Minister on an annual basis." According to the commissioner, the minister has accepted that recommendation, and another one calling for a ministerial directive to lay out the parameters of information sharing with the Second Parties and related privacy protections.

So score one for OCSEC.

Sharing, sharing, sharing

Also on the topic of sharing, the report notes that
Commissioner Décary was unable to assess the extent to which CSEC’s second party partners follow [existing] agreements and protect the private communications and information about Canadians in what CSEC shares with the partners. CSEC does not as a matter of general practice seek evidence to demonstrate that these principles are in fact being followed.

While CSEC uses indicators that it believes provide sufficient assurance that the Second Parties are honouring their arrangements, it did not initially demonstrate knowledge or provide evidence of how its second party partners treat information relating to Canadians. During the conduct of this review, CSEC declined to provide the Commissioner’s office with a description of or a copy of relevant extracts of second party policies on the handling of this information. CSEC also declined at that time to identify for the Commissioner’s office any specific differences — large or small — between respective partners’ laws, policies and practices and how this may affect the partners’ protection of the privacy of Canadians. CSEC suggested at that time that review of second party authorities and activities pertain to the Second Parties and not to the lawfulness of CSEC activities and these questions were therefore outside of the Commissioner’s mandate.
This is not the first time that CSEC has told OCSEC what it can and cannot look at, which I find highly disturbing. I also find it a little strange that OCSEC didn't simply order CSEC to hand the information over. (We are constantly assured, and indeed the National Defence Act affirms, that the CSE commissioner has "all the powers of a commissioner under Part II of the Inquiries Act.")

Be that as it may, CSEC Chief John Forster did eventually relent on the question:
Subsequent to Commissioner Décary sending his classified report to the Minister of National Defence, the new Chief of CSEC, Mr. John Forster, re-examined CSEC’s initial position, sought permission from second party partners, and provided the Commissioner’s office with detailed documentation relating to respective second party policies and procedures on the treatment of information about Canadians. This is one example of Chief Forster’s positive leadership to promote increased transparency of CSEC activities and to support review by my office.
Is it churlish to note that it only took Mr. Forster a year and a half or so after becoming the new Chief to get around to demonstrating that "positive leadership"?

Give the man a gold star.

Still, score another one for OCSEC.

The system works!

Reading this year's report, it is clear that OCSEC is proceeding from triumph to triumph. Fair enough.

I think the commissioner is straining a bit, however, when he declares that the Mosley mess is an example of the system working:
Some have suggested that this matter points to a failure of the review bodies to help control the intelligence agencies. On the contrary, these events demonstrate how review works, as Justice Mosley was alerted to this following Commissioner Décary’s recommendations. It also demonstrates how review bodies — in this case the Commissioner’s office and SIRC — can cooperate and share information within existing legislative mandates.
OK. OCSEC recommends that CSEC advise CSIS to inform Justice Mosley that CSIS and CSEC have been eliciting the assistance of Second Parties to help monitor Canadians abroad, something they deliberately chose not to tell Mosley when CSIS applied for the warrants to do the monitoring in the first place. CSEC does as the commissioner recommends, and CSIS (as far as we can tell) then ignores the commissioner's suggestion entirely. Later on, Justice Mosley happens to read OCSEC's public report and decides to investigate on his own. Hilarity ensues.

That's the system working?

I dunno. Maybe OCSEC sent Mosley a copy of the 2012-13 annual report and said you might want to read pages 21 to 25. In fact, you definitely want to read pages 21 to 25.

But it still seems like a pretty ad hoc way to get results.

For all that CSE commissioners have been gradually increasing the proportion of intelligible information in their traditionally obscurantist annual reports (and to that I say BZ!), it seems to me that if the privacy of Canadians depends on key people extracting actionable intelligence from the Delphic pronouncements typically found in those documents, we're all in deep trouble.

Cooperation with review agencies in 2nd parties

The commissioner reports that he plans to look into the possibility of working cooperatively with the review mechanisms that exist in other Five Eyes countries:
In the coming months, I will explore options to cooperate with review bodies of second party countries to examine information sharing activities among respective intelligence agencies and to verify the application of respective policies. A number of Canadian and international academics have referred to an accountability gap concerning an absence of international cooperation among review bodies. These researchers suggest that growing international intelligence cooperation should be matched by growing international cooperation between review bodies. I will examine opportunities for cooperation.
Sounds like a worthwhile Canadian initiative to me.

A 2009 paper by University of Ottawa law professor Craig Forcese, The Collateral Casualties of Collaboration, got a shout-out in this regard in the commissioner's classified report on second party cooperation.

Wi-fi ho hum

CSEC's infamous "Airport wi-fi" project gets some discussion, but precious little explanation, in the commissioner's report (more here and here):
When the media suggested that CSEC had illegally tracked the movements and on-line activities of persons at a Canadian airport, we were briefed by CSEC. We questioned the CSEC employees involved and examined results of the activity. Based on our investigation and on our accumulated knowledge, I concluded that this CSEC activity did not involve “mass surveillance” or tracking of Canadians or persons in Canada; no CSEC activity was directed at Canadians or persons in Canada.
And that's about as detailed as his explanation gets.

Here are the comments made by some obscure law professor by the name of Craig Forcese (who happens to specialize in national security law) back in January.

We did eventually learn the basis of CSEC's position that no "tracking" took place. Perhaps unsurprisingly, it all comes down to the definition of tracking (see mid-way through this post). Apparently you can't be "tracked", even if they follow you around, if they haven't bothered to find out exactly who you are.

As for "directed at", it appears that this term refers only to activities designed to collect information about specific individuals. Thus, according to CSEC and the commissioner, CSEC can acquire and analyze metadata that pertains almost exclusively to Canadians or persons in Canada (as demonstrated here) without that activity being considered "directed at" Canadians or persons in Canada.

Thus, we are told, the kind of thing CSEC did in the "airport wi-fi" experiment isn't a problem.

Others are less sanguine about the legalities of CSEC metadata collection and use (including that Forcese guy again).

The Supreme Court's R. v. Spencer judgment in June makes CSEC's, and the commissioner's, position on metadata even more questionable (yup, Forcese again), but to be fair to the commissioner, that ruling came out too late to be considered in this report.

Will it be discussed in next year's report? I can't say I'm confident it will be, but the commissioner did promise to keep an eye on the topic:
My review has identified some important questions, which I will continue to examine in the coming year, including: what are the vulnerabilities and risks to the privacy of Canadians imposed by new technologies that CSEC uses to collect and analyze metadata? How and to what extent can privacy protections be built directly into the technologies and processes used by CSEC for metadata collection and analysis? I will report on the results in my next public annual report.

What about the gazebo?

The question of NSA (and CSEC) spying on the G8/G20 summits, and the legality of such activities, also came up during the last year.

My own view is that spying did take place, that CSIS and CSEC took the lead, and that it was entirely legal.

But others had different views. The commissioner's report says nothing on the topic.

Friday, August 22, 2014

Comments on CSE commissioner's report II

Some additional comments on aspects of the CSE commissioner's 2013-14 report, which was released by the Office of the CSE Commissioner (OCSEC) on August 20th (initial comments here):

I'm vigorous, dammit!

One of the things that leaps out about this year's report is how defensive CSE commissioners are getting about all the criticisms that have been leveled in recent years concerning their effectiveness as watchdogs.
In this, my first annual report, I want to set the record straight on what the Office of the CSE Commissioner does, how we do it and the way we develop reports.... I want to reassure Canadians, especially those who are skeptical about the effectiveness of review of intelligence agencies, that I am scrupulously investigating those CSEC activities that present the greatest risks to compliance with the law and to privacy. Rest assured that I will do so with the requisite vigour and all the powers of the Inquiries Act necessary to arrive at comprehensive conclusions. I will make public as much information as possible about these investigations, their resulting conclusions and any recommendations. Transparency is important to maintain public trust.
Let's give the commissioners and OCSEC their due. A lot of the criticisms that have been made in recent years have been off-base or exaggerated. It is clear that successive CSE commissioners and their staff have worked hard to inculcate a culture of legal compliance at CSEC and to develop and implement systems to monitor and measure that compliance—and that those efforts have brought significant improvements to the way CSEC does business. Canadians are much better off, I think, for having had OCSEC watching over CSEC.

But that is not to say that there haven't been any problems or weaknesses in the way OCSEC operates, including, for example, an apparent unwillingness to pull the trigger on compliance judgements, an inability to say almost anything comprehensible in annual reports (although this is gradually improving), a mandate excessively focused on compliance with the law, and an unwillingness or inability to use the insider knowledge that only commissioners and OCSEC have to advocate for changes to those laws to ensure that privacy protections keep up with the rapidly changing world of technology.

Read Wesley Wark's excellent commentary here for a reasoned critique of the performance of the office.

Where's the hammer?

For all of the useful work that OCSEC does, the minister responsible for CSEC cares about only one thing when he stands up in the House of Commons to respond to some concern about CSEC. And that is whether or not he can say that for the xth year in a row, the CSE commissioner has declared that all of CSEC's activities were in compliance with the law.

This year the commissioner has once again graciously provided the money quote:
Each year, I provide an overall statement on my findings about the lawfulness of CSEC activities. All of the activities of CSEC reviewed in 2013–2014 complied with the law.
With that on the record, the government can happily go back to ignoring the commissioner on things like the amendments to the National Defence Act that commissioners have been calling for since shortly after 2001 and which were actually promised by the government as long ago as 2007. (More here and here.)

It's about time commissioners stopped making that statement.

I'm not saying they should declare something in breach of the law if they don't believe there has been a breach. And there's probably some wisdom in talking things through behind the scenes in order get problems solved, as OCSEC clearly prefers to do, rather than pulling out the hammer and turning everything into a no-holds-barred confrontation at the first opportunity.

But let's be clear here. Every single CSE commissioner who has ever held the office (with the possible exception of Peter Cory, who held the job for such a short time he may not have formed an opinion on the question) has concluded that the Ministerial Authorization (MA) procedure that CSEC uses in order to enable it to legally intercept private communications is not supported by the law as it is written. No one is accusing CSEC of intentional law-breaking in this respect; it is the position of the Department of Justice, CSEC's legal advisor, that the current MAs do comply with the law, and there is every reason to believe that the government intended for the law passed in 2001 to make the current procedures legal.

But you're supposed to obey the laws you have, not the laws you wanted to have, so what the law actually says matters.

The government has had plenty of time to respond to the commissioners' warnings, either by passing amendments or by referring the question to the courts for a definitive interpretation.

It is time for the commissioner to pick up the hammer.

Imagine the reaction in Ottawa if this year's report, instead of providing the minister's money quote, declared that CSEC did not comply with the law in 2013-14, and that in the view of successive commissioners it had not been in compliance since 2001.

I think pandemonium wouldn't be too strong a word.

I can see why commissioners would be reluctant to bring the hammer down quite that hard, as it would amount to a call to shut down a large part of CSEC's operations—at least until amendments could be passed.

But even a statement that the commissioner is unable to affirm that CSEC's activities comply with the law would make the government sit up and take notice.

If Mr. Plouffe wants the government, and the public, to take OCSEC seriously, he should at least pick up the hammer.

The tepid statement in the current report is unlikely to do the trick:
Since the enactment of Part V.1 of the National Defence Act in December 2001, all CSE Commissioners have voiced concerns that certain fundamental provisions in the legislation lack clarity. In 2007, the government committed to amending the legislation to clarify these ambiguities. It is hoped that this can be resolved in the near future.

Supernumerary no more

The original CSE commissioner, Claude Bisson, did not believe that supernumerary judges should serve as commissioner, although the law establishing the job does permit it. (Background explanation here.)

The current commissioner was the only supernumerary ever appointed to the job. But this year's report confirms that he has now retired as a judge, so the question is for the moment again moot.

The Mosley imbroglio

The commissioner's report has disappointingly little to say about the CSIS 30-08 warrants blowout.

No discussion of the legality of CSEC asking Five Eyes partners to monitor Canadians on the basis of warrants that, it turns out, did not authorize Five Eyes involvement.

No discussion of the legality of the actions of senior CSEC official James D. Abbott, who admitted to Justice Mosley that his 2009 testimony was "crafted" to avoid mentioning to the court that Five Eyes assistance would be sought.

Why no comment on these issues?

It's ba-a-a-ack!

Earlier this year I noted that back in 2009 and 2010 the CSE commissioner had promised to conduct a review on the very interesting topic of CSEC assistance to CSIS with respect to s.16 of the CSIS Act, but that the review had never appeared.

Well, it's back (at least, the promise is):
The results of several reviews currently under way are expected to be reported to the Minister of National Defence in the coming year and included in my 2014–2015 annual report. The subjects of these reviews include:... a review of CSEC assistance to CSIS under part (c) of CSEC’s mandate and sections 16 and 21 of the CSIS Act.
I expect [redacted] will be [redacted] and [redacted] on that [redacted]. [Redacted]. But it could still be [redacted].

Looking forward to it.

More comments to come on other elements of the report, but that's it for now...

Wednesday, August 20, 2014

CSE commissioner's annual report released

The CSE commissioner's annual report was released today (PDF; HTML).

There is a lot of interesting information in the report, but the big news is that the commissioner was permitted to put a number on the use or retention of private communications (communications with at least one end in Canada) in the foreign intelligence part of CSEC's activities during 2012-13.

And that number is 66:
Overall, in 2012–2013, the volume of communications collected through CSEC’s foreign signals intelligence activities increased. However, the number of recognized private communications unintentionally intercepted and retained by CSEC was small enough that I could review each of them individually. At the end of the 2012–2013 ministerial authorization period, CSEC retained 66 of the recognized private communications that it collected. Of these, 41 private communications were used in CSEC reports (with any Canadian identities suppressed in the reports) and 25 were retained by CSEC for future use. All other recognized private communications unintentionally intercepted by CSEC were destroyed.
Sixty-six is a reassuringly small number, and the number of Canadians or other persons in Canada (hereafter "Canadian persons") involved in those communications could be even smaller, as some may have participated in more than one communication. (On the other hand, in theory a single communication involving a foreign target could go to a mailing list with dozens of Canadian persons on it, so the total number of Canadian persons implicated could be much larger.)

There are several other facts worth noting about this number.

First, it does not include any reporting, retention, or provision of private communications collected by CSEC under the cyber protection (Mandate B) or support to domestic law enforcement and security agencies (Mandate C) parts of its mandate.

[Update 19 November 2014: As shown here, the number of private communications used or retained by the cyber defence program (Mandate B) during the 1 December 2012 to 30 November 2013 reporting year was almost certainly in the low thousands, 15 to 60 times greater than the number reported for the foreign intelligence program by the CSE Commissioner.]

Second, it does not include any reporting or retention of private communications obtained by CSEC through its SIGINT partners. The report does acknowledge CSEC's "receipt from the Second Parties of intercepted communications and other foreign signals intelligence information, particularly private communications and information about Canadians." However, according to the commissioner, "The unintentional interception of a private communication by CSEC is a different situation than the unintentional acquisition by CSEC from a second party source of a one-end Canadian communication."

I have some difficulty understanding this point, as the Criminal Code definition of intercept includes to "listen to, record or acquire a communication or acquire the substance, meaning or purport thereof", which would seem to me to include acquiring it from Second Parties. But I'm no lawyer. Past commissioners have suggested that a definition of "intercept" ought to be included in those National Defence Act amendments that the government never bothers to get around to, and maybe that's why that suggestion was made. Does CSEC have its own definition of intercept that differs from the one in the Criminal Code?

Third, it does not include any reporting or retention of communications that are not considered private communications even though they do involve one or more Canadian citizens. An example would be a communication by a Canadian in which both ends of the communication are outside Canada (e.g., you're visiting France and you phone a business associate in Germany). CSEC is still not permitted to target Canadians under its Mandate A under such circumstances, but any such communication collected incidentally that met the relevant criteria could be reported or retained and would not appear in the 66 figure quoted by the commissioner.

Fourth, the figure includes only those private communications that were reported or retained. As the commissioner himself notes, "CSEC deletes almost all of the small number of recognized foreign signals intelligence private communications unintentionally intercepted by its collection programs" (emphasis added). Logically, this means that the 66 that were used or retained (i.e., not deleted) represent almost none of the total that were actually intercepted. How large is the latter number? The commissioner does say that the number intercepted is itself a "small number". But in comparison to the billions of private communications that Canadians participate in every year, some pretty large numbers might be characterizable as small.

None of this is to suggest that a massive program designed to monitor all Canadians lurks beneath that innocuous-sounding 66 number. But it's worth recognizing that 66 is far from the whole picture.

Another point: I really have a hard time with this term "unintentional" that the commissioners use. There are cases when CSEC is trying to collect a foreign communication and by mistake it pulls in a Canadian communication. Those could fairly be described as "unintentional" or, as CSEC seems to prefer, "inadvertent".

The cases that CSEC describes as "incidental" are a separate type. If CSEC collects a bunch of communications to or from one of its foreign targets, let's call him Osama, and one of those communications turns out to involve a Canadian, the collection of that Canadian's communication is termed "incidental" by CSEC. It wasn't collected by mistake. And it wasn't collected unintentionally either. It was done on purpose. The Canadian wasn't specifically targeted for collection, but CSEC certainly did want to know the identity of the people Osama was talking to and the content of those communications, and, as you might expect, they were especially interested in the Canadian angle. In fact, the law was changed in 2001 specifically to ensure that it is legal for CSEC to collect, use, and retain those targeted foreign communications that turn out to have one end in Canada.

I get that the commissioners are trying to distinguish between targeting specific Canadians and not targeting specific Canadians. But there is nothing "unintentional" about the fact that CSEC collects—and pays particular attention to—the communications of Canadians and persons in Canada when those communications are with one of CSEC's foreign targets. Even the term "incidental" is somewhat misleading, in my view, as it carries the implication that CSEC isn't really interested in the Canadian end.

They're interested.

Criticisms and comments notwithstanding, it' s nice to see the increase in transparency in this year's report by the commissioner.

There is a lot more of interest in this year's report, but that's all for now...

Media coverage:

- Colin Freeze, "Spy agency intercepted, kept communications of 66 Canadians," Globe and Mail, 20 August 2014
- Jim Bronskill, "Spy agency improperly kept Canadian info," Canadian Press, 20 August 2014
- David Pugliese, "Communications Security Establishment kept private communications of Canadians in violation of internal policies," Defence Watch blog, 20 August 2014
- Tonda MacCharles, "Canada’s electronic spy agency gets passing grade from watchdog," Toronto Star, 20 August 2014
- Kady O'Malley, "CSEC kept 66 'unintentionally' obtained private communications," CBC News, 20 August 2014

Update 21 August 2014:

- Editorial, "A glimpse into the iceberg that is CSEC," Globe and Mail, 21 August 2014
- Wesley Wark, "Canadian spy agency watchdog strikes a new pose," Ottawa Citizen, 21 August 2014. Excellent commentary by Canada's leading academic expert on intelligence issues.

Update 22 August 2014:

- Justin Ling, "Canada's Spy Agency Recorded Citizens' Calls, Internal Audit Reveals," Motherboard, 22 August 2014

Update 25 August 2014:

- Dan Leger, "Spies, guard dogs duck oversight," Chronicle Herald, 25 August 2014

Sunday, August 17, 2014

CSEC's LANDMARK tool for CNE operations

The recent c't Magazin article about Five Eyes methods of detecting computer devices vulnerable to exploitation (Julian Kirsch, Christian Grothoff, Monika Ermert, Jacob Appelbaum, Laura Poitras & Henrik Moltke, "NSA/GCHQ: The HACIENDA Program for Internet Colonization," c't Magazin, 15 August 2014) contains several slides from a CSEC presentation, apparently from 2010 or perhaps 2011, concerning a tool or program called LANDMARK:

As the first two slides indicate, LANDMARK is a tradecraft method or program used to identify "Operational Relay Boxes" (ORBs), computers that can be commandeered for use as "covert infrastructure" in Computer Network Exploitation (CNE) operations. ORBs are used to "provide an additional layer of non-attribution" (i.e., to make it more difficult to identify the perpetrator) for hacking operations to penetrate ("exploit") other computer networks, probably normally in a third country, and steal ("exfiltrate") data.

ORBs are sought in "as many non 5-Eyes countries as possible".

Other slides indicate that LANDMARK operations are at least partially automated and incorporated into CSEC's OLYMPIA "network knowledge engine" (further discussed here).

The slides also indicate that LANDMARK operations draw, at least sometimes, on information collected by GCHQ's HACIENDA tool, which searches for and compiles data on the vulnerabilities of computer devices, covering in many cases the computer infrastructure of entire countries. (See more on HACIENDA in the c't article.)

The description on the slide above notes that a February 2010 LANDMARK operation "encompasse[d] the whole of LONGRUN", possibly meaning that an entire country's infrastructure was examined. Twenty-four CSEC "network exploitation analysts" managed to identify more than 3000 potential ORBs in just a few hours.

This slide appears to show some of the HACIENDA data used in the February 2010 operation (the data is mainly from 2009, but it includes some items as recent as February 2010). You will probably need to go to this PDF version of the documents if you want to read the fine print for yourself. Interestingly, the computer screen capture, from CSEC's OLYMPIA tool, indicates that all the data shown pertained to Kenya. Is Kenya LONGRUN?

The slide notes that "network analysis" was "still manual" at this time.

By contrast, this slide suggests that, by the date of the presentation, "network analysis tradecraft to identify vulnerable devices" had become more automated within the OLYMPIA tool.

The final slide, which appears to refer to a more recent case involving a GSM provider that NSA's Tailored Access Operations directorate wanted to access, reports that an automated search for vulnerable devices using OLYMPIA took less than five minutes to perform.

The full set of slides that were published by c't Magazin, including excerpts from NSA and GCHQ documents as well as those from the CSEC document, is available here.

Update 25 August 2014:

Colin Freeze, "The Landmark file: Inside Canadian cyber-security agency’s 'target the world' strategy," Globe and Mail, 25 August 2014. Note the very interesting and previously unpublished comments by former CSEC Chief John Adams:
“We’ve got some bright young kids,” retired spymaster John Adams once told The Globe in an interview. “Virtually everything – 90 per cent of what they do – is CNO [Computer Network Operations] now. It opens it up to where they can literally go out and target the world.”

Update 27 August 2014

Patrick McGuire, "Canada’s Cyberspy Agency, CSEC, Hijacks Computers Worldwide to Build Their Spynet," Vice, 26 August 2014

Friday, August 15, 2014

CSEC amendments on permanent hold?

Colin Freeze has written a very interesting article on the government's failure to enact its long-promised amendments to the National Defence Act provisions concerning CSEC (Colin Freeze, "Harper government backtracked on bill to curb surveillance," Globe and Mail, 14 August 2014):
Legal fixes for Communications Security Establishment Canada, Ottawa’s electronic intelligence agency, had been considered “a legislative priority” by the Tories five years ago, to the point that then-defence minister Peter MacKay was successfully pushing for a package of amendments at the cabinet table.

These fixes were regarded as necessary because two former Supreme Court justices had highlighted the spy agency’s laws as flawed. So had other retired judges who had also left their courtrooms to serve as CSEC’s watchdog “commissioner.”


Yet the Conservatives’ years-earlier proposals for reform – which never materialized in Parliament – appear to have been moved back indefinitely.

“We are aware of recommendations to amend the National Defence Act but will not speculate on possible future legislative amendments,” wrote Julie Di Mambro, a spokeswoman for Mr. Nicholson, in reply to Globe questions. (The office of Mr. MacKay, now Justice Minister, declined comment.)

The bid to reform CSEC’s laws had been quietly building momentum within government, until an unrelated police-surveillance bill, C-30, was tabled and proved deeply unpopular. (Former public safety minister Vic Toews leached support away from that act with his polarizing remark that the Opposition “can either stand with us or with the child pornographers.”)
So apparently Vic Toews killed the amendments.

Presumably the government was afraid that the increased attention to surveillance and privacy issues precipated by C-30 would lead to too much interest in CSEC's intelligence-gathering powers and techniques when the NDA amendments came before parliament.

Here's what I wrote on the subject back when it looked like the government might actually do something.

Thursday, August 14, 2014

I am great

And you can see just how great here (assuming you can get beyond the paywall): Colin Freeze, Researcher connects dots on spy agency's monitoring of Wifi, Globe and Mail, 13 August 2014.

For those of you stuck on the outside, here are the key grafs:
Now, I've met Mr. Robinson, and consider him an argument for, and not against, the mosaic effect. Never an adversary of the state, he is more like an astute observer who has taken it upon himself to read well and deeply into a paucity of CSEC materials out there, to tell the public what he can about this important institution. In this way, he is more like an unpaid, unofficial public servant, soberly telling Canadians more about CSEC than the agency ever will itself.

So when Ottawa officials default to saying nothing of substance about CSEC, the Lux Ex Umbra blog - literally "light from darkness" - always has an insight. Peruse the postings over the past decade in their totality and what you'll see chronicled is an incredible story. The evolution of CSEC, its powers, its budget and its growing reach both inside and outside of Canada - a story everyone else had missed.

So here's to you Mr. Robinson. When government agents say 'we'd like to know a little bit about you for our files' and hide it in their hiding place where no one ever goes, it's nice to have a little light cast on such matters.
So there you have it.

Update 16 August 2014:

Further reporting/commentary on the question of how great I am:

Matthew Braga:
Meanwhile, Bill Robinson does some more amazing sleuth work in further analyzing CSEC’s airport wifi tracking initiative (and gets a much-deserved nod from The Globe and Mail for doing so, too.)

Professor Ron Deibert, Director, Citizen Lab:

This is really getting quite embarrassing.

I am left with no alternative but to reproduce all such comments here.

Update 21 August 2014:

Globe and Mail editorial declares me "a skillful amateur" ("A glimpse into the iceberg that is CSEC," Globe and Mail, 21 August 2014).

I guess this thing has just about run its course.

Update 24 August 2016:

...And we're back!

A salary would be nice too. Just saying.

Update 8 February 2017:

I've been asked to join the band!

Thanks for all the good wishes!

Update 25 August 2018:

Wednesday, August 13, 2014

July 2014 CSEC staff size

2174. Down from last month's 2220, which was the highest total ever. Probably the result of normal fluctuations.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Friday, August 08, 2014

Analyzing the "airport wi-fi" map

CSEC's 10 May 2012 IP Profiling Analytics & Mission Impacts presentation, one of the Snowden documents leaked to the press in January 2014 (previous discussion here), contained the intriguing slide depicted above, which shows some of the locations where the metadata records of devices detected at a major Canadian airport were also detected at other times within a two-week period.

The image is clearly a map, as the note stating that the "Longitude scale is non-linear" makes evident. But the absence of identifying features such as coastlines and borders, and the already-noted fact about the longitude scale, make it difficult to recognize the locations depicted.

What the legend doesn't say, however, is that the latitude scale is non-linear.

And that's because it's not.

At least, that's the conclusion I draw after having tested the hypothesis.

The devices depicted on CSEC's map were detected while connected through public wi-fi spots, but not all of those spots need necessarily have been in major cities. It is likely that not all of the spots on the map do in fact correspond to major cities.

It would appear, however, that most of them do, or at least to spots near major cities, as most seem to correspond within a pixel or so in terms of latitude to the locations of major cities. Longitudinal position cannot be calculated with similar precision because of the scale issue, but the cities identified also appear to line up pretty well in terms of their longitudinal position with respect to each other (allowing for changes such as compression of the Atlantic and Pacific oceans).

Check it out for yourself:

Note that, for clarity, the labels for Toronto, Ottawa, Montreal, and Quebec City are located next to the bars emanating from their respective spots rather than to the squares that represent the spots themselves. All of the city identifications are guesses, and it is quite possible that some of them are wrong, but I think their recognizable configuration and the precision of their latitudinal coordinates make the possibility that most are misidentified negligible.

What can we conclude from this map?

Several things, I think.

1) First of all, the airport that served as the seed location for the experiment was indeed Toronto/Pearson, as was widely suspected.

2) Devices were detected at wi-fi locations across Canada, ranging from Vancouver to Calgary, Edmonton, Sudbury, Ottawa, Montreal, Quebec City, Halifax, St. John’s, and even (apparently) Fort Smith, NWT.

3) Detections were also made at several locations around the world, including Kuala Lumpur, Hong Kong, Tokyo, Havana, Paris, Amsterdam, Rome, what appear to be two cities in India, many sites in the United States, and possibly Buenos Aires (not shown on the map excerpts above; check near the bottom of the slide in the original document). Thus, either CSEC was able to access metadata records from a wide range of countries around the world or—perhaps more likely—it picked up the locations of those devices that connected back to a Canadian service provider (e.g., to perform tasks such as accessing e-mail) when the metadata was collected at the Canadian end.

4) Detections were made at a large number of U.S. sites, including Los Angeles, the San Francisco Bay area, Salt Lake City, Chicago, Detroit, Atlanta, St. Petersburg, Charleston, New York City, and Washington. Did CSEC obtain this data from NSA or, again, was it picked up only if there was a Canadian end? Either way, by definition all detections within the U.S. must have involved devices operated by persons within the United States. The study thus provides clear evidence that not just U.S. agencies but also Five Eyes partners such as CSEC have the ability to access and analyze metadata information related to communications activities of persons in the United States, perhaps limited in the case of CSEC to those communications that extend into Canada, or perhaps not. What controls and safeguards exist with respect to CSEC use of this "U.S. person" data? (And what controls and safeguards exist to limit NSA access to and use of similar data relating to Canadian communications?)

More information and analysis about the project can be found here.

Tuesday, August 05, 2014

List of law enforcement and security agencies includes some surprises

The third element of CSEC's three-part mandate authorizes it to provide operational and technical assistance to federal law enforcement and security agencies (LESAs).

The primary LESAs are CSIS and the RCMP, but a CSEC document recently released in highly redacted form to Globe and Mail reporter Colin Freeze and placed online by him contains a surprisingly extensive list of departments and agencies that the government considers to be LESAs.

According to OPS-1-11: Retention Schedules for SIGINT Data (see document page 17),
Federal law enforcement and security agencies include, in the first instance, the RCMP and CSIS, and, second, the other federal government departments and agencies with law and regulatory enforcement functions, including Canada Border Services Agency, Canada Revenue Agency, Citizenship and Immigration Canada, Health Canada, Environment Canada, Industry Canada, Transport Canada, the Canadian Food Inspection Agency, the Department of Fisheries and Oceans.
And that's not an all-inclusive list, as it doesn't include the Department of National Defence, which is known to receive Mandate C support from CSEC.

Are there any other departments and agencies that are considered to be LESAs because they have regulatory enforcement or security intelligence functions?

Because CSEC's Mandate C operations can involve the specific targeting of Canadians and other persons in Canada, those operations are potentially the most intrusive of all of CSEC's activities.

It is a bit of a shock, therefore, to discover that the list of departments and agencies that can call on CSEC's services in this way is so extensive.

A oouple of caveats are in order, however, before anyone gets too freaked out.

First of all, CSEC can only provide support that is consistent with the legal authorities available to the LESA in question. CSEC cannot intercept the private communications of a Canadian for Health Canada, for example, unless Health Canada has first gone before a judge and obtained a warrant authorizing such interception. As far as I know (please let me know if I'm wrong!), most of these agencies are not empowered to seek such warrants, so the only forms of support that CSEC will be able to provide to most of them are those forms that do not require a warrant.

Still, it is possible that CSEC support could include a search of CSEC's existing SIGINT databases, and possibly some of the databases of its Five Eyes allies, even without a warrant. The FBI can "query" certain NSA databases for information about Americans without obtaining judicial warrants, for example. Can CSIS or the RCMP do the same in Canada? Could the Canada Revenue Agency, or some of the other LESAs on the list?

Second, statistics obtained earlier by Freeze demonstrate that only four Canadian LESAs—CSIS, the RCMP, the Canada Border Services Agency, and the Department of National Defence—have actually received "Support for Lawful Access" from CSEC in recent years (2009 to 2012).

Assuming these statistics cover all forms of Mandate C assistance (which they appear to do), the possibility of CSEC support to most of the departments/agencies on the LESA list would appear to be more theoretical than real, at least for now.

CSEC and data on Canadians

Globe and Mail reporter Colin Freeze has written a pair of interesting articles on CSEC's collection of data concerning Canadians: "Canadian intelligence sweeps often intercept private data, spy document reveals," Globe and Mail, 31 July 2014, and "CSEC won’t say how long it keeps Canadians’ private data," Globe and Mail, 4 Augusr 2014).

The first article looks at the interception of private communications and other information about Canadians during CSEC's Mandate (b) (cyber defence) operations to protect government information systems and networks:
In its fight against Chinese espionage and other cyberthreats, Canada’s electronic-intelligence agency intercepts citizens’ private messages without judicial warrants.

A 22-page “Operational Procedures for Cyber Defence” document obtained by The Globe speaks to just how Communications Security Establishment Canada (CSEC) can log, store and study volumes of electronic communications that touch government computer networks – including the “private communications” of Canadians not themselves thought to be hackers.


Intelligence officials, who say they never “target” Canadians, argue they need to make use of domestic communications to pinpoint threats.

“We take strict measures to protect the privacy of Canadians,” said Ryan Foreman, a spokesman for the agency. “… The total number of private communications used and retained is classified,” he said, but added that CSEC only keeps such messages “if they contain or are suspected to contain malware or other threats.”


While it is a crime for other federal agents to snoop on Canadians’ private communications without a warrant, CSEC has a get-out-of-jail-free card. In 2001, Parliament passed a law saying its interceptions are beyond Criminal Code constraints, so long as the politician running the Defence Department signs what’s known as a “ministerial authorization.”

Not much is known about how such powers have been used over the past 13 years, beyond giving CSEC leeway to intercept citizens’ full communications without criminal consequence. (Grabs at telecommunications traffic, or “metadata,” are accomplished by CSEC under different legal reasoning.)

Seeing interception of private communications as an inevitability, CSEC takes pains to handle them with care. The cyberdefence operations document says strict steps must be followed, not just by CSEC employees, but also by outside contractors and “secondees” from other agencies.

The process starts when a federal “client” department writes CSEC requesting a cyberdefence operation. The spy agency then warns of how its tools may risk intercepting private communications. Captured communications considered private can be retained, analyzed or even shared by CSEC if they meet the threshold of being either “relevant” or “essential.” Any “Canadian identity information” is usually kept secret in such exchanges.
This article prompted a rare riposte from CSEC Chief John Forster, who charged that it "mischaracterizes how our organisation protects Government of Canada systems and networks and ignores the measures that Communications Security Establishment (CSE) has in place to protect the privacy of Canadians - including that all of our activities are reviewed by the independent CSE Commissioner to make sure we act lawfully and protect Canadians’ privacy."

I expect the Globe and Mail thanked Forster for his input and told him to come back when he could point to something specific that the article got wrong.

You can read CSEC's own explanation of its cyber activities and privacy protections here and here.

The second article examines the rules concerning how long CSEC can hold on to data about Canadians:
The federal government’s secretive electronic intelligence agency is not disclosing how long it can hold onto Canadians’ communications – even though its leaders have said that “firm” time limits are in place to protect privacy.

The strictures surrounding Communications Security Establishment Canada’s data-retention periods – including those affecting recognized “private communications” and also “metadata” – are blacked out from an operational document obtained by The Globe and Mail.

The redactions of this document are so extensive that little is revealed, beyond the latest indication that CSEC is drawing from unspecified sources within Canada.

“The retention schedules outlined in these procedures deal with SIGINT [signals intelligence] data acquired from Canadian [word redacted] sources,” it says.

CSEC came under fire this winter for violating privacy, after a leak showed that a “Canadian special source” – never described further – had helped the agency identify and track Internet-using devices that had passed through a Canadian airport.

In February, CSEC chief John Forster responded to criticisms by telling a parliamentary committee that such activities are fully legal, and in keeping with the secret orders the agency gets from Minister of National Defence Rob Nicholson. “The data wouldn’t be retained any longer than we needed it for that exercise, and the ministerial directive has a firm end-of-retention date,” he said.


The “Retention Schedules for SIGINT Data” document, newly disclosed under Access to Information laws, indicates a complex calculus is at play.

A chart where boxes are largely blacked out suggests that retention periods can differ depending on which of the CSEC’s three mandates is engaged to intercept communications – foreign intelligence, cyber defence, or in helping other federal agencies.

Retention periods are also governed by whether CSEC intercepts full communications or just “metadata” traffic, whether the underlying information is considered “essential” – and especially whether a known “private communication” of a Canadian has been caught.
The document that was released, OPS-1-11: Retention Schedules for SIGINT Data, has been placed online by Freeze and can be found here.

Although the details have all been redacted, we do know something about the maximum time periods during which some such information can be retained.

According to the description of CSEC's PPU 040 databank, which holds information about Canadians that is considered relevant to CSEC's foreign intelligence reporting, such information can be "held indefinitely".

By contrast, information retained about Canadians that was collected during CSEC's cyber defence operations, which is held in the PPU 007 databank, "is held for up to thirty years then transferred to LAC [Library and Archives Canada]."

Jim Bronskill of the Canadian Press recently reported on PPU 007.

Monday, August 04, 2014


The latest report by Glenn Greenwald concerns the NSA relationship with Israel ("Cash, Weapons and Surveillance: the U.S. is a Key Party to Every Israeli Attack," The Intercept, 4 August 2014), but it also notes that CSEC cooperation with Israel also occurs.

Based on documents leaked by Edward Snowden, the article states that
Over the last decade, the NSA has significantly increased the surveillance assistance it provides to its Israeli counterpart, the Israeli SIGINT National Unit (ISNU; also known as Unit 8200), including data used to monitor and target Palestinians. In many cases, the NSA and ISNU work cooperatively with the British and Canadian spy agencies, the GCHQ and CSEC....

The surveillance-sharing relationship with Israel has expanded to include the NSA’s British and Canadian counterparts, GCHQ and CSEC, both of which actively participate in feeding the Israelis selected communications data they have collected. Several documents from early 2009, at the height of the Israeli attack on Gaza called “Cast Lead” that left more than 1,000 people dead, detail some of this cooperation.

One top secret 2009 GCHQ project named “YESTERNIGHT” involved “Ruffle,” the British agency’s code name for ISNU. According to the document, the project involved a “trilateral (GCHQ, NSA and Third Party RUFFLE) targeting exchange agreement covering respective COMSAT accesses.” One of the “specific intelligence topics” shared between the parties was “Palestinians”, although the GCHQ document states that “due to the sensitivities” of Israeli involvement, that particular program does not include direct targeting of Palestinians and Israelis themselves. Another GCHQ document from February, 2009, describes “a quadrilateral meeting for RUFFLE, NSA, CSEC and GCHQ.”
No other details provided.

Update 18 August 2014:

Patrick McGuire, "Canada Spies on Israel's Enemies," Vice, 18 August 2014