Collection of private communications under CSE's cyber defence program
Documents recently released under the Access to Information Act reveal that thousands of "private communications" of Canadians were collected and used or retained by CSE in the course of its cyber defence operations during a recent one-year period.
The precise number of communications used or retained is redacted in the documents released to Globe and Mail reporter Colin Freeze. But analysis of the size of the redactions indicates that the number is somewhere between 1000 and 3996, which means that it is 15 to 60 times as large as the total of 66 private communications collected and used or retained by CSE’s foreign intelligence program during fiscal year 2012-13, as recently reported by the CSE Commissioner.
CSE's Cyber Defence Activities Annual Report on Private Communications for the period from 1 December 2012 to 30 November 2013 begins on page 5 of the documents. The total number of private communications, abbreviated as PC, used or retained by CSE during the year is reported on the next page.
That number is redacted, but it can clearly be seen that there is room for a four-digit number in the censored space, indicating that the number was somewhere between 1000 and 9999.
Summaries of quarterly reports were also released with the documents. The summaries for the four quarters comprising the 2012-13 reporting year can be found on pages 9 and 10. In each case, these summaries show that a three-digit number of private communications (i.e., somewhere between 100 and 999) were used or retained during the quarter, meaning that the annual total cannot have been higher than 3996.
Together these ranges indicate that the total number of private communications used or retained by CSE in the course of cyber defence operations was between 1000 and 3996 in 2012-13, a number that dwarfs the 66 used or retained in the course of its foreign intelligence operations around the same time.
The quarterly reports that were released to Freeze cover more than just the 2012-13 year, and all of the reports from the 1 March 2011 to 31 May 2014 period note that an apparently significant but redacted two-digit percentage of the communications used or retained by the cyber defence program "consisted of emails that contained malicious code" or "emails containing malicious links or attachments attempting to compromise Government of Canada (GC) systems and networks."
This suggests that a large percentage of the communications used or retained may have consisted either of e-mails sent by Canadians with the deliberate intent of compromising or damaging government systems or (probably more often) e-mails sent from compromised Canadian computers without the knowledge of the Canadian owner.
Either way, few people are likely to object to such communications being used or retained by cyber defence authorities.
Of greater potential concern is that some of the communications monitored in the course of cyber defence operations could end up containing information considered useful by the intelligence side of the agency. (Which is not to say that such use would itself necessarily be unjustified.)
The quarterly reports for the 11 March 2010 to 31 November 2011 period all note that a redacted number of communications (sometimes two, sometimes three digits) were "shared with SIGINT".
For example, the four reports that cover the 1 December 2010 to 31 November 2011 reporting year feature 2 three-digit redactions and 2 two-digit redactions, indicating that the total number of private communications "shared" during that year was somewhere between 220 and 2196 ((100 to 999) + (100 to 999) + (10 to 99) + (10 to 99)). Even if the actual figure is at the bottom end of this range, this suggests that the number shared was more than three times as great as the 66 private communications collected and used/retained by the foreign intelligence (SIGINT) program itself during fiscal year 2012-13; in theory, it could be as much as 33 times as great.
Did "sharing" with the SIGINT program continue after 2011? The documents released don't answer that question one way or the other.
If it does continue, the above figures suggest that the number of private communications obtained by the SIGINT program through the cyber defence backdoor could very significantly exceed the number obtained (or at least the number used or retained) through the SIGINT program’s own collection efforts.
Update 25 February 2015:
The CBC and The Intercept have published detailed reports on CSE's cyberdefence program based on another Snowden document (Amber Hildebrandt, Michael Pereira & Dave Seglins, "CSE monitors millions of Canadian emails to government," CBC News, 25 February 2015; Ryan Gallagher & Glenn Greenwald, "Canadian Spies Collect Domestic Emails in Secret Security Sweep," The Intercept, 25 February 2015). The document itself can be found here.
The CBC also published a set of CSE responses to questions that its reporters put to the agency.
Part of that response concerns information-sharing with the SIGINT program. According to CSE, "Information collected under our foreign intelligence and cyber security mandates is managed separately. When information is shared between the two operational areas, it is to help better understand malicious cyber threats so that we can more effectively defend government systems." The response also states that "Data collected under CSE’s IT Security mandate that is found to pose no threat cannot be accessed or used for its foreign intelligence or technical assistance mandates."