Friday, February 28, 2014

CSE Commissioner's budget cut

CSEC's budget is continuing to increase, but the budget of the Office of the CSE Commissioner (OCSEC) is set to decline, according to the 2014-15 Main Estimates (see page 258).

The Estimates report that OCSEC's 2014-15 budget will be $2.024 million, which represents a 4% decrease from 2013-14's budget of $2.113 million and an 11% decrease from 2012-13's budget of $2.286 million. Adjusting for inflation, the declines are probably closer to 6% and 14% respectively.

Update 6 March 2014:

See explanation for the budget changes here.



CSEC budget up again

According to the 2014-15 Main Estimates, CSEC's 2014-15 budget will be $829.1 million (see page 132), a huge increase over last year's budget. The 2013-14 Main Estimates put the CSEC budget at $422.2 million. That figure was increased to $460.9 million later during the fiscal year, but the total that will actually be spent in 2013-14 is currently estimated to be $443.7 million.

Most of the increase is accounted for by a one-time payment of $300 million towards the cost of constructing CSEC's new headquarters complex.

When that one-time cash is excluded, CSEC's 2014-15 budget totals $529.1 million, which is still significantly higher than the 2013-14 budget.

Almost all of the increase is accounted for by an "increase of $100.8 million for contract payments in 2014–15 which includes maintenance of CSE’s new facility". CSEC will be making annual payments of about this size for the next 35 years as part of the public-private deal through which the complex is to be maintained. The payments will cover regular updating of much of CSEC's computer systems as well as maintenance of the buildings themselves, which explains why the figure is so high.

The new budget level means that, for the first time, CSEC's core budget ($529.1 million) exceeds the budget of the Canadian Security Intelligence Service ($516.2 million), making CSEC Canada's largest intelligence agency in terms of funding. (The overall budget of the Canadian Cryptologic Program, which includes the Canadian Forces Information Operations Group as well as CSEC, is probably closer to $650 million.)

CSEC's 2014-15 personnel budget, on the other hand, is only slightly higher than it was estimated to be in 2013-14 ($228.3 million compared to $225.3 million), which may even represent a slight decrease after accounting for inflation. If the estimate for this year is accurate, this may indicate that CSEC is at the end of its long post-9/11 period of staff growth.

News coverage:

Jim Bronskill, "Eavesdropping agency's budget gets big increase, while watchdogs face cuts," Canadian Press, 27 February 2014.

Thursday, February 27, 2014

Recent CSEC coverage/commentary



Recent CSEC coverage/commentary worth reading:

Carl Meyer, "CSEC’s policy arm rises to prominence," Embassy, 26 February 2014
- The CSEC organization chart shown above accompanied Meyer's article.

Paul Meyer, "Supervising Surveillance: Oversight and the Communications Security Establishment Canada," Cyber Dialogue, 24 February 2014
- The former Director-General of the Security and Intelligence Bureau at Foreign Affairs recommends improvements in CSEC oversight. (Hi, Paul!)

Colin Freeze, "Privacy or national security: Have spy agencies gone too far?" Globe and Mail, 27 February 2014
- Online debate featuring reporter Colin Freeze, lawyer Caily DiPuma, law professor Craig Forcese, and Executive Director of the Office of the CSE Commissioner J. William Galbraith.

Tuesday, February 25, 2014

Revisiting the Commissioner's reports: It's supernumeraryman!

Still on the subject of past CSE Commissioners' reports...

In his final annual report (2002-03), the first CSE Commissioner, the Hon. Claude Bisson, expressed concern about the possibility that a supernumerary judge might be appointed to be Commissioner:
Paragraph 273.63 (1) of the National Defence Act provides that the Governor in Council may appoint either a supernumerary judge or a retired judge of a superior court as Commissioner of the Communications Security Establishment. However, I am concerned that a supernumerary judge would face serious limitations in carrying out the full range of duties and responsibilities involved.

These limitations arise from the blurring of lines between the executive and legislative arms of government on the one hand, and the judiciary on the other, that would result from appointing a supernumerary judge. For example, a supernumerary judge would not be in a position to comment on proposed legislation – as I have had occasion to do from time to time. Similarly, a supernumerary judge ought not to appear as a witness before parliamentary committees. Although I am somewhat disappointed not to have been called as a witness before parliamentary committees to discuss my annual reports, as a retired judge I would at least have been able to do so.
A supernumerary judge (someone correct me if I'm wrong here) is one who no longer performs regular judicial duties but still holds office as a judge and is available to perform part-time duties.

Of the six individuals who have been appointed CSE Commissioner since the office was created in 1996, only one wasn't fully retired from the judiciary at the time of his appointment.

The sole supernumerary judge appointed to the position is the current officeholder, the Hon. Jean-Pierre Plouffe. According to his biography on the CSE Commissioner website, "He will remain a supernumerary Justice until April 2014, when he will then retire."

Was Commissioner Bisson correct when he wrote that a supernumerary judge ought not to appear as a witness before parliamentary committees or to comment on proposed legislation?

I certainly don't know, but the question is far from irrelevant: Commissioner Plouffe has already appeared before the Standing Senate Committee on National Security and Defence.

Monday, February 24, 2014

Revisiting the Commissioner's reports: Missing s.16 review

Here I am, spending my weekend reading through back issues of the CSE Commissioner's annual report (yeah, I don't have a life) when I see what looks like a promising upcoming review mentioned in the 2008-09 report:
Other reviews that are underway or planned for the next reporting year include: ... CSEC’s assistance (under part (c) of its mandate) to the Canadian Security Intelligence Service under section 16 of the CSIS Act.
Section 16 is the part of the CSIS Act that enables CSIS to collect foreign intelligence in Canada at the request of either the Minister of Foreign Affairs or the Minister of National Defence. When CSIS gets the go-ahead for such operations, it can then bring CSEC in if necessary to assist in the operation through part (c) of CSEC's mandate, which authorizes CSEC to provide assistance to federal law enforcement and security agencies.

As I commented here, s.16 probably provides the legal basis for the collection of foreign embassy communications in Canada. And if monitoring was done at the G8 and G20 summits, that monitoring was also probably authorized through s.16.

It was concern about the "private communications" of Canadians getting monitored during the interception of embassy communications that led former CSE employee Jane Shorten to blow the whistle about privacy violations in 1995.

All in all, it seems like a pretty interesting topic for a review.

So off I go to the 2009-10 annual report to find out what transpired in the Commissioner's review (or whatever he would be willing to report about it, anyway).

No s.16 review.

Well, that's OK. Some of these reviews take more than a year to complete, and indeed the 2009-10 report promises that
Other reviews planned for 2010–2011 include: ... CSEC assistance to CSIS under part (c) of CSEC’s mandate and sections 16 and 21 of the CSIS Act.
On to the 2010-11 report!

Well, you can guess where this is going.

No review.

And no promise of a forthcoming review, either in that report or in any subsequent report!

Nor is there any mention of such a review having been conducted in the CSE Commissioner's list of classified reports provided to the Minister of National Defence over the years.

What happened to the s.16 review?

Sunday, February 23, 2014

Rigby, Coulombe, and Forster testimony

On February 3rd, National Security Advisor Stephen Rigby, CSIS Director Michel Coulombe, and CSEC Chief John Forster testified before the Standing Senate Committee on National Security and Defence. The transcript of that session is available online. (See also Forster's prepared remarks here.)

The session covered a lot of interesting ground, ranging from the number of Canadian extremists thought to be in Syria (about 30) to the news that the government is appealing the recent Mosley decision concerning Five Eyes monitoring of Canadians abroad. The primary topic of discussion during the session, however, was CSEC's IP Profiling Analytics & Mission Impacts document, AKA the "Airport wi-fi" story, which the CBC had revealed just four days earlier.

By now, we all know the basic substance of the official explanation for the project: the whole thing was perfectly legal, it was just a study used to develop techniques for finding foreign terrorists and kidnappers, and it wasn't even about Canadians or persons in Canada (despite the fact that the data used were derived almost exclusively from persons in Canada).

But it's still interesting to see exactly what was said.

In reading the testimony, I got the distinct impression that as part of the Five Eyes effort to master the global internet, CSEC collects, uses, and stores (for a classified period of time) pretty much all of the Canadian communications metadata it can lay its hands on.

Background here and here.

Sunday, February 16, 2014

Get your Plouffe on

From the Creekside blog:



Great stuff.

Who has Five Eyes and deep pockets?



Back in October (and August) I asked who is funding CSEC through the "Foreign Partners -- Security" account and what is the purpose of the fund.

The Globe and Mail picked up on those questions, and now, thanks to the Access to Information Act (h/t Carl Meyer), we can read CSEC's official quasi-answers:



In brief, "The money came from the Five Eyes partnership", and it "reflects investments received from partners for cryptologic research and development that will enhance Canada's national security."

So it's Five Eyes money.

Now, maybe the Five Eyes have some kind of Top Secret Dragon's Den operating where they all get together to decide whether to fund struggling SIGINT agencies that are trying to bring bright cryptologic ideas to market. But I doubt it.

The only member of the Five Eyes with the kind of deep pockets to go around tossing money at partner agencies is the NSA. Even GCHQ, the only other Five Eyes agency that is larger than CSEC, is a recipient of NSA money (£34.7m in 2011-12).

It looks like the cash comes from the NSA.

Friday, February 14, 2014

CSEC HQ at night



Chuck Clark took a great night shot of the new CSEC headquarters on February 12th. CSIS headquarters can also be seen in the photo (the triangular building just behind the CSEC complex).

The image is very similar to visual artist Trevor Paglen's recent nighttime photos of U.S. intelligence agency headquarters buildings.

You can see earlier photos by Chuck Clark here and here.

Thursday, February 13, 2014

January 2014 CSEC staff size

2173, a new record.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Q: Why did CSEC spy on Canadian wi-fi? A: It's all good!

The CSE Commissioner has updated his earlier comments on the legality of CSEC's wi-fi metadata spying (previous discussion here, here, here, and here). Yesterday, the Commissioner, or his office, added an additional question and answer addressing the issue to the Commissioner's Frequently Asked Questions page:
The Commissioner’s office has been briefed by CSEC about the metadata activity referred to in the CBC story. We questioned CSEC employees involved in the activity and who prepared the presentation, and we examined results of the activity.

This activity is used by CSEC to understand global communications networks. We concluded that this CSEC activity does not involve “mass surveillance” or tracking of Canadians or persons in Canada; no CSEC activity was directed at Canadians or persons in Canada.

We are also satisfied that the details and explanation that the Chief of CSEC provided on February 3, 2014, before the Senate Committee on National Security and Defence are accurate.
The Commissioner's answer also asserted flat out that
If CSEC were tracking the movements, on-line or other activities of persons at a Canadian airport, that would be illegal.
The claim that CSEC's activities in this affair have been legal hinges, first and foremost, on a secret (and judicially untested) interpretation of the term "directed at", as explained in an excellent post by law professor Craig Forcese ("Faith-based Accountability: Metadata and CSEC Review," National Security Law blog, 13 February 2014):
I don't know enough about the technology to have an opinion on whether the CSEC program involved "tracking". Whether it was "mass surveillance" is, I suppose, in the eyes of the beholder, since this is a colloquial and not a legal concept. But when the Commissioner says "no CSEC activity was directed at Canadians or persons in Canada" this is a legal judgment -- this language circumscribes CSEC's foreign intelligence mandate in its governing legislation.

I have struggled with what this phrase means, speculating on tools of statutory interpretation that might favour a government view on the reach of "directed". But even then, my imagination has failed to find ways to make even a narrow view of "directed" line up with what seem to be the core facts: information was collected by CSEC from a Canadian airport that, by definition, came (exclusively, I would think) from Canadians or persons in Canada. I do not think it makes any legal difference from a CSEC mandate perspective if this information was extracted from a willing (or unwilling) third party, or that it was archived and not real time.

But it is very possible I am wrong. There is only so much one can say conclusively when confronted with the inequality of arms in this most secret of areas. But legal doubts need to be assuaged with real law. And so the government needs to show its legal cards. It is long past the time when a bare assertion of legality suffices, when that assertion is based on a legal theory that no one outside of government has seen.
The relevance of the question extends far beyond the brief wi-fi analysis experiment reported by the CBC. What is at stake is whether the term "directed at" allows only a limited and carefully conscribed window into the communications and non-communications activities of Canadians/persons in Canada or has the effect of throwing open the barn door to the wholesale collection, analysis, use, retention, and sharing of vast quantitities of metadata or other information, including potentially "private communications", by or about Canadians.

The National Defence Act requires both that CSEC's foreign-intelligence-related collection of "private communications" be "directed at" a foreign entity outside of Canada and that its collection of other kinds of information not be "directed at" Canadians or persons in Canada. In both cases, the meaning of "directed at" is fundamental.

The CSE Commissioner's support for CSEC's actions in the wi-fi affair seems to mean that he and CSEC agree that "directed at" is not a simple synonym for selection of communications based on the identity/location of the communicants. It seems to refer not to who is communicating but to the kind of information being sought. And if that is true, then (in the government's view) the legal door may be open to the processing of every single "private communication" made by Canadians -- as long as the purpose of the activity is to collect information related to foreign entities located outside Canada.

And the door to the processing of metadata and other kinds of information that the government does not consider to be "private communications" could be open even wider, requiring only that CSEC's actions not be specifically directed at obtaining information about Canadians or persons in Canada. Collection of all metadata produced in Canada might be conducted, for example, as part of the global collection of such data in order "to understand global communications networks" (the purpose, according to the Commissioner, of the wi-fi experiment).

It is worth recalling at this point that there is no evidence that the metadata used in the wi-fi experiment was collected specifically for that experiment. It appears, instead, to have been drawn from an existing metadata database that almost certainly extends far beyond the several Canadian airports, hotels, businesses, coffee shops, and other locations where the monitored devices were detected and also almost certainly extends far beyond the two-week window of the experiment.

Is CSEC currently collecting a comprehensive, or near comprehensive, or any kind of ongoing database of metadata concerning communications-related activity in Canada? And is it analyzing those activities for information relevant to its foreign intelligence targets, such as visits to websites associated with suspect causes?

And what about the "private communications" of Canadians? If "directed at" is not a synonym for selection of communications based on the identity/location of the communicants, then monitoring "directed at" Al Qaeda (a foreign entity located abroad), for example, could very well include the processing of Canadian "private communications" for suspicious content even when no known foreign suspect is a party to the communication. (And nothing says the target of the monitoring has to be a terrorist group; it could be, as an earlier commenter here suggested, the European Union, or one of any number of other foreign intelligence targets.)

The CSE Commissioner has stated that "The number of communications with a Canadian end (a “private communication”) that are unintentionally [sic] intercepted, and used or retained by CSEC under SIGINT ministerial authorizations, is small; the number is small enough that the Commissioner is reviewing all of these private communications". This is an important reassurance, but "used or retained" refers to those communications that CSEC determines to contain information pertinent to its foreign intelligence targets; clear statements about how many Canadian "private communications" are actually processed in order to find those that are used or retained are much harder to find.

And even if the number actually being processed is also currently small, as may well be the case for reasons of technology or policy or whatever, it is vitally important to know where the line that defines what is legal is drawn. Exactly what, in the view of the government and of the CSE Commissioner, can CSEC legally do? Technology and policy can change, and they can do so far from the public eye. The sole aspect of CSEC's behaviour for which the CSE Commissioner has a mandate to hold CSEC to account is the legality of that behaviour. And a reassurance in that regard means nothing if we have no idea what behaviour may be regarded as legal.

Nor, it could also be pointed out, are any of the Commissioner's reassurances useful if we have no way to interpret what he is saying.

When the CSE Commissioner can tell Canadians that a CSEC activity that apparently drew on a massive database of metadata concerning the activities of Canadians and other persons in Canada, assembled a set of user IDs seen at a Canadian airport, and then followed those IDs backward and forward in time to a variety of different Canadian locations "[did] not involve 'mass surveillance' or tracking of Canadians or persons in Canada" -- when the Commissioner can assure us that "If CSEC were tracking the movements, on-line or other activities of persons at a Canadian airport, that would be illegal" and then go on to assert that CSEC's wi-fi experiment doing just that was not illegal -- it is clear that we are not using a shared vocabulary.

Dear CSE Commissioner: We cannot know your meaning unless we share a vocabulary. If we do not know your meaning, your assurances are meaningless.

News coverage:

- Jim Bronskill, "Watchdog review clears spy agency's experiment with airport Wi-Fi data," Canadian Press, 13 February 2014
- Stewart Bell, "Spy agency did not illegally snoop on Canadians over airport Wi-Fi: watchdog," National Post, 13 February 2014

Update 14 February 2014:

- "Watch the metadata-gatherers closely," editorial, Globe and Mail, 13 February 2014
- Noushin Khushrushahi, "Guard dog or watchdog? It’s time to set the story the straight about CSEC spying," OpenMedia.ca, 13 February 2014

Further update 14 February 2014:

- Greg Weston, "CSEC exoneration a 'mockery of public accountability'," CBC News, 14 February 2014


Wednesday, February 12, 2014

Honour among data thieves II

The "common understanding" that exists among the Five Eyes countries that they won't spy on each other seems to be less and less commonly held:

"Obama: No country where we have no-spy agreement," Associated Press, 11 February 2014.

See Honour among data thieves, UKUSA version for a look at how the "understanding", which does seem to exist, probably works in practice.

Update 2 May 2014:

U.S. National Security Advisor Susan Rice also asserts (says the New York Times) that "the United States [does] not have no-spy agreements with any of its close allies, even with the other members of the so-called Five Eyes — the United States, Britain, Canada, Australia and New Zealand" (David Sanger, "U.S. and Germany Fail to Reach a Deal on Spying," New York Times, 1 May 2014).

Monday, February 10, 2014

Campaign against mass surveillance

A number of citizen groups around the world have designated February 11th as the international day to fight back against mass surveillance.

Canadian organizers here: thedaywefightback.ca

Update 11 February 2014: Commentary by Michael Geist: "The Day We Fight Back Against Mass Internet Surveillance: What Canadians Can Do," michealgeist.ca, 11 February 2014

Friday, February 07, 2014

Leitrim ops building plans posted online



Detailed architectural drawings of the operations building at CFS Leitrim have been posted online as part of a tender for renovation work, the Ottawa Citizen reports (Ian MacLeod, "Government Posts Schematic Diagrams of Canadian Military Spy Operations Centre On The Internet," Ottawa Citizen, 6 February 2014):
The drawings are attached to a Public Works tender issued Wednesday for a renovation fit-up of the ops room, the heart of Canadian Forces Station Leitrim, the country’s oldest signals intelligence listening post targeting foreign electronic communications. ...

The fit-up plans show not only the location of the ops room within the main building, but the number and arrangement of desks, computer screens, specifications of the voice data power system, a reflected ceiling plan, electrical and mechanical requirements and more.

[Update 1:00 pm: The documents are no longer available: Ian MacLeod, "Diagrams of top-secret Leitrim spy centre yanked from Canadian government website," Ottawa Citizen, 7 February 2014.]

[Update 11 February 2014: The drawings have now been placed back online. Ian MacLeod has the story: "Spy station renovation project cancelled, then reposted online," Ottawa Citizen, 11 February 2014.]

The main Leitrim Operations Building was completed in 1995. According to figures published at the time, the building totals 6890 square metres, including a 3430 square metre shielded area, which would contain the operations room. In addition to the operations area, the building contains offices, workshops, a technical maintenance section, and mechanical rooms (electrical room, UPS room, generator room, chiller room, etc.).

An older operations building, built in 1969, is attached to the newer building (the rectangular space at top right of the diagram).

This is not the first time surprisingly detailed information about CFS Leitrim has been published online. In 1997, DND posted a report and annexes listing the titles and locations of all 768 Communicator Research trade positions in the CF Supplementary Radio System as of 1 November 1996, including all 313 positions then at Leitrim.

The subsequent completion of the project to convert the SIGINT sites at Alert, Gander, and Masset to remote operations and the transfer of CFIOG headquarters to Leitrim have led to significant growth at the station, with the military population (all trades) at the station probably now exceeding 500.

Update 11 February 2014: The changes to the operations room could be part of, or related to, the upgrade in CFIOG SIGINT capabilities currently underway under Project SPRINGTHAW.

Tuesday, February 04, 2014

Three "must reads" and one "don't look"

Some excellent must-read coverage/commentary on CSEC issues today:

1) An analysis of the legal issues around CSEC metadata monitoring:

- Craig Forcese, "Armchair Metalawyering Metadata: CSEC's Mandate and the Latest Snowden Release," National Security Law blog, 4 February 2014

2) A commentary on why ensuring legal compliance and improving CSEC oversight are not enough:

- Michael Geist, "Against Oversight: Why Fixing the Oversight of Canadian Surveillance Won't Solve the Problem," michaelgeist.ca, 4 February 2014

3) An explanation of what CSEC was trying to achieve in its IP Profiling Analytics & Mission Impacts project:

- "Did CSEC really track Canadian airport travellers?" Top Level Communications blog, 4 February 2014

The "don't look" was today's House of Commons debate on CSEC surveillance.

Don't bother looking. Just keep reminding yourself: Worst form of government except for all the rest. Worst form of government except for all the rest.

Update 10:30 pm:

And still I can't help looking...

If nothing else, the day's events sent a pretty clear signal that the Harper government has no intention of augmenting parliamentary oversight of CSEC and other agencies.

Coverage:
- Jim Bronskill, "Liberals' CSEC Watchdog Committee Motion Shut Down By Tories," Canadian Press, 4 February 2014
- Trinh Theresa Do, "Liberals call for parliamentary oversight of CSIS, CSEC," CBC News, 4 February 2014

Monday, February 03, 2014

Wi-fi spy guys II


(Above) Creekside blog looks at the CSEC wi-fi controversy.

More coverage/commentary:

- Bruce Schneier, "CSEC Surveillance Analysis of IP and User Data," Schneier on Security, 3 February 2014 -- very helpful analysis
- "Needed: More eyes on Canada’s spies," editorial, Globe and Mail, 2 February 2014

It is also highly worth listening to today's edition of the CBC Radio show The Current, featuring Interim Privacy Commissioner Chantal Bernier, Western University professor Jacquelyn Burkell, and Citizen Lab's Christopher Parsons (podcast here).

Today's 4 to 8 pm meeting of the Senate Committee on National Scurity and Defence could also be enlightening. (Hope springs eternal.)

Update 7:00 pm:

Well, the Senate hearing did manage to clarify matters somewhat, although many of the key details remain unaddressed or withheld.

In essence, the government's position is that the metadata project reported by the CBC did take place, that its purpose was to develop targeting and analysis techniques that are in fact now being used operationally by CSEC, and that the collection, analysis, use, and retention of Canadian metadata is a normal part of CSEC's operations, necessary to those operations, and entirely legal. Officials also insist, however, that CSEC does not use the data to target Canadians for foreign intelligence purposes. The impression left was that the collection of Canadian metadata is extensive and may be close to all-encompassing, but no figures were provided, and officials also declined to disclose the retention period for the data. There was no discussion of the degree to which CSIS and the RCMP may have access to CSEC's metadata files (or the extent to which they may have their own files), and no discussion of whether or not CSIS and the RCMP require judicial warrants in order to use metadata in their investigations involving Canadians and/or to seek CSEC's assistance in utilizing that data. There was also no discussion of the extent to which Canadian metadata can be accessed by CSEC's Five Eyes allies or what controls may be in place on the use of that data.

Good coverage by the Globe here:

Colin Freeze, "Nothing wrong with monitoring airport wi-fi, Harper security adviser says," Globe and Mail, 3 February 2014

Additional coverage:

- Laura Payton, "Spy agencies, prime minister's adviser defend metadata collection," CBC News, 3 February 2014
- "CSEC Not Spying On Canadians, Head Of Eavesdropping Agency Says," Canadian Press, 3 February 2014
- Tonda MacCharles, "Top security adviser says CSEC didn’t violate Canadians’ privacy," Toronto Star, 3 February 2014
- Stewart Bell, "Stephen Harper’s top security advisor denies reports of illegal spying on Canadians using airport Wi-Fi," National Post, 3 February 2014

Sunday, February 02, 2014

More on the wi-fi spy guys

More coverage and commentary on the CSEC wi-fi spying controversy:

- "CSEC Wi-Fi snooping experiment prompts calls for review," CBC News, 1 February 2014
- Giuseppe Valiante, "'Too early' to tell if spy agency broke any laws, privacy commissioner says," Toronto Sun, 31 January 2014
- Wesley Wark, "Op-Ed: In (and out) of the wilderness of secrets," Ottawa Citizen, 31 January 2014
- "Canada’s oversight of spy agencies falls short: Editorial," Toronto Star, 2 February 2014
- Heather Mallick, "CSEC’s startling spying on Canadian travellers: Mallick," Toronto Star, 31 January 2014
- Cyrus Farivar, "New Snowden docs show Canadian spies tracked thousands of travelers," Ars Technica, 31 January 2014

Also very interesting is the following commentary by journalist Ryan Gallagher speculating on how the government's responses to the controversy can be squared with the reality reported in the original leaked document:

Ryan Gallagher, "Canada's Wi-Fi Surveillance and CSEC's Non-Denial Denials," notes.rjgallagher.co.uk, 1 February 2014.

More comments later.

Update 3 February 2014:

Ryan Gallagher's commentary (referenced above) highlights very effectively the contradiction between what CSEC has been saying it is legally prohibited from doing and what it has now been shown actually to be doing, but what I think he misses is that most if not all of that contradiction arises from CSEC's misleading or even downright untruthful explanations of what it is permitted to do, rather than actual illegal conduct.

CSEC's public assurances have long been designed to give Canadians the impression that CSEC is not allowed to obtain communications by or information about Canadians or any person in Canada, and that any such data unintentionally or incidentally acquired must be deleted, but the reality is very different.

CSEC has a three-part mandate. I describe some of the kinds of communications and/or information about Canadians that CSEC can legally collect under the foreign-intelligence and cyber-protection parts of its mandate (according to the government's interpretation of the law) here. CSEC cannot "target" Canadians or persons in Canada when collecting this information, but it can still collect a significant amount of such information, and it can also analyze, use, retain, and share the information (subject to various privacy-related procedures) if it is relevant to the government's intelligence requirements. CSEC is also permitted to obtain communications by or information about Canadians or persons in Canada under the assistance-to-law-enforcement-and-security-agencies part of its mandate when those agencies request CSEC's assistance and have the legal authority to obtain the information (more here). In that case, CSEC actually can "target" Canadians or persons in Canada.

Rather than convey these rather important details, CSEC's public assurances have typically taken the form of those quoted by Gallagher, i.e., "CSEC, under its legislation, cannot target Canadians anywhere in the world or anyone in Canada", "we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada", and "CSE’s foreign intelligence mandate specifically dictates that our activities be directed only at foreign entities, and not at Canadians or anyone in Canada."

The first of these statements can fairly be characterized as a lie, as it ignores the third part of CSEC's mandate, but the other two are merely deliberately misleading, conveniently describing only one part of CSEC's mandate and failing even then to acknowledge that information may also be collected under that part as long as Canadians are not personally "targeted". (Indeed, if CSEC's claim that its wi-fi metadata collection is legal is correct, it is permissible for CSEC to collect at least some sorts of Canadian information in bulk or even in toto, even in cases where the collection may pertain exclusively or almost exclusively to Canada, as long as no Canadian or person in Canada is individually singled out as a specific "target".)

Given the record of mendacity in CSEC's public statements, it is tempting to declare that the agency has only itself to blame when the media, members of parliament, and Canadians in general conclude that CSEC has been breaking the law when an instance of information collection involving Canadians comes to light. It is CSEC, after all, that deliberately caused us to believe that such collection would be illegal.

But it is important that we get this right.

It may yet be shown that some of what CSEC has been doing has in fact been illegal. But it is likely that most or perhaps all of its activities have actually been legal.

And while it would indeed be bad news if we do find that CSEC has been breaking the law, it could well be even worse news if it turns out that everything CSEC has been doing (and presumably a good deal more that it could do in the future) is perfectly legal under existing Canadian law -- or, at least, nominally legal in the absence of a judicial ruling on the compatibility of those activities with the Charter of Rights and Freedoms.

Gallagher's commentary also looks at the government's claim that "no Canadian or foreign travellers were tracked" in the wi-fi operation.

It is clear, as Gallagher points out, that tracking -- by any normal definition of the word -- was indeed going on. He speculates that the government's response may rely on a specialized definition of "tracking" that enables them to deny what is plainly the truth.

He may well be right.

I suspect, however, that in this case the explanation may lie in the words "Canadian or foreign travellers".

While normal human beings might conclude that both Canadian and foreign travellers were indeed tracked, CSEC's claim may be that only devices were tracked in the specific tests reported in the document. Since no device was tracked specifically on account of the fact that it belongs to a particular person, and the analysis itself (as far as I know) did not seek to associate particular individuals with particular devices (although it may well have utilized information associated or associatable with specific individuals), CSEC may feel it is justified in stating that no individuals were tracked. The same or similar logic seems to underlie the agency's claim that it can collect metadata related to thousands or even millions of Canadians and persons in Canada for foreign intelligence purposes while at the same time stating that its foreign intelligence operations do not "target" any Canadians or persons in Canada.

Of possible relevance here is the fact that the operations described in the document were developmental tests. If real-world operations are now being conducted using the techniques described in the document, or similar kinds of techniques, those operations will indeed involve the tracking of specific individuals who are either known before the tracking began or identified subsequent to their being singled out by analysis of the data.

Will the government state that no Canadian or foreign travellers have ever been tracked (or, if it prefers, detected in a number of different locations over time) in Canada, either by CSEC or by any other Canadian or allied agency, under any mandate, using these or similar metadata-based techniques?