Tuesday, March 25, 2014

Robinson PGP key

I've decided I should (re)acquire the capability to use PGP (GnuPG to be precise).

I work under the assumption that any major SIGINT agency that decides it has a specific interest in my correspondence will always be able to find the means to access it regardless of whatever crypto precautions I might try to take, so don't take this step as an invitation to send me things you wouldn't want our five-eyed friends and their counterparts elsewhere to know about.

But nothing says that everyone in the general public should be forced to leave all of their correspondence open for anyone to read at any time, so acquiring PGP seems like a reasonable thing to do.

[Updated 10 August 2016 with new key]

Here is my public key (fingerprint: 5B5E AA3A 6812 E58B EFBA 3B9C 9027 7F82 612C FFA6):


Monday, March 24, 2014

Freeze on CANADALAND

The latest edition of Jesse Brown's CANADALAND podcast features a conversation with Globe and Mail reporter Colin Freeze on the difficulties of covering intelligence/privacy issues in Canada even in the post-Snowden world: "How Canada's Spies Game the Media."

Freeze is one of the few journalists who has done extended coverage of intelligence-related issues in Canada and he has taken the lead on recent CSEC coverage. (Others worth mentioning include Jim Bronskill, Greg Weston, Michelle Shephard, Stewart Bell, Ian MacLeod, and Andrew Mitrovica.)

Well worth a listen.

(Oh, and thanks for the plug on your website, Jesse!)

Saturday, March 22, 2014

Meta-truth on mega-data

Every now and then it's fun to look back at earlier official assurances and compare them to what we know today.

This June 2013 statement by then-Defence Minister Peter MacKay, which I recently re-read while checking some other information, is a good example:

"Mega-data is collected only on international, not domestic, communications."

Yes, he really did say mega-data instead of metadata.

But the fun part is re-reading MacKay's statement in the context of this recent revelation. (Further discussion here and here.)

SNOWGLOBE: CSEC analysis of suspected French spyware

Le Monde has published a report on CSEC's analysis of an e-mail spying operation that it discovered in November 2009. The operation targeted a number of organizations around the world, including a French-language media outlet in Canada. CSEC concluded that the source of the operation was probably France (Jacques Follorou & Martin Untersinger, "La France suspectée de cyberespionnage," Le Monde, 21 March 2014).

See also: Jacques Follorou & Martin Untersinger, "Quand les Canadiens partent en chasse de « Babar »," Le Monde, 21 March 2014.

The newspaper also published several slides from the CSEC PowerPoint presentation, one of the documents leaked by Edward Snowden, on which the Le Monde reports were based.

Globe and Mail coverage here: Tu Thanh Ha, "French spy software targeted Canada: report," Globe and Mail, 21 March 2014.

Monday, March 17, 2014

Recent news/commentary

Recent news and commentary items related to CSEC:

- Jim Bronskill, "Canada's electronic spy agency uncovers wrongdoing, ethics breaches," Canadian Press, 16 March 2014.

- Matthew Braga, "Why can't, or won't, your phone company detail data it shares with the feds?" Globe and Mail, 16 March 2014; see also Christopher Parsons, "The Murky State of Canadian Telecommunications Surveillance," citizenlab.org, 6 March 2014.

- John Adams, "Making the case for metadata," iPolitics, 14 March 2014; see also the longer version here. (The former Chief of CSEC defends the agency's operations, while reiterating his support for greater parliamentary scrutiny. In the iPolitics version, but not the longer version, Adams also makes the intriguing statement that there is within CSEC "an internal audit committee which includes external-to-government members, with access to any and all activities carried out by CSEC" in order to help keep an eye on the agency (emphasis added). He is not talking about the CSE Commissioner, whom he discusses separately. What is the nature of this committee, and who are these external-to-government individuals?)

- Alex Boutilier, "Ottawa imposes life-long gag order on bureaucrats, lawyers," Toronto Star, 13 March 2014. (Additional organizations added to the list of persons "permanently bound to secrecy".)

- Jordan Press, "Canada’s military squeezed out of cyber-defence, emails warn," Vancouver Province, 12 March 2014.

- Michael Geist, "If U.S. Cloud Computing Isn't Good Enough for the Canadian Government, Why Should It Be for You?" Michael Geist blog, 12 March 2014.

- Colin Freeze, "Spy agency’s memos to minister shed light on secretive practices," Globe and Mail, 7 March 2014. (Available only to subscribers, but you can read the bits of the memos that were released here.)

Saturday, March 15, 2014

CSEC OLYMPIA software analyzed



The Top Level Communications blog has published a detailed and convincing analysis of the functions and capabilities of CSEC's OLYMPIA target development software, as revealed in a leaked June 2012 PowerPoint presentation (part of the Snowden documents): "OLYMPIA: How Canada's CSEC maps phone and internet connections" (13 March 2014).

The topics discussed are way beyond my very limited technical knowledge, so there's very little I can add, but FWIW the explanations provided do seem to ring true.

One small note: While I agree that the TAO referred to in the presentation is most likely NSA's Tailored Access Operations unit, there is some reason to believe that CSEC's parallel unit may also use the name "Tailored Access".

Previous discussion of OLYMPIA here, here, and here.

Friday, March 14, 2014

February 2014 CSEC staff size

2162.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Sunday, March 09, 2014

Parliamentary oversight at work



On January 29th, James Bezan, the Parliamentary Secretary to the Minister of National Defence, assured the House of Commons that improved parliamentary oversight of the Canadian intelligence community is unnecessary because existing committees already have the power to provide oversight (previous discussion here):

"The Standing Committee on National Defence has the authority and the power to call the commissioner of the Communications Security Establishment as well as Communications Security Establishment Canada before committee. It also has the opportunity, if it so desires, to meet with CSEC staff on its premises. They have a new building that members could easily tour around.

"Those opportunities already exist. Parliamentary oversight is already in place. We do not need to be reinventing the wheel."

The screen capture reproduced above demonstrates that Mr. Bezan did indeed have a straight face as he made those comments.

On February 4th, the Conservatives defeated a Liberal motion that called on the government to establish a special intelligence oversight committee. Bezan once again took the lead in arguing against the motion:

"The member is calling for more parliamentary oversight, yet Parliament has always had the ability to have these individuals appear before committee. I sit on the national defence committee, and CSEC is one of the agencies that is responsible under the Department of National Defence. Our committee has the power at any point in time to call on those people who are appointed either as the chief or commissioner of Communications Security Establishment Canada. We can call them in to talk about budget and activities."

The committee the Liberals are advocating would have a wider remit, covering all national security agencies, not just CSEC, and unlike normal committees, its members would be cleared to receive classified information.

But it is true that the National Defence committee could provide some additional oversight of CSEC—as long as the government is willing to permit it to perform that role.

On February 13th, the members of the committee voted to "invite the Minister of National Defence and the Chief of Communications Security Establishment Canada (CSEC) as witnesses to appear before the Committee to answer questions about CSEC's intelligence-gathering policies and practices, for one hour each, as soon as possible."

But on March 6th, the day the Minister and CSEC Chief John Forster were scheduled to appear, the committee unexpectedly went in camera and cancelled the session. The minutes of the discussion show that no new appearance date has been sought. The committee agreed to invite the Minister back to discuss the departmental Estimates, but the only formal decision made with respect to CSEC was "That the speaking notes for the Minister of National Defence on the Supplementary Estimates (C) 2013-14 and Communications Security Establishment Canada intelligence-gathering policies and practices, distributed today, be handed over to the Clerk."

Why was the session cancelled?

We don't know. But it is hard not to suspect that it was the government, which ultimately controls the committee's agenda through its majority membership on the committee, that made the decision.

Is that supposed to be oversight?

[Update 4 April 2014: Forster and Nicholson testified to the committee on April 3rd.]

Thursday, March 06, 2014

CSE Commissioner budget cuts not really cuts

The CSE Commissioner's 2014-15 Report on Plans and Priorities, tabled today in the House of Commons, indicates that the apparent reduction in the Commissioner's budget over the past two years (discussed earlier here) is not a reduction in the core budget of the office.

According to the report, the significant increase in the Commissioner's budget that took place in 2012-13 "was entirely attributable to the cost of [a] security retrofit and expansion of the physical space" of the offices of the Commissioner, due in large part to the recent expansion of the Commissioner's staff. The reductions of the past two years have simply returned the Commissioner's budget to its core level.

The Executive Director of the Office of the Communications Security Establishment Commissioner, William Galbraith, e-mailed me with additional details (re-posted here with permission):

Here is some explanation of the arcana of government finances, in this instance the "Estimates": the decrease this year is due to re-payment of prior year borrowing from future years to pay for construction costs that allowed the Commissioner to accommodate more staff (now 11 full-time positions plus office space for subject matter experts engaged by the Commissioner); the official term for this is "re-profiling". Construction was completed a year ago.

Here are figures that follow the construction and security retrofit:

i) The 12-13 budget included $290,000 received in Supplementary Estimates for the costs of the security retrofit and expansion of the physical space.

ii) The 13-14 budget included $100,000 that had to be set aside for partial "repayment" of the supplementary estimate monies received in 12-13.

iii) The 14-15 budget was reduced $100,000 pre-estimates for another partial "repayment" of the supplementary estimate monies received in 12-13.

iv) The 15-16 budget was reduced $90,000 pre-estimates for the final "repayment" of the supplementary estimate monies received in 12-13.

You'll see that ii, iii and iv add to the $290,000 which was received, as described in i. If you were to include the $100,000 in 14-15 in the Estimate total, the revised total would be $2,124,000 (an increase of $11,000).

If you examine the 2014-15 Report on Plans and Priorities, you will see that the Commissioner's office funding (appropriation from Parliament) is stable around $2 million, increasing in 2016-17. However, Commissioners regularly ask whether they have adequate resources to fulfill their mandate effectively.

Saturday, March 01, 2014

CSEC talks to the Globe and Mail

Colin Freeze has a fascinating article in today's Globe and Mail based on a two-hour meeting he had with seven CSEC officials at the new headquarters building on January 31st (Colin Freeze, "The Globe goes inside Canada’s top-secret spy agency," Globe and Mail, 1 March 2014).

The article starts with a classic example of CSEC's idea of openness:

The seven officials at the boardroom table insist that their identities cannot be published – the risk, one explains, is that they would become targets of a “hostile foreign intelligence service.”

Given the top-secret nature of their work, that request is understandable. That this conversation is taking place at all is unprecedented – and, to use one official’s word, “uncomfortable.”

CSEC does have secrets it needs to keep, and it is probably sensible to restrict some information about who does what at the agency.

But part of the problem Canadians have in trying to debate the issues surrounding surveillance is that CSEC and the government as a whole often try to withhold information that doesn't need to be secret, that is not actually considered to be secret by the government, and that may indeed already be in the public domain.

As the article later notes, the meeting's attendees included "a cyberdefence director-general" and "a very senior female boss". Many of the names of CSEC officials at the director-general level and above have already been officially divulged by the government, including the identity of the Director-General of Cyber Defence, who is Scott Jones. And the "very senior female boss" at the meeting was very likely the Deputy Chief SIGINT, who is Shelly Bruce. Three of the other staffers at the meeting were in corporate communications, so the chances are most or all of those names are also in the public domain.

The odds are good, in other words, that in the case of well over half the CSEC personnel at the meeting with Freeze, the only thing not mentioning their names keeps from "hostile intelligence services" is the fact that they recently met with a reporter from the Globe and Mail.

Still, it was a step towards greater openness that CSEC met with the Globe and Mail at all.

The primary purpose of the meeting was to discuss CSEC's use of metadata.

[W]e are here to discuss how “metadata” emanating from computers and smartphones – presumptively, Internet protocol addresses, phone logs and smartphone geolocation data – give CSEC a view of a world’s worth of communications.

The problem is that, in a broad sweep of metadata, capturing a Canadian conversation – private chat that is protected by law and accessible only with a warrant – is always a possibility.

To simplify how CSEC works, the signals-intelligence director outlines a cloud on a white board: This is the Internet. He then draws five boxes inside and labels them “covert collection sites.”

He stops short of elaborating. ...

“They are positioned where they need to be,” he says.

The collection process at these covert sites begins when CSEC machinery logs global telecommunications traffic in bulk. During this first pass, the raw data arrive as an undifferentiated mess, and no one knows – or could know, if they wanted – whether any Canadian metadata are in the mix.

It’s only during the next step, “processing and analysis” that identifying information starts to be revealed – and those pesky privacy concerns begin to kick in.

CSEC computers sift out the metadata, then analysts boil them down some more. This is where telling patterns emerge, including whether Canadian data are part of the sweep. CSEC says it treats Canadian material differently, but won’t say how.

The final step is “targeting.” Now knowing rough patterns worth watching, and how to avoid Canadians, the analysts task the covert collection sites to be on the lookout for communications from identifiable groups of foreigners.

Worth reading the whole article.