Wednesday, January 28, 2015

LEVITATION: CSE and free file upload sites

Excellent new CBC report on another CSE document leaked by Edward Snowden (Amber Hildebrandt, Michael Pereira and Dave Seglins, "CSE tracks millions of downloads daily: Snowden documents," CBC News, 28 January 2015):

Canada's electronic spy agency sifts through millions of videos and documents downloaded online every day by people around the world, as part of a sweeping bid to find extremist plots and suspects, CBC News has learned.

Details of the Communications Security Establishment project dubbed "Levitation" are revealed in a document obtained by U.S. whistleblower Edward Snowden and recently released to CBC News.

Under Levitation, analysts with the electronic eavesdropping service can access information on about 10 to 15 million uploads and downloads of files from free websites each day, the document says.

"Every single thing that you do — in this case uploading/downloading files to these sites — that act is being archived, collected and analyzed," says Ron Deibert, director of the University of Toronto-based internet security think-tank Citizen Lab, who reviewed the document. ...

According to the document, Canada can access data from 102 free file upload sites, though only three file-host companies are named: Sendspace, Rapidshare and the now-defunct Megaupload.

Sendspace told CBC News that "no organization has the ability/permission to trawl/search Sendspace for data," and its policy states it won't disclose user identities unless legally required.

No other file-sharing company responded to CBC requests for comment.

However, the Levitation document says that access to the data comes from unnamed "special sources," a term that in previous Snowden documents seemed to refer to telecommunications companies or cable operators.

It is also unclear which, or how many, of the Five Eyes access information on these uploaded files and whether the companies involved know the spy agencies have this access.

Many people use file-sharing websites to share photos, videos, music and documents, but these cyber-lockers have also been accused of being havens for illegally sharing copyrighted content.

Not surprisingly, extremists also use the online storage hubs to share propaganda and training materials.

To find those files, the document says Canada's spy agency must first weed out the so-called Glee episodes as well as pictures of cars on fire and vast amounts of other content unrelated to terrorism.

Analysts find 350 "interesting download events" each month, less than 0.0001 per cent of the total collected traffic, according to the top-secret presentation.

Surveillance specialists can then retrieve the metadata on a suspicious file, and use it to map out a day's worth of that file user's online activity.

By inputting other bits of information into at least two databases created by the spying partners, analysts can discover the identity and online behaviour of those uploading or downloading these files, as well as, potentially, new suspicious documents.

The Levitation project illustrates the "giant X-ray machine over all our digital lives," says Deibert.

Once a suspicious file-downloader is identified, analysts can plug that IP address into Mutant Broth, a database run by the British electronic spy agency Government Communications Headquarters (GCHQ), to see five hours of that computer's online traffic before and after the download occurred.

That can sometimes lead them to a Facebook profile page and to a string of Google and other cookies used to track online users' activities for advertising purposes. This can help identify an individual.

In one example in the top-secret document, analysts also used the U.S. National Security Agency's powerful Marina database, which keeps online metadata on people for up to a year, to search for further information about a target's Facebook profile. It helped them find an email address.

After doing its research, the Levitation team then passes on a list of suspects to CSE's Office of Counter Terrorism.

The agency cites two successes as of 2012: the discovery of a German hostage video through a previously unknown target, and an uploaded document that gave it the hostage strategy of a terrorist organization.

There is much more worth reading in the CBC's story.

The CBC also published CSE's response to the questions that CBC submitted to the agency concerning the program.

You can listen to the CBC's Dave Seglins discussing the story on CBC Radio's The Current here. (I get my own two cents' worth in at the end of the segment. One minor correction: as I mentioned here, my father was never part of the SIGINT world.)

The CBC's reporting on the document was done in conjunction with Glenn Greenwald and The Intercept, whose take on the story can be read here: Ryan Gallagher & Glenn Greenwald, "Canada Casts Global Surveillance Dragnet Over File Downloads," The Intercept, 28 January 2015.

It is probably worth noting that none of the above means that CSE has been "targeting" or "directing its activities at" Canadians. As the agency frequently points out, it is not permitted to target Canadians anywhere or any person in Canada (except of course, as it much more rarely points out, when operating under its Mandate C). CSE is very much permitted, however, to collect the communications of or information about Canadians etc. if that collection is "incidental" to its efforts to collect information on its foreign targets, assuming a suitable Ministerial Authorization is in place (and you can rest assured, one is).

But when your 100% legal foreign target includes all traffic to or from all (presumably foreign-based) free upload sites in the world, then your "incidental" collection will include not just some, not just a lot of, but all Canadian traffic to or from those sites as well.

Which sort of makes the distinction between directing or not directing your activities at Canadians moot.

No Canadian transaction with these sites was targeted for collection. But every last one of them was in fact collected, either by CSE itself or by its partners, who then made it available for CSE's examination.

Other coverage/commentary:

- "Canadian spies scoured file-sharing sites to track jihadis, document shows," Globe & Mail, 28 January 2015.

- Matthew Braga, "Spies Know What You're Downloading on Filesharing Sites, New Snowden Docs Show," Motherboard, 28 January 2015. Includes interesting speculation on EONBLUE.

- "Spy agency CSE is monitoring our private online activities on a massive scale and sharing sensitive data with other governments,", 28 January 2015.

- David Ljunggren, "Snowden files show Canada spy agency runs global Internet watch: CBC," Reuters, 28 January 2015.

- Andy, "Canadian Government Spies on Millions of File-Sharers," TorrentFreak, 28 January 2015.

- Jim Bronskill, "Spies agency defends Internet terror hunt," Canadian Press, 28 January 2015.

- Jamie Condliffe, "Canadian Spies Monitor Millions of International File Downloads Daily," Gizmodo, 28 January 2015.

- Laura Tribe, "Mass surveillance program in Canada revealed on International Data Privacy Day," CJFE blog, 28 January 2015.

- "Cyber surveillance worries most Canadians: privacy czar's poll," CBC News, 28 January 2015.

- "Project Levitation and your privacy: Politicians call for cybersurveillance oversight," CBC News, 28 January 2015.

- Alex Boutilier, "Mass surveillance program defended by Conservatives," Toronto Star, 28 January 2015.

- Colin Freeze, "Spy program raises concerns about Internet anonymity," Globe & Mail, 28 January 2015.

- Ian Austen, "Canada Agency Monitors File-Sharing, Reports Say," New York Times, 28 January 2015.

Update 29 January 2015:

- Amber Hildebrandt, Michael Pereira and Dave Seglins, "CSE's Levitation project: Expert says spy agencies 'drowning in data' and unable to follow leads," CBC News, 29 January 2015.

- John Leyden, "Snowden reveals LEVITATION technique of Canada’s spies," The Register, 29 January 2015.

- Editorial, "Snowden and the dark sophistry of CSEC," Globe & Mail, 29 January 2015.

- Eva Prkachin, "The Mega-spies on Megaupload,", 29 January 2015.

Update 2 February 2015:

- Jesse Brown, "Your Government is Spying on Your Downloads," Canadaland, Episode 68, 1 February 2015. Brown interviews Christopher Parsons of CitizenLab on the LEVITATION document and broader CSE-related questions. Highly recommended.

Update 3 February 2015:

- Michael Geist, "The Canadian Privacy and Civil Liberties Punch in the Gut (or Why CSE/CSIS Oversight is Not Enough),", 3 February 2015. "Mass surveillance of a hundred million downloads every week by definition targets Canadians alongside Internet users from every corner of the globe. To argue that Canadians are not specifically targeted when it is obvious that the personal information of Canadians is indistinguishable from everyone else’s data at the time of collection, is to engage in meaningless distinctions that only succeed in demonstrating the weakness of Canadian law. Better oversight of CSE is needed, but so too is a better law governing CSE activities."

Monday, January 26, 2015

BADASS monitors smartphone apps

The Intercept has an interesting and detailed report on a joint GCHQ-CSE presentation on intelligence collection from smartphone apps (Micah Lee, "Secret ‘BADASS’ Intelligence Program Spied on Smartphones," The Intercept, 26 January 2015):

British and Canadian spy agencies accumulated sensitive data on smartphone users, including location, app preferences, and unique device identifiers, by piggybacking on ubiquitous software from advertising and analytics companies, according to a document obtained by NSA whistleblower Edward Snowden.

The document, included in a trove of Snowden material released by Der Spiegel on January 17, outlines a secret program run by the intelligence agencies called BADASS. The German newsweekly did not write about the BADASS document, attaching it to a broader article on cyberwarfare. According to The Intercept’s analysis of the document, intelligence agents applied BADASS software filters to streams of intercepted internet traffic, plucking from that traffic unencrypted uploads from smartphones to servers run by advertising and analytics companies. ...

For spy agencies, this smartphone monitoring data represented a new, convenient way of learning more about surveillance targets, including information about their physical movements and digital activities. It also would have made it possible to design more focused cyberattacks against those people, for example by exploiting a weakness in a particular app known to be used by a particular person. Such scenarios are strongly hinted at in a 2010 NSA presentation, provided by agency whistleblower Edward Snowden and published last year in The New York Times, Pro Publica, and The Guardian. That presentation stated that smartphone monitoring would be useful because it could lead to “additional exploitation” and the unearthing of “target knowledge/leads, location, [and] target technology.”

The article notes that some of the apps discussed in the presentation have subsequently begun efforts to encrypt their communications. But it appears likely that many vulnerable apps remain.

In addition to Yahoo’s Flurry and Google’s AdMob, the BADASS presentation also shows that British and Canadian intelligence were targeting Mobclix, Mydas, Medialets, and MSN Mobile Advertising. But it’s clear that any mobile-related plaintext traffic from any company is a potential target. While the BADASS presentation focuses on traffic from analytics and ad companies, it also shows spying on Google Maps heartbeat traffic, and capturing “beacons” sent out when apps are first opened (listing Qriously, Com2Us, Fluentmobile, and Papayamobile as examples). The BADASS presentation also mentions capturing GPS coordinates that get leaked when opening BlackBerry’s app store.

The article also notes that:

While the BADASS program is specifically designed to target smartphone traffic, websites suffer from these exact same problems, and in many cases they’re even worse.

Websites routinely include bits of tracking code from several different companies for ads, analytics, and other behavioral tracking. This, combined with the lack of HTTPS, turns your web browser into a surveillance device that follows you around, even if you switch networks or use proxy servers.

In other words, while the BADASS presentation may be four years old, and while it’s been a year and a half since Snowden’s leaks began educating technology companies and users about the massive privacy threats they face, the big privacy holes exploited by BADASS remain a huge problem.

The CSE part of the presentation, prepared by someone from CSE's Global Access directorate, appears to be the second part of the discussion (pages 22-58, entitled "We Know How Bad You Are At “Angry Birds”: Exploring and Exploiting Leaky Mobile Apps with BADASS (OtH)").

Bossenmaier appointed Chief of CSE

Greta Bossenmaier has been appointed Chief of CSE effective 9 February 2015.

Bossenmaier is currently Senior Associate Deputy Minister of International Development at the Department of Foreign Affairs, Development and Trade. She was Deputy Minister of the Privy Council Office's Afghanistan Task Force from June 2009 to January 2012, and she began her career as a defence scientist in DND's Operational Research and Analysis Establishment. (More bio information here.)

Bossenmaier replaces the current Chief, John Forster, who is to become the Deputy Minister of National Defence effective 2 February 2015.

Forster spent only three years in the job at CSE (he became Chief on 30 January 2012), but his transfer to National Defence is a significant promotion and therefore presumably not an indication of any dissatisfaction with his performance at CSE.

Bossenmaier will be the 9th Chief CSE/Director CBNRC—and the first woman in the role—in the agency's 68-year history:

  • Edward M. Drake (1946 - 1971)
  • N. Kevin O'Neill (1971 - 1980)
  • Peter R. Hunt (1980 - 1989)
  • A. Stewart Woolner (1989 - 1999)
  • D. Ian Glen (1999 - 2001)
  • Keith Coulter (2001 - 2005)
  • John L. Adams (2005 - 2012)
  • John Forster (2012 - 2015)
  • Greta Bossenmaier (2015 - )

Photos of new CSE headquarters

Nice series of ground-level photos of the new CSE headquarters complex taken last spring here.

Saturday, January 24, 2015

Has anybody seen the bridge?

I was looking at this artist's impression of the new CSE headquarters and it reminded me that according to the original plan there was supposed to be a pedestrian bridge between the CSE complex and the neighbouring CSIS headquarters.

What ever happened to that idea?

The construction crews have all packed up and gone home, and there is no sign of any bridge.

I'm just trying to find the bridge.

Has anybody seen the bridge?

Have you seen the bridge?

I ain't seen the bridge.

Where's that confounded bridge?

Wednesday, January 21, 2015

Recent news items

A brief round-up of recent CSE-related news items:

- Bruce Campion-Smith, "Ottawa firefighters cut lock to enter top-secret installation," Toronto Star, 20 January 2015. (The Star gets the unredacted version of what happened during the minor fire at the new CSE complex in November 2013.)

- Ian MacLeod, "Spy agency fire triggered security concerns," Ottawa Citizen, 20 January 2015. (The Citizen gets the redacted version, but also reports some interesting information. They should drop the term ECHELON, however. It didn't mean the whole Five Eyes SIGINT community back in the 1990s, and it certainly doesn't now.)

- Matthew Braga, "A Pair of Bolt Cutters Was All It Took to Break Into Canada's Cyberspy Agency," Motherboard, 20 January 2015. (Motherboard's take on the story.)

All three stories note that CSE's new headquarters was still under construction at the time of the fire, which is true, but the complex was not entirely unoccupied. Pod 1 of the complex, CSE's high-performance computing centre, which was built under the earlier Mid-Term Accommodation Project (MTAP), was occupied by CSE's codebreakers and data-miners in November 2011. A brief discussion of the MTAP, including an artist's rendering of the interior of the building, can be found here.

- Normand Lester, "CSEC, Canada's Electronic Spy Agency, Recruiting Students," Huffington Post Canada, 20 January 2015.

- Matthew Green, "Hopefully the last post I'll ever write on Dual EC DRBG," A Few Thoughts on Cryptographic Engineering blog, 14 January 2015. (Cryptographer Matthew Green on the Dual EC DRBG encryption scandal, the Canadian aspect of which was discussed here and here. The particular Canadians involved in approving the standard can be found on this list published with Green's commentary.)

- Craig Forcese, "The Judicialization of Extraterritorial Spying: Gaps and Gap-Fillers in the World of CSIS Foreign Operations," Criminal Law Quarterly, 6 January 2015.

Tuesday, January 13, 2015

December 2014 CSE staff size

2236, down slightly from last month's record high.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Friday, January 09, 2015

New CSE headquarters update

Chuck Clark's latest air photo, taken on 29 December 2014, shows a number of interesting developments at CSE's new headquarters complex.

The temporary trailers in place for the construction of the complex, located to the east of the main building (top of the image), are now gone, which is unsurprising as construction of the project should now be finished.

Also gone are the two large containerized backup generators that formerly accompanied Pod 1, CSE's high-performance computing centre (visible at the top of the image in this post). Presumably the power plant in CSE's data warehouse, the large windowless building to the left in the image above, now supplies backup power to Pod 1 as well.

[Update 22 February 2015: It looks like DND paid CSE $600,000 to take the generators off their hands.]

Also worth noting is the small, white box on the main roof (left-hand edge), which first appeared in September 2014. This looks like the kind of shelter used to hide intercept antennas on the roofs of diplomatic facilities. Canada maintains intercept sites at several Canadian embassies around the world, including (perhaps) our embassy in Beijing.

I would guess that the installation at CSE's headquarters is used more to test new antennas and equipment configurations than to conduct ongoing surveillance, but they probably do pull in live communications in the course of routine testing and training activities, so govern yourselves accordingly!

Canadian Architect recently published an explanation of the design philosophy and interior layout of the new complex that actually provides some interesting new information if you can plow through all the PR puffery and general verbiage.

Monday, January 05, 2015

Fantino now minister for CSE?

On January 5th Julian Fantino was appointed Associate Minister of National Defence. The announcement of his appointment lists three specific areas that he is supposed to focus on, two of which (foreign intelligence and information technology security) constitute the two main mandates of the Communications Security Establishment.

It's potentially a very positive development that CSE may now have a minister who has enough time to actually pay serious attention to the agency.

But I remain to be convinced that Minister Fantino is the best choice for the job.

Update 6 January 2015:

Justin Ling, "2015 Is Canada’s Year of the Spy," Vice, 6 January 2015

Update 28 January 2015:

Alex Boutilier and Patrick Baud question whether Fantino has formal authority over CSE and discuss what the necessary paperwork might be to put that in place: