Bcc: CSE

The CBC and The Intercept have published new reports on the collection by CSE's cyberdefence program of e-mail and website contacts between Canadians and the federal government (Amber Hildebrandt, Michael Pereira & Dave Seglins, "CSE monitors millions of Canadian emails to government," CBC News, 25 February 2015; Ryan Gallagher & Glenn Greenwald, "Canadian Spies Collect Domestic Emails in Secret Security Sweep," The Intercept, 25 February 2015).

As explained in the CBC report,

A top-secret document written by Communications Security Establishment (CSE) analysts sheds new light on the scope of the agency’s domestic email collection as part of its mandate to protect government computers. ...

The surveillance service vacuums in about 400,000 emails to and from the government every day and then scans them using a tool called PonyExpress to look for any suspicious links or attachments, according to the top-secret document.

That automated system sifts through them and detects about 400 potentially suspect emails each day — about 146,000 a year. That system sends alerts to CSE analysts, who then can take a closer look at the email to see if it poses any threat.

Only about four emails per day — about 1,460 a year — are serious enough to warrant CSE security analysts contacting the government departments potentially affected. ...

CSE holds on to emails for “days to months,” while metadata -- the details about who sent it, when and where -- is kept for “months to years,” according to the document. The agency also records metadata about visits to government websites.

The number of e-mails said to be serious enough to take action on (~1460/year) corresponds well to the range for e-mails "used or retained" by the CSE cyberdefence program (1000-3996/year) that I reported here based on analysis of CSE documents released under the Access to Information Act.

As the CBC notes, the number of e-mails and other contacts monitored and the number ultimately flagged for action are likely to have increased since the 2010 document was written. In 2010 CSE routinely monitored only its own communications and those of the Department of National Defence and the Department of Foreign Affairs. It has since also become responsible for monitoring communications to the rest of the Government of Canada through the Shared Services Canada network. However, the Access documents suggest that, as of a year or two ago, the total number used or retained per year remained lower than 4000.

The CSE document that today's reports are based on, another one of the Five Eyes documents leaked by Edward Snowden, can be found here. (Be sure to check the second half of the file, where the speaker's notes accompanying the powerpoint slides were also reproduced.)

The CBC also published a very interesting set of CSE responses to questions that its reporters put to the agency. (But don't expect all the questions to be answered.)

The activities revealed in today's reports are the kinds of things we would expect a cyberdefence program to do, and the CBC was right, I think, to report the information without trying to make a scandal out of it. That said, there are legitimate questions about how much information concerning Canadians' interactions with their government is retained by CSE, how long that information can be held, and what purposes that information can be used for, and the CBC was also right to report those questions‐and CSE's partial responses.

Update 1 March 2015:

Further coverage/commentary:

- Nicole Bogart, "CSE monitors your emails to the government: What you need to know," Global News, 25 February 2015

- Adrian Lee, "So, when do we start caring about privacy?" Maclean's, 25 February 2015

- Craig Desson, "Leaked files show Canadian spy agency struggling with flood of data," Toronto Star, 26 February 2015

- Ken Hanly, "Op-Ed: Canadian spy agency collects Canadian emails to government sites," Digital Journal, 26 February 2015