Sunday, March 29, 2015

NSA mapped Canadian VPNs

I'm late to blogging about this one (no slight intended to the Globe and Mail):

Earlier this month the Globe and Mail reported on a leaked document showing that NSA's mapping of Virtual Private Networks (VPNs) includes the VPNs of major Canadian companies (Colin Freeze & Christine Dobby, "NSA trying to map Rogers, RBC communications traffic, leak shows," Globe and Mail, 17 March 2015):
The U.S. National Security Agency has been trying to map the communications traffic of corporations around the world, and a classified document reveals that at least two of Canada’s largest companies are included.

A 2012 presentation by a U.S. intelligence analyst, a copy of which was obtained by The Globe and Mail, includes a list of corporate networks that names Royal Bank of Canada and Rogers Communications Inc.

The presentation, titled “Private Networks: Analysis, Contextualization and Setting the Vision,” is among the NSA documents taken by former contractor Edward Snowden. It was obtained by The Globe from a confidential source.

Canada’s biggest bank and its largest wireless carrier are on a list of 15 entities that are visible in a drop-down menu on one of the presentation’s 40 pages. It shows part of an alphabetical list of entries beginning with the letter “R” that also includes two U.K.-headquartered companies – Rolls Royce Marine and Rio Tinto – and U.S.-based RigNet, among other global firms involved in telecom, finance, oil and manufacturing.

The document does not say what data the NSA has collected about these firms, or spell out the agency’s objective. A comparison of this document with previous Snowden leaks suggests it may be a preliminary step in broad efforts to identify, study and, if deemed necessary, “exploit” organizations’ internal communication networks.

Christopher Parsons, a researcher at the University of Toronto’s Citizen Lab, who reviewed the leaked document with The Globe, said the activity described could help determine useful access points in the future: “This is preparing the battlefield so it could later be used.

“This is … watching communications come in and out of a network and saying, ‘Okay, these are the places we need to go in.’”
The Globe and Mail has not published the presentation, and the newspaper is being mysterious about the provenance of the document, citing only a "confidential source". (Previous Canadian releases of documents from the Snowden archive have been co-ordinated with Glenn Greenwald or other journalists at The Intercept, but there is no evidence of that co-ordination in this instance.)

[Update: However, this single page, previously released by Greenwald, appears to come from the same document. H/T to]

Some background information on the NSA's efforts to map and monitor VPNs can be found in this separate document, published in December by Der Spiegel. Interesting tidbit: Page 26 appears to show collection of the communications of the United Nations Assistance Mission for Iraq (UNAMI).

As the Globe and Mail reported, the presence of Rogers and RBC on the NSA's list of VPNs raises questions about the extent to which NSA may be monitoring the communications of Canadian corporations and persons.

Freeze and Dobby note—with a link to this blog (thanks!)—that "Today, under the terms of a 66-year old reciprocal accord, Washington and Ottawa agree to refrain from spying on the communications of each other’s citizens and entities."

To the best of my knowledge, there is no explicit no-targeting accord within the CANUSA agreement itself. (The text has never been released.)

But there is certainly a common understanding among the members of the Five Eyes community that they will not target each other in their routine operations. This understanding is part of the overall amalgam of resolutions, common strategic directions, agreed procedures, and established practices that have grown out of the UKUSA agreement and subsidiary agreements such as CANUSA.

However, as I noted here, that understanding is "more what you'd call 'guidelines' than actual rules".

For one thing, the prohibition doesn't apply if the monitored party agrees to the targeting, which is not likely to occur on a blanket basis, but almost certainly does in more limited contexts. Second, it doesn't apply to "incidental" (i.e., non-targeted) collection, which under some programs can capture nearly everything transmitted. Third, it is well understood by all parties that all reserve the right to secretly target one another when "national interests" dictate that that's desirable.

As the CSE Commissioner stated in one of his classified reports (later released under ATIP), "The UKUSA and CANUSA Agreements do not refer to specific protections; for example, the agreements do not refer to the terms 'privacy' or 'personal information'." However, the "cooperative agreements and resolutions" among the parties "include a commitment by the Five-Eyes to respect the privacy of each others’ citizens, and to act in a manner consistent with each others’ policies relating to privacy. It is recognized, however, that each of the Five-Eyes is an agency of a sovereign nation that may derogate from the agreements, if it is judged necessary for their respective national interests."

The classification markings on the G&M's VPN document evidently indicated that it was releasable to Canada, which shows that NSA did not feel any need to hide the VPN mapping from Canada. So in this case we're not looking at the U.S. government going behind the back of the Canadian government to secretly target Canadians.

But that may be little consolation to Rogers, RBC, and the other Canadian corporations and individuals whose VPN communications may have been, or may in the future be, collected by NSA as a result of this mapping.

The Globe and Mail also published a follow-up article:

Colin Freeze & Christine Dobby, "Reports of NSA spying on Canadian companies fuel calls for more transparency," Globe and Mail, 17 March 2015.

See also:

Colin Freeze & Christine Dobby, "Watchdog presses Ottawa for strong rules on sharing surveillance data," Globe and Mail, 18 March 2015.

