Sunday, March 29, 2015

NSA mapped Canadian VPNs

I'm late to blogging about this one (no slight intended to the Globe and Mail):

Earlier this month the Globe and Mail reported on a leaked document showing that NSA's mapping of Virtual Private Networks (VPNs) includes the VPNs of major Canadian companies (Colin Freeze & Christine Dobby, "NSA trying to map Rogers, RBC communications traffic, leak shows," Globe and Mail, 17 March 2015):
The U.S. National Security Agency has been trying to map the communications traffic of corporations around the world, and a classified document reveals that at least two of Canada’s largest companies are included.

A 2012 presentation by a U.S. intelligence analyst, a copy of which was obtained by The Globe and Mail, includes a list of corporate networks that names Royal Bank of Canada and Rogers Communications Inc.

The presentation, titled “Private Networks: Analysis, Contextualization and Setting the Vision,” is among the NSA documents taken by former contractor Edward Snowden. It was obtained by The Globe from a confidential source.

Canada’s biggest bank and its largest wireless carrier are on a list of 15 entities that are visible in a drop-down menu on one of the presentation’s 40 pages. It shows part of an alphabetical list of entries beginning with the letter “R” that also includes two U.K.-headquartered companies – Rolls Royce Marine and Rio Tinto – and U.S.-based RigNet, among other global firms involved in telecom, finance, oil and manufacturing.

The document does not say what data the NSA has collected about these firms, or spell out the agency’s objective. A comparison of this document with previous Snowden leaks suggests it may be a preliminary step in broad efforts to identify, study and, if deemed necessary, “exploit” organizations’ internal communication networks.

Christopher Parsons, a researcher at the University of Toronto’s Citizen Lab, who reviewed the leaked document with The Globe, said the activity described could help determine useful access points in the future: “This is preparing the battlefield so it could later be used.

“This is … watching communications come in and out of a network and saying, ‘Okay, these are the places we need to go in.’”
The Globe and Mail has not published the presentation, and the newspaper is being mysterious about the provenance of the document, citing only a "confidential source". (Previous Canadian releases of documents from the Snowden archive have been co-ordinated with Glenn Greenwald or other journalists at The Intercept, but there is no evidence of that co-ordination in this instance.)

[Update: However, this single page, previously released by Greenwald, appears to come from the same document. H/T to]

Some background information on the NSA's efforts to map and monitor VPNs can be found in this separate document, published in December by Der Spiegel. Interesting tidbit: Page 26 appears to show collection of the communications of the United Nations Assistance Mission for Iraq (UNAMI).

As the Globe and Mail reported, the presence of Rogers and RBC on the NSA's list of VPNs raises questions about the extent to which NSA may be monitoring the communications of Canadian corporations and persons.

Freeze and Dobby note—with a link to this blog (thanks!)—that "Today, under the terms of a 66-year old reciprocal accord, Washington and Ottawa agree to refrain from spying on the communications of each other’s citizens and entities."

To the best of my knowledge, there is no explicit no-targeting accord within the CANUSA agreement itself. (The text has never been released.)

But there is certainly a common understanding among the members of the Five Eyes community that they will not target each other in their routine operations. This understanding is part of the overall amalgam of resolutions, common strategic directions, agreed procedures, and established practices that have grown out of the UKUSA agreement and subsidiary agreements such as CANUSA.

However, as I noted here, that understanding is "more what you'd call 'guidelines' than actual rules".

For one thing, the prohibition doesn't apply if the monitored party agrees to the targeting, which is not likely to occur on a blanket basis, but almost certainly does in more limited contexts. Second, it doesn't apply to "incidental" (i.e., non-targeted) collection, which under some programs can capture nearly everything transmitted. Third, it is well understood by all parties that all reserve the right to secretly target one another when "national interests" dictate that that's desirable.

As the CSE Commissioner stated in one of his classified reports (later released under ATIP), "The UKUSA and CANUSA Agreements do not refer to specific protections; for example, the agreements do not refer to the terms 'privacy' or 'personal information'." However, the "cooperative agreements and resolutions" among the parties "include a commitment by the Five-Eyes to respect the privacy of each others’ citizens, and to act in a manner consistent with each others’ policies relating to privacy. It is recognized, however, that each of the Five-Eyes is an agency of a sovereign nation that may derogate from the agreements, if it is judged necessary for their respective national interests."

The classification markings on the G&M's VPN document evidently indicated that it was releasable to Canada, which shows that NSA did not feel any need to hide the VPN mapping from Canada. So in this case we're not looking at the U.S. government going behind the back of the Canadian government to secretly target Canadians.

But that may be little consolation to Rogers, RBC, and the other Canadian corporations and individuals whose VPN communications may have been, or may in the future be, collected by NSA as a result of this mapping.

The Globe and Mail also published a follow-up article:

Colin Freeze & Christine Dobby, "Reports of NSA spying on Canadian companies fuel calls for more transparency," Globe and Mail, 17 March 2015.

See also:

Colin Freeze & Christine Dobby, "Watchdog presses Ottawa for strong rules on sharing surveillance data," Globe and Mail, 18 March 2015.


Anonymous Anonymous said...

Michael And Ingrid Heroux said

My wife and I finally got our second reply back from our RCMP freedom of information requests that we sent them to get our 30-08 warrant information and the investigation information that our daughters were working on before they were murdered. We were told our requests needed our signatures, birth dates, and social insurance numbers. We sent in the FOI request forms with a sample of our hand writing, multiple samples of our signatures, our birthdates, copies of our birth certificates and copies of our social insurance cards. My wifes reply from the RCMP was that they needed to know what RCMP detachment has her information so they can find it and my reply from the RCMP was that they needed to know my birthdate before they can find my information.

We are being stonewalled by the RCMP from getting our information. These are the type of games every government agency we have applied to to get our 30-08 warrant information through the freedom of information system has been play with us for over a year now. CSIS and CSEC are not even replying back to us and SIRC should of got back to us this week but they just tabled a letter in Parliament yesterday stating they can not properly investigate CSIS. How are we suppose to get our 30-08 warrant information and have a proper investigation done for the torture and murder of our family for the last 6 years? Who is going to help us?

If anyone knows of a good lawyer so we can keep the rest of our family alive please get ahold of us. You can contact us on our website. Thanks

April 02, 2015 2:57 pm  

Post a Comment

<< Home