Friday, May 29, 2015

CSE-CSIS memorandums of understanding

Justin Ling wrote an interesting article last week about some documents he obtained through the Access to Information Act concerning several memorandums of understanding (MOUs) between CSE and CSIS (Justin Ling, "Secret Documents Reveal Canada's Spy Agencies Got Extremely Cozy With Each Other," Vice, 20 May 2015).

He also posted the documents online.

It had long been known that CSE and CSIS had at least two MOUs on co-operation, both signed on 1 November 1990, one on CSIS Act s.12 activities and the other on s.16 activities. These documents lay out, at least in part, the parameters of the support that CSE can provide to CSIS under its Mandate C, the only part of the CSE mandate that permits the deliberate targeting of Canadians.

Which makes them potentially of great interest.

The documents Ling obtained included most of the text of the s.12 MOU. Key details were withheld, but there is still some intriguing material there, including a proviso that

All [criminal intelligence] information which may be used in the investigation or prosecution of an alleged contravention of any law of Canada or a province shall be reported to the Service [i.e., CSIS]. (See PDF page 16.)

Note the "shall" in that statement. The next paragraph seems to suggest that CSE's provision of such information to CSIS may be subject to various conditions or limitations, but we can't know whether or to what degree that may be true because all the subsequent details are redacted.

It seems reasonable to expect that the MOUs CSE has with the RCMP outline similar requirements for the provision of "criminal intelligence" to that agency as well.

How often such information is collected—deliberately or incidentally—and provided to federal "law enforcement and security agencies" remains an open question. Statistics on requests for CSE "Support to Lawful Access" seem to show relatively small annual numbers, only around 70-80 requests per year, but how sweeping those requests may be is not known, and whether they cover all aspects of Mandate C support is also unknown, so it's not possible to draw firm conclusions.

The even more sensitive CSIS Act s.16 MOU, which deals with the collection of foreign intelligence within Canada (think spying on foreign embassies and on foreign delegations attending events like the G8/G20 summit), was apparently withheld in its entirety, as there is no sign of it at all in the documents released to Ling.

The documents do reveal, however, that as of 2010 CSIS had "three specific Memoranda of Understanding with CSE which address ongoing cooperation in the performance of our duties and functions under sections 12, [redacted], 16 of the CSIS Act." (See page 71.)

To my knowledge, this third MOU has not been heard of before, and no information was released about its subject or contents.

The statement above strongly suggests, however, that the MOU relates to a separate section of the CSIS Act somewhere between sections 12 and 16, which would almost certainly be section 15. It is probably no coincidence that the preamble of a later, overarching "framework" MOU signed by the two agencies (also released to Ling) cites CSIS information collection/investigative activities under three separate, specific sections of the CSIS Act: 12, 15, and 16. (See page 21.)

Section 15 empowers CSIS to conduct investigations to provide personnel "security assessments" to federal, provincial, and foreign institutions, both for security clearance purposes and (federally) for immigration/refugee purposes. If this is indeed the explanation, it would seem that the idea that CSE SIGINT might contribute to such assessments is a deep, dark secret.

That said, the Ling documents also point to the existence of one or two other MOUs, one concerning "DIFTS" (30-08 activities) that was still under negotiation in 2010 (see page 72) and one signed in January 2007 (see pages 76-78).

If the latter was still in place in 2010, then it must be the one that I think relates to s.15.

The 2007 MOU seems to relate to a program involving the receipt by CSE of information from CSIS that is then used to guide CSE foreign intelligence collection, the results of which are subsequently provided to CSIS. (See, in particular, page 77.)

Which sounds a lot like the 2008 dispute between CSE and the CSE Commissioner over the agency's treatment of certain metadata, in which the Commissioner argued that CSE should re-examine and re-assess the legislative authority used to conduct its activities in relation to certain targets or topics, "particularly those supplied by federal law enforcement and security agencies engaged in ongoing criminal and national security investigations." [emphasis added] In the Commissioner's view, such activities should properly have been considered support to those agencies, i.e., Mandate C, not foreign intelligence (Mandate A) activities.

Maybe the dispute related to the collection/analysis of "foreign intelligence" metadata related to persons undergoing security assessments.

Thursday, May 28, 2015

Torus antennas increase collection of satellite communications

It doesn't have much direct connection to CSE, but some research I've been involved with on the Five Eyes agencies' growing ability to monitor satellite communications has just been published by the Nautilus Institute:

Desmond Ball, Duncan Campbell, Bill Robinson and Richard Tanter, "Expanded Communications Satellite Surveillance and Intelligence Activities Utilising Multi-beam Antenna Systems", NAPSNet Special Reports, Nautilus Institute, 28 May 2015.

The recent expansion of FORNSAT/COMSAT (foreign satellite/communications satellite) interception by the UKUSA or Five Eyes (FVEY) partners has involved the installation over the past eight years of multiple advanced quasi-parabolic multi-beam antennas, known as Torus, each of which can intercept up to 35 satellite communications beams. Material released by Edward Snowden identifies a ‘New Collection Posture’, known as ‘Collect-it-all’, an increasingly comprehensive approach to SIGINT collection from communications satellites by the NSA and its partners. There are about 232 antennas available at identified current Five Eyes FORNSAT/COMSAT sites, about 100 more antennas than in 2000. We conclude that development work at the observed Five Eyes FORNSAT/COMSAT sites since 2000 has more than doubled coverage, and that adding Torus has more than trebled potential coverage of global commercial satellites. The report also discusses Torus antennas operating in Russia and Ukraine, and other U.S. Torus antennas.

The full report is available here.

One of my co-authors, Duncan Campbell, also has a companion piece in the online version of WIRED UK: "'Torus': has one word in a Snowden leak revealed a huge expansion in surveillance?" WIRED UK, 28 May 2015.

This article just published by The Intercept (Peter Maass, "Inside NSA, Officials Privately Criticize “Collect It All” Surveillance," The Intercept, 28 May 2015) on the perils of collecting too much data makes timely related reading.

Also on that wider topic, I would highly recommend Taylor Owen's recent article in Foreign Affairs ("The Violence of Algorithms: Why Big Data Is Only as Smart as Those Who Generate It," Foreign Affairs, 25 May 2015).

Update 4 June 2014:

News coverage in Oz:

- Philip Dorling, "Pine Gap’s new spy role revealed," The Age, 31 May 2015.
- Michael Gorey, "Secret life of Pine Gap gets airing," Herald Sun, 1 June 2015.
- Erwin Chlanda, "Pine Gap shines in global snooping: report," Alice Springs News Online, 2 June 2015.

Wednesday, May 27, 2015

CSE and friends target mobile phones

More Snowden revelations were reported last week by the CBC (Amber Hildebrandt & Dave Seglins, "Spy agencies target mobile phones, app stores to implant spyware," CBC News, 21 May 2015):

Canada and its spying partners exploited weaknesses in one of the world's most popular mobile browsers and planned to hack into smartphones via links to Google and Samsung app stores, a top secret document obtained by CBC News shows.

Electronic intelligence agencies began targeting UC Browser — a massively popular app in China and India with growing use in North America — in late 2011 after discovering it leaked revealing details about its half-billion users.

Their goal, in tapping into UC Browser and also looking for larger app store vulnerabilities, was to collect data on suspected terrorists and other intelligence targets — and, in some cases, implant spyware on targeted smartphones.

The 2012 document shows that the surveillance agencies exploited the weaknesses in certain mobile apps in pursuit of their national security interests, but it appears they didn't alert the companies or the public to these weaknesses. That potentially put millions of users in danger of their data being accessed by other governments' agencies, hackers or criminals.

The Citizen Lab released a separate report on the particular vulnerabilities of the UC Browser (A Chatty Squirrel: Privacy and Security Issues with UC Browser, Citizen Lab, 21 May 2015) in conjunction with the CBC report.

[Update 28 May 2015: See also "The Many Identifiers in Our Pockets: A primer on mobile privacy and security" (Citizen Lab, 21 May 2015) and Ron Deibert's commentary, "When it comes to cyberspace, should national security trump user security?" Globe and Mail, 21 May 2015.]

The CBC article also reported that

The so-called Five Eyes intelligence alliance — the spy group comprising Canada, the U.S., Britain, Australia and New Zealand — specifically sought ways to find and hijack data links to servers used by Google and Samsung's mobile app stores, according to the document obtained by Snowden.

Over the course of several workshops held in Canada and Australia in late 2011 and early 2012, a joint Five Eyes tradecraft team tried to find ways to implant spyware on smartphones by intercepting the transmissions sent when downloading or updating apps.


Ultimately, the spy agencies wanted to implant spyware on certain smartphones to take control of a person's device or extract data from it, the document suggests.

The spy agencies also sought to match their targets' smartphone devices to their online activities, using databases of emails, chats and browsing histories kept in the Five Eyes' powerful XKeyScore tool to help build profiles on the people they were tracking.

Making that connection was a much desired goal of the agencies because of the growing use of smartphones and the wealth of data they contain.

There's much more worth reading in the CBC report.

The Intercept also published a report on the document, focusing more on the NSA and the app store angle: Ryan Gallagher, "NSA Planned to Hijack Google App Store to Hack Smartphones," The Intercept, 21 May 2015.

The document that the reports are based on was produced by a "Network Tradecraft Advancement Team" that appears to be composed of representatives from all five Five Eyes agencies.

The redacted version of the document, released by the CBC, is well worth a close look.

Page 20, for example, seems to show that at least one of the app suppliers that shows up—apparently repeatedly—in the demonstration depicted in the presentation is a Calgary-based company. Multiple communications from Blackberry devices in Bahrain and Saudi Arabia to the supplier in Calgary, monitored by CSE's own EONBLUE system, are shown.

Some people might call that spying on Canadians.

But CSE would undoubtedly classify it as "incidental collection", while the CSE Commissioner would use the term "unintentional collection".

So fear not. As usual, it's all good.

Update 4 June 2015:

See also Christopher Parsons' discussion of the document.

Wednesday, May 13, 2015

April 2015 CSE staff size

2143. Fifth drop in a row.

See last month's post on this topic for further comments.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Tuesday, May 12, 2015

Ten years of blogging!

I missed my blog's tenth anniversary earlier this month!

(First post here.)

How the time flies when you're having fun.

To celebrate the anniversary, all blog posts will be available for public reading for half price for all of this month!

Allan Lawrence on CSE and speech recognition

A previous post noted some comments from olden times—the 1990s—about the threat to privacy posed by SIGINT agency speech-recognition capabilities.

Which reminded me of this extraordinary speech by former Progressive Conservative Solicitor General Allan Lawrence—one of the few cabinet ministers ever to tour CSE headquarters—which he delivered in the House of Commons more than 30 years ago, on March 16th, 1984:

There are other measures which are terribly absent from the [CSIS Act, which was then under debate] which should protect and concern us all. One that has not been referred to by any Hon. Member yet—and I want to speak about it in the very limited time I have available to me today—is the terrible lack of control and monitoring in regard to electronic eavesdropping in the country at the moment, and as certainly would be the case if the Bill were passed in its present form.

I am not contravening my oath of office in indicating some of these concerns. I am not contravening the Official Secrets Act in publicizing some of the things I want to publicize in the House today. Anything I intend to say here today has already been published in Canada by others. ...

Hundreds of sophisticated tape recorders are turning right now in Canada, recording conversations that have been activated by the use of certain code words or phrases which automatically turn them on.

The eavesdropping of conversations is one of the major and most efficient tools being used today in the battle against crime and the gathering of information of all sorts, both by public agencies and, I suspect, by private organizations. ...

I suspect, although I have no proof, that accountable, effective control, supervision or prohibition, as the case may be, is largely illusory in this country. There is simply too much of it going on both within and without the Government. ...

I am concerned that there is still at least one very large gap in this whole process over which neither the Minister nor this Bill seems to envisage any accountable control in any way whatsoever. The impression the Minister attempts to convey is that this Bill, in conjunction with Part VI of the Criminal Code which deals with criminal investigation, specifies that henceforth all legal authorizations for third party eavesdropping or the obtaining of information by electronic or other means will have to be judicially authorized. That quite definitely, quite seriously and quite dangerously is totally wrong.

We have a so called ultra secret agency in this country that quite closely works with, feeds into and extracts from both the huge National Security Agency's sprawling facilities and the computer complex in Fort George Mead [sic] in Maryland, Washington [sic], and also the large listening and cryptological centre in the United Kindgom [sic] that has been in the news lately because of certain spy and union problems.

Canada's agency is mainly operational here in the Ottawa area and is called the Communications Security Agency [sic], the CSE. ... In the scheme of things, it is located under the jurisdiction of the Department of National Defence, although it is never listed in the Estimates, never mentioned in any budgetary item in the House or any of its committees and rarely appears on departmental organizational charts. ...

The purpose of the three or more nation group is to monitor all telephone, telegraph, telex, microwave, or radio emission signals or messages anywhere in the world or in space, and they do it. Sensitive radio receivers tap microwave and satellite transmissions of telephone conversations, for instance, while a computer equipped with limited speech recognition capability quickly filters through thousands of tapes and intercepts by seizing on key words. It would not take too much imagination to believe that four triggering words would be 'diplomat, terrorist, bomb' and 'explosion'. I leave it to Members to think of some of the other trigger words. [In this section of the speech, Lawrence was drawing on a Globe and Mail article (Jonathan Chevreau, "Spy technology can outdo Big Brother," Globe and Mail, 23 December 1983).]

Decoding devices and unscrambling gear are obviously an integral part of its facilities. These agencies, Canada's included, obviously not only listen to international wavelengths. By their nature, they have the potential to listen in to everything and anything that hits the airwaves and more, both outside and inside Canada. Computer data banking information is fed by telephone facilities. Telephonic communications are carried on by microwave. Microwaves are intercepted by this agency.

I am not arguing that these facilities for both security and economic purposes are not necessary or useful. I am arguing that this Bill does not seem to recognize either that ministerial knowledge or judicial approval that is designed to lull us into the comfortable belief that all is well and being controlled, authorized and monitored.

There is a terrible potential for abuse in the CSE and its allied and international agencies in other countries. They can, and I am convinced they do, listen in, break into, decodify and store conversations of people in this country with no independent control, supervision, or monitoring.

In conclusion, may I say that at a time when more and more personal, private, governmental and commercial communication and transmission is being handled through the airwaves, including easy access to data banks, it is simply appalling that this Bill, which is designed to allay our fears respecting some elements of personal privacy and civil liberties and at the same time provide an efficient framework for our protection from foreign influences, both hostile and friendly, ignores this rapidly expanding capability.

The "limited speech recognition capability" available at Lawrence's time was very, very limited indeed, but the efforts being made to produce more effective systems were very real.

Just a couple of years later, for example, Aviation Week (14 December 1987) reported that the "USAF's Rome Air Development Center plans to develop an architecture to automatically process up to 150 audio channels in real time for human communications intelligence analysis. The effort will use the center's automatic speech processing capabilities including speaker identification, language identification, keyword recognition and speech enhancement."

Sunday, May 10, 2015

Can you hear me now?

The Intercept had a story last week on the state of speech processing capabilities within the SIGINT community (Dan Froomkin, "The Computers are Listening: How the NSA Converts Spoken Words Into Searchable Text," Intercept, 5 May 2015):

Top-secret documents from the archive of former NSA contractor Edward Snowden show the National Security Agency can now automatically recognize the content within phone calls by creating rough transcripts and phonetic representations that can be easily searched and stored.

The documents show NSA analysts celebrating the development of what they called “Google for Voice” nearly a decade ago.

Though perfect transcription of natural conversation apparently remains the Intelligence Community’s “holy grail,” the Snowden documents describe extensive use of keyword searching as well as computer programs designed to analyze and “extract” the content of voice conversations, and even use sophisticated algorithms to flag conversations of interest.

The documents include vivid examples of the use of speech recognition in war zones like Iraq and Afghanistan, as well as in Latin America. But they leave unclear exactly how widely the spy agency uses this ability, particularly in programs that pick up considerable amounts of conversations that include people who live in or are citizens of the United States.

Spying on international telephone calls has always been a staple of NSA surveillance, but the requirement that an actual person do the listening meant it was effectively limited to a tiny percentage of the total traffic. By leveraging advances in automated speech recognition, the NSA has entered the era of bulk listening.

It does not appear to be practical yet for NSA and its partners to capture and process into searchable (and permanently storable) text all the speech that passes through the SIGINT system.

Still, it is clear that the intelligence community's ability to process speech is rapidly growing.

None of this should come as a surprise if you've been paying attention, of course.

CSE and its Five Eyes partners have been working on computer speech recognition, and related technologies such as speaker identification, for a long, long time.

And some of us on the outside have been worrying—the less charitable might say panicking—about the potential privacy implications of such technologies for nearly as long:

“CSE's interest in high-tech devices that help locate specific conversations and documents is a clear indication the five-member alliance collects and sifts large volumes of civilian traffic, said Bill Robinson, a researcher in Waterloo, Ont., who has long studied the spy agencies. "This technology is needed to process vast communications streams when you're hunting for nuggets within it." Mr. Robinson said the devices have legitimate uses, but hold "potentially frightening" implications for people's privacy as the technology advances. "They'll be able to do things they never could've done in the past.”” (Jim Bronskill, "High-tech snooping tools developed for spy agency," Vancouver Sun, 24 May 1999)

“Mr. Robinson says that while the federal government last year appointed a commissioner to oversee the CSE, he remains concerned that the SIGINT system as it sweeps through global, civilian communications could pose a threat, perhaps inadvertently, to the privacy of Canadians. "Not that the government is systematically monitoring citizens, but it's risky when the capabilities are developing to do that," he says.” (Peter Hum, "I spy," Ottawa Citizen, 10 May 1997)

“Since 1989, the CSE has awarded three contracts worth $1.1 million to a Montreal firm to make machines that can quickly isolate key words and phrases from millions of signals CSE monitors each day, CTV reported Sunday [based on Access to Information requests made by me]. “It’s frightening,” says Bill Robinson…. “It has Orwellian potential to sweep through everybody’s conversations. As computers get faster and faster, theoretically one would be able to keep records of all conversations.”” (“Spy agency works on eavesdropping device for phones, fax,” Ottawa Citizen, 31 January 1994)

Those capabilities don't appear to be here quite yet.

But they're a whole lot closer than they were 20 years ago.

Update 11 May 2015:

Follow-on story from The Intercept (Dan Froomkin, "The Computers are Listening: Speech Recognition is NSA’s Best-Kept Open Secret," Intercept, 11 May 2015):

It’s not surprising that the NSA isn’t talking about [speech recognition]. But oddly enough, neither is anyone else: Over the years, there’s been almost no public discussion of the NSA’s use of automated speech recognition.

One minor exception was in 1999, when a young Australian cryptographer named Julian Assange stumbled across an NSA patent that mentioned “machine transcribed speech.”

Assange, who went on to found WikiLeaks, said at the time: “This patent should worry people. Everyone’s overseas phone calls are or may soon be tapped, transcribed and archived in the bowels of an unaccountable foreign spy agency.”

Update 12 May 2015:

See also Allan Lawrence's 1984 speech to the House of Commons.

Update 8 June 2015:

More from The Intercept (Dan Froomkin, "The Computers Are Listening: NSA Won’t Say If It Automatically Transcribes American Phone Calls in Bulk," Intercept, 8 June 2015).

Saturday, May 09, 2015

"The Espionage Establishment" now available for viewing

The groundbreaking CBC documentary The Fifth Estate: The Espionage Establishment, originally broadcast on January 9th, 1974, is finally available for viewing online.

Among other revelations, The Fifth Estate: The Espionage Establishment was the first to reveal the existence of Canada's signals intelligence agency, then called the Communications Branch of the National Research Council (CBNRC), to the Canadian public and parliament. It even showed CBNRC's director, Kevin O'Neill, as he left his home to go to work (see screen cap above).

CBNRC's exposure led to extensive questioning in parliament and wide coverage in Canadian newspapers, and it is thought to have played an important role in the Trudeau government's 1975 transfer of the agency to the Department of National Defence, where it received its current name, the Communications Security Establishment.

Further comments on the documentary here.

H/T to Anonymous—no, not that one—for tipping me to the link.

Update 26 May 2015:

The CBC posted a brief introduction to the documentary here: Amber Hildebrandt, "How CSE's existence was first revealed by CBC TV," CBC News, 21 May 2015. They have also posted a link to the transcript of the program.