Year in Review

Monday, 5 January 2015

Well, 2014 turned out to be quite a year. For me, it was a really productive one, and I was lucky enough to get the opportunity to work on some great projects. Below are a few personal highlights that I've put together as a sort of 'year in review', along with a list of notable stories and developments in the realm of surveillance and national security, some 'ones to watch' for 2015, and a few awards that I've decided to hand out for dishonourable government conduct, just because there was so much of it over the last twelve months, and the worst offenders deserve some recognition...

(I meant to post this last week, but I've been on a remote Spanish island on holiday with no internet connection... so here it is, better late than never...)

January to March

In January I worked with Canadian broadcaster CBC to reveal details about domestic surveillance in Canada. In February, The Intercept launched, and I contributed to a story that revealed some new details about US and UK government efforts to target WikiLeaks. In March, I had a report out shining a light on how the US National Security Agency has worked alongside its UK partner Government Communications Headquarters to infect large numbers of computers across the world with malware. I also worked on a story exposing the NSA's targeting of innocent system administrators as part of its covert attempts to hack into communication networks.

April to June

In March, I worked with German news magazine Der Spiegel on a story revealing new details about the NSA's surveillance of world leaders. In April, I reported on British spies' attempts to get broad unsupervised access into NSA troves of surveillance data. And in June, I worked with some great reporters at Danish newspaper Dagbladet Information to reveal new information showing how the NSA forms secret partnerships with countries across the world in order to help significantly expand its surveillance reach.

July to September

In August, the US military banned its personnel from reading The Intercept, and a few days later we published one of the most important stories I've worked on to date, exposing a vast US surveillance search system used to share huge troves of private data among dozens of US government agencies, including domestic law enforcement. The story revealed the decades-long history of US agencies' use of masses of metadata to monitor people's behaviour, and exposed how the CIA was using metadata to aid its efforts to secretly kidnap terror suspects (a practice that often resulted in the suspects — some of whom were totally innocent — being brutally tortured).

In September, we began reporting details at The Intercept about the scope of surveillance in New Zealand, and shined a light on deceptive statements made by the government there about its spying efforts; meanwhile, police raided and ransacked the home of the excellent investigative reporter that we were (and are) working with on Snowden revelations related to New Zealand.

October to December

In November, I worked on a story revealing how one of the most sophisticated pieces of malware ever discovered — dubbed "Regin" by security experts — was linked to cyberattacks perpetrated by British spies against Belgian telecommunications company Belgacom and European Union offices. This piece was an interesting one to work on in that it combined both news reportage with malware analysis — something that's never been done before in journalism, I think — and was published alongside downloadable samples of the Regin malware.

In December, I had a new report out revealing a secret NSA program that involves spying on emails sent among hundreds of mobile phone companies around the world, a practice that helps the agency hack into phone networks. The story exposed how the NSA targeted a London-headquartered trade group that represents tech giants like Microsoft and Facebook, and provided evidence that the NSA had been working to insert security vulnerabilities into global telecommunications infrastructure so that they can be exploited for surveillance.

Also in December, I reported new details about the GCHQ hack of Belgian telecommunications company Belgacom as part of a reporting collaboration with newspapers in Belgium and the Netherlands. This particular story is one that I am especially proud of; it was the culmination of about six months of work, and took a huge amount of cooperation with different teams operating out of four separate countries simultaneously. We were able to tell the full story of the British hack on Belgacom, a hugely significant incident representing an unprecedented cyberattack by one EU member state on another. The story included new 'smoking gun' evidence showing that the Regin malware samples contained code-names that also appeared in secret GCHQ documents obtained from whistleblower Edward Snowden.

Vital stories

Here is a list of some reports and developments that stood out to me in 2014:

NSA collects millions of text messages daily in 'untargeted' global sweep, The Guardian, 16 January.

Snowden docs show UK spies attacked Anonymous, hackers, NBC News, 4 February.

The NSA’s secret role in the US assassination program, The Intercept, 10 February.

Optic Nerve: millions of Yahoo webcam images intercepted by GCHQ, The Guardian, 27 February.

NSA surveillance program reaches ‘into the past’ to retrieve, replay phone calls, Washington Post, 18 March.

Top EU court rejects EU-wide data retention law, BBC News, 8 April.

Death from above: how American drone strikes are devastating Yemen, Rolling Stone, 14 April.

Turkish president approves law widening secret service's powers, Reuters, 24 April.

The NSA is recording every cell phone call in the Bahamas, The Intercept, 19 May.

Germany arrests man suspected of spying for US, BBC News, 4 June.

NSA: Inside the five-eyed vampire squid of the Internet, The Register, 5 June.

Vodafone reveals existence of secret wires that allow state surveillance, The Guardian, 6 June.

US officials scrambled to nab Snowden, hoping he would take a wrong step. He didn’t, Washington Post, 14 June.

GCHQ sanctions spying on every Facebook, Google and Twitter user, The Telegraph, 17 June.

In NSA-intercepted data, those not targeted far outnumber the foreigners who are, Washington Post, 5 July.

Germany to spy on US for first time since 1945 after ‘double agent’ scandal, The Independent, 7 July.

Meet the Muslim-American leaders the FBI and NSA have been spying on, The Intercept, 9 July.

Hacking online polls and other ways British spies seek to control the Internet, The Intercept, 14 July.

The secret government rulebook for labeling you a terrorist, The Intercept, 23 July.

CIA Admits improperly hacked into Senate computers, Washington Times, 31 July.

Barack Obama’s secret terrorist-tracking system, by the numbers, The Intercept, 5 August.

The Islamic State (documentary), Vice, 7 August.

German spy company helped Bahrain hack Arab Spring protesters, The Intercept, 8 August.

Photos of alleged 9/11 '20th hijacker' can stay classified: court, Reuters, 2 September.

MRAPs and bayonets: what we know about the Pentagon's 1033 program, NPR, 2 September.

The NSA and GCHQ campaign against German satellite companies, The Intercept, 14 September.

Israel's NSA scandal, New York Times, 16 September.

Wikileaks releases FinFisher files to highlight government malware abuse, The Guardian, 16 September.

The NSA and me, The Intercept, 2 October.

Citizen Four (documentary), 10 October.

Why was the NSA chief playing the market? Foreign Policy, 22 October.

MI5 spied on leading British historians for decades, secret files reveal, The Guardian, 24 October.

In Cold War, US spy agencies used 1,000 Nazis, New York Times, 26 October.

Secret manuals show the spyware sold to despots and cops worldwide, The Intercept, 30 October.

Brazil is keeping its promise to avoid the US Internet, Gizmodo, 30 October.

Disguised as climate negotiators, Dagbladet Information, 1 November.

UK intelligence agencies spying on lawyers in sensitive security cases, The Guardian, 7 November.

FBI says it impersonated AP reporter in 2007 case, AP, 7 November.

Americans’ cellphones targeted in secret US spy program, Wall Street Journal, 14 November.

WhatsApp now provides end-to-end encryption for your messages, Gizmodo, 18 November.

Before Snowden, a debate inside NSA, AP, 19 November.

US firms accused of enabling surveillance in despotic Central Asian regimes, The Intercept, 20 November.

How Vodafone-subsidiary Cable & Wireless aided GCHQ’s spying efforts, Süddeutsche Zeitung, 25 November.

CIA torture report, 9 December.

WikiLeaks CIA leaks, 18 & 21 December.

Inside the NSA's war on internet security, Der Spiegel, 27 December.

The Sabu Files, Vice/Daily Dot.

Save our sources campaign, The Press Gazette.

Ones to watch in 2015

Some things worth keeping an eye on...

A new US cybersecurity unit that will advise agencies on surveillance operations.

Details about a secret database being used by federal agents in the US, the existence of which has become the subject of dispute in an ongoing court case.

Information about documents being shredded en masse in a UK police anti-corruption investigation.

Developments in the US government's ongoing criminal investigation into WikiLeaks, which may have involved the use of a prominent informant.

The long-overdue publication of a government-commissioned post-Snowden review of UK surveillance operations.

The US government using state secrecy powers to block the release of files from anti-Iran group.

Renewed 'crypto wars' as law enforcement agencies in the US push for more powers to combat privacy-protecting encryption technologies.

More details about the CIA's hacking of Senate computers.

A continuing government effort to introduce new laws bolstering surveillance powers in the US, UK, Australia, Canada, and New Zealand.

Many more stories from the Snowden documents related to secret spying conducted by the US, UK, Australia, Canada, New Zealand, and other countries.

Now for a few awards...

Because I feel like handing out some dubious accolades:

Bullshit statement of the year

Winner: Recently retired GCHQ spy chief Sir Iain Lobban for his claim in October that the agency doesn't engage in "anything remotely resembling mass surveillance." A completely false statement that could not be further from the truth.

Runner-up: UK home secretary Theresa May for "collection of bulk data is not mass surveillance."

3rd prize: former US vice-president Dick Cheney for "we were very careful to stop short of torture."

Dishonourable mentions: former NSA and CIA chief Michael Hayden for "I didn’t do anything wrong"; new GCHQ spy chief Robert Hannigan for "GCHQ is happy to be part of a mature debate on privacy in the digital age."

Orwellian euphemism of the year

New Zealand's prime minister John Key tries and fails to make mass surveillance palatable to the public in September by re-branding it "mass protection."

Outrageous admission of the year

Former NSA and CIA chief Michael Hayden tells an audience at Johns Hopkins University in April: "We kill people based on metadata."

Understatement of the year

President Barack Obama, in August, on the CIA's brutal human rights abuses post 9/11: "We tortured some folks."

Gaffe of the year

UK foreign secretary Philip Hammond, who is responsible for signing off on GCHQ surveillance operations, illustrates during a parliamentary hearing in October that he doesn't have a clue what he's been approving.

Hypocrite of the year

Michael Hayden, the CIA chief who oversaw the agency's secret extrajudicial kidnapping operations that involved imprisoning and torturing terrorism suspects, some of whom were entirely innocent, complains in December that a Senate report criticising CIA torture methods was like being "tried and convicted in absentia. We were not given an opportunity to mount a defense."

Most bizarre mass surveillance justification of the year

UK prime minister David Cameron explains to British lawmakers in January that fictional TV crime dramas demonstrate the need for new dragnet spying powers.

Most absurd response to surveillance revelations of the year

A special joint award that goes to the Canadian prime minister's parliamentary secretary, Paul Calandra, and John Key, New Zealand's prime minister. Instead of addressing the substance of revelations about secret government spying in 2014 (that I was involved in reporting), Calandra and Key both resorted to weird and childish petty insults, calling my colleague Glenn Greenwald a "porn spy" (Calandra) and a "loser" (Key).

Villain of the year

UK police and security agencies for establishing a precedent that means journalism — the mere publication of facts and opinions — can now be considered terrorism; for working to secretly identify journalists' confidential sources; and for eavesdropping on lawyers' privileged communications.

Extraordinary Rendition and the Secret Role of Metadata

Thursday, 28 August 2014

On Monday, I had a new story out at The Intercept revealing a secret search engine that the National Security Agency built to share a massive amount of data with other US government agencies, including domestic law enforcement. There are many new and important details scattered through the piece. But there is one in particular I would like to take a minute to focus on here, because it is a fact that strikes at the heart of the debate about government surveillance and deserves some more attention.

In one of the classified documents that we published with the story, dated from 2005, the NSA outlined some of the "successes" of a data-sharing project called CRISSCROSS that was led by the Central Intelligence Agency. The document shows that metadata collected about communications was integral to the CIA's extraordinary rendition program during the Bush Administration, which involved kidnapping terror suspects and taking them to secret "black site" jails where they would be brutally interrogated and sometimes tortured. The NSA document says:

Since 9/11, the contributions to the GWOT [global war on terror] due to our increased collection of signaling metadata are innumerable and significant. It is safe to say that it has been a contribution to virtually every successful rendition of suspects and often, the deciding factor.

This is an incredible detail. Remember, metadata is not the audio content of a phone call or the words contained within the body of an email message. It is merely information showing who you have contacted and when. Governments have often sought to defend the mass-scale collection of metadata by insisting that it is not information that is sensitive or very private. In June last year, President Obama tried to dismiss concerns about metadata collection in the United States by claiming that "nobody is listening to your telephone calls." But, clearly, the government doesn't need to be listening to your calls to deem you a threat. That metadata has been the deciding factor in targeting people for extraordinary rendition is a profound illustration of that — and it shows that metadata collection has real-world ramifications: it is not just some benign activity.

You might think, "well, I'm not a terror suspect so what do I care?" But this is not only about the Bad Guys — there are much wider consequences at play here. During the height of the extraordinary rendition program, for instance, some of the people targeted were victims of what was called "erroneous rendition." In other words, the CIA would kidnap the wrong person. (Yes, seriously.) In 2005, it was reported by the Washington Post that the CIA's inspector general was investigating a "growing number" of erroneous renditions, with some anonymous government officials saying that they believed there were as many as 30 instances of it having taken place.

Much is still unknown about these cocked-up renditions because the information has been kept secret. But now that we know metadata played a key role in targeting people — in some cases even being the "deciding factor" — questions must surely be asked about whether this method was ever to blame. From a legal and human rights perspective, it is disturbing enough that the CIA was secretly kidnapping, imprisoning, and then torturing people. But the possibility of innocent individuals being targeted on the basis of their metadata trail clearly adds a chilling extra dimension. It is a policy of guilt by association that bears all the hallmarks of a kind of terrible and flawed style of totalitarian policing.

Today, the practice of extraordinary rendition appears to have been largely phased out by President Obama. But the concerns raised by the use of metadata to target people are still highly pertinent. Indeed, as The Intercept reported back in February, metadata is actively being used to target and kill terror suspects in drone strikes in countries like Yemen, Pakistan and Somalia. One military source said that the method can result in the "wrong people" being bombed. And if you think that sounds far-fetched — that the US would not launch missiles at people because of their metadata — you don't need to take my word for it. Just go and listen to what former CIA and NSA chief Michael Hayden has to say. As he boasted in April: "We kill people based on metadata."

Sabu, LulzSec, and the FBI's WikiLeaks Investigation

Monday, 26 May 2014

Some very intriguing new details emerged on Friday about the case of former Anonymous hacker turned FBI informant Hector Monsegur, or "Sabu" as he is better known.

A document filed in a New York district court shed light on the "extraordinarily valuable and productive" extent of Sabu's cooperation with the government over a period of approximately three years.

It is already widely known that Sabu secretly helped authorities track down and jail his former hacker comrades who were part of LulzSec, a high-profile Anonymous splinter group that attacked and infiltrated major corporate and government websites in the summer of 2011.

But the latest court document for the first time hints at Sabu's broader role aiding another major FBI undercover operation — one that I believe likely relates to an aggressive investigation into WikiLeaks and its founder Julian Assange. The section of the document in question is vague, deliberately so, but offers enough detail to indicate that it directly involves WikiLeaks and is potentially of high importance, for reasons I'll explain below. The document states:

Monsegur also engaged in a significant undercover operation in an existing investigation through which, acting at the direction of law enforcement, Monsegur gathered evidence that exposed a particular subject’s role in soliciting cyber attacks on a foreign government. The evidence he enabled the Government to obtain was extremely valuable, and the Government could not otherwise have obtained it without his assistance. Although this cooperation has not resulted in any prosecutions to date, the Government believes his information, and the evidence he helped to obtain in this matter, is extremely significant.

To understand why this matters and why it struck me straight away, a bit of background is necessary.

As I reported last year in a piece for Slate, Sabu, while working as an FBI informant in 2011, was in contact with a young WikiLeaks volunteer who had established a close relationship with Assange.

The volunteer, Sigurdur Thordarson, told me that with Assange's approval he set up a line of communication between Sabu, LulzSec, and WikiLeaks. He said he then solicited the hackers to infiltrate computers at the Icelandic Ministry of Finance to find evidence of anti-WikiLeaks sentiment. "That was the first assignment WikiLeaks gave to LulzSec," Thordarson claimed, because the Ministry of Finance had months earlier thwarted an attempt by DataCell, a company that processes WikiLeaks donations, to purchase a large new data center in Reykjavik. The FBI appears to have monitored the exchange between WikiLeaks and LulzSec through Sabu, and a few days later contacted Icelandic authorities to warn them about an imminent cyber attack. Icelandic police travelled to the United States to discuss the matter, according to information published by the country's state prosecutor.

According to Thordarson, the LulzSec hackers eventually turned over some confidential documents to WikiLeaks that related to the US embassy in Iceland, as well as other hacked files, such as a huge trove of emails mined from Syrian government servers that were later released by WikiLeaks. Thordarson alleged that Assange spoke with Sabu over Skype during this time, and he showed me records of chats he had with Sabu that appear to support his version of events. Again, Sabu was secretly working as an FBI informant during his correspondence with WikiLeaks; FBI agents, who were monitoring Sabu's online activity 24/7 and directing his conduct, would have almost certainly been watching over his shoulder during any conversations with Assange or others.

In a bizarre twist, Thordarson himself later became an FBI informant, before he found out that Sabu, too, was working for the Bureau. (You can read the whole crazy backstory here.) WikiLeaks says Thordarson was a rogue operative and has accused the FBI of using "coercion and payments" in an effort to extract information that could be used against its staff in a prosecution. It is unclear whether Assange was personally involved at all in any attempt to solicit the hacking of foreign government computers.

Either way, one thing that is clear and undisputed is that Sabu was in contact with WikiLeaks while he was working for the FBI. And the new court document in Sabu's case strongly suggests to me that the contact was not some random occurrence — rather, it suggests it was part of a concerted FBI undercover sting operation aimed at implicating Assange and his colleagues in criminal activity.

The mention of "a particular subject’s role in soliciting cyber attacks on a foreign government" stood out to me immediately as a likely reference to the Assange-Thordarson-Sabu-Iceland affair, perhaps even intended as a warning shot from the Justice Department that this is an angle still being pursued. WikiLeaks seems to have noticed it, as well, tweeting on Saturday that the document contained an "apparent reference to [an] FBI operation against WL."

It is worth recalling that the FBI and the Justice Dept. still have an active and ongoing criminal investigation into WikiLeaks, a fact that was most recently confirmed just last week. But because of constitutional press freedom protections in the United States under the First Amendment, to prosecute any WikiLeaks staff for their role in publishing leaked classified US government documents would be untenable. That is precisely why it is far more likely that the FBI will be seeking to find other charges it can lay against Assange, such as conspiracy, and that is where I think Sabu comes into the frame. The new court document refers to an "existing investigation" and notes that while the information Sabu gleaned about the cyber attacks being solicited "has not resulted in any prosecutions to date," it remains "extremely significant." [Emphasis added.]

So watch this space. I expect more details about this dramatic debacle are going to surface before long — possibly even in an indictment against Assange, if the FBI gets its way.

The Detainee Report and the UK Government Flouting FOIA Law

Wednesday, 26 March 2014

Back in September, as I explained in a previous post, I filed a Freedom of Information Act (FOIA) request with the UK government in an attempt to obtain a long-withheld report on British spies' complicity in torture and extraordinary rendition. The government repeatedly ignored my requests — refusing to even acknowledge them, as obligated under the law — but finally published the report in December.

As I suspected it would, the so-called 'Detainee Inquiry' report shined a light on the dubious involvement of the UK's security services in brutal interrogation tactics and kidnapping methods carried out by US government operatives in the aftermath of the September 11 attacks. British agents, it found, were under no obligation to report breaches of the Geneva conventions and turned a "blind eye" to the torture of detainees held in foreign prisons.

The report was put together by the Detainee Inquiry as a preliminary report and, unfortunately, it only scratched the surface. Headed by retired judge Sir Peter Gibson, the inquiry was originally supposed to dig deep into the allegations of complicity in the abuses. However, it was postponed in 2012 amid controversy because the government said that it clashed with ongoing police investigations into some of the same cases. Justice Secretary Ken Clarke promised that an independent judge-led inquiry would continue in time, but the government suddenly pulled a policy reversal in December and now says the issues will be dealt with (or should I say, swept under the rug) by the largely toothless parliamentary intelligence and security committee — a move that has been strongly criticised by human rights groups, lawyers, and two United Nations special rapporteurs.

Aside from pointing to the substance of the Gibson report, though, I wanted to address something else here: that is, the dismal conduct of the government in ignoring my original request to obtain it. The Cabinet Office repeatedly failed to respond to my inquiries for a period of about five months, even after the Information Commissioner's Office (ICO) got involved. (The ICO is the public body that enforces access to information legislation in the UK.) Under the terms of the FOIA law, the government should have responded to my initial request within 30 days. Instead, it chose not to respond at all — not even an acknowledgement; nothing. I've never experienced anything like that, and I have submitted quite a lot of FOIA requests in my time.

It seemed that the Cabinet Office was clearly flouting its legal obligations, so I decided to submit a formal complaint with the ICO. Last month, the ICO issued a "decision notice" in my case (see below), finding in my favour that the government broke the law under section 10 of the Freedom of Information Act by ignoring my request. The ICO threatened to pursue contempt of court action against the government in the High Court if it did not contact me within a further 35 days. Unsurprisingly, earlier this month, about a day before the deadline was due to expire, the Cabinet Office finally responded — claiming "oversights" were the cause of the long delay while having the cheek to open its letter by referring to my "recent" FOIA request. The request was submitted half a year prior.

Cabinet officials were contacted on several occasions about my request over this six-month period; they confirmed to the ICO over the phone that they had received it, and were then warned about potential "enforcement action." Yet they continued to not respond to me. It was not until the government was formally threatened with contempt in the decision notice that it acted. And by then, the Detainee Inquiry report that I was originally seeking had been released publicly anyway.

I have no idea whether the government deliberately ignored my request in a bid to delay releasing the report, so that it could release it later on its own terms. But frankly that does not seem like a far-fetched possibility, especially given that some public bodies, like London's Metropolitan Police, have admitted treating FOIA requests from journalists as "high risk" — even though all requests are supposed to be treated "applicant and motive blind." Either way, whether the failure to respond was calculated or just down to total incompetence, I have certainly not come away from this debacle with a sense that the government cares much about fulfilling its legal responsibilities in the realm of transparency.

For that reason, there is a satisfaction in seeing the government get reprimanded by the ICO for its unlawful conduct in this case. But ultimately there is a kind of depressing futility about the finding. The decision notice will go against the government — damaging the Cabinet Office's FOIA credentials with the Information Commissioner, especially if other cases such as this continue to stack up. (The Cabinet could be placed on the ICO's "monitoring programme" if it keeps egregiously flouting its FOIA obligations.) However, that doesn't really count for much in practice. I would like to see the ICO given much stronger powers to enforce compliance with FOIA law — the power to dish out heavy fines for flagrant violations and inexplicably extreme delays in responding to people. Otherwise it seems highly likely that the government and other public bodies will continue to be content to ignore requests whenever it suits them to do so.

UPDATE, 27 March 2014: As a commenter below has pointed out, it turns out that the Cabinet Office has in fact already been placed on the "monitoring programme" by the Information Commissioner's Office after "serious shortcomings" were identified in its responses to freedom of information requests. The ICO announced in January, while my complaint was still ongoing, that it would be examining the Cabinet's responses to requests received between 1 January and 31 March 2014. The ICO claims that "failure to show signs of improvement during this period may result in enforcement action."

Canada's WiFi Surveillance and CSEC's Non-Denial Denials

Saturday, 1 February 2014

On Thursday, a report I worked on with Glenn Greenwald and Greg Weston was published in Canada, revealing how the country's spy agency CSEC secretly developed a program to monitor WiFi users in a major Canadian airport.

The piece, based on documents leaked by the former US National Security Agency contractor Edward Snowden, has led to CSEC being accused of acting unlawfully and has triggered calls for better oversight of the agency.

But one of the most intriguing aspects of the fallout from the story has been the Canadian government's response — which merits some scrutiny and analysis.

First, some context.

Back in November, Greenwald, Weston and I reported separate revelations about Canada's role in an NSA operation to spy at the G8 and G20 summits in Canada in 2010. In response to reporters' questions, CSEC's chief John Forster claimed:

What I can tell you is that CSEC, under its legislation, cannot target Canadians anywhere in the world or anyone in Canada, including visitors to Canada.

During a speech in October, Forster had made a similar statement:

I can tell you that we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada. In fact, it's prohibited by law. Protecting the privacy of Canadians is our most important principle.

And again, in January, he repeated this assertion in a letter to a Canadian newspaper:

Under the law, CSE’s foreign intelligence mandate specifically dictates that our activities be directed only at foreign entities, and not at Canadians or anyone in Canada. That is the law and we fully respect that.

Having analysed the Canadian documents in the Snowden material, I found these statements quite astonishing.

Why? Because one of the top-secret Snowden documents revealed that, in 2012, CSEC had set up a program that involved monitoring WiFi usage at a large Canadian airport. The secret files showed how CSEC was able to use a huge amount of data about the WiFi connections to follow users "backward and forward in recent time" — identifying visits to hotels, other airports, Internet cafes, coffee shops, and a library.

The tactic is described by CSEC in the files as "IP profiling" — a surveillance method that can be used to track users' movements over time. In one case, as we reported at CBC on Thursday, the spy agency says that it performed a sweep of an entire "modest-sized" city and identified 300,000 user IDs:

The "mission impact" of the tactic, according to the document, is that it can alert spies to "target country location changes" and "webmail logins with time-limited cookies."

The full document [pdf] speaks for itself. It illustrates that a secret surveillance operation was conducted on Canadian soil — sweeping up metadata on the WiFi usage of thousands of people not suspected of any crime. Equally significant, the revelation contradicts CSEC chief Forster's repeated assertion that "we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada."

After we reported the airports story, it got more interesting.

CSEC issued a statement that was notable for three reasons. First, the agency did not repeat its previous mantra claiming not to "target anyone in Canada." Second, it appeared to make an admission that it is sweeping up metadata within Canada, saying that it was "legally authorized" to "collect and analyze" this information. And third, it issued a fresh denial, saying that "no Canadian or foreign travellers were tracked. No Canadian communications were, or are, targeted, collected or used."

Shortly afterwards, on Friday, a similar denial was made by the Canadian prime minister's parliamentary secretary, who launched a bizarre personal attack on Greenwald while claiming that the "facts" were that "nothing in the stolen documents showed that Canadians' communications were targeted, collected, or used, nor that travellers' movements were tracked."

But these denials are hollow.

It's a straw man to claim that the revelations were about communications being "targeted, collected, or used." That is not what our story was about. The issue at hand is how CSEC initiated a program to sweep up information showing when people are connecting to WiFi networks and using this information to build "profiles" of their movements back and forward in time.

And that brings us to the more important point. CSEC and the prime minister's secretary claimed that "no Canadian or foreign travellers were tracked." However, what they did not say was how they were defining the word "tracked."

The documents quite clearly show how the agency used user "IP profiles" to monitor WiFi users' movements over time, with this capability enabling it to generate "alerts" when a person relocates to another country.

The dictionary definition of "tracking" says that it means "the act or process of following something or someone." CSEC's IP profiling is exactly that — monitoring users' location and keeping tabs on where they are. Indeed, the document says as much, outlining how CSEC uses this tactic to "follow IDs backward and forward in recent time." The documents also mention how CSEC used tools called "Quova" and "Atlas database" — which are technologies used to pinpoint the geolocation of an IP address.

CSEC's denial that it "tracked" Canadians or foreign travellers, I think, hinges upon a narrowly defined interpretation of the word. The US Department of Defence, for instance, uses "tracking" as a specific technical term meaning the "precise and continuous position-finding of targets by radar, optical, or other means." CSEC's IP profiling definitely fits the dictionary definition of "tracking" as it is understood by most people — but does it fit the narrower military definition? Perhaps CSEC believes that IP profiling does not constitute "precise and continuous" tracking. But if so, it should be explaining this — as otherwise its denial is highly misleading.

Spy agencies are professionals in the art of deception, and sometimes that seems to be reflected in their public relations strategy. After all, we have seen misleading denials issued repeatedly by the National Security Agency and its Five Eyes counterparts about various surveillance revelations in recent months. Again and again, officials have used narrowly defined words or jargon terms in a carefully crafted way in order to issue non-denial denials, in which they appear to refute an allegation but on closer reading do not really refute it at all.

The ultimate point here is that the tactics being used by CSEC and the Canadian government to deflect criticism of their secret surveillance programs merit as much attention as the revelations themselves. That is especially clear when, in response to disclosures about their secret programs, senior government officials launch childish character assassination attempts against the journalists who reported the information. In a democratic society, surely a higher standard is required. It is not enough for governments and spy agencies to spit out a few indignant statements and denials with the expectation that people should just blindly trust that they are telling the truth.

Also, no matter how "tracking" is being defined, what is clear is that CSEC was (and our sources say still is) running a large-scale surveillance operation on domestic soil, seriously calling into question spy chief Forster's previous statements that "our activities" are not directed "at Canadians or anyone in Canada." The CSEC boss is due to appear before a Senate committee hearing on Monday. Hopefully Canada's lawmakers will take the opportunity to ask some probing questions.

UPDATE, 7 February 2014: Since the story was published last week, there have been several developments. There have been more calls for an independent review of CSEC's activities, while spy chief Forster was forced to publicly defend the surveillance in Monday's Senate hearing.

There have also been some interesting analyses of the leaked documents worth responding to.

First, the surveillance blog Electrospaces claimed that the secret documents seemed to have been "incorrectly interpreted" in our CBC report. The blog published an anonymous analysis from someone who says that CSEC's surveillance project was "was not surveillance of Canadian citizens per se but just a small research project." The second analysis came from Bruce Schneier, who claimed that it was "not really true" that CSEC used "airport Wi-Fi information to track travellers."

First of all, it is a mischaracterization to claim that the CSEC project was just a small research project that didn't implicate Canadians "per se." It was part of a pilot initiative that involved sweeping up data on hundreds of thousands of people — many of whom would have been Canadian citizens. Our sources for the story told us that the pilot had since gone live — i.e. that it had gone from being a "proof-of-concept" to an operationally active domestic program. This is about much more than a "small research project."

Second, it is absolutely the case that CSEC tracked travellers' movements based on their Internet activity, by using IP and ID data and homing in on a major Canadian airport's WiFi system.

It may be about more than that — and I agree with Schneier when he says that it is "actually far more interesting than simply eavesdropping on airport Wi-Fi sessions" because of the wider ramifications of this kind of 'big data' analysis.

But this particular initiative was focused on pulling out a huge trove of user ID and IP data and following users "backward and forward in recent time" to and from a Canadian airport, to see if it would be possible to keep tabs on movements and trigger alerts based on those movements.

What we reported was accurate and remains so: "Canada's electronic spy agency used information from the free internet service at a major Canadian airport to track the wireless devices of thousands of ordinary airline passengers for days after they left the terminal."

Even CSEC chief Forster has since come out and admitted that a kind of tracking was going on (though he says it didn't occur in "real time," which is not something we actually claimed):

Forster said the agency used metadata to develop a model that showed they could track an internet user's network activity "around a public access mode," and that the tracking didn't happen in real time.

Some of the more insightful analysis on the CSEC affair has come from Bill Robinson, a Canadian surveillance expert described by the Toronto Star as "Canada's authority on CSEC."

Robinson makes some interesting points on the meaning of "tracking" in this context and CSEC's initial denial that it had tracked people — and I think he could be hitting the nail on the head here:

While normal human beings might conclude that both Canadian and foreign travellers were indeed tracked, CSEC's claim may be that only devices were tracked in the specific tests reported in the document. Since no device was tracked specifically on account of the fact that it belongs to a particular person, and the analysis itself (as far as I know) did not seek to associate particular individuals with particular devices (although it may well have utilized information associated or associatable with specific individuals), CSEC may feel it is justified in stating that no individuals were tracked. The same or similar logic seems to underlie the agency's claim that it can collect metadata related to thousands or even millions of Canadians and persons in Canada for foreign intelligence purposes while at the same time stating that its foreign intelligence operations do not "target" any Canadians or persons in Canada.

In a separate blog post after spy chief Forster's testimony before the Canadian Senate committee on Monday, Robinson wrote:

In essence, the government's position is that the metadata project reported by the CBC did take place, that its purpose was to develop targeting and analysis techniques that are in fact now being used operationally by CSEC, and that the collection, analysis, use, and retention of Canadian metadata is a normal part of CSEC's operations, necessary to those operations, and entirely legal. Officials also insist, however, that CSEC does not use the data to target Canadians for foreign intelligence purposes.

To have CSEC now appearing to admit (under pressure) that it is using metadata to conduct domestic monitoring on a mass scale is revelatory — and that is where the focus should be. As I wrote here previously, how "tracking" is being defined as a word should not be the most central point in the debate. The attention should be on CSEC conducting a large-scale surveillance operation on Canadian soil and misleading Canadian citizens about it in a series of public statements. Robinson asks the right questions in his earlier blog post:

If real-world operations are now being conducted using the techniques described in the document, or similar kinds of techniques, those operations will indeed involve the tracking of specific individuals who are either known before the tracking began or identified subsequent to their being singled out by analysis of the data.

Will the government state that no Canadian or foreign travellers have ever been tracked (or, if it prefers, detected in a number of different locations over time) in Canada, either by CSEC or by any other Canadian or allied agency, under any mandate, using these or similar metadata-based techniques?

The EU Parliamentary Inquiry's Report on Mass Surveillance

Saturday, 11 January 2014

After about five months of hearings and investigating, the European Parliament's civil liberties committee has published its report on the revelations about mass surveillance leaked by the American former National Security Agency contractor Edward Snowden.

The comprehensive 52-page report, published Wednesday in draft form [pdf], contains a large number of important findings and recommendations — some of which I think it's worth highlighting here.

The report accuses spy agencies — particularly in the US (NSA) and the UK (GCHQ) — of operating dragnet snooping programs that appear to involve illegal actions. It says that the UK government has on at least two occasions breached the European Convention on Human Rights and the EU Charter in how it has tried to crack down on reporting of the Snowden leaks (examples cited are the detention of former Guardian journalist Glenn Greenwald's partner and the destruction of Guardian computers). In addition, the committee calls for the European Parliament to suspend data sharing deals with the US government, and it says new legal protections are necessary for journalists and whistleblowers.

Crucially, the report does not shy away from attempting to address some of the larger issues — such as the profound and unprecedented existential questions new mass surveillance technologies raise for modern democracies. It calls on US authorities and EU member states to "prohibit blanket mass surveillance activities and bulk processing of personal data," adding:

[The committee] sees the surveillance programmes as yet another step towards the establishment of a fully fledged preventive state, changing the established paradigm of criminal law in democratic societies, promoting instead a mix of law enforcement and intelligence activities with blurred legal safeguards, often not in line with democratic checks and balances and fundamental rights, especially the presumption of innocence. [Emphasis added.]

This kind of policing, it warns, is leading to "every citizen being treated as a suspect." For that reason, the report notes that the committee

condemns in the strongest possible terms the vast, systemic, blanket collection of the personal data of innocent people, often comprising intimate personal information; emphasises that the systems of mass, indiscriminate surveillance by intelligence services constitute a serious interference with the fundamental rights of citizens; stresses that privacy is not a luxury right, but that it is the foundation stone of a free and democratic society; points out, furthermore, that mass surveillance has potentially severe effects on the freedom of press, thought and speech as well as a significant potential for abuse of the information gathered against political adversaries; emphasises that these mass surveillance activities appear also to entail illegal actions by intelligence services and raise questions regarding extraterritoriality of national law.

UK surveillance laws are singled out for criticism, with the inquiry concluding that the UK's legal framework is in need of an overhaul because it is outdated. But the finger is not pointed solely at the spooks in the UK and the US. The report accuses countries including France, Germany, and Sweden of running their own mass surveillance programs, too. It also rightly blasts the general incompetence of oversight committees — both in Europe and the US — that are supposed to be tasked with holding spy agencies accountable:

despite the fact that oversight of intelligence services’ activities should be based on both democratic legitimacy (strong legal framework, ex ante authorisation and ex post verification) and an adequate technical capability and expertise, the majority of current EU and US oversight bodies dramatically lack both, in particular the technical capabilities. [Emphasis added.]

Moreover, it calls on the European Commission — the EU's executive body — to evaluate the possibility of introducing legal liabilities that could be used to punish technology companies for not fixing known vulnerabilities in their software or for installing secret backdoors for spying. It wants the European Parliament to consider only procuring software that is open source, so that the software code can be reviewed to ensure it is secure and free from backdoors inserted for spying. And it also urges European Union member states to initiate investigations into "possible cybercrimes and cyber attacks committed by governments or private actors in the course of the activities under scrutiny."

"Trust has been profoundly shaken," the report says. "Trust between the two transatlantic partners, trust among EU Member States, trust between citizens and their governments, trust in the respect of the rule of law, and trust in the security of IT order to rebuild trust in all these dimensions a comprehensive plan is urgently needed."

It's worth a read if you have the time. The full report is here [pdf].

GCHQ's Dubious Role in The 'Quantum' Hacking Spy Tactic

Thursday, 12 December 2013

I've not posted here for a while, but I've got a good excuse. For the last month or so I've been out in Brazil working on a series of stories with the American journalist and former Guardian columnist Glenn Greenwald. We've been reporting a series of revelations about government surveillance based on the trove of files leaked by former NSA contractor Edward Snowden.

I've had some time to take a breather tonight and I want to draw attention to something important in one of the latest stories we worked on with a team of excellent Swedish journalists from Uppdrag Granskning — an investigative unit that operates as part of Sweden's national public broadcaster SVT.

We worked on several stories with Uppdrag Granskning in the lead up to an hour-long documentary, aired Wednesday, about Sweden's major role in the global surveillance nexus that is led by the United States, the United Kingdom, and the other members of the so-called Five Eyes group — Australia, Canada, and New Zealand.

As we reported, the documents reveal how Sweden has become a key partner for the US and the UK, and top-secret agreements have been made in the last decade that bolster Sweden's spying role like never before.

But aside from these crucial details, which are hugely important for Swedish citizens to be informed about, I'd like to highlight here one smaller piece of information that we reported that I think is highly notable.

Earlier this year, it was disclosed that UK spy agency GCHQ was involved in hacking into the Belgian telecom company Belgacom's computer systems in order to covertly gather intelligence on unknown targets. But what is interesting is that, despite being involved in using these hacking methods, GCHQ has been worrying behind the scenes about their legality.

One of the Snowden documents we revealed on the Uppdrag Granskning documentary — dated circa April 2013 — shows the NSA describing a so-called 'Quantum' hacking initiative that GCHQ was involved in at a "proof-of-concept" level. However, the document notes:

Continued GCHQ involvement may be in jeopardy due to British legal/policy restrictions, and in fact NSA’s goal all along has been to transition this effort to a bilat with the Swedish partner. [Emphasis added.]

This struck me because, last year, I uncovered a document showing something similar. In obscure technical standards meetings with telecom companies about implementing new surveillance capabilities, GCHQ representatives from a little-known unit of the agency called the National Technical Assistance Centre were voicing the same concerns about hacking techniques.

At meetings held between 2010 and 2011 in Estonia and Italy, at which a GCHQ representative was present, the UK was said to be anxious about the legality of performing a so-called 'man-in-the-middle' attack to covertly hack and eavesdrop on communications:

An additional concern in the UK is that performing an active attack, such as the Man-in-the-Middle attack proposed in the Lawful Interception solution...may be illegal. The UK Computer Misuse Act 1990 provides legislative protection against unauthorised access to and modification of computer material. The act makes specific provisions for law enforcement agencies to access computer material under powers of inspection, search or seizure. However, the act makes no such provision for modification of computer material. A Man-in-the-Middle attack causes modification to computer data and will impact the reliability of the data.

This could not be clearer. The UK's position was that it might be unlawful for authorities to hack a computer in order to monitor communications and/or exfiltrate data. That was the position in 2010/11, and I think the same concern is what is being referenced in the 2013 NSA document when UK "legal/policy restrictions" are mentioned.

Yet despite this concern — and this is perhaps the most important point — GCHQ has marched ahead with its participation in clandestine surveillance operations that involve hacking. The Belgacom case is a specific example, but the NSA documents on Sweden illustrate that Belgacom was not an isolated case. GCHQ was (and likely continues to be) involved in a program called WINTERLIGHT that explicitly involves trying to infect hundreds of targeted computers with so-called 'implants' of malware. GCHQ even operates a covert computer server that it uses to help infect targets with the malware, likely by masquerading as legitimate websites such as LinkedIn, as previous reports have suggested. These covert servers are mentioned in one of the NSA documents on Sweden, dated April 2013, revealed by Uppdrag Granskning:

Last month, we received a message from our Swedish partner that GCHQ received FRA [Swedish spy agency] QUANTUM tips that led to 100 shots, five of which were successfully redirected to the GCHQ server.

So, the question here is: how can this be legal? If GCHQ was previously concerned that performing active hacking attacks may be unlawful under the UK's Computer Misuse Act, then how has that situation been resolved? Has the agency been granted immunity to perform these operations? If so, who granted the immunity? Alternatively, has the UK government, with zero public debate and under cover of total secrecy, produced a classified interpretation of the law aimed at justifying and rendering lawful the use of this clandestine hacking technique?

Another very intriguing theory I have considered is that GCHQ lets one of the other agencies do the "dirty work" — the part of the hack that would be illegal under UK law. The NSA may deploy the malware, for instance, while GCHQ plays a lesser role by merely facilitating the attack by hosting the server — but still reaping the benefits (i.e. it gets access to the intercepted data). Having spent countless hours now looking at the Snowden documents, it certainly appears to me that this is something that occurs — that the spy agencies circumvent their domestic laws by allowing partner agencies to do things that they could not do themselves.

Either way, GCHQ's clear and undeniable role in Quantum hacking attacks raises hugely significant legal questions, and it is remarkable to me — but perhaps not totally surprising — that the blundering British parliamentarians who are supposed to hold the agency to account have thus far failed to raise any of these key issues.