Wednesday, 26 March 2014
Saturday, 1 February 2014
What I can tell you is that CSEC, under its legislation, cannot target Canadians anywhere in the world or anyone in Canada, including visitors to Canada.
During a speech in October, Forster had made a similar statement:
I can tell you that we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada. In fact, it's prohibited by law. Protecting the privacy of Canadians is our most important principle.
And again, in January, he repeated this assertion in a letter to a Canadian newspaper:
Under the law, CSE’s foreign intelligence mandate specifically dictates that our activities be directed only at foreign entities, and not at Canadians or anyone in Canada. That is the law and we fully respect that.
Having analysed Canadian documents in the Snowden material, these statements struck me as quite astonishing. Why? Because one of the top-secret Snowden documents revealed that, in 2012, CSEC had set up a program that involved monitoring WiFi usage at a large Canadian airport. The secret files showed how CSEC was able to use a huge amount of data about the WiFi connections to follow users "backward and forward in recent time" — identifying visits to hotels, other airports, Internet cafes, coffee shops, and a library. The tactic is described by CSEC in the files as "IP profiling" — a surveillance method that can be used to track users' movements over time.
In one case, as we reported at CBC on Thursday, the spy agency says that it performed a sweep of an entire "modest-sized" city and identified 300,000 user IDs. The "mission impact" of the tactic, according to the document, is that it can alert spies to "target country location changes" and "webmail logins with time-limited cookies."
The full document [pdf] speaks for itself. It illustrates that a secret surveillance operation was conducted on Canadian soil — sweeping up metadata on the WiFi usage of thousands of people not suspected of any crime. Equally significant, the revelation contradicts CSEC chief Forster's repeated assertion that "we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada."
After we reported the airports story, it got more interesting. CSEC issued a statement that was notable for three reasons. First, the agency did not repeat its previous mantra claiming not to "target anyone in Canada."
Second, it appeared to make an admission that it is sweeping up metadata within Canada, saying that it was "legally authorized" to "collect and analyze" this information. And third, it issued a fresh denial, saying that "no Canadian or foreign travellers were tracked. No Canadian communications were, or are, targeted, collected or used."
Shortly afterwards, on Friday, a similar denial was made by the Canadian prime minister's parliamentary secretary, who launched a bizarre personal attack on Greenwald while claiming that the "facts" were that "nothing in the stolen documents showed that Canadians' communications were targeted, collected, or used, nor that travellers' movements were tracked."
But these denials are hollow. It's a straw man to claim that the revelations were about communications being "targeted, collected, or used." That is not what our story was about. The issue at hand is how CSEC initiated a program to sweep up information showing when people are connecting to WiFi networks and use this information to build "profiles" of their movements back and forward in time.
And that brings us to the more important point. CSEC and the prime minister's secretary claimed that "no Canadian or foreign travellers were tracked." However, what they did not say was how they were defining the word "tracked." The documents quite clearly show how the agency used user "IP profiles" to monitor WiFi users' movements over time, with this capability enabling it to generate "alerts" when a person relocates to another country.
The dictionary definition of "tracking" says that it means "the act or process of following something or someone." CSEC's IP profiling is exactly that — monitoring users' location and keeping tabs on where they are. Indeed, the document says as much, outlining how CSEC uses this tactic to "follow IDs backward and forward in recent time."
The documents also mention how CSEC used tools called "Quova" and "Atlas database" — which are technologies used to pinpoint the geolocation of an IP address.
CSEC's denial that it "tracked" Canadians or foreign travellers, I think, hinges upon a narrowly defined interpretation of the word. The US Department of Defence, for instance, uses "tracking" as a specific technical term meaning the "precise and continuous position-finding of targets by radar, optical, or other means." CSEC's IP profiling definitely fits the dictionary definition of "tracking" as it is understood by most people — but does it fit the narrower military definition? Perhaps CSEC believes that IP profiling does not constitute "precise and continuous" tracking. But if so, it should be explaining this — as otherwise its denial is highly misleading.
Spy agencies are professionals in the art of deception, and sometimes that seems to be reflected in their public relations strategy. After all, we have seen misleading denials issued repeatedly by the National Security Agency and its Five Eyes counterparts about various surveillance revelations in recent months. Again and again, officials have used narrowly defined words or jargon terms in a carefully crafted way in order to issue non-denial denials in which they appear to refute an allegation but on closer reading do not really refute it at all.
The ultimate point here is that the tactics being used by CSEC and the Canadian government to deflect criticism of their secret surveillance programs merit as much attention as the revelations themselves. That is especially clear when, in response to disclosures about their secret programs, senior government officials launch childish character assassination attempts against the journalists who reported the information. In a democratic society, surely a higher standard is required.
It is not enough for governments and spy agencies to spit out a few indignant statements and denials with the expectation that people should just blindly trust that they are telling the truth. Also, no matter how "tracking" is being defined, what is clear is that CSEC was (and our sources say still is) running a large-scale surveillance operation on domestic soil, seriously calling into question spy chief Forster's previous statements that "our activities" are not directed "at Canadians or anyone in Canada." The CSEC boss is due to appear before a Senate committee hearing on Monday. Hopefully Canada's lawmakers will take the opportunity to ask some probing questions.
UPDATE, 7 February 2014: Since the story was published last week, there have been several developments. There have been more calls for an independent review of CSEC's activities, while spy chief Forster was forced to publicly defend the surveillance in Monday's Senate hearing.
There have also been some interesting analyses of the leaked documents worth responding to. First, the surveillance blog Electrospaces claimed that the secret documents seemed to have been "incorrectly interpreted" in our CBC report. The blog published an anonymous analysis from someone who says that CSEC's surveillance project "was not surveillance of Canadian citizens per se but just a small research project." The second analysis came from Bruce Schneier, who claimed that it was "not really true" that CSEC used "airport Wi-Fi information to track travellers."
First of all, it is a mischaracterization to claim that the CSEC project was just a small research project that didn't implicate Canadians "per se." It was part of a pilot initiative that involved sweeping up data on hundreds of thousands of people — many of whom would have been Canadian citizens. Our sources for the story told us that the pilot had since gone live — i.e. that it had gone from being a "proof-of-concept" to an operationally active domestic program. This is about much more than a "small research project."
Second, it is absolutely the case that CSEC tracked travellers' movements based on their Internet activity by using IP and ID data and homing in on a major Canadian airport's WiFi system. It may be about more than that — and I agree with Schneier when he says that it is "actually far more interesting than simply eavesdropping on airport Wi-Fi sessions" because of the wider ramifications of this kind of 'big data' analysis.
But this particular initiative was focused on pulling out a huge trove of user ID and IP data and following users "backward and forward in recent time" to and from a Canadian airport to see if it would be possible to keep tabs on movements and trigger alerts based on those movements. What we reported was accurate and remains so: "Canada's electronic spy agency used information from the free internet service at a major Canadian airport to track the wireless devices of thousands of ordinary airline passengers for days after they left the terminal."
Even CSEC chief Forster has since come out and admitted that a kind of tracking was going on (though he says it didn't occur in "real time," which is not something we actually claimed):
Forster said the agency used metadata to develop a model that showed they could track an internet user's network activity "around a public access mode," and that the tracking didn't happen in real time.
Some of the more insightful analysis on the CSEC affair has come from Bill Robinson, a Canadian surveillance expert described by the Toronto Star as "Canada's authority on CSEC." Robinson makes some interesting points on the meaning of "tracking" in this context and CSEC's initial denial that it had tracked people — and I think he could be hitting the nail on the head here:
While normal human beings might conclude that both Canadian and foreign travellers were indeed tracked, CSEC's claim may be that only devices were tracked in the specific tests reported in the document. Since no device was tracked specifically on account of the fact that it belongs to a particular person, and the analysis itself (as far as I know) did not seek to associate particular individuals with particular devices (although it may well have utilized information associated or associatable with specific individuals), CSEC may feel it is justified in stating that no individuals were tracked. The same or similar logic seems to underlie the agency's claim that it can collect metadata related to thousands or even millions of Canadians and persons in Canada for foreign intelligence purposes while at the same time stating that its foreign intelligence operations do not "target" any Canadians or persons in Canada.
In a separate blog post after spy chief Forster's testimony before the Canadian Senate committee on Monday, Robinson wrote:
In essence, the government's position is that the metadata project reported by the CBC did take place, that its purpose was to develop targeting and analysis techniques that are in fact now being used operationally by CSEC, and that the collection, analysis, use, and retention of Canadian metadata is a normal part of CSEC's operations, necessary to those operations, and entirely legal. Officials also insist, however, that CSEC does not use the data to target Canadians for foreign intelligence purposes.
To have CSEC now appearing to admit (under pressure) that it is using metadata to conduct domestic monitoring on a mass scale is revelatory — and that is where the focus should be. As I wrote here previously, how "tracking" is being defined as a word should not be the most central point in the debate. The attention should be on CSEC conducting a large-scale surveillance operation on Canadian soil and misleading Canadian citizens about it in a series of public statements. Robinson asks the right questions in his earlier blog post:
If real-world operations are now being conducted using the techniques described in the document, or similar kinds of techniques, those operations will indeed involve the tracking of specific individuals who are either known before the tracking began or identified subsequent to their being singled out by analysis of the data. Will the government state that no Canadian or foreign travellers have ever been tracked (or, if it prefers, detected in a number of different locations over time) in Canada, either by CSEC or by any other Canadian or allied agency, under any mandate, using these or similar metadata-based techniques?
Saturday, 11 January 2014
The comprehensive 52-page report, published Wednesday in draft form [pdf], contains a large number of important findings and recommendations — some of which I think it's worth highlighting here.
The report accuses spy agencies — particularly in the US (NSA) and the UK (GCHQ) — of operating dragnet snooping programs that appear to involve illegal actions. It says that the UK government has on at least two occasions breached the European Convention on Human Rights and the EU Charter in how it has tried to crack down on reporting of the Snowden leaks (examples cited are the detention of former Guardian journalist Glenn Greenwald's partner and the destruction of Guardian computers). In addition, the committee calls for the European Parliament to suspend data sharing deals with the US government, and it says new legal protections are necessary for journalists and whistleblowers.
Crucially, the report does not shy away from attempting to address some of the larger issues — such as the profound and unprecedented existential questions new mass surveillance technologies raise for modern democracies. It calls on US authorities and EU member states to "prohibit blanket mass surveillance activities and bulk processing of personal data," adding:
[The committee] sees the surveillance programmes as yet another step towards the establishment of a fully fledged preventive state, changing the established paradigm of criminal law in democratic societies, promoting instead a mix of law enforcement and intelligence activities with blurred legal safeguards, often not in line with democratic checks and balances and fundamental rights, especially the presumption of innocence. [Emphasis added.]
This kind of policing, it warns, is leading to "every citizen being treated as a suspect." For that reason, the report notes that the committee
condemns in the strongest possible terms the vast, systemic, blanket collection of the personal data of innocent people, often comprising intimate personal information; emphasises that the systems of mass, indiscriminate surveillance by intelligence services constitute a serious interference with the fundamental rights of citizens; stresses that privacy is not a luxury right, but that it is the foundation stone of a free and democratic society; points out, furthermore, that mass surveillance has potentially severe effects on the freedom of press, thought and speech as well as a significant potential for abuse of the information gathered against political adversaries; emphasises that these mass surveillance activities appear also to entail illegal actions by intelligence services and raise questions regarding extraterritoriality of national law.
UK surveillance laws are singled out for criticism, with the inquiry concluding that the UK's legal framework is in need of an overhaul because it is outdated. But the finger is not pointed solely at the spooks in the UK and the US. The report accuses countries including France, Germany, and Sweden of running their own mass surveillance programs, too. It also rightly blasts the general incompetence of oversight committees — both in Europe and the US — that are supposed to be tasked with holding spy agencies accountable:
despite the fact that oversight of intelligence services’ activities should be based on both democratic legitimacy (strong legal framework, ex ante authorisation and ex post verification) and an adequate technical capability and expertise, the majority of current EU and US oversight bodies dramatically lack both, in particular the technical capabilities. [Emphasis added.]
Moreover, it calls on the European Commission — the EU's executive body — to evaluate the possibility of introducing legal liabilities that could be used to punish technology companies for not fixing known vulnerabilities in their software or for installing secret backdoors for spying. It wants the European Parliament to consider only procuring software that is open source, so that the software code can be reviewed to ensure it is secure and free from backdoors inserted for spying. And it also urges European Union member states to initiate investigations into "possible cybercrimes and cyber attacks committed by governments or private actors in the course of the activities under scrutiny."
"Trust has been profoundly shaken," the report says. "Trust between the two transatlantic partners, trust among EU Member States, trust between citizens and their governments, trust in the respect of the rule of law, and trust in the security of IT services...in order to rebuild trust in all these dimensions a comprehensive plan is urgently needed."
It's worth a read if you have the time. The full report is here [pdf].
Thursday, 12 December 2013
Continued GCHQ involvement may be in jeopardy due to British legal/policy restrictions, and in fact NSA’s goal all along has been to transition this effort to a bilat with the Swedish partner. [Emphasis added.]
This struck me because, last year, I uncovered a document showing something similar. In obscure technical standards meetings with telecom companies about implementing new surveillance capabilities, GCHQ representatives from a little-known unit of the agency called the National Technical Assistance Centre were voicing the same concerns about hacking techniques. At meetings held between 2010 and 2011 in Estonia and Italy, at which a GCHQ representative was present, the UK was said to be anxious about the legality of performing a so-called 'man-in-the-middle' attack to covertly hack and eavesdrop on communications:
An additional concern in the UK is that performing an active attack, such as the Man-in-the-Middle attack proposed in the Lawful Interception solution...may be illegal. The UK Computer Misuse Act 1990 provides legislative protection against unauthorised access to and modification of computer material. The act makes specific provisions for law enforcement agencies to access computer material under powers of inspection, search or seizure. However, the act makes no such provision for modification of computer material. A Man-in-the-Middle attack causes modification to computer data and will impact the reliability of the data.
This could not be clearer. The UK's position was that it might be unlawful for authorities to hack a computer in order to monitor communications and/or exfiltrate data. That was the position in 2010/11, and I think the same concern is what is being referenced in the 2013 NSA document when UK "legal/policy restrictions" are mentioned.
Yet despite this concern — and this is perhaps the most important point — GCHQ has marched ahead with its participation in clandestine surveillance operations that involve hacking. The Belgacom case is a specific example, but the NSA documents on Sweden illustrate that Belgacom was not an isolated case. GCHQ was (and likely continues to be) involved in a program called WINTERLIGHT that explicitly involves trying to infect hundreds of targeted computers with so-called 'implants' of malware. GCHQ even operates a covert computer server that it uses to help infect targets with the malware, likely by masquerading as legitimate websites such as LinkedIn, as previous reports have suggested. These covert servers are mentioned in one of the NSA documents on Sweden, dated April 2013, revealed by Uppdrag Granskning:
Last month, we received a message from our Swedish partner that GCHQ received FRA [Swedish spy agency] QUANTUM tips that led to 100 shots, five of which were successfully redirected to the GCHQ server.
So, the question here is: how can this be legal? If GCHQ was previously concerned that performing active hacking attacks may be unlawful under the UK's Computer Misuse Act, then how has that situation been resolved? Has the agency been granted immunity to perform these operations? If so, who granted the immunity? Alternatively, has the UK government, with zero public debate and under cover of total secrecy, produced a classified interpretation of the law aimed at justifying and rendering lawful the use of this clandestine hacking technique?
Another very intriguing theory I have considered is that GCHQ lets one of the other agencies do the "dirty work" — the part of the hack that would be illegal under UK law. The NSA may deploy the malware, for instance, while GCHQ plays a lesser role by merely facilitating the attack by hosting the server — but still reaping the benefits (i.e. it gets access to the intercepted data). Having spent countless hours now looking at the Snowden documents, it certainly appears to me that this is something that occurs — that the spy agencies circumvent their domestic laws by allowing partner agencies to do things that they could not do themselves.
Either way, GCHQ's clear and undeniable role in Quantum hacking attacks raises hugely significant legal questions and it is remarkable to me — but perhaps not totally surprising — that the blundering British parliamentarians who are supposed to hold the agency to account have thus far failed to raise any of these key issues.
Thursday, 7 November 2013
These qualifications recognise that sometimes there will be an overriding public interest in the information being released prior to the intended publication date. Public authorities should not be able to avoid putting information in the public domain by adopting unreasonable publication timetables or an 'intention' to publish where there is little prospect of that happening within a reasonable timescale.
Given the seriousness of the allegations about UK security agencies' role in facilitating extraordinary rendition and torture, there is evidently a very strong public interest case for this preliminary report to be immediately released under the Freedom of Information Act. That is especially true given the inexplicably lengthy delay that we have already had to endure.
It's worth also pointing out that despite the sort of behaviour detailed above, the government continues to audaciously insist it is committed to transparency. Just last week the Cabinet Office was proclaiming "wide-ranging new commitments to bring more of the benefits of transparency into people’s everyday lives." Cabinet minister Francis Maude was quoted as saying that "transparency is an idea whose time has come." Unfortunately, the section of Maude's own department responsible for implementing transparency does not appear to have received the memo — and is currently flouting the Freedom of Information Act in a case involving the withholding of important information that the public clearly has a right to know.
I have lodged a formal complaint about the Cabinet Office's conduct with the Information Commissioner's Office — so watch this space.
UPDATE, 4 December 2013: Late last month, the Information Commissioner's Office replied to the complaint I filed about the UK government's non-response to my request that it release the rendition/torture report.
An official from the ICO said he had contacted the government's Cabinet Office to confirm that my request had been received and to give the government a 10-day deadline to contact me. The ICO reminded the government of its obligations under the Freedom of Information Act and noted that it "may consider taking enforcement action" should similar complaints arise (read the ICO's correspondence here).
However, despite this light reprimand from the ICO, incredibly I've still received no response from the government about the rendition report. The 10-day deadline expired yesterday and I've heard nothing — I've not yet so much as received an acknowledgement that my initial request is being dealt with, even though it was submitted more than two months ago (the government is supposed to respond within 20 working days; it's now been more than 50). This means that the Cabinet Office, which likes to tout its transparency credentials, is not only actively flouting its obligations under the Freedom of Information Act — it has also now failed to act on a formal request made by the authority that enforces the FOIA law, the ICO. Before the end of the week, I'll be following up my complaint with the ICO in the hope that more serious action can be taken. Of course, I'll post further updates here with any new developments in this strange case as and when they arise.
UPDATE, 29 December 2013: The government has released the Detainee Report today; the Guardian reports that it reveals how "MI6 officers were under no obligation to report breaches of the Geneva conventions and turned a 'blind eye' to the torture of detainees in foreign jails, according to the report into Britain's involvement in the rendition of terror suspects." I am still pursuing my complaint against the Cabinet Office for its handling of my FOIA request.
UPDATE, 26 March 2014: In response to my complaint, the Information Commissioner's Office issued a "decision notice" stating that the Cabinet Office breached section 10 of the Freedom of Information Act in ignoring my request. More details here.
Tuesday, 23 July 2013
Recently, Islamabad agreed with NATO that it could conduct operations in Pakistan from across the border in Afghanistan... Significantly, Pakistan and Taliban authorities struck a peace deal in Bajour only two days ago and were scheduled to sign a document to that effect on Monday. This lends credence to the possibility that it was NATO and not Pakistani forces that made the raid.
Among those who died in the attack was the leader of the madrassa, a reportedly pro-Taliban radical cleric named Maulana Liaqat. Pakistan officials also claimed that Ayman al-Zawahiri — who was then Osama bin Laden's deputy — had used the madrassa to train suicide bombers. That would certainly have given both US and NATO forces a motive to want to target the building. And Pakistan has covered up for US drone strikes in the past.
But there is still no concrete information that has been presented confirming beyond doubt that a US drone or any other US or NATO military aircraft was involved. Indeed, secret US diplomatic cables published by WikiLeaks in 2010, four years after the strike, did not hint at any US or NATO role. US officials writing in classified cables dated from 2006 described the incident alternately as a "Pakistan military strike against a madrassa/militant training camp" and a "Pak-Mil attack on an extremist madrassa."
Even with the Bureau of Investigative Journalism's publication of the leaked Pakistani document attributing the attack to NATO forces or a US drone, in my view, the facts remain murky and contentious. And that is perhaps one of the most shocking elements of this story — that seven years on there is still such a lack of clarity about the circumstances of this grave incident, involving the reported deaths of dozens of innocent children. Without an answer to such a simple question — who pulled the trigger? — there can be no accountability, no closure, no recourse for justice for the families of those who lost a child on that day in Chenagai.
It is an incident that seems to symbolise the bloody, faceless brutality of the ruthless covert warfare that has become a staple feature of the so-called War on Terror over the past decade, especially in the tribal regions of Pakistan. But just because there may be dangerous, high-level terror targets operating in these places, military forces, wherever they are from, should not get a pass to kill and maim with impunity. For that reason alone, the madrassa strike surely requires serious further scrutiny — perhaps from UN special rapporteur Ben Emmerson, who is currently investigating the issue of civilian drone deaths.