Canada's WiFi Surveillance and CSEC's Non-Denial Denials

Saturday, 1 February 2014

On Thursday, a report I worked on with Glenn Greenwald and Greg Weston was published in Canada, revealing how the country's spy agency CSEC secretly developed a program to monitor WiFi users in a major Canadian airport.

The piece, based on documents leaked by the former US National Security Agency contractor Edward Snowden, has led to CSEC being accused of acting unlawfully and has triggered calls for better oversight of the agency.

But one of the most intriguing aspects of the fallout from the story has been the Canadian government's response — which merits some scrutiny and analysis.

First, some context.

Back in November, Greenwald, Weston and I reported separate revelations about Canada's role in an NSA operation to spy at the G8 and G20 summits in Canada in 2010. In response, CSEC's chief John Forster claimed in response to reporters' questions:

What I can tell you is that CSEC, under its legislation, cannot target Canadians anywhere in the world or anyone in Canada, including visitors to Canada.

During a speech in October, Forster had made a similar statement:

I can tell you that we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada. In fact, it's prohibited by law. Protecting the privacy of Canadians is our most important principle.

And again, in January, he repeated this assertion in a letter to a Canadian newspaper:

Under the law, CSE’s foreign intelligence mandate specifically dictates that our activities be directed only at foreign entities, and not at Canadians or anyone in Canada. That is the law and we fully respect that.

Having analysed Canadian documents in the Snowden material, these statements struck me as quite astonishing.

Why? Because one of the top-secret Snowden documents revealed that, in 2012, CSEC had set up a program that involved monitoring WiFi usage at a large Canadian airport. The secret files showed how CSEC was able to use a huge amount of data about the WiFi connections to follow users "backward and forward in recent time" — identifying visits to hotels, other airports, Internet cafes, coffee shops, and a library.

The tactic is described by CSEC in the files as "IP profiling" — a surveillance method that can be used to track users' movements over time. In one case, as we reported at CBC on Thursday, the spy agency says that it performed a sweep of an entire "modest-sized" city and identified 300,000 user IDs:

The "mission impact" of the tactic, according to the document, is that it can alert spies to "target country location changes" and "webmail logins with time-limited cookies":

The full document [pdf] speaks for itself. It illustrates a secret surveillance operation was conducted on Canadian soil — sweeping up metadata on the WiFi usage of thousands of people not suspected of any crime. Equally significant, the revelation contradicts CSEC chief Forster's repeated assertion that "we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada."

After we reported the airports story, it got more interesting.

CSEC issued a statement that was notable for three reasons. First, the agency did not repeat its previous mantra claiming not to "target anyone in Canada." Second, it appeared to make an admission that it is sweeping up metadata within Canada, saying that it was "legally authorized" to "collect and analyze" this information. And third, it issued a fresh denial, saying that "no Canadian or foreign travellers were tracked. No Canadian communications were, or are, targeted, collected or used."

Shortly afterwards, on Friday, a similar denial was made by the Canadian prime minister's parliamentary secretary, who launched a bizarre personal attack on Greenwald while claiming that the "facts" were that "nothing in the stolen documents showed that Canadians' communications were targeted, collected, or used, nor that travellers' movements were tracked."

But these denials are hollow.

It's a straw man to claim that the revelations were about communications being "targeted, collected, or used." That is not what our story was about. The issue at hand is how CSEC initiated a program to sweep up information showing when people are connecting to WiFi networks and using this information to build "profiles" of their movements back and forward in time.

And that brings us to the more important point. CSEC and the prime minister's secretary claimed that "no Canadian or foreign travellers were tracked." However, what they did not say was how they were defining the word "tracked."

The documents quite clearly show how the agency used user "IP profiles" to monitor WiFi users' movements over time, with this capability enabling it to generate "alerts" when a person relocates to another country.

The dictionary definition of "tracking" says that it means "the act or process of following something or someone." CSEC's IP profiling is exactly that — monitoring users' location and keeping tabs on where they are. Indeed, the document says as much, outlining how CSEC uses this tactic to "follow IDs backward and forward in recent time." The documents also mention how CSEC used tools called "Quova" and "Atlas database" — which are technologies used to pinpoint the geolocation of an IP address.

CSEC's denial that it "tracked" Canadians or foreign travellers, I think, hinges upon a narrowly defined interpretation of the word. The US Department of Defence, for instance, uses "tracking" as a specific technical term meaning the "precise and continuous position-finding of targets by radar, optical, or other means." CSEC's IP profiling definitely fits the dictionary definition of "tracking" as it is understood by most people — but does it fit the narrower military definition? Perhaps CSEC believes that IP profiling does not constitute "precise and continuous" tracking. But if so, it should be explaining this — as otherwise its denial is highly misleading.

Spy agencies are professionals in the art of deception, and sometimes that seems to be reflected in their public relations strategy. Afterall, we have seen misleading denials issued repeatedly by the National Security Agency and its Five Eyes counterparts about various surveillance revelations in recent months. Again and again, officials have used narrowly defined words or jargon terms in a carefully crafted way in order to issue non-denial denials in which they appear to refute an allegation but on closer reading do not really refute it at all.

The ultimate point here is that the tactics being used by CSEC and the Canadian government to deflect criticism of their secret surveillance programs merit as much attention as the revelations themselves. That is especially clear when, in response to disclosures about their secret programs, senior government officials launch childish character assassination attempts against the journalists who reported the information. In a democratic society, surely a higher standard is required. It is not enough for governments and spy agencies to spit out a few indignant statements and denials with the expectation that people should just blindly trust that they are telling the truth.

Also, no matter how "tracking" is being defined, what is clear is that CSEC was (and our sources say still is) running a large-scale surveillance operation on domestic soil, seriously calling into question spy chief Forster's previous statements that "our activities" are not directed "at Canadians or anyone in Canada." The CSEC boss is due to appear before a Senate committee hearing on Monday. Hopefully Canada's lawmakers will take the opportunity to ask some probing questions.

UPDATE, 7 February 2014: Since the story was published last week, there have been several developments. There have been more calls for an independent review of CSEC's activities, while spy chief Forster was forced to publicly defend the surveillance in Monday's Senate hearing.

There have also been some interesting analyses of the leaked documents worth responding to.

First, the surveillance blog Electrospaces claimed that the secret documents seemed to have been "incorrectly interpreted" in our CBC report. The blog published an anonymous analysis from someone who says that CSEC's surveillance project was "was not surveillance of Canadian citizens per se but just a small research project." The second analysis came from Bruce Schneier, who claimed that it was "not really true" that CSEC used "airport Wi-Fi information to track travellers."

First of all, it is a mischaracterization to claim that the CSEC project was just a small research project that didn't implicate Canadians "per se." It was part of a pilot initiative that involved sweeping up data on hundreds of thousands of people — many of whom would have been Canadian citizens. Our sources for the story told us that the pliot had since gone live — i.e. that it had gone from being a "proof-of-concept" to an operationally active domestic program. This is about much more than a "small research project."

Second, it is absolutely the case that CSEC tracked travellers' movements based on the Internet activity by using IP and ID data and honing in on a major Canadian airport's WiFi system.

It may be about more than that — and I agree with Schneier when he says that it is "actually far more interesting than simply eavesdropping on airport Wi-Fi sessions" because of the wider ramifications of this kind of 'big data' analysis.

But this particular initiative was focused on pulling out a huge trove of user ID and IP data and following users "backward and forward in recent time" to and from a Canadian airport to see if it would be possible to keep tabs movements and trigger alerts based on those movements.

What we reported was accurate and remains so: "Canada's electronic spy agency used information from the free internet service at a major Canadian airport to track the wireless devices of thousands of ordinary airline passengers for days after they left the terminal."

Even CSEC chief Forster has since come out and admitted that a kind of tracking was going on (though he says it didn't occur in "real time," which is not something we actually claimed):

Forster said the agency used metadata to develop a model that showed they could track an internet user's network activity "around a public access mode," and that the tracking didn't happen in real time.

Some of the more insightful analysis on the CSEC affair has come from Bill Robinson, a Canadian surveillance expert described by the Toronto Star as "Canada's authority on CSEC."

Robinson makes some interesting points on the meaning of "tracking" in this context and CSEC's initial denial that it had tracked people — and I think he could be hitting the nail on the head here:

While normal human beings might conclude that both Canadian and foreign travellers were indeed tracked, CSEC's claim may be that only devices were tracked in the specific tests reported in the document. Since no device was tracked specifically on account of the fact that it belongs to a particular person, and the analysis itself (as far as I know) did not seek to associate particular individuals with particular devices (although it may well have utilized information associated or associatable with specific individuals), CSEC may feel it is justified in stating that no individuals were tracked. The same or similar logic seems to underlie the agency's claim that it can collect metadata related to thousands or even millions of Canadians and persons in Canada for foreign intelligence purposes while at the same time stating that its foreign intelligence operations do not "target" any Canadians or persons in Canada.

In a separate blog post after spy chief Forster's testimony before the Canadian Senate committee on Monday, Robinson wrote:

In essence, the government's position is that the metadata project reported by the CBC did take place, that its purpose was to develop targeting and analysis techniques that are in fact now being used operationally by CSEC, and that the collection, analysis, use, and retention of Canadian metadata is a normal part of CSEC's operations, necessary to those operations, and entirely legal. Officials also insist, however, that CSEC does not use the data to target Canadians for foreign intelligence purposes.
To have CSEC now appearing to admit (under pressure) that it is using metadata to conduct domestic monitoring on a mass scale is revelatory — and that is where the focus should be. As I wrote here previously, how "tracking" is being defined as a word should not be the most central point in the debate. The attention should be on CSEC conducting a large-scale surveillance operation on Canadian soil and misleading Canadian citizens about it in a series of public statements. Robinson asks the right questions in his earlier blog post:

If real-world operations are now being conducted using the techniques described in the document, or similar kinds of techniques, those operations will indeed involve the tracking of specific individuals who are either known before the tracking began or identified subsequent to their being singled out by analysis of the data.

Will the government state that no Canadian or foreign travellers have ever been tracked (or, if it prefers, detected in a number of different locations over time) in Canada, either by CSEC or by any other Canadian or allied agency, under any mandate, using these or similar metadata-based techniques?


  1. Excellent analysis. Thanks for your reporting and your careful follow-up.

  2. Brilliant reporting on this issue. Thank you for a logical and fact based review. I am disheartened to see the childish behavior of a representative of the government we, as Canadians, have elected to work on behalf of Canadians and our country. Thank you.

  3. We are dealing with bald-faced liars. Data was swept up... but nobody was 'targeted'. (Something like firing a burst of AK47 into a crowd, but not 'targeting' anybody. Devices were tracked but 'no body was tracked'.

    Dissembling by spy agencies and their governments is par for the course.

  4. "On February 3, the public will have a rare opportunity to learn a little about spying activities conducted by Communications Security Establishment Canada (CSEC). John Forster, the chief of Canada’s version of the NSA, is scheduled to appear before the Senate Committee on National Defence and Security." Travis Lupick

  5. hmmm.. no Canadians were targeted, tracked etc.. and no foreign travellers either.. they just swept up a load of data at a major Canadian International Airport.. I'm wondering who else could possibly be in such a location aside from Canadians and international travellers.. The law is clear.. no matter what data they actually collected, and to what use they eventually put it. the key phrase is that "their activites must not be directed at..." etc.. no matter what they did.. they directed their activities at Canadians and foreign travellers.. should really be a closed book..

  6. Was it not the CSE that spied on the "pipeline opponents" such as the Dogwood environmental activists?

    Also, what do you think of this - the "no domestic" rule could easily be breeched by CSE asking CSE's counterparts in other [friendly] nations to spy on Canadians in Canada or in other nations, and to then hand that information to CSE.

    [ps - I know one of the former CSE Chiefs personally]