Sunday, February 02, 2014

More on the wi-fi spy guys

More coverage and commentary on the CSEC wi-fi spying controversy:

- "CSEC Wi-Fi snooping experiment prompts calls for review," CBC News, 1 February 2014
- Giuseppe Valiante, "'Too early' to tell if spy agency broke any laws, privacy commissioner says," Toronto Sun, 31 January 2014
- Wesley Wark, "Op-Ed: In (and out) of the wilderness of secrets," Ottawa Citizen, 31 January 2014
- "Canada’s oversight of spy agencies falls short: Editorial," Toronto Star, 2 February 2014
- Heather Mallick, "CSEC’s startling spying on Canadian travellers: Mallick," Toronto Star, 31 January 2014
- Cyrus Farivar, "New Snowden docs show Canadian spies tracked thousands of travelers," Ars Technica, 31 January 2014

Also very interesting is the following commentary by journalist Ryan Gallagher speculating on how the government's responses to the controversy can be squared with the reality reported in the original leaked document:

Ryan Gallagher, "Canada's Wi-Fi Surveillance and CSEC's Non-Denial Denials," notes.rjgallagher.co.uk, 1 February 2014.

More comments later.

Update 3 February 2014:

Ryan Gallagher's commentary (referenced above) highlights very effectively the contradiction between what CSEC has been saying it is legally prohibited from doing and what it has now been shown actually to be doing, but what I think he misses is that most if not all of that contradiction arises from CSEC's misleading or even downright untruthful explanations of what it is permitted to do, rather than actual illegal conduct.

CSEC's public assurances have long been designed to give Canadians the impression that CSEC is not allowed to obtain communications by or information about Canadians or any person in Canada, and that any such data unintentionally or incidentally acquired must be deleted, but the reality is very different.

CSEC has a three-part mandate. I describe some of the kinds of communications and/or information about Canadians that CSEC can legally collect under the foreign-intelligence and cyber-protection parts of its mandate (according to the government's interpretation of the law) here. CSEC cannot "target" Canadians or persons in Canada when collecting this information, but it can still collect a significant amount of such information, and it can also analyze, use, retain, and share the information (subject to various privacy-related procedures) if it is relevant to the government's intelligence requirements. CSEC is also permitted to obtain communications by or information about Canadians or persons in Canada under the assistance-to-law-enforcement-and-security-agencies part of its mandate when those agencies request CSEC's assistance and have the legal authority to obtain the information (more here). In that case, CSEC actually can "target" Canadians or persons in Canada.

Rather than convey these rather important details, CSEC's public assurances have typically taken the form of those quoted by Gallagher, i.e., "CSEC, under its legislation, cannot target Canadians anywhere in the world or anyone in Canada", "we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada", and "CSE’s foreign intelligence mandate specifically dictates that our activities be directed only at foreign entities, and not at Canadians or anyone in Canada."

The first of these statements can fairly be characterized as a lie, as it ignores the third part of CSEC's mandate, but the other two are merely deliberately misleading, conveniently describing only one part of CSEC's mandate and failing even then to acknowledge that information may also be collected under that part as long as Canadians are not personally "targeted". (Indeed, if CSEC's claim that its wi-fi metadata collection is legal is correct, it is permissible for CSEC to collect at least some sorts of Canadian information in bulk or even in toto, even in cases where the collection may pertain exclusively or almost exclusively to Canada, as long as no Canadian or person in Canada is individually singled out as a specific "target".)

Given the record of mendacity in CSEC's public statements, it is tempting to declare that the agency has only itself to blame when the media, members of parliament, and Canadians in general conclude that CSEC has been breaking the law when an instance of information collection involving Canadians comes to light. It is CSEC, after all, that deliberately caused us to believe that such collection would be illegal.

But it is important that we get this right.

It may yet be shown that some of what CSEC has been doing has in fact been illegal. But it is likely that most or perhaps all of its activities have actually been legal.

And while it would indeed be bad news if we do find that CSEC has been breaking the law, it could well be even worse news if it turns out that everything CSEC has been doing (and presumably a good deal more that it could do in the future) is perfectly legal under existing Canadian law -- or, at least, nominally legal in the absence of a judicial ruling on the compatibility of those activities with the Charter of Rights and Freedoms.

Gallagher's commentary also looks at the government's claim that "no Canadian or foreign travellers were tracked" in the wi-fi operation.

It is clear, as Gallagher points out, that tracking -- by any normal definition of the word -- was indeed going on. He speculates that the government's response may rely on a specialized definition of "tracking" that enables them to deny what is plainly the truth.

He may well be right.

I suspect, however, that in this case the explanation may lie in the words "Canadian or foreign travellers".

While normal human beings might conclude that both Canadian and foreign travellers were indeed tracked, CSEC's claim may be that only devices were tracked in the specific tests reported in the document. Since no device was tracked specifically on account of the fact that it belongs to a particular person, and the analysis itself (as far as I know) did not seek to associate particular individuals with particular devices (although it may well have utilized information associated or associatable with specific individuals), CSEC may feel it is justified in stating that no individuals were tracked. The same or similar logic seems to underlie the agency's claim that it can collect metadata related to thousands or even millions of Canadians and persons in Canada for foreign intelligence purposes while at the same time stating that its foreign intelligence operations do not "target" any Canadians or persons in Canada.

Of possible relevance here is the fact that the operations described in the document were developmental tests. If real-world operations are now being conducted using the techniques described in the document, or similar kinds of techniques, those operations will indeed involve the tracking of specific individuals who are either known before the tracking began or identified subsequent to their being singled out by analysis of the data.

Will the government state that no Canadian or foreign travellers have ever been tracked (or, if it prefers, detected in a number of different locations over time) in Canada, either by CSEC or by any other Canadian or allied agency, under any mandate, using these or similar metadata-based techniques?

3 Comments:

Anonymous Richard Roskell said...

Hi Bill, I have concerns that we may be missing the forest for the trees regarding the interception of private Canadian communications. People are rightly concerned about their metadata, and much can be said on that issue. But what about this: with a simple Ministerial directive, CSEC could target a very broad range of private communications- not just the metadata but the contents as well?

Hypothetical Scenario

Foreign Entity: European Union
Intelligence Interest: Free Trade
Ministerial Directive: Learn everything you can from Canadian sources, or from sources communicating to Canada.

From that moment CSEC is authorized to intercept private Canadian communications, and to analyze them for content that touches on free trade with the European Union. To do that, CSEC will intercept all the Canadian communications it can- probably pretty much everything- and then analyze it for information of interest.

In the above scenario, the private communication doesn't even have to be to the European Union or a member entity. In other words, CSEC's inquiry may be DIRECTED at the EU, but that doesn't prevent it from intercepting and analyzing third party Canadian communications, as long as they in some way speak to the inquiry.

My reading of CSEC's enabling legislation is that there are holes big enough to swallow their new HQ and the grounds it sits on. Conversely, my impression is that many analysts are focusing on the relative minutiae, and that CSEC and their intelligence partners are happy to keep them so engaged.

February 08, 2014 8:13 pm  
Blogger Bill Robinson said...

Hi, Richard.

Thanks for that comment.

I've been thinking about that issue as well. As you say, the legislation requires that any collection of "private communications" be "directed at" a foreign entity outside of Canada, while collection of other kinds of communications or other information must not be "directed at" Canadians or persons in Canada. So it all hinges on the meaning of "directed at".

I'm confident that the CSE Commissioner would choke on any interpretation of "directed at" that had the effect of entirely or very largely removing the legal limits on monitoring Canadians, and I imagine we would get CSEC whistleblowers under such circumstances as well.

But I do believe that "directed at" may be considerably more inclusive than would be the case if it were a simple rule that at least one end of the communication has to be directly connected to the foreign entity concerned. It may well include communications one, two, or more "hops" away from the entity of concern. It could also mean the collection of any content related to that entity that appears in the communications of others, including (as you suggest) the "private communications" of Canadians.

It is evident from the wi-fi story that CSEC is able to collect and draw upon an extensive -- maybe close to comprehensive -- database of communications-related activity in Canada without (according to the government's interpretation) violating the rule that such activities cannot be "directed at" anyone in Canada. This would seem to confirm that "directed at" is not a simple synonym for selection of communications based on the identity/location of the communicants.

(And all of the above refers only to the "foreign intelligence" part of CSEC's mandate.)

February 10, 2014 12:38 pm  
Anonymous Richard Roskell said...

Hi again Bill, thanks for your reply. I don't share your confidence concerning the CSE Commissioner, largely because I also observe that the enabling legislation does not in any way hinder CSEC from directly targeting the communications of Canadians or people in Canada. All that's required to do so is a Ministerial directive as per Article 273.65 of the NDA.

Note that Article 273.65 (1) authorizes the interception of "private communications," which are defined in the legislation as being to or from Canadians. Note further that Article 273.65 (2a) requires that: "the interception will be directed at foreign entities located outside Canada." There would be no need for a ministerial directive in order to intercept communications related to a foreign entity outside of Canada. That capability is already integral to CSEC's mandate. Note also that "directed at" in this context obviously means the foreign entity, yet the interception of Canadian communications are what the MD is authorizing.

It's clear that CSEC interprets the term "directed at" to refer to the ultimate foreign entity that's under consideration. It's also clear that CSEC can target the private communications of Canadians as long as the point of the inquiry is foreign intelligence, and not a Canadian or person in Canada.

I believe that's the only interpretation that's internally consistent with CSEC's legislation. I would like to point out also that the power granted to the minister via Article 273.65 is utterly sweeping. By making the terms of inquiry in a Ministerial Directive very general, CSEC would essentially receive carte blanche to intercept and analyze every communication emanating to or from Canadians.

February 19, 2014 2:05 pm  

Post a Comment

<< Home