Newly released documents obtained courtesy of Edward Snowden demonstrate that the Canadian government (part of the US-led Anglophone Five Eyes spying alliance) is no shy back-seat passenger when it comes to spying on its own citizens.
A report by The Intercept on Monday highlights a document which details how the Communications Security Establishment (CSE – Canada’s version of the NSA) cooperated with the UK’s GCHQ to intercept the unencrypted communications traffic of certain ‘leaky’ smartphone apps; data which was then subject to packet analysis and filtered using BADASS software.
BADASS exploited the data that many apps send data to advertising and analytics companies, and which can provide a huge amount of information about their users,
‘Where does the user live? Where does the user work? Where is the user right now? What’s the phone’s unique identifier? What version of Android or iOS is the device running? What’s the user’s IP address?’
In addition to identifying users and their habits, the information gleaned could be used uncover vulnerabilities in phones, which could then be exploited.
In the same week, The Intercept has published another article, this time detailing how CSE spied on RapidShare, SendSpace, and the now defunct MegaUpload file sharing websites (which the documents refer collectively to as FFU – Free File Upload – sites).
Dubbed operation LEVIATHON, it was conjectured that these popular filesharing services were used by extremists and terrorists. The spying was performed without the knowledge or permission of the targeted services, and CSE collected some ‘2,200 URL’s that point to documents of interest.’
Security operatives could then correlate documents to uploaders’ IP addresses or Facebook IDs (using the Facebook ID cookie left in uploaders’ browser cookie cache). The Intercept describes the implications of this,
‘The IP addresses are valuable pieces of information to CSE’s analysts, helping to identify people whose downloads have been flagged as suspicious. The analysts use the IP addresses as a kind of search term, entering them into other surveillance databases that they have access to, such as the vast repositories of intercepted Internet data shared with the Canadian agency by the NSA and its British counterpart Government Communications Headquarters.
If successful, the searches will return a list of results showing other websites visited by the people downloading the files – in some cases revealing associations with Facebook or Google accounts. In turn, these accounts may reveal the names and the locations of individual downloaders, opening the door for further surveillance of their activities.’
Somewhat amusingly, filtering out episodes of the popular TV series Glee seems to have been a problem at one point.
Ron Deibert, director of University of Toronto-based Internet security think tank Citizen Lab, told The Intercept that LEVITATION was,
‘[A] giant X-ray machine over all our digital lives… These revelations make clear that CSE engages in large-scale warrantless surveillance of our private online activities, despite repeated government assurances to the contrary.’
The slides also mention a protect codenamed ATOMIC BANJO, which tapped internet cables directly in order for operatives to monitor the IP addresses of computers that downloaded files ‘of interest’.
What is particularly interesting however, and indicative of how collecting such vast amounts of data only creates a bigger haystack in which to find a needle, is that only 350 documents a month were considers ‘interesting’ – this amounts to less than 0.0001 percent of al all the data collected.
In fact, it seems that such a massive surveillance operation achieved only two successes:
‘The discovery of a hostage video through a previously unknown target, and an uploaded document that contained the hostage strategy of a terrorist organization. The hostage in the discovered video was ultimately killed, according to public reports.’
What is clear, is that Canada is a major player in the Five Eyes spying alliance, and that it is not shy of spying on its own citizen’s. Indiscriminately sweeping up the phone records of users of certain apps, and data from the millions of downloads made from ‘FFU’ websites, would inevitably have meant collecting a great deal of information on Canadians.
Despite this, CSE made the following statement to The Intercept and CBC News.
‘CSE is legally authorized to collect and analyze metadata, including from parts of the Internet routinely used by terrorists. Some of CSE`s metadata analysis activities are designed to identify foreign terrorists who use the Internet to conduct activities that threaten the security of Canada and Canadian citizens.
CSE does not direct its activities at Canadians or anyone in Canada, and, in accordance with our legislation, has a range of measures in place to protect the privacy of Canadians incidentally encountered in the course of these foreign intelligence operations.’