A new Edward Snowden document shows how Canadian spy organisation CSEC (Communications Security Establishment Canada) trial-ran NSA-developed technology over a two-week period in 2012, using it to track thousands of ordinary travellers who had taken advantage of free WiFi at a Canadian airport (which one is not revealed).
The actual content of communications (phone calls and emails sent) was not tracked, but the scale of metadata collected was such that travellers could be tracked for days after leaving the airport as their phones showed up on other WiFi hotspots around Canada (such as airports, hotels, coffee shops and restaurants, libraries, train stations etc.), and could even be tracked days before they arrived at the airport.
Under Canadian law it is illegal to target Canadian citizens with foreign intelligence activities, but security experts told CBC News (who broke the story) that,
‘Many Canadians whose smartphone and laptop signals were intercepted without their knowledge as they passed through the terminal,’ would have been included, and ‘it would be simple for the spy agency to have put names to all the Canadians swept up in the operation.’
Canada is part of the English-speaking ‘Five Eyes’ spying network, and it is likely that the data obtained from the trial would have been shared with CSEC’s sister organizations such as the NSA and GCHQ. CSEC were apparently over the moon with the new software, calling it ‘game-changing’ and capable of tracking ‘any target that makes occasional forays into other cities/regions.’ Chillingly, ‘sources tell CBC News the technologies tested on Canadians in 2012 have since become fully operational.’
In a similar trial project CSEC boasts that,
‘It obtained access to two communications systems with more than 300,000 users, and was then able to “sweep” an entire mid-sized Canadian city to pinpoint a specific imaginary target in a fictional kidnapping.’
The Canadian public and privacy experts alike have expressed outrage at the revelations, although CSEC insists that it acted both properly and within the law,
‘[CSEC is] mandated to collect foreign signals intelligence to protect Canada and Canadians. And in order to fulfill that key foreign intelligence role for the country, CSEC is legally authorized to collect and analyze metadata. No Canadian communications were (or are) targeted, collected or used.’
Privacy experts have however expressed doubt over this legality,
‘I cannot see any way in which it fits CSEC’s legal mandate,’ international security and intelligence expert Wesley Clarke told CBC News.
Using VPN to prevent tracking by WiFi hotspots
Encrypting your data using a VPN is a very effective way to prevent it being spied on when using public WiFi hotspots, even against the likes of the NSA. In this case, however, the contents of communications were not spied on by CSEC (or at least that is what they say), and only metadata, such as when and to which hotspot you connected, was tracked.
Connecting to WiFi hotspots through an encrypted VPN tunnel might help obfuscate the unique identifiers of a device, but there is no guarantee of this. As Ronald Deibert, co-founder and a principal investigator of the OpenNet Initiative and Information Warfare Monitor projects, notes, with a smartphone, tablet or laptop we are ‘essentially carrying around digital dog tags as we go about our daily lives’.