Spy agency cleared in metadata case
OTTAWA — The government’s electronic eavesdropping agency did not track the online activities of Canadians during a contentious study of wireless communication at airports, says a federal watchdog.
The independent body that monitors Communications Security Establishment Canada says the spy agency’s metadata analysis effort wasn’t about mass surveillance or the monitoring of Canadians.
The watchdog’s assurances, however, left analysts with lingering questions about just what CSEC legally can do when it comes to sifting through digital communications.
A CSEC document obtained last month by CBC — originally leaked by former U.S. spy contractor Edward Snowden — suggested information was taken from an unidentified Canadian airport’s free Wi-Fi system over a two-week period to conduct the trial.
In a new posting on its website, the CSEC watchdog says it has since received a briefing from the spy agency, questioned employees involved in the project, and examined results of the activity at issue.
“This activity is used by CSEC to understand global communications networks,” says the watchdog’s office, led by Quebec judge Jean-Pierre Plouffe.
“We concluded that this CSEC activity does not involve ‘mass surveillance’ or tracking of Canadians or persons in Canada.”
Ottawa-based CSEC has a mandate to monitor foreign computer, satellite, radio and telephone traffic of people, countries, organizations and terrorist groups for information of intelligence interest to Canada.
It works closely with similar agencies in the United States, Britain, Australia and New Zealand.
The CBC story prompted a storm of concern about invasion of Canadians’ privacy, putting Defence Minister Rob Nicholson — responsible for the eavesdropping agency — on the defensive during the House of Commons question period.
Liberal MP Scott Brison said MPs spend a lot of time in Canadian airports during their travels, using their wireless Internet access to stay connected and send emails containing personal information about constituents.
“Will the government notify any members of Parliament or Canadians who have been caught up in this data sweep?” Brison asked. “Will the minister initiate his own investigation into CSEC’s activities, to reassure Canadians that their privacy has not been violated?”
The watchdog says in the new posting that such surveillance did not occur, adding that if CSEC were tracking the movements or online activities of people at a Canadian airport, that would be illegal.
Plouffe’s statement that “no CSEC activity was directed at Canadians or persons in Canada” begs legal interpretation, said Craig Forcese, an associate law professor at the University of Ottawa.
These doubts should be assuaged with real law, he wrote Thursday in a blog posting. “And so the government needs to show its legal cards. It is long past the time when a bare assertion of legality suffices, when that assertion is based on a legal theory that no one outside of government has seen.”
Intelligence expert Wesley Wark, who also teaches at the University of Ottawa, said he was curious as to how and why Plouffe’s office arrived at its conclusions, and whether the airport Wi-Fi exercise had appropriate levels of internal approval at CSEC.
Overall, Plouffe must “get used to providing full public explanations for his findings,” not brief summary judgments, if he is going to “satisfy skeptical Canadians that he is truly independent and truly capable of holding CSEC to account,” Wark said.
The CSEC watchdog’s comments echoed those of spy agency chief John Forster, who told a Senate committee shortly after the CBC story that CSEC was merely collecting electronic metadata — data trails about messages, essentially — and not the actual content of those messages and calls.
Forster said CSEC aimed to build a mathematical model to help determine a communication pattern at a public location, in this case an airport.
The May 2012 CSEC presentation leaked to CBC says the project could help security officials locate a kidnapper making ransom calls.
CSEC is forbidden from targeting the private communications of Canadians such as emails and phone calls. However, metadata is not considered a private communication for the spy service’s purposes.
Some civil libertarians, privacy advocates and academics say CSEC’s metadata monitoring is worrisome because even such seemingly innocuous routing codes and digital stamps can reveal much about someone, such as their location and who they are contacting.
Bill Robinson, who has kept a close eye on CSEC for years, wondered Thursday how far the agency’s metadata collection and use go.
“Is CSEC currently collecting a comprehensive, or near comprehensive, or any kind of ongoing database of metadata concerning communications-related activity in Canada?” he wrote on his blog.
“And is it analyzing those activities for information relevant to its foreign intelligence targets, such as visits to websites associated with suspect causes?”
Forster has denied CSEC uses metadata to build profiles of Canadians. Rather, it helps the agency screen out the content of Canadian messages, he told the senators.
In a recent court filing, CSEC says metadata also helps it identify malicious foreign cyber-activity and better understand and discover foreign targets. “Metadata allows CSE, usually through automated tools, to filter information found on the global information infrastructure without looking at the content of any communications.”
The watchdog’s office says it is doing an in-depth review focused exclusively on metadata.
Wark said he suspects Canadians will not see the results of that review until summer or fall of next year.