Canada's electronic spy agency fretted over how its collection of cellphone and email metadata might be perceived even before CBC published a story on the agency using Wi-Fi data to track airport passengers, new documents obtained by CBC reveal.
A Communications Security Establishment employee warned in an email several days before the CBC story aired that public knowledge of the top-secret experiment, which followed passengers at a major Canadian international airport using their electronic footprints, "would be damaging" to the agency by "putting into question" its collection of the metadata belonging to Canadians.
"There was some internal squirming by CSE around the fact that they had used Canadian metadata to build the analytical model, and had done so over a protracted period," says national security expert and University of Ottawa professor Wesley Wark.
The electronic surveillance agency came under increased scrutiny in the weeks following the Jan. 30, 2014 airing and publication of the CBC story, which was based on a document obtained by U.S. whistleblower Edward Snowden and analyzed in collaboration with the U.S. news site The Intercept.
- CSE used airport Wi-Fi to track Canadian travellers
- Wi-Fi snooping experiment prompts calls for review
- Canada's Snowden files: More stories
Now, new documents obtained under the Access to Information Act, provide insight into how the spy agency prepped for Senate committee hearings and media scrums, as questions rained down about their use of the metadata collected about passengers at the Canadian international airport.
Care must be taken, said an email dated Feb. 3, 2014 — the day CSE chief John Forster spoke at a Senate committee — not only to make sure the agency didn't mislead, but also to make sure "we don't limit the scope of any future activities."
From an intelligence perspective, that second concern is understandable given how metadata has become the "absolute core way" intelligence agencies now monitor communications and individuals, says Chris Parsons, a post-doctoral fellow at University of Toronto's Citizen Lab, a research lab specializing in technology and human rights.
"If all of a sudden they were more limited in their ability to analyze, collect or parse Canadian metadata, then it could put their intrusion detection systems and ... signals intelligence operation in some kind of jeopardy."
- How Canada's spy agency hunts extremists through file-sharing sites
- CSE's cyberwarfare toolbox revealed
Metadata is often described as the information that appears on an envelope, or data about data. For email, it would include such elements as the name, time stamp, subject line and destination, but not the message itself. For cellphones, it could include such things as the location, telephone numbers and duration of calls.
Some civil libertarians and privacy advocates argue metadata can be more revealing and powerful than the content of a private communication, especially when analyzed en masse.
Information collected about passengers at a Canadian international airport was based on a "snapshot of historical metadata collected from the global internet," the documents said.
The information was "completely minimized and at no time contains any user attributable information, nor can it be reverse-engineered to reveal it.
"The data was only used to paint a picture of the pattern of network use in certain types of facilities with public internet access. This is what you see in the presentation, patterns of dots," one email says.
One of the reasons the agency likely opted for a historical sample is to be "absolutely certain" the metadata was "cleaned to the point that it could in no way be traced back to one person or communication," says Christian Leuprecht, a fellow at Queen's University's Centre for International and Defence Policy and a professor at the Royal Military College.
"The historical snapshot allowed them to ensure compliance throughout the experimentation ahead of time, without having to worry about demonstrating compliance after the fact."
'Deeply flawed' definition
The access-to-information documents also provided some new insights into how the spy agency views whether or not it's directing its spying at Canadians.
"If CSE were to track anyone… we would need to know who they are; we would need to actively locate and find the individual; and we would need to monitor their movements in real time," a briefing note for CSE's chief said.
Internal CSE briefings & emails
On mobile? Click here to read the CSE documents
CSE is barred by statute from targeting or tracking Canadians under its foreign signals mandate, but it says it is allowed under the current interpretation of the rules to incidentally collect metadata and emails. The agency is obligated to delete private communications unless they are deemed essential to foreign intelligence, but not metadata.
Tamir Israel, a lawyer with University of Ottawa's Canadian Internet Policy and Public Interest Clinic, says CSE's definition of when it is targeting Canadian is "deeply flawed" and contradicts privacy laws.
In cases involving third-party online tracking, typically used for advertising, the federal privacy commissioner has found that extensive tracking of metadata, even when the companies don't know the name of an individual, constitutes a violation, says Israel. The extensive monitoring creates a detailed profile, making identifying the individual too easy.
Part of the problem, he says, is that the CSE is "in this isolated sort of internal bubble where they get to determine the legal interpretation of everything they do."
In the days following the CBC report, the spy agency's watchdog was quick to defend the agency.
'The CSE Commissioner may have rushed into the fray a little precipitously.' - Wesley Wark
CSE Commissioner Jean-Pierre Plouffe said his office examined the top-secret, airport Wi-Fi presentation and concluded that the experiment did not involve "mass surveillance" and was done to understand the global internet, thus rendering it legal.
But two months later, Plouffe's office called on the CSE, asking for more clarity on the airport experiment, according to the new documents obtained by CBC.
The office wanted a "better understanding" of the signals intelligence metadata analysis used in the airport Wi-Fi case and asked for a demonstration on how the experiment was done.
"The CSE Commissioner may have rushed into the fray a little precipitously," says Wark.
The review likely also served as part of an ongoing review of CSE's use of metadata, which began in June 2013 following some of the initial Snowden revelations.
CBC is working with U.S. news site The Intercept to shed light on Canada-related files in the cache of documents obtained by U.S. whistleblower Edward Snowden.
For a complete list of the past stories done by CBC on the Snowden revelations, see our topics page.