The head of Canada's communications surveillance agency defended its use of metadata Monday and argued a test using Canadian passengers' data — revealed by CBC News last week — didn't run in real-time and wasn't an actual operation.
John Forster, chief of the Communications Security Establishment Canada, defended the cybersecurity agency over revelations contained in a document released by U.S. National Security Agency whistleblower Edward Snowden.
Forster was appearing before the Senate national defence committee along with the head of CSIS and the prime minister's national security adviser days after a CBC News report on the document that showed CSEC used airport Wi-Fi to track the movements of Canadian passengers, including where they'd been before and after the airport.
- Watch: Heads of CSIS, CSEC testify
- Watch: PM's national security adviser testifies
- Snowden docs: CSEC used Wi-Fi to track travellers
Forster did not deny the story, but said CSEC was acting within the law.
Forster said the agency used metadata to develop a model that showed they could track an internet user's network activity "around a public access mode," and that the tracking didn't happen in real time.
Metadata can reveal a trove of information, including, for example, the location and telephone numbers of all calls a person makes and receives. It does not include the content of the call, which would legally be considered a private communication and cannot be intercepted without a warrant.
"This exercise involved a snapshot of historic metadata collected from the global internet. There was no data collected through any monitoring of the operations of any airport. Just a part of our normal global collection," he said.
"We weren't targeting or trying to find anyone or monitoring individuals' movements in real time. The purpose of it was to build an analytical model of typical patterns of network activity around a public access mode," Forster said.
The spy chief said the agency also uses metadata to ensure it isn't inadvertently directing investigative efforts at a Canadian phone number or IP address. The agency is supposed to stick to foreign intelligence, not domestic.
Is metadata discarded?
Metadata, Forster said, is essential to CSEC's work. But he said the agency doesn't use it to build profiles on Canadians, and that its own staff would report CSEC to its commissioner watchdog if the agency started tracking Canadians.
Speaking to reporters after the committee meeting, Forster allowed that Canadian metadata is being collected.
"There are foreign and Canadian information mixed together in the internet," he said, responding to a question about whether the agency picks up data belonging to Canadians.
The collection of metadata was approved by a ministerial directive, Forster said. The first directive was issued in 2005 under a Liberal government, with the latest one issued in 2011 under the Conservatives.
Asked whether the data collected for the model had been discarded, Forster referred to a directive about how long it could be stored.
"After a maximum amount of time that data, if it hasn't already been discarded, is discarded," he said.
CSIS denies mass surveillance
Ontario Privacy Commissioner Ann Cavoukian said the law needs to be updated to include metadata, a term that appears nowhere in the current act.
What is 'metadata'?
Metadata refers to information used to order or describe data, rather than the data itself. In the case of modern communications, it is the digital traces created when a phone call is made, an email or text is sent or a webpage is accessed — but it does not contain the content or conversation that was exchanged in those calls, messages or web surfing.
To use a less modern example, a library card catalogue contains the metadata for the books in a library.
However, metadata can include a lot of information, including the date, time, duration and location of a communication, the wireless device ID or internet address of the device that was used and the IDs or addresses of devices on the other end of the message or call — and even keywords or "tags" that relate to the information being exchanged.
"So it is fiction to say that the act authorizes metadata. It's an interpretation — the way I interpret it, any interception is not permitted," Cavoukian told Evan Solomon, host of CBC News Network's Power & Politics.
The head of Canada's spy agency, the Canadian Security Intelligence Service, told senators the agency doesn't perform mass surveillance of Canadians.
"I can assure you that CSIS warrants authorized by the Federal Court do not allow the mass surveillance of Canadians and we do not engage in such activities," Michel Coulombe said.
"Our warrants are directed against specific individuals who pose a threat to the security of Canada, a threshold that is clearly articulated in the CSIS Act."
Earlier, Prime Minister Stephen Harper's national security adviser, Stephen Rigby, defended the collection of Canadians' metadata by Canada's surveillance agency, calling it "data about data."
Rigby said he is "not totally persuaded" that Canada's spy agencies tapped into airport Wi-Fi.
"I think that the document that has been released clearly indicates that there has been collection of metadata," Rigby said.
"That is a well-known fact.… It does not represent a compromise of private communications by Canadians. It's data about data," making it "well within the legal parameters" of agency operations, he said.
Canada's interim privacy commissioner, Chantal Bernier, said in a report last week that she had serious concerns about how spy agencies use social media to collect information. Bernier said the potential for privacy invasion calls for commensurate protection, including an updated law.
130 Canadian extremists abroad
Michel Coulombe, the head of the Canadian Security Intelligence Service, says his agency is aware of more than 130 Canadians working abroad in support of extremist activities. He says it's his number 1 security concern.
"Currently, CSIS is aware of over 130 Canadians who are abroad in support of extremist activities, including approximately 30 in Syria alone. Such individuals' activities vary widely, ranging from paramilitary activity, training in weapons and explosives, and logistical support, to terrorist fundraising and studying in extremist madrassas.
"Some never achieve their intent and simply return home. Thus their depth of experience varies widely, making some individuals much more concerning than others. The service actively investigates such individuals, however, I must be clear in stating that such investigations are inherently challenging and gaps in our understanding are unavoidable. The number of individuals overseas are in constant flux. Their motivations are difficult to ascertain and their movement against sometimes isolated terrain are difficult to track."
Rigby said Bernier presented Parliament with some interesting ideas, but that the current controls "are reasonably robust."
"I think to a certain extent there's been a lot of public debate about some of the actions of our security agencies as a result of Mr. Snowden's disclosures," he said.
"I'm not persuaded at the end of the day that all of them are 100 per cent accurate."
Rigby said Bernier's ability to audit CSIS and CSEC is a check in itself.
"I think that the annual reports that are tabled by the commissioner, by SIRC [CSIS's review body the Security Intelligence Review Committee] and by the director of CSIS, for example, all represent opportunities to comment on privacy issues and the checks that are in place to assure Canadians that they have reasonable privacy protections in place," he said.
'That, simply put, is spying'
Opposition members in the House of Commons have long demanded more parliamentary oversight of the country's national security agencies.
NDP defence critic Jack Harris tabled a motion last fall to create a parliamentary committee to determine the best way to oversee CSEC and CSIS. The motion was defeated.
Liberal public safety critic Wayne Easter is tabling a motion in the House Tuesday to order CSEC to end all illegal monitoring of Canadians and increase proper oversight of the cybersecurity agency via a national security parliamentary committee.
"When Canadian citizens transferring through airports and using Wi-Fi have their metadata collected, that, simply put, is spying," Easter said in the House Monday.
A report by the commissioner from last June, Easter said, noted that some activities may have been directed at Canadians.