CSEC's collection of metadata shows ability to 'track everyone'

Recent allegations about domestic spying by one of Canada’s security agencies has inspired a great deal of confusion about metadata, and whether it's as harmless as the security establishment says it is.

Eavesdropping agency collecting more than just 'data about data'

John Forster, head of the Communications Security Establishment Canada (CSEC), has said that his agency does not snoop on Canadians. (Fred Chartrand/Canadian Press)

Recent allegations about domestic spying and the collection of "metadata" by one of Canada’s security agencies have inspired a great deal of confusion about the precise nature of the surveillance.

John Forster, head of the Communications Security Establishment Canada, appeared before the Senate security and defence committee Feb. 3 and answered questions about a CBC report that said CSEC had used airport Wi-Fi to follow the movements of Canadian travellers.

CSEC is supposed to monitor only foreign communications for intelligence that may be of interest to Canada. The agency has said it does not spy on Canadians nor anyone in Canada.

In this particular case, Forster denied that CSEC had snooped on Canadians, saying the agency had accessed airport Wi-Fi to capture “a snapshot of historical metadata.”

When asked to clarify the importance of metadata, Prime Minister Stephen Harper’s national security adviser explained it simply as "data about data."

Here’s a closer look at the contentious issue of metadata.

What is metadata?

The explanation that metadata is “data about data” is mostly right, says David Lewis, a global security advocate for network hosting and service provider Akamai Technologies. It’s information about the digital envelope that carries specific correspondences over a network, he says. 

This can include phone numbers, the length and time of calls, email addresses and internet routing information. The metadata is the information about a specific communication, but it doesn’t reveal the substance of the communication itself.

Do average web users even notice it?

In his book Black Code: Inside the Battle for Cyberspace, author Ron Deibert writes that “we rarely experience metadata directly, as it is buried in instructions and communications several layers below our interactions with our devices.”

Metadata may not be readily apparent, but for an average internet user, it just takes a bit of digging to find it. When you download a song from iTunes, for example, the file will contain details about the artist, album, date of the recording and copyright information, which can usually be found simply by right-clicking on the file.

As Deibert points out, metadata will also become visible any time you upload an image to a site such as Flickr, where you might notice that the image contains information about the model of camera used to take the picture, the time it was taken and the geographical coordinates of where it was shot.

The most controversial type of metadata is the information attached to phone calls and emails. A smartphone can contain information about the date and time of the communication, the number of both the caller and the receiver, their respective geographic locations and the amount of data transmitted.

This information is shared every few seconds, as the smartphone sends out a signal to the nearest Wi-Fi hotspot or cellphone tower in order to establish the most stable connection for the device.

As Deibert writes, “Average users may have thousands of data points like these collected from them every day as they communicate through cyberspace.”

So what’s the problem?

While the CSEC insists that it is not listening in on actual conversations, Akamai’s David Lewis thinks that the gathering of metadata is even more invasive.

“For some reason [consumers] seem to think it’s OK that they’re sharing metadata, but I’m sorry, that’s an awful lot of information about a phone call without the context of the call,” says Lewis.

Without even looking at the substance of a phone call or email, surveillance agencies such as the CSEC, the National Security Agency in the U.S. and Britain's GCHQ have the ability to track your movements, as well as map out a network of your interactions. This could be far more incriminating than something you might have expressed in a phone call or email, Lewis says.

  As a sign of how valuable metadata is to the surveillance community, GCHQ has used metadata found in a 2011 NSA sweep of millions of text messages to gather info on the movements, contacts and financial transactions of a large number of British citizens, according to a document leaked by NSA whistleblower Edward Snowden.

While these individuals weren't even targeted for surveillance, the NSA and GCHQ were able to use metadata such as missed-call alerts or texts sent with international roaming charges to see who people were calling, when they crossed a border and when they made an electronic bank withdrawal.

Taken together, all this metadata has the potential to provide the security establishment with a fairly comprehensive picture of a person's life, says Lewis.

While being able to see a network of communications between disparate people could lead to the capture of a potential terrorist, it could also ensnare an innocent individual, Lewis adds.

“They can say, ‘Well, you talked to this person, who talked to this person, who talked to this person, who talked to this person, who talked to that person – obviously, you must be connected.’ And it’s like, it doesn’t work that way.”

What is CSEC's rationale?

According to its mandate, CSEC is not allowed to target the private communications of Canadians. The agency is able to gather metadata, however, because it does not deem this information a private communication.

Ann Cavoukian, Ontario's privacy commissioner, thinks the law needs to be updated to include metadata.

She says it is "a fiction" to say that the National Defence Act authorizes metadata, since the law makes no specific reference to metadata, Cavoukian told Evan Solomon, host of CBC News Network's Power & Politics.

"It's an interpretation — the way I interpret it, any interception is not permitted."

Lewis says the collection of metadata is part of the Canadian security establishment’s growing ability “to track everyone, anywhere, anytime.”


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?