Canada’s electronic surveillance agency is covertly monitoring vast amounts of Canadians’ emails as part of a sweeping domestic cybersecurity operation, according to top-secret documents.
The surveillance initiative, revealed Wednesday by CBC News in collaboration with The Intercept, is sifting through millions of emails sent to Canadian government agencies and departments, archiving details about them on a database for months or even years.
The data mining operation is carried out by the Communications Security Establishment, or CSE, Canada’s equivalent of the National Security Agency. Its existence is disclosed in documents obtained by The Intercept from NSA whistleblower Edward Snowden.
The emails are vacuumed up by the Canadian agency as part of its mandate to defend against hacking attacks and malware targeting government computers. It relies on a system codenamed PONY EXPRESS to analyze the messages in a bid to detect potential cyber threats.
Last year, CSE acknowledged it collected some private communications as part of cybersecurity efforts. But it refused to divulge the number of communications being stored or to explain for how long any intercepted messages would be retained.
Now, the Snowden documents shine a light for the first time on the huge scope of the operation — exposing the controversial details the government withheld from the public.
Under Canada’s criminal code, CSE is not allowed to eavesdrop on Canadians’ communications. But the agency can be granted special ministerial exemptions if its efforts are linked to protecting government infrastructure — a loophole that the Snowden documents show is being used to monitor the emails.
The latest revelations will trigger concerns about how Canadians’ private correspondence with government employees are being archived by the spy agency and potentially shared with police or allied surveillance agencies overseas, such as the NSA. Members of the public routinely communicate with government employees when, for instance, filing tax returns, writing a letter to a member of parliament, applying for employment insurance benefits or submitting a passport application.
Chris Parsons, an internet security expert with the Toronto-based internet think tank Citizen Lab, told CBC News that “you should be able to communicate with your government without the fear that what you say … could come back to haunt you in unexpected ways.”
Parsons said that there are legitimate cybersecurity purposes for the agency to keep tabs on communications with the government, but he added: “When we collect huge volumes, it’s not just used to track bad guys. It goes into data stores for years or months at a time and then it can be used at any point in the future.”
In a top-secret CSE document on the security operation, dated from 2010, the agency says it “processes 400,000 emails per day” and admits that it is suffering from “information overload” because it is scooping up “too much data.”
The document outlines how CSE built a system to handle a massive 400 terabytes of data from Internet networks each month — including Canadians’ emails — as part of the cyber operation. (A single terabyte of data can hold about a billion pages of text, or about 250,000 average-sized mp3 files.)
The agency notes in the document that it is storing large amounts of “passively tapped network traffic” for “days to months,” encompassing the contents of emails, attachments and other online activity. It adds that it stores some kinds of metadata — data showing who has contacted whom and when, but not the content of the message — for “months to years.”
The document says that CSE has “excellent access to full take data” as part of its cyber operations and is receiving policy support on “use of intercepted private communications.” The term “full take” is surveillance-agency jargon that refers to the bulk collection of both content and metadata from Internet traffic.
Another top-secret document on the surveillance dated from 2010 suggests the agency may be obtaining at least some of the data by covertly mining it directly from Canadian Internet cables. CSE notes in the document that it is “processing emails off the wire.”
The Canadian government has previously accused China of trying to hack into its systems. And last year, the country’s revenue agency shut down after a hacker broke into its site following the exposure of a security vulnerability known as Heartbleed.
Of the masses of emails the agency was scanning and storing using PONY EXPRESS in 2010, however, only about 0.001 percent of them were deemed to contain potentially malicious viruses. According to the documents, 400 each day triggered alerts. Of those, only about four a day were judged serious enough to inform the government departments affected.
Since the 2010 documents were authored, it is likely the scale of the domestic data collection has increased. CSE states in the documents that it is working to bolster its capabilities. Under a heading marked “future,” the agency notes: “metadata continues to increase linearly with new access points.”
A CSE spokesman told The Intercept and CBC News in a statement that the agency eventually deletes intercepted Canadians’ emails if they are found to contain no cyberthreat, but would not comment on the amount of emails collected, or discuss the period of time that the messages are retained for.
“Under its cyber security mandate, CSE collects data and metadata that is relevant and necessary to understand the nature and methods of malicious cyber threats,” the spokesman said. “Data and metadata are deleted according to established data retention schedules that are documented in internal policies and procedures. To provide more detail could assist those who want to conduct malicious cyber activity against government networks.”
Photo: Getty Images/iStockphoto
“The latest revelations will trigger concerns about how Canadians’ private correspondence with government employees are being archived by the spy agency and potentially shared with police or allied surveillance agencies overseas, such as the NSA.”
It’s this that creeps me out, the knowledge that every phone call I make and every email I author ends up transmitted to Washington, and then on to the Utah facility. (No wonder they need a thousand or so acres in Utah: the electronic lives of everyone on earth adds up to a lot of terrabites.) Canadian politicians and career civil servants are not quite as imaginative and scary as those in the US, but they do have a monkey-see monkey-do policy vis-a-vis the US — like good little vassals — so this new news only adds to the tightening spot in the pit of my stomach.
BFD. Really scraping the bottom of the barrel for scoops, aren’t we? You guys must really miss Snowden.
Mr. Greenwald
This is a non story (thirty-two comments on one of your threads is ridiculous). As long as there are Islamic terrorists burning captives to death; executing captive Coptic Christians; bombing marathons; bombing Shia Muslims worshiping in a Mosque; hijacking planes for weapons; bombing trains; attacking Malls; kidnapping “comfort” girls; killing anyone and everyone like in Mumbai (Pakistan, Iraq, Nigeria etc.); murdering people that value free speech and threatening to attack Malls in the US and Canada – Americans and Canadians will appreciate the work of intelligence to help prevent politically-motivated targeting and murdering of innocent people.
The recent attacks in Europe have only highlighted their importance.
” This is a non story (thirty-two comments on one of your threads is ridiculous).”
Craig, does it ever occur to you that the number of comments to an article is a very poor measure of the article’s readership count?
Do you know how many times I visited this same article to extract a piece of information that supported something that I was working on without leaving a comment each time I visited?
Do you know how many friends I had access and read this article without leaving or posting the comments that they certainly made to me?
Do you know that it is not absolutely necessary to comment in order to read an article?
Did you know that GG may not even care ( I presume he is not with TI to spend his time counting comments) ?
Sir, do you know anything at all?
I think that it reflects the interests of his loyal readership which to me is a measure of the interests people have in this article. It doesn’t matter to me one bit how many of your friends read this article. None of mine even know this site exist. The Intercept has been publishing the same stories for the past year and a half. It’s a “little” overdone in my opinion. Most of his mousekateers would prefer that he bash American and Israeli foreign policies. Given a choice, certainly Greenwald would prefer that as well – but he does have a certain amount of obligation toward Edward Snowden. The Oscar wasn’t a freebee.
You don’t need to preface your comment with a sir when referring to me as a moron…..
” The Intercept has been publishing the same stories for the past year and a half. ”
And all this time that TI has been, according to you, ‘publishing the same stories ‘, you nevertheless visited the site often enough to make the observation? Why are you drawn to the same stories?
_________
” I think that it reflects the interests of his loyal readership …”
You may be right but I’m not sure what loyalty has got to do with this. The man is not a cult leader.
____________
” You don’t need to preface your comment with a sir when referring to me as a moron…”
Now Sir, no blatant accusations. I never called you a moron, although you are entitled to calling yourself anything you want of course.
” Most of his mousekateers would prefer that he bash American and Israeli foreign policies. ”
And where, how and when was that ‘ preference’ to ‘…bash American and Israeli foreign policies ‘declared by the patrons of this website? Or is it just one of your imaginations?
Do you really believe that the folks here are not capable of bashing anything on their own and sorely need Greenwald to do it for them?
Maybe we should end this little dialogue. On the scale of things, it is just not worth the strain my eyes are feeling tapping on the small keyboard trying to talk to you. Yes, me that your original post was not even directed to, to steal your thunder.
“……Maybe we should end this little dialogue. On the scale of things, it is just not worth the strain my eyes are feeling tapping on the small keyboard trying to talk to you……”
But you did anyway.
Thanks.
Are you a Canadian? Or are you an American who doesn’t know that any other place exists? The U.S., UK, and Canada need to get the hell out of other people’s countries, stop killing their innocent citizens. Canada used to be peacemakers who were obliged to help people, now they are just warmongers. It is no wonder that there are threats to these countries. When governments want to go to war, they are just as much terrorist as anyone else. Statistically the North American population have a better chance of being killed by a gun toting idiot. We the people of this planet need to grow up before we completely obliterated this it. Killing people is not the answer and when governments go to such a length as to surveil their own people something is terribly wrong. Obviously this thread is about Canada so who cares.
No one showed up tracking me while I read the article but when I opened comments, my blocker went to 31 hits.
I live in Canada and I have a system that is pretty much NSA-proof. I have gone to elaborate lengths to make sure that from both hardware and software perspectives my system is very difficult to hack into. And, as additional precautions I switch off the ISP’s router whenever I am not using the system. So if CSE is trying to hack into my system they are having a hard time.
The other day one of the other ISP companies sent a fellow to my home with an offer for an incredibly cheap internet connection and – what really made me suspicious – the offer included a free laptop worth at least $400. Apparently someone had determined that it would be a great idea to gift me a Trojan Horse and I would fall for it. Native people are usually considered stupid and naive.
I am pretty certain CSE is stalking everyone’s internet activity, not just vacuuming up email exchanges with government officers. That’s why they must be quite relieved to read this article that absolves them of grave illegalities.
Congratulations. You must know that they can “cloak” their way into your residence whether you are there or not, to manipulate your system to install hacking code in the BEER segment of your computer.
This code is not accessible to any OS, let alone application software such as anti-virus programs.
It has firmware modules that they obtain from hardware component manufacturers which they use to manipulate the hardware functions in ways that commercial diagnostics systems cannot detect.
And it thrives on stealth. Absolute stealth, where the user lives in a false sense of security believing that their system is secure. This is because the code has zero interruptions to the normal function of your system.
And they did this as far back as 2003 when I spent weeks studying the exact intrusion in my system back then. I felt just like you feel about your system now: that it was secure etc.
‘Cloaking’ is the technology that uses metamaterials to manipulate light, rendering objects invisible, sort of the way of the ‘lost’ Malaysian aircraft…
” I am pretty certain CSE is stalking everyone’s internet activity, not just vacuuming up email exchanges with government officers. That’s why they must be quite relieved to read this article that absolves them of grave illegalities. ”
CSE is vacuuming because Canada is a member of the all-Anglo-Saxon 5 eyes, and is the equivalent of the NSA. They all operate on the same page.
Commission of illegalities by a member of that group does not resolve any other member in the group of wrongdoing. For one thing, governing laws that each is answerable to are different; for the other, you could not hold them accountable if you wanted to; all have lawyers at the very top that see to that…
Sorry, I hate to be the bearer of bad news; but I cannot be nice at the expense of the truth either…
To Canada’s spooky spooks: Get honest, productive – from the people’s standpoint – jobs. Are they hard to come by? I don’t care any more than you do. Do it!
HAS ANYONE DISCUSSED THE CONCERN THAT NSA AND CANADA AND OTHERS WHO ARE STORING ALL THIS DATA IN WHAT I AM SURE THEY SAY IS ‘HERMETICALLY SECURE’ STATUS ACTIUALLY CAN GET HACKED, LIKE THE WHITE HOUSE, MAJOR FINANCIAL AND CONSUMER CORPORATIONS HAVE, BY THE VERY PEOPLE THEY ARE SUPPOSEDLY PROTECTING US FROM. HOW ABOUT USING THAT ARGUMENT, WHICH SEEMS TO ME POSSIBLE AND THEREFORE PLAUSIBLE, TO MOTIVATE THE AMERICAN PUBLIC TO MARCH ON WASHINGTON AND STOP THIS MADNESS. AFTER ALL THE ARMCHAIR CRACKPOTS THAT HAVE BEEN ‘PROTECTING’ US HAVE A HORRIBLE TRACK RECORD OF REALLY STOPPING TERRORISM GIVEN EMBASSY BOMBINGS, WTC (and they knew about that one coming!), AND MOST RECENTLY BENGHAZHI SINCE THE REAGEN ERA TIL PRESENT. USING THEIR OWN TALKING POINTS AGAINST THEM, IS THIS A CREDIBLE ‘REAL AND PRESENT DANGER’ OR AM I TECHNOLOGICALLY IGNORANT AND HOPELESSLY PARANOID. YOUR THOUGHTS ANYONE, GLEN?
There is an election coming up in Canada slated for midway through the year. However harper has bragged about the data mining ‘machine’ in place to monitor the other parties and their popularity. He therefore can determine when to call a snap election. He has bragged about monitoring the sleazy facebook site and now we know that he is mining the email data from the other party sites and their supporters. He has been using the technique of scare tactics and most likely tax payer money to run government ads to crow about how honest and great he is. The Canadian government is run like a dictatorship by a few pompous delusional people who tell only a small amount of truth to pass off as the real truth. My mother used to tell me that was lying by omission. Why do we believe bulls#!t?
If the Canadian people don’t get off their privileged asses and vote him out of office, Canada is going to be in deep trouble. Think of Wisconsin and scott walker. But of course there is little option as the other party lead by trudeau is much the same but anyone is better. There should be a time limit for holding office for all elected officials especially the prime minister.
I’ve always assumed that anything I send the government is now data they have on me. Altho I’d be angry about them sharing health care information with other agencies, isn’t this other stuff pretty unsurprising? — Mona
According to this story, the government isn’t the group that one should be concerned about wrt health care information (though I don’t trust them either):
Looking up symptoms online? These companies are tracking you.
Experian and Acxiom are data brokers. Your information is straight-up cash in their pockets.
Here’s the most interesting bit about Experian:
The upside (such as it is):
So, all those people out there who turn their nose at anything that comes from Wikipedia might want to reconsider their snobbery. Just sayin’…..
http://motherboard.vice.com/read/looking-up-symptoms-online-these-companies-are-collecting-your-data
Just block google, yahoo, cnn, aol and dropbox right at the router. Now don’t depend on the ISP’s Cisco router to block anything for you. Instead chain the Cisco router to your own cheap Chinese-made router, and do the blocking there. Then connect your system to our own router. I can bet none of the spies can then figure out how to hack into your system.
You can still bypass the blocking filter if you use Tor browser in case you need to access any of the blocked sites.
Thanks for that Pedinska.
And about Wikipedia snobbery: That drives me crazy. Wiki is a pretty good source, especially for the endnotes. When a Wiki entry concerns a topic I know something about, and it seems basically right, why not use it as support in an argument? The reflexive ridicule for citing Wiki is right up there with kneejerk shrieking about Godwin.
This is an aside: Glenn and colleagues, is there anything of significance that you think may be worth writing about re: the South Africa spy files that were released to Al Jazeera recently by a whistleblower there?
I find it hard to expect any one of the 5 eyes in this strictly Anglo- Saxon family, to be any different from the rest.
This article comes out the day after bill C-51 passes second reading. That sweeping bill allows spying for protection of government or important economic infrastructure amoung other things.
Was there any delay by the CBC in releasing this info? If it was released earlier we might not have this horrid law now.
Maybe I’m missing something, but this story seems, well, not shocking. This:
I’ve always assumed that anything I send the government is now data they have on me. Altho I’d be angry about them sharing health care information with other agencies, isn’t this other stuff pretty unsurprising?
Pretty much unsurprising, although it still suggests that anything a constituent shares with, say, the tax authorities, social security, government health programs (e.g., Medicare), once shared with agencies like NSA outside the original gov’t department/ministry, is no longer compartmentalized. And that data, once shared, could leak further down the exchange, since the data replicates with each new sharer. So at some point the original constituent could find that someone else filed a tax refund or passport application in their name, or some other new mischief.
These sharers seem good at burglary but may not be so good at protecting the proceeds. As with Gemalto, all they seem good at is jimmying things open.
Why, it’s almost as if there oughta be a law!
If correspondence is related to proceedings in parliament (e.g. the work of a parliamentary committee), it is protected by parliamentary privilege. Therefore placing it in a database available to others, including presumably the NSA, might be a small problem. Many Canadians are unaware that their government proceedings are subject to review and approval by the NSA.
However, these legal quibbles are outweighed by the usefulness of the new system. The government for example can ask for a list of all MPs who have corresponded with anti-pipeline activists – and then read those e-mails. Or environmentalists. Or labor activists. Or any activists really. So it seems like a good way to keep tabs on activists – and MPs. And all justified by the need for cyber security.
To me it’s another example of a thing that should be rare and/or require individual warrants/reasons instead evolving into bulk surveillance. This passage: “Under Canada’s criminal code, CSE is not allowed to eavesdrop on Canadians’ communications. But the agency can be granted special ministerial exemptions if its efforts are linked to protecting government infrastructure — a loophole that the Snowden documents show is being used to monitor the emails.”
“Special ministerial exemptions” at the rate of 400,000 emails a day. Doesn’t seem very special, and few people seem exempt. Similar to FISA courts issuing warrants to justify scooping up millions of online communications a day. They’re not individually tailored. They aren’t solely used for extreme cases, or parts of intricate investigations. Their targeting isn’t precise at all, it’s scattershot. This isn’t just a problem for the privacy-minded. It’s a problem for what the agencies are purporting to do, which is protect against threats. The above mentions the “information overload” problem. Well, if you scoop 400,000 emails a day you may need to justify it to bosses, so to show they need all those emails they invent new “threat profiles” and other bullshit, so they can say enough of a % of those collected justifies the entire operation. And this also justifies retaining all of them for longer. This may or may not result in analysts spending way too much time on that bullshit, when they should be focused on actual threats. Well, don’t want to write all day. Anyway sure, this isn’t shocking. It’s just more evidence.
Link
Glenn, was this collaboration made possible and done by using the secure room or building or whatever it is that you said awhile back that The Intercept or First Look was in the process of creating?
I could be wrong Kitt, but I don’t think so. I’m guessing that these docs are part of what was shared with the CBC a while back but went into limbo when the original reporter Glenn was working with left CBC and they were stuck with someone who was ideologically opposed to sharing information found in the Snowden trove with the public.
Having said that, I obviously don’t know the extent of what the CBC has been sitting on, so it’s entirely possible I am wrong in this assumption.
I think instead of us living in a “police state”, maybe we live in a “police world”.
Canadian Members of Parliament don’t have a lot to do, and some fill in their spare time by responding to the concerns of their constituents. The Government has a legitimate need to monitor this sort of activity and nip it in the bud. Otherwise, the next thing you know, some of the MPs would be introducing private members bills in Parliament, and otherwise stirring up trouble.
The ruling Conservative Party has generally done a good job of cowing its own MPs and they tend to be a fairly docile bunch who do what they are told, but those in other parties are more problematical.
“…the agency eventually deletes intercepted Canadians’ emails if they are found to contain no cyberthreat,”
You can drive a decades-wide truck through the loophole in “eventually.”
How does reporting on a foreign government’s surveillance activities follow the Chomsky rule?
Surely the rule does not say you can only ever report on what is directly connected with you rown country. In any case there is a US connection in this story.
Wow! Massive! 400 terabytes a month. That costs the Canadian government about US $10,000. Obviously they never delete anything; there is no motive to do so at these prices. Even Canada can afford to make multiple copies!
So this stupid system remembers who I last replied to and puts my next comment there as well?
Yes. It does. After sending a reply, I go up and click on the “cancel reply” button to clear it to enable me to reply to someone else.
The US tends to be a little arrogant and assumes there is nothing to be learned from other countries. But analyzing the communications of all elected representatives under the pretext of monitoring for cyber threats is an excellent approach. Think of how much more effective the president would be in dealing with Congress if he could monitor all their communications and take pre-emptive action whenever they were mobilizing to oppose him. He could expose their plots and disrupt them before they developed into real threats to his political agenda. Or he could decide to support them, in exchange for certain concessions. It is much easier to play political poker when you know the contents of your opponent’s hand.
This article may not be of interest to the average US citizen, but I believe it is intended as direct advice to the president, as he will undoubtedly hear about it when he is briefed on the latest leaks of NSA documents. Prior to the Snowden leaks, the NSA probably didn’t see any reason to inform the president about this program (since they prefer to control congress directly), but once the leaks are made public, he has to be briefed in order to respond to questions, and will no doubt demand (in private) that the NSA let him in on the action.
” Think of how much more effective the president would be in dealing with Congress if he could monitor all their communications and take pre-emptive action whenever they were mobilizing to oppose him. He could expose their plots and disrupt them before they developed into real threats to his political agenda. ”
And think of how effective the reverse would be as well. Congress could pre-empt to abort in advance, any of the President’s moves that they do not like.
And what a wonderful place America would be…
Among other things, Canada is one of the NSA’s Five Eyes partners.
I don’t think you’d really expect all that much privacy from a letter to a member of Parliament, so I’m tempted to characterize this less as “CSE spying on your email” than “CSE spying on Parliament.” Though somehow that doesn’t make it less alarming!
Good article, thanks for the update on the Canadian copycat wannabe of the NSA.
You know sometimes I wonder, and maybe one of you authors may want to comment on this, if these guys want to collect emails perhaps we should accommodate them by programming our computers to send thousands of random letter or copied script junk emails/day. We could send them to ourselves or to others of a NSA busy work group. Our computers are sitting most of the time waiting for us to do something. Why can’t they be churning out these emails, several/second just filling up the NSA’s databases with junk, much like government and corporate folks fill out lives with junk and aggravation? I recognize they have great computing capability but if several million computers were each sending out thousands of emails a day, each containing several million characters we would be giving them quite a challenge. So far, as far as I know, it is not against the law to send a junk email. Just a thought.
Thing is, eventually, that could also be illegal as they began cracking down on individuals behind DOS (denial of service) attacks as they could claim the sheer volume of email traffic occurring could disrupt certain servers, blah, blah, blah. You would have to ensure, as well, that you aren’t flagged as a spam email address, or it could be flagged by the service and shut down. Also, the sorts of programming endeavors they already utilize also would recognize patterns, and weed it out. These emails could be a map if not enough people contributed to the effort; it is an interesting thought, but I am worried that if done incorrectly, it could become a new method that leads to incarceration just as the DOS attacks were at the beginning of Anonymous activities using the the “Low Orbit Ion Cannon” program against $cientology. People who had not ensured the proper security methods of Internet anonymity were incarcerated even as they unwittingly committed a crime they did not know existed. That activity would be understood as, “hacktivist,” activity, and this they fear terribly (I.e. The recent Lizard Squad ‘attacks’ has spurred several arrests in several countries; although their activities are moderately more insidious, anyone caught in these variations of activities are lumped together, and given the campaigns to slander the character of people in order to mar people’s reputations).
quote”.. if these guys want to collect emails perhaps we should accommodate them by programming our computers to send thousands of random letter or copied script junk emails/day.”unquote
I’ve thought about that too. I think it’s a great idea. How do we make it go viral? Someone should write some software that you can download or something so everyone’s computer does it automatically simultaneously. Unfortunately, wouldn’t this overload private servers as well?, Like yahoo..or google? hmmm, now that I think about it… maybe that wouldn’t be so bad after all. I also wonder if something similar could be done with smartphones, like some kind of app that sends phone messages by the billions to government lines..or something to that effect. The point is, there’s gotta be a way to inundate government storage..daily.
There is no law against copying any government agency.
Literally, we all could copy the NSA and the other partners in the Five Eyes Alliance, with every email, text and other communication we do, and have a blanket notice which prohibits them from using the contents for any nefarious purpose, (a legal notice provision). The legal notice should be explicit and warn them that unauthorized use of privileged information will be subject to criminal and civil penalties.
In turn they could institute an awards program, pins and button, and merit certificates, for instance “Citizen of the Month”, “NSA’s Angel of the Month”, etc.
Heck there could even be competitions, domestic and international, and think about the money that might be saved with such speedy compliance…
They could reduce staff, and make cuts in several areas, and all those savings could be used to augment social services programs.
Imagine the NSA becoming a social services entity !!!
In fact, food stamps, and other social services benefits could have the NSA logo emblazoned thereon.
Obama wouldn’t have to lie anymore, when he appears on television; it must take great effort of will to maintain that “false face” he presents.
Hang on, a bunch of short squirrely weird looking characters are in my yard, surrounding the house, half a dozen SUV’s outside …
If I don’t post again, its because they don’t permit such from our local internment center; Bye…
Be sure to include certain keywords so every email is flagged for review.
Virus, malware, ISIS, al Qaida, bomb, Parliament, Congress, Syria, Pakistan, etc.
The concerns raised by Lenore and the legal notice mentioned by Mel should be considered though.
So, maybe just add those keywords to your normal correspondence rather than mass generation… and get enough people involved?
Some input from EFF or some lawyers may be useful.