Edward Snowden has revealed some of the ways that the Canadian government has systematically undermined the security of internet infrastructure and taken advantage of already insecure systems. Though it is too early to ascertain the political fallout of his revelations, the technical fallout is evident. Snowden’s disclosures have incited changes in how the largest private organizations in the world technically protect data under their control; long-standing vulnerabilities in how data is stored and transmitted are rapidly being resolved and legal challenges are arising to contest alleged state surveillance activities. But while technology companies and legal challenges can incite democratic debate about government surveillance, such surveillance actions are first and foremost political issues requiring informed public debate between citizens and their political representatives in Ottawa.
This article begins by discussing a handful of the technical vulnerabilities that the Communications Security Establishment (CSE) has leveraged, created, or exploited in conducting its foreign signals intelligence operations. In particular, it focuses on the monitoring of unencrypted communications, the sabotage of internationally approved encryption standards, the infiltration of poorly secured devices connected to the internet, and how some of these tactics are being hindered or stopped by technology companies and standards organizations. The solutions issued by these companies and organizations—though perhaps overdue—are driven by an interest in securing or retaining market share, or in regenerating trust, and not by an interest in resolving questions concerning the democratic legitimacy or appropriateness of the actions of CSE, the NSA, or other intelligence agencies. As such, Canadians must seriously consider the kinds of activities and operations that CSE carries out on their behalf and what measures the federal government should adopt to ensure that the agency’s activities are publicly perceived as both legal and democratically legitimate.
Signals Intelligence (SIGINT) organizations such as CSE have a history of collecting large volumes of communications information to achieve the national security objectives set by the government of the day. Such information has included the content of communications (e.g. strategic documents, tactical orders on the battlefield) and its so-called ‘metadata’ (e.g. geolocation of radio outposts, regularity of encrypted communications). As more communications have shifted to online environments, resources have been allocated to capture metadata and content that flow across the internet. Leaked documents provided by Edward Snowden have extensively focused on American and British SIGINT organizations thus far, though we also know that Canada’s SIGINT agency has leveraged long-standing technical deficiencies, created others, and exploited other computer systems’ vulnerabilities for its own gain. Unlike in the past, such surveillance activities do not just specifically aim at political, military, or economic targets. Instead, surveillance activities have ramifications for Canadian and non-Canadian users of the internet alike.
Leveraging Unencrypted Metadata
On 30 January 2014, the CBC revealed that CSE had conducted an experiment using WiFi data it possessed as a result of collecting metadata from the “global information infrastructure, also called ‘the Internet.’” As part of the experiment, CSE established seed identifiers that were then traced as they appeared throughout CSE’s metadata database. Such tracing revealed which WiFi access points the identifiers appeared at, and those access points were then linked with other databases in order to approximate geographically where the identifiers were appearing. The experiment relied on monitoring unique identifiers associated with either advertising cookies or logins to web services like email; each identifier was stated as not being associated with a specific Canadian, despite the revelatory nature of identifiers such as ‘firstname.lastname@example.org.’ The end result was that ‘email@example.com’ could be tracked as it appeared at a WiFi access point at Pearson International, a Starbucks in downtown Toronto, an academic library at the University of Toronto, and then at a business’ WiFi access point in Ottawa the next day.
What was particularly explosive in Canada was that rather than using a metadata datastore for Brazilian or Argentinean or Chilean telecommunications information, a datastore holding Canadian information was used. That CSE even retained this information, and could easily access it, stands in contrast to how the agency is expected to behave: there are restrictions on its ability to target Canadians’ communications, but no similar restrictions prevent the organization from retaining and using metadata pertaining to Canadians’ communications. What was discussed less at the time, however, was that such surveillance was possible because the identifiers themselves had been transmitted to internet providers (e.g. Google, Yahoo!) in an unencrypted format: the logins for Yahoo! mail and the tracking codes associated with Google’s advertising services—amongst others—were effectively transformed into identifiers for state surveillance practices. Moreover, given that major telecommunications companies in Canada, such as Rogers Communications and Bell Sympatico, outsourced email service to Yahoo! and Microsoft, respectively, it was possible that Canadians’ email metadata was being captured and stored along with metadata that was less evidently, though still ostensibly, Canadian, such as ‘firstname.lastname@example.org’.
Knowledge of this kind of surveillance, linked with growing awareness of how such identifiers are used by other Five Eyes intelligence organizations to co-ordinate the collection of electronic information, has led companies to harden their communications systems. Yahoo!, and by extension its email customer Rogers Communications, has subsequently encrypted email communications between the mail client and server, potentially foiling surveillance dependent on reading email addresses in plain text. Similar hardening of email has taken place across the American cloud industry.
The advertising industry, in contrast, has not seen a similar shift to encryption, because of technical delays. Specifically, shifting to ‘https’ encrypted communications to serve online ads requires all advertising companies to be able to deliver encrypted content to the web browser; thus far, the industry as a whole has failed to redesign its infrastructure to accommodate such security functionality, and it must do so as a collective group or else some companies will be unable to track individuals across websites and deliver targeted ads. Consequently, the encryption of email and of data transmitted between client computers and cloud servers only partially blinds CSE to the activities of internet users. CSE has presumably been forced to rotate the kinds of identifiers it primarily relies on—currently more on advertising cookies and less on email identifiers—but it can continue its operations. Advertising companies can assert that they have acted in the interests of users without undercutting the advertising businesses that are less apparent to users and that function as the primary drivers of the companies’ profits, thus providing more of a public relations whitewash than a real ‘blinding’ of SIGINT organizations.
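To make the point of the last four paragraphs concrete, here is an added example (it is not from the article, and it is not any agency's or company's code): a small Python audit over constructed sample records of what a passive observer at a WiFi access point could read from each request. A plaintext HTTP request exposes its full headers, so login parameters and advertising cookies are readable; for an HTTPS connection only the server name in the TLS ClientHello (SNI) is visible, which is why the encrypted mail session below yields no identifier while the plaintext ad request still does. The access-point labels, hostnames, cookie names and identifier values are all made up for the demonstration.

```python
from urllib.parse import urlsplit, parse_qsl
from collections import defaultdict

# Constructed sample records (not real captures).  For "http" the data is the
# raw request an observer at the access point could read; for "https" only the
# SNI hostname from the TLS ClientHello is visible, so that is all we record.
OBSERVATIONS = [
    {"ap": "airport-lounge", "proto": "http",
     "data": ("GET /mail/?login=alice.example%40example.org HTTP/1.1\r\n"
              "Host: mail.example.org\r\n"
              "Cookie: SESSID=abc123; ADID=trk-7f3e9\r\n\r\n")},
    {"ap": "downtown-cafe", "proto": "http",
     "data": ("GET /ads/serve?slot=top HTTP/1.1\r\n"
              "Host: ads.example.net\r\n"
              "Cookie: ADID=trk-7f3e9\r\n\r\n")},
    # Same mail provider as above, but now over TLS: only the hostname leaks.
    {"ap": "campus-library", "proto": "https", "data": "mail.example.org"},
    {"ap": "campus-library", "proto": "http",
     "data": "GET /news/ HTTP/1.1\r\nHost: news.example.com\r\n\r\n"},
]

# Assumed names of identifying cookies and login parameters in the constructed records.
TRACKING_COOKIES = {"ADID", "SESSID"}
LOGIN_PARAMS = {"login", "email", "user"}


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, lower-cased headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def plaintext_identifiers(raw):
    """Identifiers a passive observer can read from one unencrypted request."""
    _method, target, headers = parse_http_request(raw)
    found = set()
    for name, value in parse_qsl(urlsplit(target).query):   # login=... in the URL
        if name.lower() in LOGIN_PARAMS:
            found.add(f"{name}={value}")
    for part in headers.get("cookie", "").split(";"):        # tracking cookies
        name, _, value = part.strip().partition("=")
        if name in TRACKING_COOKIES:
            found.add(f"{name}={value}")
    return found


def audit(observations):
    """Per record: (access point, host, identifiers exposed in the clear)."""
    report = []
    for obs in observations:
        if obs["proto"] == "https":
            # SNI names the host, but every header and cookie is encrypted.
            report.append((obs["ap"], obs["data"], set()))
        else:
            _m, _t, headers = parse_http_request(obs["data"])
            report.append((obs["ap"], headers.get("host", "?"),
                           plaintext_identifiers(obs["data"])))
    return report


def linkable_trails(observations):
    """Identifier -> access points where it was seen in the clear.  Any identifier
    observed at more than one access point links those locations to one user."""
    trails = defaultdict(list)
    for ap, _host, idents in audit(observations):
        for ident in idents:
            if ap not in trails[ident]:
                trails[ident].append(ap)
    return {ident: aps for ident, aps in trails.items() if len(aps) > 1}


if __name__ == "__main__":
    for ap, host, idents in audit(OBSERVATIONS):
        print(f"{ap:16} {host:20} {sorted(idents) or 'nothing exposed'}")
    print("linkable:", linkable_trails(OBSERVATIONS))
```

Run against the constructed records, the audit shows that the only identifier linking two access points is the advertising cookie carried over plaintext HTTP, while the TLS mail session at the library exposes the hostname and nothing else. That is exactly the asymmetry the article describes after the email hardening: the same check run against a site's own traffic tells a developer which identifiers still travel in the clear and must be moved behind HTTPS.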
Creating Technical Vulnerabilities
Individuals, businesses, and governments alike depend on the ability to encrypt data traffic to secure it from prying eyes. In 2006, the National Security Agency (NSA) claimed to have successfully weakened an encryption standard, Dual EC DRBG, which was then approved by the United States’ National Institute of Standards and Technology (NIST). Subsequently, the NSA worked to have the same flawed standards approved by the International Organization for Standardization. CSE, Canada’s pre-eminent authority on communications security, ran the international committees responsible for evaluating and authorizing the proposed flawed algorithm. Some “behind-the-scenes finessing” with the head of CSE occurred, which led to the NSA rewriting the draft and establishing the sabotaged standard as an internationally approved means of encrypting data traffic. In effect, the NSA advanced a deficient encryption algorithm through its national standards body and, subsequently, succeeded in establishing Dual EC DRBG as an international standard with CSE’s assistance.
The result of this ‘finessing’ was the propagation of a known vulnerable mode of data encryption; while there is little evidence the standard was ever widely used, it was integrated into major operating systems and security products. That integration was significant: by changing only the method through which an operating system encrypted data—something computer users would never detect, and few virus scanners were likely to detect—an intelligence agency could decrypt data traffic. At issue, however, was that the algorithm’s weaknesses had been known since 2007: it was not just the NSA and its partners that were aware of Dual EC DRBG’s deficiencies, but every organization that monitored public cryptographic research. Consequently, CSE’s collaboration with the NSA compromised an admittedly little-used cryptographic standard while simultaneously calling into question other cryptographic standards established by NIST and other standards organizations.
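To show why the weakness was recognisable from public research alone, here is an added example (not from the article, and not the NIST specification or any vendor's implementation): a toy Dual EC DRBG over a tiny elliptic curve, following the 2007 observation by Shumow and Ferguson that whoever knows a relation P = e·Q between the standard's two fixed points can regrow a single truncated output into the curve point s·Q, multiply it by e to obtain s·P, and thereby learn the generator's next internal state and every output after it. The curve (p = 1019), the trapdoor value e = 271 and the seed are constructed for the demonstration; the real standard used NIST P-256 with fixed 256-bit points and emitted the low 240 of 256 bits, which changes the sizes but not the algebra.

```python
"""Toy Dual EC DRBG with the Shumow-Ferguson trapdoor.  Constructed parameters only."""

P_MOD = 1019          # prime, and P_MOD % 4 == 3 so a square root is one exponentiation
A = 2                 # curve y^2 = x^3 + A*x + B over F_p; B is chosen below
OUT_BITS = 8          # toy emits the low 8 of ~10 bits (real: low 240 of 256)
MASK = (1 << OUT_BITS) - 1
INF = None            # point at infinity


def is_square(v):
    return v % P_MOD == 0 or pow(v, (P_MOD - 1) // 2, P_MOD) == 1

def sqrt_mod(v):
    return pow(v, (P_MOD + 1) // 4, P_MOD)

def rhs(x, b):
    return (x * x * x + A * x + b) % P_MOD

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def pick_prime_order_curve():
    """Choose B so the group order is prime: every point then generates the group."""
    for b in range(1, P_MOD):
        if (4 * A ** 3 + 27 * b * b) % P_MOD == 0:
            continue                                   # singular curve, skip
        n = 1 + sum(1 if rhs(x, b) == 0 else 2 if is_square(rhs(x, b)) else 0
                    for x in range(P_MOD))
        if is_prime(n):
            return b, n
    raise RuntimeError("no prime-order curve for this p")

B, ORDER = pick_prime_order_curve()

def ec_add(p1, p2):
    if p1 is INF: return p2
    if p2 is INF: return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                     # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def scalar(v):
    """Toy simplification: keep scalars in [1, ORDER-1] so no multiply lands on INF."""
    return v % (ORDER - 1) + 1

def find_point():
    for x in range(1, P_MOD):
        r = rhs(x, B)
        if r != 0 and is_square(r):
            return (x, sqrt_mod(r))

Q = find_point()
TRAPDOOR_E = 271                  # known only to whoever derived P from Q (assumed value)
P = ec_mul(TRAPDOOR_E, Q)         # the published "random" P is secretly e*Q

class ToyDualEC:
    """One round: s <- x(s*P); emit the truncated x(s*Q)."""
    def __init__(self, seed):
        self.state = seed % P_MOD
    def output(self):
        self.state = ec_mul(scalar(self.state), P)[0]
        return ec_mul(scalar(self.state), Q)[0] & MASK

def outputs_from_state(s, n):
    """Outputs the generator emits once its internal state equals s."""
    outs = []
    for _ in range(n):
        outs.append(ec_mul(scalar(s), Q)[0] & MASK)
        s = ec_mul(scalar(s), P)[0]
    return outs

def candidate_next_states(out, e):
    """Regrow the truncated output into points R = s*Q, then x(e*R) = x(s*P)
    is the generator's next state.  Either sign of y gives the same x(e*R)."""
    cands = []
    for high in range(1 << (P_MOD.bit_length() - OUT_BITS)):
        x = out | (high << OUT_BITS)
        if x >= P_MOD:
            break
        r = rhs(x, B)
        if is_square(r):                               # otherwise no point has this x
            cands.append(ec_mul(e, (x, sqrt_mod(r)))[0])
    return cands

def recover_state(observed, e):
    """From consecutive outputs and the trapdoor e, return the internal state from
    which observed[1:] and all later outputs are computed, or None."""
    first, rest = observed[0], observed[1:]
    for cand in candidate_next_states(first, e):
        if outputs_from_state(cand, len(rest)) == rest:  # weed out wrong regrowths
            return cand
    return None

if __name__ == "__main__":
    gen = ToyDualEC(424242)
    seen = [gen.output() for _ in range(4)]
    s = recover_state(seen, TRAPDOOR_E)
    print("observed:", seen, "recovered state:", s)
    print("predicted:", outputs_from_state(s, 9)[3:], "actual:", [gen.output() for _ in range(6)])
```

Nothing here depends on breaking elliptic-curve discrete logarithms: the trapdoor holder simply knows how P was derived from Q, which is why the 2007 analysis could be confirmed by anyone who reimplemented the generator, and why a DRBG whose constants come without a verifiable derivation should be treated as untrusted. The practical check that follows is to confirm that no library or product in use is configured to select Dual EC DRBG, rather than to rely on it having been "little used".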
The reactions to these weaknesses were significant: companies such as RSA and Microsoft began actively removing the Dual EC DRBG standard from their products. But such remediations have limited effect for companies or government agencies that legitimately rely on the standard. Organizations are faced with the choice of modifying their products or processes, or continuing to rely on known vulnerable encryption and thus risking the security of their digital communications. In the case of legacy systems, or where there are large sunk costs, it may be impossible or impractical to move away from the flawed standard without replacing considerable amounts of infrastructure. The result is that some organizations will likely remain vulnerable to third-party espionage by foreign governments and criminals alike for an indefinite period of time.
Moreover, standards organizations were shaken by the revelations because their statuses as trusted partners in establishing cryptographic standards have been called into question. NIST is re-evaluating the roles that the NSA has in evaluating proposed standards. Perhaps most significantly, the trust that NSA, CSE, and other government cryptographic agencies had built up in lending expertise to create secure encryption standards has been weakened, thus limiting their influence in legitimately improving encryption standards. While companies and standards bodies are actively trying to mitigate damage linked with cryptographic standards tampering, they are motivated towards regaining consumer trust and less towards promoting discourse concerning the democratic legitimacy of CSE and the NSA, thereby undermining Canadians’ and Americans’ digital security.
Exploiting Computer Vulnerabilities
It is challenging to positively identify what group or nation-state actor is responsible for infiltrating computer networks or exfiltrating data from networks. Attackers can easily proxy data through servers operating between themselves and their targets making them difficult to identify. Often it takes detailed forensic work to ascertain what criminal gang or nation-state actor is responsible for attacks. Sustained work, over the past several years, has often enabled researchers and government authorities to assert that particular gangs or nations were likely involved in espionage, though such allegations are routinely contested.
It is illegal to infiltrate someone else’s server in Canada and the United States, and both countries have established treaties to facilitate the prosecution of individuals that engage in such computer-related crimes. However, CSE currently runs the LANDMARK system to automate the discovery of vulnerable computer servers that can subsequently be used as launch-pads to attack other servers. CSE analyzes thousands of Internet-connected devices per year to develop large numbers of Operational Relay Boxes that are used to mask CSE’s role in attacking and exfiltrating data from targeted computer devices. In other words, CSE identifies computer infrastructures that have vulnerabilities that can be exploited to subsequently take advantage of these weaknesses rather than defensively attempting to patch vulnerabilities or alert computer device owners that their devices are vulnerable to third-party intruders.
Unlike CSE’s efforts to monitor Canadians’ communications and sabotage encryption standards, its exploitation of computer systems around the world has not met with significant pushback from the technical community: many devices either cannot be patched, or their owners do not realize they are exposed to the Internet, or their administrators are incapable of updating the systems for lack of experience or knowledge. Systems that are identified using LANDMARK do not exclusively belong to foreign governments or perceived foreign threats. Instead, the systems are likely owned and operated by non-threatening actors such as individuals, businesses, and universities around the world. These parties are thus drawn into the world of intelligence gathering as a matter of CSE’s convenience, not because the parties themselves are noteworthy. In addition to preying on parties who are not suspected of wrongdoing or ill intent towards Canada or its allies, CSE exposes those parties to being mistakenly accused of launching the actions that it routes through their systems. Such potential for mistaken identity could lead to legal challenges or other recriminations against the parties that CSE proxies its activities through, with such challenges or recriminations arising from any number of sources. To date, there has not been a public debate to address whether CSE should be hiding behind innocents, nor whether CSE complies with Canadian human rights obligations in indiscriminately targeting non-combatants’ devices in the online environment.
The Solution Must Be Political
Internet companies such as Google and Yahoo! have purportedly begun to fight back by fixing insecure systems; doing so could regain the public trust while minimally interfering with their advertising-based profit margins. Other companies like RSA have deprecated products to regain their customers’ trust. Standards organizations are also re-evaluating the roles that government code-breakers have in establishing encryption standards. While the actions of Google, Yahoo!, and other businesses and organizations have changed the technical landscape of SIGINT, they have not promoted sustained and informed debate of CSE’s actions in Canada.
CSE operates at the direction of the government and, according to the agency’s independent Commissioner, within the confines of the law. Successive Commissioners have, however, acknowledged that CSE’s boundaries need clarification. Despite the Commissioners’ assurances, CSE is facing external legal challenges because of its monitoring of Canadians’ communications. Regardless of the outcome of those challenges, legal decisions will not ensure that Parliamentarians play the role in reviewing the SIGINT organization’s activities that the organization requires in order to demonstrably operate both within the law and with the approval of democratically elected officials.
Parliament and Canadians alike deserve sustained debates meant to address CSE’s democratic deficit, and such debate must strike to the heart of the kinds of activities that CSE ought to engage in. There have been recent suggestions from Parliamentarians on how to make this oversight a reality through the creation of parliamentary committees. Attempts to build committees would benefit from the additional requirement that committee members have Top Secret clearance: CSE, in its recent responses to Parliamentarians, maintains that it cannot provide detailed information about its activities to individuals without such clearance. Thus, if we are to have a Parliamentary review body then its members must be able to receive Top Secret classified information to ascertain whether current activities should be circumscribed for (non-partisan) political reasons.
There remain more basic questions that arguably ought to ground any Parliamentary Committee’s mandate: to what extent must CSE respect human rights? How should human rights obligations limit certain kinds of surveillance behaviour? Is it appropriate to indiscriminately undermine international cryptographic standards and infiltrate innocent people’s computers in the service of conducting state espionage and, if so, to what extent will Canada ignore its human rights obligations in order to conduct state-sanctioned cyber-actions? These are uncomfortable and hard questions that will provoke equally uncomfortable discussions about how Canadians respect and infringe on human rights. These basic questions must be addressed and should form the basis for any committee that reviews CSE in the future.