Collect everything, understand nothing – and possibly break the law: the CSE’s LEVITATION and the GCHQ’s illegal data sharing

As far as mass surveillance is concerned, Canada may not have taken up much of our attention over the past 18 months. Apart from the revelation about a year ago that

Canada’s electronic spy agency [the Communications Security Establishment, or CSE for short] used information from the free internet service at a major Canadian airport to track the wireless devices of thousands of ordinary airline passengers for days after they left the terminal

there has been more concern about the shenanigans of the NSA, for which Snowden worked as a contractor before he blew the whistle, and Britain’s GCHQ which “has often been much more flagrant [than the NSA] in its violations of privacy rights of the world’s citizens“.

Canada, on the other hand, has so far been “described as a junior partner in the Five Eyes spying partnership”. Now, with a new revelation based on documents provided by Snowden of a CSE mass surveillance programme called LEVITATION, that perception may change.

 

LEVITATION, the mass spying programme courtesy Canada’s CSE

As a cooperation between The Intercept and the CBC reveals,

Canada’s leading surveillance agency is monitoring millions of Internet users’ file downloads in a dragnet search to identify extremists.

LEVITATION can monitor downloads in countries across Europe, the Middle East, North Africa and North America. It is evidence that the CSE has built its own global spying programme – and one that potentially rivals similar efforts by the NSA and the GCHQ. Ron Deibert, director of University of Toronto-based Internet security think tank Citizen Lab, calls it an illustration of the “giant X-ray machine over all our digital lives.”

And that isn’t all. “The past 10 days have been a difficult time for Canadians concerned with privacy and civil liberties,” writes Michael Geist in The Star, and goes on to explain why:

Strike one came with new Edward Snowden revelations regarding Canada’s role in the daily tracking of the Internet activities of millions. Strike two was the introduction of Bill C-51, the anti-terrorism legislation, which sparked concern from observers across the country.

Indeed – like governments in the UK and Germany – the Canadian government is pushing for an extension of its security powers and proposing new legislation that would allow “suspects to be detained based on less evidence and let CSIS actively interfere with suspects’ travel plans and finances.” The purported aim of these powers of course being to catch terrorists and prevents acts of terrorism.

However, the LEVITATION programme, whose supposed use in the WAR ON TERROR (PANIC!) is to “identify people uploading or downloading content that could be connected to terrorism – such as bomb-making guides and hostage videos,” shows that the surveillance powers in place are already pretty intimidating.

Under LEVITATION, the up- and downloads of millions of users not suspected of any wrongdoing get swept up in the CSE’s dragnet. The only file sharing sites named in the documents provided by Snowden are “RapidShare, SendSpace, and the now defunct MegaUpload” but there are said to be 102 sites affected in total. As a result

[m]illions of pictures, videos, and other files downloaded online globally are being watched by Canada’s electronic spy agency CSE.

CSE analysts even joke about having to sift through “inevitable episodes of Glee” to get at the content they are really looking for.

Edward Snowden speaking at a World Affairs Conference at Upper Canada College last week, uttered words of warning to the Canadian students in attendance, pointing out that surveillance and security powers of this kind “fundamentally change… the balance of power between the citizen and the state”, thereby posing “a threat to democracy.”

Legal experts are also raising concerns:

The specific uses that they [i.e. the CSE] talk about in [counter-terrorism] context[s] may not be the problem, but it’s what else they can do,” said Tamir Israel, a lawyer with the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic [because] picking which downloads to monitor is essentially “completely at the discretion of CSE.

 

“Hugely intrusive” practices of questionable legality, not to mention ethics

The “hugely intrusive” potential of such programmes became obvious recently when it emerged that

the [British] GCHQ scooped up emails to and from journalists working for some of the largest American and British media outlets, as part of a test exercise (my emphasis).

This is particularly worrying when you consider not only that the GCHQ ranks journalists as a threat of similar proportions to terrorists and hackers, but also that British government officials like Home Secretary Theresa May have previously suggested that journalists reporting on the Snowden materials are “condoning” terrorism. Considering that, the question needs to be asked what exactly constitutes “terrorism” in the eyes of the people using these formidable surveillance powers to combat it.

A similar issue could arise [with regard to LEVITATION], with the eavesdropping service choosing targets outside the terrorism realm… Academics, lawyers, journalists, activists and business people commonly use file-hosting sites as part of their jobs.

 

Collecting the hackers’ “take”: how the agencies exploit the “successes” of hackers

And file sharing sites are not the only sources that the intelligence agencies apparently get material from that can be considered to be “outside the terrorism realm”.

The U.S., U.K. and Canadian governments [may] characterize hackers as a criminal menace, warn of the threats they allegedly pose to critical infrastructure, and aggressively prosecute them, but they are also secretly exploiting their information and expertise,

for example by “by collecting the hackers’ ‘take,’” – i.e. stolen data – to get access to things like emails from the hackers’ targets. These targets include, you may have guessed, “a wide range of diplomatic corps, human rights and democracy activists and even journalists.”

It seems safe to say that surveillance is already being deployed outside the so-called terrorism realm and what is more, the British GCHQ, for one, has previously been reported to have “employed some of the same hacker methods against Anonymous (e.g., mass denial of service) as governments have prosecuted Anonymous for using,” which means that GCHQ is using the same techniques that hackers are being prosecuted for.

 

The Investigatory Powers Tribunal: UK-US surveillance regime was unlawful ‘for seven years’

This in mind, it may not come as much of a surprise that “the UK’s most secretive court [the Investigative Powers Tribunal]” has ruled that

[m]ass surveillance of the internet by the monitoring agency GCHQ has not in the past been conducted within the law

– contrary to what the GCHQ has been claiming for the past 18 months.

Don’t get me wrong here: it shouldn’t come as a surprise that parts of GCHQ’s mass surveillance programmes were found to be illegal, but that doesn’t change the fact that the ruling itself constitutes a landmark which is lauded by Privacy International as (further) vindication of Snowden’s revelations.

Yet, there no reason to get over-excited either. The GCHQ and the British government themselves interpret the ruling – which finds that “[t]he regime that governs the sharing between Britain and the United States of electronic communications intercepted in bulk was unlawful until last year” (my emphasis) – to mean that “the UK’s bulk interception regime is fully lawful” (my emphasis) because the IPT has only “found against the government in one small respect in relation to the historic intelligence-sharing legal regime” (my emphasis).

This “bizarrely positive reaction to the ruling” has prompted online tabloid The Register to quip that “[r]evelations in documents leaked by former NSA sysadmin Edward Snowden accidentally made British spies’ data-sharing relationship with the US NSA lawful by making the secret relationship public, the Investigatory Powers Tribunal ruled.”

Indeed,

The 12-page tribunal judgment in the case brought by Liberty and Privacy International does not rule that the British GCHQ bulk interception programmes were unlawful. But it has ruled that the secret intelligence sharing arrangements between Britain and the US, known as Prism and Upstream, did not comply with human rights laws for seven years because the internal rules and safeguards supposed to guarantee our privacy have themselves been kept secret (my emphasis).

Thus, while the ruling is significant because it “marks the first time since the IPT was established in 2000 that it has upheld a complaint relating to any of the UK’s intelligence agencies” saying “that the government’s regulations were illegal because the public were unaware of safeguards that were in place” privacy campaigners are right to criticise that activities that are now deemed lawful (as opposed to the past seven years) are only so “thanks… to the degree of disclosure Liberty and the other claimants were able to force from our secrecy-obsessed government.”

In other words, had privacy campaigners not brought this to court, the intelligence agencies likely would have continued to conduct their secret illegal activities. Whereas now, it seems as if “[t]he logic… is that it is perfectly fine to spy on people, as long as you tell them about it.

What is more,

the intelligence services retain a largely unfettered power to rifle through millions of people’s private communications – and the tribunal believes the limited safeguards revealed during last year’s legal proceedings are an adequate protection of our privacy.

That’s not necessarily awesome news for anyone who values their privacy. Still, the ruling and efforts by campaigners pushing for stronger oversight have already prompted those of the media who have been doing little but government PR over for the past 18 months to chime that “the current campaign to drag the full scope of GCHQ’s activities into the light threatens to damage that security irreparably.” No surprises there.

Trevor Timm is right when he argues that the IPT ruling “should have huge implications for… many members of the British media, who purposefully ignored the clearly illegal GCHQ mass surveillance program for so long.”

Because what this ruling clearly indicates is that reassurance by the GCHQ that “all of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight” are open to interpretation. Or rather, there isn’t even much room for interpretation because GCHQ’s

framework wasn’t legal – or, at least, it wasn’t until the Snowden documents forced GCHQ to release more information after being dragged into court, thereby creating one.

It isn’t thanks to much of the British media that we now know about this illegal framework.

Thankfully, Liberty plans to take the case to the European court of human rights.

 

LEVITATION: adding to a haystack of mostly irrelevant data, or: sifting through episodes of Glee

In addition to the questionable legality of mass surveillance programmes and Five Eyes data sharing, adding to a vast haystack of data which is already “straining spy agency resources” and using programmes that can “take resources away from targeted data collection of specific threats” will do little good when trying to obtain data that is actually relevant to terrorism investigations.

This is something else that Edward Snowden repeated this in his address to the Canadian conference, telling students that

mass surveillance can actually harm the ability to prevent terrorist attacks while also being detrimental to personal privacy.

The problem with mass surveillance is when you collect everything, you understand nothing.

CSE’s LEVITATION programme is a case in point:

CSE finds some 350 “interesting” downloads each month… a number that amounts to less than 0.0001 per cent of the total collected data.

Importantly,

It is unclear from the document whether LEVITATION has ever prevented any terrorist attacks.

Considering what seems to be its rather limited success, LEVITATION’s scope seems disproportionate.

Here is what else it can do:

LEVITATION “does not rely on cooperation from any of the file-sharing companies” because separate operations can siphon data directly from tapped fibre optic cables (sound familiar? You may remember TEMPORA, the GCHQ’s fibre optic tapping programme).

By sifting out IP addresses and using the information as a search term for other databases – such as GCHQ’s MUTANT BROTH – the CSE can then identify users and reveal associations with other online accounts, for example on social media. For instance by seeing “five hours of that computer’s online traffic before and after the download occurred.” They can also use other Five Eyes databases, like for example the NSA’s MARINA, to go back even further in time – MARINA stores metadata for up to a year.

In the end, the spy agency not only paints a detailed picture of someone’s online life, but can also identify that individual as a new potential suspect.

Similarly, the CSE’s airport WiFi tracking programme that was revealed a year ago collects “so much data [that the CSE] could even track the travellers back in time through the days leading up to their arrival at the airport”, according to experts. If that ain’t scary…

 

A slippery slope: legislation in “times of fear and panic”

Now, the IPT ruling in the UK “has put a question mark against [the] assurance” by the security services that everything they do is legal. Moreover, given the broad scope of programmes like the CSE’s LEVITATION or the GCHQ’s TEMPORA, the question is how much of data from Canadians and Brits ends up in their own foreign intelligence agencies’ dragnets even though – like the foreign intelligence agencies in countries like the US and Germany – the GCHQ and the CSE are both “prohibited by law from targeting [people in their own countries] without a judicial warrant.”

In Canada, the opposition has apparently decided to “to focus on oversight [because of] the weakness of the current system and the absence of any meaningful reforms within the proposed legislation.”

That is important because, as Snowden told students in Canada:

without oversight, governments cannot resist the temptation to use the data which they have collected for “new and novel purposes.”

However, it is perhaps doubtful that mere oversight would be enough to reign in the kind of massive surveillance apparatus built by the Five Eyes partners. Rather, it seems imperative that shortcomings in current legislation are amended and that proposed new legislation be given proper scrutiny before it is implemented. “[P]articularly during… times of fear and panic,” it seems more important than ever that we carefully consider expanding surveillance powers and introducing new anti-terrorism legislation that could have a major impact on people’s civil liberties.

As Snowden said:

Once we let these powers get rolling, it’s very difficult to stop that boulder.

 

More on this…

A video of Snowden’s keynote address to the World Affairs Conference at Upper Canada College is here.

Michael Geist’s insightful explanation of the problems of oversight and the new Canadian anti-terrorism legislation is here.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s