Huffpost Canada ca

CSE Tracks Millions Of Downloads Daily: Snowden Documents

Posted: Updated:

Canada's electronic spy agency sifts through millions of videos and documents downloaded online every day by people around the world, as part of a sweeping bid to find extremist plots and suspects, CBC News has learned.

Details of the Communications Security Establishment project dubbed "Levitation" are revealed in a document obtained by U.S. whistleblower Edward Snowden and recently released to CBC News.

Under Levitation, analysts with the electronic eavesdropping service can access information on about 10 to 15 million uploads and downloads of files from free websites each day, the document says.

"Every single thing that you do — in this case uploading/downloading files to these sites — that act is being archived, collected and analyzed," says Ron Deibert, director of the University of Toronto-based internet security think-tank Citizen Lab, who reviewed the document.

In the document, a PowerPoint presentation written in 2012, the CSE analyst who wrote it jokes about being overloaded with innocuous files such as episodes of the musical TV series Glee in their hunt for terrorists.

CBC analyzed the document in collaboration with the U.S. news website The Intercept, which obtained it from Snowden.

The presentation provides a rare glimpse into Canada's cyber-sleuthing capabilities and its use of its spy partners' immense databases to track the online traffic of millions of people around the world, including Canadians.

That glimpse may be of even greater interest now that the Harper government plans to introduce new legislation increasing the powers of Canada's security agencies. 

Though Canada’s always been described as a junior partner in the Five Eyes spying partnership, which includes the U.S., Britain, New Zealand and Australia, this document shows it led the way in developing this new extremist-tracking tool.

"It's really the first time that a story has been reported that involves [CSE] as the lead agency in a program of pure mass surveillance," said Glenn Greenwald, a constitutional lawyer and journalist with The Intercept, and who has been instrumental in bringing Snowden's information to public attention.

Canada's electronic surveillance service said it cannot comment on the specific program, but added that some of its metadata analysis is designed to identify foreign terrorists who use the internet for activities threatening the security of Canada and Canadians.

Story Continues After Slideshow

12 Things Harper Doesn't Want You To Know About Spying On Canadians
Share this
Current Slide

"CSE is clearly mandated to collect foreign signals intelligence to protect Canada and Canadians from a variety of threats to our national security, including terrorism," agency spokesman Andrew McLaughlin wrote in an email to CBC.

Deibert, at the Citizen Lab, says that on the surface the Levitation program is reassuring, indicating Canada's spies are doing their job, but he adds that the mass surveillance nature of it raises questions.

'A giant X-ray machine'

According to the document, Canada can access data from 102 free file upload sites, though only three file-host companies are named: Sendspace, Rapidshare and the now-defunct Megaupload.

Sendspace told CBC News that "no organization has the ability/permission to trawl/search Sendspace for data," and its policy states it won't disclose user identities unless legally required.

No other file-sharing company responded to CBC requests for comment.

However, the Levitation document says that access to the data comes from unnamed "special sources," a term that in previous Snowden documents seemed to refer to telecommunications companies or cable operators.

It is also unclear which, or how many, of the Five Eyes access information on these uploaded files and whether the companies involved know the spy agencies have this access.

Many people use file-sharing websites to share photos, videos, music and documents, but these cyber-lockers have also been accused of being havens for illegally sharing copyrighted content.

Not surprisingly, extremists also use the online storage hubs to share propaganda and training materials.

To find those files, the document says Canada's spy agency must first weed out the so-called Glee episodes as well as pictures of cars on fire and vast amounts of other content unrelated to terrorism.

Analysts find 350 "interesting download events" each month, less than 0.0001 per cent of the total collected traffic, according to the top-secret presentation.

Surveillance specialists can then retrieve the metadata on a suspicious file, and use it to map out a day's worth of that file user's online activity.

By inputting other bits of information into at least two databases created by the spying partners, analysts can discover the identity and online behaviour of those uploading or downloading these files, as well as, potentially, new suspicious documents.

The Levitation project illustrates the "giant X-ray machine over all our digital lives," says Deibert.

From IP to ID

Once a suspicious file-downloader is identified, analysts can plug that IP address into Mutant Broth, a database run by the British electronic spy agency Government Communications Headquarters (GCHQ), to see five hours of that computer's online traffic before and after the download occurred.

That can sometimes lead them to a Facebook profile page and to a string of Google and other cookies used to track online users' activities for advertising purposes. This can help identify an individual.

In one example in the top-secret document, analysts also used the U.S. National Security Agency's powerful Marina database, which keeps online metadata on people for up to a year, to search for further information about a target's Facebook profile. It helped them find an email address.

After doing its research, the Levitation team then passes on a list of suspects to CSE's Office of Counter Terrorism.

The agency cites two successes as of 2012: the discovery of a German hostage video through a previously unknown target, and an uploaded document that gave it the hostage strategy of a terrorist organization.

It's unclear from the leaked document how long Levitation was operational and whether it is still in use.

CSE says its foreign signals intelligence has "played a vital role in uncovering foreign-based extremists' efforts to attract, radicalize and train individuals to carry out attacks in Canada and abroad." But it offered no specifics about Levitation.

'What else can they do?'

Back in 2012, the spy agency appeared to be assessing the power and accuracy of the Levitation project as compared to other tools in its counterterrorism arsenal.

Though the presentation jokes about filtering out Glee episodes, the issue underscores an increasing problem for spy agencies around the world: how the massive haystack of internet traffic they are collecting is straining spy agency resources.

Projects like Levitation aim to automate part of the process.

But it also causes some people to worry about what these powerful and secretive agencies can do with such an immense store of data at their fingertips.

"The specific uses that they talk about in this context may not be the problem, but it's what else they can do," says Tamir Israel, a lawyer with the University of Ottawa's Canadian Internet Policy and Public Interest Clinic.

National security expert Wesley Wark says the Levitation documents clearly demonstrate the CSE's abilities. But he also warns the tool has the potential to be "hugely intrusive."

A recent story by The Guardian illustrates that potential. The British newspaper revealed that that the GCHQ scooped up emails to and from journalists working for some of the largest American and British media outlets, as part of a test exercise.

The story, based on Snowden documents, says GCHQ has also listed investigative journalists as a "threat" who rank somewhere between terrorists and hackers.

A similar issue could arise here, with the eavesdropping service choosing targets outside the terrorism realm, says Israel.

Academics, lawyers, journalists, activists and business people commonly use file-hosting sites as part of their jobs.

"It's completely at the discretion of CSE essentially what documents to pick," Israel says.

The mass surveillance by Canada's signals intelligence agency also raises questions about the number of Canadians inadvertently caught up in it.

In the Levitation presentation, two anonymous Canadian IP addresses from a Montreal-based data server appear on a list of suspicious downloads around the world. The list also included several from allies and trading partners, including the U.K., U.S., Spain, Brazil, Germany and Portugal.

By law, CSE isn't allowed to target Canadians. Canada's commissioner charged with reviewing the secretive group found it unintentionally swept up private communications of 66 Canadians while monitoring signals intelligence abroad, but concluded there was no sign of unlawful practice.

Canada is supposed to mask the identities of untargeted Canadians scooped up in its surveillance before passing information to its Five Eyes partners and law enforcement agencies.

Deibert says there are "all sorts of grey areas" in how CSE operates, including how long they can retain the data they collect, the volume of the mass collection, the rules around metadata and how this data is shared with spying partners.

"The mission is appropriate," he says. "But is engaging in wholesale mass surveillance the appropriate means to that end? Especially in the context where, in this country, you have very little oversight in any meaningful sense."

CBC is working with U.S. news site The Intercept to shed light on Canada-related files in the cache of documents obtained by U.S. whistleblower Edward Snowden. The CBC News team — Dave Seglins, Amber Hildebrandt and Michael Pereira— collaborated with The Intercept’s Glenn Greenwald and Ryan Gallagher to analyze the documents. For a complete list of the past stories done by CBC on the Snowden revelations, see our topics page. Contact us by email by clicking on our respective names or search for our PGP keys here.

Also on The Huffington Post

Whistleblowers Of Yesteryear
Share this
Current Slide

Suggest a correction