Thursday, 15 August 2019

Did CSEC Actually Track Canadian Airport Travellers?

(Updated: Feb 9, 2014)

On Jan 30, the Canadian tv channel CBC broke a story written by Greg Weston, Glenn Greenwald and Ryan Gallagher, saying that the Communications Security Establishment Canada (CSEC), which is Canada's equivalent of NSA, used airport WiFi to track Canadian travellers - something which was claimed to be almost certainly illegal. This story was apparently based upon an internal CSEC presentation (pdf) from May 2012 which is titled "IP Profiling Analytics & Mission Impacts":



The CSEC presentation about "IP Profiling Analytics & Mission Impacts"
(click for the full presentation in PDF)


However, as is often the case with many of the stories based on the Snowden documents, it seems that the original CSEC presentation was incorrectly interpreted and presented by Canadian television.

The presentation was analysed by a reader of this weblog, who wants to remain anonymous, but kindly allowed me to publish his interpretation, which follows here. Only some minor editorial changes were made.

-----
The CSEC project was not surveillance of Canadian citizens per se but just a minor research project closely allied with the previous Co-Traveller Analytics document. The report was written by a 'tradecraft developer' at the Network Analysis Centre. The method was not 'in production' at the time of the report, though the developer concludes it is capable of scaling to production (real surveillance).

The Five Eyes countries are trying out various analytics that run against cloud-scale databases with trillions of records. Some analytics work well, others don't or are redundant and are discarded. This one worked well at scale on their Hadoop/MapReduce database setup, giving a 2 second response. However, we don't know whether this or any other cloud analytic ever came into actual use.

In this case, CSEC was just running a pilot experiment here - they needed a real-world data set to play with. This document does not demonstrate any CSEC interest in the actual identities of Canadians going through this airport, nor in tracking particular individuals in the larger test city of 300,000 people. While they could probably de-anonymize user IDs captured from airport WiFi (the Five Eyes agencies ingest all airline and hotel reservations with personal ID tagging etc. into other databases), that was not within the scope of this experiment.

Technically however, CSEC does not have a legal mandate to do even faux-surveillance of Canadian citizens in Canada. So they could be in some trouble - it could morph into real surveillance at any time - because the document shows Canadian laws don't hold them back. They should have used UK airport data from GCHQ instead. But there they lacked the 'Canadian Special Source' access to Canadian telecommunications providers.

The pilot study monitored Canadian airports and hotels but the goal was foreign: slide 19 says "Targets/Enemies still target air travel and hotels airlines: shoe/underwear/printer bombs ... hotels: Mumbai, Kabul, Jakarta, Amman, Islamabad, Egyptian Sinai". However, this seems far-fetched: the printer bombs were UPS cargo, not passenger-carried. Would someone shipping cargo even go near the airport, much less check their gMail there? More convenient just to stop by the UPS office in town.

The role of the five companies mentioned in the presentation is not always clear:

The first company mentioned, Quova, does bulk IP geo-location lookup. CSEC passes that result on to their own ATLAS tool, as we saw in the slides about the OLYMPIA program. Given an IP, Quova seems to provide only 5 fields: latitude, longitude, city, country, network operator. The Quova latitude/longitude data shown is not very precise: only degrees and minutes. For comparison, iPhone 4S photo exif metadata provides seconds of GPS lat/long out to six decimal points even with poor tower coverage.

Bell Canada and its ISP portal division Sympatico are mentioned in regards to the unnecessarily redacted IP (a small village west of Hudson Bay, probably just the Baker Lake mine in Nunavut).

Boingo is a post-start-up in the US which is the main WiFi provider to airports and hotels worldwide. Boingo is in some trouble financially, so NSA might have an entry point there, yet the CSEC document makes it sound like they are not particularly cooperative.

Akamai is a very large US company that spreads corporate web site servers around the globe for faster response and DDoS resistance. So when you point your browser at ford.com the packet doesn't go to or come back from Detroit, but rather Akamai intercepts the URL and sends you packets from a local mirror (e.g. Amsterdam) without disclosing that in the URL. CSEC seems to have found that frustrating and of little value.


It goes without saying that Bell Canada is the top suspect if a telecom ISP is providing backbone intercepts. Rogers Communications is the only (implausible) alternative. However all the document says is: "Data had limited aperture – Canadian Special Source ... major CDN ISPs team with US e-mail majors, losing travel coverage" ... "Have two weeks worth of ID-IP data from Canadian Special Source"

At NSA, a Special Source Operation (SSO) refers to a corporate partner, so this is very likely the CSEC counterpart, by context a major Canadian ISP. Here 'aperture' means the corporate partner could only do so much - as soon as the Canadian ISP hands off to Google or Yahoo, CSEC cannot follow the trail any longer. So it is not a large US firm.

I found it strange that the name of the corporate partner was redacted in slide 8. The explanation: news media don't like to mention corporate names in a bad light. Not fear of lawsuits (it's not defamation, slander or libel to just post a government document) but probably fear of advertising revenue loss.

How is CSEC getting their data? I think we can rule out direct radio frequency signal interception here - they have the capability to do this, but it does not scale, not even to a large airport. So it's most likely done through a corporate partner, but which one, where along the network does the intercept occur, and what data fields are recorded?

Let's think about scenarios for data travelling: Boingo receives the initial URL request, passes it off to their ISP Sympatico, who passes it along to the Bell Canada network, where it is routed to Akamai or the ordinary internet, until it is received by the requested website and all its associated ad and image servers, and the usual TCP/IP response occurs, loading the requested web page along with all the auxiliary cookies, beacons, trackers, and widgets.

From "two weeks worth of ID-IP data" it sounds like they are not collecting establishment-of-connection events to the airport WiFi but only collecting when someone actually visits a web site. That's in contrast to cell phone metadata, which also includes attempted and unanswered call events.

But what exactly does the presenter mean by ID-IP? Some people suggest it might be MAC address and IP address in combination. Or user agent device string (device, OS, browser version etc). Others say advertising cookies and cookie chaining, or CSEC might be hacking WiFi to install FinFisher spyware for persistent access. NSA probably owns or partners with several advertising companies and/or buys tracking data wholesale from corporate data aggregators.

I think the analyst muddles terminology here in calling this contact-chaining across air gaps, trying to be trendy. The former has meant going out from an initial individual selector to circles of secondary and tertiary selectors, thus finding different individuals or IPs linked to the first selector, as seen both in NSA usage and in OLYMPIA DNI and DNR chaining. Here, nobody contacts anybody else; the person is fixed, CSEC is just assigning a few travel points to each individual.

The term 'air gap' originally meant an offline computer that could not be exfiltrated; here it just means intermittent online presence at a free WiFi spot, not even sequential because the traveller may not have always used free WiFi spots. Most US travellers would connect via a cell phone accessory to their laptop, i.e. use their cell data provider the minute they got free of the airport. They would be far easier to track via passive cell phone tower than by sporadic WiFi network usage.


The SIGINT collection downside: now everyone is alerted about geo-tracking of movements from global free WiFi site use. So collection now provides a gigantic haystack with no needles. Although, these guys with the fourth grade madrassa educations perhaps remain clueless about snooping techniques.

-----

Security expert Bruce Schneier also concluded that the CSEC presentation is not about tracking Canadian travellers, but actually shows "a proof-of-concept project to identify different IP networks, using a database of user IDs found on those networks over time, and then potentially using that information to identify individual users".

Update:
On his weblog, one of the journalists working on the story for the Canadian broadcaster CBC has now responded to the critical remarks expressed here.


Links and Sources
- Vice.com: How does CSEC work with the world's most connected telecom company?
- Schneier.com: CSEC Surveillance Analysis of IP and User Data
- ArsTechnica.com: More on the wi-fi spy guys
- TorontoSun.com: 'Too early' to tell if spy agency broke any laws, privacy commissioner says
- CBC.ca: CSEC used airport Wi-Fi to track Canadian travellers: Edward Snowden documents
