
Hon. Harjit Singh Sajjan - Address to Security Innovation Network - IT Security Entrepreneurs Forum - 20160420


Good Morning.  Thank you for the warm welcome. I am pleased to be here to speak with you today.  Your forum this week is about innovation in cyber security… A critical topic for everyone here… And for industry, governments and academia around the world.

This morning, I hope to provide some insight on how Canada is approaching evolving challenges in the cyber security world. More importantly, I want to share the vital importance of partnerships and innovation…Of working more closely together.

Innovating to solve complex cybersecurity problems simply cannot be done alone.  And that is why forums such as this are so important.

As you may know, as Canada’s Minister of National Defence, I am in the unique position of having one of Canada’s key security and intelligence agencies reporting to me… the Communications Security Establishment, or CSE.

I will discuss the important role CSE plays in Canada’s cyber security in a couple of minutes.

But first, a little about why cyber is important to me.

I came to my role as Minister of National Defence with a background in security and intelligence.

I have been a police officer in Vancouver, working on organized crime files… I have been deployed internationally to Bosnia and Afghanistan as an officer with the Canadian Armed Forces.

Throughout my police and military career, the security of my colleagues, my country and Canadians has always been top of mind…  And I have learned that secure technology is critical to overall security.

I know what it means to depend on technology… To confidently rely on devices and systems that are not compromised and that keep Canadians and our allies safe.  In my career, my life and the lives of the people I have served with have depended on those secure communications.

Cyber security is not just about security… It is about prosperity... It is about using technology with confidence. Canada is a perfect example.

We are among the most connected countries on earth. Over 85 percent of Canadians are online… more than in any other country in the world.  Three-point-six percent of Canada’s GDP directly depends on the Internet.

Over two hundred Government of Canada services are available online.  Our trade, shipping industry, border control and so many more functions depend on the Internet.

So, while it is hidden from general view, the Internet powers the work of the government as well as almost all Canadian business...  The same is true here in the United States.

It is easy to see how the security of the technology you are working on affects your own citizens.  The citizens of your closest neighbours… And the global community.

And that is one of the reasons I was interested in being here this morning.

As entrepreneurs… true builders… developers… and creative minds behind evolving cyber security technology, you have an insight into the fluid nature of the cyber world, as well as what it takes to stay ahead of threats.

Today, we all face a global security environment that is complex and quickly evolving.  Traditional rivalries persist on the world stage... But non-state actors are also challenging the status quo.

Criminal networks are expanding and fueling bigger strategic threats…  We are witnessing a dangerous interplay of ideological extremism, violence and crime, state failure, regional disorder and humanitarian struggles.

These significant changes and trends are not isolated…  They are crashing into each other… They are creating new and novel security dynamics.

And one of these dynamics is that we are trying to secure something that was not originally designed for the way it is being used today.

I do not think I am telling you anything new when I say that the Internet was designed for open communication by researchers… It was designed in an environment of high trust among the users… It was not designed to be fundamentally secure.

So, the work that we are doing in Canada and many of you are doing is like fitting a square peg in a round hole.  The cyber security industry has valiantly attempted to retroactively fix a system that was originally designed to be open.

And of course, there is a toll on our society and all of our citizens when cyber security is pushed aside to make things easier, faster, and cheaper.

The cyber security risk increases even more as we layer hardware and software in increasingly complicated ways.

Computer technology used to be relatively simple and self-contained.

Today, new technology is built on top of older common components.

These layered technologies are everywhere. And they power the Internet’s networks, servers, mobile devices, industrial control systems and “smart” consumer products.

They also underpin the operations of governments, enterprises, and households across the globe.

And that layering makes it more likely that at least some of the technology is out-of-date. It could be the hardware… the operating system… or software. This means potential vulnerabilities and risk.

And as we all know, a successful attack can affect not just a single computer, network, or enterprise… but huge numbers of Internet stakeholders. This of course, includes governments and industry.

A single vulnerability in one piece of software has the potential to bring down giants.

When looking at the threats and vulnerabilities together, it is a staggering illustration of the potential risk in technology.

Yet, at the same time, we see the incredible impact and benefit that technology has on society. It is changing the way we work. The way we live and play. In fact, it is even changing the way we think.

With all of this at stake, over the last few years the Government of Canada’s cyber thinking has focussed on three key pillars:

First… securing the Government’s cyber systems.

Second… partnering with industry and our provincial governments to secure the vital cyber systems outside of the federal government.

And finally… helping Canadians to be secure online, which is no small feat.

As I mentioned, I am responsible for the Communications Security Establishment. It plays an important role in all three of those pillars.

It lives the cyber security challenge every day.

For close to 75 years, CSE has worked to help protect the safety and security of Canadians and our allies. It works closely with its valued Five Eyes partners… here in the United States… and in Britain, Australia and New Zealand.

CSE has three key roles.

  • It collects foreign signals intelligence;
  • It helps protect the government’s computer networks and information, and networks of importance to the Government of Canada;
  • And it provides technical assistance to our federal law enforcement and security organizations.

For the next few minutes I am going to focus on the second point… helping protect government systems and networks of importance to the Government of Canada.

First, a little bit of history… CSE has been in the business of protecting the Government of Canada’s most important and sensitive information and communications throughout its long history.

The way it has been done has certainly changed over the years. From encrypting radio signals… To securing stand-alone main-frame computers… To keeping Canadian information safe as internet communication and technology has exploded.

That explosion revolutionized how Canadians - and the world - talked to and did business with each other.

In the 90s and 2000s, government departments in Canada built and managed their own IT and communications infrastructure… Their own email systems… Their own data centres.

That created a multitude of individual networks and systems… More than 100 different email systems… More than 300 data centres… All with various levels of security and efficiency.

In the last few years, the people, technology resources, and IT infrastructure assets of 43 federal departments and agencies were brought together under one roof.

This is an enormous transformation for our federal government. And it represents a tremendous opportunity for CSE’s cyber security work, especially when you consider the security of those networks.

We are now able to monitor and help protect the vast majority of the Government of Canada network from a handful of key gateways that CSE is guarding.

So what CSE is helping protect has changed. A handful of gateways instead of hundreds… But how it helps protect has also transformed. In fact, CSE has turned its method of cyber defence on its side.  Simply put, it has innovated.

With its unique abilities, capabilities, and highly skilled staff, CSE focused on the automation of its defence systems. Host and network sensors became the backbone of that system.

Through various automated measures, our network defence systems are detecting… and blocking… millions of malicious cyber activities against Government of Canada systems.

For example, on average, CSE is blocking over 100 million network scans per day on Government of Canada systems.

So things have changed in Canada. A new Canadian government IT structure. Innovative approaches to cyber security. And intelligent real-time systems.

The results?

We can now see the edge of our networks and know exactly what we are protecting…

We are now able to block malicious activity without any impact on the users or the government.  The only impact is on the threat-actor who cannot penetrate our defences.

We have gone from a passive, reactionary stance… to an active, dynamic position.

The impact of all of this cannot be understated. Nor can it allow us to be complacent.

Systems are not invulnerable. Systems are also much more than just technology. Systems include people, processes and procedures.

No system can be perfect.  But this innovative approach has put the Government of Canada in a much better position to address the threats of tomorrow.

With many nation-states… countless cyber-criminals and unknown others taking malicious cyber actions, innovation is more crucial than ever.

But, as I said off the top, innovation in cybersecurity does not… and cannot… happen alone. CSE’s innovative work and the knowledge they are building cannot be confined within its walls.

CSE works with its domestic and Five Eyes partners to share knowledge and awareness of threats with our critical Canadian infrastructure partners. This includes operators and industries, and provincial governments.

But partnership does stop there. We are also working hard to partner with academia. First, to get their insight, and to support cyber research and development…

But also to ensure the skills we need are being taught to our cyber security experts of the future.

These partnerships are essential to providing intelligent cyber security.  Whether it is issues of national security, economic prosperity, or protecting our individual privacy, the one constant is the need for collaborative, innovative cyber security.  No one can do this alone.

We, as a community, are constantly encountering and addressing new threats. Threats which are innovative in their own right.

So we all need to work together to be as innovative as possible to meet… and predict… new threats before they happen.

Organizations like CSE must team up with our partners. And when I say partners, I mean international allies, the private sector, academia, and people like you.

Industry leaders, academia and other key players… All working together to constantly improve… To constantly innovate… And ultimately to ensure that our citizens can use technology with trust and confidence.

This is a commitment that we take seriously.  Work in this area is well underway.

The Government of Canada has been focused on developing strong relationships with the companies that have the largest impact. For example, with Canadian telecommunications companies. It should be fairly obvious why.

There is no single industry in Canada that does not depend on telecommunications technology and systems to conduct its business. Businesses across the energy and utilities sectors… the financial world… the transportation sector… and the health and food sectors rely on secure telecommunications technology for their success.

To build on the work with the telecoms sector, CSE is increasing its sharing of critical information about cyber threats with companies that will have to defend against them.

Specifically, CSE will be taking classified threat information… gathered from a variety of sources… declassifying certain aspects of it, and sharing it.

The result should be timely, useful, and relevant information that can be used to protect networks and systems from the types of increasingly sophisticated attacks we are seeing.

The transfer of technology and knowledge… to and from our industry partners… will result in a better protected, better prepared Canadian society.

There are so many players in the picture when it comes to securing our systems and keeping our countries safe.  A forward-thinking strategy is essential.

And I am not just talking about Governments.  We certainly have a significant role to play, but Governments cannot be the sole entity responsible for cyber security.

As we think to the future, there are many questions we need to ask… And many questions we need to answer.

How can governments, industry and academia work more closely together? Governments do not own the vital cyber systems and infrastructure on which our societies depend.

So how do we improve our ability to identify, report and share cyber threat and other information between all of the players… all in real time?

How do we focus on enhancing the cyber security of our products?

How do we manage the risks that exist within the supply chain?

These are among the questions that we need to think about… And we are thinking about them in Canada. I will be working with my colleague, the Minister of Public Safety, who will be leading a review on how we protect Canada’s critical infrastructure from cyber threats.

In addition, a couple of weeks ago I launched the largest public consultation on defence policy in my country in the past 20 years.

Cyber security is a critical part of defence policy. And it will be a significant item examined as part of this review.

Our government’s reviews of cyber security come at a critical time. Not only because of evolving threats, but because of how important the internet is to our country... Our security… And our economy.

In summary, let me reiterate a few key things.

The evolution of the cyber security world is collectively outpacing our collective ability to protect it.  I have touched on the vulnerabilities that are created when new technology is built on old, out of date technology.

From a protection perspective, and given my background from a military and policing perspective, we cannot protect what we cannot define... Or predict.

With cyber threats constantly evolving and changing, defining and predicting the next generation of cyber threats is incredibly difficult.

So as the cyber security world evolves, and the tools and techniques of cyber-attacks accelerate, we collectively need to find innovative ways to secure and defend against threats.

Threats we have yet to define... Threats we cannot yet see… Vulnerabilities yet to be introduced.

The drive to make cheaper, faster technology cannot be done in isolation. It has to go hand-in-hand with cyber security.  Everyone is at risk if it is not.

Cyber security is one of the biggest challenges our generation faces.  But it is also an opportunity for governments… For industry… For academia.

As we have all seen, failures in the cyber security domain can have huge economic impacts.  The reverse is equally true.

A robust cyber security environment, built by industry, government and academia, has the potential for economic prosperity.

It is government providing safe and secure online services to its citizens… It is companies doing business with customers with confidence and trust... And it is people benefitting from the most modern and secure technology that innovation can offer.

Through innovation and partnerships we can meet this challenge head-on.

On that note, before I close, I would like to take a moment to recognize the outstanding work that CSE employees do every day.

Without their careful protection of our cyber environment, our efforts to innovate through these important partnerships may be fruitless. They keep our cyber security environment safe… they help us prevent the crippling attacks that others may try to make on our system…

…And they often do so without much recognition at all. So I offer them my thanks today, for the critical work they do.

I want to thank you for your attention this morning.  I hope you have a better sense of how Canada is approaching cyber security.

And I hope I have given you a sense of the immense opportunities for innovation between governments, industry and academia. Working together means security and prosperity for our nations… And for our citizens.

Thank you.

 

Encryption technology and the law in Canada - Canadian Bar Association 201603


It’s been four years since then-Justice Minister Vic Toews had to shelve Bill C-30, the cyber-snooping bill that forced one of the Harper government’s rare tactical retreats.

Three years since Edward Snowden peeled back the curtain on the NSA, and forced the Western world to confront the realities of state surveillance.

Two years since documents showed that the Communications Security Establishment (CSE), Canada’s electronic spy agency, had been experimenting with software and hardware to capture data from every traveller passing through Canadian airports.

It’s been just a year since the Harper government tabled Bill C-51, the anti-terrorism legislation that would break down walls on information sharing and open the door to what has been dubbed “total situational awareness.”

And last month, American law enforcement began knocking on Apple’s door to write a backdoor for the iPhone’s encryption protections to help investigators crack the cellphone of the San Bernardino shooters.

Despite this, and growing concerns about security and surveillance, Canadian courts have so far been mostly shielded from these conversations.

Apart from the federal courts — that hear ex parte applications for classified wiretap orders and electronic surveillance mandates — news of the criminal courts tackling issues of technology, encryption, and invasive surveillance techniques is muted.

That’s beginning to change.

While cases dating back to 2014 show that the RCMP were able to exploit certain flaws on some cellphones, recent cases show that the problem is one that defence lawyers are almost certainly going to need to confront in the near future.

In R. v. Kemp — a relatively small marijuana trafficking case — the RCMP seized the accused’s Blackberry in 2013, only to find it almost impossible to crack.

“Over 400 experiments were performed to refine the intricate process for the BlackBerry 9320 between March 2014 and June 2014,” reads a letter from the RCMP referenced in the decision.

It took some six months, from late 2013 to the summer of 2014, for the cops to crack the phone (only to find nothing at all on the device) but the RCMP technology unit nevertheless showed that progress was being made to push the markers back on encryption protection.

In the years following that decision, the goalposts have shifted back and forth, as companies like Research in Motion and Apple have unveiled ever-more sophisticated security measures that simply may not be enough.

David Fraser, a partner at McInnis Cooper, picked up on one case where an accused’s Blackberry — which, as the judge puts it, “has a reputation for being a very secure means of communication,” protected by add-on encryption which “was previously thought to be undefeatable” — was cracked by RCMP technicians who “destroyed this illusion and extracted from this phone 406 e-mails, 25 address book entries and other information all of which had been protected.”

That, Fraser notes on his blog, is a “doozy.”

Though, he notes, not necessarily revolutionary.

“Of course, it could have been defeated by really bad [Operations security], but who knows?”

For Jason Tarnow, who practises criminal defence in British Columbia, the issue came up abruptly in one case.

“I’m in my mid-30s, I like to think that I’m pretty well educated on technology in general,” Tarnow told CBA National.

Still, he landed a case that tested the limits of what case law had experience in. His client, an RCMP officer, was accused of downloading child pornography through the Tor Browser — a Firefox-based web browser that uses onion routing protocol, named as such because of its numerous layers of disguised traffic, that ensures a user’s web history is almost entirely anonymized.

Trouble is there is hardly any jurisprudence on free software that enables anonymous communication.

“I couldn’t find many cases that touched upon it when I was getting ready for the case,” Tarnow says. “Not that it would have helped much.”

Interestingly, the officer didn’t download Tor of his own accord — it was an RCMP training class that had introduced him to the browser, as a means to address the growing police issue of, as RCMP Commissioner Bob Paulson frequently phrases it, “going dark.”

Tarnow, nevertheless, had to introduce Tor to the befuddled courtroom, including the judge — “he caught on pretty good, I thought” — adding “it was such a novel technology for everybody in the courtroom.”

He says that, although his client was convicted, he doesn’t suspect that the judge drew a negative inference simply because his client had the anonymizing application on his computer, nor did it muddy the chain of custody for the offending material.

But his case was just one of many that have been bubbling their way up through the lower courts. He warns suspicion of the privacy software may, however, become a problem in the future.

“Police are going to come across Tor more frequently in their investigations,” Tarnow says. “However, just because people value and protect their online activity with Tor, investigators shouldn't necessarily assume it's there to hide unlawful activity. It could very well be that people don't want the state snooping through their lives any further. I suppose a simple analogy can be: because I lock my front door doesn't mean I'm up to no good on the other side of it. I just don't want others in.”

He goes on to say that PGP and Tor will be something that defence counsel might want to start contemplating, especially as online privacy rights find themselves “eroded,” especially at places like border crossings, where the privileged information found on the phones and laptops of defence counsel could be susceptible to snooping.

“I think everyone, no matter what your profession is, should become more alive to security protections and privacy protections,” Tarnow says. “Because there’s a lot of threat to invade it.”

Documents reveal CSIS wary of Bill C-51 reforms - The Globe and Mail 20160203


Prime Minister Justin Trudeau arrived in Ottawa promising to rein in Canada’s spies. But the bosses at the Canadian Security Intelligence Service want the Liberals to know that “robust” rules already govern their expanding operations – including their controversial, and newly legalized, disruption campaigns.

 

Transition materials that CSIS provided to Public Safety Minister Ralph Goodale highlight some of the challenges from the Bill C-51 controversy last year, when Canadian spying became a political issue. The documents, which were released to The Globe and Mail, show polite CSIS pushback against some of the Liberals’ campaign pledges.

During the election, the governing Conservatives vowed to empower CSIS to fight terrorism, and cited Bill C-51, a new law that vastly increased the agency’s freedom to operate and share information, as proof that they could do it.

The NDP vowed to repeal the law, and the Liberals promised a middle course. On Nov. 4, Mr. Trudeau told Mr. Goodale in a mandate letter he should “work to repeal … the problematic elements of C-51 and introduce new legislation that strengthens accountability.”

A week later, CSIS director Michel Coulombe sent a letter of introduction, and arranged a briefing, telling Mr. Goodale his spy service operates on tight strictures, not arbitrary whims.

“Recent legislation, including an expansion of the Service’s mandate, has of course led to many changes of our policies,” Mr. Coulombe wrote. “Most recently, a robust new framework was established to govern the conduct of threat-reduction activities.”

The letter and related briefing materials were released under the Access to Information Act. On Monday, Mr. Coulombe is to testify before a Parliamentary committee.

“Threat reduction” refers to the most controversial clauses of C-51, which give CSIS disruptive powers to “take measures, within or outside Canada, to reduce the threat” of any forces felt to be dangerous to national security. The law says CSIS intelligence officers cannot harm, kill or sexually assault anyone, but use of the power is otherwise open-ended.

The transition materials show CSIS officials view threat reduction as a large part of their jobs now. They assured Mr. Goodale they do not take their new responsibilities lightly. “Every effort has been made to ensure the responsible exercise … each time the Service exercises its authority.”

CSIS officials said the service lives up to its legal obligations to consult Federal Court judges, or the public-safety minister and his written directives guiding the use of disruptive powers. Internal policies, they added, require further consultation with Mounties, diplomats and the Communications Security Establishment.

“Though CSIS’s authority to investigate and respond is rooted in its own legislation, its actions are not taken in isolation and demand close collaboration with the national-security community,” the documents say. (They do not make clear if CSIS is apprising the federal partners of planned disruptions, or enlisting their help.)

The CSIS Act passed in 1984 reflected a relatively passive federal intelligence-collection agency. Agents had no powers to arrest anyone, or carry guns. Nothing explicitly enabled CSIS officers to interpose themselves in suspects’ lives beyond tapping phones or conducting interviews.

But that began to change, especially after the Sept. 11, 2001, attacks. CSIS operatives started going to places such as Afghanistan and carrying guns. Its leaders testified they started working more closely with police, and doing things that could help prevent terrorism. Some suspects began publicly complaining about CSIS officers aggressively following them or showing up to conduct interviews at workplaces.

C-51 allows CSIS officers to do all this and more. Mr. Coulombe last year told Parliament the bill could facilitate hacking operations – such as meddling with suspects’ smartphones, money movements or travel. The law does not contemplate CSIS ever disclosing such operations to suspects.

The Liberals have never spelled out how they plan to overhaul the C-51 powers. Scott Bardsley, a staffer for Mr. Goodale, said the minister is consulting with security experts for national-security reforms.

The federal government has also promised to create a Parliamentary committee where select MPs would be allowed insights into classified CSIS operations. Most Canadian lawmakers currently know nothing about the specifics of CSIS operations.

Mr. Coulombe says he is aware of a growing political appetite to shine some light on CSIS.

“The Service recognizes the current environment of heightened public interest in national security,” he said in his November letter to Mr. Goodale. He added that as “trust underpins the Service’s ability to be effective, the opportunity to contribute to this discussion is most welcome.”

Rogers and Alcatel-Lucent Proposed an Encryption Backdoor for Police - Motherboard 20160212


As telecom companies prepare for the day when phone calls are counted in megabytes and not minutes, yet another contentious encryption debate is looming: how to secure subscribers' voice conversations, while balancing law enforcement’s need to eavesdrop when needed.

For Canadian telecom company Rogers and equipment maker Alcatel-Lucent (now Nokia), one option was a so-called backdoor, a secret key of sorts that could decrypt otherwise secure communications, and that theoretically only law enforcement could use.

In 2012, the two companies came up with a lawful interception proposal for a next-generation voice encryption protocol, known as MIKEY-IBAKE. The protocol was designed to protect conversations end-to-end—that is, no one sitting in the middle of a call's network connection could eavesdrop on what was being said.

Unless you were law enforcement, that is. For them, there was an exception, a backdoor. But there’s a problem with this scenario: a backdoor for law enforcement has the potential to be exploited by others, which is why, amongst security professionals, backdoors are so vehemently opposed.

"In the US, this has been the debate. Are we going to backdoor communications? We simply haven't had that debate here," said Christopher Parsons, a post-doctoral researcher at the Citizen Lab, which belongs to the University of Toronto’s Munk School for Global Affairs. "It seems as though we have carriers and vendors who are looking for ways to subvert that without bothering to deal with the politicians."

The documents detailing the Rogers and Alcatel-Lucent proposal are related to documents analyzed last month by Steven Murdoch, a Royal Society University Research Fellow in the Information Security Research Group of University College London. Murdoch’s analysis described an encryption protocol related to MIKEY-IBAKE that had been modified—backdoored—by the UK intelligence agency GCHQ.

An excerpt from one of the documents describing Rogers and Alcatel-Lucent's proposal. Image: Screenshot/3GPP

On the one hand, telecom providers have no choice but to opt for stronger encryption (and, to be clear, this is a good thing). At present, "land-line calls are almost entirely unencrypted, and cellphone calls are also unencrypted except for the radio link between the handset and the phone network," wrote Murdoch, in his recent analysis of GCHQ’s backdoored cellular encryption scheme.

On the other, more widespread use of encryption has drawn the ire of law enforcement. The FBI famously described Apple and Google’s efforts to increase user data protections as making evidence go “dark.” And because various jurisdictions—including Canada and the US—include wiretap provisions as a condition of having access to wireless spectrum, employing protections that also stymie law enforcement isn't so cut and dry.

"These lawful intercept requirements are harming security,” Murdoch said in an interview. “They're preventing the deployment of security in order to facilitate surveillance, and that's not really a debate that's been discussed."

The Rogers and Alcatel-Lucent proposal was introduced during a meeting of the 3rd Generation Partnership Project's lawful interception working group in 2012. The 3GPP is an organization that develops standards that dictate how much of the world's cellular infrastructure works, including 4G and LTE (draft documents of the proposal are available on its website, but the final proposal is not).

At that meeting, which was held in Barcelona, Rogers and Alcatel-Lucent proposed an approach to encryption where, instead of protecting communications using a random number generator, the system would use a pre-defined "pseudo-random number generator," or a secret number, that only a telecom provider or network operator would know.

Because all messages would be encrypted using this pre-determined number, anyone that discovered the number could decrypt any message they wanted.

The proposal was described by Parsons and fellow Citizen Lab researcher Andrew Hilts last year, in a report for the Telecom Transparency Project (Parsons is its founder), but received little notice at the time.

"The Rogers/Alcatel-Lucent solution would let a [telecom service provider] either decrypt traffic in real time or retroactively decrypt traffic that had been encrypted using the [pseudo-random number generator]," the pair wrote in their 2015 report on telecommunications surveillance. "As such, their proposal would effectively undermine the core security design decisions that were ‘baked’ into MIKEY-IBAKE."
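The weakness the researchers describe, as an added illustration that is not part of the original article or of the 3GPP documents: when a handset's "random" key-exchange secret is derived from a value the operator holds, a recorded call can be decrypted later from the transcript alone. The toy finite-field Diffie-Hellman exchange, the HMAC-based derivation, the toy stream cipher and all names and sample values are assumptions chosen for illustration; they stand in for, and are not, the MIKEY-IBAKE construction.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption: stands in for the real key exchange).
P = 2**255 - 19
G = 2


def random_exponent() -> int:
    """Ephemeral secret from the OS CSPRNG: nobody can recompute it later."""
    return secrets.randbelow(P - 3) + 2


def escrowed_exponent(operator_secret: bytes, session_id: bytes) -> int:
    """Ephemeral secret derived from a value the operator knows (hypothetical
    construction): deterministic, so it can be regenerated at any time."""
    digest = hmac.new(operator_secret, session_id, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (P - 3) + 2


def public_value(exponent: int) -> int:
    return pow(G, exponent, P)


def session_key(own_exponent: int, peer_public: int) -> bytes:
    shared = pow(peer_public, own_exponent, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def run_call(exponent_source, session_id: bytes, plaintext: bytes) -> dict:
    """Simulate one call and return only what a passive recorder would see."""
    a = exponent_source(session_id)   # near-end handset
    b = random_exponent()             # far end always uses real randomness
    pub_a, pub_b = public_value(a), public_value(b)
    key = session_key(a, pub_b)
    assert key == session_key(b, pub_a)   # both ends agree on the key
    return {
        "session_id": session_id,
        "A": pub_a,
        "B": pub_b,
        "ciphertext": keystream_xor(key, plaintext),
    }


def operator_decrypt(operator_secret: bytes, recorded: dict):
    """Retroactive decryption from a recorded transcript plus the secret.
    Returns None when the handset's value was not produced by the generator."""
    a = escrowed_exponent(operator_secret, recorded["session_id"])
    if public_value(a) != recorded["A"]:
        return None
    key = session_key(a, recorded["B"])
    return keystream_xor(key, recorded["ciphertext"])


# Constructed sample values, not taken from any real system.
OPERATOR_SECRET = b"constructed-operator-secret"
MESSAGE = b"constructed sample call payload"


def demo():
    escrowed = run_call(
        lambda sid: escrowed_exponent(OPERATOR_SECRET, sid), b"call-0001", MESSAGE
    )
    honest = run_call(lambda sid: random_exponent(), b"call-0002", MESSAGE)
    return (
        operator_decrypt(OPERATOR_SECRET, escrowed),  # plaintext recovered
        operator_decrypt(OPERATOR_SECRET, honest),    # nothing to recompute
    )


if __name__ == "__main__":
    print(demo())
```

The two transcripts are indistinguishable on the wire, which is why confidentiality in the escrowed case rests entirely on how well the operator's secret is protected.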

"This should be a public discussion. This shouldn't be something that's buried away in a pretty cloistered standards environment,” said Parsons, who called the proposal “worrying.” Canadian Parliament has yet to engage in the sort of encryption debate currently taking place in the US.

“We're talking about fundamental aspects of how law enforcement interacts with our communications, that the extent to which we can trust the security provided to us by telecommunications providers,” Parsons continued. “And this all comes after Canada has passed numerous legislature that deals with security and surveillance, none of which, to my mind, explicitly clarify whether or not this kind of decryption on the fly would be required."

The encryption protocol proposed by Rogers and Alcatel-Lucent was actually previously rejected by the UK government's spy agency GCHQ for being too difficult to eavesdrop on. Instead, GCHQ proposed an alternate standard, MIKEY-SAKKE, which can be more readily intercepted. The UK government has been promoting adoption of the standard in both government and commercial products.

MIKEY-IBAKE, meanwhile, does not appear to have been implemented. Leonard Pesheck, a spokesperson for Nokia (which recently purchased Alcatel-Lucent), wrote in an email that "the MIKEY-IBAKE proposal we submitted to 3GPP SAE for standardization was not accepted and we therefore did not pursue product plans."

Rogers spokesperson Jennifer Kett also confirmed the company brought forward the MIKEY-IBAKE proposal, but "ultimately that proposal was not adopted."

"As you can appreciate, in order to best protect our customers and as a condition of our licenses, we don’t publicly disclose our security practices," Kett wrote in an email.

If those practices include backdoors, however, it’s only a matter of time before others disclose them first.

Bragga, Matthew - Why Canada isn’t having a policy debate over encryption - The Globe and Mail 20160223

The legal saga between Apple and the FBI has thrust encryption into the government’s policy spotlight again – but only if you live in the United States. In Canada, you could be excused for not knowing such a debate exists.

Ever since FBI director James Comey characterized the rising tide of encrypted data as “going dark” in an October, 2014 speech, American civil liberties groups, cryptographers, private companies and politicians have argued ceaselessly about encryption’s merits and the dangers of so-called backdoors.

While most acknowledge that encryption keeps vast swaths of Internet communication and services secure, there have nonetheless been calls for legislation, “golden keys” and the formation of encryption committees in response to increasingly vocal arguments that encryption is helping criminals and terrorists operate beyond the law’s reach.

Things culminated last week with the FBI’s order that Apple Inc. modify its software to make it easier for law enforcement to break the iPhone’s security protections – modifications that have been characterized as a backdoor for law enforcement, or criminals, to use again and again.

In Canada, however, policy discussions involving encryption and, more largely, police powers in the digital realm – such as cellphone tracking devices and the use of hacking tools – have been “functionally non-existent,” according to Citizen Lab researcher Christopher Parsons.

“We haven’t had the kind of debate and back and forth and public positions taken that you see in the United States, you see in the United Kingdom. We just don’t do it here,” Mr. Parsons said.

Some of the reasons are familiar. There is, for example, a comparatively smaller policy community in Canada that focuses on these issues than there is in the U.S., and a smaller amount of case law – not to mention the fact that previous governments have shown more interest in expanding police powers, rather than curtailing or even detailing them.

And if past U.S. cases are any indication, the government will just as easily benefit by staying out of the debate and piggybacking on the outcome of the FBI’s case.

“They can dodge the debate and benefit from it without having to engage in it,” said Tamir Israel, a staff lawyer with the Canadian Internet Policy and Public Interest Clinic. “And then the other side to that is they often will find quieter ways to get comparable results where they can’t directly piggyback.”

By way of example, Mr. Israel pointed to the Solicitor General’s Enforcement Standards (SGES), which outline 23 technical surveillance standards that must be followed as a condition of obtaining a wireless spectrum licence in Canada. After the U.S. passed lawful surveillance legislation called the Communications Assistance for Law Enforcement Act in the 1990s, Canada used the SGES to quietly introduce similar standards.

Although the standards were introduced in the mid-1990s and updated again in 2008, details were not made public until The Globe and Mail obtained past and current versions of the documents in 2013.

Mr. Israel pointed to a wider problem preventing a successful encryption debate in Canada: a lack of transparency surrounding the government’s position and policies. He raised cellphone tracking technology called Stingrays, or IMSI catchers, as an example. “I personally find it very hard to believe that no law enforcement agencies in Canada are using these. But we can’t even get the debate going, because we can’t get past that first step where any of them admit that they’re using them.”

The RCMP would not comment on Apple’s dispute with the FBI but said in a statement: “International police agencies are all in agreement that some ability to access evidence when judicial authorization is granted is required, recognizing that secure data and communications enables commerce and social interactions in today’s reality. These are complex challenges which the RCMP continues to study.”

The statement continued: “The RCMP encourages public discourse with Canadians as public policy continues to take shape on the issue of encryption.”

The Office of the Privacy Commissioner of Canada said in an e-mail that it was not aware of any government agencies that have proposed backdoors in Canadian companies or Internet service providers, and that it is following encryption discussions “with interest.”

When reached via e-mail, Liberal MP Robert Oliphant, who chairs the standing committee on public safety and national security, wrote that, “while encryption and backdoors are of great concern to a number of people, they have not yet surfaced as issues for our committee in its early days.”

However, he added, the committee is still “sifting through all the important issues of safety and security and will be setting our work plan shortly.”

Public Safety Canada said in a statement that it is “monitoring the ongoing debate in the U.S. and other countries on the issue of government access to encrypted data” and that “no special events related to encryption” are currently planned.

NDP MP and committee vice-chair Brian Masse, echoing Mr. Oliphant’s statement, added that any proposed legislative changes involving encryption or backdoors should be handled democratically and involve both the Privacy Commissioner and Parliament.

Meanwhile, neither the chair nor vice-chairs of the standing committee on industry, science and technology responded to a request for comment.

A small comfort, Citizen Lab’s Mr. Parsons argued, is that Canadian politicians have shown themselves to be more level-headed and avoided the sky-is-falling rhetoric of their counterparts in the U.S., where Senator Dianne Feinstein, who chairs the Senate select committee on intelligence, stated earlier this month that “an Internet connection and an encrypted message application” is all Islamic State militants need to carry out an attack.

If this issue is going to be given some weight, Mr. Parsons suggested, “committee meetings that very seriously look into this while there isn’t a terror moment, it’s the ideal way of going.”

Got a question about spying and driving? Canada's Security Intelligence Review Committee's got you covered

In its 2013-14 Annual Review of the Canadian Security Intelligence Service (CSIS), Canada's Security Intelligence Review Committee (SIRC) remarked that "physical surveillance is extremely difficult to carry out ... surveillance officers are required to observe their targets while managing an often complex and evolving environment ... they must develop extensive area knowledge ... they must execute their skills under pressure and, often, in less than ideal circumstances."

Happily, given the extreme difficulty of carrying out physical surveillance, CSIS's own review in 2011 had authorized "a dedicated manager with adequate staff to coordinate the centralization and standardization ... and modernization to advance overall performance."

In 2013-14, the SIRC was eager to learn "the extent to which CSIS has been successful in making proposed and, arguably, necessary changes to the surveillance program."

Unhappily, the SIRC discovered that "in the absence of a strong central authority to lead the transition within the surveillance programs, regions began implementing changes to their surveillance models according to their own needs and available resources."

While commending the initiative of regional offices, the SIRC was rightly concerned that "it will be much more difficult for CSIS to devise a truly 'national' set of surveillance standards ...  the absence of strong leadership to guide the surveillance program has meant that some of the issues that SIRC views as the most serious remain unaddressed."

Not only was the SIRC apparently concerned that the skills and techniques of physical surveillance might become increasingly uneven across the nation, but it raised an alarm that "the Service does not have legal advice on how provincial laws apply to its surveillance teams."

For example, SIRC found that CSIS failed to provide "a set of national driving standards to guide employees on important daily operational matters, such as the use of communications equipment while driving. Therefore, SIRC recommended that CSIS prioritize the request for legal advice pertaining to its liability under distracted driving legislation across Canada. Furthermore, following receipt of legal advice, CSIS should develop clear and standardized operating procedures outlining the responsibilities of surveillance officers with respect to the performance of their duties and functions while driving."

While the CSIS and the SIRC do not always see eye-to-eye, the two agencies were in complete agreement on this priority. In its response to the SIRC's recommendation, the CSIS advised that "The Service has drafted a request for a legal opinion pertaining to its liability under distracted driving legislation across Canada."

Postscript

The SIRC's 2014-15 Annual Review of the CSIS makes no mention of steps taken to address a spy's liability under distracted driving legislation across Canada.

 

Canada’s hacking power awes Brazilian security expert - The Globe and Mail 20131012

Brazilian security expert Paulo Pagliusi says he is “astonished” by Canada’s hacking power.

He recently spent three hours reviewing the leaked Communications Security Establishment Canada (CSEC) slides on behalf of Brazil’s Fantastico TV program, which broadcast a report last week alleging CSEC spied on internal communications at the Brazilian Ministry of Mines and Energy (MME).

A retired navy officer-turned-chief executive for Procela IT Security Intelligence, a security-intelligence company, Mr. Pagliusi answered questions from The Globe and Mail via e-mail. The exchange has been edited.

You said that you were amazed by the “sheer power” of this attack. Can you expand on why you said this?

I was astonished by the power of these tools to infiltrate the ministry, such as the “Olympia” program from CSEC. I was especially surprised by the detailed and straightforward way in which the process is explained to intelligence agents, and how thoroughly the Brazilian ministry’s communications were dissected.

The leaked documents have also shown how the data gleaned through espionage was shared with an international spy network, named the “Five Eyes.” [An alliance of five English-speaking countries – Australia, Britain, Canada, New Zealand and the United States – to share intelligence and electronic eavesdropping is commonly known as “Five Eyes.”]

How would you describe the nature of the Olympia program?

As a result of using Olympia for infiltrating the ministry over an unspecified period, the CSEC has developed a detailed map of the institution’s communications. As well as monitoring e-mail and electronic communications, the Olympia program screens I have seen in that presentation have shown that CSEC could also have eavesdropped on telephone conversations.

The MME uses an encrypted server. What could CSEC see by getting inside it?

These MME servers use private encryption, for instance, to contact the National Oil Agency, Petrobras, Eletrobras, the National Department of Mineral Production and even the president of the Republic. CSEC could see state conversations, government strategies upon which no one should be able to eavesdrop.

What is the significance of the CSEC metadata maps showing MME communications to Saudi, Jordan, Eritrea, even Canada?

It means that CSEC has mapped a number of communications of the mentioned countries, being able to monitor e-mail and electronic communications and eavesdropping on telephone conversations.

What is the significance of the slide saying CSEC wanted to call in “TAO” for a “man on the side” operation?

Tailored Access Operations (TAO) is a cyber-warfare intelligence-gathering unit of the U.S. National Security Agency.

TAO identifies, monitors, infiltrates and gathers intelligence on computer systems. In my opinion, the author of the CSEC presentation makes the next steps very clear. Among the actions suggested, there is a joint operation with TAO for an invasion known as “Man on the Side.” All incoming and outgoing communications in the network can be copied, but not altered.

It would be like working on a computer with someone looking over your shoulder.

Do you have any theories about what precisely Canada wanted inside the MME servers?

Considering only the documents leaked by Edward Snowden that I have seen, it is not possible to conclude what precisely Canada wanted inside the MME servers.

However, the speculation it could be broad-based economic trend information makes perfect sense to me. In my opinion, specific technology (i.e. “Does Brazil have tech to explore ocean fields that rest of world lacks?”) cannot be found in MME servers.

Slides reveal Canada’s powerful espionage tool - The Globe and Mail 20131019

Security experts say that Canadian intelligence has developed a powerful spying tool to scope out and target specific phones and computers so as to better set up hacking and bugging operations.

The outlines of the technology are contained in the slides of a PowerPoint presentation made to allied security agencies in June, 2012. Communications Security Establishment Canada (CSEC) called the tool “Olympia,” showing how its analysts sifted through an immense amount of communications data and zeroed in on the phones and computer servers they determined merited attention – in the demonstration case, inside the Brazilian Ministry of Energy and Mines.

Within weeks, CSEC figured out who was talking to whom by plugging phone numbers and Internet protocol addresses into an array of intelligence databases. In this way it “developed a detailed map of the institution’s communications,” Paulo Pagliusi, a Brazilian security expert who examined the slides, told The Globe.

The slides are part of a large trove of documents that have been leaked by Edward Snowden, the former contractor with the U.S. National Security Agency (NSA) whose disclosures have set off a debate over whether the agency has improperly intruded on the privacy of Americans. Other disclosures have raised questions about its spying on foreign governments, sometimes with the assistance of allied intelligence agencies.

The Globe and Mail has collaborated with the Brazil-based American journalist Glenn Greenwald, based on information obtained from the Snowden documents. Mr. Snowden, who went into hiding in Hong Kong before the first cache of NSA documents was leaked, has been charged by the United States with espionage and theft of government property. Russia has granted him temporary sanctuary.

Canadian officials declined to comment on the slides. Responding to an e-mail requesting comment on whether Canada co-operated with its U.S. counterpart in tapping into Brazilian communications, CSEC spokesman Andy McLaughlin said the agency “cannot comment on its foreign intelligence activities or capabilities.” Prime Minister Stephen Harper said earlier this month that he is “very concerned” about reports CSEC focused on the Brazil ministry.

Any ability to sift through telecommunications data for specific leads can be valuable for electronic-eavesdropping agencies, especially the capacity to map out – without necessarily listening into – an organization’s Internet or voice communications. This, in turn, can help isolate specific devices for potential hacking operations. By developing “Olympia” as a method for doing just this, Canada added to its spymasters’ toolkit.

The PowerPoint presentation by CSEC was first reported by Brazil’s Fantastico TV program, which earlier reported the NSA spying, in conjunction with Mr. Greenwald. Brazilian officials expressed outrage at the United States, but their criticism of Canada was more fleeting. They say they now intend to put public employees on an encrypted e-mail system.

The CSEC presentation – titled Advanced Network Tradecraft – described a technological reconnaissance mission aimed at the Brazilian energy ministry in April and May of 2012. According to the presentation, the agency knew very little about the ministry going in, apart from its Internet domain name and a few associated phone numbers. The presentation never makes clear CSEC’s intentions for targeting the Brazilian ministry.

The leaked slides also suggest Canada sought to partner with the NSA, with one slide saying CSEC was “working with TAO to further examine the possibility” of a more aggressive operation to intercept Internet communications.

“TAO” refers to “tailored access operations,” said Bruce Schneier, a privacy specialist for the Berkman Center for the Internet and Society at Harvard. “It’s the NSA ‘blackbag’ people.” (A “blackbag job” refers to a government-sanctioned break-and-enter operation – hacking in this case – to acquire intelligence.)

It is not clear whether CSEC or the NSA followed up with other actions involving the Brazilian ministry.

How Does CSEC Work with the World’s Most Connected Telecom Company? - VICE 20140401

Some servers in a data centre, suckin' up your data.

When Glenn Greenwald and Ryan Gallagher worked with the CBC earlier this year to report that CSEC was using free airport WiFi to spy on Canadian travelers (in at least one documented incident), the mainstream media’s interpretation of this news was quietly refuted on an obscure, fascinating blog called Electrospaces, which approaches telecommunications and surveillance from a much more insider-y and technical perspective.

According to the Electrospaces report, the media had largely misinterpreted the significance of CSEC’s airport spying program. It’s not surprising either, given the highly complex nature of basically any surveillance or intelligence presentation that has leaked from the treasure chest of Edward Snowden. They’re written to be opaque, and we’re living through an unprecedented time of unintended intelligence industry transparency.

In a post titled “Did CSEC Really Track Canadian Airport Travelers” written on Electrospaces, Peter Koop, the blog’s founder, published a much different interpretation of the leaks by an unnamed reader. The interpreter writes: “CSEC was just running a pilot experiment where they needed a real-world data set to play with. This document does not demonstrate any CSEC interest in the actual identities of Canadians going through this airport, nor in tracking particular individuals in the larger test town of 300,000 people…

Technically however, CSEC does not have a legal mandate to do even faux-surveillance of Canadian citizens in Canada. So they could be in some trouble—it could morph into real surveillance at any time—because the document shows Canadian laws don't hold them back.”

The post, if you are interested in unpacking the ramifications of the CSEC leaks, is a must-read. Especially since Ronald Deibert, the founder of the Citizen Lab (a University of Toronto thinktank whose mandate is largely to study the intersection between governments and the internet), who the CBC consulted to help interpret the CSEC leaks, commented on the post by writing: “As someone who reviewed the un-redacted documents prior to the CBC publication, and who was unhappy with the story's focus on ‘Free WIFI in airports’ which has spread far and wide, I agree entirely with this analysis.”

One of the key elements that the post examines is CSEC’s cooperation with five different corporations to uncover metadata: Quova (a subsidiary of the American telecom giant Neustar), Bell Sympatico, Boingo (a popular airport WiFi provider), and Akamai (a corporate server company whose actual work is much more complex than this parenthetical will allow).

The relationships between agencies like CSEC and the NSA, and public corporations, are largely unreported. We know that companies like Verizon, Google, Yahoo, and Microsoft have all cooperated with the NSA to some degree, but how do those relationships manifest themselves in Canada?

It’s worth considering the extent that Canadian taxpayer dollars filter into Wall Street, via the purchase of American surveillance equipment and services. In the case of the airport WiFi leak, where surveillance tools were apparently tested on Canadian citizens by CSEC, the importance of this question becomes underlined and bolded. Simply put, the government is maneuvering on a slippery slope when they use taxpayer money to purchase metadata collection services from publicly traded corporations, which can apparently assist in mass surveillance operations.

For now, let's focus on Quova, one of CSEC’s corporate partners, whose parent company Neustar has been called “the most important tech company you’ve never heard of,” because of its huge share in the clandestine market of law enforcement data requests. In 2012, cell phone carriers in the United States answered over 1 million requests for customer information from cellphone carriers, who were forced to turn over “caller locations, text messages and other data for use in investigations.” While similar requests are underreported in Canada, between April 2012 and March 2013, the Canadian Border issued 18,000 requests for customer data that included: “content of voicemails and text messages, websites visited and the rough location of where a cellphone call was made.”

In a post on Neustar’s blog entitled “FAQs About Neustar and Our Assistance to Law Enforcement,” the company addresses a few questions about their cooperation with American authorities. The post explains that Neustar is the central body that helps connect cell phone customers across various carriers and providers. And, in case you’re wondering: “None of Neustar’s wireless carrier clients can, nor does Neustar on their behalf, ‘ping’ or geolocate a handset device at the request of law enforcement.” So, the company can’t track people down in real time. They also state, “we will deny requests for information when the proper documentation is not provided,” so at least the entrance to their vault of customer metadata isn’t a revolving door.

That said, Neustar did not respond to VICE’s requests for comment to discuss their cooperation with Canadian authorities.

Besides the mention of Quova in CSEC’s free airport WiFi document, the company’s name also popped up in documents that outline the highly contentious joint operation conducted by CSEC and the NSA, against the Brazilian Ministry of Mines and Energy. That story originally broke through the Guardian, and Quova’s name appeared a few times in the leaked Olympia program presentation, which seemed to outline Five Eyes spying on Brazil. Given the more aggressive nature of the Brazil leaks, at least compared to the airport snooping plot, Quova was seemingly used to provide agents with IP ranges (to specifically locate Brazilian government computers), geo-location data related to IP addresses (to find out where these computers are in the world, exactly), and anonymizers to mask their economic espionage.

VICE contacted Peter Koop, the founder of Electrospaces, to discuss the relationship between Quova, Neustar, and CSEC. Mr. Koop had this to say: “I only have evidence that CSEC is using the Quova-tool, which is part of the Neustar portfolio now. But as Neustar is providing a wide range of internet registry and traffic monitoring services, it's very well possible that CSEC also uses other tools and services provided by this company.”

Very well possible indeed, especially considering the steps Neustar has taken to position itself as the go-to source for surveillance assistance. While it’s hard to say just how embedded Neustar is in the world of Five Eyes surveillance, Neustar’s 2005 purchase of Fiducianet, a company specializing in Communications Assistance for Law Enforcement Act (CALEA) compliance, was a firm step in this direction.

At the time, Neustar’s CEO Jeff Ganek said this of the Fiducianet purchase: “Through Fiducianet, Neustar is well positioned to address the law enforcement compliance needs of communications service providers.” Ganek continued, “Service providers are legally on the hook to solve this problem. Fiducianet has the platform that solves it. They can do it better and more efficiently than the carriers themselves.”

The service providers Ganek was referring to were likely the telecom companies that Neustar works with, which as of writing total roughly 5,700. So basically, while your cell phone provider is gouging you on roaming and excessive data use, Neustar could be gouging them for their services that help the Bell's, Rogers', and Telus' of the world deal with law enforcement requests.

Evidently, Canada depends heavily on American corporations to help move into a surveillance-friendly future. In an NSA document detailing the relationship between the NSA and CSEC, NSA authors note that due to CSEC’s “limited ability to produce cryptographic devices,” CSEC is “a large consumer of U.S. IA (Information Assurance) products.”

Information Assurance products, like Neustar’s NeuSentry portfolio (which warns clients to “prepare for the worst” when it comes to cybercrime) can either be cloud-based infrastructure security tools, hardware products for integration into existing computer networks, or third-party monitoring services. In short, Neustar sells a shitload of products that help governments and companies stay secure on the interwebs. These products and services are likely a big part of operational expenses at agencies like CSEC. Apparently the Americans are well aware that Canada needs to spend a ton of our funny money on their fancy telecom data collection tools, which means Neustar must be doing quite well—thanks to Canada’s thirst for metadata and cybersecurity.

It certainly sounds as if strengthening partnerships with corporations is a mandate across the Five Eyes spy agencies. The five-year SIGINT (signals intelligence) Strategy plan for the NSA discusses at length the need to develop “embedded, deeply interactive engagements” with what are described throughout as internal/external and public/private partners. This desire to “fully leverage internal and external NSA partnerships,” seems to indicate that growing the corporate network of the Five Eyes spy agencies is a priority—meaning the expansive and mysterious CSEC and Neustar relationship is only a small part of the puzzle.

This quest to strengthen the partnerships between surveillance agencies and their various partners also reared its head in the 2009 National Security Telecommunications Advisory Committee (NSTAC) report, which asked President Barack Obama to focus on three main objectives: the integration of federal cyber-security activities “under a single, central organizing governance structure,” collaboration with industry leaders in order to develop a “legal framework to protect the nation’s critical infrastructure,” and lastly, the nurturing of “strong public/private partnership(s).” Based on that third goal, it’s not surprising to hear that current Neustar President, CEO and Board of Directors member Lisa Hook was appointed to NSTAC in June of 2011 by President Obama.

VICE reached out to CSEC for comment on their relationship with Neustar in particular, and other public corporations in general, but they only offered a non-answer. One of the agency’s spokespeople, Ryan Foreman, told us: “CSE cannot comment on its operations or capabilities and therefore we are unable to respond to your question.”

Right. Well, moving right along then.

On one hand, it can be considered a good thing that third-party operators like Neustar hold the keys to vaults of metadata that telecommunications leave behind; that they operate as a middle-man between law enforcement agencies (LEA) and the telecom providers who can sometimes struggle with processing LEA requests for information. On the other hand, however, we need to know more about the ways in which these profit-focused enterprises handle all of this information.

In Canada, CSEC’s budget for 2013 was $444 million, and is reported to total $829 million in 2014. In the United States the NSA is said to have spent $10.8 billion in 2013—so where does all of this money go?

We know that public corporations like Neustar are active in domestic and international surveillance operations, and also that understanding the nature of these relationships is about as easy as sneezing with your eyes open. But without information on these relationships, we are only left to guess about how the corporate partners of the Five Eyes alliance inform programs and operations and the extent of their profiteering. As noted by Mr. Koop and confirmed by CSEC’s man of few words, Ryan Foreman, this information is closely guarded.

If public, corporate partners assist in shady operations at Canadian airports and throughout Brazilian ministries, then are they also assisting the US government when it flies drones over Yemen, where it’s alleged that electronic metadata analysis replaced human intelligence, and was used to inform and justify a drone strike that killed 12 members of a wedding party?

It doesn’t take an internet-savvy Sherlock Holmes to see that there’s something off about taxpayer money being funneled into a public corporation that assists in dodgy surveillance operations, that sometimes targets those same taxpayers, and may piss off friendly nations like Brazil in the process—all the while operating in a way that must necessarily benefit shareholders.

Public corporations like Neustar have access to what they call “unique, authoritative datasets,” and aim to position themselves as one-stop shops for LEA’s, while remaining beholden to their shareholders and the pursuit of profit above all. In the arena of espionage assistance, this relationship is concerning to say the least.

How rich are the already-wealthy telecom companies getting by way of Canadian tax dollars? Has that tax money ever been used to pay for assistance in surveillance operations conducted against Canadians? Are public corporations selling potentially unreliable data to LEAs in the name of maximizing profits? If so, is this data used to inform programs, like the drone missions, that result in the wrongful death of innocents?

These are big questions that to date remain unanswered.