Canada’s electronic surveillance agency is covertly monitoring vast amounts of Canadians’ emails as part of a sweeping domestic cybersecurity operation, according to top-secret documents.
The surveillance initiative, revealed Wednesday by CBC News in collaboration with The Intercept, is sifting through millions of emails sent to Canadian government agencies and departments, archiving details about them on a database for months or even years.
The data mining operation is carried out by the Communications Security Establishment, or CSE, Canada’s equivalent of the National Security Agency. Its existence is disclosed in documents obtained by The Intercept from NSA whistleblower Edward Snowden.
The emails are vacuumed up by the Canadian agency as part of its mandate to defend against hacking attacks and malware targeting government computers. It relies on a system codenamed PONY EXPRESS to analyze the messages in a bid to detect potential cyber threats.
Last year, CSE acknowledged it collected some private communications as part of cybersecurity efforts. But it refused to divulge the number of communications being stored or to explain for how long any intercepted messages would be retained.
Now, the Snowden documents shine a light for the first time on the huge scope of the operation — exposing the controversial details the government withheld from the public.
Under Canada’s criminal code, CSE is not allowed to eavesdrop on Canadians’ communications. But the agency can be granted special ministerial exemptions if its efforts are linked to protecting government infrastructure — a loophole that the Snowden documents show is being used to monitor the emails.
The latest revelations will trigger concerns about how Canadians’ private correspondence with government employees is being archived by the spy agency and potentially shared with police or allied surveillance agencies overseas, such as the NSA. Members of the public routinely communicate with government employees when, for instance, filing tax returns, writing a letter to a member of parliament, applying for employment insurance benefits or submitting a passport application.
In a top-secret CSE document on the security operation, dated from 2010, the agency says it “processes 400,000 emails per day” and admits that it is suffering from “information overload” because it is scooping up “too much data.”
The document outlines how CSE built a system to handle a massive 400 terabytes of data from Internet networks each month — including Canadians’ emails — as part of the cyber operation. (A single terabyte of data can hold about a billion pages of text, or about 250,000 average-sized mp3 files.)
The agency notes in the document that it is storing large amounts of “passively tapped network traffic” for “days to months,” encompassing the contents of emails, attachments and other online activity. It adds that it stores some kinds of metadata — data showing who has contacted whom and when, but not the content of the message — for “months to years.”
CSE, under its cyberdefence mandate, is allowed to hold on to personal information — email addresses, IP addresses and other identifiers — for up to 30 years, then transfer it to Library and Archives Canada, according to the agency’s own description of its databanks in the federal Info Source publication.
Of the masses of emails the agency was scanning and storing using PONY EXPRESS in 2010, however, only about 0.001 percent of them were deemed to contain potentially malicious viruses. According to the documents, the automated system sifts through them and detects about 400 potentially suspect emails each day — about 146,000 a year. That system sends alerts to CSE analysts, who then can take a closer look at the email to see if it poses any threat. Only about four emails per day — about 1,460 a year — are serious enough to warrant CSE security analysts contacting the government departments potentially affected.
The document says that CSE has “excellent access to full take data” as part of its cyber operations and is receiving policy support on “use of intercepted private communications.” The term “full take” is surveillance-agency jargon that refers to the bulk collection of both content and metadata from Internet traffic.
Another top-secret document on the surveillance dated from 2010 suggests the agency may be obtaining at least some of the data by covertly mining it directly from Canadian Internet cables. CSE notes in the document that it is “processing emails off the wire.”
The data analyzed by PONY EXPRESS can be obtained using deep packet inspection (DPI) technology. Such technology works by observing small portions of Internet traffic known as packets, and matching the information describing each packet against a library of signatures—including known applications, protocols, network activity, and more.
DPI hardware can also flag all Internet traffic destined for a particular IP address, or range of IP addresses, such as those belonging to the Government of Canada. It’s possible that CSE’s EONBLUE program—which is believed to be based on DPI technology—could be the first step in flagging email traffic for further analysis by PONY EXPRESS.
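As an added illustration of the two-stage flow described above (this is example code, not CSE's systems or anything from the documents): a DPI-style filter that first selects packets destined for a protected address range and then matches them against a small signature library, so that only email-protocol traffic is handed to a downstream analyzer. The address ranges, signatures and packets are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder ranges standing in for a protected set of addresses (constructed, not real).
PROTECTED_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Tiny signature library: (name, destination port, payload prefix). Constructed.
SIGNATURES = [
    ("smtp", 25, b"EHLO "),
    ("smtp", 25, b"HELO "),
    ("smtp-submission", 587, b"EHLO "),
    ("http", 80, b"GET "),
    ("tls-clienthello", 443, b"\x16\x03\x01"),
]

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

def destined_for_protected(pkt: Packet) -> bool:
    """Stage 1: flag any packet whose destination falls inside a protected range."""
    addr = ipaddress.ip_address(pkt.dst)
    return any(addr in net for net in PROTECTED_RANGES)

def match_signature(pkt: Packet):
    """Stage 2: classify the packet by port plus leading payload bytes."""
    for name, port, prefix in SIGNATURES:
        if pkt.dport == port and pkt.payload.startswith(prefix):
            return name
    return None

def triage(packets):
    """Return (count of packets to protected ranges, [(index, sig)] of email traffic)."""
    protected, email = 0, []
    for i, pkt in enumerate(packets):
        if not destined_for_protected(pkt):
            continue
        protected += 1
        sig = match_signature(pkt)
        if sig and sig.startswith("smtp"):   # only mail traffic goes downstream
            email.append((i, sig))
    return protected, email

SAMPLE = [  # constructed capture
    Packet("203.0.113.5", "198.51.100.25", 25, b"EHLO mail.example.net\r\n"),
    Packet("203.0.113.7", "198.51.100.80", 80, b"GET / HTTP/1.1\r\n"),
    Packet("203.0.113.9", "192.0.2.44", 25, b"EHLO x\r\n"),
    Packet("203.0.113.11", "2001:db8:1::25", 587, b"EHLO relay\r\n"),
    Packet("203.0.113.13", "198.51.100.25", 443, b"\x16\x03\x01\x00\xc8"),
]
```

Running `triage(SAMPLE)` shows that four packets hit the protected ranges but only the two SMTP sessions are passed on, which is the narrowing step that keeps a "full take" feed from being analyzed in its entirety.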
Since the 2010 documents were authored, it is likely the scale of the domestic data collection has increased. CSE states in the documents that it is working to bolster its capabilities. Under a heading marked “future,” the agency notes: “metadata continues to increase linearly with new access points.”
A CSE spokesman told The Intercept and CBC News in a statement that the agency eventually deletes intercepted Canadians’ emails if they are found to contain no cyberthreat, but would not comment on the number of emails collected, or discuss the period of time for which the messages are retained.