ITB BLOG

CSEC’s airport tracking in support of ‘lawful access’ erodes trust of Canadians

With an estimated 300 spy agency requests for help with domestic investigations, responsibility for sharing data with the “Five Eyes” foreign intelligence network and an oversight mechanism that has been called “flimsy at best,” the Communications Security Establishment Canada (CSEC) has apparently been in a tough situation for many years. And it may all be due to a standard procedure of providing “support to lawful access.”

Recent revelations from yet another Edward Snowden information leak suggest that the signals intelligence agency has stooped so low as to track and investigate users of free Internet access in airports, which is significantly different from incidental eavesdropping. I say track because once captured, their devices’ electronic fingerprints were followed for weeks after they visited the airport, but, perhaps even more ominously, that also allowed the feds to investigate those targets backwards in time, using phone company records.

Those phone company records – of course – constitute private information in our country and the surreptitious tracking of arbitrary individuals is considered illegal here, so, taking the documents at face value, what could have prompted the almost 70-year-old agency created to protect Canadians to allegedly infringe on the rights of individuals?

Authority

According to the CBC, the “only official oversight of CSEC’s spying operations is a retired judge appointed by the prime minister, and reporting to the minister of defence who is also responsible for the intelligence agency.”

So in the absence of oversight we have the following possibilities:

  1. The Snowden documents are a complete or partial fabrication.
    This may be possible, but highly unlikely given their past accuracy, the precision of the content and the insights provided. But theoretically possible.
  2. The CSEC’s response that “no Canadian or foreign travellers’ movements were ‘tracked.’”
    Naturally, the term ‘tracked’ can be interpreted, defined and avoided so the official answer here is not terribly helpful.
  3. The documents allege CSEC’s data collection included only metadata, albeit in sufficient amounts to enable investigative visibility into the activities of thousands of airport visitors. The first part is legally acceptable. The second part, not so much.

Why? Because according to the official explanation, the CSEC is “mandated to collect foreign signals intelligence to protect Canada and Canadians. And in order to fulfill that key foreign intelligence role for the country, CSEC is legally authorized to collect and analyze metadata.”

CSEC chief John Forster recently stated: “I can tell you that we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada. In fact, it’s prohibited by law. Protecting the privacy of Canadians is our most important principle.”

Openness

So if the evidence is real and the goings-on at the CSEC aren’t altogether above board, what could have prompted the venerable agency to overstep its bounds in ways that have been described by the Information and Privacy Commissioner of Ontario as “really unbelievable?” In a recent statement Ann Cavoukian indicated that she was “blown away” by the revelations that could have included her own data, ostensibly given her hectic travel schedule.

This week, the Office of the Federal Privacy Commissioner called upon CSEC to “proactively disclose” its involvement with other agencies, in part because it is becoming clear that Canada’s laws explicitly allow CSEC to offer “technical and operational assistance” to other agencies such as the RCMP and CSIS. And we know that the organization is responsible for sharing collected data with its other “ECHELON” spying partners — the U.S., Britain, New Zealand, and Australia. According to a recent story in the Globe and Mail:

“One issue is whether the various federal agencies use compatible legal standards to collect information: The RCMP and CSIS rely on their officers getting judges to sign off on warrants that allow them to tap a suspect’s phone. Yet CSEC is an electronic eavesdropping agency that operates under unique laws, whose computer scientists warrantlessly spy on foreigners and collect communications in bulk, while being barred from targeting Canadians or people in Canada.”

Accountability

In what seems to be an interestingly coincidental matter of timing, the Toronto Star reported this week that the Canadian Security Intelligence Service (CSIS) is concerned about homegrown terrorist sympathizers becoming a serious security threat and a damaging blemish on Canada’s international image and relations.

Foreign deals notwithstanding, the RCMP and CSIS electronic surveillance requests for CSEC “support to lawful access” average less than 100 per year, but those amount to potentially hundreds of thousands of cases of domestic surveillance. According to the CBC, another leaked document indicated that CSEC:

“Obtained access to two communications systems with more than 300,000 users, and was then able to ‘sweep’ an entire mid-sized Canadian city to pinpoint a specific imaginary target in a fictional kidnapping”

Apparently one reason the CSEC is such an attractive partner for invasive surveillance is their access to advanced “domestic interception of foreign telecommunications (DIFT),” à la NSA. This technique is so powerful that it is suspected of having been used to sidestep the judiciary system. According to the Globe:

Last month, a Federal Court judge who had legally endorsed the DIFT power as a global extension of made-in-Canada warrants renounced parts of his landmark 2009 decision. Judge Richard Mosley wrote that he has since learned that CSEC and CSIS had machinated to keep his court “in the dark” about key facts, so that they could globally keep tabs on Canadian terrorism suspects.

Tools

If indeed the CSEC has access to an arsenal of electronic surveillance tools similar to the NSA’s catalogue of powerful exploits, it is understandable that CSIS and the RCMP would want to be patched into that kind of intel and evidence processing capability. According to the Globe:

The RCMP and CSIS rely on their officers getting judges to sign off on warrants that allow them to tap a suspect’s phone. Yet CSEC is an electronic eavesdropping agency that operates under unique laws, whose computer scientists warrantlessly spy on foreigners and collect communications in bulk, while being barred from targeting Canadians or people in Canada.

But given the kind of access and authority afforded by these agencies, it seems more and more apparent that the CSEC’s apparently skewed mandate is the result of “support to legal access” requests they have no authority to evaluate or reject. This may be why the chorus of commissioners, judges and civil libertarians seems to increasingly demand openness and visibility higher up the chain.

They’re right, of course, because if left unaddressed, these issues may become more than just distant abuses of authority. In the words of Justice Mosley, such surveillance and data sharing practices unlawfully put Canadian suspects in jeopardy by exposing them to the risk they may be “detained or otherwise harmed” by intelligence agencies far more aggressive than Canada’s own.

For the rest of us, the phrase “support to legal access” may just become a trigger for suspicion, which in itself is a further erosion of the trust citizens should be able to have in their government.

Claudiu Popa
http://www.SecurityandPrivacy.ca
Claudiu Popa is a security and privacy advisor to Canadian enterprises, associations and agencies. He is an author, speaker and lecturer. Connect with him on Twitter @datarisk, Facebook, G+ or LinkedIn.
