Now We Know Even More about How the NSA Invades Canada’s Privacy

An aerial photo of the NSA's data centre in Utah, released by the EFF. via WikiCommons.

On Monday, the Washington Post provided a glimpse into the “raw traffic” (content) that the NSA collects from such a recklessly vast amount of individuals, that the regular ol’ non-terrorists whose personal privacy is invaded far outnumber the actual bad guys (or “targets”) that the NSA is trying to squash with their all-knowing spy powers.

In a stunning report, Barton Gellman details how the NSA collects nudie pics, chatlogs, voice chats, and emails from: “Ordinary Internet users, American and non-American alike.” These ordinary individuals represent a much larger slice of the pie than the terrorists, kidnappers, rapists, and other evil doers that the NSA is legally allowed to spy on—after they receive a warrant.

This news should read as highly disturbing for Canadians, who may presume they are immune to NSA spying because of their non-Americanness or non-evilness, but in reality could very well be swept up by the NSA’s Bond villain-esque data-vacuum.

In their report from earlier this week, the Washington Post published a spiffy infographic that breaks down the information they observed through analyzing 22,000 surveillance reports that were produced by the NSA between 2009-2012, and leaked to the paper by Edward Snowden. The graph shows that Canadian IPs and corporations were part of the “identifiers” collected during that time, but the information was “minimized” so that the NSA was allegedly unable to view that private, allied data.

When the NSA talks about the minimization of identifiers belonging to friendly states (like Canada!), it’s to describe a process of automatically preserving the privacy of America’s BFF. So, if a bad guy sent a message to another bad guy that read, “I’m gonna buy a pay-as-you-go phone from Bell Canada so I can prank call Stephen Harper,” it would read as “I’m gonna buy a pay-as-you-go phone from MIN. CA CORP so I can prank call MIN. CA PRIME MINISTER” to an NSA agent on the other end.

This does not mean that the NSA hasn’t recorded the full text of the message which outlines the bad guy’s plan to patronize Bell Canada, then prank call Stephen Harper, but the “distribution of unminimized intercepts is limited by law,” so access to that full text would be somewhat limited. If the NSA thought that prank call was going to be a major threat, they might be able to easily reveal the full text.

The criteria for revealing masked content, however, might be even looser than that. According to Edward Snowden, he had “unusually broad, unescorted access to raw SIGINT [signals intelligence],” which would indicate that the raw data isn’t as locked down as the NSA may want you to think.

While Canadians are allegedly protected from NSA spying as a result of our membership in the Five Eyes spy club (a partnership of surveillance agencies in the US, UK, Canada, New Zealand, and Australia) there appear to be all sorts of ways Canadian data can get swept up, plus, it seems as if the US has had schemes worked out to spy on Five Eyes partners before.

All of this does not even address the very common usage of proxies and other VPNs to mask the true geolocation of an internet user, which would mean that a Canadian using a proxy would not appear to be a Canadian to the NSA. So if you, as a Canadian, use Tor (a popular tool for people who want to avoid internet surveillance) to mask your location while browsing online—you are basically throwing away your “privilege” as a protected user from the NSA’s spy vaccum.

In fact, recent news tells us the NSA basically targets any users of privacy software by default. According to the source code of one of the NSA’s more infamous spy tools, XKeyScore—an absurdly powerful tool that is said to be able to track basically anything a human being does online—the program is designed in such a way that “simply searching the web for privacy tools online is enough to get the NSA to label you an ‘extremist’ and target your IP address for inclusion in its database.”

This is not to mention an even more innocuous method of masking one’s location online—watching TV. As mentioned in the Post article, many North Americans have used IP blockers recently to access certain World Cup streams. Canadians are constantly being blocked out of American, British, and other global web content because of our status as an igloo-loving nation with restricted access to great television.

It seems that once you start playing with your geo-location, the NSA stops caring you’re Canadian.

Even if you don’t use privacy software to keep prying eyes away, or geo-location proxies to watch the soccer game bro! You can still manage to get caught in the web of spies if you are simply in a chat room where an NSA target is present.

Again, from Gellman’s story:

“If a target entered an online chat room, the NSA collected the words and identities of every person who posted there, regardless of subject, as well as every person who simply ‘lurked,’ reading passively what other people wrote.”

While you may think that the odds of finding yourself in a targeted chat room are fairly low, we know now that the NSA has Muslim thinkers on their watch lists, simply because they are Muslim thinkers. In an article published on The Intercept earlier this week, Glenn Greenwald and Murtaza Hussain reported on five Muslims (a former George W. Bush staffer, two professors, an attorney, and a civil rights leader) who made their way onto FBI and NSA watchlists—harkening back to the McCarthy era. With growing jihadist activity coming from Canada, one might imagine that there will be closer attention paid to the Muslims of the great Canadian north.

To further contextualize this trap of being surveilled as a Canadian online, I reached out to Christopher Parsons of the Citizen Lab, who discussed the latest NSA revelations:

“It's apparent that the National Security Agency is collecting significant amounts of information about persons believed to be residing in Canada. And, even when 'minimizing' data about Canadians, that information isn't scrubbed from NSA databases but merely masked.

Intelligence agencies are very good at retaining data for long periods of time and, since they aren't deleting information about Canadians, that means some future law or policy might expand the number of persons or number of uses for 'minimized' Canadian personal information. As long as it resides in a US government database there is the potential that innocent people's data will be used either against them, or against others they know, despite the fact that the data collection and retention was inappropriate in the first place. Moreover, the fact that this data is even retained raises question about whether the American government could, or will, authorize the sharing of Canadians' personal information with additional intelligence agencies or governments elsewhere in the world, thus expanding who has access Canadians' information that is collected by NSA.”

So, even though you may not be concerned about your data being incidentally swept into the NSA’s massive spy network, what happens if you join a politically controversial group like Idle No More and join in on a pipeline protest? Or if you convert to Islam and start attending critical lectures? Would you still be comfortable with the government having a retroactive database of communications from your personal life?

I asked Chris Parsons about the dangers of incidental collection, as it pertains to Canadians, from both the NSA and Canada’s surveillance agency, CSEC. If you’re not familiar with CSEC, very little is known about their activities and practices. But its former chief, John Adams, has said Canadians are “stupid” for posting too much on Facebook. So you can definitely trust them.

“The Canadian government routinely insists that Canadians are not targeted by the Communications Security Establishment Canada (CSEC) though some 'incidental' collection does occur. Where incidental collection demonstrably happens there should be requirements to purge such raw data from signals intelligence databases but, seemingly, the NSA has decided to not do this because analysts never know when data could be important or useful to another of their colleagues. Such 'hold it all, because it might be useful one day' philosophies have been sufficient to incite European courts to strike down European laws that mandate data retention as a violation of basic rights. Moreover, such broad retention schedules mean that so much data is retained as to hinder analysts' abilities to find relevant information amongst a sea of irrelevant information. And finally, the possibility of a 'permanent record' has chilling effects on speech and association and, as a result, damages the abilities and willingness of citizens to exercise their democratic rights.”

In short, if a government collects information about you “incidentally” then shouldn’t they delete it? There don’t appear to be very strict rules against retention of incidentally captured data, and that’s a big problem, for the reasons described above, non-criminals shouldn’t have a “permanent record” simply for using the internet.

Ultimately, just as I have seen with every other online surveillance revelation, there will be an inevitable reaction of: “So what? I have nothing to hide.” But with so much of our communications out there in the cloud, between family members, friends, and lovers, it’s simply unacceptable that all of that can be “incidentally” logged onto a government hard drive for absolutely no reason.

So, hopefully, imagining your sexts being stored in Ottawa or Utah will give you the heebie jeebies feeling that should tell you the system is out of control.

@patrickmcguire