Tech by VICE

Spies Know What You're Downloading on Filesharing Sites, New Snowden Docs Show

A program called LEVITATION monitored users of file sharing websites such as Rapidshare and the now-defunct Megaupload for suspicious activity.

by Matthew Braga
Jan 28 2015, 1:40pm

The program, code named LEVITATION, is based on newly released documents obtained by NSA whistleblower Edward Snowden. Photo via Theen Moy/Flickr

Canada's electronic spy agency has been operating a massive global surveillance operation that targets users of popular file sharing websites, according to a new report published early Wednesday morning by The Intercept and CBC.

The program, code named LEVITATION, is based on newly released documents obtained by NSA whistleblower Edward Snowden. It was created by Canada's Communications Security Establishment (CSE) to identify and locate users around the world who access files such as "Jihadist propaganda" or bomb-making guides on file sharing websites such as Rapidshare and the now-defunct Megaupload.

According to the documents, CSE analysts "see about 10-15 million" uploads and downloads each day, but only "350 interesting download events per month," which amounts to less than 0.0001 percent of all events.

Presentation slide from documents obtained by The Intercept from whistleblower Edward Snowden. Photo: CBC and The Intercept

The information is contained within a PowerPoint presentation that dates from 2012. However, it is not clear for how long LEVITATION has existed, whether it is still in use, and which of Canada's partner agencies—a group that includes the US, Britain, New Zealand and Australia, and is known as the Five Eyes—also had access to the program.


The codename previously appeared in a separate Snowden document that also dates from 2012, and was published in 2013 by The Globe and Mail, describing CSE's OLYMPIA program. OLYMPIA refers to the agency's "Network Knowledge Engine," which combines data from various CSE surveillance programs and databases—including LEVITATION—for analysis and targeting.

Once LEVITATION has identified a suspicious user uploading a file to, or downloading a file from, one of the agency's targeted websites, CSE analysts can use that user's IP address in conjunction with other surveillance databases to retrace their past activity online. For example, the document also references a program operated by British electronic spy agency GCHQ called MUTANT BROTH. The program stores billions of intercepted cookies, "which it uses to correlate with IP addresses to determine the identity of a person," according to a previous report by The Intercept.


"CSE is clearly spying on the private online activities of millions of innocent people, including Canadians, despite repeated government assurances to the contrary," said David Christopher, spokesperson for the Canadian internet policy advocacy group OpenMedia, in a statement. "Law-abiding Internet users who use popular file hosting services are now finding themselves under the government's microscope."

This time last year, another CSE document was released detailing the agency's efforts to identify targets who connected to public WiFi hotspots, and track their past and future movements worldwide. The program was trialled at a major Canadian airport, and similarly criticized for its indiscriminate collection of user data.

However, it appears that CSE received at least two successful pieces of intelligence from LEVITATION, according to the documents—in one instance, "a German hostage video from a previously unknown target," and the hostage strategy of a terrorist organization.

"It's really the first time that a story has been reported that involves CSE as the lead agency in a program of pure mass surveillance," Glenn Greenwald, a reporter with The Intercept, told the CBC.

Where is all this data coming from?

Rather than monitor each file sharing company individually, the documents hint at a "special source" known only by the codename ATOMIC BANJO, which is responsible for the collection of "HTTP metadata" from 102 known file sharing sites (Sendspace, Rapidshare, and the now-defunct Megaupload are the only three identified by name).

"'Special Source' typically refers to access to corporate data stores, or corporate data flows, so ISPs or data centers or something like that. Trans-atlantic cables," said Christopher Parsons, a postdoctoral fellow at the Citizen Lab, which studies surveillance and other digital policy issues within the University of Toronto's Munk School of Global Affairs. "Access is predicated on either contractual term or a monetary payment or something of that nature. Which is to say that someone or some individuals within the special source organizations are aware of what's going on."

One example is the NSA's relationship with AT&T and Verizon in the US, where the two companies were complicit in handing over customer data.

Indeed, "Special Source" has often been used by Five Eyes intelligence agencies in previous Snowden documents as a codename for access to global communications infrastructure, such as fibre-optic cables. For example, one NSA document describes a program called RAMPART, which relies on "Special Source Operations," and whereby "Foreign Partners provide access to cables and host U.S. equipment … for transport, processing and analysis."

According to a report by The Guardian in 2013, a GCHQ program called Tempora has the ability to store "huge volumes of data drawn from fibre-optic cables for up to 30 days so that it can be sifted and analysed."

A slide from a document obtained by Edward Snowden, and published by Der Spiegel earlier this month. Photo: Der Spiegel

As for CSE, a document released by German newspaper Der Spiegel earlier this month describes a "cyber threat detection platform" called EONBLUE. According to the document, EONBLUE had been under development for over eight years as of November 2010—the date the document was published—and is made up of over 200 sensors deployed across the globe using "collection programs including SPECIALSOURCE."

What makes EONBLUE significant, said Parsons, is that we now know "Canada has sites around the world. And based on previous documents around special source operations, we quite often see large volumes of data being accessed. So it's possible that EONBLUE is similarly used to access large quantities of data."

One of EONBLUE's capabilities is the collection of metadata. It is not clear whether the metadata collected from ATOMIC BANJO is related to the metadata produced by EONBLUE.

"It's certainly possible, but there's no definitive evidence, that would indicate a direct correlation," Parsons said.

According to CSE spokesperson Ryan Foreman in an emailed statement, "CSE's foreign signals intelligence has played a vital role in uncovering foreign-based extremists' efforts to attract, radicalize, and train individuals to carry out attacks in Canada and abroad. In accordance with the law, CSE's foreign intelligence and cyber defence activities are focused on foreign entities to protect Canadians against threats, including terrorism and cyber-attacks."

The agency did not address questions about LEVITATION, and whether the program is still in use.