9 February 2014

Analysis Indicates Recent CBC Story About Canadian SIGINT Agency Spying on Travellers Incorrect

By Peter Koop
electrospaces.blogspot.com

February 6, 2014

Did CSEC really track Canadian airport travellers?

On January 30, the Canadian television channel CBC broke a story written by Greg Weston, Glenn Greenwald and Ryan Gallagher, saying that the Communications Security Establishment Canada (CSEC), which is Canada’s equivalent of NSA, used airport WiFi to track Canadian travellers - something which was claimed to be almost certainly illegal. This story was apparently based upon an internal CSEC presentation (pdf) from May 2012 which is titled “IP Profiling Analytics & Mission Impacts”:

The CSEC presentation about “IP Profiling Analytics & Mission Impacts”

However, as is often the case with stories based on the Snowden documents, it seems that the original CSEC presentation was incorrectly interpreted and presented by Canadian television.

The presentation was analysed by a reader of this weblog, who wants to stay anonymous, but kindly allowed me to publish his interpretation, which follows here. Only some minor editorial changes were made.

The CSEC project was not surveillance of Canadian citizens per se but just a small research project closely allied with the previous Co-Traveller Analytics document. The report was written by a ‘tradecraft developer’ at the Network Analysis Centre. The method was not ‘in production’ at the time of the report though the developer concludes it is capable of scaling to production (real surveillance).

The Five Eyes countries are trying out various analytics that work on cloud-scale databases with trillions of files. Some analytics work well, others don’t or are redundant and are discarded. This one worked well at scale on their Hadoop/MapReduce database setup, giving a 2 second response. However, we don’t know whether this or any other cloud analytic ever came into actual use.

In this case, CSEC was just running a pilot experiment here - they needed a real-world data set to play with. This document does not demonstrate any CSEC interest in the actual identities of Canadians going through this airport, nor in tracking particular individuals in the larger test town of 300,000 people. While they could probably de-anonymize user IDs captured from airport WiFi (the Five Eyes agencies ingest all airline and hotel reservations with personal ID tagging etc. into other databases), that was not within the scope of this experiment.

Technically however, CSEC does not have a legal mandate to do even faux-surveillance of Canadian citizens in Canada. So they could be in some trouble - it could morph into real surveillance at any time - because the document shows Canadian laws don’t hold them back. They should have used UK airport data from GCHQ instead. But there they lacked the ‘Canadian Special Source’ access to Canadian telecommunication providers.

The pilot study monitored Canadian airports and hotels but the goal was foreign: slide 19 says “Targets/Enemies still target air travel and hotels airlines: shoe/underwear/printer bombs … hotels: Mumbai, Kabul, Jakarta, Amman, Islamabad, Egyptian Sinai”. However, this seems far-fetched: the printer bombs were UPS cargo, not passenger-carried. Would someone shipping cargo even go near the airport, much less check their gMail there? More convenient just to stop by the UPS office in town.

The role of the five companies mentioned in the presentation is not always clear:

The first company mentioned, Quova, does bulk IP geo-location lookup. CSEC passes that outcome on to their own ATLAS tool as we saw in the slides about the OLYMPIA program. Given an IP, Quova seems to return only five fields: latitude, longitude, city, country, network operator. The Quova latitude/longitude data shown is not very precise: only degrees and minutes. For comparison, iPhone 4S photo exif metadata provides seconds of GPS lat/long out to six decimal points even with poor tower coverage.

Bell Canada and its ISP portal division Sympatico are mentioned with regard to the unnecessarily redacted IP (a minor settlement west of Hudson Bay, probably just the Baker Lake mine in Nunavut).

Boingo is a post-start-up in the US which is the main WiFi provider to airports and hotels worldwide. Boingo is in some trouble financially, so NSA might have an entry point there, yet the CSEC document makes it sound like they are not especially cooperative.

Akamai is a very large US company that spreads corporate web site servers around the globe for faster response and DDoS resistance. So when you point your browser at ford.com the packet doesn’t go to or come back from Detroit, but rather Akamai intercepts the URL and sends you packets from a local mirror (e.g. Amsterdam) without disclosing that in the URL. CSEC seems to have found that frustrating and of little value.

It goes without saying that Bell Canada is the top suspect if a telecom ISP is providing backbone intercepts. Rogers Communications is the only (implausible) alternative. However all the document says is: “Data had limited aperture – Canadian Special Source … major CDN ISPs team with US email majors, losing travel coverage” … “Have two weeks worth of ID-IP data from Canadian Special Source”

At NSA, a Special Source Operation (SSO) refers to a corporate partner, so this is very likely the CSEC counterpart, by context a major Canadian ISP. Here ‘aperture’ means the corporate partner could only do so much - as soon as the Canadian ISP hands off to Google or Yahoo, CSEC cannot follow the trail any longer. So it is not a big US firm.

I found it odd that the name of the corporate partner was redacted in slide 8. The explanation: news media don’t like to mention corporate names in a bad light. Not fear of lawsuits (it’s not defamation, slander or libel to merely post a government document) but probably fear of advertising revenue loss.

How is CSEC getting their data? I think we can rule out direct radio frequency signal interception here - they have the capability to do this, but it does not scale, not even to a large airport. So it’s most likely done through a corporate partner but which one, where along the internet does the intercept occur, and what data fields are recorded?

Let’s think about scenarios for data travelling: Boingo receives the initial URL request, passes it off to their ISP Sympatico, who pass it along to the Bell Canada network, where it is routed to Akamai or the usual internet, until it is received by the requested website and all its associated ad and image servers, and the usual TCP/IP response occurs, loading the requested web page along with all the auxiliary cookies, beacons, trackers, and widgets.

From “two weeks worth of ID-IP data” it sounds like they are not collecting establishment-of-connection events to the airport WiFi but only collecting when someone actually visits a web site. That’s in contrast to cell phone metadata which also includes attempted and unanswered call events.

But what exactly does the presenter mean by ID-IP? Some people suggest it might be MAC address and IP address in combination. Or user agent device string (device, OS, browser version etc). Others say advertising cookies and cookie chaining, or CSEC might be hacking WiFi to install FinFisher spyware for persistent access. NSA likely owns or partners with several advertising companies and/or buys tracking data wholesale from corporate data aggregators.

I think the analyst muddles terminology here in calling this contact-chaining across air gaps, trying to be trendy. The first has meant going out from an initial individual selector to circles of secondary and tertiary selectors, thus finding different individuals or IPs linked to the first selector, as seen both in NSA use and in OLYMPIA DNI and DNR chaining. Here, nobody contacts anybody else; the person is fixed, CSEC is just assigning a few travel points to each individual.

The term ‘air gap’ originally meant an offline computer that could not be exfiltrated; here it just means intermittent online presence at a free WiFi spot, not even sequential because the traveller may not have always used free WiFi spots. Most US travellers would connect via a cell phone accessory to their laptop, i.e. use their cell data provider the minute they got free of the airport. They would be far easier to track by passive cell phone tower than by sporadic WiFi internet usage.

The SIGINT collection downside: now everyone is alerted about geo-tracking of movements from global free WiFi site use. So collection now provides a gigantic haystack with no needles. Then again, given these guys’ 4th grade madrassa educations, maybe they remain clueless about snooping techniques.

Security expert Bruce Schneier also concluded that the CSEC presentation is not about tracking Canadian travellers, but actually shows “a proof-of-concept project to identify different IP networks, using a database of user IDs found on those networks over time, and then potentially using that data to identify individual users”.

Links and Sources

- Lux ex Umbra: More on the wi-fi spy guys