CSEC's collection of metadata shows ability to 'track everyone'

Recent allegations about domestic spying by one of Canada’s security agencies have inspired a great deal of confusion about metadata, and whether it's as harmless as the security establishment says it is.

Eavesdropping agency collecting more than just 'data about data'

John Forster, head of the Communications Security Establishment Canada (CSEC), has said that his agency does not snoop on Canadians. (Fred Chartrand/Canadian Press)

Recent allegations about domestic spying and the collection of "metadata" by one of Canada’s security agencies have inspired a great deal of confusion about the precise nature of the surveillance.

John Forster, head of the Communications Security Establishment Canada, appeared before the Senate security and defence committee Feb. 3 and answered questions about a CBC report that said CSEC had used airport Wi-Fi to follow the movements of Canadian travellers.

CSEC is supposed to monitor only foreign communications for intelligence that may be of interest to Canada. The agency has said it does not spy on Canadians nor anyone in Canada.

In this particular case, Forster denied that CSEC had snooped on Canadians, saying the agency had accessed airport Wi-Fi to capture “a snapshot of historical metadata.”

When asked to clarify the importance of metadata, Prime Minister Stephen Harper’s national security adviser explained it simply as "data about data."

Here’s a closer look at the contentious issue of metadata.

What is metadata?

The explanation that metadata is “data about data” is mostly right, says David Lewis, a global security advocate for network hosting and service provider Akamai Technologies. It’s information about the digital envelope that carries specific correspondences over a network, he says. 

This can include phone numbers, the length and time of calls, email addresses and internet routing information. The metadata is the information about a specific communication, but it doesn’t reveal the substance of the communication itself.

Do average web users even notice it?

In his book Black Code: Inside the Battle for Cyberspace, author Ron Deibert writes that “we rarely experience metadata directly, as it is buried in instructions and communications several layers below our interactions with our devices.”

Metadata may not be readily apparent, but for an average internet user, it just takes a bit of digging to find it. When you download a song from iTunes, for example, the file will contain details about the artist, album, date of the recording and copyright information, which can usually be found simply by right-clicking on the file.

As Deibert points out, metadata will also become visible any time you upload an image to a site such as Flickr, where you might notice that the image contains information about the model of camera used to take the picture, the time it was taken and the geographical coordinates of where it was shot.

The most controversial type of metadata is the information attached to phone calls and emails. A smartphone can contain information about the date and time of the communication, the number of both the caller and the receiver, their respective geographic locations and the amount of data transmitted.

This information is shared every few seconds, as the smartphone sends out a signal to the nearest Wi-Fi hotspot or cellphone tower in order to establish the most stable connection for the device.

As Deibert writes, “Average users may have thousands of data points like these collected from them every day as they communicate through cyberspace.”

So what’s the problem?

While the CSEC insists that it is not listening in on actual conversations, Akamai’s David Lewis thinks that the gathering of metadata is even more invasive.

“For some reason [consumers] seem to think it’s OK that they’re sharing metadata, but I’m sorry, that’s an awful lot of information about a phone call without the context of the call,” says Lewis.

Without even looking at the substance of a phone call or email, surveillance agencies such as the CSEC, the National Security Agency in the U.S. and Britain's GCHQ have the ability to track your movements, as well as map out a network of your interactions. This could be far more incriminating than something you might have expressed in a phone call or email, Lewis says.

As a sign of how valuable metadata is to the surveillance community, GCHQ has used metadata found in a 2011 NSA sweep of millions of text messages to gather info on the movements, contacts and financial transactions of a large number of British citizens, according to a document leaked by NSA whistleblower Edward Snowden.

While these individuals weren't even targeted for surveillance, the NSA and GCHQ were able to use metadata such as missed-call alerts or texts sent with international roaming charges to see who people were calling, when they crossed a border and when they made an electronic bank withdrawal.

Taken together, all this metadata has the potential to provide the security establishment with a fairly comprehensive picture of a person's life, says Lewis.

While being able to see a network of communications between disparate people could lead to the capture of a potential terrorist, it could also ensnare an innocent individual, Lewis adds.

“They can say, ‘Well, you talked to this person, who talked to this person, who talked to this person, who talked to this person, who talked to that person – obviously, you must be connected.’ And it’s like, it doesn’t work that way.”

What is CSEC's rationale?

According to its mandate, CSEC is not allowed to target the private communications of Canadians. The agency is able to gather metadata, however, because it does not deem this information a private communication.

Ann Cavoukian, Ontario's privacy commissioner, thinks the law needs to be updated to include metadata.

It is "a fiction" to say that the National Defence Act authorizes metadata, since the law makes no specific reference to metadata, Cavoukian told Evan Solomon, host of CBC News Network's Power & Politics.

"It's an interpretation — the way I interpret it, any interception is not permitted."

Lewis says the collection of metadata is part of the Canadian security establishment’s growing ability “to track everyone, anywhere, anytime.”