By Greg Weston, Glenn Greenwald, Ryan Gallagher
Jan 31, 2014
A top secret document retrieved by U.S. whistleblower Edward Snowdenand obtained by CBC News shows that Canada’s electronic spy agency used information from the free internet service at a major Canadian airport to track the wireless devices of thousands of ordinary airline passengers for days after they left the terminal.
After reviewing the document, one of Canada’s foremost authorities on cyber-security says the clandestine operation by the Communications Security Establishment Canada (CSEC) was almost certainly illegal.
Ronald Deibert told CBC News: “I can’t see any circumstance in which this would not be unlawful, under current Canadian law, under our Charter, under CSEC’s mandates.”
The spy agency is supposed to be collecting primarily foreign intelligence by intercepting overseas phone and internet traffic, and is prohibited by law from targeting Canadians or anyone in Canada without a judicial warrant.
As CSEC chief John Forster recently stated: “I can tell you that we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada.
“In fact, it’s prohibited by law. Protecting the privacy of Canadians is our most important principle.”
But security experts who have been apprised of the document point out the airline passengers in a Canadian airport were clearly in Canada.
CSEC said in a written statement to CBC News that it is “mandated to collect foreign signals intelligence to protect Canada and Canadians. And in order to fulfill that key foreign intelligence role for the country, CSEC is legally authorized to collect and analyze metadata.”
Metadata reveals a trove of information including, for example, the location and telephone numbers of all calls a person makes and receives — but not the content of the call, which would legally be considered a private communication and cannot be intercepted without a warrant.
“No Canadian communications were (or are) targeted, collected or used,” the agency says.
In the case of the airport tracking operation, the metadata apparently identified travelers’ wireless devices, but not the content of calls made or emails sent from them.