TORONTO – Canada’s electronic spy agency collects and stores millions of emails sent to the government to check for malware and suspicious links, according to documents obtained by NSA whistleblower Edward Snowden. But experts are concerned about the scope of the surveillance.
The top-secret documents – obtained by Snowden and published by CBC in collaboration with U.S. news site The Intercept – reveal Communications Security Establishment (CSE) analysts comb through hundreds of thousands of emails a day and store details about those emails for “days to months.”
According to the CBC report, the emails are collected to protect the government from hackers, cyber criminals and enemy states.
The article notes that CSE says “specific communications” are examined if they are “suspected to relate to a cyber-threat that could harm government of Canada systems and networks.”
What emails are being collected?
Any messages sent to a government email address. That means anyone who has applied for a passport, or simply emailed their local MP is affected.
Just how many emails are we talking about?
According to the documents, CSE collected about 400,000 emails to the government each day. However, the documents date back to 2010 – and, as the report pointed out, the volume of emails government bodies receive each day has likely increased.
CSE also extracts metadata from the messages – revealing who sent it, when and where.
The documents also reveal CSE scans messages using a tool code-named “PonyExpress” to find any suspicious links or attachments.
About 400 potentially suspicious emails are flagged each day. Those flagged messages are then sent to CSE analysts who examine the email further to see if it poses a threat.
In fact, the documents even refer to CSE suffering “information overload” from collecting “too much data.” One slide even refers to the data collected as “our haystack,” with the image of a needle in a haystack.
What are the concerns?
It’s important to note that monitoring emails for malicious software or other online security risks isn’t unusual – in fact, it’s entirely within CSE’s mandate when it comes to protecting government infrastructure.
But some argue that CSE is using this as a loophole to monitor communications.
“Under Canada’s criminal code, CSE is not allowed to eavesdrop on Canadians’ communications. But the agency can be granted special ministerial exemptions if its efforts are linked to protecting government infrastructure — a loophole that the Snowden documents show is being used to monitor the emails,” read The Intercept’s report.
“These fresh revelations are further proof of how CSE recklessly disregards the privacy of Canadians. While government cybersecurity is important, there is clearly no cybersecurity need to retain people’s private information for months or even years,” OpenMedia.ca communications manager David Christopher said in a statement Wednesday.
“Communicating with one’s local MP or the government is part of everyday life here in Canada, and citizens should be able to do so without fear of being spied on.”
But experts also concerned about the length of time that data is being retained.
The documents reveal that CSE stores emails for “days to months,” while metadata is kept for “months to years.” That’s as specific as it gets.
CSE declined to give CBC more specific information about the amount of email and metadata collected and when it is deleted. The agency told CBC such information “could assist those who want to conduct malicious cyberactivity against government networks.”
“The key issue is understanding how CSE retains data. Is it the case that when I email my MP they store it for one to four months? Or if it passes the buffer it’s deleted in days,” Chris Parsons, a cyber security expert at Citizen Lab who viewed the document for CBC, told Global News.
“That should be an easy question to respond to.”
Another concern Parsons raised is what happens to law abiding citizens who happen to have malware on their computers. If they email their MP – with no malicious intent – and unintentionally pass along a virus, what happens to their information?
“How is that information treated? Are you treated like someone with a random virus, or are you classified as something?” Parsons asked.