The U.S. National Security Agency has pursued a prolonged strategy to give itself covert, undetectable access to encrypted and private information sent online, such as bank transactions and emails, leaked documents show.
And on one occasion, it appears Canadian security officials stepped aside to let them.
A published report citing leaked classified NSA documents says Canada’s Communications Security Establishment (CSE), a federal agency whose mission is to monitor foreign electronic data for threats, was responsible for the creation of a 2006 encryption standard that would be used globally by banks, private companies, individuals and governments to protect sensitive data sent over or stored on the Web.
But the CSE allowed the U.S. agency to “seize control” of the process, a New York Times report says, a move that allowed the NSA to rewrite the draft code and create a hidden path into data that was protected by the encryption.
After some “behind-the-scenes finessing” with the Canadian team “the stage was set for NSA” to take over authorship of the standard, a classified memo initially leaked by former U.S. contract intelligence worker Edward Snowden says.
The revelation directly links Canadian security officials to the extraordinary and legally dubious efforts by the NSA to capture and monitor an unprecedented amount of communications online through undisclosed programs like the now infamous PRISM initiative.
In an email statement from the CSE, the agency acknowledged the participation of the NSA in developing the 2006 standard, saying the effort “was performed by a working group that included CSE, NSA, and other international members from academia and industry as equal participants.”
The agency did not comment on whether it was aware of changes made to the standard that gave the U.S. agency access to data using the encryption.
Based on comments in the leaked documents, however, experts suggest Canadian officials had some idea of the NSA’s intentions to amend the standard.
Encryption standards are universally used across the Web to securely send emails, bank transactions, credit-card purchases and other sensitive data.
The basic notion is that the standards generate random numbers inserted into the protected information, making it virtually impossible to decipher until the information reaches a secure end point. A so-called backdoor would allow undetected access to the information.
There was perhaps push-back from the Canadian side during the 2006 process, memos from the NSA show, but control appears to have ultimately been relented, with the new standard then being peddled to the International Organization for Standardization for widespread use globally, leaked memos show.
“The road to developing this standard was smooth once the journey began,” one memo acquired by the Times noted. “However, beginning the journey was a challenge in finesse.”
Experts say the revelation opens fresh questions about measures being taken by the CSE and other domestic agencies, specifically whether they possess similarly covert access to Canadians’ encrypted online data, or are complicit in allowing other governments access.
“I think it’s striking how little we know about the role Canada plays both in terms of what our own intelligence agencies are doing, and also what U.S. agencies are doing in Canada,” Prof. Geist said.
But while Canadians don’t know much about governmental surveillance of their data, recent survey results released by The Canadian Registration Authority (CIRA) —the organization that manages the .ca Internet domain—suggests many don’t mind federal snooping.
Half (49 per cent) of respondents said they “believe it is acceptable for the government to monitor email and other online activities,” while that figure jumps to 77 per cent if the intent is to prevent “future terrorist attacks.”
The results are “startling enough” for CIRA to call for a national dialogue on the subject, the body says.
Experts in the area echo the call.
“We need to ask ourselves these questions because it’s critical to our democracy,” Michel Juneau Katsuya, a former senior intelligence officer for the Canadian Security Intelligence Service said.
“How far do you want your government to go in protecting you in the name of national security?” he said.
“That debate is not really occurring, and that’s a problem.”
— with files from Bryan Mullan in Ottawa