Revelations about a Canadian spy program that can sift through 15 million downloaded files a day are raising concerns that Ottawa's fight against terrorism is eroding Internet anonymity. But Canadian spies claim to have used this technique to unearth a specific intelligence lead – the "hostage strategy" of an al-Qaeda offshoot – before passing it along to U.S. intelligence.
A top-secret Communications Security Establishment document about its "Levitation" program was leaked by U.S. contractor Edward Snowden and published by the CBC and online publication The Intercept on Tuesday.
Some of the spying described in the document closely matches what a federal official has suggested is one of Canada's most valued spying stratagems.
"Let's imagine there is a hostage situation unfolding," the CSE's signals-intelligence director said in a 2013 interview with The Globe. Drawing a diagram of three terrorist hostage takers talking on their phones, he said that "the solution to this, for us, is metadata."
Metadata is information about an electronic communication excluding the spoken or typed words. Leaders of electronic-eavesdropping agencies, such as CSE, have convinced the executive branches of government that they need an unfettered ability to collect, log, and search this material – in bulk.
Past leaks have shown that CSE analysts have a continually collected trove of metadata at their fingertips, through a database known as "Olympia," which allows Ottawa to scour all manner of covertly collected telecommunications traffic. Sifting tools are needed because Olympia taps into the overwhelming collections of the "Five Eyes" allies – Canada, the United States, Britain, Australia and New Zealand.
Previous leaks have shown that "Levitate" is among dozens of search techniques now readily available to CSE analysts, on a drop-down menu within Olympia.
2. Mention of CSE "Levitate" first featured in Oct. 2013 CSE "Olympia" leak, on pulldown menu. pic.twitter.com/udU4EQmLRY — Colin Freeze (@Colinfreeze) January 28, 2015
But the latest leak shows that three years ago CSE intelligence analysts were trying it out as "Levitation."
The hypothesis was that snooping on sites used to swap large data files – video, music, or documents – can reveal terrorists. "Extremists use Free File Upload (FFU) sites differently than the general public," the newly disclosed slides say.
So CSE watched for 2,200 known Web links to extremist literature moving on MegaUpload, RapidShare, and 100 similar sites.
How CSE got its covert collection systems in place is unclear. The slides indicate a distinction between "seeing" downloads and "finding" intelligence leads. "We see about 10-15 million FFU events per day," reads the presentation. "… We're finding about 350 interesting download events per month."
Documents with titles such as "How to Make a Gas Bomb" were seen turning up in Iraq, Saudi Arabia, Syria – and in Canada. It's unclear whether CSE told police about the Canadian activity. CSE appears to have "anonymized" such transactions, an automatic scrubbing of identifying information that protects the spy agency from allegations it engages in warrantless domestic spying.
Foreigners are offered no such privacy protections. And CSE analysts leveraged other Five Eyes metadata databases to figure out which foreigners might be behind the suspicious transactions.
For that, CSE tapped into a British agency's logs of corporate "cookies." Cookies are the unique codes that social-media sites place on Web browsers, so as to better track their users' habits and sell advertising. Knowing which cookies link to which Facebook identities, and which Internet Protocol addresses, is valuable – it helps corporations figure out just whom to target.
The same can be said for piggybacking spy agencies. Some of the CSE "Levitation" searches took place on March 28, 2012. It was around this time that reports surfaced that al-Qaeda in the Islamic Maghreb (AQIM) was circulating a new "proof of life" video from Africa. In it, German hostage Edgar Fritz Raupach was shown pleading for a ransom.
The final slide says CSE acquired "a German hostage video from a previously unknown target." It then adds that an "FFU upload event gave us AQIM's hostage strategy. The resulting report was disseminated widely including by the CIA to their counterparts overseas."
Mr. Raupach was reported stabbed to death in May, 2012, by his captors, as Nigerian forces raided a safe house used by suspected terrorists.
In a statement, the CSE said that it is legally authorized to collect metadata to protect Canadians from terrorist threats. "We regret that the publication of techniques and methods, based on stolen documents, renders those techniques and methods less effective."