As the tidal wave of disclosures on widespread U.S. surveillance continues – there is now little doubt that the U.S. government has spent billions creating a surveillance infrastructure that covers virtually all Internet and wireless communications – the question of Canada’s role in these initiatives remains largely shrouded in secrecy.
The Canadian government has said little, but numerous reports suggest that agencies such as the Communications Security Establishment Canada (the CSE is the Canadian counterpart to the U.S. National Security Agency) are engaged in similar kinds of surveillance. This includes capturing metadata of Internet and wireless communications and working actively with foreign intelligence agencies to swap information obtained through the data mining of Internet-based surveillance.
The active connection between Canadian and U.S. officials moved to the forefront last week with reports that Canadian officials may have played a starring role in facilitating U.S. efforts to create a “backdoor” to widely used encryption standards. That initiative has been described as “undermining the very fabric of the Internet.”
Encryption standards play a crucial role in Internet security by allowing parties to communicate in a secure manner over open networks. The technologies are used for electronic banking, medical records, e-commerce transactions, and online communications.
Earlier this month, new reports indicated that the NSA had secretly managed to defeat Internet privacy and security by cracking widely used encryption technologies. The revelations sent shock waves throughout the Internet security community and raised doubts about the security of millions of transactions that take place online.
While the NSA reportedly uses several techniques to break encryption, including deploying supercomputers and working with technology companies to weaken the security embedded within their products, the most important factor may have been the creation of several international encryption standards that made it easier for the agency to crack encrypted messages.
As reported by the New York Times, the encryption standards involve the use of mathematical algorithms to generate random numbers. Those randomly generated numbers play an important role in creating encrypted messages by making it virtually impossible to crack the code. Yet behind the scenes, it turns out the NSA wrote the standard, granting itself the capability to break the resulting encryption.
The Canadian role in these developments is linked to how the NSA managed to gain control over the standard-setting process. In 2006, the CSE ran the global standard-setting process for the International Organization for Standardization. The NSA convinced the CSE to allow it to rewrite an earlier draft and ultimately become the sole editor of the standard.
The CSE claims that its relationship with the NSA during the standard-setting process was merely designed to support the Canadian government’s effort to secure its technological infrastructure. However, it is now clear that Canada worked with the U.S. to ensure that the backdoor was inserted into the encryption standard and that it may have gained access to decryption information in the process.
In fact, Canada’s work with the U.S. on surveillance issues has even included financial compensation. Bill Robinson, who actively tracks CSE activities, recently reported “that a specific account exists within the government’s Financial Reporting Accounts to record payments that CSE receives from foreign governments.” Government documents indicate that the account “is used by Communications Security Establishment to record funds received from foreign governments, to cover expenditures to be made on their behalf, in accordance with the provisions of agreements with the Government of Canada.”
In other words, Canada may not only have played a key role in facilitating one of the most significant incursions into Internet privacy, but it may even have been paid for its work.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.