From: [...]
Sent: April-30-[...]
Subject: FW: IP Profiling Metadata Analysis Sample Summary
Importance: High
Classification:

Gentlemen,

The summary.

Cheers.

From: [...]
Sent: April-30-14 10:34 AM
To: [...]
Cc:
Subject: IP Profiling Metadata Analysis Sample - Summary
Importance: High
Classification:

Refs: A. Meeting

Morning everyone,

First thanks for taking the time yesterday to help prepare us for the session later today. It was most appreciated.

As promised yesterday I have been able to piece together (most of) the answer to the question about the metadata sample that the IP Profiling analysis was conducted against.

A) Metadata type and period

CONFIDENTIAL//SI

s.15(1) - DEF

[...] generated by either a [...] was copied from the [...] time was any of this metadata shared [...] location in any form [...] output is completely minimized and engineered to reveal it.

C) Current status

If you have any questions please don't hesitate to contact me. Hope this helps.

Cheers.

s.15(1) - DEF

From: Bruce, Shelly
Sent: February-03-14 11:08 AM
To: [...]
Subject: FW: Deck notes
Classification: TOP SECRET//SI//Canadian Eyes Only

FYI.

From: [...]
Sent: February-03-14 8:32 AM
To: [...]
Cc: Rochon, Dominic; McLaughlin, Andrew J (Andy); [...]; Ommanney, John [...]
Subject: Deck notes
Classification: TOP SECRET//SI//Canadian Eyes Only

Here are some notes on the deck. Let me know if you want more detail. Red is [...] and will reveal things we don't want (or wouldn't have wanted) people to know.

Overall, presentation is about a number of different activities:
- The importance (and challenge) of accurate IP geolocation
- Ways to profile so that we can quickly characterize similar in the foreign target space
- Operational scenarios that require new ways to identify in time and space when targets are trying to evade us

These are advanced analytics that would reveal the sophistication of CSE's capabilities, methods and techniques against a backdrop of a very complicated internet-based operating environment and [...]

To delve deeper into the underlying analysis would risk exposing specific capabilities, methods and techniques which, under SOIA, we are prohibited from doing.

Slide 1 (title slide) identifies that this work was done by a tradecraft developer (aka data scientist, and not a target analyst) who works in the network analysis centre (whose focus is characterizing networks)

Slide 2 sets the scene by noting that we cannot rely on commercial databases when IP geolocation is critical
- for example, a commercially registered IP in Canada would be found in the middle of nowhere - we KNOW this is untrue
- we want to use the info at our disposal to improve the accuracy of commercial reference data because we
  o WANT to know where our foreign targets are for obvious operational reasons, and
  o NEED to know where our foreign targets are for important compliance reasons.

Slide 3 lays out the purpose of the multi-part presentation: These are advanced analytics that would reveal the sophistication of SIGINT capabilities against a backdrop of a very complicated internet-based operating environment.
  o How can we develop richer context around to raise our confidence in what we are seeing? e.g. if it looks like this pattern of dots, it is probably an internet café
  o Can we use this new knowledge to tip (or alert) us to when our targets interact in this space [...]
  o Can we use this new knowledge to find our targets even when they are trying to evade our

Slides 4 - 8 describe the approach taken by the network analyst to characterize a travel node, in this case an airport
- Uses snapshot of historical, i.e. already collected metadata - no new effort launched
- Wants to establish patterns of activity around the IP during that snapshot to better characterize it - so that we can find similar patterns again elsewhere
- Tools used - commercial data (Quova, now called Neustar), [...]
- source of metadata [...]
- To delve any deeper into the underlying analysis would risk exposing specific capabilities, methods and techniques which, under SOIA, we are prohibited from doing.

Slides 9 show the results of the analysis of this first exercise to model activity around a travel node.
- Dots represent network activity and identify the global distribution of associated with the other foreign airports from a network perspective
- To delve any deeper into the underlying analysis would risk exposing specific capabilities, methods and techniques which, under SOIA, we are prohibited from doing.

Slide 10 shows the same data as previous slide but notes the importance of accurate geolocation as a starting point, otherwise all subsequent analysis is erroneous, i.e. if your airport is the IP located by commercial data sources to be in the middle of a lake, then the rest of your data is probably wrong.

Slides 11 - 18 use the same approach to characterize related to see if similar network activity patterns can be developed
- To delve any deeper into the underlying analysis would risk exposing specific capabilities, methods and techniques which, under SOIA, we are prohibited from doing.

Slide 19 - [...] summarize the findings and show the potential operational application of this exercise in a global context. [...]
- To delve any deeper into the operational capacity to apply these models would risk exposing specific capabilities, methods and techniques which, under SOIA, we are prohibited from doing.

s.15(1) - DEF

INFO: End of this model, and end of this sample of historical metadata?

Slide 21 outlines a new problem where targets use multiple devices (phones or other) to communicate with different parties, making it difficult to put the entire picture of activity together
- Here we have just alerted our targets to the fact we know they use this technique and that we have developed or are developing methods to defeat their deception

Slides 22 - 23 outline an approach to testing a hypothesis to discover this target behaviour
- The "sweep" of 300K IDs was done from a historical sample of metadata extracted from foreign intelligence collection, i.e. intercept from targets that are positively identified as foreign and outside Canada, and which correspond to GC priorities
- New analytics were successfully applied to filter through the 300K possibilities and identify 19 leads that would require follow on analysis, for example, the model that was produced in the earlier part of the presentation to help us understand if the target was at an internet café or other public access point
- To delve any deeper into the operational capacity to apply these models would risk exposing specific capabilities, methods and techniques which, under SOIA, we are prohibited from doing.

Slide 24 is the result of the metadata analysis
- To delve any deeper into the operational capacity to apply these models would risk exposing specific capabilities, methods and techniques which, under SOIA, we are prohibited from doing.

Slide 25 reveals the type of computing power that is required to conduct these analytics in operational scenarios.
- CARE is [...]
- The work described in the presentation, however, was not done jointly with NSA, as reported by the media
- As a rule, CSE would not expose the technology we use as that allows those we are targeting insight into our capabilities. To delve any deeper into the operational capacity to apply these models would risk exposing specific capabilities, methods and techniques which, under SOIA, we are prohibited from doing.

Slide 26 indicates that we were successful in identifying new tradecraft that could be applied in operational scenarios involving foreign targets and indicates we are enhancing
- To delve any deeper into the operational capacity to apply these models would risk exposing specific capabilities, methods and techniques which, under SOIA, we are prohibited from doing.

Slide 27 was redacted entirely

Shelly Bruce
Deputy Chief/Chef adjoint SIGINT
Communications Security Establishment/Centre de la sécurité des télécommunications
[...] 613.991.7140 [...]

OFFICIAL USE ONLY

From: Bruce, Shelly
Sent: February-03-14 12:59 PM
To: [...]
Subject: FW: Additional Qs and As

From: [...]
Sent: February-03-14 8:48 AM
To: Bruce, Shelly
Subject: FW: Additional Qs and As
Classification: OFFICIAL USE ONLY

The latest

From: Ommanney, John
Sent: February-03-14 8:45 AM
To: [...]
Subject: FW: Additional Qs and As
Classification: OFFICIAL USE ONLY

Here are the latest.

From: [...]
Sent: February-02-14 5:11 PM
To: Ommanney, John
Cc: Nolan, Corinne; Rochon, Dominic
Subject: Additional Qs and As
Classification: OFFICIAL USE ONLY

Bringing up copies. E-copy for use if required.

s.15(1) - DEF

[...] Politiques stratégiques [...]

DRAFT
UNCLASSIFIED FOR OFFICIAL USE ONLY

Q.1 If your business is foreign intelligence, why would you collect Canadian metadata or look at travellers in Canada?

Metadata is technical information used to route communications, and not the contents of a communication. CSEC cannot and does not single out Canadian metadata for collection. The internet is large and complex, involving 3.5 billion users and 1800 petabytes of information that travel the globe each day, ignoring geographic and national boundaries. This complexity of global communications networks means that Canadian communications are comingled with international communications. In this context it is impossible for CSEC to collect exclusively foreign metadata.

Metadata is required to ensure our activities are directed at foreign targets outside of Canada. For example, we must be able to use metadata to know when one of our foreign targets may be entering Canada. In which case, we must cease any intelligence coverage and, through intelligence reporting, advise the RCMP and CSIS so they can conduct any further follow-up.

More importantly, metadata is essential to fulfill our mandate to collect foreign intelligence. CSEC uses metadata analysis techniques, such as those described in the presentation, to develop an understanding of the global networks used by our foreign intelligence targets. Foreign terrorist targets actively seek to hide in plain sight, to disguise their communications in the bustle and noise of urban life in order to evade detection. It is essential for any foreign intelligence agency to be able to better understand the types of networks foreign targets use and how their behaviours might appear on those networks. For this reason, metadata is also used to build models to understand how networks operate in order to locate our legitimate foreign intelligence targets outside Canada.

Without moving into operational specifics, I can state that the model illustrated in the presentation has been used in efforts to gather foreign intelligence related to foreign terrorist targets.
Within the last 12 month period, I am aware of at least 2 cases where this model has been used to identify foreign terrorist threats affecting Canadian and allied interests.

Q.2 How can you say that Canadians were not tracked?

If CSEC were to track anyone, as we do with legitimate foreign targets outside Canada:
- We would need to know who they are;
- We would need to actively locate and find the individual; and
- We would need to monitor their movements in real time.

- That was not the purpose or the result of this exercise.
- The goal was to build an analytical model of typical patterns of network activity around a public internet access point, like an airport, so that CSEC could then apply this model for the purpose of gathering foreign intelligence. This work involved a snapshot of historical metadata collected from the global internet.
- We did not use this data to identify any individual Canadian or person in Canada.
- The data was only used to paint a picture of the pattern of network use in certain types of facilities with public internet access. This is what you see in the presentation, patterns of dots.

Q.3 How can you say that this activity was legal when the law says you cannot direct your activities at Canadians or persons in Canada?

- CSEC is authorized to acquire information in order to provide foreign intelligence under the National Defence Act.
- To fulfill this mandate, CSEC is authorized to collect and analyze metadata from the global information infrastructure.
- We use metadata to understand global communications networks so that we can find our targets in a vast sea of communications, and direct our activities at these legitimate foreign intelligence targets outside Canada in order to better understand their capabilities and intentions.
- These communications networks are complex, vast, borderless and rapidly changing, and foreign and Canadian communications are intermingled.
- As a result, CSEC collects and analyses metadata, so that we can better understand these networks, and so that we can ensure we are only directing our foreign intelligence activities at foreign targets outside of Canada.
- That's what this exercise was: analyzing a snapshot of historical metadata from the global internet to build an analytical model of typical network activity patterns around a public access point like an airport.
- The purpose of the model was solely to better understand what these patterns look like so that we can more effectively and quickly direct our foreign intelligence activities at legitimate foreign targets, such as terrorists and hostage-takers.
- This use of metadata is authorized under the National Defence Act and subject to conditions established under a Ministerial Directive. We recognize that metadata may contain information that has a privacy interest and we take strict measures to protect the privacy of Canadians and persons in Canada.

Q.4 How can you assure Canadians that their privacy was not violated through this activity?

CSEC did not collect the content of any private communications. In this case, metadata, which does not include the content of a communication, was analysed for the sole purpose of developing an analytical model of patterns of network communication. This model was developed for application in identifying foreign threats. We did not use this data to identify any individual Canadian or person in Canada.

All of activities, including analytic activities involving the use of metadata in this exercise, include measures that protect the privacy of Canadians as well as the privacy of persons in Canada.
These include conditions imposed by a Ministerial Directive, and which have been clearly articulated in CSEC policy.

The independent CSE Commissioner has reviewed our metadata activities multiple times. He has never found CSEC to have acted unlawfully. In fact, he has specifically noted our culture of lawful compliance and genuine concern for protecting the privacy of Canadians.

We recognize and acknowledge that many of our activities have privacy implications and we take this seriously. For that reason within CSEC there are multiple structures in place to ensure the privacy of Canadians is strictly protected. These include:
- Active monitoring of internal processes and an internal audit and evaluation function;
- A dedicated group of CSEC personnel focused exclusively on the development and implementation of operational policies and procedures, as well as embedded policy compliance teams in our operational areas;
- Executive control and oversight;
- An on-site legal team of 8 lawyers from the Department of Justice that works closely to provide independent legal advice to CSEC staff; and
- External review by the CSE Commissioner as well as the Privacy Commissioner.

If pressed on how the personal information was protected

While metadata is largely used to manage and route communications, we recognise that metadata may contain information that has a privacy interest. Under the National Defence Act and consistent with our other legal obligations CSEC must take steps to protect the privacy of Canadians and persons in Canada in its use and retention of information. This includes not only private communications but other information that has a privacy interest.
- We do this through concrete steps such as implementing strict controls on the use, retention, sharing and access to this information.
- The multiple structures we have in place for process monitoring, policy compliance, executive control, legal advice and external review ensure that these measures to protect privacy are followed.
- The CSE Commissioner reviews our measures to protect privacy in every single review he undertakes.

Q.5 Who approved this operation?

- Let me clarify that this was not an operation.
- This was an exercise using a snapshot of historical metadata to build a mathematical, analytical model. It was not subject to ministerial approval.
- use of metadata is authorized under the National Defence Act and is subject to conditions set out in a Ministerial Directive that was signed in 2011. The independent CSE Commissioner regularly reviews CSEC activities, including our activities involving metadata.

Q.6 I hear that CSEC conducted this activity as a trial run for the NSA and other international partners?

- CSEC conducts its foreign intelligence activities in accordance with intelligence priorities set by the Government of Canada.
- CSEC did not conduct this activity on behalf of the NSA or any other partner agency. This was a CSEC effort to develop a mathematical analytic model that can refine understanding of communication networks and identify foreign targets.
- While we work closely with our allies to address threats that affect our common interests, no foreign partner can ask another to do something it cannot legally do itself.
- CSEC does not take direction from any outside organization. We are accountable to the Minister of National Defence, the Government of Canada and Parliament.

Q.7 Is this "trial run" now a fully operational program?

- Contrary to media speculation, the subject of this slide presentation is an analytical model. It does not represent an operational program nor is it directed at Canadians.
It only illustrates a validation exercise of an analytic technique for application in directing our lawful activities at foreign entities outside Canada, such as foreign terrorist targets.

Q.8 How did you obtain this data about travellers at the airport? Who or what is your "special source"?

- No data was collected through any monitoring of the operations of any airport.
- To provide more specific details than those already released by the press would reveal highly classified techniques and capabilities. Since this could cause further injury to Canada's national security, I am not permitted under the law to disclose any further details.

If pressed on any particular slide detail

- I would be happy to discuss and clarify for the committee the overall nature of the exercise and the analytical model described in the document.
- However, I cannot provide any more specific details that could cause further injury to Canada's national security. That would be contrary to the law.
- While the document has been published, it has been released without proper authorization and still contains highly classified details about techniques and capabilities.

s.15(1) - DEF

From: [...]
Sent: [...] 12:57 PM
To: [...]
Cc:
Subject: [...] IP Profiling Analytics
Classification: TOP SECRET//SI//Canadian Eyes Only

I had this and again, no one has raised any compliance/lawfulness

Many of these concepts are hard to explain in layman's terms, so that's why there is extra attention on the choice of words used (i.e. to make sure we don't mislead and to make sure if we don't limit the scope of any future activities)

Sent: February [...]
Subject: FW: Profiling Analytics
Classification: TOP SECRET//SI//Canadian Eyes Only

Sir,

FYI, the initial activity/feedback from

Cheers.

From: [...]
Sent: October-[...]
Subject: RE: [...] Profiling Analytics
Classification: TOP SECRET//SI//Canadian Eyes Only

Hello,

I believe I used this string last week to request that we put an end to email exchanges on this issue, since there were many on the go (though I failed to locate my message to that

s.15(1) - DEF

There's been time to examine this network analysis project in the meantime and obtain more details on the nature of this research using [...]

The overall thrust of the research aims to provide greater resolution of IP addresses through the identification and analysis of patterns of IPs that emerge in a number of different use settings. The value of enhancing the resolution of these is that it ultimately allows for a greater understanding of the technical details, characteristics and specifications of communications networks and an enhanced ability to determine the locations of communications in specific circumstances.

ensure that the project's objectives are adequately captured and clearly reflect their focus, so that there is no potential ambiguity about the nature of this work, which lies squarely in the realm of acceptable network analysis activities.

work with the

Thanks everyone for the chance to discuss this issue and for taking the time to engage.

[...]

From: [...]
Sent: October-09-12 12:21
To: [...]
Subject: RE: Profiling Analytics
Classification: TOP SECRET//SI//Canadian Eyes Only

[...]

CSE Canada/CST Canada

Sent: [...] 11:13 AM
Subject: [...] IP Profiling Analytics
Classification: TOP SECRET//SI//Canadian Eyes Only

Good morning,

Please see attached presentation [...] We will examine it further and get back to

cheers

[...] Manager, [...]

From: [...]
Sent: September-22-[...] PM
To: [...]
Subject: IP Profiling Analytics
Classification: TOP SECRET//SI//Canadian Eyes Only

File: IP Profiling Analytics.pptx

Importance: High
Classification:

[...] have been given a heads up from [...] based on an email request from the OCSEC Legal Advisor that they would like to gain a better understanding of SIGINT metadata analysis for numerous activities e.g. Profiling, [...] such they will be requesting a meeting, coordinated by [...] as described here:

"In order to have a better understanding of SIGINT metadata analysis activities, we would appreciate it if you could set up the following briefings and demonstrations:

1- We would like to meet [...] again in order to ask him some follow-up questions to the briefing he already provided us. We would also appreciate seeing a demonstration of how he undertook the IP profiling analytics."

They are going to provide a set of questions for the presenters which I will share with you as soon as I get it. We can discuss once [...] returns on how best to present the demonstration/information to meet their request.

Cheers.

[...] - DEF [...] s.20(1)(c)

Sent: January-29-14 7:05 AM
To: Bruce, Shelly
CC: [...]
Subject: IP Profiling - History of Analytic/CARE
Importance: High
Classification:

Morning Ma'am,

[...] the best estimate of what [...] has put together for the data that was used to develop the analytics as well as some information about the tradecraft environment system, Collaborative Analysis Research Environment (CARE).

[...] first learned about CARE in late [...] at the [...] as it came up in some slides from [...] It builds on the [...] platform [...] the project is managed by the Joint Res[...] and provides vital feedback on issues, requested enhancements etc. [...]
[...]oper at CSE [...] the JRO lead, who then passes it [...] [...]ared in the presentation were based on two-week random metadata pulls from [...], using metadata that was collected [...] At that time we [...] the network analysis profiling [...]

Throughout the next [...] to work with the metadata in this way (i.e. getting a two-week random sample of metadata events so as to continue to refine the tradecraft and build a reference base to compare one set of data [...] Once we had the [...] the same type [...] output from that time period. [...] versus another. All data [...] from [...] metadata ev[...]

So effectively, CARE was introduced into CSE sometime in [...] and we began using it in earnest once we learned about it and were given accounts and were able to get copies of the metadata events to work with. This is how we were able to compare the speed differences in the platforms for creating the tradecraft and getting the results.

From:
Sent: January-28-14 4:18 PM
To: Bruce, Shelly
Subject: NS review of IP profiling
Classification: TOP SECRET//SI//Canadian Eyes Only

Overall, presentation is about Analytics to profile IP addresses/ranges in order to characterise them in an effort to refine the SIGINT development effort in pursuing targets in a complex communication environment. These are advanced analytics that would showcase the sophistication of SIGINT capabilities.

[...] sources to seek additional information about the group

- Slide 1: Title: identification of an [...]
  o IoD
    - Reveals name of a CSE employee and his [...]
- Slide 2: nature of IP profiling and challenges with accuracy of the data.
  o IoD: [...] group might spur "journalistic" [...]
    - Reveals the use of a CDN IP derived from a commercial database to demonstrate the challenges with the accuracy of IP Geolocation
    - Reveals the original owner of the IP
- Slide 3: Objective of the effort, setting the stage for the problem set and the rest of the presentation
- Slide 4: the seed of this effort is around travellers and using Wi-Fi hotspot at an intl. airport as a starting point
  o IoD: [...]
    - reveals SIGINT techniques and methodologies
- Slide 5: scope of profiling travel nodes
  o IoD
    - reveals SIGINT techniques and methodologies
- Slide 6: IP profiling over time around travel nodes
  o IoD
    - reveals SIGINT techniques and methodologies
- Slide 7: theory vs what real data reveals
  o IoD
    - Reveals SIGINT sources, methods and capabilities
- Slide 8: overview of the data used in the development of this analytic
  o IoD: [...]

s.15(1) - DEF
s.15(1) - IA

    - [...] reference to having seed knowledge of a Canadian Airport Wi-Fi IP address
    - [...]
- Slide 9: geo plot of IP activities starting from a CDN airport intl.
terminal as a seed
  o IoD
    - Reveals the use of an IP of CDN airport as a seed - while this analysis is based purely on metadata (no content was ever collected), this would be damaging in putting into question CSE use of CDN metadata
    - Reveals capabilities in profiling geo-hops to track roamers
- Slide 10: slide depicting the impact of a "what-if" scenario around the erroneous geolocation of the initial seed IP
  o IoD
    - Similar to slide 9 but in the context of erroneous geolocation based on commercial datasets
- Slide 11: demonstrated the ability to characterise at a high level the previous and next hops centered around the CDN airport intl terminal
  o IoD
    - SIGINT tradecrafts and techniques
- Slide 12: based on data collected, the profile of another CDN airport is noted
  o IoD
    - While similar to the methodology used in slide 9, this slide perpetuates the issue associated with the use of CDN metadata
    - methods
- Slide 13-17: each slide demonstrates the profile of a unique entity based on the pattern of user ID seen over time
    - advanced analytics being able to characterize an entity based (purely on metadata) on the pattern of user ID seen
    - Building on slide 7 and slide 9 (the use of a sample from CDN special source to characterize a CDN intl. airport), the examples outlined in the 5 slides imply that part of this effort was to characterise a Hotel, an enterprise, a coffee shop, a library, a wireless gateway based on CDN metadata
    - methods and techniques
- Slide 18: slide specific to the characterization of a wireless gateway
    - methods and techniques
- Slide 19: why IP profiling is important to SIGINT
  o IoD: disclosure of the applicability of this analytic to real SIGINT missions
    - [...]
      methods and techniques
- Slide 20: summary of the analytical hypothesis presented in the 19 previous slides
  o IoD:
    - Use of "sweep" can imply the ability to
    - SIGINT methods and techniques
- Slides 21-25 demonstrate the use of the IP analytic tradecrafts in support of the efforts to tackle the challenges associated with a kidnaping case (who is behind a ransom call, where are they, can we track them and work our way back to where the hostage is being held)
  o IoD
    - damaging in disclosing what SIGINT would be looking for to associate and correlate timing and geolocation information associated with ransom calls
- Slide 21: Hostage problem statement
- Slide 22: Solution outline
  o IoD
    - High level outline of the recipe used to tackle this problem
- Slide 23: Proof of concept using a sample of SIGINT data
  o IoD
    - Questions could be raised as to the nature of the sample (is it Canadian metadata
- Slide 24: results of using the analytic on test data and how the presence of the kidnapper/target would be detected
  o IoD
    - SIGINT methods and techniques
- Slide 25: challenges associated with large data sets and the advantages of using CARE
  o IoD
    - Reveals SIGINT sources, tradecrafts, capabilities and relationships
    - CARE is a product of a
- Slide 26: overall summary of the deck
  o IoD
    - Reveals the value of IP profiling
    - [...]
    - Advanced technique to contact chain across air-gaps
    - SIGINT methods, techniques, capabilities

UNCLASSIFIED

CSEC's Use of Metadata
Senate Committee on National Security and Defence
February 4, 2014

role is to collect information on foreign targets from the global information infrastructure - the Internet.
To do this, we need to understand how millions of communications networks function, how they are constantly changing and how foreign targets make use of them.

The document refers to a model we were trying to build of the typical communications patterns around public internet access points - in this case an airport.

This work relied on metadata. Metadata is data about a communication, but not the contents of a communication itself. It is used by computers to manage or route communications over global networks. It does not include any content of emails, phone messages, text messages, photos.

CSE collects metadata from the global internet in order to:
1. Understand constantly changing global communications networks to know how to find our target in a sea of billions of communications
2. We use it to ensure our intelligence collection is directed at foreign targets outside of Canada and to avoid targeting Canadians' communications.

This exercise involved using a snapshot of historical metadata collected from the global internet. No data was collected through any monitoring of the operations at any airport.

This was not and is not an operational surveillance program. That was not the purpose or the result of this exercise. We weren't targeting or trying to find anyone or monitor any individuals' movements in real time. The purpose was to build an analytical model of typical patterns of network activity around a public internet access point, like an airport - which is what you see in the document, patterns of dots.

The goal was to build a mathematical, analytical model. The end result of this work was formulas, algorithms, software.

The reason we did this was to develop a model that could help us find legitimate foreign targets - terrorists, hostage takers, foreign intelligence agents. For example, we may have hostages taken in a foreign city - possibly Canadians or citizens of one of our allies.
Our challenge is how do we find our foreign targets in a sea of billions and billions of communications?

This analytical model can help us in two ways:

First - It helps us to narrow our search in a foreign remote region or large city - filtering from millions of possibilities to a few.

Second - we know terrorists or hostage takers will often use public places to access the internet because they are trying to hide in plain sight. This model helps us to identify where that contact may be coming from - a café, a hotel, an airport.

This model can save time and work during an incident where time is critical. It increases our chance of success. I am aware of at least 2 cases in the past year where this model has been and is being used to help identify foreign terrorist threats.

The collection and use of metadata to analyze global networks is authorized under the National Defence Act. This work was conducted under conditions set out in a Ministerial Directive on metadata signed in 2011.

No Canadians' private communications were targeted, collected or used. We did not use this data to identify any individual Canadian or person in Canada. As with all of our activities, measures were in place and applied to protect the privacy of Canadians.

cerrid 9813952

Our collection and use of metadata, including for network analysis, has been reviewed by successive Commissioners 5 times since 2003, most recently in 2011, and found to be lawful. The Commissioner approved a review in 2012 which is underway.

UNCLASSIFIED FOR OFFICIAL USE ONLY

Q.1 If your business is foreign intelligence, why would you collect Canadian metadata or look at travellers in Canada?

Metadata is technical information used to route communications, and not the contents of a communication. CSEC cannot and does not single out Canadian metadata for collection.
The internet is large and complex, involving 3.5 billion users and 1800 petabytes of information that travel the globe each day, ignoring geographic and national boundaries. This complexity of global communications networks means that Canadian communications are comingled with international communications. In this context it is impossible for CSEC to collect exclusively foreign metadata.

Metadata is required to ensure our activities are directed at foreign targets outside of Canada. For example, we must be able to use metadata to know when one of our foreign targets may be entering Canada. In which case, we must cease any intelligence coverage and, through intelligence reporting, advise the RCMP and CSIS so they can conduct any further follow-up.

More importantly, metadata is essential to fulfill our mandate to collect foreign intelligence. CSEC uses metadata analysis techniques, such as those described in the presentation, to develop an understanding of the global networks used by our foreign intelligence targets.

Foreign terrorist targets actively seek to hide in plain sight, to disguise their communications in the bustle and noise of urban life in order to evade detection. It is essential for any foreign intelligence agency to be able to better understand the types of networks foreign targets use and how their behaviours might appear on those networks. For this reason, metadata is also used to build models to understand how networks operate in order to locate our legitimate foreign intelligence targets outside Canada.

Without moving into operational specifics, I can state that the model illustrated in the presentation has been used in efforts to gather foreign intelligence related to foreign terrorist targets. Within the last 12 month period, I am aware of at least 2 cases where this model has been used to identify foreign terrorist threats affecting Canadian and allied interests.

Q.2 How can you say that Canadians were not tracked?
If CSEC were to track anyone, as we do with legitimate foreign targets outside Canada:
  - We would need to know who they are;
  - We would need to actively locate and find the individual; and
  - We would need to monitor their movements in real time.
- That was not the purpose or the result of this exercise.
- The goal was to build an analytical model of typical patterns of network activity around a public internet access point, like an airport, so that CSEC could then apply this model for the purpose of gathering foreign intelligence.
- This work involved a snapshot of historical metadata collected from the global internet.
- We did not use this data to identify any individual Canadian or person in Canada.
- The data was only used to paint a picture of the pattern of network use in certain types of facilities with public internet access. This is what you see in the presentation, patterns of dots.

Q.3 How can you say that this activity was legal when the law says you cannot direct your activities at Canadians or persons in Canada?

- CSEC is authorized to acquire information in order to provide foreign intelligence under the National Defence Act.
- To fulfill this mandate, CSEC is authorized to collect and analyze metadata from the global information infrastructure.
- We use metadata to understand global communications networks so that we can find our targets in a vast sea of communications. Global communications networks are complex, vast, borderless and rapidly changing, and foreign and Canadian communications are intermingled.
- CSEC collects and analyses metadata, so that we can better understand these networks, and so that we can ensure we are only directing our foreign intelligence activities at foreign targets outside of Canada.
- Foreign intelligence reveals the motivations, intentions and capabilities of our foreign targets.
To find our foreign targets, we first need to understand the global network, how it operates, and then how our targets operate on that global network.
- That's what this exercise was about: analyzing a snapshot of historical metadata from the global internet to build an analytical model of typical network activity patterns around a public access point like an airport.
- We did not use this data to identify any individual Canadian or person in Canada.
- The sole purpose of the model was to better understand what these patterns look like so that we can more effectively and quickly direct our foreign intelligence activities at legitimate foreign targets, such as terrorists and hostage-takers.
- This use of metadata is authorized under the National Defence Act and subject to conditions established under a Ministerial Directive. We recognize that metadata may contain information that has a privacy interest and we take strict measures to protect the privacy of Canadians and persons in Canada.

Q.4 How can you assure Canadians that their privacy was not violated through this activity?

CSEC did not collect the content of any private communications.

In this case, metadata, which does not include the content of a communication, was analysed for the sole purpose of developing an analytical model of patterns of network communication. This model was developed for application in identifying foreign threats.

We did not use this data to identify any individual Canadian or person in Canada.

All of activities, including analytic activities involving the use of metadata in this exercise, include measures that protect the privacy of Canadians as well as the privacy of persons in Canada. These include conditions imposed by a Ministerial Directive, and which have been clearly articulated in CSEC policy.

The independent CSE Commissioner has reviewed our metadata activities multiple times. He has never found CSEC to have acted unlawfully.
In fact, he has specifically noted our culture of lawful compliance and genuine concern for protecting the privacy of Canadians.

We recognize and acknowledge that many of our activities have privacy implications and we take this seriously. For that reason within CSEC there are multiple structures in place to ensure the privacy of Canadians is strictly protected. These include:
- Active monitoring of internal processes and an internal audit and evaluation function;
- A dedicated group of CSEC personnel focused exclusively on the development and implementation of operational policies and procedures, as well as embedded policy compliance teams in our operational areas;
- Executive control and oversight;
- An on-site legal team of 8 lawyers from the Department of Justice that works closely to provide independent legal advice to CSEC staff; and
- External review by the CSE Commissioner as well as the Privacy Commissioner.

If pressed on how the personal information was protected

While metadata is largely used to manage and route communications, we recognise that metadata may contain information that has a privacy interest.

Under the National Defence Act and consistent with our other legal obligations CSEC must take steps to protect the privacy of Canadians and persons in Canada in its use and retention of information. This includes not only private communications but other information that has a privacy interest.

We do this through concrete steps such as implementing strict controls on the use, retention, sharing and access to this information.

The multiple structures we have in place for process monitoring, policy compliance, executive control, legal advice and external review ensure that these measures to protect privacy are followed.

The CSE Commissioner reviews our measures to protect privacy in every single review he undertakes.

Q.5 Who approved this operation?

Let me clarify that this was not an operation.
This was an exercise using a snapshot of historical metadata to build a mathematical, analytical model. It was not subject to ministerial approval.

use of metadata is authorized under the National Defence Act and is subject to conditions set out in a Ministerial Directive that was signed in 2011.

The independent CSE Commissioner regularly reviews CSEC activities, including our activities involving metadata.

Q.6 I hear that CSEC conducted this activity as a trial run for the NSA and other international partners?

CSEC conducts its foreign intelligence activities in accordance with intelligence priorities set by the Government of Canada. CSEC did not conduct this activity on behalf of the NSA or any other partner agency.

This was a CSEC effort to develop a mathematical analytic model that can refine understanding of communication networks and identify foreign targets.

While we work closely with our allies to address threats that affect our common interests, no foreign partner can ask another to do something it cannot legally do itself.

CSEC does not take direction from any outside organization. We are accountable to the Minister of National Defence, the Government of Canada and Parliament.

Q.7 Is this "trial run" now a fully operational program?

Contrary to media speculation, the subject of this slide presentation is an analytical model. It does not represent an operational program nor is it directed at Canadians. It only illustrates a validation exercise of an analytic technique for application in directing our lawful activities at foreign entities outside Canada, such as foreign terrorist targets.

Q.8 How did you obtain this data about travellers at the airport? Who or what is your "special source"?

No data was collected through any monitoring of the operations of any airport.
To provide more specific details than those already released by the press would reveal highly classified techniques and capabilities. Since this could cause further injury to Canada's national security, I am not permitted under the law to disclose any further details.

If pressed on any particular slide detail

I would be happy to discuss and clarify for the committee the overall nature of the exercise and the analytical model described in the document.

However, I cannot provide any more specific details that could cause further injury to Canada's national security. That would be contrary to the law.

While the document has been published, it has been released without proper authorization and still contains highly classified details about techniques and capabilities.

9953561

Questions and Answers for the Chief: Unauthorized Disclosure on Airport Metadata Analysis

Q.1 What were you doing in the project described in this document?

The document refers to a model we were trying to build of the typical communications patterns around public internet access points - in this case an airport. This is what you see in the document: patterns of dots.

This work relied on metadata. Metadata is data about a communication, not the contents of a communication itself. It is technical information used by computers to manage or route communications over global networks. It does not include any content of the communications - no emails, no phone messages, no text messages, no photos, no content.

CSE collects metadata from the global internet in order to:
- Understand the constantly changing global communications networks to know how to find legitimate foreign targets in a sea of billions of bits of communications.
- Ensure our intelligence collection is directed at foreign targets outside of Canada.

The purpose of the exercise was to develop a model to help us find legitimate foreign targets - terrorists, hostage takers, foreign intelligence agents.
For example, we may have hostages taken in a foreign city - possibly Canadians or citizens of one of our allies. How do we find our foreign targets in a sea of billions and billions of communications?

This exercise involved using a snapshot of historical metadata collected from the global internet. No data was collected through any monitoring of the operations at any airport.

This was not and is not an operational surveillance program.

No Canadians' private communications were targeted, collected or used. We did not use this data to identify any individual Canadian or person in Canada. As with all of our activities, measures were in place and applied to protect the privacy of Canadians.

The independent CSE Commissioner has recently looked into this issue and has publicly noted that this analysis did not involve "mass surveillance" or tracking of Canadians or persons in Canada. No CSE activity was directed at Canadians or persons in Canada.

Q.2 Q.3 SHORT FORM RESPONSE THEREAFTER

- As I have already outlined in detail in my recent appearance before Senate committee, the activity described in the document was an exercise to develop a mathematical model for the sole purpose of finding legitimate foreign targets under our legal mandate for foreign intelligence. No data was collected from monitoring the operations at any Canadian airport and no private communications were collected. The independent CSE Commissioner has looked into this matter and publicly confirmed that this analysis did not involve any 'mass surveillance', that no Canadians or persons in Canada were tracked, and that no activity was directed at Canadians or persons in Canada.

How was the data that was collected used?

The data was used to build an analytical model of typical patterns of network activity around a public internet access point.

This analytical model can help us fulfill our mandate in two ways:
- It helps us to narrow our search in a foreign remote region or large city -
filtering from millions of possibilities to a few.
- Terrorists or hostage takers will often use public places to access the internet because they are trying to hide in plain sight. This model, which helped to identify typical patterns, helps us to identify where that contact may be coming from - a café, a hotel, an airport.

Further, this model can save time and work during an incident where time is critical. It increases our chance of success. I am aware of at least 2 cases where this model has been used in the past year to help identify foreign terrorist threats.

The collection and use of metadata to analyze and understand the global internet for the purpose of targeting foreign entities outside Canada is authorized under the National Defence Act.

If your business is foreign intelligence, why would you collect Canadian metadata or look at travellers in Canada?

Metadata is technical information used to route communications, and not the contents of a communication. CSE cannot and does not single out Canadian metadata for collection.

The internet is large and complex, involving 3.5 billion users and 1800 petabytes of information that travel the globe each day, ignoring geographic and national boundaries. This complexity of global communications networks means that Canadian communications are comingled with international communications. In this context it is impossible for CSE to collect exclusively foreign metadata.

Metadata is required to ensure our activities are directed at foreign targets outside of Canada. For example, we must be able to use metadata to know when one of our foreign targets may be entering Canada. In which case, we must cease any intelligence coverage and, through intelligence reporting, advise the RCMP and CSIS so they can conduct any further follow-up.

More importantly, metadata is essential to fulfill our mandate to collect foreign intelligence.
CSE uses metadata analysis techniques, such as those described in the document, to develop an understanding of the global networks used by our foreign intelligence targets.

Foreign terrorist targets actively seek to hide in plain sight, to disguise their communications in the bustle and noise of urban life in order to evade detection. It is essential for any foreign intelligence agency to be able to better understand the types of networks foreign targets use and how their behaviours might appear on those networks. For this reason, metadata is also used to build models to understand how networks operate in order to locate our legitimate foreign intelligence targets outside Canada.

How can you say that this activity was legal when the law says you cannot direct your activities at Canadians or persons in Canada?

CSE is authorized to acquire information from the global information infrastructure in order to provide foreign intelligence under the National Defence Act.

To fulfill this mandate, CSE is authorized to collect and analyze metadata from the global information infrastructure.

We use metadata to understand global communications networks so that we can find our targets in a vast sea of communications, and direct our activities at these legitimate foreign intelligence targets outside Canada in order to better understand their capabilities and intentions.

Foreign and Canadian communications are intermingled on these communications networks which are complex, vast, borderless and rapidly changing. As a result, CSE collects and analyses metadata, so that we can better understand these networks, and so that we can ensure we are only directing our foreign intelligence activities at foreign targets outside of Canada.

That's what this exercise was: analyzing a snapshot of historical metadata from the global internet to build an analytical model of typical network activity patterns around a public access point like an airport.
We did not use this data to identify any individual Canadian or person in Canada.

The sole purpose of the model was to better understand what these patterns look like so that we can more effectively and quickly direct our foreign intelligence activities at legitimate foreign targets, such as terrorists and hostage-takers.

This use of metadata is authorized under the National Defence Act. Both the collection and use of metadata in this case was in accordance with the conditions set out in the current Ministerial Directive on metadata. The first Ministerial Directive, which accounted for this kind of network analysis, was signed in 2005. A new Ministerial Directive was submitted by my predecessor and signed by the Minister in 2011.

- Our collection and use of metadata, including network analysis, has specifically been reviewed by successive Commissioners six times since 2003, the most recent of which was submitted to the Minister in 2011, and were found to be lawful. The Commissioner has approved in 2012 a new review of metadata. Metadata is the kind of topic that the Commissioner regularly looks at and we are happy to cooperate with him in that review.
- The independent CSE Commissioner has also recently looked into this specific issue and has publicly noted that this analysis did not involve "mass surveillance" or tracking of Canadians or persons in Canada. No CSE activity was directed at Canadians or persons in Canada.

Q.5 How can you assure Canadians that their privacy was not violated through this activity?

- The independent CSE Commissioner has recently looked into this issue and has publicly noted that this analysis did not involve "mass surveillance" or tracking of Canadians or persons in Canada. No CSE activity was directed at Canadians or persons in Canada.
- CSE did not collect the content of any private communications.
- In this case, metadata, which does not include the content of a communication, was analysed for the sole purpose of developing an analytical model of patterns of network communication. This model was developed for application in identifying foreign threats.
- We did not use this metadata to identify any individual Canadian or person in Canada.
- All of CSE's activities, including analytic activities involving the use of metadata in this exercise, include measures that protect the privacy of Canadians as well as the privacy of persons in Canada. These include conditions imposed by a Ministerial Directive, and which have been clearly articulated in CSE policy.
- The independent CSE Commissioner has reviewed our metadata activities multiple times, and as part of his current efforts, he is conducting another review of our use of metadata. He has never found CSE to have acted unlawfully. In fact, he has specifically noted our culture of lawful compliance and genuine concern for protecting the privacy of Canadians.

Q.6 Q.7

We recognize and acknowledge that many of our activities, including the collection and use of metadata, have privacy implications and we take this seriously. For that reason within CSE there are multiple structures in place to ensure the privacy of Canadians is strictly protected. These include:
- Active monitoring of internal processes and an internal audit and evaluation function;
- A dedicated group of CSE personnel focused exclusively on the development and implementation of operational policies and procedures, as well as embedded policy compliance teams in our operational areas;
- Executive control and oversight;
- An on-site legal team of 8 lawyers from the Department of Justice that works closely to provide independent legal advice to CSE staff; and
- External review by the CSE Commissioner as well as the Privacy Commissioner.
What kind of data did you collect and how was private information protected?

While metadata is largely technical data used to manage and route communications, we recognise that metadata may contain information that has a privacy interest.

Under the National Defence Act and consistent with our other legal obligations CSE must take steps to protect the privacy of Canadians and persons in Canada in its use and retention of information. This includes not only private communications but other information that has a privacy interest.

We do this through concrete steps such as implementing strict controls on the use, retention, sharing and access to this information.

The multiple structures we have in place for process monitoring, policy compliance, executive control, legal advice and external review ensure that these measures to protect privacy are followed.

The CSE Commissioner reviews our measures to protect privacy in every single review he undertakes.

How can you say that Canadians were not tracked?

The independent CSE Commissioner has recently looked into this issue and has publicly noted that this analysis did not involve "mass surveillance" or tracking of Canadians or persons in Canada. No CSE activity was directed at Canadians or persons in Canada.

If CSE were to track anyone, as we do with legitimate foreign targets outside Canada:
- We would need to know who they are;
- We would need to actively locate and find the individual; and
- We would need to monitor their movements in real time.

That was not the purpose or the result of this exercise.

The goal was to build an analytical model of typical patterns of network activity around a public internet access point, like an airport, so that CSE could then apply this model for the purpose of gathering foreign intelligence.
- This work involved a snapshot of historical metadata collected from the global internet.
- We did not use this data to identify any individual Canadian or person in Canada.
- The data was only used to paint a picture of the pattern of network use in certain types of facilities with public internet access. This is what you see in the document, patterns of dots.

Q.8 Who approved this operation?

- Let me clarify that this was not an operation.
- This was an analytic exercise using a snapshot of historical metadata to build a mathematical, analytical model. It was not subject to ministerial approval.
- use of metadata is authorized under the National Defence Act and is subject to conditions set out in a Ministerial Directive that was signed in 2011.

The independent CSE Commissioner regularly reviews CSE activities, including our activities involving metadata.

Q.9 Why did you develop this model in Canada? Why not an airport in another country?

In order to fulfill our mandate to collect foreign signals intelligence in accordance with government intelligence priorities, we need to understand where our foreign targets are and how they communicate on global networks.

In order to understand global networks we conduct network analysis and develop models, for which we require the use of metadata.

This analysis took a snapshot from previously collected metadata and that was then used to test algorithms to describe patterns of public access behaviours on the Internet. This enables us to model how networks operate in order to locate our legitimate foreign intelligence targets, also outside Canada.

- The development of this model was done using a small subset of metadata that we had collected, as authorized under the law.

In order to develop an accurate model we needed a thorough understanding of a network associated with a public internet access point. We used data where the parameters of the network could then be validated through publicly available and geographically accurate information.
This way, when we use the model in a foreign country, where we know little about the conditions, we can be confident that the model is valid, robust and reliable, and will allow us to have high confidence in the accuracy of the resulting analysis.

Q.10 I hear that CSE conducted this activity as a trial run for the NSA and other international partners?

CSE conducts its foreign intelligence activities in accordance with intelligence priorities set by the Government of Canada. CSE did not conduct this activity on behalf of the NSA or any other partner agency.

This was a CSE effort to develop a mathematical analytic model that can refine understanding of communication networks and identify foreign targets.

While we work closely with our allies to address threats that affect our common interests, no foreign partner can ask another to do something it cannot legally do itself.

CSE does not take direction from any outside organization. We are accountable to the Minister of National Defence, the Government of Canada and Parliament.

Q.11 Is this "trial run" now a fully operational program?

Contrary to media speculation, the subject of this slide presentation is an analytical model. It does not represent an operational program. It only illustrates a validation exercise of an analytic technique for application in directing our lawful activities at foreign entities outside Canada, such as foreign terrorist targets.

The independent CSE Commissioner has also recently looked into this specific issue and has publicly noted that this analysis did not involve "mass surveillance" or tracking of Canadians or persons in Canada. No CSE activity was directed at Canadians or persons in Canada.

Q.12 How did you obtain this data about travellers at the airport? Who or what is your "special source"?

No data was collected through any monitoring of the operations of any airport.
To provide more specific details than those already released by the press would reveal highly classified techniques and capabilities. Since this could cause further injury to Canada's national security, I am not permitted under the law to disclose any further details.

If pressed on any particular detail related to methods, capabilities, targets or operations:
- I would be happy to discuss and clarify for the committee the overall nature of the exercise and the analytical model described in the document.
- However, I cannot provide any more specific details that could cause further injury to Canada's national security. That would be contrary to the law.
- While the document has been published, it has been released without proper authorization and still contains highly classified details about techniques and capabilities.

TAB 34

UNAUTHORIZED DISCLOSURE: AIRPORT METADATA ANALYSIS

SPEAKING POINTS:
- CSE's work is vital to the security and safety of Canada and Canadians. By law, CSE only directs its foreign intelligence activities at foreign entities outside Canada.
- The Chief of CSE has appeared before Senate Committee to provide a full description of the analysis undertaken, which was for the sole purpose of finding legitimate foreign targets under legal mandate for foreign intelligence.
- The independent CSE Commissioner has reviewed metadata activities multiple times and has concluded they were lawful.
- Further, the Commissioner has looked into this activity and publicly confirmed that this analysis did not involve any "mass surveillance", that no Canadians or persons in Canada were tracked, and that no activity was directed at Canadians or persons in Canada.
FOR FURTHER INFORMATION:
- Chief, CSE

BACKGROUND INFORMATION
- The January 30, 2014 unauthorized disclosure of details from a highly classified CSE technical deck has led to allegations in the media and in Parliament that CSE is acting unlawfully by conducting mass surveillance and directing its foreign intelligence activities at Canadians. The classified document that was released is a technical presentation that outlines an exercise to build a mathematical model of typical network activity patterns around a public internet access point. The analysis conducted was based on a snapshot of historical metadata from the global internet.
- No data was collected from the monitoring of any airport. No private communications were targeted, collected or used. No data was used to identify any individual Canadian or person in Canada.

Last Updated: February 28, 2014
Approved by: Chief, CSE

The sole purpose of the model was to better understand what these network activity patterns look like so that CSE can more effectively and quickly direct its foreign intelligence activities at legitimate foreign targets, such as terrorists and hostage-takers who often seek to hide in plain sight by using public internet access points.

The use of metadata to better understand global networks is essential to the fulfillment of foreign intelligence mandate.

CSE acquires and analyses metadata pursuant to its mandate as set out in the National Defence Act and subject to all of the restrictions of the Act, including the restrictions on directing activities at Canadians or any person in Canada and the requirement to have measures in place to protect the privacy of Canadians.
Any metadata-related activities are also subject to applicable ministerial directives, applicable ministerial authorizations, and various other policies and procedures put in place to provide comprehensive protection for the privacy of Canadians and persons in Canada.

The CSE Commissioner has reviewed CSE metadata activities multiple times and has concluded they were lawful. The CSE Commissioner is currently conducting another review of CSE's metadata activities. Recently, the CSE Commissioner has posted an update to his website noting that he has looked into this specific activity and confirming that the analysis did not involve any "mass surveillance", that no Canadians or persons in Canada were tracked, and that no activity was directed at Canadians or persons in Canada.

TOP SECRET
s.15(1) - DEF

Communications Security Establishment Canada / Centre de la sécurité des télécommunications Canada

IP Profiling Analytics & Mission Impacts

Tradecraft Developer
CSEC - Network Analysis Centre
May 10, 2012

Example IP Profile Problem

- Target appears on IP address, wish to understand network context more fully
- Example Quova look-up response
  - Lat. 60.00 Long: -95.00 (in frozen tundra W. of Hudson Bay)
  - City: unknown
  - Country: Canada, Operator: Bell Canada, Sympatico
- Issues with IP look-up data:
  - is it actually revealing, or is it opaque
  - is the data even current, or is it out-of-date
  - was the data ever accurate in the first place

Objectives

- Develop new analytics to provide richer contextual data about a network address
- Apply analytics against Tipping & Cueing objectives
- Build upon artefact of techniques to develop new needle-in-a-haystack analytic
  - contact chaining across air-gaps

Analytic Concept - Start with Travel Node

- Begin with single seed Wi-Fi IP address of intl.
  airport
- Assemble set of user IDs seen on network address over two weeks

Profiling Travel Nodes - Next Step

- Follow IDs backward and forward in recent time

Earlier IP clusters of: / Later IP clusters of:
  other intl. airports; domestic airports; major intl. hotels; etc.
  local hotels; domestic airports; local transportation hubs; local internet cafes; etc.

IP Hopping Forward in Time

- Follow IDs forward in time to next IP
  - note delta time
- Next IP sorted by most popular:
- Can then take seeds from these airports and repeat to cover whole world
- Ditto for going backward in time, can uncover roaming infrastructure of host city: hotels, conference centers, hotspots etc.

Data Reality

- The analytic produced excellent profiles, but was more complex than initial concept suggests
- Data had limited aperture
  - Canadian Special Source - major CDN ISPs team with US email majors, losing travel coverage
- Behaviour at airports
  - little lingering on arrival; arrivals using phones, not WiFi
  - still, some Wi-Fi use when waiting for connecting flight/baggage
  - different terminals: domestic/international; also private lounges
- Very many airports and hotels served by large Boingo private network
  - not seen in aperture; traffic seems to return via local Akamai node

Tradecraft Development Data Set

- Have two weeks worth of data from Canadian Special Source
- Had program access to Quova dataset connecting into Atlas database
- Had seed knowledge of a single Canadian Airport WiFi IP address

Hop Geo Profile From CDN Airport Intl.
Terminal

[Plot: longitude axis ("Long"); longitude scale is non-linear. Legend: profiled/seed IP location: square = geographic location; hopped-to IP location: line height = numbers of unique hopped-to IPs at location.]

- most far-flung sites are wireless gateways with many other wireless gateways in set
- Plot of where else IDs seen at seed IP have been seen in two weeks
- Plot shows most hopped to are nearby - confirming reported seed geo data

Effect of Invalid Information

[Plot: longitude axis ("Long"); longitude scale is non-linear. Legend: profiled/seed IP location: square = geographic location; hopped-to IP location: line height = numbers of unique hopped-to IPs at location.]

- Geo incongruence: displacement of seed location from distribution center strongly suggests data error
- Effect of invalid seed geo information readily apparent

Hop-Out Destinations Seen

- Other domestic airports
- Other terminals, lounges, transport hubs
- Hotels in many cities
- Mobile gateways in many cities
- Etc.

"Discovered" Other CDN Airport IP

- Domestic terminal
- Closeness of majority of hopped-to confirms geo data
- But, domestic airport can also look like a busy hotel

IDs Presence Profile at "Discovered" Airport

[Plot: x-axis Time/days. Each horizontal line shows presence pattern of one ID, sorted by order of appearance.]

- Dominant pattern is each ID is seen briefly, just once - as expected

Profiles of Discovered Hotel

- Many IDs present over a few days

Profiles of Discovered Enterprise

[Plot: x-axis Time/days]

- Regular temporal presence (M-F) with local geographic span
- Contrasts well against travel/roaming nodes

[Plot: x-axis Time/days]
[Plot: x-axis Time/days]

- Similar patterns of mixed temporal & local geographic presence

Discovered Wireless Gateway

[Plot: x-axis Time/days]

Partial Range Profile of Wireless Gateway

[Plot: y-axis Number of IDs seen on each IP; x-axis Individual IP number in range of 8. Legend: ID Total on IP; Common IDs.]

- For wireless gateway, range behaviour is revealing
- Most IDs seen on an IP are also scattered across entire range
- ID totals traffic across full range is very high

Mission Impact of IP Profiling

- Tipping and Cueing Task Force (TCTF)
  - a 5-Eyes effort to enable the SIGINT system to provide real-time alerts of events of interest
  - alert to: target country location changes, webmail logins with time-limited cookies etc.
- Targets/Enemies still target air travel and hotels
  - airlines: shoe/underwear/printer bombs
  - hotels: Mumbai, Kabul, Jakarta, Amman, Islamabad, Egyptian Sinai
- Analytic can hop-sweep through IP address space to identify set of IP addresses for hotels and airports
  - detecting target presence within set will trigger an urgent alert
  - aim to productize analytics to reliably produce set of IPs for alerting

IP Profiling Summary

- Different categories of IP ownership/use show distinct characteristics
  - airports, hotels, coffee shops, enterprises, wireless gateways etc.
  - clear characteristics enable formal modeling developments
  - clear identification of hotels and airports enables critical Tipping & Cueing tradecraft
- Geo-hop profile can confirm/refute geo look-up information
  - later could fold-in time deltas for enhanced modeling
- Can "sweep"
  a region/city for roaming access points to IP networks
  - leads to a new needle-in-a-haystack analytic

Tradecraft Problem Statement

- A kidnapper based in a rural area travels to an urban area to make ransom calls
  - can't risk bringing attention to low-population rural area
  - won't use phone for any other comms (or uses payphones)
- Assumption: He has another device that accesses IP networks from public access points
  - having a device isn't necessary, could use internet cafes, libraries etc.
  - he is also assumed to use IP access around the time of ransom calls
- Question: Knowing the time of the ransom calls can we discover the kidnapper's ID/device
  - "contact chain" across air-gap (not a correlation of selectors)

Solution Outline

- With earlier IP profiling analytics, we can "sweep" a city/region to discover and determine public accesses
- We can then select which IP network IDs are seen as active in all times surrounding the known ransom calls
  - reduce set to a shortlist
- Then we examine the reduced set of IP network IDs and eliminate baseline heavy users in the area that fall into the set intersection just because they are always active
  - that is, eliminate those that are highly active outside the times of the ransom calls
  - hopefully leaves only the one needle from the haystack

First Proof-of-Concept

- Swept a modest size city and discovered two high traffic public access ranges with >300,000 active IDs over 2 weeks
  - used for initial expediency due to computational intensity
- Presumed that there were 3 ransom calls, each 50 hours apart during daytime, looked for IDs within 1 Hr of calls
  - reduce large set to a shortlist of just 19 IP network IDs
- Examined activity level of 19 IP network IDs
  - how many presences each had in 1 Hr slots over two weeks
  - main worry as the computation was running: there would be a lot of IDs that showed just a handful of appearances: e.g.
    3, 4, 5 instances

ID Presence Shortlist

[Plot: x-axis Time/hour-slots. Each horizontal line shows presence of ID over time/hour-slots. Annotation: Postulated presence of kidnapper/target.]

- Happy result: least active ID had appearances in 40 hour-slots!
- Thus could eliminate all, leaving just the kidnapper (if he was there)

Big-Data Computational Challenge

- All the previous analytics, while successful experimentally, ran much too slowly to allow for practical productization
- CARE: Collaborative Analytics Research Environment
  - a big-data system being trialed at CSEC
  - non-extraordinary hardware - minimal impedance between memory, storage and processors
  - highly optimized, in-memory database capabilities
  - columnar storage, high performance vector functional runtime
  - powerful [illegible] challenging (derived from APL)
- Result of first experiments with CARE: game-changing
  - run-time for hop-profiles reduced from 2+ to several seconds
  - allows for tradecraft to be profitably productized

Overall Summary

- IP profiling showing terrific value
  - significant analytic asset for IP networks and target mobility
  - enables critical capability within Tipping & Cueing Task Force
  - working to productize on powerful new computational platform
  - broader SSO accesses/apertures coming online at CSEC
  - look to formalize models - fold-in timing deltas
- A new needle-in-a-haystack analytic is viable: contact chaining across air-gaps
  - enabled by sweep capability of IP profiling
  - should test further to understand robustness with respect to loosening assumptions of target behaviour
  - beyond kidnapping, tradecraft could also be used for any target that makes occasional forays into other cities/regions

Pages [illegible] are duplicates.