New secret documents leaked by Snowden reveal that CSE monitors millions of Canadian emails to Government, but privacy advocates criticized how CSE does it.
The national broadcaster Canadian Broadcasting Corporation (CBC), citing a 2010 NSA documents, revealed that the Canadian Intelligence monitors visits to government websites and scans about 400,000 emails per day for suspicious content, links or attachments, in order to protect the Homeland security. The surveillance activity run by the CSE allows the Intelligence to alert the Government in case of cyber attacks and to take countermeasures to protect computer networks from threat actors.
“The emails are vacuumed up by the Canadian agency as part of its mandate to defend against hacking attacks and malware targeting government computers. It relies on a system codenamed PONY EXPRESS to analyze the messages in a bid to detect potential cyber threats.” states a report published by the Intercept.
The Intelligence is doing much more, electronic eavesdropping activity includes Canadians’ electronic tax returns, emails to members of Parliament and passport applications. The documents reveal that the CSE also holds on to metadata, which identifies who sent an email, as well as when and where.
One id the top-secret documents dated from 2010 suggests the CSE may be covertly mining data directly from Canadian Internet cables.
“processing emails off the wire” is reported in the document.
Under Canada’s criminal code, the CSE is not allowed to eavesdrop the communications of Canadians.
“But the agency can be granted special ministerial exemptions if its efforts are linked to protecting government infrastructure — a loophole that the Snowden documents show is being used to monitor the emails.” states the Intercept
Privacy advocates are contesting the CSE agency for retention of sensitive data for months or years in some cases.
“While government cybersecurity is important, there is clearly no cybersecurity need to retain people’s private information for months or even years,” David Christopher of the non-profit OpenMedia, which advocates for an open Internet.
The CSE confirmed that the Agency doesn’t maintain emails if they don’t contain any cyber threat or information of interest.
“Under its cyber security mandate, CSE collects data and metadata that is relevant and necessary to understand the nature and methods of malicious cyber threats,” the spokesman said. “Data and metadata are deleted according to established data retention schedules that are documented in internal policies and procedures. To provide more detail could assist those who want to conduct malicious cyber activity against government networks.” a CSE spokesman told The Intercept and CBC News.