Sunday, September 28, 2014

Harper, CSEC, and metadata

Comments made by Prime Minister Stephen Harper in New York on September 24th have raised questions about CSEC's use of metadata and about how well the prime minister understands CSEC's activities.

The comments came in an exchange between the prime minister and Wall Street Journal editor-in-chief Gerard Baker during a live interview in front of a New York business audience:
Baker: How do you deal with this challenge between, on the one hand, individual liberty and the need for security? Canada is a country which takes very seriously the notion of human rights and individual rights and is understandably protective of those, and yet, you know, there has been this whole furore here in the United States and around the world about government surveillance. And yet we're starting to see that perhaps some of that government surveillance actually, whether you like it or not, is perhaps necessary actually to avert some of these threats and to stop some of these radicalized people coming and doing these terrible things. How do you get that balance right between on the one hand protecting the security of your people and preserving their right to go about their lives?

Harper: Well, I think broadly the answer to that is actually quite straightforward—which is that you focus your energies: you have, obviously, a system that can identify potential threats, track them, and zero in on surveillance on those particular threats, as opposed to systems that are just broadly based on widespread surveillance of everyone. I’m not a big believer in those kinds of systems, not just because they have the potential to infringe civil liberty, but they usually overwhelm you with data in a way that you can’t actually process or make any use of. So the real challenge, I think, is using these tools, and using them in a way that you can focus in on the people you know are actually going down the wrong path. Just as, frankly, we would do with much traditional crime: we try and focus on people we know become associated with criminal gangs or criminal activity. We don't focus on entire cities or entire populations from which they come.

Baker: Yeah, but, again, the U.S. law enforcement authorities would say that—especially the use of metadata to figure out patterns in phone conversations and that kind of stuff—that's how you do sift down this enormous amount of data, and you can establish that in order to do that effectively, to trace whether some guy in Buffalo is planning to either fly out to the Middle East or blow up a plane somewhere, it's very important to detect patterns in that guy's mobile phone conversations at home and abroad. And that's how you do it, isn't it? Isn't that how you do it?

Harper: Well, they may say that.

Baker: Do you do that in Canada?

Harper: We don't do that in Canada. We don't use metadata as a surveillance tool. And as you note we have had not only radicalized individuals, we have broken up plots and actions of individuals who were planning terrorist actions, and we've done that through targeted, on-the-ground surveillance of people.
Transcription by me. You can watch the entire exchange here (discussion starts around 2:40).

If the prime minister's comments were intended to deny that CSEC uses metadata at all, then he was certainly wrong and should have known better.

CSEC's reliance on metadata has been acknowledged officially many times. CSEC Chief John Forster testified in April, for example, that the agency uses metadata
for three things. One is to understand global communication networks, so we use it to analyze networks so that when we're searching for a foreign target, it helps us to find where our best chance of success is in identifying targets in a sea of billions of communications. Two, we use it to make sure that we're actually targeting a foreign communication and not a Canadian communication. Three, we use metadata to help us detect and identify cyber-attacks against government systems and the information they contain. We can only use metadata either to understand global networks and analyze them, or to define our foreign targets. We don't use it to identify or target Canadians.
It is possible that the prime minister was wrong or was simply being disingenuous, but I suspect his remarks were actually, as their context suggests, intended specifically to refer to the possible use of domestic Canadian metadata to systematically analyze the telephone and/or internet activities of Canadians in order to identify previously unknown suspicious individuals or activities.

The NSA does "contact chaining" searches through both domestic and international metadata, including metadata concerning its Five Eyes allies, and it also does broader, "pattern of life" searches through at least some of that data. We also know that at least some Canadian metadata is shared with those allies, and presumably subjected to some of these analyses.

With respect to Canada itself, we know that CSEC has access to a significant amount of Canadian metadata (although how comprehensive, we don't know) and that the agency can be called upon to analyze such data in support of domestic investigations. The 2006 version of OPS-1-10, Procedures for Metadata Analysis, a CSEC policy document, noted that specific procedures exist for handling domestic metadata analysis: "Metadata analysis conducted in support of Federal Law Enforcement or Security Agencies (LESAs) to obtain Security or Criminal Intelligence (mandated under paragraph 273.64(1)(c) of the NDA, known as ‘Mandate C’) is handled only in accordance with OPS-4-1, Procedures for CSE Assistance to Canadian Federal Law Enforcement or Security Agencies, and OPS-4-2, Procedures for CSE Assistance Under Section 12 of the CSIS Act."

In April 2014, Chief Forster confirmed CSEC's continued support to domestic agencies in this respect: "Again, although we collect metadata, it's very much limited in its use to our existing mandate, which is foreign intelligence collection and cyber-defence. The restrictions we have around that is to understand global networks to find foreign targets. We're not using it to target Canadians or anyone in Canada for our intelligence-gathering activities unless we're assisting CSIS and RCMP under a court warrant." (emphasis added)

Or a few other agencies.

Clearly, CSEC can and does use metadata in support of targeted domestic investigations undertaken by Canadian law enforcement and security agencies. And such support probably includes "contact chaining" analysis of those targets. CSEC can also analyze metadata related to its foreign intelligence targets located outside Canada, even if that data extends back into Canada (e.g., a Canadian telephone number in contact with a target in Yemen).

But can CSEC trawl through Canadian metadata searching for suspicious activities or connections without a direct connection to a specific individual targeted for specific reasons?

I think perhaps this is what the prime minister was saying CSEC does not do.

It would be interesting to know if this is indeed what he meant, and if so, if he was right.

News coverage:

- "Stephen Harper says Canadians' metadata not collected," Toronto Star, 25 September 2014
- "Stephen Harper on Canada's spy agency," The National (CBC), 25 September 2014

Update 30 September 2014:
And Question Period (26 September 2014) once again proves useless for bringing any clarity to the issue.

Thursday, September 25, 2014

Forster provides words

CSEC Chief John Forster has given a low-entropy "interview" to something called Global Government Forum:

Graham Scott, "Interview: John Forster, Chief of the Communications Security Establishment (CSE), Canada," Global Government Forum, 24 September 2014:
What is CSE For?

There are around 2200 staff in CSE, who will soon be in a new purpose-built facility with cutting-edge technology. At their head is John Forster, a man who has been a Canadian public servant for over 30 years. What does he see as his primary role?

‘As the Chief of CSE, it is a pleasure to lead an exceptional organization and work with some of the brightest public servants in Canada. I see my role in helping to create an organization and climate where their talents, expertise and commitment can flourish for the benefit of Canada.

‘To do that we need clarity of mandate; a vision of what we need to do to be successful five years from now; an environment that supports innovation and collaboration; a facility and technology that allows us to excel in meeting the needs of our clients and partners; a policy framework and culture of lawfulness and protecting the privacy of Canadians; and a commitment to recruit, retain and develop the skills and people we need to succeed.

‘Delivering on our mission to protect Canadians from global threats, while at the same time managing a significant transition in the organization is both daunting and exciting.’
He could go on. And he does.

Tuesday, September 23, 2014

CSEC in the limelight has released a new and very slick video about CSEC: How much does spy agency CSEC know about your private life?

OpenMedia has been doing great work raising awareness about electronic snooping and other issues related to the future of the Internet, and the video is well worth a watch.

But it's quite off target in my view, in terms both of the degree to which Canadian communications are likely to be collected by CSEC and of the legality of the activities that CSEC does undertake.

There is good reason to believe that CSEC is scrupulous about obeying the law as it is interpreted for the agency by the Department of Justice. Whether all of those interpretations would survive a court challenge is open to question, of course, and there is some chance that we will eventually get an answer to that question.

But the fact that CSEC's activities are, in the eyes of the government, legal does not erase all of the possible privacy, liberty, security, and public benefit concerns that can be raised about those activities or those of CSEC's Five Eyes allies. OpenMedia would do better to focus on those issues, in my view, than on the narrow question of legality.

Justin Ling has more on the OpenMedia campaign here: "The New Offensive On Canadian Government Spying," Motherboard, 22 September 2014.

There's a nice irony in the fact that one of the "usual suspects" that Ling notes supports the campaign is Amnesty International. Amnesty's founder, Peter Benenson, was a codebreaker at Bletchley Park during the Second World War, and he worked in the same section as Kevin O'Neill, who later became Chief of CSE.

Other recent items of interest:

- Ben Makuch, "Canada's Spy Agency Partnered with Quebec's Hackfest to Recruit New Hackers," Motherboard, 17 September 2014.

- Matthew Braga, "Cyber Insecurity: What we don’t know about Canada’s digital spy agency," The Walrus, October 2014. Good piece.

Monday, September 22, 2014

Metadata sharing through GLOBALREACH

Last month's Intercept report on ICREACH, NSA's program for sharing metadata with the broader U.S. intelligence community, also contained some information about GLOBALREACH, a similar program for sharing metadata among the Five Eyes countries.

As explained in the article (Ryan Gallagher, "The Surveillance Engine: How the NSA Built Its Own Secret Google," The Intercept, 25 August 2014),
The creation of ICREACH represented a landmark moment in the history of classified U.S. government surveillance...

“The ICREACH team delivered the first-ever wholesale sharing of communications metadata within the U.S. Intelligence Community,” noted a top-secret memo dated December 2007. “This team began over two years ago with a basic concept compelled by the IC’s increasing need for communications metadata and NSA’s ability to collect, process and store vast amounts of communications metadata related to worldwide intelligence targets.”

The search tool was designed to be the largest system for internally sharing secret surveillance records in the United States, capable of handling two to five billion new records every day, including more than 30 different kinds of metadata on emails, phone calls, faxes, internet chats, and text messages, as well as location information collected from cellphones. Metadata reveals information about a communication—such as the “to” and “from” parts of an email, and the time and date it was sent, or the phone numbers someone called and when they called—but not the content of the message or audio of the call. ...

In 2006, NSA director Alexander drafted his secret proposal to then-Director of National Intelligence Negroponte. ...

Alexander explained in the memo that NSA was already collecting “vast amounts of communications metadata” and was preparing to share some of it on a system called GLOBALREACH with its counterparts in the so-called Five Eyes surveillance alliance: the United Kingdom, Australia, Canada, and New Zealand.

ICREACH, he proposed, could be designed like GLOBALREACH and accessible only to U.S. agencies in the intelligence community, or IC.

A top-secret PowerPoint presentation from May 2007 illustrated how ICREACH would work—revealing its “Google-like” search interface and showing how the NSA planned to link it to the DEA, DIA, CIA, and the FBI. Each agency would access and input data through a secret data “broker”—a sort of digital letterbox—linked to the central NSA system. ICREACH, according to the presentation, would also receive metadata from the Five Eyes allies.

The aim was not necessarily for ICREACH to completely replace [the earlier CIA-hosted] CRISSCROSS/PROTON, but rather to complement it. The NSA planned to use the new system to perform more advanced kinds of surveillance—such as “pattern of life analysis,” which involves monitoring who individuals communicate with and the places they visit over a period of several months, in order to observe their habits and predict future behavior.
The documents released by The Intercept in conjunction with its report can be found here.

The system began operating on a pilot project basis in 2007.

The following graphics from the May 2007 presentation (see pages 31 and 33 of the documents) show that data brokers had already been created to facilitate metadata sharing between NSA and GCHQ, and that brokers were planned for the other Five Eyes agencies, CSE, DSD (now ASD), and GCSB.

The presentation also showed (see page 21) that NSA databases already contained metadata concerning roughly 126 billion telephone "call events" obtained from Second Parties (mostly probably pertaining to communications outside their own countries), but that no Digital Network Information (Internet-related) metadata had "yet" been provided by the Second Parties.

Notes taken at a Five Eyes metadata-sharing conference hosted by GCHQ in 2008 (page 44 of the documents) indicate that "Second Party derived data" had not at that point been "made available to US Intelligence Community (IC) (domestic) agencies" (as opposed to the NSA itself), but that this broader access was being sought. "In the hope that such agreement will be forthcoming, NSA has persuaded other US IC agencies to make almost 100 bn previously NOFORN records [in the PROTON database] shareable with the 5-eyes via GLOBALREACH."

The conference also discussed the willingness of NSA's partners to share metadata relating to their own nationals/residents. DSD indicated that it was able to "share bulk, unselected, unminimised metadata as long as there is no intent to target an Australian national – unintentional collection is not viewed as a significant issue. However, if a ‘pattern of life’ search detects an Australian then there would be a need to contact DSD and ask them to obtain a ministerial warrant to continue."

CSEC, by contrast, was of the view that "bulk, unselected metadata presents too high a risk to share with second parties at this time, because of the requirement to ensure that the identities of Canadians or persons in Canada are minimised". Re-evaluation of this stance was underway at the time of the conference, the notes indicate, but a 2013 report by the CSE Commissioner indicated that CSEC continues to "[suppress] Canadian identity information in metadata and reports shared with the Second Parties". The same statement does confirm, however, that at least some minimized Canadian metadata is indeed shared. (And, of course, it remains possible for the relevant Canadian identity information to be provided if the other party can produce what may well be little more than a form letter justifying its provision.)

NSA, for its part, indicated that "Sharing unmasked US identifiers with second party SIGINT partners will be easier than with some US domestic partners.” (See page 43.)

The Intercept report notes that the total number of metadata records shared through ICREACH (and presumably GLOBALREACH) is "more than 850 billion". In fact, the total is likely to be much larger than that. By 2007 the databases were growing by about 570 billion records a year (page 22), and the annual collection rate has almost certainly increased substantially in the years since.

Older records may well have been purged of course, but even assuming no increase in collection and, for the sake of argument, a short, five-year data retention period, the total number of metadata records available must be close to three trillion. The actual number could be many trillions higher than that.

In addition, as The Intercept reported, "The intelligence community’s top-secret 'Black Budget' for 2013… shows that the NSA recently sought new funding to upgrade ICREACH to 'provide IC analysts with access to a wider set of shareable data.'"

Use of Five Eyes-related metadata is also getting more extensive. On 29 November 2010, the NSA's SID Management Directive 424 changed the procedures regarding metadata analysis to "permit contact chaining, and other analysis, from and through any selector, irrespective of nationality or location, in order to follow or discover valid foreign intelligence targets." As this document explains, "The impact of the new procedures is two-fold. In the first place it allows NSA to discover and track connections between foreign intelligence targets and possible 2nd Party or US communicants. In the second place it enables large-scale graph analysis on very large sets of communications metadata without having to check foreignness of every node or address in the graph."

What procedures are in place to protect the privacy of Canadians during such analyses?

As former NSA Director Michael Hayden famously said, "We kill people based on metadata". It is not impossible to imagine occasions when a Canadian might end up on the wrong end of a Hellfire missile, a practice we used to call "extrajudicial execution".

In his most recent annual report, the CSE Commissioner reported that he began, this year, to include "disclosures of Canadian identities to second party partners" in his annual review of disclosures of Canadian identity information.

Friday, September 12, 2014

August 2014 CSEC staff size


(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Sunday, August 31, 2014

CSEC flunks history

CSEC has a seven-sentence section of its website that purports to tell the story of CSEC's origins as the CBNRC (The Beginning: The Communications Branch of the National Research Council).

Among the few actual details provided in the section is the following statement: "On September 3, 1946, the 179 former employees of the XU and JDU came back to work together at their new jobs in the CBNRC under the direction of retired Lt. Col. Edward Drake."

That's not really quite right.

The CBNRC's initial approved establishment was 179 positions, but the agency was nowhere near that size when it commenced operations. In fact, it was only a little over one third of that size.

At least that's what it says on page 2 of Chapter 3 of Volume I of CSEC's classified History of CBNRC:
The number of people actually available at the start as opposed to the establishment figure was very small and only grew gradually. Mr. Drake's original recommendations of August 1946 were approved by NRC and formed the starting team of 62 civilians. One year appointments were given to 12 ex-Service people (all NCOs) and 7 civilians (including several ex-WRCNS (Women's Royal Canadian Naval Service) who had been released from the Navy earlier). Three year appointments, which were curiously called "permanent", were given to 20 ex-Service people and 23 civilians. To illustrate the modest speed of growth from the original staff of 62 toward the approved establishment of 179, some figures in 1947 were: March - 73, May - 80, and October - 95.
[Update 14 September 2014: Kurt Jensen's book Cautious Beginnings: Canadian Foreign Intelligence, 1939-51 reports that "it was not until 1949 that the CBNRC... reached the original staffing level of 179 positions." (p. 160)]

Also, it was just the Joint Discrimination Unit (JDU) that "was transferred to the NRC, first in a transitional way as the Communications Research Centre (CRC) on 1 July 1946, then finally with its name changed to CBNRC and all staff transferred to NRC on 1 September 1946" (History of CBNRC, Volume I, Chapter 1, page 3). The Examination Unit (XU) had not existed for over a year by the time CBNRC began operations. (That said, a significant proportion of the XU staff had been transferred to the JDU at the latter's creation on 1 August 1945, and thus a large number of the personnel who ended up comprising CBNRC's initial staff did come originally from the XU.)

The account on CSEC's Before the Beginning; the Examination Unit and the Joint Discrimination Unit page is similarly garbled.

The apparent contradiction in start dates, on the other hand, is not a problem. As page 1 of Chapter 1 of the History reports, "In 1946, the 1st of September fell on a Sunday, and Monday was of course Labour Day; so in fact it was on Tuesday 3 September that the staff of CBNRC arrived at work, all in civilian clothes for the first time, and all occupying positions on the establishment of the National Research Council."

Thursday, August 28, 2014

Comments on CSE commissioner's report III

Some final comments on aspects of the CSE commissioner's 2013-14 report, which was released by the Office of the CSE Commissioner (OCSEC) on August 20th (initial comments here and here):

More important than ever?

The signals intelligence efforts of the western allies during the Second World War made a very important contribution to the conduct of the war, and the post-war continuation of those efforts played a vitally important role during the Cold War. We can be pretty sure that the Canadian government considered its participation in those efforts and its access to their output during those times to be extremely valuable to Canada.

That dramatic history notwithstanding, last year's annual report by the CSE commissioner told us that the Five Eyes "alliance may be more valuable now than at any other time, in the context of increasingly complex technological challenges."

The declassified version of one of the commissioner's recent reports to the minister of national defence indicated that this assessment came from CSEC itself: "According to CSEC, the Five-Eyes alliance is more valuable now than at any other time in history, given the increasingly complex technological challenges faced by the partners."

In this year's annual report, the commissioner elaborated on that statement, explaining that "This cooperative alliance may be more valuable to Canada now than at any other time, in the context of increasingly complex technological challenges added to dynamic international affairs and threat environments."

Some of us may tend to doubt that the SIGINT alliance is more important now than at any time in the past. But if budgets can be taken as a measure of the importance ascribed to an activity by the government, then it is pretty clear that this government agrees with the CSEC/OCSEC assessment.

Bright new idea: Let the guy in charge know what's going on

One of the key issues with respect to the possible misuse of Five Eyes agency powers has always been the degree to which the various agencies might be used to spy on each other's domestic communications, thus evading their own laws against domestic spying. Such deliberate evasion, we are always assured, does not take place. But it is certainly true that the Five Eyes agencies do end up sometimes collecting communications involving or concerning persons in other Five Eyes countries and that they do sometimes share that information with the agency of the country concerned. The question of how often and how systematically this occurs is thus of rather considerable importance. (See Wayne Easter's acknowledgement of the practice here.)

You might think, therefore, that the minister responsible to parliament for the agency—the guy who is always assuring us that the privacy of Canadians is entirely safe in his hands—might have some idea of the extent to which this Second Party end-run occurs. You might even expect him to insist on knowing.

But no.

This year's report discusses the question of information about Canadians received from CSEC's Second Party partners (and also the question of information shared by CSEC with those partners), and one of the things it reveals is that, as of the date the commissioner's review was conducted, the minister had never received any reporting from CSEC on the number of Canadian communications or the amount of information about Canadians that CSEC received from the Second Parties: "CSEC has not reported to the Minister of National Defence details, for example, regarding communications involving Canadians or information about Canadians that have been shared by its second party partners."

Fortunately, that lapse is set to change.

The commissioner's report notes that, "to support the Minister of National Defence in his accountability for CSEC and as an additional measure to protect the privacy of Canadians, [previous] Commissioner Décary recommended that CSEC report such details to the Minister on an annual basis." According to the commissioner, the minister has accepted that recommendation, and another one calling for a ministerial directive to lay out the parameters of information sharing with the Second Parties and related privacy protections.

So score one for OCSEC.

Sharing, sharing, sharing

Also on the topic of sharing, the report notes that
Commissioner Décary was unable to assess the extent to which CSEC’s second party partners follow [existing] agreements and protect the private communications and information about Canadians in what CSEC shares with the partners. CSEC does not as a matter of general practice seek evidence to demonstrate that these principles are in fact being followed.

While CSEC uses indicators that it believes provide sufficient assurance that the Second Parties are honouring their arrangements, it did not initially demonstrate knowledge or provide evidence of how its second party partners treat information relating to Canadians. During the conduct of this review, CSEC declined to provide the Commissioner’s office with a description of or a copy of relevant extracts of second party policies on the handling of this information. CSEC also declined at that time to identify for the Commissioner’s office any specific differences — large or small — between respective partners’ laws, policies and practices and how this may affect the partners’ protection of the privacy of Canadians. CSEC suggested at that time that review of second party authorities and activities pertain to the Second Parties and not to the lawfulness of CSEC activities and these questions were therefore outside of the Commissioner’s mandate.
This is not the first time that CSEC has told OCSEC what it can and cannot look at, which I find highly disturbing. I also find it a little strange that OCSEC didn't simply order CSEC to hand the information over. (We are constantly assured, and indeed the National Defence Act affirms, that the CSE commissioner has "all the powers of a commissioner under Part II of the Inquiries Act.")

Be that as it may, CSEC Chief John Forster did eventually relent on the question:
Subsequent to Commissioner Décary sending his classified report to the Minister of National Defence, the new Chief of CSEC, Mr. John Forster, re-examined CSEC’s initial position, sought permission from second party partners, and provided the Commissioner’s office with detailed documentation relating to respective second party policies and procedures on the treatment of information about Canadians. This is one example of Chief Forster’s positive leadership to promote increased transparency of CSEC activities and to support review by my office.
Is it churlish to note that it only took Mr. Forster a year and a half or so after becoming the new Chief to get around to demonstrating that "positive leadership"?

Give the man a gold star.

Still, score another one for OCSEC.

The system works!

Reading this year's report, it is clear that OCSEC is proceeding from triumph to triumph. Fair enough.

I think the commissioner is straining a bit, however, when he declares that the Mosley mess is an example of the system working:
Some have suggested that this matter points to a failure of the review bodies to help control the intelligence agencies. On the contrary, these events demonstrate how review works, as Justice Mosley was alerted to this following Commissioner Décary’s recommendations. It also demonstrates how review bodies — in this case the Commissioner’s office and SIRC — can cooperate and share information within existing legislative mandates.
OK. OCSEC recommends that CSEC advise CSIS to inform Justice Mosley that CSIS and CSEC have been eliciting the assistance of Second Parties to help monitor Canadians abroad, something they deliberately chose not to tell Mosley when CSIS applied for the warrants to do the monitoring in the first place. CSEC does as the commissioner recommends, and CSIS (as far as we can tell) then ignores the commissioner's suggestion entirely. Later on, Justice Mosley happens to read OCSEC's public report and decides to investigate on his own. Hilarity ensues.

That's the system working?

I dunno. Maybe OCSEC sent Mosley a copy of the 2012-13 annual report and said you might want to read pages 21 to 25. In fact, you definitely want to read pages 21 to 25.

But it still seems like a pretty ad hoc way to get results.

For all that CSE commissioners have been gradually increasing the proportion of intelligible information in their traditionally obscurantist annual reports (and to that I say BZ!), it seems to me that if the privacy of Canadians depends on key people extracting actionable intelligence from the Delphic pronouncements typically found in those documents, we're all in deep trouble.

Cooperation with review agencies in 2nd parties

The commissioner reports that he plans to look into the possibility of working cooperatively with the review mechanisms that exist in other Five Eyes countries:
In the coming months, I will explore options to cooperate with review bodies of second party countries to examine information sharing activities among respective intelligence agencies and to verify the application of respective policies. A number of Canadian and international academics have referred to an accountability gap concerning an absence of international cooperation among review bodies. These researchers suggest that growing international intelligence cooperation should be matched by growing international cooperation between review bodies. I will examine opportunities for cooperation.
Sounds like a worthwhile Canadian initiative to me.

A 2009 paper by University of Ottawa law professor Craig Forcese, The Collateral Casualties of Collaboration, got a shout-out in this regard in the commissioner's classified report on second party cooperation.

Wi-fi ho hum

CSEC's infamous "Airport wi-fi" project gets some discussion, but precious little explanation, in the commissioner's report (more here and here):
When the media suggested that CSEC had illegally tracked the movements and on-line activities of persons at a Canadian airport, we were briefed by CSEC. We questioned the CSEC employees involved and examined results of the activity. Based on our investigation and on our accumulated knowledge, I concluded that this CSEC activity did not involve “mass surveillance” or tracking of Canadians or persons in Canada; no CSEC activity was directed at Canadians or persons in Canada.
And that's about as detailed as his explanation gets.

Here are the comments made by some obscure law professor by the name of Craig Forcese (who happens to specialize in national security law) back in January.

We did eventually learn the basis of CSEC's position that no "tracking" took place. Perhaps unsurprisingly, it all comes down to the definition of tracking (see mid-way through this post). Apparently you can't be "tracked", even if they follow you around, if they haven't bothered to find out exactly who you are.

As for "directed at", it appears that this term refers only to activities designed to collect information about specific individuals. Thus, according to CSEC and the commissioner, CSEC can acquire and analyze metadata that pertains almost exclusively to Canadians or persons in Canada (as demonstrated here) without that activity being considered "directed at" Canadians or persons in Canada.

Thus, we are told, the kind of thing CSEC did in the "airport wi-fi" experiment isn't a problem.

Others are less sanguine about the legalities of CSEC metadata collection and use (including that Forcese guy again).

The Supreme Court's R. v. Spencer judgment in June makes CSEC's, and the commissioner's, position on metadata even more questionable (yup, Forcese again), but to be fair to the commissioner, that ruling came out too late to be considered in this report.

Will it be discussed in next year's report? I can't say I'm confident it will be, but the commissioner did promise to keep an eye on the topic:
My review has identified some important questions, which I will continue to examine in the coming year, including: what are the vulnerabilities and risks to the privacy of Canadians imposed by new technologies that CSEC uses to collect and analyze metadata? How and to what extent can privacy protections be built directly into the technologies and processes used by CSEC for metadata collection and analysis? I will report on the results in my next public annual report.

What about the gazebo?

The question of NSA (and CSEC) spying on the G8/G20 summits, and the legality of such activities, also came up during the last year.

My own view is that spying did take place, that CSIS and CSEC took the lead, and that it was entirely legal.

But others had different views. The commissioner's report says nothing on the topic.