World leaders may be fretting over whether the NSA bugged their phones, but Canadian government officials aren't particularly worried—they bought theirs directly from the agency. A survey of procurement records kept on public government websites reveals that Canada has spent over $50 million purchasing a bevy of secure communications equipment from the largest branch of the American intelligence community.
There are at least 100 different contracts listed, the earliest of which date back to 2004. They include procurements of telephones, fax machines, and cryptographic cards for encrypting calls, all bought from the NSA.
In all, 29 different government departments and agencies procured hardware from the NSA. Among them are law enforcement agencies like the Canadian Security Intelligence Service, Canadian Border Services, Public Safety, the RCMP (the mounties), and the Department of Defence, to which about half the contracts are attributed. The list also includes Agriculture Canada, Justice Canada, and the Department of Foreign Affairs and International Trade. Independent bodies like the Immigration and Refugee Review Board, the Canadian Nuclear Safety Commission and the National Energy Board all purchased equipment from the NSA, too.
Motherboard reached out to all the departments who procured the equipment, and some confirmed their receipt. A Canadian Heritage spokeperson said that the department purchased "secure phones, faxes and encryption cards to link all of its offices, including its five regional offices and its headquarters to allow for secure transmission of information and conversations." The National Energy Board also confirmed the purchase of "three secure telephones" with "the associated sort of access cards that go with them."
Ultimately, Public Works and Government Services Canada insisted on commenting on behalf of the federal government. A spokesperson said that all of the contracts were made on behalf of Communications Security Equipment and Components (COMSEC).
“COMSEC is a combination of various equipment that allows for secure voice and data transmission," the spokesperson said in an emailed statement. "Having secure transmissions prevents unauthorized interceptors from accessing telecommunications on networks including voice, video and data." Public Works also confirmed that “the US government owns the intellectual property rights to the cryptologic components that provide for secure voice and data transmission.”
The contracts are scattered across publicly accessible government websites—some posted to obscure departmental portals as part of transparency initiatives, while others were added to a government procurement website sometime in the last year. They were categorized under an array of different terms—"communications security equipment and components," "cryptologic equipment and components," "Radio and television communication equipment, except airborne," "telephone and telegraph equipment" and, in the case of one contract valued at $96,010.97, "miscellaneous manufactured articles."
Many departments refused to specify the exact nature of the equipment, so it’s impossible to know the totality of the hardware that was purchased. Public Works, however, did confirm that the Canadian Government may have procured video and data transmission hardware from the NSA.
To be sure, the NSA is a world leader in cryptography, and like any US government agency, does plenty of business with private contractors. The Department of Defense strikes deals with private contractors and allied governments for material goods all the time, and on its face, the NSA selling phones to an allied government isn't particularly out of the ordinary.
But considering the NSA has tapped the lines of foreign leaders in the past, it's concerning that several key Canadian communication systems would have been outsourced to the American agency. Incidentally, the last Canada-NSA contract was dated August 5, 2013, less than a week after details emerged about the NSA program to bug European Union offices, including that of German Chancellor Angela Merkel.
Canada's Privy Council Office (PCO)—the department that provides “essential advice and support to the Prime Minister and Cabinet,” as well as handling procurement for Prime Minister Stephen Harper’s Office—tendered more than $750,000 worth of the NSA contracts. A spokesperson for the Privy Council refused to say whether the Prime Minister’s phone itself was purchased from the NSA. But there’s certainly evidence that communications equipment obtained from the NSA is being operated at the highest levels of government.
“If not his line, it could be the National Security Advisor’s,” said Christopher Parsons, a postdoctoral fellow at the Citizen Lab in the Munk School of Global Affairs, a group that monitors surveillance issues. Harper’s National Security Adviser, is Stephen Rigby, an influential figure who is allegedly the first in line to deliver daily security briefings to the prime minister.
Rigby is no stranger to the NSA, either. He traveled to Washington, DC in 2011 to tour NSA headquarters, according to disclosure documents. That visit accounts for one of at least three meetings between the Privy Council Office and the NSA. The first—between PCO Executive Director Gregory Fyffe and NSA intelligence agent David Moore in February 2004—took place just before the initial contract was tendered.
A government spokesperson told Motherboard that Public Works managed the procurement for these contracts, yet many of the documents list one agency—for example, the House of Commons—as the end user, but designate the Communications Security Establishment (CSE) as the end user office. The CSE is Canada's equivalent of the NSA, and Motherboard reached out for more details on the contracts. The agency confirmed that it was the receiving office for the hardware. The CSE maintains that the NSA did not build the products, per se—rather, that the procurement from American manufacturers needed NSA sign-off before it could go forward.
“When CSE requests authorization from the NSA for the purchase of a type of cryptographic equipment, and NSA approves the request, a letter of authorization is provided to the US manufacturer and to CSE,” a spokesperson said in an email statement, noting that once the NSA and CSE sign off on the equipment, Public Works take over the process. It’s not clear which private industry is manufacturing this material in the United States.
NSA data used to spy on Merkel. Image: Wikimedia Commons
NSA documentation for that procurement program makes it clear that the agency is very much involved in developing and vending the products. One brochure, the Commercial Solutions for Classified Customer Handbook, details several requirements for any corporation that wants to participate in the American government program, and adds that the NSA may enter into an agreement “which may stipulate other requirements for the particular technology.”
Many of the Snowden documents show that the NSA uses backdoor solutions to spy on its target with a program called Jetplow. But if Canadian officials did end the contracts because of revelations by Snowden, it would be understandable: NSA documents leaked to the Guardian show the American spy apparatus had been eavesdropping on the calls of 35 unnamed world leaders—and it’s still unclear if Harper is among them.
Technically, the Canadian Prime Minister shouldn't have to worry about being snooped on. Declassified information on the so-called Five Eyes partnership—an intelligence-sharing agreement between America, Canada, the United Kingdom, Australia, and New Zealand—supposedly forbids the five friendly governments from snooping on each other. But we don’t know what caveats exist in that agreement, because it’s kept top secret. We do know, however, that the NSA was operating in Toronto during the G8 and G20—and that CSE knew about it. That sort of cooperation, Parsons says, is to be expected by the Five Eyes partners.
“There is of course a concern that in the Five Eyes agreement there is an proviso that members of the Five Eyes network can engage in surveillance on other partners if it’s in their sovereign interest,” Parsons said.
Meanwhile, documents leaked by Snowden prove that the agency considered unilaterally snooping on Australian citizens—an allied country and Five Eyes member state. Even so, Canadian government officials are insisting there is nothing to worry about. “The standard security provisions for both Canada and the US were applied for each requirement,” Public Works says.
So if the NSA does have the capability, under what circumstances might it listen in on the Canadian government without its knowing?
“It’s not fully clear," Parson said. "It’s possible that if POTUS or an equivalent executive officer of the American government were doing something and they wanted to provide protection or they were concerned about a trade negotiation or nuclear safety—things that are going to be at the absolute height of an American government’s agenda.” Parsons says that Washington might tap Ottawa’s lines in those “exceptional” cases.
“The question that would arise is whether or not, for deeply sensitive issues that affect the Canadian interest and possibly are detrimental to the American interests, whether there are other security measures being taken,” said Parsons. While he noted that many departments have staff trained to deal with top-secret material—and not to communicate over the phone—it nonetheless remains likely that sensitive information is being passed along this secure phone system.
It’s unclear how the equipment was purchased prior to 2004, which is the first year that government departments began disclosing contracts valued over $10,000, but Parsons says the decline of Canadian telecommunications giant Nortel in the early 2000s may have sent Ottawa scrambling for a secure replacement. Nor is it clear if any Canadian companies meet the security requirements to produce this sort of cryptographic equipment. What is clear is that for the last ten years, the Canadian government has been relying on the American intelligence community to supply its secure communications systems—whether or not that's cause for alarm, then, depends on how much it trusts the NSA.