How Canadian Spies Infiltrated the Internet's Core to Watch What You Do Online

EONBLUE proves the Canadian government is playing a much larger role in monitoring the internet than most might think.

You might not think Canada's digital spies are on par with those in the US and UK—but rest assured, America's northern neighbour is just as capable of perpetuating mass surveillance on a global scale. Case in point: at over 200 locations around the world, spies from Canada's cyberintelligence agency have been monitoring huge volumes of global internet traffic travelling across the internet's core.

​From these locations, Communications Security Establishment (CSE) can track who is accessing websites and files of interest. Its analysts can also log email addresses, phone numbers and even the content of unencrypted communications—and retain encrypted communication for later study, too—as well as intercept passwords and login details for later access to remote servers and websites.

​But perhaps more importantly, tapping into global internet traffic is a means for CSE to monitor, and also exploit, an ever growing list of digital threats, such as vulnerabilities in networks and computers and the spread of malware as well as botnets and the computers under their control. In the process, analysts can keep tabs on both friendly and foreign governments conducting covert cyber attacks and infiltration of their own.

​"We haven't seen very much to date that hasn't been suspected or known about, but it's the scale and breadth of this activity that is so staggering on a daily basis"

Such vast access to the backbone of the internet is achieved through a program called EONBLUE. According to documents disclosed by whistleblower Edward Snowden,  ​and published by Der Spiegel last month, the program is designed to "track known threats," "discover unknown threats," and provide "defence at the core of the Internet."

And while it may be tempting to dismiss this as yet another in a long line of revelations of mass surveillance, it is one of the clearest examples yet that Canada plays no small part in its Five Eyes partnership with intelligence agencies from Australia, New Zealand, the UK, and the US.

The meaning of threats, in this case, is two-fold: cyber attacks on network infrastructure and data, certainly, but also the online activities of terrorists believed to be plotting attacks against the physical world. The EONBLUE program is part of CSE's Global Network Detection operations, which specialize in collecting signals intelligence from the movement of traffic online.

A presentation slide describing EONBLUE. ​Photo via Der Spiegel

While the locations of EONBLUE sites are not disclosed in the documents, one slide makes reference to the internet's "core" and describes EONBLUE's ability to "scale to backbone internet speeds"—implying possible access to telecom operators, data centers, undersea cables and other infrastructure providers worldwide.

Such access would mean that much, if not all of the data, travelling through a location tapped by CSE could be subject to surveillance. Though the agency maintains it cannot legally track Canadians at home or abroad it is hard to fathom how such data could be exempt.

As of November 2010, when the document was dated, EONBLUE had already been under development for over eight years. However, it isn't clear from the slides for how long EONBLUE has been used, or whether it is still in use today.

"We haven't seen very much to date that hasn't been suspected or known about, but it's the scale and breadth of this activity that is so staggering on a daily basis," said Christopher Parsons, a postdoctoral fellow at the  ​Citizen Lab, an interdisciplinary research group that studies global surveillance issues at the University of Toronto's Munk School of Global Affairs.

"It's designed for mass tracking, mass surveillance, on a global level," Parsons said. ​

What you can learn from looking at packets

According to network security researchers consulted by Motherboard, EONBLUE is likely a global-scale implementation of  ​a technology known as Deep Packet Inspection, or DPI.

Such technology works by observing small portions of internet traffic known as packets, and matching the information describing each packet against a library of signatures—including known applications, protocols, network activity, and more. Internet service providers have been known to use DPI technology to identify subscribers using peer-to-peer filesharing protocols such as BitTorrent on their networks, for example. But such devices, generally speaking, can do much, much more.

Depending on how the system is configured, DPI hardware can: log the IP addresses of all users connecting to a website or webpage; log all activity from a certain IP, or blocks of IPs; identify applications being used on the network; look for cookies, email addresses, phone numbers, and other identifiers; identify encrypted traffic, and also the type of encryption used; identify the type of protocol a connection is using (for example, FTP or HTTP); locate the port that network traffic is connecting to or from; and, perhaps most concerning of all, modify certain types of traffic in real-time, in such a way that neither the sender or receiver would know any such tampering took place.

In other words, such a device can be instructed to lay bare your activities online.

"It's difficult to understand how they're doing this without violating the sovereignty and likely the criminal laws of at least some countries, allied countries even, abroad"

It's not clear what, exactly, EONBLUE is configured to monitor, but descriptions of other Canadian intelligence operations that rely on the program do offer some indication. For example, one document says that, thanks to EONBLUE, Canadian intelligence analysts identified a new type of malware, codenamed SNOWGLOBE, that they suspected was the work of French intelligence.

Because EONBLUE monitors network traffic, CSE was able to watch someone log into one of the remote computers, or listening posts, with which SNOWGLOBE communicated, and retrace the malware operator's steps. This enabled Canadian intelligence to login to the listening post themselves, and see the data SNOWGLOBE had transmitted from the computers it had infected.

Another document outlining a roadmap for EONBLUE development references a Canadian version of  ​the infamous US intelligence database XKEYSCORE. At the NSA, XKEYSCORE allowed analysts to query such information as the content of emails, browsing history, telephone numbers and online chats between Facebook users that, until July 2013, were not encrypted by default.

A presentation slide describing CSE's Global Network Detection group. Photo via Der Spiegel

While it's not clear how CSE's XKEYSCORE functioned in practice, it's clear Canadian spies were at least planning to develop a powerful database on par with that of its partner agencies in the US and UK—but using data that had been flagged by EONBLUE.

And previously,  ​Motherboard reported on another CSE program known as LEVITATION. According to documents jointly published by The Intercept and CBC, Canadian spies tracked users downloading certain files from popular filesharing networks worldwide, such as Rapidshare and the now-defunct Megaupload. While there is no explicit link between the two programs in any of the documents that have been publicly released, CSE could have instructed EONBLUE to flag the IP addresses of every user who attempted to access a bomb-making guide, for example, and send that information to a database for later analysis by LEVITATION.

So where does EONBLUE get its data?

While the documents make it clear that EONBLUE relies on access to the internet's core infrastructure—the physical cables and connection points across which most data in a geographic region travels—it's not clear where, exactly, that access occurs.

"It's difficult to understand how they're doing this without violating the sovereignty and likely the criminal laws of at least some countries, allied countries even, abroad," said Tamir Israel, a staff lawyer at the  ​Canadian Internet Policy & Public Interest Clinic (CIPPIC).

A presentation slide referencing SPECIALSOURCE as a source of its data. ​Photo via Der Spiegel​

One slide suggests that EONBLUE sits on-top of existing collection programs, such as SPECIALSOURCE, and  ​sometimes referred to as Special Source Operations (SSO)—a term that has been used in other documents to indicate direct access to fibre-optic cables and ISPs.

In other words, CSE's partner agencies—or another division within CSE itself—are likely responsible for gaining physical access to internet infrastructure, and then making that data available to programs such as EONBLUE.

Curiously, one slide within the document hints at the existence of an Australian extension of EONBLUE operated by Australian Signals Directorate. Another refers to a Canadian special source. Whether that data source is located in Canada, or is a Canadian operator of infrastructure abroad, remains unclear.

"CSE cannot comment further on operations, methods or capabilities, as that would constitute a breach of the Security of Information Act," wrote CSE spokesperson Ryan Foreman in a statement. "Furthermore, we regret that the publication of techniques and methods, based on stolen documents, renders those techniques and methods less effective when addressing threats to Canada and Canadians."

It's hard not to overstate the importance of what's happening here. There are more eyes than we realize watching our data as it travels around the world. And it's programs such as EONBLUE that prove the Canadian government is playing a much larger role in monitoring the internet than most might think—with a prowess that rivals both NSA and GCHQ.