By Ishmael N. Daro & Tannara Yelland
Employees of Canada’s electronic spying agency are told to only speak about their work in vague terms when asked by outsiders, including friends and family, and to keep that information limited to those “who truly have a need to know,” according to documents released to the Albatross under the Access to Information Act.
The secretive Communications Security Establishment Canada, or CSEC, reinforced the need for secrecy last year in the wake of media leaks by former American intelligence analyst Edward Snowden.
In a memo to CSEC staff dated June 26, 2013, spy chief John Forster reminded employees taking time off for the summer to “be mindful of a few things as you’re engaged in casual chats around a BBQ or pool, softball field or soccer pitch.” He suggested stories based on Snowden leaks would lead to uncomfortable questions from friends and family, and asked employees to “please refrain from speculating about what has been reported.”
“You can feel confident in stating that CSEC’s activities are always legal, never directed at Canadians, and reviewed by the Commissioner’s office,” Forster wrote.
Another document, dated August 2013, provides talking points to employees who may find themselves at tradeshows, conferences or recruitment fairs on behalf of CSEC. The provided script — similar to what can be found on CSEC’s website — has bullet points about the legality of the agency’s work, the nature of its collaboration with other countries and the oversight mechanisms intended to keep CSEC from overstepping its legal boundaries.
“We respect the privacy of Canadians,” one bullet point reads. “What we are really about is helping keep Canadians and Canada safe.”
Such groovy lingo is not suggested for use with any members of the media, however. CSEC employees are clearly instructed to avoid speaking to journalists, and to report to the agency’s media relations office any exchanges they may have with “a reporter or [...] someone who later reveals themselves to be a reporter.”
“Remember,” the document warns, “with the media nothing is off the record, and anything you tell them may be reported.”
A confidential 2008 Disclosure of Employment policy also informs employees of the agency’s right “to review anything you wish to publish in any form,” including books, journalistic articles, academic papers and public speeches and presentations.
The restrictions on what spies can tell the outside world are indicative of an agency used to operating in the shadows that has nevertheless been thrust into the spotlight since journalists first started publishing front-page stories about Western spooks collecting phone and internet records on millions of people around the world. Although the bulk of the Snowden leaks have been about the American National Security Agency, revelations have also rocked CSEC by dint of its membership in the 5 Eyes spying network along with the U.S., U.K., Australia and New Zealand.
Despite Forster’s insistence that activities of his agency “are never directed at Canadians,” CSEC has been criticized for its metadata collection program that “incidentally” picks up Canadian citizens’ information.
The most explosive revelation to date was a CBC report in January on CSEC’s use of Wi-Fi hotspots at a Canadian airport to track travellers’ phones and other devices during a two-week trial run of a program that could potentially help in terrorism or hijacking cases. CSEC Commissioner Jean-Pierre Plouffe later ruled that no laws were broken and that “no CSEC activity was directed at Canadians or persons in Canada” — a conclusion that was widely panned by privacy advocates and technology experts.
Given the secretive nature of the agency’s work, and the number of questions employees might face from both curious and suspicious members of the public, CSEC policy appears to be for its spies to identify themselves as generic “Government of Canada” employees, although the precise cover story is blacked out in two of the documents obtained by the Albatross.
Unintended disclosures over social media became particularly concerning to CSEC bosses in August of last year after the Washington Post was able to divine operational details about NSA programs by scouring employees’ LinkedIn accounts. In an internal article titled “What’s on your Social Media account?” written by public affairs director Andy McLaughlin, employees are advised not to identify themselves as CSEC employees online.
“If your job is especially sensitive or involves [redacted] you definitely shouldn’t be advertising your affiliation with CSE [redacted] on social media,” writes McLaughlin. “The benefits of saying you’re a CSE employee simply don’t outweigh the risks. If you feel you need to say something about who you work for, say the Government of Canada [redacted].”
But even if CSEC employees’ LinkedIn profiles are sufficiently shrouded in generalities, the intelligence workers could still be given away by their office swag, of all things. The Disclosure of Employment policy warns that CSEC-branded mugs, hats and what appear to be gym bags are best left at home when travelling abroad. And business cards — if an employee is deemed important enough to get them at all — should contain minimal contact information and “should list a job title for you that is generic and innocuous in nature.”