Documents released by US whistleblower Edward Snowden show the Communications Security Establishment Canada (CSEC) used airport Wi-Fi to track passengers from around the world.
Travelers passing through a major Canadian airport were potentially caught up in a vast electronic surveillance net, which allowed the nation’s electronic spy agency to track the wireless devices of thousands of airline passengers - even for days after they had departed the terminal, a document obtained by CBC News revealed.
The document shows the spy agency was then able to track travelers for a week or more as the unwitting passengers, together with their wireless devices, visited other Wi-Fi "hot spots" in locations across Canada, and across the border at American airports.
The CBS report said any place that offered Wi-Fi internet access, including "airports, hotels, coffee shops and restaurants, libraries, ground transportation hubs" was vulnerable to the surveillance operation.
After reviewing details of the leaked information, one of Canada's leading authorities on internet security says the secret operation was almost certainly illegal.
"I can't see any circumstance in which this would not be unlawful, under current Canadian law, under our Charter, under CSEC's mandates," Professor Ronald Deibert, an internet security expert at the University of Toronto, told CBC News.
It remains unclear from the leaked data how CSEC was able to infiltrate so many wireless devices to see who was using them, both on Canadian territory and beyond.
Deibert said the intelligence agency must have gained direct access “to at least some of the country's main telephone and internet pipelines,” thereby gaining access to an enormous amount of emails and phone calls placed by Canadians.
Meanwhile, for those who are comforted by the thought that the spy agency was only collecting the metadata on Canadian wireless devices, which excludes the personal content of communications, Deibert had some sobering news.
Metadata is "way more powerful that the content of communications. You can tell a lot more about people, their habits, their relationships, their friendships, even their political preferences, based on that type of metadata," he told CBC News.
The CSEC is specifically tasked with gathering foreign
intelligence by intercepting overseas phone and internet traffic,
and is forbidden by law from collecting information on Canadians
- or foreigners in Canada - without a court warrant.
As CSEC Chief John Forster recently stated: "I can tell you that we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada.
"In fact, it's prohibited by law. Protecting the privacy of Canadians is our most important principle."
However analysts who were privy to the document say that airline passengers in a Canadian airport were clearly on the territory of Canada.
CSEC spokesperson Lauri Sullivan told the Star, an online Canadian news outlet, that the “classified document in question is a technical presentation between specialists exploring mathematical models built on everyday scenarios to identify and locate foreign terrorist threats.”
Disclosure of the program puts those techniques at risk, she said.
Early assessment of the leaked information indicates the passenger tracking operation was a trial run of a powerful new software program CSEC was developing with help from its American partner, the National Security Agency.
The technology was to be shared with the so-called 'Five Eyes' surveillance bloc composed of Canada, the United States, Britain, New Zealand and Australia.
In the document, CSEC described the new spy technology as "game-changing," saying it could be used for powerful surveillance on "any target that makes occasional forays into other cities/regions."
Sources told CBC News the “technologies tested on Canadians in 2012 have since become fully operational.”
CSEC claims "no Canadian or foreign travelers' movements were 'tracked,'" although CBC News questioned in its report why the comment "put the word "tracked" in quotation marks."
Canada's two largest airports — Toronto and Vancouver — both say they have never supplied CSEC or other federal intelligence agency with information on airport passengers' Wi-Fi communications.
Alana Lawrence, a spokesperson for the Vancouver Airport Authority, was quoted as saying it provides free Wi-Fi access at the facility, but does "not in any way store any personal data associated with it," not has it ever received a request from a spy agency for the data.
US-based company, Boingo, the largest private supplier of Wi-Fi services at Canadian airports, says it has not cooperated with Canada's intelligence agency's on any surveillance operations.
"To the best of our knowledge, [Boingo] has not provided any information about any of our users to the Canadian government, law enforcement or intelligence agencies," spokesperson Katie O'Neill told CBC News.
Ontario's privacy commissioner Ann Cavoukian admitted she is "blown away" by news of the secret operation.
"It is really unbelievable that CSEC would engage in that kind of surveillance of Canadians," Cavoukian told the Canadian news agency. "This resembles the activities of a totalitarian state, not a free and open society."