Net Neutrality Passes in Landmark FCC Ruling to Keep Internet “Fast, Fair, and Open”

In Archive, FCC, Internet, Net Neutrality on February 27, 2015 at 7:16 AM



Today the FCC voted three to two to reclassify broadband Internet access as a common carrier service under Title II of the Communications Act, and forbear from the parts of the Act that aren’t necessary for net neutrality rules. This reclassification gives the FCC the authority to enact (and enforce) narrow, clear rules which will help keep the Internet the open platform it is today.

As expected, the FCC’s new rules forbid ISPs from charging Internet users for special treatment on their networks. They will also reach interconnection between ISPs and transit providers or edge services, allowing the FCC to ensure that ISPs don’t abuse their gatekeeper authority to favor some services over others.

That’s great for making sure websites and services can reach ISP customers, but what about making sure customers can choose for themselves how to use their Internet connections without interference from their ISPs? To accomplish this, the FCC has banned ISPs from blocking or throttling their customers’ traffic based on content, applications or services—which means users, hackers, tinkerers, artists, and knowledge seekers can continue to innovate and experiment on the Internet, using any app or service they please, without having to get their ISP’s permission first.

Even better, the rules will apply to wireless and wired broadband in the same way, so you don’t have to worry that your phone switching from Wi-Fi to a 4G network will suddenly cause apps not to work or websites to become inaccessible. Lots of people use mobile devices as their primary way of accessing the Internet, so applying net neutrality rules to both equally will help make sure there is “one Internet” for all.

So congratulations, Team Internet. We put the FCC on the right path at last. Reclassification under Title II was a necessary step in order to give the FCC the authority it needed to enact net neutrality rules. But now we face the really hard part: making sure the FCC doesn’t abuse its authority.

For example, the new rules include a “general conduct rule” that will let the FCC take action against ISP practices that don’t count as blocking, throttling, or paid prioritization. As we said last week and last year, vague rules are a problem. The FCC wants to be, in Chairman Wheeler’s words, “a referee on the field” who can stop any ISP action that it thinks “hurts consumers, competition, or innovation.” The problem with a rule this vague is that neither ISPs nor Internet users can know in advance what kinds of practices will run afoul of the rule. Only companies with significant legal staff and expertise may be able to use the rule effectively. And a vague rule gives the FCC an awful lot of discretion, potentially giving an unfair advantage to parties with insider influence. That means our work is not yet done. We must stay vigilant, and call out FCC overreach.

The actual order is over 300 pages long, and it’s not widely available yet. Details matter. Watch this space for further analysis when the FCC releases the final order.


Karl Bode/TechDirt:

While the net neutrality rules are incredibly important, the FCC’s decision on municipal broadband may actually wind up being more meaningful over the long run. As we’ve noted for years, neutrality violations are really just a symptom of a lack of competition. Around twenty states now have laws in place — usually based entirely on ISP/ALEC model legislation — that prohibit towns and cities from improving their own broadband infrastructure — even in instances where nobody else will. In some cases these rules even go so far as to prohibit towns and cities from striking public/private partnerships to improve broadband service.

Specifically, the FCC voted 3-2 to approve petitions by EPB Broadband in Chattanooga, Tennessee, and Greenlight in Wilson, North Carolina. Those petitions requested that the FCC use its authority to ensure timely broadband deployment using “measures that promote competition in the local telecommunications market, or other regulating methods that remove barriers to infrastructure investment.” While some politicians have lamented the FCC’s move as a trampling of states’ rights, these individuals ironically have had no problem with ISPs writing state telecom law that tramples those same rights. The justifications for these restrictions have never been coherently supported, and Wheeler was quick to highlight the hypocrisy of the position:

“You can’t say you’re for broadband and then turn around and endorse limits on who can offer it. You can’t say, ‘I want to follow the explicit instructions of Congress to remove barriers to infrastructure investment,’ but endorse barriers on infrastructure investment. You can’t say you’re for competition but deny local elected officials the right to offer competitive choices.”

Needless to say, this is likely only a new chapter in the debate over both issues. The precise wording of the neutrality wording will be debated for months if not years, and you can expect ISP legal action on both fronts aimed at protecting the uncompetitive status quo. It also probably goes without saying that opponents of net neutrality and those who like it when AT&T, Verizon and Comcast are allowed to write protectionist telecom law aren’t taking the day’s events very well. One of the best freakouts of the day belonged to Hal Singer, author of that misleading study we’ve previously debunked claiming that you’d face $15 billion in new taxes under Title II:

While some grieve the death of imaginary “innovation angels,” thousands of others are celebrating a rare instance where Internet activism was able to overcome lobbying cash and push a government mountain toward doing the right thing.

Full Video of FCC Net Neutrality Ruling and Press Conference

World Wide Web Inventor Tim Berners-Lee Statement @ FCC Net Neutrality Ruling

Apple Co-Founder Steve Wozniak Remarks

CAUSE: IARPA Developing Automated Pre-Crime Prediction System Against Cyber-Attacks

In Archive, Big Data, Hacking, IARPA, ODNI, Surveillance on February 27, 2015 at 4:26 AM


Martin Anderson/TheStack:

The Office of the Director of National Intelligence (ODNI) is soliciting the involvement of the private and academic sectors in developing a new ‘precrime’ computer system capable of predicting cyber-incursions before they happen, based on the processing of ‘massive data streams from diverse data sets’ – including social media and possibly anonymized Bitcoin transactions.

In January the Intelligence Advanced Research Projects Activity (IARPA), administrated by ODNI, held a Proposers’ Day Conference for the Cyber-attack Automated Unconventional Sensor Environment (CAUSE) initiative, inviting interest from cyber-security companies including Battelle, RepKnight, Florida Center for Cybersecurity (FC2), Galois Inc., SoarTech, SRA International Inc., Vion, and of course, IBM, which produces technologies used and cited by some of the other vendors in their own proposals.

Dr. Peter Highnam presented the overview on January 21st, initially drawing attention to the interests in the project of no less than 16 major government departments, including the CIA, the Defense Intelligence Agency, the Department of State, the FBI, the Department of Homeland Security and all branches of the US military.

At its core the predictive technologies to be developed in association with the private sector and academia over 3-5 years are charged with the mission ‘to invest in high-risk/high-payoff research that has the potential to provide the U.S. with an overwhelming intelligence advantage over our future adversaries’.

The R&D program is intended to generate completely automated, human-free prediction systems for four categories of event: unauthorized access, Denial of Service (DoS), malicious code and scans and probes which are seeking access to systems.

The CAUSE project is an unclassified program, and participating companies and organizations will not be granted access to NSA intercepts. The scope of the project, in any case, seems focused on the analysis of publicly available Big Data, including web searches, social media exchanges and trawling ungovernable avalanches of information in which clues to future maleficent actions are believed to be discernible.

Program manager Robert Rahmer says: “It is anticipated that teams will be multidisciplinary and might include computer scientists, data scientists, social and behavioral scientists, mathematicians, statisticians, content extraction experts, information theorists, and cyber-security subject matter experts having applied experience with cyber capabilities.”

Battelle, one of the concerns interested in participating in CAUSE, is interested in employing Hadoop and Apache Spark as an approach to the data mountain, and includes in its preliminary proposal an intent to ‘de-anonymize Bitcoin sale/purchase activity to capture communication exchanges more accurately within threat-actor forums…’.

Identifying and categorizing quality signal in the ‘white noise’ of Big Data is a central plank in CAUSE, and IARPA maintains several offices to deal with different aspects of it.

Its pointedly-named ‘Office for Anticipating Surprise’ frames the CAUSE project best, since it initiated it. The OAS is occupied with ‘Detecting and forecasting the emergence of new technical capabilities’, ‘Early warning of social and economic crises, disease outbreaks, insider threats, and cyber attacks’ and ‘Probabilistic forecasts of major geopolitical trends and rare events’.

Another concerned department is the ‘Office of Incisive Analysis’, which is attempting to break down the ‘data static’ problem into manageable mission stages:

1) Large data volumes and varieties – “Providing powerful new sources of information from massive, noisy data that currently overwhelm analysts”

2) Social-Cultural and Linguistic Factors – “Analyzing language and speech to produce insights into groups and organizations.”

3) Improving Analytic Processes – “Dramatic enhancements to the analytic process at the individual and group level.”

The ‘Office of Smart Collection’ develops ‘new sensor and transmission technologies’, with the seeking of ‘Innovative approaches to gain access to denied environments’ as part of its core mission, while the ‘Office of Safe and Secure Operations’ concerns itself with ‘Revolutionary advances in science and engineering to solve problems intractable with today’s computers’.

The CAUSE program, which attracted 150 developers, organizations, academics and private companies to the initial event, will announce specific figures about funding later in the year, and practice ‘predictions’ from participants will begin in the summer, in an accelerating and stage-managed program over five years.

Related Links:

IARPA’s “Janus” Program to “Radically Expand” Facial Recognition Capabilities

Synthetic Environment for Analysis and Simulations

CyberCOP: NSA System Monitors Cyberattacks in Real-Time

MonsterMind: NSA’s Autonomous Cyberwarfare Program

Emotive: New Computer Program Reads Up to 10,000 Tweets a Second to Map Public Sentiment

Persistent Surveillance Systems’ Pre-Crime Aerial Panopticon Watches City-Wide Area, Tracking Everyone

Knightscope K5: Autonomous Data-Collecting Robocop to Predict Crimes

Brain Scans Predict Which Criminals Are More Likely to Reoffend

Islamic State’s “Jihadi John” Identified as Mohammed Emwazi from London: 26-Year-Old Well-Off Westminster Grad, Alleged MI5 Recruit Attempt in 2009

In Archive, ISIS, Islamic State, Jihadi John, MI5, Terrorism on February 26, 2015 at 7:31 PM




The world knows him as “Jihadi John,” the masked man with a British accent who has beheaded several hostages held by the Islamic State and who taunts audiences in videos circulated widely online.

But his real name, according to friends and others familiar with his case, is Mohammed Emwazi, a Briton from a well-to-do family who grew up in West London and graduated from college with a degree in computer programming. He is believed to have traveled to Syria around 2012 and to have later joined the Islamic State, the group whose barbarity he has come to symbolize.

“I have no doubt that Mohammed is Jihadi John,” said one of Emwazi’s close friends who identified him in an interview with The Washington Post. “He was like a brother to me. . . . I am sure it is him.”

A representative of a British human rights group who had been in contact with Emwazi before he left for Syria also said he believed Emwazi was Jihadi John, a moniker given to him by some of the hostages he once held.

“There was an extremely strong resemblance,” Asim Qureshi, research director at the rights group, CAGE, said when shown one of the videos and asked to confirm whether Emwazi could be “Jihadi John.”

“This is making me feel fairly certain that this is the same person,” Qureshi added.

Authorities have used a variety of investigative techniques, including voice analysis and interviews with former hostages, to try to identify Jihadi John. James B. Comey, the director of the FBI, said in September — only a month after the Briton was seen in a video killing American journalist James Foley — that officials believed they had succeeded.

Nevertheless, the identity of Jihadi John has remained shrouded in secrecy. Since Foley’s killing, he has appeared in a series of videos documenting the gruesome killings of other hostages, including four other Westerners, some of whom he personally beheaded. In each, he is dressed in all black, a balaclava covering all but his eyes and the ridge of his nose. He wears a holster under his left arm.

  • August 19 2014: Video in which US journalist James Foley is beheaded
  • September 2 2014: Video in which US journalist Steve Sotloff is beheaded
  • September 13 2014: Video in which British aid worker David Haines is beheaded
  • October 3 2014: Video in which British aid worker Alan Henning is beheaded
  • November 16 2014: Video in which Jihadi John is shown killing a Syrian soldier in a mass beheading, which also shows the head of former US Army Ranger-turned-aid worker Peter Kassig
  • January 20 2015: Video in which Jihadi John is seen standing alongside two Japanese hostages and demanding a ransom in exchange for their release
  • January 31 2015: Video in which Japanese journalist Kenji Goto is beheaded

The Kuwaiti-born Emwazi, in his mid-20s, appears to have left little trail on social media or elsewhere online. Those who knew him say he was polite and had a penchant for wearing stylish clothes while adhering to the tenets of his Islamic faith. He had a beard and was mindful of making eye contact with women, friends said.

He was raised in a middle-class neighborhood in London and on occasion prayed at a mosque in Greenwich.

London flat that is reportedly the former home of Mohammed Emwazi

The friends, who spoke on the condition of anonymity because of the sensitivity of the investigation, believe that Emwazi started to radicalize after a planned safari in Tanzania following his graduation from the University of Westminster.

Emwazi and two friends — a German convert to Islam named Omar and another man, Abu Talib — never made it on the trip. Once they landed in Dar es Salaam, in May 2009, they were detained by police and held overnight. It’s unclear whether the reason for the detention was made clear to the three, but they were eventually deported.

Emwazi flew to Amsterdam, where he claimed that an officer from MI5, Britain’s domestic security agency, accused him of trying to reach Somalia, where the militant group al-Shabaab operates in the southern part of the country, according to e-mails that he sent to Qureshi and that were provided to The Post.

Emwazi denied the accusation and claimed that MI5 representatives had tried to recruit him. But a former hostage said Jihadi John was obsessed with Somalia and made his captives watch videos about al-Shabaab, which is allied with al-Qaeda.

The episode was described in the Independent, a British newspaper, which identified Emwazi as Muhammad ibn Muazzam.

Emwazi and his friends were allowed to return to Britain, where he met with Qureshi in the fall of 2009 to discuss what had happened. “Mohammed was quite incensed by his treatment, that he had been very unfairly treated,” Qureshi said.

Shortly afterward, Emwazi decided to move to his birthplace, Kuwait, where he landed a job working for a computer company, according to the e-mails he wrote to Qureshi. He came back to London twice, the second time to finalize his wedding plans to a woman in Kuwait.

In June 2010, however, counterterrorism officials in Britain detained him again — this time fingerprinting him and searching his belongings. When he tried to fly back to Kuwait the next day, he was prevented from doing so.

“I had a job waiting for me and marriage to get started,” he wrote in a June 2010 e-mail to Qureshi. But now “I feel like a prisoner, only not in a cage, in London. A person imprisoned & controlled by security service men, stopping me from living my new life in my birthplace & country, Kuwait.”


Court papers naming Emwazi from 2011 (via BBC)

Nearly four months later, when a court in New York sentenced Aafia Siddiqui, an al-Qaeda operative convicted for the attempted murder of U.S. personnel in Afghanistan, Emwazi expressed sympathy for her, saying he had “heard the upsetting news regarding our sister. . . . This should only keep us firmer towards fighting for freedom and justice!!!”

In the interview, Qureshi said he last heard from Emwazi in January 2012, when Emwazi sent him an e-mail seeking advice.

“This is a young man who was ready to exhaust every single kind of avenue within the machinery of the state to bring a change for his personal situation,” Qureshi said. In the end, he felt “actions were taken to criminalize him and he had no way to do something against these actions.”

Close friends of Emwazi’s also said his situation in London had made him desperate to leave the country. It’s unclear exactly when he reached Syria or how.

One friend said he believed Emwazi wanted to travel to Saudi Arabia to teach English in 2012 but was unsuccessful. Soon afterward, the friend said, he was gone.

“He was upset and wanted to start a life elsewhere,” one of the friends said. “He at some stage reached the point where he was really just trying to find another way to get out.”

Once in Syria, Emwazi contacted his family and at least one of his friends. It’s unclear what he told them about his activities there.

A former hostage who was debriefed by officials upon release said that Jihadi John was part of a team known as “The Beatles,” guarding Western captives at a prison in Idlib, Syria, in 2013. The hostages nicknamed the facility “the box.” Emwazi was joined by two other men with British accents, including one who was dubbed “George.” A former hostage said Emwazi participated in the waterboarding of four Western hostages.

Former hostages described George as the leader of the trio. Jihadi John, they said, was quiet and intelligent. “He was the most deliberate,” a former hostage said.

Beginning in early 2014, the hostages were moved to a prison in the Syrian city of Raqqa, the Islamic State’s de facto capital, where they were visited often by the trio. They appeared to have taken on more powerful roles within the Islamic State.

About the same time, Qureshi said, he sent an e-mail to Emwazi.

“I was wondering if you could send me your number,” he wrote. “Inshallah [God willing] it will be good to catch up.”

There was no response.



Emwazi’s identity was confirmed by a senior British security official, who said that the British government had identified Emwazi some time ago but had not disclosed his name for operational reasons. The identification was also confirmed in Washington by a senior United States military intelligence official.


The naming of Mohammed Emwazi as “Jihadi John” means it is not the previously suspected British-born rapper Abdel Bary, who had been named by non-government sources in October 2014. However, Bary is still a terrorist wanted internationally.


MailOnline has published the first unmasked photo of Emwazi as a child at St. Mary Magdalene Church of England primary school in west London.


Sky News has obtained the first adult photo of Emwazi from his University of Westminster student records.




Emwazi Emails Detail Holland Interrogation and Alleged MI5 Attempt to Recruit Him as Informant in 2009 (via CAGE):

“As soon we landed and came out of the plane 4 armed men were waiting for us. It was the Schiphol airport in Holland and the men were policemen. They took us three specifically, they checked our passports. They were waiting for three men and had our name cards. So we went with them at least we felt more comfortable with them. This was Europe much closer to home. So we trusted them with our passports and did not ask many questions. We just said if you want to make sure and double check, then do it. So they took us downstairs to the immigration floor. We were waiting downstairs and they had our passport doing all the checks. They called us one by one. A man came in who was the head of immigration in the airport.”

Then they were subjected to the first stage of actual interrogation. In Tanzania officers questioned them through the cell taking notes, but it was more informal questioning. It was in the airport that each was called individually to an interrogation room. His friend was first and then Emwazi was called:

“When my friend came back in the room Nick wanted to see me, so I went in. There was this main guy in immigration. Two other men were also in the room. One was Fernando and the other was Nick. He said to me, “Mohammed you have to enter this cell now and my colleagues Nick and Fernando are going to ask you some questions.” I said that what if I do not want to enter the cell. He said, “Well you are not under arrest to be honest”. Then Nick stood up and started saying that we will let you know, we will let you know just enter the cell. He spoke in a cockney accent as if he was from back home. So we entered the cell and all three of us sat down. He introduced himself and his colleague. He said this is Fernando from Dutch intelligence. I thought ok. And then he said I am Nick from MI5. When he said that I thought wow! I can’t believe it. Am I so special?  First I got spotted down and now MI5. This is a major thing. He said to me, “Mohammed not many people get to speak to MI5 so consider yourself lucky.” Like this was a major joke. Then he asked me to introduce myself. I said, “My name is Mohammed. I live in west London. I have just finished my degree so we booked our holiday and came here.” He asked me to tell him about my holiday plan. He asked me to start off from the beginning as how we reached here and everything. As we told you early on that we booked the train from that to ferry and from ferry to the plane. So I told him everything. So he said ok and did exactly the same thing as he did to my friend, in that he took out a map. I remember the map was labelled as East Africa. It was only for those areas. So he took out the map, slammed it on the table and said ok tell me now where were you going.

So he pointed to the map and said ok this is Tanzania and tell me where you were going. I said, “no, this is east Africa and I pointed out towards Tanzania and said this is Tanzania and this is where I was going as my ticket says departure 22nd of May and return on the 21st of June. So he said where else did you want to go? I said to him, “well I have not bought any other ticket. This is the only ticket I booked. Do you know if I have booked any other ticket? This is the only ticket I have going to and coming back from Tanzania. That is it.” He said to me, “no, I think you are lying and you wanted to go to Somalia.” And I just looked at him and said, “why the hell would I want to go to Somalia, where a civil war is going on?” he asked me that how did I know that there is a civil war in Somalia. I asked him if he reads the news or not? Did he not have a TV at home? I said to him that I had a TV at home which tells me that there is a civil war in Somalia so why would I choose to go there? And then I said to him, “Nick my friend, look! In the map there is Tanzania and above that is Kenya and then above that is Somalia. How would I have crossed Kenya to go to Somalia? It is a totally different country.” He just got baffled and then he said that oh, you might have someone in Tanzania to take you over there. I asked him that who I would have there. I have no relation over there, I do not know anyone. I did not know anyone in Amsterdam either. I said to him that it was a holiday and you do not go to places for holiday where only you know people. Whatever you do, wherever you go it is all part of holiday and it stays there. That is how I felt. Then he said that at the end of the day they had been following us and watching us closely. I told him that it was news to me and I had no idea about it. He knew everything about me; where I lived, what I did, the people I hanged around with. He also believed that I was lying and I wanted to go to Somalia. 
Then he made a face and said, “I am going out of the cell now and by the time I come back,  I want you to think about what do you want to say to us.” I said to him that before you go out you have to tell me that what you want from me. He said that he wanted the truth. I said, “Bloody hell! I just told you what was our plan and where were we going and you still think that I am lying. What do you want from us?” he pointed out his finger at me and said to me, “Don’t try to play smart and lie on my face. Don’t try to fool me. YOU WANTED TO GO TO SOMALIA.” I said to him that I have just shown you my ticket for going to Tanzania. Now the argument had started going back and forth, same thing again and again, like in a circle. He just wanted to force it out of my mouth that I intended to go to Somalia. But I stood firm and maintained that I had no reason to go to Somalia. I was in Tanzania, how could I force enter into Kenya? How could have we managed that. So eventually he said ok, go Mohammed. He wanted my phone number before letting me go. He said that he was going to keep in touch and call me regularly. He even said that he would try to visit me. But I refused and told him that I did not want him to pay me a visit. He again said that he was going to keep a check on me and keep a close track of all my activities. It was like a threat. Then I was let go and went back to the immigration office with my friends…”

But after Emwazi explained how he planned only to go on holiday with the logical points set out above, the MI5 agent drifted away from accusing him of terrorism. He moved to courting him to work for the MI5. Emwazi recalled exactly what was said to him:

“Listen Mohammed: You’ve got the whole world in front of you; you’re 21 years old; you just finished Uni – why don’t you work for us?”

All this was said in front of the Dutch Intelligence officer. He asked Emwazi to help them out, telling him that this was an opportunity for him – not a lot of people got to meet MI5.

Emwazi told them he would not work for them and that, being a normal person, there was nothing he could even help them with.

At this, the MI5 agent’s tone became much more disturbing. He began speaking of freedom and Emwazi responded:

“I’m free, if I’m not going to work with you it doesn’t mean I’m going to go to prison does it?”

While assuring him that he would not go to prison for this, he issued a threat letting him know:

“You’re going to have a lot of trouble …you’re going to be known…you’re going to be followed…life will be harder for you.”

The last thing Emwazi received from the agent was his number on a piece of paper and the words:

“We’ll see you in London mate.”

The other two friends went through a similar interrogation with the same questions and offer to work for them.

The three were made to then book their own tickets back to the UK and were taken to the ferry.



Two medics who met the Islamic State militant known as Jihadi John in Syria have described him as a quiet man hiding an adrenaline junkie streak and a “gung ho” attitude.

The British men were working at a hospital in Syria near the Turkish border when they came across the militant – named today as London man Mohammed Emwazi – as he visited friends who were injured and sick.

Speaking on condition of anonymity, the men told ITV News they had previously known of Emwazi in London but never met until they came across him separately during stints in the war-torn country in 2013, some months before he became known as Jihadi John for his role in a series of videos showing the killing of hostages.

The medics said at the time they met Emwazi in Syria, he was unmarried and was a fighter with the al Nusra Front. He later switched allegiance to Islamic State.

A man who wore full combat gear at all times, even in safe areas during the full heat of summer, he earned his high-ranking position through his aggressive behaviour.

He was, they said, a man with “nothing to lose”, and who was “always ready for war”.

“From what I’ve heard, from the way that he deals with difficult incidents, is that he seems to be someone with not really much to lose … There have been incidents where there have been run-ins at check points and he’s dealt with people in a sort of way – a careless manner, gung-ho manner, with disregard for his own life and safety.”

They said he was “caring” towards his friends in hospital, bringing fizzy drinks, Haribo sweets and ice cream for them – contrasting sharply with the expensive gun and extra rounds he carried into the health centre.

“He was caring towards his friends … his friends seemed to like him, he was relaxed … At the same time he also seemed to be quite prepared. He was kitted out completely. He wandered into the hospital armed, and I had to ask him to remove his weapon … He was coordinating something on the phone.”

Emwazi had a strong dislike of Britain, they said, and scowled when the country was mentioned. He would only admit to being “kind of” British when asked, and usually identified as Yemeni-Kuwaiti, speaking Arabic as a first language.

They also revealed Emwazi was known in Syria by his Islamic name, Abu Muharib al-Yemeni – a sign of his rejection of his British roots.

The men said they were “shocked” when they found out for certain that Emwazi was indeed the militant who had become known as Jihadi John, saying they had not anticipated he could be so brutal.

“There was nothing too remarkable about him as a person. He was normal – as normal as fighters get.”

The medics have since spoken to UK police about their experiences in Syria.

PONY EXPRESS: CSE Spying on Canadians’ Emails to Government

In Archive, Canada, CSEC, NSA Files, Surveillance on February 25, 2015 at 10:42 PM



Ryan Gallagher/Glenn Greenwald/TheIntercept/CBC:

Canada’s electronic surveillance agency is covertly monitoring vast amounts of Canadians’ emails as part of a sweeping domestic cybersecurity operation, according to top-secret documents.

The surveillance initiative, revealed Wednesday by CBC News in collaboration with The Intercept, is sifting through millions of emails sent to Canadian government agencies and departments, archiving details about them on a database for months or even years.

The data mining operation is carried out by the Communications Security Establishment, or CSE, Canada’s equivalent of the National Security Agency. Its existence is disclosed in documents obtained by The Intercept from NSA whistleblower Edward Snowden.

The emails are vacuumed up by the Canadian agency as part of its mandate to defend against hacking attacks and malware targeting government computers. It relies on a system codenamed PONY EXPRESS to analyze the messages in a bid to detect potential cyber threats.


Last year, CSE acknowledged it collected some private communications as part of cybersecurity efforts. But it refused to divulge the number of communications being stored or to explain for how long any intercepted messages would be retained.

Now, the Snowden documents shine a light for the first time on the huge scope of the operation — exposing the controversial details the government withheld from the public.

Under Canada’s criminal code, CSE is not allowed to eavesdrop on Canadians’ communications. But the agency can be granted special ministerial exemptions if its efforts are linked to protecting government infrastructure — a loophole that the Snowden documents show is being used to monitor the emails.

The latest revelations will trigger concerns about how Canadians’ private correspondence with government employees is being archived by the spy agency and potentially shared with police or allied surveillance agencies overseas, such as the NSA. Members of the public routinely communicate with government employees when, for instance, filing tax returns, writing a letter to a member of parliament, applying for employment insurance benefits or submitting a passport application.

In a top-secret CSE document on the security operation, dated from 2010, the agency says it “processes 400,000 emails per day” and admits that it is suffering from “information overload” because it is scooping up “too much data.”


The document outlines how CSE built a system to handle a massive 400 terabytes of data from Internet networks each month — including Canadians’ emails — as part of the cyber operation. (A single terabyte of data can hold about a billion pages of text, or about 250,000 average-sized mp3 files.)

The agency notes in the document that it is storing large amounts of “passively tapped network traffic” for “days to months,” encompassing the contents of emails, attachments and other online activity. It adds that it stores some kinds of metadata — data showing who has contacted whom and when, but not the content of the message — for “months to years.”

CSE, under its cyberdefence mandate, is allowed to hold on to personal information — email addresses, IP addresses and other identifiers — for up to 30 years, then transfer it to Library and Archives Canada, according to the agency’s own description of its databanks in the federal Info Source publication.

Of the masses of emails the agency was scanning and storing using PONY EXPRESS in 2010, however, only about 0.001 percent of them were deemed to contain potentially malicious viruses. According to the documents, the automated system sifts through them and detects about 400 potentially suspect emails each day — about 146,000 a year. That system sends alerts to CSE analysts, who then can take a closer look at the email to see if it poses any threat. Only about four emails per day — about 1,460 a year — are serious enough to warrant CSE security analysts contacting the government departments potentially affected.

The document says that CSE has “excellent access to full take data” as part of its cyber operations and is receiving policy support on “use of intercepted private communications.” The term “full take” is surveillance-agency jargon that refers to the bulk collection of both content and metadata from Internet traffic.

Another top-secret document on the surveillance dated from 2010 suggests the agency may be obtaining at least some of the data by covertly mining it directly from Canadian Internet cables. CSE notes in the document that it is “processing emails off the wire.”

The data analyzed by PONY EXPRESS can be obtained using Deep Packet Inspection Technology (DPI). Such technology works by observing small portions of internet traffic known as packets, and matching the information describing each packet against a library of signatures—including known applications, protocols, network activity, and more.

DPI hardware can also flag all internet traffic destined for a particular IP address, or range of IP addresses, such as those belonging to the Government of Canada. It’s possible that CSE’s EONBLUE program—which is believed to be based on DPI technology—could be the first step in flagging email traffic for further analysis by PONY EXPRESS.

Since the 2010 documents were authored, it is likely the scale of the domestic data collection has increased. CSE states in the documents that it is working to bolster its capabilities. Under a heading marked “future,” the agency notes: “metadata continues to increase linearly with new access points.”

A CSE spokesman told The Intercept and CBC News in a statement that the agency eventually deletes intercepted Canadians’ emails if they are found to contain no cyberthreat, but would not comment on the amount of emails collected, or discuss the period of time that the messages are retained for.


See: Dreamy, Nosey, Tracker & Paranoid: GCHQ’s Spying Smurfs Can Hide On Phones, Turn Them On, Eavesdrop & Locate

EONBLUE: CSE’s Cyber Threat Detection Platform; Access Internet Core Infrastructure with 200 Sensors Across Globe

In Archive, Canada, CSEC, Internet, NSA Files, Surveillance on February 25, 2015 at 10:34 PM


Matthew Braga/Motherboard:

You might not think Canada’s digital spies are on par with those in the US and UK—but rest assured, America’s northern neighbour is just as capable of perpetuating mass surveillance on a global scale. Case in point: at over 200 locations around the world, spies from Canada’s cyberintelligence agency have been monitoring huge volumes of global internet traffic travelling across the internet’s core.

From these locations, Communications Security Establishment (CSE) can track who is accessing websites and files of interest. Its analysts can also log email addresses, phone numbers and even the content of unencrypted communications—and retain encrypted communication for later study, too—as well as intercept passwords and login details for later access to remote servers and websites.

But perhaps more importantly, tapping into global internet traffic is a means for CSE to monitor, and also exploit, an ever growing list of digital threats, such as vulnerabilities in networks and computers and the spread of malware as well as botnets and the computers under their control. In the process, analysts can keep tabs on both friendly and foreign governments conducting covert cyber attacks and infiltration of their own.

Such vast access to the backbone of the internet is achieved through a program called EONBLUE. According to documents (1) (2) leaked by whistleblower Edward Snowden, and published by Der Spiegel last month, the program is designed to “track known threats,” “discover unknown threats,” and provide “defence at the core of the Internet.”


And while it may be tempting to dismiss this as yet another in a long line of revelations of mass surveillance, it is one of the clearest examples yet that Canada plays no small part in its Five Eyes partnership with intelligence agencies from Australia, New Zealand, the UK, and the US.

The meaning of threats, in this case, is two-fold: cyber attacks on network infrastructure and data, certainly, but also the online activities of terrorists believed to be plotting attacks against the physical world. The EONBLUE program is part of CSE’s Global Network Detection operations, which specialize in collecting signals intelligence from the movement of traffic online.

While the locations of EONBLUE sites are not disclosed in the documents, one slide makes reference to the internet’s “core” and describes EONBLUE’s ability to “scale to backbone internet speeds”—implying possible access to telecom operators, data centers, undersea cables and other infrastructure providers worldwide.

Such access would mean that much, if not all of the data, travelling through a location tapped by CSE could be subject to surveillance. Though the agency maintains it cannot legally track Canadians at home or abroad it is hard to fathom how such data could be exempt.

As of November 2010, when the document was dated, EONBLUE had already been under development for over eight years. However, it isn’t clear from the slides for how long EONBLUE has been used, or whether it is still in use today.

According to network security researchers consulted by Motherboard, EONBLUE is likely a global-scale implementation of a technology known as Deep Packet Inspection (DPI).


Such technology works by observing small portions of internet traffic known as packets, and matching the information describing each packet against a library of signatures—including known applications, protocols, network activity, and more. Internet service providers have been known to use DPI technology to identify subscribers using peer-to-peer filesharing protocols such as BitTorrent on their networks, for example. But such devices, generally speaking, can do much, much more.

Depending on how the system is configured, DPI hardware can: log the IP addresses of all users connecting to a website or webpage; log all activity from a certain IP, or blocks of IPs; identify applications being used on the network; look for cookies, email addresses, phone numbers, and other identifiers; identify encrypted traffic, and also the type of encryption used; identify the type of protocol a connection is using (for example, FTP or HTTP); locate the port that network traffic is connecting to or from; and, perhaps most concerning of all, modify certain types of traffic in real-time, in such a way that neither the sender nor receiver would know any such tampering took place.

In other words, such a device can be instructed to lay bare your activities online.

It’s not clear what, exactly, EONBLUE is configured to monitor, but descriptions of other Canadian intelligence operations that rely on the program do offer some indication. For example, one document says that, thanks to EONBLUE, Canadian intelligence analysts identified a new type of malware, codenamed SNOWGLOBE, that they suspected was the work of French intelligence.

Because EONBLUE monitors network traffic, CSE was able to watch someone log into one of the remote computers, or listening posts, with which SNOWGLOBE communicated, and retrace the malware operator’s steps. This enabled Canadian intelligence to log in to the listening post themselves, and see the data SNOWGLOBE had transmitted from the computers it had infected.

Another document outlining a roadmap for EONBLUE development references a Canadian version of the infamous US intelligence database XKEYSCORE. At the NSA, XKEYSCORE allowed analysts to query such information as the content of emails, browsing history, telephone numbers and online chats between Facebook users that, until July 2013, were not encrypted by default.


While it’s not clear how CSE’s XKEYSCORE functioned in practice, it’s clear Canadian spies were at least planning to develop a powerful database on par with that of its partner agencies in the US and UK—but using data that had been flagged by EONBLUE.

While the documents make it clear that EONBLUE relies on access to the internet’s core infrastructure—the physical cables and connection points across which most data in a geographic region travels—it’s not clear where, exactly, that access occurs.

“It’s difficult to understand how they’re doing this without violating the sovereignty and likely the criminal laws of at least some countries, allied countries even, abroad,” said Tamir Israel, a staff lawyer at the Canadian Internet Policy & Public Interest Clinic (CIPPIC).

One slide suggests that EONBLUE sits on top of existing collection programs, such as SPECIALSOURCE, and sometimes referred to as Special Source Operations (SSO)—a term that has been used in other documents to indicate direct access to fibre-optic cables and ISPs.


In other words, CSE’s partner agencies—or another division within CSE itself—are likely responsible for gaining physical access to internet infrastructure, and then making that data available to programs such as EONBLUE.

Curiously, one slide within the document hints at the existence of an Australian extension of EONBLUE operated by Australian Signals Directorate. Another refers to a Canadian special source. Whether that data source is located in Canada, or is a Canadian operator of infrastructure abroad, remains unclear.

According to documents jointly published by The Intercept and CBC, a CSE program codenamed LEVITATION tracked users downloading certain files from popular filesharing networks worldwide to identify extremists, while another program codenamed PONY EXPRESS sifts through millions of emails sent from Canadians to government agencies in a bid to detect potential cyber threats.

While there is no explicit link between the programs in any of the documents that have been publicly released, CSE could have instructed EONBLUE to flag the IP addresses of every user who attempted to access a bomb-making guide, for example, and send that information to a database for later analysis by LEVITATION.

The data analyzed by PONY EXPRESS can be obtained using Deep Packet Inspection Technology. DPI hardware can also flag all internet traffic destined for a particular IP address, or range of IP addresses, such as those belonging to the Government of Canada. It’s possible that CSE’s EONBLUE program—which is believed to be based on DPI technology—could be the first step in flagging email traffic for further analysis by PONY EXPRESS.

It’s hard not to overstate the importance of what’s happening here. There are more eyes than we realize watching our data as it travels around the world. And it’s programs such as EONBLUE that prove the Canadian government is playing a much larger role in monitoring the internet than most might think—with a prowess that rivals both NSA and GCHQ.
