Christopher Parsons, a fellow at the Citizen Lab at the University of Toronto, a group that helped review the documents, added that while using corporate analytics may have been one possible attack vector, there could have been another.
“There’s a series of different kinds of identifiers—that’s not entirely clear from the documents,” he told Ars.
“It’s also theoretically possible that [CSEC] may be tapping into other identifiers. There’s going to be some global database that they’re pulling from. Whether it’s going to be cookies or another identifier. My thought would be [if not cookies] that if they’re looking for particular chat user names or e-mail that is also sent in clear or sent in clear often enough. One of [the] pieces about this [is] that it seems to indicate that it’s the act of logging on. It’s not clear that you have to make some particular action, it’s that the device[s] are likely to be sending out this kind of information upstream. It is possible that it’s your username every time you hit the mail server.”
He also noted that in Canada, the two major ISPs—Bell and Rogers—provide, by default, e-mail accounts on Microsoft and Yahoo, respectively.
So, he speculated, if CSEC was going to use such an e-mail username for instance, “that ISP is going to have a litany of personal information about a Canadian target, billing and everything else that they hold, whereas the cookie information may not provide [all that information.]”