Thursday, November 20, 2014

Liaison office concerns

Jim Bronskill has written an interesting piece on the problems CSE's liaison officers have been experiencing in recent years ("Poor training, communication bedevilled Canada's Five Eyes liaisons: evaluation," Canadian Press, 19 November 2014):
Lack of training, poor communication with head office and sketchy expectations hampered the Canadian liaison teams embedded in the electronic spy agencies of Ottawa's Five Eyes partners, says a newly declassified evaluation.

The Ottawa-based Communications Security Establishment's foreign relations program is key to helping the spy service do its work, given the importance of relations with counterparts in the United States, Britain, Australia and New Zealand, the internal evaluation concludes.

But it calls for several changes to "achieve greater effectiveness and efficiencies."

The Canadian Press obtained a heavily censored copy of the August 2012 evaluation — originally classified "Secret/Canadian Eyes Only" — under the Access to Information Act.

...

CSE has special liaison offices at the U.S. National Security Agency and Britain's Government Communications Headquarters, as well as one in Canberra that provides representation to the electronic spy services of Australia and New Zealand.

In turn, Canada hosts members of the four foreign agencies.

The study found advance briefings for Canadian liaison staff sent overseas were largely limited to information about living and working abroad.

"Operational training offered to posted employees is scarce and self-initiated," the evaluation report says.

Staff heading to the foreign posts had to book meetings with CSE directors or enrol in internal courses. However, some noted that formal classroom training was not necessarily helpful.

"Rather, they felt that spending some time working with various operational areas during the pre-posting phase was often very beneficial."

In addition, liaison directors "seldom received feedback" on the initial planning documents they submitted to superiors.

Once on the job, the directors felt they were "often ill-informed" about developments at CSE headquarters. Management at CSE also expressed a desire for better communication. A senior manager lamented that information he received from one foreign post in particular was often either already known or outdated by the time it was sent to CSE.

"Because these employees are out of the country, it is very important that they have effective and reliable communications available to them," the report says.

CSE employees who took the foreign positions essentially gave up their previous jobs and CSE didn't have a formal process for reintegrating them into the Ottawa fold once their posting was done, it adds.

Upon return, posted employees "are often required to fill positions unrelated to their area of expertise and the experience and knowledge gained from the foreign posting are not exploited."

CSE spokesman Ryan Foreman said most of the evaluation's recommendations had been implemented, with the rest expected to be complete later this year.

Also interesting is this fact box on CSE's liaison offices, which reports the dates when the liaison offices were established. The years when the offices were established were already known, but the month of establishment was known only in the case of the office at GCHQ.

Here's a list of the Canadian Special Liaison Officers (CANSLOs) to NSA and GCHQ I compiled several years ago. The names of the more recent CANSLOs don't seem to be available, but every now and then one turns up.

I have also written a bit on the 2009 establishment of the CANSLO/C-W in Canberra. The first CANSLO/C-W was (evidently) a woman, but no names have been released so far.

Back in the old days, the job of CANSLO/W was often given to mid-ranking officers who were considered destined for greater things. The last two Chiefs of CSE to come from inside the ranks of the agency, Peter Hunt and Stew Woolner, both served as CANSLO/W earlier in their careers. (Since 1999, all Chiefs have been selected from outside the agency.)

The CANSLO/L slot, on the other hand, gained a reputation as a plum posting for senior officers just prior to retirement.

Undoubtedly there were exceptions to those patterns even then; it would be interesting to know if they continue to some degree today.

The liaison offices normally have several people posted to them, not just the liaison officer. During the Cold War period, there were (I believe) about four people at the NSA office and two at the GCHQ office. No information on the current size of these offices has been made public.

By contrast, in 2008 the NSA's liaison office at CSE had 12 people attached to it. It is possible, however, that this total included NSA "integrees" serving on exchange with CSE.


Tuesday, November 18, 2014

October 2014 CSE staff size

2238, a new high.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Collection of private communications under CSE's cyber defence program


Documents recently released under the Access to Information Act reveal that thousands of "private communications" of Canadians were collected and used or retained by CSE in the course of its cyber defence operations during a recent one-year period.

The precise number of communications used or retained is redacted in the documents released to Globe and Mail reporter Colin Freeze. But analysis of the size of the redactions indicates that the number is somewhere between 1000 and 3996, which means that it is 15 to 60 times as large as the total of 66 private communications collected and used or retained by CSE’s foreign intelligence program during fiscal year 2012-13, as recently reported by the CSE Commissioner.

CSE's Cyber Defence Activities Annual Report on Private Communications for the period from 1 December 2012 to 30 November 2013 begins on page 5 of the documents. The total number of private communications, abbreviated as PC, used or retained by CSE during the year is reported on the next page.

That number is redacted, but it can clearly be seen that there is room for a four-digit number in the censored space, indicating that the number was somewhere between 1000 and 9999.

Summaries of quarterly reports were also released with the documents. The summaries for the four quarters comprising the 2012-13 reporting year can be found on pages 9 and 10. In each case, these summaries show that a three-digit number of private communications (i.e., somewhere between 100 and 999) were used or retained during the quarter, meaning that the annual total cannot have been higher than 3996.

Together these ranges indicate that the total number of private communications used or retained by CSE in the course of cyber defence operations was between 1000 and 3996 in 2012-13, a number that dwarfs the 66 used or retained in the course of its foreign intelligence operations around the same time.

The quarterly reports that were released to Freeze cover more than just the 2012-13 year, and all of the reports from the 1 March 2011 to 31 May 2014 period note that an apparently significant but redacted two-digit percentage of the communications used or retained by the cyber defence program "consisted of emails that contained malicious code" or "emails containing malicious links or attachments attempting to compromise Government of Canada (GC) systems and networks."

This suggests that a large percentage of the communications used or retained may have consisted either of e-mails sent by Canadians with the deliberate intent of compromising or damaging government systems or (probably more often) e-mails sent from compromised Canadian computers without the knowledge of the Canadian owner.

Either way, few people are likely to object to such communications being used or retained by cyber defence authorities.

Of greater potential concern is that some of the communications monitored in the course of cyber defence operations could end up containing information considered useful by the intelligence side of the agency. (Which is not to say that such use would itself necessarily be unjustified.)

The quarterly reports for the 11 March 2010 to 31 November 2011 period all note that a redacted number of communications (sometimes two, sometimes three digits) were "shared with SIGINT".

For example, the four reports that cover the 1 December 2010 to 31 November 2011 reporting year feature 2 three-digit redactions and 2 two-digit redactions, indicating that the total number of private communications "shared" during that year was somewhere between 220 and 2196 ((100 to 999) + (100 to 999) + (10 to 99) + (10 to 99)). Even if the actual figure is at the bottom end of this range, this suggests that the number shared was more than three times as great as the 66 private communications collected and used/retained by the foreign intelligence (SIGINT) program itself during fiscal year 2012-13; in theory, it could be as much as 33 times as great.

Did "sharing" with the SIGINT program continue after 2011? The documents released don't answer that question one way or the other.

If it does continue, the above figures suggest that the number of private communications obtained by the SIGINT program through the cyber defence backdoor could very significantly exceed the number obtained (or at least the number used or retained) through the SIGINT program’s own collection efforts.

Monday, November 17, 2014

Monitoring Canadians abroad pre-Mosley

As we all know by now, CSIS and CSE interpreted Justice Richard Mosley's 2009 ruling in the X(re) case as opening the way not only for CSIS to obtain warrants to monitor specific Canadians outside Canada from within Canada, but also for CSIS and CSE to call on the services of Canada's Five Eyes allies to assist in that monitoring. Justice Mosley, who learned of the latter interpretation only in 2013, had a very different view, and much excitement has since ensued. The government recently proposed Bill C-44 to establish a legal basis for CSIS to conduct intrusive surveillance abroad (and presumably to call on the assistance of allies in such operations).

What was the situation before the 2009 decision? A request for a warrant to use intrusive measures abroad was rejected by Justice Edmond Blanchard in 2007, but it may be that CSIS did not take that rejection to mean that Five Eyes assistance was not permitted.

At least, that's how the U.S. Embassy understood the situation.

In a 9 October 2009 cable commenting on the Mosley decision (one of the diplomatic cables leaked to Wikileaks), the Embassy explained that
Previous to Justice Mosley's [2009] ruling, CSIS had to ask allies to conduct electronic surveillance on CSIS's behalf or to request that Canadian telecom companies voluntarily provide international call records when Canadian terror suspects left the country.

If the Embassy's account is correct, CSIS was indeed calling on the assistance of allied surveillance resources in the pre-Mosley period, even, it would appear, after Blanchard's 2007 decision.

That is not the situation as Justice Mosley understood it, however. Mosley's 2013 Further Reasons for Order notes that the Deputy Attorney General of Canada advised CSIS in October 2008 that "interception of a target’s communications outside Canada by a foreign agency at the Service’s request" did not, in his view, require a warrant. But Mosley also noted that "Neither agency appears to have been prepared to proceed solely on the strength of the DAGC’s October 2008 opinion."

Was the Embassy misinformed?

Whatever the answer to that question may be, the Embassy's statement that Canadian telecom companies were also being asked (and presumably agreeing) to voluntarily provide the international call records of Canadians abroad is also very interesting.

Saturday, November 15, 2014

Forcese on the Supreme Court's Wakeling ruling


Law professor Craig Forcese comments on the implications for CSIS and CSE of Friday's Supreme Court ruling on sharing intercepted communications with foreign agencies ("Judicialization of Intelligence Cont'd: Intelligence Sharing, Post Wakeling," National Security Law blog, 15 November 2014):
The Supreme Court of Canada released its decision in Wakeling v. United States on Friday, adding another picket in the progressive hedging-in of intelligence practices by law. In my view, the case has serious implications for CSIS (and potentially CSEC) international intelligence-sharing, to the point that conventional practices in the area are now constitutionally doubtful. Placing those practices on firmer constitutional footing is a reasonably straightforward fix. The question in my mind is whether the government will use the opportunity presented by Bill C-44, amending the CSIS Act, to preempt the inevitable next generation of constitutional challenges. Or alternatively will it follow what appears to be its standard practice of waiting until matters become so untenable that a legal fix is practically dictated to it.

It's worth reading the whole thing.

One question identified by Forcese is the degree to which CSE's existing procedures for "minimizing" Canadian identity information may help to fulfill the requirement for the protection of privacy in information-sharing.
A wrinkle for CSEC would be that intercept of Canadian communications under its independent, foreign intelligence mandate is supposedly done incidentally, and I believe that the Canadian information is then "minimized" to remove identifying information. If only minimized data is shared, it may be that section 8 privacy interests are not triggered by the information sharing in the same way as they are by the actual collection. So the CSEC discussion on section 8 and its application to intercept sharing would be more complex

This is a good point.

The CSE Commissioner has confirmed that "CSEC suppresses Canadian identity information in what is shared with its international partners."

But there are two points worth noting about this "minimized" information:

First, CSE retains the original, unminimized information in its databases, and well-established procedures exist for customers, including foreign partners, to request and subsequently receive the original identity information as long as they can demonstrate a need for the information that meets CSE's criteria for providing it. Those criteria are, of course, secret, so it's impossible for the public to judge their adequacy.

It is those procedures that will determine in the first instance where CSE draws the line between privacy protection and intelligence-sharing.

Second, in many cases it may be possible for customers to circumvent minimization by unminimizing information on their own, through analyzing context information in the data, comparing intercepts to information already acquired by the customer itself, examining related metadata, or performing other kinds of analysis. De-anonymization of supposedly anonymized data sets is an area of increasing concern. This possibility suggests that minimization alone, although undoubtedly a very useful strategy for privacy protection, may not be enough to ensure sufficient protection.

Thursday, November 13, 2014

Details, details


I usually avoid pointing out the odd factual error in news stories. I make mistakes. Everybody makes mistakes. It's a complicated subject, the information available to the public is sparse, and who really needs another pedant on the internet?

But every now and then, I can't help myself...

Target for tonight: Justin Ling's recent article on the court cases concerning CSIS and CSEC monitoring of Canadians abroad ("How Canada's Spy Agencies Cozied Up to the NSA," Motherboard, 7 November 2014).

What follows are selected excerpts accompanied by comments:

- "The story goes back to March, when a Federal Court judge demanded details of just how the Canadian Security Intelligence Service (CSIS) goes about doing NSA-style surveillance. The details of that case just came out this week."

It really goes back to August 2013, when Justice Richard Mosley of the Federal Court demanded an explanation from CSIS and CSE of their use of monitoring assistance by the NSA and other Five Eyes agencies. Or maybe even to 2007, when a ruling by Justice Edmond Blanchard started the whole ball rolling (see below).

What came out on November 4th were the details of the Federal Court of Appeal's ruling on the government's appeal of the legal interpretations laid out by Justice Mosley in his Further Reasons for Order delivered after his 2013 investigation.

- "In 2008, CSIS applied for a warrant to team up with its sister agency, Communications Security Establishment Canada (CSEC) and the NSA, to do surveillance on a Canadian suspect. We don’t know why they asked for the surveillance, what the Canadian was suspected of doing, or who that suspect was—the case refers to him, her, or them as X. That warrant was denied by a Federal Court judge."

It was a 2007 application that was denied by Justice Blanchard. That application covered 10 individuals, nine "Canadian citizens, permanent residents or refugees" and one foreign national. The X(re) application came later, concerned two Canadians, and led to the 2009 ruling by Justice Mosley that authorized for the first time what became known as 30-08 warrants, authorizing CSIS and CSEC to monitor Canadians abroad from within Canada. According to Mosley, CSIS suspected that the two individuals would engage in "threat-related activities... while traveling outside of Canada".

- "He found that CSIS had no right to be keeping tabs on Canadians abroad, in violation of international law, as its mandate was strictly domestic."

He, i.e., Blanchard, found that, in the absence of explicit legislative sanction, he had no power to authorize CSIS to undertake activities that might violate the laws of the countries where they took place, as this would violate international law. He did not say that CSIS had no right to monitor Canadians abroad. (Blanchard would have had no objection if, for example, the monitoring took place in a country that had legally authorized CSIS to conduct the activities. Nor would he have objected to the use of forms of monitoring that are not illegal in the country in question.)

- "A few months later, they tried again, with a different judge—their warrant made no mention of overseas surveillance, stating that they planned to do all the surveillance from within Canada."

It was almost a year and a half later. And the agencies were explicit about the fact that CSIS and CSEC would monitor the Canadians while they were abroad; the problematic part was the claim that all the monitoring would be done from within Canada.

- "Since it looked like just about every other warrant brought forward by CSIS, Justice Richard Mosley—a well respected jurist—signed it."

It did not look like just about every other warrant. It was specifically designed to permit the monitoring of its Canadian targets while they were abroad, not just in Canada, and to do so in a way that was legally distinguishable from the failed bid put before Blanchard in 2007. The fact that in authorizing it he was stepping around the Blanchard decision was clearly understood and acknowledged by Mosley.

- "Four long years later, Mosley was flipping through an annual report from the nominal overseer of CSEC. One sentence in it caught Mosley’s eye, where the commissioner recommends that CSEC: 'provide the Federal Court with explicit evidence in…warrant applications that CSEC’s assistance to CSIS might include the interception of private communications of the Canadian subjects…by CSEC’s second party partners in the United States, United Kingdom, Australia and New Zealand, and also involve the sharing of identity information of those Canadians with the four partners.'"

If only CSE commissioners were so forthright and clear in their annual reports!

In the actual sentence the commissioner recommended that "CSEC advise CSIS to provide the Federal Court of Canada with certain additional evidence about the nature and extent of the assistance CSEC may provide to CSIS."

- "Evidently, the government wasn’t tremendously confident in [its appeal of Mosley's Further Reasons for Order], hence why they introduced legislation specifically legalizing CSIS’ cooperation with the spooks at Fort Meade, Bill C-44. They were probably right to be nervous. Last week’s Federal Court of Appeal decision just prolonged the tongue-lashing that the spy agencies received from Mosley."

Bill C-44 would make it explicit that CSIS can operate abroad, even when in violation of foreign laws ("Without regard to any other law, including that of any foreign state, a judge may, in a warrant issued under subsection (3), authorize activities outside Canada to enable the Service to investigate a threat to the security of Canada"), thus addressing the problem raised originally by Justice Blanchard. Cooperation with foreign spy agencies in monitoring Canadians would also be facilitated by this change (although there could still be Charter questions), but it is not specifically addressed in the legislation.

As for the timing, the government tabled its legislation in October, long after the appeal court's July 31st ruling. (It was only the public that remained in the dark about the ruling until November 4th.)

- "The Court of Appeal included a section from an internal CSEC memo on '2nd Party Assets' in its decision, explaining: 'these are CSEC’s SIGNIT [Signals Intelligence] counterparts within the 5-Eyes community...'"

It was a CSIS memo.

And, yes, I am literally NIT-picking here, but how do people get SIGNIT out of Signals Intelligence? It's a surprisingly common mistake. It's SIGnals INTelligence, not SIGnals NITs. I just don't get it. The Court of Appeal, and I assume the original memo, wrote SIGINT.

- "Canadian courts can now authorize the NSA to spy on perceived threats to Canada..."

Canadian courts don't and won't have any say over NSA's authority to do anything (unless perhaps they occasionally authorize certain activities in Canada), and there is not and has never been any impediment to Canadian agencies seeking and receiving the cooperation of NSA or other Five Eyes agencies in spying on "perceived threats to Canada"—except with respect to requests to monitor Canadians in the absence of a warrant authorizing such monitoring.

That said, it does seem highly likely, assuming that Bill C-44 is passed, that future warrants authorizing the monitoring of Canadians abroad will include authorization to draw on the resources of Five Eyes allies and, for that matter, potentially, other countries' intelligence agencies.

In all such cases, however, the subjects of the surveillance will be specific individuals whose surveillance has been authorized by a Canadian judge, so this doesn't really get to the question of the degree to which the Five Eyes agencies may monitor each other's citizens and then pass information on to the relevant government without having received specific targeting requests.

It has already been admitted that this kind of thing occurs, but the claim is that it only happens "incidentally".

Much of what these agencies say to the public is deliberately misleading, so believe it or don't. But even if their claim is indeed the whole truth of the matter, an awful lot of monitoring could, at least in theory, fall under the rubric of "incidental".

[Update 14 November 2014: See here for an example of extensive "incidental" collection of Canadian communications by NSA.]

The topic is one that deserves continued, close attention.

But it doesn't hang on the passage or non-passage of Bill C-44.

I'm not trying to attack Justin Ling here. He has done good reporting on CSE, and what's more, he just retweeted one of my tweets, so he's in my good books.

But what's the point of having a topic-specific blog if you can't sweat a few of the details from time to time?

(Here's hoping I managed to get them all right myself. No guarantees.)


Saturday, November 08, 2014

CSE received $923K from "foreign partners" last year

Page 6.49 of Volume I of the Public Accounts of Canada 2014 reports that CSE's "Foreign Partners - Security" fund received $922,860 in fiscal year 2013-14.

The Public Accounts also report that CSE spent $658,438 from the account during the year, leaving a total of $2,266,839 at the end of the fiscal year.

The same document explains that the Foreign Partners accounts "were established to record funds received from foreign partners, to cover expenditures to be made on their behalf, in accordance with the provisions of agreements with the Government of Canada."

In 2013, the government acknowledged to Globe and Mail reporter Colin Freeze that the money in the account comes from "the Five Eyes partnership".

As I noted here and here, it seems highly likely that the member of the partnership that actually supplies the cash is the US National Security Agency.

Adding last year's data to previous years' totals, we get a grand total of at least $12.3 million paid to CSE, and at least $10.1 million spent by CSE on behalf of its "foreign partners", since 2002-03.

Friday, November 07, 2014

CSE budget up again


The Supplementary Estimates (B) for 2014-15, tabled earlier this week, indicate that CSE's budget authority for this fiscal year is being increased by $10.1 million, from $838.6 million to $848.7 million.

Most of the increase ($8.2 million) is attributed to "Funding for the Long-Term Accommodation Project", CSE's new headquarters. Have costs risen on the project? Or has something new been added to it? Who knows if we will ever be told.

The Public Accounts 2014, which cover fiscal year 2013-14, were also released recently. Volume II (PDF page 26) shows that CSE spent $444.3 million last year (total includes $606 thousand in respendable revenue). The amount spent was $25.1 million lower than the $468.8 million in budget authority that was granted to CSE during 2013-14 (see page 46).

CSE told the Globe and Mail (Bill Curry, "Security agencies fail to spend millions from budgets," Globe and Mail, 5 November 2014) that "the lower spending was partly because several small projects were delayed."

No details were provided, but the projects in question must have been IT security related, as page 423 of Volume II shows that the shortfall occurred almost entirely in the Information Technology Security side of the agency, which spent only $142.2 million of the $166.9 million allotted to it during the year. The SIGINT side managed to spend $302.1 million of the $302.9 million allotted to it.

The primary reason for the huge difference between CSE's 2014-15 budget of $848.7 million and last year's spending of $444.3 million is a $300-million one-time payment being made this year related to the construction of CSE's new headquarters. Even if that sum is ignored, however, the $548.7 million in additional spending authorized for the agency this year is significantly higher than 2013-14's $444.3 million actual spending or even its $468.8 million in spending authority.