Friday, October 31, 2014

CSEC reverts to CSE

Good catch by the Toronto Star's Tonda MacCharles ("Spy agency CSEC says goodbye to Canada," Toronto Star, 31 October 2014):
Communications Security Establishment Canada, the spy agency that collects foreign security intelligence by combing the Internet and airwaves of the world, is dropping “Canada” from its name.

For old hands, CSE is the familiar handle. It was always hard to get used to C-S-E-C.

...

In an email titled, UNCLASSIFIED, the agency’s media relations office suggests nothing’s changed. Ryan Foreman says the legal title of the organization was, and is, CSE.

However, in 2007, along came instructions for every federal department and agency to comply with what was a stricter branding measure.

“Under the Federal Identity Program, which requires all federal departments and agencies to have the word ‘Canada’ as part of their corporate title, the word ‘Canada’ was added to create the agency’s applied title, the Communications Security Establishment Canada, or CSEC,” Foreman wrote.

He said the “applied” title is all that changed and the legal title remains Communications Security Establishment.

The change started to appear in the past six months, matching CSE’s URL, which had never changed to pick up the Canada word mark.
Judging from the earlier versions stored by the Internet Archive, the reversion to CSE began appearing on the agency's website at the beginning of August.

Ironically, it was only around January of this year that I finally gave up and starting consistently referring to the agency as CSEC instead of CSE. Oh well, I never liked the change anyway.

While we're at it, let's bring back the 291ers too. Even the Commander of CFIOG still calls the 00120 trade the 291 occupation (see page 9). Can we just forget that whole 00120 thing?

Monday, October 27, 2014

Mosley taken care of?

The government's Bill C-44, introduced in parliament today, should take care of the difficulties CSIS and CSEC have had in monitoring Canadians abroad since Justice Richard Mosley's 2013 order clarifying the scope of what are known as 30-08 warrants. (The bill also has other provisions, but they are not addressed here.)

By making it clear that CSIS is authorized to conduct its security investigations outside of Canada as well as inside Canada, the new provisions should remove any legal impediment to CSIS and CSEC asking Canada's Five Eyes allies to assist those monitoring operations.

At least, that's my take as a non-lawyer on the new provisions. I'll update this space if expert opinion is different.

One question I have: Since communications that take place entirely outside of Canada are not "private communications" as defined by the Criminal Code even when Canadians are participants in those communications, does this mean that CSIS will now be able to collect Canadian communications that occur abroad without any judicial warrant at all? And, if so, that CSEC through its Mandate (c) power and the Five Eyes allies will be able to assist such collection regardless of whether CSIS has a warrant?

It may well be that the Charter protection against unreasonable search and seizure precludes warrantless monitoring of Canadian communications wherever they take place, whether or not they are technically considered "private communications".

But unless that's an obvious and uncontroversial fact that is well known among legal experts—or some other obvious prohibition applies—it strikes me that the bill's provisions ought to be clarified in that respect.

[Update 28 October 2014: Law professor Craig Forcese assesses the new provisions here, specifically addressing the question of whether a warrant is or isn't required. It doesn't look like there's a simple answer, and Forcese comments that "it would be nice to have some language in the bill specifying in greater detail the trigger for seeking warrants in the first place." Go read the whole piece.]

Legal aspects aside, it is also worth remembering that questions will still remain about how well the privacy (and safety) of Canadians is protected when information about the Canadians that CSIS wants to monitor is shared with Canada's allies.

News coverage and commentary:

- Jim Bronskill, "Long-awaited anti-terror bill extends CSIS source protection," Canadian Press, 27 October 2014
- Colin Freeze & Josh Wingrove, "Conservatives table first CSIS legislation in 30 years," Globe and Mail, 27 October 2014
- Susana Mas & Chris Hall, "CSIS powers beefed up under new bill tabled by Steven Blaney," CBC News, 27 October 2014
- Craig Forcese, "A Longer Arm for CSIS: Assessing the Extraterritorial Spying Provisions," National Security Law blog, 28 October 2014

Friday, October 24, 2014

Forcese on CSEC and the law

In a presentation to the SERENE-RISC cybersecurity conference on October 22nd, law professor Craig Forcese provided a very useful explanation of the current state of Canadian law pertaining to communications surveillance and privacy, including the implications for CSEC ("Does the State Belong in the Computers of the Nation? Legal Developments in Cybersurveillance," National Security Law blog, 23 October 2014).

The section pertaining to CSEC is excerpted below with a few of my own comments added, but the entire presentation is worth reading:
[I]n 2001, after 9/11, the National Defence Act was amended to codify formally the intercept powers of Communications Security Establishment Canada. Of particular note, the new law opened the door to lawful intercept by CSEC of Canadian “private communications” as part of its so-called Mandate A – that is, collecting foreign signals intelligence.

Up until this point, had CSEC intercepted Canadian private communications in performing this function, it would have committed a crime under Part VI of the Criminal Code. After 2001, CSEC was exempted from Part VI so long as the Minister of National Defence authorized any intercept of private communications.
My comment: There is every reason to believe that CSEC did in fact sometimes inadvertently collect private communications in the years prior to those changes. However, it was never accused by the CSE Commissioner of having broken the law in those instances, presumably because Part VI applies only to those who "wilfully" intercept a private communication. As the Commissioners were able to confirm, CSEC worked actively to avoid such collection as much as possible. No such measures were ever likely to be perfect, however. As the Commissioner's 2000-2001 report noted,
Despite the efficiencies inherent in new technologies, CSE is still likely to receive inadvertently some small amount of Canadian communications. Moreover, each new collection system or technique that comes on stream seems to bring with it this potential. However, CSE is well aware that it must continually upgrade its capabilities to screen out Canadian communications or risk acting unlawfully if it does not make every effort to do so.
The big problem for CSEC in 2001 was not that inadvertent collection of the occasional private communication might place the agency in legal jeopardy; it was that CSEC was not permitted to collect communications into Canada involving its foreign intelligence targets, no matter how potentially important (say, a phone call from Osama bin Laden to a phone number in Ottawa) and that even if it did inadvertently collect such a communication it would not have been permitted to use or retain it.

That's what the ministerial authorization regime was designed to change.

Back to Forcese:
Obviously, the fact that authorization comes from the minister, and not a judge, places CSEC on a fundamentally different footing than the police or CSIS. Moreover, unlike CSIS or Part VI authorizations, CSEC authorizations are more generic permissions, relating to an “activity” or “class of activity” and not to a specific individual or individuals.
I would just interject here, for those who may not be following the issue, that in the government's view the activities or classes of activities specified in these authorizations pertain to the nature of the monitoring activity to be conducted, not the nature of the activity being monitored. CSE Commissioners have long disagreed with CSEC on this question, and have called for amendments to the National Defence Act to clarify its meaning. See here, for example.

Back to Forcese:
And in terms of transparency, the CSEC review body tells us how many ministerial authorizations exist, but we know nothing about their content (which rests a closely guarded secret).

These differences in the CSEC lawful access regime [in comparison to those applying to CSIS and law enforcement agencies] likely reflected the perception that CSEC’s eyes were outward looking, focused on foreign signals intelligence that only incidentally and haphazardly swept up domestic communications. Conventional privacy protections could, in these circumstances, be muted.

Much has since been said and debated in the post-Snowden period as to what CSEC does and does not intercept, and how and in what circumstances it captures private communications. I will not rehearse that saga here.

Instead I make my key point: since 1974, the scope of lawful access has gone from: first, police investigating crime and intercepting with specific judicial authorization that then is subsequently disclosed; second, CSIS investigating security intelligence matters and intercepting with specific judicial authorization, that is never disclosed, and; third, CSEC collecting “foreign intelligence” by intercepting private communication (at least incidentally) with more generic authorization, not from a independent judicial officer, but from a member of the political executive, that is never disclosed.
Proceeding on, Forcese notes that
In the result, we have a system of surveillance law designed for a criminal law paradigm, tweaked to deal with security intelligence and essentially abandoned in all material respects for foreign signals intelligence.

This may have been sustainable in a period when the world partitioned neatly into these three categories. However, since 9/11, national security – and specifically anti-terrorism – concerns have become increasingly hybridized criminal/security intelligence/foreign intelligence issues. In actual surveillance practice, it is apparent that the foreign intelligence/security/crime boundary is murky. For instance, there has been some controversy in the past between CSEC and its review body about whether some CSEC activities truly amount to foreign intelligence gathering.

That particular concern seems now to have been resolved. More recently, however, controversy over CSEC’s metadata collection activity reflects a second notable development since the 1970s: how technological change has undermined a privacy regime first constructed for a simpler communications age. By all reasonable accounts, metadata – especially when pooled with Big Data – can be even more revealing of human behaviour than even intercepted communication content. Yet, the government seems regularly to take the view that metadata is not private communication, as a legal matter.

I dispute this particular conclusion in 12,000 words or less in an article that will appear in due course. However, to the extent this position animates inside-government approaches on this issue, it has the effect of making the privacy protections in Part VI irrelevant. Indeed under this reasoning, CSEC doesn’t even need a ministerial authorization for its metadata intercepts.

In the result, we have intercepts of potentially revealing information with no advance judicial or even legally mandatory ministerial oversight, and no formal disclosure requirements of any sort. (One counterargument is that the review bodies serve as the public’s proxies in holding the security services to account. I do not dismiss their significance. In the area of privacy, they are, however, irrelevant. The cardinal principle of privacy protection in Canadian law is advance authorization of invasions of privacy by an independent judicial officer, not after the fact criticisms by an arm’s length wing of executive government.)
Looking to the future, Forcese argues that the Supreme Court's recent Spencer ruling has
obvious implications for security surveillance by CSEC. The Supreme Court is prepared to extend section 8 protections to the most benign data -- name and address and telephone number -- associated with an IP address.

It is inconceivable to me that it will now demur when it comes to other, even more intimate forms of metadata created by modern communication -- geolocations, place called, duration of calls, websites surfed etc. While the degree of privacy protection will always depend on circumstances, I think the constitutional die is now cast when it comes to the sorts of metadata most contentious in the post-Snowden debates.

We don't know, of course, what CSEC (and perhaps other agencies) have been in fact collecting under the umbrella of "metadata". Nevertheless, the concept is so broad and Spencer so dramatic, that I assume at least some of what the government has in the past collected is now subject to the full protections of section 8.

And so putting CSEC’s activities on a sounder constitutional footing will require amendments to its governing statute. In this respect, I strongly support the private member’s law project tabled by Joyce Murray -- Bill C-622 [discussed here], now reaching second reading in the Commons. Among other things, this bill would graft a modified judicial warrant regime on CSEC activities. I would encourage those of you with an interest in this area to review this bill, and if you can, support it. When this bill was first tabled before Spencer, I believed it was constitutionally necessary, as well as good policy. Spencer more than affirmed that belief. I confess surprise and disappointment that the government has not moved itself to place CSEC intercept of private communications on a firmer constitutional footing, not least because the BC Civil Liberties Association is suing it over the issue. Regularizing the accountability process around intrusive and secretive surveillance seems an issue that transcends most conventional political boundaries.
It will be interesting to see if the legislative amendments soon to be introduced by the government address the collection of metadata and, more broadly, CSEC's overall intercept (and oversight) regime.

It wouldn't hurt if the government demonstrated some genuine respect for the role of the CSE Commissioner and also moved on the amendments to the National Defence Act that Commissioners have long called for. (More here.)

Thursday, October 23, 2014

Jesse Brown on Globe and Mail, CBC, and the Snowden documents

Independent journalist Jesse Brown, host of the CANADALAND podcast, has a fascinating report on decisions by the Globe and Mail and the CBC to publish (or not publish) CSEC-related documents from the Snowden archive over the past year ("EXCLUSIVE: CBC "stonewalled" Snowden story, says Greenwald," CANADALAND, 23 October 2014):
CANADALAND has learned that last year the CBC acquired NSA documents describing a major CSEC surveillance program, but the public broadcaster has been sitting on this news for over nine months, with no immediate plans to publish. In an interview with CANADALAND, Glenn Greenwald has revealed the "shocking reluctance" of veteran CBC reporter Terry Milewski to inform the public about CSEC spying, an indifference eventually revealed to be actual ideological opposition on the part of a reporter to exposing government surveillance programs.

Further, CANADALAND has learned that the Globe and Mail initially spiked documentation of an earlier Snowden revelation, reneging on a promise to Greenwald that if he were to provide them with Snowden leaks, the Globe would include this original documentation in their reporting. Greenwald learned that the initial decision to withhold the Snowden files came directly from former Globe and Mail editor-in-chief John Stackhouse, whom Greenwald suggests may have been buckling to government pressure.
In an update to his report, Brown explains that, according to Stackhouse,
the slides were withheld because when CSEC was asked for comment by Freeze and Nolen, they contacted [Stackhouse's] office with a "serious warning" that Canadian lives would be put at risk if the Globe published the deck. "We took it seriously," he recalls, deciding that the public has no immediate interest in seeing the slides that outweighed the possibility of Canadian targets being compromised. "We gave CSEC time to brief us on why publication would be so dangerous." But CSEC stalled on the briefing. When it finally occured, the Globe concluded that CSEC has oversstated the threat and that there was no danger involved in publishing the full files. Then, Stackhouse remembers "editorial complications in our newsroom and other files" further delaying publication. "I wish the gap in time had been less than it was" he says now.
It's nice to see an explanation of why we haven't seen any new CSEC-related revelations in recent months despite Greenwald's continuing insistence that there is more to come.

It will be interesting to see if more does in fact come.

Brown doesn't address this point, but I also think that the CBC would have improved its coverage of the Snowden documents if it had consulted a few more people with expertise on Canadian SIGINT before it finalized the stories that did go to air.

But that's just me.

Update 8:30 pm: In response to a question at his talk in Montreal this evening, Greenwald was largely dismissive of the CANADALAND report, calling it "gossipy". But at the same time he confirmed all its major details. His major concern seemed to be to make it clear that he considers his current relationship with both the CBC and the Globe and Mail to be highly satisfactory.

Update 25 October 2014: Interviewed by Brown at this event, Greenwald confirmed that further CSEC revelations had been delayed by a disagreement with CBC reporter Terry Milewski (who is now apparently no longer on the file). But he insisted that there would eventually be new CSEC stories.

Wednesday, October 22, 2014

CSE Commissioner and CSIS stories differ on Mosley mess

A CSIS memo recently obtained by Globe and Mail reporter Colin Freeze puts a somewhat different spin on the process through which Justice Mosley of the Federal Court was informed of Five Eyes involvement in CSIS/CSEC efforts to monitor Canadians abroad—an event that, for those who may have forgotten, then led to an endproduct-storm of epic proportions and, we are now promised, legislative amendments.

The CSE Commissioner's most recent annual report highlighted these events as an intelligence review success story; I was a little skeptical of that interpretation.

Be that as it may, the Commissioner's report gives the following account of the process:
One of Commissioner Décary’s recommendations, implemented by CSEC, was that CSEC advise CSIS to provide the Court with certain additional evidence about the nature and extent of the assistance CSEC may provide to CSIS, namely respecting CSEC seeking assistance from and sharing information about the Canadian subjects of the warrants with its second party partners. (2013-14 Annual Report, p. 18)
The Commissioner's report is clear: CSEC implemented the recommendation.

The CSIS memo tells the story a bit differently:
In August 2013, the Minister of National Defence tabled the annual public report of the Commissioner of CSEC, which recommended that CSEC advise CSIS to provide "certain additional evidence" to the Federal Court, "about the nature and extent of the assistance CSEC may provide to CSIS." CSIS, CSEC and Justice Canada disagreed with the recommendation.
CSEC disagreed with the recommendation?

When CSEC disagrees with one of the CSE Commissioner's recommendations it does not, as a general rule, implement that recommendation. The Minister of National Defence may end up ordering CSEC to implement a recommendation, but if the minister had done that in this case, surely CSIS should have mentioned that fact in its memo to its minister. (Ministers like to know what their colleagues are up to.)

So what's the story here? Did CSEC really advise CSIS to provide the information to the Court, as the Commissioner says, even though it disagreed with that advice, as CSIS says? "We hereby advise you to take steps that we don't think you should take." It doesn't seem very likely.

Maybe the large redacted portion of the CSIS memo contains an explanation for the contradiction—it might be nothing more than bad writing on CSIS's part. If, on the other hand, the CSE Commissioner got the story wrong, well... let's just hope it was CSIS that screwed it up.

One other takeaway from all this: When the government actually cares about the amendments it has promised to put before parliament, it moves very expeditiously.

And when it doesn't, it doesn't.

Sunday, October 19, 2014

Greenwald events in Canada

Glenn Greenwald, one of the original journalists who received the Snowden leaks, will be speaking at three events in Canada during the coming week.

The first event is Glenn Greenwald in conversation with David Walmsley, which will take place at CBC's Glenn Gould Studio in Toronto on October 21st. Walmsley is the editor-in-chief of the Globe and Mail, and his paper published a teaser interview with Greenwald on Sunday: Colin Freeze, "Q&A with Glenn Greenwald: ‘There are so many stories left to be reported’," Globe and Mail, 19 October 2014.

[Update 21 October 2014: A pleasant discussion between Walmsley and Greenwald. Some inspiring words for Canadian journalists. A couple of well-deserved shout-outs for Duncan Campbell and Nicky Hager. No news.]

Next will come the 2014 Beaverbrook Annual Lecture at Pollack Hall, McGill University, Montréal on October 23rd. McGill plans to livestream the lecture. [Update 25 October 2014: Link here.]

The final event, Glenn Greenwald Speaks, will take place in Ottawa at 440 Albert Street on October 25th. The event will feature both a talk by Greenwald and a subsequent discussion between Greenwald and Jesse Brown, host of the CANADALAND podcast. More information here.

[Update 25 October 2014: The Ottawa event can be watched here. Prodded by Jesse Brown, Greenwald again promised that more CSEC revelations will eventually come out, but, perhaps unsurprisingly, he provided no details.]

Related news coverage: Ian MacLeod, "Glenn Greenwald on balancing security and liberty," Ottawa Citizen, 17 October 2014.

All three events are open to the public, but tickets are required for the Ottawa and Toronto events. See the links for details.

September 2014 CSEC staff size

2214.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Sunday, September 28, 2014

Harper, CSEC, and metadata

Comments made by Prime Minister Stephen Harper in New York on September 24th have raised questions about CSEC's use of metadata and about how well the prime minister understands CSEC's activities.

The comments came in an exchange between the prime minister and Wall Street Journal editor-in-chief Gerard Baker during a live interview in front of a New York business audience:
Baker: How do you deal with this challenge between, on the one hand, individual liberty and the need for security? Canada is a country which takes very seriously the notion of human rights and individual rights and is understandably protective of those, and yet, you know, there has been this whole furore here in the United States and around the world about government surveillance. And yet we're starting to see that perhaps some of that government surveillance actually, whether you like it or not, is perhaps necessary actually to avert some of these threats and to stop some of these radicalized people coming and doing these terrible things. How do you get that balance right between on the one hand protecting the security of your people and preserving their right to go about their lives?

Harper: Well, I think broadly the answer to that is actually quite straightforward—which is that you focus your energies: you have, obviously, a system that can identify potential threats, track them, and zero in on surveillance on those particular threats, as opposed to systems that are just broadly based on widespread surveillance of everyone. I’m not a big believer in those kinds of systems, not just because they have the potential to infringe civil liberty, but they usually overwhelm you with data in a way that you can’t actually process or make any use of. So the real challenge, I think, is using these tools, and using them in a way that you can focus in on the people you know are actually going down the wrong path. Just as, frankly, we would do with much traditional crime: we try and focus on people we know become associated with criminal gangs or criminal activity. We don't focus on entire cities or entire populations from which they come.

Baker: Yeah, but, again, the U.S. law enforcement authorities would say that—especially the use of metadata to figure out patterns in phone conversations and that kind of stuff—that's how you do sift down this enormous amount of data, and you can establish that in order to do that effectively, to trace whether some guy in Buffalo is planning to either fly out to the Middle East or blow up a plane somewhere, it's very important to detect patterns in that guy's mobile phone conversations at home and abroad. And that's how you do it, isn't it? Isn't that how you do it?

Harper: Well, they may say that.

Baker: Do you do that in Canada?

Harper: We don't do that in Canada. We don't use metadata as a surveillance tool. And as you note we have had not only radicalized individuals, we have broken up plots and actions of individuals who were planning terrorist actions, and we've done that through targeted, on-the-ground surveillance of people.
Transcription by me. You can watch the entire exchange here (discussion starts around 2:40).

If the prime minister's comments were intended to deny that CSEC uses metadata at all, then he was certainly wrong and should have known better.

CSEC's reliance on metadata has been acknowledged officially many times. CSEC Chief John Forster testified in April, for example, that the agency uses metadata
for three things. One is to understand global communication networks, so we use it to analyze networks so that when we're searching for a foreign target, it helps us to find where our best chance of success is in identifying targets in a sea of billions of communications. Two, we use it to make sure that we're actually targeting a foreign communication and not a Canadian communication. Three, we use metadata to help us detect and identify cyber-attacks against government systems and the information they contain. We can only use metadata either to understand global networks and analyze them, or to define our foreign targets. We don't use it to identify or target Canadians.
It is possible that the prime minister was wrong or was simply being disingenuous, but I suspect his remarks were actually, as their context suggests, intended specifically to refer to the possible use of domestic Canadian metadata to systematically analyze the telephone and/or internet activities of Canadians in order to identify previously unknown suspicious individuals or activities.

The NSA does "contact chaining" searches through both domestic and international metadata, including metadata concerning its Five Eyes allies, and it also does broader, "pattern of life" searches through at least some of that data. We also know that at least some Canadian metadata is shared with those allies, and presumably subjected to some of these analyses.

With respect to Canada itself, we know that CSEC has access to a significant amount of Canadian metadata (although how comprehensive, we don't know) and that the agency can be called upon to analyze such data in support of domestic investigations. The 2006 version of OPS-1-10, Procedures for Metadata Analysis, a CSEC policy document, noted that specific procedures exist for handling domestic metadata analysis: "Metadata analysis conducted in support of Federal Law Enforcement or Security Agencies (LESAs) to obtain Security or Criminal Intelligence (mandated under paragraph 273.64(1)(c) of the NDA, known as ‘Mandate C’) is handled only in accordance with OPS-4-1, Procedures for CSE Assistance to Canadian Federal Law Enforcement or Security Agencies, and OPS-4-2, Procedures for CSE Assistance Under Section 12 of the CSIS Act."

In April 2014, Chief Forster confirmed CSEC's continued support to domestic agencies in this respect: "Again, although we collect metadata, it's very much limited in its use to our existing mandate, which is foreign intelligence collection and cyber-defence. The restrictions we have around that is to understand global networks to find foreign targets. We're not using it to target Canadians or anyone in Canada for our intelligence-gathering activities unless we're assisting CSIS and RCMP under a court warrant." (emphasis added)

Or a few other agencies.

Clearly, CSEC can and does use metadata in support of targeted domestic investigations undertaken by Canadian law enforcement and security agencies. And such support probably includes "contact chaining" analysis of those targets. CSEC can also analyze metadata related to its foreign intelligence targets located outside Canada, even if that data extends back into Canada (e.g., a Canadian telephone number in contact with a target in Yemen).

But can CSEC trawl through Canadian metadata searching for suspicious activities or connections without a direct connection to a specific individual targeted for specific reasons?

I think perhaps this is what the prime minister was saying CSEC does not do.

It would be interesting to know if this is indeed what he meant, and if so, if he was right.


News coverage:

- "Stephen Harper says Canadians' metadata not collected," Toronto Star, 25 September 2014
- "Stephen Harper on Canada's spy agency," The National (CBC), 25 September 2014

Update 30 September 2014:
And Question Period (26 September 2014) once again proves useless for bringing any clarity to the issue.