Wednesday, August 20, 2014

CSE commissioner's annual report released

The CSE commissioner's annual report was released today (PDF; HTML).

There is a lot of interesting information in the report, but the big news is that the commissioner was permitted to put a number on the use or retention of private communications (communications with at least one end in Canada) in the foreign intelligence part of CSEC's activities during 2012-13.

And that number is 66:
Overall, in 2012–2013, the volume of communications collected through CSEC’s foreign signals intelligence activities increased. However, the number of recognized private communications unintentionally intercepted and retained by CSEC was small enough that I could review each of them individually. At the end of the 2012–2013 ministerial authorization period, CSEC retained 66 of the recognized private communications that it collected. Of these, 41 private communications were used in CSEC reports (with any Canadian identities suppressed in the reports) and 25 were retained by CSEC for future use. All other recognized private communications unintentionally intercepted by CSEC were destroyed.
Sixty-six is a reassuringly small number, and the number of Canadians or other persons in Canada (hereafter "Canadian persons") involved in those communications could be even smaller, as some may have participated in more than one communication. (On the other hand, in theory a single communication involving a foreign target could go to a mailing list with dozens of Canadian persons on it, so the total number of Canadian persons implicated could be much larger.)

There are several other facts worth noting about this number.

First, it does not include any reporting, retention, or provision of private communications collected by CSEC under the cyber protection (Mandate B) or support to domestic law enforcement and security agencies (Mandate C) parts of its mandate.

[Update 19 November 2014: As shown here, the number of private communications used or retained by the cyber defence program (Mandate B) during the 1 December 2012 to 30 November 2013 reporting year was almost certainly in the low thousands, 15 to 60 times greater than the number reported for the foreign intelligence program by the CSE Commissioner.]

Second, it does not include any reporting or retention of private communications obtained by CSEC through its SIGINT partners. The report does acknowledge CSEC's "receipt from the Second Parties of intercepted communications and other foreign signals intelligence information, particularly private communications and information about Canadians." However, according to the commissioner, "The unintentional interception of a private communication by CSEC is a different situation than the unintentional acquisition by CSEC from a second party source of a one-end Canadian communication."

I have some difficulty understanding this point, as the Criminal Code definition of intercept includes to "listen to, record or acquire a communication or acquire the substance, meaning or purport thereof", which would seem to me to include acquiring it from Second Parties. But I'm no lawyer. Past commissioners have suggested that a definition of "intercept" ought to be included in those National Defence Act amendments that the government never bothers to get around to, and maybe that's why that suggestion was made. Does CSEC have its own definition of intercept that differs from the one in the Criminal Code?

Third, it does not include any reporting or retention of communications that are not considered private communications even though they do involve one or more Canadian citizens. An example would be a communication by a Canadian in which both ends of the communication are outside Canada (e.g., you're visiting France and you phone a business associate in Germany). CSEC is still not permitted to target Canadians under its Mandate A under such circumstances, but any such communication collected incidentally that met the relevant criteria could be reported or retained and would not appear in the 66 figure quoted by the commissioner.

Fourth, the figure includes only those private communications that were reported or retained. As the commissioner himself notes, "CSEC deletes almost all of the small number of recognized foreign signals intelligence private communications unintentionally intercepted by its collection programs" (emphasis added). Logically, this means that the 66 that were used or retained (i.e., not deleted) represent almost none of the total that were actually intercepted. How large is the latter number? The commissioner does say that the number intercepted is itself a "small number". But in comparison to the billions of private communications that Canadians participate in every year, some pretty large numbers might be characterizable as small.

None of this is to suggest that a massive program designed to monitor all Canadians lurks beneath that innocuous-sounding 66 number. But it's worth recognizing that 66 is far from the whole picture.

Another point: I really have a hard time with this term "unintentional" that the commissioners use. There are cases when CSEC is trying to collect a foreign communication and by mistake it pulls in a Canadian communication. Those could fairly be described as "unintentional" or, as CSEC seems to prefer, "inadvertent".

The cases that CSEC describes as "incidental" are a separate type. If CSEC collects a bunch of communications to or from one of its foreign targets, let's call him Osama, and one of those communications turns out to involve a Canadian, the collection of that Canadian's communication is termed "incidental" by CSEC. It wasn't collected by mistake. And it wasn't collected unintentionally either. It was done on purpose. The Canadian wasn't specifically targeted for collection, but CSEC certainly did want to know the identity of the people Osama was talking to and the content of those communications, and, as you might expect, they were especially interested in the Canadian angle. In fact, the law was changed in 2001 specifically to ensure that it is legal for CSEC to collect, use, and retain those targeted foreign communications that turn out to have one end in Canada.

I get that the commissioners are trying to distinguish between targeting specific Canadians and not targeting specific Canadians. But there is nothing "unintentional" about the fact that CSEC collects—and pays particular attention to—the communications of Canadians and persons in Canada when those communications are with one of CSEC's foreign targets. Even the term "incidental" is somewhat misleading, in my view, as it carries the implication that CSEC isn't really interested in the Canadian end.

They're interested.

Criticisms and comments notwithstanding, it' s nice to see the increase in transparency in this year's report by the commissioner.

There is a lot more of interest in this year's report, but that's all for now...

Media coverage:

- Colin Freeze, "Spy agency intercepted, kept communications of 66 Canadians," Globe and Mail, 20 August 2014
- Jim Bronskill, "Spy agency improperly kept Canadian info," Canadian Press, 20 August 2014
- David Pugliese, "Communications Security Establishment kept private communications of Canadians in violation of internal policies," Defence Watch blog, 20 August 2014
- Tonda MacCharles, "Canada’s electronic spy agency gets passing grade from watchdog," Toronto Star, 20 August 2014
- Kady O'Malley, "CSEC kept 66 'unintentionally' obtained private communications," CBC News, 20 August 2014

Update 21 August 2014:

- Editorial, "A glimpse into the iceberg that is CSEC," Globe and Mail, 21 August 2014
- Wesley Wark, "Canadian spy agency watchdog strikes a new pose," Ottawa Citizen, 21 August 2014. Excellent commentary by Canada's leading academic expert on intelligence issues.

Update 22 August 2014:

- Justin Ling, "Canada's Spy Agency Recorded Citizens' Calls, Internal Audit Reveals," Motherboard, 22 August 2014

Update 25 August 2014:

- Dan Leger, "Spies, guard dogs duck oversight," Chronicle Herald, 25 August 2014

0 Comments:

Post a Comment

<< Home