Thursday, February 25, 2016

CSE 2016-17 budget will be more than four times larger than pre-9/11


The Main Estimates for fiscal year 2016-2017, which were tabled in parliament on Tuesday, February 23rd, show that the Communications Security Establishment budget is projected to be $583,624,818 in the coming year.

[Update 5 November 2016: See updated figures here.]

CSE's budget has been growing more or less continuously since 9/11. The agency's projected 2001-02 budget was $100.2 million, or about $135 million in today's dollars. (Much more was actually spent that year, but the boost from the projected level was the result of post-9/11 increases.)

The projected 2016-17 budget is thus a stunning 5.8 times larger than the pre-9/11 budget—4.3 times larger after accounting for inflation.

CSE's much increased post-9/11 focus on counter-terrorism and support to military operations undoubtedly accounts for a lot of the growth since 2001, but the agency's dramatic shift during the same period away from old-style SIGINT operations towards "mastering the Internet" and conducting computer network exploitation operations probably accounts for an even larger part of the increase.

The projected 2016-17 budget is $45.4 million higher than the $538,201,730 budget projected in the 2015-16 Main Estimates. The increase is explained as the net result of a $14.1 million reduction in accommodation costs and a $59.5 million increase in funding "to address cyber threats and advancements in information technology."

As in many years, however, the 2015-16 Main Estimate figure is not a very reliable guide to the agency's actual budget this year.

CSE's budget authorities were topped up several times during the year: $18,081,548 was added in the Supplementary Estimates (B) as a carry-forward from the previous year's operating budget; an additional $3,078,449 was added to cover various paylist requirements; another $20,000,000 was added for paylist requirements in the Supplementary Estimates (C); and the Supplementary Estimates (C) also added a $4,421,325 transfer from Public Works and Government Services, additional appropriations of $31,353,885 to "preserve Canadaʼs foreign intelligence capabilities" (buy more supercomputers?) and $2,989,797 for cyber security initiatives, plus an additional statutory appropriation of $648,400. All told, these additional cash infusions total $80,573,404, boosting CSE's proposed 2015-16 budget authorities to $618,775,134.

It is likely that not all of that money will be spent by the end of the fiscal year. Indeed, if I'm reading this document correctly, $4,218,262 is already considered frozen and cannot be spent. There may well be other spending shortfalls. Nonetheless, it looks like CSE may be on track to spend well over $600 million in FY 2015-16.

Going back to the Main Estimate numbers, most of this year's $45.4 million Main-Estimate-to-Main-Estimate increase, 72% of it, is going to the SIGINT side of the house. The remaining 28% will go to the other side, the IT Security program. Interestingly, the proportion of the overall CSE budget currently accounted for by the SIGINT and IT Security programs is also 72 and 28% respectively.

Cyber security has been much in the news in recent years, with high-profile penetrations of IT systems discovered in the NRC, the Privy Council Office, and other locations. But so far there is no evidence of an increase in the relative emphasis on cyber security within CSE.

Here is the breakdown from previous years:

2015-16: 73/27 (SIGINT/IT Security)
2014-15: 71/29
2013-14: 68/32
2012-13: 70/30

As these numbers show, despite increasing concern about Canada's vulnerability to cyberattacks and cyberespionage, CSE's SIGINT program has been growing faster than its IT Security program. However, as I noted last year, such numbers are likely to fluctuate quite significantly from year to year as capital spending related to specific projects starts and stops, so it is probably too early to draw conclusions about any long-term trends.

Further coverage:

- Alex Boutilier, "Canada’s spies expecting a budget boost," Toronto Star, 23 February 2016.


Monday, February 22, 2016

Plouffe testimony to Senate National Security and Defence Committee


CSE Commissioner Jean-Pierre Plouffe testified before the Senate National Security and Defence Committee on 22 February 2016. Pierre Blais, the Chair of the Security Intelligence Review Committee, also testified at the same time.

The transcript of the session won't be available until later [interim transcript now available here], but the meeting was televised and can be watched here. The session involving Plouffe and Blais begins around 14:08, and Plouffe's prepared testimony begins around 14:23.

The discussion of CSE's metadata problem begins at about 15:00.

Especially notable in Plouffe's response is his statement that the unminimized metadata was shared for a "number of years" before being stopped, which suggests it may have begun not long after this April 2008 meeting, when CSE told its allies that "bulk, unselected metadata presents too high a risk to share with second parties at this time, because of the requirement to ensure that the identities of Canadians or persons in Canada are minimised, but re-evaluation of this stance is ongoing."

[Update 23 February 2016: It's probably no coincidence that Qtech was contracted in April 2008 to design "a Service Oriented Architecture (SOA) for metadata sharing between Canada and its foreign allies. This high profile initiative will transform the manner in which Canada collaborates with its allies. This metadata sharing system allows the collaborating parties to retrieve metadata of interest from the department’s [Very Large Databases], and is designed to handle very large volumes of requests and resultsets." According to Bill Pezoulas, the work lasted until May 2009. The system developed was probably used to facilitate Canadian participation in Five-Eyes metadata-sharing through GLOBALREACH.

Note the bit about "very large volumes of requests and resultsets."]


Further coverage:

- Ian MacLeod, "Canadian electronic spy agency’s unlawful metadata sharing went on for years before being fixed," Ottawa Citizen, 22 February 2016.

- Ashley Burke, "'Difficult to determine' scope of privacy breach in Five Eyes data sharing," CBC News, 23 February 2016.

Sunday, February 21, 2016

The antennas of Pine Gap



Another paper in our on-going series on the SIGINT station at Pine Gap, Australia:

Desmond Ball, Bill Robinson, and Richard Tanter, "The Antennas of Pine Gap", NAPSNet Special Reports, February 21, 2016. Full text here (7 MB PDF).


Earlier reports:

- Desmond Ball, Bill Robinson, and Richard Tanter, "Management of Operations at Pine Gap", NAPSNet Special Reports, November 24, 2015;

- Desmond Ball, Bill Robinson, and Richard Tanter, "The SIGINT Satellites of Pine Gap: Conception, Development and in Orbit", NAPSNet Special Reports, October 15, 2015;

- Desmond Ball, Bill Robinson, and Richard Tanter, "The Higher Management of Pine Gap", NAPSNet Special Reports, August 17, 2015;

- Desmond Ball, Bill Robinson, and Richard Tanter, "The militarisation of Pine Gap: Organisations and Personnel", NAPSNet Special Reports, August 13, 2015; and

- Desmond Ball, Bill Robinson, Richard Tanter, and Philip Dorling, "The corporatisation of Pine Gap", NAPSNet Special Reports, June 24, 2015.

More to come!


Photo credit: Kristian Laemmle-Ruff (Attribution - NonCommercial CC BY-NC)

Coverage:

- Daniel Flitton, "Rare glimpse at the secrets of Pine Gap spy base," Sydney Morning Herald, 28 February 2016.

- Peter Devlin, "The secrets of Pine Gap: Huge high-tech spy facility in the remote Australian outback tracks terrorists and is the most important intelligence gathering unit outside the US," Daily Mail, 6 March 2016.

Thursday, February 18, 2016

CSE/CFIOG to become Helpful Finder/Fixers?

The Canadian Press is reporting that Canada's revised contribution in the war against the "Islamic State" will include a greater role for Canadian intelligence agencies (Murray Brewster, "Canada’s electronic spies at the centre of beefed-up ISIL intelligence effort," Canadian Press, 18 February 2016):

The Communications Security Establishment, Canada's electronic spy service, is set to play a more prominent role in the war against the Islamic State of Iraq and the Levant, The Canadian Press has learned. [...]

Defence Minister Harjit Sajjan has for weeks been signalling that the military will introduce a "more robust" intelligence-gathering regime, one that allies — chastened by the withdrawal of the six CF-18s — are happy to be bring [sic] to the fight.

Separately, Public Safety Minister Ralph Goodale confirmed Thursday that the Canadian Security Intelligence Service will also play a stepped-up role in the fight against the Islamic State, but he also refused to be specific.

"We are providing new and additional intelligence capabilities in the region and while by its very nature I cannot elaborate, CSIS will have a role to play," Goodale said.

"It will certainly be an increased role to accomplish larger objectives."

The defence conference where Goodale and Sajjan were speaking heard Thursday about how CSIS agents cultivated human sources in Afghanistan.

But CSE played a pivotal role alongside the Canadian Army during the Afghan war, providing by its own admission half of the crucial battlefield intelligence on Taliban militants, their movements and the locations of key commanders.

The information was used to plan military operations and for targeted capture or kill missions by special forces. But one official, speaking on condition of anonymity, said Canadians would provide targeting only and not take part in any "direct action."

Although he's been eager to trumpet the "doubling" of the intelligence effort, Sajjan has been decidedly opaque about what that means, even last week when he announced the retooled mission.

"Enhanced intelligence capability will help protect our forces in theatre as well as those of our coalition and host nation partners," Sajjan said.

"Therefore, we will significantly increase the resources we dedicate to intelligence, both in northern Iraq and theatre-wide. Our intelligence capabilities will help the coalition and Iraqi security forces develop a more sophisticated picture of the threat and improve our ability to target, degrade and defeat ISIL."

What that likely means in practical terms, according to sources and intelligence experts, is the involvement of the secretive CSE and specialists from the 21st Electronic Warfare Regiment.

It also means deploying Canadian intelligence officers into the highly secure all-source intelligence centre in Kuwait, and potentially hacking ISIL computers and smartphones.

Various comments and speculations by me follow.


Update 3 March 2016: See here for confirmation from CSE that it is participating in Operation Impact, the mission against ISIS, with respect to force protection at least.

Monday, February 15, 2016

Recent items of interest

Recent news and commentary related to CSE or signals intelligence in general (other than the really big recent story):

- Justin Ling, "Canada’s Spy Agency [CSIS] Wants to Hire Shrinks to Study Terrorists," Vice News, 15 February 2016.

- Andrew Mitrovica, "What happens when our spies break the law? Nothing, apparently," iPolitics, 12 February 2016.

- Michael Petrou, "Canada’s secret bid to stop Russian hackers: How Ottawa quietly backed efforts to fight Russian cyber-attacks against Ukraine," Maclean's, 8 February 2016.

- David Omand, "Where privacy and security intersect, will police and intelligence (finally) work together?" Globe and Mail, 2 February 2016. Also listed in the Hall of Shame here.

- Steven Chase, "U.S. takeover of network carrying sensitive federal data raises security concerns," Globe and Mail, 26 January 2016. See also Steven Chase, "Liberals criticized for not conducting security reviews on foreign takeovers," Globe and Mail, 27 January 2016.

- Ben Makuch, "Canada Discovers It's Under Attack by Dozens of State-Sponsored Hackers," Vice News, 25 January 2016.

- Daniel Therrien, "Parliament should be wary of warrantless access: Privacy Commissioner," Toronto Star, 25 January 2016.

- Geoffrey York, "RCMP use cellphone data in bid to find Burkina Faso attackers," Globe and Mail, 24 January 2016. CSE involved?

- Colin Freeze, "China denies role in cyberhack that stole U.S. military aircraft secrets," Globe and Mail, 22 January 2016.

- Ryan Olshansky, "Real Change in the Oversight of Spies?" CDA Institute Blog, 21 January 2016.

- David Pugliese, "Can Canada's intelligence capability help in war on ISIL?" Ottawa Citizen, 19 January 2016.

- Justin Ling, "Canada Wants Drones to Bomb Terrorists, Track Pirates, and Spy on Protesters," Vice News, 19 January 2016.

- Jim Bronskill, "Liberals to review Tory policy allowing info sharing even when it might lead to torture: Goodale," Canadian Press, 18 January 2016.

- Lee Berthiaume, "Defence minister calls for ‘better intelligence capabilities’ in wake of deadly African attack," National Post, 18 January 2016.

- RCMP Commissioner Bob Paulson, John Tait Memorial Lecture, 15 January 2016.

- Editorial, "Will Trudeau finally let Parliament watch the watchers?" Globe and Mail, 15 January 2016.

- Jim Bronskill, "Canada must promote open, secure cyberspace, advisers tell Trudeau," Canadian Press, 15 January 2016.

- Michelle Zilio, "Sajjan wants increased use of Canadian intelligence in ISIS mission," CTV News, 13 January 2016.

- Justin Ling, "Canadian Cops Can Still Use an Unconstitutional Mass Surveillance Tactic to Grab Your Cell Data," Vice News, 14 January 2016. See also David Fraser, "Ontario court provides clear guidance on privacy and "tower dumps" in R v Rogers and Telus," Canadian Privacy Law Blog, 14 January 2016.

- Kurt Jensen, "Canadian Intelligence Accountability," CDA Institute Blog, 13 January 2016.

- Jessica Murphy, "Canada campaigners to demand public debate on controversial anti-terror law," Guardian, 13 January 2016.

- Ian MacLeod, "Government may take extra steps to examine security agencies," Ottawa Citizen, 13 January 2016.

- Marie-Danielle Smith, "Must see: The government doesn’t want you to click here," Embassy News, 13 January 2016 (subscriber only).

- Craig Forcese, "Comparative Thinking on National Security Lawyering," National Security Law blog, 13 January 2016.

- Craig Forcese & Kent Roach, "Bridging the National Security Accountability Gap: A Three-Part System to Modernize Canada's Inadequate Review of National Security," Social Science Research Network, 11 January 2016. See also Rosemary Barton interview with Craig Forcese on CBC Power & Politics, 13 January 2016.

- Jim Bronskill, "Liberals aim to balance national security with rights and freedoms in Bill C-51 revamp," Canadian Press, 10 January 2016.

- Jordan Press, "Rebuild of National Research Council systems years late, documents show," Canadian Press, 9 January 2016.

- Jim Bronskill, "Canada looking to British model for national security committee: Goodale," Canadian Press, 8 January 2016.

- Ian MacLeod, "MP McGuinty to chair parliamentary committee to monitor spying, security," Ottawa Citizen, 8 January 2016. See also the PM's press release.

- Jordan Pearson, "Canadian Company Netsweeper to Censor Bahrain’s Internet for $1.2M," Motherboard, 8 January 2016.

- Monique Muise, "Department of National Defence seeks help monitoring social media," Global News, 7 January 2016. See also Alex Boutilier, "Canada’s military plans to monitor the world’s social media," Toronto Star, 8 January 2016. Tender notice: Social Media Monitoring (W8484-168492/A), 7 January 2016. The contract was awarded to 9172-8766 Québec inc. (AKA Nexalogy Environics) on 10 February 2016.

- Ross Lord, "Rear Admiral confirms ‘data spill,’ downplays HMCS Trinity security breach," Global News, 5 January 2016. See also Michael McDonald, "Imprudence led to alleged intelligence centre security breach: rear admiral," Globe and Mail, 5 January 2016, and Keith Doucette, "Navy finds five more breaches of secure network at N.S. training school," Canadian Press, 7 January 2016.

- Alex Boutilier, "Canadians’ Internet traffic at risk," Toronto Star, 30 December 2015.

- Alex Boutilier, "Feds eye new IT security suite to prevent attacks, block websites," Toronto Star, 30 December 2015.

- Michael Nesbitt, "Canada can do more to fight terrorism," National Post, 28 December 2015.

- Laura Stone, "RCMP pushes for new law to get Canadians’ private information without a warrant," Global News, 22 December 2015.

- Scott Vrooman, "Happy holidays to the deep state!" Toronto Star video, 21 December 2015.

- Laura Tribe, "Canadian Internet traffic is travelling through the U.S. – making Canadians even more vulnerable to NSA surveillance," OpenMedia.org, 16 December 2015. See also Kieren McCarthy, "Canadian live route map highlights vulnerabilities to NSA spying efforts," Register, 17 December 2015.

- Ian MacLeod, "Jihadis could have influenced Hill shooter Zehaf-Bibeau, says RCMP Commissioner Paulson," Ottawa Citizen, 15 December 2015.

- Robin Levinson King, "The cellphone spyware the police don’t want to acknowledge," Toronto Star, 15 December 2015.

- Editorial, "We won’t take cyber security seriously until it’s too late," National Post, 15 December 2015.

- Jim Bronskill, "Privacy czar sees middle ground in fight over access to web-customer info," Canadian Press, 14 December 2015.

- Dave Seglins, "New cybersecurity network aims to share data on emerging threats," CBC News, 11 December 2015. See also Ralph Goodale, "Statement from the Minister of Public Safety and Emergency Preparedness on the launch of the Canadian Cyber Threat Exchange," Government of Canada, 11 December 2015.

- Jim Bronskill, "Privacy czar urges 'open debate' on Bill C-51," Canadian Press, 10 December 2015. See also Claire Wählen, "Identifying privacy flaws in Harper-era legislation could take ‘years’: commissioner," iPolitics, 10 December 2015; David Fraser, "Privacy Commissioner tables annual report on privacy in the federal government," Canadian Privacy Law Blog, 10 December 2015; and Justin Ling, "There Has Been a 'Sea Change' in Privacy Rights in Canada, Warns Watchdog," Vice News, 14 December 2015. Annual Report to Parliament 2014-15: Protecting personal information and public trust, Office of the Privacy Commissioner of Canada, December 2015.

- Jim Bronskill, "ISIL cyberattack on plane unlikely: Transport," Canadian Press, 10 December 2015.

- Ann Cavoukian, "Encryption is crucial to our privacy and freedom," Globe and Mail, 9 December 2015.

Plus a small flurry of articles on Canadian Forces Station Alert:

- "International team tests virtual reality technology for sustaining astronauts’ mental health at CFS Alert," RCAF News, 6 January 2016. Ground control to Major Walt!

- Matthew Fisher, "Canada’s ‘frozen chosen’ at top of the world have been in the dark since Oct 14," National Post, 1 February 2016.

- Bruce Campion-Smith, "Canadian Forces flights are the tenuous lifeline to Alert, the top of the world," Toronto Star, 6 February 2016; "Staying busy crucial to surviving 24 hours of darkness in Alert," Toronto Star, 6 February 2016; and "Alert: A feat of engineering sustained by a feat of logistics," Toronto Star, 6 February 2016.

The last article contains some very interesting comments by Wesley Wark about Alert's Cold War mission: "Alert was one of the principal intercept sites for Soviet military communications around their ballistic missile program. That was its early purpose."

He also ventures some guesses about its current mission: "Wark speculates that its mission has changed to intercept satellite communications. It could also monitor transmissions among Russian military aircraft. Whether Russia remains the prime target is a question mark, too."

Russian military aircraft, and naval vessels, do seem like likely targets. But I doubt satellite communications are monitored from the station.

Geostationary satellites cannot be seen from Alert's far north location, which is why the High Arctic Data Communications System was built between Alert and the (slightly) more southerly Eureka.

Most satellites in non-geostationary orbits can be seen from Alert, but monitoring those requires tracking antennas that can follow the motion of the satellite through the sky. I don't think there are any such antennas at Alert, although it's not impossible that one or two small ones might exist. For the most part, there is simply no advantage to monitoring satellites from a remote site like Alert compared to more accessible locations in the south of the country.


SIGINT history:

- "The Black Chamber: The man who made Edward Snowden inevitable," Economist, 19 December 2015. As mentioned in the article, Herbert Yardley was also the founding Director of Canada's first code-breaking agency, the Examination Unit.

- Richard Brisson & François Théberge, An Overview of the History of Cryptology, Communications Security Establishment, no date (2001?). Brisson, who retired from CSE in 2011, has a website dedicated to Cryptographic Artifacts based on his personal collection. Théberge recently turned up in one of the Snowden documents.

- It's also worth checking out this series of essays about the intercept site that operated at Point Grey, B.C., during the Second World War: Station Point Grey and Very Special Intelligence: Part 1, Part 2, Part 3. The claims the author makes for the significance of the station are a bit over the top, and the selection of subjects discussed is, shall we say, idiosyncratic, but there's still an interesting tale in there. There is supposed to be a 4th part in the set, but I haven't been able to find it. Anyone out there know where it is?


Also of interest:

The CBC and Vice News/Motherboard recently added SecureDrop capabilities to their sites to give anonymous sources a safe way to contact them. (The Globe and Mail also has done this.)

Saturday, February 13, 2016

2014-15 Annual Report, part II: Staying dark


Some concluding comments on the CSE Commissioner's 2014-15 annual report. My earlier comments can be found here.


CSE assistance to CSIS under Mandate C and s.16

The Commissioner's long-lost review of CSE assistance to CSIS under Mandate C and s.16 of the CSIS Act was finally completed last year. (See the final section of my post on last year's report and also this post for background.)

Section 16 is the part of the CSIS Act that enables CSIS to collect foreign intelligence in Canada at the request of either the Minister of Foreign Affairs or the Minister of National Defence. When CSIS gets the go-ahead for such operations, it can call on CSE to help through CSE's Mandate C, which enables it to provide assistance to federal law enforcement and security agencies.

As I commented here, s.16 probably provides the legal basis for the collection of foreign embassy communications in Canada. And whatever monitoring was done at the G8 and G20 summits was probably also authorized through s.16.

Because it takes place in Canada, such monitoring is guaranteed to involve persons in Canada, so it is especially sensitive from the point of view of privacy protection. It was concern about the private communications of Canadians getting monitored during the interception of embassy communications that led former CSE employee Jane Shorten to go public about privacy violations in 1995.

All in all, it's a good topic for the Commissioner to shed some light on.

As I expected last year, however, not much in the way of information content actually makes it through to the Commissioner's long-suffering readers.

For starters, the report is vague about the timeframe covered by the review. One of its goals was to examine "any changes since my office’s last in-depth review," but when that review actually took place is not specified.

It seems likely, however, that the new review extended at least as far back as 2010, the year the G8 and G20 summits were held in Canada.

In 2013 there was much concern expressed about the possibility that CSE (and NSA) had illegally spied on the delegates to those summits. My own view then and now is that, yes, spying took place, but, no, it was not illegal, because this is one of the kinds of activities s.16 was specifically designed to make legal.

Given the level of public and parliamentary concern that was expressed about the legality of CSE's activities during the 2010 summits, you might think that this would be an appropriate occasion for the CSE Commissioner to address that question—at least in general terms.

Or you might think that if you hadn't read a lot of these annual reports.

There is in fact not a word about the summits in the report.

It did, however, provide a generic assurance that

CSE respected the condition contained in section 16 warrants to protect the privacy of Canadians when using intrusive measures, by following CSE policy to destroy all information about Canadians unless the information:
- relates to activities that would constitute a threat to the security of Canada as defined in the CSIS Act;
- could be used in the prevention, investigation or prosecution of an alleged indictable offence; or
- relates to those foreign states, persons or corporations for which the requesting minister has requested assistance, in writing, pursuant to section 16 of the CSIS Act.

The first and, especially, the second condition listed by the Commissioner merit particular attention as neither has any necessary connection to the original purpose of s.16 activities, the collection of foreign intelligence in Canada.

In some cases such collection probably does have a direct connection to foreign intelligence questions. There is reason to believe, for example, that people have been caught trying to sell corporate or national secrets to foreign powers because their communications with the embassies in question were monitored. In other cases, however, Canadian communications collected incidentally might have no connection at all with foreign intelligence.

The rules surrounding the use of such collection ought therefore to be of considerable concern to Canadians.

Sadly, they won't find any help in that respect here. The nature of those rules remains a mystery.

The same level of obscurity applies to most of the s.16 report.

A little bit of information is provided about the evolution of the s.16 process, notably that interdepartmental discussions in 2007 and early 2008 led to (a) the scrapping of the 1987 Tri-Ministerial Memorandum of Understanding between the Minister of Foreign Affairs, the Minister of National Defence and the Solicitor General (now Minister of Public Safety) that had originally governed the s.16 approval process and (b) its replacement by a "new process" agreed between the three ministers. We are also informed that this new process "did not outline the roles and responsibilities of the parties involved."

This leads to a recommendation that "interdepartmental agreements and internal CSE policies be updated in a timely manner to reflect current procedures and practices."

Seven or eight years on, it does seem like there may have been a bit of a timeliness failure in this regard.

There is also a useful affirmation, although somewhat ambiguous, that "Not all section 16 activities may involve warrants or assistance from CSE."

Again, no details are provided, but I take this statement to mean that CSE's support may sometimes include activities such as processing data obtained by CSIS through production orders or other information-sharing processes that don't require warrants—when operating in support of CSIS Level 1 targeting, for example. (Only Level 2 targeting requires a warrant.) Or that CSE may sometimes check its own or allied metadata databases in support of similar CSIS activities.

Of course, these possibilities apply to the full range of Mandate C cooperation, not just to support for s.16 activities. It is no coincidence that CSE statements about Mandate C usually have a qualifying phrase like the one here: "to request assistance from CSE, agencies must have the proper legal authority, such as a warrant from a court." Such as.

[Update 20 February 2016: For more on warrantless cooperation with CSIS, see Alex Boutilier, "CSE can assist in ‘threat reduction’ without a warrant, documents show," Toronto Star, 20 February 2016.]

Although he couldn't tell us much about them, overall the Commissioner was satisfied with the s.16 activities he reviewed: "I concluded that CSE conducted its activities in accordance with the law and ministerial direction, and included measures to protect the privacy of Canadians."

He did, however, make four recommendations: "two related to the updating or creation of governing process documentation; one on the updating or creation of interdepartmental memoranda of understanding between CSIS and CSE, where applicable; and one that CSE should develop caveats to attach to specific operational material that may be shared with Second Party partners to ensure that the material would not be used without the express authorization of CSE."

No, I don't know what that last one means either.


Data about metadata

Metadata reviews are a regular feature of the CSE Commissioner's annual reports, but past reviews have mostly looked at specific metadata activities; this year's review was the beginning of "an ongoing comprehensive review of CSE’s metadata activities" that will examine the agency’s "metadata activities on a broad scale, to assess changes to the activities, and to determine whether they comply with the law and whether, in conducting them, CSE protects the privacy of Canadians."

In 2014-15, the review focused on metadata use in the foreign signals intelligence (Mandate A) context. Next year, the Commissioner will report on CSE’s use of metadata in an IT security (Mandate B) context, on various issues identified in the Commissioner's classified 2014 report A Review of the Activities of the CSEC Office of Counter Terrorism, and on "other metadata activities." Presumably the last two bits cover CSE's support to law enforcement and security agency (Mandate C) activities.

In the meantime, the Commissioner noted that some of the metadata activities discussed in that 2014 classified report have now been halted and the agency is "consequently updating its policy framework."

Sounds like something dodgy turned up there.

Getting back to this year's report, predictably little is said concerning the actual nature and scope of CSE's Mandate A metadata activities. However, the Commissioner does report both that "metadata collection and analysis have evolved considerably since the last in-depth review" and that "the Canadian legal landscape has also changed since my office last conducted an in-depth review of CSE’s collection and use of metadata."

Two recent Supreme Court decisions in particular are cited, Wakeling and Spencer.

In Wakeling v. United States of America, 2014 SCC 72, the main issue raised was whether federal legislation authorizing the sharing of lawfully obtained wiretap information between Canadian and foreign law enforcement agencies is constitutional. The Court concluded that a disclosure will be reasonable under section 8 of the Canadian Charter of Rights and Freedoms if it passes a three-part test: that the disclosure is authorized by law, that the law authorizing the disclosure is reasonable, and that the disclosure is carried out in a reasonable manner. In R. v. Spencer, 2014 SCC 43, the Supreme Court ruled on a person’s reasonable expectation of privacy within the context of the use of the Internet. The Court found that, depending on the totality of the circumstances, anonymity may be the foundation of a privacy interest that engages constitutional protection against [sic] section 8 of the Charter.

This is all very interesting, but of course what we really want to know is what all this means for CSE's metadata activities.

If the Commissioner has any specific thoughts in that regard he's not sharing them with us.

The Commissioner does report that the existing ministerial directive on metadata, issued in 2011, "lacks clarity regarding the sharing of certain types of metadata with Five Eyes partners, as well as other aspects of CSE’s metadata activities."
"For example, it does not define certain key terms, and fails to differentiate between other terms that, while similar in definition, are implicitly distinct concepts. The ministerial directive lacks specificity regarding the application of privacy provisions to certain processes. Furthermore, the directive does not provide clear guidance regarding a specific metadata activity that is routinely undertaken by CSE in the context of its foreign signals intelligence mission. It is also unclear whether certain language in the directive is still applicable to CSE’s use of metadata in a foreign signals intelligence context. For these reasons, I recommended that CSE seek an updated ministerial directive that provides clear guidance related to the collection, use and disclosure of metadata in a foreign signals intelligence context."
Am I the only one starting to get the distinct feeling that CSE activities don't follow the rules written in CSE policy documents as much as determine what those rules will be when they are eventually written, and re-written, after the fact? The policy people always seem to be trying—and failing—to keep up with actual, existing practice. I thought the practices were supposed to conform to the policies.

It was while the Commissioner was conducting this review that "CSE discovered on its own that certain metadata was not being minimized properly" and thus took it upon itself to suspend the sharing of "certain types of metadata" with its Five Eyes partners. The Commissioner subsequently found that CSE, in originally permitting the unminimized metadata to go out, had failed to comply with the law—the first time any CSE Commissioner has made such a finding. (Discussed further here.)

The Commissioner's review also determined that "CSE’s system for minimizing certain types of metadata was decentralized and lacked appropriate control and prioritization. CSE also lacked a proper record-keeping process."

Suspicious minds might wonder whether CSE or at least elements thereof weren't well aware of the privacy deficiencies of their systems long before the Commissioner came calling, but chose not to reveal the problem until it became clear he was about to discover it for himself.

But surely that kind of duplicity would show up in the records that the Commissioner was able to examine.

If they were properly kept.


Personally, I prefer to think sunny thoughts.


IT Security review

As noted in my previous set of comments, the 2014-15 report added a new recommendation for amendments to the National Defence Act.

Accompanying that recommendation was a hedged assessment of the IT Security, or cyber defence, program's compliance with the law:
"CSE’s IT security activities were appropriately authorized and conducted in accordance with the law as interpreted by Justice Canada and in accordance with ministerial authorizations and ministerial direction." [emphasis added]
Commissioners have been applying the same kind of hedge to the Ministerial Authorization regime for over a decade now.

Despite this qualified seal of approval, the Commissioner did identify some problems with the IT Security program's handling of private communications.
"My office uncovered several private communications that had not been included in the counts. Furthermore, our questioning uncovered incidents that were incorrectly identified, either indicating a private communication when such was not the case or vice versa.... These human errors were coupled with system errors that CSE had to pinpoint, delaying the review."
The Commissioner also found that "policies and procedures relating to the retention of private communications were not followed in some instances."

Reading these comments, you can almost feel the Commissioner's newly active hammer poised to strike again.

But no. The Commissioner has a surprise in store, and it's for us.

It turns out that not all private communications are really private communications!
"Based on the legal opinions I have received, and with which I agree, a communication containing nothing more than malicious code and/or an element of social engineering sent to a Government of Canada computer system or network in order to compromise it is not a private communication as defined by the Criminal Code. Accordingly, CSE may not need a ministerial authorization to intercept such communications during the course of performing part (b) of its mandate. Therefore, CSE may not need to report to the Minister the interception of such communications."
Whoa, that arrived like a drone strike from the blue.
"I therefore recommended that CSE reporting to the Minister on private communications unintentionally intercepted under ministerial authorizations should highlight the important differences between one-end-in-Canada e-mails intercepted under cyber defence operations and private communications intercepted under foreign signals intelligence activities, including the lower expectation of privacy attached to the private communications intercepted under cyber defence operations."
I guess I see the point here, especially in the case of one-end-in-Canada e-mails, with the Canadian end presumably being the intended victim in some government department. The Canadians involved are certainly likely to see such communications as unwanted and deserving of no special protections.

But what exactly is the legal principle here? And how far can it extend?

If some scammer phones me at home from some foreign-based boiler room, is that phone conversation no longer to be considered a private communication? What if it's a terrible deal he's offering, but nothing about it is technically illegal? Is someone going to assess the legality of what was offered before deciding whether the conversation is a private communication?

I'm sure no one is suggesting anything remotely like that.

But I do wonder how you operationalize such a distinction. Getting back to the IT Security question, what if the communication containing "an element of social engineering" takes the form of a phone call from someone purporting to be a public service colleague? Is that phone call not a private communication? What if a malicious link has been inserted into an e-mail that quotes an earlier e-mail containing actual content? Is that not a private communication?

The Commissioner's recommendation seems somewhat less radical than his discussion of this question. While the discussion asserts that some kinds of e-mails are not private communications at all, the recommendation still refers to them as private communications and suggests only that CSE "highlight the important differences" between such communications and the private communications intercepted during SIGINT operations when reporting them to the Minister. However, it does specifically assert a "lower expectation of privacy" for those e-mails, implying that a legal distinction may exist.

As I reported last year, "the total number of private communications used or retained by CSE in the course of cyber defence operations was between 1000 and 3996 in 2012-13, a number that dwarfs the 66 used or retained in the course of its foreign intelligence operations around the same time."

I can understand the Commissioner's motivation for wanting to put that larger number into some sort of context—and to emphasize what I would agree are the considerably greater privacy implications of the communications collected by the SIGINT program.

But does that really require calling the definition of private communication into question?


CNE approval process improved?

Back in September, I reported on the processes used by CSE to approve certain types of [redacted] operations, which I concluded were probably related to Computer Network Exploitation (CNE) activities.

According to CSE policy document OPS-3-1, for some kinds of operations the Chief "must consult with the Minister before approving any particularly sensitive [CNE?] operations or those that carry significant risk". Certain other kinds of operations, it stated, must be personally approved by the Minister, "if required due to sensitivity or significant risk", or by the Chief, "if appropriate".

The decision as to which operations required ministerial approval and which it was appropriate for the Chief to approve was apparently left to CSE, with little or no specific guidance provided.

What I didn't realize in September was that these policies were probably what the Commissioner was referring to in his 2013-14 report, which stated in its typically unilluminating way that the Commissioner had
"examined changes to CSEC operational policies relating to the conduct of the activities under foreign signals intelligence ministerial authorizations. To ensure proper accountability for certain sensitive activities, I recommended that CSEC promulgate detailed guidance regarding the additional approvals required for these particular activities."
This year's report provides an update on that recommendation: "CSE informed my office that it has improved policy in order to respond to my recommendation that CSE promulgate detailed guidance regarding additional approvals required for certain sensitive activities."

There you have it, folks: Policy has been improved.


C-51 and beyond

Back when the Harper government was truculently ignoring the legions of people calling for changes to Bill C-51, the CSE Commissioner was one of the many people ignored.

The Commissioner's 2014-15 report reiterates the gentle suggestion that the Commissioner made last March that "an explicit authority for the review bodies to cooperate and share operational information would strengthen review capacity and effectiveness, which is that much more critical in the context of increasing cooperation and sharing of information among and with intelligence and security agencies."

That March letter also repeated the Commissioners' long-standing call for clarifying amendments to the National Defence Act.

Nothing of course was done.

As the Liberals prepare to revamp C-51 and introduce other changes to intelligence and security oversight, let's hope that parliament pays more attention this time.

And speaking of hope, there has been a lot of speculation about, but very little authoritative explanation of, the implications of the new powers granted by C-51 for CSE's activities. I was rather hoping that the Commissioner, being our law guy on the inside, might be able to clarify some of that for us, but no such luck:
"As for the potential effect of this legislation on CSE, we cannot know at this time precisely how its measures will affect the work of CSE."
[Update 20 February 2016: Here's one example of how those powers may have changed. Warrants would still be required for more intrusive activities, but the range of that kind of activity has also presumably been expanded. Depending on how far "disruption" warrants may go, this could provide a basis for a wide range of CSE Computer Network Attack (CNA) activities.]

Transparency

There's a whole lot we cannot know in this business, but this latest report, 67 pages long, does continue the long-term trend towards greater transparency in reporting by CSE Commissioners, providing both more information and, in some cases, greater clarity and detail in the report's explanations.

As the Commissioner comments,
"Part of my role is to inform Parliament and Canadians about CSE’s activities, and I believe it is important to support my findings with as much explanation as possible, within the restrictions of the Security of Information Act. As an independent and external body, my office can challenge, and has challenged, CSE to justify why certain information needs to be considered classified. Indeed, last year I included statistics related to unintentionally intercepted private communications collected through CSE’s foreign signals intelligence activities; this year’s report contains more statistics. I see these as important steps in helping to demystify the work of CSE and contributing to better-informed public discussion."
The inclusion of these statistics does represent an important, albeit still small, step forward.

But we have a long way to go to catch up to our southern neighbour, whose NSA is CSE's closest ally. The U.S. Privacy and Civil Liberties Oversight Board (PCLOB) recently reported, for example, that NSA will soon be publicly reporting "the number of disseminated NSA intelligence reports that refer to a U.S. person identity and the number of U.S. person identities released by the NSA in response to requests for identities that were not referred to by name or title in the original reporting." They also plan to report "the number of metadata queries that use a U.S. person identifier, and also the number of U.S. person identifiers approved for content queries."

And then there's the highly detailed reporting that PCLOB itself has done on NSA policies and programs, notably its reports on "Section 215" and "Section 702" collection.

CSE certainly has secrets that it needs to keep, but the idea that it needs to be significantly more secretive than NSA is hard to accept. I wonder if CSE seriously tries to make that claim. Why can't we treat the U.S. level of openness as a floor below which there is no reason to sink in other than exceptional circumstances?

And let's not consider that floor a ceiling. Why can't we be the ones who set the example for openness once in a while?

A little more detail in some of the Commissioner's assessments of the record of his own office would also be useful.

In this year's report, the Commissioner noted that
"Since 1997, my predecessors and I have submitted 90 classified review reports to the Minister of National Defence who is responsible for CSE. In total, the reports contained 156 recommendations. CSE has accepted and implemented or is working to address 93 percent (145) of these recommendations, including all eight recommendations this year."
The report adds that CSE is still working on 15 of the recommendations, eight from this year and seven from earlier years, which indicates that 130 are considered implemented.

Judging from material recently obtained by the Globe and Mail through an Access to Information request, one of the recommendations still being implemented is the Commissioner's July 2013 recommendation that the Minister issue a new Ministerial Directive on information-sharing with the Second Parties, and that this directive be "informed by a risk assessment examining, in-depth, the potential impact of respective national differences in legal and policy authorities."

As of 18 December 2015, two and a half years after the recommendation was made, CSE had managed to produce a draft of the risk assessment.

What about the 11 recommendations rejected by CSE or otherwise not acted upon? Some were probably rendered moot by subsequent developments, but which ones? Some may have been withdrawn by the Commissioner, but which ones? Some are undoubtedly still considered relevant. Which ones? What do they recommend? How would the Commissioner rank them in terms of importance?

Are the Commissioners' long-standing recommendations for National Defence Act amendments counted among the 11 on which nothing has been done, or does the fact that the government once promised to act on them mean they are counted among the recommendations that CSE is "working on"? The new amendment recommendation is one of the eight from this year that the Commissioner counts as being worked on.

How many of the previously accepted recommendations had to be repeated before action was taken?

How many were accepted in full and how many only in part?

The report also notes that "CSE also took action on three of the five recommendations from my review of CSE’s 2012–2013 foreign signals intelligence ministerial authorizations."

Does this mean that two of the Commissioner's recommendations were rejected in that case or just that action is still pending? If the former, this single review was responsible for nearly 20% of all spiked recommendations to date. What's the story there?

Some poor drudge such as myself might be able to go through the 19 annual reports that CSE Commissioners have issued to date and come up with at least partial answers to some of these questions, but only the Commissioner's office has the information to answer them in any satisfactory manner.

Also, why doesn't the Commissioner's website list the classified reports on specific reviews that he submits to the Minister of National Defence during the course of the year as soon as they are submitted instead of waiting for the tabling of his annual report? (And if you're reading this, Commissioner Plouffe, would you please go back to listing the actual dates of those reports! Some of us care about that kind of information!)

An important part of the painful process of dragging information out of the government is submitting Access to Information requests for those classified reports. The material that eventually gets released is ridiculously redacted, of course, but there is still useful material in many of those documents. If the reports were listed as soon as they were submitted, Access requests could begin immediately instead of having to wait for the much later annual report to come out. This year (which, granted, is an extraordinary case), as much as 22 months might have been saved had the classified reports been listed right away.

The Access system does more than enough to prevent the release of timely information to the public; it doesn't need any assistance from the CSE Commissioner.

We could also use a lot more openness from CSE itself.

The Commissioner commented in the press release accompanying his annual report that "I have encouraged CSE to be more forthcoming in what it communicates to the public."

The agency's minister, Defence Minister Sajjan, appears to share this goal, stating in his own press release that "I have directed CSE to find new opportunities to communicate with the public more openly about their activities, while still protecting sensitive information as appropriate."

If the Minister is serious, he could start by ordering the agency to reinstate the degree of public reporting that existed prior to November 2011, when CSE became a stand-alone agency. If you want to move forward, it helps to stop going backwards.

The Interim Privacy Commissioner's 28 January 2014 recommendations that CSE "proactively disclose annual statistics on cases where it assists other federal agencies with requests for interception" and "produce a non-classified public report to be tabled in Parliament, as CSIS does, describing its ongoing activities and a summary of its risk assessments (violent extremism, organized crime, foreign corruption, etc.) and general policy priorities" would also be a great step, although I'm not sure that "risk assessments" as such are within the agency's purview, except in the IT Security domain.

Friday, February 12, 2016

January 2016 CSE staff size

2153, same as last month.

(If you click through on the link and get a different figure, it's probably because the Treasury Board has updated its website; they update the numbers once a month.)

Thursday, February 04, 2016

Even GCHQ does it


Source: Globe and Mail

David Omand was the Director of GCHQ from July 1996 to December 1997.

See also Even NSA does it.

Wednesday, February 03, 2016

2014-15 Annual Report: The watchdog shows his teeth

As I noted here, there is a lot of interesting news in the CSE Commissioner's 2014-15 Annual Report, which was finally made public on 28 January 2016. (The Commissioner's reports are normally tabled in the June to August timeframe; the previous record for tardiness was the 2003-04 report, which was released on 8 October 2004. It is evident that the Harper government did not want the information that was in the report to be available to Canadians during an election campaign.)

The big news in the report was that, for the first time, the CSE Commissioner was holding out the possibility that CSE might be found in non-compliance with the law. The final answer to that question was left open in the report itself, which stated that the Commissioner was still examining the legal implications of the issue. By the time the report was finally tabled, however, Commissioner Plouffe had completed his review of the issue and concluded that CSE had failed to exercise due diligence and thus had violated the law. (For further details, see here.)

I see this decision as a very positive development. As I argued here, it was beginning to look as though CSE Commissioners would never find CSE in breach of the law for anything—or at least nothing short of admitted, unrepentant, and on-going illegality of the most brazen kind.

The danger of always letting CSE off the hook in the kinds of cases that actually do come up was two-fold: First, Canadians might come to see the Commissioner's annual assurances as largely meaningless, undermining one of the primary purposes of having the office. Second, CSE might come to see prevention of compliance lapses as relatively unimportant, since problems subsequently identified could always be fixed at some later time without consequences. By demonstrating that consequences are possible, at least in cases where CSE failed to exercise due diligence, the agency has been reminded that legal compliance has to be first on its priorities list at all times: it can never be left as an afterthought.

[Update 6 February 2016: I should probably add here that the only consequence that CSE has suffered to date (as far as we know) is public shaming, which is all that CSE Commissioners have the power to do. Whether the government will actually hold anyone in the agency to account in any more concrete way remains to be seen. Andrew Mitrovica discusses the parallel question of accountability at CSIS here: "Ex-spy watchdog asks: Why isn’t CSIS coming clean on tax data breach?" iPolitics, 5 February 2016.

Update 11 February 2016: This Globe and Mail article did report that "Prosecutors decided not to lay charges after being assured by Mr. Plouffe it was unlikely that any Canadian identities were actually compromised." Ruling out criminal proceedings does not prevent other forms of disciplinary action that might be appropriate in this case, however. Will any such steps be taken?]

Another benefit of finally wielding the hammer of compliance judgement is that the level of attention paid to the Commissioner's recommendations at the political/ministerial level cannot fail to be dramatically elevated. Maybe now—finally—going on fifteen years after the mandate of the Communications Security Establishment was enacted into law, we will see action on the clarifying amendments that successive Commissioners have sought from the beginning. (More on potential amendments below.)

Last year I lamented the continuing failure of successive Commissioners to "pick up the hammer"; it's good to see a more Thor-like Commissioner in action.

There were also many other noteworthy items in this year's report.


Use and retention of private communications

The big news in the 2013-14 report was that the Commissioner had finally been permitted to specify the number of "private communications" (communications with at least one end in Canada) used in intelligence reports or retained by CSE for possible future use during the agency's Mandate A (foreign intelligence) operations. That year the number was 66; this year the number is a mere 16.

Sixteen is a very small number, and it is useful that the CSE Commissioner is able to report it.

But, as I noted last year, it does not represent anywhere near a complete accounting of the Canadian communications intercepted or otherwise acquired and examined by CSE during the course of the year. It does not include communications of Canadians that do not fall into the definition of private communications, such as calls involving Canadians in which neither communicant is physically in Canada at the time. It does not include private communications intercepted and forwarded to CSE by Canada's SIGINT allies. It does not include private communications obtained during CSE's Mandate B (cyber security) operations. (This year's report has some interesting comments on those intercepts, however.) It also does not include private communications obtained during CSE's Mandate C (support to federal law enforcement and security agencies) operations. Finally, most importantly, it does not include the much larger number of Canadian communications intercepted or otherwise acquired by CSE that ultimately are neither used nor retained by the agency, but are simply assessed and deleted. How much larger that number is (and the scale of the even larger number of communications that receive preliminary monitoring of some sort but are never sent to an analyst to be "recognized" as private communications because automatic filters decide that they are not likely to be of interest) has never been revealed.

This is not to say there's a secret program to monitor everything Canadians say and do hiding under that almost inconsequential-looking sixteen number. Just a reminder that it is far from the whole story.

A useful innovation discussed in this year's report is the series of "spot checks" that the Commissioner has begun conducting on the larger set of private communications intercepted during CSE's Mandate A operations. These reviews cover all private communications "intercepted and recognized", not just those used or retained—but only those intercepted by CSE itself under its Mandate A. This year's spot checks covered the periods of 1 April 2014 to 20 June 2014 and 1 September 2014 to 15 October 2014, which together comprise 126 days, or 34.5% of the year.

Unfortunately, the Commissioner doesn't tell us how many Canadian private communications were intercepted and recognized during these review periods. This limits the reassurance value of his report.

I suspect that he would have been quite happy to publish this number, which would provide at least some, albeit partial, basis for assessing the scale at which CSE examines Canadian communications. Most probably CSE refused to declassify the figure. Elsewhere in his report, the Commissioner works hard to emphasize that the Minister of National Defence and CSE itself are not allowed to censor his public reporting. This is true, and of very great importance. They can't, for example, prevent him from reporting that CSE failed to comply with the law. But by controlling the power of declassification, they can and do reduce much of the Commissioner's reporting to generalities and often incomprehensibility. This has been an on-going problem for CSE Commissioners.

To their credit, the Commissioners have been gradually increasing the amount of hard information they are able to report, and this year's report contains some valuable new numbers (see below)—which also serve as important evidence that 16 private communications is far from the whole truth of CSE's interactions with Canadians.


Disclosures of Canadian Identity Information

When CSE issues a report that refers to a Canadian individual/corporation/organization etc. in some way, it "suppresses" the information that identifies that Canadian, replacing it with an expression such as "a named Canadian". CSE's customers can request this Canadian Identity Information (CII), however, and CSE will provide it if it assesses that the request is appropriate. (The RCMP might wish to know the actual name or contact information of a Canadian planning to import large quantities of illegal drugs, for example.)

This year, the Commissioner was able, for the first time, to provide statistics on the number of requests for CII made by Government of Canada clients during a portion of the year under review.

According to the report, CSE received 710 requests from Canadian government clients over a six-month period, or about 3.9 requests per day, for CII related to its Mandate A and Mandate B reporting, with the number of actual identities requested being even greater (a single request can involve multiple identities). This suggests that probably something on the order of 1500 requests were made during the entire year.

Not reported, unfortunately, was the percentage of times suppressed CII was requested or the percentage of times CSE acceded to those requests and provided the information sought. The report does state that some requests were refused, however.

Thinking about this in a back-of-the-envelope kind of way, the "sweet spot" to shoot for, it seems to me, would be a low request rate (CII requests in no more than say 10% of cases and possibly much lower than that) in combination with a high (say 90-95%) approval rate. A high approval rate would be desirable (when combined with a low request rate) because it would suggest that CSE's clients understand the rules surrounding the information and request it only when it is reasonably clear that they need it. A less than 100% approval rate, on the other hand, would also be desirable as it would suggest that approval is not granted as a matter of routine but is actually considered on a case-by-case basis.

By contrast, a high request rate combined with a high approval rate would suggest that the suppression of Canadian Identity Information in the original reports is more pro forma than a real privacy protection measure. A low approval rate would suggest, on the other hand, that CSE's clients are consistently seeking information about Canadians for which they have no justifiable need and/or that CSE's rules for access are incomprehensible or arbitrary and that its clients have no clear idea what sorts of requests may be approved.

Perhaps the Commissioner can provide some data on request and approval rates in future reports to help Canadians judge these possibilities for themselves.

It would also be helpful to know a bit more about the approval system itself in order to draw firm conclusions about its usefulness. Is it little more than a series of check boxes on an electronic form asking the requester to affirm that the identity information sought is essential to a full understanding of the intelligence in question and that such intelligence falls within the mandate of the agency requesting it? Do refusals only happen when some clown can't be bothered to read the form carefully enough to check the right boxes? A high but not perfect approval rate under those circumstances would not be much to celebrate. It would be nice if we had some basis for judging between these possibilities.

Getting back to the data that the Commissioner did provide, an annual rate of 1500 or so requests for Canadian Identity Information—which could imply (and here I'm guessing wildly) a grand total of something like 15,000 reports containing CII—presents a considerably different picture than that evoked by the Commissioner's affirmation that only 16 private communications were featured in reports in the same general timeframe.

The two measures address different things, of course. As noted above, CSE has access to many more Canadian communications than just those that it intercepts itself during Mandate A operations. More importantly, many of the references to Canadian identities that appear in CSE's reports are likely to have originated in communications that did not themselves involve Canadians. A foreign diplomatic communication might report, for example, that "named Canadian corporation" produces a particular kind of widget that would be useful for that country's prohibited ballistic missile program and that it might be possible to acquire these items through a front company based in the Bahamas. Few people would object to CSE reporting on such a communication, or to CSIS or the RCMP requesting the actual name of the company in order to prevent illicit technology transfers.

Still, the possibility that many thousands of CSE reports refer to Canadians every year, and that in hundreds of those cases the identities and other related information concerning those Canadians is ultimately released to other government agencies, highlights the extent to which CSE's activities really do impinge on or overlap with the personal lives of Canadians.

The Commissioner also reported that an unspecified number of requests for Canadian Identity Information were made by Canada's SIGINT allies (U.S., U.K., Australia, and New Zealand) during the year—and that approximately half of those requests were denied.

Such a large percentage of denials would seem to indicate that CSE places a high priority on protecting Canadian privacy in such exchanges. However, as I suggested above, it might also indicate that the Second Parties have been seeking Canadian information for which they have no justifiable need and/or that they do not understand the rules that govern access to Canadian information. Either explanation is cause for some concern.

The Commissioner also recorded that "Six requests were made for disclosure of Canadian identity information to non-Five Eyes recipients. Five of these requests were made by a Government of Canada client and one was made by a Second Party partner. None were denied."

Since 2011, CSE has been obliged to conduct a "mistreatment risk assessment" before permitting the disclosure of Canadian identity information to non-Five Eyes recipients. I fervently hope but can't say I'm at all confident that this process is considerably more rigorous than the one that governs Canadian arms sales to countries such as Saudi Arabia. The Commissioner's report notes that he reviewed "some of the corresponding mistreatment risk assessments", but it doesn't say what he made of them.

One wonders why certain Five Eyes countries that have been known to conduct extra-judicial executions, cross-border kidnapping, detention without trial, and "enhanced interrogation" are not also subject to such assessments. One might even consider it a legal obligation to perform such due diligence under certain international conventions to which Canada is a party.


Another NDA amendment recommended

Another important bit of news in the 2014-15 report is that the Commissioner has added an additional item to his list of recommended amendments to the section of the National Defence Act that spells out CSE's mandate and powers.

Successive Commissioners have recommended that clarifying amendments be made to the NDA since shortly after the CSE-related sections were passed in 2001. The Commissioners have sought amendments related to the nature of the Ministerial Authorizations that govern the interception of private communications, the definition of the terms "intercept" and "interception", and other aspects of the law.

In 2007, the Harper government promised to proceed with amendments addressing these issues, but in fact it did nothing on any of them.

The Commissioner's new recommendation concerns the rules governing CSE's IT Security activities:
"The National Defence Act was modified by the Anti-Terrorism Act in 2001 to, among other things, legislate CSE as well as its activities. Regarding IT security ministerial authorizations, it was established that the Minister of National Defence could authorize CSE to intercept private communications for the sole purpose of protecting Government of Canada computer systems or networks from mischief, unauthorized use or interference, in the circumstances specified in paragraph 184(2)(c) of the Criminal Code.

"Subsection 184(1) of the Code establishes the offence of intercepting a private communication and subsection 184(2) sets out circumstances where the interception is not an offence. Paragraph 184(2)(c) applies to persons engaged in providing a telephone, telegraph or other communication service to the public who intercept private communications while providing the service.

"I believe subsection 273.65(3) of the National Defence Act does not accurately reflect CSE’s activities because CSE undertakes activities beyond those considered in ‘the circumstances specified in paragraph 184(2)(c) of the Criminal Code.’ I therefore recommended that subsection 273.65(3) of the National Defence Act be amended as soon as practicable to remove any ambiguities respecting CSE’s authority to conduct IT security activities that risk the interception of private communications."

According to the Commissioner's report, this new recommendation was also accepted by the Harper government, although we will never know how sincere that acceptance may have been.

More importantly, the current government's Minister of National Defence has announced his support for the recommendations in this year's report, including the recommendation to amend the NDA.

[Update 22 February 2016: Subsequent to the writing of this report, as noted in the press release that accompanied it, the Commissioner also recommended another amendment to the NDA, "to provide a clear framework for CSE's metadata activities." The release also states that "The Commissioner received a reply to his letter to the Minister of National Defence and the Attorney General of Canada and is pleased that they have accepted his recommendations related to metadata."]

If the government lives up to its commitments concerning these amendments—and takes the opportunity to enact the other recommended amendments as well—we may finally see the end of the legal interpretation issues concerning CSE's mandate that, in the words of one Commissioner, "have bedevilled this office since December 2001."

Because it's 2016, and about time.


Commissioner's mandate and privacy

And while we're on the subject of amendments to the NDA, let's talk about the CSE Commissioner's mandate to promote privacy.

Successive Commissioners have made privacy protection an important part of their activities, but as far as I can see the only basis for that in legislation is their mandate to assess compliance with the law, which enables them to assess compliance with, for example, the privacy protections provided to Canadians in the Charter of Rights and Freedoms.

The privacy protections that exist in law (to the extent that jurisprudence has made them clear) do provide a minimum level of protection—a floor—beneath which CSE must not be permitted to sink.

But it seems to me that Canadians could also benefit from having an active advocate for greater and continuously updated protections—a constant effort to raise the ceiling—so as to adapt to changing technology and circumstances.

Commissioners do seem to have tried to push the envelope on privacy questions. The current Commissioner describes his mandate as not only to assess compliance with the law, but also "to promote the development and effective application of satisfactory measures to protect the privacy of Canadians in all the operational activities CSE undertakes."

Wouldn't it be great if the government wrote this mission explicitly into the NDA when it proceeds with those other amendments?


CFIOG Cyber Support Detachments

On a totally different topic, one of the more interesting reviews conducted by the Commissioner during the past year was an examination of the SIGINT activities of the Canadian Forces Information Operations Group (CFIOG) Cyber Support Detachments.

These small military units, formerly known as SIGINT Support Elements, are located at major headquarters in Halifax, Victoria, Winnipeg, and presumably Ottawa.

"CFIOG Cyber Support Detachments act as the go-between to provide CSE reports on foreign signals intelligence to clients within the [Canadian Armed Forces (CAF)]. The CFIOG Cyber Support Detachments provide foreign signals intelligence support to select CAF commanders for a spectrum of activities, ranging from planning to direct support to combat operations. The Detachments are not involved in either the collection of foreign signals intelligence or the production of related reports; they primarily provide situational awareness to their respective intelligence and operational staff."

The Commissioner's review "concluded that the Cyber Support Detachment activities conducted under the authority of Part V.1 of the National Defence Act were in compliance with the law, ministerial direction, and CSE policies and procedures." No recommendations were made for changes in any CSD activities. Nothing too interesting there.

What was more interesting about the review was that it featured another challenge to the CSE Commissioner's authority to review what he sees fit:

"At the outset, my authority under the National Defence Act to review the CFIOG-controlled Cyber Support Detachments was questioned. After a six-month delay and many discussions between my office, CSE and the CAF, I exercised my authority and was provided direct access to Detachment staff and premises to ensure that their foreign signals intelligence activities conducted under Part V.1 of the National Defence Act complied with the law, ministerial direction, and CSE policy and procedures."

Now this is what I like to see!

Last year, it was CSE arguing that the Commissioner had no authority to examine the protection of information shared with the Second Parties; other years it has been other things. My question has always been, why doesn't the Commissioner just point to his powers under the National Defence Act and start kicking ass and taking names? It is written right into the NDA: he has the power to investigate anything he sees as relevant to his mandate.

This time, the report says, he "exercised [his] authority".

That may just be a dramatic way of saying he managed to negotiate permission to go in, but it sounds more like he swung the hammer around a little bit first.

More of this please!

Also of interest: the Commissioner's report notes that the SIGINT reports accessed by the CSDs "may contain Canadian identity information that has been suppressed, that is, replaced by a generic reference such as ‘a named Canadian.’ In the event that there would be a request for the disclosure of suppressed information, the Detachments would follow an established process and pass the request to CSE for action. To date, however, there has never been a request for the disclosure of suppressed Canadian identity information [through the CSDs]."

At least somebody's minding their own business!

But it does leave me wondering how the SIGINT system's support to search and rescue operations fits in. SIGINT radio direction-finding stations are often used to help pinpoint the location of aircraft and ships in distress and to relay information about the occupants to the Rescue Coordination Centre.

Does such information not pass through the CSDs?

Maybe it's just that identity information is not suppressed in the first place in emergency situations where it may be necessary to help save lives, so the question of requesting its disclosure under such circumstances doesn't arise.


There is more to discuss in the 2014-15 report, but that's all I'm going to write about for now. More to come in a later installment!

In the meantime, as a partial antidote to all the rosiness in the comments above, be sure to read Wesley Wark's commentary on the CSE Commissioner and SIRC: "Canada’s spy watchdogs: Good, but not good enough," Globe and Mail, 1 February 2016.