Tuesday, August 09, 2016

2015-16 OCSEC report: News from the salvage operation

The 2015-2016 annual report of the Office of the CSE Commissioner (OCSEC), CSE's watchdog agency, was tabled in parliament on July 20th, whereupon it immediately sank without a trace. To the best of my knowledge, not a single news article has been published touching on any aspect of the report. [Until now.] (There was at least one commentary, however.) Not even Lloyd's List reported on the document when it went down.

It is perhaps not surprising that the report caused not a ripple. Last year's effort, tabled just six months earlier, was accompanied by a first-of-its-kind declaration that CSE had violated Canadian law. This year's report has no comparable James Cameron-class shocker: "This past year, all of the CSE activities reviewed complied with the law" (page 16).

Still, there's plenty of Glomar-worthy material in the wreck if you're willing to undertake the deep dive to recover it.

Join me as we watch the watchers' watchers and try to salvage some click-worthy items from this year's OCSEC report.

Spying on Canadians rose 4400%

I for one would click on a headline like that.

According to this year's report, CSE's foreign intelligence, or Mandate A, program used or retained as potentially useful 342 "private communications"—communications with at least one end in Canada—that were intercepted by CSE under ministerial authorization during the 2014-2015 authorization period (page 31).

As I discussed last year, this number is only the tip of the much larger iceberg that comprises Canadian communications processed by CSE, but it is an important statistic nonetheless. And this year what it shows is a dramatic increase in the number of private communications being used or retained by the Mandate A program.

Last year, the Commissioner reported that only 16 PCs had been used or retained at the end of the 2013-2014 authorization period, and this year he adjusted that figure without explanation to just 13 PCs. Maybe three of the retained PCs were subsequently deleted, maybe there was a change in the counting rules, maybe there is some other explanation that the Commissioner was unable to provide, or maybe I'm just missing something.

In any case, 342 is 26 times larger than 13.

And the change in the rate of PC use or retention was even greater, as the 2014-2015 authorization period was abnormally short, only seven months long. (This is discussed further below.) The rate at which the CSE Mandate A program used or retained Canadian communications that had been intercepted by CSE was 45 times as high in the 2014-15 authorization period as it was in 2013-2014 period. That's right, forty-five times.

Now, you might think the Commissioner would offer an explanation for such a dramatic change in one of the few statistical measures that OSCEC reports provide, and—mirabile dictu—he does. In a manner of speaking.
[The increase] was a consequence of the technical characteristics of a particular communications technology and of the manner in which private communications are counted. (page 33)
Now all we need is an explanation of the explanation.

My guess, and it's just a guess, is that this refers to something like SMS texting or a Facebook chat, in which each part of an extended conversation might be counted as a separate message.

If this is correct, then the dramatic rise in the number of private communications used or retained in 2014-2015 may have resulted from a relatively small number of conversations between just a few individuals. The overall number of Canadians whose communications were used or retained may not have increased at all.

An explanation along these lines might in turn explain the striking lack of concern with which the Commissioner greets what at first glance would appear to be a huge jump in the monitoring of Canadians.

But all this is just guesswork. Those of a less Pollyannish bent might make other guesses.

Nowhere does the Commissioner explicitly say there's nothing to be concerned about, and if that's how he actually feels about it, it would have been helpful if he had let his readers know.

This simple trick cut Ministerial Authorization periods by 42%

Another fact that surfaces only when you raise and reassemble portions of the text is that the five Ministerial Authorizations (MAs) that enable CSE to lawfully intercept private communications, which normally run for one full year apiece and which in recent years have extended from December 1st of one year until November 30th of the following, were cut short last year. Instead of lasting twelve full months, they were all replaced after seven, on June 30th, 2015 (see pages 30 and 34).

No explanation is provided for this change.

It is conceivable that Jason Kenney, who became Defence Minister on February 9th of that year, had his own ideas about the MA regime and didn't want to wait 10 months to introduce them, especially with an election looming. Another possibility is they were rewritten to accommodate new activities authorized by Bill C-51, which received Royal Assent on June 18th.

What the actual explanation may be I have no idea.

Our allies promised not to target Canadians and you'll never guess what happened next

We are often told that the Five Eyes partners do not target one another's citizens. Compared to the way other countries' citizens are treated, this appears to be largely true. But exceptions certainly occur.

In recent years, the CSE Commissioner has acknowledged that our Second Party partners do sometimes target Canadians, in "exceptional circumstances". This year he put it this way (page 19):
The cooperative agreements that exist between the five eyes partners include a commitment to respect the privacy of each nation’s citizens and to act in a manner consistent with each nation’s policies relating to privacy. Nevertheless, it is recognized that each of the partners is an agency of a sovereign nation that may, in exceptional circumstances, derogate from the agreements if it is judged necessary for their respective national interests. In such exceptional circumstances, one of CSE’s partners may acquire and report on information about a Canadian or a person in Canada.
So, OK, fair enough. Exceptional circumstances. Ticking nuclear bombs, national emergencies. Who could really expect otherwise?

But how widely do those national interests extend? I recall speculating a few years ago that
If, for example, the U.S. were to decide that its national interests required it to check into the possibility that would-be terrorists are plotting against the U.S. from inside Canada, we might very well expect them to go ahead and do exactly that. (But of course what are the chances that they would decide that?)
We now have an answer.

The Commissioner goes on to say:
A partner may report on Canadians located outside of Canada who are known to be engaging in or supporting terrorist activities, for example, a report about a known Canadian “foreign fighter” that may be planning to return to Canada or to attack Canadians.
For example.

Let's be clear here. I have no problem with the monitoring of people who are engaged in terrorist activities (assuming due process is followed), but according to CSIS there are some 180 individuals "with a nexus to Canada" who are engaged in terrorist activity abroad.

This is starting to sound a lot more routine than exceptional.

And there's more:
When a partner does undertake an activity relating to a Canadian, the partner may acquire information that, in addition to meeting its own national security requirements, relates to the security of Canada and, as such, may be provided to the Canadian Security Intelligence Service (CSIS) in support of its mandate to investigate and advise government on threats to the security of Canada.

Prior to February 2015, the process to provide this kind of reporting to CSIS was manual and did not involve CSE. To help address the evolving terrorist threat and the increase in the number of foreign fighters, CSIS required a more timely mechanism to securely exchange information. To this end, CSIS requested CSE assistance under part (c) of CSE’s mandate (paragraph 273.64(1)(c) of the National Defence Act (NDA)), to establish a mechanism for CSIS to receive and handle these reports via CSE’s established channels. ...

The Commissioner found that CSE’s activities to transmit these reports to CSIS were conducted in accordance with the law and with ministerial direction relating to the protection of the privacy of Canadians.
So we've gone from "naw, doesn't happen" to "oh, well, sure, but only in exceptional circumstances" to "pretty much all the time" to "we had to formalize the exchange of all this stuff to ensure its regular and timely delivery".

But terrorists, right?

Or, maybe, as former Solicitor General Wayne Easter said in 2013, “terrorism, crime or sex offenders.”

That crime bit covers a pretty wide range of exceptions.

It's worth noting that all of this is separate from Canada's own ability to monitor such persons, based on judicial warrants granted to CSIS or the RCMP, which, aside from those agencies' own capabilities, includes CSE's worldwide intercept capabilities, CSE's ability to use Second Party intercept facilities by supplying Canadian "identifiers" to those systems, and the government's ability, acting through CSE, to request that the Second Parties themselves monitor specific Canadian targets using capabilities that may not be available for direct Canadian use.

Canada's ability to enlist Second Party systems suffered a setback in November 2013 when the process for Domestic Intercept of Foreign Telecommunications and Search (DIFTS) warrants took an unexpected torpedo amidships.

But everything appears to be back to smooth sailing in that regard. The Commissioner is currently planning to conduct "a follow-up review of CSE assistance to the Canadian Security Intelligence Service (CSIS)... relating to the interception of the telecommunications of specified Canadians located outside Canada (formerly called Domestic Intercept of Foreign Telecommunications and Search warrants)." (page 52)

This little-known legal case caused CSE to suspend more metadata activities

OCSEC continues to work its way through a sweeping, multi-year review of CSE's metadata activities. This year the Commissioner finished his examination of "specific foreign signals intelligence metadata activities that were set aside during the first part of the review in order to fully investigate incidents relating to CSE’s failure to minimize Canadian identity information in certain metadata it shared with its second party partners" (i.e., the omnishambles that earned CSE its first declaration of legal non-compliance and led to the ongoing suspension of a wide range of metadata sharing with the Second Parties).

One set of activities examined by the Commissioner (see page 24), which were conducted by CSE's Office of Counter Terrorism, sparked a number of concerns. These included "guidance on a specific metadata activity that involves Canadian identity information remains vague and should be clarified", "a small number of the activities raised questions about CSE authorities", and "the Commissioner noted inconsistencies in CSE documentation and record-keeping practices".

No recommendations resulted from these "issues and irregularities", however,
because, subsequent to the period under review, CSE suspended indefinitely these particular metadata analysis activities in response to case law developments (Canadian Security Intelligence Service Act (Re), 2012 FC 1437, relating to the application of “directed at”)." It is positive to observe that CSE followed and modified its practices to address related jurisprudence. Prior to its decision to suspend these activities, CSE did not meet its commitment to address a recommendation the Commissioner made in a February 2014 review of the activities of the Office of Counter Terrorism (OCT) to amend relevant policy to reflect current practices and to enhance record keeping. However, this can be explained by the short period of time between the OCT review and the suspension of the activities. As long as the suspension remains in effect, the Commissioner does not expect CSE to implement the recommendation.
A couple of things are worth noting here. As the Commissioner says, it is certainly good to see CSE modifying its practices to respond to relevant jurisprudence.

It is less good to see that the suspension apparently took place sometime after February 2014, i.e., at least 15 months after Madam Justice Mactavish's ruling. Does the Commissioner have a view on the legality of CSE's conduct during the period between December 2012 and the suspension of the activities? Are we back to this model?

Also, how is it that these activities—possibly contact chaining involving Canadian identifiers—were the subject of an OCSEC recommendation back in February 2014, but that recommendation was simply to "amend relevant policy to reflect current practices and to enhance record keeping" and not to suspend the activities in response to the December 2012 ruling? Doesn't OCSEC follow and respond to related jurisprudence as well?

In last year's report, the Commissioner commented that "the Canadian legal landscape has... changed since my office last conducted an in-depth review of CSE’s collection and use of metadata". The Supreme Court's Wakeling and Spencer cases were specifically cited in this regard, but the Commissioner gave no indication of what implications, if any, he believed those and other rulings might have for CSE's activities.

The topic of the Mactavish ruling is worth a closer look. CSIS wanted to monitor the communications of one or more Canadian individuals or entities during an operation to collect foreign intelligence in Canada in accordance with s.16 of the CSIS Act. The agency argued that the Canadian communications could be directly (not just incidentally) collected despite an explicit ban on directing s.16 operations at Canadians since the operation would in fact be directed at gathering intelligence about a foreign target. The court rejected CSIS's view.

What makes this ruling especially relevant for CSE is that CSE's mandate, spelled out in the National Defence Act, dictates that the agency's foreign intelligence and cyber defence activities "shall not be directed at Canadians or any person in Canada"; CSE is permitted to intercept private communications in the course of foreign intelligence collection if a suitable Ministerial Authorization is in place, but such operations must be "directed at foreign entities located outside Canada". The meaning of the phrase "directed at" is thus fundamental to the relationship between CSE and Canadians.

That CSE suspended certain activities of the Office of Counter Terrorism in the wake of the Mactavish ruling suggests that the agency may have been directing some of its foreign intelligence activities a little too directly at its compatriots.

On a separate issue, the Commissioner also reported (pages 24-25) that he had recommended that CSE "issue written guidance to formalize and strengthen existing practices for addressing potential privacy concerns with second party partners" and, further, that the agency had subsequently "issued guidance to operational employees to address cases where the privacy of Canadians may be at risk."

One hopes this guidance is more than just "transfer the information to CSIS forthwith."

This named Canadian could be you

When a CSE report mentions a Canadian individual, corporation, or other organization, specific identifying information (name, phone number, etc.) is normally "suppressed" and replaced with a generic reference such as "a named Canadian". SIGINT clients reading the report can subsequently request the suppressed information from CSE, and if the department or agency has a suitable mandate and operational justification, CSE will provide it (without any warrant, as far as I can tell).

This year for the first time the Commissioner reported the total number of requests made by Government of Canada clients for Canadian identity information over the course of one year (1 July 2014–30 June 2015). That number was 1,126 (page 40), or about three requests per day, a total that may or may not be down slightly from the previous year.

How many of those requests were approved was not reported. CSE does sometimes deny requests for identity information, but no data has been provided as to how often this occurs; my impression is that the percentage approved is very high.

In some ways, the number of Canadian identity requests made may be more revealing of the degree to which Canadians are monitored in the course of CSE's operations than the 342 PCs number noted above. But it is far from an ideal measure. It shows only the number of requests that were made, not the total number of suppressed Canadian identities that appeared in CSE reporting during the year. (That number might be in the tens of thousands if identity requests are made in something like 10% of cases; if identity requests are made in more like 80 or 90 percent of cases, on the other hand, the practice of suppressing identities would seem to be largely a sham.) The figure also excludes both those Canadians who appear in Second Party reports made available to Canadian government clients through CSE and those who appear in intercepts or other information provided by CSE to CSIS and the RCMP under CSE's Mandate C.

It also needs to be noted, as the report itself states, that the number of identity requests is not the same as the number of individual identities requested:
the number of requests represent[s] the number of instances that institutions or partners submitted separate requests for disclosure of identity information suppressed in reports, providing a unique operational justification in each case. One request may involve multiple Canadian identities, and one Canadian identity may be disclosed multiple times to different institutions or partners.
In addition to reporting the number of identity requests by Canadian clients, the OCSEC report also provided for the first time the number of Canadian identity requests made to CSE by Canada's Five Eyes partners (111) and the number made for "disclosure to non-five eyes entities" (six: five made by a government of Canada client and one—which was denied—made by a Five Eyes partner). The approval rate for the 111 partner requests was not provided, but last year's report, which did not provide a request number, stated that partner requests "resulted in roughly an equal number of denials and disclosures of Canadian identity information".

Data recently released in the U.S. about NSA collection under the FAA Section 702 program (just one part of overall NSA collection) provides a potentially useful point of comparison: "In 2015, NSA disseminated 4,290 FAA Section 702 intelligence reports that included U.S. person information. Of those 4,290 reports, the U.S. person information was masked [equivalent to suppressed] in 3,168 reports and unmasked in 1,122 reports." Some of the reports with masked identities probably contained more than one masked identity, so the total number of masked identities was probably closer to 5,000, or maybe even 10,000. (The same individual might turn up in more than one report, however, so the total number of separate identities was probably considerably lower than that.)

The U.S. data also reported that "654 U.S. person identities" were unmasked in response to requests related to these reports. This suggests that something like ten percent of masked identities were ultimately unmasked in U.S. reporting, at least with respect to the 702 program.

If the NSA can publish the number of masked U.S. identities that are later revealed in response to its reporting, albeit for just one program, I see no reason why CSE cannot release comparable information for the number of minimized Canadian identities ultimately revealed. Similarly, although the U.S. data doesn't give the exact percentage of masked identities that are ultimately revealed, I see no reason why CSE couldn't release that information, and the percentage of requests that are approved, as well.

Such information would reveal a great deal to the public about the effectiveness of the measures that exist to protect their privacy while providing little or nothing of use to SIGINT targets seeking to evade CSE monitoring. What is CSE hiding, and from whom is it hiding it, when it won't show us this data?

The CSE Commissioner should insist on reporting this kind of information. And if CSE refuses to allow it, the Commissioner should indicate that parts of his report have been censored. (And, yes, in this respect the power of classification/declassification is indeed a censorship power.)

At least, that's my view.

There's more stuff worth examining in the Commissioner's 2015-2016 report, but that's it for this blog post. I'll report on my follow-up expedition in a future post.

Update 24 August 2016:

The Commissioner's report gets some news coverage:

Ian MacLeod, "Federal spies suddenly intercepting 26 times more Canadian phone calls and communications," National Post, 24 August 2016.

Update 25 August 2016:

And a very similar article:

Rachel Browne, "Canada’s Spy Agency Now Intercepting Private Messages 26 Times More Than Previously," Vice News, 25 August 2016.

...And another one:

Ian Allen, "Did domestic snooping by Canadian spy agency increase 26-fold in a year?" IntelNews, 25 August 2016.

Gotta love this line: "According to the CSE commissioner’s report for 2015, which was released in July, but was only recently made available to the media..." So that's what happened!