CSE and Bill C-59 overview
My first two posts on the contents of Bill C-59 covered the proposal to give CSE a new foreign cyber operations mandate and the proposal to replace CSE's current watchdog, the CSE Commissioner, with two new institutions, the National Security and Intelligence Review Agency (NSIRA) and the Intelligence Commissioner. These are the most important changes proposed for CSE, but the bill also contains a number of other important measures that deserve comment. I'll try to cover the key remaining points in this post.
But first a brief acknowledgement: I was fortunate to take part in a great discussion of the bill at the Citizen Lab Summer Institute in July and I'm indebted to the other participants in that session for the many helpful insights they provided, which I've tried to draw on to inform the following comments. Misinterpretations are of course still my own.
[Update 18 December 2017: See the Citizen Lab/CIPPIC analysis of the CSE-related elements of C-59, which I played a small part in writing, here.]
An all-new CSE Act
The first point to make about the bill is that it proposes to entirely replace the existing statutory basis for the agency, Part V.1 of the National Defence Act (NDA), with a new Communications Security Establishment Act.
Part V.1 was enacted in 2001 as part of the omnibus Bill C-36 that was thrown together in three weeks by the Department of Justice and quickly passed in parliament in the wake of the 9/11 attacks.
The CSE-related provisions of the NDA have been widely criticized in the years since on grounds ranging from the absence of definitions for many key terms to the ambiguity of the provisions related to Ministerial Authorizations and their possible incompatibility with the Charter of Rights and Freedoms. In the decade leading up to the introduction of C-59, CSE Commissioners called for a growing list of amendments to the NDA to address some of these questions. (The final list is nicely summarized here.) In discussing the need for amendments, Commissioner Jean-Pierre Plouffe specifically noted that "Part V.1 of the National Defence Act was drafted and enacted quickly in 2001," suggesting that sober second thoughts were only to be expected.
Claude Bisson, the first CSE Commissioner, had a slightly different perspective on this question. In his 2001-02 report, Commissioner Bisson assured readers that, “Despite concerns expressed about the haste with which the [Bill C-36] legislation was drafted and debated, I know with certainty that those parts of the legislation that deal with CSE and the CSE Commissioner benefited from years of discussion within government long before September 11.” Legislation to provide a statutory basis for CSE and to permit the agency to incidentally collect private communications had indeed long been under consideration, and it is likely that most of what was eventually bundled into C-36 pertaining to CSE already existed in some form of draft. But none of that material had been subjected to careful legislative and public consideration, and Bisson too believed that aspects of the legislation needed improvement.
So let's have a look at some of the changes that are now being proposed.
Definitions
Section 2 of the CSE Act contains definitions of terms, most of which are the same as those in the existing law. One interesting change is in the definition of Global Information Infrastructure, which is almost identical to the earlier version, but will now include not just communications and IT systems, but also "any equipment producing [electromagnetic] emissions". Is this meant to cover the collection of information leaked by information systems through power lines and other unintended routes? There does seem to be some interest in "close access" operations — the physical planting of hardware or software devices to facilitate local collection — reflected in this bill (as discussed further below), so this addition may be part of that development. Or maybe it means something completely different. But I have to think it was added for some reason.
Also added are definitions of "publicly available information" and "unselected" information, the latter referring to information collected in bulk rather than specifically singled out because it corresponds to a particular "selector" such as an e-mail address or a phone number.
Not defined, however, were a number of terms that CSE Commissioners had explicitly recommended be defined in legislation, including "acquire", "intercept", "interception", and "metadata". In the case of metadata, CSE argues — I think correctly — that the provisions of the CSE Act that address the collection of information in general are sufficient to capture current and future forms of metadata, making a formal definition unnecessary (although probably still needed in the Ministerial Directive on the topic).
But it would have been useful to have definitions of the other terms. As Commissioner Plouffe commented, "These terms are of operational significance to CSE foreign signals intelligence and cyber defence activities and of significance to the Commissioner’s mandate to determine whether CSE complies with the law." They will remain of significance to that task even after NSIRA takes it over.
Also useful, in my view, would have been a definition of the term "directed at", which is fundamental to both the existing and the proposed limitations on CSE operations with respect to persons in Canada and Canadians anywhere. Subsection 23(1) of the new act specifies that "Activities carried out by the Establishment in furtherance of the foreign intelligence, cybersecurity and information assurance, defensive cyber operations or active cyber operations aspects of its mandate must not be directed at a Canadian or at any person in Canada" (emphasis added). In 2012 the Federal Court rejected the interpretation of "directed at" that CSIS and its lawyers put forward in a case involving CSIS activities, and in 2014 CSE suspended certain unspecified activities of its own in response to that ruling. It would appear, therefore, that even if the broad outlines of its meaning are clear, key details are still a bit fuzzy — even to insiders.
But, hey, what the heck, it's only the most important provision in the act.
New minister for CSE?
CSE has been part of the defence portfolio since 1975. But, as in the CSE section of the National Defence Act, the CSE Act would contain an explicit procedure for transferring this responsibility to a different minister. Section 4 of the act would empower the Governor in Council to designate a new minister at any time, without having to amend the legislation.
I have some sympathy for the idea of transferring the agency. CSE's current master, the Minister of National Defence, has a huge, complicated, and highly demanding portfolio, and it is evident that, no matter how capable they may be, few Defence Ministers have the time to truly master the intricacies of CSE's issues. It may be that CSE prefers it that way — less chance of the minister going walkabout and all that — but there is much to be said for giving the job to someone with the time to apply some actual, substantive attention to the job of being in charge.
But which minister should get the job? The Department of External, er, Foreign, er, Global Affairs more or less ran Canadian SIGINT policy in the days of yore, and Britain's Foreign and Commonwealth Office is still nominally in charge of GCHQ, but CSE's growing roles in cybersecurity, support to domestic law enforcement, and, soon, computer network attack make the foreign ministry a less than perfect fit these days. Giving the job to the Foreign Affairs Minister would also mess up the CSE Act's provisions for authorizing foreign cyber operations (sections 30 and 31, which lay out a separate role for the Foreign Affairs Minister) and thus necessitate a formal amendment after all, so it's doubtful the government would want to go down that road.
Public Safety might be a better fit, but that portfolio arguably is also already too large and complicated. And Public Safety is heavily focused on domestic security, while CSE's remit is much wider.
When you come right down to it, leaving the agency inside the defence portfolio might make the most sense if CSE and the Canadian Forces are increasingly going to be working together on cyber operations anyway. But what to do about the overloaded minister? In its latter days the Harper government experimented with sharing some of Defence Minister Jason Kenney's CSE-related duties with Associate Defence Minister Julian Fantino, although they never handed full responsibility for the agency to Fantino. Formally assigning it to the Associate Defence Minister might be a workable solution.
Establishment established
Section 5. No big point to make here. I just enjoy marveling at the recursive nature of this section.
It's raining mandates
OK, back to business. As readers of this blog should know by now, CSE currently has a three-part mandate, usually referred to as Mandates A, B, and C. Section 16 of the CSE Act would crank that up to a five-part mandate, with no handy letter designations. The five mandates proposed are foreign intelligence (essentially Mandate A), cybersecurity and information assurance (essentially Mandate B), defensive cyber operations (new), active cyber operations (also new), and technical and operational assistance (essentially Mandate C).
These five mandates are spelled out in the five succeeding sections of the act, 17 to 21, so until someone comes up with something better, I guess I'll just refer to them by their section numbers.
Mandate 17: SIGINT
Mandate 17 is CSE's flagship mandate, the acquisition of foreign intelligence through signals intelligence activities, including computer network exploitation activities. Unlike Mandate A, however, the proposed Mandate 17 appears to be expansive enough to permit the use of human agents to modify software, implant physical devices, or otherwise assist in the collection of foreign intelligence.
(Indeed, I'm not sure what would prevent CSE from developing an entire human intelligence (HUMINT) arm of the agency under this mandate if the government were to choose someday to go that way, other than perhaps CSE's designation in s.16 as Canada's "national signals intelligence agency for foreign intelligence" and the fact that the Intelligence Commissioner would have to approve the relevant Foreign Intelligence Authorizations. Maybe that would be enough.)
But I don't think the purpose of that permissive wording is to enable the creation of a HUMINT agency as such. Instead, it is almost certainly to allow for HUMINT assistance to SIGINT activities, such as the conduct of "close access" operations, where physical access to the equipment or location to be monitored is necessary. Canada and New Zealand are the only Five Eyes countries without a dedicated foreign intelligence HUMINT agency that can help out with such activities outside of the country, and that absence has not gone unnoticed. In 2007, Bob Brûlé, CSE's former Deputy Chief, SIGINT Operations, told the Standing Senate Committee on National Security and Defence that "organizations such as the CSE desperately require a foreign intelligence service for them to continue to be successful in the future. From a purely selfish point of view, some decision that the government could make to move forward would be of benefit to technical organizations such as the CSE."
As effective encryption spreads, it may well be that the future of SIGINT lies increasingly in "end point" operations and other activities designed to cripple or bypass that encryption, and some of those activities could certainly benefit from HUMINT assistance. But there are also pitfalls to that approach. Using on-the-scene people in foreign jurisdictions can mean putting individuals at extreme risk, and such operations also have increased potential to go wrong in ways that could expose Canada to extreme embarrassment and even retaliation. If the government is contemplating going down that road, it should probably be open with parliament and the public about its intentions.
Informed consent. Because it's 2017.
Mandate 18: Cybersecurity
Mandate 18, the proposed cybersecurity mandate, is much like CSE's existing Mandate B. But it would also enable the agency to provide protective services to "electronic information and information infrastructures designated... as being of importance to the Government of Canada," as long as CSE receives a prior written request from the owner or operator. Under Mandate B, all services that require a Ministerial Authorization (anything that might involve the interception of a private communication) are limited to the Government of Canada's own systems and networks. The new mandate would open the door to CSE protection of critical infrastructures such as major communications networks and the national electricity grid. Canadian political parties might also qualify. CSE's report on cyber threats to the Canadian electoral system, released just four days before C-59 was introduced in parliament, carefully avoided the what-to-do-about-it question. But it did tee it up nicely for the arrival of the bill. You might almost think someone timed it that way.
Another aspect worth noting here: If a communications company like Bell or Telus does request CSE's help and a Cybersecurity Authorization is subsequently approved, that would make it legal for CSE to intercept any or all of the private communications carried on that network. No judicial warrant would be required. There would, however, be limitations on how information thus acquired could be used: subsection 35(3)(d) requires that privacy measures be in place that "will ensure that information acquired under the authorization that is identified as relating to a Canadian or a person in Canada will be used, analysed or retained only if the information is essential to identify, isolate, prevent or mitigate harm to... electronic information or information infrastructures designated... as being of importance to the Government of Canada".
That said, it's not entirely clear (at least to me) that this provision would prevent all non-cybersecurity uses of the information so collected. Let's suppose that full-take collection of every digital communication that passes through Bell Canada's network is determined to be essential in order to identify malicious activities that might harm that network. That determination would permit everything thus collected to be "used, analysed or retained". But what if analysis of that material turned up information useful for foreign intelligence, security intelligence, or criminal intelligence purposes? Could that information then be disclosed to CSE's intelligence customers? I'm pretty sure that the intent of s.35(3)(d) is to rule out those other uses, but I'm not sure that the actual wording is as absolute as that.
The oversight and review provisions in the bill would provide at least some protection against abuse, of course. Like Foreign Intelligence Authorizations, Cybersecurity Authorizations would require not only the Minister's signature but the approval of the Intelligence Commissioner.
In fact, it looks like each separate critical infrastructure system that CSE was ordered to protect would require its own authorization, so overseeing cybersecurity might end up being the largest part of the Commissioner's CSE-related work. (See this post for more on the Intelligence Commissioner and other aspects of the proposed oversight/review system.)
Mandates 19 & 20: Cyber operations
Mandates 19 and 20 would cover defensive and "active" cyber operations, respectively, i.e., computer network attack (CNA) operations for both defensive and offensive purposes. Such operations, which would constitute an entirely new aspect of CSE's activities, are discussed in this post, so I won't repeat all that here.
Mandate 21: Technical and operational assistance
Mandate 21, the proposed operational and technical assistance mandate, would be much the same as part three of CSE's existing mandate, Mandate C. But again, there's a tweak: Explicit authority to assist the Canadian Forces and the Department of National Defence would be added.
CSE has provided significant Support to Military Operations (primarily through Mandate A) throughout its history, and it has also occasionally provided Support to Lawful Access to the CF/DND, presumably in support of their activities as a federal law enforcement and security agency.
So if all that is already possible, why add this explicit mention? I'm guessing it's to remove any doubt about CSE's ability to assist the CF/DND in the military's own offensive cyber operations. Unlike CSE's cyber operations, the CF will get to cyberkill people as well as cyberbreak things. Maybe the government's lawyers are unsure whether the military can be considered a law enforcement or security agency when conducting military operations subject to the laws of war, or maybe they want to make it clear that CSE employees helping to carry out combat operations are doing so lawfully. The latter aspect is spelled out in greater detail in subsection 26(2).
Information about Canadians
As mentioned earlier, section 23 would require that CSE's activities under Mandates 17 to 20 (but not Mandate 21) "not be directed at a Canadian or any person in Canada". This section would also require that CNA operations "not be directed at any portion of the global information infrastructure that is in Canada."
However, section 24 spells out a number of activities that would be exceptions to those rules, the most notable being a blanket authorization to acquire, use, analyse, retain, or disclose publicly available information.
Publicly available information is defined in section 4 as "information that has been published or broadcast for public consumption, is accessible to the public on the global information infrastructure or otherwise or is available to the public on request, by subscription or by purchase." Whether that includes information that was obtained illegally and then posted on the Internet or made available for sale on the Dark Web is unclear. What it certainly does include, however, is everything that people post on public social media forums. Back in June I had a chance to ask CSE whether it could, for example, collect everything posted by everyone on Twitter under this provision, including everything that was posted by Canadians, if it decided that that would be useful. The response was, yes, it would be possible, but the agency denied that such collection was their goal, and they added that it probably would not be considered reasonable or necessary by CSE's review agency.
Be that as it may, it is clear that vast amounts of data about people's consumer choices, political and social views, religious affiliations, credit history, medical status, photographic collections, and Internet habits are either freely available or legally collected by Internet companies and commercial data brokers and potentially made available for sale. That the collection and use of such data would not be limited by CSE's usual prohibition on directing its activities at Canadians opens the door, at least in theory, to the creation of government databases containing extensive, deeply personal information on Canadians, especially when combined with information collected by other government departments, such as Revenue Canada, and information collected incidentally or otherwise by CSE's SIGINT and cybersecurity programs. How much of that sort of activity might be considered reasonable or necessary is difficult for an outside observer to predict.
The actual purpose of the provision is probably much more limited, to add social information to metadata analyses, provide collateral information for analyses of communications intercepts, enable more precise targeting of SIGINT collection (including de-targeting of individuals determined to be Canadians), and so on. But it would be nice to see some further delimitation of what could possibly pass through this rather large and ill-defined doorway.
Another interesting element is subsection 24(2), which permits the analysis of information for the purpose of providing advice pursuant to the Investment Canada Act. Presumably this would be in aid of government assessments of the potential national security consequences of foreign investments in Canadian companies. Analyses focused on Canadians or persons in Canada would be permitted under this provision, but it does not authorize collection activities directed at Canadians/persons in Canada.
Incidental collection, of course, is another matter. Subsection 24(4) would explicitly confirm that CSE "may acquire information relating to a Canadian or a person in Canada incidentally in the course of carrying out activities under an authorization issued under" its Mandates 17 or 18 [the original version of this post mistakenly said "18 or 19"] (or an emergency authorization for the same purposes). A definition of "incidentally" is helpfully provided:
But I have some difficulty with the wording "deliberately sought". As I noted here, in many cases CSE is especially interested in the communications of its foreign targets when those communications are going to or from Canadians or other persons in Canada. To take the most obvious example, if a suspected foreign terrorist plotter is communicating with someone in Canada, CSE (and Canadians in general) will want to know who in Canada is participating in the communication and what they're talking about. While it is difficult in many cases to know ahead of time whether a particular communication is going to or from someone in Canada (think Gmail account, for example), in other cases, such as landline telephones, it's easy. CSE could, if it chose, apply "defeats" to prevent its collection systems from ever acquiring calls to or from Canadian landline telephone numbers. It does not do this, and has not done it since the law was changed in 2001 specifically to permit CSE to collect incidental communications. Testimony at the time by Defence Minister Art Eggleton and Justice Minister Anne McLellan made it clear that this was a deliberate decision to ensure that such collection could be done. In cases like that, incidental collection is very much "deliberately sought".
Clearly, this second meaning of "deliberately sought" is not the one intended in the bill's definition. But is it really that clear? Even the Department of Justice seems confused on this point. In its Charter Statement concerning Bill C-59, DOJ's lawyers wrote that "despite best efforts to avoid it, CSE may incidentally obtain private communications and other private information of Canadians and persons in Canada" (emphasis added).
Attention, DOJ: CSE is not — and will not be — making "best efforts" to avoid incidental collection.
To be clear, most of the time CSE is not interested in what Canadians have to say. It is definitely not targeting Canadians (except when it does so under Mandate C). But in many cases it very much does want to know what is contained in communications that take place between its foreign targets and Canadians or other persons in Canada. And for that reason, incidental collection does occur, deliberately, even when CSE could prevent it if it chose to.
My bottom line: If even the Department of Justice is confused about this issue, maybe the definition needs a little more clarity.
Privacy measures
Section 25 of the act outlines the safeguards that CSE would have to apply to the Canadian-related information it acquires: CSE "must ensure that measures are in place to protect the privacy of Canadians and of persons in Canada in the use, analysis, retention and disclosure" of both information acquired in the course of the agency's foreign intelligence and cybersecurity activities and publicly available information acquired by the agency.
Such measures are important, but they should not be misunderstood as a ban on the use, analysis, retention, or disclosure of information concerning Canadians and persons in Canada. The details of the privacy measures that CSE will have to follow are not spelled out in the act, and indeed they will almost certainly mostly remain classified, but they are not now and will not in the future be designed to prevent the use, analysis, retention, or disclosure of such information when it is deemed "essential" for CSE's mandated activities.
This does not mean that those measures will not be of value, of course.
A welcome innovation in the CSE Act's proposals is that the Intelligence Commissioner, not just the Minister, would have to be satisfied that CSE's privacy measures are sufficient before CSE's Foreign Intelligence and Cybersecurity Authorizations could enter into force. The Commissioner would have no oversight over CSE's use of publicly available information, however.
Unlike the other mandates, no specific privacy measures are laid out with respect to activities carried out under Mandate 21 (Technical and Operational Assistance). Such activities would, however, be subject to whatever privacy requirements were levied on the department or agency being assisted, including both general requirements (Charter of Rights, Privacy Act) and any measures specified in judicial warrants for intercept activities.
Also exempted from the privacy regime would be the cyber operations (computer network attack) activities undertaken under Mandates 19 and 20. Under subsection 35(4) of the act, such operations could only be authorized if the Minister "concludes that there are reasonable grounds to believe... that no information will be acquired under the authorization except in accordance with" a Foreign Intelligence or Cybersecurity Authorization. It's hard to conceive of a cyber operation that wouldn't collect at least some information, if only through the eyeballs of the individual conducting it (but probably much more extensively than that). One might imagine that at least some information would have to be acquired in the course of such operations if for no other reason than to decide what to do and then assess whether it has been done. So the assumption here must be that there would always be a Foreign Intelligence or Cybersecurity Authorization in place that could cover such operations. In the case of offensive cyber operations, this means a Foreign Intelligence Authorization, and since such authorizations would enable CSE to acquire information only "in the furtherance of the foreign intelligence aspect of its mandate", i.e., "for the purpose of providing foreign intelligence, in accordance with the Government of Canada’s intelligence priorities", those intelligence priorities had better include obtaining the information needed to conduct offensive cyber operations or there might turn out to be a bit of a gap in CSE's authorities.
All your law are override for us
Here's an interesting bit. The Foreign Intelligence, Cybersecurity, and Defensive and Active Cyber Operations Authorizations that the Minister issued would authorize the agency to carry out the activities specified in the authorizations "despite any other Act of Parliament or of any foreign state" (subsections 27(1), 28(1), 30(1), and 31(1)).
That seems pretty all-inclusive.
Don't get in the way of these people, folks, because they're about to be licensed to kill (except when conducting non-military cyber operations; see section 33).
I joke, of course. The Minister may issue no authorization unless "he or she concludes that there are reasonable grounds to believe that any activity that would be authorized by it is reasonable and proportionate, having regard to the nature of the objective to be achieved and the nature of the activities" (s.35). In the case of authorizations other than cyber operations, the Intelligence Commissioner also would have to approve. So they'd have to have a pretty darn good reason to kill you.
(And I'm hoping my having pointed that out will keep me off the list.)
One of the things actually accomplished by these provisions would be to extend the coverage of the activities protected by CSE's authorizations from just the interception of private communications to all acquisition of information by CSE, including metadata acquisition. The CSE Commissioner recommended that authority to collect metadata be explicitly added to CSE's part of the National Defence Act (along with, as noted above, a definition of the term), but that recommendation posed a practical problem of how to future-proof the definition of metadata in the face of constantly evolving technology. C-59 avoids that problem by subsuming everything that might be considered metadata now and in the future into the overall category of information and simply authorizing CSE to collect it all.
Another potential problem that this approach would solve relates to intercepts of Canadian private communications (PCs) that Canada receives from its allies. The Five Eyes countries do not routinely target each other's citizens, but intercepts of Five Eyes citizens do occur (usually incidentally) and sometimes they are passed on to the country in question. It has been CSE's view (and the Commissioners') that Canada is permitted to receive such intercepts from its allies as long as it doesn't, in the absence of a suitable warrant, specifically ask them to target persons in Canada. Apparently, receiving the contents of a PC from an ally does not in itself constitute "acquir[ing] the substance, meaning or purport" of the communication for the purposes of the Criminal Code. I'll leave it to the lawyers to explain how that works; the potential problem I want to talk about is this: No matter how you obtain the contents of a PC, it's still a PC, and the Criminal Code limits how the substance, meaning, purport, or indeed the fact of the existence of a PC may be used or disclosed. Disclosure is permitted in a number of specific circumstances — notably to CSIS or to a peace officer or prosecutor — but there is no provision for the use or disclosure of PCs in support of broader foreign intelligence activities, which leaves out a wide swath of CSE's normal reporting topics and customer base.
What has this gap meant for CSE? It's possible that the agency has a legal interpretation that says the use and disclosure provisions of the Criminal Code don't apply to reporting on the contents of PCs obtained through allies. Maybe the courts would even agree. I don't know. But it looks to me as though either CSE has had to limit its reporting on PCs obtained from allies to just CSIS and police/prosecutors or the agency has been ignoring that section of the Criminal Code. If either of those possibilities is correct, the legal override provisions in s.27 of Bill C-59 should remove that problem in the future.
Unselected unlimited?
An interesting little detail here. Subsection 35(2)(a) says the Minister can only issue a Foreign Intelligence Authorization if he or she concludes that "any information acquired under the authorization could not reasonably be acquired by other means and will be retained for no longer than is reasonably necessary". But then s.35(2)(b) requires that the Minister also conclude that "any unselected information acquired under the authorization could not reasonably be acquired by other means, in the case of an authorization that authorizes the acquisition of unselected information". Since "unselected information" is a subset of "information", what is the point of this additional provision, which levies no additional conditions? Is it that the provision does not include the condition that the acquired information must be retained for no longer than is reasonably necessary? Does this mean there would be no requirement for retention limits on any of the unselected information acquired by CSE?
Urgent circumstances
Section 47 would authorize CSE to "use and analyse information relating to a Canadian or a person in Canada if it has reasonable grounds to believe that there is an imminent danger of death or serious bodily harm to any individual and that the information will be relevant to the imminent danger".
The need for this kind of provision is undeniable, I think, but it does seem rather sweepingly permissive. The danger of death or serious bodily harm can relate to "any individual" at any location, not just Canadians or persons in Canada, and the Canadian-related information that can be examined need only be "relevant" to the danger. In Canada there are people in danger of death or serious bodily harm every day of the week, and the situation beyond our borders is often incomparably worse. Terror plots are probably the threat that most people would think of in the context of using a provision like this, but it would also probably be of use in search-and-rescue situations and other non-criminal threats to life. And in between those poles is a full panoply of criminal activities that could also pose an imminent threat of death or bodily harm. Would CSE be permitted to search for Canadian information related to any imminent violent crime in Canada? This presumably would be a search within its data repositories (the provision does not authorize any collection of information relating to Canadians or persons in Canada), but those repositories might be very large indeed. And just how imminent is "imminent"?
Also important, the section would permit Canadian-related information to be disclosed to "any appropriate person", a wording that one assumes was deliberately chosen to allow disclosure to non-Canadians as well as Canadians.
In all, it seems as though rather a lot of activity with implications for Canadian privacy might be able, at least in theory, to pass through a doorway that is probably actually intended for relatively infrequent use. One measure that might help to guard against excessive use is that both the Minister and NSIRA would have to be notified whenever information was used, analysed, or disclosed under this provision.
On a somewhat-related issue, I've been wondering where in the proposed CSE Act the government has placed the provisions that would permit CSE to provide to the RCMP and other law enforcement agencies the non-urgent criminal intelligence that it picks up incidentally in the course of its foreign intelligence operations. CSE has done this sort of sharing for a long time, and it doesn't seem at all likely that the government is planning to end that practice. So how exactly is that accomplished in this act? (And what other significant activities am I failing to see?)
You're once, twice, three times legal
Turning to section 51, we get this intriguing provision: "Part VI of the Criminal Code does not apply in relation to an interception of a communication under the authority of an authorization issued under subsection 27(1), 28(1) or (2), 30(1), 31(1) or 41(1) [i.e., a Foreign Intelligence, Cybersecurity, or Cyber Operations Authorization] or in relation to a communication so intercepted."
Two questions come to mind. First, since the Minister could only issue an authorization under subsections 30(1) or 31(1) (i.e., a Cyber Operations Authorization) if he or she concluded "that no information will be acquired under the authorization except in accordance with an authorization issued under subsection 27(1) or 28(1) or (2) or 41(1)" (i.e., a Foreign Intelligence or Cybersecurity Authorization), what is the point of making it legal to intercept a communication under the authority of a Cyber Operations Authorization? As I noted earlier, a Foreign Intelligence or Cybersecurity Authorization would pretty much have to be in place every time a Cyber Operations Authorization was issued, making the whole question of interceptions under subsections 30(1) or 31(1), even unintended ones, moot.
Second, since everything that CSE would be permitted to do in an authorization issued under any of the subsections cited in s.51 would already be legal by virtue of those authorizations, why bother with s.51 at all?
It's possible, I suppose, to imagine a CSE activity undertaken under the authority of a Foreign Intelligence or Cybersecurity Authorization that for some reason did not include permission to incidentally intercept private communications. I think that would be a very rare circumstance indeed, but even in that case s.51 would make no difference to CSE's legal liability. An intentional interception made when the authorization did not cover interceptions would not be an interception "under the authority" of that authorization and thus s.51 would not apply, whereas an inadvertent interception would not be a wilful act and therefore would not violate Part VI of the Criminal Code (which applies only to wilful interceptions of private communications), eliminating any need for s.51.
From the Sanitization Department
The act also includes a couple of interesting opaqueness measures:
Section 56 would protect the identities of persons or other entities that assist CSE on a confidential basis from disclosure in court proceedings, except under certain limited circumstances. This is probably intended mainly to keep secret the names of telecommunications companies that help CSE's intercept operations, such as the owners of the facilities that host CSE's EONBLUE sensors. But it should also prove useful for the HUMINT operations that CSE seems to be contemplating.
And section 57 would affirm that the "provision of assistance or the disclosure of information by the Establishment... does not create a presumption... that the Establishment is conducting a joint investigation or decision-making process with the entity to which assistance is provided or information is disclosed and therefore has the same obligations, if any, as the entity to disclose or produce information for the purposes of a proceeding". Among other purposes, I think this provision is intended to enable CSE to provide SIGINT in support of investigations and other processes without running the risk of being forced to disclose that SIGINT in legal proceedings. "Disclosure Risk Management" has been a major concern within CSE in recent years and this provision is probably a response to that concern.
Annual report to be produced
Still, it's not all darkness: The act would also contain a significant step towards greater transparency.
Section 60 would direct CSE to produce an annual report within three months of the end of every fiscal year. (The government fiscal year ends on March 31st, so this means the reports would be due by the end of June every year.) No details are provided as to what would go into this report, which CSE confirms would be made public, but I think this is a very welcome development and I have high hopes for it.
Don't disappoint us, CSE!
[Update 30 June 2020: Three guesses what happened.]
OK, that's it for my overview of Bill C-59 as it pertains to CSE. Phew. If any of you made it all the way to the end, thanks for reading. I hope at least some bits of it were useful.
Claude Bisson, the first CSE Commissioner, had a slightly different perspective on this question. In his 2001-02 report, Commissioner Bisson assured readers that, “Despite concerns expressed about the haste with which the [Bill C-36] legislation was drafted and debated, I know with certainty that those parts of the legislation that deal with CSE and the CSE Commissioner benefited from years of discussion within government long before September 11.” Legislation to provide a statutory basis for CSE and to permit the agency to incidentally collect private communications had indeed long been under consideration, and it is likely that most of what was eventually bundled into C-36 pertaining to CSE already existed in some form of draft. But none of that material had been subjected to careful legislative and public consideration, and Bisson too believed that aspects of the legislation needed improvement.
So let's have a look at some of the changes that are now being proposed.
Definitions
Section 2 of the CSE Act contains definitions of terms, most of which are the same as those in the existing law. One interesting change is in the definition of Global Information Infrastructure, which is almost identical to the earlier version, but will now include not just communications and IT systems, but also "any equipment producing [electromagnetic] emissions". Is this meant to cover the collection of information leaked by information systems through power lines and other unintended routes? There does seem to be some interest in "close access" operations — the physical planting of hardware or software devices to facilitate local collection — reflected in this bill (as discussed further below), so this addition may be part of that development. Or maybe it means something completely different. But I have to think it was added for some reason.
Also added are definitions of "publicly available information" and "unselected" information, the latter referring to information collected in bulk rather than specifically singled out because it corresponds to a particular "selector" such as an e-mail address or a phone number.
Not defined, however, were a number of terms that CSE Commissioners had explicitly recommended be defined in legislation, including "acquire", "intercept", "interception", and "metadata". In the case of metadata, CSE argues — I think correctly — that the provisions of the CSE Act that address the collection of information in general are sufficient to capture current and future forms of metadata, making a formal definition unnecessary (although probably still needed in the Ministerial Directive on the topic).
But it would have been useful to have definitions of the other terms. As Commissioner Plouffe commented, "These terms are of operational significance to CSE foreign signals intelligence and cyber defence activities and of significance to the Commissioner’s mandate to determine whether CSE complies with the law." They will remain of significance to that task even after NSIRA takes it over.
Also useful, in my view, would have been a definition of the term "directed at", which is fundamental to both the existing and the proposed limitations on CSE operations with respect to persons in Canada and Canadians anywhere. Subsection 23(1) of the new act specifies that "Activities carried out by the Establishment in furtherance of the foreign intelligence, cybersecurity and information assurance, defensive cyber operations or active cyber operations aspects of its mandate must not be directed at a Canadian or at any person in Canada" (emphasis added). In 2012 the Federal Court rejected the interpretation of "directed at" that CSIS and its lawyers put forward in a case involving CSIS activities, and in 2014 CSE suspended certain unspecified activities of its own in response to that ruling. It would appear, therefore, that even if the broad outlines of its meaning are clear, key details are still a bit fuzzy — even to insiders.
But, hey, what the heck, it's only the most important provision in the act.
New minister for CSE?
CSE has been part of the defence portfolio since 1975. But, as in the CSE section of the National Defence Act, the CSE Act would contain an explicit procedure for transferring this responsibility to a different minister. Section 4 of the act would empower the Governor in Council to designate a new minister at any time, without having to amend the legislation.
I have some sympathy for the idea of transferring the agency. CSE's current master, the Minister of National Defence, has a huge, complicated, and highly demanding portfolio, and it is evident that, no matter how capable they may be, few Defence Ministers have the time to truly master the intricacies of CSE's issues. It may be that CSE prefers it that way — less chance of the minister going walkabout and all that — but there is much to be said for giving the job to someone with the time to apply some actual, substantive attention to the job of being in charge.
But which minister should get the job? The Department of External, er, Foreign, er, Global Affairs more or less ran Canadian SIGINT policy in the days of yore, and Britain's Foreign and Commonwealth Office is still nominally in charge of GCHQ, but CSE's growing roles in cybersecurity, support to domestic law enforcement, and, soon, computer network attack make the foreign ministry a less than perfect fit these days. Giving the job to the Foreign Affairs Minister would also mess up the CSE Act's provisions for authorizing foreign cyber operations (sections 30 and 31, which lay out a separate role for the Foreign Affairs Minister) and thus necessitate a formal amendment after all, so it's doubtful the government would want to go down that road.
Public Safety might be a better fit, but that portfolio arguably is also already too large and complicated. And Public Safety is heavily focused on domestic security, while CSE's remit is much wider.
When you come right down to it, leaving the agency inside the defence portfolio might make the most sense if CSE and the Canadian Forces are increasingly going to be working together on cyber operations anyway. But what to do about the overloaded minister? In its latter days the Harper government experimented with sharing some of Defence Minister Jason Kenney's CSE-related duties with Associate Defence Minister Julian Fantino, although they never handed full responsibility for the agency to Fantino. Formally assigning it to the Associate Defence Minister might be a workable solution.
Establishment established
Section 5. No big point to make here. I just enjoy marveling at the recursive nature of this section.
It's raining mandates
OK, back to business. As readers of this blog should know by now, CSE currently has a three-part mandate, usually referred to as Mandates A, B, and C. Section 16 of the CSE Act would crank that up to a five-part mandate, with no handy letter designations. The five mandates proposed are foreign intelligence (essentially Mandate A), cybersecurity and information assurance (essentially Mandate B), defensive cyber operations (new), active cyber operations (also new), and technical and operational assistance (essentially Mandate C).
These five mandates are spelled out in the five succeeding sections of the act, 17 to 21, so until someone comes up with something better, I guess I'll just refer to them by their section numbers.
Mandate 17: SIGINT
Mandate 17 is CSE's flagship mandate, the acquisition of foreign intelligence through signals intelligence activities, including computer network exploitation activities. Unlike Mandate A, however, the proposed Mandate 17 appears to be expansive enough to permit the use of human agents to modify software, implant physical devices, or otherwise assist in the collection of foreign intelligence.
(Indeed, I'm not sure what would prevent CSE from developing an entire human intelligence (HUMINT) arm of the agency under this mandate if the government were to choose someday to go that way, other than perhaps CSE's designation in s.16 as Canada's "national signals intelligence agency for foreign intelligence" and the fact that the Intelligence Commissioner would have to approve the relevant Foreign Intelligence Authorizations. Maybe that would be enough.)
But I don't think the purpose of that permissive wording is to enable the creation of a HUMINT agency as such. Instead, it is almost certainly to allow for HUMINT assistance to SIGINT activities, such as the conduct of "close access" operations, where physical access to the equipment or location to be monitored is necessary. Canada and New Zealand are the only Five Eyes countries without a dedicated foreign intelligence HUMINT agency that can help out with such activities outside of the country, and that absence has not gone unnoticed. In 2007, Bob Brûlé, CSE's former Deputy Chief, SIGINT Operations, told the Standing Senate Committee on National Security and Defence that "organizations such as the CSE desperately require a foreign intelligence service for them to continue to be successful in the future. From a purely selfish point of view, some decision that the government could make to move forward would be of benefit to technical organizations such as the CSE."
As effective encryption spreads, it may well be that the future of SIGINT lies increasingly in "end point" operations and other activities designed to cripple or bypass that encryption, and some of those activities could certainly benefit from HUMINT assistance. But there are also pitfalls to that approach. Using on-the-scene people in foreign jurisdictions can mean putting individuals at extreme risk, and such operations also have increased potential to go wrong in ways that could expose Canada to extreme embarrassment and even retaliation. If the government is contemplating going down that road, it should probably be open with parliament and the public about its intentions.
Informed consent. Because it's 2017.
Mandate 18: Cybersecurity
Mandate 18, the proposed cybersecurity mandate, is much like CSE's existing Mandate B. But it would also enable the agency to provide protective services to "electronic information and information infrastructures designated... as being of importance to the Government of Canada," as long as CSE receives a prior written request from the owner or operator. Under Mandate B, all services that require a Ministerial Authorization (anything that might involve the interception of a private communication) are limited to the Government of Canada's own systems and networks. The new mandate would open the door to CSE protection of critical infrastructures such as major communications networks and the national electricity grid. Canadian political parties might also qualify. CSE's report on cyber threats to the Canadian electoral system, released just four days before C-59 was introduced in parliament, carefully avoided the what-to-do-about-it question. But it did tee it up nicely for the arrival of the bill. You might almost think someone timed it that way.
Another aspect worth noting here: If a communications company like Bell or Telus does request CSE's help and a Cybersecurity Authorization is subsequently approved, that would make it legal for CSE to intercept any or all of the private communications carried on that network. No judicial warrant would be required. There would, however, be limitations on how information thus acquired could be used: subsection 35(3)(d) requires that privacy measures be in place that "will ensure that information acquired under the authorization that is identified as relating to a Canadian or a person in Canada will be used, analysed or retained only if the information is essential to identify, isolate, prevent or mitigate harm to... electronic information or information infrastructures designated... as being of importance to the Government of Canada".
That said, it's not entirely clear (at least to me) that this provision would prevent all non-cybersecurity uses of the information so collected. Let's suppose that full-take collection of every digital communication that passes through Bell Canada's network is determined to be essential in order to identify malicious activities that might harm that network. That determination would permit everything thus collected to be "used, analysed or retained". But what if analysis of that material turned up information useful for foreign intelligence, security intelligence, or criminal intelligence purposes? Could that information then be disclosed to CSE's intelligence customers? I'm pretty sure that the intent of s.35(3)(d) is to rule out those other uses, but I'm not sure that the actual wording is as absolute as that.
The oversight and review provisions in the bill would provide at least some protection against abuse, of course. Like Foreign Intelligence Authorizations, Cybersecurity Authorizations would require not only the Minister's signature but the approval of the Intelligence Commissioner.
In fact, it looks like each separate critical infrastructure system that CSE was ordered to protect would require its own authorization, so overseeing cybersecurity might end up being the largest part of the Commissioner's CSE-related work. (See this post for more on the Intelligence Commissioner and other aspects of the proposed oversight/review system.)
Mandates 19 & 20: Cyber operations
Mandates 19 and 20 would cover defensive and "active" cyber operations, respectively, i.e., computer network attack (CNA) operations for both defensive and offensive purposes. Such operations, which would constitute an entirely new aspect of CSE's activities, are discussed in this post, so I won't repeat all that here.
Mandate 21: Technical and operational assistance
Mandate 21, the proposed operational and technical assistance mandate, would be much the same as part three of CSE's existing mandate, Mandate C. But again, there's a tweak: Explicit authority to assist the Canadian Forces and the Department of National Defence would be added.
CSE has provided significant Support to Military Operations (primarily through Mandate A) throughout its history, and it has also occasionally provided Support to Lawful Access to the CF/DND, presumably in support of their activities as a federal law enforcement and security agency.
So if all that is already possible, why add this explicit mention? I'm guessing it's to remove any doubt about CSE's ability to assist the CF/DND in the military's own offensive cyber operations. Unlike CSE's cyber operations, the CF will get to cyberkill people as well as cyberbreak things. Maybe the government's lawyers are unsure whether the military can be considered a law enforcement or security agency when conducting military operations subject to the laws of war, or maybe they want to make it clear that CSE employees helping to carry out combat operations are doing so lawfully. The latter aspect is spelled out in greater detail in subsection 26(2).
Information about Canadians
As mentioned earlier, section 23 would require that CSE's activities under Mandates 17 to 20 (but not Mandate 21) "not be directed at a Canadian or any person in Canada". This section would also require that CNA operations "not be directed at any portion of the global information infrastructure that is in Canada."
However, section 24 spells out a number of activities that would be exceptions to those rules, the most notable being a blanket authorization to acquire, use, analyse, retain, or disclose publicly available information.
Publicly available information is defined in section 4 as "information that has been published or broadcast for public consumption, is accessible to the public on the global information infrastructure or otherwise or is available to the public on request, by subscription or by purchase." Whether that includes information that was obtained illegally and then posted on the Internet or made available for sale on the Dark Web is unclear. What it certainly does include, however, is everything that people post on public social media forums. Back in June I had a chance to ask CSE whether it could, for example, collect everything posted by everyone on Twitter under this provision, including everything that was posted by Canadians, if it decided that that would be useful. The response was, yes, it would be possible, but the agency denied that such collection was their goal, and they added that it probably would not be considered reasonable or necessary by CSE's review agency.
Be that as it may, it is clear that vast amounts of data about people's consumer choices, political and social views, religious affiliations, credit history, medical status, photographic collections, and Internet habits are either freely available or legally collected by Internet companies and commercial data brokers and potentially made available for sale. That the collection and use of such data would not be limited by CSE's usual prohibition on directing its activities at Canadians opens the door, at least in theory, to the creation of government databases containing extensive, deeply personal information on Canadians, especially when combined with information collected by other government departments, such as Revenue Canada, and information collected incidentally or otherwise by CSE's SIGINT and cybersecurity programs. How much of that sort of activity might be considered reasonable or necessary is difficult for an outside observer to predict.
The actual purpose of the provision is probably much more limited, to add social information to metadata analyses, provide collateral information for analyses of communications intercepts, enable more precise targeting of SIGINT collection (including de-targeting of individuals determined to be Canadians), and so on. But it would be nice to see some further delimitation of what could possibly pass through this rather large and ill-defined doorway.
Another interesting element is subsection 24(2), which permits the analysis of information for the purpose of providing advice pursuant to the Investment Canada Act. Presumably this would be in aid of government assessments of the potential national security consequences of foreign investments in Canadian companies. Analyses focused on Canadians or persons in Canada would be permitted under this provision, but it does not authorize collection activities directed at Canadians/persons in Canada.
Incidental collection, of course, is another matter. Subsection 24(4) would explicitly confirm that CSE "may acquire information relating to a Canadian or a person in Canada incidentally in the course of carrying out activities under an authorization issued under" its Mandates 17 or 18 [the original version of this post mistakenly said "18 or 19"] (or an emergency authorization for the same purposes). A definition of "incidentally" is helpfully provided:
"incidentally, with respect to the acquisition of information, means that the information acquired was not itself deliberately sought and that the information-acquisition activity was not directed at the Canadian or person in Canada."
Of particular interest is the fact that this definition specifies not only that the information-acquisition activity (communications interception, CNE operation, etc) must not be directed at the Canadian or person in Canada but also that the information acquired must not be "deliberately sought". The point of the latter requirement, I think, is to rule out the "reverse targeting" of Canadians. That's what would happen if, for example, CSE monitored a foreign individual located outside Canada not because he was himself of interest, but because he was married to a Canadian of interest and by monitoring his communications CSE could expect to obtain a large number of communications with or about her. Ruling out this kind of thing is an important safeguard.
But I have some difficulty with the wording "deliberately sought". As I noted here, in many cases CSE is especially interested in the communications of its foreign targets when those communications are going to or from Canadians or other persons in Canada. To take the most obvious example, if a suspected foreign terrorist plotter is communicating with someone in Canada, CSE (and Canadians in general) will want to know who in Canada is participating in the communication and what they're talking about. While it is difficult in many cases to know ahead of time whether a particular communication is going to or from someone in Canada (think gmail account, for example), in other cases, such as landline telephones, it's easy. CSE could, if it chose, apply "defeats" to prevent its collection systems from ever acquiring calls to or from Canadian landline telephone numbers. It does not do this, and has not done it since the law was changed in 2001 specifically to permit CSE to collect incidental communications. Testimony at the time by Defence Minister Art Eggleton and Justice Minister Anne McLellan made it clear that this was a deliberate decision to ensure that such collection could be done. In cases like that, incidental collection is very much "deliberately sought".
Clearly, this second meaning of "deliberately sought" is not the one intended in the bill's definition. But is it really that clear? Even the Department of Justice seems confused on this point. In its Charter Statement concerning Bill C-59, DOJ's lawyers wrote that "despite best efforts to avoid it, CSE may incidentally obtain private communications and other private information of Canadians and persons in Canada" (emphasis added).
Attention, DOJ: CSE is not — and will not be — making "best efforts" to avoid incidental collection.
To be clear, most of the time CSE is not interested in what Canadians have to say. It is definitely not targeting Canadians (except when it does so under Mandate C). But in many cases it very much does want to know what is contained in communications that take place between its foreign targets and Canadians or other persons in Canada. And for that reason, incidental collection does occur, deliberately, even when CSE could prevent it if it chose to.
My bottom line: If even the Department of Justice is confused about this issue, maybe the definition needs a little more clarity.
Privacy measures
Section 25 of the act outlines the safeguards that CSE would have to apply to the Canadian-related information it acquires: CSE "must ensure that measures are in place to protect the privacy of Canadians and of persons in Canada in the use, analysis, retention and disclosure" of both information acquired in the course of the agency's foreign intelligence and cybersecurity activities and publicly available information acquired by the agency.
Such measures are important, but they should not be misunderstood as a ban on the use, analysis, retention, or disclosure of information concerning Canadians and persons in Canada. The details of the privacy measures that CSE will have to follow are not spelled out in the act, and indeed they will almost certainly mostly remain classified, but they are not now and will not in the future be designed to prevent the use, analysis, retention, or disclosure of such information when it is deemed "essential" for CSE's mandated activities.
This does not mean that those measures will not be of value, of course.
A welcome innovation in the CSE Act's proposals is that the Intelligence Commissioner, not just the Minister, would have to be satisfied that CSE's privacy measures are sufficient before CSE's Foreign Intelligence and Cybersecurity Authorizations could enter into force. The Commissioner would have no oversight over CSE's use of publicly available information, however.
Unlike the other mandates, no specific privacy measures are laid out with respect to activities carried out under Mandate 21 (Technical and Operational Assistance). Such activities would, however, be subject to whatever privacy requirements were levied on the department or agency being assisted, including both general requirements (Charter of Rights, Privacy Act) and any measures specified in judicial warrants for intercept activities.
Also exempted from the privacy regime would be the cyber operations (computer network attack) activities undertaken under Mandates 19 and 20. Under subsection 35(4) of the act, such operations could only be authorized if the Minister "concludes that there are reasonable grounds to believe... that no information will be acquired under the authorization except in accordance with" a Foreign Intelligence or Cybersecurity Authorization. It's hard to conceive of a cyber operation that wouldn't collect at least some information, if only through the eyeballs of the individual conducting it (but probably much more extensively than that). One might imagine that at least some information would have to be acquired in the course of such operations if for no other reason than to decide what to do and then assess whether it has been done. So the assumption here must be that there would always be a Foreign Intelligence or Cybersecurity Authorization in place that could cover such operations. In the case of offensive cyber operations, this means a Foreign Intelligence Authorization, and since such authorizations would enable CSE to acquire information only "in the furtherance of the foreign intelligence aspect of its mandate", i.e., "for the purpose of providing foreign intelligence, in accordance with the Government of Canada’s intelligence priorities", those intelligence priorities had better include obtaining the information needed to conduct offensive cyber operations or there might turn out to be a bit of a gap in CSE's authorities.
All your law are override for us
Here's an interesting bit. The Foreign Intelligence, Cybersecurity, and Defensive and Active Cyber Operations Authorizations that the Minister issued would authorize the agency to carry out the activities specified in the authorizations "despite any other Act of Parliament or of any foreign state" (subsections 27(1), 28(1), 30(1), and 31(1)).
That seems pretty all-inclusive.
Don't get in the way of these people, folks, because they're about to be licensed to kill (except when conducting non-military cyber operations; see section 33).
I joke, of course. The Minister may issue no authorization unless "he or she concludes that there are reasonable grounds to believe that any activity that would be authorized by it is reasonable and proportionate, having regard to the nature of the objective to be achieved and the nature of the activities" (s.35). In the case of authorizations other than cyber operations, the Intelligence Commissioner also would have to approve. So they'd have to have a pretty darn good reason to kill you.
(And I'm hoping my having pointed that out will keep me off the list.)
One of the things actually accomplished by these provisions would be to extend the coverage of the activities protected by CSE's authorizations from just the interception of private communications to all acquisition of information by CSE, including metadata acquisition. The CSE Commissioner recommended that authority to collect metadata be explicitly added to CSE's part of the National Defence Act (along with, as noted above, a definition of the term), but that recommendation posed a practical problem of how to future-proof the definition of metadata in the face of constantly evolving technology. C-59 avoids that problem by subsuming everything that might be considered metadata now and in the future into the overall category of information and simply authorizing CSE to collect it all.
Another potential problem that this approach would solve relates to intercepts of Canadian private communications (PCs) that Canada receives from its allies. The Five Eyes countries do not routinely target each other's citizens, but intercepts of Five Eyes citizens do occur (usually incidentally) and sometimes they are passed on to the country in question. It has been CSE's view (and the Commissioners') that Canada is permitted to receive such intercepts from its allies as long as it doesn't, in the absence of a suitable warrant, specifically ask them to target persons in Canada. Apparently, receiving the contents of a PC from an ally does not in itself constitute "acquir[ing] the substance, meaning or purport" of the communication for the purposes of the Criminal Code. I'll leave it to the lawyers to explain how that works; the potential problem I want to talk about is this: No matter how you obtain the contents of a PC, it's still a PC, and the Criminal Code limits how the substance, meaning, purport, or indeed the fact of the existence of a PC may be used or disclosed. Disclosure is permitted in a number of specific circumstances — notably to CSIS or to a peace officer or prosecutor — but there is no provision for the use or disclosure of PCs in support of broader foreign intelligence activities, which leaves out a wide swath of CSE's normal reporting topics and customer base.
What has this gap meant for CSE? It's possible that the agency has a legal interpretation that says the use and disclosure provisions of the Criminal Code don't apply to reporting on the contents of PCs obtained through allies. Maybe the courts would even agree. I don't know. But it looks to me as though either CSE has had to limit its reporting on PCs obtained from allies to just CSIS and police/prosecutors or the agency has been ignoring that section of the Criminal Code. If either of those possibilities is correct, the legal override provisions in s.27 of Bill C-59 should remove that problem in the future.
Unselected unlimited?
An interesting little detail here. Subsection 35(2)(a) says the Minister can only issue a Foreign Intelligence Authorization if he or she concludes that "any information acquired under the authorization could not reasonably be acquired by other means and will be retained for no longer than is reasonably necessary". But then s.35(2)(b) requires that the Minister also conclude that "any unselected information acquired under the authorization could not reasonably be acquired by other means, in the case of an authorization that authorizes the acquisition of unselected information". Since "unselected information" is a subset of "information", what is the point of this additional provision, which levies no additional conditions? Is it that the provision does not include the condition that the acquired information must be retained for no longer than is reasonably necessary? Does this mean there would be no requirement for retention limits on any of the unselected information acquired by CSE?
Urgent circumstances
Section 47 would authorize CSE to "use and analyse information relating to a Canadian or a person in Canada if it has reasonable grounds to believe that there is an imminent danger of death or serious bodily harm to any individual and that the information will be relevant to the imminent danger".
The need for this kind of provision is undeniable, I think, but it does seem rather sweepingly permissive. The danger of death or serious bodily harm can relate to "any individual" at any location, not just Canadians or persons in Canada, and the Canadian-related information that can be examined need only be "relevant" to the danger. In Canada there are people in danger of death or serious bodily harm every day of the week, and the situation beyond our borders is often incomparably worse. Terror plots are probably the threat that most people would think of in the context of using a provision like this, but it would also probably be of use in search-and-rescue situations and other non-criminal threats to life. And in between those poles is a full panoply of criminal activities that could also pose an imminent threat of death or bodily harm. Would CSE be permitted to search for Canadian information related to any imminent violent crime in Canada? This presumably would be a search within its data repositories (the provision does not authorize any collection of information relating to Canadians or persons in Canada), but those repositories might be very large indeed. And just how imminent is "imminent"?
Also important, the section would permit Canadian-related information to be disclosed to "any appropriate person", a wording that one assumes was deliberately chosen to allow disclosure to non-Canadians as well as Canadians.
In all, it seems as though rather a lot of activity with implications for Canadian privacy might be able, at least in theory, to pass through a doorway that is probably actually intended for relatively infrequent use. One measure that might help to guard against excessive use is that both the Minister and NSIRA would have to be notified whenever information was used, analysed, or disclosed under this provision.
On a somewhat-related issue, I've been wondering where in the proposed CSE Act the government has placed the provisions that would permit CSE to provide to the RCMP and other law enforcement agencies the non-urgent criminal intelligence that it picks up incidentally in the course of its foreign intelligence operations. CSE has done this sort of sharing for a long time, and it doesn't seem at all likely that the government is planning to end that practice. So how exactly is that accomplished in this act? (And what other significant activities am I failing to see?)
You're once, twice, three times legal
Turning to section 51, we get this intriguing provision: "Part VI of the Criminal Code does not apply in relation to an interception of a communication under the authority of an authorization issued under subsection 27(1), 28(1) or (2), 30(1), 31(1) or 41(1) [i.e., a Foreign Intelligence, Cybersecurity, or Cyber Operations Authorization] or in relation to a communication so intercepted."
Two questions come to mind. First, since the Minister could only issue an authorization under subsections 30(1) or 31(1) (i.e., a Cyber Operations Authorization) if he or she concluded "that no information will be acquired under the authorization except in accordance with an authorization issued under subsection 27(1) or 28(1) or (2) or 41(1)" (i.e., a Foreign Intelligence or Cybersecurity Authorization), what is the point of making it legal to intercept a communication under the authority of a Cyber Operations Authorization? As I noted earlier, a Foreign Intelligence or Cybersecurity Authorization would pretty much have to be in place every time a Cyber Operations Authorization was issued, making the whole question of interceptions under subsections 30(1) or 31(1), even unintended ones, moot.
Second, since everything that CSE would be permitted to do in an authorization issued under any of the subsections cited in s.51 would already be legal by virtue of those authorizations, why bother with s.51 at all?
It's possible, I suppose, to imagine a CSE activity undertaken under the authority of a Foreign Intelligence or Cybersecurity Authorization that for some reason did not include permission to incidentally intercept private communications. I think that would be a very rare circumstance indeed, but even in that case s.51 would make no difference to CSE's legal liability. An intentional interception made when the authorization did not cover interceptions would not be an interception "under the authority" of that authorization and thus s.51 would not apply, whereas an inadvertent interception would not be a wilful act and therefore would not violate Part VI of the Criminal Code (which applies only to wilful interceptions of private communications), eliminating any need for s.51.
From the Sanitization Department
The act also includes a couple of interesting opaqueness measures:
Section 56 would protect the identities of persons or other entities that assist CSE on a confidential basis from disclosure in court proceedings, except under certain limited circumstances. This is probably intended mainly to keep secret the names of telecommunications companies that help CSE's intercept operations, such as the owners of the facilities that host CSE's EONBLUE sensors. But it should also prove useful for the HUMINT operations that CSE seems to be contemplating.
And section 57 would affirm that the "provision of assistance or the disclosure of information by the Establishment... does not create a presumption... that the Establishment is conducting a joint investigation or decision-making process with the entity to which assistance is provided or information is disclosed and therefore has the same obligations, if any, as the entity to disclose or produce information for the purposes of a proceeding". Among other purposes, I think this provision is intended to enable CSE to provide SIGINT in support of investigations and other processes without running the risk of being forced to disclose that SIGINT in legal proceedings. "Disclosure Risk Management" has been a major concern within CSE in recent years and this provision is probably a response to that concern.
Annual report to be produced
Still, it's not all darkness: The act would also contain a significant step towards greater transparency.
Section 60 would direct CSE to produce an annual report within three months of the end of every fiscal year. (The government fiscal year ends on March 31st, so this means the reports would be due by the end of June every year.) No details are provided as to what would go into this report, which CSE confirms would be made public, but I think this is a very welcome development and I have high hopes for it.
Don't disappoint us, CSE!
[Update 30 June 2020: Three guesses what happened.]
OK, that's it for my overview of Bill C-59 as it pertains to CSE. Phew. If any of you made it all the way to the end, thanks for reading. I hope at least some bits of it were useful.