CSE Commissioner calls for changes to Bill C-59
CSE Commissioner Jean-Pierre Plouffe called for changes in Bill C-59 in testimony to the Standing Committee on Public Safety and National Security today.
The Commissioner was accompanied by OCSEC Executive Director Bill Galbraith and special legal advisor Gérard Normand, who also testified. The transcript of the meeting is not yet available, but you can watch the hearing here. (It's also worth watching the testimony by Michael Vonn and Ray Boisvert that follows.)
In a document provided to the committee, the Commissioner called for nine substantive and thirteen technical amendments to the bill. [The original version of this blog post listed only the seven proposals outlined in this earlier submission by the Commissioner, which was the only one available online on January 30th.]
Here are the Commissioner's recommendations:
Several of the Commissioner's recommendations paralleled those made by various other commentators, including the authors of the Canadian Internet Policy and Public Interest Clinic (CIPPIC) and Citizen Lab report on the bill. (I'm currently a Citizen Lab Research Fellow and was one of the five co-authors of the report.)
Especially notable were the Commissioner's recommendations that ministerial authorizations for active and defensive cyber operations be subject to the approval of the Intelligence Commissioner and that the Commissioner be able to specify conditions when approving authorizations, both of which were also recommended in the CIPPIC/Citizen Lab report (recommendations #5 and #9).
In response to a question, the Commissioner and his legal advisor also expressed general agreement with the CIPPIC/Citizen Lab report's recommendation (#6) that the Intelligence Commissioner provide written reasons for all decisions.
The Commissioner's appearance before the committee was limited to one hour, which is a great shame as a productive discussion could easily have gone on for several hours, but at least the Commissioner and the subsequent witnesses were given a respectful hearing and the questions asked of them were constructive. I honestly don't understand how the previous government found that kind of basic decency so difficult to display.
Update 26 February 2018:
On 23 February, the CSE Commissioner submitted a number of additional recommendations to the standing committee examining Bill C-59, including two more pertaining to the CSE Act part of the bill:
1. "Amend the provisions falling under the Procedure part of the CSE Act (sections 34 to 37) to ensure that the Intelligence Commissioner can review the full content of an authorization."
2. "Amend subsections 27(1), 30(1) and 31(1) of the CSE Act to ensure that the Minister can issue authorizations that will be lawful “despite any other law, including that of any foreign state” as opposed to the current and more limiting wording of “despite any other Act of Parliament or of any foreign state”. Proceed to amend subsections 28(1) and (2) of the same Act accordingly, save for the reference to foreign state."
The Commissioner's submission contains brief explanations of each of the recommendations.
The cyber operations aspect of the second issue was also recently raised by Craig Forcese ("Does CSE risk a Re X moment with the current drafting in C-59?" National Security Law blog, 2 February 2018).
News coverage/commentary:
Alex Boutilier, "Electronic spy agency watchdog asks for more powers," Toronto Star, 30 January 2018.
Craig Forcese, "The (Quasi) Judicialization of CSE Cyber Operations (Active & Defensive)," National Security Law blog, 31 January 2018.
The Commissioner was accompanied by OCSEC Executive Director Bill Galbraith and special legal advisor Gérard Normand, who also testified. The transcript of the meeting is not yet available, but you can watch the hearing here. (It's also worth watching the testimony by Michael Vonn and Ray Boisvert that follows.)
In a document provided to the committee, the Commissioner called for nine substantive and thirteen technical amendments to the bill. [The original version of this blog post listed only the seven proposals outlined in this earlier submission by the Commissioner, which was the only one available online on January 30th.]
Here are the Commissioner's recommendations:
Substantive recommendationsThe terms that the Commissioner recommended be defined are:
1. The Intelligence Commissioner (IC) should approve the active cyber operations [and] defensive cyber operations that are authorized by the Minister pursuant to subsections 30(1) and 31(1) of the Communications Security Establishment Act (CSE Act).
2. The IC should have the right to request clarifications with respect to the information presented to him, short of receiving or accessing information that the Minister would not have seen.
3. The IC should be able to conditionally approve authorizations, pursuant to section 13 of the IC Act.
4. The IC should prepare a public annual report to the Prime Minister for him to table in both Houses.
5. Subsection 21(1) of the IC Act should provide that while the decision of the IC must be made within a 30-day period, the reasons could follow later.
6. Regarding subsection 37(3) of the CSE Act, it is suggested that the decision by a Minister to extend, for one more year, an authorization on matters of foreign intelligence or cybersecurity should be reviewable by the IC.
7. Paragraph 273.65(2)(c) of the National Defence Act... states that the Minister needs to be satisfied that "the expected foreign intelligence value of the information that would be derived from the interception justifies it". This has not been replicated in Bill C-59 and should be added.
8. Sections 38 to 40 of the CSE Act provide for a regime dealing with "repeal and amendment" that appears inconsistent and should be re-examined.
9. Subsection 41(2) of the CSE Act should provide that emergency authorizations issued by the Minister in foreign intelligence and cybersecurity matters are reviewable by the IC and base its process on the United Kingdom model under the Investigatory Powers Act 2016.
Technical recommendations
1. The wording in subsection 23(1) of the Intelligence Commissioner Act (IC Act) should be clarified to specify what is included in "all information that was before [the Minister]" that is provided to the Intelligence Commissioner (IC).
2. Regulation-making authority should be inserted in the IC Act to enable the creation of regulations for carrying out the purposes and provisions of the Act, as well as on more specific matters.
3. The Communications Security Establishment Act (CSE Act) and the Canadian Security Intelligence Service Act (CSIS Act) should clearly provide that both the authorization/determination and all information that led to the decision by the Minister should be provided to the IC for the purpose of his review.
4. The wording in section 13 of the IC Act should be amended to state that the IC should review all the information in order to determine whether the conclusions of the Minister are reasonable.
5. Section 25 of the IC Act should clarify the type and nature of the information being contemplated, such as briefings, or backgrounders, to help the IC exercise his role. The word "may" should be replaced by "must" for information requested by the IC.
6. The IC Act should provide that records obtained by the IC in the course of his duties are not under the IC's control, for Access to Information Act and Privacy Act purposes.
7. The wording in subsection 11.03(3) of the CSIS Act should be similar to that in subsections 29(1) of the CSE Act and section 11.23 of the CSIS Act.
8. Some terms found in Bill C-59 should be defined or clarified for the benefit of those responsible for enforcing the legislation, as well as those who will be asked to issue authorizations or approvals.
9. The entity proposed as the IC should be called the "Judicial Intelligence Commissioner" or the "Judicial Commissioner for Intelligence" and the title of the legislation changed to reflect the name.
10. The threshold set out in subsection 11.03(2) of the CSIS Act, is too low and will make the IC's review practically impossible.
11. The Minister responsible for the IC Act should be the Prime Minister.
12. The period of validity for authorizations issued under subsections 30(1) and 31(1) of the CSE Act [i.e., defensive and active cyber operation authorizations] should be up to 6 months.
13. Section 10 of the IC Act should clarify that the concept of legal advisor is covered by the term "person having specialized knowledge".
a. "information" (as used throughout the CSE Act);As can be seen, the CSE Commissioner's recommendations were limited to matters concerning the role of the proposed Intelligence Commissioner, which the CSE Commissioner will become if the bill is passed.
b. "acquire", "collection" and "interception" (as used in the CSE Act, as well as the CSIS Act; the term "interception" is defined in the Criminal Code but is problematic with respect to the foreign intelligence collection process);
c. "disclosure" and "disseminate" (as used in the CSE Act);
d. "predominantly" (as used in the CSIS Act);
e. "publicly available dataset" (this term is defined in the CSIS Act but the definition is circular)
Several of the Commissioner's recommendations paralleled those made by various other commentators, including the authors of the Canadian Internet Policy and Public Interest Clinic (CIPPIC) and Citizen Lab report on the bill. (I'm currently a Citizen Lab Research Fellow and was one of the five co-authors of the report.)
Especially notable were the Commissioner's recommendations that ministerial authorizations for active and defensive cyber operations be subject to the approval of the Intelligence Commissioner and that the Commissioner be able to specify conditions when approving authorizations, both of which were also recommended in the CIPPIC/Citizen Lab report (recommendations #5 and #9).
In response to a question, the Commissioner and his legal advisor also expressed general agreement with the CIPPIC/Citizen Lab report's recommendation (#6) that the Intelligence Commissioner provide written reasons for all decisions.
The Commissioner's appearance before the committee was limited to one hour, which is a great shame as a productive discussion could easily have gone on for several hours, but at least the Commissioner and the subsequent witnesses were given a respectful hearing and the questions asked of them were constructive. I honestly don't understand how the previous government found that kind of basic decency so difficult to display.
Update 26 February 2018:
On 23 February, the CSE Commissioner submitted a number of additional recommendations to the standing committee examining Bill C-59, including two more pertaining to the CSE Act part of the bill:
1. "Amend the provisions falling under the Procedure part of the CSE Act (sections 34 to 37) to ensure that the Intelligence Commissioner can review the full content of an authorization."
2. "Amend subsections 27(1), 30(1) and 31(1) of the CSE Act to ensure that the Minister can issue authorizations that will be lawful “despite any other law, including that of any foreign state” as opposed to the current and more limiting wording of “despite any other Act of Parliament or of any foreign state”. Proceed to amend subsections 28(1) and (2) of the same Act accordingly, save for the reference to foreign state."
The Commissioner's submission contains brief explanations of each of the recommendations.
The cyber operations aspect of the second issue was also recently raised by Craig Forcese ("Does CSE risk a Re X moment with the current drafting in C-59?" National Security Law blog, 2 February 2018).
News coverage/commentary:
Alex Boutilier, "Electronic spy agency watchdog asks for more powers," Toronto Star, 30 January 2018.
Craig Forcese, "The (Quasi) Judicialization of CSE Cyber Operations (Active & Defensive)," National Security Law blog, 31 January 2018.