Intelligence Commissioner 2021 Annual Report
The 2021 annual report of the Office of the Intelligence Commissioner (ICO) was tabled in Parliament on May 5th. From the perspective of this blog, the most interesting news in the report was that one of the three Foreign Intelligence Authorizations (FIAs) granted to CSE by the Minister of National Defence in 2021 was only "partially" approved by the Intelligence Commissioner (IC). This marks the first time since the 2019 passage of the National Security Act, 2017, which created the current oversight regime, that an FIA has not been fully approved.
FIAs enable CSE to conduct its foreign intelligence program by legalizing aspects of its SIGINT collection activities that would otherwise be illegal, such as intercepting "private communications" or breaking into computer systems to steal information. CSE typically receives three FIAs per year, each valid for a one-year period. The exact subjects of those FIAs are classified, but collectively they cover the full range of CSE collection activities, probably grouped into computer network exploitation, various kinds of radio intercept activities, and cable collection operations. The authorizations are vital to CSE because, without them, the agency would be unable to collect intelligence under its foreign intelligence mandate without running the risk of violating the law.
FIAs are issued by the Defence Minister, but they only come into force if the Minister's decision is approved as "reasonable" by the IC. In 2021, for the first time, the IC did not fully approve one of CSE's FIAs. In the case of one particular activity covered by one of the FIAs, the Commissioner judged that "the Minister's conclusions lacked information on the nature of the activity described and on how such activity would be reasonable and proportionate. The IC was of the view that the Minister’s conclusions did not bear the essential elements of reasonableness: justification, transparency, intelligibility and did not establish whether they were justified in relation to the relevant factual and legal contexts." As a result, the IC "determined that he must not approve the Foreign Intelligence Authorization relating to this specific activity."
So, what exactly was the CSE activity that didn't make the cut? Those of you who are familiar with watchdog reports will know better than to expect the IC to reveal that information to us — or, perhaps more correctly, know better than to expect CSE to permit the IC to reveal it to us. Whether the activity in question is a secret legitimately worth keeping or one of those everyone-knows-we-do-it-but-we-obstinately-refuse-to-admit-it secrets we may never know.
Interestingly, however, in its 2020 annual report (released to the public in December 2021), the National Security and Intelligence Review Agency (NSIRA) also raised concerns about an unidentified CSE activity that at least conceivably could be the same program.
In that case, NSIRA recommended that "CSE should seek a fulsome legal assessment on activities authorized by a specific Foreign Intelligence Authorization prior to undertaking any collection activities under this ministerial authorization (MA)." In its response to NSIRA, CSE accepted the recommendation "in principle" but seemed to suggest that it had already done sufficient legal assessment of the activity.
Similarly, in declining to approve the particular activity that was of concern to the IC, the Commissioner stated (among other points) that the Minister's conclusions "did not establish whether they were justified in relation to the relevant ... legal contexts."
NSIRA also appears to have been concerned about the reasonableness and proportionality of CSE's planned activities, as CSE's response to NSIRA specifically noted CSE's belief that, in its view, the activities were "reasonable and proportionate". For its part, the IC stated that "the Minister's conclusions lacked information ... on how such activity would be reasonable and proportionate."
Were the two watchdog agencies talking about the same proposed activity?
We don't know. But if they were (and this is just an "if"), a couple of points are worth noting.
First, as the NSIRA report reveals, the activity in question is something comparatively new to CSE, "enabled since the CSE Act" (which was passed in 2019), and it had not yet begun operations at the time of NSIRA's examination. This suggests the possibility that it also may not have been in operation during the time the IC looked at it, which would mean that CSE did not have to shut down an active program when the authorization for it was refused. (This might also explain why no additional or amended FIA was presented to the IC later in the year to get the activity back in operation — it wasn't ready to go anyway.)
It might seem strange that an authorization would be sought for a program that isn't ready to go into operation, but it has been known to happen under the previous (pre-2019) ministerial authorization regime. Presumably, the goal of such early approvals is to have the authorization already in place when the program is ready to begin, and perhaps also to check whether the program is in fact likely to receive authorization before a large amount of time and money has been expended on its development and installation.
The second point worth noting is that this may represent a concrete example of NSIRA and the IC working together, sharing information and highlighting issues of importance or concern to one another. This information sharing, although limited largely to certain types of formal reporting, was one of the benefits that was foreseen when the new review and oversight regime was created in 2019.
The IC report contains a brief description of how this kind of cooperation works: "The IC must provide a copy of his or her decisions to NSIRA in order to assist it in fulfilling its review mandate. In addition, the IC is entitled to receive a copy of certain reports, or parts of reports, prepared by NSICOP and NSIRA, if they relate to the IC’s powers, duties or functions."
It goes on to add: "In 2021, the IC received one such report from NSIRA."
But if that report had anything to do with the CSE foreign intelligence authorization discussed here, they're not telling us.
Presumably CSE at least knows whether there is a link between the two watchdogs' concerns. If they are linked, maybe CSE has now revisited its somewhat dismissive response to NSIRA's recommendation.
Partially reasonable
As I noted above, this was the first time that the IC approved an FIA only in part. But it didn't come as a complete surprise, as the possibility of such a decision was flagged in both of the IC's previous reports: in both documents, the table summarizing the Commissioner's decisions contained a column labeled "Partially Reasonable" that clearly implied partial rejections were possible.
If you look up the Intelligence Commissioner Act, you will see that s.20(1) offers the Commissioner just two courses of action: approving the authorization or not approving the authorization. It doesn't say anything about approving most of the bits while rejecting other bits. So, in all honesty, I don't understand the statutory basis for this procedure.
But the Intelligence Commissioner obviously does see a basis for this approach, CSE shows no sign of disagreeing with him, and other people who — very much unlike me — have an actual understanding of Canadian national security law and statutory interpretation are comfortable with it too. So I classify this in the category of things-that-clearly-work-that-way-even-though-I-don't-really-understand-why.
And it does seem like a practical approach. It would obviously be undesirable to have large, multi-program authorizations like these refused every time there was a problem with one small element within them. We also wouldn't want the IC to be tempted — or to feel pressured — to let legitimate concerns about particular programs slide for fear of the broad disruption that a refusal might cause.
An alternative approach would be to require a separate FIA for each separate information collection activity that CSE wished to conduct. But depending on how those activities were broken down, that could lead to a significantly large number of authorizations, each of which would need to be reviewed and signed by the Minister and then considered by the Commissioner. That would create a great deal of additional paperwork, but it's not clear that it would have any actual advantages over the current approach.
More transparency to come?
Last year's IC report promised that "the ICO will explore the possibility of publishing redacted and translated versions of the IC’s decisions on the ICO website." This year's report contains an update on that initiative, noting that "the ICO has made considerable efforts to publish the IC’s decisions on the ICO website. The ICO is working towards having the decisions available online as soon as feasible."
Presumably the delay is primarily the result of CSE's on-going reluctance to countenance the publication of any information the public might find remotely informative. It will be interesting to see what, if anything, is eventually permitted to appear on the ICO website. Among other possibilities, maybe at that point we'll learn if this year's partial rejection was related to the same program that prompted concerns at NSIRA.
Media coverage
As far as I can tell, the ICO report received no media coverage.
But Christopher Parsons' detailed Twitter thread looking at aspects of the report is well worth reading. See also this update to the thread, in which the ICO explains the statutory basis for its approach to authorizations.
Since Chris's Twitter posts don't last forever, he has generously suggested that I also reproduce the ICO's reply here: