Sunday, June 09, 2024

NSICOP's mystery review

 

Thanks to the recent Special Report of the National Security and Intelligence Committee of Parliamentarians (NSICOP), the stakes are high on Parliament Hill right now, the main question being how many MPs will ultimately be burned at one. 

We haven't had excitement like this since Fred Rose tried to turn the Green Chamber Red. But — as anyone who reads this blog knows — excitement is not what we do here. What I want to talk about is NSICOP's other report, its 2023 Annual Report, which was released on June 5th. 

Tucked away in that report was a brief two-paragraph description of a review that NSICOP completed in November 2023:

The committee was not permitted to provide any information about the nature of the "intelligence collection activity" it examined, or even which department or agency conducted it. 

What it did tell us was that it issued a Special Report to the Prime Minister that "highlighted concerns about the authority of the federal department or agency to participate in this collection activity, particularly with regard to its Canadian partners in the security and intelligence community, including the lack of appropriate governance; and the role that the Department of Justice plays in providing advice in areas of national security and intelligence that will likely not receive judicial scrutiny."

The committee also stated that it made five recommendations, of which the government rejected one, accepted three, and "commented on" another. The report did not indicate the degree to which these responses allayed the committee's concerns, if at all, nor were any details of the committee's recommendations or the government's responses provided.


So what is actually going on?

We may not do excitement here, but we do do guesses. 

The thing that immediately caught my eye was the committee's reference to areas of national security and intelligence that will likely not receive judicial scrutiny. 

CSIS and the RCMP go to the courts to get warrants to conduct their most intrusive activities, but CSE does not. Since 2019, CSE has been subject to the "quasi-judicial" oversight of the Intelligence Commissioner, a retired judge, but the Commissioner does not operate a court, cannot issue legal rulings, and does not have the order-making powers of a judge. Most of what CSE does is unlikely ever to fall under the scrutiny of a court.

Also notable is that NSICOP expressed its concern about the authority of the entity in question to participate in the collection activity "particularly with regard to its Canadian partners in the security and intelligence community". 

Through what is known as its assistance mandate, CSE provides technological and operational assistance to federal law enforcement and security agencies, mostly to CSIS and the RCMP, during which it operates under the authorities of those agencies rather than its own. Unlike the other elements of its mandate, CSE is able to direct its activities at Canadians and persons in Canada when operating under the assistance mandate.

Those assistance activities are thus potentially some of CSE's most sensitive from a Canadian privacy and civil rights point of view. The subject is also one that CSE is extraordinarily secretive about, even by the agency's own Consistently Silent about Everything standards. I've been waiting seven years for the results of an access to information request seeking more information about the policies that govern CSE's assistance activities.

My very tentative guess is that some aspect of the assistance that CSE provides to CSIS and/or the RCMP may have been the activity that NSICOP found troubling.

That assistance might involve, for example, searching or otherwise processing on behalf of domestic investigations the vast metadata stores acquired by CSE and its Five Eyes partners during their foreign intelligence and cybersecurity operations. 

Or it might involve exploitation of the content of communications pulled into CSE and its partners' foreign intelligence/cybersecurity dragnet. (Although not normally permitted to "target" the communications of Canadians or other Five Eyes nationals, they are permitted to collect communications that include Five Eyes participants, or contain information about Five Eyes nationals, as long as those communications were collected because they involved a non-Five Eyes target. This is called "incidental" collection, and the number of communications involved can be surprisingly large.)

The warrantless exploitation by the FBI of American communications incidentally collected by the NSA has long been controversial in the United States, particularly with respect to communications collected inside the United States under Section 702 of the Foreign Intelligence Surveillance Act (FISA). A special court called the Foreign Intelligence Surveillance Court sets conditions on how NSA can conduct its collection under s.702, but critics point to extensive FBI exploitation of the American-related results, describing the program as a backdoor way to conduct warrantless surveillance of Americans.  

(Incidentally, has anyone noticed how many national security investigations here in Canada seem to start with a tip from the FBI? Hmm.)

Maybe American concerns about s.702 recently caught NSICOP's eye and the committee asked itself whether Canada had something similar to FISA collection going on here too.

We do, as this NSA document confirms.

Similar does not mean identical, of course. We don't have a Foreign Intelligence Surveillance Court — or any court — overseeing our program, just the Intelligence Commissioner, whose role is limited to approving or not approving Ministerial Authorizations (MAs). Also, it is possible that the rules governing domestic exploitation of our incidental collection, whatever they may be, are less permissive than those that apply to the FBI. 

I'd like to tell you more about those rules, but for me to do that, CSE would have to expedite that access to information request I have been waiting and waiting and waiting and waiting and waiting and waiting and waiting for (where one "waiting" = one year). Did I mention it has been SEVEN YEARS?

Back to the subject at hand.

We don't know if the collection activity that concerned NSICOP involves the exploitation of incidentally collected communications, or the exploitation of bulk metadata, or even that it has anything to do with CSE at all. But something involving CSE's assistance mandate does seem to me like a plausible possibility.


Are there any other clues?

Well, NSICOP did launch one review in 2022 that might have had something to do with the committee's secret report.

In August 2022, the committee announced plans to review "the legislative, regulatory, policy and financial framework for the lawful interception of communications for security and intelligence activities, the challenges resulting from the impact of rapidly changing and emerging technology, including the use of end-to-end encryption, and the limitations of the current framework faced with these challenges." The committee also promised to "examine potential risks to the privacy rights of Canadians associated with modernizing authorities in this area." 

That's clearly a much broader topic than something that could be characterized as concerns about a single intelligence collection activity, but it's possible that something the committee saw as it was starting that study led them to first produce a special report on a specific collection activity that they found especially concerning. Maybe we'll learn more if the overall review ever makes an appearance.

 

Other watchdogs

One potentially reassuring thought is that if anything too dire were going on, particularly if it involved CSE, we would likely already have heard rumblings about it from the National Security and Intelligence Review Agency (NSIRA) and/or the Intelligence Commissioner.

I'm not entirely persuaded that I should be reassured, however, because, as I noted in this blog post, there has indeed been a certain amount of rumbling going on in recent years.

In a report released to the public in April 2023, NSIRA expressed concern about an unspecified collection activity that CSE was planning to conduct in 2019, noting that “Similar activities conducted by other security and intelligence departments have been found to require an explicit statutory justification regime…. The CSE Act contains no such justification regime.” The review agency went on to state that “Although these activities have not yet occurred, there is no indication that CSE has fully assessed the ramifications – legal or otherwise – of the activities authorized in [redacted] Authorization.” It recommended that CSE “seek a fulsome legal assessment on activities authorized by [redacted] MA prior to undertaking any collection activities under [redacted] MA. The legal advice should address whether there is an implicit justification regime created in [redacted] MA.”

Also in 2023, the Intelligence Commissioner balked at approving one element of one of CSE's foreign intelligence MAs, concluding that it entailed a “much broader class of activities” than could “reasonably fit into the more limited class found in [CSE's] statute.” It's not clear in that case, however, whether any specific, actual activity was considered problematic by the Commissioner.

In both cases, the concerns expressed related to activities that were to be performed (or might potentially be performed) under CSE's foreign intelligence mandate, not its assistance mandate. It is possible, however, that data collected in the course of a foreign intelligence activity could end up also being used under the agency's assistance mandate, so if NSICOP's concerns are indeed related to assistance activities — which of course we don't know — the issues could still be related.

That said, we don't know whether NSIRA's concerns and those of the Intelligence Commissioner are related to each other in any way, or whether there is any connection between either of those concerns and NSICOP's. Maybe there's just a lot of different stuff out there to be concerned about. 

But it is possible that some specific activity or set of activities has been causing disquiet in more than one part of the oversight and review structure in recent years.

In that other blog post, I offered some different suggestions as to what specifically might lie behind NSIRA's and the Intelligence Commissioner's concerns. But I have no way of knowing whether any of my suggestions is anywhere close to the mark. (Somewhere around half my readers may know, but they don't tell me.)


Bottom-line-down-at-the-bottom-where-it-belongs:  

NSICOP was clearly concerned about the intelligence collection activity it examined last year. I get the impression that the committee was not especially satisfied with the government's response to its recommendations, but it didn't formally declare itself either way on that issue.

My suspicion is that the activity in question may have something to do with CSE and the assistance CSE provides to CSIS and the RCMP. However, that may say more about my particular interests than the actual evidence available.

It's possible that other oversight and review bodies are also concerned about whatever is taking place, but we don't know that: it is entirely possible that the specific cases I cited above relate to completely separate matters. If NSIRA hasn't already looked at the issue that NSICOP addressed, it probably should.

Everyone's attention is focused on foreign interference right now, and understandably so. But it would be a shame if the questions around this unidentified intelligence collection activity are left unresolved.

If one of the key purposes of bodies like NSICOP, NSIRA, and the Intelligence Commissioner is to ring a bell when something less than wonderful is going on in the secret spaces of the state, we can certainly say that this year has been one of the system's most successful. 

But the ultimate purpose of those bodies is to spur action both to protect the rights of Canadians and to improve the security and intelligence programs they examine — and for that action to be seen to have taken place by the Canadian public. 

In this case, it very much remains to be seen whether sufficient action has taken or will take place.


("Hush Most Secret" photo credit: Dr. Helen Fry)

Wednesday, June 05, 2024

Intelligence Commissioner addendum

One more issue I meant to raise in my recent blog post concerning the Intelligence Commissioner's 2023 annual report:

In that report, Intelligence Commissioner Noël wrote that “in the past year I did not approve a [CSIS-related] ministerial authorization and only partially approved others [relating to CSIS and CSE] because the scope of proposed activities was too broad. After considering the rationale for my decisions, the agencies involved submitted revised requests for authorization to undertake certain activities. New ministerial authorizations — setting out a more limited scope of activities and more detailed reasons to justify the activities — were provided for my review and ultimately, approval.” 

It is unclear, at least to me, what this means for the three CSE foreign intelligence ministerial authorizations that were only partially approved in 2023. The chart on page 32 shows those three partially approved authorizations (along with the three fully approved cybersecurity authorizations), but it doesn't show that three new foreign intelligence authorizations subsequently replaced the partially approved ones.

Were there actually six foreign intelligence authorizations approved during 2023 (albeit with just three in force at any time)?

If so, will the Commissioner's decisions with respect to the later three also be declassified and eventually posted on the IC website?

Also, is there a way to be clearer about reporting the actual number of authorizations approved while still indicating the number in force at any time?