Sunday, June 19, 2022

NSIRA report on Avoiding Complicity in Mistreatment by Foreign Entities

On May 19th, NSIRA released the declassified version of its Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities (NSIRA Review 2019-06). Ministerial directions were issued to a number of Canadian departments and agencies in 2011 and, later, in 2017 on managing the risks of information sharing with other countries; these MDs were subsequently replaced by the provisions of the Avoiding Complicity in Mistreatment by Foreign Entities Act in 2019. NSIRA's review looked specifically at the actions taken by the six departments and agencies that received the 2017 MD, including CSE, which unsurprisingly is the agency I'm going to focus on here.

CSE comes out looking good in this report. While NSIRA noted deficiencies in the way many of the six organizations handled this issue and made a series of recommendations applicable to all of them, CSE was broadly seen as having done well in meeting its obligations.

I have to say I don't find this result greatly surprising, as two and a half decades of review by OCSEC and now NSIRA have made CSE highly conscious of the importance of ensuring that ministerial directions and other legal requirements are clearly reflected in internal policies and procedures and that compliance with those policies and procedures is effectively monitored and documented.

(This is not to suggest that reviews no longer find matters of this kind — they're still among the most common issues raised by CSE's watchdogs. But the agency has come a long way over the years in aligning its policy regime and paperwork with actual existing practice.)

What I mostly want to highlight about this report is not compliance questions, but the evidence it provides of the long way CSE has yet to go on the transparency front.

Let's look specifically at page 22 of NSIRA's report, where the annex related to CSE begins. 

 For reasons mysterious to me, CSE evidently insisted on redacting the following non-secrets: 

 

● that CSE's process under the 2011 Ministerial Directive excluded review of normal information-sharing with the Five Eyes;


 

● that prior to 2017, CSE's ITS (i.e., cyber) side and its SIGINT side each conducted Mistreatment Risk Assessments (MRAs); 


 

● that the Corporate and Operational Policy Section of CSE, which now performs these assessments for the entire agency, is or at least was known internally by the alphanumeric designator D2 (and, more specifically, the sub-unit responsible was D2A);



 

● and that the CSE branch that contains D2 is Policy and Communications, under the direction of the Deputy Chief, Policy and Communications (DC PC) (listed as Director General, Policy and Communications (DG PC) in the out-of-date chart shown below).


 

Was it really necessary for CSE to insist on redacting all that information from NSIRA's report? If it was, then maybe they shouldn't have revealed it all already.

 

Something useful is learned

Happily, it's not all blank spaces and black holes.

On the useful information front, I've wondered for some time how CSE finessed the Five Eyes issue in the years since the 2017 Ministerial Directive appeared, since that version and the subsequent 2019 Avoiding Complicity Act contain no Five Eyes exception. 

Here the report is actually quite helpful. Although it doesn't make the Five Eyes connection explicit, the report reveals that CSE does two types of mistreatment risk assessment: case-specific ones and annual ones, the latter of which are "used to exclude countries from the normal MRA process".

I don't think there's much question which countries' boxes get ticked every year for that.


Friday, May 27, 2022

Intelligence Commissioner 2021 Annual Report

The 2021 annual report of the Office of the Intelligence Commissioner (ICO) was tabled in Parliament on May 5th. From the perspective of this blog, the most interesting news in the report was that one of the three Foreign Intelligence Authorizations (FIAs) granted to CSE by the Minister of National Defence in 2021 was only "partially" approved by the Intelligence Commissioner (IC). This marks the first time since the 2019 passage of the National Security Act, 2017, which created the current oversight regime, that an FIA has not been fully approved.

FIAs enable CSE to conduct its foreign intelligence program by legalizing aspects of its SIGINT collection activities that would otherwise be illegal, such as intercepting "private communications" or breaking into computer systems to steal information. CSE typically receives three FIAs per year, each valid for a one-year period. The exact subjects of those FIAs are classified, but collectively they cover the full range of CSE collection activities, probably grouped into computer network exploitation, various kinds of radio intercept activities, and cable collection operations. The authorizations are vital to CSE because, without them, the agency would be unable to collect intelligence under its foreign intelligence mandate without running the risk of violating the law.

FIAs are issued by the Defence Minister, but they only come into force if the Minister's decision is approved as "reasonable" by the IC. In 2021, for the first time, the IC did not fully approve one of CSE's FIAs. In the case of one particular activity covered by one of the FIAs, the Commissioner judged that "the Minister's conclusions lacked information on the nature of the activity described and on how such activity would be reasonable and proportionate. The IC was of the view that the Minister’s conclusions did not bear the essential elements of reasonableness: justification, transparency, intelligibility and did not establish whether they were justified in relation to the relevant factual and legal contexts." As a result, the IC "determined that he must not approve the Foreign Intelligence Authorization relating to this specific activity."



 

 

 

 

 

 

 

 

 

So, what exactly was the CSE activity that didn't make the cut? Those of you who are familiar with watchdog reports will know better than to expect the IC to reveal that information to us — or, perhaps more correctly, know better than to expect CSE to permit the IC to reveal it to us. Whether the activity in question is a secret legitimately worth keeping or one of those everyone-knows-we-do-it-but-we-obstinately-refuse-to-admit-it secrets we may never know.

Interestingly, however, in its 2020 annual report (released to the public in December 2021), the National Security and Intelligence Review Agency (NSIRA) also raised concerns about an unidentified CSE activity that at least conceivably could be the same program.

In that case, NSIRA recommended that "CSE should seek a fulsome legal assessment on activities authorized by a specific Foreign Intelligence Authorization prior to undertaking any collection activities under this ministerial authorization (MA)." In its response to NSIRA, CSE accepted the recommendation "in principle" but seemed to suggest that it had already done sufficient legal assessment of the activity.

Similarly, in declining to approve the particular activity that was of concern to the IC, the Commissioner stated (among other points) that the Minister's conclusions "did not establish whether they were justified in relation to the relevant ... legal contexts."

NSIRA also appears to have been concerned about the reasonableness and proportionality of CSE's planned activities, as CSE's response to NSIRA specifically noted CSE's belief that, in its view, the activities were "reasonable and proportionate". For its part, the IC stated that "the Minister's conclusions lacked information ... on how such activity would be reasonable and proportionate."

Were the two watchdog agencies talking about the same proposed activity?

We don't know. But if they were (and this is just an "if"), a couple of points are worth noting.

First, as the NSIRA report reveals, the activity in question is something comparatively new to CSE, "enabled since the CSE Act" (which was passed in 2019), and it had not yet begun operations at the time of NSIRA's examination. This suggests the possibility that it also may not have been in operation during the time the IC looked at it, which would mean that CSE did not have to shut down an active program when the authorization for it was refused. (This might also explain why no additional or amended FIA was presented to the IC later in the year to get the activity back in operation — it wasn't ready to go anyway.)

It might seem strange that an authorization would be sought for a program that isn't ready to go into operation, but it has been known to happen under the previous (pre-2019) ministerial authorization regime. Presumably, the goal of such early approvals is to have the authorization already in place when the program is ready to begin, and perhaps also to check whether the program is in fact likely to receive authorization before a large amount of time and money has been expended on its development and installation.

The second point worth noting is that this may represent a concrete example of NSIRA and the IC working together, sharing information and highlighting issues of importance or concern to one another. This information sharing, although limited largely to certain types of formal reporting, was one of the benefits that was foreseen when the new review and oversight regime was created in 2019.

The IC report contains a brief description of how this kind of cooperation works: "The IC must provide a copy of his or her decisions to NSIRA in order to assist it in fulfilling its review mandate. In addition, the IC is entitled to receive a copy of certain reports, or parts of reports, prepared by NSICOP and NSIRA, if they relate to the IC’s powers, duties or functions."

It goes on to add: "In 2021, the IC received one such report from NSIRA."

But if that report had anything to do with the CSE foreign intelligence authorization discussed here, they're not telling us.

Presumably CSE at least knows whether there is a link between the two watchdogs' concerns. If they are linked, maybe CSE has now revisited its somewhat dismissive response to NSIRA's recommendation.

 

Partially reasonable

As I noted above, this was the first time that the IC approved an FIA only in part. But it didn't come as a complete surprise, as the possibility of such a decision was flagged in both of the IC's previous reports: in both documents, the table summarizing the Commissioner's decisions contained a column labeled "Partially Reasonable" that clearly implied partial rejections were possible.

If you look up the Intelligence Commissioner Act, you will see that s.20(1) offers the Commissioner just two courses of action: approving the authorization or not approving the authorization. It doesn't say anything about approving most of the bits while rejecting other bits. So, in all honesty, I don't understand the statutory basis for this procedure.

But the Intelligence Commissioner obviously does see a basis for this approach, CSE shows no sign of disagreeing with him, and other people who — very much unlike me — have an actual understanding of Canadian national security law and statutory interpretation are comfortable with it too. So I classify this in the category of things-that-clearly-work-that-way-even-though-I-don't-really-understand-why.

And it does seem like a practical approach. It would obviously be undesirable to have large, multi-program authorizations like these refused every time there was a problem with one small element within them. We also wouldn't want the IC to be tempted — or to feel pressured — to let legitimate concerns about particular programs slide for fear of the broad disruption that a refusal might cause. 

An alternative approach would be to require a separate FIA for each separate information collection activity that CSE wished to conduct. But depending on how those activities were broken down, that could lead to a significantly large number of authorizations, each of which would need to be reviewed and signed by the Minister and then considered by the Commissioner. That would create a great deal of additional paperwork, but it's not clear that it would have any actual advantages over the current approach.

 

More transparency to come?

Last year's IC report promised that "the ICO will explore the possibility of publishing redacted and translated versions of the IC’s decisions on the ICO website." This year's report contains an update on that initiative, noting that "the ICO has made considerable efforts to publish the IC’s decisions on the ICO website. The ICO is working towards having the decisions available online as soon as feasible."

Presumably the delay is primarily the result of CSE's on-going reluctance to countenance the publication of any information the public might find remotely informative. It will be interesting to see what, if anything, is eventually permitted to appear on the ICO website. Among other possibilities, maybe at that point we'll learn if this year's partial rejection was related to the same program that prompted concerns at NSIRA.

 

Media coverage

As far as I can tell, the ICO report received no media coverage.

But Christopher Parsons' detailed Twitter thread looking at aspects of the report is well worth reading. See also this update to the thread, in which the ICO explains the statutory basis for its approach to authorizations. 

Since Chris's Twitter posts don't last forever, he has generously suggested that I also reproduce the ICO's reply here:




Wednesday, May 25, 2022

History of the Examination Unit

Set up during the Second World War and housed in the National Research Council, the Examination Unit (XU) was Canada's first cryptanalytic agency.

The XU was shut down in the closing days of the war, but elements of it were combined with related armed services SIGINT units to create the Joint Discrimination Unit, which evolved in 1946 into Canada's post-war SIGINT agency, the Communications Branch of the NRC (CBNRC), now known as the Communications Security Establishment. The XU was thus a direct ancestor of today's CSE.

A classified internal history of the XU was compiled under the editorship of Gilbert de B. Robinson, a Canadian mathematician who helped to establish the unit, worked on its staff, and served as its final director.

That 222-page document has long sat available in full to researchers on the shelves of Library and Archives Canada, but the only copy accessible on the Internet (through this blog) was a highly redacted version released more than 30 years ago through an Access to Information request. 

That sad state of affairs ends today. Here is the document in its entirety:

A History of the Examination Unit, 1941-1945 (61 MB PDF)

My thanks to the family of Examination Unit staff member David Hayne for sharing the hard copy with me.

Wednesday, January 12, 2022

A year of Canadian SIGINT history posts

2021 was the Communications Security Establishment's 75th anniversary year. Every day during that year, I posted a Tweet highlighting an item related to Canada's SIGINT activities that had taken place on that date, using the hashtag #CSE75. Most of the items related directly to CSE (or to CBNRC, the Communications Branch of the National Research Council, as CSE was known until 1 April 1975), but there were also a lot about Canada's broader SIGINT history, including many related to the Second World War and even earlier.

It was my hope that, in addition to being interesting in themselves, these Tweets might encourage, or maybe shame, CSE itself to be more open about its past. 

The agency did add a small amount of material about its history to its website during the year, making related Twitter posts using the bilingual hashtag #CSE75CST. But I'm quite sure my efforts had nothing to do with any of that (except for the fact that a number of CSE's items clearly drew in part from information previously published on this blog).

You can still find my #CSE75 posts on Twitter, but I thought it might be interesting and maybe in some way useful to compile them in one place here. They're pretty much as I originally posted them, but I have taken advantage of the blog format to spell out some of the acronyms, correct a couple of typos, and add a bit more explanatory text in a few places.

My plan with #CSE75 was to post something interesting about Canada's SIGINT history for each day of the year. The result is not a comprehensive list of the most important developments in that history. In many cases multiple important events have occurred on the same day of the year, and in other cases the month or year of an event may be publicly known but the exact date is not. Many key developments are more in the nature of processes, to which it is difficult or perhaps meaningless to assign a date. And of course many of the most important events are probably ones of which we in the public are not even aware. 

In some cases I had to stretch a bit to find something interesting to report for a specific date, resorting, e.g., to examples of routine activities by or related to the agency that occurred on that date. But I think those items also help illuminate Canada's SIGINT history.

With those caveats in place, here's the list:

Read more »

Wednesday, December 22, 2021

NSIRA 2020 Annual Report

NSIRA's 2020 Annual Report was tabled on December 10th, 2021. 

I'll try to write a post on the CSE-related items in the report eventually, but in the meantime you can find the great bulk of what I'd probably say—and a lot of additional insights—in Chris Parsons' commentary here. Chris also addresses the non-CSE-related parts of the report, so at his site you get a full-service analysis!

Thursday, December 09, 2021

CSE 2020-2021 Annual Report

CSE's 2020-2021 Annual Report was released on 28 June 2021, and although I discussed the document on Twitter then, it's about time I got around to commenting on it on this blog as well.

 

Improvement over 2019-2020 report

CSE's 2020-2021 report is considerably more informative than its 2019-2020 report, which was the agency's first attempt at responding to the CSE Act's requirement to produce one. The new report contains about two and a half times as much text as the first one, and while that may be no guarantee of more signal among the noise, in this case it's fair to say that there has actually been some improvement.

As before, however, most of the information provided relates to CSE's cyber security efforts, which account for only about 30% of the agency's resources. The remaining 70% of CSE's resources go to CSE's signals intelligence (SIGINT) side, about which the agency prefers to say as little as possible. Even less is said about CSE's new cyber operations mandate.


SIGINT and cyber operations 

It's inevitable that much about intelligence-gathering and covert-action kinds of activities must remain secret, but the paucity of information here is still disappointing.

CSE's cyber operations mandate was granted only in 2019, and how those powers are used will form a key part of Canada's contribution to determining the future of cyberspace. We already knew that some number of such operations had been authorized; the only new thing we learn in this report is that some have actually been conducted. (More recently, CSE has acknowledged that cyber criminal activity was one of the targets of those cyber operations.)

By contrast, partner agencies such as NSA, GCHQ and Australia's ASD have given specific examples of the operations they undertake, and some of those governments engage in detailed public discussions of appropriate strategies, laws, and norms for cyberspace.

Information on CSE's SIGINT activities is also pretty scant. 

Last year, the National Security and Intelligence Review Agency (NSIRA) decided against publishing a number of statistics about CSE's SIGINT program that formerly had been published by OCSEC, CSE's previous review agency. Since the publication of those statistics had in all cases been approved by CSE, it is evident that no security grounds would prevent their publication by CSE itself. Surely, therefore, CSE's report contains that information at least.

I jest of course.

Read more »

Friday, December 03, 2021

Recent book chapters

In addition to Stress Tested, I have also contributed chapters to two other books published in the last year.

I wrote the chapter on the Communications Security Establishment for Top Secret Canada: Understanding the Canadian Intelligence and National Security Community, "the first book to offer a comprehensive study of the Canadian intelligence community, its different parts and how it functions as a whole." 

The CSE chapter provides a basic introduction to the agency, its mandate and resources, and some of the important questions about its operations and how they do or don't relate to Canadians.

Published by the University of Toronto Press in March 2021, the book is currently on sale at the UTP website for half price.

I also contributed a chapter to Big Data Surveillance and Security Intelligence: The Canadian Case, which was published by the University of British Columbia Press in December 2020.

As I noted here, my contribution is a bit of an outlier since CSE is not actually a security intelligence agency (although of course it does work closely with CSIS), and my chapter, "From 1967 to 2017: CSE's Transition from the Industrial Age to the Information Age," is much more a "history of the present"—how CSE got where it is today—than a discussion of its current Big Data activities. 

However, I think it does serve as a reasonable lead-in to another chapter in the book, written by Scott Thompson and David Lyon, that does look at CSE and Big Data.

The book can be purchased at the UBC Press website. Alternatively, you can download a rather messy and inconvenient—but free—open-access version of the book using the link near the bottom of this page.

Monday, November 29, 2021

Stress Tested

An open-access PDF version of the book Stress Tested: The COVID-19 Pandemic and Canadian National Security is now available at this link

Edited by Leah West, Thomas Juneau, and Amarnath Amarasingam and published by the University of Calgary Press, Stress Tested addresses "topics including supply chain disruptions, infrastructure security, the ethics of surveillance within the context of pandemic response, the threats and potential threats of digital misinformation and fringe beliefs, and the challenges of maintaining security and intelligence operations during an ongoing pandemic," all with a focus on Canada's experience. 

It looks like there's a lot of interesting reading in the book — and once you're done with that you can also check out the chapter that I contributed, "Collection and Protection in the Time of Infection: The Communications Security Establishment during the COVID-19 Pandemic" (pages 127-144). 

The friendly folks at CSE were, as usual, parsimonious with the information, but I wrote some stuff anyway. 

You can find more information about the book, and order a hard copy, here

 

Update 3 December 2021: See here for other recent CSE-related chapters I've written.


Saturday, June 26, 2021

NSIRA review calls into question legality of identity disclosures

On June 18th, the National Security and Intelligence Review Agency (NSIRA) released the public version of its report on a review the agency conducted in 2020 of CSE's disclosure of Canadian Identity Information to government of Canada clients. NSIRA concluded that CSE’s disclosure regime "may not be in compliance with the Privacy Act", and thus the review agency "submitted a compliance report" to the Minister of National Defence. Although couched in tentative terms, this conclusion is probably about as close as NSIRA is likely to get to saying that CSE broke the law.

OCSEC, the agency that reviewed CSE prior to NSIRA's creation in 2019, made a similar finding only once in its 23 years of existence. That case concerned metadata sharing with foreign partners. It's starting to look like NSIRA, which is still less than two years old, may be considerably more inclined to call out activities that it feels fall short of legal compliance than OCSEC was.

What is the significance of "Canadian Identity Information"?

Canadian Identity Information (CII) is any specific piece of information that can identify a Canadian citizen, permanent resident, or corporation incorporated in Canada, including but not limited to names, phone numbers, email addresses, IP addresses, and identifiers such as passport numbers. Except when operating under Part C of its mandate (discussed below), CSE is only permitted to target foreign entities (persons, groups, corporations) located outside Canada. But sometimes the information obtained by that targeting, or by various types of untargeted collection, contains information about Canadians, potentially including identity information. A foreign target might communicate with a person in Canada, for example, or two foreign entities might discuss information pertaining to a Canadian. Such information may be used in CSE foreign intelligence or cybersecurity reports or otherwise retained by the agency if it is assessed as being "essential" to "international affairs, defence, security or cybersecurity". But normally CII may only be included in those reports if it is "suppressed", which means replaced in the report by a generic reference such as "a Canadian person" or "a Canadian company". Client departments can request that CSE provide them with the information that was suppressed if they have the lawful authority and a suitable operational justification for receiving it.

CII releases were insufficiently justified

NSIRA looked at CSE's record of disclosing CII to Canadian government clients from 1 July 2018 to 31 July 2019, and it did not like what it saw. Over that thirteen-month period, CSE received requests from 15 departments for disclosure of a total of 3708 Canadian identifiers that had been suppressed in reports by CSE or its Five Eyes partners; 3671 (99%) of the identifiers were disclosed to the requesters.

After a closer examination of a sample of the requests accounting for 2351 identifiers, NSIRA found "69% [of the requests] to be justified, 28% to be insufficiently justified to warrant the release of CII, 2% that could not be evaluated, and 1% that CSE denied." (Note that NSIRA did not conclude that these 28% could not be justified, but simply that they had not been sufficiently justified.) NSIRA also found information disclosed by CSE that hadn't even been requested: "NSIRA observed cases where CSE disclosed Canadians’ names and other personal information even when the recipient only asked CSE for a company’s identity."

Disclosures to CSIS, the RCMP, and the Canadian Border Services Agency (CBSA), which accounted for about half of the sample, were considered by NSIRA to be generally appropriate, "with some exceptions." This suggests, however, that half or more of the releases to the 12 other client departments were not considered sufficiently justified. NSIRA recommended that CSE cease disclosing CII to clients other than CSIS, the RCMP, and the CBSA until it addressed the findings and recommendations contained in the review. Such clients would include major intelligence consumers such as Global Affairs Canada and the Privy Council Office, as well as lesser users like Innovation, Science and Economic Development Canada.

Section 16 reporting

Some of the CII released by CSE was derived from information collected in support of CSIS Act s.16 collection of foreign intelligence within Canada. This information is normally collected under the aegis of Federal Court warrants issued to CSIS, and in some cases CSIS asks CSE to help with its collection or processing. CSE sometimes also reports some of the resulting information through its own foreign intelligence reporting channels. If, for example, a CSIS s.16 operation is established to monitor the communications of the South Korean embassy for economic intelligence purposes, as was done in the 1990s, it is CSE that does most or perhaps all of the processing and reporting of the resulting intelligence.

According to NSIRA, the procedures that CSIS uses to limit the release of CII acquired under s.16 are significantly stricter than those applied by CSE in its releases, and as far as NSIRA could tell the Court was not aware that CSE's laxer practices were also being applied to the information collected under its warrants. NSIRA therefore recommended that the Federal Court be fully informed of CSE’s disclosure practices and that, in the interim, CSE cease disclosing CII collected under s.16. In January 2021, CSIS did give the Court a copy of NSIRA's classified report. What happened in the interim and what actions the Court may subsequently have taken are not revealed.

Misleading statements to parliament

NSIRA also commented that CSE's 2018 testimony about s.16 activities to a parliamentary committee was "not a complete representation of the lifecycle of information collected by CSE in its assistance", in that it failed to acknowledge CSE's use of information collected through CSIS s.16 activities. CSE's resort to what I call "secret asterisks" in its public statements about Mandate C activities has long been a source of fulminations on this blog, so it's good to see some attention to this aspect of CSE's public communications.

CSE's response

According to NSIRA, CSE accepted all of the recommendations made in the report. An unclassified version of CSE's response was helpfully made available with the report.

It is evident from that response, however, that CSE disputed NSIRA's characterization of its disclosure practices, arguing that CSE's actions were actually fully compliant with the Privacy Act. It is unclear whether the Minister of National Defence, who forwarded NSIRA's compliance report and CSE's response to Attorney General David Lametti, agreed with CSE's position on the issue or simply washed his hands of it (as he so often seems to do). We also have no information about what the Attorney General did with this information.

It may be that CSE felt a bit blindsided by NSIRA's conclusions. In its defence the agency noted that, "In his final 2018-2019 review, the [CSE] Commissioner confirmed that CSE’s disclosures of CII complied with the law and were done in accordance with ministerial direction."

But it's worth recognizing that even that review expressed serious concerns about CSE's CII practices:

In just under 20 percent of requests, clients provided operational justifications that were generic. CSE explained that generic justifications had been developed in discussion with clients and tested over time. CSE also explained that its analysts learn its clients’ mandates, authorities and requirements. However, the Commissioner’s office believes these generic requests could not be described as robust, as required by CSE policy, because they did not provide an important element required for approving a client’s disclosure request: the requestor’s specific reason for the Canadian identity information. CSE believes these generic requests meet the minimum requirements of policy. However, because the requests contain generic justifications that did not sufficiently outline the requirement for the suppressed information, they failed to meet the Commissioner’s office’s expectations for justifications of Canadian identity information disclosures.

For reference, this is what a Request for Release of Suppressed Information form looks like for CII suppressed in foreign intelligence reports (or at least what it looked like in 2014):

The redacted section contains 13 possible generic justifications for why the requested information is required, the first of which (we know from an earlier release) is "capabilities/intentions/activities of a foreign person, state, organization or terrorist group relating to international affairs, defence or security". The requestor is asked to mark those justifications that apply with an X.

If the process for the release of suppressed information still uses this form or something much like it, then frankly it's not obvious to me how any of the other 80% of requests (or 69% of requests by NSIRA's count) provide robust, specific justifications either. Maybe in those cases the necessary details were provided in the answers to questions 2 and 3.

One nice thing about CSE's response: for the first time since 2011, the agency seems to have given us a reasonably accurate list of the broad Canadian intelligence priorities the agency responds to: "from support to Canadian military operations, [to intelligence about] espionage, terrorism and kidnappings to geostrategic concerns, cyber threats, foreign interference and global crises, among others."

Now, these may all sound rather obvious, and that's exactly what they are, but that hasn't stopped CSE from treating them like life-and-death national secrets in the recent past, so maybe we can take this step as a small sign of progress in the agency's long struggle to learn the difference between things that really do need to be secret and everything else.

Back to the report...

It would be useful if the full list of recommendations made by NSIRA were clearly laid out in the report, in as close to the original wording as declassification permits, to help the public keep track of them. According to the background notes on NSIRA's website, NSIRA made 11 recommendations in this review. It is possible to work out the gist of six or so of these recommendations from the text of the public version, but the rest have been left as a mystery. Maybe the others were rolled into the recommendations provided, but who can tell?

When NSIRA promised to proactively release public versions of its classified reports instead of force researchers to go through the tediously slow and frustrating Access to Information process in order to get a usefully detailed view of what the review agency had to say, I was hopeful that a major improvement in transparency was on the way. The unclassified version that NSIRA released is considerably more detailed than the summaries that were formerly published in OCSEC's annual reports, and it's notable that it includes the first published data on the number of CII items disclosed by CSE (as opposed to the number of requests). This is to NSIRA's and CSE's credit. Kudos also for publishing the report as a searchable PDF and making an unclassified version of CSE's response available. But in the absence of a proper summary of the report's findings and recommendations, it looks like people like me will still be stuck using the Access road.

[Update 22 December 2021: NSIRA's 2020 Annual Report, released on December 10th, reproduces all 11 of the review's recommendations in slightly sanitized but still useful form. It also does this for the other reviews completed during the year, along with the target agency's responses up to that point. NSIRA also states in the report that it "intends to publish and track such information from all reviews on its website." It's great to see NSIRA adopt this approach, and I hope (and expect) that in future NSIRA will also reproduce its recommendations in the released versions of its individual reviews.]

One of the other benefits that I had hoped to enjoy as a result of proactive release was greater timeliness. In this case, the original classified report was submitted to the Minister of National Defence on 25 November 2020, which means it took nearly seven months for this summary to be released. Yes, there's a pandemic going on. But let's hope post-COVID releases will be able to reduce that lag time considerably.

News coverage and commentary:

Jim Bronskill, "Canada's cyberspy agency may have broken privacy law, intelligence watchdog says," Canadian Press, 18 June 2021.

Alex Boutilier, "Spy agency may have broken privacy laws in sharing Canadians' information, watchdog says," Toronto Star, 18 June 2021.

Christopher Parsons, "NSIRA Calls CSE’s Lawfulness Into Question," Technology, Thoughts & Trinkets blog, 18 June 2021.

Intrepid podcast: Episode 161: Review of Review: NSIRA Calls Out CSE and CSIS, uploaded 30 June 2021.


Update 28 June 2021: The original version of this post stated that the CII requests that NSIRA examined were made over a four-year one-month period. While NSIRA did look at some of CSE's disclosure practices over that longer period, the statistics pertaining to identifiers requested and disclosed covered just thirteen months, from 1 July 2018 to 31 July 2019.


Sunday, March 28, 2021

Spy agencies, COVID-19, and parking lots

In Canada and many other countries around the world, most government agencies reacted to COVID-19 by directing the bulk of their employees to work from home. But this option was not available for the majority of those working for intelligence agencies because most of their work is too highly classified to be done outside special high-security offices known as secure compartmented information facilities (SCIFs). So I was curious how Canadian agencies such as CSE and CSIS, and CSE's Five Eyes counterparts, addressed this problem. Did they keep a large part of their workforce at home at various points during the pandemic? Did they move people to off-hour times such as weekends and nights? How long did these changes go on for?

When you ask Canadian agencies questions like these the OPSEC klaxons sound, public affairs officials cry out in terror and are suddenly silenced, and a great and impenetrable darkness falls over the land. It can be pretty awkward. But it occurred to me that publicly available satellite photos might provide at least partial answers to some of these mysteries. Specifically, satellite photos of agency parking lots. As it turns out, you can learn a fair bit about how these agencies responded to COVID-19 by looking at their parking lots.

For this blog post I analyzed satellite photos of the parking lots at CSE headquarters, CSIS headquarters, Canadian Forces Station Leitrim, NSA Fort Meade, and GCHQ Cheltenham. With the exception of CSE (which uses a parking garage for most of its parking), roughly the same pattern can be seen at all of these sites: a sharp reduction in parking lot use around late March 2020 as the first wave of the pandemic struck, greater but still reduced occupancy in May and June 2020, and a return to full lots by the end of the summer of 2020. There is very little evidence of reduced parking lot use during the winter 2020/2021 wave of the pandemic.

PARKINT complications

Before we get into all that, though, we need to consider the connection between parking lot occupancy and building occupancy.

The first thing to recognize is that very few buildings have enough parking spaces for everyone who works in the building. Most of these agencies maintain at least a small 24/7 operations capability, which means not everyone is in the building at the same time. And even on the main Monday to Friday day shift, some percentage of the workforce is typically expected to take public transit, walk, ride a bike, carpool, or otherwise get to work without taking up a space in the parking lot. In some cases the parking available on site is insufficient even for that lower level of demand, and some of the workforce ends up parking on neighbourhood streets, sometimes leading to local tensions.

A second complication is that there is no standard ratio between the number of people in a building and the number of parking spaces provided. Agencies whose sites are located far from most housing and are poorly served by public transit may provide parking for nearly everyone who works there. Those located in cities well served by transit, on the other hand, may insist that a large percentage of their workers leave the car at home. Even agencies located beside one another, like CSE and CSIS, may differ in the amount of parking they provide per employee.

Third, if a reduction in the number of people working in the office frees up parking spots, employees who ordinarily would not have driven may switch to their cars to take advantage of the availability of spots. This tendency is likely to have been especially strong during the pandemic, when many people will have wanted to avoid using public transit. As a result, the number of people occupying a building can probably drop quite significantly before the parking lot becomes less than completely occupied.

This also means, however, that if large vacancies do appear in the parking lot, it's a safe bet that a very substantial reduction has taken place in the number of people coming in to the office at that time.

What is more difficult to decide is whether those reductions reflect a switch to work at home or just a change in the specific hours of the day being spent at the office. Satellite photos are typically taken within a few hours of mid-day and it is rare to get more than one photo on any given day, so evidence of reassignment to other shifts is mostly indirect. The question can be answered in part, however, by checking whether significant changes have occurred in daytime attendance on weekends.

Finally, a significant part of the agency's parking may be provided by parking garages, which obviously pose a major problem for analyses based on satellite photos. As mentioned above, this was specifically a problem for assessing CSE.

Suitable imagery

Another problem is accessing suitable imagery. Satellite images like those available on Google Earth are typically very high in resolution, making individual vehicles easy to count, but such images are not updated nearly often enough. The latest Google Earth imagery for Ottawa, for example, dates from 2018. You can easily purchase more up to date imagery from commercial providers, but that option is not available to those who, like me, are working with a budget of zero.

Fortunately, there is a class of regularly updated, lower-resolution, free imagery available that is suitable for our purposes — if barely. At 10 metres per pixel, individual vehicles cannot be seen in Sentinel-2 images, but it is usually possible to tell the difference between occupied and unoccupied parking lots, as can be seen in these images of the lots at NSA headquarters. (See map showing the lots here.)

Even better is the 3-metre imagery collected by the Planetscope Dove satellites, which Planet Labs makes available to university-affiliated researchers through its Education and Research Program.

In principle, publicly available synthetic aperture radar (SAR) imagery could also be used to assess parking lot occupancy, and because SAR images are not dependent on daylight and thus can be taken at different times of the day, such images might be helpful in determining whether a significant part of an agency's workforce had switched to working at night. However, a brief survey of available Sentinel-1 SAR imagery did not turn up any images useful for this project.

Assessing the data

OK, so let's get on with it.

Stretching outwards from the main NSA headquarters buildings at Fort Meade, Maryland, is a vast expanse of parking lots covering around 30 hectares and containing roughly 10,000 parking spots. On normal weekdays, those lots are filled to full capacity, as demonstrated by the Planet Labs image below, taken on Monday, 16 March 2020, just as the pandemic's first wave was beginning to strike with force but before the U.S. government had begun telling its employees to stay out of the office.

By contrast, by the time the Planet Labs photo below was taken on Thursday, April 2nd, parking lot occupancy at NSA had plummeted by perhaps 80 percent, where it remained until roughly the end of June. This suggests that at least 8,000 (and probably actually many more) NSA employees, military personnel, and contractors who normally would have been in the buildings were told to stay home during this period.

Or maybe not to stay home, but instead to move from their normal daytime hours of work to different hours when fewer people would be in the complex. Like the other Five Eyes agencies, some parts of NSA run 24 hours a day, seven days a week, and thus there are always some vehicles in the agency's parking lot, but the overall number of shift workers is small in comparison to the day workers.

Imagery taken over the last year confirms that weekend parking lot occupancy has remained at its normal low level throughout the pandemic, indicating that there was no significant shift of Monday to Friday work to the weekends at NSA. However, the unusual distribution of vehicles in the lots during weekday images such as the one taken on April 2nd suggests that more than one large daily shift may have been used from Mondays to Fridays during the first wave of the pandemic. When parking lots are mostly empty you expect to see the vehicles that are there clustered around the entrances to the buildings, but as can be seen in the April image many are a considerable distance from the doors. This probably means there were already a lot of vehicles in the lot when the drivers of the ones seen in the image arrived to start their shifts. This pattern was evident in all the weekday images taken in the April to June period. According to this report, some elements of the U.S. intelligence community did adopt a two-shift day during the early months of the pandemic. It looks like NSA may have been one of those agencies.

By contrast, images from July and August show much higher occupancy in the NSA lot, perhaps 80%, which is still significantly below the pre-pandemic level but suggests that the workforce was back to a single main shift by this time. Weekday use of the lot increased further in September, rising to essentially full occupancy by the end of that month. It has remained there ever since, showing no reduction even during the peak of the winter 2020-21 wave of the pandemic.

As noted above, the relationship between parking lot occupancy and building occupancy is not straightforward. Despite the lot being full, occupancy of the buildings may still have been quite a lot below normal during this later period. It is safe to say, however, that no fewer than 10,000 people were in the complex during normal weekday hours during this period, and the number was almost certainly much closer to normal occupancy than that.

(What is that normal occupancy? If I had to guess, I'd say probably around 15,000, give or take a few thousand. But that is just a guess.)

Evidently, by the time the second wave was taking place, NSA felt that physical distancing measures and modifications to work stations and/or work practices were sufficient to enable a large percentage of its workforce to return to the office safely.

GCHQ

A broadly similar pattern can be seen at GCHQ's headquarters building, commonly called the Doughnut, in Cheltenham, U.K. The Doughnut is surrounded by about 7.5 hectares of parking containing around 3,000 parking spots (see map). Prior to the pandemic, all of those spots would be filled on a normal workday, as shown in the Planet Labs image on the left from Friday, 6 March 2020.

By the time the Planet Labs image on the right was taken, on Thursday, 26 March, parking lot occupancy had fallen to about 50%, which probably corresponded to a drop of more than 50% in the workforce in the building at any time. In mid- to late June we see parking lot use start to climb again, rising to around 80% in mid-September and perhaps 95% at the beginning of October.

Due to frequent cloud cover and low light levels, good imagery is somewhat sparse during the subsequent winter months, but the GCHQ parking lots appear to be 100% occupied no later than Thursday, 26 November, and they seem to have remained that way throughout the following months. Like NSA, there is no sign of a significant shift to weekend work at any point during the pandemic. Also like NSA, the fact that the GCHQ parking lots are back to full occupancy does not necessarily mean that the full workforce is back to normal work hours in the building. It is likely, however, that the great majority were back during most of this period.

Canadian sites

The headquarters of the Canadian Security Intelligence Service, located at the corner of Blair and Ogilvie roads in east Ottawa, has about 3 hectares of parking, but the odd shape of the lot limits its capacity to about 900 vehicles (see map). Planet Labs imagery from Monday, 16 March 2020 (left), shows the lot more or less fully occupied, but by Friday, 27 March (right), occupancy had fallen to roughly 60%, suggesting an even deeper reduction in the number of personnel in the building.

Occupancy of the lot remained at that lower level until the summer, when it began to rise again. By early July, up to 90% of the lot was typically filled, and since the fall it has been back to essentially 100% full, which may or may not mean that occupancy of the building returned to normal.

The response of the Integrated Terrorism Assessment Centre (ITAC), a multi-agency organization with offices inside the CSIS building, may give an idea of how the changes in parking lot occupancy corresponded to workforce attendance at the office. ITAC reduced the number of people working in its spaces by as much as 80% during the early days of the pandemic. By the summer of 2020, the number of people working in ITAC spaces was back to half its normal level, and by the fall, following renovations to improve the safety of the centre, three-quarters or more of the personnel were back. The reductions in the CSIS workforce may not have been quite as sharp as those of ITAC, but as the parking imagery confirms, it is likely that they followed a broadly similar trajectory.

[Update 29 March 2021: Stephanie Carvin confirms that CSIS headquarters was back to 80% of normal staffing by January 2021.]

The Edward Drake Building, the headquarters of the Communications Security Establishment (CSE), is located beside the CSIS headquarters, just to its west (see map). Most of the parking at CSE is provided by an 800-car parking garage, which of course largely eliminates the value of satellite imagery for analyzing parking at the agency.

Fortunately, not all is lost. CSE's garage is too small to accommodate all the people who normally want to drive their vehicles to work, so parking has tended to overflow into the residential neighbourhood to the west of the complex, sparking complaints by residents and enforcement actions by city bylaw officers. In an attempt to reduce this problem, CSE opened a 440-car overflow parking lot on Enigma Private (see map) just north of the CSE/CSIS complex in January 2020, about two months before the pandemic hit. As it is considerably further from the building, this lot is likely to fill up last — which opens the possibility of observing occupancy drops at CSE as well.

Complicating the issue, however, is that CSE was also in the course of moving most of the 800 staff members of the Canadian Centre for Cyber Security, CSE's cyber security arm, to a separate building at 1625 Vanier Parkway. Moreover, because many of those employees work on less classified, and sometimes even unclassified, projects, it has also been possible for a significant part of their work to be performed at home, freeing up space at the Vanier Parkway building for other CSE employees who do need office spaces to do classified work but do not necessarily need the highly secure SCIF spaces required by most of the SIGINT part of the agency.

Nonetheless, there are probably as many as 1,500 CSE employees or contractors who would seek to work inside the Drake building during normal Monday to Friday hours if they could. Unless a lot of those people are using public transit, that's a lot more than an 800-vehicle garage is likely to be able to accommodate. Thus, the use or non-use of the overflow lot may give some indication of limits on building occupancy during the pandemic.

And what do the pictures show? This Planet Labs image from 5 November 2020 is fairly typical: the overflow lot, visible at the top of the picture, does not appear to be in use (compare to the CSIS lot also visible). It is possible, however, that a few vehicles are present in the lot.

The bottom line is that there does not seem to have been extensive use of this lot by CSE during most of the pandemic. This suggests that CSE did manage to significantly reduce the number of people using the building during peak hours, although it doesn't tell us what combination of working from home, working in the Vanier Parkway building, or moving to different work hours was used to accomplish this, or how those measures may have varied over time.

To my mind, the most intriguing phenomenon turns up during the winter of 2020/21. By December 2020, after the snow starts to arrive, it is clear that the overflow lot is being plowed. This suggests it was in use at least somewhat by that time or at least that CSE expected it to be imminently in use. The plowing continues in January but then abruptly stops, with the lot appearing completely snow-covered for the last two-thirds of the month. The same pattern appears in February: plowed for the first third of the month and then a snow-covered wasteland for the rest. It gets plowed again at the beginning of March, and from that point on appears to be in consistent use.

January 2021 was the worst month to date for new COVID-19 cases in Ottawa, so it may be that the agency implemented additional peak-hours reductions in occupancy of the building during that month, and perhaps February as well, and thus didn't need the lot during those months. That theory doesn't explain why the lot was cleared in early February, however. Maybe the agency's snow-clearing contract specified a minimum number of days of work per month and the contractor plowed the lot until those days were used up whether the lot was in use or not.

Complicating analysis of this question is the fact that the winter imagery was frequently difficult to interpret, due to lower light levels, fewer clear days, and less contrast between snow-covered vehicle roofs and parking lots that themselves might have some snow on them. The CSIS lot seemed less affected by this problem, possibly because it is more sheltered from blowing snow.

What about the CFIOG workforce at the intercept station at CFS Leitrim? Satellite imagery shows there are around 500-550 parking spots at Leitrim, of which 350-400 were typically in use on pre-pandemic weekdays. There is little affordable housing near the station and it doesn't have good transit connections, so unlike the other sites discussed here, the number of cars in its lots is probably pretty close to the number of people working at the station at that moment. Imagery from the pandemic period suggests that the CFIOG reduced peak-hours staffing at the station by as much as 40% from late March to May 2020, with occupancy returning to 80% or 90% of normal levels only in the fall. This was probably mostly accomplished by moving people to non-peak-hours shifts in the evening and overnight, a change that presumably was easier to implement with the predominantly military personnel at Leitrim than it would have been at other sites. As with CSE, the winter imagery was often too poor for clear interpretation.

Interestingly, in no case is there any evidence that a significant amount of work was moved to weekends at any of these sites. Spreading five days of work across seven would seem like an easy way to reduce the number of people in the buildings at any time, but no, weekends appear to be sacrosanct.

Conclusion

Analysis of satellite photos of the parking lots at CSE headquarters, CSIS headquarters, Canadian Forces Station Leitrim, NSA Fort Meade, and GCHQ Cheltenham showed clear evidence of staffing changes at most of these sites in response to the COVID-19 pandemic. With the exception of CSE, where use of a parking garage complicates the question, roughly the same pattern was seen at all of these sites: a sharp reduction in parking lot use (implying even deeper reductions in peak-hour building occupancy) around late March 2020 as the first wave of the pandemic struck; greater but still reduced parking lot occupancy in May and June 2020; and a return to full lots by the end of the summer of 2020. There was very little evidence of reduced parking lot use during the winter 2020/2021 wave of the pandemic. However, the winter imagery was more difficult to interpret, particularly for CSE and Leitrim, so this observation is necessarily more tentative.

There are undoubtedly easier ways for intelligence agencies — and even individuals who aren't working from home on a zero-dollar budget — to answer these questions. For example, a couple of days of surveillance sitting in a car in the shopping centre lot across from the CSE and CSIS buildings would get you a much more accurate estimate of the number of people working in those buildings and their various hours of work. Commercially available smartphone location and activity data would probably also reveal a great deal, and the smartphone data potentially available to intelligence agencies could be even more revealing. Access to higher-resolution satellite imagery would also be very helpful.

Still, as this blog post shows, even relatively low-resolution satellite imagery can provide some intriguing insight into the ways Canadian and partner intelligence agencies responded to COVID-19.

-----------------------------
This research was undertaken as part of my research fellowship with the Citizen Lab, at the Munk School of Global Affairs and Public Policy, University of Toronto. Planet Labs imagery was accessed with the assistance of Citizen Lab director Ron Deibert. All Planet Labs Imagery © 2021 Planet Labs Inc.