Thursday, August 18, 2022

Notes on CSE's 2021-22 Annual Report


CSE's 2021-2022 Annual Report was released on June 28th. At roughly 15,000 words, the report is significantly longer and more informative than last year's, and about five times as long as CSE's first annual report, released in 2020. Although large gaps remain (and to some extent will always remain), this is starting to be a respectable — and useful — document.

Of course, a lot of that text focuses on the cyber security side of the agency, the Canadian Centre for Cyber Security, which accounts for about 30% of CSE's resources. Relatively little discusses the signals intelligence (SIGINT) and cyber operations side, which accounts for the rest.

This is unsurprising, as spying and online covert action need a pretty substantial level of secrecy. But they are also the areas where CSE's activities are most likely to negatively impact the general public, and boilerplate assurances that CSE is prohibited from directing its activities at Canadians are not enough.

For one thing, this prohibition does not apply when CSE is acting under its assistance mandate, providing support to CSIS, the RCMP, CBSA and other law enforcement and security agencies, subject to their authorities. The report has just one sentence referring to CSE's support activities (p. 12).

Also, between incidental collection of communications and bulk collection of metadata, CSE and its Five Eyes partners can collect, analyze, and report a great deal of information related to Canadians in the course of pursuing their non-Canadian targets.

In its classified reporting to the Minister of National Defence the agency provides a wide range of data on the amount of Canadian-related information it acquires and uses. There is no reason why much of that data could not be declassified and reported here, where it would provide useful reassurance of the limited extent to which CSE invades the privacy of Canadians. That's of course unless the data wouldn't actually be reassuring, in which case there's all the more reason why we should see it.

For more on the kinds of information that could be reported, see my comments on last year's report. Some of this information could and probably should be reported by the National Security and Intelligence Review Agency (NSIRA) also, but in that case too it depends on CSE approving its declassification.

One welcome bit of new information in the report is the discussion of active cyber operations (ACO) and defensive cyber operations (DCO) (pp. 13-14), where we learn a little more about the way authorizations work and the types of activities CSE is conducting.

The report confirms, for example, that a single authorization may cover multiple cyber operations and explains that "there are also cases where an Authorization may be anticipatory, with no operations required in the end."

The examples provided of the types of cyber operation that CSE has conducted are much more revealing than anything previously acknowledged by the agency, noting, for example, the use of "active cyber operations capabilities to disrupt the efforts of foreign-based extremists" and "to assist the Canadian Armed Forces in support of their mission." Note, however, that in neither of these cases is it made clear whether the operations mentioned were conducted under CSE's own active cyber authorities or as assistance activities.

The report also reveals that "CSE has embarked on a long-term campaign designed to reduce the ability of cybercrime groups to target Canadians, Canadian businesses and institutions. Working with Canadian and allied partners, CSE has helped reduce the ability of cybercriminals to launch ransomware attacks and to profit from the sale of stolen information."

Overall, then, the section on cyber operations is much more informative than the grudging acknowledgements the agency has made in the past on the subject and presumably reflects a deliberate decision to use the annual report as the place to begin providing at least a sliver of the kind of transparency CSE keeps talking about.

 

Other information

Also nice to see: the pages on SIGINT (11-12) update the statistics on SIGINT reports, clients, and customer departments/agencies introduced last year and add some general information about the kinds of intelligence topics CSE pursues: "CSE intercepts and analyzes electronic communications and other foreign signals to inform the Government of Canada about the activities of foreign entities that seek to undermine Canada’s national security and prosperity.... CSE SIGINT also supports government policy-making in defence, security and international affairs."

Among the (non-exhaustive) examples of intelligence topics given are:

  • activities of hostile states, including cyber threats
  • cybercrime
  • espionage directed against Canada, including economic espionage
  • foreign interference and disinformation campaigns
  • kidnappings of Canadians abroad
  • terrorism and extremism, including ideologically motivated violent extremism (IMVE), and
  • threats to Canadians and Canadian forces abroad

Unmentioned, however, are the sorts of things that fall into the polite-fiction category, where we pretend no one knows we do them even though everyone knows we do, such as intelligence collection on other countries' negotiating positions at international conferences or data relevant to trade policy.

In no case should any of these topics be surprising, however, which underlines the pointlessness of treating broad intelligence priorities (as opposed to specific targets) as a huge secret.

The report also has a short section following up on NSIRA's concerns about CSE's sharing of Canadian Identifying Information (CII) with SIGINT customers (see my earlier post here). "The [NSIRA] review made 11 recommendations to improve our processes for dealing with these requests. Since the review began, CSE has completed 10 out of the 11 recommendations.... The final recommendation, to conduct a Privacy Impact Assessment (PIA) has been launched. We expect to complete the PIA in 2022."

"The review also raised concerns that some disclosures of CII during the period of the review may have been non-compliant. After detailed analysis of CSE’s program, and the disclosures related to 2,351 Canadian identifiers cited in NSIRA’s report, and following consultations with government partners, CSE is satisfied that all but one of those disclosures were compliant. The single disclosure that was not compliant with the Privacy Act has been retracted and the data that was disclosed has been purged by the receiving institution."

Whether an NSIRA examination would draw exactly the same conclusions may be doubted, but I suspect it would agree in the great majority of cases. (NSIRA's original point wasn't that the requests were unjustifiable, but that the case for their justification had not been properly provided.) Still, it's good to see CSE using its annual report to follow up on issues arising from review agency reports.

 

Resources

On p. 56 we learn that CSE now has around 3200 full-time employees, which is up about 200 from the year before. The agency is now about 3 1/2 times as large as it was at the end of the Cold War! And it's still growing.

The promises made in Budget 2022 imply that CSE could be headed to around 4000 employees over the next several years, although some of that possible growth might go to contractors rather than staff. 

But you won't find any forward-looking budget or staffing data here. Nor will you find current budget data, other than the 2021-22 budget authorities number: $859 million. Note, however, that this number should really be $860 million, since it is almost certainly based on the $859,771,899 figure recorded in the 2021-22 Supplementary Estimates (C). Based on past performance, the actual amount that CSE ends up spending during 2021-22 is likely to be somewhat lower than this, but we won't know that number for some time.

Back when CSE was still part of the Department of National Defence, we used to get a lot more budget data about CSE, with spending broken down into salaries and personnel, operations and maintenance, and capital spending, and also projected into future years:

 

But all of that detail ended when CSE became a stand-alone department in 2011, and the agency has never provided any kind of public explanation of why it can no longer release such information.

By contrast, CSE's colleagues at the Australian Signals Directorate (ASD) manage to publish reams of spending data every year with no evident ill effects. Apparently CSE's data is uniquely sensitive in ways that must never be publicly explained.

 

Conclusion

The above griping notwithstanding, I do think this report is a significant improvement on its predecessors. Kudos to CSE for that.

And this year they finally made it available as a PDF as well as a web document! Yay!

 

For a much more comprehensive look at the contents of the report, check out Chris Parsons' post here

See also media coverage by Alex Boutilier and Cat Tunney.

 

Update 20 August 2022:  

The references to "Mandate C' in the original version of this post have been changed to "assistance mandate". As I was gently reminded, the Mandate C nickname dates to the pre-CSE Act period, i.e., before 2019. While fogies like me may still reach for it as a handy shorthand way to refer to CSE's mandate to assist federal law enforcement and security agencies (including, since 2019, the Canadian Forces and the Department of National Defence), when writing for others it's better to be comprehensible and accurate.


Sunday, July 31, 2022

Diversity in the top ranks of CSE

Improving diversity within CSE and other parts of the intelligence community is an ongoing challenge, but with the appointment of the first non-white Canadian to the position of Chief of CSE (effective August 31st), I thought I'd take a look at how things are going at the top level of the agency's hierarchy. As the chart below shows, that group is actually pretty diverse.

Chart showing top executives at CSE
At the top of the chart are incoming CSE Chief Caroline Xavier and, below her, Associate Chief Dan Rogers. The next level shows Deputy Chiefs and equivalents: from left to right, Deputy Chief SIGINT (DC SIGINT) Alia Tayyeb; Canadian Centre for Cyber Security (CCCS) Head Sami Khoury; Acting Deputy Chief Enterprise Technology Services (DC ETS) Darrell Schroer; Acting Deputy Chief Authorities, Compliance and Transparency (DC ACT) Nabih Eldebs; Deputy Chief Strategic Policy, Planning & Partnerships (DC SPPP) Wendy Hadwen; and Deputy Chief Corporate Services (DC CS) Gibby Armstrong. I have also shown the Cyber Centre's Associate Head, Rajiv Gupta. Other CSE officials at Gupta's rank (Director-General) are rarely publicly identified, so that's as far as it is practical to look.

CSE doesn't keep me updated on its executive appointments (or any other matter), so it's possible that some of the incumbents in these positions have changed, but this chart should be pretty close.

Of the nine officials shown in the chart, four are women, and five (three men and two women) are non-white. Some of the officials may also belong to other traditionally excluded or under-represented groups, such as 2SLGBTIQ+ persons, religious minorities, or persons with disabilities, but I have no information about that.

 

Dwyer straits

Photo of Peter Dwyer
CSE wasn't always as diverse as this. There was a time, in fact, when the battle for diversity in the upper ranks of the agency meant a demand to hire more (white) Canadian men instead of so many (white) British men.

As far as I can tell, CSE never had employment policies as overtly racist as those at GCHQ, which systematically barred all "coloured" people from employment at the agency until the 1980s, or even those at NSA and its predecessors, where, for example, until 1956 almost all African American employees were concentrated in a low-paid, segregated unit dubbed, inevitably, "the Plantation".

But of course a lack of evidence of egregious racism in no way means that no racist or otherwise discriminatory practices existed at CSE. And there is no reason to assume the agency has been any less discriminatory in its practices than the overall public service, or indeed Canadian society in general.

It wasn't until 1977 that CSE even established an advisory position on equal opportunities for women. Like today, about one-third of CSE's staff at that time were women, but they were "concentrated in lower level - lower paying jobs" such as clerical and secretarial work and were rarely promoted to upper management positions. As I noted here, the top echelons of the agency have come a long way in that respect since then.

Statistics on equity, diversity, and inclusion across the entire staff of CSE are hard to come by, but they have started to be reported in recent years. CSE's most recent annual report, for example, published these statistics on employment equity representation versus workforce availability (click image for larger version):

As these numbers show, CSE still has a long way left to go with respect to persons with disabilities and those described as "visible minorities". (The term "visible minorities," the report notes, "is considered outdated. We use it here in the context of the Employment Equity Act, which is currently under review.")

It's also worth recognizing that the "workforce availabilities" shown in CSE's chart relate to the specific occupational categories CSE seeks to fill and thus themselves reflect persisting societal and systemic barriers to inclusion. As target levels they are at best relative measures of progress.

This can be seen in the statistics pertaining to women, who are assessed as having a workforce availability of 35.4% for CSE even though they represent 50.4% of Canada's population and their availability for the public service as a whole is assessed to be 52.7%.

The same point could be made with respect to Indigenous people. While CSE seems to be doing reasonably well, with Indigenous people representing 1.93% of the agency's staff versus a workforce availability of 2.08%, the assessed availability of Indigenous people with respect to the public service as a whole is twice as high (4.0%), suggesting there is a lot of room for growth if obstacles to participation in occupations of interest to CSE were reduced.

NSICOP's study of diversity and inclusion in the Canadian security and intelligence community, published in 2020, provides a useful further discussion of these issues and some additional statistical information, notably representation at the executive level of Canadian S&I agencies in 2017-18. (I'm not sure where the cut-off for this category is in CSE, but it likely includes everyone from the Chief down to the Director-General and, I would guess, Director level.) Interestingly, CSE significantly under-performed in terms of visible minority representation within the executive category at that time.

As the NSICOP report and the CSE annual report both acknowledge, women, Indigenous people, persons with disabilities, and visible minorities are not the only groups relevant to questions of equity, diversity, and inclusion.

In May 2021, a senior official from CSE's SIGINT branch, Artur Wilczynski, was appointed Assistant Deputy Minister, Senior Advisor for People, Equity, Diversity and Inclusion as part of "a focused effort to bolster a welcoming and inclusive community at CSE, to identify and break down systemic barriers to full participation, and to help empower historically discriminated against groups within the Public Service." Prior to his retirement earlier this summer, Wilczynski oversaw the production of CSE's first equity, diversity, and inclusion guide, which incorporates this broader understanding of equity-deserving groups, including the 2SLGBTIQ+ community, religious minorities, the neurodivergent, and others.

This episode of the Intrepid podcast, featuring Wilczynski and Nabih Eldebs (then the Director General of Policy, Disclosure and Review at CSE), is also a good source of information on the recent state of play at the agency. 

 

Conclusion

Obviously, the presence of women and non-white people in key leadership positions at CSE does not mean that problems of systemic discrimination and under-representation no longer exist at the agency, or even necessarily that meaningful progress is being made. And it would certainly be a mistake to use year-to-year changes in appointments to upper executive positions as a measure of the agency's overall progress or lack thereof. But representation does matter. The agency seems to be making good-faith (if undoubtedly imperfect) efforts to improve its performance on these issues at all levels of the organization, and in that context the fact that the top levels of CSE are visibly diverse sends an important message of hope that all Canadians can find a home at the agency.

 

Friday, July 08, 2022

Xavier to be next Chief of CSE

On 8 July 2022, Prime Minister Trudeau appointed Caroline Xavier to be the next Chief of CSE, effective 31 August 2022. Xavier will replace incumbent Shelly Bruce, who is retiring.

Xavier is the third woman in a row to be appointed to the job of Chief. (But fret not, guys, there were eight men in a row before that, so it's way too early to consider yourselves hard done by.) She will also be the first racialized Canadian to get the job. Xavier was born in Montreal to parents who came to Canada from Haiti. According to the CBC, when she gave this interview on diversity and equity in the public service in 2020, she was "the only Black person serving as an associate deputy minister in the federal government."

Working at CSE will be something of a homecoming for Xavier, who served as Director, IM/IT Infrastructure and Operational Services in the Chief Information Officer Branch of the agency from 2004 to 2006. She also has experience working with the intelligence community at the Privy Council Office. Although currently the Associate Deputy Minister of Immigration, Refugees and Citizenship, from 2017 to 2020 she was the Assistant Secretary to the Cabinet, Security and Intelligence, where "she was responsible for advising and supporting the National Security and Intelligence Advisor on security, intelligence and emergency management issues. Ms. Xavier was the Co-Chair to the Cabinet Committee on Global Affairs and Public Security, and also served as secretary to Cabinet Committee on Incident Response Group." (See her bios here and here.)

The first four chiefs of CSE, who collectively ran CSE for 53 years, were all hired from inside the closed confines of the SIGINT world. The appointment of Ian Glen in 1999 ended that tradition, and for the next 19 years succeeding chiefs were all drawn from outside the agency. Then, in 2018, the job went back in-house when Shelly Bruce was given the nod, capping a career spent almost entirely inside the agency.

As Bruce's time in office seemed likely to end soon, I had been wondering recently, would the government again choose a chief from in-house (in which case, Dan Rogers, who was recently appointed to the position of Associate Chief, seemed like a plausible candidate) or would it revert to hiring from outside the agency? As it turns out, the decision was a bit of both.

As a former CSE employee who has spent most of her public service career in other parts of the government, and who has recent experience near the top of the Canadian security and intelligence community, Xavier should bring the advantages of both backgrounds to the job — familiarity with CSE, its activities, and its place in the Canadian and Five Eyes communities, and deep knowledge of, and connections to, the broader public service and government policy world.

Xavier will become the 11th Chief in CSE's 76-year history. The previous chiefs were:

  • Edward M. Drake (1946 - 1971)
  • N. Kevin O'Neill (1971 - 1980)
  • Peter R. Hunt (1980 - 1989)
  • A. Stewart Woolner (1989 - 1999)
  • D. Ian Glen (1999 - 2001)
  • Keith Coulter (2001 - 2005)
  • John L. Adams (2005 - 2012)
  • John Forster (2012 - 2015)
  • Greta Bossenmaier (2015 - 2018)
  • Shelly Bruce (2018 - 2022)

Sunday, June 19, 2022

NSIRA report on Avoiding Complicity in Mistreatment by Foreign Entities

On May 19th, NSIRA released the declassified version of its Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities (NSIRA Review 2019-06). Ministerial directions were issued to a number of Canadian departments and agencies in 2011 and, later, in 2017 on managing the risks of information sharing with other countries; these MDs were subsequently replaced by the provisions of the Avoiding Complicity in Mistreatment by Foreign Entities Act in 2019. NSIRA's review looked specifically at the actions taken by the six departments and agencies that received the 2017 MD, including CSE, which unsurprisingly is the agency I'm going to focus on here.

CSE comes out looking good in this report. While NSIRA noted deficiencies in the way many of the six organizations handled this issue and made a series of recommendations applicable to all of them, CSE was broadly seen as having done well in meeting its obligations.

I have to say I don't find this result greatly surprising, as two and a half decades of review by OCSEC and now NSIRA have made CSE highly conscious of the importance of ensuring that ministerial directions and other legal requirements are clearly reflected in internal policies and procedures and that compliance with those policies and procedures is effectively monitored and documented.

(This is not to suggest that reviews no longer find matters of this kind — they're still among the most common issues raised by CSE's watchdogs. But the agency has come a long way over the years in aligning its policy regime and paperwork with actual existing practice.)

What I mostly want to highlight about this report is not compliance questions, but the evidence it provides of the long way CSE has yet to go on the transparency front.

Let's look specifically at page 22 of NSIRA's report, where the annex related to CSE begins. 

 For reasons mysterious to me, CSE evidently insisted on redacting the following non-secrets: 

 

● that CSE's process under the 2011 Ministerial Directive excluded review of normal information-sharing with the Five Eyes;


 

● that prior to 2017, CSE's ITS (i.e., cyber) side and its SIGINT side each conducted Mistreatment Risk Assessments (MRAs); 


 

● that the Corporate and Operational Policy Section of CSE, which now performs these assessments for the entire agency, is or at least was known internally by the alphanumeric designator D2 (and, more specifically, the sub-unit responsible was D2A);



 

● and that the CSE branch that contains D2 is Policy and Communications, under the direction of the Deputy Chief, Policy and Communications (DC PC) (listed as Director General, Policy and Communications (DG PC) in the out-of-date chart shown below).


 

Was it really necessary for CSE to insist on redacting all that information from NSIRA's report? If it was, then maybe they shouldn't have revealed it all already.

 

Something useful is learned

Happily, it's not all blank spaces and black holes.

On the useful information front, I've wondered for some time how CSE finessed the Five Eyes issue in the years since the 2017 Ministerial Directive appeared, since that version and the subsequent 2019 Avoiding Complicity Act contain no Five Eyes exception. 

Here the report is actually quite helpful. Although it doesn't make the Five Eyes connection explicit, the report reveals that CSE does two types of mistreatment risk assessment: case-specific ones and annual ones, the latter of which are "used to exclude countries from the normal MRA process".

I don't think there's much question which countries' boxes get ticked every year for that.


Friday, May 27, 2022

Intelligence Commissioner 2021 Annual Report

The 2021 annual report of the Office of the Intelligence Commissioner (ICO) was tabled in Parliament on May 5th. From the perspective of this blog, the most interesting news in the report was that one of the three Foreign Intelligence Authorizations (FIAs) granted to CSE by the Minister of National Defence in 2021 was only "partially" approved by the Intelligence Commissioner (IC). This marks the first time since the 2019 passage of the National Security Act, 2017, which created the current oversight regime, that an FIA has not been fully approved.

FIAs enable CSE to conduct its foreign intelligence program by legalizing aspects of its SIGINT collection activities that would otherwise be illegal, such as intercepting "private communications" or breaking into computer systems to steal information. CSE typically receives three FIAs per year, each valid for a one-year period. The exact subjects of those FIAs are classified, but collectively they cover the full range of CSE collection activities, probably grouped into computer network exploitation, various kinds of radio intercept activities, and cable collection operations. The authorizations are vital to CSE because, without them, the agency would be unable to collect intelligence under its foreign intelligence mandate without running the risk of violating the law.

FIAs are issued by the Defence Minister, but they only come into force if the Minister's decision is approved as "reasonable" by the IC. In 2021, for the first time, the IC did not fully approve one of CSE's FIAs. In the case of one particular activity covered by one of the FIAs, the Commissioner judged that "the Minister's conclusions lacked information on the nature of the activity described and on how such activity would be reasonable and proportionate. The IC was of the view that the Minister’s conclusions did not bear the essential elements of reasonableness: justification, transparency, intelligibility and did not establish whether they were justified in relation to the relevant factual and legal contexts." As a result, the IC "determined that he must not approve the Foreign Intelligence Authorization relating to this specific activity."



 

 

 

 

 

 

 

 

 

So, what exactly was the CSE activity that didn't make the cut? Those of you who are familiar with watchdog reports will know better than to expect the IC to reveal that information to us — or, perhaps more correctly, know better than to expect CSE to permit the IC to reveal it to us. Whether the activity in question is a secret legitimately worth keeping or one of those everyone-knows-we-do-it-but-we-obstinately-refuse-to-admit-it secrets we may never know.

Interestingly, however, in its 2020 annual report (released to the public in December 2021), the National Security and Intelligence Review Agency (NSIRA) also raised concerns about an unidentified CSE activity that at least conceivably could be the same program.

In that case, NSIRA recommended that "CSE should seek a fulsome legal assessment on activities authorized by a specific Foreign Intelligence Authorization prior to undertaking any collection activities under this ministerial authorization (MA)." In its response to NSIRA, CSE accepted the recommendation "in principle" but seemed to suggest that it had already done sufficient legal assessment of the activity.

Similarly, in declining to approve the particular activity that was of concern to the IC, the Commissioner stated (among other points) that the Minister's conclusions "did not establish whether they were justified in relation to the relevant ... legal contexts."

NSIRA also appears to have been concerned about the reasonableness and proportionality of CSE's planned activities, as CSE's response to NSIRA specifically noted CSE's belief that, in its view, the activities were "reasonable and proportionate". For its part, the IC stated that "the Minister's conclusions lacked information ... on how such activity would be reasonable and proportionate."

Were the two watchdog agencies talking about the same proposed activity?

We don't know. But if they were (and this is just an "if"), a couple of points are worth noting.

First, as the NSIRA report reveals, the activity in question is something comparatively new to CSE, "enabled since the CSE Act" (which was passed in 2019), and it had not yet begun operations at the time of NSIRA's examination. This suggests the possibility that it also may not have been in operation during the time the IC looked at it, which would mean that CSE did not have to shut down an active program when the authorization for it was refused. (This might also explain why no additional or amended FIA was presented to the IC later in the year to get the activity back in operation — it wasn't ready to go anyway.)

It might seem strange that an authorization would be sought for a program that isn't ready to go into operation, but it has been known to happen under the previous (pre-2019) ministerial authorization regime. Presumably, the goal of such early approvals is to have the authorization already in place when the program is ready to begin, and perhaps also to check whether the program is in fact likely to receive authorization before a large amount of time and money has been expended on its development and installation.

The second point worth noting is that this may represent a concrete example of NSIRA and the IC working together, sharing information and highlighting issues of importance or concern to one another. This information sharing, although limited largely to certain types of formal reporting, was one of the benefits that was foreseen when the new review and oversight regime was created in 2019.

The IC report contains a brief description of how this kind of cooperation works: "The IC must provide a copy of his or her decisions to NSIRA in order to assist it in fulfilling its review mandate. In addition, the IC is entitled to receive a copy of certain reports, or parts of reports, prepared by NSICOP and NSIRA, if they relate to the IC’s powers, duties or functions."

It goes on to add: "In 2021, the IC received one such report from NSIRA."

But if that report had anything to do with the CSE foreign intelligence authorization discussed here, they're not telling us.

Presumably CSE at least knows whether there is a link between the two watchdogs' concerns. If they are linked, maybe CSE has now revisited its somewhat dismissive response to NSIRA's recommendation.

 

Partially reasonable

As I noted above, this was the first time that the IC approved an FIA only in part. But it didn't come as a complete surprise, as the possibility of such a decision was flagged in both of the IC's previous reports: in both documents, the table summarizing the Commissioner's decisions contained a column labeled "Partially Reasonable" that clearly implied partial rejections were possible.

If you look up the Intelligence Commissioner Act, you will see that s.20(1) offers the Commissioner just two courses of action: approving the authorization or not approving the authorization. It doesn't say anything about approving most of the bits while rejecting other bits. So, in all honesty, I don't understand the statutory basis for this procedure.

But the Intelligence Commissioner obviously does see a basis for this approach, CSE shows no sign of disagreeing with him, and other people who — very much unlike me — have an actual understanding of Canadian national security law and statutory interpretation are comfortable with it too. So I classify this in the category of things-that-clearly-work-that-way-even-though-I-don't-really-understand-why.

And it does seem like a practical approach. It would obviously be undesirable to have large, multi-program authorizations like these refused every time there was a problem with one small element within them. We also wouldn't want the IC to be tempted — or to feel pressured — to let legitimate concerns about particular programs slide for fear of the broad disruption that a refusal might cause. 

An alternative approach would be to require a separate FIA for each separate information collection activity that CSE wished to conduct. But depending on how those activities were broken down, that could lead to a significantly large number of authorizations, each of which would need to be reviewed and signed by the Minister and then considered by the Commissioner. That would create a great deal of additional paperwork, but it's not clear that it would have any actual advantages over the current approach.

 

More transparency to come?

Last year's IC report promised that "the ICO will explore the possibility of publishing redacted and translated versions of the IC’s decisions on the ICO website." This year's report contains an update on that initiative, noting that "the ICO has made considerable efforts to publish the IC’s decisions on the ICO website. The ICO is working towards having the decisions available online as soon as feasible."

Presumably the delay is primarily the result of CSE's on-going reluctance to countenance the publication of any information the public might find remotely informative. It will be interesting to see what, if anything, is eventually permitted to appear on the ICO website. Among other possibilities, maybe at that point we'll learn if this year's partial rejection was related to the same program that prompted concerns at NSIRA.

 

Media coverage

As far as I can tell, the ICO report received no media coverage.

But Christopher Parsons' detailed Twitter thread looking at aspects of the report is well worth reading. See also this update to the thread, in which the ICO explains the statutory basis for its approach to authorizations. 

Since Chris's Twitter posts don't last forever, he has generously suggested that I also reproduce the ICO's reply here: