Thursday, June 13, 2013

Décary speaks

CSE's oversight commissioner, Robert Décary, has issued a highly unusual (possibly unprecedented) public statement that seeks to assuage some of the concerns swirling around CSE and the privacy of Canadians:

The Honourable Robert Décary, Q.C., Communications Security Establishment Commissioner, believes that public discussion would benefit from additional information about how he verifies whether CSEC complies with the law and protects the privacy of Canadians in the conduct of its activities.

As Communications Security Establishment Commissioner, a position established under the National Defence Act, I strive to strike a balance between — on the one hand — the government's need for foreign signals intelligence and IT security services, and — on the other hand — the need to ensure compliance with the law and the protection of the privacy of Canadians. Through the public annual reports, I also strive to provide assurance to Canadians with respect to their privacy.

Since my appointment, I have sought to clarify and explain more fully what my office and I do and how we do it, to help ensure that public discussion is based on fact. While it is not for me to disclose operational information of the Communications Security Establishment Canada (CSEC), I do encourage the government to be as transparent as possible. Every reasonable person recognizes, however, there are very real constraints imposed by national security and the Security of Information Act.

I am completely independent and operate at arms-length from the government. I have all the powers of a Commissioner under Part II of the Inquiries Act, including the power of subpoena, to access and review any information held by CSEC. We have secure offices on-site at CSEC. My employees have unobstructed access to CSEC systems, observe CSEC analysts first hand to verify how they conduct their work, interview them, and test information obtained against the contents of CSEC's databases.

Under the National Defence Act, CSEC is specifically required to protect the privacy of Canadians in the execution of its duties. Similarly, it is required to protect the privacy of Canadians in accordance with other laws, including the Canadian Charter of Rights and Freedoms, the Privacy Act, and the Criminal Code. The Minister of National Defence has provided further specific direction to the Chief of CSEC, regarding how he expects the agency will protect the privacy of Canadians in fulfilling its duties. The Chief has further elaborated and provided guidance to staff, through various internal policies, regarding the procedures and practices that must be followed.

When reviewing CSEC's activities — including any CSEC use or retention of metadata — for compliance, I assess them against all three factors: legal requirements; ministerial expectations; and internal policy controls. If I believe a law, ministerial direction or policy is not adequate, I make a recommendation to the Minister to address the deficiency.

I verify that CSEC does not direct its foreign signals intelligence collection and IT security activities at Canadians — wherever they might be in the world — or at any person in Canada. CSEC is prohibited from requesting an international partner to undertake activities that CSEC itself is legally prohibited from conducting.

It is well understood that Canadian federal law enforcement and security agencies may lawfully investigate Canadians. When these organizations request the assistance of CSEC, I verify that CSEC complies with any limitations imposed by law on the agency to which CSEC is providing assistance, for example, any conditions imposed by a judge in a warrant.

Given the structure of the international telecommunications environment, it is possible that CSEC may, while targeting a foreign entity located outside Canada, with a ministerial authorization, unintentionally intercept a communication that originates or terminates in Canada, which is a "private communication" as defined by the Criminal Code. I monitor and examine the small number of private communications unintentionally intercepted by CSEC and verify how CSEC treats these communications.

In the case of metadata, I verify that it is collected and used by CSEC only for purposes of providing intelligence on foreign entities located outside Canada and to protect information infrastructures of importance to the government. I have reviewed CSEC metadata activities and have found them to be in compliance with the law and to be subject to comprehensive and satisfactory measures to protect the privacy of Canadians. However, given that these activities may impact the privacy of Canadians, I had already approved, prior to recent events, the start of a specific review relating to these activities.

Additionally, in its reports, and in other information CSEC shares with its domestic and international partners, CSEC must render impossible the identification of Canadians, and I verify that this is done. As noted in my report last year, I have found that CSEC does take measures to protect the privacy of Canadians in what it shares with its domestic and international partners. For example, CSEC suppresses Canadian identity information in what is shared with its international partners. CSEC applies the same privacy rules to information acquired from domestic and international partners, and I verify that these rules are followed. In addition, open and ongoing discussion between the partners helps to limit the potential to affect the privacy of Canadians.

Furthermore, I examine any operational incidents that did or could have an impact on the privacy of Canadians to ensure that CSEC has addressed them and to identify any systemic issues about compliance with the law or the protection of the privacy of Canadians that should be the subject of follow-up review.

I provide the results of my reviews, in classified reports, to the Minister of National Defence, who is accountable to Parliament for CSEC. I am also required to submit an unclassified report to the Minister on my activities each year, which the Minister must then table in Parliament. My latest report is completed and I submitted it to the Minister.

A necessary element of my mandate also includes informing the Minister of any activities that I believe might present, or have the potential to present, a risk of non-compliance. If I find that CSEC did not comply with the law, I have the authority and the duty to report it to the Minister and to the Attorney General of Canada.

A number of my reports have included recommendations aimed at strengthening CSEC practices that contribute to compliance and incorporate measures that protect the privacy of Canadians. Some Commissioners' recommendations have resulted in CSEC suspending certain activities to re-examine how the activities are conducted. I closely monitor CSEC's implementation of my recommendations.

CSEC has accepted and implemented or is working to address the vast majority of recommendations made by my predecessors and me. Recommendations are made to proactively prevent possible privacy risks. In the context of ongoing and future reviews, my office will continue to seek ways in which CSEC compliance, and the privacy protections afforded to Canadians, can be further strengthened.

I think this is a helpful contribution.

The Commissioner's statement is much more detailed and comprehensible than the contents of his annual reports (and those of his predecessors), which are normally the only information the Commissioner provides to Canadians.

Those reports contain only one explicit mention of metadata, for example, and that instance, dating from 2007, only mentions that the Commissioner intended to review CSE's use of it. Today's statement is by far the most informative comment that we have ever had from a Commissioner on that topic.

Can we look forward to this greater degree of detail and clarity in future reports? It would certainly be a significant improvement.

Still, even this statement remains maddeningly vague and obtuse.

We are told, to return to the metadata question, that CSE collects and uses metadata "only for purposes of providing intelligence on foreign entities located outside Canada and to protect information infrastructures of importance to the government". But this second element -- which no one has mentioned until now, and which it would seem must certainly involve domestic communications within Canada -- is introduced and then dropped with no explanation whatsoever. Has he just told us that domestic metadata is indeed being collected and used? If so, he might have been a little clearer about it.

And even with respect to the first element, we are left to wonder why neither the Defence Minister nor the Commissioner is willing to clarify whether metadata concerning communications that cross the border (i.e. that have one end in Canada) fall within the category of data that might be collected "for purposes of providing intelligence on foreign entities located outside Canada". Why not just give us straight answers on the metadata question?

The Commissioner's statement also leaves the impression that the only time the actual content of such cross-border communications is intercepted is when such interceptions occur "unintentionally". Are we supposed therefore to understand that CSE never intentionally intercepts the phone calls that a known foreign intelligence target in Kandahar makes to persons unknown in Toronto?

That's certainly not how then-CSE Chief Keith Coulter described the new rules in 2001:

Under the current legal framework [prior to the passage of Bill C-36], if a terrorist in Afghanistan is communicating with someone in Pakistan, CSE could intercept that communication. If, however, the same terrorists are communicating with someone in Toronto, CSE is prohibited under the current regime from intercepting that communication. Let me be clear. Under the new regime CSE would still not target the individual in Canada. CSE cannot do that now, and it would not be authorized to do that under the new legislation. However, if this terrorist located in Afghanistan communicated with somebody in Canada, this legislation would give CSE the authority to follow that communication into Canada.

At the time the new legislation was passed, CSE told us all in no uncertain terms that the ability to follow a foreign-intelligence-related communication into Canada was vital to the agency's ability to function effectively in the modern world. For some reason the Commissioner seems to want to leave the impression that this only happens "unintentionally".

Similarly, the Commissioner's statement affirms that "CSEC is prohibited from requesting an international partner to undertake activities that CSEC itself is legally prohibited from conducting", but it skips past the vital question of how often those partners may nonetheless supply information that CSE would not itself be permitted to collect.

This is one of the key questions in this whole business. The former %^&*ing Solicitor General has just told us that the practice was common only a few years ago, and yet this statement pretends that the issue doesn't even exist.

Despite all of the disconcerting news of the past week or so, I still hold the view that CSE really is pretty careful when it comes to the privacy of Canadians.

And I'm glad that we have the CSE Commissioner to help hold the agency's feet to the fire in that regard.

But this statement is not good enough. You don't reassure people very much when you leave the distinct impression that your words have been carefully chosen to avoid giving straight answers.

