Friday, January 03, 2014

Inside CSE: New section on CSE website

CSE recently added a new feature to its website. Called Inside CSE, the new section explains a bit more about the agency, its mandate, and how it functions:
"Recent media reporting has created new and unprecedented interest in the Communications Security Establishment, specifically regarding how we operate and what we do on behalf of the Government of Canada and Canadians. So we’d like to tell you more about CSE in an effort to provide more information and greater transparency. In this section you will find many previously unpublished facts about CSE, including what we can and cannot do as an organization."
The "previously unpublished facts" promised in the introductory paragraph are pretty few and far between (unless the author means only that the information was "previously unpublished" on the CSE website).

But the four "fact sheets" that follow do provide a considerably more complete and frank description of the agency's activities than the secret asterisk-laden pronouncements CSE has typically made.

Notably, the fact sheets explicitly acknowledge that
"While CSE cannot and does not target Canadians or persons in Canada in its foreign signals intelligence work, CSE’s capabilities may, under the Assistance Mandate, be employed by national security or law enforcement agencies in a variety of circumstances—including intercept operations against a Canadian or individuals in Canada. In those cases, CSE is acting in an assistance role, is operating under the requesting agency’s legal authority (such as a warrant) and is subject to the provisions of their mandate and policies."
[Update 7 January 2014: For the sake of those not steeped in the intricacies of CSE's three-part mandate, I should probably clarify here that there are three main avenues through which CSE can be involved in monitoring Canadians/persons in Canada. The first, as described in the paragraph above, is through part (c) of CSE's mandate, which authorizes CSE to provide assistance to security and law enforcement agencies. It is nice to see CSE being a bit more frank about its involvement in this kind of monitoring, which in the past it has typically glossed over or ignored entirely. CSE can also monitor certain Canadian communications in the course of its mandate (b) operations (protection of information infrastructures), subject to Ministerial Authorizations. Very little information is available about what sort of monitoring is conducted in those operations. Finally, CSE is permitted, again subject to Ministerial Authorizations, to intercept cross-border communications that involve Canadians/persons in Canada in the course of its mandate (a) (foreign intelligence) operations, as long as the "target" of those intercepts is a non-Canadian outside of Canada, as described in the paragraphs below.

CSE's comments on these other aspects of its mandate, and on its other activities in general, remain deliberately vague, and even misleading.]

CSE reports, for example, that
"in the course of targeting foreign entities outside Canada in an interconnected and highly networked world, it is possible that we may incidentally intercept Canadian communications or information.... If a private communication is incidentally intercepted (e.g. a foreign individual we are targeting overseas is communicating with someone in Canada), CSE takes steps to protect the privacy of that information."
If you don't know better, you might assume on reading that description that CSE doesn't really want to know who its foreign targets are communicating with in Canada and what they are saying to each other, and that when such calls do get vacuumed up with the other collected communications CSE quickly acts to weed them out.

The reality is quite different.

"Incidental" means that the person on the Canadian end of the communication was not the "target" of the collection, but it does not mean that the collection of that communication was unintentional. For CSE, the fact that it has been able since 2001 to collect communications that either begin or end in Canada (as long as the target of the collection is outside of Canada) is a feature, not a bug.

As CSE Chief Keith Coulter testified to the Subcommittee on Public Safety and National Security of the Standing Committee on Justice, Human Rights, Public Safety and Emergency Preparedness on May 4th, 2005, "if we had a terrorist target abroad and it had a communication into Canada, we wanted to be able to acquire that. If there was an al-Qaeda target in a faraway place and they were communicating into a city in Canada, that was a communication we sought the authority, from Parliament, to acquire, use, and retain, and that's what it gave us [when it passed the Anti-Terrorism Act in 2001]."

Note that the communications so acquired are also used and retained. Yes, there are elaborate procedures in place to protect the privacy of Canadians and persons in Canada, and there is every reason to believe that those procedures are taken very seriously by CSE, but if the information acquired corresponds to the government's intelligence collection priorities, it is retained and it is used.

And appropriately so. There are reasonable questions that can be asked about whether the particular system in place is the best one for protecting the privacy of Canadians, and about the wider intelligence collection techniques and priorities of the government, but few people would object to the idea that, with suitable controls, the Canadian government ought to be able to monitor the communications of people plotting terrorist attacks in Canada.

The point I want to make here is not that no such collection should occur; it is that describing such collection as "incidental" and implying that it is always unintentional is deliberately -- and pointlessly -- misleading.

If CSE wants Canadians to trust that it is not misusing its extremely intrusive capabilities, it needs to give us straight answers to clear questions whenever it can. (And surely that includes cases where the Chief of CSE has already put the real answer on the public record.)

CSE also needs to be as transparent as possible.

As the fact sheets argue, CSE does need to conduct much of its activities in secret.

But the fact sheets do not explain why the level of detail on CSE's plans, priorities, and funding that was reported when CSE was part of the Department of National Defence (discussed here) cannot continue to be reported by CSE now that it has become a stand-alone agency.

What changed between June 2011, when the last such report was released, and November 2011, when CSE became independent? Did a seismic shift in the world situation suddenly make this information too dangerous to release? Did the Canadian public and the Canadian parliament suddenly develop much less need to know what this taxpayer-funded and potentially extraordinarily intrusive agency is up to?

Keeping essential secrets is one thing; choosing to no longer report information that had been publicly reported for years is quite another.

The addition of the "Inside CSE" section to CSE's website is a small but real step forward in transparency for the agency, for which it can be commended, but it does not make up for the giant backward step it recently took in terminating most of its detailed public reporting.

Update 4 January 2014:

News coverage: Daniel Proussalidis, "CSE admits it 'incidentally' spied on Canadians," Toronto Sun, 3 January 2014.

Update 6 January 2014:

David Pugliese, "CSE Backtracks And Now Admits It Spies On Canadians….Spy Agency Still Provides Misleading Information on Its Website Says CSE Watcher," Defence Watch blog, 6 January 2014.

Update 7 January 2014:

Ian Macleod, "Spy agency admits it spies on Canadians ‘incidentally’," Ottawa Citizen, 6 January 2014.

Further update 7 January 2014:

"CSEC Admits It 'Incidentally' Spies On Canadians," Huffington Post Canada, 7 January 2014.

