Friday, January 31, 2014

More on CSEC metadata spying

The CBC has posted the CSEC document (IP Profiling Analytics & Mission Impacts, 10 May 2012) describing its efforts to analyze the metadata of Canadians and other persons in Canada travelling through a Canadian airport and other locations (original story: Greg Weston, Glenn Greenwald & Ryan Gallagher, "CSEC used airport Wi-Fi to track Canadian travellers: Edward Snowden documents," CBC News, 30 January 2014).

Ron Deibert's op/ed on this new information is a must-read: Ron Deibert, "Now we know Ottawa can snoop on any Canadian. What are we going to do?," Globe and Mail, 31 January 2014.

CSEC has posted an official response to the CBC story in which it denies that the agency did anything unlawful (CSE statement re: January 30 CBC story):
CSE is mandated to collect foreign signals intelligence to protect Canada and Canadians, and by law, only directs its foreign intelligence activities at foreign entities.

In order to fulfill this key foreign intelligence role for the country, CSE is legally authorized to collect and analyze metadata. In simple terms, metadata is technical information used to route communications, and not the contents of a communication. ...

It is important to note that no Canadian or foreign travellers were tracked. No Canadian communications were, or are, targeted, collected or used.

The Defence Minister has also assured Canadians that CSEC has done nothing wrong (Laura Payton, "CSEC Snowden docs: Spy agency does not target Canadian communications, minister insists," CBC News, 31 January 2014):
Under repeated questioning by opposition MPs, Nicholson didn't directly deny the story, but said that the document detailing work by the Communications Security Establishment Canada doesn't show that Canadian communications were targeted or used.

"It's my understanding that CSEC made it clear to CBC that nothing in the documents that they had obtained showed that Canadian communications were targeted, collected, or used, nor that travellers' movements were tracked," Nicholson said in the House of Commons. ...

New Democrat MP David Christopherson asked Nicholson to categorically deny the agency has tracked Canadians, but Nicholson returned to his response about the CSEC commissioner.
Others are unconvinced that CSEC has the legal right to conduct the kinds of monitoring detailed in the leaked document.

The government's defence seems to rely primarily on the distinction between a "private communication" and metadata (information about the source, address, route, etc. of a communication but not about its content, or other data, such as geolocation information, transmitted by computers and smartphones and software applications). Despite its potential to reveal a vast array of private information about individuals, metadata, the government argues, is subject to much less stringent laws and rules concerning its collection, use, retention, and provision to others.

The distinction has always mystified me a bit. Metadata is not a series of random bytes spewed into the ether for no purpose. It is information that is sent to or from a device for a reason, to tell a computer server what file to send, to tell a router where to send a packet, to provide billing information to a telecommunications provider, to provide phone book data to an app provider for resale to others, or whatever. All of those exchanges of data are communications between an individual who (wittingly or not) has consented to the provision of that information to a company, or communications between companies, or internal communications within a company.

In the Criminal Code, "private communication" means "any oral communication, or any telecommunication, that is made by an originator who is in Canada or is intended by the originator to be received by a person who is in Canada and that is made under circumstances in which it is reasonable for the originator to expect that it will not be intercepted by any person other than the person intended by the originator to receive it...."

So why would a metadata communication that originates or ends in Canada not be a "private communication"? Some metadata communications may be quite distant from any direct human agency, and perhaps the claimed distinction lies somewhere in that fact, but if I dial a number on my telephone am I not communicating with the telephone company to ask it to connect me to a specific other phone? Is there any valid distinction to be drawn between that communication and asking an operator to make the connection for me? If I click on a hyperlink, am I not communicating with a computer server at some other location to ask it to send me a file?

Anyway, I'm not a lawyer, and the ways of the law are strange and mysterious to me.

Privacy lawyer David Fraser is a lawyer, however, and he concludes that CSEC has no legal authority to collect metadata (including WiFi) of Canadians without a warrant.

See also the B.C. Civil Liberties Association's response to the controversy: "Canada’s illegal spying on airport travellers must stop: BCCLA," 31 January 2014.

The question of lawfulness is of vital importance, and we need a definitive answer concerning the kinds of activities CSEC and other government agencies are permitted to undertake.

But lawfulness is not the only important question.

Let's assume for the moment that the government's secret interpretation of Canadian law does in fact allow for CSEC to conduct the kind of operations described in the leaked document, and let's assume further that this secret interpretation would in fact be upheld by Canadian courts if put to the test (we may soon find out as a result of the BCCLA's case).

Personally, I have little doubt that the government does believe that it has been acting legally.

But if CSEC's actions in this case have in fact been lawful, what does that mean for Canadians?

It means:

1) CSEC can legally obtain, analyze, use, retain, and share bulk metadata concerning communications and non-communications activities that take place in whole or in part in Canada, irrespective of the nationality of the participants in those activities and with no apparent upper limit. It might very well be legal for CSEC to obtain, analyze, use, retain, and share, without any kind of judicial warrant, all of the communications and non-communications metadata generated in Canada or transmitted into or through Canada. (There are privacy rules that apply to information concerning Canadians obtained by CSEC, but their principal effect is to require that such information be used, retained, shared, etc. only if it is relevant to the purposes for which it was collected. The rules also require that Canadian identity information be withheld except when it is needed to understand the information.)

2) Such activities can be conducted under CSEC's foreign intelligence mandate without violating s.273.64(2)(a) of the National Defence Act, which requires that CSEC's foreign intelligence activities "shall not be directed at Canadians or any person in Canada". In other words, while this provision may prevent CSEC from singling out a specific, individual Canadian for targeted monitoring (such monitoring would have to be done through other legal processes), it does not, contrary to what any reasonable Canadian might have thought, present any impediment to CSEC collection of vast amounts of information generated by or about Canadians in Canada or abroad or any person in Canada, even if the goal is to analyze activities that are taking place in Canada.

3) It is possible that such metadata could also be made available to other agencies of the government in the performace of their duties. Unlike CSEC, federal law enforcement and security agencies such as CSIS and the RCMP do have the mandate to target individual Canadians. They require judicial warrants to conduct intrusive investigations, but they do not require warrants to use non-intrusive investigative techniques. And CSEC is legally empowered under part (c) of its mandate to "provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties." As CSEC has noted, such agencies "must have the proper legal authority, such as a warrant from a court"; however, as the phrase "such as" indicates, not all such activities require a warrant. Does CSIS require a warrant to analyze metadata (or receive the results of such analyses)? Does the RCMP?

Maybe all of the above is in fact legal.

But, if so, is that supposed to reassure us?

Update 4 February 2014:

The CSE Commissioner says it's all good: "Statement by CSE Commissioner the Honourable Jean-Pierre Plouffe re: January 30 CBC story," 31 January 2014.


Post a Comment

<< Home