Wednesday, January 29, 2014

Things to note in the government's response to the BCCLA lawsuit

The government's response to the B.C. Civil Liberties Association lawsuit against CSEC monitoring of Canadians (previously discussed here) contains quite a lot of interesting detail about CSEC operations, much of which is little known or understood and some of which I believe is new to the public domain.

Presented for your consideration, a selection of things you may not have known about CSEC operations:

1) There are four categories of information about Canadians that CSEC may end up collecting, using, retaining, and/or sharing abroad (private communications, Metadata, communications of Canadians abroad, and information "about" Canadians obtained from other communications), of which only the first requires a Ministerial authorization for CSEC to lawfully collect. All four kinds of information are subject to extensive privacy safeguards, but those safeguards do not prevent their collection, use, retention, or sharing with international partner agencies if the information is relevant to the government's intelligence or cyber protection requirements:
CSE shares foreign intelligence and cyber threat information with the Five Eyes to the extent authorized under the National Defence Act, and in accordance with Canadian national interests. The sharing of such information is further governed by international agreements, as well as domestic laws, policies and procedures, which include privacy safeguards with respect to private communications, Metadata, communications of Canadians abroad and information about Canadians.
2) The Ministerial authorizations that enable CSEC to intercept "private communications" lawfully when operating under the foreign intelligence and cyber protection parts of its mandate do not pertain to specific foreign intelligence targets, they pertain to methods of intercepting communications:
Ministerial authorizations relate to a specific method of acquiring foreign signals intelligence or of protecting computer systems (i.e., an activity or class of activities specified in the Ministerial authorizations). Ministerial authorizations do not relate to a specific individual or entity.
A single authorization might permit the monitoring of all Internet traffic, for example. (Intercept activities conducted under such an authorization would still need to be "directed at foreign entities located outside Canada", however.) There are currently four Ministerial authorizations in force, three related to foreign intelligence and one related to cyber protection. It is likely that collectively they cover all forms of communication that could contain "private communications" that CSEC might intercept.

3) Intercept activities conducted under the Ministerial authorizations related to cyber protection do not need to be directed at foreign entities outside Canada. They are, however, limited to communications with or related to Canadian federal government computer systems or networks:
CSE’s activities under its IT Security Mandate are directed at the acquisition of data, irrespective of its origin, that would potentially risk harm to the network being protected.... Where CSE activities under its IT Security Mandate risk incidentally intercepting private communications, the Minister issues an authorization under s.273.65(3) of the National Defence Act for the sole purpose of protecting the computer systems or networks of the Government of Canada from mischief, unauthorized use or interference... only when the Minister is satisfied that: (a) the interception is necessary to identify, isolate or prevent harm to Government of Canada computer systems or networks...
Note that only the Minister need be satisfied that these conditions (and suitable privacy protections) exist; the CSE Commissioner is empowered only to confirm that a cyber protection (or foreign intelligence) authorization is in place.

4) CSEC does not require a Ministerial authorization to acquire, analyze, use, retain, or share metadata. Among other uses, metadata is used to analyze communications patterns to identify individuals whose communications may be worth selecting for interception and to "filter" bulk-accessed communications streams to enable CSEC to select specific communications for interception:
The acquisition and use of Metadata is critical to the fulfillment of CSE’s mandate. Metadata is important in allowing CSE to: understand how telecommunications networks operate; distinguish foreign communications from private communications so that CSE can tailor its activities to its mandate while minimizing impact on the privacy of Canadians and persons in Canada; identify malicious foreign cyber activity; and better understand and discover foreign targets. Metadata allows CSE, usually through automated tools, to filter information found on the global information infrastructure without looking at the content of any communications.
The percentage of global communications that CSEC and its Five Eyes allies subject to metadata-based "filtering" is not known, but it is likely to be significant, and the goal of the agencies may well be eventually to subject 100% of global communications to filtering.

There is a big difference, of course, between filtering your communications and intercepting them, unless the filters end up selecting you for interception (which could be, for example, because you communicated with someone who communicated with someone who communicated with someone who has been identified as a foreign intelligence target).

5) The government's response to civil claim specifies that this discussion of metadata is limited to origin, destination, routing, call management data, etc., related to telecommunications:
For the purposes of the directives described in paragraphs 7 and 27-29 of the notice of civil claim, "Metadata" means associated with a telecommunication to identify, describe, manage or route that telecommunication or any part of it as well as the means by which it was transmitted, but excludes any information or part of information which could reveal the purport of a telecommunication, or the whole or part of its content. Any reference to Metadata in this response to civil claim will be to this definition.
Other forms of metadata collection, such as cellphone location data, which the Five Eyes agencies extensively collect, are not addressed in the government's response -- despite the fact that the B.C. Civil Liberties Association's complaint specifically included "geo-location information" in its definition of metadata.

[Update 25 September 2014: I think I was wrong on this point. The metadata used to route the telecommunication, which is included in the government's definition, would indicate the cellphone location.]

6) Nowhere in the government's response does it explicitly admit that in at least some cases it is well aware that a communication that it is collecting under its foreign intelligence mandate is a "private communication". It also fails to admit that it would choose to intercept some such communications even if it had the ability to avoid all of them. The impression that it appears to be trying to give the court is that "private communications" are only intercepted because it is impossible to avoid doing so in all cases:
It is not possible for CSE to completely avoid the interception of private communications. There were six Ministerial authorizations issued for under [sic] s.273.65(1) of the National Defence Act in 2011. For the twelve month period that they were in place, although incidental interception was authorized because it was impossible to know if a foreign entity would contact someone in Canada, for five of those Ministerial authorizations, no private communications were intercepted. For the remaining Ministerial authorization, the number of intercepted communications recognized as private communications that were used and retained by CSE was small....

In conducting activities under its Foreign Intelligence Mandate, CSE has no knowledge of who a targeted foreign individual or entity outside Canada will be communicating with, nor of the location of that other communicant. It is possible that a person in Canada may be the other party to a targeted communication.
In fact, in at least some cases, CSEC does have the ability to know before the interception of a communication that the other party is located in Canada. For example, in the case of a phone call to a fixed landline number in Canada, the call setup data transmitted in Signalling System 7 (which CSEC would have to monitor in order to select the call for interception in the first place) would indicate that the call about to be established was to a phone located in Canada.

In 2005, then-CSEC Chief Keith Coulter made it very clear that one of the reasons the Ministerial authorization system was established was specifically to enable the lawful interception of the communications of foreign targets into Canada, even though such communications are by definition private communications:
if we had a terrorist target abroad and it had a communication into Canada, we wanted to be able to acquire that. If there was an al-Qaeda target in a faraway place and they were communicating into a city in Canada, that was a communication we sought the authority, from Parliament, to acquire, use, and retain, and that's what it gave us [when it passed the Anti-Terrorism Act in 2001].
Nowhere in its statement of response does the government acknowledge this fact.

Which leads me to ask, has the government already forgotten the phrase "duty of candour"?

(My thanks to Canadian Press for sharing a copy of the government's response.)


Blogger 1337sewer said...

Hi, very informative blog post. Can you direct me to the source of the government's response to BCCLA's Notice of Claim?


April 06, 2014 9:25 pm  
Blogger Bill Robinson said...

Hi, Desiree.

I'm not aware of it being available online anywhere. E-mail me at the address listed in my profile and I will send you the PDF.

- Bill

April 08, 2014 12:42 pm  

Post a Comment

<< Home