Thursday, February 13, 2014

Q: Why did CSEC spy on Canadian wi-fi? A: It's all good!

The CSE Commissioner has updated his earlier comments on the legality of CSEC's wi-fi metadata spying (previous discussion here, here, here, and here). Yesterday, the Commissioner, or his office, added an additional question and answer addressing the issue to the Commissioner's Frequently Asked Questions page:
The Commissioner’s office has been briefed by CSEC about the metadata activity referred to in the CBC story. We questioned CSEC employees involved in the activity and who prepared the presentation, and we examined results of the activity.

This activity is used by CSEC to understand global communications networks. We concluded that this CSEC activity does not involve “mass surveillance” or tracking of Canadians or persons in Canada; no CSEC activity was directed at Canadians or persons in Canada.

We are also satisfied that the details and explanation that the Chief of CSEC provided on February 3, 2014, before the Senate Committee on National Security and Defence are accurate.
The Commissioner's answer also asserted flat out that
If CSEC were tracking the movements, on-line or other activities of persons at a Canadian airport, that would be illegal.
The claim that CSEC's activities in this affair have been legal hinges, first and foremost, on a secret (and judicially untested) interpretation of the term "directed at", as explained in an excellent post by law professor Craig Forcese ("Faith-based Accountability: Metadata and CSEC Review," National Security Law blog, 13 February 2014):
I don't know enough about the technology to have an opinion on whether the CSEC program involved "tracking". Whether it was "mass surveillance" is, I suppose, in the eyes of the beholder, since this is a colloquial and not a legal concept. But when the Commissioner says "no CSEC activity was directed at Canadians or persons in Canada" this is a legal judgment -- this language circumscribes CSEC's foreign intelligence mandate in its governing legislation.

I have struggled with what this phrase means, speculating on tools of statutory interpretation that might favour a government view on the reach of "directed". But even then, my imagination has failed to find ways to make even a narrow view of "directed" line up with what seem to be the core facts: information was collected by CSEC from a Canadian airport that, by definition, came (exclusively, I would think) from Canadians or persons in Canada. I do not think it makes any legal difference from a CSEC mandate perspective if this information was extracted from a willing (or unwilling) third party, or that it was archived and not real time.

But it is very possible I am wrong. There is only so much one can say conclusively when confronted with the inequality of arms in this most secret of areas. But legal doubts need to be assuaged with real law. And so the government needs to show its legal cards. It is long past the time when a bare assertion of legality suffices, when that assertion is based on a legal theory that no one outside of government has seen.
The relevance of the question extends far beyond the brief wi-fi analysis experiment reported by the CBC. What is at stake is whether the term "directed at" allows only a limited and carefully conscribed window into the communications and non-communications activities of Canadians/persons in Canada or has the effect of throwing open the barn door to the wholesale collection, analysis, use, retention, and sharing of vast quantitities of metadata or other information, including potentially "private communications", by or about Canadians.

The National Defence Act requires both that CSEC's foreign-intelligence-related collection of "private communications" be "directed at" a foreign entity outside of Canada and that its collection of other kinds of information not be "directed at" Canadians or persons in Canada. In both cases, the meaning of "directed at" is fundamental.

The CSE Commissioner's support for CSEC's actions in the wi-fi affair seems to mean that he and CSEC agree that "directed at" is not a simple synonym for selection of communications based on the identity/location of the communicants. It seems to refer not to who is communicating but to the kind of information being sought. And if that is true, then (in the government's view) the legal door may be open to the processing of every single "private communication" made by Canadians -- as long as the purpose of the activity is to collect information related to foreign entities located outside Canada.

And the door to the processing of metadata and other kinds of information that the government does not consider to be "private communications" could be open even wider, requiring only that CSEC's actions not be specifically directed at obtaining information about Canadians or persons in Canada. Collection of all metadata produced in Canada might be conducted, for example, as part of the global collection of such data in order "to understand global communications networks" (the purpose, according to the Commissioner, of the wi-fi experiment).

It is worth recalling at this point that there is no evidence that the metadata used in the wi-fi experiment was collected specifically for that experiment. It appears, instead, to have been drawn from an existing metadata database that almost certainly extends far beyond the several Canadian airports, hotels, businesses, coffee shops, and other locations where the monitored devices were detected and also almost certainly extends far beyond the two-week window of the experiment.

Is CSEC currently collecting a comprehensive, or near comprehensive, or any kind of ongoing database of metadata concerning communications-related activity in Canada? And is it analyzing those activities for information relevant to its foreign intelligence targets, such as visits to websites associated with suspect causes?

And what about the "private communications" of Canadians? If "directed at" is not a synonym for selection of communications based on the identity/location of the communicants, then monitoring "directed at" Al Qaeda (a foreign entity located abroad), for example, could very well include the processing of Canadian "private communications" for suspicious content even when no known foreign suspect is a party to the communication. (And nothing says the target of the monitoring has to be a terrorist group; it could be, as an earlier commenter here suggested, the European Union, or one of any number of other foreign intelligence targets.)

The CSE Commissioner has stated that "The number of communications with a Canadian end (a “private communication”) that are unintentionally [sic] intercepted, and used or retained by CSEC under SIGINT ministerial authorizations, is small; the number is small enough that the Commissioner is reviewing all of these private communications". This is an important reassurance, but "used or retained" refers to those communications that CSEC determines to contain information pertinent to its foreign intelligence targets; clear statements about how many Canadian "private communications" are actually processed in order to find those that are used or retained are much harder to find.

And even if the number actually being processed is also currently small, as may well be the case for reasons of technology or policy or whatever, it is vitally important to know where the line that defines what is legal is drawn. Exactly what, in the view of the government and of the CSE Commissioner, can CSEC legally do? Technology and policy can change, and they can do so far from the public eye. The sole aspect of CSEC's behaviour for which the CSE Commissioner has a mandate to hold CSEC to account is the legality of that behaviour. And a reassurance in that regard means nothing if we have no idea what behaviour may be regarded as legal.

Nor, it could also be pointed out, are any of the Commissioner's reassurances useful if we have no way to interpret what he is saying.

When the CSE Commissioner can tell Canadians that a CSEC activity that apparently drew on a massive database of metadata concerning the activities of Canadians and other persons in Canada, assembled a set of user IDs seen at a Canadian airport, and then followed those IDs backward and forward in time to a variety of different Canadian locations "[did] not involve 'mass surveillance' or tracking of Canadians or persons in Canada" -- when the Commissioner can assure us that "If CSEC were tracking the movements, on-line or other activities of persons at a Canadian airport, that would be illegal" and then go on to assert that CSEC's wi-fi experiment doing just that was not illegal -- it is clear that we are not using a shared vocabulary.

Dear CSE Commissioner: We cannot know your meaning unless we share a vocabulary. If we do not know your meaning, your assurances are meaningless.

News coverage:

- Jim Bronskill, "Watchdog review clears spy agency's experiment with airport Wi-Fi data," Canadian Press, 13 February 2014
- Stewart Bell, "Spy agency did not illegally snoop on Canadians over airport Wi-Fi: watchdog," National Post, 13 February 2014

Update 14 February 2014:

- "Watch the metadata-gatherers closely," editorial, Globe and Mail, 13 February 2014
- Noushin Khushrushahi, "Guard dog or watchdog? It’s time to set the story the straight about CSEC spying,", 13 February 2014

Further update 14 February 2014:

- Greg Weston, "CSEC exoneration a 'mockery of public accountability'," CBC News, 14 February 2014


Anonymous Richard Roskell said...

Hi Bill, excellent comments on the issues at stake.

In my view the only interpretation of the term, "directed at" that's internally consistent with CSEC's enabling legislation is as you're hypothesizing.

"Directed at" refers ONLY to the information that's being sought concerning a foreign entity. It does not refer to the communicators of that information.

Article 273.64 of the NDA gives the first hint of this reality. CSEC's foreign intelligence gathering...

"(2) ...
(a) shall not be directed at Canadians or any person in Canada; and
(b) shall be subject to measures to protect the privacy of Canadians in the use and retention of intercepted information."

The only reason subsection (b) is necessary is because Canadian communications ARE being intercepted and analyzed. The interceptions aren't "directed at" a Canadian, they're seeking information about a foreign entity. When the interception takes place, unspecified measures are taken to protect the privacy of the Canadian communicator.

But as I said, that's just the first hint of what "directed at" means to CSEC. But in Article 273.65, the meaning becomes clear. Article 273.65 allows CSEC, under direction of the Minister, to specifically target private Canadian communications. In 273.65 (2a) the legislation further states that, "the interception will be directed at foreign entities located outside Canada." In other words, CSEC does not consider intercepting Canadian communications to be 'directing' their inquiry at Canadians, as long as the information ultimately being sought is about a foreign entity.

I believe the only logical conclusion is that CSEC believes it has the authority to intercept, through mass surveillance, ALL Canadian communications and analyze them for information related to foreign intelligence. These mass intercepts are subject to unspecified measures to protect the privacy of individual Canadians. CSEC also has the authority, when so directed by the Minister, to specifically target the communications of individual Canadians and people in Canada, again as long as the information being sought is related to a foreign entity.

I believe the above to be the case because it's the only interpretation that's internally consistent under CSEC's enabling legislation and mandate.

February 19, 2014 2:58 pm  

Post a Comment

<< Home