Sunday, June 22, 2014

CSEC is "Strategic Partner" of Special Collection Service



More evidence of CSEC's covert collection activities at Canadian diplomatic facilities: This slide from a March 2011 presentation on the Special Collection Service, the joint NSA-CIA organization that oversees SIGINT collection in U.S. diplomatic facilities, shows that CSEC is one of the Second Party agencies with which SCS has "Strategic Partnerships". Although not listed by name on the slide, CSEC's role is confirmed by the illustration, which includes the logos of four of the Five Eyes agencies: NSA, GCHQ, DSD (now ASD), and CSEC.

The 2011 presentation, one of the documents leaked by Edward Snowden, was published last week by Der Spiegel.

Earlier reporting by Der Spiegel confirmed that CSEC operates collection sites in unspecified Canadian diplomatic facilities and that the U.S., U.K., and Australia do likewise in their own facilities. The installations are known as STATEROOM sites by the Five Eyes.

The absence of GCSB from both documents suggests that New Zealand's agency, which is much smaller than the other Five Eyes agencies, does not operate its own embassy collection sites.

Saturday, June 21, 2014

CSEC not trusted by Canadians

A recent Forum Research poll examining Canadians' attitudes towards privacy indicates that CSEC is among the least-trusted institutions in the country—as far as protection of our private data goes.

According to the poll, only 8% of Canadians trust CSEC "a great deal", while another 31% trust the agency somewhat. By contrast, 29% do not trust the agency much, and 12% do not trust it "at all". The remaining 19% of respondents said they "don't know".

If these figures can be taken to mean that more than 80% of Canadians have actually heard of CSEC, then clearly the publicity storm of the last year has had a significant effect.

Trust in CSEC is greatest among Conservative supporters (47% trust CSEC a great deal or somewhat) and, surprisingly, Bloc Quebecois supporters (43%). The latter number suggests that CSEC has finally overcome the once-widespread (but unfounded) suspicion that the agency spies extensively on Quebecers. The trust numbers among supporters of the other parties are 41% for the Liberals, 39% for the NDP, 31% for the Greens, and 26% for all other parties.

Family doctors were the most trusted institution among the choices presented in the poll: 61% of Canadians trust their family doctors with their data a great deal, and another 30% trust them somewhat.

Even CSIS is more trusted than CSEC: 23% trust CSIS a great deal and 31% trust it somewhat.

Full details of the poll here.

The poll also reported on Canadians' attitudes towards Bill C-13, the so-called Cyberbullying Bill.

Further discussion:
Ben Makuch, "Canadians Don't Trust the Harper Government's New Cyberbullying Bill," Motherboard, 20 June 2014.

Friday, June 20, 2014

Private member's bill seeks greater oversight of CSEC

Liberal Defence critic Joyce Murray has introduced a private member's bill designed to improve oversight over CSEC (Jim Bronskill, "Bill aims to make e-spies more accountable," Canadian Press, 19 June 2014):
A private member’s bill sponsored by the Liberal defence critic would bolster oversight of Canada’s electronic eavesdropping agency by transferring some ministerial powers to the courts.

Joyce Murray’s bill tabled Thursday also proposes requiring Communications Security Establishment Canada, known as CSEC, to issue an annual public report.

In addition, the legislation would create a security-cleared committee of parliamentarians to keep a watchful eye on Canadian intelligence activities.

...

Murray says her bill would restore public trust in an agency she considers vital to protecting the security of Canadians by:

— Forcing the defence minister to apply to the Federal Court for an order authorizing CSEC to intercept communications when there is a chance Canadians’ private exchanges may be swept up.

— Strengthening obligations to destroy unnecessary information about Canadians in a timely way.

— Requiring the CSEC chief to keep a record of each request the agency receives for technical or operational assistance from a federal police or security agency.

Private member’s bills rarely become law, and the Conservatives have already indicated they do not support the idea of creating a full-fledged national security committee of parliamentarians.

...

Murray’s bill would broaden the commissioner’s mandate — for instance by requiring the watchdog to report not just on compliance with the law but on all court orders and ministerial directives.

It would also ensure the commissioner’s annual report was sufficiently detailed “to meaningfully inform Parliament and the public on matters of public interest.”

The legislation is timely and ambitious, said Wesley Wark, a University of Ottawa intelligence expert whom Murray consulted in preparing the legislation.

“It takes stock of all that we have learned about global electronic surveillance practices from the Snowden revelations and tries to find a Canadian fix,” he said.

“Even if the bill is ultimately not passed it will generate a much needed public debate in Canada about the democratic limits that need to be placed on an intelligence agency.”
The full text of Murray's bill, Bill C-622, can be found here. The section concerning the creation of a dedicated oversight committee composed of MPs and senators is an improved version of Wayne Easter's Bill C-551, which was introduced in November 2013.

It's refreshing to see members of parliament grappling seriously with the issues surrounding CSEC and drawing on outside expertise to get a better understanding of what the agency does and how its activities might better be overseen.

Further coverage and commentary:
- Giuseppe Valiante, "Liberal MP tables bill to tighten CSES's spying," Toronto Sun, 19 June 2014
- Tamir Israel, "Private Member Bill Attempts to Bring CSEC Under Control," CIPPIC blog, 18 June 2014

[Update 10 October 2014: There is some possibility that Murray's private member's bill will be ruled out of order, which would prevent it from being voted on. See Kady O'Malley, "Liberal MP's CSEC oversight bill may be nixed by House Speaker," CBC News, 8 October 2014. Not that there has ever been much chance of the bill passing a vote anyway, given the government's evident opposition to action on this issue.]

See also Colin Freeze, "Canadian agencies’ warrantless snooping on shaky legal ground, critics warn," Globe and Mail, 19 June 2014. Freeze's article notes the Murray bill but focuses on the questionable legality of current data accesses by CSEC and CSIS:
Canadian spies who snoop on citizens’ Internet and phone records without a warrant risk running afoul of the law if they do not change the way they operate, critics say.

Like police agencies at home and spy agencies abroad, the federal government’s two main intelligence services are being forced to adjust to a climate of growing privacy concerns.

...

Critics say CSEC’s legal foundations are shaky and fixes are needed. “The government has been operating on a theory that what they’re collecting is something magical that doesn’t attract a reasonable expectation of privacy,” said Craig Forcese, a law professor at the University of Ottawa.

Secret hearings and secret authorizations have long shielded intelligence-agency practices in Canada from public view, yet new Conservative legislation and last week’s Supreme Court rulings have helped bring broader issues to the fore.

Tuesday, June 17, 2014

Implications of Supreme Court ruling for CSEC

Law professor Craig Forcese discusses the implications for CSEC operations of the Supreme Court's recent R. v. Spencer ruling ("Why Spencer Changes the Playing Field for CSEC & National Security Spying," National Security Law blog, 17 June 2014):
The decision affirms the views I expressed in my draft article on CSEC and constitutional search and seizure rules (and requires me to shorten and make even more emphatic parts of this article prior to publication). But it goes much further than I thought likely in entrenching constitutional protection for the penumbra of data that surrounds communication. The Supreme Court is prepared to extend section 8 protections to the most benign data -- name and address and telephone number -- associated with an IP address and which everyone appreciates a telecommunication company collects for billing purposes.

It is inconceivable to me that it will now demur when it comes to other, even more intimate forms of metadata created by modern communication -- geolocations, place called, duration of calls, websites surfed etc. While the reasonable expectation of privacy will always depend on the totality of circumstances, I think the constitutional die is now cast when it comes to the sorts of metadata most contentious in the post-Snowden debates.

We don't know, of course, what the government has been in fact collecting under the umbrella of "metadata". Nevertheless, the concept is so broad and Spencer so dramatic, that I assume at least some of what the government has in the past collected in the apparent belief that it does not attract a reasonable expectation of privacy is now subject to the full protections of section 8.

As I discuss in my paper, I do not believe that it matters in the CSEC context that CSEC may be collecting Canadian origin information under its "Mandate A" incidentally, or for a national security purpose. Neither of those concerns is a conventional justification for warrantless searches, nor does either necessitate a judge-free intercept system for any practical purpose.

In this last respect, there is no technical reason why a judge couldn't be tasked with the approval process currently conducted by the minister as part of the ministerial authorization of private communication interceptions. And that authorization could easily be broadened to cover authorizations for all intercepts that trigger section 8, not just "private communication". (As I argue in my paper, I think the latter reaches metadata, but there is not one-for-one overlap in all instances between private communications and section 8's requirements.)

The Lawsuits

Putting CSEC on a constitutional footing will require amendments to the National Defence Act.

More generally, after Justice Blanchard and Justice Mosley's decisions in relation to CSIS extraterritorial surveillance, after Spencer, after Snowden, it is abundantly clear that Canadian national security surveillance law needs legislative renovation. Our national security surveillance laws give every impression of now being a patchwork of untenable theories whose persistence depends almost entirely on them not getting in front of a court. And the era of none of this being fodder for courts is now at an end.
Worth reading the whole piece.

Sunday, June 08, 2014

CSEC confirms collection of economic intelligence

The CSEC Q&As document I discussed a few days ago contains a short section acknowledging that CSEC does indeed collect economic intelligence, but asserting that such intelligence is not used to provide a "competitive advantage" to Canadian companies (see page 11 of the document):
In Canada, foreign signals intelligence exists to support the Government in the pursuit of its national interests within the scope of defence, security and international affairs. This includes economic interests because in any state a strong economy is integral to national security. For instance, intelligence on economic matters can provide us early warning of impending international financial crises, or provide insight into terrorist financing.

However, it should be clearly understood that Canada's foreign signals intelligence activities are NOT used to provide Canadian private companies with any competitive advantage. Private businesses, here in Canada or anywhere, should compete fairly in the global marketplace on the merits of their own offerings, without any assistance provided by state intelligence capabilities.
This statement is much clearer than the other, rather elliptical statements CSEC has made on this topic, and it lays to rest the question of whether or not CSEC does collect economic intelligence (see earlier discussion here, here, here, here, and here.)

Many people, including at least two of the senators who have examined CSEC in recent years, do not believe CSEC's claim that economic intelligence is never used to benefit Canadian companies. Several specific instances of such assistance have been alleged over the last few decades, but no case has ever been officially confirmed, and mostly these instances involved quasi-public enterprises rather than private companies. CSEC's statement doesn't make any assurances about public sector activities.

As others have noted, there are several reasons why assistance is not likely to be directly provided to private corporations on a large scale. First of all, many companies have global operations and global ownership these days, and the nationality of their head office does not necessarily indicate whether assistance to that company would help the Canadian economy as a whole. Second, the fact that many of the competitors that Canadian companies face are companies based in Canada's Five Eyes allies clearly limits the extent to which CSEC could draw on its partners' capabilities for such purposes. The danger of embarrassing and costly leaks would also be great if such information were widely shared.

There is also probably some genuine ideological commitment on the part of recent governments to the idea that the free market should be permitted to choose economic winners and losers on their own merits, as the final sentence of CSEC's statement asserts.

That same commitment, however, could also be used to justify some commercial intelligence gathering. CSEC states that economic intelligence is not used to "provide Canadian private companies with any competitive advantage". But what about situations where a Canadian company may be at an unfair disadvantage, as for example when a foreign competitor subverts the competition by bribing the buyer? The CSEC statement does seem to leave open the possibility of action to level the competitive playing field. The U.S., which also denies gathering economic intelligence to provide an unfair advantage to American companies, has acknowledged doing this kind of monitoring.

Principles only go so far with most governments, however, and there does seem to be reason to suspect that when the stakes are high enough, say billions of dollars in contracts or thousands of jobs in a key industry, a helpful word may get whispered in a crucial ear from time to time in both countries, not just to level the playing field but to tilt it in favour of the home team.

CSEC had a "Business Support Unit" in the mid-2000s. It would be interesting to know if this unit or something similar still exists and, if so, what precisely its function is.

Saturday, June 07, 2014

May 2014 CSEC staff size

2134.

(If you click through on the link and get a different figure, it's probably because the Canada Public Service Agency has updated its website; they update the numbers once a month.)

Tuesday, June 03, 2014

The best oversight hearing parliament (n)ever held

As most observers will confirm, parliamentary oversight of the Canadian intelligence community is sadly inadequate. Question period is useless for discussing intelligence matters, few MPs and Senators ever develop any expertise on intelligence-related issues, and the various committees that ostensibly watch over our intelligence agencies spend next to no time examining their activities and have no ability to look at classified information. Efforts to create a special committee dedicated to monitoring the intelligence community and empowered to examine classified information, similar to those that already exist in Canada’s intelligence allies, have foundered on the current government’s unwillingness to act.

With the government refusing to budge, the prospects for early improvement of parliamentary oversight in Canada do not look good. But a document recently obtained through the Access to Information Act by Globe and Mail reporter Colin Freeze may show the way to an easy means of significantly improving the quality of existing oversight.

What Freeze obtained was a briefing document for CSEC Chief John Forster that contains prepared answers for questions that CSEC thought might arise during the Chief’s appearance before the Senate Committee on National Security and Defence in February.

That meeting was highly unusual in that it was dedicated to discussing CSEC and the broader intelligence community. More typically, the Commons and Senate committees that ostensibly watch over CSEC—and are also expected to monitor the entire field of Canadian defence policy, the operations, equipment, training, and welfare of the Canadian Forces, and everything else that falls under the auspices of the Department of National Defence and its $18-billion annual budget (and, in the case of the Senate committee, the rest of the security and intelligence community)—pay little or no attention to CSEC.

Even when CSEC does come up, the discussion is typically brief and superficial. Chief Forster was present, for example, at the meeting of the House of Commons Standing Committee on National Defence last week when it discussed defence-related spending estimates, but CSEC came up only twice during the meeting, in softball questions asked by a Conservative MP. Nothing substantive was discussed about the agency, and Defence Minister Rob Nicholson did all the talking; Forster never said a word.

Except for the rare occasions when CSEC finds itself in the headlines, parliament’s “oversight” mechanisms simply don’t have the time or necessary focus to keep a regular eye on the agency and elicit important information about its activities (or those of the other members of the intelligence community).

As a result, the 87 pages—87 pages!—of answers that were prepared for Forster in February have gone largely unused. The hot topic of the “airport wi-fi” study did get extensively discussed at that meeting, but the great bulk of the information in Forster’s prepared answers was never provided to parliamentarians and thus never placed on the public record.

Until now.

To me, this Q&As document represents the most informative CSEC oversight hearing that parliament has (n)ever held.

The document not only contains information about CSEC’s wi-fi study, which did get extensively discussed at the meeting, it also contains a wide variety of other information about the agency and its activities, much of which has never been published before, ranging from minor facts about the organization (e.g., CSEC’s legal office has eight[!] Department of Justice lawyers working in it) to an explanation of the different cost estimates for CSEC’s new headquarters and a discussion of why and in what ways CSEC collects economic intelligence.

Want to know the basis for CSEC’s claim that no Canadians were “tracked” during the wi-fi study? That’s in there too.

According to the Q&As document,
If CSEC were to track anyone, as we do with legitimate foreign targets outside Canada:
- We would need to know who they are;
- We would need to actively locate and find the individual; and
- We would need to monitor their movements in real-time.
So it’s all about the definition of the word. Yes, CSEC did analyze data to determine the changing locations of specific electronic devices at different times, and, yes, it is often possible for CSEC to identify the owner/user of such devices, but individual identities were not determined in this study, no specific individuals were “actively located and found”, and the study was done after the fact, not in real time. So no “tracking” was done.

You and I may call it tracking, but by CSEC’s definition (and apparently that of the CSE Commissioner), tracking was not done.

Agree with it or not, this explanation is far more detailed and precise than any previous explanation of “tracking” on the public record, and it is helpful to know the basis of CSEC’s claim that no “tracking” took place.

Regular release of Q&A documents like this one would substantially increase the amount of information produced by our existing parliamentary oversight mechanism.

To be sure, regular publication of what is in many ways simply an extended CSEC FAQ, no matter how detailed, can never substitute for in-depth and appropriately skeptical questioning, with extended discussion and follow-up questions, by engaged parliamentarians. The document represents at most half of a good hearing—it’s more a contribution to the informational foundations for effective oversight than a contribution to oversight itself. And even in that respect it presents only CSEC’s side of the story, spun the way CSEC wants to spin it, with inconvenient details omitted and self-serving assumptions unchallenged.

CSEC’s explanation of its actions during the CSIS 30-08 warrants debacle, for example, conveniently omits the fact that CSEC official James Abbott’s testimony during the original hearing was, by his own later admission, “crafted” in order to avoid providing key information to the court, thus breaching his “duty of candour” to the court.

Nonetheless, the regular release and publication of Q&A documents such as this one could make a significant contribution towards improving oversight of CSEC. Such publications would not only significantly increase the amount of information available about these agencies, but by increasing the knowledge base available to parliamentarians and other interested observers they could also foster more sophisticated questioning and more valuable use of the discussion time available when CSEC’s Chief does appear before committees.

It might even be possible to establish an iterative process in which additional questions are communicated to CSEC prior to meetings, prompting it to prepare additional answers that, whether used in committee or not, subsequently become part of the published record and grist for additional questions.

None of this is intended as an argument against more substantive reform of parliamentary oversight, which is desperately needed in Canada and requires much more than just the publication of more information.

But if we can increase the amount of information generated through the existing system by ten or twenty or fifty times, why not make that a regular part of the way things are done?