Friday, October 24, 2014

Forcese on CSEC and the law

In a presentation to the SERENE-RISC cybersecurity conference on October 22nd, law professor Craig Forcese provided a very useful explanation of the current state of Canadian law pertaining to communications surveillance and privacy, including the implications for CSEC ("Does the State Belong in the Computers of the Nation? Legal Developments in Cybersurveillance," National Security Law blog, 23 October 2014).

The section pertaining to CSEC is excerpted below with a few of my own comments added, but the entire presentation is worth reading:
[I]n 2001, after 9/11, the National Defence Act was amended to codify formally the intercept powers of Communications Security Establishment Canada. Of particular note, the new law opened the door to lawful intercept by CSEC of Canadian “private communications” as part of its so-called Mandate A – that is, collecting foreign signals intelligence.

Up until this point, had CSEC intercepted Canadian private communications in performing this function, it would have committed a crime under Part VI of the Criminal Code. After 2001, CSEC was exempted from Part VI so long as the Minister of National Defence authorized any intercept of private communications.
My comment: There is every reason to believe that CSEC did in fact sometimes inadvertently collect private communications in the years prior to those changes. However, it was never accused by the CSE Commissioner of having broken the law in those instances, presumably because Part VI applies only to those who "wilfully" intercept a private communication. As the Commissioners were able to confirm, CSEC worked actively to avoid such collection as much as possible. No such measures were ever likely to be perfect, however. As the Commissioner's 2000-2001 report noted,
Despite the efficiencies inherent in new technologies, CSE is still likely to receive inadvertently some small amount of Canadian communications. Moreover, each new collection system or technique that comes on stream seems to bring with it this potential. However, CSE is well aware that it must continually upgrade its capabilities to screen out Canadian communications or risk acting unlawfully if it does not make every effort to do so.
The big problem for CSEC in 2001 was not that inadvertent collection of the occasional private communication might place the agency in legal jeopardy; it was that CSEC was not permitted to collect communications into Canada involving its foreign intelligence targets, no matter how potentially important (say, a phone call from Osama bin Laden to a phone number in Ottawa) and that even if it did inadvertently collect such a communication it would not have been permitted to use or retain it.

That's what the ministerial authorization regime was designed to change.

Back to Forcese:
Obviously, the fact that authorization comes from the minister, and not a judge, places CSEC on a fundamentally different footing than the police or CSIS. Moreover, unlike CSIS or Part VI authorizations, CSEC authorizations are more generic permissions, relating to an “activity” or “class of activity” and not to a specific individual or individuals.
I would just interject here, for those who may not be following the issue, that in the government's view the activities or classes of activities specified in these authorizations pertain to the nature of the monitoring activity to be conducted, not the nature of the activity being monitored. CSE Commissioners have long disagreed with CSEC on this question, and have called for amendments to the National Defence Act to clarify its meaning. See here, for example.

Back to Forcese:
And in terms of transparency, the CSEC review body tells us how many ministerial authorizations exist, but we know nothing about their content (which rests a closely guarded secret).

These differences in the CSEC lawful access regime [in comparison to those applying to CSIS and law enforcement agencies] likely reflected the perception that CSEC’s eyes were outward looking, focused on foreign signals intelligence that only incidentally and haphazardly swept up domestic communications. Conventional privacy protections could, in these circumstances, be muted.

Much has since been said and debated in the post-Snowden period as to what CSEC does and does not intercept, and how and in what circumstances it captures private communications. I will not rehearse that saga here.

Instead I make my key point: since 1974, the scope of lawful access has gone from: first, police investigating crime and intercepting with specific judicial authorization that then is subsequently disclosed; second, CSIS investigating security intelligence matters and intercepting with specific judicial authorization, that is never disclosed, and; third, CSEC collecting “foreign intelligence” by intercepting private communication (at least incidentally) with more generic authorization, not from a independent judicial officer, but from a member of the political executive, that is never disclosed.
Proceeding on, Forcese notes that
In the result, we have a system of surveillance law designed for a criminal law paradigm, tweaked to deal with security intelligence and essentially abandoned in all material respects for foreign signals intelligence.

This may have been sustainable in a period when the world partitioned neatly into these three categories. However, since 9/11, national security – and specifically anti-terrorism – concerns have become increasingly hybridized criminal/security intelligence/foreign intelligence issues. In actual surveillance practice, it is apparent that the foreign intelligence/security/crime boundary is murky. For instance, there has been some controversy in the past between CSEC and its review body about whether some CSEC activities truly amount to foreign intelligence gathering.

That particular concern seems now to have been resolved. More recently, however, controversy over CSEC’s metadata collection activity reflects a second notable development since the 1970s: how technological change has undermined a privacy regime first constructed for a simpler communications age. By all reasonable accounts, metadata – especially when pooled with Big Data – can be even more revealing of human behaviour than even intercepted communication content. Yet, the government seems regularly to take the view that metadata is not private communication, as a legal matter.

I dispute this particular conclusion in 12,000 words or less in an article that will appear in due course. However, to the extent this position animates inside-government approaches on this issue, it has the effect of making the privacy protections in Part VI irrelevant. Indeed under this reasoning, CSEC doesn’t even need a ministerial authorization for its metadata intercepts.

In the result, we have intercepts of potentially revealing information with no advance judicial or even legally mandatory ministerial oversight, and no formal disclosure requirements of any sort. (One counterargument is that the review bodies serve as the public’s proxies in holding the security services to account. I do not dismiss their significance. In the area of privacy, they are, however, irrelevant. The cardinal principle of privacy protection in Canadian law is advance authorization of invasions of privacy by an independent judicial officer, not after the fact criticisms by an arm’s length wing of executive government.)
Looking to the future, Forcese argues that the Supreme Court's recent Spencer ruling has
obvious implications for security surveillance by CSEC. The Supreme Court is prepared to extend section 8 protections to the most benign data -- name and address and telephone number -- associated with an IP address.

It is inconceivable to me that it will now demur when it comes to other, even more intimate forms of metadata created by modern communication -- geolocations, place called, duration of calls, websites surfed etc. While the degree of privacy protection will always depend on circumstances, I think the constitutional die is now cast when it comes to the sorts of metadata most contentious in the post-Snowden debates.

We don't know, of course, what CSEC (and perhaps other agencies) have been in fact collecting under the umbrella of "metadata". Nevertheless, the concept is so broad and Spencer so dramatic, that I assume at least some of what the government has in the past collected is now subject to the full protections of section 8.

And so putting CSEC’s activities on a sounder constitutional footing will require amendments to its governing statute. In this respect, I strongly support the private member’s law project tabled by Joyce Murray -- Bill C-622 [discussed here], now reaching second reading in the Commons. Among other things, this bill would graft a modified judicial warrant regime on CSEC activities. I would encourage those of you with an interest in this area to review this bill, and if you can, support it. When this bill was first tabled before Spencer, I believed it was constitutionally necessary, as well as good policy. Spencer more than affirmed that belief. I confess surprise and disappointment that the government has not moved itself to place CSEC intercept of private communications on a firmer constitutional footing, not least because the BC Civil Liberties Association is suing it over the issue. Regularizing the accountability process around intrusive and secretive surveillance seems an issue that transcends most conventional political boundaries.
It will be interesting to see if the legislative amendments soon to be introduced by the government address the collection of metadata and, more broadly, CSEC's overall intercept (and oversight) regime.

It wouldn't hurt if the government demonstrated some genuine respect for the role of the CSE Commissioner and also moved on the amendments to the National Defence Act that Commissioners have long called for. (More here.)


Post a Comment

<< Home