Saturday, March 14, 2015

Does CSE comply with the law?

The Prime Minister and his ministers frequently reassure Canadians that they need not worry about the potential for misuse of CSE’s highly intrusive eavesdropping powers because the CSE Commissioner reviews CSE’s compliance with the law and has always declared CSE to be in compliance.

This April 2014 statement by then-Defence Minister Rob Nicholson is a good example:
Since 1996, a fully independent CSE commissioner—a series of esteemed retired or supernumerary judges—has regularly reviewed CSE activities for compliance with the law. The commissioner and his full-time staff and expert consultants have full access to all CSE personnel, systems, and documents. In more than 17 years, the commissioner has never found CSE to have acted unlawfully.
[As of January 2016, however, they'll have to stop saying "never" if they want to continue making such assurances.]

Such statements artfully avoid the fact that CSE is able to collect and analyze a surprisingly large amount of information about Canadians entirely legally, at least in the view of the government and the Commissioner. (Others are not so sure about the legality of such activities; see here and here for a couple of different views.)

But, still, the CSE Commissioner’s annual affirmation ought to have some reassurance value.

At least, it would if it actually meant what the government would like you to think it means.

If they had to guess, most people would probably imagine that the process of compliance monitoring looks something like this:

The CSE Commissioner examines CSE's activities during the year under review, determines whether or not they comply with the law, and reports his conclusions.

The reality is a bit more… complex.

A look at the reporting done by CSE Commissioners over the history of their operations suggests that the actual process looks more like this:

The following notes, keyed to the numbers in brackets in the flowchart, provide further explanation and some actual examples:

1: The first question facing the Commissioner is whether to even look at a particular activity of the agency. No review body can examine every activity undertaken at every moment by the agency it watches. CSE Commissioners prioritize the activities they review to try to cover the most significant risks, and anything not on their list during the current set of reviews goes unexamined.

As the Commissioner’s 2003-04 report explained,
I can report that the activities of CSE that my office reviewed during the past year complied with the law and with ministerial authority. It is important to place this assertion in context. It should not be taken to mean that I am certifying that all CSE’s activities in 2003-2004 were lawful. I cannot make this assertion, because I did not review all their activities—and no independent reviewer could. However, my office reviews a wide range of activities in considerable depth, based on our assessment of where the risks of unlawful activity are likely to be greatest. This is the appropriate context for the assurance my work provides.
Although not repeated in every report, the same caveat applies to every year's work by the Commissioner.

An example of one of the questions the CSE Commissioner has chosen not to address is CSE’s cooperation with CSIS to “craft” the affidavit and oral testimony that CSE provided to the Federal Court of Canada in 2009 in support of a CSIS application for a warrant to monitor Canadians traveling abroad. Justice Richard Mosley declared that CSIS’s failure to disclose to the court that the assistance of Second Parties would be sought in the execution of such warrants was a breach of its “duty of candour” to the court. He did not specifically characterize CSE’s behaviour, but he did note CSE official James D. Abbott's acknowledgement that his testimony was “‘crafted’ with legal counsel to exclude any reference to the role of the second parties”.

Is it legal to withhold relevant information from a judge in order to get a warrant approved? The CSE Commissioner has chosen not to report on this question.

2: The Commissioner’s ability to review CSE relies on the agency keeping meticulous records of its activities, and Commissioners frequently recommend ways to improve CSE’s record-keeping. Nonetheless, sometimes CSE’s records are missing or insufficient to enable the Commissioner to properly assess the legality of a CSE activity, as noted here:
[A]s I and my predecessors have noted in previous reports, inadequate or missing information in CSEC’s corporate records can impair my ability to conduct reviews and to determine whether CSEC’s activities comply with the law. This has left me, in some instances, in a position of providing only a negative assurance to the Minister that I have no evidence of non-compliance with the law, rather than providing positive assurance, supported by evidence of compliance.
A specific example of this problem was cited in the 2012-13 annual report:
I had no concern with respect to the majority of the CSEC activities reviewed. However, a small number of records suggested the possibility that some activities may have been directed at Canadians, contrary to law. A number of CSEC records relating to these activities were unclear or incomplete. After in-depth and lengthy review, I was unable to reach a definitive conclusion about compliance or non-compliance with the law.

3: The position of CSE Commissioner is occupied by a retired or supernumerary judge, but the Commissioner's office does not function as a court and the Commissioner is not empowered to make legal determinations. When the Commissioner concludes that an activity does not comply with the law but CSE and its Department of Justice legal advisors insist that it does, the Commissioner does not declare CSE non-compliant. Instead, he either refrains from issuing an assessment or bases his assessment on the CSE/DOJ interpretation pending further discussion.

In 2006-07, for example, the Commissioner reported that
a detailed examination of CSE’s response to RCMP requests for intelligence-related information identified two issues of concern that required further legal study by CSE. The first was whether mandate (a) was the appropriate authority in all instances for CSE to provide intelligence support to the RCMP in the pursuit of its domestic criminal investigations. Pending a re-examination of this issue by CSE, no assessment was made of the lawfulness of CSE’s activities in support of this agency under mandate (a) as currently interpreted and applied by CSE.
In a separate, and still ongoing, case, the Commissioners have provided annual assessments of legality, but those assessments have been based on the government's interpretation of the law:
With respect to my reviews of CSE activities carried out under ministerial authorization, I note that I concluded on their lawfulness in light of the Department of Justice interpretation of the applicable legislative provisions.

4: As in any large organization, incidents occasionally occur in which policies are violated despite CSE’s efforts to ensure compliance. Ministerial directives with respect to privacy protection are sometimes violated, for example. The Commissioner has sometimes reported such violations, but in the absence of evidence that the violation was intentional on the part of the agency or the result of gross negligence [or lack of "due diligence"], he does not declare CSE in non-compliance because of such incidents. For example, in 2013-14 the Commissioner reported that
during my review I found instances where procedures relating to the identification of private communications were not followed correctly by CSEC employees. In one instance, a private communication was recognized but, contrary to policy, that communication was incorrectly marked for retention even though it had not been assessed as essential to international affairs, defence or security. In another situation, CSEC identified several private communications, but did not mark them for retention or deletion until several weeks after they were identified. In addition, there were other instances of analysts retaining foreign intelligence private communications—in some cases, for several months—that had been, but no longer were, essential to international affairs, defence or security.
In none of these cases was CSE itself declared to be in non-compliance with the law.

Similarly, although it is illegal for CSE to intercept “private communications” except when it has a Ministerial Authorization to do so, when such interceptions inadvertently occurred during the five years between the first appointment of a CSE Commissioner and the establishment of the Ministerial Authorization regime in 2001, CSE was not declared to be in violation of the law because, the Commissioner reported, the agency's extensive efforts to prevent such interceptions demonstrated that it did not intend to act unlawfully:
Despite the efficiencies inherent in new technologies, CSE is still likely to receive inadvertently some small amount of Canadian communications. Moreover, each new collection system or technique that comes on stream seems to bring with it this potential. However, CSE is well aware that it must continually upgrade its capabilities to screen out Canadian communications or risk acting unlawfully if it does not make every effort to do so.

5: Commissioners have also demonstrated that they will not declare CSE in violation of the law if CSE has agreed to cease or to appropriately modify a practice that the Commissioner believed to be non-compliant. For example,
I am able to report that, overall, the activities of CSE examined during this reporting period complied with the law, with one qualification. It concerned a condition of an information technology security ministerial authorization, which CSE has already undertaken to rectify.
Similarly, when CSE eventually agreed to modify its practices in the Mandate (a) versus Mandate (c) question cited in point 3 above, the Commissioner dropped the issue without ever pronouncing publicly on the compliance of CSE’s activities prior to the change:
In his 2007–2008 Annual Report, Commissioner Gonthier stated that pending a re-examination of the legal issues raised, no assessment would be made of the lawfulness of CSEC's activities in support of the RCMP under the foreign signals intelligence part of CSEC's mandate. He also noted that CSEC's support to CSIS raised similar issues.… Subsequent to these reviews and statements in the annual reports, the Chief of CSEC suspended these activities. CSEC then made significant changes to related policies, procedures and practices.… Because of the significant changes made by CSEC to these activities and the positive results of this review, I am of the view that CSEC has addressed the previous findings and recommendations.
[The Commissioner's practice of not reporting non-compliance as long as the activity in question had been halted by CSE was departed from dramatically in January 2016, however, when Commissioner Plouffe reported CSE to be in non-compliance with the law despite the fact that the agency had already ended the activity.]

6: CSE Commissioners have also shown that they will not declare CSE in non-compliance as long as the government has promised to make amendments to the law to clarify that the activities in question are indeed authorized under the law—no matter how many years may go by with no evidence of the government actually taking steps to implement that promise.

See, for example, this statement:
At the end of the 2008–2009 reporting period, I continue to apply the interim solution put in place by my predecessors: that is, to review CSEC's foreign intelligence collection activities under ministerial authorizations on the basis of the [National Defence Act] as it is interpreted by Justice Canada. However, in some important respects, I disagree with that interpretation—as have both my predecessors.

In April 2006, my immediate predecessor noted in his last report as CSE Commissioner that "my one regret will be if I leave this position without a resolution of the legal interpretation issues that have bedevilled this office since December 2001." In my 2007–2008 report, I noted the Government had indicated that legislative amendments would be brought forward "in due course". This has yet to occur. I want to emphasize, however, that the length of time that has passed without producing amended legislation puts at risk the integrity of the review process.
That was written in 2009. As of March 2015 those promised amendments are still nowhere to be seen. The current Commissioner continues to apply the “interim” solution of assessing compliance based on the government's interpretation, and the firm warning of the 2008-09 report has withered into little more than a pro forma acknowledgement:
Since the enactment of Part V.1 of the National Defence Act in December 2001, all CSE Commissioners have voiced concerns that certain fundamental provisions in the legislation lack clarity. In 2007, the government committed to amending the legislation to clarify these ambiguities. It is hoped that this can be resolved in the near future.
Fourteen years after the problematic provisions were enacted, Commissioners continue to assess CSE as being in compliance while they await amendments that never arrive.

What would it take to declare CSE in non-compliance?

Given the system in place, what would it take for a CSE Commissioner to actually declare CSE to be in non-compliance with the law?

Based on the model above, the Commissioner would have to choose to examine the activity, sufficient records would have to exist to support a compliance judgement, the Commissioner would have to conclude that the activity violates the law, CSE and the Department of Justice would have to agree with that conclusion, CSE would have to affirm, or the Commissioner would have to demonstrate, that the activity was authorized by the agency [or that it had been permitted to occur due to a lack of due diligence], CSE would have to declare that it intends to continue doing it, and the government would have to refuse to promise to amend the law (at some undefined point in the future) in order to permit the activity. If all those conditions were met, and the Commissioner subsequently reported the issue to the Attorney-General, and no promise (sincere or otherwise) to change either the activity or the law were forthcoming following that step, then and only then would he report to the public that CSE was not in compliance with the law.

In short, the likelihood that a CSE Commissioner will ever declare that CSE is not in compliance with the law, no matter how often those laws may be transgressed in practice, is practically nil.

[But never say never! In January 2016, the CSE Commissioner deviated dramatically from this "model" and did declare CSE to be in non-compliance even though the violation was deemed to have been unintentional and the activity had already been halted. There's no way to tell at this point whether that was a one-time event or it heralds a more permanent change in the Commissioners' approach to compliance assessment.

Until that picture becomes clearer, I won't make any change to the compliance flowchart—which was always a bit tongue-in-cheek anyway—that accompanies this article.]

I should probably make it clear at this point that I don’t believe CSE does intentionally break the law—as it and its Department of Justice advisors understand the law—as a normal part of its operations. I believe that compliance with the law is a fundamental part of CSE’s ethos, and I think the activities of the CSE Commissioner have done a lot to reinforce that ethos and ensure that it is followed in practice.

For me, a much bigger concern is the amount of information that can be collected, one way or another, without violating the law, and the potential for that information, although it may not be misused now, to be misused sometime in the future. Consider, for example, the fact that no laws were broken—according to the CSE Commissioner—by the extensive collection and analysis of Canadian communications metadata revealed in the “Airport Wi-Fi” story.

Whether or not you agree that legal compliance is ultimately not the key issue, however, know this:

While the Prime Minister and his ministers are no longer able (as of January 2016) to claim that all CSE Commissioners have always declared CSE’s activities to be in compliance with the law, they will undoubtedly reach for similar claims, such as "CSE has never intentionally broken the law" or, assuming there are clean reports in future years, "the most recent Commissioner's report has affirmed that all of CSE's activities were in compliance with the law."

But the reality of that assurance will always be a whole lot more hedged and contingent and qualified than the government would like you to think it is.

Update 29 January 2016: The conclusion to this post was amended and the comments in brackets added to the body of the post following the release of the CSE Commissioner's 2014-15 Annual Report.


Alison said...

Thanks for this very clear explanation of the unlikelihood a CSE Commissioner will ever declare that CSE is not in compliance with the law.

Re the airport wi-fi story, how likely do you think it is the "Special Source" mentioned is a product like Stingray?

March 16, 2015 12:26 pm

Bill Robinson said...

Hi, Alison. Thanks for the comment!

I doubt that CSE would be using something like Stingray within Canada. I think it's more likely CSE's special source material comes from one or more of the big telcos. But I'm just guessing.

March 18, 2015 12:12 am  
