Sunday, June 19, 2016

Twenty years of OCSEC

Today is the twentieth anniversary of the establishment of the Office of the CSE Commissioner (OCSEC). The first CSE Commissioner, Claude Bisson, was appointed on 19 June 1996.

Since 1996, there have been six CSE Commissioners:
  • Claude Bisson (1996-2003)
  • Antonio Lamer (2003-2006)
  • Charles Gonthier (2006-2009)
  • Peter Cory (2009-2010)
  • Robert Décary (2010-2013)
  • Jean-Pierre Plouffe (2013-present)

OCSEC has been the subject of a lot of criticism over the past two decades, some of it justified and a lot of it not.

Here's one of my own contributions to that literature. (You can decide for yourself whether it falls into the justified or unjustified camp.)

Such criticisms shouldn't blind us to the vitally important role that OCSEC has played over the years in reinforcing an ethos of legal compliance at CSE and ensuring that mechanisms to monitor and assess that compliance are established and implemented. But a strong case can be made that CSE's review body—like those of the Canadian security and intelligence community as a whole—is in dire need of improvement.

Kent Roach and Craig Forcese argue that OCSEC and the review bodies for CSIS and the RCMP should be combined into a single agency that would monitor all components of the Canadian security and intelligence community, as part of a wider set of accountability improvements ("Bridging the National Security Accountability Gap: A Three-Part System to Modernize Canada's Inadequate Review of National Security," Ottawa Faculty of Law Working Paper No. 2016-05, 31 March 2016).

Wesley Wark's recent comments on the future of review ("Canada’s spy watchdogs: Good, but not good enough," Globe and Mail, 1 February 2016) are also worth reading.

The Trudeau government took a major step towards implementation of one aspect of this reform agenda with the introduction on June 16th of Bill C-22, which will establish a committee of parliamentarians to review the S&I community as a whole. (See Forcese's comments on that step here.)

Other changes may be yet in the offing.

For the time being, however, the future of the 20-year-old OCSEC remains undecided.

Friday, June 10, 2016

Australia's participation in Pine Gap

Yet another paper in our on-going series on the SIGINT station at Pine Gap, Australia:

Desmond Ball, Bill Robinson, and Richard Tanter, "Australia’s participation in the Pine Gap enterprise", NAPSNet Special Reports, June 8, 2016. Full text here (1.7 MB PDF).

Earlier reports:

- Desmond Ball, Bill Robinson, and Richard Tanter, "The Antennas of Pine Gap", NAPSNet Special Reports, February 21, 2016;

- Desmond Ball, Bill Robinson, and Richard Tanter, "Management of Operations at Pine Gap", NAPSNet Special Reports, November 24, 2015;

- Desmond Ball, Bill Robinson, and Richard Tanter, "The SIGINT Satellites of Pine Gap: Conception, Development and in Orbit", NAPSNet Special Reports, October 15, 2015;

- Desmond Ball, Bill Robinson, and Richard Tanter, "The Higher Management of Pine Gap", NAPSNet Special Reports, August 17, 2015; and

- Desmond Ball, Bill Robinson, and Richard Tanter, "The militarisation of Pine Gap: Organisations and Personnel", NAPSNet Special Reports, August 13, 2015;

- Desmond Ball, Bill Robinson, Richard Tanter, and Philip Dorling, "The corporatisation of Pine Gap", NAPSNet Special Reports, June 24, 2015.

More to come!

Thursday, June 09, 2016

Moritsugu appointed DG Military SIGINT

According to DND ("The Chief of the Defence Staff announces additional Canadian Armed Forces General and Flag Officer senior appointments, promotions, and retirements," Department of National Defence, 9 June 2016), CFIOG Commander Col Steven Moritsugu has been promoted to Brigadier-General (acting while so employed) and appointed "Director General Defence Military Signals and Intelligence" [sic] at CSE, i.e., DG Military SIGINT.

Moritsugu replaces BGen Martin Girard, who became DG Military SIGINT in 2014.

Saturday, June 04, 2016

Going dark(er): CSE employee numbers no longer published

The federal government has published statistics on-line on the number of employees in its various departments and agencies since at least 2005. The statistics in this "Population Affiliation Report" were updated monthly, and the Communications Security Establishment was among the agencies whose staff numbers were reported.

The CSE numbers provided an important way to keep track of the evolution of the agency—one of the very few ways available. To prevent their disappearing into the memory hole I made a point of recording these monthly numbers on this blog. (Here are the earliest and most recent examples.)

Unfortunately, the February 2016 numbers, which were published in March, look like the last ones we are going to get. The Treasury Board Secretariat has stopped publishing the statistics.

According to the reply I received when I asked the good folks at TBS why the numbers had stopped appearing, the "internal sources" that the report draws from are currently under review. A public update on plans for the report is promised at the end of the summer, but it doesn't sound like the prior practice is going to pick up where it left off.

The shutdown applies to the entire Population Affiliation Report (i.e., to all the departments and agencies), and I don't see any reason to think that it was intended specifically to stop the reporting of CSE's employee counts. But it certainly has had that effect.

The blackout comes at an unfortunate time, as just a couple of months ago the agency's new minister, Minister of National Defence Sajjan, directed CSE to "find new opportunities to communicate with the public more openly about their activities."

So far, CSE's primary response to that directive has been to launch a Twitter account featuring links to the agency's website and lighthearted comments on donuts. It has not inspired them to reverse the significant shutdown in public reporting that took place in 2011.

And I would venture to guess that those new communications opportunities will also not include monthly reporting on CSE's employee counts.

It may be that the Treasury Board's review will lead eventually to such statistics being accessible in some other form, in keeping with the broader trend towards greater public access to government data and the professed philosophy of the new Liberal government.

But for now, at least, the public picture of what goes on at Canada's national cryptologic agency just got a little bit darker.

Thursday, June 02, 2016

Mistaken metadata-sharing went on for years

The CSE Commissioner's classified report on CSE's bungled metadata-sharing program, parts of which have been made public during the BCCLA's lawsuit against CSE, indicates that the agency's failure to properly remove information that could identify Canadians went on for years and involved both DNR (phone-related) and DNI (Internet-related) metadata.

From the Globe and Mail's report (Colin Freeze, "Spy agency accidentally shared Canadians’ data with allies for years," Globe and Mail, 1 June 2016):
The confidential report was written by Jean-Pierre Plouffe, a retired Quebec judge who heads the Office of the CSE Commissioner, the spy agency’s watchdog agency. In it, he suggests the unlawful seepage of Canadians’ phone and Internet records to foreign intelligence agencies could date back to the mid-2000s, and that the overall amount of compromised material is unclear.

Given this, Mr. Plouffe is urging Parliament to pass laws spelling out how it wants the spy agency to function. “As CSE’s collection posture has strengthened, … the volume of metadata collected has increased considerably,” Mr. Plouffe writes in his 2015 report. He urged federal politicians to give clearer direction on surveillance.

“Metadata” are logs of communications without the content of the conversation. The watchdog’s report reveals that, during its international spying, CSE has been capturing phone logs and sharing them with allies since 2005. Internet logs have been shared since 2009.

In 2014, CSE suspended sharing both sorts of records when it realized its automated systems had failed to scrub out what it calls the “Canadian identifying information” that turned up in the wider mix. Mr. Plouffe, who has the last word on such matters, eventually ruled that although CSE’s system failures were inadvertent, they violated the Privacy Act and National Defence Act. ...

The report reveals that CSE refers to the phone logs it collects as “Dialled Number Recognition” (DNR) metadata. The agency started sharing such material with Five Eyes allies in 2005, thinking it had devised ways to automatically strike out telling portions of any Canadian phone numbers that turned up.

Then, starting two years ago, CSE discovered that “DNR metadata was not being minimized properly,” according to the watchdog report. Mr. Plouffe added: “CSE is unable to determine how many systems were impacted and for how long.”

CSE calls the Internet logs it collects “Digital Network Intelligence” (DNI) metadata, and this material can consist of e-mail addresses and Internet protocol addresses that indicate who is communicating to who.

A scrubbing system was developed for that material as well – but this, too, failed. “DNI metadata was being shared with [Five Eyes] Second Parties … with minimization applied to Canadian e-mail address fields, but no minimization applied to Canadian IP address fields,” Mr. Plouffe writes.

He adds that “CSE was under the impression that minimization was taking place, when in fact it was not.”

The spy agency suspended sharing when the problems were discovered in 2014, and apparently have not resumed it.
CSE Chief Greta Bossenmaier confirmed in testimony to the Standing Committee on National Defence on May 19th that, as at that date, metadata-sharing has not yet resumed.

Update 3 June 2016:

- Michelle Zilio & Colin Freeze, "Ottawa accused of breaking intelligence agency transparency vow," Globe and Mail, 2 June 2016.

- "The 'top secret' surveillance directives," Globe and Mail, 2 June 2016.

- Brian Gable, "On with the day" (editorial cartoon), Globe and Mail, 3 June 2016. Another example of "Canadian Security Establishment", sadly.

- Jim Bronskill, "Court disclosure could mean spy allies cut Canada off, CSE warns," Canadian Press, 3 June 2016.

- "Media Release: Civil Liberties Watchdog Fights in Federal Court for Release of Documents on Illegal Spying On Canadians," British Columbia Civil Liberties Association, 2 June 2016.