Thursday, January 28, 2016

CSE Commissioner: CSE violated law

The CSE Commissioner's 2014-15 Annual Report was finally tabled today, nearly 10 months after the end of the fiscal year covered by the document.

There is a lot that's interesting in the report, but the big news—which was actually in the press release from the Commissioner's office that accompanied the report rather than in the report itself—is that the Commissioner has declared that "CSE's failure to minimize certain Canadian identity information prior to it being shared with its partners did not comply with paragraph 273.64(2)(b) and section 273.66 of the [National Defence Act], and, as a consequence, did not comply with section 8 of the Privacy Act. The Commissioner therefore exercised his legal duty under paragraph 273.63(2)(c) of the NDA and informed the Minister of National Defence and the Attorney General of Canada of this non-compliance with the law."

In plain language, the Commissioner declared that CSE had failed to comply with the law.

In the 20 years since the office was first created, no CSE Commissioner has ever made such a declaration before.

The Canadian Identity Information in question was contained in "certain types of metadata" that "were not being minimized properly before being shared with CSE's partners in the United States, the United Kingdom, Australia and New Zealand", presumably through GLOBALREACH. The exact nature of the metadata involved has not been revealed.

According to the Commissioner and CSE, CSE identified the problem in late 2013, reported it to the Commissioner, and suspended the data transfers pending a solution to the problem, which Defence Minister Sajjan described today as being caused by "technical deficiencies in CSE systems". These deficiencies must be quite fundamental, however, as it is now 2016 and the problem remains unresolved.

The press release from the Commissioner's office also reports that, "while the Commissioner stated he believes the actions of CSE [in transferring the unminimized metadata] were not intentional, it did not, however, act with due diligence when it failed to ensure that the Canadian identity information was properly minimized." This seems to be the basis of the Commissioner's conclusion that, in this instance, CSE did not comply with the law, whereas in earlier cases unintentional violations of the law have not been characterized as non-compliance.

Perhaps the Commissioner was especially annoyed in this case because in 2013 his predecessor had assured Canadians that "in its reports, and in other information [e.g., metadata] CSE shares with its domestic and international partners, CSE must render impossible the identification of Canadians, and I verify that this is done. As noted in my report last year, I have found that CSE does take measures to protect the privacy of Canadians in what it shares with its domestic and international partners." [Quotation updated 29 January 2016 for reasons of terminological exactitude. HT to WG.]

The Commissioner's declaration that CSE did not comply with the law brings to an abrupt and welcome end the nearly 20-year-old Ottawa tradition of deflecting all questions about CSE activities with the refrain that "the independent CSE Commissioner has always found CSE to be in compliance with the law". (It looks like this blog post is going to need some revision.)

I'll comment on some of the other interesting and significant elements in the 2014-15 report in future posts.

[See Part I of those comments here.]

Related coverage and commentary:

- Jim Bronskill, "Canada’s electronic spy agency broke privacy law by sharing metadata, watchdog says," Canadian Press, 28 January 2016
- Robert Fife & Colin Freeze, "Canada's spy agencies broke surveillance laws, watchdogs reveal," Globe and Mail, 28 January 2016
- Justin Ling, "Canadian Spies Get Spanked Again For Sharing Citizens' Data With the NSA," Vice News, 28 January 2016
- "Canada's electronic spy agency stops sharing some metadata with partners," CBC News, 28 January 2016
- "Electronic spy agency stops sharing information with partners over privacy concerns," CTV News, 28 January 2016
- Monique Muise, "Watchdog says electronic spy agency shared info about Canadians," Global News, 28 January 2016
- "Canadian intelligence agency stops sharing metadata with foreign intelligence agencies following revelations that shared information was not being sufficiently protected," OpenMedia news release, 28 January 2016

Update 29 January 2016:

- Alex Boutilier, "Canada’s electronic spy agency broke privacy laws, watchdog says," Toronto Star, 28 January 2016. Note the discussion of CSE's accompanying "technical briefing": "A high-ranking CSE official, who Thursday gave a technical briefing on the condition they not be named, described the issue as a technical glitch discovered in late 2013.... While CSE downplayed the severity of the breach — saying the privacy impact was “low” — it was significant enough to prompt the first press briefing in the agency’s 70-year history." A good point.

As for CSE's insistence on no use of names, if I had to guess, I'd say the speaker was probably Shelly Bruce. After all, what "high-ranking" CSE official would be better for speaking to this issue than the Deputy Chief who is in charge of the SIGINT program at the agency? (It might also explain why the Toronto Star used "they" as the pronoun in this instance.) But if it was Bruce, why insist on non-attribution? As the link shows, Bruce's name and position are not in any way secret. Maybe it wasn't Bruce, in which case the non-attribution might make some minimal amount of sense.

Update 31 January 2016:

Here are the speaking notes for high-ranking CSE official They Who Must Not Be Named. Minor quibble: CSE will be celebrating its 70th birthday on 1 September 2016. It's a bit premature, therefore, to declare in January 2016 that "CSE has been at work, protecting Canada and Canadians, for over 70 years."

Update 1 February 2016:

- Wesley Wark, "Canada’s spy watchdogs: Good, but not good enough," Globe and Mail, 1 February 2016
- Tim Harper, "A privacy breach and a country left in the dark," Toronto Star, 29 January 2016

Update 4 February 2016:

- Tamir Israel & Christopher Parsons, "Why We Need to Reevaluate How We Share Intelligence Data With Allies," Just Security, 3 February 2016

Friday, January 08, 2016

December 2015 CSE staff size


(If you click through on the link and get a different figure, it's probably because the Treasury Board has updated its website; they update the numbers once a month.)

Thursday, January 07, 2016

"Spook Central" at night

Beautiful night photo of CSE headquarters (upper right) and CSIS headquarters (lower left)—the Yin and Yang of Canadian spookdom—by Ottawa photographer Chuck Clark:

(Photograph taken on January 5th, 2016.)

You can see an earlier night shot by Chuck here.

Friday, January 01, 2016

CANUSA Agreement, Appendix B

Among the 52,000 pages of material released by NSA as part of the Friedman collection is this document, which is the 27 March 1953 version of Appendix B of the CANUSA Agreement, the foundational agreement governing Canada-U.S. communications intelligence (COMINT) cooperation. The existence of the CANUSA Agreement has been well known for many years, but to the best of my knowledge no part of this Top Secret Codeword classified agreement has ever been released before.

The CANUSA Agreement was modeled very closely on the UKUSA Agreement, and the Appendix B's of the two agreements are virtually identical. You can see the 19 March 1953 version of Appendix B of the UKUSA (or BRUSA as it was then called) Agreement here (pages 4-31). Bonus: By cross-ruffing between the two documents you can fill in most of the redactions made in them.

The 1956 and earlier versions of the UKUSA/BRUSA Agreement were largely declassified in 2010. The CANUSA Agreement, by contrast, has not been released.

Which raises the question, what is Appendix B of the CANUSA Agreement doing on the NSA website?

My guess is that, because the two Appendix B's were so similar, NSA's redactors did not realize that the CANUSA document was actually part of that agreement rather than UKUSA.

What distinguishes the two most clearly is that the CANUSA appendix refers to the U.S. Communications Intelligence Board (USCIB) and the Communications Research Committee (CRC)—the interdepartmental committees that governed the NSA and Canada's CBNRC respectively—while the UKUSA appendix refers to USCIB and the London Signals Intelligence Board (LSIB), the latter being the equivalent body for GCHQ.

The fact that the redactors removed one of the few explicit references to Canada (see para. 37b on p. 9) in the CANUSA appendix would seem to confirm that they didn't realize the entire appendix related to Canada. They failed, however, to remove the references to Canada in Annexure B3 (see especially para. 1d on p. 20).

There is a lot of interesting detail in the appendix about the nitty-gritty of access to COMINT, COMINT dissemination and security rules, limitations on the travel and activities of indoctrinated personnel, and the categorization of various types of COMINT.

There is also an important paragraph on the subject of economic intelligence (para. 39, p. 9):
Category III and II COMINT shall never under any circumstances or in any form be disseminated to any Ministry, Department, Agency, Organization, Office, or individual from which or from whom it might reasonably be expected to find its way, officially or extra-officially, into the possession of any person or group who could use it for commercial competition or commercial gain or advantage.
The same paragraph is also in the UKUSA appendix.

It's worth noting, however, that the UKUSA Agreement itself required only that there be "no dissemination of information derived from COMINT sources to any individual or agency, governmental or otherwise, that will exploit it for commercial purposes" without the "prior notification and consent of the other party" (see para. 10 here); the same provision may well have also been in the CANUSA Agreement.

Whether these or similar provisions survive in the current CANUSA and UKUSA Agreements and their associated documents has not been made public, but it is notable that recent CSE statements do use similar language. I'm a little skeptical about how such principles get applied in practice (note that the UKUSA Agreement provision allows for cases of such use where both parties agree), but in my humble opinion the sentiment is a good one.

We do know that Appendix B of the UKUSA Agreement was modified slightly in 1956 as part of a wider process of updating and reorganizing the agreement's appendices (see pp. 3 and 12-13 here). For consistency's sake, the CANUSA Appendix B probably underwent the same changes. What may have happened since 1956, however, has not been made public.

And, until the Friedman release, no part of the CANUSA Agreement or its appendices, past or present, had ever been made public.

To my mind, the release of Appendix B is a positive step forward, even if (as is probably the case) it was done by mistake.

Is there any reason why the rest of the CANUSA Agreement can't be released?