Monday, January 30, 2017

Releases of Canadian identities to Five Eyes partners

How often does CSE hand over information about Canadians to the United States and other Five Eyes allies? A partial answer is obtainable by examining a recent Access to Information release.

CSE's end-product reports must relate to its foreign intelligence or cyber defence responsibilities. (Information collected by CSE for Canadian law enforcement or security agencies is a separate matter.)

But sometimes these end-product reports do contain information about Canadians. When that happens, the name and other identifying information of that Canadian — known as Canadian Identity Information (CII) — is "suppressed", i.e., replaced by a generic reference such as "a named Canadian" or "a Canadian businessman". (There are certain exceptions to this rule, but they seem to be relatively limited, probably amounting to fewer than 100 cases per year.)

The information that is suppressed in those reports is not deleted, however. It is retained in CSE's data banks and is available to clients who request it if they can demonstrate both the authority and an operational justification for obtaining it. This applies to CSE clients located in Canada's Five Eyes allies, also known as Second Parties, as well as to domestic Canadian agencies.

Given the potential for the misuse of such information, particularly in light of the accession of the Trump administration, it would be helpful to know how often Canadian Identity Information is released to Canada's Five Eyes allies.

CSE has always refused to declassify this information. However, it is possible to get a sense of the scale of the releases by examining the gaps left in the agency's annual reports released under the Access to Information Act (release A-2015-00086).

Here are the relevant sections of the released versions of those reports for the five years from 2010-2011 to 2014-2015 inclusive.

2010-2011 Annual Report:

"In addition, CSEC released [redacted 3-digit number] identities to its Five-Eyes partners."

The width of this redaction indicates that it originally contained a 3-digit number, which means that somewhere between 100 and 999 pieces of Canadian Identity Information were released to Five Eyes partners in 2010-2011.

2011-2012 Annual Report:

"In addition, CSEC released [redacted] Canadian identities to its Five Eyes partners."

In this case, because the redaction occurs at the end of a line it is not possible to determine how many digits the redacted number had. However, the following year's report (see below) indicates that the 2011-2012 figure was also a 3-digit number.

2012-2013 Annual Report:

"In addition, CSEC released [redacted 4-digit number] Canadian identities to its Five Eyes partners. This represents a significant increase in the number of identities released in 2011-2012 ([redacted 3-digit number + close-parentheses] and is attributable to a [redacted] released to the US allies to enable them to efficiently assess the [redacted]"

The cause of this one-time jump was revealed in the following year's report to be "a single cyber defence report" that presumably contained a very large number (at least one thousand, possibly multiple thousands) of Canadian identities.

2013-2014 Annual Report:

"In 2013-14, Second Parties requested [redacted 3-digit number] Canadian identities, of which [redacted 3-digit number] were released. This is a [redacted] from the previous year, when [redacted 4-digit number] were released; however, during the previous year, [redacted 4-digit number] of those releases were from a single cyber defence report."

Here the number of released identities falls back to the more normal hundreds range.

Also worth noting is the fact, evident from the way the sentence is constructed, that not all requested identities are released.

This is also confirmed by various comments that the CSE Commissioner has made over the years. The Commissioner's 2014-2015 report even provided some data on this question, noting that a sample of recent Five Eyes requests examined by his office included "roughly an equal number of denials and disclosures of Canadian identity information." No information on the long-term average CII disclosure rate has been released, however. In some years, such as the year when a thousand or more identities were released from a single report, the disclosure rate has probably been much, much higher than 50%.

2014-2015 Annual Report:

"In FY 2014-15, Second Parties [redacted; probably "requested" + 3-digit number] Canadian identities, of [redacted; probably "which" + 3-digit number] were released. [Redacted] of these releases were to [redacted]"

In this release, CSE redacted larger portions of the text, possibly to make this kind of analysis more difficult. It's fairly easy to guess what the redacted words actually were, but the extra redactions do make the overall conclusions less certain.

(Thanks for that, CSE redactors. I'm sure the nation's security hangs on preventing the bad guys — or maybe the Canadian public? — from knowing with certainty whether the number of Canadian identities revealed to Five Eyes partners in a given past year was a 3-digit number or a 4-digit number.)

The most recent annual report of the CSE Commissioner provides another data point related to this question: Between 1 July 2014 and 30 June 2015, Five Eyes partners made 111 requests for Canadian Identity Information.

However, request numbers do not translate directly to release numbers for several reasons: requests are sometimes denied; requests may be made for the same identity by multiple clients; and finally and most importantly, a single request can pertain to multiple identities — in the case of the cyber defence report mentioned above, perhaps thousands of identities were released as a result of a single request. The fact that more than 100 requests were made suggests, however, that most requests involve only a small number of identities.

Taken together, these documents demonstrate with reasonable certainty that CSE releases at least one hundred and sometimes more than one thousand pieces of Canadian Identity Information to Canada's Five Eyes allies every year. Something like one or two items a day might be a reasonable guess.

And that's not the only way such information is shared. CSE also intercepts foreign communications on behalf of its partner agencies using selectors that they provide. It then forwards those intercepts, some of which are likely to contain incidentally collected Canadian communications or other information about Canadians, directly to them.

(CSE's recent metadata minimization failure also led to CII being provided to Five Eyes allies, but in that case the information would not have been provided if the systems had been working as required.)

It is likely that most of the information released through these processes goes to CSE's largest and closest collaborator, the U.S. National Security Agency, but some would also go to the other partner agencies.

In the vast majority of these cases, I would guess, the provision of this information makes a valuable contribution to Canadian and Allied security — in some cases it probably even contributes to the security of the named Canadians themselves. But as the Commissioner's classified 17 July 2013 report to the Minister of National Defence (A Review of CSEC Information Sharing with the Second Parties, Access release A-2014-00062) noted, the results of such sharing are not necessarily always benign:
While the case of Mr. Maher Arar did not relate specifically to CSEC or to SIGINT information sharing with the Second Parties, it is an example of how Canada's closest international partners may make their own decisions in relation to a Canadian.... The case of Mr. Arar demonstrates how [Government of Canada] information sharing with the U.S. or other partners may affect a Canadian and possibly put a Canadian in personal jeopardy.
This possibility is especially relevant now, with the Trump administration openly discussing a return to the use of torture, secret prisons, and other violations of civil liberties and international law. But even under the Obama administration some of these risks, including for example the possibility of targeted killings, were present.

The Canadian government has policies in place to govern international information-sharing when there is a substantial risk that the information shared could lead to the torture or other mistreatment of an individual, but many people question whether they are sufficiently restrictive.

In CSE's case, a Ministerial Directive signed in 2011 obliges the agency to conduct a mistreatment risk assessment whenever it considers releasing CII to a non-Five Eyes country.

But my reading of the limited information that has been released on that directive suggests that the Five Eyes countries are exempt from this requirement, except when those countries seek to forward Canadian information to a non-Five Eyes country. It would be very useful to know if that is in fact the case.

Saturday, January 28, 2017

Citizen Lab fellowship

I am very pleased to report that I have accepted a fellowship at the Citizen Lab for 2017.

Citizen Lab is based at the Munk School of Global Affairs at the University of Toronto. It focuses on "advanced research and development at the intersection of Information and Communication Technologies (ICTs), human rights, and global security."

The book Black Code, written by Citizen Lab's director, Ron Deibert, gives a good sense of the kinds of issues the Lab addresses. You should also check out their many publications.

I've been a big fan of the Citizen Lab's work for years and the thought of being associated with such an amazing place is frankly a bit daunting. They may be expecting results!

I'll do my best.

I should stress at this point that the opinions I express on this blog and elsewhere will continue to be mine alone: I will in no way be speaking for the Citizen Lab.

We're still working out the details of the project(s) I'll be involved in during the fellowship so I can't say much about that right now, other than the obvious fact that the signals intelligence activities of Canada and its Five Eyes allies will be central to it.

Monday, January 16, 2017

ATIpper #9: CSE releases its definition of data

More from the Access to Information files:

Behold the CSE definition of data:

Access release A-2014-00013

Ouf, a bit heavily redacted, don't you think?

Let's try again.

Access release A-2015-00005

Oh, sure, much better. Thanksabunch.

Another try.

Released in 2016 Federal Court filing

All right, now we're starting to make some progress.

And finally...

Access release A-2011-00566

This. This is the kind of access to information response I like!

Which is great until you realize that this final response was in fact the first of the four releases.

Sunday, January 15, 2017

CSE recruiting the "best & brightest"

CSE is looking to recruit the "best & brightest"... er... hipsters, apparently, for its next student co-op period.

Now, I have absolutely nothing against hipsters, and I'm glad CSE doesn't either. Even the CIA has baristas these days. If the Edward Drake Building didn't get a kick-ass espresso machine or two as part of its $880-million price tag, it certainly should have.

But I do have qualms about any part of the national security state using the phrase "the best and the brightest" in an evidently non-ironic sense.

Maybe CSE's PR folks need to read the book.

What's going on in Washington these days is certainly not a repeat of the "best and brightest" episode.

But as a certain German once popular in Russia wrote, "all great world-historic facts and personages appear, so to speak, twice.... the first time as tragedy, the second time as farce."

Discrimination Unit, 283 Bank Street

Here are a couple of photos of the building that housed the Canadian Army's Discrimination Unit from early 1943 to August of that year.

Bank Street facade

Somerset Street facade

The Discrimination Unit (DU) was established in 1942 to sort the communications intercepted by the Army's Special Wireless Stations and analyze the "to" and "from" addresses and other external features of Japanese army and air force communications. According to the History of the Examination Unit, "Their work was chiefly the deriving of intelligence concerning the movement of Japanese troops in the Pacific area through a study of the preambles of military messages." Today we might call this work metadata analysis, but at the time it was known as Traffic Analysis, or T/A.

Most of the Japanese messages received at the Discrimination Unit were subsequently relayed to the U.S. Army's Signal Security Agency, which had the facilities to break the Japanese encryption systems and read the messages' content. Some were also processed at the Examination Unit (XU), Canada's own code-breaking agency.

When it was created in March 1942, the DU shared quarters with the XU in a house at 345 Laurier Avenue East, adjacent to Prime Minister Mackenzie King's residence. By the beginning of 1943, however, the two units had outgrown the space available in the house. As a result, the DU was moved to new offices at 283 Bank Street, at the northeast corner of Bank and Somerset, where it occupied some or all of the space used by the Gowling Business College. It's not clear what the Gowling Business College did at this point; by the end of 1943, however, newspaper ads show that it was again (or still) in operation at the Bank Street building.

By that time, the DU had already decamped for a new location, the top floor of the La Salle Academy, a Catholic boys' school on Guigues Street at Sussex Drive. In August 1943, the Army DU, the nascent RCAF Discrimination Unit, and a group of RCN T/A personnel jointly occupied the Guigues Street facility, while the school continued to operate on the floors below. In November 1943 they were joined by a Joint Machine Unit operating IBM punched-card machines to assist the traffic analysts. The JMU also assisted the cryptanalysts at the XU.

These units were later amalgamated with the Japanese section of the XU to form the Joint Discrimination Unit, which eventually evolved into Canada's postwar SIGINT organization, the CBNRC, now called CSE.

As can be seen in the photographs above, the Bank Street building was a multi-use facility with retail spaces on the ground floor, offices or other commercial space on the second floor, and a hall used for public events on the top floor.

Over the years it hosted a variety of businesses, including the Gowling Business College, a hardware store, a jewellers, a Chinese restaurant, Imperial Cleaners & Dyers, the offices of the British Canadian Industrial Company and the International Land and Lumber Company, an 18-hole miniature golf course, and the public events hall, known originally as Queen's Hall and later as Hollywood Garden.

According to this article, the building was destroyed by fire in the mid-1960s.

The site is now occupied by the Primecorp Building (275 Bank Street), which offers a similar mix of retail space and offices.

Friday, January 13, 2017

ATIpper #8: CANUSA "almost identical" to UKUSA Agreement

Another item from The Canadian Intelligence Community (16 March 1990; Access release A-2016-00658, p. 19):

This snippet contains a number of useful bits of information:
  • Canada "agreed to be party" to the UKUSA Agreement at the Commonwealth SIGINT Conference of 1946;
  • The 1949 CANUSA Agreement was "almost identical" to the UKUSA Agreement; and
  • The CANUSA Agreement was "revised slightly in 1960".
The first point confirms this U.S.-U.K. document (p. 4), which reported that "The terms of the U.S. - British Communication Intelligence agreement had been explained to the Dominion representatives [at the February-March Commonwealth SIGINT Conference], in so far as they were affected, and had been accepted by them." Canada did not actually become party to the UKUSA Agreement (or BRUSA Agreement, as it was then known), but Canada, Australia, and New Zealand did agree to abide by its provisions and were accepted as partners.

On the second point, it has been clear for some time that the CANUSA Agreement was based closely on the UKUSA Agreement, but it's very useful to see it officially confirmed that the two agreements are "almost identical". The UKUSA Agreement was declassified and made public by the U.S. and U.K. in 2010. Surely it's long past time for the U.S. and Canada to do the same with the CANUSA Agreement. Because it's 2017.

Finally, we have the revelation that the CANUSA Agreement was "revised slightly" in 1960. The various appendices of the UKUSA and CANUSA agreements, which spell out details such as security procedures and communications systems, were under almost continuous revision in the early years of the agreements, so the change made in 1960 must have been something more fundamental than that. The Canadian Intelligence Community doesn't explain the nature of that change, unfortunately.

However, we do know from p. 32 of the document that the 1957 Tripartite [U.S.-U.K.-Canada] Alerts Agreement, which had originally covered only intelligence-sharing with respect to military threats from Communist countries, was extended in 1960 to include intelligence-sharing on a global basis ("consultations on threats to world peace and security anywhere in the world from any source").

Perhaps the 1960 amendment of the Tripartite Alerts Agreement led to or inspired a similar amendment formally recognizing that broader range of intelligence-sharing within the CANUSA Agreement as well.

Update 23 April 2017: You can read the 1949 version of the CANUSA Agreement here.

Update 31 March 2019: See here for a substantial part of the appendices.

Sunday, January 08, 2017

ATIpper #7: 1948 Quinquepartite SIGINT Agreement

The Canadian Intelligence Community (16 March 1990; Library and Archives Canada release A-2016-00658, p. 32) is also the source of this interesting summary of Canada's early SIGINT agreements:

(Note that the snippet incorrectly asserts that the BRUSA Agreement was signed in 1945: its text was negotiated during the fall of 1945, but the actual signing by the U.S. and the U.K. took place on 5 March 1946.)

The BRUSA (later called UKUSA) Agreement and the 1949 CANUS (or CANUSA) Agreement are by now well known, but much less is known about the 1948 Quinquepartite (i.e., five-party) SIGINT Agreement listed in the snippet.

A number of public sources have suggested that this agreement, said to have been signed in June 1948, was in fact the UKUSA Agreement, which then replaced the 1946 BRUSA Agreement.

However, the BRUSA/UKUSA documents declassified in 2010 don't seem to support this interpretation. Those documents demonstrate that the two-party BRUSA Agreement was subsequently renamed UKUSA, and that it remained a two-party agreement even in 1956. (Indeed, it still is today.)

Another BRUSA/UKUSA document (p. 4) does seem to confirm, however, that Canada, Australia, and New Zealand agreed at the February-March 1946 Commonwealth SIGINT Conference to abide by the provisions of the BRUSA Agreement:
Referring to the Commonwealth Conference just concluded, the Chairman reported that this had been highly successful. The terms of the U.S. - British Communication Intelligence agreement had been explained to the Dominion representatives, in so far as they were affected, and had been accepted by them. The Dominions had also agreed to abide by Joint Security Regulations to be issued from London after they had been agreed between STANCIB and the London Sigint Board.
So what was the nature of the five-party agreement signed in 1948?

One possibility is that the five countries signed a document formalizing the commitments made in 1946 by Canada, Australia, and New Zealand to abide by the provisions of the BRUSA Agreement and the related SIGINT security rules. What the "minor changes from the BRUSA agreement" would have entailed, I don't know.

If more information has been released about this agreement I would appreciate hearing about it.

Friday, January 06, 2017

ATIpper #6: 1957 Division of Effort

More from the Access to Information (ATI) files:

Some nice information here from the Isbister Report (Intelligence Operations in the Canadian Government, 9 November 1970) about how CBNRC (now CSE) set its intelligence processing tasks and priorities at that time:

Note especially the revelation that "the division of main responsibilities for SIGINT tasks [was] reached at a Tripartite (US-UK-Canada) SIGINT Conference in 1957 in the interests of avoiding unnecessary duplication. A working arrangement for the allocation of tasks was proposed by CBNRC/GCHQ/NSA. It was approved by [the Director of Communications Security] and reported in October 1957 to [the Communications Security Board] which exercised policy control before [the Intelligence Policy Committee] was formed."

A 1990 document (The Canadian Intelligence Community, 16 March 1990; discussed here earlier) adds the further detail that "Canada undertook to bear the main responsibility for the collection and analysis of SIGINT on the Soviet Arctic."

The passage also suggests that the 1957 division of effort may have been part of a larger Canada-United Kingdom-United States CANUKUS Agreement, the exact date of which has never been clear to me. (Tripartite COMINT conferences were already being held by the three countries by 1950.)

The allied division of effort was subsequently expanded to all of the Five Eyes members and covered "not only the exchange and exploitation of intelligence on Communist countries, but also on the most important strategic areas of the world."

Canada's decision to largely abandon its cryptanalysis program in 1957 was probably related to the task-allocation decisions made by the three partners that year. (CSE's cryptanalytic capabilities were revived in the 1980s.)

The end of the Cold War may well have spelled the end to any formal division of effort among the Five Eyes allies.

CSE's statutory mandate, added to the National Defence Act in 2001, specifies that CSE foreign intelligence collection must be done "in accordance with government of Canada intelligence priorities", and CSE Chief John Adams, testifying in 2007, denied that any sort of formal division of effort then existed among the allies:
The Chairman: Do protocols exist where you have divided up the spectrum, as it were?

Mr. Adams: No, they do not, senator. It is based purely on our priorities as defined by the government.

The Chairman: Allied countries do not get together and say, ``You seem to be doing fairly well in this area, but we have a bit of a gap over here; any chance of you moving into it?''

Mr. Adams: No, we do not. If it is important to Canada, we will be there, if we can get there, obviously.

In discussions, as I said earlier, knowing the priorities that we have, we would share if there are mutual priorities and mutual national interests.
That being said, I rather suspect that, formally or informally, one of our national intelligence priorities is to make sure that we continue to collect enough intelligence of sufficient interest to our Five Eyes allies to ensure that they continue to see value in sharing the intelligence they collect with us.

ATIpper #5: 200,000 end product reports produced per year in 1990

A 16 March 1990 document called The Canadian Intelligence Community, released by Library and Archives Canada (release A-2016-00658), has quite a lot of really interesting information in it, including a couple of unprecedented details on the production of end product reports by Canada and its Five Eyes allies:

"The extremely close relationships existing between CSE and the counterpart organizations in the USA (National Security Agency) and the UK (Government Communications HQ) entail extensive technical co-operation as well as the exchange of end-product reports. On the latter point, the activities carried out by CSE result in the availability to the government of about 200,000 reports a year, only 10,000 of which are actually produced in Canada."

The report also specifies that NSA alone "produces in excess of 100,000 reports each year, most of which are shared with Canada."

I'm guessing that the temperature in Hell would have to be pretty close to 0 degrees Kelvin for CSE's redactors to ever release a comparable set of numbers.

Much has changed since 1990, but it seems likely that CSE and its allies are still producing a similar or perhaps even greater number of end product reports every year.

Tuesday, January 03, 2017

ATIpper #4: CANUSA confusion

More from the Access to Information (ATI) files:

Some secrets are worth protecting, and some aren't. A good example of the latter category is the 1949 Canada-U.S. COMINT Agreement, otherwise known as the CANUSA Agreement.

For some reason, CSE continues to believe that almost all information about this 68-year-old agreement is a deep national secret that must never be revealed.

As a result, even a simple introductory sentence about the agreement gets redacted, as in this example from access release A-2014-00062:

Or this example, redacted from a separate version of the same document released to the British Columbia Civil Liberties Association and subsequently made public in a Federal Court filing:

Clearly CSE does not want this information revealed.

But no one is perfect, so here—thanks to another access release, A-2013-00084—is what the redacted sentence actually said:

“The CANUSA Agreement established the relationship between the Canadian Communications Research Committee (a predecessor of CSEC) and the U.S. Communication Intelligence Board (a predecessor of NSA) respecting COMINT.”

Let's hope the nation's security will someday recover from this blow.

Personally I have no doubt that it will, and very quickly too, as the newly revealed secret information is not actually correct.

The Communications Research Committee was not a predecessor of CSE, and the U.S. Communication Intelligence Board was not a predecessor of NSA. The Communications Research Committee was an interdepartmental committee chaired by External Affairs and set up, as the History of CBNRC explains, to "control all SIGINT activities, including policy control of CBNRC and Canadian intercept stations". The U.S. Communication Intelligence Board was the parallel U.S. body that controlled U.S. SIGINT policy. The actual SIGINT organizations at the time were the CBNRC (the Communications Branch of the National Research Council, CSE's original name) and AFSA (the Armed Forces Security Agency), respectively.

Perhaps the author was thinking of a different CRC. The organization that became CBNRC in September 1946 was briefly known as the Communications Research Centre earlier in 1946. By 1949, however, that name was long gone.

What is correct is that the Communications Research Committee and the U.S. Communication Intelligence Board were the signatories of the CANUSA Agreement.

The good news here for CSE is that the document that contains this sadly misinformed sentence was written by CSE's watchdog agency, the Office of the CSE Commissioner (OCSEC), not CSE itself.

The bad news is that OCSEC reports are submitted to CSE in draft form so that CSE can check them for factual accuracy. And although we don't know what the good folks at OCSEC originally drafted, editorial notes that were also released as part of access release A-2014-00062 confirm that it was CSE that suggested the incorrect interpretation:

[Update 30 July 2019: The incorrect information can even be found in CSE policy documents.

(This example is from the OPS-1-13 policy document, 5 December 2012 version.)]

Pardon me while I address our national cryptologic agency directly for a moment:

You know, if you just proactively declassified the whole CANUSA Agreement—like the U.S. and the U.K. did with the CANUSA Agreement's model, the UKUSA Agreement, more than six years ago—you might save yourselves a lot of embarrassment.

Just saying.

Update 23 April 2017: The 1949 version of the CANUSA Agreement was finally released in April 2017. But not proactively—I had to cough up five bucks to spur things along.

Update 31 March 2019: See here for a substantial part of the appendices.