Monday, January 30, 2017

Releases of Canadian identities to Five Eyes partners

How often does CSE hand over information about Canadians to the United States and other Five Eyes allies? A partial answer is obtainable by examining a recent Access to Information release.

CSE's end-product reports must relate to its foreign intelligence or cyber defence responsibilities. (Information collected by CSE for Canadian law enforcement or security agencies is a separate matter.)

But sometimes these end-product reports do contain information about Canadians. When that happens, the name and other identifying information of that Canadian — known as Canadian Identity Information (CII) — is "suppressed", i.e., replaced by a generic reference such as "a named Canadian" or "a Canadian businessman". (There are certain exceptions to this rule, but they seem to be relatively limited, probably amounting to fewer than 100 cases per year.)

The information that is suppressed in those reports is not deleted, however. It is retained in CSE's data banks and is available to clients who request it if they can demonstrate both the authority and an operational justification for obtaining it. This applies to CSE clients located in Canada's Five Eyes allies, also known as Second Parties, as well as to domestic Canadian agencies.

Given the potential for the misuse of such information, particularly in light of the accession of the Trump administration, it would be helpful to know how often Canadian Identity Information is released to Canada's Five Eyes allies.

CSE has always refused to declassify this information. However, it is possible to get a sense of the scale of the releases by examining the gaps left in the agency's annual reports released under the Access to Information Act (release A-2015-00086).

Here are the relevant sections of the released versions of those reports for the five years from 2010-2011 to 2014-2015 inclusive.

2010-2011 Annual Report:

"In addition, CSEC released [redacted 3-digit number] identities to its Five-Eyes partners."

The width of this redaction indicates that it originally contained a 3-digit number, which means that somewhere between 100 and 999 pieces of Canadian Identity Information were released to Five Eyes partners in 2010-2011.

2011-2012 Annual Report:

"In addition, CSEC released [redacted] Canadian identities to its Five Eyes partners."

In this case, because the redaction occurs at the end of a line it is not possible to determine how many digits the redacted number had. However, the following year's report (see below) indicates that the 2011-2012 figure was also a 3-digit number.

2012-2013 Annual Report:

"In addition, CSEC released [redacted 4-digit number] Canadian identities to its Five Eyes partners. This represents a significant increase in the number of identities released in 2011-2012 ([redacted 3-digit number + close-parentheses] and is attributable to a [redacted] released to the US allies to enable them to efficiently assess the [redacted]"

The cause of this one-time jump was revealed in the following year's report to be "a single cyber defence report" that presumably contained a very large number (at least one thousand, possibly multiple thousands) of Canadian identities.

2013-2014 Annual Report:

"In 2013-14, Second Parties requested [redacted 3-digit number] Canadian identities, of which [redacted 3-digit number] were released. This is a [redacted] from the previous year, when [redacted 4-digit number] were released; however, during the previous year, [redacted 4-digit number] of those releases were from a single cyber defence report."

Here the number of released identities falls back to the more normal hundreds range.

Also worth noting is the fact, evident from the way the sentence is constructed, that not all requested identities are released.

This is also confirmed by various comments that the CSE Commissioner has made over the years. The Commissioner's 2014-2015 report even provided some data on this question, noting that a sample of recent Five Eyes requests examined by his office included "roughly an equal number of denials and disclosures of Canadian identity information." No information on the long-term average CII disclosure rate has been released, however. In some years, such as the year when a thousand or more identities were released from a single report, the disclosure rate has probably been much, much higher than 50%.

2014-2015 Annual Report:

"In FY 2014-15, Second Parties [redacted; probably "requested" + 3-digit number] Canadian identities, of [redacted; probably "which" + 3-digit number] were released. [Redacted] of these releases were to [redacted]"

In this release, CSE redacted larger portions of the text, possibly to make this kind of analysis more difficult. It's fairly easy to guess what the redacted words actually were, but the extra redactions do make the overall conclusions less certain.

(Thanks for that, CSE redactors. I'm sure the nation's security hangs on preventing the bad guys — or maybe the Canadian public? — from knowing with certainty whether the number of Canadian identities revealed to Five Eyes partners in a given past year was a 3-digit number or a 4-digit number.)

The most recent annual report of the CSE Commissioner provides another data point related to this question: Between 1 July 2014 and 30 June 2015, Five Eyes partners made 111 requests for Canadian Identity Information.

However, request numbers do not translate directly to release numbers for several reasons: requests are sometimes denied; requests may be made for the same identity by multiple clients; and finally and most importantly, a single request can pertain to multiple identities — in the case of the cyber defence report mentioned above, perhaps thousands of identities were released as a result of a single request. The fact that more than 100 requests were made suggests, however, that most requests involve only a small number of identities.

Taken together, these documents demonstrate with reasonable certainty that CSE releases at least one hundred and sometimes more than one thousand pieces of Canadian Identity Information to Canada's Five Eyes allies every year. Something like one or two items a day might be a reasonable guess.

And that's not the only way such information is shared. CSE also intercepts foreign communications on behalf of its partner agencies using selectors that they provide. It then forwards those intercepts, some of which are likely to contain incidentally collected Canadian communications or other information about Canadians, directly to them.

(CSE's recent metadata minimization failure also led to CII being provided to Five Eyes allies, but in that case the information would not have been provided if the systems had been working as required.)

It is likely that most of the information released through these processes goes to CSE's largest and closest collaborator, the U.S. National Security Agency, but some would also go to the other partner agencies.

In the vast majority of these cases, I would guess, the provision of this information makes a valuable contribution to Canadian and Allied security — in some cases it probably even contributes to the security of the named Canadians themselves. But as the Commissioner's classified 17 July 2013 report to the Minister of National Defence (A Review of CSEC Information Sharing with the Second Parties, Access release A-2014-00062) noted, the results of such sharing are not necessarily always benign:
While the case of Mr. Maher Arar did not relate specifically to CSEC or to SIGINT information sharing with the Second Parties, it is an example of how Canada's closest international partners may make their own decisions in relation to a Canadian.... The case of Mr. Arar demonstrates how [Government of Canada] information sharing with the U.S. or other partners may affect a Canadian and possibly put a Canadian in personal jeopardy.
This possibility is especially relevant now, with the Trump administration openly discussing a return to the use of torture, secret prisons, and other violations of civil liberties and international law. But even under the Obama administration some of these risks, including for example the possibility of targeted killings, were present.

The Canadian government has policies in place to govern international information-sharing when there is a substantial risk that the information shared could lead to the torture or other mistreatment of an individual, but many people question whether they are sufficiently restrictive.

In CSE's case, a Ministerial Directive signed in 2011 obliges the agency to conduct a mistreatment risk assessment whenever it considers releasing CII to a non-Five Eyes country.

But my reading of the limited information that has been released on that directive suggests that the Five Eyes countries are exempt from this requirement, except when those countries seek to forward Canadian information to a non-Five Eyes country. It would be very useful to know if that is in fact the case.


Post a Comment

<< Home