Wednesday, December 23, 2020

First NSIRA annual report released

The first annual report of the National Security and Intelligence Review Agency (NSIRA) was released on December 11th. In many ways the new agency is off to a promising start. But when it comes to information on CSE, the report is a disappointment.

NSIRA was created in 2019, when the National Security Act, 2017 (Bill C-59) was finally done crawling its way through parliament. The new agency took over the duties of the existing watchdog agencies for CSE and CSIS, the Office of the CSE Commissioner (OCSEC) and the Security Intelligence Review Committee (SIRC), but with an expanded mandate that includes examination of the reasonableness and necessity as well as the legality of their activities. It was also given the job of reviewing the other security and intelligence activities across the government of Canada.

The report covers NSIRA's activities during the six months from its July 2019 creation to the end of 2019. Normally we should expect to see NSIRA's annual report sometime in the first half of the year that follows, but since the agency was still in the process of establishing itself and hiring staff, and had to do all that in the middle of a pandemic, it's unsurprising that this first report was delayed to December.

In keeping with the purpose of this site, I'm going to focus primarily on the report's treatment of the Communications Security Establishment. But I'll start with a few comments on the editorial philosophy underlying the report. NSIRA intends to proactively release unclassified versions of each individual review it conducts during the year as soon as they are available, so it is planning to spend less space reporting on those reviews in its annual report and to focus instead on the most significant issues of the year and broad lessons, trends, or themes that may arise. The annual report will also cover other aspects of the agency's operations, such as its complaints investigation function.

This seems like a sound approach to me, and I am especially pleased to see the agency's commitment to the proactive and timely release of the reports on its individual reviews. This has the potential to be a really useful step that, as NSIRA states, could help "to increase transparency and accountability, and to open the door to extensive discussions and debate in the public sphere."

The proof, however, will be in the pudding. This Christmas we got just one pudding, NSIRA’s 2019 Annual Report on the Disclosure of Information under the Security of Canada Information Disclosure Act, which was also released on 11 December.

The value of these releases will depend greatly on the intelligibility of the information provided in them. The need to protect intelligence agency secrets is real, and using a "write-to-release" approach, as NSIRA intends to do, may well be a practical necessity, but NSIRA will have to ensure that the resulting reports are not content-free as well as secret-free. If the end result is the sort of Delphic gibberish that so often characterized the public versions of OCSEC reports, the resulting discussions and debate in the public sphere are unlikely to be any more substantial than they were with OCSEC's reports, which typically were read and sometimes commented upon by me and, um... Hmm. Well, me, at least. Definitely me.

(And to be fair, yes, a few others. There was always a small coterie of the dutiful and the diehard in both academia and the media who could be counted on to read OCSEC's reports, and even, on rare occasions, to write something about one of them. But I doubt any of us disagree about their limited value as a base for public discussion or debate.)

Ultimately, the intelligibility question hinges on the commitment to transparency not just of NSIRA, but of the agencies that NSIRA reviews, as they are the ones who determine what information can be declassified and discussed in public. It was CSE who demanded for years and years that data like the number of Canadians referenced in signals intelligence reports and even words like "metadata", "bulk", "unselected", and "contact chaining" had to remain classified — even when they were already the subject of wide public discussion in other jurisdictions. Through constant pressure OCSEC made considerable progress over the years in expanding the range of what it was permitted to discuss publicly. But if a base for debate was the goal, there was still a long, long way left to go.

What we will need from NSIRA, therefore, is a commitment to engage in an ongoing struggle on this issue. And to consistently keep the public informed.

Happily, it looks like they have already begun to do this. On page 25 of the report we learn that CSE refused to permit NSIRA to reveal the numbers of the various types of ministerial authorizations (MAs) that the agency received under the CSE Act. This is a bad sign for CSE's supposed commitment to greater transparency. (Note to CSE: Invisibility is not the desired end goal of transparency.) But the fact that NSIRA is publicly disputing CSE's position is a very good sign.

Dirty deeds done at government rates

It is also positive that, although it wasn't able to give us the numbers, NSIRA was able to tell us that MAs were indeed signed in 2019 for both active, i.e., offensive, cyber operations (ACO) and defensive cyber operations (DCO). I think this is the first time that fact has been confirmed. CSE's cyber operations powers, which represent a fundamental change in the agency's role, were only granted to CSE in 2019, and knowing the MA numbers would provide some minimal sense of how much CSE is ramping up those activities.

The review agency also notes that it "considers our reviews of ACO/DCO actions to be particularly important. Unlike in the case of CSIS [threat reduction measures], CSE has no statutory obligation to notify NSIRA when it undertakes ACO/DCO activities. NSIRA intends, however, to focus proactively on these activities." The report's endnotes also contain this warning: "Under the governing statutory framework, it ... seems likely that ACO/DCO activities undertaken by CSE must accord with relevant international law." I suspect we'll be hearing more about this issue eventually.

Foreign intelligence and cybersecurity MAs

CSE also refused to permit NSIRA to report the number of foreign intelligence and federal and non-federal cybersecurity MAs granted in 2019. These MAs are also new, but the numbers of similar MAs were reported by OCSEC, NSIRA's predecessor, in each of the prior 6 years. Not any more, says CSE.

[Update 21 February 2021: The Intelligence Commissioner's Annual Report 2019, released in January 2021, gave us the total number of foreign intelligence and cybersecurity authorizations issued in 2019: five. It also told us that four were year-long authorizations and one was for six months only. Which pretty much answers our overall numbers questions. Under the previous system of MAs, there were 3 one-year-long SIGINT MAs and 1 one-year-long cybersecurity MA issued every year. We know from NSIRA's report that there were at least two cybersecurity MAs this time, one for federal government infrastructures and one for the new category of non-federal infrastructures (presumably the six-month authorization), so it looks like the 2019 numbers were three SIGINT MAs, one federal cybersecurity MA, and one non-federal cybersecurity MA. My guess is that the last number, the number of non-federal MAs, could vary by quite a lot from year to year, but the other ones aren't likely to change much. We'll see.]

These MAs are supposed to cover all CSE information collection activities that "might otherwise contravene an act of Parliament or interfere with the reasonable expectation of privacy of a Canadian or any person in Canada." So it is intriguing that the report tells us that NSIRA's future review of CSE collection techniques "will start by focusing on certain collection techniques that are authorized under a ministerial authorization and comparing them to techniques that are authorized through other channels." Just what are these other channels? Is this a reference to "publicly available information" or is there something else squeaking through here somehow? They're not suggesting that intercepts of communications involving persons in Canada that are passed to CSE by allies are exempt from expectations of privacy, are they? I for one will be interested to see what emerges from this investigation.

Missing information

Meanwhile, a whole lot of other items of information previously reported by OCSEC are also missing from this report, notably data on CSE's use of private communications (PCs), i.e. communications with at least one end in Canada.

The missing data includes:
  • The number of recognized PCs retained for possible use under CSE's foreign intelligence program.
  • The number of those PCs used in CSE SIGINT reporting.
  • The number of reports PCs were used in.
  • The number of PCs retained by CSE at the end of the review period.
  • The percentage change in the total number of recognized PCs intercepted by CSE's foreign intelligence program.
  • The number of PCs "with substantive content" used or retained by CSE's cybersecurity program.
Also missing:
  • The number of requests made by Canadian government clients for disclosure of Canadian Identity Information (CII) cited in reports by CSE or Five Eyes partners.
  • The number of requests for CII made by Five Eyes partners.
  • The number of requests made by other states.
The report does tell us the number of privacy incidents added to CSE's Privacy Incidents File in 2019: 123. But it doesn't explain why this is nearly three times as many as the 44 reported in the last OCSEC report. Nor do we get the number in the Second Party [Privacy] Incidents File.

NSIRA does recommend, however, that "CSE should examine the totality of all privacy incidents with the view to identifying systemic trends or areas of weakness in existing policy and/or practice that may reduce privacy incidents." So maybe NSIRA wants to know why the number went up too.

The report also notes that NSIRA warned CSE during its review that one method used to mitigate privacy incidents "did not appear to meet legal and Ministerial Authorization criteria and has the potential to engage section 8 of the Charter." According to the report, CSE decided in November 2019 to "rescind the practice" in question, but NSIRA nonetheless recommended that "CSE should rescind this policy, or obtain a legal opinion on the lawfulness of this practice."

Presumably we will receive updates of CSE's responses to NSIRA recommendations in future annual reports.

OCSEC made a regular practice of doing this (although often in rather vague terms). But in another case where information that used to be reported has, for the moment, ceased to appear, the NSIRA report fails to follow up on the status of the ten OCSEC recommendations that the last OCSEC report said CSE was working on.

All in all, there's a lot of information about CSE that was provided in the last OCSEC annual report that is not in this successor report.

Unlike the MA situation, in most of these cases, I would assume, this is not because CSE has suddenly insisted on withholding it.

And maybe it's not gone for good. It may be that some of this information will appear during the year as NSIRA releases specific reports about its individual reviews. I certainly hope that's the case.

But it is not at all clear that any more releases (beyond those reviews mentioned in the report) are coming from OCSEC's final year/NSIRA's first year. Nor is it evident that NSIRA intends in future years to continue collecting and reporting the data missing from this report.

So, is NSIRA off to a good start or not?

In many ways I think it is, but with respect to reporting on CSE, the picture is mixed, and it's not possible to be certain at this point.

Update 20 February 2021: Leah West and I discuss the NSIRA report and the recent report of the Intelligence Commissioner with Stephanie Carvin on Episode 148 of the Intrepid Podcast.
