Saturday, June 26, 2021

NSIRA review calls into question legality of identity disclosures

On June 18th, the National Security and Intelligence Review Agency (NSIRA) released the public version of its report on a review the agency conducted in 2020 of CSE's disclosure of Canadian Identity Information to government of Canada clients. NSIRA concluded that CSE’s disclosure regime "may not be in compliance with the Privacy Act", and thus the review agency "submitted a compliance report" to the Minister of National Defence. Although couched in tentative terms, this conclusion is probably about as close as NSIRA is likely to get to saying that CSE broke the law.

OCSEC, the agency that reviewed CSE prior to NSIRA's creation in 2019, made a similar finding only once in its 23 years of existence. That case concerned metadata sharing with foreign partners. It's starting to look like NSIRA, which is still less than two years old, may be considerably more inclined to call out activities that it feels fall short of legal compliance than OCSEC was.

What is the significance of "Canadian Identity Information"?

Canadian Identity Information (CII) is any specific piece of information that can identify a Canadian citizen, permanent resident, or corporation incorporated in Canada, including but not limited to names, phone numbers, email addresses, IP addresses, and identifiers such as passport numbers. Except when operating under Part C of its mandate (discussed below), CSE is only permitted to target foreign entities (persons, groups, corporations) located outside Canada. But sometimes the information obtained by that targeting, or by various types of untargeted collection, contains information about Canadians, potentially including identity information. A foreign target might communicate with a person in Canada, for example, or two foreign entities might discuss information pertaining to a Canadian. Such information may be used in CSE foreign intelligence or cybersecurity reports or otherwise retained by the agency if it is assessed as being "essential" to "international affairs, defence, security or cybersecurity". But normally CII may only be included in those reports if it is "suppressed", which means replaced in the report by a generic reference such as "a Canadian person" or "a Canadian company". Client departments can request that CSE provide them with the information that was suppressed if they have the lawful authority and a suitable operational justification for receiving it.

CII releases were insufficiently justified

NSIRA looked at CSE's record of disclosing CII to Canadian government clients from 1 July 2018 to 31 July 2019, and it did not like what it saw. Over that thirteen-month period, CSE received requests from 15 departments for disclosure of a total of 3708 Canadian identifiers that had been suppressed in reports by CSE or its Five Eyes partners; 3671 (99%) of the identifiers were disclosed to the requesters.

After a closer examination of a sample of the requests accounting for 2351 identifiers, NSIRA found "69% [of the requests] to be justified, 28% to be insufficiently justified to warrant the release of CII, 2% that could not be evaluated, and 1% that CSE denied." (Note that NSIRA did not conclude that these 28% could not be justified, but simply that they had not been sufficiently justified.) NSIRA also found information disclosed by CSE that hadn't even been requested: "NSIRA observed cases where CSE disclosed Canadians’ names and other personal information even when the recipient only asked CSE for a company’s identity."

Disclosures to CSIS, the RCMP, and the Canada Border Services Agency (CBSA), which accounted for about half of the sample, were considered by NSIRA to be generally appropriate, "with some exceptions." This suggests, however, that half or more of the releases to the 12 other client departments were not considered sufficiently justified. NSIRA recommended that CSE cease disclosing CII to clients other than CSIS, the RCMP, and the CBSA until it addressed the findings and recommendations contained in the review. Such clients would include major intelligence consumers such as Global Affairs Canada and the Privy Council Office, as well as lesser users like Innovation, Science and Economic Development Canada.

Section 16 reporting

Some of the CII released by CSE was derived from information collected in support of CSIS Act s.16 collection of foreign intelligence within Canada. This information is normally collected under the aegis of Federal Court warrants issued to CSIS, and in some cases CSIS asks CSE to help with its collection or processing. CSE sometimes also reports some of the resulting information through its own foreign intelligence reporting channels. If, for example, a CSIS s.16 operation is established to monitor the communications of the South Korean embassy for economic intelligence purposes, as was done in the 1990s, it is CSE that does most or perhaps all of the processing and reporting of the resulting intelligence.

According to NSIRA, the procedures that CSIS uses to limit the release of CII acquired under s.16 are significantly stricter than those applied by CSE in its releases, and as far as NSIRA could tell the Court was not aware that CSE's laxer practices were also being applied to the information collected under its warrants. NSIRA therefore recommended that the Federal Court be fully informed of CSE’s disclosure practices and that, in the interim, CSE cease disclosing CII collected under s.16. In January 2021, CSIS did give the Court a copy of NSIRA's classified report. What happened in the interim and what actions the Court may subsequently have taken are not revealed.

Misleading statements to parliament

NSIRA also commented that CSE's 2018 testimony about s.16 activities to a parliamentary committee was "not a complete representation of the lifecycle of information collected by CSE in its assistance", in that it failed to acknowledge CSE's use of information collected through CSIS s.16 activities. CSE's resort to what I call "secret asterisks" in its public statements about Mandate C activities has long been a source of fulminations on this blog, so it's good to see some attention to this aspect of CSE's public communications.

CSE's response

According to NSIRA, CSE accepted all of the recommendations made in the report. An unclassified version of CSE's response was helpfully made available with the report.

It is evident from that response, however, that CSE disputed NSIRA's characterization of its disclosure practices, arguing that CSE's actions were actually fully compliant with the Privacy Act. It is unclear whether the Minister of National Defence, who forwarded NSIRA's compliance report and CSE's response to Attorney General David Lametti, agreed with CSE's position on the issue or simply washed his hands of it (as he so often seems to do). We also have no information about what the Attorney General did with this information.

It may be that CSE felt a bit blindsided by NSIRA's conclusions. In its defence the agency noted that, "In his final 2018-2019 review, the [CSE] Commissioner confirmed that CSE’s disclosures of CII complied with the law and were done in accordance with ministerial direction."

But it's worth recognizing that even that review expressed serious concerns about CSE's CII practices:

In just under 20 percent of requests, clients provided operational justifications that were generic. CSE explained that generic justifications had been developed in discussion with clients and tested over time. CSE also explained that its analysts learn its clients’ mandates, authorities and requirements. However, the Commissioner’s office believes these generic requests could not be described as robust, as required by CSE policy, because they did not provide an important element required for approving a client’s disclosure request: the requestor’s specific reason for the Canadian identity information. CSE believes these generic requests meet the minimum requirements of policy. However, because the requests contain generic justifications that did not sufficiently outline the requirement for the suppressed information, they failed to meet the Commissioner’s office’s expectations for justifications of Canadian identity information disclosures.

For reference, this is what a Request for Release of Suppressed Information form looks like for CII suppressed in foreign intelligence reports (or at least what it looked like in 2014):

The redacted section contains 13 possible generic justifications for why the requested information is required, the first of which (we know from an earlier release) is "capabilities/intentions/activities of a foreign person, state, organization or terrorist group relating to international affairs, defence or security". The requestor is asked to mark those justifications that apply with an X.

If the process for the release of suppressed information still uses this form or something much like it, then frankly it's not obvious to me how any of the other 80% of requests (or 69% of requests by NSIRA's count) provide robust, specific justifications either. Maybe in those cases the necessary details were provided in the answers to questions 2 and 3.

One nice thing about CSE's response: for the first time since 2011, the agency seems to have given us a reasonably accurate list of the broad Canadian intelligence priorities the agency responds to: "from support to Canadian military operations, [to intelligence about] espionage, terrorism and kidnappings to geostrategic concerns, cyber threats, foreign interference and global crises, among others."

Now, these may all sound rather obvious, and that's exactly what they are, but that hasn't stopped CSE from treating them like life-and-death national secrets in the recent past, so maybe we can take this step as a small sign of progress in the agency's long struggle to learn the difference between things that really do need to be secret and everything else.

Back to the report...

It would be useful if the full list of recommendations made by NSIRA were clearly laid out in the report, in as close to the original wording as declassification permits, to help the public keep track of them. According to the background notes on NSIRA's website, NSIRA made 11 recommendations in this review. It is possible to work out the gist of six or so of these recommendations from the text of the public version, but the rest have been left as a mystery. Maybe the others were rolled into the recommendations provided, but who can tell?

When NSIRA promised to proactively release public versions of its classified reports instead of forcing researchers to go through the tediously slow and frustrating Access to Information process in order to get a usefully detailed view of what the review agency had to say, I was hopeful that a major improvement in transparency was on the way. The unclassified version that NSIRA released is considerably more detailed than the summaries that were formerly published in OCSEC's annual reports, and it's notable that it includes the first published data on the number of CII items disclosed by CSE (as opposed to the number of requests). This is to NSIRA's and CSE's credit. Kudos also for publishing the report as a searchable PDF and making an unclassified version of CSE's response available. But in the absence of a proper summary of the report's findings and recommendations, it looks like people like me will still be stuck using the Access road.

[Update 22 December 2021: NSIRA's 2020 Annual Report, released on December 10th, reproduces all 11 of the review's recommendations in slightly sanitized but still useful form. It also does this for the other reviews completed during the year, along with the target agency's responses up to that point. NSIRA also states in the report that it "intends to publish and track such information from all reviews on its website." It's great to see NSIRA adopt this approach, and I hope (and expect) that in future NSIRA will also reproduce its recommendations in the released versions of its individual reviews.]

One of the other benefits that I had hoped to enjoy as a result of proactive release was greater timeliness. In this case, the original classified report was submitted to the Minister of National Defence on 25 November 2020, which means it took nearly seven months for this summary to be released. Yes, there's a pandemic going on. But let's hope post-COVID releases will be able to reduce that lag time considerably.

News coverage and commentary:

Jim Bronskill, "Canada's cyberspy agency may have broken privacy law, intelligence watchdog says," Canadian Press, 18 June 2021.

Alex Boutilier, "Spy agency may have broken privacy laws in sharing Canadians' information, watchdog says," Toronto Star, 18 June 2021.

Christopher Parsons, "NSIRA Calls CSE’s Lawfulness Into Question," Technology, Thoughts & Trinkets blog, 18 June 2021.

Intrepid podcast: Episode 161: Review of Review: NSIRA Calls Out CSE and CSIS, uploaded 30 June 2021.

Update 28 June 2021: The original version of this post stated that the CII requests that NSIRA examined were made over a four-year one-month period. While NSIRA did look at some of CSE's disclosure practices over that longer period, the statistics pertaining to identifiers requested and disclosed covered just thirteen months, from 1 July 2018 to 31 July 2019.