Tuesday, February 20, 2024

Redactile dysfunction

Anyone who uses Canada’s access to information process on a regular basis will likely come to suspect that information is occasionally withheld not for national security or other legitimate reasons, but to protect the institution withholding the information from potential embarrassment or controversy. This is not a legitimate reason for withholding information under the access law, but since the information in question has been, well, withheld, it is very difficult to detect this unlawful practice when it may occur. Normally.

Occasionally, however, we do get to see the information that lies behind the redactions — and, perhaps unsurprisingly, in some of those cases our suspicions do seem justified.

Case in point: In 2021, NSIRA released the declassified version of its Review of CSE’s Self-Identified Privacy Incidents and Procedural Errors (NSIRA Review 08-501-2). This was not an access to information release as such, but the report had been subjected to a comparable redaction process overseen by CSE prior to its release.

Among the items redacted from NSIRA’s report were the details of one of the practices CSE had been using to mitigate privacy incidents during which CSE or one of its Second Party partners had inadvertently identified a Canadian person or institution in SIGINT reports.

NSIRA did not believe that the practice was an appropriate way to respond to such cases and recommended that it be rescinded.

I was reminded of this report recently when I was going through CSE’s response to access to information request A-2022-00029, in which the original requester had sought the release of a series of briefing notes written by CSE for the Minister of National Defence.

One of those briefing notes concerned NSIRA’s review and the steps that CSE was taking to respond to it. It too redacted all details of that particular mitigation technique, even though CSE had abolished the practice in response to NSIRA’s objections, and had in fact done so even before NSIRA had finalized its report.

What was this inappropriate practice which, even after its abandonment, was too sensitive for NSIRA to be permitted to disclose?

The NSIRA report did manage to retain one clue. A flowchart of CSE’s process for responding to privacy incidents reproduced at the end of the report contained this intriguing, partly redacted step possibly relevant to NSIRA’s concerns:

To get the full answer, however, you have to turn to the documents that were provided to the British Columbia Civil Liberties Association (BCCLA) during its recent litigation against CSE. (Those documents were also subjected to a stringent redaction process, but — possibly because they were provided for use in the Federal Court — the redactions were often less sweeping than those made to documents released through the access to information process.)

According to sections 8.3 and 8.4 of OPS-1-7: Operational Procedures for Naming in SIGINT Reports (provided to the BCCLA as document AGC 0019),

Generally speaking, you must cancel and reissue reports in which you inadvertently named or contextually identified Canadians or Second Parties. However, after issuing a number of reports (more than 10) in which you named or contextually identified Canadians or Second Parties you believed to be foreign, you may learn that the person, corporation or organization is actually Canadian (or Second Party). In this case, you may be able to obtain retroactive blanket approval for these historical reports.
You must contact Operational Policy, who will assess retroactive blanket approval requests on a case-by-case basis. The Director, COP is responsible for granting retroactive blanket approvals. With a retroactive blanket approval you do not need to cancel or reissue these 10 or more historical reports since this might draw unwanted attention to the inadvertently identified Canadian.


It was this policy of retroactive naming approval that NSIRA objected to, and that CSE agreed to rescind but evidently wanted to keep secret.


Why keep this information secret?

Nothing about this information reveals even the slightest clue about what CSE and its partners seek to collect intelligence on, how they go about collecting intelligence, how their own security might be compromised, or anything else of a legitimately sensitive nature.

All it does is tell Canadians that if CSE or its partners name or contextually identify you in 10 or more reports under the mistaken belief that you are not Canadian, and then later they learn the truth, the response in at least some cases in the past was to retroactively approve the mentions in the old reports on the rather doubtful grounds that dredging up those reports to either cancel or correct them might draw more attention to the individuals inappropriately named than leaving them untouched in the files.

Is it embarrassing for CSE that it used to embrace a policy that both NSIRA and now CSE itself recognize was not an appropriate way to protect Canadians’ privacy? Potentially, sure, yes.

Is it embarrassing that CSE needs to have a policy for what to do when it or its partners mistakenly identify a Canadian on 10 or more separate occasions? Yeah, that too. There are reasons why that sort of error happens, but it’s certainly not a great look.

This is not the only case in which CSE redacted information for no evident reason other than it was potentially embarrassing.

The agency also did it to this recommendation from a June 2006 report by NSIRA’s predecessor, the CSE Commissioner:

Once again, we know the missing words thanks to a document provided to the BCCLA (AGC 0260):

The text that CSE redacted was: “and ensure that all decisions and resulting activities are based upon criteria that have been consistently applied and are statutorily defensible.”

Is it embarrassing for CSE that the CSE Commissioner felt obliged to recommend that all the agency’s decisions and actions be based on consistently applied and statutorily defensible criteria? Arguably, yes, since it implies that CSE had sometimes failed to do so in the past.

But is there any way in which redacting those words from a document obtained through the Access to Information Act could be construed as itself statutorily defensible? Not a [redacted] chance.

The Access to Information Act is a law, and it applies to CSE as much as to any other federal government institution. That act gives those institutions an enormous amount of discretion in deciding what information to release and what to withhold, but it does not give them the option to withhold information just because they think it could make them look bad.

Let me repeat that. Potential embarrassment is NOT A LAWFUL JUSTIFICATION FOR REDACTING INFORMATION requested under the Access to Information Act. It’s just not. 

It’s not.

How often does this sort of redaction get made? Who knows?

Is it too much to ask that CSE hold itself — or, if necessary, that NSIRA hold CSE — to the standard of compliance with this law?


Tuesday, February 13, 2024

RIP David Kahn

U.S. journalist and author David Kahn died on January 24th. He was 93.

Kahn's 1967 book The Codebreakers, which covered the history of code making and breaking from its ancient origins to the mid-20th century, thrust the previously little known field of cryptology into the public eye to an unprecedented degree and thus helped open the era of public discussion of signals intelligence.

Preferring its comfortable obscurity, the U.S. National Security Agency feared the impending publication of the book so much that it looked for ways to prevent its publication. Fortunately, it was unsuccessful. In the years since then the agency has gradually come to recognize the value of greater public awareness of its work. In 2020 it inducted Kahn into its Cryptologic Hall of Honor

In addition to writing The Codebreakers, Kahn was one of the founding editors of the journal Cryptologia. In 1991 I sent him a draft of an article that I had written about CSE's 1980s cryptanalytic renaissance, and when he very graciously replied it was with a copy-edited version accepted for publication in the journal. "The Fall and Rise of Cryptanalysis in Canada" appeared in the January 1992 issue. You can read a slightly updated version I posted on this blog here.

The New York Times published an excellent obituary of David Kahn on February 9th.