Tuesday, August 09, 2016

2015-16 OCSEC report: News from the salvage operation

The 2015-2016 annual report of the Office of the CSE Commissioner (OCSEC), CSE's watchdog agency, was tabled in parliament on July 20th, whereupon it immediately sank without a trace. To the best of my knowledge, not a single news article has been published touching on any aspect of the report. [Until now.] (There was at least one commentary, however.) Not even Lloyd's List reported on the document when it went down.

It is perhaps not surprising that the report caused not a ripple. Last year's effort, tabled just six months earlier, was accompanied by a first-of-its-kind declaration that CSE had violated Canadian law. This year's report has no comparable James Cameron-class shocker: "This past year, all of the CSE activities reviewed complied with the law" (page 16).

Still, there's plenty of Glomar-worthy material in the wreck if you're willing to undertake the deep dive to recover it.

Join me as we watch the watchers' watchers and try to salvage some click-worthy items from this year's OCSEC report.

Spying on Canadians rose 4400%

I for one would click on a headline like that.

According to this year's report, CSE's foreign intelligence, or Mandate A, program used or retained as potentially useful 342 "private communications"—communications with at least one end in Canada—that were intercepted by CSE under ministerial authorization during the 2014-2015 authorization period (page 31).

As I discussed last year, this number is only the tip of the much larger iceberg that comprises Canadian communications processed by CSE, but it is an important statistic nonetheless. And this year what it shows is a dramatic increase in the number of private communications being used or retained by the Mandate A program.

Last year, the Commissioner reported that only 16 PCs had been used or retained at the end of the 2013-2014 authorization period, and this year he adjusted that figure without explanation to just 13 PCs. Maybe three of the retained PCs were subsequently deleted, maybe there was a change in the counting rules, maybe there is some other explanation that the Commissioner was unable to provide, or maybe I'm just missing something.

In any case, 342 is 26 times larger than 13.

And the change in the rate of PC use or retention was even greater, as the 2014-2015 authorization period was abnormally short, only seven months long. (This is discussed further below.) The rate at which the CSE Mandate A program used or retained Canadian communications that had been intercepted by CSE was 45 times as high in the 2014-15 authorization period as it was in 2013-2014 period. That's right, forty-five times.

Now, you might think the Commissioner would offer an explanation for such a dramatic change in one of the few statistical measures that OSCEC reports provide, and—mirabile dictu—he does. In a manner of speaking.
[The increase] was a consequence of the technical characteristics of a particular communications technology and of the manner in which private communications are counted. (page 33)
Now all we need is an explanation of the explanation.

My guess, and it's just a guess, is that this refers to something like SMS texting or a Facebook chat, in which each part of an extended conversation might be counted as a separate message.

If this is correct, then the dramatic rise in the number of private communications used or retained in 2014-2015 may have resulted from a relatively small number of conversations between just a few individuals. The overall number of Canadians whose communications were used or retained may not have increased at all.

An explanation along these lines might in turn explain the striking lack of concern with which the Commissioner greets what at first glance would appear to be a huge jump in the monitoring of Canadians.

But all this is just guesswork. Those of a less Pollyannish bent might make other guesses.

Nowhere does the Commissioner explicitly say there's nothing to be concerned about, and if that's how he actually feels about it, it would have been helpful if he had let his readers know.

This simple trick cut Ministerial Authorization periods by 42%

Another fact that surfaces only when you raise and reassemble portions of the text is that the five Ministerial Authorizations (MAs) that enable CSE to lawfully intercept private communications, which normally run for one full year apiece and which in recent years have extended from December 1st of one year until November 30th of the following, were cut short last year. Instead of lasting twelve full months, they were all replaced after seven, on June 30th, 2015 (see pages 30 and 34).

No explanation is provided for this change.

It is conceivable that Jason Kenney, who became Defence Minister on February 9th of that year, had his own ideas about the MA regime and didn't want to wait 10 months to introduce them, especially with an election looming. Another possibility is they were rewritten to accommodate new activities authorized by Bill C-51, which received Royal Assent on June 18th.

What the actual explanation may be I have no idea.

Our allies promised not to target Canadians and you'll never guess what happened next

We are often told that the Five Eyes partners do not target one another's citizens. Compared to the way other countries' citizens are treated, this appears to be largely true. But exceptions certainly occur.

In recent years, the CSE Commissioner has acknowledged that our Second Party partners do sometimes target Canadians, in "exceptional circumstances". This year he put it this way (page 19):
The cooperative agreements that exist between the five eyes partners include a commitment to respect the privacy of each nation’s citizens and to act in a manner consistent with each nation’s policies relating to privacy. Nevertheless, it is recognized that each of the partners is an agency of a sovereign nation that may, in exceptional circumstances, derogate from the agreements if it is judged necessary for their respective national interests. In such exceptional circumstances, one of CSE’s partners may acquire and report on information about a Canadian or a person in Canada.
So, OK, fair enough. Exceptional circumstances. Ticking nuclear bombs, national emergencies. Who could really expect otherwise?

But how widely do those national interests extend? I recall speculating a few years ago that
If, for example, the U.S. were to decide that its national interests required it to check into the possibility that would-be terrorists are plotting against the U.S. from inside Canada, we might very well expect them to go ahead and do exactly that. (But of course what are the chances that they would decide that?)
We now have an answer.

The Commissioner goes on to say:
A partner may report on Canadians located outside of Canada who are known to be engaging in or supporting terrorist activities, for example, a report about a known Canadian “foreign fighter” that may be planning to return to Canada or to attack Canadians.
For example.

Let's be clear here. I have no problem with the monitoring of people who are engaged in terrorist activities (assuming due process is followed), but according to CSIS there are some 180 individuals "with a nexus to Canada" who are engaged in terrorist activity abroad.

This is starting to sound a lot more routine than exceptional.

And there's more:
When a partner does undertake an activity relating to a Canadian, the partner may acquire information that, in addition to meeting its own national security requirements, relates to the security of Canada and, as such, may be provided to the Canadian Security Intelligence Service (CSIS) in support of its mandate to investigate and advise government on threats to the security of Canada.

Prior to February 2015, the process to provide this kind of reporting to CSIS was manual and did not involve CSE. To help address the evolving terrorist threat and the increase in the number of foreign fighters, CSIS required a more timely mechanism to securely exchange information. To this end, CSIS requested CSE assistance under part (c) of CSE’s mandate (paragraph 273.64(1)(c) of the National Defence Act (NDA)), to establish a mechanism for CSIS to receive and handle these reports via CSE’s established channels. ...

The Commissioner found that CSE’s activities to transmit these reports to CSIS were conducted in accordance with the law and with ministerial direction relating to the protection of the privacy of Canadians.
So we've gone from "naw, doesn't happen" to "oh, well, sure, but only in exceptional circumstances" to "pretty much all the time" to "we had to formalize the exchange of all this stuff to ensure its regular and timely delivery".

But terrorists, right?

Or, maybe, as former Solicitor General Wayne Easter said in 2013, “terrorism, crime or sex offenders.”

That crime bit covers a pretty wide range of exceptions.

It's worth noting that all of this is separate from Canada's own ability to monitor such persons, based on judicial warrants granted to CSIS or the RCMP, which, aside from those agencies' own capabilities, includes CSE's worldwide intercept capabilities, CSE's ability to use Second Party intercept facilities by supplying Canadian "identifiers" to those systems, and the government's ability, acting through CSE, to request that the Second Parties themselves monitor specific Canadian targets using capabilities that may not be available for direct Canadian use.

Canada's ability to enlist Second Party systems suffered a setback in November 2013 when the process for Domestic Intercept of Foreign Telecommunications and Search (DIFTS) warrants blew up.

But everything appears to be back on track in that regard. The Commissioner is currently planning to conduct "a follow-up review of CSE assistance to the Canadian Security Intelligence Service (CSIS)... relating to the interception of the telecommunications of specified Canadians located outside Canada (formerly called Domestic Intercept of Foreign Telecommunications and Search warrants)." (page 52)

This little-known legal case caused CSE to suspend more metadata activities

OCSEC continues to work its way through a sweeping, multi-year review of CSE's metadata activities. This year the Commissioner finished his examination of "specific foreign signals intelligence metadata activities that were set aside during the first part of the review in order to fully investigate incidents relating to CSE’s failure to minimize Canadian identity information in certain metadata it shared with its second party partners" (i.e., the omnishambles that earned CSE its first declaration of legal non-compliance and led to the ongoing suspension of a wide range of metadata sharing with the Second Parties).

One set of activities examined by the Commissioner (see page 24), which were conducted by CSE's Office of Counter Terrorism, sparked a number of concerns. These included "guidance on a specific metadata activity that involves Canadian identity information remains vague and should be clarified", "a small number of the activities raised questions about CSE authorities", and "the Commissioner noted inconsistencies in CSE documentation and record-keeping practices".

No recommendations resulted from these "issues and irregularities", however,
because, subsequent to the period under review, CSE suspended indefinitely these particular metadata analysis activities in response to case law developments (Canadian Security Intelligence Service Act (Re), 2012 FC 1437, relating to the application of “directed at”)." It is positive to observe that CSE followed and modified its practices to address related jurisprudence. Prior to its decision to suspend these activities, CSE did not meet its commitment to address a recommendation the Commissioner made in a February 2014 review of the activities of the Office of Counter Terrorism (OCT) to amend relevant policy to reflect current practices and to enhance record keeping. However, this can be explained by the short period of time between the OCT review and the suspension of the activities. As long as the suspension remains in effect, the Commissioner does not expect CSE to implement the recommendation.
A couple of things are worth noting here. As the Commissioner says, it is certainly good to see CSE modifying its practices to respond to relevant jurisprudence.

It is less good to see that the suspension apparently took place sometime after February 2014, i.e., at least 15 months after Madam Justice Mactavish's ruling. Does the Commissioner have a view on the legality of CSE's conduct during the period between December 2012 and the suspension of the activities? Are we back to this model?

Also, how is it that these activities—possibly contact chaining involving Canadian identifiers—were the subject of an OCSEC recommendation back in February 2014, but that recommendation was simply to "amend relevant policy to reflect current practices and to enhance record keeping" and not to suspend the activities in response to the December 2012 ruling? Doesn't OCSEC follow and respond to related jurisprudence as well?

In last year's report, the Commissioner commented that "the Canadian legal landscape has... changed since my office last conducted an in-depth review of CSE’s collection and use of metadata". The Supreme Court's Wakeling and Spencer cases were specifically cited in this regard, but the Commissioner gave no indication of what implications, if any, he believed those and other rulings might have for CSE's activities.

The topic of the Mactavish ruling is worth a closer look. CSIS wanted to monitor the communications of one or more Canadian individuals or entities during an operation to collect foreign intelligence in Canada in accordance with s.16 of the CSIS Act. The agency argued that the Canadian communications could be directly (not just incidentally) collected despite an explicit ban on directing s.16 operations at Canadians since the operation would in fact be directed at gathering intelligence about a foreign target. The court rejected CSIS's view.

What makes this ruling especially relevant for CSE is that CSE's mandate, spelled out in the National Defence Act, dictates that the agency's foreign intelligence and cyber defence activities "shall not be directed at Canadians or any person in Canada"; CSE is permitted to intercept private communications in the course of foreign intelligence collection if a suitable Ministerial Authorization is in place, but such operations must be "directed at foreign entities located outside Canada". The meaning of the phrase "directed at" is thus fundamental to the relationship between CSE and Canadians.

That CSE suspended certain activities of the Office of Counter Terrorism in the wake of the Mactavish ruling suggests that the agency may have been directing some of its foreign intelligence activities a little too directly at its compatriots.

On a separate issue, the Commissioner also reported (pages 24-25) that he had recommended that CSE "issue written guidance to formalize and strengthen existing practices for addressing potential privacy concerns with second party partners" and, further, that the agency had subsequently "issued guidance to operational employees to address cases where the privacy of Canadians may be at risk."

One hopes this guidance is more than just "transfer the information to CSIS forthwith."

This named Canadian could be you

When a CSE report mentions a Canadian individual, corporation, or other organization, specific identifying information (name, phone number, etc.) is normally "suppressed" and replaced with a generic reference such as "a named Canadian". SIGINT clients reading the report can subsequently request the suppressed information from CSE, and if the department or agency has a suitable mandate and operational justification, CSE will provide it (without any warrant, as far as I can tell).

This year for the first time the Commissioner reported the total number of requests made by Government of Canada clients for Canadian identity information over the course of one year (1 July 2014–30 June 2015). That number was 1,126 (page 40), or about three requests per day, a total that may or may not be down slightly from the previous year.

How many of those requests were approved was not reported. CSE does sometimes deny requests for identity information, but no data has been provided as to how often this occurs; my impression is that the percentage approved is very high.

In some ways, the number of Canadian identity requests made may be more revealing of the degree to which Canadians are monitored in the course of CSE's operations than the 342 PCs number noted above. But it is far from an ideal measure. It shows only the number of requests that were made, not the total number of suppressed Canadian identities that appeared in CSE reporting during the year. (That number might be in the tens of thousands if identity requests are made in something like 10% of cases; if identity requests are made in more like 80 or 90 percent of cases, on the other hand, the practice of suppressing identities would seem to be largely a sham.) The figure also excludes both those Canadians who appear in Second Party reports made available to Canadian government clients through CSE and those who appear in intercepts or other information provided by CSE to CSIS and the RCMP under CSE's Mandate C.

It also needs to be noted, as the report itself states, that the number of identity requests is not the same as the number of individual identities requested:
the number of requests represent[s] the number of instances that institutions or partners submitted separate requests for disclosure of identity information suppressed in reports, providing a unique operational justification in each case. One request may involve multiple Canadian identities, and one Canadian identity may be disclosed multiple times to different institutions or partners.
In addition to reporting the number of identity requests by Canadian clients, the OCSEC report also provided for the first time the number of Canadian identity requests made to CSE by Canada's Five Eyes partners (111) and the number made for "disclosure to non-five eyes entities" (six: five made by a government of Canada client and one—which was denied—made by a Five Eyes partner). The approval rate for the 111 partner requests was not provided, but last year's report, which did not provide a request number, stated that partner requests "resulted in roughly an equal number of denials and disclosures of Canadian identity information".

Data recently released in the U.S. about NSA collection under the FAA Section 702 program (just one part of overall NSA collection) provides a potentially useful point of comparison: "In 2015, NSA disseminated 4,290 FAA Section 702 intelligence reports that included U.S. person information. Of those 4,290 reports, the U.S. person information was masked [equivalent to minimized] in 3,168 reports and unmasked in 1,122 reports." Some of the reports with masked identities probably contained more than one masked identity, so the total number of masked identities was probably closer to 5,000, or maybe even 10,000. (The same individual might turn up in more than one report, however, so the total number of separate identities was probably considerably lower than that.)

The U.S. data also reported that "654 U.S. person identities" were unmasked in response to requests related to these reports. This suggests that something like ten percent of masked identities were ultimately unmasked in U.S. reporting, at least with respect to the 702 program.

If the NSA can publish the number of masked U.S. identities that are later revealed in response to its reporting, albeit for just one program, I see no reason why CSE cannot release comparable information for the number of minimized Canadian identities ultimately revealed. Similarly, although the U.S. data doesn't give the exact percentage of masked identities that are ultimately revealed, I see no reason why CSE couldn't release that information, and the percentage of requests that are approved, as well.

Such information would reveal a great deal to the public about the effectiveness of the measures that exist to protect their privacy while providing little or nothing of use to SIGINT targets seeking to evade CSE monitoring. What is CSE hiding, and from whom is it hiding it, when it won't show us this data?

The CSE Commissioner should insist on reporting this kind of information. And if CSE refuses to allow it, the Commissioner should indicate that parts of his report have been censored. (And, yes, in this respect the power of classification/declassification is indeed a censorship power.)

At least, that's my view.

There's more stuff worth examining in the Commissioner's 2015-2016 report, but that's it for this blog post. I'll report on my follow-up expedition in a future post.

Update 24 August 2016:

The report gets some news coverage:

Ian MacLeod, "Federal spies suddenly intercepting 26 times more Canadian phone calls and communications," Ottawa Citizen, 24 August 2016.

Sunday, June 19, 2016

Twenty years of OCSEC

Today is the twentieth anniversary of the establishment of the Office of the CSE Commissioner (OCSEC). The first CSE Commissioner, Claude Bisson, was appointed on 19 June 1996.

Since 1996, there have been six CSE Commissioners:
  • Claude Bisson (1996-2003)
  • Antonio Lamer (2003-2006)
  • Charles Gonthier (2006-2009)
  • Peter Cory (2009-2010)
  • Robert Décary (2010-2013)
  • Jean-Pierre Plouffe (2013-present)

OCSEC has been the subject of a lot of criticism over the past two decades, some of it justified and a lot of it not.

Here's one of my own contributions to that literature. (You can decide for yourself whether it falls into the justified or unjustified camp.)

Such criticisms shouldn't blind us to the vitally important role that OCSEC has played over the years in reinforcing an ethos of legal compliance at CSE and ensuring that mechanisms to monitor and assess that compliance are established and implemented. But a strong case can be made that CSE's review body—like those of the Canadian security and intelligence community as a whole—is in dire need of improvement.

Kent Roach and Craig Forcese argue that OCSEC and the review bodies for CSIS and the RCMP should be combined into a single agency that would monitor all components of the Canadian security and intelligence community, as part of a wider set of accountability improvements ("Bridging the National Security Accountability Gap: A Three-Part System to Modernize Canada's Inadequate Review of National Security," Ottawa Faculty of Law Working Paper No. 2016-05, 31 March 2016).

Wesley Wark's recent comments on the future of review ("Canada’s spy watchdogs: Good, but not good enough," Globe and Mail, 1 February 2016) are also worth reading.

The Trudeau government took a major step towards implementation of one aspect of this reform agenda with the introduction on June 16th of Bill C-22, which will establish a committee of parliamentarians to review the S&I community as a whole. (See Forcese's comments on that step here.)

Other changes may be yet in the offing.

For the time being, however, the future of the 20-year-old OCSEC remains undecided.

Friday, June 10, 2016

Australia's participation in Pine Gap

Yet another paper in our on-going series on the SIGINT station at Pine Gap, Australia:

Desmond Ball, Bill Robinson, and Richard Tanter, "Australia’s participation in the Pine Gap enterprise", NAPSNet Special Reports, June 8, 2016. Full text here (1.7 MB PDF).

Earlier reports:

- Desmond Ball, Bill Robinson, and Richard Tanter, "The Antennas of Pine Gap", NAPSNet Special Reports, February 21, 2016;

- Desmond Ball, Bill Robinson, and Richard Tanter, "Management of Operations at Pine Gap", NAPSNet Special Reports, November 24, 2015;

- Desmond Ball, Bill Robinson, and Richard Tanter, "The SIGINT Satellites of Pine Gap: Conception, Development and in Orbit", NAPSNet Special Reports, October 15, 2015;

- Desmond Ball, Bill Robinson, and Richard Tanter, "The Higher Management of Pine Gap", NAPSNet Special Reports, August 17, 2015; and

- Desmond Ball, Bill Robinson, and Richard Tanter, "The militarisation of Pine Gap: Organisations and Personnel", NAPSNet Special Reports, August 13, 2015;

- Desmond Ball, Bill Robinson, Richard Tanter, and Philip Dorling, "The corporatisation of Pine Gap", NAPSNet Special Reports, June 24, 2015.

More to come!

Thursday, June 09, 2016

Moritsugu appointed DG Military SIGINT

According to DND ("The Chief of the Defence Staff announces additional Canadian Armed Forces General and Flag Officer senior appointments, promotions, and retirements," Department of National Defence, 9 June 2016), CFIOG Commander Col Steven Moritsugu has been promoted to Brigadier-General (acting while so employed) and appointed "Director General Defence Military Signals and Intelligence" [sic] at CSE, i.e., DG Military SIGINT.

Moritsugu replaces BGen Martin Girard, who became DG Military SIGINT in 2014.

Saturday, June 04, 2016

Going dark(er): CSE employee numbers no longer published

The federal government has published statistics on-line on the number of employees in its various departments and agencies since at least 2005. The statistics in this "Population Affiliation Report" were updated monthly, and the Communications Security Establishment was among the agencies whose staff numbers were reported.

The CSE numbers provided an important way to keep track of the evolution of the agency—one of the very few ways available. To prevent their disappearing into the memory hole I made a point of recording these monthly numbers on this blog. (Here are the earliest and most recent examples.)

Unfortunately, the February 2016 numbers, which were published in March, look like the last ones we are going to get. The Treasury Board Secretariat has stopped publishing the statistics.

According to the reply I received when I asked the good folks at TBS why the numbers had stopped appearing, the "internal sources" that the report draws from are currently under review. A public update on plans for the report is promised at the end of the summer, but it doesn't sound like the prior practice is going to pick up where it left off.

The shutdown applies to the entire Population Affiliation Report (i.e., to all the departments and agencies), and I don't see any reason to think that it was intended specifically to stop the reporting of CSE's employee counts. But it certainly has had that effect.

The blackout comes at an unfortunate time, as just a couple of months ago the agency's new minister, Minister of National Defence Sajjan, directed CSE to "find new opportunities to communicate with the public more openly about their activities."

So far, CSE's primary response to that directive has been to launch a Twitter account featuring links to the agency's website and lighthearted comments on donuts. It has not inspired them to reverse the significant shutdown in public reporting that took place in 2011.

And I would venture to guess that those new communications opportunities will also not include monthly reporting on CSE's employee counts.

It may be that the Treasury Board's review will lead eventually to such statistics being accessible in some other form, in keeping with the broader trend towards greater public access to government data and the professed philosophy of the new Liberal government.

But for now, at least, the public picture of what goes on at Canada's national cryptologic agency just got a little bit darker.

Thursday, June 02, 2016

Mistaken metadata-sharing went on for years

The CSE Commissioner's classified report on CSE's bungled metadata-sharing program, parts of which have been made public during the BCCLA's lawsuit against CSE, indicates that the agency's failure to properly remove information that could identify Canadians went on for years and involved both DNR (phone-related) and DNI (Internet-related) metadata.

From the Globe and Mail's report (Colin Freeze, "Spy agency accidentally shared Canadians’ data with allies for years," Globe and Mail, 1 June 2016):
The confidential report was written by Jean-Pierre Plouffe, a retired Quebec judge who heads the Office of the CSE Commissioner, the spy agency’s watchdog agency. In it, he suggests the unlawful seepage of Canadians’ phone and Internet records to foreign intelligence agencies could date back to the mid-2000s, and that the overall amount of compromised material is unclear.

Given this, Mr. Plouffe is urging Parliament to pass laws spelling out how it wants the spy agency to function. “As CSE’s collection posture has strengthened, … the volume of metadata collected has increased considerably,” Mr. Plouffe writes in his 2015 report. He urged federal politicians to give clearer direction on surveillance.

“Metadata” are logs of communications without the content of the conversation. The watchdog’s report reveals that, during its international spying, CSE has been capturing phone logs and sharing them with allies since 2005. Internet logs have been shared since 2009.

In 2014, CSE suspended sharing both sorts of records when it realized its automated systems had failed to scrub out what it calls the “Canadian identifying information” that turned up in the wider mix. Mr. Plouffe, who has the last word on such matters, eventually ruled that although CSE’s system failures were inadvertent, they violated the Privacy Act and National Defence Act. ...

The report reveals that CSE refers to the phone logs it collects as “Dialled Number Recognition” (DNR) metadata. The agency started sharing such material with Five Eyes allies in 2005, thinking it had devised ways to automatically strike out telling portions of any Canadian phone numbers that turned up.

Then, starting two years ago, CSE discovered that “DNR metadata was not being minimized properly,” according to the watchdog report. Mr. Plouffe added: “CSE is unable to determine how many systems were impacted and for how long.”

CSE calls the Internet logs it collects “Digital Network Intelligence” (DNI) metadata, and this material can consist of e-mail addresses and Internet protocol addresses that indicate who is communicating to who.

A scrubbing system was developed for that material as well – but this, too, failed. “DNI metadata was being shared with [Five Eyes] Second Parties … with minimization applied to Canadian e-mail address fields, but no minimization applied to Canadian IP address fields,” Mr. Plouffe writes.

He adds that “CSE was under the impression that minimization was taking place, when in fact it was not.”

The spy agency suspended sharing when the problems were discovered in 2014, and apparently have not resumed it.
CSE Chief Greta Bossenmaier confirmed in testimony to the Standing Committee on National Defence on May 19th that, as at that date, metadata-sharing has not yet resumed.

Update 3 June 2016:

- Michelle Zilio & Colin Freeze, "Ottawa accused of breaking intelligence agency transparency vow," Globe and Mail, 2 June 2016.

- "The 'top secret' surveillance directives," Globe and Mail, 2 June 2016.

- Brian Gable, "On with the day" (editorial cartoon), Globe and Mail, 3 June 2016. Another example of "Canadian Security Establishment", sadly.

- Jim Bronskill, "Court disclosure could mean spy allies cut Canada off, CSE warns," Canadian Press, 3 June 2016.

- "Media Release: Civil Liberties Watchdog Fights in Federal Court for Release of Documents on Illegal Spying On Canadians," British Columbia Civil Liberties Association, 2 June 2016.

Saturday, April 30, 2016

Recent items of interest

Recent news and commentary related to CSE or signals intelligence in general:

- Matthew Braga, "Canada Needs to Revive the Encryption Debate It Had in the 1990s," Motherboard, 26 April 2016.

- "Minister Sajjan delivers keynote address at the 2016 SINET IT Security Entrepreneurs Forum," Government of Canada news release, 20 April 2016. Text of the speech here. [Update 6 May 2016: I don't know where the Minister or his speechwriters got the idea that CSE has been around for "close to 75 years". CSE (then called CBNRC) was born on 1 September 1946, or close to 70 years ago.]

- Alex Boutilier, "Canada’s spies closely watching quantum tech developments," Toronto Star, 20 April 2016.

- Victoria Ahearn, "5 moments from The Good Wife’s visit to Toronto," Canadian Press, 18 April 2016. CSE makes a cameo appearance in the U.S. TV series The Good Wife. But they got the CSE badge wrong (HT to Justin Ling).

- Jordan Pearson & Justin Ling, "Exclusive: How Canadian Police Intercept and Read Encrypted BlackBerry Messages," Motherboard, 14 April 2016. See also Justin Ling & Jordan Pearson, "Exclusive: Canadian Police Obtained BlackBerry’s Global Decryption Key," Vice News, 14 April 2016; Jordan Pearson, "Canada Desperately Needs to Have a Public Debate About Encryption," Motherboard, 14 April 2016; and Justin Ling, "BlackBerry's CEO Won’t Answer Media Calls, Instead He Blogged About Cooperating With Canadian Cops," Vice News, 18 April 2016. Chen's blog post. CSE's March 2011 warning on the (in)security of Blackberry PIN-to-PIN messaging. Chris Parsons on the vulnerability of BlackBerry messages.

- Ben Makuch, "The 'Darth Vader' of Cyberwar Sold Services to Canada," Vice News, 11 April 2016.

- "Spy Shit," Canadaland podcast episode 129, 10 April 2016. Matt Braga and Jesse Brown discuss "the Panama Papers, CSIS, C-51, and Ben Makuch's ongoing battle with the RCMP". Well worth a listen, but the statement (at about 13:50) that the CSE Commissioner has never declared CSE in violation of the law is not correct.

- Leslie Young, "Former CSIS head Richard Fadden says Canada could someday carry out cyber attacks," Global News, 6 April 2016. More here.

- Sunny Dhillon, "Edward Snowden's talk in Vancouver had an 'electric quality'," Globe and Mail, 6 April 2016.

- Ron Deibert, "My conversation with Edward Snowden," Ronald Deibert blog, 3 April 2016. Video here: "Fireside Chat: Ron Deibert, Edward Snowden & Amie Stephanovich," RightsCon, 1 April 2016. Interesting Snowden comment: "It's true, [CSE's] oversight is hideous, because it was never really thought about. But there's a reason for that. In my experience of the Five Eyes, the Canadian intelligence services were always the least aggressive, they were the least adventurous, they didn't really push the legal boundaries. It was difficult to target Canadians, legally and so on and so forth, for surveillance. And it wasn't until the recent government—I'm not Canadian so I'm not going to name [garbled], I believe it was the Harper government—that things really started to change and oversight became much more important because they became much more aggressive in a short period of time."

- Alex Boutilier, "Canada’s spy agencies looking to work together more, say top secret documents," Toronto Star, 2 April 2016.

- Jim Bronskill, "Government instructions to CSIS on bill C-51 to remain largely secret," Canadian Press, 27 March 2016.

- Jim Bronskill, "Federal agencies sharing information under Bill C-51 provisions," Canadian Press, 24 March 2016.

-Ian MacLeod, "Spy agency watchdog ‘in a difficult position’ with huge budget cuts looming," Ottawa Citizen, 24 March 2016. Possibly a sign the government is planning a major overhaul of the various review agencies?

- Colin Freeze, "RCMP, CSIS see no significant support for operations from federal budget," Globe and Mail, 23 March 2016.

- Colin Freeze, "B.C. multimillionaire pleads guilty to hacking into U.S. military for China," Globe and Mail, 22 March 2016.

- Kyle Matthews & Chantalle Gonzalez, "Our mission against ISIL has one major flaw — it ignores the Internet," National Post, 22 March 2016.

- Dylan Robertson, "Canada Doubles Spending on Counter-Radicalization," Vice News, 22 March 2016.

- Matthew Braga & Colin Freeze, "Agencies did not get federal authorization to use surveillance devices," Globe and Mail, 11 March 2016.

- Emma Loop, "The Drone And The Damage Done: How Canada’s UAV Operation Wounded Its Own," Buzzfeed, 16 March 2016.

- Karen DeYoung, "Canada to boost its advise-and-train mission, intelligence capabilities in Iraq," Washington Post, 11 March 2016.

- B.C. Civil Liberties Association et al., "The necessary components of an effective and integrated national security accountability framework for Canada," 9 March 2016.

- Susan Lunn, "Ralph Goodale says Ukraine cyberattack caused 'international anxiety'," CBC News, 8 March 2016.

- Alex Boutilier, "Cyber security review still in early days, Public Security officials tell Senate," Toronto Star, 7 March 2016.

- Peter Zimonjic, "CSIS head says new powers to disrupt plots used almost 2 dozen times," CBC News, 7 March 2016.

- Colin Freeze, "Documents reveal CSIS wary of Bill C-51 reforms," Globe and Mail, 3 March 2016. The documents.

- David Christopher, "Adopting the UK model won't be enough for Ralph Goodale to address Canada's spy oversight woes," OpenMedia, 26 February 2016.

- Editorial, "Give Parliament the power to scrutinize spy agencies," Toronto Star, 24 February 2016. Response from CSE Chief Greta Bossenmaier.

- Matthew Braga, "Why Canada isn’t having a policy debate over encryption," Globe and Mail, 23 February 2016.

- Alex Boutilier, "Canada’s spies expecting a budget boost," Toronto Star, 23 February 2016. More on CSE's budget here.

- Amanda Connolly, "‘It’s impossible’ to know impact of CSE metadata glitch: commissioner," iPolitics, 22 February 2016. More here.

- Alex Boutilier, "CSE can assist in ‘threat reduction’ without a warrant, documents show," Toronto Star, 20 February 2016.

- Daniel Lang, "Why don't we charge more people with terrorism?" Toronto Sun, 19 February 2016.

- Lucas Powers, "Apple's encryption battle with the FBI could spill into Canada," CBC News, 19 February 2016.

- Bruce Campion-Smith, "Canada’s spy agency CSIS gears up for expanded role in Islamic State fight," Toronto Star, 18 February 2016.

- Luc Portelance & Ray Boisvert, "It’s time for Canada to get serious about national security," National Post, 16 February 2016. See also Stewart Bell, "Canadian security agencies under strain while threats have ‘seldom been so high,’ former senior officials say," National Post, 16 February 2016.

Also of interest: CSE now has a twitter feed. Maybe this is what the Minister had in mind when he said he has "directed CSE to find new opportunities to communicate with the public more openly about their activities." I can't say it has done much to demystify the place so far. I have a suggestion that I've made in the past, but which I think bears repeating. How about reinstating the degree of public reporting that existed prior to November 2011, when CSE became a stand-alone agency?

Do "old" opportunities not count?

SIGINT history:

The word on the grapevine is that CSE, in a fit of brainlessness some time ago, destroyed the only copies of A History of the Examination Unit: 1941-1945, Gilbert Robinson's July 1945 history of Canada's first cryptanalytic organization. If true, the significantly redacted but still somewhat useful version released many years ago under the Access to Information Act, preserved by me and presumably some other folks, may be all we have left. I'd be very pleased to report that this is not true and the document does still exist in its complete form.