Thursday, October 13, 2016

RIP Des Ball

My friend and colleague Desmond Ball passed away on October 12th.

Des was a prolific and engaged scholar, incredibly knowledgeable, and a towering figure in his field. I will always feel privileged to have been able to work with him on a few of our shared interests over the past decade. You can read more about him here.

A list of our recent publications (written with co-author Richard Tanter) on the signals intelligence base at Pine Gap, Australia, is here.

Sunday, October 09, 2016

CSE: What do we know? What do we need to know?

A summary version of the presentation I made at the Sécurité internationale, sécurité intérieure: connexions et fractures colloquium at Laval University on October 6th:

The Communications Security Establishment: What do we know? What do we need to know?

Some of the people here today will know a great deal about the Communications Security Establishment, but it is likely that most do not know a lot about it, so I'd like to begin with some background information about the agency.

(The photo shows the Edward Drake Building, CSE's new headquarters. Source.)

CSE has a three-part mandate laid out in the National Defence Act.

The SIGINT program addresses all three elements of CSE's mandate and accounts for $421 million of the agency's $584 million budget for FY 2016-17, while the ITSEC program is focused on Mandate B and accounts for $163 million.

The agency recently celebrated its 70th birthday, but its origins lie in the signals intelligence co-operation initiated between the Western allies during the Second World War.

(CSE's first headquarters was located on the third floor of the La Salle Academy, a Catholic boys school in downtown Ottawa, shown on the left. The facility had previously been occupied by one of CSE's wartime predecessor organizations, the Joint Discrimination Unit.)

Although Canada was a very small player in Second World War SIGINT, it participated in the planning that allocated intercept and processing tasks among the allies and shared in the intelligence output. This deep integration of SIGINT activities laid the foundations for the very close co-operation that has persisted to the present.

Lt-Col Ed Drake is circled in red in this photo from a 1944 planning conference. (Source.) Five other Canadians and the British cryptanalyst supplied to Canada to run the Examination Unit (the civilian in the back row) are also in the photo.

The U.S. and U.K. agreed to continue SIGINT cooperation into the post-war era even before the war ended, with the new primary target to be the Soviet Union. The BRUSA (later renamed UKUSA) agreement, the founding document of the post-war partnership, was negotiated in the fall of 1945 and signed on 5 March 1946.

Canada and the other Dominions of the British Empire were not signatories of the agreement, but provision for their participation was written into it, and they agreed to abide by its terms at a conference held in London the month before it was signed. The U.S., represented by STANCIB (the State Department, Army, Navy Communications Intelligence Board), reserved the right to deal directly with Canada, but it agreed to deal with the other dominions through the U.K.

By the time CSE, known originally as the Communications Branch of the NRC, was formally established on 1 September 1946, its position as junior member of a multinational SIGINT conglomerate had thus already been determined.

The CBNRC was transferred to the Department of National Defence and renamed the Communications Security Establishment on 1 April 1975. In November 2011 it became a stand-alone agency, still under the Minister of National Defence but no longer a part of the department.

The radio intercept stations that supplied CBNRC/CSE are operated by the military, currently the Canadian Forces Information Operations Group.

Oh, and there's Ed Drake again.

We turn now to an extremely abbreviated history of the organization:

There was a Cold War, during most of which CSE focused almost exclusively on the Soviet Union.

Then the Cold War ended, and CSE found new targets, principally diplomatic and economic.

And then this happened, and CSE's focus shifted once again.

Which brings us up to the present.

Since 9/11, counter-terrorism has been CSE's top priority, with Support to Military Operations also of increased importance.

The advent of the Internet also had a dramatic effect on the agency's operations, opening whole new avenues for SIGINT operations, including Computer Network Exploitation activities to access "data at rest" on target computer systems.

The Internet soon became the primary hunting ground of the SIGINT partners, and they undertook to Master the Internet.

The post-9/11 era saw the greatest period of growth in CSE's history. Now apparently stabilized at a staff of about 2100–2200, CSE has 2.3 times as many employees as it had prior to 9/11 and 3.5 times as many as it had through most of the Cold War.

Its budget has also grown dramatically in recent years. At $584 million in FY 2016-17, CSE's current budget is 4.3 times as high in inflation-adjusted dollars as its pre-9/11 budget. (The spike to nearly $900 million in 2014-15 was the result of a one-time $300 million payment made when the agency's new headquarters was completed.)

Canada's legacy radio intercept stations—Alert, Gander, Masset, and Leitrim—are still in operation, the first three now operated remotely from Leitrim...

...but the real SIGINT action now takes place in cyberspace. (Source.)

And, inevitably, mixed in among the Internet traffic that CSE monitors is the Internet traffic of Canadians. (This graphic depicts the amount of worldwide Internet traffic that passes through Canada or the United States. Source.)

The intermingling of Canadian Internet traffic with that of the rest of the world means that CSE encounters Canadian communications even when it is trying not to do so. And this raises an important question:

I have three answers to that question.

The first answer is the one you usually get from CSE or government ministers and members of parliament—often these exact words. This prohibition is indeed written into the National Defence Act, not this precise formulation, but words to the same effect.

However, there are several important exceptions to this absolute-sounding rule:

First, the rule prohibits only activities "directed at" specific Canadians or persons in Canada. Thus, for example, bulk collection of metadata, because it is not collected with any specific target in mind, is permitted—even if, as in the "Airport wi-fi" case, all of the metadata in question relates to persons in Canada.

"Incidental" collection of Canadian communications (collected when one of CSE's foreign targets communicates with a Canadian) is also permitted.

Targeted collection of Canadian communications is permitted under Mandate C (i.e., when a federal law enforcement or security agency requests such collection and has lawful authority for the request).

Finally, CSE is permitted to receive Canadian communications collected and forwarded by its SIGINT allies, although it is not permitted to request the targeting of Canadians. CSE recently formalized procedures for providing such intercepts to CSIS.

None of these exceptions opens the door to unlimited mass surveillance of all Canadians, and such information as we have suggests that the amount of Canadian-related information collected by CSE is, with the exception of metadata, mostly very limited.

But the information we have is itself very incomplete, and a surprisingly large amount of legal surveillance could be hidden behind the details that remain redacted.

This leads to my third answer: We don't know.

We don't know the full meaning of "directed at" as the government understands the term. CSE modified its activities following a 2012 court case that rejected an attempt by CSIS to broaden the meaning of the term, which suggests that, at that time at least, CSE was operating with an excessively permissive understanding of its meaning.

Furthermore, the question of "directed at" could become less and less meaningful as CSE and its SIGINT allies move towards a "collect it all" posture. "Collect it all" is more an aspiration than a reality at the moment, but growth in monitoring and storage capabilities could make it more feasible as time goes on.

An unknown amount of activity could also be underway to analyze metadata or other non-content data on behalf of CSIS or the RCMP. Such processing might fall beneath the threshold considered to require a judicial warrant, and thus would be subject to much less stringent limits. Canadian communications that are not considered "private communications" under the Criminal Code might also be subject to looser rules.

The potential for larger-than-realized access to Canadian-related information through allied collection and sharing also needs to be recognized.

Finally, it might also be questioned whether CSE actually obeys the various rules that limit the extent to which it is legally permitted to monitor Canadians.

This leads to my next question:

I have four answers to this question.

The notable exception occurred in 2015 when the CSE Commissioner declared CSE in violation of the law. (The decision was reported to the public in 2016.)

The complications arise because not every instance in which CSE fails or may have failed to follow legal requirements is assessed by the Commissioner as formal non-compliance (see my somewhat tongue-in-cheek discussion here).

Here's the short explanation of that.

It's worth noting that these are mostly fairly minor incidents. There's no systematic program of monitoring Canadians hiding among these items, although some of the disagreements over legal interpretations do touch on CSE's core activities.

Over the years, CSE Commissioners have recommended a long list of amendments that would clear up these interpretation issues and place CSE on a sounder legal footing. The government promised action on a number of amendments as long ago as 2007, but nine years later we're still waiting.

A broader question relates to uncertainties in the proper interpretation of the laws that pertain to CSE's activities. In this respect, not even CSE really knows if it obeys the law. In many cases, the courts have simply not addressed these questions.

This could change as a result of the BCCLA and CCLA court challenges currently underway.

My final thought with respect to CSE and the law is, why wouldn't we expect it to obey the law (at least, as the agency understands it)?

There is every reason to believe that compliance with the law is a fundamental part of CSE's ethos, and if the government wanted the agency to do something not currently legal, it could probably manage to make it legal. It's the government that writes the laws after all, although that power is somewhat checked by the courts.

The question of whether the government will grant itself additional "lawful access" powers is currently back on the parliamentary agenda.

The question of compliance with the law is certainly important.

But, for me, the greater concern is what's being done, or could be done, entirely within the law.

It may be that CSE's activities related to Canadians are comparatively minor and tightly constrained. But they might also be quite a lot larger than the information that is currently public suggests. We just don't know.

And the potential for excessive, intrusive surveillance will only grow in the future.

Which leads to my final question:

I don't have a lot of answers to this question.

Maybe we can rely on "sunny ways"?

(The photo shows Prime Minister Trudeau addressing CSE employees at the Edward Drake Building in June 2016. To the best of my knowledge, this was the first time a prime minister visited CSE.)

More seriously, a number of proposals have been made to improve the oversight/review mechanisms and reform the legal regime pertaining to CSE and other members of the Canadian intelligence community.

I will now punt this question to people who know what they are talking about, such as Kent Roach and Craig Forcese.

Thank you.

Monday, September 19, 2016

Everyone does it, media edition

From today's Globe and Mail editorial on cybersecurity:

> The former head of the Canadian Security Establishment, the electronic spy agency, recently argued in a Canadian Global Affairs Institute policy paper that the military should have the authority to go on the cyber offensive.

Other recent media examples:

- Toronto Star

- National Post/Ottawa Citizen

- CBC News

- Canadian Press

- Vice News

See also Even NSA does it, Part I and Part II and Even GCHQ does it.

Thursday, September 01, 2016

Marking 70 years of eavesdropping in Canada

As the Communications Security Establishment turns 70, Bill Robinson looks at how the agency has evolved over the years — growing its staff, adapting to new technologies and changing its targets.

(Published on, 1 September 2016)

On Sept. 1, Canada's electronic eavesdropping agency, the Communications Security Establishment (CSE), will celebrate its seventieth birthday. The 62 civilians who showed up for work on Sept. 3, 1946 (the 1st was a Sunday and the 2nd was Labour Day) would hardly recognize the 2,100-person cyberspy agency that CSE has become today. But while much has changed, many of CSE's fundamental features have been in place since the beginning.

The original name of Canada's signals intelligence (SIGINT) agency was the Communications Branch of the National Research Council (CBNRC). Authorized to grow to 179 employees, CBNRC was the peacetime incarnation of the Joint Discrimination Unit, a small civilian–military organization that had itself evolved from the civilian Examination Unit, Canada's first code-breaking agency, and the SIGINT processing units established by the three military services.

Today CSE occupies a brand-new billion-dollar glass-walled complex with its own supercomputer centre and attached data warehouse in suburban Ottawa. CBNRC's original accommodations were less luxurious. Housed on the top floor of the La Salle Academy, a Catholic boys' school in downtown Ottawa, Canada's most secret intelligence agency shared its quarters not only with the teachers and students of the school but with a professional theatre company that used the school auditorium as a playhouse. CBNRC staffers would come downstairs during their lunch hours to eavesdrop on up-and-coming actors like Christopher Plummer and William Shatner rehearsing their parts.

Like its wartime predecessors, CBNRC was envisaged from the start as a contribution to a transnational SIGINT collection, processing, and reporting conglomerate rather than a free-standing agency that focused primarily on monitoring Canadian targets for Canadian customers. By contributing to the collective pool of Allied intelligence, Canada gained access to a much wider array of information than it could ever obtain on its own.

Although Canada was not a signatory of the BRUSA (later renamed UKUSA) Agreement that extended U.S. and UK SIGINT cooperation into the postwar era, provision for cooperation with Canada and other British dominions was explicitly written into its terms, and the Canadian government had agreed to contribute a string of radio intercept stations and to coordinate its cryptanalytic activities with those of its partners even before the agreement was formally signed on March 5, 1946. A Canada–U.S. agreement, signed in 1949, further cemented Canada's role in the eavesdropping alliance. Australia and, later, New Zealand were also integrated into the network, creating the five-nation partnership now known as the Five Eyes.

The Soviet Union was the primary target of the partners, but attention was also directed at other countries of interest. CBNRC's initial targets, located in Europe, South America, and the Far East, were set in consultation with Britain and the U.S., and much of the work depended on the traffic collected by those allies. Canada's own intercept sites focused primarily on the Soviet Union and provided their traffic mainly to the U.S. and UK for processing.

The SIGINT allies made steady progress against Soviet communications in the first few years, and it seemed likely that the dramatic successes of the war, when the U.S. and Britain were able to read many of Germany and Japan's most secret messages, would be repeated. But the Soviets soon learned of the allies' successes and moved quickly to improve the security of their own systems. In 1948, just as the Cold War seemed about to go hot, the growing cryptanalytic window into the Soviet Union went dark. It would be 30 years before the allies of the UKUSA Agreement regained significant access to Soviet high-level encrypted communications.

The birth of metadata collection

Unable to read the Soviets' most secret messages, the UKUSA allies resorted to plain-language (unencrypted) communications and traffic analysis, the study of the external features of messages such as sender, recipient, length, date and time of transmission—what today we call metadata. By compiling, sifting, and fusing a myriad of apparently unimportant facts from the huge volume of low-level Soviet civilian and military communications, it was possible to learn a great deal about the USSR's armed forces, the Soviet economy, and other developments behind the Iron Curtain without breaking Soviet codes. Plain language and traffic analysis remained key sources of intelligence on the Soviet Bloc for much of the Cold War.

But it took a lot of people to process all that material. The U.S. and UK SIGINT agencies, NSA and GCHQ, expanded rapidly during the 1950s, and CBNRC did likewise, growing from 200 employees in 1950 to 600 by the end of the decade and refocusing almost exclusively on the Soviet Union and the Arctic. The Canadian cryptanalytic program, originally CBNRC's primary activity, was largely abandoned in 1957. Instead of reading top-secret dispatches from Khrushchev to his generals, CBNRC analysts processed reams of unencrypted teletype and Morse Code messages and wrote reports on gold production in Siberia, aircraft factories in Ukraine, and air defence operations in the Soviet Arctic. Canadian intercept sites tracked the movements of Soviet aircraft inside Soviet airspace by listening in on the messages passed between the USSR's own radar stations.

At the beginning of the 1970s, following the launch of the CANYON series of eavesdropping satellites by the U.S., CSE set up a special unit of Russian-language transcribers to help process the masses of voice intercepts that began pouring in from short-range radio systems and microwave lines that had previously been beyond the range of the eavesdroppers.

The times they are a-changing

Pressures were building for change, however.

In 1974, CBNRC was outed in the media and became the target of probing questions in the House of Commons. A year later it was given a new home in the Department of National Defence and a new name, the Communications Security Establishment.

At the same time, the growing capabilities of eavesdropping satellites, photoreconnaissance satellites, and, with the advent of the supercomputer, the code-breakers at NSA and GCHQ gave the UKUSA allies an increasingly complete picture of developments in the Soviet Bloc. Plain language and traffic analysis, CSE's specialties, declined in importance, while the deepening Cold War tensions at the end of the decade placed the agency under pressure to step up its contributions to the UKUSA effort.

The response was the first significant increase in CSE's staff since the 1950s. During the 1980s and early 1990s CSE grew by 50 percent, topping out at just over 900 employees. The agency also hired a new team of code-breakers, purchased a Cray supercomputer to support them, installed satellite monitoring dishes at the Leitrim intercept station, and established covert monitoring sites in Canadian embassies around the world. The focus of the agency's efforts remained on the Soviet target, but other issues, such as Sikh extremism, also appeared on the target list.

End of the Cold War, start of a new vision of 'safety'

The Cold War ended just as CSE was completing its build-up. In 1989 the Berlin Wall came down, and by the end of 1991 the Soviet Union had disintegrated. Many of CSE's most important targets disappeared. History itself, according to the famous claim, had come to an end.

For the first time since the end of the Second World War the Canadian government was forced to confront the question, what foreign intelligence does Canada need? With economic competition widely expected to dominate future relations among states, "prosperity issues" topped the list of priorities that emerged.

CSE's continued access to the UKUSA network and the new capabilities it had acquired in the 1980s positioned it well for the new era. Instead of facing cuts like CSIS and the Canadian Forces (and indeed most of the federal government as the Chrétien government sought to eliminate a sizeable budget deficit), CSE underwent only minor reductions, ending the 1990s with the same number of employees as it had at the beginning of the decade.

The picture was not entirely rosy, however. The Internet had arrived as a significant player in global communications, and CSE lacked the legal authority to intercept communications that might involve Canadians. The growing use of fibre optic cables and the spread of encryption led to renewed fears of going dark. The UKUSA SIGINT agencies began to consider the merits of actively hunting intelligence through computer hacking (computer network exploitation, or CNE) rather than passively gathering whatever information happened to come their way.

In 2000, CSE set a new vision for itself: “to be the agency that masters the global information network to enhance Canada’s safety and prosperity.”

Safety would soon become the dominant priority.

Turning points: The War on Terror and the Internet

When history resumed on that bright September morning in 2001, counter-terrorism and support to military operations in Afghanistan became CSE's highest priority. The Anti-Terrorism Act gave CSE a statutory mandate for the first time and empowered it to conduct CNE operations and to intercept communications involving Canadians (when the actual targets of the intercepts were foreigners located outside of Canada). The doors to the treasury also opened, and recruiting began for the largest expansion in the agency's history. By the time it finished in 2013, CSE had more than doubled, growing to more than 2,100 employees.

Osama bin Laden may have been the indirect father of that dramatic growth, but something else was also going on: CSE and its Five Eyes partners had decided to become the Masters of the Internet.

Bank robbers go where the money is; SIGINT agencies go where the data is. Increasingly, that means the Internet. Canada's legacy intercept stations—Alert, Gander, Masset, and Leitrim—are still in operation, the U.S. eavesdropping satellites are busy tracking mobile phones in Syria and Yemen, but the real action takes place in the global network of fibre-optic cables and packet-switching routers that comprise the physical infrastructure of cyberspace. CSE maintains that "the Five-Eyes alliance is more valuable now than at any other time in history, given the increasingly complex technological challenges faced by the partners."

Traffic analysis—now called data mining—is back, with vast quantities of metadata collected to sift and prioritize the staggering flood of plain-language communications coursing through the cables. Encrypted communications are also collected—and decrypted when feasible and judged worth the effort. In many cases, it's not. Worries about going dark have surfaced once again as encrypted Internet services gradually spread. But don't expect encryption to put an end to SIGINT. Increased reliance on CNE is likely to be the response.

Cyber warfare also looms on the horizon. CSE may already be using computer network attack techniques to help CSIS disrupt threats to Canadian security. However, true cyber warfare is likely to be a mission of the armed forces, as it is in the United States. In July, former CSE Chief John Adams called publicly for the acquisition of offensive cyber warfare capabilities by the Canadian Forces.

Another new factor is the presence of Canadians in CSE's hunting grounds. CSE was unable to assist during the FLQ crisis in 1970—it had no capability to monitor Canadians. In the post-2001 era, that is no longer true: the Internet traffic of Canadians mixes with that of everybody else, and CSE encounters it even when it is trying not to. When operating under judicial warrants obtained by CSIS or the RCMP, it deliberately goes after Canadian communications. CSE also passes on information about Canadians collected by its Five Eyes partners.

A special watchdog—the CSE Commissioner—was established in 1996 to monitor the legality of CSE's activities. Over the years, Commissioners have often reported weaknesses in the measures the agency takes to protect Canadian privacy, but only once, last year, has a Commissioner declared CSE in non-compliance with the law.

Whether CSE's watchdog is an adequate safeguard for the privacy of Canadians is a matter of continuing debate. One thing, however, is clear: As CSE enters its 71st year, the days when its gaze faced exclusively outward are gone for good.

Tuesday, August 09, 2016

2015-16 OCSEC report: News from the salvage operation

The 2015-2016 annual report of the Office of the CSE Commissioner (OCSEC), CSE's watchdog agency, was tabled in parliament on July 20th, whereupon it immediately sank without a trace. To the best of my knowledge, not a single news article has been published touching on any aspect of the report. [Until now.] (There was at least one commentary, however.) Not even Lloyd's List reported on the document when it went down.

It is perhaps not surprising that the report caused not a ripple. Last year's effort, tabled just six months earlier, was accompanied by a first-of-its-kind declaration that CSE had violated Canadian law. This year's report has no comparable James Cameron-class shocker: "This past year, all of the CSE activities reviewed complied with the law" (page 16).

Still, there's plenty of Glomar-worthy material in the wreck if you're willing to undertake the deep dive to recover it.

Join me as we watch the watchers' watchers and try to salvage some click-worthy items from this year's OCSEC report.

Spying on Canadians rose 4400%

I for one would click on a headline like that.

According to this year's report, CSE's foreign intelligence, or Mandate A, program used or retained as potentially useful 342 "private communications"—communications with at least one end in Canada—that were intercepted by CSE under ministerial authorization during the 2014-2015 authorization period (page 31).

As I discussed last year, this number is only the tip of the much larger iceberg that comprises Canadian communications processed by CSE, but it is an important statistic nonetheless. And this year what it shows is a dramatic increase in the number of private communications being used or retained by the Mandate A program.

Last year, the Commissioner reported that only 16 PCs had been used or retained at the end of the 2013-2014 authorization period, and this year he adjusted that figure without explanation to just 13 PCs. Maybe three of the retained PCs were subsequently deleted, maybe there was a change in the counting rules, maybe there is some other explanation that the Commissioner was unable to provide, or maybe I'm just missing something.

In any case, 342 is 26 times larger than 13.

And the change in the rate of PC use or retention was even greater, as the 2014-2015 authorization period was abnormally short, only seven months long. (This is discussed further below.) The rate at which the CSE Mandate A program used or retained Canadian communications that had been intercepted by CSE was 45 times as high in the 2014-15 authorization period as it was in the 2013-2014 period. That's right, forty-five times.

Now, you might think the Commissioner would offer an explanation for such a dramatic change in one of the few statistical measures that OCSEC reports provide, and—mirabile dictu—he does. In a manner of speaking.

> [The increase] was a consequence of the technical characteristics of a particular communications technology and of the manner in which private communications are counted. (page 33)

Now all we need is an explanation of the explanation.

My guess, and it's just a guess, is that this refers to something like SMS texting or a Facebook chat, in which each part of an extended conversation might be counted as a separate message.

If this is correct, then the dramatic rise in the number of private communications used or retained in 2014-2015 may have resulted from a relatively small number of conversations between just a few individuals. The overall number of Canadians whose communications were used or retained may not have increased at all.

An explanation along these lines might in turn explain the striking lack of concern with which the Commissioner greets what at first glance would appear to be a huge jump in the monitoring of Canadians.

But all this is just guesswork. Those of a less Pollyannish bent might make other guesses.

Nowhere does the Commissioner explicitly say there's nothing to be concerned about, and if that's how he actually feels about it, it would have been helpful if he had let his readers know.

This simple trick cut Ministerial Authorization periods by 42%

Another fact that surfaces only when you raise and reassemble portions of the text is that the five Ministerial Authorizations (MAs) that enable CSE to lawfully intercept private communications, which normally run for one full year apiece and which in recent years have extended from December 1st of one year until November 30th of the following, were cut short last year. Instead of lasting twelve full months, they were all replaced after seven, on June 30th, 2015 (see pages 30 and 34).

No explanation is provided for this change.

It is conceivable that Jason Kenney, who became Defence Minister on February 9th of that year, had his own ideas about the MA regime and didn't want to wait 10 months to introduce them, especially with an election looming. Another possibility is they were rewritten to accommodate new activities authorized by Bill C-51, which received Royal Assent on June 18th.

What the actual explanation may be I have no idea.

Our allies promised not to target Canadians and you'll never guess what happened next

We are often told that the Five Eyes partners do not target one another's citizens. Compared to the way other countries' citizens are treated, this appears to be largely true. But exceptions certainly occur.

In recent years, the CSE Commissioner has acknowledged that our Second Party partners do sometimes target Canadians, in "exceptional circumstances". This year he put it this way (page 19):

> The cooperative agreements that exist between the five eyes partners include a commitment to respect the privacy of each nation’s citizens and to act in a manner consistent with each nation’s policies relating to privacy. Nevertheless, it is recognized that each of the partners is an agency of a sovereign nation that may, in exceptional circumstances, derogate from the agreements if it is judged necessary for their respective national interests. In such exceptional circumstances, one of CSE’s partners may acquire and report on information about a Canadian or a person in Canada.

So, OK, fair enough. Exceptional circumstances. Ticking nuclear bombs, national emergencies. Who could really expect otherwise?

But how widely do those national interests extend? I recall speculating a few years ago that

"If, for example, the U.S. were to decide that its national interests required it to check into the possibility that would-be terrorists are plotting against the U.S. from inside Canada, we might very well expect them to go ahead and do exactly that. (But of course what are the chances that they would decide that?)"

We now have an answer.

The Commissioner goes on to say:

"A partner may report on Canadians located outside of Canada who are known to be engaging in or supporting terrorist activities, for example, a report about a known Canadian “foreign fighter” that may be planning to return to Canada or to attack Canadians."

For example.

Let's be clear here. I have no problem with the monitoring of people who are engaged in terrorist activities (assuming due process is followed), but according to CSIS there are some 180 individuals "with a nexus to Canada" who are engaged in terrorist activity abroad.

This is starting to sound a lot more routine than exceptional.

And there's more:

"When a partner does undertake an activity relating to a Canadian, the partner may acquire information that, in addition to meeting its own national security requirements, relates to the security of Canada and, as such, may be provided to the Canadian Security Intelligence Service (CSIS) in support of its mandate to investigate and advise government on threats to the security of Canada.

"Prior to February 2015, the process to provide this kind of reporting to CSIS was manual and did not involve CSE. To help address the evolving terrorist threat and the increase in the number of foreign fighters, CSIS required a more timely mechanism to securely exchange information. To this end, CSIS requested CSE assistance under part (c) of CSE’s mandate (paragraph 273.64(1)(c) of the National Defence Act (NDA)), to establish a mechanism for CSIS to receive and handle these reports via CSE’s established channels. ...

"The Commissioner found that CSE’s activities to transmit these reports to CSIS were conducted in accordance with the law and with ministerial direction relating to the protection of the privacy of Canadians."

So we've gone from "naw, doesn't happen" to "oh, well, sure, but only in exceptional circumstances" to "pretty much all the time" to "we had to formalize the exchange of all this stuff to ensure its regular and timely delivery".

But terrorists, right?

Or, maybe, as former Solicitor General Wayne Easter said in 2013, “terrorism, crime or sex offenders.”

That crime bit covers a pretty wide range of exceptions.

It's worth noting that all of this is separate from Canada's own ability to monitor such persons, based on judicial warrants granted to CSIS or the RCMP, which, aside from those agencies' own capabilities, includes CSE's worldwide intercept capabilities, CSE's ability to use Second Party intercept facilities by supplying Canadian "identifiers" to those systems, and the government's ability, acting through CSE, to request that the Second Parties themselves monitor specific Canadian targets using capabilities that may not be available for direct Canadian use.

Canada's ability to enlist Second Party systems suffered a setback in November 2013 when the process for Domestic Intercept of Foreign Telecommunications and Search (DIFTS) warrants took an unexpected torpedo amidships.

But everything appears to be back to smooth sailing in that regard. The Commissioner is currently planning to conduct "a follow-up review of CSE assistance to the Canadian Security Intelligence Service (CSIS)... relating to the interception of the telecommunications of specified Canadians located outside Canada (formerly called Domestic Intercept of Foreign Telecommunications and Search warrants)." (page 52)

This little-known legal case caused CSE to suspend more metadata activities

OCSEC continues to work its way through a sweeping, multi-year review of CSE's metadata activities. This year the Commissioner finished his examination of "specific foreign signals intelligence metadata activities that were set aside during the first part of the review in order to fully investigate incidents relating to CSE’s failure to minimize Canadian identity information in certain metadata it shared with its second party partners" (i.e., the omnishambles that earned CSE its first declaration of legal non-compliance and led to the ongoing suspension of a wide range of metadata sharing with the Second Parties).

One set of activities examined by the Commissioner (see page 24), which were conducted by CSE's Office of Counter Terrorism, sparked a number of concerns. These included "guidance on a specific metadata activity that involves Canadian identity information remains vague and should be clarified", "a small number of the activities raised questions about CSE authorities", and "the Commissioner noted inconsistencies in CSE documentation and record-keeping practices".

No recommendations resulted from these "issues and irregularities", however,

"because, subsequent to the period under review, CSE suspended indefinitely these particular metadata analysis activities in response to case law developments (Canadian Security Intelligence Service Act (Re), 2012 FC 1437, relating to the application of “directed at”). It is positive to observe that CSE followed and modified its practices to address related jurisprudence. Prior to its decision to suspend these activities, CSE did not meet its commitment to address a recommendation the Commissioner made in a February 2014 review of the activities of the Office of Counter Terrorism (OCT) to amend relevant policy to reflect current practices and to enhance record keeping. However, this can be explained by the short period of time between the OCT review and the suspension of the activities. As long as the suspension remains in effect, the Commissioner does not expect CSE to implement the recommendation."

A couple of things are worth noting here. As the Commissioner says, it is certainly good to see CSE modifying its practices to respond to relevant jurisprudence.

It is less good to see that the suspension apparently took place sometime after February 2014, i.e., at least 15 months after Madam Justice Mactavish's ruling. Does the Commissioner have a view on the legality of CSE's conduct during the period between December 2012 and the suspension of the activities? Are we back to this model?

Also, how is it that these activities—possibly contact chaining involving Canadian identifiers—were the subject of an OCSEC recommendation back in February 2014, but that recommendation was simply to "amend relevant policy to reflect current practices and to enhance record keeping" and not to suspend the activities in response to the December 2012 ruling? Doesn't OCSEC follow and respond to related jurisprudence as well?

In last year's report, the Commissioner commented that "the Canadian legal landscape has... changed since my office last conducted an in-depth review of CSE’s collection and use of metadata". The Supreme Court's Wakeling and Spencer cases were specifically cited in this regard, but the Commissioner gave no indication of what implications, if any, he believed those and other rulings might have for CSE's activities.

The topic of the Mactavish ruling is worth a closer look. CSIS wanted to monitor the communications of one or more Canadian individuals or entities during an operation to collect foreign intelligence in Canada in accordance with s.16 of the CSIS Act. The agency argued that the Canadian communications could be directly (not just incidentally) collected despite an explicit ban on directing s.16 operations at Canadians since the operation would in fact be directed at gathering intelligence about a foreign target. The court rejected CSIS's view.

What makes this ruling especially relevant for CSE is that CSE's mandate, spelled out in the National Defence Act, dictates that the agency's foreign intelligence and cyber defence activities "shall not be directed at Canadians or any person in Canada"; CSE is permitted to intercept private communications in the course of foreign intelligence collection if a suitable Ministerial Authorization is in place, but such operations must be "directed at foreign entities located outside Canada". The meaning of the phrase "directed at" is thus fundamental to the relationship between CSE and Canadians.

That CSE suspended certain activities of the Office of Counter Terrorism in the wake of the Mactavish ruling suggests that the agency may have been directing some of its foreign intelligence activities a little too directly at its compatriots.

On a separate issue, the Commissioner also reported (pages 24-25) that he had recommended that CSE "issue written guidance to formalize and strengthen existing practices for addressing potential privacy concerns with second party partners" and, further, that the agency had subsequently "issued guidance to operational employees to address cases where the privacy of Canadians may be at risk."

One hopes this guidance is more than just "transfer the information to CSIS forthwith."

This named Canadian could be you

When a CSE report mentions a Canadian individual, corporation, or other organization, specific identifying information (name, phone number, etc.) is normally "suppressed" and replaced with a generic reference such as "a named Canadian". SIGINT clients reading the report can subsequently request the suppressed information from CSE, and if the department or agency has a suitable mandate and operational justification, CSE will provide it (without any warrant, as far as I can tell).

This year for the first time the Commissioner reported the total number of requests made by Government of Canada clients for Canadian identity information over the course of one year (1 July 2014–30 June 2015). That number was 1,126 (page 40), or about three requests per day, a total that may or may not be down slightly from the previous year.

How many of those requests were approved was not reported. CSE does sometimes deny requests for identity information, but no data has been provided as to how often this occurs; my impression is that the percentage approved is very high.

In some ways, the number of Canadian identity requests made may be more revealing of the degree to which Canadians are monitored in the course of CSE's operations than the 342 PCs number noted above. But it is far from an ideal measure. It shows only the number of requests that were made, not the total number of suppressed Canadian identities that appeared in CSE reporting during the year. (That number might be in the tens of thousands if identity requests are made in something like 10% of cases; if identity requests are made in more like 80 or 90 percent of cases, on the other hand, the practice of suppressing identities would seem to be largely a sham.) The figure also excludes both those Canadians who appear in Second Party reports made available to Canadian government clients through CSE and those who appear in intercepts or other information provided by CSE to CSIS and the RCMP under CSE's Mandate C.

It also needs to be noted, as the report itself states, that the number of identity requests is not the same as the number of individual identities requested:

"the number of requests represent[s] the number of instances that institutions or partners submitted separate requests for disclosure of identity information suppressed in reports, providing a unique operational justification in each case. One request may involve multiple Canadian identities, and one Canadian identity may be disclosed multiple times to different institutions or partners."

In addition to reporting the number of identity requests by Canadian clients, the OCSEC report also provided for the first time the number of Canadian identity requests made to CSE by Canada's Five Eyes partners (111) and the number made for "disclosure to non-five eyes entities" (six: five made by a government of Canada client and one—which was denied—made by a Five Eyes partner). The approval rate for the 111 partner requests was not provided, but last year's report, which did not provide a request number, stated that partner requests "resulted in roughly an equal number of denials and disclosures of Canadian identity information".

Data recently released in the U.S. about NSA collection under the FAA Section 702 program (just one part of overall NSA collection) provides a potentially useful point of comparison: "In 2015, NSA disseminated 4,290 FAA Section 702 intelligence reports that included U.S. person information. Of those 4,290 reports, the U.S. person information was masked [equivalent to suppressed] in 3,168 reports and unmasked in 1,122 reports." Some of the reports with masked identities probably contained more than one masked identity, so the total number of masked identities was probably closer to 5,000, or maybe even 10,000. (The same individual might turn up in more than one report, however, so the total number of separate identities was probably considerably lower than that.)

The U.S. data also reported that "654 U.S. person identities" were unmasked in response to requests related to these reports. This suggests that something like ten percent of masked identities were ultimately unmasked in U.S. reporting, at least with respect to the 702 program.

If the NSA can publish the number of masked U.S. identities that are later revealed in response to its reporting, albeit for just one program, I see no reason why CSE cannot release comparable information for the number of minimized Canadian identities ultimately revealed. Similarly, although the U.S. data doesn't give the exact percentage of masked identities that are ultimately revealed, I see no reason why CSE couldn't release that information, and the percentage of requests that are approved, as well.

Such information would reveal a great deal to the public about the effectiveness of the measures that exist to protect their privacy while providing little or nothing of use to SIGINT targets seeking to evade CSE monitoring. What is CSE hiding, and from whom is it hiding it, when it won't show us this data?

The CSE Commissioner should insist on reporting this kind of information. And if CSE refuses to allow it, the Commissioner should indicate that parts of his report have been censored. (And, yes, in this respect the power of classification/declassification is indeed a censorship power.)

At least, that's my view.

There's more stuff worth examining in the Commissioner's 2015-2016 report, but that's it for this blog post. I'll report on my follow-up expedition in a future post.

Update 24 August 2016:

The Commissioner's report gets some news coverage:

Ian MacLeod, "Federal spies suddenly intercepting 26 times more Canadian phone calls and communications," National Post, 24 August 2016.

Update 25 August 2016:

And a very similar article:

Rachel Browne, "Canada’s Spy Agency Now Intercepting Private Messages 26 Times More Than Previously," Vice News, 25 August 2016.

...And another one:

Ian Allen, "Did domestic snooping by Canadian spy agency increase 26-fold in a year?" IntelNews, 25 August 2016.

Gotta love this line: "According to the CSE commissioner’s report for 2015, which was released in July, but was only recently made available to the media..." So that's what happened!

Sunday, June 19, 2016

Twenty years of OCSEC

Today is the twentieth anniversary of the establishment of the Office of the CSE Commissioner (OCSEC). The first CSE Commissioner, Claude Bisson, was appointed on 19 June 1996.

Since 1996, there have been six CSE Commissioners:
  • Claude Bisson (1996-2003)
  • Antonio Lamer (2003-2006)
  • Charles Gonthier (2006-2009)
  • Peter Cory (2009-2010)
  • Robert Décary (2010-2013)
  • Jean-Pierre Plouffe (2013-present)

OCSEC has been the subject of a lot of criticism over the past two decades, some of it justified and a lot of it not.

Here's one of my own contributions to that literature. (You can decide for yourself whether it falls into the justified or unjustified camp.)

Such criticisms shouldn't blind us to the vitally important role that OCSEC has played over the years in reinforcing an ethos of legal compliance at CSE and ensuring that mechanisms to monitor and assess that compliance are established and implemented. But a strong case can be made that CSE's review body—like those of the Canadian security and intelligence community as a whole—is in dire need of improvement.

Kent Roach and Craig Forcese argue that OCSEC and the review bodies for CSIS and the RCMP should be combined into a single agency that would monitor all components of the Canadian security and intelligence community, as part of a wider set of accountability improvements ("Bridging the National Security Accountability Gap: A Three-Part System to Modernize Canada's Inadequate Review of National Security," Ottawa Faculty of Law Working Paper No. 2016-05, 31 March 2016).

Wesley Wark's recent comments on the future of review ("Canada’s spy watchdogs: Good, but not good enough," Globe and Mail, 1 February 2016) are also worth reading.

The Trudeau government took a major step towards implementation of one aspect of this reform agenda with the introduction on June 16th of Bill C-22, which will establish a committee of parliamentarians to review the S&I community as a whole. (See Forcese's comments on that step here.)

Other changes may be yet in the offing.

For the time being, however, the future of the 20-year-old OCSEC remains undecided.

Friday, June 10, 2016

Australia's participation in Pine Gap

Yet another paper in our on-going series on the SIGINT station at Pine Gap, Australia:

Desmond Ball, Bill Robinson, and Richard Tanter, "Australia’s participation in the Pine Gap enterprise", NAPSNet Special Reports, June 8, 2016. Full text here (1.7 MB PDF).

Earlier reports:

- Desmond Ball, Bill Robinson, and Richard Tanter, "The Antennas of Pine Gap", NAPSNet Special Reports, February 21, 2016;

- Desmond Ball, Bill Robinson, and Richard Tanter, "Management of Operations at Pine Gap", NAPSNet Special Reports, November 24, 2015;

- Desmond Ball, Bill Robinson, and Richard Tanter, "The SIGINT Satellites of Pine Gap: Conception, Development and in Orbit", NAPSNet Special Reports, October 15, 2015;

- Desmond Ball, Bill Robinson, and Richard Tanter, "The Higher Management of Pine Gap", NAPSNet Special Reports, August 17, 2015;

- Desmond Ball, Bill Robinson, and Richard Tanter, "The militarisation of Pine Gap: Organisations and Personnel", NAPSNet Special Reports, August 13, 2015; and

- Desmond Ball, Bill Robinson, Richard Tanter, and Philip Dorling, "The corporatisation of Pine Gap", NAPSNet Special Reports, June 24, 2015.

More to come!