Monday, July 03, 2017

Bill C-59: New dogs for new tricks

The Liberal government's Bill C-59 would affect the Communications Security Establishment in a number of important ways (most notably the addition of a foreign cyber operations mandate). One of the most consequential potential changes is the bill's proposal to eliminate CSE's existing watchdog agency, the Office of the CSE Commissioner (OCSEC), and replace it with two newly created entities, the National Security and Intelligence Review Agency (NSIRA) and the Intelligence Commissioner, each with significantly expanded powers.

National Security and Intelligence Review Agency

The proposed National Security and Intelligence Review Agency would absorb and replace the current Canadian Security Intelligence Service watchdog agency, the Security Intelligence Review Committee (SIRC), and expand its mandate to include not just CSIS activities but also CSE activities—taking on most of the OCSEC role—as well as the national security and intelligence–related activities of all other federal departments and agencies, including the RCMP and the Canadian Border Services Agency. This would meet two long-sought goals: ensuring that all elements of Canada's security and intelligence community are brought under scrutiny and knocking down some of the silo walls between existing review bodies that have made investigations of inter-agency activities difficult.

Even more important from the perspective of CSE review is that NSIRA would be empowered to make findings and recommendations that relate not just to a department’s compliance with the law, but also to "the reasonableness and necessity of a department’s exercise of its powers." Like many other observers, I have always felt that OCSEC's mandate, limited to questions of compliance with the law, was too narrow. (If you're interested, here I am calling for a broader mandate back in 1996.) Extending the purview of the new review agency to include the reasonableness and necessity of CSE activities would be a very important expansion compared to OCSEC's role.

Also useful would be NSIRA's proposed power to acquire "any documents and explanations that the Agency deems necessary for the exercise of its powers and the performance of its duties and functions" (excluding Cabinet documents) and the fact that it, not CSE, would be "entitled to decide whether information relates to the review or complaint in question." OCSEC struggled on a number of occasions to gain access to documents that CSE (or in one case National Defence) felt were not relevant to the Commissioner's work. Specifying in the legislation that NSIRA has the power to decide whether information is relevant should reduce that kind of resistance.

Another interesting innovation is that NSIRA would have the power to produce not only an annual report that must be made public (as is already the case for OCSEC), but also special reports on topics that it considers it to be in the public interest to report on. One purpose of issuing such reports would probably be to reassure the public about issues that have become matters of public concern. (The public statement that OCSEC issued following the CBC's publication of the CSE "airport wi-fi" document might be considered a forerunner to this kind of reporting.) In other cases, however, such reports might serve as a means for the agency to draw attention to its own concerns.

As with the OCSEC annual report, the Minister would receive NSIRA special reports ahead of time but would not have the formal power to censor their contents. I say no formal power because the government would of course retain the ability to decide whether classified information can be declassified, enabling it to prevent the release of many—or even all—of the details of the matters that might be discussed in such reports. But it would not enable the government to stop the watchdog from publicly reporting, for example, that "CSE's [redacted] program presents a serious threat to the privacy of Canadians." Thus, even in the worst-case, where few or no details were deemed releasable, such reports could serve as vital bell-ringers for parliament, the courts, and the public.

Intelligence Commissioner

The other new watchdog proposed in Bill C-59 is the Intelligence Commissioner, a position that would be filled initially by re-mandating the current CSE Commissioner, Jean-Pierre Plouffe. OCSEC would be disestablished and its budget and staff transferred, at least initially, to the Intelligence Commissioner. (I would expect, however, that many OCSEC employees would almost immediately move to NSIRA, which would take on the bulk of the tasks currently performed by OCSEC.)

The provisions for appointing new Intelligence Commissioners ("The Governor in Council, on the recommendation of the Prime Minister, is to appoint a retired judge of a superior court as the Intelligence Commissioner") differ slightly from those pertaining to the CSE Commissioner in the National Defence Act ("The Governor in Council may appoint a supernumerary judge or a retired judge of a superior court as Commissioner of the Communications Security Establishment"). The change in the rules may be in part a response to the concern about the appropriateness of appointing supernumerary judges that was expressed by the first CSE Commissioner, Claude Bisson. Another change is that the appointment would in future be mandatory ("is to appoint") rather than technically optional ("may appoint"). (The weakness of the original wording was discussed by CSE's Director of Legal Services, David Akman, here.)

The Intelligence Commissioner would have two main responsibilities: "(a) reviewing the conclusions on the basis of which certain authorizations are issued or amended, and certain determinations are made, under the Communications Security Establishment Act and the Canadian Security Intelligence Service Act; and (b) if those conclusions are reasonable, approving those authorizations, amendments and determinations."

With respect to CSE, these duties would pertain specifically to "Foreign Intelligence Authorizations" and "Cybersecurity Authorizations", the functional equivalents of the Ministerial Authorizations provided under the current law to permit CSE to engage in activities that might lead to the incidental interception of "private communications" (communications that begin or end in Canada) without violating the law.

Unlike the current authorizations, however, the implementation of Foreign Intelligence and Cybersecurity authorizations would depend on the approval of the Intelligence Commissioner, based on the Commissioner's assessment of the reasonableness of the Minister's decision to issue the authorization. Without the Commissioner's approval, the authorization would not be able to take effect. (Note, however, that a proposed new category of authorizations pertaining to offensive and defensive cyber operations, i.e., Computer Network Attack activities, would not be subject to this procedure, or indeed examined by the Intelligence Commissioner at all.)

These proposals would give the Intelligence Commissioner "oversight" powers fundamentally different from those heretofore exercised by Canada's "review" bodies. (See here for a description of the difference between oversight and review in official Canadian parlance.)

A number of legal experts have expressed doubt as to whether CSE's current procedures for authorizing its activities take sufficient account of the privacy rights of Canadians under the Charter of Rights and Freedoms (see, for example, here), and a challenge to those activities brought by the British Columbia Civil Liberties Association is currently before the courts. Thus, the government's goal in creating the quasi-judicial Intelligence Commissioner position is probably to Charter-proof those activities, along with certain data retention and processing activities conducted by CSIS.

Do the changes the government is proposing go far enough? They are less ambitious than those proposed in 2014 in Liberal MP Joyce Murray's private member's bill, Bill C-622, which was defeated by the Harper government. Murray's proposal, supported by the Liberal Party at the time (and essentially repeated in the Liberal election platform), would have required CSE to obtain an order from the Federal Court to authorize it to intercept or acquire communications whenever that activity might lead to the incidental collection of communications or metadata involving Canadians.

Still, two of Canada's leading national-security law experts, professors Craig Forcese and Kent Roach, have expressed support for the government's proposal, concluding it would put CSE "on a much sturdier constitutional foundation which does not rely simply on ministerial authorization."

CSE typically obtains four Ministerial Authorizations (MAs) per year under the current system, three for various SIGINT activities that might (indeed do) involve the incidental interception of Canadian communications and one for cybersecurity activities that likewise involve incidental interception. The three SIGINT authorizations are very broad in scope, probably covering the interception of circuit-switched communications, such as traditional phone calls; the interception of packet-switched communications, i.e., Internet communications; and the collection of communications through Computer Network Exploitation, i.e., computer hacking activities.

The authorizations that would be approved by the Intelligence Commissioner are likely to be similar in scope. Like the current MAs, each authorization would last for up to one year and would cover classes of interception activity rather than specific targets. Under the new rules, each authorization could be renewed for one additional year without requiring the approval of the Intelligence Commissioner. On average, therefore, the Commissioner might be asked to approve as few as two authorizations per year.

However, the number might be somewhat larger. It's possible that Intelligence Commissioners would insist on a finer-grained approach, with more numerous authorizations addressing more limited and more tightly constrained sets of activities. One difference that might lead to an increase in the number of authorizations is that the new system would cover not just communications but all information collection, including metadata. [Update 5 August 2017: Also, a separate cybersecurity authorization would be required for each non-governmental critical infrastructure system or network that CSE undertook to protect, so the number of those authorizations could become quite large.]

But however it developed, the proposed system would not be remotely as particularized as the target-by-target warrants required by the court system for interceptions inside Canada by CSIS or the police.

On the whole, then, the new system would probably not be a great deal more cumbersome for CSE than the current one. There is certainly some chance that Intelligence Commissioners would insist on more detailed proposals and/or more extensive privacy protections in the authorizations, but that should be seen as a feature of the proposal, not a bug.

Another potential advantage of the new system is that it would bring much greater expertise to the authorization process than the Minister of National Defence could ever bring. The Department of National Defence is a huge and complex portfolio and the Minister, being human, is much too busy to develop and maintain in-depth knowledge of the minutiae of CSE's activities. This is a problem, because other than OCSEC's after-the-fact reports on specific review topics, the Minister currently has little or no access to expertise about CSE and its operations outside of the information provided by the agency itself.

In its 2015-16 annual report, OCSEC suggested that the CSE Commissioner might be able to assist the Minister in this regard, providing "an independent expert assessment of proposed ministerial authorizations, whether the conditions for authorization set out in the Act are met, and concomitant privacy protections. The Commissioner is already doing this work; only the timing would change, so that the Commissioner can provide an assessment to the Minister before the authorizations are signed, enhancing accountability." The proposed Intelligence Commissioner role would in a sense build on this OCSEC suggestion.

C-59 would also require that NSIRA brief the Minister of National Defence at least once per calendar year "on the exercise of, or the performance by, the Communications Security Establishment of its powers, duties and functions". This process would also help to ensure that the Minister gets more than just a retrospective outside perspective on the activities of the agency.

Unlike the CSE Commissioner, the Intelligence Commissioner would not have a public reporting role. All reporting to the public would come from NSIRA and the proposed National Security and Intelligence Committee of Parliamentarians. However, the Commissioner would be required to provide a copy of every approval decision, positive or negative, to NSIRA, so it's possible that NSIRA will report on the authorizations processed by the Intelligence Commissioner. That would be a very important service.

The Intelligence Commissioner would also have the right to receive copies of any reports produced by NSIRA or the Committee of Parliamentarians that relate to the Intelligence Commissioner's duties. Unfortunately, there does not appear to be any provision for information-sharing or cooperation among these bodies on a less formal level, and the justices of the Federal Court would be left picking through the public reports of NSIRA and the Committee of Parliamentarians, much as they do now with SIRC and OCSEC reports, to get any hint of concerns that might be relevant to issues within the court's purview. In this respect, the problem of review bodies being confined to separate silos would not be resolved by this legislation.

Farewell to OCSEC

I have somewhat mixed feelings about the plan to eliminate OCSEC.

CSE's watchdog has been much criticized over the two decades it has been in operation, and I've taken my share of shots at it over that time, but the Commissioners have always done important work, and I have been impressed in recent years by the determination of the current Commissioner and his staff to expand the envelope of what OCSEC can say and do.

Still, the government's proposals incorporate a number of important improvements and innovations, and between NSIRA and the office of the Intelligence Commissioner it looks as though Mr. Plouffe and the former OCSEC staff will be able to continue the work they have been doing and expand it in significant ways. It seems like a good decision.

Mr. Plouffe's term as CSE Commissioner was recently extended to October 18th, 2018, and I doubt he will want a second extension, so even if the bill is passed and enters into force relatively quickly he probably will not spend a lot of time in the Intelligence Commissioner's job. The staff of OCSEC I hope (and expect) will stay on with NSIRA and the office of the Intelligence Commissioner. The new watchdogs will need their expertise.

In the meantime, we can expect Mr. Plouffe and his staff to continue doing the work of OCSEC. They deserve our thanks for the diligent and important work they have done for Canadians over the years.