Sunday, April 23, 2017

CANUSA Agreement declassified

In 1949, Canada and the United States signed the CANUSA Agreement, codifying the extraordinarily close cooperation between the two countries on communications intelligence collection, processing, and dissemination.

The agreement was laid out in a Top Secret codeword-classified exchange of letters between G.G. (Bill) Crean, the Chairman of the Communications Research Committee (the interdepartmental committee that governed Canadian SIGINT policy), and Major General Charles P. Cabell, the Chairman of the equivalent U.S. body, the United States Communications Intelligence Board.

It was based closely on the U.S.-U.K. BRUSA Agreement of 1946, which was later renamed the UKUSA Agreement and is considered the foundational document of the Five Eyes SIGINT alliance.

The UKUSA Agreement was declassified and published online in 2010 along with most of its appendices and annexures, although some had significant redactions.

The CANUSA Agreement, by contrast, remained classified—until now.

Here is the full text of the agreement, minus as many as 83 pages of appendices and annexures, as released under Access to Information request A-2016-00131.

Kudos to the Communications Security Establishment for finally releasing this important historical document.

I usually leach off other people's access requests for the documents I cite on this blog, but in this case I put up my own five bucks to make a formal request since the public shaming I tried in January didn't seem to be working any better than the gentle persuasion I tried in November.

And, to be clear, the five bucks was only partly successful.

I asked for the appendices and annexures to the agreement to be released as well, but evidently that proposition was too great a shock to the system over there. This, despite the fact that (as I pointed out here) the 27 March 1953 version of Appendix B has been available online since 2015.

That particular horse probably got out by mistake, but it's not going to go back in the barn, pardners. Why pretend otherwise?

Another point: I also asked for the release of "all subsequent modified or amended versions of that agreement up to the present day."

We know from this document that the agreement was "revised slightly in 1960", but we don't know in what way.

And we still don't. Maybe the 1960 version was somewhere in those 83 pages that CSE redacted.

On the plus side, the Dominion is safe from whatever ill consequences would ensue if that specific 57-year-old horse ever got out.

But enough with the nay-saying.

At the risk of riding my metaphor off in all directions, I shouldn't look a gift (or, technically, five-dollar) horse in the mouth.

The CANUSA Agreement has finally been released into the wild. And that's a good thing.

Sunday, April 09, 2017

CBNRC's mini-SHAMROCK



From August 1945 to May 1975 the NSA's SHAMROCK program collected most of the cable traffic passing between the United States and international locations and processed their contents for foreign intelligence — and occasionally domestic intelligence — purposes. Public outrage following the program's exposure in the mid-1970s led to the passage of the 1978 Foreign Intelligence Surveillance Act.

Just before that all happened, however, Canada sought to establish its own mini-SHAMROCK program.

Canadian government documents indicate that in the early 1970s the Communications Branch of the National Research Council (CBNRC, as CSE was called in those days) set up a test cable monitoring operation in Montreal. The Canadian program, which has not previously been revealed, was run in cooperation with the Canadian Overseas Telecommunications Corporation (COTC), the Crown corporation that had a monopoly on overseas telephone, telex, and telegram services from Canada at that time. (COTC was renamed Teleglobe Canada in 1975 and was later privatized, eventually becoming part of Tata Communications.)

Canada had long been a regular consumer of the cable traffic collected on international circuits around the world by its U.S. and U.K. allies, but its own SIGINT activities were focused almost entirely on the radio communications of the Soviet Union, particularly those in the Arctic.

At the beginning of the 1970s, this posture was seen as not fully meeting Canadian needs.

CBNRC reportedly was unable to contribute much during the October Crisis in 1970, as it had virtually no capacity to monitor Canadian communications. Ottawa wanted desperately to know more about "revolutionary elements" in Canada, including any links they might have to other countries. Intelligence consumers were also interested in more Canadian-related foreign and economic intelligence than we could get from our allies.

The documentary evidence is sparse, but a pilot project for monitoring cross-border cable communications appears to have been set up at COTC's Montreal facilities, which were the gateway for Canadian transatlantic communications, in 1971 or perhaps a little earlier.

A draft memorandum on "The Canadian Intelligence Program" written for the Cabinet Committee on Security and Intelligence in April 1972 reported that "a survey is being carried out to determine the value of arrangements with the Canadian Overseas Telecommunications Corporation by which we would have the opportunity to examine messages between Canada and locations abroad which would (1) clarify links between revolutionary activities abroad, (2) provide information concerning known revolutionary elements, and (3) contribute intelligence about foreign and economic affairs of direct interest to Canada."



Later that month, CBNRC sought approval to convert the test operation to full operational status during the coming fiscal year, 1973-74. But with the intelligence program review still underway and fiscal pressures being felt all across the government, the Cabinet declined to give the project the go ahead that year.

The following two excerpts tell that part of the tale.

In the first, Intelligence Advisory Committee chairman A.F. (Bert) Hart discusses CBNRC's proposal for funds "for additional activities related to placing two test operations (Moscow and COTC Montreal) on a full operational basis in the fiscal year 1973/74" and comments that the plan may have to be revised.



(The Moscow operation, Canada's first intercept site inside an embassy, was unrelated to the COTC project.)

The second excerpt, taken from the History of CBNRC, shows that the Cabinet did in fact decline to approve the extra expenditures required to go fully operational that year.



The decision to restrict the SIGINT budget to Level A presumably meant that the COTC Montreal operation did not go fully operational in 1973-74, unless internal budget reallocations or Supplementary Estimates later provided for it.

The proposal was not dead, however, and it is possible that the budget planning for 1974-75 approved an operational capability. The available records don't answer this question.

Either way, though, it was moot.

On 14 January 1974, the Protection of Privacy Act received Royal Assent, adding Section VI (Invasion of Privacy) to the Criminal Code, and trampling CBNRC's mini-SHAMROCK proposal in the process.

According to the History of CBNRC, nobody had asked CBNRC what effect the new act might have on SIGINT collection:

"in 1971 the [Director of Communications Security (DCS), the External Affairs official in charge of the Canadian SIGINT program], without any discussion with CBNRC, assured his Under-Secretary, and through him his Minister, that the clause in the current draft bill on Protection of Privacy which forbade the interception of "private" communications in and out of Canada would not have any bad effects on Canadian intelligence. This official opinion was to wipe out for the remainder of CB's existence traffic useful in such studies as [redacted]."



Additional details of the story can be found in other sections of the History:

"Legislation in Canada and the US affected CB's activities in a more basic way. A Protection of Privacy Bill was being drafted by the Canadian Department of Justice in 1971. The Department of External Affairs queried some aspects of the draft bill which might affect legitimate intelligence interests adversely. Copies of the queries, which went out over the signature of the Under-Secretary of State for External Affairs (USSEA), went to the Cabinet Secretary, the Chief of the Defence Staff (CDS) and the Director General of the Security Service (DGSS) in the RCMP, but not to Director CB. After receiving answers from Justice, the USSEA told his Minister in June that "radio communications would not come within the prohibition" against the interception of "private communications". Also, the "use or disclosure" of communications intercepted outside Canada would not constitute an offence, because such an act would not be "wilful", as being based on selection from a mass of material picked up without any "mens rea". He also told his Minister that relevant information would be made available to intelligence authorities (presumably including CB), even if obtained for specifically security purposes under a warrant issued by the Solicitor General. However, these did not all turn out to be the interpretations of several subsequent Solicitors General and Ministers of Justice."




One of the effects of the Protection of Privacy Act was to end CBNRC access to telephone, telegram, and telex messages with one or more ends in Canada, as these were by definition "private communications". CBNRC was prohibited both from collecting the messages itself and from asking its allies to collect the traffic for it.



(Under the Department of Justice's current interpretation of the law, CSE is in fact permitted to receive one-end Canadian traffic intercepted by Canada's allies. However, it is not permitted to ask those allies to target the communications of specific Canadians or persons in Canada except when it is at the request of a federal law enforcement or security agency operating under a warrant. Whether the same interpretations were applied in 1974 is not clear.)

The paragraph 4.25 that was cited in the preceding excerpt summed up the situation in 1975, as CBNRC became CSE: "[T]hings were still humming in most areas except in the ability to produce SIGINT on the subject [redacted; presumably "International Trade", but possibly also the collection of intelligence on "revolutionary elements"] which had been given a high priority by the intelligence community. Here unfortunately a strict interpretation of the new Protection of Privacy Act meant that the main source of information on this subject, that is [redacted] was now regarded as taboo. Some work was beginning to be done on selected foreign [redacted] but this new plant only reached its full flowering after the conversion from CBNRC to CSE, and so will have to be matter for a later history."



(The final sentence of this excerpt may or may not apply to the private communications issue: it could be a reference to the expansion in collection from embassy sites that began in the early 1980s.)

By mid-1975, it was not just CSE's mini-SHAMROCK program that was dead: the original U.S. SHAMROCK program had itself been shut down, although elements of it would soon enough be started up again following the passage of the Foreign Intelligence Surveillance Act.

It's likely that CSE did get permission to access cross-border traffic for certain purposes later in the 1970s or the years that followed. Communications that transited through Canada on their way between Europe and the Far East may have been considered fair game, for example. Such communications were a significant source of revenue for COTC, or Teleglobe Canada as it was known by then.

But it wasn't until the passage of the Anti-Terrorism Act in 2001 that CSE regained broad-based access for foreign intelligence purposes to communications that begin or end in Canada (and, even then, only when collected in the course of targeting non-Canadians located outside Canada).

Saturday, February 25, 2017

CSE 2017-18 budget to be $596 million

The 2017-18 Main Estimates, tabled in parliament on February 23rd, show a projected 2017-18 CSE budget of $595,983,723.

As the document shows, the budget projected for 2017-18 is slightly higher than the $583.6 million that was originally projected for the current fiscal year (2016-17) and slightly lower than the $599.8 million 2016-17 "to date" figure, which reflects additions made to CSE's budget authorities during the fiscal year. It is $23.6 million lower than the $619.5 million that was actually spent in 2015-16.

After accounting for inflation, this would suggest that CSE's 2017-18 budget will be roughly 7% smaller than it was in 2015-16.

CSE's actual spending in 2017-18 could well turn out to be greater than its 2015-16 spending, however. The agency has received large in-year budget top-ups every year for the last seven years.

Thus, it may be safer to say that CSE's budget appears to have stabilized for the moment at the roughly $600 million level, but with significant year-to-year fluctuations.

That level is about 4.4 times as high, after adjusting for inflation, as CSE's pre-9/11 budget.

According to the Main Estimates, 72% of the money will go to CSE's SIGINT program, while the IT Security program will account for the remaining 28%.

Saturday, February 18, 2017

Kevin O'Neill in 1945

I was recently reading The Emperor's Codes, Michael Smith's 2011 book about the Allied effort to break Japanese codes during the Second World War, and to my surprise I ran across a 1945 photo that shows Kevin O'Neill, the Bletchley Park veteran who later became the Director of CBNRC/Chief of CSE.



O'Neill, who finished the war with the rank of Major in the British Army, worked on the Tunny problem, among other systems, during his time at Bletchley. But by 1945 he was part of the British liaison team at the U.S. Army's Signal Security Agency at Arlington Hall in Washington.

For reasons not clear to me, he appears in this photo (second from the right) with members of the British liaison office at the U.S. Navy's code-breaking agency, OP-20-G, which was located at the Naval Communications Annex. Note how, aside from civilian Wilfred (not William) Bodsworth, everyone in the photo other than O'Neill is in naval uniform.

O'Neill and John Manson, another British Army Major serving at the Signal Security Agency, were recruited by Ed Drake in 1946, becoming part of CBNRC's initial staff. Manson died in 1952, but O'Neill remained with the agency for his entire career, becoming the Director of CBNRC in 1971 and retiring as Chief of CSE in 1980.

Friday, February 17, 2017

List of Senior U.S. Liaison Officers at CSE

I've finally managed to get a reasonably complete list of the Senior United States Liaison Officers, or SUSLOs, assigned to CSE over the years.

SUSLOs are assigned by NSA to all of the Five Eyes SIGINT agencies, with the various SUSLOs distinguished from one another by suffixes. The SUSLO assigned to Canada is known as the SUSLO/O, for Ottawa.

The photo above shows Velva Klaessy, who served as SUSLO/O from 1970 to 1971. Klaessy was the first woman to serve as SUSLO at any location.

SUSLO/O list (with years of arrival and departure)
Lt. Robert Carl, USN (Acting)19501950
Maj. Oval Jones, USAF19501952
LCdr. Arthur Conant, USN19521953
Maj. Robert Morin, USAF19531955
Maj. Ralph Barch, USA19551958
LCol. Robert Maurer, USA19581960
Fred Sims19601963
William Kaczmar19631966
Maurice Edens19661970
Velva Klaessy19701971
Francis Irons19711974
Martin Sullivan19741977
Melville Boucher19771981
William Gerdes19811984
George Abbott19841990
Gary Kirkey19901992
Robert Arndt19921995
John Dirks19951999
Maria O'Connor19992002
Cindy Farkus20022005
?20052008
Donna Marie Barbano20082011
Cynthia Daniels20112014

The SUSLO identities from 1950 to 1974 are from a recently released version of History of CBNRC (Access release A-2015-00045). The more recent identities were assembled by me from public domain materials, with invaluable assistance from U.S. intelligence historian Matthew Aid, and may still contain some errors. I haven't included the current SUSLO/O on the list.

For earlier compilations of CSE's own liaison officers, the CANSLOs, see here and here.


Monday, February 06, 2017

ATIpper #10: CSE might have moved to Kingston

More from the Access to Information files:

According to access release A-2013-00055, CSE considered 17 properties in the National Capital Region, Arnprior, and Kingston when it was choosing the location for its new headquarters complex.

As is well known, the site ultimately chosen was in Ottawa's east end, adjacent to CSIS's headquarters.

But the agency's number two choice was Kingston.



It's a bit hard to believe that Kingston was ever seriously considered, however.

The fact that CSE personnel would have to drive two hours each way every time they needed to attend a meeting in Ottawa would surely have weighed heavily against selecting the site.

And convincing the agency's more than 2000 employees to move to Kingston would also likely have proved difficult and disruptive to morale.


Update 8 February 2017:

David Pugliese, "Kingston was the number two choice for CSE’s new headquarters," Ottawa Citizen, 7 February 2017

Monday, January 30, 2017

Releases of Canadian identities to Five Eyes partners

How often does CSE hand over information about Canadians to the United States and other Five Eyes allies? A partial answer is obtainable by examining a recent Access to Information release.

CSE's end-product reports must relate to its foreign intelligence or cyber defence responsibilities. (Information collected by CSE for Canadian law enforcement or security agencies is a separate matter.)

But sometimes these end-product reports do contain information about Canadians. When that happens, the name and other identifying information of that Canadian — known as Canadian Identity Information (CII) — is "suppressed", i.e., replaced by a generic reference such as "a named Canadian" or "a Canadian businessman". (There are certain exceptions to this rule, but they seem to be relatively limited, probably amounting to fewer than 100 cases per year.)

The information that is suppressed in those reports is not deleted, however. It is retained in CSE's data banks and is available to clients who request it if they can demonstrate both the authority and an operational justification for obtaining it. This applies to CSE clients located in Canada's Five Eyes allies, also known as Second Parties, as well as to domestic Canadian agencies.

Given the potential for the misuse of such information, particularly in light of the accession of the Trump administration, it would be helpful to know how often Canadian Identity Information is released to Canada's Five Eyes allies.

CSE has always refused to declassify this information. However, it is possible to get a sense of the scale of the releases by examining the gaps left in the agency's annual reports released under the Access to Information Act (release A-2015-00086).

Here are the relevant sections of the released versions of those reports for the five years from 2010-2011 to 2014-2015 inclusive.

2010-2011 Annual Report:



"In addition, CSEC released [redacted 3-digit number] identities to its Five-Eyes partners."

The width of this redaction indicates that it originally contained a 3-digit number, which means that somewhere between 100 and 999 pieces of Canadian Identity Information were released to Five Eyes partners in 2010-2011.


2011-2012 Annual Report:



"In addition, CSEC released [redacted] Canadian identities to its Five Eyes partners."

In this case, because the redaction occurs at the end of a line it is not possible to determine how many digits the redacted number had. However, the following year's report (see below) indicates that the 2011-2012 figure was also a 3-digit number.


2012-2013 Annual Report:



"In addition, CSEC released [redacted 4-digit number] Canadian identities to its Five Eyes partners. This represents a significant increase in the number of identities released in 2011-2012 ([redacted 3-digit number + close-parentheses] and is attributable to a [redacted] released to the US allies to enable them to efficiently assess the [redacted]"

The cause of this one-time jump was revealed in the following year's report to be "a single cyber defence report" that presumably contained a very large number (at least one thousand, possibly multiple thousands) of Canadian identities.


2013-2014 Annual Report:



"In 2013-14, Second Parties requested [redacted 3-digit number] Canadian identities, of which [redacted 3-digit number] were released. This is a [redacted] from the previous year, when [redacted 4-digit number] were released; however, during the previous year, [redacted 4-digit number] of those releases were from a single cyber defence report."

Here the number of released identities falls back to the more normal hundreds range.

Also worth noting is the fact, evident from the way the sentence is constructed, that not all requested identities are released.

This is also confirmed by various comments that the CSE Commissioner has made over the years. The Commissioner's 2014-2015 report even provided some data on this question, noting that a sample of recent Five Eyes requests examined by his office included "roughly an equal number of denials and disclosures of Canadian identity information." No information on the long-term average CII disclosure rate has been released, however. In some years, such as the year when a thousand or more identities were released from a single report, the disclosure rate has probably been much, much higher than 50%.


2014-2015 Annual Report:



"In FY 2014-15, Second Parties [redacted; probably "requested" + 3-digit number] Canadian identities, of [redacted; probably "which" + 3-digit number] were released. [Redacted] of these releases were to [redacted]"

In this release, CSE redacted larger portions of the text, possibly to make this kind of analysis more difficult. It's fairly easy to guess what the redacted words actually were, but the extra redactions do make the overall conclusions less certain.

(Thanks for that, CSE redactors. I'm sure the nation's security hangs on preventing the bad guys — or maybe the Canadian public? — from knowing with certainty whether the number of Canadian identities revealed to Five Eyes partners in a given past year was a 3-digit number or a 4-digit number.)

The most recent annual report of the CSE Commissioner provides another data point related to this question: Between 1 July 2014 and 30 June 2015, Five Eyes partners made 111 requests for Canadian Identity Information.

However, request numbers do not translate directly to release numbers for several reasons: requests are sometimes denied; requests may be made for the same identity by multiple clients; and finally and most importantly, a single request can pertain to multiple identities — in the case of the cyber defence report mentioned above, perhaps thousands of identities were released as a result of a single request. The fact that more than 100 requests were made suggests, however, that most requests involve only a small number of identities.

Taken together, these documents demonstrate with reasonable certainty that CSE releases at least one hundred and sometimes more than one thousand pieces of Canadian Identity Information to Canada's Five Eyes allies every year. Something like one or two items a day might be a reasonable guess.

And that's not the only way such information is shared. CSE also intercepts foreign communications on behalf of its partner agencies using selectors that they provide. It then forwards those intercepts, some of which are likely to contain incidentally collected Canadian communications or other information about Canadians, directly to them.

(CSE's recent metadata minimization failure also led to CII being provided to Five Eyes allies, but in that case the information would not have been provided if the systems had been working as required.)

It is likely that most of the information released through these processes goes to CSE's largest and closest collaborator, the U.S. National Security Agency, but some would also go to the other partner agencies.

In the vast majority of these cases, I would guess, the provision of this information makes a valuable contribution to Canadian and Allied security — in some cases it probably even contributes to the security of the named Canadians themselves. But as the Commissioner's classified 17 July 2013 report to the Minister of National Defence (A Review of CSEC Information Sharing with the Second Parties, Access release A-2014-00062) noted, the results of such sharing are not necessarily always benign:
While the case of Mr. Maher Arar did not relate specifically to CSEC or to SIGINT information sharing with the Second Parties, it is an example of how Canada's closest international partners may make their own decisions in relation to a Canadian.... The case of Mr. Arar demonstrates how [Government of Canada] information sharing with the U.S. or other partners may affect a Canadian and possibly put a Canadian in personal jeopardy.
This possibility is especially relevant now, with the Trump administration openly discussing a return to the use of torture, secret prisons, and other violations of civil liberties and international law. But even under the Obama administration some of these risks, including for example the possibility of targeted killings, were present.

The Canadian government has policies in place to govern international information-sharing when there is a substantial risk that the information shared could lead to the torture or other mistreatment of an individual, but many people question whether they are sufficiently restrictive.

In CSE's case, a Ministerial Directive signed in 2011 obliges the agency to conduct a mistreatment risk assessment whenever it considers releasing CII to a non-Five Eyes country.

But my reading of the limited information that has been released on that directive suggests that the Five Eyes countries are exempt from this requirement, except when those countries seek to forward Canadian information to a non-Five Eyes country. It would be very useful to know if that is in fact the case.