Notes prepared for Who is Watching the Watchers?: A Panel of Canadian Privacy and Surveillance in the Post-Snowden Era, uOttawa, Faculty of Law (October 16, 2013)
Over the last half year, Canada’s once largely unknown signals intelligence agency has twice become a veritable media blockbuster. In both instance instances, this notoriety arises as a collateral consequence of the Snowden datadump on US signals intelligence and intercept practices.
Last summer, the Globe and Mail focused on CSEC’s metadata intercept practices, during a time in which the US National Security Agency’s equivalent conduct was under the microscope. More recently, documents obtained directly from Snowden seem to disclose covert surveillance of some sort by CSEC on the Brazilian ministry of mines, perhaps undertaken as part of the “five eyes” signals intelligence alliance between Canada, the United States, the United Kingdom, Australia and New Zealand.
In this brief talk, I wish to briefly identify several legal issues these two controversies raise. CSEC’s mandate is prescribed by the National Defence Act, in s.273.64(1). For our purposes, two of the three paragraphs in this subsection are relevant. Under paragraph (a), CSEC is to “acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities” (Mandate A). Under paragraph (c), CSEC is “to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties” (Mandate C).
In relation to both the Brazilian and metadata controversies, CSEC acts (or purports to act) under Mandate A. Under Mandate A, there are (legally speaking) basically two types of information that may be swept up in the collection effort. There is information that has no Canadian nexus in the sense that it does not meet the definition of “private communication” under the Criminal Code (which means, among other things, a communication originating in Canada or that is intended to be received in Canada). And there is information with a Canadian nexus because it does meet the definition of “private communication”. The Brazilian scenario is an example of the former, while metadata (potentially) implicates the latter.
Where there is no Canadian nexus, the domestic law essentially falls silent. The only real domestic legal issues arising from the Brazilian scenario is whether the data intercepted by CSEC truly lies within Mandate A as “foreign intelligence”. The latter is broadly defined in the NDA as “information or intelligence about the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group, as they relate to international affairs, defence or security”. Since “international affairs” is a broadly textured concept of potentially mutable scope and shape, it is difficult (although not impossible) to object to the purported Brazilian spying as ultra vires CSEC’s mandate.
From an international law perspective, the issue is closer. If CSEC intercepts were undertaken on Brazilian territory, there is an obvious sovereignty concern. This, I would argue, would include any access that involved cracking servers located on Brazilian territory. If, on the other hand, the intercepts were undertaken remotely and involved intercepts of transnational electronic leakage – say because intercepted communications were captured outside of Brazil -- there is no sovereignty concern (at least insofar as Brazil’s sovereignty is concerned). Article 22 of the International Telecommunications Convention does provide that members will “take all possible measures, compatible with the system of telecommunication used, with a view to ensuring the secrecy of international correspondence.” This is, however, hardly a resounding prohibition as the treaty also states that members “[n]evertheless, …reserve the right to communicate such correspondence to the competent authorities in order to ensure the application of their internal laws or the execution of international conventions to which they are parties.” Put another way, a domestic law steering international communications to a security agency on national security grounds is plausibly an “internal law” that trumps the secrecy proviso found in the Convention.
The metadata issue is much more complex. First, and principally, the communications infrastructure is so closely webbed together that one can never truly be sure that a general intercept program motivated by foreign intelligence collection will not capture Canadian data. Under its governing Act, CSEC must not direct its foreign intelligence activities at Canadians or any person in Canada and must observe privacy protections on the use and retention of information. Further, there is a rule that the defence minister must issue a formal, written “ministerial authorization” for activities that intercept private communication. In practice, authorizations are sought on an almost standing basis, because of the high risk (and actual reality) that any intercept activity might inadvertently capture private communication.
Having reviewed heavily redacted documents obtained from CSEC and other government agencies on CSEC metadata collection, it would appear (although one can’t be certain) that CSEC has not sought or received ministerial authorization in relation to metadata collection. Instead, it collects pursuant to a ministerial directive and internal policy. If this is so, this must mean that CSEC and its Justice lawyer advisors are confident that metadata collection does not implicate incidental collection of private communication. My suspicion, reading between the heavily redacted lines in these documents, is that this view in turn reflects an understanding of metadata as something other than “communications”.
Private communication, under the Criminal Code, is any oral communication or any telecommunication. The government legal theory must be, therefore, that metadata – data about data – is neither an oral communication nor a telecommunication. This theory depends, on other words, on an interpretation of the Act that limits its reach to content and not the superstructure around that content (e.g., who was called, when from what location and number, for how long etc.), even if that superstructure is, in turn, quite informative. This may be a plausible legal hypothesis, but one upon which much turns: unauthorized intercept of private communication is a crime.
There is an additional legal wrinkle in this discussion, one relating to the Charter. I understand that CSEC intercepts may be generic and on a different footing than the sort of particularized intercepts undertaken by domestic law enforcement and security agencies, to which warrant requirements apply. But still, I have been uncomfortable with the idea that mere ministerial authorization exonerating inadvertent collection of private communication satisfies Hunter v. Southam s.8 expectations. The minister is many things, but a disinterested judicial officer he is not. Moreover, it is especially unclear to me that whatever the definition of private communication in the Criminal Code, the s.8 privacy protections are to be defined as limited to “communications content” and not “data about data”. The s.8 test, after all, is reasonable expectation of privacy, and in an age in which the state can craft a highly intimate mosaic from electronic breadcrumbs, simply labeling something metadata seems unlikely to immunize it from constitutional expectations.
And finally, there are tantalizing hints in the documents obtained under Access to Information that CSEC may be quite ambitious in its understanding of its Mandate A in relation to metadata. In 2005, CSEC’s review body, the commissioner of CSEC, suggested that there were some collection activities undertaken under Mandate A that should have been undertaken under Mandate C. Mandate C – assistance to law enforcement and domestic security intelligence agencies – depends on these bodies being themselves authorized to collect information. In practice, that typically would mean a warrant under the Criminal Code or the CSIS Act.
What we don’t know is what exactly CSEC did under Mandate A that should have been done (in the commissioner’s eyes) under Mandate C. One suspects that if the Commissioner concluded that Mandate A was inapplicable, this was not about collection of foreign intelligence. And so did this cooperation involve direct intercepts of Canadian targets – something that CSEC can do as a proxy for RCMP or CSIS? If it did, did an RCMP or CSIS warrant undergird that collection? If not, is it because even when it comes to domestic metadata collection, the government’s lawyers take the view that no warrant is required? Extrapolating from prior government positions on lawful access reform, warrantless intercept of domestic metadata would not be an uncharacteristic position for the government to take. These are questions of enormous public interest – and hardly the stuff that deserves the heady protection of secrecy law.
In the final analysis, these and other privacy and surveillance laws are starting to look increasingly creaky and antiquated. The square peg of conventional privacy protections does not fit the round hole of modern intercept capacities. My personal view is that the whole privacy protection regime needs to be rebuilt from the ground up. As I have suggested before, the traditional preoccupation with controls on collection needs to be supplemented (if not replaced) with a serious rethink on retention and dissemination.