Security Surveillance, Lawful Access and Boiling Frogs

Speaking Notes from The Politics of Surveillance Workshop, May 8, 2014 (Ottawa)

This panel is entitled “Rendering Surveillance More Transparent” and the abstract that appears in the program urges that “[c]itizens need to be able to assess the values of privacy, security and due process in an informed, open fashion”.  It also questions whether surveillance transparency is a “silver bullet” and asks if “on-going reporting simply provide a false sense of security and veneer of legitimacy”.

As per the request of the organizer, in my 10 minutes, what I’d like to do is provide a backdrop that might help inform our discussion on these matters.  Specifically, I’d like to briefly outline the evolution of surveillance law and practice in Canada. 

My conclusion shall be this: In the area of security surveillance, privacy law has not kept pace with two key developments: first, the considerable overlap between what were once the fairly discrete areas of criminal law investigations, security intelligence investigations and foreign signals intelligence collection; and, second, the technological communications revolution.  Along the way, we are experiencing a net degradation of transparency around surveillance.  Much of this is a product of creeping happenstance, sticky, backward-looking law and untested inside-government legal interpretations piled on interpretation.  The net effect is that privacy risks being the equivalent of a frog boiled in an incrementally heated pot of water.  That is, the process is incremental and subtle, but the end result is the same: a dead frog.

A.  Privacy and Crime

Let me trace a chronology of law, surveillance and technology in developing this argument.  In 1974, Parliament enacted the Protection of Privacy Act -- now known as Part VI of the Criminal Code. Part VI is the most important of what we call “lawful access” provisions – that is, it makes unauthorized intercept of private communications a crime.  In practice, and subject to some limited exceptions, lawful access requires a judicial authorization.

Judicial blessing in advance of interference with a reasonable expectation of privacy has since also become the standard under section 8 of the Canadian Charter of Rights and Freedoms.  And the practice for judicial authorizations of all sorts in privacy matters has been specificity – that is, warrants are issued for finite purposes against finite targets in finite circumstances and locales.

Part VI was, and is, directed principally at law enforcement – it is the means by which the RCMP, for instance, receive wiretap authorizations.

B.  Privacy and Security Intelligence

That said, the key principles undergirding Part VI lawful access – advance authorization by judges with specificity – also became part of the regulatory system for the Canadian Security Intelligence Service, when that body was created in 1984.

There were, however, differences between criminal law surveillance and the security intelligence surveillance conducted by CSIS. (Note that “security intelligence” is a shorthand for a finite list of issues enumerated in the CSIS Act and relating to “threats to the security of Canada”). 

For one thing, Part VI authorizations must ultimately be disclosed – both their particulars (to the person surveilled, after expiry of the authorization) and also annual statistics on the number of such measures. 

In practice, the annual numbers of CSIS warrants do appear in the CSIS review body’s annual reports.  However, the existence of CSIS warrants are not disclosed to their targets, and only come to light in the rare instance where a CSIS investigation morphs into a criminal matter and is passed on to the police and ultimately results in criminal charges, or even more rarely when a particular CSIS surveillance operation becomes a matter of public controversy.

Canadian law, in other words, places criminal law surveillance and security intelligence surveillance on a different legal footing when it comes to transparency.

C.  Privacy and Foreign Intelligence

Then in 2001, the National Defence Act was amended to codify formally the intercept powers of Communications Security Establishment Canada.  Of particular note, the new law opened the door to lawful intercept by CSEC of Canadian “private communications” as part of what I’ll call its Mandate A – that is, collecting foreign signals intelligence. 

Up until this point, had CSEC intercepted private communications in performing this function, it would have committed a crime under Part VI of the Criminal Code.  After 2001, CSEC was exempted from Part VI so long as the Minister of National Defence authorized any intercept of private communications. 

Obviously, the fact that authorization comes from the minister, and not a judge, places CSEC on a fundamentally different footing than the police or CSIS.  Moreover, unlike CSIS or Part VI authorizations, CSEC authorizations are for an “activity” or “class of activity” and do not relate to a specific individual or individuals.  They are, in other words, more generic intercept permissions.  And in terms of transparency, the CSEC review body tells us how many ministerial authorizations exist, but we know nothing about their content (which rests a closely guarded secret).

These differences in the CSEC lawful access regime likely reflected the perception that CSEC’s eyes were outward looking, focused on foreign signals intelligence that only incidentally and haphazardly swept up domestic communications.  Conventional privacy protections could, in these circumstances, be muted.

Much has since been said and debated as to what CSEC does and does not intercept, and how and in what circumstances it captures private communications.  I will not rehearse that saga here.  Nor will I address the constitutionality of the CSEC law, a matter now in dispute in the lawsuit brought by the BC Civil Liberties Association last Autumn. 

Instead I make my key point: since 1974, the scope of lawful access has gone from: first, police investigating crime and intercepting with specific and delimited judicial authorization that then is subsequently disclosed; second, CSIS investigating security intelligence matters and intercepting with specific and delimited judicial authorization, that is never disclosed, and; third, CSEC collecting “foreign intelligence” by intercepting private communication (at least incidentally) with more generic authorization, not from a independent judicial officer, but from a member of the political executive, that is never disclosed.

D. Implications of Morphing Mandates and Technological Change

In the result, we have a system of surveillance law designed for a criminal law paradigm, tweaked to deal with security intelligence and essentially abandoned in all material respects for foreign signals intelligence. 

This may have been sustainable in a period when the world partitioned neatly into these three categories.  However, since 9/11, national security – and specifically anti-terrorism – concerns have become increasingly hybridized criminal/security intelligence/foreign intelligence issues.  This is illustrated in the law books by the fact that in 2001, Part VI was amended to lengthen the maximum duration of a police intercept authorization in anti-terrorism criminal investigations, to lower the thresholds required to obtain such authorizations, and to make delays in disclosure of the authorizations’ existence easier to obtain.

In actual surveillance practice, meanwhile, it is apparent that the foreign intelligence/security/crime boundary is murky.  For instance, there has been some controversy in the past between CSEC and its review body about whether some CSEC activities truly amount to foreign intelligence gathering.  In 2008, for instance, the CSEC review body asked, in internal communication with the government, “[i]s CSE[C]’s (a) mandate the appropriate authority to conduct [redaction] in the context of a criminal or national security investigation of a Canadian in Canada?” The review body ultimately called on CSEC to re-examine and reassess the legislative authority used to conduct at least some of its collection activities.

That particular concern seems now to have been resolved.  More recently, however, controversy over CSEC’s metadata collection program reflects a second notable development since the 1970s: how technological change has undermined a privacy regime first constructed for a simpler communications age.  By all reasonable accounts, metadata – especially when pooled with Big Data – can be even more revealing of human behaviour than even intercepted communication content.  Yet, the government seems regularly to take the view that metadata is not private communication, as a legal matter. 

I dispute this particular conclusion in 12,000 words or less in an article that will appear in due course.  However, to the extent this position animates inside-government approaches on this issue, it has the effect of rendering the privacy protections in Part VI irrelevant, and indeed exempts CSEC from needing even a ministerial authorization for its metadata intercepts.

In the result, we have intercepts of potentially revealing information with no statutorily-prescribed advance judicial or even ministerial oversight and no formal disclosure requirements of any sort.  One counterargument is that the review bodies serve as the public’s proxies in holding the security services to account.  I do not dismiss their significance.  In the area of privacy, they are, however, irrelevant.  The cardinal principle of privacy protection in Canadian law is advance authorization of invasions of privacy by an independent judicial officer, not after the fact criticisms by an arm’s length wing of executive government.

I personally believe that these issues are likely to be resolved on Charter grounds, and probably not in the government’s favour.  But it is also now apparent that this will need to be fiercely litigated.   

And so I’ll end with a pious admonishment.  The blurring of mandates, and the evolution of invasive search and Big Data analysis powers in the hands of the state’s security services should not change the existing scope of privacy protections, whether statutory or constitutional.  This is a common sense observation that Canadians should reasonably expect their government to honour by instinct, not resist at every turn.