I have prepared a series of blog entries on Noël J’s recent Federal Court judgment on CSIS’s retention of metadata from its warranted threat investigations. In this first entry, I try to articulate what this case is about.
It may be useful to start with an analogy (however imperfect): this case is about CSIS fishing in the sea for sharks. When it uses certain sorts of intrusive nets to sweep up sharks, that net use must be authorized by the court. But technology being what it is, the nets also sweep up other fish – a by-catch. The court accepted that by-catch can happen, but did not actually know what CSIS was doing with the by-catch. In fact, CSIS was keeping a fin from each fish caught in the by-catch. The court learned about this after 10 years of CSIS fin-collection. And then when it learned about it, the court concludes that the law governing CSIS obliged “catch-and-release”: the by-catch fish should have been released unmolested once identified as by-catch and not sharks. Because CSIS did not do this, it acted unlawfully. Plus in failing to tell the court, it violated very strong duties that it do so.
I will deal with the by-catch issue in this blog entry, and the duty of candour in a subsequent entry. I also have entries on the policy issues – which I think are significant on a number of grounds and perhaps more sweeping that seems apparent given the scope of the actual legal issues.
Basic Legal Background
Under its “section 12” mandate, CSIS collects, to the extent it is strictly necessary, and analyzes and retains information and intelligence on activities it has reasonable grounds to suspect constitute threats to the security of Canada.
This passage has several “magic words”: “to the extent that it is strictly necessary”; “reasonable grounds to suspect”; and, “threats to the security of Canada”.
“Threats to the security of Canada” is the only passage actually defined in the CSIS Act (in section 2). Suffice for our purposes to say it is broad.
“Reasonable grounds to suspect” has a generally well-understood meaning (although I still struggle to imagine how it is applied in practice): “suspects on reasonable grounds” is a suspicion based on objectively articulable grounds that may be lower in quantity or content than the requirement of reasonable belief, but must be more than a subjective hunch. R v Kang-Brown, 2008 SCC 18.
“Strictly necessary” has a fairly intuitive meaning. Less intuitive is whether this necessity standard qualifies merely collection, or also applies to analyze and retain. I will return to this below.
Under section 12, CSIS collects information. Where the means of that collection are sufficiently intrusive to trigger section 8 of the Charter (the protection against “unreasonable” searches and seizures) or the Part VI Criminal Code prohibition against unauthorized intercept of private communications (typically, a wiretap), it must get a Federal Court warrant. A judge will only issue a warrant if persuaded that CSIS has reasonable grounds to believe that it is required to investigate threats to the security of Canada.
"Reasonable grounds to believe" is a higher standards than the reasonable grounds to suspect standard that must be met for CSIS to begin an information collection investigation under section 12. Sometimes called “reasonable and probable grounds” in the constitutional caselaw, reasonable grounds to believe is much lower than the criminal trial standard of “beyond a reasonable doubt.” Instead, it is defined as a “credibly-based probability” or “reasonable probability.” R v Debot,  2 SCR 1140. In the administrative law context, courts have described it as a bona fide belief of a serious possibility, based on credible evidence. Chiau v Canada (Minister of Citizenship and Immigration),  2 FC 297 (FCA).
CSIS obtains warrants in a closed-court (aka secret) process in which only the government side is represented. The warrants can, and often do, impose conditions on CSIS investigations. There are templates for standard warrant applications. These templates are occasionally updated, a process that requires CSIS to apply to the Federal Court. This case came about through a belated updating process.
Operational Data Analysis Centre (ODAC)
CSIS collects many data in the course of its section 12 investigations. Not unreasonably, it wants to keep these data in order to pool them in a manner that it can then search to further investigations in the future. And so it created ODAC in 2006. It turns out it did not tell the Federal Court about ODAC, at least not in any real concrete manner.
This is important, because ODAC was pooling information collected via warrant. And that information included not only content and metadata produced by an investigative target’s own communications (the collection of which was authorized by warrant), but also so-called “associated data”. As the Court defined it, “associated data” are data “collected through the operation of the warrants from which the content was assessed as unrelated to threats and of no use to an investigation, prosecution, national defence, or international affairs”. In our analogy, we would call this "by-catch". Presumably a lot of these would be data from third-parties; that is, communication-related information involving non-targets, swept into the CSIS surveillance net. For telephony, this might include the speech of the person on the other end of a conversation, or the accompanying metadata (e.g., telephone number; geolocation of a cell phone, etc.)
For email, this could be a heck of a lot of content and metadata totally unrelated to the target’s communication. Email travels in packets across the internet, and packets bundle unrelated segments of individual emails. And so intercepting a target’s emails generally means intercepting all the packets, and the accompanying content and metadata of other people’s communications bundled with them.
CSIS chose, in the ODAC, to retain some of this “associated data”; and specifically, the metadata, although not the actual content of the communication.
This is a privacy issue. These metadata have been compared to “data on data” — that is, they constitute the contextual information that surrounds the content of an Internet transaction or communication. In a 2013 report, the Privacy Commissioner of Ontario compared metadata to “digital crumbs” that reveal “time and duration of a communication, the particular devices, addresses, or numbers contacted, which kinds of communications services we use, and at what geolocations.” And pooling metadata and applying “Big Data” analytics can paint an intimate portrait of people – which is exactly why it might be of interest to an intelligence service.
But the retention of these metadata is also a legal issue. For one thing, it now seems pretty clear after the Supreme Court’s Spencer decision that metadata are protected by section 8 of the Charter. For another thing, the CSIS Act determines what CSIS can do with the information it collects.
The Legal Issue
The Court did not reach the section 8 issue, although it acknowledged that the matter had been argued before it. Instead it focused on the CSIS Act issue. And there, the key consideration is whether CSIS can retain the information it collects through its investigations.
On this point, there are now two answers.
First, as per the Supreme Court’s holdings in Charkaoui II, CSIS actually has a constitutional duty to retain information related to its targets, or to threats to the security of Canada. As the Federal Court summarized this rule: “information that is indeed linked to threats to the security of Canada or to the target of a warrant must be retained in its original state by the CSIS to comply with the protected rights under section 7 of the Charter”.
Or put in more lay terms: CSIS can’t destroy information collected on targets/threats, because people implicated in those threats may subsequently be subject to legal proceedings that oblige full government disclosure in order to allow for a fair trial. And if CSIS has destroyed the original collected information (and, the argument would go) simply kept a cheery-picking summary, then no fair trial can be had.
But, second, this Charkaoui II rule does not apply to information unrelated to the target or threats – that is “associated data”. Charkaoui II was not about “associated data”. And so the Federal Court looked to the CSIS Act, and basically concluded as follows: associated data, by definition, is non-threat related. It is not, therefore, something that is “strictly necessary” to the investigation of threats to the security of Canada. Collecting it is, therefore, something CSIS should not be in the business of doing. Now, technology means it can’t help but collect it while undertaking its bona fide “strictly necessary” collection of threat-related information (remember the concept of “by-catch"). And so, court warrants allow for this incidental collection. But authorizing incidental collection does not bless indefinite retention. And indeed, indefinite retention is not something any court could authorize without effectively usurping the “strictly necessary” standard found in section 12.
And so CSIS retention of the “associated” metadata was illegal.
In my next entry, I’ll begin talking about the broader implications of this case.
 Ann Cavoukian, A Primer on Metadata: Separating Fact from Fiction (Toronto: Information and Privacy Commissioner Ontario, 2013) at 3.