Bill C-59

Bill C-59 Flowcharts: Revised and Expanded

Once more unto the breach...

Bill C-59 will hopefully, finally, soon (?) inch its way to the senate committee, after second reading (still underway) in the senate. I confess, I am looking at the parliamentary calendar and starting to feel a bit nervous. As readers of this blog or listeners to "A Podcast Called INTREPID" will know, I do not embrace every aspect of C-59. But I think it a vital bill -- and a vast improvement on the status quo -- measured on both accountability and security grounds. And in its absence, that status quo will oblige a number of public interest groups to reignite their various court challenges. (If I were the government, I'd be worried about at least some of those challenges.) And watchdog entities like SIRC will have to continue issuing reports saying CSIS is in non-compliance with its current laws (in relation to datasets) and the CSE commissioner will be obliged to continue its decade-long complaints about statutory ambiguities. None of this is sustainable. And meanwhile, our security services would have all the powers and competencies necessary for the analog era. So this is an important law project.

But it is also important for people to understand what is in this complicated bill. I have reached my 20th year as a lawyer, and I continue to believe the most important thing I ever learned in law school is how to reduce a complicated area of law to a decision-tree flow chart. Unless you can make those boxes in the flow chart connect, you are missing something, or the law is missing something. So I continue to make such charts and devices, usually for my personal understanding.

In the event, however, that my labours are useful to others, I post my revised and expanded bill C-59 flowcharts. These now do two things: 1. They outline how CSE's new mandate powers will operate, and the checks and balances on those. 2. They show how CSIS's security intelligence, threat reduction, foreign intelligence and "dataset" (bulk data collection and retention) regimes will work (and the checks and balances on those), if C-59 becomes law.

I have done my best *not* to make mistakes, and have shared these charts with knowledgeable people who have made helpful comments. But caveat emptor -- there will be glitches. Also, there are areas where provisions may be interpreted differently. I have tried to flag those areas where I know others have a different take -- that provides evidence either that I am idiosyncratic or that the provision in question is ambiguous. And then I have also flagged areas where I have concerns that I know I am not alone in having. (Those are in the red boxes.)  Here, I feel danger lies, as these uncertainties could be tomorrow's controversies.

If anyone spies any errors, please let me know.

Revised C-59 Flow Charts:

1. CSE Mandates (as of Senate first reading)

2. CSIS Powers (as of Senate first reading)

Bill C-59 and the Judicialization of Intelligence

With the teaching term winding down, I am preparing more formal papers, stitching together pieces memorialized as blogs on this site. My first effort is here. Abstract:

Canada's Bill C-59 responds to quandaries common to democracies in the early part of the 21st century. Among these challenges: How broad a remit should intelligence services have to build pools of data in which to fish for threats? And how best can a liberal democracy structure its oversight and review institutions to guard against improper conduct by security and intelligence services in this new data-rich environment? This paper examines how C-59 proposes re-shaping the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE) in fashions responding to these dilemmas. Specifically, it highlights C-59’s proposed changes to CSIS’s capacity to collect bulk data as part of its intelligence mandates, and also the new oversight system proposed for CSE’s foreign intelligence and cybersecurity regimes. The paper examines the objectives motivating both sets of changes, and suggests that in its architecture, C-59 tries to web together the challenges of intelligence in a technologically-sophisticated, information-rich environment, with privacy protections derived from a simpler age but updated to meet new demands.

Does CSE risk a Re X moment with the current drafting in C-59?

This is a third quick posting on some of the issues I have been wondering about in the CSE Act, proposed by bill C-59. I have not reviewed all the submissions to the Commons national security committee (which have been often excellent and thoughtful). But I am not aware of any discussion so far on today’s topic: lining the CSE Act up with international law.

Here, my preoccupation is with active and defensive cyber operations, and not foreign intelligence collection.  The latter raises arguably similar international law issues, but I have canvassed those elsewhere, in other contexts. (See here and here). (On this issue, I am in receipt of a new article from European colleagues examining this same question – which I look very much forward to reading.)

Nor do my remarks relate to CSE’s (cyber) participation in an armed conflict. Such involvement would, I assume, arise in an exercise of the CSE’s assistance mandate, in relation to the Canadian Armed Forces. There, an obvious concern is with CSE’s direct participation in hostilities, while an unprivileged belligerent (that is, something other than an armed force). This prospect raises real concerns under the laws of armed conflict. Not least: participating CSE employees could be targeted and prosecuted for their conduct, enjoying neither protected status nor combatant’s immunity. But I hope to be able to point readers to an excellent digest of those issues by a more expert analyst soon.

My focus here is on CSE’s autonomous active/defensive cyber mandate, anticipated in sections 19 and 20 of the proposed Act. And so, active cyber may involve activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.

That is a vast mandate, constrained by a caveat that the activities be outward facing from Canada and not cause (intentionally or by criminal negligence) death or bodily harm or willfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy.

CSE is exempted from a narrow range of law

Cyber ops must be authorized by the defence minister (in the case of active cyber, blessed or requested by the foreign affairs minister). But the activity itself need not comply with “any other Act of Parliament or of any foreign state” (s.31; 30).  As far as I can tell, this is the only carve-out pertaining to other legal regimes applicable to cyber ops.  (If I am missing something, happy to be disabused.)

And the modest scope of this carve-out is what gives me pause. If it enacts this provision, Parliament authorizes violations of federal and foreign “Acts”, something it is free to do in a system based on parliamentary sovereignty.

CSE is not exempted from international law

Parliament is also free to authorize violations of Canada’s international law obligations. This does not relieve Canada of state responsibility in international law for such violations.  But it does make it legally possible in domestic law to violate international law.  But herein lies the rub. The Supreme Court has made it abundantly clear that Parliament is assumed to legislate in compliance with Canada’s international obligations, and that deviations from this presumption cannot be presumed. Instead, there must be “unequivocal legislative intent to default on an international obligation”.  See Hape, para. 53.

This was the exact issue that ensnarled CSIS in the Re X decision on extraterritorial invasive surveillance. Parliament corrected that problem in bill C-44 (2015), by permitting the Federal Court to authorize warrants even in violation of foreign or “other” law. “Other” in the context might reasonably be construed as “international”, although it might be argued otherwise.

Strangely, the CSE Act does not do this. It does not replicate the CSIS bill C-44 formula of “foreign and other laws”. It reaches, at best, foreign “Acts” (that is, primary legislation). I do not see how this reference to “Acts” can be read to empower CSE to violate international law. (Indeed, I do not see it as unambiguously authorizing violations of other possible sources of foreign law – for instance, constitutional, common law or regulations or equivalents. But the international law issue is the big question, since it binds Canada). There is much international law indisputably applicable to Canada that is not codified or covered in foreign “Acts”.  Indeed, it would be incongruous, indeed patently ridiculous, to assert that foreign “Acts” constitute the sum total of international obligations binding on Canada.

International law precludes extraterritorial exercise of enforcement jurisdiction

Accordingly, were I giving legal advice in relation to an active cyber operation, I would conclude that CSE cannot act, unless that cyber operation complies with international law. And that raises the big issue: international law precludes the exercise by a state of “enforcement jurisdiction” on the territory of another state, without its consent or some other permissive rule of international law. I have discussed here the application of the “enforcement jurisdiction” in a cyber context. Where it might exist will be debated, on the margins. But the more kinetic the impact of the active cyber, the more likely the violation of this norm.

(And I’d add that the permission to breach “Acts of Parliament” offers no different answer on this question.  As Hape notes, customary international law – of which the bar on extraterritorial enforcement jurisdiction is a part – is considered part of the common law of Canada – and that is only displaced by statute. The CSE Act does not displace it. It does not displace any Canadian law other than “Acts of Parliament”.)

The result should be a real and significant fetter on exactly what sort of activity CSE can perform as part of its unilateral active/defensive cyber mandate.

I have no real issue with this as a policy choice – by disposition I am not tremendously keen on a state doing an end-run around established doctrines of international law using data streams where it cannot use corporeal bodies.

Was this a policy choice or a drafting issue?

My concern is, however, that the government may not have fully turned its mind to this issue in designing the CSE Act. Put another way, it may have drafted an outcome it does not intend to honour. If it really does think it has exempted CSE from the considerable strictures of international law, and CSE acts accordingly, CSE may have its own Re X moment. If its policy objective is a muscular cyber ops capacity, the government may wish to have Parliament speak on the international law issue in an amendment – because silence retains the full international law fetter.

(And if that weren’t enough, we need to look over our shoulders at this throw-away line from the Supreme Court in Hape: “Neither Parliament nor the provincial legislatures have the power to authorize the enforcement of Canada’s laws over matters in the exclusive territorial jurisdiction of another state.” We’ll assume that the Supreme Court did not mean to suggest that Parliament lacks jurisdiction – period – to authorize invasions of a foreign state’s sovereignty.) 

It is true this kind of esoteric legal issue may never be adjudicated. But people have been saying things like that for years. I am still waiting for it to be true.

The (Quasi) Judicialization of CSE Cyber Operations (Active & Defensive)

 

As noted in my prior post, there are a number of really interesting briefs prepared by various stakeholders, going into the next round of House of Commons legislative hearings on bill C-59.  Many seek to ratchet tighter the accountability structures in the bill, especially for CSE and CSIS (where they don’t call for the outright abandonment of these agencies’ proposed new powers).

I haven’t had a chance to review all the specific ideas, but two of these sets of recommendations stand out for me in this area. In my last post, I addressed the question of “publicly available information”. In this one, I want to noodle through the extremely complex question of whether the Intelligence Commissioner should have oversight jurisdiction to vet and approve, in advance, and on a reasonableness standard, CSE’s proposed active and defensive operations (“cyber ops”).

Citizen Lab and the current CSE commissioner have both urged this role for the new Intelligence Commissioner, supplementing that official’s responsibility to vet ministerial authorizations issued for foreign intelligence (FI) and cybersecurity (CS).  (As an aside: for my part, I have suggested that the ministerial authorizations for FI and CS do not meet constitutional standards, because they are only required where CSE violates an “Act” through its collection.  So if at issue was “private communication”, intercept without authorization would violate the Criminal Code.  But the government has argued that private communication does not include metadata.  In fact, there is no Act of Parliament violated by the foreign collection of metadata, including the incidental collection of Canadian metadata -- if there was, CSE would have been violating it for years. And so, under the current drafting of C-59, there is no requirement to seek a ministerial authorization vetted by the IC.  And yet, there is a clear constitutional privacy interest in that metadata. There is *nothing* in either the current CSE law or the proposed CSE Act that meets the standards in the jurisprudence permitting “warrantless” intercepts -- or could meet that standard, in my view, given the nature of CSE’s bulk activities. End result: a new constitutional lawsuit, scandal, acrimony, disaster. Please, please fix this! Make sure the authorization process is triggered by all collection activities or classes of activities that engage information in which a Canadian or person in Canada has a reasonable expectation of privacy.)

The CSE Act Structures Cyber Ops MAs and FI/CS MAs Differently

But back to the proposal to extend the IC function to cyber-ops.  First observation: for cyber-ops, ministerial authorizations are required for all cyber-ops (s. 23(2)(b)).  This isn’t like FI and CS, where there is a trigger obliging some activities to go for approval and not others (s.23(3) and (4)). In my comment above, I suggest the FI/CS MA trigger is too narrow. I *want* to steer FI and CS activities that implicate Charter rights into the MA and then the IC process. But I am not proposing steering those that *do not* otherwise violate Canadian law through this process.  I do not think, for instance, that a CSE targeted intercept that collected the telephone call of a foreign person in a foreign state, with no prospect of any nexus to Canada, attracts Charter rights. Without embarking in a discussion of the Supreme Court’s (unclear) Hape decision, it would be unlikely that the Charter applies, and that the target has any section 8 rights. And I am not among those inclined to think international law imposes meaningful privacy obligations on Canada in these circumstances – and certainly not a judicial pre-authorization requirement.  I do think there could be extraterritorial enforcement jurisdiction violations in international law, but in the area of spying it is a close call; international law is, as I have said, creatively ambiguous in this area. So I would not embark on the “judicialization of intelligence” in such a manner, again assuming there was no prospect of a Canadian nexus.  I make these sorts of points in greater detail in this article.

So my initial point: To simply superimpose IC oversight on cyber ops MA means, under the current architecture, asking the IC to approve all CSE cyber ops activities. (ss. 30 and 31). 

Would this be a good thing?

That may sound like a good idea right out of the gate.  But I have been going around in circles because I find it complex. I thought I’d memorialize my struggles.

  • First, cyber ops should not, if the Act is applied properly, implicate the collection of information, except as properly authorized by a FI/CS authorization (s.35(4)).  Right away, this makes it unlawful under the statute to use cyber ops as a stalking horse for some sort of autonomous information collection activity (on top of likely unconstitutional to the extent that information collected does attract s.8 protections). So the privacy issues should be muted here, even if the activities authorized by the cyber op authorization may involve some of the same techniques/practices.
  • Second, some cyber ops may implicate other Charter rights and Canadian law. At first blush, this may be rare (even very rare) because those rights and laws are usually confined to the territory of Canada. That said, the “real and substantial connection” test may make things like criminal mischief commenced here and remotely conducted against a foreign computer a crime with a sufficient nexus to Canada. But I am not sure that superimposing the IC into the approval process for such actions is an *obligation*.  We do allow our security services to break statute law in pursuing aspects of their mandate and we don’t always require pre-authorization by a judicial officer.  For example, Criminal Code, s.25.1 for the police allows law-breaking through administrative approvals within the police services.  On the other hand, CSIS threat reduction power does oblige judicial pre-authorization for breaches of Canadian law, which would presumably include overseas conduct that, on a real and substantial connection to Canada basis, violates Canadian law (or in some other manner where the Canadian law applies extraterritorially).  The CSE Commissioner, in his brief, points to this CSIS precedent to justify his view that cyber ops should be subjected to IC oversight. It is hard to argue against this parallel.
  • Third, international law may be breached by cyber ops.  (And indeed, international law is likely breached by CSIS extraterritorial threat reduction and perhaps intrusive surveillance done in violation of a foreign state’s laws, and thus its sovereignty.  That is a violation in the area of extraterritorial enforcement jurisdiction.  I have argued that this international law breach would require pre-authorization by the Federal Court, under the current CSIS Act. See here.) Invasive cyber conduct and international law is an issue I have discussed here, in the context of covert action.

This third argument is a strong justification for an IC involvement in cyber op authorizations.  But it depends on a final supposition: that either international law or domestic law or good policy is served by having an independent judicial officer scrutinize Canada’s international conduct and bless (or not) breaches of it. There are many, many areas where Canada’s international obligations are engaged where we do not involve pre-vetting by judges. The overseas conduct of the Canadian Armed Forces is an example.  When the Canadian Armed Forces chooses to bombard an enemy, say in Afghanistan, it is reviewed for legality under international law, most notably by the JAG team.  But they do not seek the blessing of a judge. Our system expects (and under the terms of the Baker decision of the Supreme Court, I would argue, obliges) members of the executive to observe Canada’s international obligations in exercising their discretion.  But we do not then submit that judgment to advance approval by a judge – indeed, it is near impossible to subject it to any form of judicial review, as many of these matters are considered non-justiciable (if they do not raise Charter issues, which as suggested above they rarely do).

CSE cyber ops are the sort of activity that would typically be considered an exercise of defence or foreign policy, and absent some statutory displacement, governed by the royal prerogative.  That is why the military could hack away and turn off lights and never need to meet a statutorily-prescribed approval regime.  But because CSE only has statutory powers (since 2001), it must look to its statute to find the power for cyber ops. Hence, C-59.  So the question is: because CSE is a statutory creature, should the once relatively unfettered powers to engage in defence and international affairs now implicate judicial pre-authorization?

This provokes additional questions: would we be best served by an IC looking at all cyber ops to establish the reasonableness of them?  If so, would the IC be empowered to assess the inevitable political dimension of the minister’s authorization – his or her judgment, for example, that the security risk posed by a malignant server justifies CSE reaching out and turning it off? Or would we craft language confining the role of the IC to indisputably legal issues? If so, would the IC be better equipped to assess Canada’s compliance with international law than the executive?  Which raises a question: then why stop with IC involvement in the cyber world? Should the artillery officer's orders also be pre-vetted by a Combat Commissioner for compliance with IHL (international humanitarian law)?

The bottom line: I am torn on this issue. I worry about giving the IC too global a role in areas of high policy where he or she would not be equipped to apply rules, but rather second guess political judgment.  For one thing: the IC then ends up wearing whatever they approve.  And if they dispute, without clear legal standards to ground that dispute, then we have a clash of responsibilities. Who should be responsible for these decisions of high policy: a minister accountable to Parliament or an appointed quasi-judicial officer?

On the other hand, if you agree that judicial pre-authorization is required for extraterritorial CSIS threat reduction (at minimum), what’s good for CSIS under threat reduction should probably also be good for CSE under cyber ops. I must say, in both cases, I wonder a lot about what a court (or the IC, if its remit is extended) would say in response to an op that violates, say, the sovereignty interest of a foreign state.  This is a whole lot of novel territory.  Which makes it interesting, but also worthy of close consideration.

I am probably missing much and wrong on other issues, but heck, it’s my blog. This is probably one of those entries that will soon be supplemented with a lot of supplemental additions.

 

Updated: A listener's guide to C-59

The Parliamentary process on bill C-59, the largest overhaul of Canadian national security law since 1984, is well underway.  You can find the proceedings in front of the House of Commons Standing Committee on National Security and Public Safety here.

Lots of people have written primers. Kent Roach and I did a basic early assessment here.  And I posted a meditation here. I have posted two "decision-tree" schematics, one on the new CSE powers and other on CSIS datasets.  The written notes to my committee appearance are here.

But for those following along with A Podcast Called INTREPID, Stephanie Carvin and I have been getting into the weeds. And we finally got through the whole bill! So here is a Listener's Guide to Bill C-59:

  • Episode 3: The Challenge of Watching Watchers: bill C-59's new "review" body, the National Security and Intelligence Review Agency.
  • Episode 6: Commissioner, Minister, Lawyer, Spy: bill C-59's fix to CSE's current (very) constitutionally-suspect system of foreign intelligence and cybersecurity activities implicating Canadian private communication or metadata. (We did not discuss how we haven't quite fixed the problem but could with a few words of amendment. See here. I think I have been persuaded that my one-word fix may fix the constitutional problem and create an operational problem. So I have a different, five or six word fix that I presented to the committee here.) This podcast also discusses new powers for CSIS to receive and analyze and retain information not tied only to threats to the security of Canada. (Feel free to shake your head should anyone claim that C-59 does not include substantial new powers for intelligence services).
  • Episode 8: The Legal Pile-On, the No-Fly Glitch, and the Police Probe: includes a discussion of Canada's creaky no-fly list and how C-59 fixes it in part, but still fails to resolve it in full.
  • Episode 9: Cyber-Cyber-Bang-Bang: discusses C-59's considerable expansion of CSE's mandate to include offensive and defensive cyber.  (Again, feel free to shake your head should anyone claim that C-59 does not include substantial new powers for intelligence services).
  • Episode 10: The first thing we do, let's disrupt all the lawyers: discusses C-59 and CSIS threat reduction powers and what changes and what doesn't.  And discusses new criminal immunity powers for CSIS sources (and officers) doing intelligence work and the checks and balances. (Please keep shaking that head if people try to tell you this bill doesn't offer anything to the security services).
  • Episode 12: The SCISA in the Limit (on Information-Sharing): C-59 and the Security of Canada Information Sharing Act, focusing on the tension between the ready flow of information and privacy.
  • Episode 14: Locking Them Up: We focus on the Criminal Code amendments: the parts of C-59 that can involve locking people up or otherwise constraining their liberty. We discuss changes to the bill C-51 speech crime and also "preventive detention" and "peace bonds" as well as the terrorism group listing process.

Hope some of this helps!

Statement to House of Commons SECU on C-59

Statement

SECU Hearings on C-59

Craig Forcese

5 December 2017

I wish to extend my sincere thanks to the committee for inviting me to appear on bill C-59. It is always an honour to be asked to share my observations before this committee.

My colleague Kent Roach is appearing before you next week. He and I have divided-up C-59. Today, I shall be addressing the new Communications Security Establishment Act and the amendments to the CSIS Act.

I support most of the changes C-59 makes in these areas. I recognize the policy objectives they seek to address. I believe the statutory language is usually carefully considered and robust. But I do have one serious concern.

 

CSE Act

I begin with the CSE Act and make my single recommendation today. I respectfully submit that this committee should amend s.23(3) and (4) to indicate CSE may not, without ministerial authorization, contravene the reasonable expectation of privacy of any Canadian or person in Canada.

I have provided a brief describing the rationale for this change. (And I should disclose I have been an affiant in the current constitutional lawsuit brought by the BC Civil Liberties Association challenging CSE activities. But today I appear on my own behalf.)

To summarize my concern:

While engaged in foreign intelligence and cybersecurity activities, CSE incidentally collects information in which Canadians or persons in Canada have a reasonable expectation of privacy. Because this is done without advance authorization by an independent judicial officer, this likely violates section 8 of the Charter.

Bill C-59 attempts to cure this constitutional issue through a ministerial authorization process, one that involves vetting for reasonableness by an Intelligence Commissioner, a retired superior court judge.

This is a creative and novel solution. It preserves a considerable swath of ministerial discretion and responsibility. It is not a full warrant system. Still, given the unique nature of CSE activities, I believe it constitutionally-defensible.

But the new system will only resolve the constitutional problem if it steers all collection activities implicating constitutionally-protected information into the new authorization process.

The problem is this: C-59’s present drafting only triggers this authorization process where “an Act of Parliament” would otherwise be contravened. This is a constitutionally-underinclusive “trigger”. Some collection of information in which a Canadian has a constitutional interest does not violate an “Act of Parliament” (for example, some sorts of metadata).

The solution is simple. Expand the trigger to read: “Activities carried out by the Establishment in furtherance of [the foreign intelligence or cybersecurity aspects] of its mandate must not contravene any other Act of Parliament or involve the acquisition of information in which a Canadian or person in Canada has a reasonable expectation of privacy unless they are carried out under an authorization”.

This may seem a lawyerly tweaking. But if we fail to cure the existing problem with CSE’s collection authorization process, a court may ultimately determine CSE has been collecting massive quantities of data in violation of the constitution. Such a finding would decimate relations with civil society actors, placing CSE squarely in the cross-hairs of a renewed controversy and making it very difficult for private sector enterprises to partner with CSE on cybersecurity without risking reputational fall-out themselves.

With C-59, we have a chance to minimize this kind of problem.

 

CSIS Act

I turn to the CSIS Act changes. C-59 does three things.  First, it permits CSIS new authority to collect and potentially retain so-called datasets.

Here, the tension lies in balancing the operational need for CSIS to be able to query and exploit information against the privacy imperative.

Rather than prescribe hard standards for datasets, C-59 opts for a system of in-advance oversight. The Intelligence Commissioner is charged with approving the classes of Canadian datasets that may be initially collected, and the Federal Court authorizes any retention of actual datasets.

While I am wary of the idea of datasets, I cannot dispute the rationale for it, and can find no fault with the system of checks and balances.

The second CSIS Act change relates to revisions to CSIS’s threat reduction powers, introduced in C-51 in 2015. These provisions were rightly controversial. For our part, Kent Roach and I did not dispute the idea of threat reduction. But we worried CSIS threat reduction done as a continuation of our awkward, siloed police and intelligence operations runs the risk of derailing later criminal investigations and prosecutions. This would be tragic from a security perspective.

From a rights perspective, C-51 lacked nuance. It opened the door to a violation of any Charter right, subject to an unappealable, secret Federal Court warrant. The regime was radical and, in my view, almost certainly unconstitutional. It was, therefore, unworkable, whatever the strength of the policy objectives that propelled it.

C-59 places the system on a more credible constitutional foundation. It ratchets tighter the outer limit on CSIS threat reduction powers. By barring detention – a power I sincerely doubt the service ever wished – it eliminates concerns about the many Charter violations for which detention is a necessary predicate.

And by legislating a closed list of activities that can be done when a warrant is sought, Parliament tells us what Charter interests are plausibly in play: essentially, free speech and mobility rights.

I believe that if threat reduction is to be retained, this new system reasonably reconciles policy and constitutional issues.

Last, the C-59 CSIS Act changes create new immunities for CSIS officers and sources engaged in intelligence functions who may violate law during those activities.

The breadth of Canada’s terrorism offences makes it certain that a confidential source or undercover officer will commit a terrorism offence simply by participating with the terror group that they infiltrate. An immunity is necessary. The issue is whether there are sufficient checks and balances guarding against abuse of this immunity. Again, I think C-59 does a good job in festooning the immunity provisions with such checks.

I will end, though, with a caution. Our conventional manner of siloed police and CSIS parallel investigations lags best practices in other jurisdictions, which employ more blended investigations. As the Air India bombing inquiry observed, we struggle with what is known as intelligence-to-evidence.

The government is working on this matter. We should be conscious, however, that what CSIS does in its investigations, whether in terms of immunized criminal conduct or authorized threat reduction, could derail prosecutions if not done with a close eye to down-stream impacts.

This issue might usefully be a topic of inquiry for the new security and intelligence committee of parliamentarians.

Thank you for your attention and I look forward to any questions.

Bill C-59 Flowcharts: CSIS dataset approval processes

Again, for my own use, to make sure I understand how the system will work, I have prepared a "decision-tree" on the proposed CSIS acquisition and retention of "datasets" -- that is, electronic archives of information that is not itself strictly necessary for a threat investigation under s.12.

Again, caveat emptor, as I do not claim this is perfect! But if of use to others, I share. (If it does not open when you click on the thumbnail, it may be downloaded here.)

Bill C-59 Flowcharts: CSE mandates approval processes

Ottawa is apparently full of flowcharts outlining the bill C-59 powers to various security services. In preparation for my own appearance at SECU, I had time to draw up a diagram on CSE's new powers. I prepared this for personal use late into a Sunday evening, so I cannot promise it is perfect. But if it is a helpful starting point for others, I post here. (If the chart does not appear in full resolution when you click below, click here).

A Listener's Guide to Bill C-59

Bill C-59 is back with a rush. The initial debate in the Commons was disappointing and I fear for the future of the little that remains of my hair. So without pointing specific fingers: We need to debate what is *really* in this bill (or not), not what various political bases want to *believe* is in the bill. There are important things that can be meaningfully debated about what *is* in the bill and what *is not* in the bill.  There is no meaningful debate to be had about things one *imagines* are in the bill.

Once more unto the breach, I will try to squeeze a few compact video primers into the short space between the end of the teaching term and the beginning of the grading purgatory. Kent Roach and I did a basic early assessment here. And I posted a meditation here. But for those following along with A Podcast Called INTREPID, Stephanie Carvin and I are getting into the weeds. So here is a Listener's Guide to Bill C-59:

  • Episode 3: The Challenge of Watching Watchers: bill C-59's new "review" body, the National Security and Intelligence Review Agency.
  • Episode 6: Commissioner, Minister, Lawyer, Spy: bill C-59's fix to CSE's current (very) constitutionally-suspect system of foreign intelligence and cybersecurity activities implicating Canadian private communication or metadata. (We did not discuss how we haven't quite fixed the problem but could with a few words of amendment. See here. I think I have been persuaded that my one-word fix may fix the constitutional problem and create an operational problem. So I have a different, five or six word fix.) This podcast also discusses new powers for CSIS to receive and analyze and retain information not tied only to threats to the security of Canada. (Feel free to shake your head should anyone claim that C-59 does not include substantial new powers for intelligence services).
  • Episode 8: The Legal Pile-On, the No-Fly Glitch, and the Police Probe: includes a discussion of Canada's creaky no-fly list and how C-59 fixes it in part, but still fails to resolve it in full.
  • Episode 9: Cyber-Cyber-Bang-Bang: discusses C-59's considerable expansion of CSE's mandate to include offensive and defensive cyber.  (Again, feel free to shake your head should anyone claim that C-59 does not include substantial new powers for intelligence services).
  • Episode 10: The first thing we do, let's disrupt all the lawyers: discusses C-59 and CSIS threat reduction powers and what changes and what doesn't.  And discusses new criminal immunity powers for CSIS sources (and officers) doing intelligence work and the checks and balances. (Please keep shaking that head if people try to tell you this bill doesn't offer anything to the security services).

In Episode 12, we will discuss C-59 and the Security of Canada Information Sharing Act.  And in Episode 14, we intend to discuss C-59 and changes to the C-51 speech crime and some of C-51 changes to preventive detention.

You can decide for yourself whether you like what's in C-59 or not, and whether it's good policy. You can decide for yourself if the bill grapples properly with hard dilemmas. We have our own views and perhaps make our own errors. But we believe that any opinion on C-59 is necessarily guided by (a) knowing what those dilemmas are and (b) what is in C-59. Hope this helps.

A One-Word Fix: Bill C-59, the Constitution & Communications Security Establishment Activities

As the parliamentary season starts, I have begun working up more detailed thinking on bill C-59, the government's massive national security law overhaul. A lot of this bill is about heading off constitutional and other legal train-wrecks. But it also includes measured moves into new areas, with attention to drafting these powers in manners that (hopefully) will not ignite new legal controversies. In some respects, it is about getting the law out of the way as a source of doubt, at the cost of accepting more structural checks and balances.

In a first note, I set out observations on the new "intelligence commissioner" process for CSE foreign intelligence activities. The focus here is on the question of whether C-59 is enough to cure the constitutional objections to CSE's current manner of operating. For what it is worth, I think it is one word away from doing that.

The Shiny Bauble of Ministerial Responsibility

There is another issue not addressed in the paper. Does the presence of the intelligence commissioner constitute an erosion of ministerial responsibility? This seems to be a recurring issue in some parts of Ottawa. I am not entirely sure everyone means the same thing in discussing the concept, but what it means is: a minister answerable in Parliament for subordinates, and responsible for the conduct of those subordinates.

Those who have read some of my public law work will know that my view on ministerial responsibility in Canadian government in relation to the second half of the above sentence is: "What a wonderful idea. Too bad it doesn't exist." As I concluded after surveying practice between 1950 and 2009, it is rare to the point of being unknown for ministers to resign in response to wrongdoings committed by their subordinates, at least officially. (Senator Forsey arrived at similar conclusions in his notable 1985 work, The Question of Confidence). The buck-stops-here concept of ministerial responsibility is a magnificent myth, not a reality. There is a reason why Donald Savoie called one of his books "Breaking the Bargain".

So, it seems a bad idea to preserve a myth by insisting on a form of unilateral executive oversight of CSE activities that is almost certainly unconstitutional without the interposition of an independent judicial officer.

And in the area of CSE, there are several additional exhibits tending to suggest that the status quo is a bad idea.  First, on information and belief, the minister of national defence's office has not had the internal capacity (at least in the past) to "red team" thoroughly CSE authorizations to intercept private communications.  Put another way, I fear ministerial oversight has been modest.

Second, so modest has been ministerial oversight in this area that when the Snowden disclosures came out and there were revelations of CSE collection of Wifi information from Toronto airport, it was CSE's review body that stepped most vocally into the breach to offer conclusions and observations. Put another way, the review body took bullets, something that should never happen in a world with functional ministerial responsibility.

Third, C-59 does not actually remove the minister from the driver's seat. It just puts the intelligence commissioner in the back seat, looking over the minister's shoulder. Unlike with conventional warrants, which judges shape (albeit with input from government lawyers), the C-59 system requires the minister to kick first at the authorization can, and set the terms and conditions. Only then does the intelligence commissioner review and bless (or not). This is a double-lock system in which the minister turns the key first. It is not one in which the minister is subordinated. Instead, he or she is watched.

As my article suggests, I think this is probably the most clever way to square the constitution with CSE's rather sui generis activities.  Take it away, and you run the real risk that the current system ends up at the Supreme Court. That Court has, of late, rarely turned down an opportunity to apply new understandings of privacy rules to new technology. Leaving it to the Court to speak first on this issue -- and perhaps narrow the range of options -- would be a huge mistake.

Added to which: a court finding that CSE's activities since (probably well before) 2001 have been unconstitutional would be disastrous for CSE. Indeed, even as we need to call upon it to do more in the area of cybersecurity and cyberassurance in the public and private sectors, its reputation would be shattered.  And those private sector companies that touch it with a ten foot pole risk collateral reputational injury.  Put another way, C-59 needs to solve the problem of a CSE currently tied to the tracks, with a Charter train rumbling toward it.

So you need to be a real risk-lover to preserve a status quo that a) does not include much, if any, real ministerial responsibility, but b) has managed to produce a lot of reputation-damaging fall-out.

A Law for New Seasons: Bill C-59 from the "Big Picture" Perspective of National Security Reform

Over the next few months, I will try to post thoughts on Bill C-59, the government’s massive national security overhaul package. Kent Roach and I have posted two quick assessments: an oped in Maclean’s and a longer piece at the Institute for Research on Public Policy website. I also provided reactions to the media in various places, including on The House here and Power & Politics here.

(We always worry about pushing out analyses of such complex legislation on an insta-response basis, and qualify what we say with an open invitation to point out errors and omissions. Like most people, I learn best when I write, reflect, discuss, revise.)

In this space, I want to meditate on two issues emerging in the discussion.  First, that C-59 is about correcting C-51, creating the impression (fanned by some politicians) that C-59 rolls back security powers.  Second, the resource and burden issue.

 

C-59: Reforming without subtracting

A word of warning: Kent and I always took the view that C-51 was dealing (mostly) with real problems, but the solutions were so festooned with their own shortcomings that they didn’t solve the problems, but did create a host of new ones.  (The speech crime was the exception: it was always a solution in search of an invented problem).

I won’t repeat our analysis here. (We set out our conclusions in the 600 pages of False Security.)

This is by way of saying: I was never in the “repeal and return to the prior status quo” camp.  Because that status quo meant returning to a security law system that creaked with age and inadequacy.

 

Fixing the Problematic Parts

If we expect the state to protect us, we need to give it tools. In part, this is because I believe the civil liberties implications of the day after a security failure are always worse than the civil liberties challenges raised during a calm, premeditated effort to give security services reasonable tools to prevent that incident. (After some bomb goes off, everyone assumes that it stems from a failure of law, and that we need fewer rights. Usually, the reason is more complex: sometimes it is operational. And sometimes it is simply a manifestation of the old IRA slogan about security services needing to be successful all the time, and terrorists only once. Those impossible odds mean something will always happen. And so you need social resilience, not a stampede to turn your society into North Korea.)

When we do security law and policy reform properly, the questions always are: which tools, are they proportional, and are they compatible with a liberal democracy (and avoid the “burning villages to save them” problem). And for anti-terror tools, focused on a threat embedded in a civil population, “overclocking” on your tools may precipitate the very threat you intend to stave off. (Witness the nonsense discussion on the margins of the internet last month, after the UK incidents, raising the prospect of mass internment. Setting aside the egregious rights violations, this is out past Pluto in terms of security: people need to spend more time examining the blowback consequences of mass internment. It’s a pretty good way to turn a difficult security environment into a 100-year war.)

C-59 is about correcting C-51’s (unnecessary, probably-never-actually-wanted-by-the-security-services) excess, and I think it generally does a good job here (with the real remaining concern being the light-touch amendments to the Security of Canada Information Sharing Act, renamed and tempered, but still vast).  For instance, I doubt CSIS ever wanted to be in the detention and rendition business – so why create a law that made that a legal possibility?

For more on these fixes, see our IRPP piece, linked above.

 

Dealing with (Some) of the Puzzling Omissions

But C-59 is also about giving new powers to the security services.  Four things stand out. First, by placing CSIS threat disruption powers on a more plausible (although surely still novel) constitutional foundation, it makes those actually usable.  (CSIS has clearly not been prepared to use threat reduction that raised constitutional issues under C-51, probably appreciating that the C-51 formula was an invitation for controversy in the courts and out).

Not everyone will think we’ve hit the sweet spot. See Michael Nesbitt’s excellent analysis. But we are way closer than with C-51 – with that bill’s formula, it was really hard to find a constitutional lawyer (not taking instruction from government) who thought we were even in the ballpark. And whatever we might conclude about how carefully drafted some of the new “closed list” powers are, I simply cannot think of any other way to square the constitution with some of the more potent threat reduction powers I believe are quite properly on the table (e.g., interfering with a suspected terrorist’s communications).

Second, I had not quite appreciated the extent to which CSIS was on the cusp of being paralyzed by its old law. For one thing, the limitations in its Act on retaining information – most dramatically illustrated by the Fall 2016 Federal Court decision on the CSIS ODAC initiative (see a write up here) – must be deeply constrictive of CSIS deploying big data analytics – or even basic Boolean searching – on information…that they cannot have. There are, of course, all sorts of privacy concerns – which is where close study is required of both the revamped collection and retention rules and their checks and balances. But at some point, one must concede that if you are to have an intelligence service, it needs to be able to collect, retain and analyze intelligence. (Privacy protections have always been about checks and balances, from their inception in the early common law through to the present day).

For another thing, I had not quite appreciated how dramatically changes in the concept of Crown immunity – and doubts about its application to CSIS operations – must be crimping operations. It may not be too much of an exaggeration to say, with all the new terrorism crimes introduced since 2001, that every CSIS officer and source covertly infiltrating a terror plot is at risk of prosecution. CSIS recruiting must go something like: “Thank you for your service. As soon as you participate with this group, you are a criminal. But we’ll put in a good word with the prosecutor – assuming we’re prepared to cough up our secret op details. Hopefully things will be ok.”  The response must be something like: “No way.” Or: “Ok, give me $8 million.”

I have no way to know if the problem is that dramatic. But legally, it may be. And if so, together the limit on CSIS data retention and the crimp on human source immunity are pretty serious. It might mean that Canada risks not having a real security intelligence service.

Unless you think the world is much safer than I think it is, that is an unhappy prospect. It is actually astonishing that this was not fixed a long time ago. So the issue is: are you happy with the C-59 solutions? And in responding, the first thing I look for is: checks and balances. So far as I work through the details, I think they measure up quite well – indeed, potentially very well, measured against international comparisons.

Third, the Communications Security Establishment has been burdened with too little law, and too narrow a mandate. On law, we have known since it was first given statutory footing in 2001 that the issue of Canadian-origin information intercepts raised constitutional issues. People have been writing about it for a long time. But it was one of those questions that were, um, academic, until Snowden.  After that, it became a matter of public controversy, and litigation.  Fixing this was never that hard – and I am very pleased to see that C-59 proposes what I think is a viable and even elegant approach.  (Although there is a bug in the drafting, I think, that may leave the problem unfixed.  That requires more explaining, and I will blog on that soon.)

On mandate, CSE’s cybersecurity mandate basically reaches: get into a defensive crouch, protecting your core and vital organs, while the North Koreans, Russians, Chinese, hackers etc pummel you. But the world has changed since 2001. The new “active” and “defensive” cyber operations powers, and the broadening of the traditional cybersecurity mandate make a lot of sense.  Again, that assumes you agree that the world presents real security challenges that require viable responses.  If you do, then the remaining question is: are you happy with the checks and balances?

Fourth, tempering C-51, and adding a whole host of checks and balances is actually security-affirming. In a democracy, the activities of the security service depend on consent and cooperation. Security powers that validate a lot of conspiracy theories erode that “social license”.

C-51 took a lot of conspiracy theories from “plausible only if you assume everyone is a legal rogue and ethically unhinged”, to “legally possible, even if still doubtful in practice because the people involved are not venal and unethical”.  (Our various commissions of inquiry criticized the services, but did not suggest wrongdoing was ill-intentioned – with the exception of the poisonous leaks someone released to smear Maher Arar.)  But as anyone who has spent more than 5 minutes working in a human institution knows, people and institutions make mistakes – sometimes enormous mistakes. Silos, group think, cognitive bias, habit, incompetence, laziness, inattention, petty jealousies.  All the vices of the human form. Law, guidelines, protocols, oversight, review and checks and balances are what we use to minimize the prospect of systems failing, especially where the consequences of failure are significant.

C-59 puts the law back in play as a code of conduct, in a way that C-51 relaxed too much.  I think that is important. One might expect this of a law professor. But I cannot really think of any examples of where “the gloves are coming off” approach to security law and policy in a democracy has worked well.  It tends to produce outcomes that some future political leader needs to apologize for, after a commission of inquiry, disastrous court losses, public acrimony and a general erosion of public trust.

 

Administrative Burden: Better than the alternative

And that brings me to the administrative burden conversation.  C-59 will amp up the checks and balances in national security law considerably.  So considerably that Canada may well be back to where it was in 1984: a leader in this area.  Predictably, there will be anxiety that this will shackle responses, drain resources and infuse lawyers and overseers into the nitty-gritty of security work.  C-59 is, in some respects, the judicialization of intelligence that former CSIS director Jim Judd disliked a decade or so ago.

It is also consistent with developments in other Five Eye states, and even the French have new law in the area of intelligence. (The French, famously, have had little).  It is inevitable: as soon as you focus on security threat emanating from your civil society, intelligence starts to drift closer to police work.  And so, it needs to abide by at least some of those standards that guard police work (many of which echo those announced by Robert Peel in establishing the first police force in the 19th century).

The new systems could be impossibly bureaucratic. Or they could be elegant and effective. Much will turn on design, resourcing, staffing. Inattention on these issues will produce disasters: impairing necessary security conduct, done by cautious, risk-averse services; and/or overpromising on accountability without delivering.

But I will say this: they are the quid pro quo to accomplishing that security expansion noted in the first four points of this blog.  C-59 should establish a regularized, professionalized system of checks and balances.  And whatever burden they impose, that would be dwarfed by the burden imposed by a creaky, inadequately constructed security system that lurches from scandal to commission of inquiry to judicial slap-down; with powers uncertain, planning interrupted by public controversy and all your staff-time devoted to appeasing a disgruntled Parliament, judge or commissioner.  In other words: the 2000s. I don’t know anyone (in any walk of life) that wants to go back to the scandal/response system of national security policy-making. That would be bad for security and rights.

 

Conclusion

In sum, C-59 is probably in, or near, the Goldilocks space between too hot and too cold. Which is not to say it is perfect, or that it fixes everything, or will please everyone.  For instance, the SCISA is not falling. (The author chuckles to himself.) And it isn’t to say we won’t suddenly discover a new concern in the 150 page document.

But based on about 5 readings of the full text and some deep dives on some of the more complex parts, it appears to be more carefully crafted than anything we’ve seen in this area in a long time – probably the 1988 Emergencies Act, and before that the 1984 CSIS Act.  That’s a good place to be, going into the parliamentary process.