The Meng extradition proceeding will clearly test one area of Canadian law: extradition law. (See here). It will also now probe another: constitutional rights at the border. Ms Meng’s lawyers filed a civil action suing officials (and especially the CBSA) for detaining Ms Meng at the border. There (plaintiffs allege) officials conducted pretextual border detention, questioning and searches (including of her electronic devices, for which she provided the passcode) in aid of US authorities, not in support of Ms Meng’s arrest for extradition purposes. The statement of claim is posted here. There have been questions about the legal niceties of this case. We offer a few quick observations.
The Federal Court this week released a lengthy decision that, unusually, dealt with CSIS’s s.16 “foreign intelligence” mandate. In so doing, it proved, once again, that an Act mostly left fallow for a generation spits up weeds.
The decision is deeply redacted, and we know precisely nothing about the target, subject-matter issue or investigative technique at issue. And that means there is no way for me to judge whether I think the Court “got it right”. But the underlying storyline is easy enough to imagine, even if the precise specifics are secret. And the policy issues can be surfaced with a hypothetical.
Who Was the Target?
The target was a foreigner physically in Canada. They could not be Canadian (or a Canadian permanent resident) – CSIS cannot investigate a Canadian or Canadian permanent resident under its s.16 mandate. And they had to be in Canada. This was a warrant application. A warrant would only be required, constitutionally, if the foreigner was in Canada. And besides, if the foreigner was overseas, CSE could have targeted him or her under its foreign intelligence mandate, Mandate A. But CSE cannot direct its foreign intelligence activities at any person in Canada. So bottom line: the person was in Canada.
What Was the Foreigner in Canada Doing?
We do not know what our foreigner in Canada – who we shall call Bob – was doing. We do know what Bob was not doing. He was not involved in terrorism, espionage, sabotage or foreign-influenced activities (at least not foreign-influenced activities within Canada or related to Canada, while detrimental to the interests of Canada). And I suppose for the sake of completeness, I should add Bob was not involved in subversion of the Canadian government. Because if Bob was involved in any of these things, he would pose a “threat to the security of Canada” and this would have been a s.12 CSIS “security intelligence” investigation.
But it was a s.16 investigation. Which means that Bob was being investigated to collect information or intelligence relating to the capabilities, intentions or activities of any foreign state or group of foreign states or some foreign person. This is what is called “foreign intelligence”. Basically, that means anything other than security intelligence.
Bob from Mordor
So, because all the good parts in the decision are redacted, let’s make up our hypothetical: Bob was a diplomat from the Embassy of Mordor, who was in fact from the Mordor Acquisition and Liaison Intelligence Collation Entity (MALICE). And while in Canada, Bob was part of an intelligence operation designed to influence the Government of Isengard, in a manner advantageous to Mordor.
Global Affairs Canada, which has an obvious interest in developments in Isengard, wants to get a handle on this foreign influence campaign. And so, it turns to CSIS. There is no clear way an investigation into this influence op falls within a “threat to the security of Canada”. (I suppose in some cases, it would be so egregious as to be “detrimental to the interests of Canada”, even though directed at a third state, but you can only bend that language so far.)
So, under s.16, the Minister of Foreign Affairs requests, and the Minister of Public Safety agrees, that CSIS will conduct a foreign intelligence investigation. But s.16 also says that CSIS may only engage in foreign intelligence collection “within Canada”.
Alice of Isengard
That works fine, to a point. Bob is in Canada. But his chief asset in Isengard is Alice, someone who has influential contacts in the National Repressive Ring Association (NRRA). And Alice is not in Canada. And moreover, Bob and Alice have 1990s style operational security. When they communicate, they do so by logging into Gondor Mail (G-Mail), an email service in Gondor. And they modify draft emails in an email account to which they both have access, housed on G-Mail’s Gondor-based servers.
The Warrant on Bob
CSIS wants to monitor Bob’s communications in Canada. Now Bob is a foreigner, but as noted, he has Charter s.8 rights. And so CSIS needs a warrant. And CSIS wants, with that warrant, to wiretap not just Bob’s phone but also access his email communications. But, nuts, the G-Mail servers are overseas. And CSIS is in no position to somehow insert keystroke logging on Bob’s embassy computer. And so, the only way (I shall assume, because I am not a tech-guy) to access the G-Mail draft folder is by hacking into the Gondor-based servers.
Now, pursuant to Mandate C, CSE can provide the technical wherewithal to do this. But CSIS needs to have lawful authority to seek this CSE assistance, meaning if CSIS needs a warrant, CSIS has to have one.
Whether CSIS needs a warrant may be a close call. If the communication is outside Canada, then perhaps the Charter does not apply because it generally does not apply extraterritorially. After all, if Bob were physically outside Canada, he would enjoy no Charter rights. (The Hape exception would apply only if Canada were in violation of its international human rights obligations -- not clear cut here – and, says earlier Federal Court jurisprudence, where the victim was a Canadian – not true here.)
So, is it too much to say that CSIS's intercept of Bob’s Gondor communications doesn’t require a warrant? Hmmm. Maybe. But this might still be a “private communication” under the Criminal Code (and I could easily change the facts so that it would be). And if so, the fact that one side of this communication starts in Canada is enough to require a judicial authorization process. So not much relief there. And besides, CSIS remembers the infamous Re X case and decides it is better to go to court now, to avoid a train wreck later.
So CSIS does the appropriate thing and concludes it probably needs a warrant. And more than that, it might also reasonably argue that on our facts (communication commences in Canada, travelling overseas through Canada etc) the collection really was “within Canada, enough”, and thus squares with s.16 of the Act. (A view that would be consistent with: the assumption that the Charter applies to Bob’s transiting communications, and the concept of private communication in the Criminal Code, and arguably the concept of territoriality in cases like R. v. Libman.)
But there is also another view: the content of what CSIS is intercepting is not in Canada. It can only be accessed by reaching out electronically across Canadian borders to Gondor, all the way over in Middle Earth.
So, what’s the answer? How do we read “within Canada” in s.16? Well, obviously it means “within Canada”, but what does that mean for footloose-communications? The redactions are thick in this case, and we really don’t know what sort of extraterritorial activity was at issue. But after a lengthy and seemingly exhaustive statutory interpretation exercise, the Federal Court says: this [REDACTED FOR PAGES] extraterritorial CSIS intrusive investigative activity was not within Canada.
Let's assume that hacking into Bob's Gondor Mail would also exceed whatever threshold of impermissible extraterritoriality was at issue in the Federal Court case. That is, it too would not be "within Canada". So, CSIS, in our story, you are out of luck. Maybe you should just ask Gondor to collect and share the Gondor Mail communications itself? But do you want to rely on Denethor II, son of Ecthelion II, Steward of Gondor? In The Two Towers, he struck me as a bit unhinged, to be honest. And perhaps he was a little too inclined to appeasement to Mordor.
The CSE Knock-On Effect
Ok, then. Open Door Number 2: if the communication is not “within Canada”, then that must mean that CSE can, in fact, collect under Mandate A (foreign intelligence). Surely, if the communication being targeted is not within Canada (and involves no one, but foreigners), then CSE collection activities are not being “directed at Canadians or any person in Canada” (the quoted phrase being a stipulation that limits what CSE can do under Mandate A). But hold that “surely”. It is a bit disingenuous to say: “so we are investigating Bob, who is a person in Canada, and we are specifically interested in Bob, and that is why we are doing this collection activity, but when we go after this particular communication, we are not directing collection at Bob, the person in Canada”. That seems too clever by half.
And anyway, the Federal Court has a collateral discussion in this case with knock-on implications that will make life for CSE very difficult. Basically, intrusive activities overseas of the sort at issue in the case (whatever they may be) constitute an extraterritorial exercise of enforcement jurisdiction. Done without the consent of the territorial state, this violates international law. And Canadian statutes will be read to comply with international law, unless they explicitly derogate from it. And neither the CSIS Act (for s.16, but not for s.12) nor the current National Defence Act (for CSE) nor the proposed Bill C-59 CSE Act derogate from international law. (On the latter issue, see my discussion here.)
So CSE, you have no legislative jurisdiction to engage in extraterritorial activities of (at minimum) the same degree or more intrusive than the ones at issue in this Federal Court case. Which means you can kiss Mandate A and B goodbye under the current National Defence Act, to the extent they exceed this threshold (which, reading between the redactions, is quite low). And unless you amend bill C-59, you can also kiss those defensive and active cyber powers away. Unless, that is, you just want to plow ahead and see what the Intelligence Commissioner, the new National Security and Intelligence Review Agency, and the National Security and Intelligence Committee of Parliamentarians have to say about this issue. This, in my view, would be insane, since a quick flick of the legislative pen could cure this problem for you, CSE.
Fixing the CSIS Act
As for CSIS, well, you could roll the dice and appeal. Or you too could fix this by legislative amendment (which is what happened to the s.12 power when this same issue arose a decade ago, and was resolved by 2015’s C-44).
But let’s be clear here: if you want CSIS to have its current extraterritorial security intelligence functions (plus its post-2015 threat reduction powers) and now extraterritorial foreign intelligence functions, you are creating, essentially, a blended MI5/MI6. And until recently, it was considered a bad idea to put security intelligence and a full foreign intelligence function in the same agency: rule-of-law security intelligence should be kept segregated from somewhat-less-than-rule-of-law James Bond.
So, we might wish, finally, to do some serious thinking about design issues, accountability issues, resource issues, training issues, etc, before we knee-jerk amend the CSIS Act (yet again). So, enter a ponderous process of deliberation. On the other hand, this is not a situation you want to leave hanging. Because in my story, Bob from MALICE is still out there, swanning away on Gondor Mail. (In truth, I don’t know how important that prospect is – it took until 2018 before this issue got to court, and yet presumably the technological dilemma I describe here could have arisen decades ago. So maybe this case won’t have much practical effect.)
But bottom line: sometimes national security law is hard. And perhaps it is sometimes harder than it has to be. I think it’s often hard because we don’t update the statute law enough. But that’s just me.
With the teaching term winding down, I am preparing more formal papers, stitching together pieces memorialized as blogs on this site. My first effort is here. Abstract:
Canada's Bill C-59 responds to quandaries common to democracies in the early part of the 21st century. Among these challenges: How broad a remit should intelligence services have to build pools of data in which to fish for threats? And how best can a liberal democracy structure its oversight and review institutions to guard against improper conduct by security and intelligence services in this new data-rich environment? This paper examines how C-59 proposes re-shaping the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE) in fashions responding to these dilemmas. Specifically, it highlights C-59’s proposed changes to CSIS’s capacity to collect bulk data as part of its intelligence mandates, and also the new oversight system proposed for CSE’s foreign intelligence and cybersecurity regimes. The paper examines the objectives motivating both sets of changes, and suggests that in its architecture, C-59 tries to web together the challenges of intelligence in a technologically-sophisticated, information-rich environment, with privacy protections derived from a simpler age but updated to meet new demands.
Personal Speaking Notes (February 2018)
(posted publicly with permission)
I have been asked to reflect on common trans-Atlantic intelligence dilemmas, and then a variation on our traditional trans-Atlantic search for solutions. To that end, I’ll say a few words about both the UK Investigatory Powers Act and some of the proposed aspects of bill C-59.
In some large measure, both the UK IPA (Investigatory Powers Act) and C-59 constitute what former CSIS director Jim Judd once called “the judicialization of intelligence”. Mr Judd raised concerns about this development. Intelligence has traditionally operated in a manner obliquely governed by law, if at all. There is a disconnect between a covert intelligence function – and its requirements – and the more overt culture of law and lawyers and judges. Intelligence needs are fluid. Law is rigid. Intelligence needs are immediate and exigent. Law can be laborious.
But law has inevitably encroached on intelligence. An academic colleague – Dennis Molinaro – has uncovered a trove of documents from the 1950s. At that time, these documents show, national security domestic intercept warrants were issued by Prime Minister Louis St Laurent as an exercise of discretionary power under something called the Emergency Powers Act. There was the vaguest of statutory imprimaturs, and certainly no independent judicial oversight in the form of preauthorization.
We abandoned that approach in 1974, and the original iteration of what is now Part VI of the Criminal Code. And in 1984, we built CSIS search and seizure around a judicial warrant process – and the next year, the Supreme Court decided Hunter v Southam. Since then, in cases like the Federal Court of Appeal’s decision in Atwal, through to Justice Crampton’s recent decision in the In the Matter of Islamist Terrorism case, the domestic intelligence search and seizure expectations have been placed on a constitutional footing largely indistinguishable from that of criminal law.
In the IPA, the UK has moved considerably closer to our model than had been the case before. Once the purview of ministers, executive warrantry is now supplemented by review by judicial commissioners. The shorthand is: double-lock (executive approval of a warrant supplemented by judicial review, prior to execution).
But in Canada, we have yet to address two dilemmas also at issue in the IPA. Both fall in the realm of what in the UK context is called “bulk powers”. And since in bill C-59 we are moving in this area, and judicializing, it is on this topic I wish to focus a few remarks.
So first, let me define bulk powers: a bulk power is one that allows intelligence agencies access to a large quantity of data, most of which is not associated with existing targets of investigation. It is the mass access, in other words, to data from a population not itself suspected of threat-related activity. The commonplace example, since Snowden, is internet or telephony metadata for entire populations of communications users. But bulk powers can also involve content, and not just the metadata surrounding that content.
Bulk powers are controversial – they are the heart of the post-Snowden preoccupations. They inevitably raise new questions around privacy, and in the Canadian context, Charter rights. Not least: bulk powers are irreconcilable with the requirements of classic warrants. There is no specificity. By definition, bulk powers are not targeted; they are indiscriminate.
In the IPA context, the world of bulk powers can be divided into bulk interception; bulk equipment interference; bulk acquisition; and bulk personal datasets. Of these, I want to focus on bulk interception and bulk personal datasets.
Bulk interception is what it sounds like: the collection of transiting communications passing through communications providers or otherwise through the ether.
Canadian law permits bulk collection by the Communications Security Establishment, our signals intelligence service. It is subject to the caveat that acting under its foreign intelligence or cyber security mandate, CSE may not direct its activities at Canadians or persons in Canada. But in practice, bulk interception cannot be limited to foreigners, even if the objective is foreign intelligence. The way communications transit the internet and other communications systems creates a certainty that bulk intercept directed outside the country will intercept the communications of Canadians and persons in Canada. This is known as incidental collection.
In Canada, we have struggled with this issue. Part of the answer is in Part VI of the Criminal Code. As you know, it outlaws unauthorized intercept of private communications. A private communication is one with at least one end in Canada. Since in bulk interception, at least some private communications would be captured in a manner meeting this definition of intercept in Part VI, CSE must be exempted from its reach. And that is what the National Defence Act does, where CSE acquires a defence minister authorization in advance for at least the class of foreign intelligence or cybersecurity activities that might capture this private communication.
The constitutional issue is more fraught. Not least, the defence minister is not the independent judicial officer invoked as the gold standard under Hunter v Southam for Charter section 8. The consequence has been the constitutional lawsuit brought against CSE by the BCCLA associations and now efforts at refinement in C-59. And specifically, C-59 anticipates a quasi-judicial intelligence commissioner who will review the ministerial authorization before its execution. This past week, representatives of the CSE testifying before the Commons committee accepted the underlying constitutional expectation: They said under C-59, CSE will seek ministerial authorization (which in turn triggers review by the intelligence commissioner) for any activity that would interfere with the reasonable expectation of privacy of a Canadian or a person in Canada, or contravene an Act of Parliament.
I am hoping that signals a willingness to amend the bill to say just that, on its face, but for our part my key point is this: C-59 clearly accepts the underlying premise: judicialization of bulk intelligence interception. In this respect, C-59 emulates the IPA.
But I wish to be clear, again: this is not a warrant. It will lack specificity. It will be issued for classes of activities, not specific activities or operations. It is review on reasonableness of a ministerial authorization, not the more hands-on warrant process. Does that meet Hunter’s standards? I am inclined to suggest, yes, because the warrant cookie cutter cannot possibly apply to a form of bulk intercept in which intercept of s.8 rights-bearer communications is entirely incidental, and not targeted.
Before leaving CSE, I will say a word about another C-59 change.
We have also gone one step further than the IPA in giving CSE a specific offensive cyber mandate – called active cyber. This could and almost certainly would implicate equipment interference, but interference untied to information acquisition and instead done “on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.”
At present, there is considerable debate in Parliament about whether the intelligence commissioner should have advance oversight responsibilities in relation to this mandate. Currently, he or she will not. I am of two views on whether judicialization in this area would be wise or not.
Turning to domestic-facing bulk powers, I need to switch agencies and talk about CSIS. And here we have drawn clear inspiration from the IPA in the area of bulk personal datasets. The UK understanding of this expression is an apt descriptor of what is now also in play in Canada:
"A bulk personal dataset includes personal data relating to a number of individuals, and the nature of that set is such that the majority of individuals contained within it are not, and are unlikely to become, of interest to the intelligence services in the exercise of their statutory functions. Typically these datasets are very large, and of a size which means they cannot be processed manually."
Why have such things? The C-59 changes are a response, yes, to the Federal Court’s 2016 decision on what was known as ODAC. But it also responds to a broader concern about the ambit of the Service’s threat investigation mandate. That mandate is anchored in s.12 of the CSIS Act. As interpreted by the courts, it permits the Service to collect, and analyse and retain information and intelligence respecting activities that may on reasonable grounds be suspected of constituting threats to the security of Canada, to the extent strictly necessary. As Justice Noel and Justice Crampton concluded in both the ODAC case and the more recent In the Matter of Islamist Terrorism decision, this is a significant fetter on CSIS. It ties information collection, retention and analysis to a narrow band of threat investigations. It also makes it difficult for CSIS to change the frequency of its fish radar and expand its reach to search other parts of the ocean for fish that have not already come to its attention.
A spy service fishing in more ocean is, in some eyes, the stuff of Big Brother and nightmares. On the other hand, an intelligence service that cannot have access to the ocean in performing its function is also likely unable to perform its functions very well. And there is a lot of ocean out there in the digital era. So how can we reconcile oceans full of data generated by innocents with the intelligence function of clearing the fog of uncertainty and revealing not just the known threats but also the unknown threats?
The solution in both the UK and Canadian context is to judicialize the fish detecting radar. And the model is again a double lock: ministerial approval for ingestion of datasets and judicial commissioner approval.
The result, in the Canadian context, is enormous complexity. Broadly speaking, there is a set of legislated rules in C-59 for the ingestion of datasets, and then a more demanding set of rules for the digestion. (I credit a Department of Justice lawyer for this ingestion/digestion analogy, which is quite apt). So for Canadian datasets – datasets primarily comprising Canadian information – there is approval of classes of datasets that may be ingested by CSIS by both the minister and the quasi-judicial intelligence commissioner. Once ingested, there is a limited vetting by CSIS. And then any subsequent retention for actual use – that is digestion -- must be approved by the Federal Court, which is empowered to impose conditions on that subsequent use. There is also a requirement that querying generally be done only where strictly necessary in performance of CSIS’s mandates.
Those charts show why some intelligence operators complain that C-59 is a gift to lawyers. I suppose it is no surprise, then, that I think this is a clever regime. Not least, it short circuits inevitable frontier s.8 issues; to wit, does s.8 attach to the big data analysis of information, the individual bits of which trigger no reasonable expectation of privacy? It seems almost certain that the jurisprudence will get there. C-59 heads this issue off at the pass by superimposing independent judicial authorization guiding and conditioning that big data analysis.
So, on that happy note, I shall end there.
As noted in my prior post, there are a number of really interesting briefs prepared by various stakeholders, going into the next round of House of Commons legislative hearings on bill C-59. Many seek to ratchet tighter the accountability structures in the bill, especially for CSE and CSIS (where they don’t call for the outright abandonment of these agencies’ proposed new powers).
I haven’t had a chance to review all the specific ideas, but two of these sets of recommendations stand out for me in this area. In my last post, I addressed the question of “publicly available information”. In this one, I want to noodle through the extremely complex question of whether the Intelligence Commissioner should have oversight jurisdiction to vet and approve, in advance, and on a reasonableness standard, CSE’s proposed active and defensive operations (“cyber ops”).
Citizen Lab and the current CSE commissioner have both urged this role for the new Intelligence Commissioner, supplementing that official’s responsibility to vet ministerial authorizations issued for foreign intelligence (FI) and cybersecurity (CS). (As an aside: for my part, I have suggested that the ministerial authorizations for FI and CS do not meet constitutional standards, because they are only required where CSE violates an “Act” through its collection. So if at issue was “private communication”, intercept without authorization would violate the Criminal Code. But the government has argued that private communication does not include metadata. In fact, there is no Act of Parliament violated by the foreign collection of metadata, including the incidental collection of Canadian metadata -- if there was, CSE would have been violating it for years. And so, under the current drafting of C-59, there is no requirement to seek a ministerial authorization vetted by the IC. And yet, there is a clear constitutional privacy interest in that metadata. There is *nothing* in either the current CSE law or the proposed CSE Act that meets the standards in the jurisprudence permitting “warrantless” intercepts -- or could meet that standard, in my view, given the nature of CSE’s bulk activities. End result: a new constitutional lawsuit, scandal, acrimony, disaster. Please, please fix this! Make sure the authorization process is triggered by all collection activities or classes of activities that engage information in which a Canadian or person in Canada has a reasonable expectation of privacy.)
The CSE Act Structures Cyber Ops MAs and FI/CS MAs Differently
But back to the proposal to extend the IC function to cyber-ops. First observation: for cyber-ops, ministerial authorizations are required for all cyber-ops (s. 23(2)(b)). This isn’t like FI and CS, where there is a trigger obliging some activities to go for approval and not others (s.23(3) and (4)). In my comment above, I suggest the FI/CS MA trigger is too narrow. I *want* to steer FI and CS activities that implicate Charter rights into the MA and then the IC process. But I am not proposing steering those that *do not* otherwise violate Canadian law through this process. I do not think, for instance, that a CSE targeted intercept that collected the telephone call of a foreign person in a foreign state, with no prospect of any nexus to Canada, attracts Charter rights. Without embarking in a discussion of the Supreme Court’s (unclear) Hape decision, it would be unlikely that the Charter applies, and that the target has any section 8 rights. And I am not among those inclined to think international law imposes meaningful privacy obligations on Canada in these circumstances – and certainly not a judicial pre-authorization requirement. I do think there could be extraterritorial enforcement jurisdiction violations in international law, but in the area of spying it is a close call; international law is, as I have said, creatively ambiguous in this area. So I would not embark on the “judicialization of intelligence” in such a manner, again assuming there was no prospect of a Canadian nexus. I make these sorts of points in greater detail in this article.
So my initial point: To simply superimpose IC oversight on cyber ops MA means, under the current architecture, asking the IC to approve all CSE cyber ops activities. (ss. 30 and 31).
Would this be a good thing?
That may sound like a good idea right out of the gate. But I have been going around in circles because I find it complex. I thought I’d memorialize my struggles.
- First, cyber ops should not, if the Act is applied properly, implicate the collection of information, except as properly authorized by a FI/CS authorization (s.35(4)). Right away, this makes it unlawful under the statute to use cyber ops as a stalking horse for some sort of autonomous information collection activity (on top of being likely unconstitutional to the extent that information collected does attract s.8 protections). So the privacy issues should be muted here, even if the activities authorized by the cyber op authorization may involve some of the same techniques/practices.
- Second, some cyber ops may implicate other Charter rights and Canadian law. At first blush, this may be rare (even very rare) because those rights and laws are usually confined to the territory of Canada. That said, the “real and substantial connection” test may make things like criminal mischief commenced here and remotely conducted against a foreign computer a crime with a sufficient nexus to Canada. But I am not sure that superimposing the IC into the approval process for such actions is an *obligation*. We do allow our security services to break statute law in pursuing aspects of their mandate and we don’t always require pre-authorization by a judicial officer. For example, Criminal Code, s.25.1 for the police allows law-breaking through administrative approvals within the police services. On the other hand, CSIS threat reduction power does oblige judicial pre-authorization for breaches of Canadian law, which would presumably include overseas conduct that, on a real and substantial connection to Canada basis, violates Canadian law (or in some other manner where the Canadian law applies extraterritorially). The CSE Commissioner, in his brief, points to this CSIS precedent to justify his view that cyber ops should be subjected to IC oversight. It is hard to argue against this parallel.
- Third, international law may be breached by cyber ops. (And indeed, international law is likely breached by CSIS extraterritorial threat reduction and perhaps intrusive surveillance done in violation of a foreign state’s laws, and thus its sovereignty. That is a violation in the area of extraterritorial enforcement jurisdiction. I have argued that this international law breach would require pre-authorization by the Federal Court, under the current CSIS Act. See here.) Invasive cyber conduct and international law is an issue I have discussed here, in the context of covert action.
This third argument is a strong justification for an IC involvement in cyber op authorizations. But it depends on a final supposition: that either international law or domestic law or good policy is served by having an independent judicial officer scrutinize Canada’s international conduct and bless (or not) breaches of it. There are many, many areas where Canada’s international obligations are engaged where we do not involve pre-vetting by judges. The overseas conduct of the Canadian Armed Forces is an example. When the Canadian Armed Forces chooses to bombard an enemy, say in Afghanistan, it is reviewed for legality under international law, most notably by the JAG team. But they do not seek the blessing of a judge. Our system expects (and under the terms of the Baker decision of the Supreme Court, I would argue, obliges) members of the executive to observe Canada’s international obligations in exercising their discretion. But we do not then submit that judgment to advance approval by a judge – indeed, it is near impossible to subject it to any form of judicial review, as many of these matters are considered non-justiciable (if they do not raise Charter issues, which as suggested above they rarely do).
CSE cyber ops are the sort of activity that would typically be considered an exercise of defence or foreign policy, and absent some statutory displacement, governed by the royal prerogative. That is why the military could hack away and turn off lights and never need to meet a statutorily-prescribed approval regime. But because CSE only has statutory powers (since 2001), it must look to its statute to find the power for cyber ops. Hence, C-59. So the question is: because CSE is a statutory creature, should the once relatively unfettered powers to engage in defence and international affairs now implicate judicial pre-authorization?
This provokes additional questions: would we be best served by an IC looking at all cyber ops to establish the reasonableness of them? If so, would the IC be empowered to assess the inevitable political dimension of the minister’s authorization – his or her judgment, for example, that the security risk posed by a malignant server justifies CSE reaching out and turning it off? Or would we craft language confining the role of the IC to indisputably legal issues? If so, would the IC be better equipped to assess Canada’s compliance with international law than the executive? Which raises a question: then why stop with IC involvement in the cyber world? Should the artillery officer's orders also be pre-vetted by a Combat Commissioner for compliance with IHL (international humanitarian law)?
The bottom line: I am torn on this issue. I worry about giving the IC too global a role in areas of high policy where he or she would not be equipped to apply rules, but rather second guess political judgment. For one thing: the IC then ends up wearing whatever they approve. And if they dispute, without clear legal standards to ground that dispute, then we have a clash of responsibilities. Who should be responsible for these decisions of high policy: a minister accountable to Parliament or an appointed quasi-judicial officer?
On the other hand, if you agree that judicial pre-authorization is required for extraterritorial CSIS threat reduction (at minimum), what’s good for CSIS under threat reduction should probably also be good for CSE under cyber ops. I must say, in both cases, I wonder a lot about what a court (or the IC, if its remit is extended) would say in response to an op that violates, say, the sovereignty interest of a foreign state. This is a whole lot of novel territory. Which makes it interesting, but also worthy of close consideration.
I am probably missing much and wrong on other issues, but heck, it’s my blog. This is probably one of those entries that will soon be supplemented with a lot of additions.
As predicted, edits already. Edited to correct the suggestion that the classes of activity/activities distinction didn't matter in the cyber op world.
A number of really interesting briefs have been prepared by various stakeholders, going into the next round of House of Commons legislative hearings on bill C-59. Many seek to ratchet tighter the accountability structures in the bill, especially for CSE and CSIS (where they don’t call for the outright abandonment of these agencies’ proposed new powers).
I haven’t had a chance to review all the specific ideas, but two of these sets of recommendations stand out for me in this area. Let me address the first in this post, and a second in one to follow.
Stakeholders have expressed a recurring concern about “publicly available” information. Both CSE and (to a slightly lesser extent, in relation to datasets) CSIS are exempted from the special oversight accountability structures imposed on information collection, where the information is said to be “public”. Indeed, in relation to “publicly available information”, CSE is relieved of its obligation not to direct its activities at Canadians. Neither the CSE nor the CSIS dataset rules include a truly meaningful definition of public information, raising concerns about the fuzzy line between public and not-so-public. The phone book (does it still exist?) is one thing. Hacked information now spilled out on the web and technically publicly available "at the time of its collection" (the CSIS definition) is another. Should there be safeguards on its collection, retention and use by intelligence agencies? The CSIS amendments provide rules on the retention, querying and exploitation of public information, yes, but exempt it from the more thorough independent vetting system for other sorts of datasets.
On the one hand, it would be naïve and prejudicial to ask intelligence agencies to turn a blind eye to any source of information within legal mandate and contributing to their mission. On the other hand, it would be pernicious to create a nudge-nudge-wink-wink intelligence service market for unlawfully acquired information. Or even, possibly, lawfully released information revealing personal information in unexpected ways. Given the Supreme Court’s trajectory, it is possible it will ultimately conclude that a person retains a constitutional privacy interest in even public information (at least of a certain character).
But even if Charter s.8 does not go this far, there may be policy reasons to treat the state’s acquisition of “public” information differently than similar private sector activities. For one thing, the private sector is not generally equipped with guns and jails and the coercive apparatus of the state. Nor does it have access to the full panoply of information we are all compelled to provide to the state, in our interaction with its regulatory function (think tax info). So the state has unparalleled capacity to scrape public information and combine it with both closed intelligence and other state-acquired information. That gives “public” information a qualitatively different significance in the hands of the state. Predicting in advance what implications this has is impossible, which is an argument in favour of an independent oversight function even where “public” information is at issue. (Back-end review seems insufficient, especially since review bodies have powers of recommendation, only. And in some instances in the past, issues raised by these bodies have taken years to redress. Independent pre-authorization, required to undertake the activity, is a more robust way to oblige careful consideration of the dilemmas, and if section 8 were ever engaged, is likely required anyway.)
All of this is to say that these concerns are worth redressing, at minimum by plugging even public information acquisition into the independent vetting systems anticipated for both CSIS datasets and CSE foreign intelligence and cybersecurity mandates. I fear that otherwise, this issue will become a festering source of unease about the good faith of the security services, and perhaps a source of future controversy.
FYI, readers may wish to refer to my process flowchart to see what I mean about the different treatment of publicly available information under the CSIS dataset regime.
And on the fourth day of Christmas, federally-appointed judges gave to us…four new Charter s.8 cases. There are two Federal Court cases involving CSIS intercept of IMSI information and seeking access to subscriber data. And two Supreme Court cases involving text messages received by the recipient and stored by the service provider.
Here are the one-paragraph (often one long run-on sentence) summaries:
- In the Matter of Islamist Terrorism (2017 FC 1047): In the course of targeted investigations under s.12 of the CSIS Act, CSIS may intercept International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI) numbers emitted by mobile devices connecting to cellular networks without warrant, even though the privacy interest protected by section 8 applies, where CSIS does so in a minimally intrusive manner without seeking means of identifying the individual (in practice, because they already know who it is), does not capture communications content, does not geo-locate, does not interfere with 911 and emergency communications, and destroys all incidentally collected, non-target information. Bulk collection would be a different story (which is why this case is, in net, bad for CSE and its incidental collection of private communications and metadata).
- In the Matter of XXXX Threat-Related Activities (2017 FC 1048): CSIS cannot obtain a general court authorization allowing it to obtain basic identifying information from communications service providers for individuals whose identities are not yet known, but who may come to CSIS’s attention in the future, and the court cannot delegate such an authorization function when persons do come to CSIS’s attention to a designated CSIS official. But CSIS may obtain such authorization from the court for individuals and, indeed, classes of individuals where the court can understand the nexus between that class and the investigation, on a reasonable grounds to believe standard.
- R v. Marakah (2017 SCC 59): A sender retains a reasonable expectation of privacy in the communication, and inferences that can be drawn from it, stemming from text messages sent to a recipient and the diminishment of this control because the text message passes through a service provider and could be shared by the recipient does not change this and a warrantless search of the recipient’s phone to obtain these messages in circumstances where there was no plausible “search incident to arrest” breaches section 8 of the Charter.
- R v. Jones (2017 SCC 60): A service provider may properly intercept text messages for service delivery purposes, but this does not negate the sender’s reasonable expectation of privacy and the police must generally have court authorization to then obtain these text messages. Historical text messages may be obtained through the general production order in s.487.014 of the Criminal Code (on a reasonable grounds to believe standard) and need not receive a wiretap authorization under Part VI of the Criminal Code, unless the intercept will involve prospective communications, as opposed to historic communications.
These cases, combined with the federal Privacy Commissioner’s decision on a complaint about RCMP IMSI collection activities, create, well, a maze. The Privacy Commissioner concluded in September that RCMP warrantless collection was unconstitutional. This is hard to square with the Federal Court’s new decision on CSIS, but the Privacy Commissioner would probably say that the RCMP offered no specifics on what they were doing of the sort that led the Federal Court to conclude that CSIS’s warrantless intercepts were still reasonable, although done warrantlessly.
So here’s a brief scenario.
Hans, the scheming villain from a famous holiday classic, is working for the Chinese government, and conducting himself in a manner that constitutes a threat to the security of Canada under the CSIS Act and a violation of the criminal provisions found in the Security of Information Act (SOIA). So both CSIS and police have investigations underway (and are doing all that difficult deconfliction work that is a Canadian thing).
CSIS knows that Hans has a cellphone and they want to figure out what the IMSI number is. So they conduct a targeted intercept meeting the standards described In the Matter of Islamist Terrorism (above). They do this without warrant.
RCMP also wants to know what Hans’s IMSI number is. So either CSIS gives it to them through an advisory letter (which seems very, very unlikely). Or they collect it themselves. But they have to use s.492.2 of the Criminal Code to get a transmission data recorder order from a judge, on a reasonable grounds to suspect standard.
Now CSIS wants to know where Hans has been going and what he will be saying. So they need to go to Federal Court and obtain judicial authorization for an intercept under s.21 of the CSIS Act, on a reasonable grounds to believe standard. Section 21 is a one-standard provision for all sorts of intercepts, so this same standard will apply for archived geolocational metadata (obtained from a service provider) and content (wiretapped).
And now the police also want to know where Hans has been going and what he will be saying. To know what he is saying, they need a Part VI Criminal Code warrant, allowing a wiretap. This too is on a reasonable grounds to believe standard. But for archived geolocational data, the police may be able to obtain a production order directed at the service provider, requiring that this sort of “transmission data” (metadata) be produced. Transmission data production orders may be obtained on a reasonable grounds to suspect standard.
So perhaps the police, who find it easier to share with CSIS than vice versa, can share the transmission data with CSIS, obviating the need for CSIS to get their own metadata-related warrant?
Both CSIS and the police decide they should also figure out what Hans has been texting his friends in Beijing. Again, CSIS proceeds via Federal Court authorization under s.21 of the CSIS Act, for both archived texts and future intercepts. This requires a reasonable grounds to believe standard.
As per Jones, the police for their part can obtain the archived text messages from the service provider using a general production order under s.487.014 of the Criminal Code, issued by a judge on a reasonable grounds to believe standard. But to track his on-going texts, they need a Part VI wiretap order, on a reasonable grounds to believe standard. (And even if they had Hans’ friend’s phone, Marakah establishes they would need a search warrant to search it for the text messages, on a reasonable grounds to believe standard. Of course, if they arrested Hans they might be able to search his phone without warrant, as a search incident to arrest per Fearon. But Hans would need to have left it unlocked.)
This is all getting rather complicated. A “cacophony of lawful access rules” joins “herd of bison”, “murder of crows” and “pack of wolves” as a Canadian thing. It will be interesting to see if the government moves on lawful access reform in 2018. (So far this is a government showing real appetite to fix big things in the national security/public safety law space.)
For those looking for an immersive audio experience, Stephanie Carvin and I offer a longer discussion of these cases in Ep 15 of our Podcast Called Intrepid.
Edited this a bit because I realized that I messed up in the discussion of s.487.014.
As the parliamentary season starts, I have begun working up more detailed thinking on bill C-59, the government's massive national security law overhaul. A lot of this bill is about heading off constitutional and other legal train-wrecks. But it also includes measured moves into new areas, with attention to drafting these powers in manners that (hopefully) will not ignite new legal controversies. In some respect, it is about getting the law out of the way as a source of doubt, at the cost of accepting more structural checks and balances.
In a first note, I set out observations on the new "intelligence commissioner" process for CSE foreign intelligence activities. The focus here is on the question of whether C-59 is enough to cure the constitutional objections to CSE's current manner of operating. For what it is worth, I think it is one word away from doing that.
The Shiny Bauble of Ministerial Responsibility
There is another issue not addressed in the paper. Does the presence of the intelligence commissioner constitute an erosion of ministerial responsibility? This seems to be a recurring issue in some parts of Ottawa. I am not entirely sure everyone means the same thing in discussing the concept, but what it means is: a minister answerable in Parliament for subordinates, and responsible for the conduct of those subordinates.
Those who have read some of my public law work will know that my view on ministerial responsibility in Canadian government in relation to the second half of the above sentence is: "What a wonderful idea. Too bad it doesn't exist." As I concluded after surveying practice between 1950 and 2009, it is rare to the point of being unknown for ministers to resign in response to wrongdoings committed by their subordinates, at least officially. (Senator Forsey arrived at similar conclusions in his notable 1985 work, The Question of Confidence.) The buck-stops-here concept of ministerial responsibility is a magnificent myth, not a reality. There is a reason why Donald Savoie called one of his books "Breaking the Bargain".
So, it seems a bad idea to preserve a myth by insisting on a form of unilateral executive oversight of CSE activities that is almost certainly unconstitutional without the interposition of an independent judicial officer.
And in the area of CSE, there are several additional exhibits tending to suggest that the status quo is a bad idea. First, on information and belief, the minister of national defence's office has not had the internal capacity (at least in the past) to "red team" thoroughly CSE authorizations to intercept private communications. Put another way, I fear ministerial oversight has been modest.
Second, so modest has been ministerial oversight in this area that when the Snowden disclosures came out and there were revelations of CSE collection of Wifi information from Toronto airport, it was CSE's review body that stepped most vocally into the breach to offer conclusions and observations. Put another way, the review body took bullets, something that should never happen in a world with functional ministerial responsibility.
Third, C-59 does not actually remove the minister from the driver's seat. It just puts the intelligence commissioner in the back seat, looking over the minister's shoulder. Unlike with conventional warrants, which judges shape (albeit with input from government lawyers), the C-59 system requires the minister to kick first at the authorization can, and set the terms and conditions. Only then does the intelligence commissioner review and bless (or not). This is a double-lock system in which the minister turns the key first. It is not one in which the minister is subordinated. Instead, he or she is watched.
As my article suggests, I think this is probably the most clever way to square the constitution with CSE's rather sui generis activities. Take it away, and you run the real risk that the current system ends up at the Supreme Court. That Court has, of late, rarely turned down an opportunity to apply new understandings of privacy rules to new technology. Leaving it to the Court to speak first on this issue -- and perhaps narrow the range of options -- would be a huge mistake.
Added to which: a court finding that CSE's activities since (probably well before) 2001 have been unconstitutional would be disastrous for CSE. Indeed, even as we need to call upon it to do more in the area of cybersecurity and cyberassurance in the public and private sectors, its reputation would be shattered. And those private sector companies that touch it with a ten foot pole risk collateral reputational injury. Put another way, C-59 needs to solve the problem of a CSE currently tied to the tracks, with a Charter train rumbling toward it.
So you need to be a real risk-lover to preserve a status quo that a) does not include much, if any, real ministerial responsibility, but b) has managed to produce a lot of reputation-damaging fall-out.
On Thursday, WikiLeaks released three CIA tasking orders detailing their plan to closely monitor 2012 French presidential candidates, including current President Francois Hollande and current first-round frontrunner Marine Le Pen.
Canada is listed along with New Zealand, Great Britain, the United States and Australia in a section indicating which countries are assisting with the “HUMINT” or human intelligence aspects of the operation. Those countries make up the Five Eyes intelligence sharing alliance.
Within hours, the NDP was calling on the government to explain the document: “Canadians don’t expect their government to spy on our closest allies, especially when it involves their own domestic elections. There’s nothing more sensitive than that, as we’re observing right now with the allegations in the U.S. election.”
This was a remarkable escalation of events.
The actual documents are here. Like most leaked documents, they lack context, even if they are genuine. More than that, they are also sprinkled with agency nomenclature that requires parsing.
The single reference to Canada reads:
Apparently on the basis of this single reference, the news reports concluded Canada was asked to "assist" the CIA. (As the story eventually notes: "The documents contain only a single reference to Canada, making it unclear what parts of the CIA efforts Canada may have been involved in.")
But this whole allegation of Canadian participation seems (very) doubtful. First, none of Canada's actual intelligence agencies has the legal competency to conduct covert, overseas HUMINT foreign intelligence gathering. CSIS is confined to security intelligence in its overseas activities (and this France activity would not be security intelligence, as defined in s.2 of the CSIS Act). CSIS's broader foreign intelligence collection must be conducted "within Canada" under s.16 of the CSIS Act.
CSE is a signals intelligence agency and would clearly be acting outside of its statutory mandate in doing HUMINT.
Military intelligence operates pursuant to the royal prerogative of defence -- and it is hard to see how that fits.
Global Affairs Canada has a broader remit -- including under the general language of the DFAIT Act and also a conceivable remit under the royal prerogative relating to foreign affairs. It has no express statutory intelligence function, but its legal authorities are broad enough to allow it to collect information in its diplomatic/foreign relations function. Whether it runs covert HUMINT is another matter -- it has confidential contacts, but I'd be surprised to learn it runs more complex HUMINT sources. (Sadly, because Global Affairs is subject to no external independent review, there is little on the public record on its activities, but see this statement made to Parliament. There, then-DFAIT specified "Canadian diplomats do not work under cover or collect intelligence covertly from human sources").
All of this is to say that there is only a narrow range of options if Canada were to participate in a (let us assume covert) CIA HUMINT foreign intelligence (as opposed to security intelligence) activity: either it is a Global Affairs program of greater breadth than what has been reported in the past, or it is a Canadian intelligence service acting illegally.
But we don't need to go down this rabbit hole for one reason above all else: the document does not seem to say what the news stories inferred. "S//REL TO USA, AUS, CAN, GBR, NZL" is a classification tag (governing intelligence sharing). It translates into "Secret//Release to USA, Australia, Canada, Great Britain, New Zealand" (or, in other words, the Five Eyes). See this guide to US classification nomenclature.
It does not, in other words, mean (in any respect that I can discern) that Canada is "assisting with the 'HUMINT' or human intelligence aspects of the operation" (whatever those might be -- and the document is actually very unclear on what, if anything, was being done in terms of HUMINT).
Put another way, unless you want to believe that Canada must be complicit just because you don't trust intelligence agencies, there appears to be no evidence supporting the conclusion on a Canadian role reported in the news stories.
This is the final post in a series of blog entries on Noël J’s recent Federal Court judgment on CSIS’s retention of metadata from its warranted threat investigations. In my first entry, I tried to explain what this case is about. In my second, I raised concerns about how we manage legal doubt in the security and intelligence community.
In this final blog entry, I want to focus on two political/policy dimensions: First, the relationship between CSIS and its accountability structure; second, the knock-on implications of reform generally in the national security area. There is definitely some editorializing in this piece, but heck: it is my blog.
CSIS and Its Overseers
CSIS is generally law-abiding. “Generally” means that it has acted improperly at times. The CSIS Metadata case is an example. The misconduct in other instances can be even more serious. The Air India bombing matter was its sin at birth. The Grant Bristow affair was quite the saga. CSIS should not have rendered Mr Jabarah illegally and unconstitutionally in 2002. The immigration security certificate matters were/are a mess. The agency bears at least partial responsibility for the foreign maltreatment of Messieurs Arar, Almalki, El-Maati and Nureddin. The unconstitutional extortion (because that is what it was) of Mr Mejid was inexplicable. The interrogation of Omar Khadr at Guantanamo Bay was a serious error of judgment. The Federal Court’s finding of CSIS complicity (the Court’s own word) in Mr Abdelrazik’s detention in Sudan was distressing.
And CSIS now also has a pattern of underwhelming adherence to its duty of candour in relation to courts, its review body (the Security and Intelligence Review Committee) and the minister of public safety:
- Violations of the duty of candour to the Federal Court (Metadata Case; Re X (FC and FCA); Almrei);
- Violations of duty to disclose to SIRC in complaints proceedings (2013-4 and, on information and belief, in the Liddar complaint in 2005);
- Concerns about duty of candour to SIRC in review proceedings:
- Concerns about notification to the minister (including this past year).
And I suppose there are other examples, perhaps less well documented.
But to be clear, I do not view these infractions singularly or collectively to mean that CSIS is “rogue”. I need not imagine mala fides to be concerned. I am sure those inside the agency would tell me that there is a backstory to all of these instances. And so, I shall apply Occam’s Razor: CSIS makes mistakes, like any bureaucracy. But its mistakes tend to be quite consequential to individuals and the rule of law.
And so the question then is: what to do about it?
Less Aggressive Legal Positions in CSIS
Let’s face it, the statutory framework governing national security law needs a serious renovation, especially in areas affected by technology. So come back to Parliament and legislate, don’t pound the round peg of existing law into the square hole of new operational needs. When you do that, and lose, then you get hit with a jab and an uppercut: a finding of unlawfulness, usually on some sensitive civil liberties issue; and, a serious rule of law/running amok concern. You manage to ally a civil liberties issue (where the issues are often complex) with the rule of law issue (where the issues are pretty darn straight-forward).
I do not understand why CSIS would ever risk a negative duty of candour finding. It poisons the well – and that well happens to be the place where you need to go to get warrants.
Build Up the C-22 Committee of Parliamentarians While Also Fixing Expert Review
Well, enhanced oversight/review is in order. I have argued elsewhere that the proposed bill C-22 committee of parliamentarians is an important innovation, but requires enhancement to relax the strictures on the committee’s ability to see secret information.
Kent Roach and I have also argued that no committee of parliamentarians can ever hope to fulfill fully the detailed compliance function of the existing expert review bodies. And those review bodies must be rebuilt so that either a single body or (less ideally) multiple bodies have all-of-government security review jurisdiction and can cooperate seamlessly in performing their accountability functions. Abandoning expert review because of the advent of a committee of parliamentarians would be like tearing your seatbelt out of your car because now you have an airbag: they serve different functions, and besides a little redundancy is a good thing when trying to make potentially dangerous things safe.
And also, low hanging fruit: clean up SIRC’s funding so that it doesn’t lurch annually through periods of fiscal doubt.
Build Formal Gateways between Review Bodies and the Federal Court
And in the wake of the Federal Court’s CSIS Metadata judgment, it seems that we need to fix the “broken telephone” between the review bodies and the courts. In two instances now – Re X and CSIS Metadata – the Court has been alerted to CSIS conduct, not directly, but very indirectly and obliquely by comments in SIRC’s public report. In CSIS Metadata, the Court used the word “manipulate” to characterize the risk that CSIS can leverage the distant relationship between the court and SIRC and serve as a broken telephone between the two.
And so a clear reform would include new statutory language allowing direct reporting by SIRC to the Federal Court on SIRC’s audits of CSIS warrants. Personally, I think the Court could impose such reporting requirements as a condition on the warrant (perhaps as simple as an obligation of CSIS to trigger a CSIS Act s.54 ministerial report and then a commitment to share it with the court). But Justice lawyers would probably throw red flags all over the field. So since fixing expert review means getting into the legislation anyway, better to put this all on sound statutory footing.
The Big “P” Politics
I’ll end with a slight broadening of the lens and, with trepidation, stray into the politics of this moment in Canadian national security history. Last Thursday’s decision, of course, shoves the pendulum in the reform direction, until the next time something goes boom. But of course, this back and forth swing is silly: there are real issues, and the issues are real regardless of where the pendulum is on its arc. We need a clear-eyed political gaze – and a lot of hard work.
For all those who think this is easy, and that a government further left or further right would wave a magic wand and things would be different, well, I don’t believe in magic wands. The magic wears off pretty quickly, and the deeper reform needs remain (see bill C-51, filed under category: “dark arts”). So let’s talk some more about concrete solutions, and not find in every “gotcha” moment (or every terrorist incident) proof for our predispositions.
This is the second of a series of blog entries on Noël J’s recent Federal Court judgment on CSIS’s retention of metadata from its warranted threat investigations. In my first entry, I tried to explain what this case is about.
In this blog entry, I begin to explore its implications, as I see them. First up: what a tangled web our legal system has weaved.
Readers of this blog will know that I have developed an allergy to a commonplace practice in Canadian national security law: secret law. As I have noted before, Justice Canada legal opinions construing the scope of vague, open-textured statutory powers have the de facto effect of legislating the practical reach of those powers.
These opinions are clothed in solicitor-client privilege -- with the end effect of allowing a tool permitting frank advice between lawyer and client to be used to deny the public access to a true understanding of how the government interprets its legal powers. That may happen also in other areas, but in this one, the Justice Canada legal advice often is the last say: the covert nature of national security activities means that no one may be aware of how these powers are being used, and in a position to adjudicate the true scope of the law in front of an impartial magistrate.
In the hot-house of internal government deliberations, legal positions that might not withstand a thorough vetting become sacrosanct. And subsequent construals of powers build on earlier, undisclosed legal positions, producing outcomes that are very difficult to understand.
Examples I have encountered in my wanderings include:
- a conclusion that the actual physical amalgamation of information does not amount to collection in a legal sense (CSIS; and possibly also CSE) (either a variation of the issue in play in the Federal Court case, or the very issue at stake – I don’t know);
- a conclusion that the compilation and analysis of metadata from travellers at a Canadian airport is not (as a legal matter) "acquisition and use" of information in a manner "directed" at Canadians or any person in Canada (CSE);
- creative theories in the Re X case about CSIS extraterritorial warrants;
- a conclusion that CSIS’s new Bill C-51 threat reduction powers, done in violation of the Charter, can be constitutional if done pursuant to Federal Court warrant;
- a conclusion (or at least implication) that somehow, and despite its (admittedly tortured) wording, the new bill C-51 Security of Canada Information Sharing Act is lawful authority effectively trumping the Privacy Act;
- a conclusion that the exception to the definition of “undermining the security of Canada” in that same Act does not exclude violent protest, advocacy or dissent (a reasonable policy position, but the “violence” qualifier is not in the Act);
- a conclusion that narrows the textual reading of the bill C-51 “advocacy or promotion of terrorism offences in general” (again, a welcome policy position, but not the way the offence reads).
These are all conclusions that are difficult to view as guided by the law Parliament has enacted.
The CSIS Metadata Case
Enter the CSIS metadata case. As described in my prior post, this case turns on whether retaining “associated data” (that is, non-threat related information) collected in warranted intercepts of communications by targets was lawful. The Federal Court concluded it was not. And its reasoning on this point is awfully compelling.
Less compelling is the argument offered by the Department of Justice in defending this practice. And these arguments have knock-on implications if they govern the legal advice given in other contexts.
Argument 1: The statutory limitations on CSIS’s intelligence gathering in section 12 are relieved by a Federal Court warrant.
That is, once a Federal Court warrant issues, then Parliament’s constraints on CSIS’s section 12 mandate do not matter any more.
Now, as someone who teaches public and constitutional law, and defends basic constitutional norms of parliamentary supremacy, and contests the delusion that (except in rare instances inapplicable here) the executive has powers beyond those granted by Parliament, this argument struck me as astonishing. Here, the Justice Department is arguing that, in a secret hearing not subject to appeal in which only it is represented, it may negotiate a warrant with a court having the effect of superseding Parliament’s instructions on the powers CSIS is to have.
Let’s extend the Justice Department’s argument to the powers CSIS has after Bill C-51: it may do anything to reduce broadly defined “threats to the security of Canada” under section 12.1, so long as proportionate to the threat. Under section 12.2, it must not, however, engage in bodily harm, violate sexual integrity or obstruct justice. In other words, Parliament sets an outer limit (albeit a ridiculously undemanding one that we believe needs to be made more robust).
But, under the Justice Department legal reasoning, if CSIS goes to Federal Court and obtains a warrant (as it may do under s.21.1), these limits could be superseded by the warrant. And so, under the Justice Department logic, the Federal Court could authorize CSIS to, say, engage in targeted killing (remember, the C-51 changes also say that CSIS may, with Federal Court warrant, violate the Charter).
I have yet to meet the Federal Court judge that would authorize such a thing. But that is not my point. My point is that under the Justice Department logic, the basic constraints on CSIS’s powers legislated by Parliament in Bill C-51 can be negotiated out of existence in a secret, one-sided court proceeding, with no appeal.
Fortunately, Justice Noël rejects this Justice Department argument. But it is a bit terrifying it was ever made.
Argument 2: Metadata and the privacy issue.
In a second argument, the Justice Department seemed to advance the view that metadata do not trigger privacy concerns under the Charter at the collection stage. Instead, as I follow the discussion, that threshold is crossed when they are amalgamated and searched.
The court did not resolve this matter, it seems to me. But it is another distressing position with ramifications across government (including in relation to the infamous CSE incidental collection of Canadian metadata in its foreign intelligence and information technology security functions).
If accepted, this argument allows the accrual of vast pools of metadata, undisciplined by Charter collection rules. Under Bill C-51’s Security of Canada Information Sharing Act, that information could then start sloshing about government. At some point, the amalgamation and analysis of it would cross the Charter threshold, even according to the Justice argument. But what happens then? Are we to expect that government departments will come to Federal Court proactively seeking a warrant as they run algorithms through these databases? Absent legislated structures, I don’t see this happening.
So, again, this is another unhelpful legal theory.
Argument 3: CSIS and its lawyers didn’t need to tell the Federal Court about the metadata retention.
And now we get to the fireworks in this case: the duty of candour issue. I shall do a separate blog entry on this issue in particular. But among the other astonishing issues: the government lawyers apparently took the view that they did not need to tell the court how data collected under court warrant was being used, because the court did not have supervisory authority. This is a gobsmacking position, which basically confirms experience with other cases (like Re X): once the warrant walks out the door, the government does as it wills with it. It is a legal position that the court itself discards with some energy: the government legal view reflected a “worrisome lack of understanding”.
And so I can only expect at this point that every single Federal Court warrant will have a “return and report” clause affixed to it. And the Federal Court will now move in the direction of the US FISA court in terms of auditing performance.
Which is fine, as far as it goes. But what about all the other doubtful legal positions that never get in front of a court – and they are likely legion?
Well, one of the most important aspects of the national security and intelligence committee of parliamentarians anticipated by C-22 is that they will have access to information that is protected by solicitor-client privilege. If I was in charge, the first thing I’d do: an audit of national security legal opinions, done with the assistance of a small bevy of special advocates.
I have prepared a series of blog entries on Noël J’s recent Federal Court judgment on CSIS’s retention of metadata from its warranted threat investigations. In this first entry, I try to articulate what this case is about.
It may be useful to start with an analogy (however imperfect): this case is about CSIS fishing in the sea for sharks. When it uses certain sorts of intrusive nets to sweep up sharks, that net use must be authorized by the court. But technology being what it is, the nets also sweep up other fish – a by-catch. The court accepted that by-catch can happen, but did not actually know what CSIS was doing with the by-catch. In fact, CSIS was keeping a fin from each fish caught in the by-catch. The court learned about this after 10 years of CSIS fin-collection. And then when it learned about it, the court concluded that the law governing CSIS obliged “catch-and-release”: the by-catch fish should have been released unmolested once identified as by-catch and not sharks. Because CSIS did not do this, it acted unlawfully. Plus, in failing to tell the court, it violated very strong duties that it do so.
I will deal with the by-catch issue in this blog entry, and the duty of candour in a subsequent entry. I also have entries on the policy issues – which I think are significant on a number of grounds and perhaps more sweeping than seems apparent given the scope of the actual legal issues.
Basic Legal Background
Under its “section 12” mandate, CSIS collects, to the extent it is strictly necessary, and analyzes and retains information and intelligence on activities it has reasonable grounds to suspect constitute threats to the security of Canada.
This passage has several “magic words”: “to the extent that it is strictly necessary”; “reasonable grounds to suspect”; and, “threats to the security of Canada”.
“Threats to the security of Canada” is the only passage actually defined in the CSIS Act (in section 2). Suffice for our purposes to say it is broad.
“Reasonable grounds to suspect” has a generally well-understood meaning (although I still struggle to imagine how it is applied in practice): “suspects on reasonable grounds” is a suspicion based on objectively articulable grounds that may be lower in quantity or content than the requirement of reasonable belief, but must be more than a subjective hunch. R v Kang-Brown, 2008 SCC 18.
“Strictly necessary” has a fairly intuitive meaning. Less intuitive is whether this necessity standard qualifies merely collection, or also applies to analyze and retain. I will return to this below.
Under section 12, CSIS collects information. Where the means of that collection are sufficiently intrusive to trigger section 8 of the Charter (the protection against “unreasonable” searches and seizures) or the Part VI Criminal Code prohibition against unauthorized intercept of private communications (typically, a wiretap), it must get a Federal Court warrant. A judge will only issue a warrant if persuaded that CSIS has reasonable grounds to believe that it is required to investigate threats to the security of Canada.
"Reasonable grounds to believe" is a higher standard than the reasonable grounds to suspect standard that must be met for CSIS to begin an information collection investigation under section 12. Sometimes called “reasonable and probable grounds” in the constitutional caselaw, reasonable grounds to believe is much lower than the criminal trial standard of “beyond a reasonable doubt.” Instead, it is defined as a “credibly-based probability” or “reasonable probability.” R v Debot,  2 SCR 1140. In the administrative law context, courts have described it as a bona fide belief of a serious possibility, based on credible evidence. Chiau v Canada (Minister of Citizenship and Immigration),  2 FC 297 (FCA).
CSIS obtains warrants in a closed-court (aka secret) process in which only the government side is represented. The warrants can, and often do, impose conditions on CSIS investigations. There are templates for standard warrant applications. These templates are occasionally updated, a process that requires CSIS to apply to the Federal Court. This case came about through a belated updating process.
Operational Data Analysis Centre (ODAC)
CSIS collects many data in the course of its section 12 investigations. Not unreasonably, it wants to keep these data in order to pool them in a manner that it can then search to further investigations in the future. And so it created ODAC in 2006. It turns out it did not tell the Federal Court about ODAC, at least not in any real concrete manner.
This is important, because ODAC was pooling information collected via warrant. And that information included not only content and metadata produced by an investigative target’s own communications (the collection of which was authorized by warrant), but also so-called “associated data”. As the Court defined it, “associated data” are data “collected through the operation of the warrants from which the content was assessed as unrelated to threats and of no use to an investigation, prosecution, national defence, or international affairs”. In our analogy, we would call this "by-catch". Presumably a lot of these would be data from third-parties; that is, communication-related information involving non-targets, swept into the CSIS surveillance net. For telephony, this might include the speech of the person on the other end of a conversation, or the accompanying metadata (e.g., telephone number; geolocation of a cell phone, etc.)
For email, this could be a heck of a lot of content and metadata totally unrelated to the target’s communication. Email travels in packets across the internet, and packets bundle unrelated segments of individual emails. And so intercepting a target’s emails generally means intercepting all the packets, and the accompanying content and metadata of other people’s communications bundled with them.
CSIS chose, in the ODAC, to retain some of this “associated data”; and specifically, the metadata, although not the actual content of the communication.
This is a privacy issue. These metadata have been compared to “data on data” — that is, they constitute the contextual information that surrounds the content of an Internet transaction or communication. In a 2013 report, the Privacy Commissioner of Ontario compared metadata to “digital crumbs” that reveal “time and duration of a communication, the particular devices, addresses, or numbers contacted, which kinds of communications services we use, and at what geolocations.” And pooling metadata and applying “Big Data” analytics can paint an intimate portrait of people – which is exactly why it might be of interest to an intelligence service.
But the retention of these metadata is also a legal issue. For one thing, it now seems pretty clear after the Supreme Court’s Spencer decision that metadata are protected by section 8 of the Charter. For another thing, the CSIS Act determines what CSIS can do with the information it collects.
The Legal Issue
The Court did not reach the section 8 issue, although it acknowledged that the matter had been argued before it. Instead it focused on the CSIS Act issue. And there, the key consideration is whether CSIS can retain the information it collects through its investigations.
On this point, there are now two answers.
First, as per the Supreme Court’s holdings in Charkaoui II, CSIS actually has a constitutional duty to retain information related to its targets, or to threats to the security of Canada. As the Federal Court summarized this rule: “information that is indeed linked to threats to the security of Canada or to the target of a warrant must be retained in its original state by the CSIS to comply with the protected rights under section 7 of the Charter”.
Or put in more lay terms: CSIS can’t destroy information collected on targets/threats, because people implicated in those threats may subsequently be subject to legal proceedings that oblige full government disclosure in order to allow for a fair trial. And if CSIS has destroyed the original collected information and (the argument would go) simply kept a cherry-picking summary, then no fair trial can be had.
But, second, this Charkaoui II rule does not apply to information unrelated to the target or threats – that is “associated data”. Charkaoui II was not about “associated data”. And so the Federal Court looked to the CSIS Act, and basically concluded as follows: associated data, by definition, is non-threat related. It is not, therefore, something that is “strictly necessary” to the investigation of threats to the security of Canada. Collecting it is, therefore, something CSIS should not be in the business of doing. Now, technology means it can’t help but collect it while undertaking its bona fide “strictly necessary” collection of threat-related information (remember the concept of “by-catch"). And so, court warrants allow for this incidental collection. But authorizing incidental collection does not bless indefinite retention. And indeed, indefinite retention is not something any court could authorize without effectively usurping the “strictly necessary” standard found in section 12.
And so CSIS retention of the “associated” metadata was illegal.
In my next entry, I’ll begin talking about the broader implications of this case.
 Ann Cavoukian, A Primer on Metadata: Separating Fact from Fiction (Toronto: Information and Privacy Commissioner Ontario, 2013) at 3.
Green Papers, consultations, discussions, workshops, roundtables, hearings. There is a risk of overdose for a national security law and policy reform enthusiast. And an aching fear that all this is sound and fury that, in the end, will signify precisely nothing. For all the goodwill in the world, reform in this area (even more than most) is course-correcting an oil tanker. But I'm not sure that all of it has to be hard. A few thoughts on the Communications Security Establishment (CSE) and the post-Snowden concerns about oversight:
Put simply, the issue is this: CSE acquires information that enjoys constitutional protection, without going through the process (or anything approximating the process) that the constitution requires before the state acquires this information. That is, at core, the issue in the BCCLA's constitutional challenge. (In the interest of full disclosure: on behalf of BCCLA, I provided factual background information for use by the court in that proceeding).
At issue is information acquired as part of CSE's Mandate A (foreign intelligence) or Mandate B (information technology security) functions. In neither instance can CSE direct its activities at Canadians or persons inside Canada. But in truth, Canadian origin information will be swept up in its activities, simply because of the nature of electronic communications.
But our constitutional standards for search and seizure do not say you are "protected against unreasonable search and seizures, except when the search and seizure is simply a predictable, foreseen accident stemming from other activities". Put another way, the fact that information in which Canadians have a reasonable expectation of privacy is incidentally but foreseeably (rather than intentionally) collected by the state should not abrogate the constitutional right (although I accept it may shape the precise protections that the Charter will then require, see below).
Perhaps the closest analogy: under a conventional wiretap warrant, a court would be expected to take into account the prospect of inadvertent police collection of communications conducted by third-party members of the public (that is, non-targets). See, e.g., R. v. Thomson. Members of the public have a reasonable expectation of privacy, even when they are not the target of the state. Likewise, all Canadians and all persons in Canada have a reasonable expectation of privacy in relation to their private communications and related information that may be inadvertently acquired by CSE.
More than this, the incidentally-collected information is then placed in circulation by CSE internationally and domestically. Canadian identifying information is "minimized" (redacted), but the redactions can be lifted on request from a partner (and, unfortunately, some has been shared without minimization because of technical glitches).
The legal standards for this lifting are unclear. I have reviewed transcripts and reviewed the CSE Commissioner reports. From the information on the record that I have seen, it sounds like they are lifted when there is a Privacy Act justification for doing so. It is still not clear (to me), however, whether the lifting done for CSIS or federal law enforcement is prefaced by a warrant. In the result, CSE may be administratively sharing information that other agencies could only themselves collect pursuant to a warrant.
For the video version on all this, see here.
To be clear, there is no malice in any of this. There is no intent to do an end-run. There is no dastardly plot. What has happened is that the technology has outstripped rules and procedures designed for a simpler technological era, and a different threat environment.
In its 2015 election platform, the Liberal Party promised to "limit Communications Security Establishment’s powers by requiring a warrant to engage in the surveillance of Canadians". Now, this was an awkwardly worded promise. CSE does not surveil Canadians per se under Mandate A or B: it incidentally sucks up Canadian information. But that nuance aside, the Liberal promise does suggest something will be done about the problem above.
Except: there has been no follow-up. The issue is absent from the government's national security consultation Green Paper.
But this issue is not going to go away. Not least: the more integrated the security services, the more likely that the practices of one will be a poison pill to another.
Say, for instance, the seed for RCMP criminal charges in a terrorism case is information-sharing from CSE based on its metadata program, done under its "Mandate A" foreign intelligence activities. And the trial court learns that CSE's collection of Canadian metadata, although done incidentally, was never authorized by a court (it never is, at present). And more than that, the subsequent de-minimization of the Canadian identifying information by CSE was done on request of the RCMP pursuant to a Privacy Act exception. That is, all this information ends up with the RCMP administratively, and not supported by a warrant. Because this does not line up constitutionally, these practices could collapse the criminal trial, and a dangerous person could walk free.
So cleaning up the procedure should be a priority for public safety as much as for principled constitutional reasons.
The most straightforward solution is to look to how the Americans have reformed their Foreign Intelligence Surveillance Court. Advance judicial authorization, overseeing potentially quite general search activities by a signals intelligence service, is doable.
In Canada, we know from the Atwal case ( 1 F.C. 107), that the Charter does not require cookie cutter warrants for all forms of search and seizure. As the Federal Court of Appeal decided (in applying different criteria to a CSIS warrant than to a police wiretap): "To conclude, as Hunter v Southam anticipated, that a different standard should apply where national security is involved is not necessarily to apply a lower standard but rather one which takes account of reality" (emphasis mine). And so in that case, it made no sense to require CSIS to show it was investigating a criminal offence -- its mandate is to investigate threats to the security of Canada.
So there is at least some flexibility in design, so long as we preserve the core essentials of the section 8 jurisprudence: advance authorization by an independent judicial officer. To some large degree, that was what Joyce Murray's private member's bill, C-622, was trying to do.
In truth, that bill conceded the classic concept that searches could only be authorized on reasonable and probable grounds -- but that seemed a defensible concession since CSE was not being authorized to search for Canadian origin information, just directed by a judge on what to do about incidental acquisition. Put another way, this is roughly analogous to the process a judge must undertake in issuing a police wiretap authorization to minimize and control the intercept of third-party communications.
Adding that sort of judicial supervision is, in my view, much more likely than the status quo to bring CSE into the constitutional tent. And I remain unpersuaded that this would degrade CSE's role or functions. Again, this issue has been managed in the United States.
On the other hand, a government determined to defend the status quo on the basis that "CSE's national security function is constitutionally special" risks losing that argument in court. It's a foolish game trying to predict court rulings. But much like the Supreme Court's Spencer decision did with basic subscriber data, the terms of a court loss may shackle the government's range of options.
And so, it makes much more sense for the government to legislate a fix first, rather than to run the risk of a court imposing a fix developed in the narrow confines of adversarial litigation.
At the very least, the present situation creates uncertainty, and also prolongs the lingering after-effects of the Snowden revelations. CSE remains subject to civil society doubts (which then trickle over to private sector service providers in too close proximity to CSE). And it does this at a time when we badly need a widely-credible CSE to help spearhead cyber-security.
And so, in all the sound and fury of changing Canadian security laws, this change should be low-hanging fruit.
Over the last several years and certainly since the Snowden revelations, there has been considerable discussion and controversy over the interception and acquisition by Canada’s signals intelligence agency, the Communications Security Establishment, of metadata. In this 10-minute primer, I do my best to lay out the basics on the legal and policy framework of this interception and collection, as well as discussing controversies and reform possibilities.
I have posted a draft chapter on the implications of bill C-44 and related matters for Canada's extraterritorial intrusive surveillance operations, especially for CSIS. The paper can be found here. The abstract is as follows:
Spying by Canadian agencies is now “judicialized” to an unprecedented extent. In the area of extraterritorial surveillance, the result has been a series of difficult court decisions, and an inadequate legislative response. This brief article explores these assertions. It begins by briefly setting the stage, examining the role and jurisdiction of Canada’s two chief intelligence services. The article then highlights recent controversies, before describing the arcane legal questions they have provoked. Finally, it suggests looking to the Australian model of distinguishing between anti-terror and other types of intelligence operations to bifurcate the judicialization of extraterritorial intelligence collection.
CBA National Section on International Law Notes
May 28, 2015
Thank you for your invitation. I have been asked here this evening to speak about the international law aspects of two new laws – bill C-44, now enacted, and bill C-51, all but certain to be enacted by next week.
Most of you are probably familiar with at least C-51. It is a large omnibus, with a number of moving parts. But perhaps the most controversial part of the bill would give our covert security service -- CSIS – the powers to “reduce” threats to the security of Canada by taking any “measure”, except bodily harm, violation of sexual integrity or obstruction of justice.
The government calls these “disruption” powers, although no one has clearly articulated what that means. What we do know, however, from the legislative history is that the government intends CSIS to be able to pick from a menu of responses. Politically, this has been painted as an anti-terror response. Legally, CSIS’s new powers reach its entire national security mandate, and so apply to sabotage and espionage, violent subversion and so-called foreign influenced activities, as well as terrorism.
We also have some sense from the legislative history as to what specifically the government has in mind. Famously, the government has said it wants CSIS to be able to speak to parents of radicalizing children. CSIS already does so, and so we need to look further.
The parliamentary record includes suggestions that, legally speaking, the government believes the new powers could be used to interfere with mobility rights (as in returning Canadians); that the door is not closed legally speaking on rendition; and that the door is not closed in terms of some form of detention, although not criminal arrest.
Other things that CSIS specifically identified as being among its new powers are “disrupting a financial transaction done through the Internet, disabling mobile devices use in support of terrorist activities, and tampering with equipment that would be used in support of terrorist activities”.
And the government also pointed to analogs – actually quite poor – in other laws that allow the state to remove content from the internet, in the context of discussing the CSIS power. This suggests internet site take-downs are on the list.
Exercising some of these powers would require warrants, because the bill requires a warrant where a measure would breach Canadian law or the Charter.
You may be less familiar with bill C-44. This bill was tabled in the Fall, and on its face seeks to remedy confusion caused by a series of Federal Court cases concerning the extraterritorial reach of CSIS’s conventional surveillance jurisdiction. Specifically, the court cases cast doubt on whether CSIS may legally conduct covert surveillance in violation of foreign law, and therefore territorial sovereignty. At any rate, they held that the court itself was not empowered to issue a warrant permitting such activity.
Through a perplexing series of events, these questions are now before the Supreme Court in the Re X matter, scheduled for hearing this Fall.
Critically, both C-51 and C-44 provide new extraterritorial reach for CSIS activities: they emphatically allow CSIS to operate internationally, and they emphatically allow courts to issue warrants in violation of foreign and "other" (aka international) law.
Which brings me to today’s topic: how is this to be evaluated with an eye to international law? And do we risk becoming the proverbial “ugly Canadians”, because of international law banditry?
I will start by saying that the international law of spying is underdeveloped. Certainly, sovereignty is a core precept of public international law, guarding a state’s essentially exclusive jurisdiction over its own territory. A concomitant principle is the rule of non-interference in the internal and external affairs of any other state.
I want to focus first on collection of intelligence from human or electronic sources by non-diplomats. Non-diplomatic state agents collecting human intelligence or engaging in electronic surveillance do not benefit from any diplomatic cover, or arguments that their activities fall within the scope of a diplomatic mission.
They are, therefore, personally culpable for any violation of the laws of the state in which they spy, and their states are responsible for any resulting breaches of international law.
On this last point, however, everything hinges on the breadth of the customary prohibitions on intervening in the internal or external affairs of any other state. Does, for instance, a failure by a state agent to comply fully with the territorial state’s laws always amount to a breach of sovereignty, and therefore of international law?
The exercise of what is known as “enforcement jurisdiction” by one state and its agents in the territory of another is clearly a breach of international law – it is impermissible for one state to exercise its physical power on the territory of another, absent consent or some other permissive rule of international law. And so I pause here to say that much of the physical, kinetic activity that CSIS might undertake under C-51, done covertly without state consent, would violate international law.
More uncertain is whether a state agent’s violation of domestic rules through spying necessarily constitutes a violation of international law.
There is no international jurisprudence on peacetime espionage, state practice is a muddle, and the academic literature is deeply divided on the question of legality.
Helpfully, the academic literature splits into three categories: those who regard espionage as illegal in international law; those who see it as “not illegal”; and those who envisage espionage as neither legal nor illegal.
The very fact that there are three camps with such diametric and somewhat uncertain positions itself suggests that the third view – neither legal nor illegal -- lies closest to the truth: there is no clear answer on the international legality of extraterritorial espionage, assessed from the sovereignty perspective. And the international community seems content with an artful ambiguity on the question.
On the other hand, human rights principles constrain the means and methods of spying by prohibiting torture, cruel, inhuman and degrading treatment and unauthorized intrusions into privacy. But when and whether these rules apply to extraterritorial spying is a complex question.
The answer to that question depends on whether international human rights instruments have extraterritorial reach. Put succinctly, a state’s obligations under the Torture Convention extend to territories over which it has factual control. Its ICCPR responsibilities, meanwhile, attach to persons under its effective control, including potentially those detained surreptitiously for purposes of interrogation.
The rules governing extreme forms of interrogation do, therefore, extend extraterritorially. It is difficult to see, however, how the ICCPR concept of “effective control” applies to privacy interests and constrains, for instance, extraterritorial electronic surveillance. Extraterritorial surveillance, almost by definition, will not be of persons within the spying state’s effective control.
I would note that since the Snowden revelations, there has been a lot of soft law emerging in this area – and so customary law here will likely become a moving target. But we’re not there yet.
And so what does all this mean for CSIS going forward? First, covert surveillance done without the consent of a foreign state may currently be ungoverned by international law – although whether it would nevertheless be governed by section 8 of the Charter is a novel issue that may well be reached by the Supreme Court in the Re X case. And so international law is mostly unhelpful in assessing C-44. (Subject to the caveat that the more kinetic the surveillance -- the more it amounts to a physical exercise of state powers -- the more likely it is to stray across an enforcement jurisdiction boundary).
The situation with C-51 is more complex. Some of CSIS’s possible, so-called disruption activities clearly stray into the enforcement jurisdiction range: holding someone in custody; rendering someone. These are kinetic activities of a sort that amount to enforcing state powers on the territory of another state.
It is also possible to conceive of hacking into a foreign bank account to delete an account or attacking a foreign server to bring down a website as sufficiently physical acts in today’s world to amount to the wrongful exercise of enforcement jurisdiction.
More than this, if CSIS detains someone or renders someone, it seems very likely that the human rights standards in the ICCPR apply. The effective control standard would be met.
CSIS, review bodies, and courts will need to keep this range of possibilities in mind as they approach CSIS’s new powers. It would be a cardinal mistake to treat every exercise of CSIS’s new powers as equivalent, in international law. Each requires a unique international law assessment.
I will end on a final point: I mentioned that in both bills, the Federal Court is empowered to issue a warrant authorizing CSIS conduct. At issue, however, is when the Service needs to seek a warrant – if it doesn’t need to actually seek a warrant, it can act unilaterally.
C-44 is ambiguous – probably intentionally -- on this question. It specifies no precise trigger for seeking a warrant. The implied trigger would be whenever a warrant is required under the Charter. Since the extraterritorial reach of the Charter is a disputed issue, we will need clarity from the Supreme Court on that question in Re X.
In C-51, a warrant must be sought if CSIS’s conduct will violate Canadian law or the Charter. Canadian statutory law rarely applies outside Canada, and again the reach of the Charter is contested. And so, this too risks becoming a closely litigated issue.
To obviate the possibility of CSIS unilateral extraterritorial action, my own view would be that principles of customary international law, such as state sovereignty, are part of the common law of Canada. Common law persists unless displaced by statute. These are settled issues in Canadian law. I would then argue that there has been no such displacement of the common law by C-51. And since CSIS requires a warrant for a breach of Canadian law – a concept that properly includes common law – a warrant is required under C-51 every time the Service does anything that violates state sovereignty.
I suspect that the government will not warmly embrace this analysis. And so I imagine some of these arguments will soon be made in a more formal setting.
Thanks for your interest.
We have now posted the third of a series of independent “backgrounder” documents that we shall author on Bill C-51, the Anti-terrorism Act 2015. All of these documents are archived at http://www.antiterrorlaw.ca.
The proposed Security of Canada Information Sharing Act in Bill C-51 declares a legitimate government interest in sharing information about security threats. Yet after close textual review, we conclude that the proposed law is both excessive and unbalanced. Why do we reach such strong conclusions?
The Act will relax constraints on the flow of information about “activities that undermine the security of Canada”. This is a new and astonishingly broad concept that is much more sweeping than any definition of security in Canadian national security law. It comes very close to a carte blanche, authorizing a “total information awareness” approach and a unitary view of governmental information holding and sharing. In that respect, we consider it a radical departure from conventional understandings of privacy.
The proposed legislation is unbalanced because it authorizes information sharing without meaningful enhanced review. While the bill pays lip-service to accountability, it does not incorporate an accountability regime matching its scope. Even as it erodes privacy, it fails to learn from the lessons of the Arar and Iacobucci commissions of inquiry about the injustice that may stem from poorly governed information sharing.
The claim in the government’s backgrounder that the existing accountability institutions, including the Privacy Commissioner, are equipped for this task is not convincing to anyone familiar with the Arar report.
[NB: We have posted this paper for immediate download on SSRN. While SSRN catalogues the paper for inclusion in its holding, this page will be watermarked “Under review by SSRN”. Readers will still be able to access the paper. We plan to upload revised editions as we add details and refine points. We have also posted to a “mirror” site, but will not update the paper here.]
I have posted my brief article on CSIS extraterritorial surveillance and related issues, expanding on testimony to the Commons Standing Committee on National Security on Bill C-44. The article may be accessed via SSRN here. The abstract is as follows:
Written in response to the tabling of Bill C-44 in the Canadian Parliament, this article addresses three issues: judicial oversight of foreign spying conducted by the Canadian Security Intelligence Service; judicial oversight of intelligence sharing between Canadian agencies and international security partners; and review of Canadian security and intelligence agencies. The article raises concerns about the status quo, and proposes reforms.
Yesterday, the Commons Standing Committee on National Security and Public Safety asked me to present views on Bill C-44, amending the CSIS Act. I was honoured to accept the invitation and thank the Committee members for their questions and clear and serious engagement on the issue. What follows below is a copy of my statement, with annex. Since by necessity, these remarks were somewhat telegraphic, I am presently drafting a slightly longer article amplifying my position, and explaining in more detail the rationale for some of the language in the proposed amendments. Until then, I have posted before more detailed discussions of Wakeling, extraterritorial spying in C-44, and the bigger issue of accountability. Kent Roach and I have also opined on C-44 in the National Post.
November 26, 2014
My thanks to the Committee for asking me to testify today. I will focus exclusively on the foreign surveillance aspects of the Bill. Later today, Professor Kent Roach will be appearing before you, and he will speak to the informer privilege component.
My views in brief: I support the proposed amendments to sections 12 and 21. That said, I think there are three omissions in this Bill that this Committee should correct. I see these corrections as necessary to preempt another half decade of litigation, controversy and uncertainty.
Clause 8 addresses the core confusion flowing from three Federal Court decisions. In enacting these amendments, you will now be emphatically asking a court to bless CSIS covert surveillance that may violate international or foreign law.
In our system, Parliament has authority to grant expressly powers that violate international law, so long as those powers do not then also violate the constitution. I personally see no constitutional complaint, assuming we are confining our discussion to surveillance issues (and not, for instance, including interrogation or other more aggressive forms of investigation).
As noted, however, I do see several critical omissions in this bill.
Uncertainty over “trigger” for seeking foreign spying warrant
First, it is not clear when the Service will be obliged to obtain a foreign surveillance warrant. The existing statute speaks of “belief on reasonable grounds that a warrant is required”. In a domestic surveillance operation, these grounds arise when failure to obtain a warrant would violate section 8 of the Charter (governing searches and seizures) or Part VI of the Criminal Code.
But the applicability of these two laws – and especially the Charter -- to foreign surveillance is uncertain. As a consequence, the existing “reasonable grounds” threshold is unhelpfully ambiguous when applied to the new warrant powers in this bill.
I think in the final analysis, a warrant will be required whenever foreign surveillance involves covert interception of telecommunications. I also believe the amendments may be interpreted as requiring a warrant anytime an operation may violate international or foreign law.
These would be sensible standards. But because the bill is not emphatic, establishing these standards may require another round of litigation. I strongly urge this committee, therefore, to preempt the necessity of another half-decade of uncertainty by adding clear language on the trigger for seeking a foreign surveillance warrant.
I have proposed language in an annex to my brief.
Uncertainty over legality in CSIS’s international information-sharing practices
Second, since this bill was tabled, the Supreme Court has issued its decision in Wakeling. The case concerned the RCMP, but the holding extends, in practice, equally to CSIS.
A majority of the court concluded that section 8 of the Charter applies to sharing between Canadian authorities and foreign counterparts of intercepted communications. To be constitutional, a reasonable law must authorize intercept sharing. A reasonable law is one that includes sufficient accountability and safeguard regimes.
Right now, there is no clear law on CSIS international intercept sharing. At best, there is generic, more open-ended permission, which seems unlikely to survive constitutional challenge.
I would strongly urge this committee to again preempt years of litigation by codifying an express statutory authorization for intercept sharing that also includes required safeguards. I have proposed language in the annex addressing this.
Continued Failure to Respond to Serious Accountability Gaps
Last, we are now at the 10th anniversary of the Arar Commission. I note with profound concern that Parliament has failed to legislate any of the Commission’s critical recommendations dealing with coordination between the review bodies for CSIS, CSE and the RCMP.
Instead, we have closer and deeper coordination between security services, but review remains firmly limited to institutional silos. And indeed, we have reported instances of the security services questioning, and perhaps impeding, the ability of review bodies to coordinate their review functions.
This bill gives CSIS a freer hand and will necessarily deepen its relationship with CSE and foreign agencies. It should also include provisions that augment the authority of the review bodies to keep tabs. I propose language in the annex that addresses this concern.
Let me end with a related plea to this committee. CSIS’s review body SIRC is suffering the effects of neglect. Its membership has been below strength for a considerable period of time, it has been rocked by scandal at the leadership level, and its level of resourcing has not kept pace with growth in the operational budget of CSIS.
For all of these reasons, I would ask this committee to move on the issue of accountability.
Let me end there.
Annex: Proposed Amendments Correcting Omissions in Bill C-44
A. Amendments Clarifying When A Foreign Surveillance Warrant Would be Required
21. (3.2) For greater certainty, a warrant under this section is required for any investigation outside of Canada that
a) involves an investigative activity that, were it conducted inside Canada, would require a warrant by reason of the Canadian Charter of Rights and Freedoms, or
b) may be inconsistent with international law or the law of the state in which the investigative activity is conducted.
B. Amendments Making CSIS International Intercept Sharing Constitutional, Given Wakeling Holding of the Supreme Court of Canada
19. (2)(e) where a disclosure is made in accordance with a warrant or authorization issued under section 21 to a person or authority with responsibility in a foreign state for performing duties and functions analogous to those of the Service under this Act and is intended to be in the interests of the national security, national defence or international relations of Canada.
21. (3.3) (a) Information collected by the Service through the interception of a communication to which Part VI of the Criminal Code would otherwise apply in the absence of section 28 of this Act may only be disclosed under section 19(2)(e) in accordance with an authorization issued by a judge.
(b) The judge may issue the authorization referred to in paragraph (a) either as part of the warrant authorizing the interception of the communication in the first place or after a separate application by the Director or any employee designated by the Minister for the purpose.
(c) A judge may make the authorization referred to in paragraph (a) only where persuaded on a balance of probabilities that the information, once shared, will not be used for activities or purposes that violate international law, including but not limited to, torture as defined in section 269.1 of the Criminal Code or other forms of cruel, inhuman or degrading treatment or punishment within the meaning of the Convention Against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment, signed at New York on December 10, 1984.
C. Enhancing Coordination of Review Among Security Review Bodies to Reflect Recommendations of the Arar Commission
56. (a) If on reasonable grounds it believes it necessary for the performance of any of its functions under this Act, those of the Commissioner of the Communications Security Establishment under the National Defence Act, or those of the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act, the Review Committee may convey any information which it itself is empowered to obtain and possess under this Act to:
a) the Commissioner of Communications Security Establishment under the National Defence Act, or,
b) the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act
(b) Before conveying any information referred to in paragraph (a), the Review Committee must notify the Director and give reasonable time for the Director to make submissions.
(c) In the event that the Director objects to the sharing of information under this section the Review Committee may decline to share the information if persuaded on reasonable grounds that the sharing of the information at issue under this section would seriously injure the Service’s performance of its duties and functions under the Act.
(d) If the Review Committee dismisses the Director’s objection, the Director may apply to a judge within 10 days for an order staying the information sharing.
(e) A judge may issue the stay order referred to in paragraph (d) if persuaded on reasonable grounds that the sharing of the information at issue under this section would seriously injure the Service’s performance of its duties and functions under the Act.
(f) At any time, the Review Committee may apply to a judge for a lifting of any stay issued under paragraph (e) on the basis of changed circumstances.
(g) For greater certainty, the Review Committee may request information it believes necessary for the performance of any of its functions under this Act from the Commissioner of Communications Security Establishment under the National Defence Act, or, the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act.
National Defence Act
274.64 (a) If on reasonable grounds the Commissioner believes it necessary for the performance of any of the Commissioner’s functions under this Act, those of the Security Intelligence Review Committee under the CSIS Act, or those of the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act, the Commissioner may convey any information which the Commissioner is empowered to obtain and possess under this Act to:
a) the Security Intelligence Review Committee under the CSIS Act, or,
b) the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act
(b) Before conveying any information referred to in paragraph (a), the Commissioner must notify the Chief and give reasonable time for the Chief to make submissions.
(c) In the event that the Chief objects to the sharing of information under this section the Commissioner may decline to share the information if persuaded on reasonable grounds that the sharing of the information at issue under this section would seriously injure the Establishment’s performance of its duties and functions under the Act.
(d) If the Commissioner dismisses the Chief’s objection, the Chief may apply within 10 days to a judge designated under section 2 of the CSIS Act for an order staying the information sharing.
(e) The judge may issue the stay order referred to in paragraph (d) if persuaded on reasonable grounds that the sharing of the information at issue in the application would seriously injure the Establishment’s performance of its duties and functions under the Act.
(f) At any time, the Commissioner may apply to a judge for a lifting of any stay issued under paragraph (e) on the basis of changed circumstances.
(g) For greater certainty, the Commissioner may request information the Commissioner believes necessary for the performance of any of the Commissioner’s functions under this Act from the Security Intelligence Review Committee under the CSIS Act, or the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act.
45.471 (a) Notwithstanding any other provision in this Act, if on reasonable grounds the Commission believes it necessary for the performance of any of its functions under this Act, those of the Security Intelligence Review Committee under the CSIS Act, or those of the Commissioner of Communications Security Establishment under the National Defence Act, the Commission may convey any information which it itself is empowered to obtain and possess under this Act to:
a) the Commissioner of Communications Security Establishment under the National Defence Act, or,
b) the Security Intelligence Review Committee under the CSIS Act
(b) Before conveying any information referred to in paragraph (a), the Commission must notify the Commissioner and give reasonable time for the Commissioner to make submissions.
(c) In the event that the Commissioner objects to the sharing of information under this section the Commission may decline to share the information if persuaded on reasonable grounds that the sharing of the information at issue in the application would seriously injure the Force’s performance of its duties and functions under the Act.
(d) If the Commission dismisses the Commissioner’s objection, the Commissioner may apply within 10 days to a judge designated under section 2 of the CSIS Act for an order staying the information sharing.
(e) The judge may issue the stay order referred to in paragraph (d) if persuaded on reasonable grounds that the sharing of the information at issue in the application would seriously injure the Force’s performance of its duties and functions under the Act.
(f) At any time, the Commission may apply to a judge for a lifting of any stay issued under paragraph (e) on the basis of changed circumstances.
(g) For greater certainty, the Commission may request information it believes necessary for the performance of any of its functions under this Act from the Commissioner of Communications Security Establishment under the National Defence Act, or, the Security Intelligence Review Committee under the CSIS Act.
The Supreme Court of Canada released its decision in Wakeling v. United States on Friday, adding another picket in the progressive hedging-in of intelligence practices by law. In my view, the case has serious implications for CSIS (and potentially CSEC) international intelligence-sharing, to the point that conventional practices in the area are now constitutionally doubtful. Placing those practices on a firmer constitutional footing is a reasonably straightforward fix. The question in my mind is whether the government will use the opportunity presented by Bill C-44, amending the CSIS Act, to preempt the inevitable next generation of constitutional challenges. Or alternatively will it follow what appears to be its standard practice of waiting until matters become so untenable that a legal fix is practically dictated to it.
Adding New Charter Rights to the Mix
Wakeling was about the sharing of intercepted private communications by the RCMP to US authorities in a drug case. The intercepts were authorized under Part VI of the Criminal Code, the key wiretap provision in Canadian criminal law. At issue was whether the further sharing of this lawfully intercepted communication was constitutional.
Six of the seven judges in the case concluded that the further sharing of lawfully intercepted communications engaged section 8 of the Charter, the protection against searches and seizures. These six judges varied in their characterization of the section 8 interest, and in their assessment of whether the Part VI rules met the requirements of section 8. But bottom line: a clear majority of the Supreme Court of Canada held that the transborder sharing of intercepted private communication must meet section 8 standards. (I will call this type of information "intercept information").
This is an enormously important holding. Up to this point, most of us examining the legality of international information sharing have focused on the Charter section 7 protection involving threats to life, liberty and security of the person. See, e.g., my article on intelligence sharing and torture. I, like others, have argued that where intelligence sharing puts a person in peril of foreign mistreatment, it may be curbed by section 7 obligations (and indeed, may be actionable as a constitutional breach where it is not). This section 7 issue arises in relation to any information sharing that causes such a peril, not just the sharing of intercept information. So it would extend to, for example, surveillance records stemming from following someone in a public place.
Now, the Supreme Court has added a wrinkle and carved out an extra Charter protection when the information being shared is intercept information. Here, Wakeling suggests, the sharing is not to be examined as a Charter section 7 issue, but instead as a Charter section 8 question.
When Does Information Sharing Trigger Section 8
Section 8 requires that searches and seizures of reasonable expectation of privacy (REP) information be reasonable. The first issue, therefore, is whether the search or seizure implicated REP information. In Wakeling, three judges concluded that section 8 was triggered not because the information sharing constituted a separate search above and beyond the original intercept, but because the "highly intrusive nature of electronic surveillance and the statutory limits on the disclosure of its fruits suggest a heightened reasonable expectation of privacy in the wiretap context. Once a lawful interception has taken place and the intercepted communications are in the possession of law enforcement, that expectation is diminished but not extinguished" (at para. 39).
Another three judges phrased the matter a little differently: "In light of the intrusive nature of wiretapping, the highly personal nature of the information in question, and the very real risks that may be created by disclosure to foreign officials, it is clear that a substantial privacy interest remains in wiretapped information. This restricts how the information may be divulged and used" (at para. 125).
While the wording of these six judges varies, I believe that nothing confines their holding to information intercepted under Part VI of the Criminal Code. It shouldn't matter who is conducting the electronic surveillance. It would be frankly unbelievable for the Court to conclude that RCMP intercept is sensitive, and CSIS and CSEC intercept less sensitive. (Indeed, RCMP intercept is arguably the most benign, since it is part of criminal investigations and more likely then to feature in an open court trial. CSIS and CSEC surveillance is almost always the darkest of secrets.) And so if the intercept was instead conducted under the CSIS Act or by CSEC under the National Defence Act, the logic would remain, and the constitutional conclusions should be identical.
(A wrinkle for CSEC would be that intercept of Canadian communications under its independent, foreign intelligence mandate is supposedly done incidentally, and I believe that the Canadian information is then "minimized" to remove identifying information. If only minimized data is shared, it may be that section 8 privacy interests are not triggered by the information sharing in the same way as they are by the actual collection. So the CSEC discussion on section 8 and its application to intercept sharing would be more complex).
When is Information Sharing Compliant with Section 8
The most pressing issue must be whether a further sharing of intercept information is compliant with section 8. Boiled to its essence, section 8 requires that information sharing be reasonable. And to be reasonable, it must be a) authorized by law, b) the law must be reasonable, and c) the information sharing under that law must be carried out in a reasonable manner.
In Wakeling, the RCMP information sharing was (at least implicitly) authorized in Part VI of the Criminal Code itself, in section 193(2). The six judges who agreed that section 8 applied ultimately split on whether this provision was reasonable. That is what produced the ultimate outcome in the case. But despite their differences, along the way, they can collectively be taken to signal what is minimally required to be reasonable.
First, everyone agrees the sharing of intercept information must be prescribed by law. It was for the RCMP in Part VI, as noted. Life is much murkier for CSIS and CSEC. Neither of these agencies have statutes in which an intercept power is then matched with express language on cross-border intercept sharing. At best, the CSIS Act contains, in section 17, a power to enter into administrative arrangements that may reach information sharing, and in section 19, lists domestic (not foreign) bodies to whom disclosure of information obtained by CSIS may be permitted. The National Defence Act doesn't even go this far.
And so, neither CSIS nor CSEC are empowered by express law to engage in international sharing of intercept information.
The inevitable fallback would be section 8 of the Privacy Act, a generic, all-of-government provision that permits disclosure of personal information in limited circumstances. One of those circumstances is disclosure "under an agreement or arrangement between the Government of Canada or an institution thereof and...the government of a foreign state, an international organization of states or an international organization established by the governments of states, or any institution of any such government or organization, for the purpose of administering or enforcing any law or carrying out a lawful investigation". Another is disclosure "for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose".
So are these generic provisions enough to constitute "prescribed by law"? Possibly, although the highly generic, non-intercept or agency specific nature of this permission may make the "authorization" so ambiguous that a court would disagree that even this basic, first requirement was met. The Supreme Court ducked this question in Wakeling.
At any rate, it seems very likely to me that even if it did see the Privacy Act as satisfying "prescribed by law", a court looking to the signposts erected by Wakeling would conclude that this law was not itself "reasonable". As noted, three of the Supreme Court judges conclude that the Part VI authorization was unreasonable. These judges would almost certainly feel no differently about the Privacy Act, given its even more ambiguous and generic nature. So three strikes right there.
For the three judges who held that Part VI's s.193(2) was reasonable, there were a number of considerations. These included sufficient precision in terms of the purpose of the disclosure, sufficient precision in terms of to whom the disclosure was made, and (most importantly) the existence of safeguards. The safeguards in section 193 included the overarching requirement under Part VI that intercepts ultimately be disclosed to the target. That target is then in a position to pursue concerns and complaints, including about any further information disclosure. Further, a failure to comply with Part VI intercept rules is a crime. This creates an incentive for police to document properly their information sharing practices. Moreover, police also use "caveats" in an effort to limit downstream use of the shared information.
These three judges did not insist that these accountability mechanisms all be present. However, in deciding whether the law was reasonable, they were clearly moved by the fact that accountability mechanisms of this sort actually exist.
At least arguably, the Privacy Act provisions are a lot more ambiguous and generic than the more express "to whom" and "for what purposes" disclosure requirements in Part VI. Most critically, none of the Part VI accountability mechanisms exist in the Privacy Act (although intelligence services do have a caveating practice). In fact, there are no accountability mechanisms at all. (I don't see plausible arguments that review body (SIRC) assessment cures the section 8 problems. For one thing, that is retrospective and not prospective. For another, it is haphazard: not all intercept sharing will be known to, or reviewed by, SIRC. And so accountability would be accidental at best. Ditto, even more so, for the Privacy Commissioner).
It stands to reason, therefore, that the Privacy Act disclosure provisions measure up poorly against Wakeling's section 8 requirements, as compared to Part VI.
In the result, we should probably add another three judges to the column of "unconstitutional". That makes a clear majority.
So that then means that intelligence service intercept sharing is not done pursuant to a law meeting section 8 requirements. That would then trigger a section 1 analysis. We know from Wakeling that at least three judges would likely reject a section 1 justification because of the absence of accountability mechanisms. I would not hold my breath on another three upholding the law on section 1 grounds, given how easy a cure would be in this case.
And so what would cure constitutional deficiencies in security service international intercept sharing? Part VI outright disclosure of the fact of intercept to the target seems a non-starter because of the intelligence nature of the CSIS intercept (although frankly that issue remains to be litigated).
The obvious cure is, therefore, supplemental supervision of the information sharing by a proxy for the target. Yes, three judges on the Supreme Court were disinclined to insist on "disclosure warrants". But that was in a Part VI context, with that Part's existing accountability mechanisms. Absent those accountability mechanisms, "disclosure warrants", in which a judge cures the section 8 problems by authorizing intercept sharing, are a much more plausible requirement.
In my view, the government would be wise to use bill C-44 to head this issue off at the pass, and introduce a) new language in section 19 of the CSIS Act expressly authorizing intercept sharing with a level of detail that reaches or exceeds that in Part VI of the Criminal Code (rather than crossing their fingers and hoping that the Privacy Act suffices) and b) new features in the CSIS warrant provisions that include a "first come back to the judge" requirement when intercepts are to be shared across borders. (I find myself wondering if "coming back" could instead be "anticipate and make sure you seek express authorization initially".)
Regardless of the outcome on the constitutionality of laws governing information sharing, the Supreme Court seems to have signaled expectations on how that intercept sharing is to be conducted. Key passages from even the three judges who thought s.193 was enough suggest that the government must believe, objectively and reasonably, that the information will not be misused for, e.g., maltreatment. All those failures in the last decade to consider the record of a foreign state on torture would not be exonerated, and I think that a government that shares intercepts without contemplating these issues now has both Charter section 8 and section 7 exposure.
So to sum up:
1. Intercept sharing triggers section 8.
2. Section 8 requires that the sharing be authorized by law.
3. The law authorizing security intelligence service intercept sharing is, at best, broad and generic all-of-government permissions in the Privacy Act.
4. For this reason, it either is not enough to actually authorize the specific intercept sharing at issue or is so general and so lacking in accountability measures as to be itself unreasonable (and therefore unconstitutional).
5. So fix (at least) CSIS's governing law by, among other things, including express intercept sharing rules and then accountability mechanisms (most plausibly a judicial intercept sharing warrant).
6. Even if you have a constitutional law authorizing sharing, you must still exercise it reasonably, and that means no information sharing where you know or ought to know that it will be exploited to visit maltreatment on a person.
If you fail to meet these standards, you violate the constitution. And on top of everything else, that means you have civil liability exposure. (Which makes me wonder if the people currently suing the government for the various information sharing practices of the past can amend their statements of claim post-Wakeling).