Chapter 11: Surveillance

Another Rule of Law Test in the Meng Extradition Matter

The Meng extradition proceeding will clearly test one area of Canadian law: extradition law. (See here). It will also now probe another: constitutional rights at the border. Ms Meng’s lawyers filed a civil action suing officials (and especially the CBSA) for detaining Ms Meng at the border. There (plaintiffs allege) officials conducted pretextual border detention, questioning and searches (including of her electronic devices, for which she provided the passcode) in aid of US authorities, not in support of Ms Meng’s arrest for extradition purposes. The statement of claim is posted here. There have been questions about the legal niceties of this case. We offer a few quick observations.

Oh, What Tangled Webs the CSIS Act Weaves: The Federal Court's Latest Decision on CSIS's Foreign Intelligence Mandate

The Federal Court this week released a lengthy decision that, unusually, dealt with CSIS’s s.16 “foreign intelligence” mandate. In so doing, it proved, once again, that an Act mostly left fallow for a generation spits up weeds.

The decision is deeply redacted, and we know precisely nothing about the target, subject-matter issue or investigative technique at issue. And that means there is no way for me judge whether I think the Court “got it right”. But the underlying storyline is easy enough to imagine, even if the precise specifics are secret. And the policy issues can be surfaced with a hypothetical.

Who Was the Target?

The target was a foreigner physically in Canada. They could not be Canadian (or a Canadian permanent resident) – CSIS cannot investigate a Canadian or Canadian permanent resident under its s.16 mandate. And they had to be in Canada. This was a warrant application. A warrant would only be required, constitutionally, if the foreigner was in Canada. And besides, if the foreigner was overseas, CSE could have targeted him or her under its foreign intelligence mandate, Mandate A.  But CSE cannot direct its foreign intelligence activities at any person in Canada. So bottom line: the person was in Canada.

What was the Foreigner in Canada in Doing?

We do not know what our foreigner in Canada – who we shall call Bob – was doing. We do know what Bob was not doing. He was not involved in terrorism, espionage, sabotage or foreign-influenced activities (at least not foreign-influenced activities within Canada or related to Canada, while detrimental to the interests of Canada). And I suppose for the sake of completeness, I should add Bob was not involved in subversion of the Canadian government. Because if Bob was involved in any of these things, he would pose a “threat to the security of Canada” and this would have been a s.12 CSIS “security intelligence” investigation.

But it was a s.16 investigation.  Which means that Bob was being investigated to collect information or intelligence relating to the capabilities, intentions or activities of any foreign state or group of foreign states or some foreign person. This is what is called “foreign intelligence”. Basically, that means anything other than security intelligence.

Bob from Mordor

So, because all the good parts in the decision are redacted, let’s make up our hypothetical: Bob was a diplomat from the Embassy of Mordor, who was in fact from the Mordor Acquisition and Liaison Intelligence Collation Entity (MALICE).  And while in Canada, Bob was part of an intelligence operation designed to influence the Government of Isengard, in a manner advantageous to Mordor.

Global Affairs Canada, which has an obvious interest in developments in Isengard, wants to get a handle on this foreign influence campaign. And so, it turns to CSIS. There is no clear way an investigation into this influence op falls within a “threat to the security of Canada”.  (I suppose in some cases, it would be so egregious as to be “detrimental to the interests of Canada”, even though directed at a third state, but you can only bend that language so far.)

So, under s.16, the Minister of Foreign Affairs requests, and the Minister of Public Safety agrees, that CSIS will conduct a foreign intelligence investigation.  But s.16 also says that CSIS may only engage in foreign intelligence collection “within Canada”.

Alice of Isengard

That works fine, to a point. Bob is in Canada. But his chief asset in Isengard is Alice, someone who has influential contacts in the National Repressive Ring Association (NRRA). And Alice is not in Canada.  And moreover, Bob and Alice have 1990s style operational security.  When they communicate, they do so by logging into Gondor Mail (G-Mail), an email service in Gondor.  And they modify draft emails in an email account to which they both have access, housed on G-Mail’s Gondor-based servers.

The Warrant on Bob

CSIS wants to monitor Bob’s communications in Canada. Now Bob is a foreigner, but as noted, he has Charter s.8 rights. And so CSIS needs a warrant.  And CSIS wants, with that warrant, to wiretap not just Bob’s phone but also access his email communications. But, nuts, the G-Mail servers are overseas. And CSIS is no position to somehow insert keystroke logging on Bob’s embassy computer. And so, the only way (I shall assume, because I am not a tech-guy) to access the G-Mail draft folder is by hacking into the Gondor-based servers.

Now, pursuant to Mandate C, CSE can provide the technical wherewithal to do this. But CSIS needs to have lawful authority to seek this CSE assistance, meaning if CSIS needs a warrant, CSIS has to have one.

Whether CSIS needs a warrant may be a close call. If the communication is outside Canada, then perhaps the Charter does not apply because it generally does not apply extraterritorially. After all, if Bob were physically outside Canada, he would enjoy no Charter rights.  (The Hape exception would apply only if Canada were in violation of its international human rights obligations -- not clear cut here – and, says earlier Federal Court jurisprudence, where the victim was a Canadian – not true here.).

So, is it too much to say that CSIS's intercept of Bob’s Gondor communications doesn’t require a warrant?  Hmmm. Maybe. But this might still be a “private communication” under the Criminal Code (and I could easily change the facts so that it would be). And if so, the fact that one side of this communication starts in Canada is enough to require a judicial authorization process.  So not much relief there.  And besides, CSIS remembers the infamous Re X case and decides it is better to go to court now, to avoid a train wreck later.

So CSIS does the appropriate thing and concludes it probably needs a warrant. And more than that, it might also reasonably argue that on our facts (communication commences in Canada, travelling overseas through Canada etc) the collection really was “within Canada, enough”, and thus squares with s.16 of the Act. (A view that would be consistent with: the assumption that the Charter applies to Bob’s transiting communications, and the concept of private communication in the Criminal Code, and arguably the concept of territoriality in cases like R. v. Libman.)

But there is also another view: the content of what CSIS is intercepting is not in Canada. It can only be accessed by reaching out electronically across Canadian borders to Gondor, all the way over in Middle Earth.

So, what’s the answer? How do we read “within Canada” in s.16? Well, obviously it means “within Canada”, but what does that mean for footloose-communications? The redactions are thick in this case, and we really don’t know what sort of extraterritorial activity was at issue. But after a lengthy and seemingly exhaustive statutory interpretation exercise, the Federal Court says: this [REDACTED FOR PAGES] extraterritorial CSIS intrusive investigative activity was not within Canada.

Let's assume that hacking into Bob's Gondor Mail would also exceed whatever threshold of impermissible extraterritoriality was at issue in the Federal Court case. That is, it too would not be "within Canada". So, CSIS, in our story, you are out of luck. Maybe you should just ask Gondor to collect and share the Gondor Mail communications itself?  But do you want to rely on Denethor II, son of Echtelion II, Steward of Gondor? In The Two Towers, he struck me as a bit unhinged, to be honest.  And perhaps he was a little too inclined to appeasement to Mordor.

The CSE Knock-On Effect

Ok, then. Open Door Number 2: if the communication is not “within Canada”, then that must mean that CSE can, in fact, collect under Mandate A (foreign intelligence). Surely, if the communication being targeted is not within Canada (and involves no one, but foreigners), then CSE collection activities are not being “directed at Canadians or any person in Canada” (the quoted phrase being a stipulation that limits what CSE can do under Mandate A).  But hold that “surely”.  It is a bit disingenuous to say: “so we are investigating Bob, who is a person in Canada, and we are specifically interested in Bob, and that is why we are doing this collection activity, but when we go after this particular communication, we are not directing collection at Bob, the person in Canada”.  That seems too clever by half.

And anyway, the Federal Court has a collateral discussion in this case with knock-on implications that will make life for CSE very difficult. Basically, intrusive activity overseas of the sort at issue in the case (whatever they may be) constitute an extraterritorial exercise of enforcement jurisdiction. Done without the consent of the territorial state, this violates international law. And Canadian statutes will be read to comply with international law, unless they explicitly derogate from it. And neither the CSIS Act (for s.16, but not for s.12) nor the current National Defence Act (for CSE) nor the proposed Bill C-59 CSE Act derogate from international law. (On the latter issue, see my discussion here.)

So CSE, you have no legislative jurisdiction to engage in extraterritorial activities of (at minimum) the same degree or more intrusive than the ones at issue in this Federal Court case.  Which means you can kiss Mandate A and B goodbye under the current National Defence Act, to the extent they exceed this threshold (which, reading between the redactions, is quite low). And unless you amend bill C-59, you can also kiss those defensive and active cyber powers away.  Unless, that is, you just want to plow ahead and see what the Intelligence Commissioner, the new National Security and Intelligence Review Agency, and the National Security and Intelligence Committee of Parliamentarians have to say about this issue. This, in my view, would be insane, since a quick flick of the legislative pen could cure this problem for you, CSE.

Fixing the CSIS Act

As for CSIS, well, you could roll the dice and appeal. Or you too could fix this by legislative amendment (which is what happened to the s.12 power when this same issue arose a decade ago, and was resolved by 2015’s C-44). 

But let’s be clear here: if you want CSIS to have its current extraterritorial security intelligence functions (plus its post-2015 threat reductions powers) and now extraterritorial foreign intelligence functions, you are creating, essentially, a blended MI5/MI6.  And until recently, it was considered a bad idea to put security intelligence and a full foreign intelligence function in the same agency: rule-of-law security intelligence should be kept segregated from somewhat-less-than-rule-of-law James Bond.

So, we might wish, finally, to do some serious thinking about design issues, accountability issues, resource issues, training issues, etc, before we knee-jerk amend the CSIS Act (yet again). So, enter a ponderous process of deliberation. On the other hand, this is not a situation you want to leave hanging. Because in my story, Bob from MALICE is still out there, swanning away on Gondor Mail. (In truth, I don’t know how important that prospect is – it took to 2018 before this issue got to court, and yet presumably the technological dilemma I describe here could have arisen decades ago. So maybe this case won’t have much practical effect.)

But bottom line: sometimes national security law is hard. And perhaps it is sometimes harder than it has to be. I think it’s often hard because we don’t update the statute law enough. But that’s just me.

Bill C-59 and the Judicialization of Intelligence

With the teaching term winding down, I am preparing more formal papers, stitching together pieces memorialized as blogs on this site. My first effort is here. Abstract:

Canada's Bill C-59 responds to quandaries common to democracies in the early part of the 21st century. Among these challenges: How broad a remit should intelligence services have to build pools of data in which to fish for threats? And how best can a liberal democracy structure its oversight and review institutions to guard against improper conduct by security and intelligence services in this new data-rich environment? This paper examines how C-59 proposes re-shaping the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE) in fashions responding to these dilemmas. Specifically, it highlights C-59’s proposed changes to CSIS’s capacity to collect bulk data as part of its intelligence mandates, and also the new oversight system proposed for CSE’s foreign intelligence and cybersecurity regimes. The paper examines the objectives motivating both sets of changes, and suggests that in its architecture, C-59 tries to web together the challenges of intelligence in a technologically-sophisticated, information-rich environment, with privacy protections derived from a simpler age but updated to meet new demands.

The Judicialization of Bulk Powers for Intelligence Agencies

Personal Speaking Notes (February 2018)

(posted publicly with permission)        

I have been asked to reflect on common trans-Atlantic intelligence dilemmas, and then a variation on our traditional trans-Atlantic search for solutions.  To that end, I’ll say a few words about both the UK Investigatory Powers Act and some of the proposed aspects of bill C-59. 

In some large measure, both the UK IPA (Investigatory Powers Act) and C-59 constitute what former CSIS director Jim Judd once called “the judicialization of intelligence”. Mr Judd raised concerns about this development.  Intelligence has traditionally operated in a manner obliquely governed by law, if at all. There is a disconnect between a covert intelligence function – and its requirements – and the more overt culture of law and lawyers and judges. Intelligence needs are fluid.  Law is rigid. Intelligence needs are immediate and exigent. Law can be laborious.

But law has inevitably encroached on intelligence. An academic colleague – Dennis Molinero – has uncovered a trove of documents from the 1950s.  At that time, these documents show, national security domestic intercept warrants were issued by Prime Minister Louis St Laurent as an exercise of discretionary power under something called the Emergency Powers Act. There was the vaguest of statutory imprimaturs, and certainly no independent judicial oversight in the form of preauthorization.

We abandoned that approach in 1974, and the original iteration of the what is now Part VI of the Criminal Code.  And in 1984, we built CSIS search and seizure around a judicial warrant process – and the next year, the Supreme Court decided Hunter v Southam. Since then, in cases like the Federal Court of Appeal’s decision in Atwal, through to Justice Crompton’s recent decision in the In the Matter of Islamist Terrorism case, the domestic intelligence search and seizure expectations have been placed on a constitutional footing largely indistinguishable from that of criminal law.

In the IPA, the UK has moved considerably closer to our model than had been the case before. Once the purview of ministers, executive warrantry is now supplemented by review by judicial commissioners.  The shorthand is: double-lock (executive approval of a warrant supplemented by judicial review, prior to execution).

But in Canada, we have yet to address two dilemmas also at issue in the IPA. Both fall in the realm of what in the UK context is called “bulk powers”.  And since in bill C-59 we moving in this area, and judicializing, it is on this topic I wish to focus a few remarks.

So first, let me define bulk powers: a bulk power is one that allows intelligence agencies access to a large quantity of data, most of which is not associated with existing targets of investigation. It is the mass access, in other words, to data from a population not itself suspected of threat-related activity. The commonplace example, since Snowden, is internet or telephony metadata for entire populations of communications users.  But bulk powers can also involve content, and not just the metadata surrounding that content.

Bulk powers are controversial – they are the heart of the post-Snowden preoccupations. They inevitably raise new questions around privacy, and in the Canadian context, Charter rights.  Not least: bulk powers are irreconcilable with the requirements of classic warrants. There is no specificity. By definition, bulk powers are not targeted; they are indiscriminate.

In the IPA context, the world of bulk powers can be divided into bulk interception; bulk equipment interference; bulk acquisition; and bulk personal datasets.  Of these, I want to focus on bulk interception and bulk personal datasets.

Bulk interception is what is sounds like: the collection of transiting communications passing through communications providers or otherwise through the ether. 

Canadian law permits bulk collection by the Communications Security Established, our signals intelligence service. It is subject to the caveat that acting under its foreign intelligence or cyber security mandate, CSE may not direct its activities at Canadians or persons in Canada. But in practice, bulk interception cannot be limited to foreigners, even if the objective is foreign intelligence. The way communications transit the internet and other communications systems creates a certainty that bulk intercept directed outside the country will intercept the communications of Canadians and persons in Canada.  This is known as incidental collection.

In Canada, we have struggled with this issue. Part of the answer is in Part VI Criminal Code. As you know, it outlaws unauthorized intercept of private communications. A private communication is one with at least one end in Canada. Since in bulk interception, at least some private communications would be captured in a manner meeting this definition of intercept in Part VI, CSE must be exempted from its reach.  And that is what the National Defence Act does, where CSE acquires a defence minister authorization in advance for at least the class of foreign intelligence or cybersecurity activities that might capture this private communication.

The constitutional issue is more fraught. Not least, the defence minister is not the independent judicial officer invoked as the gold standard under Hunter v Southam for Charter section 8.  The consequence has been the constitutional lawsuit brought against CSE by the BCCLA associations and now efforts at refinement in C-59.  And specifically, C-59 anticipates a quasi-judicial intelligence commissioner who will review the ministerial authorization before its execution. This past week, representatives of the CSE testifying before the Commons committee accepted the underlying constitutional expectation: They said under C-59, CSE will seek ministerial authorization (which in term triggers review by the intelligence commissioner) for any activity that would interfere with the reasonable expectation of privacy of a Canadian or a person in Canada, or contravene an Act of Parliament.

I am hoping that signals a willingness to amend the bill to say just that, on its face, but for our part my key point is this: C-59 clearly accepts the underlying premise: judicialization of bulk intelligence interception. In this respect, C-59 emulates the IPA.

But I wish to be clear, again: this is not a warrant. It will lack specificity. It will be issued for classes of activities, not specific activities or operations. It is review on reasonableness of a ministerial authorization, not the more hands-on warrant process. Does that meet Hunter’s standards?  I am inclined to suggest, yes, because the warrant cookie cutter cannot possibly apply to a form of bulk intercept in which intercept of s.8 rights-bearer communications is entirely incidental, and not targeted.

Before leaving CSE, I will say a word about another C-59 change.

We have also gone one step further than the IPA in giving CSE a specific offensive cyber mandate – called active cyber.  This could and almost certainly would implicate equipment interference, but interference untied to information acquisition and instead done “on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.” 

At present, there is considerable debate in Parliament about whether the intelligence commissioner should have advance oversight responsibilities in relation to this mandate.  Currently, he or she will not.  I am of two views on whether judicialization in this area would be wise or not.

Turning to domestic-facing bulk powers, I need to switch agencies and talk about CSIS.  And here we have drawn clear inspiration from the IPA in the area of bulk personal datasets.  The UK understanding of this expression is an apt descriptor of what is now also in play in Canada:

"A bulk personal dataset includes personal data relating to a number of individuals, and the nature of that set is such that the majority of individuals contained within it are not, and are unlikely to become, of interest to the intelligence services in the exercise of their statutory functions. Typically these datasets are very large, and of a size which means they cannot be processed manually."

Why have such things? The C-59 changes are a response, yes, to the Federal Court’s 2016 decision on what was known as ODAC.  But it also responds to a broader concern about the ambit of the Service’s threat investigation mandate. That mandate is anchored in s.12 of the CSIS Act. As interpreted by the courts, it permits the Service to collect, and analyse and retain information and intelligence respecting activities that may on reasonable grounds be suspected of constituting threats to the security of Canada, to the extent strictly necessary.  As Justice Noel and Justice Crampton concluded in both the ODAC case and the more recent In the Matter of Islamist Terrorism decision, this is a significant fetter on CSIS. It ties information collection, retention and analysis to a narrow band of threat investigations.  It also makes it difficult for CSIS to change the frequency of its fish radar and expand its reach to search other parts of the ocean for fish that have not already come to its attention.

A spy service fishing in more ocean is, in some eyes, the stuff of Big Brother and nightmares. On the other hand, an intelligence service that cannot have access to the ocean in performing its function is also likely unable to perform its functions very well.  And there is a lot of ocean out there in the digital era.  So how can we reconcile oceans full of data generated by innocents with the intelligence function of clearing the fog of uncertainty and revealing not just the known threats but also the unknown threats?

The solution in both the UK and Canadian context is to judicialize the fish detecting radar. And the model is again a double lock: ministerial approval for ingestion of datasets and judicial commissioner approval.

The result, in the Canadian context, is enormous complexity. Broadly speaking, there are a set of legislated rules in C-59 for the ingestion of datasets, and then a more demanding set of rules for the digestion. (I credit a Department of Justice lawyer for this ingestion/digestion analogy, which is quite apt).  So for Canadian datasets – datasets primarily comprising Canadian information – there is approval of classes of datasets that may be ingested by CSIS by both the minister and the quasi-judicial intelligence commissioner.  Once ingested, there is a limited vetting by CSIS.  And then any subsequent retention for actual use – that is digestion -- must be approved by the Federal Court, which is empowered to impose conditions on that subsequent use.  There is also a requirement that querying generally be done only where strictly necessary in performance of CSIS’s mandates.

I have included charts in the materials. (See also here).

Those charts show why some intelligence operators complain that C-59 is a gift to lawyers.  I suppose it is no surprise, then, that I think this is a clever regime.  Not least, it short circuits inevitable frontier s.8 issues; to wit, does s.8 attach to the big data analysis of information, the individual bits of which triggers no reasonable expectation of privacy. It seems almost certain that the jurisprudence will get there. C-59 heads this issue off at the pass by superimposing independent judicial authorization guiding and conditioning that big data analysis.

So, on that happy note, I shall end there.

Thank you.

The (Quasi) Judicialization of CSE Cyber Operations (Active & Defensive)

 

As noted in my prior post, there are a number of really interesting briefs prepared by various stakeholders, going into the next round of House of Commons legislative hearings on bill C-59.  Many seek to ratchet tighter the accountability structures in the bill, especially for CSE and CSIS (where they don’t call for the outright abandonment of these agencies’ proposed new powers).

I haven’t had chance to review all the specific ideas, but two of these sets of recommendations stand out for me in this area.  In my last post, I addressed the question of “publicly available information”.  In this one, I want to noodle through the extremely complex question of whether the Intelligence Commissioner should have oversight jurisdiction to vet and approve, in advance, and on a reasonableness standard CSE’s proposed active and defensive operations (“cyber ops”).

Citizen Lab and the current CSE commissioner have both urged this role for the new Intelligence Commissioner, supplementing that official’s responsibility to vet ministerial authorizations issued for foreign intelligence (FI) and cybersecurity (CS).  (As an aside: for my part, I have suggested that the ministerial authorizations for FI and CS do not meet constitutional standards, because they are only required where CSE violates an “Act” through its collection.  So if at issue was “private communication”, intercept without authorization would violate the Criminal Code.  But the government has argued that private communication does not include metadata.  In fact, there is no Act of Parliament violated by the foreign collection of metadata, including the incidental collection of Canadian metadata -- if there was, CSE would have been violating it for years. And so, under the current drafting of C-59, there is no requirement to seek a ministerial authorization vetted by the IC.  And yet, there is a clear constitutional privacy interest in that metadata. There is *nothing* in either the current CSE law or the proposed CSE Act that meets the standards in the jurisprudence permitting “warrantless” intercepts -- or could meet that standard, in my view, given the nature of CSE’s bulk activities. End result: a new constitutional lawsuit, scandal, acrimony, disaster. Please, please fix this! Make sure the authorization process is triggered by all collection activities or classes of activities that engage information in which a Canadian or person in Canada has a reasonable expectation of privacy.)

The CSE Act Structures Cyber Ops MAs and FI/CS MAs Differently

But back to the proposal to extend the IC function to cyber-ops.  First observation: for cyber-ops, ministerial authorizations are required for all cyber-ops (s. 23(2)(b)).  This isn’t like FI and CS, where there is a trigger obliging some activities to go for approval and not others (s.23(3) and (4)). In my comment above, I suggest the FI/CS MA trigger is too narrow. I *want* to steer FI and CS activities that implicate Charter rights into the MA and then the IC process. But I am not proposing steering those that *do not* otherwise violate Canadian law through this process.  I do not think, for instance, that a CSE targeted intercept that collected the telephone call of a foreign person in a foreign state, with no prospect of any nexus to Canada, attracts Charter rights. Without embarking in a discussion of the Supreme Court’s (unclear) Hape decision, it would be unlikely that the Charter applies, and that the target has any section 8 rights. And I am not among those inclined to think international law imposes meaningful privacy obligations on Canada in these circumstances – and certainly not a judicial pre-authorization requirement.  I do think there could be extraterritorial enforcement jurisdiction violations in international law, but in the area of spying it is a close call; international law is, as I have said, creatively ambiguous in this area. So I would not embark on the “judicialization of intelligence” in such a manner, again assuming there was no prospect of a Canadian nexus.  I make these sorts of points in greater detail in this article.

So my initial point: To simply superimpose IC oversight on cyber ops MA means, under the current architecture, asking the IC to approve all CSE cyber ops activities. (ss. 30 and 31). 

Would this be a good thing?

That may sound like a good idea right out of the gate.  But I have been going around in circles because I find it complex. I thought I’d memorialize my struggles.

  • First, cyber ops should not, if the Act is applied properly, implicate the collection of information, except as properly authorized by a FI/CS authorization (s.35(4)).  Right away, this makes it unlawful under the statute to use cyber ops as a stalking horse for some sort of autonomous information collection activity (on top of likely unconstitutional to the extent that information collected does attract s.8 protections). So the privacy issues should be muted here, even if the activities authorized by the cyber op authorization may involve some of the same techniques/practices.
  • Second, some cyber ops may implicate other Charter rights and Canadian law. At first blush, this may be rare (even very rare) because those rights and laws are usually confined to the territory of Canada. That said, the “real and substantial connection” test may make things like criminal mischief commenced here and remotely conducted against a foreign computer a crime with a sufficient nexus to Canada. But I am not sure that superimposing the IC into the approval process for such actions is an *obligation*.  We do allow our security services to break statute law in pursuing aspects of their mandate and we don’t always require pre-authorization by a judicial officer.  For example, Criminal Code, s.25.1 for the police allows law-breaking through administrative approvals within the police services.  On the other hand, CSIS threat reduction power does oblige judicial pre-authorization for breaches of Canadian law, which would presumably include overseas conduct that, on a real and substantial connection to Canada basis, violates Canadian law (or in some other manner where the Canadian law applies extraterritorially).  The CSE Commissioner, in his brief, points to this CSIS precedent to justify his view that cyber ops should be subjected to IC oversight. It is hard to argue against this parallel.
  • Third, international law may be breached by cyber ops.  (And indeed, international law is likely breached by CSIS extraterritorial threat reduction and perhaps intrusive surveillance done in violation of a foreign state’s laws, and thus its sovereignty.  That is a violation in the area of extraterritorial enforcement jurisdiction.  I have argued that this international law breach would require pre-authorization by the Federal Court, under the current CSIS Act. See here.) Invasive cyber conduct and international law is an issue I have discussed here, in the context of covert action.

This third argument is a strong justification for an IC involvement in cyber op authorizations.  But it depends on a final supposition: that either international law or domestic law or good policy is served by having an independent judicial officer scrutinize Canada’s international conduct and bless (or not) breaches of it. There are many, many areas where Canada’s international obligations are engaged where we do not involve pre-vetting by judges. The overseas conduct of the Canadian Armed Forces is an example.  When the Canadian Armed Forces chooses to bombard an enemy, say in Afghanistan, it is reviewed for legality under international law, most notably by the JAG team.  But they do not seek the blessing of a judge. Our system expects (and under the terms of the Baker decision of the Supreme Court, I would argue, obliges) members of the executive to observe Canada’s international obligations in exercising their discretion.  But we do not then submit that judgment to advance approval by a judge – indeed, it is near impossible to subject it to any form of judicial review, as many of these matters are considered non-justiciable (if they do not raise Charter issues, which as suggested above they rarely do).

CSE cyber ops are the sort of activity that would typically be considered an exercise of defence or foreign policy, and absent some statutory displacement, governed by the royal prerogative.  That is why the military could hack away and turn off lights and never need to meet a statutorily-prescribed approval regime.  But because CSE only has statutory powers (since 2001), it must look to its statute to find the power for cyber ops. Hence, C-59.  So the question is: because CSE is a statutory creature, should the once relatively unfettered powers to engage in defence and international affairs now implicate judicial pre-authorization?

This provokes additional questions: would we be best served by an IC looking at all cyber ops to establish the reasonableness of them?  If so, would the IC be empowered to assess the inevitable political dimension of the minister’s authorization – his or her judgment, for example, that the security risk posed by a malignant server justifies CSE reaching out and turning it off? Or would we craft language confining the role of the IC to indisputably legal issues? If so, would the IC be better equipped to assess Canada’s compliance with international law than the executive?  Which raises a question: then why stop with IC involvement in the cyber world? Should the artillery officer's orders also be pre-vetted by a Combat Commissioner for compliance with IHL (international humanitarian law)?

The bottom line: I am torn on this issue. I worry about giving the IC too global a role in areas of high policy where he or she would not be equipped to apply rules, but rather second guess political judgment.  For one thing: the IC then ends up wearing whatever they approve.  And if they dispute, without clear legal standards to ground that dispute, then we have a clash of responsibilities. Who should be responsible for these decisions of high policy: a minister accountable to Parliament or an appointed quasi-judicial officer?

On the other hand, if you agree that judicial pre-authorization is required for extraterritorial CSIS threat reduction (at minimum), what’s good for CSIS under threat reduction should probably also be good for CSE under cyber ops. I must say, in both cases, I wonder a lot about what a court (or the IC, if its remit is extended) would say in response to an op that violates, say, the sovereignty interest of a foreign state.  This is a whole lot of novel territory.  Which makes it interesting, but also worthy of close consideration.

I am probably missing much and wrong on other issue, but heck, it’s my blog.  This is probably one of this entries that will soon be supplemented with a lot of supplemental additions.

 

C-59 and collection of all that is in the eye of the beholder?

A number of really interesting briefs have been prepared by various stakeholders, going into the next round of House of Commons legislative hearings on bill C-59.  Many seek to ratchet tighter the accountability structures in the bill, especially for CSE and CSIS (where they don’t call for the outright abandonment of these agencies’ proposed new powers).

I haven’t had chance to review all the specific ideas, but two of these sets of recommendations stand out for me in this area.  Let me address the first in this post, and a second in one to follow.

Stakeholders have expressed a recurring concern about “publicly available” information.  Both CSE and (to a slightly lesser extent CSIS, in relation to datasets) are exempted from the special oversight accountability structures imposed on information collection, where the information is said to be “public”.  Indeed, in relation “publically available information”, CSE is relieved of its obligation not to direct its activities at Canadians. Neither the CSE nor the CSIS dataset rules include a truly meaningful definition of public information, raising concerns about the fuzzy line between public and not-so-public.  The phone book (does it still exist?) is one thing. Hacked information now spilled out on the web and technically publicly available "at the time of its collection" (the CSIS definition), is another. Should there be safeguards on its collection, retention and use by intelligence agencies?  The CSIS amendments provide rules on the retention, querying and exploitation of public information, yes, but exempt it from the more thorough independent vetting system for other sorts of datasets.

On the one hand, it would be naïve and prejudicial to ask intelligence agencies to turn a blind eye to any source of information within legal mandate and contributing to their mission.  On the other hand, it would be pernicious to create a nudge-nudge-wink-wink intelligence service market for unlawfully acquired information.  Or even, possibly, lawfully released information revealing personal information in unexpected ways.  Given the Supreme Court’s trajectory, it is possible it will ultimately conclude that a person retains a constitutional privacy interest in even public information (at least of a certain character). 

But even if Charter s.8 does not go this far, there may be policy reasons to treat the state’s acquisition of “public” information differently than similar private sector activities. For one thing, the private sector is not generally equipped with guns and jails and the coercive apparatus of the state.  Nor does it have access to the full panoply of information we are all compelled to provide to the state, in our interaction with its regulatory function (think tax info). So the state has unparalleled capacity to scrape public information and combine it with both closed intelligence and other state-acquired information.  That gives “public” information a qualitatively different significance in the hands of the state.  Predicting in advance what implications this has is impossible, which is an argument in favour of an independent oversight function even where “public” information is at issue.  (Back-end review seems insufficient, especially since review bodies have powers of recommendation, only. And in some instances in the past, issues raised by these bodies have taken years to redress. Independent pre-authorization, required to undertake the activity, is a more robust way to oblige careful consideration of the dilemmas, and if section 8 were ever engaged, is likely required anyway.)

All of this is to say that these concerns are worth redressing, at minimum by plugging even public information acquisition into the independent vetting systems anticipated for both CSIS datasets and CSE foreign intelligence and cybersecurity mandates.  I fear that otherwise, this issue will become a festering source of unease about the good faith of the security services, and perhaps a source of future controversy.

A One-Word Fix: Bill C-59, the Constitution & Communications Security Establishment Activities

As the parliamentary season starts, I have begun working up more detailed thinking on bill C-59, the government's massive national security law overhaul. A lot of this bill is about heading off constitutional and other legal train-wrecks. But it also includes measured moves into new areas, with attention to drafting these powers in manners that (hopefully) will not ignite new legal controversies. In some respect, it is about getting the law out of the way as a source of doubt, at the cost of accepting more structural checks and balances.

In a first note, I set out observations on the new "intelligence commissioner" process for CSE foreign intelligence activities. The focus here is on the question of whether C-59 is enough to cure the constitutional objections to CSE's current manner of operating. For what it is worth, I think it is one word away from doing that.

The Shiny Bauble of Ministerial Responsibility

There is another issue not addressed in the paper. Does the presence of the intelligence commissioner constitute an erosion of ministerial responsibility? This seems to be a recurring issue in some parts of Ottawa. I am not entirely sure everyone means the same thing in discussing the concept, but what it means is: a minister answerable in Parliament for subordinates, and responsible for the conduct of those subordinates.

Those who have read some of my public law work will know that my view on ministerial responsibility in Canadian government in relation to the second half of the above sentence is: "What a wonderful idea. Too bad it doesn't exist." As I concluded after surveying practice between 1950 and 2009, it is rare to the point of being unknown for ministers to resign in response to wrongdoings committed by their subordinates, at least officially. (Senator Forsey arrived at similar conclusions in his notable 1985 work, The Question of Confidence). The buck-stops-here concept of ministerial responsibility is a magnificent myth, not a reality. There is a reason why Donald Savoie called one his books "Breaking the Bargain".

So, it seems a bad idea to preserve a myth by insisting on a form of unilateral executive oversight of CSE activities that is almost certainly unconstitutional without the interpostion of an independent judicial officer.

And in the area of CSE, there are several additional exhibits tending to suggest that the status quo is a bad idea.  First, on information and belief, the minister of national defence's office has not had the internal capacity (at least in the past) to "red team" thoroughly CSE authorizations to intercept private communications.  Put another way, I fear ministerial oversight has been modest.

Second, so modest has been ministerial oversight in this area that when the Snowden disclosures came out and there were revelations of CSE collection of Wifi information from Toronto airport, it was CSE's review body that stepped most vocally into the breach to offer conclusions and observations. Put another way, the review body took bullets, something that should never happen in a world with functional ministerial responsibility.

Third, C-59 does not actually remove the minister from the driver's seat. It just puts the intelligence commissioner in the back seat, looking over the minister's shoulder.  Unlike with conventional warrants, which judges shape (albeit with input from government lawyers), the C-59 system requires the minister to kick first at the authorization can, and set the terms and conditions.  Only then does the intelligence commissioner review and bless (or not). This is a double-lock system in which the minister turns the key first. It is not one in which the ministers is subordinated. Instead, he or she is watched.

As my article suggests, I think this is probably the most clever way to square the constitution with CSE's rather sui generis activities.  Take it away, and you run the real risk that the current system ends up at the Supreme Court. That Court has, of late, rarely turned down an opportunity to apply new understandings of privacy rules to new technology. Leaving it to the Court to speak first on this issue -- and perhaps narrow the range of options -- would be a huge mistake.

Added to which: a court finding that CSE's activities since (probably well before) 2001 have been unconstitutional would be disastrous for CSE. Indeed, even as we need to call upon it to do more in the area of cybersecurity and cyberassurance in the public and private sectors, its reputation would be shattered.  And those private sector companies that touch it with a ten foot pole risk collateral reputational injury.  Put another way, C-59 needs to solve the problem of a CSE currently tied to the tracks, with a Charter train rumbling toward it.

So you need to be a real risk-lover to preserve a status quo that a) does not include much, if any, real ministerial responsibility, but b) has managed to produce a lot of reputation-damaging fall-out.

Much Ado about Probably Very Little: Canadian intelligence and 2012 French election

Last week, some Canadian newspapers posted a story [here and here] about CIA documents leaked by Wikileaks. The second article described the implications of this document as follows:

On Thursday, WikiLeaks released three CIA tasking orders detailing their plan to closely monitor 2012 French presidential candidates, including current President Francois Hollande and current first-round frontrunner Marine Le Pen.

Canada is listed along with New Zealand, Great Britain, the United States and Australia in a section indicating which countries are assisting with the “HUMINT” or human intelligence aspects of the operation. Those countries make up the Five Eyes intelligence sharing alliance.

Within hours, the NDP was calling on the government to explain the document: “Canadians don’t expect their government to spy on our closest allies, especially when it involves their own domestic elections. There’s nothing more sensitive than that, as we’re observing right now with the allegations in the U.S. election.”

This was a remarkable escalation of events.

The actual documents are here.  Like most leaked documents, they lack context, even if they are genuine.  More than that, they are also sprinkled with agency nomenclature that requires parsing.

The single reference to Canada reads:

Apparently on this basis of this single reference, the news reports concluded Canada was asked to "assist" the CIA. (As the story eventually notes: "The documents contain only a single reference to Canada, making it unclear what parts of the CIA efforts Canada may have been involved in.")

But this whole allegation of Canadian participation seems (very) doubtful.  First, none of Canada's actual intelligence agencies has the legal competency to conduct covert, overseas HUMINT foreign intelligence gathering.  CSIS is confined to security intelligence in its overseas activities (and this France activity would not be security intelligence, as defined in s.2 of the CSIS Act). CSIS's broader foreign intelligence collection must be conducted "within Canada" under s.16 of the CSIS Act.

CSE is a signals intelligence agency and would clearly be acting outside of its statutory mandate in doing HUMINT.

Military intelligence operates pursuant to the royal prerogative of defence -- and it is hard to see how that fits.

Global Affairs Canada has a broader remit -- including under the general language of the DFAIT Act and also a conceivable remit under the royal prerogative relating to foreign affairs. It has no express statutory intelligence function, but its legal authorities are broad enough to allow it to collect information in its diplomatic/foreign relations function. Whether it runs covert HUMINT is another matter -- it has confidential contacts, but I'd be surprised to learn it runs more complex HUMINT sources. (Sadly, because Global Affairs is subject to no external independent review, there is little on the public record on its activities, but see this statement made to Parliament.  There, then-DFAIT specified "Canadian diplomats do not work under cover or collect intelligence covertly from human sources").

All of this is to say that there is only a narrow range of options if Canada were to participate in a (let us assume covert) CIA HUMINT foreign intelligence (as opposed to security intelligence) activity: either it is a Global Affairs program of greater breadth than what has been reported in the past, or it is a Canadian intelligence service acting illegally.

But we don't need to go down this rabbit hole for one reason above all else: the document does not seem to say what the news stories inferred. "S//REL TO USA, AUS, CAN, GBR, NZL" is a classification tag (governing intelligence sharing). It translates into Secret//Release to USA, Australia, Canada, Great Britain, New Zealand" (or, in other words, the Five Eyes). See this guide to US classification nomenclature.

It does not, in other words, mean (in any respect that I can discern) that Canada is "assisting with the 'HUMINT' or human intelligence aspects of the operation" (whatever those might be -- and the document is actually very unclear on what, if anything, was being done in terms of HUMINT).

Put another way, unless you want to believe that Canada must be complicit just because you don't trust intelligence agencies, there appears to be no evidence supporting the conclusion on a Canadian role reported in the news stories.

CSIS and the Metadata Muddle Pt 2: On Secret Law, Courts and the Rule of Law

This is the second of a series of blog entries on Noël J’s recent Federal Court judgment on CSIS’s retention of metadata from its warranted threat investigations. In my first entry, I tried to explain what this case is about.

In this blog entry, I begin to explore its implications, as I see them. First up: what a tangled web our legal system has weaved.

Secret Laws

Readers of this blog will know that I have developed an allergy to a commonplace practice in Canadian national security law: secret law.  As I have noted before, Justice Canada legal opinions construing the scope of vague, open-textured statutory powers have the de facto effect of legislating the practical reach of those powers.

These opinions are clothed in solicitor-client privilege -- with the end effect of allowing a tool permitting frank advice between lawyer and client to be used to deny the public access to a true understanding of how the government interprets its legal powers. That may happen also in other areas, but in this one, the Justice Canada legal advice often is the last say: the covert nature of national security activities means that no one may be aware of how these powers are being used, and in a position to adjudicate the true scope of the law in front of an impartial magistrate.

In the hot-house of internal government deliberations, legal positions that might not withstand a thorough vetting become sacrosanct. And subsequent construals of powers build on earlier, undisclosed legal positions, producing outcomes that are very difficult to understand.

Examples I have encountered in my wanderings include:

  • a conclusion that the actual physical amalgamation of information does not amount to collection in a legal sense (CSIS; and possibly also CSE) (either a variation of the issue in play in the Federal Court case, or the very issue at stake – I don’t know);
  • a conclusion that the compilation and analysis of metadata from travellers at a Canadian airport is not (as a legal matter) "acquisition and use" of information in a manner "directed" at Canadians or any person in Canada (CSE);
  • creative theories in the Re X case about CSIS extraterritorial warrants;
  • a conclusion that CSIS’s new Bill C-51 threat reduction powers, done in violation of the Charter, can be constitutional if done pursuant to Federal Court warrant;
  • a conclusion (or at least implication) that somehow, and despite its (admittedly tortured) wording, the new bill C-51 Security of Canada Information Sharing Act is lawful authority effectively trumping the Privacy Act;
  • a conclusion that the exception to the definition of “undermining the security of Canada” in that same Act does not exclude violent protest, advocacy or dissent (a reasonable policy position, but the “violence” qualifier is not in the Act);
  • a conclusion that narrows the textual reading of the bill C-51 “advocacy or promotion of terrorism offences in general” (again, a welcome policy position, but not the way the offence reads).

These are all conclusions that are difficult to view as guided by the law Parliament has enacted.

The CSIS Metadata Case

Enter the CSIS metadata case. As described in my prior post, this case turns on whether retaining “associated data” (that is, non-threat related information) collected in warranted intercepts of communications by targets was lawful.  The Federal Court concluded it was not. And it reasoning on this point is awfully compelling.

Less compelling is the argument offered by the Department of Justice in defending this practice.  And these arguments have knock on implications if they govern the legal advice given in other contexts.

Argument 1: The statutory limitations on CSIS’s intelligence gathering in section 12 are relieved by a Federal Court warrant.

That is, once a Federal Court warrant issues, then Parliament’s constraints on CSIS’s section 12 mandate do not matter any more.

Now, as someone who teaches public and constitutional law, and defends basic constitutional norms of parliamentary supremacy, and contests the delusion that (except in rare instances inapplicable here) the executive has powers beyond those granted by Parliament, this argument struck me as astonishing.  Here, the Justice Department is arguing that, in a secret hearing not subject to appeal in which only it is represented, it may negotiate a warrant with a court having the effect of superseding Parliament’s instructions on the powers CSIS is to have.

Let’s extend the Justice Department’s argument to the powers CSIS has after Bill C-51: it may do anything to reduce broadly defined “threats to the security of Canada” under section 12.1, so long as proportionate to the threat. Under section 12.2, it must not, however, engage in bodily harm, violate sexual integrity or obstruct justice.  In other words, Parliament sets an out limit (albeit a ridiculously undemanding one that we believe needs to be made more robust).

But, under the Justice Department legal reasoning, if CSIS goes to Federal Court and obtains a warrant (as it may do so under s.21.1), these limits could be superseded by the warrant.  And so, under the Justice Department logic, the Federal Court could authorize CSIS to, say, engage in targeted killing (remember, the C-51 changes also say that CSIS may, with Federal Court warrant, violate the Charter).

I have yet to meet the Federal Court judge that would authorize such a thing.  But that is not my point.  My point is that under the Justice Department logic, the basic constraints on CSIS’s powers legislated by Parliament in Bill C-51 can be negotiated out of existence in a secret, one-sided court proceeding, with no appeal.

Fortunately, Justice Noël rejects this Justice Department argument. But it is a bit terrifying it was ever made.

Argument 2: Metadata and the privacy issue. 

In a second argument, the Justice Department seemed to advance the view that metadata do not trigger privacy concerns under the Charter at the collection stage.  Instead, as I follow the discussion, that threshold is crossed when they are amalgamated and searched. 

The court did not resolve this matter, it seems to me. But it is another distressing position with ramifications across government (including in relation to the infamous CSE incidental collection of Canadian metadata in its foreign intelligence and information technology security functions). 

If accepted, this argument allows the accrual of vast pools of metadata, undisciplined by Charter collection rules.  Under Bill C-51’s Security of Canada Information Sharing Act, that information could then start sloshing about government.  At some point, the amalgamation and analysis of it would cross the Charter threshold, even according to the Justice argument.  But what happens then?  Are we to expect that government departments will come to Federal Court proactively seeking a warrant as they run algorithms through these databases?  Absent legislated structures, I don’t see this happening.

So, again, this is another unhelpful legal theory.

Argument 3: CSIS and its lawyers didn’t need to tell the Federal Court about the metadata retention. 

And now we get to the fireworks in this case: the duty of candour issue.  I shall do a separate blog entry on this issue in particular.  But among the other astonishing issues: the government lawyers apparently took the view that they did not need to tell the court how data collected under court warrant was being used, because the court did not have supervisory authority. This is a gobsmacking position, which basically confirms experience with other cases (like Re X): once the warrant walks out the door, the government does as it wills with it.  It is a legal position that court itself discards with some energy: the government legal view reflected a “worrisome lack of understanding”.

And so I can only expect at this point that every single Federal Court warrant will have a “return and report” clause affixed to them.  And the Federal Court will now move in the direction of the US FISA court in terms of auditing performance.

Which is fine, as far as it goes.  But what about all the other doubtful legal positions that never get in front of court – and they are likely legion.

Well, one of the most important aspects of the national security and intelligence committee of parliamentarians anticipated by C-22 is that they will have access to information that is protected by solicitor-client privilege.  If I was in charge, the first thing I’d do: an audit of national security legal opinions, done with the assistance of a small bevy of special advocates.

10 Minute Primers: An Enigma Wrapped in a Secret, Governed by Uncertain Law: CSE and metadata

Over the last several years and certainly since the Snowden revelations, there has been considerable discussion and controversy over the interception amd acquisition by Canada’s signals intelligence agency, the Communications Security Establishment, of metadata.  In this 10 minute primer, I do my best to lay out the basics on the legal and policy framework of this interception and collection, as well as discussing controversies and reform possibilities.

 

10 Minute Primer: An Enigma Wrapped in a Secret, Governed by Uncertain Law: CSE and metadata from Craig Forcese on Vimeo.

One Warrant to Rule Them All: Re-Conceiving the Judicialization of Extraterritorial Intelligence Collection

I have posted a draft chapter on the implications of bill C-44 and related matters for Canada's extraterritorial intrusive surveillance operations, especially for CSIS.  The paper can be found here.  The abstract is as follows:

Spying by Canadian agencies is now “judicialized” to an unprecedented extent. In the area of extraterritorial surveillance, the result has been a series of difficult court decisions, and an inadequate legislative response. This brief article explores these assertions. It begins by briefly setting the stage, examining the role and jurisdiction of Canada’s two chief intelligence services. The article then highlights recent controversies, before describing the arcane legal questions they have provoked. Finally, it suggests looking to the Australian model of distinguishing between anti-terror and other types of intelligence operations to bifurcate the judicialization of extraterritorial intelligence collection.

The Ugly Canadian? International Law and Canada’s New Covert National Security Vision

Speaking Notes

CBA National Section on International Law Notes
May 28, 2015

Craig Forcese

Thank you for your invitation.  I have been asked here this evening to speak about the international law aspects of two new laws – bill C-44, now enacted, and bill C-51, all but certain to be enacted by next week.

Most of you are probably familiar with at least C-51.  It is a large omnibus, with a number of moving parts.  But perhaps the most controversial part of the bill would give our covert security service -- CSIS – the powers to “reduce” threats to the security of Canada by taking any “measure”, except bodily harm, violation of sexual integrity or obstruction of justice.  

The government calls these “disruption” powers, although no one has clearly articulated what that means.  What we do know, however, from the legislative history is that the government intends CSIS to be able to pick from a menu of responses.  Politically, this has been painted as an anti-terror response.  Legally, CSIS’s new powers reach its entire national security mandate, and so apply to sabotage and espionage, violent subversion and so-called foreign influenced activities, as well as terrorism.

We also have some sense from the legislative history as what specifically the government has in mind.  Famously, the government has said it wants CSIS to be able to speak to parents of radicalizing children.  CSIS already does so, and so we need to look further. 

The parliamentary record includes suggestions that, legally speaking, the government believes the new powers could be used to interfere with mobility rights (as in returning Canadians); that the door is not closed legally speaking on rendition; and that the door is not closed in terms of some form of detention, although not criminal arrest. 

Other things that CSIS specifically identified as being among its new powers are “disrupting a financial transaction done through the Internet, disabling mobile devices use in support of terrorist activities, and tampering with equipment that would be used in support of terrorist activities”.

And the government also pointed to analogs – actually quite poor – in other laws that allows the state to remove content from the internet, in the context of discussing the CSIS power.  This suggests internet site take-downs are on the list. 

Exercising some of these powers would require warrants, because the bill requires a warrant where a measure would breach Canadian law or the Charter.

You may be less familiar with bill C-44.  This bill was tabled in the Fall, and on its face seeks to remedy confusion caused by a series of Federal Court cases concerning the extraterritorial reach of CSIS’s conventional surveillance jurisdiction.  Specifically, the court cases cast doubt on whether CSIS may legally conduct covert surveillance in violation of foreign law, and therefore territorial sovereignty. At any rate, they held that the court itself was not empowered to issue a warrant permitting such activity. 

Through a perplexing serious of events, these questions are now before the Supreme Court in the Re X matter, scheduled for hearing this Fall.

Critically, both C-51 and C-44 provide new extraterritorial reach for CSIS activities: they emphatically allow CSIS to operate internationally, and they emphatically allow courts to issue warrants in violation of foreign and "other (aka international) law.

Which brings me to today’s topic:  how it this to be evaluated with an eye to international law?  And do we risk becoming the proverbial “ugly Canadians”, because of international law banditry?

I will start by saying that the international law of spying is underdeveloped.  Certainly, sovereignty is a core precept of public international law, guarding a state’s essentially exclusive jurisdiction over its own territory.  A concomitant principle is the rule of non-interference in the internal and external affairs of any other state.

I want to focus first on collection of intelligence from human or electronic sources by non-diplomats.  Non-diplomatic state agents collecting human intelligence or engaging in electronic surveillance do not benefit from any diplomatic cover, or arguments that their activities fall within the scope of a diplomatic mission. 

They are, therefore, personally culpable for any violation of the laws of the state in which they spy, and their states are responsible for any resulting breaches of international law. 

On this last point, however, everything hinges on the breadth of the customary prohibitions on intervening in the internal or external affairs of any other state.  Does, for instance, a failure by a state agent to comply fully with the territorial state’s laws always amount a breach of sovereignty, and therefore of international law?

The exercise of what is known as “enforcement jurisdiction” by one state and its agents in the territory of another is clearly a breach of international law – it is impermissible for one state to exercise its physical power on the territory of another, absent consent or some other permissive rule of international law.  And so I pause here to say that much of the physical, kinetic activity that CSIS might undertake under C-51, done covertly without state consent, would violate international law.

More uncertain is whether a state agent’s violation of domestic rules through spying necessarily constitutes a violation of international law.

There is no international jurisprudence on peacetime espionage, state practice is a muddle, and the academic literature is deeply divided on the question of legality. 

Helpfully, the academic literature splits into three categories: those who regard espionage as illegal in international law; those who see it as “not illegal”; and those who envisage espionage as neither legal nor illegal. 

The very fact that there are three camps with such diametric and somewhat uncertain positions itself suggests that the third view – neither legal nor illegal -- lies closest to the truth: there is no clear answer on the international legality of extraterritorial espionage, assessed from the sovereignty perspective. And the international community seems content with an artful ambiguity on the question.

On the other hand, human rights principles constrain the means and methods of spying by prohibiting torture, cruel, inhuman and degrading treatment and unauthorized intrusions into privacy.  But when and whether these rules apply to extraterritorial spying is a complex question.

The answer to that question depends on whether international human rights instruments have extraterritorial reach.  Put succinctly, a state’s obligations under the Torture Convention extend to territories over which it has factual control.  Its ICCPR responsibilities, meanwhile, attach to persons under its effective control, including potentially those detained surreptitiously for purposes of interrogation. 

The rules governing extreme forms of interrogation do, therefore, extend to extraterritorially.  It is difficult to see, however, how the ICCPR concept of “effective control” applies to privacy interests and constrains, for instance, extraterritorial electronic surveillance.  Extraterritorial surveillance, almost by definition, will not be of persons within the spying state’s effective control.

I would note that since the Snowden revelations, there has been a lot of soft law emerging in this area – and so customary law here will likely become a moving target.  But we’re not there yet.

And so what does all this mean for CSIS going forward.  First, covert surveillance done without the consent of a foreign state may currently be ungoverned by international law – although whether it would nevertheless be governed by section 8 of the Charter is a novel issue that may well be reached by the Supreme Court in the Re X case.  And so international law is mostly unhelpful in assessing C-44.  (Subject to the caveat that the more kinetic the surveillance -- the more it amounts to a physical exercise of state powers -- the more likely it is to stray across an enforcement jurisdiction boundary).

The situation with C-51 is more complex.  Some of CSIS’s possible, so-called disruption activities clearly stray into the enforcement jurisdiction range: holding someone in custody; rendering someone.  These are kinetic activities of a sort that amount to enforcing state powers on the territory of another state. 

It is also possible to conceive of hacking into a foreign bank account to delete an account or attacking a foreign server to bring down a website as sufficiently physical acts in today’s world to amount to the wrongful exercise of enforcement jurisdiction.

More than this if CSIS detains someone or renders someone, it seems very likely that the human rights standards in the ICCPR apply.  The effective control standard would be met.

CSIS, review bodies, and courts will need to keep this range of possibilities in mind as they approach CSIS’s new powers.  It would be cardinal mistake to treat every exercise of CSIS’s new powers as equivalent, in international law. Each requires a unique international law assessment.

I will end on a final point: I mentioned that in both bills, the Federal Court is empowered to issue a warrant authorizing CSIS conduct.  At issue, however, is when the Service needs to seek a warrant – if it doesn’t need to actually seek a warrant, it can act unilaterally. 

C-44 is ambiguous – probably intentionally -- on this question.  It specifies no precise trigger for seeking a warrant.  The implied trigger would be whenever a warrant is required under the Charter.  Since the extraterritorial reach of the Charter is a disputed issue, we will need clarity from the Supreme Court on that question in Re X.

In C-51, a warrant must be sought if CSIS’s conduct will violate Canadian law or the Charter.  Canadian statutory law rarely applies outside Canada, and again the reach of the Charter is contested.  And so, this too risks becoming a closely litigated issue. 

To obviate the possibility of CSIS unilateral extraterritorial action, my own view would be that principles of customary international law, such as state sovereignty, are part of the common law of Canada.  Common law persists unless displaced by statute.  These are settled issues in Canadian law.  I would then argue that there has been no such displacement of the common law by C-51.  And since CSIS requires a warrant for a breach of Canadian law – a concept that properly includes common law – a warrant is required under C-51 every time the Service does anything that violates state sovereignty.

I suspect that the government will not warmly embrace this analysis.  And so I imagine some of these arguments will soon be made in a more formal setting.

Thanks for your interest.

Bill C-51 Backgrounder #3: Sharing Information and Lost Lessons from the Maher Arar Experience

We have now posted the third of a series of independent “backgrounder” documents that we shall author on Bill C-51, the Anti-terrorism Act 2015. All of these documents are archived at http://www.antiterrorlaw.ca.

The proposed Security of Canada Information Sharing Act in Bill C-51 declares a legitimate government interests in sharing information about security threats. Yet after close textual review, we conclude that the proposed law is both excessive and unbalanced. Why do we reach such strong conclusions?

The Act will relax constraints on the flow of information about “activities that undermine the security of Canada”. This is a new and astonishingly broad concept that is much more sweeping than any definition of security in Canadian national security law. In comes very close to a carte blanche, authorizing a “total information awareness” approach and a unitary view of governmental information holding and sharing. In that respect, we consider it a radical departure from conventional understandings of privacy.

The proposed legislation is unbalanced because it authorizes information sharing without meaningful enhanced review. While the bill pays lip-service to accountability, it does not incorporate an accountability regime matching its scope. Even as it erodes privacy, it fails to learn from the lessons of the Arar and Iaccobucci commissions of inquiry about the injustice that may stem from poorly governed information sharing.

The claim in the government’s backgrounder that the existing accountability institutions, including the Privacy Commissioner, are equipped for this task is not convincing to anyone familiar with the Arar report.

[NB: We have posted this paper for immediate download on SSRN. While SSRN catalogues the paper for inclusion in its holding, this page will be watermarked “Under review by SSRN”. Readers will still be able to access the paper.  We plan to upload revised editions as we add details and refine points. We have also posted to a “mirror” site, but will not update the paper here.]

Judicialization of Extraterritorial Spying: Gaps and Gap-Fillers in the World of CSIS Foreign Operations

I have posted my brief article on CSIS extraterritorial surveillance and related issues, expanding on testimony to the Commons Standing Committee on National Security on Bill C-44.  The article may be accessed via SSRN here.  The abstract is as follows:

Written in response to the tabling of Bill C-44 in the Canadian Parliament, this article addresses three issues: judicial oversight of foreign spying conducted by the Canadian Security Intelligence Service; judicial oversight of intelligence sharing between Canadian agencies and international security partners; and review of Canadian security and intelligence agencies. The article raises concerns about the status quo, and proposes reforms.

Foreign Spying, Information sharing & Arar Commission Fixes to Accountability: Brief on Bill C-44

Yesterday, the Commons Standing Committee on National Security and Public Safety asked me to present views on Bill C-44, amending the CSIS Act.  I was honoured to accept the invitation and thank the Committee members for their questions and clear and serious engagement on the issue.  What follows below is a copy of my statement, with annex.  Since by necessity, these remarks were somewhat telegraphic, I am presently drafting a slightly longer article amplifying my position, and explaining in more detail the rationale for some of the language in the proposed amendments.  Until then, I have posted before more detailed discussions of Wakeling, extraterritorial spying in C-44, and the bigger issue of accountability. Kent Roach and I have also opined on C-44 in the National Post.

**

November 26, 2014

My thanks to the Committee for asking me to testify today. I will focus exclusively on the foreign surveillance aspects of the Bill.  Later today, Professor Kent Roach will be appearing before you, and he will speak to the informer privilege component.

Summary

My views in brief:  I support the proposed amendments to sections 12 and 21.  That said, I think there are three omissions in this Bill that this Committee should correct.  I see these corrections as necessary to preempt another half decade of litigation, controversy and uncertainty.

Foreign Spying

Clause 8 addresses the core confusion flowing from three Federal Court decisions.  In enacting these amendments, you will now be emphatically asking a court to bless CSIS covert surveillance that may violate international or foreign law.

In our system, Parliament has authority to grant expressly powers that violate international law, so long as those powers do not then also violate the constitution.  I personally see no constitutional complaint, assuming we are confining our discussion to surveillance issues (and not, for instance, including interrogation or other more aggressive forms of investigation).

As noted, however, I do see several critical omissions in this bill. 

Uncertainty over “trigger” for seeking foreign spying warrant

First, it is not clear when the Service will be obliged to obtain a foreign surveillance warrant.  The existing statute speaks of “belief on reasonable grounds that a warrant is required”.  In a domestic surveillance operation, these grounds arise when failure to obtain a warrant would violate section 8 of the Charter (governing searches and seizures) or Part VI of the Criminal Code.

But the applicability of these two laws – and especially the Charter -- to foreign surveillance is uncertain.  As a consequence, the existing “reasonable grounds” threshold is unhelpfully ambiguous when applied to the new warrant powers in this bill. 

I think in the final analysis, a warrant will be required whenever foreign surveillance involves covert interception of telecommunications.  I also believe the amendments may be interpreted as requiring a warrant anytime an operation may violate international or foreign law.  

These would be sensible standards.  But because the bill is not emphatic, establishing these standards may require another round of litigation.  I strongly urge this committee, therefore, to preempt the necessity of another half-decade of uncertainty by adding clear language on the trigger for seeking a foreign surveillance warrant. 

I have proposed language in an annex to my brief.

Uncertainty over legality in CSIS’s international information-sharing practices

Second, since this bill was tabled, the Supreme Court has issued its decision in Wakeling.  The case concerned the RCMP, but the holding extends, in practice, equally to CSIS. 

A majority of the court concluded that section 8 of the Charter applies to sharing between Canadian authorities and foreign counterparts of intercepted communications.  To be constitutional, a reasonable law must authorize intercept sharing.  A reasonable law is one that includes sufficient accountability and safeguard regimes. 

Right now, there is no clear law on CSIS international intercept sharing.  At best, there is generic, more open-ended permission, which seems unlikely to survive constitutional challenge. 

I would strongly urge this committee to again preempt years of litigation by codifying an express statutory authorization for intercept sharing that also includes required safeguards.  I have proposed language in the annex addressing this.

Continued Failure to Respond to Serious Accountability Gaps

Last, we are now at the 10th anniversary of the Arar Commission.  I note with profound concern that Parliament has failed to legislate any of the Commission’s critical recommendations dealing with coordination between the review bodies for CSIS, CSE and the RCMP. 

Instead, we have closer and deeper coordination between security services, but review remains firmly limited to institutional silos.  And indeed, we have reported instances of the security services questioning, and perhaps impeding, the ability of review bodies to coordinate their review functions.

This bill gives CSIS a freer hand and will necessarily deepen its relationship with CSE and foreign agencies.  It should also include provisions that augment the authority of the review bodies to keep tabs. I propose language in the annex that addresses this concern.

Let me end with a related plea to this committee. CSIS’s review body SIRC is suffering the affects of neglect.  Its membership has been below strength for a considerable period of time, it has been rocked by scandal at the leadership level, and its level of resourcing has not kept pace with growth in the operational budget of CSIS. 

For all of these reasons, I would ask this committee to move on the issue of accountability.

Let me end there.

 

Annex: Proposed Amendments Correcting Omissions in Bill C-44

A. Amendments Clarifying When A Foreign Surveillance Warrant Would be Required

21. (3.2) For greater certainty, a warrant under this section is required for any investigation outside of Canada that

a) involves an investigative activity that, were it conducted inside Canada, would require a warrant by reason of the Canadian Charter of Rights and Freedoms, or

b) may be inconsistent with international law or the law of the state in which the investigative activity is conducted.

 

B. Amendments Making CSIS International Intercept Sharing Constitutional, Given Wakeling Holding of the Supreme Court of Canada

19. (2)(e) where a disclosure is made in accordance with a warrant or authorization issued under section 21 to a person or authority with responsibility in a foreign state for performing duties and functions analogous to those of the Service under this Act and is intended to be in the interests of the national security, national defence or international relations of Canada.

21. (3.3) (a) Information collected by the Service through the interception of a communication to which Part VI of the Criminal Code would otherwise apply in the absence of section 28 of this Act may only be disclosed under section 19(2)(e) in accordance with an authorization issued by a judge.

(b) The judge may issue the authorization referred to in paragraph (a) either as part of the warrant authorizing the interception of the communication in the first place or after a separate application by the Director or any employee designated by the Minister for the purpose.

(c) A judge may make the authorization referred to in paragraph (a) only where persuaded on a balance of probabilities that the information, once shared, will not be used for activities or purposes that violate international law, including but not limited to, torture as defined in section 269.1 of the Criminal Code or other forms of cruel, inhuman or degrading treatment or punishment within the meaning of the Convention Against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment, signed at New York on December 10, 1984.

 

C. Enhancing Coordination of Review Among Security Review Bodies to Reflect Recommendations of the Arar Commission

CSIS Act

56. (a)  If on reasonable grounds it believes it necessary for the performance of any of its functions under this Act, those of the Commissioner of the Communications Security Establishment under the National Defence Act, or those of the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act, the Review Committee may convey any information which it itself is empowered to obtain and possess under this Act to:

a) the Commissioner of Communications Security Establishment under the National Defence Act, or,

b) the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act

(b) Before conveying any information referred to in paragraph (a), the Review Committee must notify the Director and give reasonable time for the Director to make submissions. 

(c) In the event that the Director objects to the sharing of information under this section the Review Committee may decline to share the information if persuaded on reasonable grounds that the sharing of the information at issue under this section would seriously injure the Service’s performance of its duties and functions under the Act.

(d) If the Review Committee dismisses the Director’s objection, the Director may apply to a judge within 10 days for an order staying the information sharing.

(e) A judge may issue the stay order referred to in paragraph (d) if persuaded on reasonable grounds that the sharing of the information at issue under this section would seriously injure the Service’s performance of its duties and functions under the Act.

(f) At any time, the Review Committee may apply to a judge for a lifting of any stay issued under paragraph (e) on the basis of changed circumstances.

(g) For greater certainty, the Review Committee may request information it believes necessary for the performance of any of its functions under this Act from the Commissioner of Communications Security Establishment under the National Defence Act, or, the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act.

 

National Defence Act

274.64  (a) If on reasonable grounds the Commissioner believes it necessary for the performance of any of the Commissioner’s functions under this Act, those of the Security Intelligence Review Committee under the CSIS Act, or those of the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act, the Commissioner may convey any information which the Commissioner is empowered to obtain and possess under this Act to:

a) the Security Intelligence Review Committee under the CSIS Act, or,

b) the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act

(b) Before conveying any information referred to in paragraph (a), the Commissioner must notify the Chief and give reasonable time for the Chief to make submissions.

(c) In the event that the Chief objects to the sharing of information under this section the Commissioner may decline to share the information if persuaded on reasonable grounds that the sharing of the information at issue under this section would seriously injure the Establishment’s performance of its duties and functions under the Act.

(d) If the Commissioner dismisses the Chief’s objection, the Chief may apply within 10 days to a judge designated under section 2 of the CSIS Act for an order staying the information sharing.

(e) The judge may issue the stay order referred to in paragraph (d) if persuaded on reasonable grounds that the sharing of the information at issue in the application would seriously injure the Establishment’s performance of its duties and functions under the Act.

(f) At any time, the Commissioner may apply to a judge for a lifting of any stay issued under paragraph (e) on the basis of changed circumstances.

(g) For greater certainty, the Commissioner may request information the Commissioner believes necessary for the performance of any of the Commissioner’s functions under this Act from the Security Intelligence Review Committee under the CSIS Act, or the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act.

 

RCMP Act

45.471  (a)  Notwithstanding any other provision in this Act, if on reasonable grounds the Commission believes it necessary for the performance of any of its functions under this Act, those of the Security Intelligence Review Committee under the CSIS Act, or those of the Commissioner of Communications Security Establishment under the National Defence Act, the Commission may convey any information which it itself is empowered to obtain and possess under this Act to: 

a) the Commissioner of Communications Security Establishment under the National Defence Act, or,

b) the Security Intelligence Review Committee under the CSIS Act

(b) Before conveying any information referred to in paragraph (a), the Commission must notify the Commissioner and give reasonable time for the Commissioner to make submissions.

(c) In the event that the Commissioner objects to the sharing of information under this section the Commission may decline to share the information if persuaded on reasonable grounds that the sharing of the information at issue in the application would seriously injure the Force’s performance of its duties and functions under the Act.

(d) If the Commission dismisses the Commission’s objection, the Commissioner may apply within 10 days to a judge designated under section 2 of the CSIS Act for an order staying the information sharing.

(e) The judge may issue the stay order referred to in paragraph (d) if persuaded on reasonable grounds that the sharing of the information at issue in the application would seriously injure the Force’s performance of its duties and functions under the Act.

(f) At any time, the Commission may apply to a judge for a lifting of any stay issued under paragraph (e) on the basis of changed circumstances.

(g) For greater certainty, the Commission may request information it believes necessary for the performance of any of its functions under this Act from the Commissioner of Communications Security Establishment under the National Defence Act, or, the Security Intelligence Review Committee under the CSIS Act.

 

Judicialization of Intelligence Cont'd: Intelligence Sharing, Post Wakeling

The Supreme Court of Canada released its decision in Wakeling v. United States on Friday, adding another picket in the progressive hedging-in of intelligence practices by law.  In my view, the case has serious implications for CSIS (and potentially CSEC) international intelligence-sharing, to the point that conventional practices in the area are now constitutionally doubtful.  Placing those practices on a firmer constitutional footing is a reasonably straightforward fix.  The question in my mind is whether the government will use the opportunity presented by Bill C-44, amending the CSIS Act, to preempt the inevitable next generation of constitutional challenges.  Or alternatively will it follow what appears to be its standard practice of waiting until matters become so untenable that a legal fix is practically dictated to it.

Adding New Charter Rights to the Mix

Wakeling was about the sharing of intercepted private communications by the RCMP to US authorities in a drug case.  The intercepts were authorized under Part VI of the Criminal Code, the key wiretap provision in Canadian criminal law.  As issue was whether the further sharing of this lawfully intercepted communication was constitutional.

Six of the seven judges in the case concluded that the further sharing of lawfully intercepted communications engaged section 8 of the Charter, the protection against searches and seizures.  These six judges varied in their characterization of the section 8 interest, and in their assessment of whether the Part VI rules met the requirements of section 8.  But bottom line: a clear majority of the Supreme Court of Canada held that the transborder sharing of intercepted private communication must meet section 8 standards. (I will call this type of information "intercept information").

This is an enormously important holding.  Up to this point, most of us examining the legality of international information sharing have focused on the Charter section 7 protection involving threats to live, liberty and security of the person.  See, e.g., my article on intelligence sharing and torture.  I, like others, have argued that where intelligence sharing puts a person in peril of foreign mistreatment, it may be curbed by section 7 obligations (and indeed, may be actionable as a constitutional breach where it is not).  This section 7 issue arises in relation to any information sharing that causes such a peril, not just the sharing of intercept information.  So it would extend to, for example, surveillance records stemming from following someone in a public place.

Now, the Supreme Court has added a wrinkle and carved out an extra Charter protection when the information being shared is intercept information.  Here, Wakeling suggests, the sharing is not to be examined as a Charter section 7 issue, but instead as a Charter section 8 question.

When Does Information Sharing Trigger Section 8

Section 8 requires that searches and seizures of reasonable expectation of privacy (REP) information be reasonable.  The first issue, therefore, is whether the search or seizure implicated REP information.  In Wakeling, three judges concluded that section 8 was triggered not because the information sharing constituted a separate search above and beyond the original intercept, but because the "highly intrusive nature of electronic surveillance and the statutory limits on the disclosure of its fruits suggest a heightened reasonable expectation of privacy in the wiretap context. Once a lawful interception has taken place and the intercepted communications are in the possession of law enforcement, that expectation is diminished but not extinguished" (at para. 39). 

Another three judges phrased the matter a little differently: "In light of the intrusive nature of wiretapping, the highly personal nature of the information in question, and the very real risks that may be created by disclosure to foreign officials, it is clear that a substantial privacy interest remains in wiretapped information.  This restricts how the information may be divulged and used" (at para. 125)

While the wording of these six judges varies, I believe that nothing confines their holding to information intercepted under Part VI of the Criminal Code.  It shouldn't matter who is conducting the electronic surveillance.  It would be frankly unbelievable for the Court to conclude that RCMP intercept is sensitive, and CSIS and CSEC intercept less sensitive.  (Indeed, RCMP intercept is arguably the most benign, since it is part of criminal investigations and more likely then to feature in an open court trial.  CSIS and CSEC surveillance is almost always the darkest of secrets.)  And so if the intercept was instead conducted under the CSIS Act or by CSEC under the National Defence Act, the logic would remain, and the constitutional conclusions should be identical.

(A wrinkle for CSEC would be that intercept of Canadian communications under its independent, foreign intellignece mandate is supposedly done incidentally, and I believe that the Canadian information is then "minimized" to remove identifying information.  If only minimized data is shared, it may be that section 8 privacy interests are not triggered by the information sharing in the same way as they are by the actual collection.  So the CSEC discussion on section 8 and its application to intercept sharing would be more complex).

When is Information Sharing Compliant with Section 8

The most pressing issue must be whether a further sharing of intercept information is compliant with section 8.  Boiled to its essence, section 8 requires that information sharing to be reasonable.  And to be reasonable, it must be a) authorized by law, b) the law must be reasonable, and 3) the information sharing under that law must be carried out in a reasonable manner.

In Wakeling, the RCMP information sharing was (at least implicitly) authorized in Part VI of the Criminal Code itself, in section 193(2).  The six judges who agreed that section 8 applied ultimately split on whether this provision was reasonable.  That is what produced the ultimate outcome in the case.  But despite their differences, along the way, they can collectively be taken signal what is minimally required to be reasonable.

First, everyone agrees the sharing of intercept information must be prescribed by law.  It was for the RCMP in Part VI, as noted.  Life is much murkier for CSIS and CSEC.  Neither of these agencies have statutes in which an intercept power is then matched with express language on cross-border intercept sharing.  At best, the CSIS Act contains, in section 17, a power to enter into administrative arrangement that may reach information sharing, and in section 19, lists domestic (not foreign) bodies to whom disclosure of information obtained by CSIS may be permitted.  The National Defence Act doesn't even go this far.

And so, neither CSIS nor CSEC are empowered by express law to engage in international sharing of intercept information. 

The inevitable fallback would be section 8 of the Privacy Act, a generic, all-of-government provision that permits disclosure of personal information in limited circumstances.  One of those circumstances is disclosure "under an agreement or arrangement between the Government of Canada or an institution thereof and...the government of a foreign state, an international organization of states or an international organization established by the governments of states, or any institution of any such government or organization, for the purpose of administering or enforcing any law or carrying out a lawful investigation".  Another is disclosure "for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose".

So are these generic provisions enough to constitute "prescribed by law"?  Possibly, although the highly generic, non-intercept or agency specific nature of this permission may make the "authorization" so ambiguous that a court would disagree that even this basic, first requirement was met. The Supreme Court ducked this question in Wakeling.

At any rate, it seems very likely to me that even if it did see the Privacy Act as satisfying "presrcibed by law", a court looking to the signposts erected by Wakeling would conclude that this law was not itself "reasonable".  As noted, three of the Supreme Court judges conclude that the Part VI authorization was unreasonable.  These judges would almost certainly feel no differently about the Privacy Act, given its even more ambiguous and generic nature.  So three strikes right there.

For the three judges who held that Part VI's s.193(2) was reasonable, there were a number of considerations.  These included sufficient precision in terms of the purpose of the disclosure, sufficient precision in terms of to whom the disclosure was made, and (most importantly) the existence of safeguards.  The safeguards in section 193 included the overarching requirement under Part VI that intercepts ultimately be disclosed to the target.  That target is then in a position to pursue concerns and complaints, including about any further information disclosure.  Further, a failure to comply with Part VI intercept rules is a crime.  This creates an incentive for police to document properly their information sharing practices.  Moreover, police also use "caveats" in an effort to limit downstream use of the shared information.

These three judges did not insist that these accountability mechanisms all be present.  However, they were clearly moved by the fact that accountability mechanisms of these sort actually exist in deciding whether the law was reasonable.

At least arguably, the Privacy Act provisions are a lot more ambiguous and generic than the more express to whom and for what purposes disclosure requirements in Part VI.  Most critcially, none of the Part VI accountability mechanisms exist in the Privacy Act (although intelligence services do have a caveating practice).  In fact, there are no accountability mechanisms at all.  (I don't see plausible arguments that review body (SIRC) assessment cures the section 8 problems.  For one thing, that is retrospective and not prospective.  For another, it is haphazard: not all intercept sharing will be known to, or reviewed by, SIRC.  And so accountability would be accidental at best.  Ditto, even more so, for the Privacy Commissioner).

It stands to reason, therefore, that the Privacy Act disclosure provisions measure up poorly against Wakeling's section 8 requirements, as compared to Part VI. 

In the result, we should probably add another three judges to the column of "unconsittutional".  That makes a clear majority.

So that then means that intelligence service intercept sharing is not done pursuant to a law meeting section 8 requirements.  That would then trigger a section 1 analysis.  We know from Wakeling that at least three judges would likely reject a section 1 justification because of the absence of accountability mechanisms.  I would not hold my breadth on another three upholding the law on section 1 grounds, given how easy a cure would be in this case.

Cures

And so what would cure constitutional deficiencies in security service international intercept sharing?  Part VI outright disclosure of the fact of intercept to the target seems a non-starter because of the intelligence nature of the CSIS intercept (although frankly that issue remains to be litigated). 

The obvious cure is, therefore, a supplemental supervision of the information sharing by a proxy for the target.  Yes, three judges on the Supreme Court were disinclined to insist on "disclosure warrants".  But that was in a Part VI context, with that Part's existing accountability mechanisms.  Absent those accountability mechanisms, "disclosure warrants" in which a judge cures the section 8 problems by authorizing intercept sharing is much more plausible requirement.

In my view, the government would be wise to use bill C-44 to head this issue off at the pass, and introduce a) new language in section 19 of the CSIS Act expressly authorizing intercept sharing with a level of detail that reaches or exceeds that in Part VI of the Criminal Code (rather than crossing their fingers and hoping that the Privacy Act suffices) and b) introducing new features to the CSIS warrant provisions that includes a "first come back to the judge" requirement when intercepts are to be shared across borders.  (I find myself wondering if "coming back" could instead be "anticipate and make sure you seek express authorization initially".)

Other Stuff

Regardless of the outcome on the constitutionality of laws governing information sharing, the Supreme Court seems to have signaled expectations on how that intercept sharing is to be conducted.  Key passages from even the three judges who thought s.193 was enough suggest that the government must believe, objectively and reasonably that the information will not be misused for, e.g., maltreatment.  All those failures in the last decade to consider the record of a foreign state on torture would not be exonerated, and I think that a government that shares intercepts without contemplating these issues now has both Charter section 8 and section 7 exposure.

Conclusion

So to sum up: 1. Intercept sharing triggers section 8.  2. Section 8 requires that the sharing be authorized by law.  3. The law authorizing security intelligence service intercept sharing is, at best, broad and generic all-of-government permissions in the Privacy Act. 4. For this reason, it either is not enough to actually authorize the specific intercept sharing at issue or is so general and so lacking in accountability measures as to be itself unreasonable (and therefore unconstitutional).  5. So fix (at least) CSIS's governing law by, among other things, including express intercept sharing rules and then accountability mechanisms (most plausibly a judicial intercept sharing warrant). 6. Even if you have a constitutional law authorizing sharing, you must still exercise it reasonably, and that means no information sharing where you know or ought to know that it will exploited to visit maltreatment on a person.

If you fail to meet these standards, you violate the constitution.  And on top of everything else, that means you have civil liability exposure.  (Which makes me wonder if the people currently suing the government for the various information sharing practices of the past can amend their statements of claim post-Wakeling).