CSE

Bill C-59 Flowcharts: Revised and Expanded

Once more unto the breach...

Bill C-59 will hopefully, finally, soon (?) inch its way to the senate committee, after second reading (still underway) in the senate. I confess, I am looking at the parliamentary calendar and starting to feel a bit nervous. As readers of this blog or listeners to "A Podcast Called INTREPID" will know, I do not embrace every aspect of C-59. But I think it a vital bill -- and a vast improvement on the status quo -- measured on both accountability and security grounds. And in its absence, that status quo will oblige a number of public interest groups to reignite their various court challenges. (If I were the government, I'd be worried about at least some of those challenges.) And watchdog entities like SIRC will have to continue issuing reports saying CSIS is in non-compliance with its current laws (in relation to datasets) and the CSE commissioner will be obliged to continue its decade-long complaints about statutory ambiguities. None of this is sustainable. And meanwhile, our security services would have all the powers and competencies necessary for the analog era. So this is an important law project.

But it is also important for people to understand what is in this complicated bill. I have reached my 20th year as a lawyer, and I continue to believe the most important thing I ever learned in law school is how to reduce a complicated area of law to a decision-tree flow chart. Unless you can make those boxes in the flow chart connect, you are missing something, or the law is missing something. So I continue to make such charts and devices, usually for my personal understanding.

In the event, however, that my labours are useful to others, I post my revised and expanded bill C-59 flowcharts. These now do two things: 1. They outline how CSE's new mandate powers will operate, and the checks and balances on those. 2. They show how CSIS's security intelligence, threat reduction, foreign intelligence and "dataset" (bulk data collection and retention) regimes will work (and the checks and balances on those), if C-59 becomes law.

I have done my best *not* to make mistakes, and have shared these charts with knowledgeable people who have made helpful comments. But caveat emptor -- there will be glitches. Also, there are areas where provisions may be interpreted differently. I have tried to flag those areas where I know others have a different take -- that provides evidence either that I am idiosyncratic or that the provision in question is ambiguous. And then I have also flagged areas where I have concerns that I know I am not alone in having. (Those are in the red boxes.)  Here, I feel danger lies, as these uncertainties could be tomorrow's controversies.

If anyone spies any errors, please let me know.

Revised C-59 Flow Charts:

1. CSE Mandates (as of Senate first reading)

2. CSIS Powers (as of Senate first reading)

The Judicialization of Bulk Powers for Intelligence Agencies

Personal Speaking Notes (February 2018)

(posted publicly with permission)        

I have been asked to reflect on common trans-Atlantic intelligence dilemmas, and then a variation on our traditional trans-Atlantic search for solutions.  To that end, I’ll say a few words about both the UK Investigatory Powers Act and some of the proposed aspects of bill C-59. 

In some large measure, both the UK IPA (Investigatory Powers Act) and C-59 constitute what former CSIS director Jim Judd once called “the judicialization of intelligence”. Mr Judd raised concerns about this development.  Intelligence has traditionally operated in a manner obliquely governed by law, if at all. There is a disconnect between a covert intelligence function – and its requirements – and the more overt culture of law and lawyers and judges. Intelligence needs are fluid.  Law is rigid. Intelligence needs are immediate and exigent. Law can be laborious.

But law has inevitably encroached on intelligence. An academic colleague – Dennis Molinaro – has uncovered a trove of documents from the 1950s. At that time, these documents show, national security domestic intercept warrants were issued by Prime Minister Louis St Laurent as an exercise of discretionary power under something called the Emergency Powers Act. There was the vaguest of statutory imprimaturs, and certainly no independent judicial oversight in the form of preauthorization.

We abandoned that approach in 1974, and the original iteration of what is now Part VI of the Criminal Code. And in 1984, we built CSIS search and seizure around a judicial warrant process – and the next year, the Supreme Court decided Hunter v Southam. Since then, in cases like the Federal Court of Appeal’s decision in Atwal, through to Justice Crampton’s recent decision in the In the Matter of Islamist Terrorism case, the domestic intelligence search and seizure expectations have been placed on a constitutional footing largely indistinguishable from that of criminal law.

In the IPA, the UK has moved considerably closer to our model than had been the case before. Once the purview of ministers, executive warrantry is now supplemented by review by judicial commissioners.  The shorthand is: double-lock (executive approval of a warrant supplemented by judicial review, prior to execution).

But in Canada, we have yet to address two dilemmas also at issue in the IPA. Both fall in the realm of what in the UK context is called “bulk powers”. And since in bill C-59 we are moving in this area, and judicializing, it is on this topic I wish to focus a few remarks.

So first, let me define bulk powers: a bulk power is one that allows intelligence agencies access to a large quantity of data, most of which is not associated with existing targets of investigation. It is the mass access, in other words, to data from a population not itself suspected of threat-related activity. The commonplace example, since Snowden, is internet or telephony metadata for entire populations of communications users.  But bulk powers can also involve content, and not just the metadata surrounding that content.

Bulk powers are controversial – they are the heart of the post-Snowden preoccupations. They inevitably raise new questions around privacy, and in the Canadian context, Charter rights.  Not least: bulk powers are irreconcilable with the requirements of classic warrants. There is no specificity. By definition, bulk powers are not targeted; they are indiscriminate.

In the IPA context, the world of bulk powers can be divided into bulk interception; bulk equipment interference; bulk acquisition; and bulk personal datasets.  Of these, I want to focus on bulk interception and bulk personal datasets.

Bulk interception is what it sounds like: the collection of transiting communications passing through communications providers or otherwise through the ether.

Canadian law permits bulk collection by the Communications Security Establishment, our signals intelligence service. It is subject to the caveat that acting under its foreign intelligence or cyber security mandate, CSE may not direct its activities at Canadians or persons in Canada. But in practice, bulk interception cannot be limited to foreigners, even if the objective is foreign intelligence. The way communications transit the internet and other communications systems creates a certainty that bulk intercept directed outside the country will intercept the communications of Canadians and persons in Canada. This is known as incidental collection.

In Canada, we have struggled with this issue. Part of the answer is in Part VI of the Criminal Code. As you know, it outlaws unauthorized intercept of private communications. A private communication is one with at least one end in Canada. Since in bulk interception, at least some private communications would be captured in a manner meeting this definition of intercept in Part VI, CSE must be exempted from its reach. And that is what the National Defence Act does, where CSE acquires a defence minister authorization in advance for at least the class of foreign intelligence or cybersecurity activities that might capture this private communication.

The constitutional issue is more fraught. Not least, the defence minister is not the independent judicial officer invoked as the gold standard under Hunter v Southam for Charter section 8. The consequence has been the constitutional lawsuit brought against CSE by the BCCLA associations and now efforts at refinement in C-59. And specifically, C-59 anticipates a quasi-judicial intelligence commissioner who will review the ministerial authorization before its execution. This past week, representatives of the CSE testifying before the Commons committee accepted the underlying constitutional expectation: They said under C-59, CSE will seek ministerial authorization (which in turn triggers review by the intelligence commissioner) for any activity that would interfere with the reasonable expectation of privacy of a Canadian or a person in Canada, or contravene an Act of Parliament.

I am hoping that signals a willingness to amend the bill to say just that, on its face, but for our part my key point is this: C-59 clearly accepts the underlying premise: judicialization of bulk intelligence interception. In this respect, C-59 emulates the IPA.

But I wish to be clear, again: this is not a warrant. It will lack specificity. It will be issued for classes of activities, not specific activities or operations. It is review on reasonableness of a ministerial authorization, not the more hands-on warrant process. Does that meet Hunter’s standards?  I am inclined to suggest, yes, because the warrant cookie cutter cannot possibly apply to a form of bulk intercept in which intercept of s.8 rights-bearer communications is entirely incidental, and not targeted.

Before leaving CSE, I will say a word about another C-59 change.

We have also gone one step further than the IPA in giving CSE a specific offensive cyber mandate – called active cyber.  This could and almost certainly would implicate equipment interference, but interference untied to information acquisition and instead done “on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.” 

At present, there is considerable debate in Parliament about whether the intelligence commissioner should have advance oversight responsibilities in relation to this mandate.  Currently, he or she will not.  I am of two views on whether judicialization in this area would be wise or not.

Turning to domestic-facing bulk powers, I need to switch agencies and talk about CSIS.  And here we have drawn clear inspiration from the IPA in the area of bulk personal datasets.  The UK understanding of this expression is an apt descriptor of what is now also in play in Canada:

"A bulk personal dataset includes personal data relating to a number of individuals, and the nature of that set is such that the majority of individuals contained within it are not, and are unlikely to become, of interest to the intelligence services in the exercise of their statutory functions. Typically these datasets are very large, and of a size which means they cannot be processed manually."

Why have such things? The C-59 changes are a response, yes, to the Federal Court’s 2016 decision on what was known as ODAC.  But it also responds to a broader concern about the ambit of the Service’s threat investigation mandate. That mandate is anchored in s.12 of the CSIS Act. As interpreted by the courts, it permits the Service to collect, and analyse and retain information and intelligence respecting activities that may on reasonable grounds be suspected of constituting threats to the security of Canada, to the extent strictly necessary.  As Justice Noel and Justice Crampton concluded in both the ODAC case and the more recent In the Matter of Islamist Terrorism decision, this is a significant fetter on CSIS. It ties information collection, retention and analysis to a narrow band of threat investigations.  It also makes it difficult for CSIS to change the frequency of its fish radar and expand its reach to search other parts of the ocean for fish that have not already come to its attention.

A spy service fishing in more ocean is, in some eyes, the stuff of Big Brother and nightmares. On the other hand, an intelligence service that cannot have access to the ocean in performing its function is also likely unable to perform its functions very well.  And there is a lot of ocean out there in the digital era.  So how can we reconcile oceans full of data generated by innocents with the intelligence function of clearing the fog of uncertainty and revealing not just the known threats but also the unknown threats?

The solution in both the UK and Canadian context is to judicialize the fish detecting radar. And the model is again a double lock: ministerial approval for ingestion of datasets and judicial commissioner approval.

The result, in the Canadian context, is enormous complexity. Broadly speaking, there are a set of legislated rules in C-59 for the ingestion of datasets, and then a more demanding set of rules for the digestion. (I credit a Department of Justice lawyer for this ingestion/digestion analogy, which is quite apt).  So for Canadian datasets – datasets primarily comprising Canadian information – there is approval of classes of datasets that may be ingested by CSIS by both the minister and the quasi-judicial intelligence commissioner.  Once ingested, there is a limited vetting by CSIS.  And then any subsequent retention for actual use – that is digestion -- must be approved by the Federal Court, which is empowered to impose conditions on that subsequent use.  There is also a requirement that querying generally be done only where strictly necessary in performance of CSIS’s mandates.

I have included charts in the materials. (See also here).

Those charts show why some intelligence operators complain that C-59 is a gift to lawyers. I suppose it is no surprise, then, that I think this is a clever regime. Not least, it short circuits inevitable frontier s.8 issues; to wit, does s.8 attach to the big data analysis of information, the individual bits of which trigger no reasonable expectation of privacy? It seems almost certain that the jurisprudence will get there. C-59 heads this issue off at the pass by superimposing independent judicial authorization guiding and conditioning that big data analysis.

So, on that happy note, I shall end there.

Thank you.

Statement to House of Commons SECU on C-59

Statement

SECU Hearings on C-59

Craig Forcese

5 December 2017

I wish to extend my sincere thanks to the committee for inviting me to appear on bill C-59. It is always an honour to be asked to share my observations before this committee.

My colleague Kent Roach is appearing before you next week. He and I have divided-up C-59. Today, I shall be addressing the new Communications Security Establishment Act and the amendments to the CSIS Act.

I support most of the changes C-59 makes in these areas. I recognize the policy objectives they seek to address. I believe the statutory language is usually carefully considered and robust. But I do have one serious concern.

 

CSE Act

I begin with the CSE Act and make my single recommendation today. I respectfully submit that this committee should amend s.23(3) and (4) to indicate CSE may not, without ministerial authorization, contravene the reasonable expectation of privacy of any Canadian or person in Canada.

I have provided a brief describing the rationale for this change. (And I should disclose I have been an affiant in the current constitutional lawsuit brought by the BC Civil Liberties Association challenging CSE activities. But today I appear on my own behalf.)

To summarize my concern:

While engaged in foreign intelligence and cybersecurity activities, CSE incidentally collects information in which Canadians or persons in Canada have a reasonable expectation of privacy. Because this is done without advance authorization by an independent judicial officer, this likely violates section 8 of the Charter.

Bill C-59 attempts to cure this constitutional issue through a ministerial authorization process, one that involves vetting for reasonableness by an Intelligence Commissioner, a retired superior court judge.

This is a creative and novel solution. It preserves a considerable swath of ministerial discretion and responsibility. It is not a full warrant system. Still, given the unique nature of CSE activities, I believe it constitutionally-defensible.

But the new system will only resolve the constitutional problem if it steers all collection activities implicating constitutionally-protected information into the new authorization process.

The problem is this: C-59’s present drafting only triggers this authorization process where “an Act of Parliament” would otherwise be contravened. This is a constitutionally-underinclusive “trigger”. Some collection of information in which a Canadian has a constitutional interest does not violate an “Act of Parliament” (for example, some sorts of metadata).

The solution is simple. Expand the trigger to read: “Activities carried out by the Establishment in furtherance of [the foreign intelligence or cybersecurity aspects] of its mandate must not contravene any other Act of Parliament or involve the acquisition of information in which a Canadian or person in Canada has a reasonable expectation of privacy unless they are carried out under an authorization”.

This may seem a lawyerly tweaking. But if we fail to cure the existing problem with CSE’s collection authorization process, a court may ultimately determine CSE has been collecting massive quantities of data in violation of the constitution. Such a finding would decimate relations with civil society actors, placing CSE squarely in the cross-hairs of a renewed controversy and making it very difficult for private sector enterprises to partner with CSE on cybersecurity without risking reputational fall-out themselves.

With C-59, we have a chance to minimize this kind of problem.

 

CSIS Act

I turn to the CSIS Act changes. C-59 does three things.  First, it permits CSIS new authority to collect and potentially retain so-called datasets.

Here, the tension lies in balancing the operational need for CSIS to be able to query and exploit information against the privacy imperative.

Rather than prescribe hard standards for datasets, C-59 opts for a system of in-advance oversight. The Intelligence Commissioner is charged with approving the classes of Canadian datasets that may be initially collected, and the Federal Court authorizes any retention of actual datasets.

While I am wary of the idea of datasets, I cannot dispute the rationale for it, and can find no fault with the system of checks and balances.

The second CSIS Act change relates to revisions to CSIS’s threat reduction powers, introduced in C-51 in 2015. These provisions were rightly controversial. For our part, Kent Roach and I did not dispute the idea of threat reduction. But we worried CSIS threat reduction done as a continuation of our awkward, siloed police and intelligence operations runs the risk of derailing later criminal investigations and prosecutions. This would be tragic from a security perspective.

From a rights perspective, C-51 lacked nuance. It opened the door to a violation of any Charter right, subject to an unappealable, secret Federal Court warrant. The regime was radical and, in my view, almost certainly unconstitutional. It was, therefore, unworkable, whatever the strength of the policy objectives that propelled it.

C-59 places the system on a more credible constitutional foundation. It ratchets tighter the outer limit on CSIS threat reduction powers. By barring detention – a power I sincerely doubt the service ever wished – it eliminates concerns about the many Charter violations for which detention is a necessary predicate.

And by legislating a closed list of activities that can be done when a warrant is sought, Parliament tells us what Charter interests are plausibly in play: essentially, free speech and mobility rights.

I believe that if threat reduction is to be retained, this new system reasonably reconciles policy and constitutional issues.

Last, the C-59 CSIS Act changes create new immunities for CSIS officers and sources engaged in intelligence functions who may violate law during those activities.

The breadth of Canada’s terrorism offences makes it certain that a confidential source or undercover officer will commit a terrorism offence simply by participating with the terror group that they infiltrate. An immunity is necessary. The issue is whether there are sufficient checks and balances guarding against abuse of this immunity. Again, I think C-59 does a good job in festooning the immunity provisions with such checks.

I will end, though, with a caution. Our conventional manner of siloed police and CSIS parallel investigations lags best practices in other jurisdictions, which employ more blended investigations. As the Air India bombing inquiry observed, we struggle with what is known as intelligence-to-evidence.

The government is working on this matter. We should be conscious, however, that what CSIS does in its investigations, whether in terms of immunized criminal conduct or authorized threat reduction, could derail prosecutions if not done with a close eye to down-stream impacts.

This issue might usefully be a topic of inquiry for the new security and intelligence committee of parliamentarians.

Thank you for your attention and I look forward to any questions.

Bill C-59 Flowcharts: CSE mandates approval processes

Ottawa is apparently full of flowcharts outlining the bill C-59 powers to various security services. In preparation for my own appearance at SECU, I had time to draw up a diagram on CSE's new powers. I prepared this for personal use late into a Sunday evening, so I cannot promise it is perfect. But if it is a helpful starting point for others, I post here. (If the chart does not appear in full resolution when you click below, click here).

A One-Word Fix: Bill C-59, the Constitution & Communications Security Establishment Activities

As the parliamentary season starts, I have begun working up more detailed thinking on bill C-59, the government's massive national security law overhaul. A lot of this bill is about heading off constitutional and other legal train-wrecks. But it also includes measured moves into new areas, with attention to drafting these powers in manners that (hopefully) will not ignite new legal controversies. In some respect, it is about getting the law out of the way as a source of doubt, at the cost of accepting more structural checks and balances.

In a first note, I set out observations on the new "intelligence commissioner" process for CSE foreign intelligence activities. The focus here is on the question of whether C-59 is enough to cure the constitutional objections to CSE's current manner of operating. For what it is worth, I think it is one word away from doing that.

The Shiny Bauble of Ministerial Responsibility

There is another issue not addressed in the paper. Does the presence of the intelligence commissioner constitute an erosion of ministerial responsibility? This seems to be a recurring issue in some parts of Ottawa. I am not entirely sure everyone means the same thing in discussing the concept, but what it means is: a minister answerable in Parliament for subordinates, and responsible for the conduct of those subordinates.

Those who have read some of my public law work will know that my view on ministerial responsibility in Canadian government in relation to the second half of the above sentence is: "What a wonderful idea. Too bad it doesn't exist." As I concluded after surveying practice between 1950 and 2009, it is rare to the point of being unknown for ministers to resign in response to wrongdoings committed by their subordinates, at least officially. (Senator Forsey arrived at similar conclusions in his notable 1985 work, The Question of Confidence). The buck-stops-here concept of ministerial responsibility is a magnificent myth, not a reality. There is a reason why Donald Savoie called one of his books "Breaking the Bargain".

So, it seems a bad idea to preserve a myth by insisting on a form of unilateral executive oversight of CSE activities that is almost certainly unconstitutional without the interposition of an independent judicial officer.

And in the area of CSE, there are several additional exhibits tending to suggest that the status quo is a bad idea.  First, on information and belief, the minister of national defence's office has not had the internal capacity (at least in the past) to "red team" thoroughly CSE authorizations to intercept private communications.  Put another way, I fear ministerial oversight has been modest.

Second, so modest has been ministerial oversight in this area that when the Snowden disclosures came out and there were revelations of CSE collection of Wifi information from Toronto airport, it was CSE's review body that stepped most vocally into the breach to offer conclusions and observations. Put another way, the review body took bullets, something that should never happen in a world with functional ministerial responsibility.

Third, C-59 does not actually remove the minister from the driver's seat. It just puts the intelligence commissioner in the back seat, looking over the minister's shoulder. Unlike with conventional warrants, which judges shape (albeit with input from government lawyers), the C-59 system requires the minister to kick first at the authorization can, and set the terms and conditions. Only then does the intelligence commissioner review and bless (or not). This is a double-lock system in which the minister turns the key first. It is not one in which the minister is subordinated. Instead, he or she is watched.

As my article suggests, I think this is probably the most clever way to square the constitution with CSE's rather sui generis activities.  Take it away, and you run the real risk that the current system ends up at the Supreme Court. That Court has, of late, rarely turned down an opportunity to apply new understandings of privacy rules to new technology. Leaving it to the Court to speak first on this issue -- and perhaps narrow the range of options -- would be a huge mistake.

Added to which: a court finding that CSE's activities since (probably well before) 2001 have been unconstitutional would be disastrous for CSE. Indeed, even as we need to call upon it to do more in the area of cybersecurity and cyberassurance in the public and private sectors, its reputation would be shattered.  And those private sector companies that touch it with a ten foot pole risk collateral reputational injury.  Put another way, C-59 needs to solve the problem of a CSE currently tied to the tracks, with a Charter train rumbling toward it.

So you need to be a real risk-lover to preserve a status quo that a) does not include much, if any, real ministerial responsibility, but b) has managed to produce a lot of reputation-damaging fall-out.