foreign intelligence

Canada's Foreign Intelligence Desert

The recent flare-up in relations between Canada and the Kingdom of Saudi Arabia (KSA) places into sudden relief the challenges in Canada's foreign intelligence architecture. It follows hard on the heels of a Federal Court decision affirming the Canadian Security Intelligence Service (CSIS) can only collect foreign intelligence "within Canada". That case is discussed at length here and on Episode 48 of A Podcast Called INTREPID.

Just to be clear: CSIS may investigate threats to the security of Canada anywhere. "Threats to the security of Canada" are espionage, sabotage, foreign influenced activity (within or relating to Canada, and detrimental to Canada), terrorism and (in principle) subversion (in practice, CSIS has not run a counter-subversion program since the 1980s).

"Security intelligence" is *not* intelligence on the foreign, economic or defence policy or posture of another country, unless it falls within one of the categories listed above. Rather, these broader classes of information are "foreign intelligence" (defined, obliquely, in the CSIS Act as: "intelligence relating to the capabilities, intentions or activities of [foreigners or foreign states or groups]").

Canada's electronic intelligence service, the Communications Security Establishment (CSE), has the mandate to collect foreign intelligence, anywhere. But it does so electronically, through the "global information infrastructure" (defined in the National Defence Act as including "electromagnetic emissions, communications systems, information technology systems and networks, and any data or technical information carried on, contained in or relating to those emissions, systems or networks"). CSE does not collect HUMINT (intelligence from human sources).

For its part, Global Affairs Canada does collect diplomatic information, but is not per se an intelligence service. The scope of its collection activities is not well-documented and murky to an outsider like me. It is my understanding that GAC's Associate Deputy Minister for “International Security” manages a “threat assessment and intelligence services division” and that GAC possesses a Global Security Reporting Program (GSRP). My assumption, though, is that GAC will not run confidential sources, for a host of reasons.

In its reported form, the KSA spat is not a security intelligence matter -- unless you count that terrible, threatening tweet picturing an Air Canada jet flying toward the Toronto skyline. But understanding what is going on in KSA is clearly of foreign intelligence interest.

I would assume Global Affairs is feeding diplomatic intelligence into the decision-making process. I assume CSE is involved in signals intelligence. But beyond what Global Affairs is doing through its diplomatic networks, no Canadian intelligence agency can collect information from confidential sources outside of Canada on "the capabilities, intentions or activities of" the KSA.

This is a different sort of "gap" than the one at issue in the recent Federal Court case (which seemingly dealt with footloose communications, not extraterritorial confidential human sources). And it is a gap of longstanding duration, regularly discussed every decade or so.

We have muddled through so far with no human foreign intelligence service because of our minor footprint in foreign relations and because of close, allied relations.

But those allied relations are not what they used to be. I have precisely zero confidence that non-security intelligence sharing with the United Kingdom or the United States on a matter like the KSA is done in Canada's interest, rather than the interests of the UK and US. And that means intelligence-sharing may be selective. And even if it is not currently selective, it could well be selective in the future. We do not control the spigots.

Should we?

Creating an enhanced human foreign intelligence capacity is no small thing. In the past, I expressed considerable skepticism it was worth the risk, or that we could pull it off without starving more important activities of resources.

But the geopolitical situation is more complicated now than at any time since the Second World War, with a move toward multipolarity rather than the near-unipolarity of the post-Cold War and the bipolarity of the Cold War. States may realign in keeping with Viscount Palmerston's old adage that a state has no permanent friends or permanent enemies, just permanent interests.

It is not clear to me that Canada knows what its permanent interests are -- even (what for me is the unambiguous) need to remain a permanent friend of the United States is under strain among the commenting class.

But we may also not have the tools to preserve those permanent interests, anyway. If revisionist states see Canada as the runt of the Western litter and as a low-cost place for target-practice, a better understanding of the world seems wise. I am, therefore, no longer sure that building an enhanced foreign intelligence capacity is just one of those shiny baubles, distracting from more important things.

How to do this is another question. (It would be useful to know, for example, what exactly GAC does in this space rather than treat it as a black box.)

These are all questions now worth serious study.


Oh, What Tangled Webs the CSIS Act Weaves: The Federal Court's Latest Decision on CSIS's Foreign Intelligence Mandate

The Federal Court this week released a lengthy decision that, unusually, dealt with CSIS’s s.16 “foreign intelligence” mandate. In so doing, it proved, once again, that an Act mostly left fallow for a generation spits up weeds.

The decision is deeply redacted, and we know precisely nothing about the target, subject-matter issue or investigative technique at issue. And that means there is no way for me judge whether I think the Court “got it right”. But the underlying storyline is easy enough to imagine, even if the precise specifics are secret. And the policy issues can be surfaced with a hypothetical.

Who Was the Target?

The target was a foreigner physically in Canada. They could not be Canadian (or a Canadian permanent resident) – CSIS cannot investigate a Canadian or Canadian permanent resident under its s.16 mandate. And they had to be in Canada. This was a warrant application. A warrant would only be required, constitutionally, if the foreigner was in Canada. And besides, if the foreigner was overseas, CSE could have targeted him or her under its foreign intelligence mandate, Mandate A.  But CSE cannot direct its foreign intelligence activities at any person in Canada. So bottom line: the person was in Canada.

What was the Foreigner in Canada in Doing?

We do not know what our foreigner in Canada – who we shall call Bob – was doing. We do know what Bob was not doing. He was not involved in terrorism, espionage, sabotage or foreign-influenced activities (at least not foreign-influenced activities within Canada or related to Canada, while detrimental to the interests of Canada). And I suppose for the sake of completeness, I should add Bob was not involved in subversion of the Canadian government. Because if Bob was involved in any of these things, he would pose a “threat to the security of Canada” and this would have been a s.12 CSIS “security intelligence” investigation.

But it was a s.16 investigation.  Which means that Bob was being investigated to collect information or intelligence relating to the capabilities, intentions or activities of any foreign state or group of foreign states or some foreign person. This is what is called “foreign intelligence”. Basically, that means anything other than security intelligence.

Bob from Mordor

So, because all the good parts in the decision are redacted, let’s make up our hypothetical: Bob was a diplomat from the Embassy of Mordor, who was in fact from the Mordor Acquisition and Liaison Intelligence Collation Entity (MALICE).  And while in Canada, Bob was part of an intelligence operation designed to influence the Government of Isengard, in a manner advantageous to Mordor.

Global Affairs Canada, which has an obvious interest in developments in Isengard, wants to get a handle on this foreign influence campaign. And so, it turns to CSIS. There is no clear way an investigation into this influence op falls within a “threat to the security of Canada”.  (I suppose in some cases, it would be so egregious as to be “detrimental to the interests of Canada”, even though directed at a third state, but you can only bend that language so far.)

So, under s.16, the Minister of Foreign Affairs requests, and the Minister of Public Safety agrees, that CSIS will conduct a foreign intelligence investigation.  But s.16 also says that CSIS may only engage in foreign intelligence collection “within Canada”.

Alice of Isengard

That works fine, to a point. Bob is in Canada. But his chief asset in Isengard is Alice, someone who has influential contacts in the National Repressive Ring Association (NRRA). And Alice is not in Canada.  And moreover, Bob and Alice have 1990s style operational security.  When they communicate, they do so by logging into Gondor Mail (G-Mail), an email service in Gondor.  And they modify draft emails in an email account to which they both have access, housed on G-Mail’s Gondor-based servers.

The Warrant on Bob

CSIS wants to monitor Bob’s communications in Canada. Now Bob is a foreigner, but as noted, he has Charter s.8 rights. And so CSIS needs a warrant.  And CSIS wants, with that warrant, to wiretap not just Bob’s phone but also access his email communications. But, nuts, the G-Mail servers are overseas. And CSIS is no position to somehow insert keystroke logging on Bob’s embassy computer. And so, the only way (I shall assume, because I am not a tech-guy) to access the G-Mail draft folder is by hacking into the Gondor-based servers.

Now, pursuant to Mandate C, CSE can provide the technical wherewithal to do this. But CSIS needs to have lawful authority to seek this CSE assistance, meaning if CSIS needs a warrant, CSIS has to have one.

Whether CSIS needs a warrant may be a close call. If the communication is outside Canada, then perhaps the Charter does not apply because it generally does not apply extraterritorially. After all, if Bob were physically outside Canada, he would enjoy no Charter rights.  (The Hape exception would apply only if Canada were in violation of its international human rights obligations -- not clear cut here – and, says earlier Federal Court jurisprudence, where the victim was a Canadian – not true here.).

So, is it too much to say that CSIS's intercept of Bob’s Gondor communications doesn’t require a warrant?  Hmmm. Maybe. But this might still be a “private communication” under the Criminal Code (and I could easily change the facts so that it would be). And if so, the fact that one side of this communication starts in Canada is enough to require a judicial authorization process.  So not much relief there.  And besides, CSIS remembers the infamous Re X case and decides it is better to go to court now, to avoid a train wreck later.

So CSIS does the appropriate thing and concludes it probably needs a warrant. And more than that, it might also reasonably argue that on our facts (communication commences in Canada, travelling overseas through Canada etc) the collection really was “within Canada, enough”, and thus squares with s.16 of the Act. (A view that would be consistent with: the assumption that the Charter applies to Bob’s transiting communications, and the concept of private communication in the Criminal Code, and arguably the concept of territoriality in cases like R. v. Libman.)

But there is also another view: the content of what CSIS is intercepting is not in Canada. It can only be accessed by reaching out electronically across Canadian borders to Gondor, all the way over in Middle Earth.

So, what’s the answer? How do we read “within Canada” in s.16? Well, obviously it means “within Canada”, but what does that mean for footloose-communications? The redactions are thick in this case, and we really don’t know what sort of extraterritorial activity was at issue. But after a lengthy and seemingly exhaustive statutory interpretation exercise, the Federal Court says: this [REDACTED FOR PAGES] extraterritorial CSIS intrusive investigative activity was not within Canada.

Let's assume that hacking into Bob's Gondor Mail would also exceed whatever threshold of impermissible extraterritoriality was at issue in the Federal Court case. That is, it too would not be "within Canada". So, CSIS, in our story, you are out of luck. Maybe you should just ask Gondor to collect and share the Gondor Mail communications itself?  But do you want to rely on Denethor II, son of Echtelion II, Steward of Gondor? In The Two Towers, he struck me as a bit unhinged, to be honest.  And perhaps he was a little too inclined to appeasement to Mordor.

The CSE Knock-On Effect

Ok, then. Open Door Number 2: if the communication is not “within Canada”, then that must mean that CSE can, in fact, collect under Mandate A (foreign intelligence). Surely, if the communication being targeted is not within Canada (and involves no one, but foreigners), then CSE collection activities are not being “directed at Canadians or any person in Canada” (the quoted phrase being a stipulation that limits what CSE can do under Mandate A).  But hold that “surely”.  It is a bit disingenuous to say: “so we are investigating Bob, who is a person in Canada, and we are specifically interested in Bob, and that is why we are doing this collection activity, but when we go after this particular communication, we are not directing collection at Bob, the person in Canada”.  That seems too clever by half.

And anyway, the Federal Court has a collateral discussion in this case with knock-on implications that will make life for CSE very difficult. Basically, intrusive activity overseas of the sort at issue in the case (whatever they may be) constitute an extraterritorial exercise of enforcement jurisdiction. Done without the consent of the territorial state, this violates international law. And Canadian statutes will be read to comply with international law, unless they explicitly derogate from it. And neither the CSIS Act (for s.16, but not for s.12) nor the current National Defence Act (for CSE) nor the proposed Bill C-59 CSE Act derogate from international law. (On the latter issue, see my discussion here.)

So CSE, you have no legislative jurisdiction to engage in extraterritorial activities of (at minimum) the same degree or more intrusive than the ones at issue in this Federal Court case.  Which means you can kiss Mandate A and B goodbye under the current National Defence Act, to the extent they exceed this threshold (which, reading between the redactions, is quite low). And unless you amend bill C-59, you can also kiss those defensive and active cyber powers away.  Unless, that is, you just want to plow ahead and see what the Intelligence Commissioner, the new National Security and Intelligence Review Agency, and the National Security and Intelligence Committee of Parliamentarians have to say about this issue. This, in my view, would be insane, since a quick flick of the legislative pen could cure this problem for you, CSE.

Fixing the CSIS Act

As for CSIS, well, you could roll the dice and appeal. Or you too could fix this by legislative amendment (which is what happened to the s.12 power when this same issue arose a decade ago, and was resolved by 2015’s C-44). 

But let’s be clear here: if you want CSIS to have its current extraterritorial security intelligence functions (plus its post-2015 threat reductions powers) and now extraterritorial foreign intelligence functions, you are creating, essentially, a blended MI5/MI6.  And until recently, it was considered a bad idea to put security intelligence and a full foreign intelligence function in the same agency: rule-of-law security intelligence should be kept segregated from somewhat-less-than-rule-of-law James Bond.

So, we might wish, finally, to do some serious thinking about design issues, accountability issues, resource issues, training issues, etc, before we knee-jerk amend the CSIS Act (yet again). So, enter a ponderous process of deliberation. On the other hand, this is not a situation you want to leave hanging. Because in my story, Bob from MALICE is still out there, swanning away on Gondor Mail. (In truth, I don’t know how important that prospect is – it took to 2018 before this issue got to court, and yet presumably the technological dilemma I describe here could have arisen decades ago. So maybe this case won’t have much practical effect.)

But bottom line: sometimes national security law is hard. And perhaps it is sometimes harder than it has to be. I think it’s often hard because we don’t update the statute law enough. But that’s just me.

Much Ado about Probably Very Little: Canadian intelligence and 2012 French election

Last week, some Canadian newspapers posted a story [here and here] about CIA documents leaked by Wikileaks. The second article described the implications of this document as follows:

On Thursday, WikiLeaks released three CIA tasking orders detailing their plan to closely monitor 2012 French presidential candidates, including current President Francois Hollande and current first-round frontrunner Marine Le Pen.

Canada is listed along with New Zealand, Great Britain, the United States and Australia in a section indicating which countries are assisting with the “HUMINT” or human intelligence aspects of the operation. Those countries make up the Five Eyes intelligence sharing alliance.

Within hours, the NDP was calling on the government to explain the document: “Canadians don’t expect their government to spy on our closest allies, especially when it involves their own domestic elections. There’s nothing more sensitive than that, as we’re observing right now with the allegations in the U.S. election.”

This was a remarkable escalation of events.

The actual documents are here.  Like most leaked documents, they lack context, even if they are genuine.  More than that, they are also sprinkled with agency nomenclature that requires parsing.

The single reference to Canada reads:

Apparently on this basis of this single reference, the news reports concluded Canada was asked to "assist" the CIA. (As the story eventually notes: "The documents contain only a single reference to Canada, making it unclear what parts of the CIA efforts Canada may have been involved in.")

But this whole allegation of Canadian participation seems (very) doubtful.  First, none of Canada's actual intelligence agencies has the legal competency to conduct covert, overseas HUMINT foreign intelligence gathering.  CSIS is confined to security intelligence in its overseas activities (and this France activity would not be security intelligence, as defined in s.2 of the CSIS Act). CSIS's broader foreign intelligence collection must be conducted "within Canada" under s.16 of the CSIS Act.

CSE is a signals intelligence agency and would clearly be acting outside of its statutory mandate in doing HUMINT.

Military intelligence operates pursuant to the royal prerogative of defence -- and it is hard to see how that fits.

Global Affairs Canada has a broader remit -- including under the general language of the DFAIT Act and also a conceivable remit under the royal prerogative relating to foreign affairs. It has no express statutory intelligence function, but its legal authorities are broad enough to allow it to collect information in its diplomatic/foreign relations function. Whether it runs covert HUMINT is another matter -- it has confidential contacts, but I'd be surprised to learn it runs more complex HUMINT sources. (Sadly, because Global Affairs is subject to no external independent review, there is little on the public record on its activities, but see this statement made to Parliament.  There, then-DFAIT specified "Canadian diplomats do not work under cover or collect intelligence covertly from human sources").

All of this is to say that there is only a narrow range of options if Canada were to participate in a (let us assume covert) CIA HUMINT foreign intelligence (as opposed to security intelligence) activity: either it is a Global Affairs program of greater breadth than what has been reported in the past, or it is a Canadian intelligence service acting illegally.

But we don't need to go down this rabbit hole for one reason above all else: the document does not seem to say what the news stories inferred. "S//REL TO USA, AUS, CAN, GBR, NZL" is a classification tag (governing intelligence sharing). It translates into Secret//Release to USA, Australia, Canada, Great Britain, New Zealand" (or, in other words, the Five Eyes). See this guide to US classification nomenclature.

It does not, in other words, mean (in any respect that I can discern) that Canada is "assisting with the 'HUMINT' or human intelligence aspects of the operation" (whatever those might be -- and the document is actually very unclear on what, if anything, was being done in terms of HUMINT).

Put another way, unless you want to believe that Canada must be complicit just because you don't trust intelligence agencies, there appears to be no evidence supporting the conclusion on a Canadian role reported in the news stories.