surveillance

Oh, What Tangled Webs the CSIS Act Weaves: The Federal Court's Latest Decision on CSIS's Foreign Intelligence Mandate

The Federal Court this week released a lengthy decision that, unusually, dealt with CSIS’s s.16 “foreign intelligence” mandate. In so doing, it proved, once again, that an Act mostly left fallow for a generation spits up weeds.

The decision is deeply redacted, and we know precisely nothing about the target, subject-matter issue or investigative technique at issue. And that means there is no way for me to judge whether I think the Court “got it right”. But the underlying storyline is easy enough to imagine, even if the precise specifics are secret. And the policy issues can be surfaced with a hypothetical.

Who Was the Target?

The target was a foreigner physically in Canada. They could not be Canadian (or a Canadian permanent resident) – CSIS cannot investigate a Canadian or Canadian permanent resident under its s.16 mandate. And they had to be in Canada. This was a warrant application. A warrant would only be required, constitutionally, if the foreigner was in Canada. And besides, if the foreigner was overseas, CSE could have targeted him or her under its foreign intelligence mandate, Mandate A.  But CSE cannot direct its foreign intelligence activities at any person in Canada. So bottom line: the person was in Canada.

What Was the Foreigner in Canada Doing?

We do not know what our foreigner in Canada – who we shall call Bob – was doing. We do know what Bob was not doing. He was not involved in terrorism, espionage, sabotage or foreign-influenced activities (at least not foreign-influenced activities within Canada or related to Canada, while detrimental to the interests of Canada). And I suppose for the sake of completeness, I should add Bob was not involved in subversion of the Canadian government. Because if Bob was involved in any of these things, he would pose a “threat to the security of Canada” and this would have been a s.12 CSIS “security intelligence” investigation.

But it was a s.16 investigation.  Which means that Bob was being investigated to collect information or intelligence relating to the capabilities, intentions or activities of any foreign state or group of foreign states or some foreign person. This is what is called “foreign intelligence”. Basically, that means anything other than security intelligence.

Bob from Mordor

So, because all the good parts in the decision are redacted, let’s make up our hypothetical: Bob was a diplomat from the Embassy of Mordor, who was in fact from the Mordor Acquisition and Liaison Intelligence Collation Entity (MALICE).  And while in Canada, Bob was part of an intelligence operation designed to influence the Government of Isengard, in a manner advantageous to Mordor.

Global Affairs Canada, which has an obvious interest in developments in Isengard, wants to get a handle on this foreign influence campaign. And so, it turns to CSIS. There is no clear way an investigation into this influence op falls within a “threat to the security of Canada”.  (I suppose in some cases, it would be so egregious as to be “detrimental to the interests of Canada”, even though directed at a third state, but you can only bend that language so far.)

So, under s.16, the Minister of Foreign Affairs requests, and the Minister of Public Safety agrees, that CSIS will conduct a foreign intelligence investigation.  But s.16 also says that CSIS may only engage in foreign intelligence collection “within Canada”.

Alice of Isengard

That works fine, to a point. Bob is in Canada. But his chief asset in Isengard is Alice, someone who has influential contacts in the National Repressive Ring Association (NRRA). And Alice is not in Canada.  And moreover, Bob and Alice have 1990s style operational security.  When they communicate, they do so by logging into Gondor Mail (G-Mail), an email service in Gondor.  And they modify draft emails in an email account to which they both have access, housed on G-Mail’s Gondor-based servers.

The Warrant on Bob

CSIS wants to monitor Bob’s communications in Canada. Now Bob is a foreigner, but as noted, he has Charter s.8 rights. And so CSIS needs a warrant.  And CSIS wants, with that warrant, to wiretap not just Bob’s phone but also access his email communications. But, nuts, the G-Mail servers are overseas. And CSIS is in no position to somehow insert keystroke logging on Bob’s embassy computer. And so, the only way (I shall assume, because I am not a tech-guy) to access the G-Mail draft folder is by hacking into the Gondor-based servers.

Now, pursuant to Mandate C, CSE can provide the technical wherewithal to do this. But CSIS needs to have lawful authority to seek this CSE assistance, meaning if CSIS needs a warrant, CSIS has to have one.

Whether CSIS needs a warrant may be a close call. If the communication is outside Canada, then perhaps the Charter does not apply because it generally does not apply extraterritorially. After all, if Bob were physically outside Canada, he would enjoy no Charter rights.  (The Hape exception would apply only if Canada were in violation of its international human rights obligations – not clear cut here – and, says earlier Federal Court jurisprudence, where the victim was a Canadian – not true here.)

So, is it too much to say that CSIS's intercept of Bob’s Gondor communications doesn’t require a warrant?  Hmmm. Maybe. But this might still be a “private communication” under the Criminal Code (and I could easily change the facts so that it would be). And if so, the fact that one side of this communication starts in Canada is enough to require a judicial authorization process.  So not much relief there.  And besides, CSIS remembers the infamous Re X case and decides it is better to go to court now, to avoid a train wreck later.

So CSIS does the appropriate thing and concludes it probably needs a warrant. And more than that, it might also reasonably argue that on our facts (communication commences in Canada, travelling overseas through Canada etc) the collection really was “within Canada, enough”, and thus squares with s.16 of the Act. (A view that would be consistent with: the assumption that the Charter applies to Bob’s transiting communications, and the concept of private communication in the Criminal Code, and arguably the concept of territoriality in cases like R. v. Libman.)

But there is also another view: the content of what CSIS is intercepting is not in Canada. It can only be accessed by reaching out electronically across Canadian borders to Gondor, all the way over in Middle Earth.

So, what’s the answer? How do we read “within Canada” in s.16? Well, obviously it means “within Canada”, but what does that mean for footloose-communications? The redactions are thick in this case, and we really don’t know what sort of extraterritorial activity was at issue. But after a lengthy and seemingly exhaustive statutory interpretation exercise, the Federal Court says: this [REDACTED FOR PAGES] extraterritorial CSIS intrusive investigative activity was not within Canada.

Let's assume that hacking into Bob's Gondor Mail would also exceed whatever threshold of impermissible extraterritoriality was at issue in the Federal Court case. That is, it too would not be "within Canada". So, CSIS, in our story, you are out of luck. Maybe you should just ask Gondor to collect and share the Gondor Mail communications itself?  But do you want to rely on Denethor II, son of Ecthelion II, Steward of Gondor? In The Two Towers, he struck me as a bit unhinged, to be honest.  And perhaps he was a little too inclined to appeasement to Mordor.

The CSE Knock-On Effect

Ok, then. Open Door Number 2: if the communication is not “within Canada”, then that must mean that CSE can, in fact, collect under Mandate A (foreign intelligence). Surely, if the communication being targeted is not within Canada (and involves no one but foreigners), then CSE collection activities are not being “directed at Canadians or any person in Canada” (the quoted phrase being a stipulation that limits what CSE can do under Mandate A).  But hold that “surely”.  It is a bit disingenuous to say: “so we are investigating Bob, who is a person in Canada, and we are specifically interested in Bob, and that is why we are doing this collection activity, but when we go after this particular communication, we are not directing collection at Bob, the person in Canada”.  That seems too clever by half.

And anyway, the Federal Court has a collateral discussion in this case with knock-on implications that will make life for CSE very difficult. Basically, intrusive activities overseas of the sort at issue in the case (whatever they may be) constitute an extraterritorial exercise of enforcement jurisdiction. Done without the consent of the territorial state, this violates international law. And Canadian statutes will be read to comply with international law, unless they explicitly derogate from it. And neither the CSIS Act (for s.16, but not for s.12) nor the current National Defence Act (for CSE) nor the proposed Bill C-59 CSE Act derogate from international law. (On the latter issue, see my discussion here.)

So CSE, you have no legislative jurisdiction to engage in extraterritorial activities of (at minimum) the same degree or more intrusive than the ones at issue in this Federal Court case.  Which means you can kiss Mandate A and B goodbye under the current National Defence Act, to the extent they exceed this threshold (which, reading between the redactions, is quite low). And unless you amend bill C-59, you can also kiss those defensive and active cyber powers away.  Unless, that is, you just want to plow ahead and see what the Intelligence Commissioner, the new National Security and Intelligence Review Agency, and the National Security and Intelligence Committee of Parliamentarians have to say about this issue. This, in my view, would be insane, since a quick flick of the legislative pen could cure this problem for you, CSE.

Fixing the CSIS Act

As for CSIS, well, you could roll the dice and appeal. Or you too could fix this by legislative amendment (which is what happened to the s.12 power when this same issue arose a decade ago, and was resolved by 2015’s C-44). 

But let’s be clear here: if you want CSIS to have its current extraterritorial security intelligence functions (plus its post-2015 threat reduction powers) and now extraterritorial foreign intelligence functions, you are creating, essentially, a blended MI5/MI6.  And until recently, it was considered a bad idea to put security intelligence and a full foreign intelligence function in the same agency: rule-of-law security intelligence should be kept segregated from somewhat-less-than-rule-of-law James Bond.

So, we might wish, finally, to do some serious thinking about design issues, accountability issues, resource issues, training issues, etc, before we knee-jerk amend the CSIS Act (yet again). So, enter a ponderous process of deliberation. On the other hand, this is not a situation you want to leave hanging. Because in my story, Bob from MALICE is still out there, swanning away on Gondor Mail. (In truth, I don’t know how important that prospect is – it took until 2018 before this issue got to court, and yet presumably the technological dilemma I describe here could have arisen decades ago. So maybe this case won’t have much practical effect.)

But bottom line: sometimes national security law is hard. And perhaps it is sometimes harder than it has to be. I think it’s often hard because we don’t update the statute law enough. But that’s just me.

One Warrant to Rule Them All: Re-Conceiving the Judicialization of Extraterritorial Intelligence Collection

I have posted a draft chapter on the implications of bill C-44 and related matters for Canada's extraterritorial intrusive surveillance operations, especially for CSIS.  The paper can be found here.  The abstract is as follows:

Spying by Canadian agencies is now “judicialized” to an unprecedented extent. In the area of extraterritorial surveillance, the result has been a series of difficult court decisions, and an inadequate legislative response. This brief article explores these assertions. It begins by briefly setting the stage, examining the role and jurisdiction of Canada’s two chief intelligence services. The article then highlights recent controversies, before describing the arcane legal questions they have provoked. Finally, it suggests looking to the Australian model of distinguishing between anti-terror and other types of intelligence operations to bifurcate the judicialization of extraterritorial intelligence collection.

Bill C-51 Backgrounder #3: Sharing Information and Lost Lessons from the Maher Arar Experience

We have now posted the third of a series of independent “backgrounder” documents that we shall author on Bill C-51, the Anti-terrorism Act 2015. All of these documents are archived at http://www.antiterrorlaw.ca.

The proposed Security of Canada Information Sharing Act in Bill C-51 declares a legitimate government interest in sharing information about security threats. Yet after close textual review, we conclude that the proposed law is both excessive and unbalanced. Why do we reach such strong conclusions?

The Act will relax constraints on the flow of information about “activities that undermine the security of Canada”. This is a new and astonishingly broad concept that is much more sweeping than any definition of security in Canadian national security law. It comes very close to a carte blanche, authorizing a “total information awareness” approach and a unitary view of governmental information holding and sharing. In that respect, we consider it a radical departure from conventional understandings of privacy.

The proposed legislation is unbalanced because it authorizes information sharing without meaningful enhanced review. While the bill pays lip-service to accountability, it does not incorporate an accountability regime matching its scope. Even as it erodes privacy, it fails to learn from the lessons of the Arar and Iacobucci commissions of inquiry about the injustice that may stem from poorly governed information sharing.

The claim in the government’s backgrounder that the existing accountability institutions, including the Privacy Commissioner, are equipped for this task is not convincing to anyone familiar with the Arar report.

[NB: We have posted this paper for immediate download on SSRN. While SSRN catalogues the paper for inclusion in its holding, this page will be watermarked “Under review by SSRN”. Readers will still be able to access the paper.  We plan to upload revised editions as we add details and refine points. We have also posted to a “mirror” site, but will not update the paper here.]

Judicialization of Extraterritorial Spying: Gaps and Gap-Fillers in the World of CSIS Foreign Operations

I have posted my brief article on CSIS extraterritorial surveillance and related issues, expanding on testimony to the Commons Standing Committee on National Security on Bill C-44.  The article may be accessed via SSRN here.  The abstract is as follows:

Written in response to the tabling of Bill C-44 in the Canadian Parliament, this article addresses three issues: judicial oversight of foreign spying conducted by the Canadian Security Intelligence Service; judicial oversight of intelligence sharing between Canadian agencies and international security partners; and review of Canadian security and intelligence agencies. The article raises concerns about the status quo, and proposes reforms.

Foreign Spying, Information sharing & Arar Commission Fixes to Accountability: Brief on Bill C-44

Yesterday, the Commons Standing Committee on National Security and Public Safety asked me to present views on Bill C-44, amending the CSIS Act.  I was honoured to accept the invitation and thank the Committee members for their questions and clear and serious engagement on the issue.  What follows below is a copy of my statement, with annex.  Since by necessity, these remarks were somewhat telegraphic, I am presently drafting a slightly longer article amplifying my position, and explaining in more detail the rationale for some of the language in the proposed amendments.  Until then, I have posted before more detailed discussions of Wakeling, extraterritorial spying in C-44, and the bigger issue of accountability. Kent Roach and I have also opined on C-44 in the National Post.

**

November 26, 2014

My thanks to the Committee for asking me to testify today. I will focus exclusively on the foreign surveillance aspects of the Bill.  Later today, Professor Kent Roach will be appearing before you, and he will speak to the informer privilege component.

Summary

My views in brief:  I support the proposed amendments to sections 12 and 21.  That said, I think there are three omissions in this Bill that this Committee should correct.  I see these corrections as necessary to preempt another half decade of litigation, controversy and uncertainty.

Foreign Spying

Clause 8 addresses the core confusion flowing from three Federal Court decisions.  In enacting these amendments, you will now be emphatically asking a court to bless CSIS covert surveillance that may violate international or foreign law.

In our system, Parliament has authority to grant expressly powers that violate international law, so long as those powers do not then also violate the constitution.  I personally see no constitutional complaint, assuming we are confining our discussion to surveillance issues (and not, for instance, including interrogation or other more aggressive forms of investigation).

As noted, however, I do see several critical omissions in this bill. 

Uncertainty over “trigger” for seeking foreign spying warrant

First, it is not clear when the Service will be obliged to obtain a foreign surveillance warrant.  The existing statute speaks of “belief on reasonable grounds that a warrant is required”.  In a domestic surveillance operation, these grounds arise when failure to obtain a warrant would violate section 8 of the Charter (governing searches and seizures) or Part VI of the Criminal Code.

But the applicability of these two laws – and especially the Charter -- to foreign surveillance is uncertain.  As a consequence, the existing “reasonable grounds” threshold is unhelpfully ambiguous when applied to the new warrant powers in this bill. 

I think in the final analysis, a warrant will be required whenever foreign surveillance involves covert interception of telecommunications.  I also believe the amendments may be interpreted as requiring a warrant anytime an operation may violate international or foreign law.  

These would be sensible standards.  But because the bill is not emphatic, establishing these standards may require another round of litigation.  I strongly urge this committee, therefore, to preempt the necessity of another half-decade of uncertainty by adding clear language on the trigger for seeking a foreign surveillance warrant. 

I have proposed language in an annex to my brief.

Uncertainty over legality in CSIS’s international information-sharing practices

Second, since this bill was tabled, the Supreme Court has issued its decision in Wakeling.  The case concerned the RCMP, but the holding extends, in practice, equally to CSIS. 

A majority of the court concluded that section 8 of the Charter applies to sharing between Canadian authorities and foreign counterparts of intercepted communications.  To be constitutional, a reasonable law must authorize intercept sharing.  A reasonable law is one that includes sufficient accountability and safeguard regimes. 

Right now, there is no clear law on CSIS international intercept sharing.  At best, there is generic, more open-ended permission, which seems unlikely to survive constitutional challenge. 

I would strongly urge this committee to again preempt years of litigation by codifying an express statutory authorization for intercept sharing that also includes required safeguards.  I have proposed language in the annex addressing this.

Continued Failure to Respond to Serious Accountability Gaps

Last, we are now at the 10th anniversary of the Arar Commission.  I note with profound concern that Parliament has failed to legislate any of the Commission’s critical recommendations dealing with coordination between the review bodies for CSIS, CSE and the RCMP. 

Instead, we have closer and deeper coordination between security services, but review remains firmly limited to institutional silos.  And indeed, we have reported instances of the security services questioning, and perhaps impeding, the ability of review bodies to coordinate their review functions.

This bill gives CSIS a freer hand and will necessarily deepen its relationship with CSE and foreign agencies.  It should also include provisions that augment the authority of the review bodies to keep tabs. I propose language in the annex that addresses this concern.

Let me end with a related plea to this committee. CSIS’s review body SIRC is suffering the effects of neglect.  Its membership has been below strength for a considerable period of time, it has been rocked by scandal at the leadership level, and its level of resourcing has not kept pace with growth in the operational budget of CSIS. 

For all of these reasons, I would ask this committee to move on the issue of accountability.

Let me end there.

 

Annex: Proposed Amendments Correcting Omissions in Bill C-44

A. Amendments Clarifying When A Foreign Surveillance Warrant Would be Required

21. (3.2) For greater certainty, a warrant under this section is required for any investigation outside of Canada that

a) involves an investigative activity that, were it conducted inside Canada, would require a warrant by reason of the Canadian Charter of Rights and Freedoms, or

b) may be inconsistent with international law or the law of the state in which the investigative activity is conducted.

 

B. Amendments Making CSIS International Intercept Sharing Constitutional, Given Wakeling Holding of the Supreme Court of Canada

19. (2)(e) where a disclosure is made in accordance with a warrant or authorization issued under section 21 to a person or authority with responsibility in a foreign state for performing duties and functions analogous to those of the Service under this Act and is intended to be in the interests of the national security, national defence or international relations of Canada.

21. (3.3) (a) Information collected by the Service through the interception of a communication to which Part VI of the Criminal Code would otherwise apply in the absence of section 28 of this Act may only be disclosed under section 19(2)(e) in accordance with an authorization issued by a judge.

(b) The judge may issue the authorization referred to in paragraph (a) either as part of the warrant authorizing the interception of the communication in the first place or after a separate application by the Director or any employee designated by the Minister for the purpose.

(c) A judge may make the authorization referred to in paragraph (a) only where persuaded on a balance of probabilities that the information, once shared, will not be used for activities or purposes that violate international law, including but not limited to, torture as defined in section 269.1 of the Criminal Code or other forms of cruel, inhuman or degrading treatment or punishment within the meaning of the Convention Against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment, signed at New York on December 10, 1984.

 

C. Enhancing Coordination of Review Among Security Review Bodies to Reflect Recommendations of the Arar Commission

CSIS Act

56. (a)  If on reasonable grounds it believes it necessary for the performance of any of its functions under this Act, those of the Commissioner of the Communications Security Establishment under the National Defence Act, or those of the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act, the Review Committee may convey any information which it itself is empowered to obtain and possess under this Act to:

a) the Commissioner of Communications Security Establishment under the National Defence Act, or,

b) the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act

(b) Before conveying any information referred to in paragraph (a), the Review Committee must notify the Director and give reasonable time for the Director to make submissions. 

(c) In the event that the Director objects to the sharing of information under this section the Review Committee may decline to share the information if persuaded on reasonable grounds that the sharing of the information at issue under this section would seriously injure the Service’s performance of its duties and functions under the Act.

(d) If the Review Committee dismisses the Director’s objection, the Director may apply to a judge within 10 days for an order staying the information sharing.

(e) A judge may issue the stay order referred to in paragraph (d) if persuaded on reasonable grounds that the sharing of the information at issue under this section would seriously injure the Service’s performance of its duties and functions under the Act.

(f) At any time, the Review Committee may apply to a judge for a lifting of any stay issued under paragraph (e) on the basis of changed circumstances.

(g) For greater certainty, the Review Committee may request information it believes necessary for the performance of any of its functions under this Act from the Commissioner of Communications Security Establishment under the National Defence Act, or, the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act.

 

National Defence Act

274.64  (a) If on reasonable grounds the Commissioner believes it necessary for the performance of any of the Commissioner’s functions under this Act, those of the Security Intelligence Review Committee under the CSIS Act, or those of the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act, the Commissioner may convey any information which the Commissioner is empowered to obtain and possess under this Act to:

a) the Security Intelligence Review Committee under the CSIS Act, or,

b) the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act

(b) Before conveying any information referred to in paragraph (a), the Commissioner must notify the Chief and give reasonable time for the Chief to make submissions.

(c) In the event that the Chief objects to the sharing of information under this section the Commissioner may decline to share the information if persuaded on reasonable grounds that the sharing of the information at issue under this section would seriously injure the Establishment’s performance of its duties and functions under the Act.

(d) If the Commissioner dismisses the Chief’s objection, the Chief may apply within 10 days to a judge designated under section 2 of the CSIS Act for an order staying the information sharing.

(e) The judge may issue the stay order referred to in paragraph (d) if persuaded on reasonable grounds that the sharing of the information at issue in the application would seriously injure the Establishment’s performance of its duties and functions under the Act.

(f) At any time, the Commissioner may apply to a judge for a lifting of any stay issued under paragraph (e) on the basis of changed circumstances.

(g) For greater certainty, the Commissioner may request information the Commissioner believes necessary for the performance of any of the Commissioner’s functions under this Act from the Security Intelligence Review Committee under the CSIS Act, or the Civilian Review and Complaints Commission for the Royal Canadian Mounted Police under the RCMP Act.

 

RCMP Act

45.471  (a)  Notwithstanding any other provision in this Act, if on reasonable grounds the Commission believes it necessary for the performance of any of its functions under this Act, those of the Security Intelligence Review Committee under the CSIS Act, or those of the Commissioner of Communications Security Establishment under the National Defence Act, the Commission may convey any information which it itself is empowered to obtain and possess under this Act to: 

a) the Commissioner of Communications Security Establishment under the National Defence Act, or,

b) the Security Intelligence Review Committee under the CSIS Act

(b) Before conveying any information referred to in paragraph (a), the Commission must notify the Commissioner and give reasonable time for the Commissioner to make submissions.

(c) In the event that the Commissioner objects to the sharing of information under this section the Commission may decline to share the information if persuaded on reasonable grounds that the sharing of the information at issue in the application would seriously injure the Force’s performance of its duties and functions under the Act.

(d) If the Commission dismisses the Commissioner’s objection, the Commissioner may apply within 10 days to a judge designated under section 2 of the CSIS Act for an order staying the information sharing.

(e) The judge may issue the stay order referred to in paragraph (d) if persuaded on reasonable grounds that the sharing of the information at issue in the application would seriously injure the Force’s performance of its duties and functions under the Act.

(f) At any time, the Commission may apply to a judge for a lifting of any stay issued under paragraph (e) on the basis of changed circumstances.

(g) For greater certainty, the Commission may request information it believes necessary for the performance of any of its functions under this Act from the Commissioner of Communications Security Establishment under the National Defence Act, or, the Security Intelligence Review Committee under the CSIS Act.

 

A Longer Arm for CSIS: Assessing the Extraterritorial Spying Provisions

The government tabled Bill C-44 yesterday.  Mostly amendments to the CSIS Act, the bill is largely a response to court cases over the last six years that have complicated CSIS's legal landscape.  Other than the hubristic over promise of its short title ("Protection of Canada from Terrorists Act"), few of the proposed CSIS Act changes are a surprise.  Indeed, several of them are too long in coming.

Put another way, this is not a response to last week's Ottawa attacks -- the other legal shoe (perhaps a steel-toed Kodiak boot) has yet to drop.

In this post, I shall begin discussing the Bill's key CSIS Act changes.  Here, I want to focus on the extraterritorial operations issue.

1. Responding to Justices Blanchard and Mosley

Once upon a time (that is, before 2008), most observers (myself included) assumed that CSIS's core "security intelligence" mandate in s.12 of the Act included overseas operations.  We believed this because the definition of "threats to the security of Canada" included references to threats from both inside and outside Canada, and because s.12 did not delimit CSIS security intelligence operations to the territory of Canada (unlike s.16, relating to CSIS's "foreign intelligence" mandate).

In a Federal Court decision made public in 2008, Justice Blanchard demurred, concluding (among other things) that s.12 did not possess an extraterritorial aspect, at least in relation to the covert surveillance at issue in that case.  He also concluded that a Federal Court had no authority to issue a warrant authorizing (presumably covert) surveillance on Canadians located overseas.  The statute did not authorize what would be, in his view, a violation of international law (to wit: spying in a foreign state, without that state's consent). For more on this decision and the international law angle, see my article posted here.

The Service then faced a choice: A. appeal, B. pull in its eyes and go blind, C. concoct some sort of work-around, or D. amend the CSIS Act to reverse Justice Blanchard's construal.  It chose option C, unfortunately in my view.  Its work-around resulted ultimately in a practice of seeking warrants on the basis that while surveillance was directed outwards, it was physically conducted in Canada.  Except the practice morphed from there, and turned into a system of seeking surveillance assistance from allied spy services.  When the Federal Court (in the form of Justice Mosley) learned of this (not directly, but incidentally when reading the reports of the CSIS and Communications Security Establishment review bodies), the Service was called in and issued a stern rebuke.  The blow by blow behind this saga is distilled here, as best as I understand it.  The decision condemning the CSIS practice was then appealed. That appeal has apparently been decided, but the Federal Court of Appeal has not released a public version.  The fact that the government has now reacted with legislation suggests that the outcome was not to the government's liking.

So fast forward to yesterday: the bill now makes abundantly clear that s.12 investigations may be conducted "within or outside Canada" (same with security clearance investigations).  So we return to the situation many of us thought to be the case pre-2008.

2. A Very Canadian Honesty about Spying

The more interesting change is in the amendments to s.21.  These would permit CSIS to seek and obtain a warrant from the Federal Court for overseas investigations.  And "[w]ithout regard to any other law, including that of any foreign state, a judge may, in a warrant issued under subsection (3), authorize activities outside Canada to enable the Service to investigate a threat to the security of Canada."

This reverses the other aspect of Blanchard J's decision: his refusal to authorize a warrant where to do so might violate international law (namely, the sovereignty of another country).  After all, what we are really talking about is covert surveillance, some of which may be so covert the territorial state is unaware of it.  And that may violate that foreign state's law, and by extension its sovereignty.  The latter would violate international law.

Now we need to be clear (because I am hearing strange things on this): in our constitutional system, Parliament is absolutely and without any doubt able to legislate in violation of international law, so long as the principle at issue isn't also a principle of our constitutional law.  A prohibition on violating the state sovereignty of another state is not a Canadian constitutional law principle.  (While international human rights law is often the benchmark for construing the Charter, nothing in international human rights law is offended by a system of authorized surveillance by the state, even in another state.  Human rights law just doesn't have granularity on this question.  Whether it should is an important discussion.  But in its present form, privacy law in international human rights law is anemic, despite best efforts to "talk it up".  See my views on this here.)

In my 2010 article, I concluded, however, that "it will be no simple thing to overcome this caution [on international law, by Blanchard J.] by legislative amendment.  No Canadian politician – cognizant of Canada’s modest position in the hierarchy of nations – will enthusiastically endorse an amendment that authorizes emphatically what other states only accept tacitly: that extraterritorial spying is permissible." 

And yet, showing that I misjudged the political and diplomatic courage of this government, that is exactly what the new bill proposes.  I have never seen (and I have started looking in earnest) a state codify so clearly in its law books that its organs will authorize spying in another state, regardless of the law of that state.  States spy all the time, of course.  But this is real Canadian honesty.  I think I admire that.

3. CSIS and CSEC

And so what will it do?  First, it will probably keep some folks at Foreign Affairs up at night.

Second, it will regularize the CSIS/CSEC relationship.  There seems to be a lot of confusion on this point and on CSEC's mandate in general.  Cutting to the chase, CSEC can do foreign signals intelligence (Mandate A).  That's been the source of controversy post-Snowden, because of concerns that its Mandate A operations are drifting into the domestic sphere, or at least implicating Canadians.  Much has been said, denied and is unknown about all this.

But CSEC can (and has legally been able to, since 2001) provide "technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties" under its so-called Mandate C.  (These letters are in reference to the powers listed in the National Defence Act, s.273.64).

So CSIS comes with warrant in hand, and CSEC can act as CSIS's technological appendage, shielded by the lawful authority in the CSIS warrant.  The issue in the 2013 decision by Justice Mosley is that CSIS was coming and seeking assistance beyond the scope of the shielding warrant.

Now, with the bill, it will be clear that CSIS is authorized to conduct overseas investigations, and that the Court can authorize intercepts by warrant.

So yes, Canadians (and non-Canadians) who pose a threat to the security of Canada can be lawfully spied upon, inside or outside the country. 

Personally, I think this is sensible, if it is subjected to proper oversight and review.  And therein lies the rub.

4. Federal Court Extraterritorial Warrants: When do you seek them?

First, the amendments give the Federal Court the power to issue the extraterritorial warrant, but don't establish when CSIS needs to seek one in the first place.  This is more than a technical lapse.  It really is a conundrum.  The trigger for the obligation to seek a warrant is where CSIS believes "on reasonable grounds, that a warrant is required" to investigate a threat, now inside or outside Canada.  And that begs the question: when is it reasonable to think a warrant is required?  The classic answer is: where your investigation amounts to a search or seizure regulated by s. 8 of the Charter -- in other words, where at stake is a reasonable expectation of privacy.  So, short answer: where the Charter applies.

But does the Charter apply overseas?  That question causes consternation up and down the court system.  But whatever else may be the case, the Supreme Court in Hape suggested that s.8 of the Charter doesn't really reach beyond the borders. So that may well mean that you never need to actually seek the warrant for overseas investigations that the Act will now permit you to get from the Federal Court.

The wary lawyers at CSIS didn't want to make that assumption when they went to Blanchard J in 2007, in the case that sparked this whole drama in the first place.  And they were probably right to be cautious.  For one thing, Hape was an overseas police investigation done with the assistance of foreign authorities.  The Court was clearly motivated by concerns of comity, and not superimposing on a foreign state Canadian niceties. But I could see a court concluding that s. 8 does reach circumstances in which, rather than acting in concert with foreign states, you acted secretly without even the oversight associated with that foreign law.  This distinguishes Hape, and constitutional law abhors a vacuum.

Likewise, if the surveillance does reveal facts that are later used as evidence in a criminal trial, I could also easily see a court saying: "So, let me understand this.  You were acting covertly without the knowledge of the territorial state, and in violation of its laws.  And you also had no oversight by the courts in Canada.  So basically, you were making it all up on your own.  And now you want us to admit this as evidence and for us to say, no problem, fair trial.  Well, on that point we demur, as Hape allows us to."

Still, it would be nice to have some language in the bill specifying in greater detail the trigger for seeking warrants in the first place.

4. Federal Court Extraterritorial Warrants: Lions and Tigers and Bears

Second, assuming we do have a practice of regularly seeking Federal Court extraterritorial warrants, I think this is a positive development.  A Federal Court, confronted with a request to spy in violation of a foreign state's laws and international law, will breathe fire to ensure that the Service's homework is done thoroughly and that the warrant is, well, warranted.  Because if the whole operation goes sideways, it's not just the Service whose credibility will now be in question.

Foreign Affairs will not be the only place with sleepless people.

5. Review, Where Art Thou?

But here's the big issue for me: The clock ticks, post-Arar and nowhere, on no horizon, are the review and accountability reforms recommended by that inquiry on the agenda.  And yet our review system clearly groans in its efforts to keep pace.  SIRC chairs resign in controversy.  It remains understaffed, and deserving of more resources.  The latest SIRC report suggests all is not well with the CSIS cooperation with its review body.  SIRC and the CSEC commissioner coordinate, but are reportedly criticized by the security services when they make moves to deepen their coordination.  Other important and powerful agencies -- such as CBSA -- wander about without any review at all.  Parliamentarians are blind and often oblivious, and no legislated committee of parliamentarians has attracted government support despite private members' bills calling for such measures.

The accountability system is a village around which has grown a metropolis.  Let me editorialize (it is my blog): This is absurd.  Absolutely, Federal Court oversight via warrant is a fine development, assuming it's used.  But it is only part of the equation, and one that the government has been forced to address, not proactively develop.  More generally, it is time for the "Protecting Canadians from the Protection of Canadians from Terrorism Act".  Enact the Arar recommendations, staff the review bodies earnestly, completely, on a full time basis and with resources to spare.  Make Parliamentarians relevant by supporting a law project like Bill C-622.

Does the State Belong in the Computers of the Nation? Legal Developments in Cybersurveillance

[After returning from extended travels, I delivered the following talk on Wed Oct 22 at the Conference Centre in downtown Ottawa, as part of the SERENE-RISC cybersecurity conference.  After our panel, we were notified that the building was in lockdown because of events unfolding across the Canal.  The policy and political conversation will likely focus now on new powers and procedures for security and intelligence agencies.  I debated, therefore, whether to post these notes at this time.  However, history persuades me that it is better to twin any discussion of state powers with consideration of accountability, or risk violating the law of unintended consequences.]

Pre-Recorded Screencast

 

Does the State Belong in the Computers of the Nation? from Craig Forcese on Vimeo.

 

Speaking Notes

I’ve entitled my talk, somewhat tongue in cheek, “Does the State Belong in the Computers of the Nation?”

So let me answer.  Yes, there are absolutely circumstances where the state should have powers of surveillance – nothing separates communication by electronic device from the sort of important policy concerns that justify carefully controlled and overseen state surveillance.  And those policy concerns are compelling.  Not least, there are bad people who would do us harm, and anticipating and preempting their conduct is often our best defence.  That requires intelligence, and intelligence often depends on surveillance.

But everything hinges on my caveat: “carefully controlled and overseen”.  Let me explain: in using these terms, I am talking of what I’ll call Privacy 1.0 – the idea that the best protection of privacy comes from supervising and limiting the data that government can collect in the first place.  As an aside: I think we also need more serious conversations about Privacy 2.0 – what the state can do with data already in its possession.  But I shall focus today on Privacy 1.0 and control of collection.

And on this issue, for a surprisingly long period of time, the rules governing intercept of computer-based communications have been murky, mostly because of the mismatch between modern electronic communication and laws designed for a different age.  This disconnect has created ambiguities that have variously been the source of uncertainty and also of creative state interpretations of exactly what it is they are legally able to do.

To the extent that Parliament has intervened, it has generally done so in a manner seeking clarity at the expense of privacy.  However, in the last year the Supreme Court has entirely recrafted the legal landscape in a manner that makes much past practice and past legislative projects irrelevant.  Put more concretely, the Court has signaled that “carefully controlled and overseen” still has a place in assessing the legality of state surveillance.

In the next 10 minutes, I want to set out where we’ve come from in this area, where we are now, and suggest where we may be heading.  My focus will be mostly, but not exclusively, on national security related surveillance.

Part 1: Where Have We Come From

In the area of security surveillance, privacy law has generally not kept pace with two key developments: first, the considerable overlap between what were once the fairly discrete areas of criminal law investigations, security intelligence investigations and foreign signals intelligence collection; and, second, the technological communications revolution. 

A.  Privacy and Crime

Let me trace a chronology of law, surveillance and technology in developing this thesis.  In 1974, Parliament enacted the Protection of Privacy Act -- now known as Part VI of the Criminal Code. Part VI is the most important of what we call “lawful access” provisions.  Part VI makes unauthorized intercept of private communications a crime.  In practice, and subject to some limited exceptions, lawful access therefore requires a judicial pre-authorization.

Judicial blessing in advance of interference with a reasonable expectation of privacy has since also become the standard under section 8 of the Canadian Charter of Rights and Freedoms.  And the practice for judicial authorizations of all sorts in privacy matters has been “specificity” – that is, warrants are issued for finite purposes against finite targets in finite circumstances and locales.

Part VI was, and is, directed principally at law enforcement – it is the means by which the RCMP, for instance, receives wiretap authorizations.

B.  Privacy and Security Intelligence

That said, the key principles undergirding Part VI lawful access – advance authorization by judges with specificity – also became part of the regulatory system for the Canadian Security Intelligence Service, when that body was created in 1984.

There were, however, differences between criminal law surveillance and the security intelligence surveillance conducted by CSIS. (Note that “security intelligence” is a shorthand for a finite list of issues enumerated in the CSIS Act and relating to “threats to the security of Canada”). 

For one thing, Part VI authorizations must ultimately be disclosed – both their particulars (to the person surveilled, after expiry of the authorization) and also annual statistics on the number of such measures. 

In practice, the annual numbers of CSIS warrants do appear in the CSIS review body’s annual reports.  However, the existence of CSIS warrants is not disclosed to their targets, and only comes to light in the rare instance where a CSIS investigation morphs into a criminal matter (and is passed on to the police and ultimately results in criminal charges), or even more rarely when a particular CSIS surveillance operation becomes a matter of public controversy.

Canadian law, in other words, places criminal law surveillance and security intelligence surveillance on a different legal footing when it comes to transparency.

C.  Privacy and Foreign Intelligence

Then in 2001, after 9/11, the National Defence Act was amended to codify formally the intercept powers of Communications Security Establishment Canada.  Of particular note, the new law opened the door to lawful intercept by CSEC of Canadian “private communications” as part of its so-called Mandate A – that is, collecting foreign signals intelligence. 

Up until this point, had CSEC intercepted Canadian private communications in performing this function, it would have committed a crime under Part VI of the Criminal Code.  After 2001, CSEC was exempted from Part VI so long as the Minister of National Defence authorized any intercept of private communications. 

Obviously, the fact that authorization comes from the minister, and not a judge, places CSEC on a fundamentally different footing than the police or CSIS.  Moreover, unlike CSIS or Part VI authorizations, CSEC authorizations are more generic permissions, relating to an “activity” or “class of activity” and not to a specific individual or individuals. And in terms of transparency, the CSEC review body tells us how many ministerial authorizations exist, but we know nothing about their content (which remains a closely guarded secret).

These differences in the CSEC lawful access regime likely reflected the perception that CSEC’s eyes were outward looking, focused on foreign signals intelligence that only incidentally and haphazardly swept up domestic communications.  Conventional privacy protections could, in these circumstances, be muted.

Much has since been said and debated in the post-Snowden period as to what CSEC does and does not intercept, and how and in what circumstances it captures private communications.  I will not rehearse that saga here.

Instead I make my key point: since 1974, the scope of lawful access has gone from: first, police investigating crime and intercepting with specific judicial authorization that then is subsequently disclosed; second, CSIS investigating security intelligence matters and intercepting with specific judicial authorization, that is never disclosed, and; third, CSEC collecting “foreign intelligence” by intercepting private communication (at least incidentally) with more generic authorization, not from an independent judicial officer, but from a member of the political executive, that is never disclosed.

 

D. Implications of Morphing Mandates and Technological Change

In the result, we have a system of surveillance law designed for a criminal law paradigm, tweaked to deal with security intelligence and essentially abandoned in all material respects for foreign signals intelligence. 

This may have been sustainable in a period when the world partitioned neatly into these three categories.  However, since 9/11, national security – and specifically anti-terrorism – concerns have become increasingly hybridized criminal/security intelligence/foreign intelligence issues.   In actual surveillance practice, it is apparent that the foreign intelligence/security/crime boundary is murky.  For instance, there has been some controversy in the past between CSEC and its review body about whether some CSEC activities truly amount to foreign intelligence gathering. 

That particular concern seems now to have been resolved. More recently, however, controversy over CSEC’s metadata collection activity reflects a second notable development since the 1970s: how technological change has undermined a privacy regime first constructed for a simpler communications age. By all reasonable accounts, metadata – especially when pooled with Big Data – can be even more revealing of human behaviour than even intercepted communication content.  Yet, the government seems regularly to take the view that metadata is not private communication, as a legal matter. 

I dispute this particular conclusion in 12,000 words or less in an article that will appear in due course.  However, to the extent this position animates inside-government approaches on this issue, it has the effect of making the privacy protections in Part VI irrelevant.  Indeed under this reasoning, CSEC doesn’t even need a ministerial authorization for its metadata intercepts.

In the result, we have intercepts of potentially revealing information with no advance judicial or even legally mandatory ministerial oversight, and no formal disclosure requirements of any sort.  (One counterargument is that the review bodies serve as the public’s proxies in holding the security services to account.  I do not dismiss their significance.  In the area of privacy, they are, however, irrelevant.  The cardinal principle of privacy protection in Canadian law is advance authorization of invasions of privacy by an independent judicial officer, not after the fact criticisms by an arm’s length wing of executive government.)

 

Part 2. Recent Developments

So what has happened recently? Well over the last 18 months, the Supreme Court has begun to reclaim lost legal ground, reasserting established rules on search and seizure and underscoring their relevance in the cyber world.  Three cases serve as a sort of trilogy in this area – Telus, Vu and most recently (and most importantly) Spencer.  (We are expecting a fourth case, Fearon, on searches of smart phones).

For reasons of economy, I focus on Spencer, a decision with which I imagine many of you are familiar.  To cut to the chase: Spencer was about internet subscriber data in a police child pornography investigation.  The information in question was the name, address and telephone number of the customer associated with an IP address.  It was, in other words, the most benign form of data attached to an IP address -- what some have called "postal envelope" information. In a nutshell, the court nevertheless held that the Charter's section 8 protections against unreasonable searches and seizures extend to this subscriber data.  If the police want it from a service provider, they need to come a-knocking with a warrant.

The Court was unmoved by the fact that the information was actually in the possession of a third party service provider or that there was a service contract that (at least ambiguously) suggested disclosure was a possibility. 

Because of all this, I regard Spencer as one of the most important privacy decisions made by the Supreme Court, bar none.

 

Part 3. Where Are We Going?

Let me provide some thoughts about what all this may mean for the future.  First, the Spencer holding has obvious knock-on effects in the legislative arena.  For one thing, earlier proposals, spearheaded by Vic Toews when he was public safety minister, permitting warrantless access to subscriber information are now clearly unconstitutional.

There are also secondary issues with law projects before Parliament now.  For instance, Bill C-13 (the so-called cyberbullying bill) has now moved on to the Senate.  It contains warrant provisions for metadata – called transmission data – albeit ones that require relatively little of police to obtain.  But it also purports to allow law enforcement to continue asking for voluntary disclosure by service providers – something that would almost certainly violate the constitutional rules outlined in Spencer.  And it purports to immunize service providers who do disclose in response to such a request.

The question is a novel one, but it is quite plausible that the immunity provision would fail on constitutional grounds if challenged in court.  Accordingly, no service provider should ever respond to a state request for subscriber data with anything other than: “please show me your warrant”.

Second, I think there are obvious implications for security surveillance by CSEC.  The Supreme Court is prepared to extend section 8 protections to the most benign data -- name and address and telephone number -- associated with an IP address. 

It is inconceivable to me that it will now demur when it comes to other, even more intimate forms of metadata created by modern communication -- geolocations, place called, duration of calls, websites surfed etc.  While the degree of privacy protection will always depend on circumstances, I think the constitutional die is now cast when it comes to the sorts of metadata most contentious in the post-Snowden debates.

We don't know, of course, what CSEC (and perhaps other agencies) have been in fact collecting under the umbrella of "metadata".  Nevertheless, the concept is so broad and Spencer so dramatic, that I assume at least some of what the government has in the past collected is now subject to the full protections of section 8. 

And so putting CSEC’s activities on a sounder constitutional footing will require amendments to its governing statute.  In this respect, I strongly support the private member’s law project tabled by Joyce Murray  -- Bill C-622, now reaching second reading in the Commons.  Among other things, this bill would graft a modified judicial warrant regime on CSEC activities.  I would encourage those of you with an interest in this area to review this bill, and if you can, support it.  When this bill was first tabled before Spencer, I believed it was constitutionally necessary, as well as good policy.  Spencer more than affirmed that belief.  I confess surprise and disappointment that the government has not moved itself to place CSEC intercept of private communications on a firmer constitutional footing, not least because the BC Civil Liberties Association is suing it over the issue.  Regularizing the accountability process around intrusive and secretive surveillance seems an issue that transcends most conventional political boundaries.

Let me conclude, then, by reverting back to the question posed in the title of my presentation: “Does the State Belong in the Computers of the Nation?”  My answer was yes, subject to careful control and oversight.  The Spencer decision has breathed new life into Privacy Law 1.0, intercept gatekeeping rules.  And I think it is important to now ensure that control and oversight by courts become part again of the entire contemporary world of state surveillance.