The Federal Court this week released a lengthy decision that, unusually, dealt with CSIS’s s.16 “foreign intelligence” mandate. In so doing, it proved, once again, that an Act mostly left fallow for a generation spits up weeds.
The decision is deeply redacted, and we know precisely nothing about the target, subject-matter issue or investigative technique at issue. And that means there is no way for me judge whether I think the Court “got it right”. But the underlying storyline is easy enough to imagine, even if the precise specifics are secret. And the policy issues can be surfaced with a hypothetical.
Who Was the Target?
The target was a foreigner physically in Canada. They could not be Canadian (or a Canadian permanent resident) – CSIS cannot investigate a Canadian or Canadian permanent resident under its s.16 mandate. And they had to be in Canada. This was a warrant application. A warrant would only be required, constitutionally, if the foreigner was in Canada. And besides, if the foreigner was overseas, CSE could have targeted him or her under its foreign intelligence mandate, Mandate A. But CSE cannot direct its foreign intelligence activities at any person in Canada. So bottom line: the person was in Canada.
What was the Foreigner in Canada in Doing?
We do not know what our foreigner in Canada – who we shall call Bob – was doing. We do know what Bob was not doing. He was not involved in terrorism, espionage, sabotage or foreign-influenced activities (at least not foreign-influenced activities within Canada or related to Canada, while detrimental to the interests of Canada). And I suppose for the sake of completeness, I should add Bob was not involved in subversion of the Canadian government. Because if Bob was involved in any of these things, he would pose a “threat to the security of Canada” and this would have been a s.12 CSIS “security intelligence” investigation.
But it was a s.16 investigation. Which means that Bob was being investigated to collect information or intelligence relating to the capabilities, intentions or activities of any foreign state or group of foreign states or some foreign person. This is what is called “foreign intelligence”. Basically, that means anything other than security intelligence.
Bob from Mordor
So, because all the good parts in the decision are redacted, let’s make up our hypothetical: Bob was a diplomat from the Embassy of Mordor, who was in fact from the Mordor Acquisition and Liaison Intelligence Collation Entity (MALICE). And while in Canada, Bob was part of an intelligence operation designed to influence the Government of Isengard, in a manner advantageous to Mordor.
Global Affairs Canada, which has an obvious interest in developments in Isengard, wants to get a handle on this foreign influence campaign. And so, it turns to CSIS. There is no clear way an investigation into this influence op falls within a “threat to the security of Canada”. (I suppose in some cases, it would be so egregious as to be “detrimental to the interests of Canada”, even though directed at a third state, but you can only bend that language so far.)
So, under s.16, the Minister of Foreign Affairs requests, and the Minister of Public Safety agrees, that CSIS will conduct a foreign intelligence investigation. But s.16 also says that CSIS may only engage in foreign intelligence collection “within Canada”.
Alice of Isengard
That works fine, to a point. Bob is in Canada. But his chief asset in Isengard is Alice, someone who has influential contacts in the National Repressive Ring Association (NRRA). And Alice is not in Canada. And moreover, Bob and Alice have 1990s style operational security. When they communicate, they do so by logging into Gondor Mail (G-Mail), an email service in Gondor. And they modify draft emails in an email account to which they both have access, housed on G-Mail’s Gondor-based servers.
The Warrant on Bob
CSIS wants to monitor Bob’s communications in Canada. Now Bob is a foreigner, but as noted, he has Charter s.8 rights. And so CSIS needs a warrant. And CSIS wants, with that warrant, to wiretap not just Bob’s phone but also access his email communications. But, nuts, the G-Mail servers are overseas. And CSIS is no position to somehow insert keystroke logging on Bob’s embassy computer. And so, the only way (I shall assume, because I am not a tech-guy) to access the G-Mail draft folder is by hacking into the Gondor-based servers.
Now, pursuant to Mandate C, CSE can provide the technical wherewithal to do this. But CSIS needs to have lawful authority to seek this CSE assistance, meaning if CSIS needs a warrant, CSIS has to have one.
Whether CSIS needs a warrant may be a close call. If the communication is outside Canada, then perhaps the Charter does not apply because it generally does not apply extraterritorially. After all, if Bob were physically outside Canada, he would enjoy no Charter rights. (The Hape exception would apply only if Canada were in violation of its international human rights obligations -- not clear cut here – and, says earlier Federal Court jurisprudence, where the victim was a Canadian – not true here.).
So, is it too much to say that CSIS's intercept of Bob’s Gondor communications doesn’t require a warrant? Hmmm. Maybe. But this might still be a “private communication” under the Criminal Code (and I could easily change the facts so that it would be). And if so, the fact that one side of this communication starts in Canada is enough to require a judicial authorization process. So not much relief there. And besides, CSIS remembers the infamous Re X case and decides it is better to go to court now, to avoid a train wreck later.
So CSIS does the appropriate thing and concludes it probably needs a warrant. And more than that, it might also reasonably argue that on our facts (communication commences in Canada, travelling overseas through Canada etc) the collection really was “within Canada, enough”, and thus squares with s.16 of the Act. (A view that would be consistent with: the assumption that the Charter applies to Bob’s transiting communications, and the concept of private communication in the Criminal Code, and arguably the concept of territoriality in cases like R. v. Libman.)
But there is also another view: the content of what CSIS is intercepting is not in Canada. It can only be accessed by reaching out electronically across Canadian borders to Gondor, all the way over in Middle Earth.
So, what’s the answer? How do we read “within Canada” in s.16? Well, obviously it means “within Canada”, but what does that mean for footloose-communications? The redactions are thick in this case, and we really don’t know what sort of extraterritorial activity was at issue. But after a lengthy and seemingly exhaustive statutory interpretation exercise, the Federal Court says: this [REDACTED FOR PAGES] extraterritorial CSIS intrusive investigative activity was not within Canada.
Let's assume that hacking into Bob's Gondor Mail would also exceed whatever threshold of impermissible extraterritoriality was at issue in the Federal Court case. That is, it too would not be "within Canada". So, CSIS, in our story, you are out of luck. Maybe you should just ask Gondor to collect and share the Gondor Mail communications itself? But do you want to rely on Denethor II, son of Echtelion II, Steward of Gondor? In The Two Towers, he struck me as a bit unhinged, to be honest. And perhaps he was a little too inclined to appeasement to Mordor.
The CSE Knock-On Effect
Ok, then. Open Door Number 2: if the communication is not “within Canada”, then that must mean that CSE can, in fact, collect under Mandate A (foreign intelligence). Surely, if the communication being targeted is not within Canada (and involves no one, but foreigners), then CSE collection activities are not being “directed at Canadians or any person in Canada” (the quoted phrase being a stipulation that limits what CSE can do under Mandate A). But hold that “surely”. It is a bit disingenuous to say: “so we are investigating Bob, who is a person in Canada, and we are specifically interested in Bob, and that is why we are doing this collection activity, but when we go after this particular communication, we are not directing collection at Bob, the person in Canada”. That seems too clever by half.
And anyway, the Federal Court has a collateral discussion in this case with knock-on implications that will make life for CSE very difficult. Basically, intrusive activity overseas of the sort at issue in the case (whatever they may be) constitute an extraterritorial exercise of enforcement jurisdiction. Done without the consent of the territorial state, this violates international law. And Canadian statutes will be read to comply with international law, unless they explicitly derogate from it. And neither the CSIS Act (for s.16, but not for s.12) nor the current National Defence Act (for CSE) nor the proposed Bill C-59 CSE Act derogate from international law. (On the latter issue, see my discussion here.)
So CSE, you have no legislative jurisdiction to engage in extraterritorial activities of (at minimum) the same degree or more intrusive than the ones at issue in this Federal Court case. Which means you can kiss Mandate A and B goodbye under the current National Defence Act, to the extent they exceed this threshold (which, reading between the redactions, is quite low). And unless you amend bill C-59, you can also kiss those defensive and active cyber powers away. Unless, that is, you just want to plow ahead and see what the Intelligence Commissioner, the new National Security and Intelligence Review Agency, and the National Security and Intelligence Committee of Parliamentarians have to say about this issue. This, in my view, would be insane, since a quick flick of the legislative pen could cure this problem for you, CSE.
Fixing the CSIS Act
As for CSIS, well, you could roll the dice and appeal. Or you too could fix this by legislative amendment (which is what happened to the s.12 power when this same issue arose a decade ago, and was resolved by 2015’s C-44).
But let’s be clear here: if you want CSIS to have its current extraterritorial security intelligence functions (plus its post-2015 threat reductions powers) and now extraterritorial foreign intelligence functions, you are creating, essentially, a blended MI5/MI6. And until recently, it was considered a bad idea to put security intelligence and a full foreign intelligence function in the same agency: rule-of-law security intelligence should be kept segregated from somewhat-less-than-rule-of-law James Bond.
So, we might wish, finally, to do some serious thinking about design issues, accountability issues, resource issues, training issues, etc, before we knee-jerk amend the CSIS Act (yet again). So, enter a ponderous process of deliberation. On the other hand, this is not a situation you want to leave hanging. Because in my story, Bob from MALICE is still out there, swanning away on Gondor Mail. (In truth, I don’t know how important that prospect is – it took to 2018 before this issue got to court, and yet presumably the technological dilemma I describe here could have arisen decades ago. So maybe this case won’t have much practical effect.)
But bottom line: sometimes national security law is hard. And perhaps it is sometimes harder than it has to be. I think it’s often hard because we don’t update the statute law enough. But that’s just me.