Private Member Bill Attempts to Bring CSEC Under Control

| June 18, 2014

Bill C-622, the CSEC Accountability and Transparency Act, introduced today by Joyce Murray, (Liberal-Vancouver Quadra), seeks to address a number of the many problems inherent in the surveillance activities of Canada's foreign intelligence signals agency, the Communications Security Establishment of Canada (CSEC). CSEC currently operates largely on its own, subject only to broadly-frame authorizations and directives from the Minister of National Defence (MND) and non-binding oversight from the CSE Commissioner. While the Bill fails to substantially restrict CSEC's mass harvesting of Canadians' data by imposing disciplined surveillance practices, it does make meaningful progress on the long list of CSEC-related problems that need to be addressed, by:

  • Removing the MND's capacity to authorize interception of Canadians' private communications. Such authorization can only come from a judge following an adversarial proceeding;
  • Adopting an inclusive definition-Protected Information-which unambiguously includes all data associated with communications, including metadata, not just content;
  • Imposing stricter limits on how long CSEC can retain Canadian data that is incidentally collected in its surveillance activities, however the MND may override these limits under certain conditions; and
  • Removing CSEC's ability to conduct 'classes of surveillance activities', but retaining its capacity spy on 'classes of persons' without any need for reasonable grounds.

In addition, the Bill enhances transparency and oversight by establishing a non-partisan parliamentary oversight committee and requiring the CSE Commissioner's annual report on CSEC activities to include greater detail.

While not a complete or definitive solution, the measures in this Bill are most timely. As global concern over the excessively broad and largely unsupervised activities of foreign intelligence agencies is reaching new heights, it is imperative that steps be taken to restore confidence in these agencies and in our digital networks in general. The string of revelations regarding the unprecedented scope of foreign intelligence surveillance activities provided by whistleblower Edward Snowden has triggered international debate on whether these agencies were granted too much privacy invasive latitude in the wake of 9/11. This growing global concern was recognized in an historic United Nations Resolution on the right to privacy in the digital age (A/C.3/68/L.45). Against this backdrop, Canada's foreign intelligence framework is so permissive that some of its foreign intelligence partners (such as the NSA) look to it with envy. It is becoming increasingly clear that CSEC makes full use of this latitude in order to extensively collect and retain sensitive information.

Removal of the MND's power to authorize CSEC's privacy invasive activities is an important step. Only a court possesses the objectivity and legitimacy to authorize the types of communications surveillance activities typically carried out by foreign intelligence agencies. Moreover, the Bill mandates the use of special counsel to ensure that judges are not authorizing surveillance activities without a full and adversarial presentation of the law and fact before them. Further, the Bill also requires CSEC to frame its surveillance activities in somewhat more targeted parameters. Currently, CSEC seeks authorization to surveil "classes of activities", a term CSEC has interpreted to mean it is able to target entire 'classes of communications activities', over the objections of former CSE Commissioners:

My predecessors and I have long held the view that a plain reading of the National Defence Act supports the interpretation that the interception authorized by the Minister is that of a private communication in relation to an activity or class of activities which is targeted or the object of inquiry, and not to a method of collection as contended by CSEC. Therefore, an important amendment would be to clarify the meaning of the term activity or class of activities. -- Former CSE Commissioner Charles Gonthier

However, the Bill permits CSEC to retain its ability to target 'classes of people' while failing to require CSEC to have reasonable grounds for doing so. This provides judges with a limited reviewing role, comparable to that entrusted to the U.S. Foreign Intelligence Surveillance Court (FISC) which oversees the NSA.

Additionally, the Bill addresses key shortcomings in CSEC's current authorization framework, which is limited to the 'interception of private communications'. The term is loaded with ambiguities with respect to whether it includes the interception of 'metadata' or not. In addition, it is limited to interception of communications, while these days data can be acquired by a broad range of mechanisms. The Bill addresses these problems by adopting an inclusive definition of 'protected information', which unambiguously applies to metadata. It also expands CSEC's authorization framework to apply to the acquisition of such data in general. 

While the Bill's lack of a reasonable grounds requirement suggests that it will not meaningfully restrain CSEC's ability to mass harvest Canadians' data, it does impose stricter retention obligations -- Canadian data can only be kept for a maximum of 90 days. This will apply to any data capable of being linked to a Canadian, making it more difficult for CSEC to retain significant amounts of Canadians' data through the use of ineffective de-identification practices. However, the MND retains the ability to override this restriction if he feels it is essential for international affairs, defence or security.

While a meaningful step, many other problems with CSEC's framework remain. Foremost amongst these are a need to adopt a reasonable grounds standard, so that CSEC is obligated to conduct its surveillance activities in a disciplined manner and cannot mass harvest everyone's data simply because it is now technically feasible to do so. Without such a standard, the reviewing activities of judges are largely regulated to rubber stamping surveillance requests. The US Foreign Intelligence Surveillance Court (FISC) which oversees the NSA, for example, rarely if ever rejects surveillance requests. This is because the court lacks any meaningful standard by which to measure the breadth of NSA requests.

Problems relating to the manner in which CSEC interacts with its Five Eyes partners must also be addressed. In late 2013, the federal court held that these Five Eyes partners (which include key foreign intelligence agencies such as the U.S. National Security Agency (NSA) and the U.K. Government Communications Headquarters (GCHQ)) conduct electronic surveillance activities in violation of international human rights obligations. [paras. 102 & 105] The Federal Court went on to hold that there is no legal authority in existing statutes that would authorize CSEC to use its expansive Five Eyes resources when assisting agencies such as CSIS surveil the communications of Canadians abroad. [para. 122] While this decision is currently under appeal, it raises clear and direct problems that arise from CSEC's heavy reliance on the resources of foreign intelligence agencies such as the NSA. The simple process of tasking such agencies to surveil an individual can lead to serious consequences if the foreign agencies take this as an indication that the individual is a 'suspect', including placement on a watch list or even torture. It is therefore incumbent on the government to place these informational exchanges under stricter control. 

In addition, the distinction between collection of Canadian and non-Canadian data must be revisited, as it is a distinction that is neither feasible nor proper in light of the heavily integrated nature of modern communications networks. Allowing the wholesale collection of non-Canadian data leads to the collection of Canadian data, as the two are heavily integrated. Moreover, privacy is an internationally recognized human right, and there is no justification for ignoring the rights of others simply because they reside elsewhere. In addition, CSEC is currently empowered to carry out its electronic surveillance activities in pursuit of any foreign intelligence objective.

The term foreign intelligence itself requires careful re-consideration, given its central role as a check on CSEC's expansive surveillance powers. The term is extremely broad and capable of encompassing many quotidian activities that pose no real threat to national security. Many of these activities may be central to the democratic process, and wholesale spying on these can undermine important political mechanisms and chill legitimate democratic criticism. In light of such concerns, President Obama recently limited the use of foreign intelligence data to a circumscribed list of six serious classes of threats and extended some protections to non-U.S. persons (PPD-28).

Finally, it is reported that CSEC has been complicit in the undermining of technical security standards and safeguards. Such actions undermine the integrity of communications systems as a whole, and should not be within the proper purview of a signals intelligence agency such as CSEC. Along these lines, the U.S. Congress is considering a budget amendment that would prohibit the NSA from using funds in order to require or request anyone from building surveillance backdoors into his or her and services and undermining security standards. Thought should be given as to whether CSEC's ability to use its formidable powers should be similarly constrained.

-------------------
Tamir Israel, Staff Lawyer
Last updated June 18, 2014