About this Project

This blog comments on Canadian (and occasionally comparative) national security law to update my National Security Law textbook and now also my 2015 book, False Security: The Radicalization of Anti-terrorism, co-authored with Kent Roach.

Please also see www.antiterrorlaw.ca for Bill C-51-related analyses by Craig Forcese and Kent Roach.

For narrated lectures on various topics in national security law, please visit my 2017 "national security nutshell" series, available through iTunes.

 

For a continuing conversation on Canadian national security law and policy, please join Stephanie Carvin and me at A Podcast Called INTREPID.

 

Please also visit my archive of "secret law" in the security area.

By Craig Forcese

Full Professor
Faculty of Law

Email: cforcese[at]uottawa.ca

Twitter: @cforcese

 

National Security Law Blog Search
Subscribe to National Security Law Blog

Best Law School/
Law Professor Blog Award

 

Most Recent Blog Postings

Entries by craigforcese (258)

Friday
Dec152017

A Warrant for All Seasons: Four New Charter Section 8 Cases

And on the fourth day of Christmas, federally-appointed judges gave to us…four new Charter s.8 cases.  There are two Federal Court cases involving CSIS intercept of IMSI information and seeking access to subscriber data. And two Supreme Court cases involving text messages received by the recipient and stored by the service provider.

Here’s the one-paragraph (often one long-run-on sentence) summaries:

  • In the Matter of Islamist Terrorism (2017 FC 1047): In the course of targeted investigations under s.12 of the CSIS Act, CSIS may intercept International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI) numbers emitted by mobile devices communications connecting to cellular networks without warrant, even though the privacy interest protected by section 8 applies, where CSIS does so in a minimally intrusive manner without seeking means of identifying the individual (in practice, because they already know who it is), does not capture communications content, does not geo-locate, does not interfere with 9/11 and emergency communications, and destroys all incidentally collected, non-target information.  Bulk collection would be a different story (which is why this case is, in net, bad for CSE and its incidental collection of private communications and metadata).
  • In the Matter of XXXX Threat-Related Activities (2017 FC 1048): CSIS cannot obtain a general court authorization allowing it to obtain basic identifying information from communications service providers for individuals whose identities are not yet known, but who may come to CSIS’s attention in the future, and the court cannot delegate such an authorization function when persons do come to CSIS’s attention to a designated CSIS official.  But CSIS may obtain such authorization from the court for individuals and, indeed, classes of individuals where the court can understand the nexus between that class and the investigation, on a reasonable grounds to believe standard.
  • R v. Marakah (2017 SCC 59): A sender retains a reasonable expectation of privacy in the communication, and inferences that can be drawn from it, stemming from text messages sent to a recipient and the diminishment of this control because the text message passes through a service provider and could be shared by the recipient does not change this and a warrantless search of the recipient’s phone to obtain these messages in circumstances where there was no plausible “search incident to arrest” breaches section 8 of the Charter.
  • R v. Jones (2017 SCC 60): A service provider may properly intercept text messages for service delivery purposes, but this does not negate the sender’s reasonable expectation of privacy and the police must generally have court authorization to then obtain these text messages. Historical text messages may be obtained through the general production order in s.487.014 of the Criminal Code (on a reasonable grounds to believe standard) and need not receive a wiretap authorization under Part VI of the Criminal Code, unless the intercept will involve prospective communications, as opposed to historic communications.

These cases, combined with the federal Privacy Commissioner’s decision on a complaint about RCMP IMSI collection activities, create, well, a maze.  The Privacy Commissioner concluded in September that RCMP warrantless collection was unconstitutional.  This is hard to square with the new Federal Court’s decision on CSIS, but the Privacy Commissioner would probably say that the RCMP offered no specifics on what they were doing of the sort that led the Federal Court to conclude that CSIS’s warrantless intercepts were still reasonable, although done warrantlessly.

So here’s a brief scenario.

Hans, the scheming villain from a famous holiday classic, is working for the Chinese government, and conducting himself in a manner that constitutes a threat to the security of Canada under the CSIS Act and a violation of the criminal provisions found in the Security of Information Act (SOIA).  So both CSIS and police have investigations underway (and are doing all that difficult deconfliction work that is a Canadian thing).

CSIS knows that Hans has a cellphone and they want to figure out what the IMSI number is.  So they conduct a targeted intercept meeting the standards described In the Matter of Islamist Terrorism (above).  They do this without warrant.

RCMP also wants to know what Hans’s IMSI number is. So either CSIS gives it them through an advisory letter (which seems very, very unlikely).  Or they collect it themselves.  But they have to use s.492.2 of the Criminal Code to get a transmission data recorder order from a judge, on a reasonable grounds to suspect standard.

Now CSIS wants to know where Hans has been going and what he will saying.  So they need to go to Federal Court and obtain judicial authorization for an intercept under s.21 of the CSIS Act, on a reasonable grounds to believe standard.  Section 21 is a one-standard provision for all sorts of intercepts, so this same standard will apply for archived geolocational metadata (obtained from a service provider) and content (wiretapped).

And now the police also want to know where Hans has been going and what he will saying. To know what he is saying, they need a Part VI Criminal Code warrant, allowing a wiretap. This too is on a reasonable grounds to believe standard.  But for archived geolocational data, the police may be able to obtain a production order directed at the service provider, requiring that this sort of “transmission data” (metadata) be produced. Transmission data production orders may be obtained on a reasonable grounds to suspect standard.

So perhaps the police, who find it easier to share with CSIS than the vice versa, can share the transmission data with CSIS, obviating the need for CSIS to get their own metadata-related warrant?

Both CSIS and the police decide they should also figure out what Hans has been texting his friends in Beijing. Again, CSIS proceeds via Federal Court authorization under s.21 of the CSIS Act, for both archived texts and future intercepts.  This requires a reasonable grounds to believe standard.

As per Jones, the police for their part can obtain the archived text messages from the service provider using a general production order under s.487.014 of the Criminal Code, issued by a judge on a reasonable grounds to believe standard.  But to track his on-going texts, they need a Part VI wiretap order, on a reasonable grounds to believe standard.  (And even if they had Hans’ friend’s phone, Marakah establishes they would need a search warrant to search it for the text messages, on a reasonable grounds to believe standard.  Of course, if they arrested Hans they might be able to search his phone without warrant, as a search incident to arrest per Fearon.  But Hans would need to have left it unlocked.)

This is all getting rather complicated. A “cacophony of lawful access rules” joins “herd of bison”, “murder of crows” and “pack of wolves” as a Canadian thing.  It will be interesting to see if the government moves on lawful access reform in 2018. (So far this is a government showing real appetite to fix big things in the national security/public safety law space.)

Thursday
Dec072017

Updated: A listener's guide to C-59

The Parliamentary process on bill C-59, the largest overhaul of Canadian national security law since 1984, is well underway.  You can find the proceedings in front of the House of Commons Standing Committee on National Security and Public Safety here.

Lots of people have written primers. Kent Roach and I did a basic early assessment here.  And I posted a meditation here. I have posted two "decision-tree" schematics, one on the new CSE powers and other on CSIS datasets.  The written notes to my committee appearance are here.

But for those following along with A Podcast Called INTREPID, Stephanie Carvin and I have been getting into the weeds. And we finally got through the whole bill! So here is a Listener's Guide to Bill C-59:

  • Episode 3: The Challenge of Warching Watchers: bill C-59's new "review" body, the National Security and Intelligence Review Agency.
  • Episode 6: Commissioner, Minister, Lawyer, Spy: bill C-59's fix to CSE's current (very) constitutionally-suspect system of foreign intelligence and cybersecurity activities implicating Canadian private communication or metadata. (We did not discuss how we haven't quite fixed the problem but could with a few words of amemdment. See here. I think I have been persuaded that my one-word fix may fix the a constitutional problem and create an operational problem. So I have a different, five or six word fix that I presented to the committee here.)  This podcast also discusses new powers for CSIS to receive and analyze and retain information not tied only to threats to the security of Canada. (Feel free to shake your head should anyone claim that C-59 does not include substantial new powers for intelligence services).
  • Episode 8: The Legal Pile-One, the No-Fly Glitch, and the Police Probe: includes a discussion of Canada's creaky no-fly list and how C-59 fixes it in part, but still fails to resolve it in full.
  • Episode 9: Cyber-Cyber-Bang-Bang: discusses C-59's considerable expansion of CSE's mandate to include offensive and defensive cyber.  (Again, feel free to shake your head should anyone claim that C-59 does not include substantial new powers for intelligence services).
  • Episode 10: The first thing we do, let's disrupt all the lawyers: discusses C-59 and CSIS threat reduction powers and what changes and what doesn't.  And discusses new criminal immunity powers for CSIS sources (and officers) doing intelligence work and the checks and balances. (Please keep shaking that head if people try to tell you this bill doesn't offer anything to the security services).
  • Episode 12: The SCISA in the Limit (on Information-Sharing): C-59 and the Security of Canada Information Sharing Act, focusing on the tension between the ready flow of information and privacy.
  • Episode 14: Locking Them Up: We foocus on the Criminal Code amendments: the parts of C-59 that can involve locking people up or otherwise constraining their liberty. They discussing changes to the bill C-51 speech crime and also "preventive detention" and "peace bonds" as well as the terrorism group listing process.

Hope some of this helps!

Tuesday
Dec052017

Statement to House of Commons SECU on C-59

Statement

SECU Hearings on C-59

Craig Forcese

5 December 2017

I wish to extend my sincere thanks to the committee for inviting me to appear on bill C-59. It is always an honour to be asked to share my observations before this committee.

My colleague Kent Roach is appearing before you next week. He and I have divided-up C-59. Today, I shall be addressing the new Communications Security Establishment Act and the amendments to the CSIS Act.

I support most of the changes C-59 makes in these areas. I recognize the policy objectives they seek to address. I believe the statutory language is usually carefully considered and robust. But I do have one serious concern.

 

CSE Act

I begin with the CSE Act and make my single recommendation today. I respectfully submit that this committee should amend s.23(3) and (4) to indicate CSE may not, without ministerial authorization, contravene the reasonable expectation of privacy of any Canadian or person in Canada.

I have provided a brief describing the rationale for this change. (And I should disclose I have been an affiant in the current constitutional lawsuit brought by the BC Civil Liberties Association challenging CSE activities. But today I appear on my own behalf.)

To summarize my concern:

While engaged in foreign intelligence and cybersecurity activities, CSE incidentally collects information in which Canadians or persons in Canada have a reasonable expectation of privacy. Because this is done without advance authorization by an independent judicial officer, this likely violates section 8 of the Charter.

Bill C-59 attempts to cure this constitutional issue through a ministerial authorization process, one that involves vetting for reasonableness by an Intelligence Commissioner, a retired superior court judge.

This is a creative and novel solution. It preserves a considerable swath of ministerial discretion and responsibility. It is not a full warrant system. Still, given the unique nature of CSE activities, I believe it constitutionally-defensible.

But the new system will only resolve the constitutional problem if it steers all collection activities implicating constitutionally-protected information into the new authorization process.

The problem is this: C-59’s present drafting only triggers this authorization process where “an Act of Parliament” would otherwise be contravened. This is a constitutionally-underinclusive “trigger”. Some collection of information in which a Canadian has a constitutional interest does not violate an “Act of Parliament” (for example, some sorts of metadata).

The solution is simple. Expand the trigger to reads: “Activities carried out by the Establishment in furtherance of [the foreign intelligence or cybersecurity aspects] of its mandate must not contravene any other Act of Parliament or involve the acquisition of information in which a Canadian or person in Canada has a reasonable expectation of privacy unless they are carried out under an authorization”.

This may seem a lawyerly tweaking. But if we fail to cure the existing problem with CSE’s collection authorization process, a court may ultimately determine CSE has been collecting massive quantities of data in violation of the constitution. Such a finding would decimate relations with civil society actors, placing CSE squarely in the cross-hairs of a renewed controversy and making it very difficult for private sector enterprises to partner with CSE on cybersecurity without risking reputational fall-out themselves.

With C-59, we have a chance to minimize this kind of problem.

 

CSIS Act

I turn to the CSIS Act changes. C-59 does three things.  First, it permits CSIS new authority to collect and potentially retain so-called datasets.

Here, the tension lies in balancing the operational need for CSIS to be able to query and exploit information against the privacy imperative.

Rather than prescribe hard standards for datasets, C-59 opts for a system of in-advance oversight. The Intelligence Commissioner is charged with approving the classes of Canadian datasets that may be initially collected, and the Federal Court authorizes any retention of actual datasets.

While I am wary of the idea of datasets, I cannot dispute the rationale for it, and can find no fault with the system of checks and balances.

The second CSIS Act change relates to revisions to CSIS’s threat reduction powers, introduced in C-51 in 2015. These provisions were rightly controversial. For our part, Kent Roach and I did not dispute the idea of threat reduction. But we worried CSIS threat reduction done as a continuation of our awkward, siloed police and intelligence operations runs the risk of derailing later criminal investigations and prosecutions. This would be tragic from a security perspective.

From a rights perspective, C-51 lacked nuance. It opened the door to a violation of any Charter right, subject to an unappealable, secret Federal Court warrant. The regime was radical and, in my view, almost certainly unconstitutional. It was, therefore, unworkable, whatever the strength of the policy objectives that propelled it.

C-59 places the system on a more credible constitutional foundation. It ratchets tighter the outer limit on CSIS threat reduction powers. By barring detention – a power I sincerely doubt the service ever wished – it eliminates concerns about the many Charter violations for which detention is a necessary predicate.

And by legislating a closed list of activities that can be done when a warrant is sought, Parliament tells us what Charter interests are plausibly in play: essentially, free speech and mobility rights.

I believe that if threat reduction is to be retained, this new system reasonably reconciles policy and constitutional issues.

Last, the C-59 CSIS Act changes create new immunities for CSIS officers and sources engaged in intelligence functions who may violate law during those activities.

The breadth of Canada’s terrorism offences make is certain that a confidential source or undercover officer will commit a terrorism offence simply by participating with the terror group that they infiltrate. An immunity is necessary. The issue is whether there are sufficient checks and balances guarding against abuse of this immunity. Again, I think C-59 does a good job in festooning the immunity provisions with such checks.

I will end, though, with a caution. Our conventional manner of siloed police and CSIS parallel investigations lags best practices in other jurisdictions, which employ more blended investigations. As the Air India bombing inquiry observed, we struggle with what is known as intelligence-to-evidence.

The government is working on this matter. We should be conscious, however, that what CSIS does in its investigations, whether in terms of immunized criminal conduct or authorized threat reduction, could derail prosecutions if not done with a close eye to down-stream impacts.

This issue might usefully be a topic of inquiry for the new security and intelligence committee of parliamentarians.

Thank you for your attention and I look forward to any questions.