Green Papers, consultations, discussions, workshops, roundtables, hearings. There is a risk of overdose for a national security law and policy reform enthusiast. And an aching fear that all this is sound and fury that, in the end, will signify precisely nothing. For all the goodwill in the world, reform in this area (even more than most) is course-correcting an oil tanker. But I'm not sure that all of it has to be hard. A few thoughts on the Communications Security Establishment (CSE) and the post-Snowden concerns about oversight:
Put simply, the issue is this: CSE acquires information that enjoys constitutional protection, without going through the process (or anything approximating the process) that the constitution requires before the state acquires this information. That is, at core, the issue in the BCCLA's constitutional challenge. (In the interest of full disclosure: on behalf of BCCLA, I provided factual background information for use by the court in that proceeding).
At issue is information acquired as part of CSE's Mandate A (foreign intelligence) or Mandate B (information technology security) functions. In neither instance can CSE direct its activities at Canadians or persons inside Canada. But in truth, Canadian origin information will be swept up in its activities, simply because of the nature of electronic communications.
But our constitutional standards for search and seizure do not say you are "protected against unreasonable search and seizures, except when the search and seizure is simply a predictable, foreseen accident stemming from other activities". Put another way, the fact that information in which Canadians have a reasonable expectation of privacy is incidentally but forseeably (rather than intentionally) collected by the state should not abrogate the constitutional right (although I accept it may shape the precise protections that the Charter will then require, see below).
Perhaps the closest analogy: under a conventional wiretap warrant, a court would be expected to take into account the prospect of inadvertent police collection of communications conducted by third-party members of the public (that is, non-targets). See, e.g., R. v. Thomson. Members of the public have a reasonable expectation of privacy, even when they are not the target of the state. Likewise, all Canadians and all persons in Canada have a reasonable expectation of privacy in relation to their private communications and related information that may be inadvertently acquired by CSE.
More than this, the incidentally-collected information is then placed in circulation by CSE internationally and domestically. Canadian identifying information is "minimized" (redacted), but the redactions can be lifted on request from a partner (and, unfortunately, some has been shared without minimization because of technical glitches).
The legal standards for this lifting are unclear. I have reviewed transcripts and reviewed the CSE Commissioner reports. From the information on the record that I have seen, it sounds like they are lifted when there is a Privacy Act justification for doing so. It is still not clear (to me), however, whether the lifting done for CSIS or federal law enforcement is prefaced by a warrant. In the result, CSE may be administratively sharing information that other agencies could only themselves collect pursuant to a warrant.
For the video version on all this, see here.
To be clear, there is no malice in any of this. There is no intent to do an end-run. There is no dastardly plot. What has happened is that the technology has outstripped rules and procedures designed for a simpler technological era, and a different threat environment.
In its 2015 election platform, the Liberal Party promised to "limit Communications Security Establishment’s powers by requiring a warrant to engage in the surveillance of Canadians". Now, this was an awkwardly worded promise. CSE does not surveille Canadians per se under Mandate A or B: it incidentally sucks up Canadian information. But that nuance aside, the Liberal promise does suggest something will be done about the problem above.
Except: there has been no follow up. The issue is absent from the government's national security consultation Green Paper.
But this issue is not going to go away. Not least: the more integrated the security services, the more likely that the practices of one will be a poison pill to another.
Say, for instance, the seed for RCMP criminal charges in a terrorism case is information-sharing from CSE based on its metadata program, done under its "Mandate A" foreign intelligence activities. And the trial court learns that CSE's collection of Canadian metadata, although done incidentally, was never authorized by a court (it never is, at present). And more than that, the subsequent de-minimization of the Canadian identifying information by CSE was done on request of the RCMP pursuant to a Privacy Act exception. That is, all this information ends up with the RCMP administratively, and not supported by a warrant. Because this does not line up constitutionally, these practices could collapse the criminal trial, and a dangerous person could walk free.
So cleaning up the procedure should be a priority for public safety as much as for principled constitutional reasons.
The most straightforward solution is to look to how the Americans have reformed their Foreign Intelligence Surveillance Court. Advance judicial authorization, overseeing potentially quite general search activities by a signals intelligence service, is doable.
In Canada, we know from the Atwal case ( 1 F.C. 107), that the Charter does not require cookie cutter warrants for all forms of search and seizure. As the Federal Court of Appeal decided (in applying different criteria to a CSIS warrant than to a police wiretap): "To conclude, as Hunter v Southam anticipated, that a different standard should apply where national security is involved is not necessarily to apply a lower standard but rather one which takes account of reality" (emphasis mine). And so in that case, it made no sense to require CSIS to show it was investigating a criminal offence -- its mandate is to investigate threats to the security of Canada.
So there is at least some flexibility in design, so long as we preserve the core essentials of the section 8 jurisprudence: advance authorization by an independent judicial officer. To some large degree, that was what Joyce Murray's private member's bill, C-622, was trying to do.
In truth, that bill conceded the classic concept that searches could only be authorized on reasonable and probable grounds -- but that seemed a defensible concession since CSE was not being authorized to search for Canadian origin information, just directed by a judge on what to do about incidental acquisition. Put another way, this is roughly analogous to the process a judge must undertake in issuing a police wiretap authorization to minimize and control the intercept of third-party communications.
Adding that sort of judicial supervision is, in my view, much more likely than the status quo to bring CSE into the constitutional tent. And I remain unpersuaded that this would degrade CSE's role or functions. Again, this issue has been managed in the United States.
On the other hand, a government determined to defend the status quo on the basis that "CSE's national security function is constitutionally special" risks losing that argument in court. It's a foolish game trying to predict court rulings. But much like the Supreme Court's Spencer decision did with basic subscriber data, the terms of a court loss may shackle the government's range of options.
And so, it makes much more sense for the government to legislate a fix first, rather than to run the risk of a court imposing a fix developed in the narrow confines of adversarial litigation.
At the very least, the present situation creates uncertainty, and also prolongs the lingering after-effects of the Snowden revelations. CSE remains subject to civil society doubts (which then trickle over to private sector service providers in too close proximity to CSE). And it does this at a time when we badly need a widely-credible CSE to help spearhead cyber-security.
And so, in all the sound and fury of changing Canadians security laws, this change should be low hanging fruit.