About this Project

This blog comments on Canadian (and occasionally comparative) national security law to update my National Security Law textbook and now also my 2015 book, False Security: The Radicalization of Anti-terrorism, co-authored with Kent Roach.

Please also see www.antiterrorlaw.ca for Bill C-51-related analyses by Craig Forcese and Kent Roach.

For narrated lectures on various topics in national security law, please visit my 2017 "national security nutshell" series, available through iTunes.

 

For a continuing conversation on Canadian national security law and policy, please join Stephanie Carvin and me at A Podcast Called INTREPID.

 

Please also visit my archive of "secret law" in the security area.

By Craig Forcese

Full Professor
Faculty of Law

Email: cforcese[at]uottawa.ca

Twitter: @cforcese

 

National Security Law Blog Search
Subscribe to National Security Law Blog

Best Law School/
Law Professor Blog Award

 

Most Recent Blog Postings
« The Future of Privacy: Rules for Needles in Machine Readable Haystacks | Main | Peering through a Prism, Darkly: Trying to Understand the Implications of the US NSA’s Intercepts for Canada »
Wednesday
Jun122013

Metastasized Metadata: More on the CSEC Ministerial Authorization

I wrote yesterday in the Globe & Mail on some of the basic legal rules that govern surveillance (spying) by Communications Security Establishment Canada.  I thought it worth posting a second discussion, this one focused on the specific ministerial authorization reported by Colin Freeze in that same paper [addendum correction of my initial misread: ministerial directive, with a few other documents thrown in].  To their credit, the Globe has posted the actual document, albeit in the deeply redacted form in which it was released under Access to Information.

What Can We Know?

There is very little that can be gleaned from this document.  It is clear that CSEC has a metadata collection program.  It is clear that this program is conducted under its foreign intelligence mandate.  It is clear that the agency's watchdog, the CSEC Commissioner, is aware of the program.  It (seems) clear from the commissioner's annual reports that to date he has detected no transgressions of law and policy under other ministerial directives (or ministerial authorizations), although we appear not have any public pronouncement by the commissioner on this particular directive.

On assumption that CSEC has not ignored the law, it follows that the metadata program does not target Canadians or persons in Canada.  It cannot and remain compliant with CSEC governing legislation.  Any collection of personal communication information from Canadians would, therefore, be incidental and would be subject to what the CSEC documents call its "existing policy and procedure related to the protection of the privacy of Canadians".

For instance, in his 2010-11 report, the Commissioner made the following findings on activities conducted under all the then-extant ministerial authorizations (apparently for the 2008-9 period):

  • "Within this context [that is, "identifying and understanding significant changes to the foreign signals intelligence collection programs"], and based on information reviewed and interviews conducted, I found that the activities were authorized under the National Defence Act and there was no indication of unlawful activity by CSECCSEC met ministerial requirements, and has effective policies and procedures in place to guide its activities.
  • There are positive trends in policy development and in the clarity and consistency of the requests for ministerial authorizations. Within the overall amount of communications intercepted by CSEC, I found that the proportion of recognized private communications that had been unintentionally intercepted remained very small.
  • Overall, the foreign signals intelligence collection programs did not change significantly, and as a result, I determined that it is not necessary at this time to conduct an in-depth review of any of these programs.
  • With regard to the sample of private communications, based on the information reviewed and interviews conducted, I found that CSEC retained only those private communications essential to Canada's international affairs, defence, or security, as required by law."

The commissioner made no new findings or recommendation for the 2009-2010 period in his subsequent annual report.  The commissioner has not yet released his annual report covering 2010-2011 or later, and therefore the period in which the metadata directive was introduced.

What Has Been Inferred?

The Globe reports that the current commissioner's predecessor expressed concern with an earlier version of the metadata directive: "Justice Gonthier’s broad concern was that CSEC’s metadata-mining efforts could be used as an end run around lawful warrants. ... He wrote in a 2008 memo that ironing out such rules was important, since they set up “the legal requirement (e.g. ministerial authorization vs. a court warrant) in cases where activities may be ‘directed at’ a Canadian.”  Perhaps the search engine has failed me, but I have not been able to find such a report on the CSEC website, and so assume that this was a report obtained by the Globe under access to information and not otherwise public.

If CSEC is, however, passing Canadian-related information collected under its foreign intelligence to other agencies administratively, where those other agencies lack a judicial warrant, we do have a serious issue.  Data-mining under the relaxed standards applied to a foreign intelligence operation cannot be used as an end-run around the Charter.  See, e.g., R. v. Colarusso, [1994] 1 S.C.R. 20 at para. 93 (rejecting an approach where “property is seized by one state agent for a purpose for which the prerequisites for search may not be as demanding, and another state agent, one forming part of the law enforcement apparatus of the state, is permitted to claim the fruits of the search (the resulting information) for use for law enforcement purposes without regard to the rightly stringent prerequisites of searches for those purposes.")

On the other hand, I have seen no documents and no actual reporting suggesting that is what is happening in practice.  It is not clear to me what the factual support is for the Globe editorial board's assertion that "the so-called metadata that are attached to every phone call and every Internet-based communication carried out by a Canadian are subject to collection and analysis by Communications Security Establishment Canada (CSEC) in the Department of National Defence." 

If CSEC is intercepting every "Internet-based communication carried out by a Canadian" it is very difficult to see how this would lie within CSEC's foreign intelligence mandate and therefore be permissible under its governing legislation.  To do this, it would need to be acting in assistance of a domestic security agency, which in turn would need a warrant, which in turn would be difficult to get: warrants for indiscriminate data-mining fly in the face of conventional requirements of specificity in search warrants.

The Unanswered Questions

With all that said, here is what I would like to know. 

  • Has the new metadata directive actually been reviewed by the commissioner and what was the result of that review? 
  • What is the scope of the metadata directive -- does it truly relate to "every phone call and every Internet-based communication carried out by a Canadian"?  If so, then it is almost certainly ultra vires the competence of CSEC, and there is a big problem. 
  • What are the "metadata"?  The definition of this concept is excised from the government documents posted by the Globe.  The Globe describes the metadata program as "collecting a log of every phone call made, and of the activities associated with Internet Protocol addresses, in a search for patterns that might point toward a threat to national security".  Assuming this is true, the government may be prepared to argue that it is not collecting data in which someone has a reasonable expectation of privacy, triggering Charter protections.  As the Globe also notes, however, metadata is revealing of personal behaviour and the person behind a phone number of IP address is easily determined.  All of this is to say that I would not like to be the poor government lawyer left to argue in court that Canadians have no expectation of privacy in who they call from where for how long or what they search on the internet from the comfort of their home or office.  That's the kind of legal argument that is answered by asking the judge whether he or she would content with his or her own personal searching and calling patterns being subject to government search without judicial blessing.  I am not betting on a favourable outcome for the government.
  • If the government does believe that metadata is not communication, why would it get a "ministerial directive" at all?  After all, that permission is only required for "private communications", defined in keeping with the Criminal Code definition as: "any oral communication, or any telecommunication, that is made by an originator who is in Canada or is intended by the originator to be received by a person who is in Canada and that is made under circumstances in which it is reasonable for the originator to expect that it will not be intercepted by any person other than the person intended by the originator to receive it, and includes any radio-based telephone communication that is treated electronically or otherwise for the purpose of preventing intelligible reception by any person other than the person intended by the originator to receive it".  So the government obviously believes that its metadata project does (or at least risks) collecting actual communications.

ADDENDUM [5 pm]: My colleague Wesley Wark has correctly pointed out to me after I wrote the above that I have misread the source documents and that the metadata directive is in fact not a ministerial authorization of the sort that CSEC must obtain where it may intercept personal communucations.  It is instead a command-control document of the sort that the Act permits the Minister to issue.

And so this prompts another question: Does that mean that the government is taking the view that a ministerial authorization is unnecessary, or that there is a ministerial authorization that we are unaware of to date?  I can't believe it is the former -- if there is no ministerial authorization, the government is firmly of the view that what they are collecting is not "private communication".  If they are wrong about that, then the absence of the authorization means they are not exonerated from violation of the Criminal Code, Part VI.  (See s.273.69 of the National Defence Act.)  Put another way, someone would be betting criminal culpability on their narrow understanding of metadata.

I imagine these are busy days for the CSEC commissioner, especially with the newest annual report pending.  I hope he can shed some light on these issues, since the government appears unwilling to do so.