Last week, I emerged from a months-long cocoon of grading, administration and writing things (other than this blog) to discover that the airport WiFi I was using to access the CBC's newest story on CSEC might be telling CSEC more about me than it was telling me about CSEC.
To summarize the CBC's claims (authored by Greg Weston, Glenn Greenwald and Ryan Gallagher): "Canada's electronic spy agency used information from the free internet service at a major Canadian airport to track the wireless devices of thousands of ordinary airline passengers for days after they left the terminal." The source for this claim is this document.
A number of assertions have since been made about the "airport WiFi scandal" (as I shall label it for ease of reference). Bill Robinson helpfully compiles many of these observations on his instructive CSEC-watching blog. For instance, Ron Deibert, a renowned cyber security expert, has reviewed the document and concluded that it describes a “ubiquitous surveillance programs clearly directed at Canadians, involving data associated with Canadian airports, hotels, wi-fi cafes, enterprises and other domestic locations.”
The government, for its part, has downplayed the revelations and persistently asserted their legality, including before a senate committee yesterday. To summarize the government position, as I understand it:
- CSEC statement: "In order to fulfill this key foreign intelligence role for the country, CSE is legally authorized to collect and analyze metadata. In simple terms, metadata is technical information used to route communications, and not the contents of a communication. ... It is important to note that no Canadian or foreign travellers were tracked. No Canadian communications were, or are, targeted, collected or used."
- National Security Advisor Rigby: [reported as saying] "collection of metadata has been 'confirmed as being legal' and that CSEC had not broken the law."
- CSEC director John Forster: [reported as saying] "This exercise involved a snapshot of historic metadata collected from the global internet. There was no data collected through any monitoring of the operations of any airport. Just a part of our normal global collection ... We weren't targeting or trying to find anyone or monitoring individuals' movements in real time. The purpose of it was to build an analytical model of typical patterns of network activity around a public access mode".
Much of the commentary circles around the question of (il)legality of the "airport WiFi scandal". Some of this discussion boils down to a debate about "metadata" and its relationship with conventional search and seizure and privacy rules. Notably, metadata is a much bigger issue than what has been raised by this latest revelation. CSEC and its metadata programs have been in the public eye for a number of months, largely because of the persistent investigative reporting of Colin Freeze of the Globe and Mail.
I am presently writing an article on CSEC, metadata and the law. It is not ready for prime time, but the moment seems ripe to weigh in on at least one issue.
Mandate vs Privacy
Specifically, I detect some conflation in the discussions on this latest scandal between what I would call CSEC “mandate” issues and the broader privacy preoccupations. Mandate relates to CSEC’s legally prescribed roles and responsibilities (in practice, under the National Defence Act). If it strays from those roles and responsibilities, then it acts without legal authority. Acting without legal authority is damning behaviour in any system based on the rule of law. And so every government agency (and every government lawyer who advises them) needs to find a lawful basis for its every activity.
Privacy is a separate legal issue. In most discussions, the key privacy issue is whether metadata is “private communication” under Part VI of the Criminal Code (and incorporated by reference into CSEC’s governing Act). A quite distinct issue is compliance with the Charter, and its section 8 search and seizure requirements.
An agency can be within its mandate, and still violate privacy rules. The reverse may also be true, although it is harder to imagine without raising all sorts of additional legal issues. Indeed, the relationship between mandate and privacy works reasonably well as a simple matrix:
| | A. Lawful Mandate | B. Unlawful Mandate |
| --- | --- | --- |
| 1. Lawful Privacy | Agency acts within its lawful mandate and meets all applicable privacy standards. e.g., CSEC acquires information from the global information infrastructure in order to provide foreign intelligence, while not directing its activities at Canadians or persons in Canada and receives a ministerial authorization to intercept “private communication” in relation to a specified class of activities. (We shall assume for our purposes here that ministerial authorizations pass s.8 constitutional muster. Personally, I have doubts about that.) | Agency acts outside its lawful mandate but meets all applicable privacy standards. e.g., CSEC acquires information from the global information infrastructure in order to provide foreign intelligence, but does direct its activities at Canadians or persons in Canada, and receives a ministerial authorization to intercept “private communication” in relation to a specified class of activities. (Of course, this is a bit of a false example, in the sense that if CSEC directed its activities at Canadians or persons within Canada, then the minister would not have the authority to issue the ministerial authorization – s. 273.65(1). So the minister would himself be acting unlawfully.) |
| 2. Unlawful Privacy | Agency acts within its lawful mandate but fails to meet all applicable privacy standards. e.g., CSEC acquires information from the global information infrastructure in order to provide foreign intelligence, while not directing its activities at Canadians or persons in Canada and has no ministerial authorization to intercept “private communication” in relation to a specified class of activities. | Agency acts outside its lawful mandate and fails to meet all applicable privacy standards. e.g., CSEC acquires information from the global information infrastructure in order to provide foreign intelligence, while directing its activities at Canadians or persons in Canada and has no ministerial authorization to intercept “private communication” in relation to a specified class of activities. |
The best-case scenario is cell A1. The worst-case scenario is cell B2. The other cells are bad, but in different ways. For instance, in cell A2, CSEC is within its mandate, but because it collects private communications without ministerial authorization, it is not exonerated from criminal culpability under Part VI of the Criminal Code.
In cell B1, there may be no crime (although the minister was wrong to issue the ministerial authorization, creating an interesting issue as to the validity of the authorization). But CSEC is clearly acting without lawful authority under its governing Act.
So how then to situate the "airport WiFi scandal"? Most non-government commentary seems to have suggested that we are in cell B1 and possibly in cell B2. But to be honest, I think this is a much more complicated legal issue. And so I feel the need to continue plugging my theme of “in the area of reconciling privacy with security, the law is an outdated ass that needs a down-to-the-studs renovation”.
The Mandate Problem
I will address the “mandate” issue here. The “private communication” matter is even more complicated, and is the subject of my aforementioned article. I will post on it when time permits. (For our immediate purposes, it suffices to say: whether metadata is protected by privacy rules under the Charter or because it is “private communication” under Part VI of the Criminal Code is entirely irrelevant to the mandate issue. They are separate questions.)
The only conceivable mandate at play in the “airport WiFi scandal” is the so-called Mandate A, found in s.273.64(1)(a) of the National Defence Act:
273.64(1) The mandate of the Communications Security Establishment is … (a) to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities.
Notably, activities carried out under Mandate A “shall not be directed at Canadians or any person in Canada” (and also should be subject to measures to protect the privacy of Canadians in the use and retention of intercepted information).
This reference to “directed at” Canadians or persons in Canada is fundamental. Any person at a Canadian airport is either a Canadian or a person within Canada. There is no alternative. And yet, according to the Snowden document, CSEC’s metadata collection project was unambiguously directed at a Canadian airport (and more).
A cynic might claim that the government now seems to be playing footsie with the language – CSEC’s statement says that “no Canadian or foreign travellers were tracked. No Canadian communications were, or are, targeted, collected or used.”
That is all well and good, but “tracked”, “targeted”, “collected” or “used” is not the legal threshold in deciding the Mandate issue. “Directed” is. The online version of the Merriam-Webster dictionary defines the verb “to direct” as meaning:
: to cause (someone or something) to turn, move, or point in a particular way
: to cause (someone's attention, thoughts, emotions, etc.) to relate to a particular person, thing, goal, etc.
: to say (something) to a particular person or group
The first two definitions are obviously the important ones, in this context. Singling out Canadian airports for a data collection enterprise is “to turn, move, or point in a particular way” and “to cause someone’s attention [CSEC] to relate to a particular person, thing, goal”.
Where It Gets More Complicated
But let me not rush to join the pile-on in terms of a quick conclusion of illegality. Let me propose what legal advice from the Department of Justice might point to: The French equivalent of the governing law says that CSEC’s activities “ne peuvent viser des Canadiens ou toute personne au Canada”. The online Larousse dictionary defines “viser” as “diriger son tir vers un objet, un but, une personne à atteindre”. Put simply, it means “target” or “aim for”. It is, therefore, narrower than the English “direct”, and is exactly the expression upon which the government appears to have now hung its (mandate) legal hat.
And so because of this inconsistency between French and English legislative text, we are invited to wander even further down the rabbit hole into the dissatisfying area known as “statutory interpretation”. This is a realm where one can be enormously creative. Statutory interpretation is a maze of maxims that can be used (and often are so used) to reach a range of results.
Under one such “rule,” we are charged with finding a meaning that is common to both versions of the statute (that is, a common ground between English and French versions). R. v. Daoust, 2004 SCC 6.
And so the government’s legal advice may be: “aim for” or “target” is a subset of “direct” and so is the common area shared by both the French and English texts. The “target” concept is, therefore, the proper construal of CSEC’s Mandate A.
Of course, this being statutory interpretation, I might counter with this little jab: “the principle of preferring the interpretation that leads to a shared meaning is, in any event, not absolute. The Court can reject that meaning if it seems contrary to the legislature's intention in light of the other principles of interpretation.” Doré v. Verdun (City),  2 S.C.R. 862 at para. 25. Put another way, sometimes we prefer the broader version.
And then I would follow up with: human rights protecting legislation is given “a liberal and purposive interpretation. Protected rights receive a broad interpretation, while exceptions and defences are narrowly construed”. Quebec v. Montreal, 2000 SCC 27 at para. 29. Surely the provisions in CSEC’s governing law that guard privacy – an amply recognized right – are to be read broadly. And so we should prefer the English version of the statute, with its focus on “direct”.
The inevitable result is a clash of lawyerly positions. In most places, this tiff could be adjudicated in front of a judge. But to date, it has not been possible to do so in relation to CSEC activities (although some related questions are now before the BC Supreme Court in a case brought by the BC Civil Liberties Association).
There is, of course, the secondary issue of whether what CSEC did in the "airport WiFi scandal" amounted to “targeting” Canadians or persons within Canada. CSEC says not – the project was not aimed at Canadians and therefore was within Mandate A.
At the risk of being trite, this position can be analogized to similar concepts in the laws of war, which also hinge largely on questions of targeting. To wit, combatants can be targeted; non-combatants cannot be. But the latter can still be killed so long as not targeted (and subject to other considerations around the use of kinetic force, such as proportionality). The colloquial expression for people killed in this manner is “collateral casualties”.
Likewise, the current government position means that the metadata of Canadians can be collected as a sort of information “collateral casualty” in legitimate CSEC Mandate A operations.
Given the extent to which metadata now reveals conduct, I’m not much appeased by the argument that the information swept up in this manner is merely metadata, and not the actual content of communications. I think "content" and "metadata" is an increasingly false dichotomy, and will so argue with reference to caselaw etc. in my article. (This is not to say I am completely decided on the privacy vs. security aspect of this debate. But what I am clear on is that the debate needs to be much more acute, much more overt and much more driven by publicly available understandings of the relevant legal positions.)
So my takeaway: if you don’t think CSEC’s mandate should include treating your metadata as a “collateral casualty”, then write to your parliamentarian. Right now, the law is sufficiently indefinite that simply accusing CSEC of playing offside invites a mug's game of lawyerly dispute. Indeed, this is not the first time that lawyerly disputes have arisen in relation to metadata: the CSEC commissioner (CSEC’s review body) had differences with CSEC and Justice on mandate issues several years ago. Access documents disclose CSEC’s view that Justice legal opinions trump, although CSEC did end up modifying its program to an unknown degree.
As a final point: I am left to wonder why review bodies such as the Commissioner don’t use their ability to refer legal questions to the Federal Court for resolution, when confronted with a battle of legal memos. See s.18.3 of the Federal Courts Act. As enormous past practice with security certificates, Canada Evidence Act proceedings and CSIS warrants suggests, the Federal Court is amply equipped to deal with sensitive security issues. Amici could be brought in to assist the court. Intervenors could participate in the public phases of the proceeding.
And we would have many minds considering important questions of national security and rights. That would be an enormous improvement over the government’s present, uninterrupted monopoly over the construal of CSEC's surveillance rules.
As an addendum on the factual question of whether the airport WiFi project amounted to "targeting" Canadians or persons in Canada, the technical overview provided by Top Level Communications is quite interesting and instructive. So too is Bruce Schneier's assessment. I am still too much of a techno-illiterate to really be able to decide whether what is described amounts to "targeting", on the assumption that this is the legal standard being applied by CSEC. These discussions sound like the program was an effort to test means to create a "haystack". But the question of targeting becomes more acute when you start seeking the needle. At the very least, the needle can't be a Canadian or a person in Canada under Mandate A. That begs the question: why even bother building a haystack of data derived from Canadians or persons within Canada? As soon as you start seeking the Canadian-located needle in this Canadian haystack, you have legal problems. Was the assumption that foreign haystacks can be built in the same way, and this was a field test of technology? Are haystacks to be shared between Five Eyes partners? Is the CSEC Commissioner asking these questions?
It is worth noting also that the CSEC statement says "no Canadian or foreign travellers were tracked. No Canadian communications were, or are, targeted, collected or used." "Targeted" is in reference to "communications". But the CSEC Mandate A issue does not depend on "communications" -- rather it is tied to information. "Communications" may be important for deciding privacy rules. But on mandate, the Act speaks of "information". And so to be in Mandate, the correct response (even conceding the legal question that "target" is the right standard) would have to be: "no information on Canadians or persons in Canada was targeted". Not sure that's a claim that can be made on the facts, as I understand them. Whatever else it might be, metadata is information.