The Book

 

 

 

 

This blog comments on Canadian (and occasionally comparative) national security law to update my National Security Law textbook and now also my 2015 book, False Security: The Radicalization of Anti-terrorism, co-authored with Kent Roach.

Please also see www.antiterrorlaw.ca for Bill C-51-related analyses by Craig Forcese and Kent Roach.

For narrated lectures on various topics in national security law, please visit my 2017 "national security nutshell" series, available through iTunes.

Please also visit my archive of "secret law" in the security area.

By Craig Forcese

Full Professor
Faculty of Law

Email: cforcese[at]uottawa.ca

Twitter: @cforcese

 

Subscribe to National Security Law Blog
National Security Law Blog Search

Best Law School/
Law Professor Blog Award

 

Most Recent Blog Postings
Monday
Nov072016

CSIS and the Metadata Muddle Pt 2: On Secret Law, Courts and the Rule of Law

This is the second of a series of blog entries on Noël J’s recent Federal Court judgment on CSIS’s retention of metadata from its warranted threat investigations. In my first entry, I tried to explain what this case is about.

In this blog entry, I begin to explore its implications, as I see them. First up: what a tangled web our legal system has weaved.

Secret Laws

Readers of this blog will know that I have developed an allergy to a commonplace practice in Canadian national security law: secret law.  As I have noted before, Justice Canada legal opinions construing the scope of vague, open-textured statutory powers have the de facto effect of legislating the practical reach of those powers.

These opinions are clothed in solicitor-client privilege -- with the end effect of allowing a tool permitting frank advice between lawyer and client to be used to deny the public access to a true understanding of how the government interprets its legal powers. That may happen also in other areas, but in this one, the Justice Canada legal advice often is the last say: the covert nature of national security activities means that no one may be aware of how these powers are being used, and in a position to adjudicate the true scope of the law in front of an impartial magistrate.

In the hot-house of internal government deliberations, legal positions that might not withstand a thorough vetting become sacrosanct. And subsequent construals of powers build on earlier, undisclosed legal positions, producing outcomes that are very difficult to understand.

Examples I have encountered in my wanderings include:

  • a conclusion that the actual physical amalgamation of information does not amount to collection in a legal sense (CSIS; and possibly also CSE) (either a variation of the issue in play in the Federal Court case, or the very issue at stake – I don’t know);
  • a conclusion that the compilation and analysis of metadata from travellers at a Canadian airport is not (as a legal matter) "acquisition and use" of information in a manner "directed" at Canadians or any person in Canada (CSE);
  • creative theories in the Re X case about CSIS extraterritorial warrants;
  • a conclusion that CSIS’s new Bill C-51 threat reduction powers, done in violation of the Charter, can be constitutional if done pursuant to Federal Court warrant;
  • a conclusion (or at least implication) that somehow, and despite its (admittedly tortured) wording, the new bill C-51 Security of Canada Information Sharing Act is lawful authority effectively trumping the Privacy Act;
  • a conclusion that the exception to the definition of “undermining the security of Canada” in that same Act does not exclude violent protest, advocacy or dissent (a reasonable policy position, but the “violence” qualifier is not in the Act);
  • a conclusion that narrows the textual reading of the bill C-51 “advocacy or promotion of terrorism offences in general” (again, a welcome policy position, but not the way the offence reads).

These are all conclusions that are difficult to view as guided by the law Parliament has enacted.

The CSIS Metadata Case

Enter the CSIS metadata case. As described in my prior post, this case turns on whether retaining “associated data” (that is, non-threat related information) collected in warranted intercepts of communications by targets was lawful.  The Federal Court concluded it was not. And it reasoning on this point is awfully compelling.

Less compelling is the argument offered by the Department of Justice in defending this practice.  And these arguments have knock on implications if they govern the legal advice given in other contexts.

Argument 1: The statutory limitations on CSIS’s intelligence gathering in section 12 are relieved by a Federal Court warrant.

That is, once a Federal Court warrant issues, then Parliament’s constraints on CSIS’s section 12 mandate do not matter any more.

Now, as someone who teaches public and constitutional law, and defends basic constitutional norms of parliamentary supremacy, and contests the delusion that (except in rare instances inapplicable here) the executive has powers beyond those granted by Parliament, this argument struck me as astonishing.  Here, the Justice Department is arguing that, in a secret hearing not subject to appeal in which only it is represented, it may negotiate a warrant with a court having the effect of superseding Parliament’s instructions on the powers CSIS is to have.

Let’s extend the Justice Department’s argument to the powers CSIS has after Bill C-51: it may do anything to reduce broadly defined “threats to the security of Canada” under section 12.1, so long as proportionate to the threat. Under section 12.2, it must not, however, engage in bodily harm, violate sexual integrity or obstruct justice.  In other words, Parliament sets an out limit (albeit a ridiculously undemanding one that we believe needs to be made more robust).

But, under the Justice Department legal reasoning, if CSIS goes to Federal Court and obtains a warrant (as it may do so under s.21.1), these limits could be superseded by the warrant.  And so, under the Justice Department logic, the Federal Court could authorize CSIS to, say, engage in targeted killing (remember, the C-51 changes also say that CSIS may, with Federal Court warrant, violate the Charter).

I have yet to meet the Federal Court judge that would authorize such a thing.  But that is not my point.  My point is that under the Justice Department logic, the basic constraints on CSIS’s powers legislated by Parliament in Bill C-51 can be negotiated out of existence in a secret, one-sided court proceeding, with no appeal.

Fortunately, Justice Noël rejects this Justice Department argument. But it is a bit terrifying it was ever made.

Argument 2: Metadata and the privacy issue. 

In a second argument, the Justice Department seemed to advance the view that metadata do not trigger privacy concerns under the Charter at the collection stage.  Instead, as I follow the discussion, that threshold is crossed when they are amalgamated and searched. 

The court did not resolve this matter, it seems to me. But it is another distressing position with ramifications across government (including in relation to the infamous CSE incidental collection of Canadian metadata in its foreign intelligence and information technology security functions). 

If accepted, this argument allows the accrual of vast pools of metadata, undisciplined by Charter collection rules.  Under Bill C-51’s Security of Canada Information Sharing Act, that information could then start sloshing about government.  At some point, the amalgamation and analysis of it would cross the Charter threshold, even according to the Justice argument.  But what happens then?  Are we to expect that government departments will come to Federal Court proactively seeking a warrant as they run algorithms through these databases?  Absent legislated structures, I don’t see this happening.

So, again, this is another unhelpful legal theory.

Argument 3: CSIS and its lawyers didn’t need to tell the Federal Court about the metadata retention. 

And now we get to the fireworks in this case: the duty of candour issue.  I shall do a separate blog entry on this issue in particular.  But among the other astonishing issues: the government lawyers apparently took the view that they did not need to tell the court how data collected under court warrant was being used, because the court did not have supervisory authority. This is a gobsmacking position, which basically confirms experience with other cases (like Re X): once the warrant walks out the door, the government does as it wills with it.  It is a legal position that court itself discards with some energy: the government legal view reflected a “worrisome lack of understanding”.

And so I can only expect at this point that every single Federal Court warrant will have a “return and report” clause affixed to them.  And the Federal Court will now move in the direction of the US FISA court in terms of auditing performance.

Which is fine, as far as it goes.  But what about all the other doubtful legal positions that never get in front of court – and they are likely legion.

Well, one of the most important aspects of the national security and intelligence committee of parliamentarians anticipated by C-22 is that they will have access to information that is protected by solicitor-client privilege.  If I was in charge, the first thing I’d do: an audit of national security legal opinions, done with the assistance of a small bevy of special advocates.

Monday
Nov072016

CSIS and the Metadata Muddle Pt 1: What is this case really about?

I have prepared a series of blog entries on Noël J’s recent Federal Court judgment on CSIS’s retention of metadata from its warranted threat investigations. In this first entry, I try to articulate what this case is about.

It may be useful to start with an analogy (however imperfect): this case is about CSIS fishing in the sea for sharks. When it uses certain sorts of intrusive nets to sweep up sharks, that net use must be authorized by the court. But technology being what it is, the nets also sweep up other fish – a by-catch. The court accepted that by-catch can happen, but did not actually know what CSIS was doing with the by-catch. In fact, CSIS was keeping a fin from each fish caught in the by-catch. The court learned about this after 10 years of CSIS fin-collection. And then when it learned about it, the court concludes that the law governing CSIS obliged “catch-and-release”: the by-catch fish should have been released unmolested once identified as by-catch and not sharks. Because CSIS did not do this, it acted unlawfully. Plus in failing to tell the court, it violated very strong duties that it do so.

I will deal with the by-catch issue in this blog entry, and the duty of candour in a subsequent entry. I also have entries on the policy issues – which I think are significant on a number of grounds and perhaps more sweeping that seems apparent given the scope of the actual legal issues.

Basic Legal Background

Under its “section 12” mandate, CSIS collects, to the extent it is strictly necessary, and analyzes and retains information and intelligence on activities it has reasonable grounds to suspect constitute threats to the security of Canada. 

This passage has several “magic words”: “to the extent that it is strictly necessary”; “reasonable grounds to suspect”; and, “threats to the security of Canada”.

“Threats to the security of Canada” is the only passage actually defined in the CSIS Act (in section 2). Suffice for our purposes to say it is broad.

“Reasonable grounds to suspect” has a generally well-understood meaning (although I still struggle to imagine how it is applied in practice): “suspects on reasonable grounds” is a suspicion based on objectively articulable grounds that may be lower in quantity or content than the requirement of  reasonable belief, but must be more than a subjective hunch. R v Kang-Brown, 2008 SCC 18.

“Strictly necessary” has a fairly intuitive meaning. Less intuitive is whether this necessity standard qualifies merely collection, or also applies to analyze and retain. I will return to this below.

Under section 12, CSIS collects information. Where the means of that collection are sufficiently intrusive to trigger section 8 of the Charter (the protection against “unreasonable” searches and seizures) or the Part VI Criminal Code prohibition against unauthorized intercept of private communications (typically, a wiretap), it must get a Federal Court warrant. A judge will only issue a warrant if persuaded that CSIS has reasonable grounds to believe that it is required to investigate threats to the security of Canada.

"Reasonable grounds to believe" is a higher standards than the reasonable grounds to suspect standard that must be met for CSIS to begin an information collection investigation under section 12. Sometimes called “reasonable and probable grounds” in the constitutional caselaw, reasonable grounds to believe is much lower than the criminal trial standard of “beyond a reasonable doubt.” Instead, it is defined as a “credibly-based probability” or “reasonable probability.” R v Debot, [1989] 2 SCR 1140. In the administrative law context, courts have described it as a bona fide belief of a serious possibility, based on credible evidence. Chiau v Canada (Minister of Citizenship and Immigration), [2001] 2 FC 297 (FCA).

CSIS obtains warrants in a closed-court (aka secret) process in which only the government side is represented.  The warrants can, and often do, impose conditions on CSIS investigations.  There are templates for standard warrant applications. These templates are occasionally updated, a process that requires CSIS to apply to the Federal Court. This case came about through a belated updating process.

Operational Data Analysis Centre (ODAC)

CSIS collects many data in the course of its section 12 investigations. Not unreasonably, it wants to keep these data in order to pool them in a manner that it can then search to further investigations in the future. And so it created ODAC in 2006. It turns out it did not tell the Federal Court about ODAC, at least not in any real concrete manner.

This is important, because ODAC was pooling information collected via warrant. And that information included not only content and metadata produced by an investigative target’s own communications (the collection of which was authorized by warrant), but also so-called “associated data”. As the Court defined it, “associated data” are data “collected through the operation of the warrants from which the content was assessed as unrelated to threats and of no use to an investigation, prosecution, national defence, or international affairs”. In our analogy, we would call this "by-catch". Presumably a lot of these would be data from third-parties; that is, communication-related information involving non-targets, swept into the CSIS surveillance net. For telephony, this might include the speech of the person on the other end of a conversation, or the accompanying metadata (e.g., telephone number; geolocation of a cell phone, etc.)

For email, this could be a heck of a lot of content and metadata totally unrelated to the target’s communication. Email travels in packets across the internet, and packets bundle unrelated segments of individual emails. And so intercepting a target’s emails generally means intercepting all the packets, and the accompanying content and metadata of other people’s communications bundled with them.

CSIS chose, in the ODAC, to retain some of this “associated data”; and specifically, the metadata, although not the actual content of the communication.

This is a privacy issue. These metadata have been compared to “data on data” — that is, they constitute the contextual information that surrounds the content of an Internet transaction or communication. In a 2013 report, the Privacy Commissioner of Ontario compared metadata to “digital crumbs” that reveal “time and duration of a communication, the particular devices, addresses, or numbers contacted, which kinds of communications services we use, and at what geolocations.”[1]  And pooling metadata and applying “Big Data” analytics can paint an intimate portrait of people – which is exactly why it might be of interest to an intelligence service.

But the retention of these metadata is also a legal issue. For one thing, it now seems pretty clear after the Supreme Court’s Spencer decision that metadata are protected by section 8 of the Charter. For another thing, the CSIS Act determines what CSIS can do with the information it collects.

The Legal Issue

The Court did not reach the section 8 issue, although it acknowledged that the matter had been argued before it. Instead it focused on the CSIS Act issue. And there, the key consideration is whether CSIS can retain the information it collects through its investigations.

On this point, there are now two answers. 

First, as per the Supreme Court’s holdings in Charkaoui II, CSIS actually has a constitutional duty to retain information related to its targets, or to threats to the security of Canada. As the Federal Court summarized this rule: “information that is indeed linked to threats to the security of Canada or to the target of a warrant must be retained in its original state by the CSIS to comply with the protected rights under section 7 of the Charter”. 

Or put in more lay terms: CSIS can’t destroy information collected on targets/threats, because people implicated in those threats may subsequently be subject to legal proceedings that oblige full government disclosure in order to allow for a fair trial. And if CSIS has destroyed the original collected information (and, the argument would go) simply kept a cheery-picking summary, then no fair trial can be had.

But, second, this Charkaoui II rule does not apply to information unrelated to the target or threats – that is “associated data”. Charkaoui II was not about “associated data”. And so the Federal Court looked to the CSIS Act, and basically concluded as follows: associated data, by definition, is non-threat related. It is not, therefore, something that is “strictly necessary” to the investigation of threats to the security of Canada. Collecting it is, therefore, something CSIS should not be in the business of doing. Now, technology means it can’t help but collect it while undertaking its bona fide “strictly necessary” collection of threat-related information (remember the concept of “by-catch"). And so, court warrants allow for this incidental collection. But authorizing incidental collection does not bless indefinite retention. And indeed, indefinite retention is not something any court could authorize without effectively usurping the “strictly necessary” standard found in section 12.

And so CSIS retention of the “associated” metadata was illegal.

In my next entry, I’ll begin talking about the broader implications of this case.

 


[1]           Ann Cavoukian, A Primer on Metadata: Separating Fact from Fiction (Toronto: Information and Privacy Commissioner Ontario, 2013) at 3.

Monday
Oct312016

Functions of parliamentary accountability in national security

Bill C-22, creating a National Security and Intelligence Committee of Parliamentarians is before the Commons committee for study this week. In prior posts, I have evaluated the pros and cons on this bill in writing and in video form. For a list of these and other resources, see here.

Oversight vs Review

One of the most confounding, recurring issues is whether this body should do real-time operational "oversight" (in the sense of command/control of the security services) or will be limited to ex post facto auditing of service conduct (what we call "review" in Canadian practice). The terms "oversight" and "review" are sometimes used interchangeably, but in Canadian practice they mean different things.

in conventional Canadian practice “oversight” has traditionally meant operational control and coordination of security and intelligence services, something that is very different than “review”. There is much misunderstanding, therefore, over who does or should do actual “oversight” in this classic sense. The general rule is: the executive. There is also a role for the courts to control security agency conduct through the warrant process. 

We do have serious structural problems in terms of oversight in Canada -- see ch 11 of False Security. But reform here means reforming the role of the courts and the executive.

Parliament and "oversight"

It does not mean giving Parliament an "oversight" role. Legislatures do not really do full oversight, in the command/control sense. And there are some good reasons for this. First, they would likely not be good at it -- a committee of parliamentarians signing-off on realtime operational decisions would create an unwieldy process at best. It would also risk politicizing the process. And indeed, in relation to police operations, it would trench on a concept that in Canada has possible constitutional imprimatur: police independence.We have intentionally created legal distance between police operational decisions and politicians for one key reason: avoiding a political police.

But more than that: if parliamentarians become part of the operational chain of command, they then become useless as reviewers. Their conduct becomes part of what must be reviewed. They will be hopelessly compromised in terms of holding the executive to account. This, in my view, is the single greatest reason to avoid true parliamentary oversight (in the command/control sense).

What about other countries?

It is very important to understand that these terms of “review” and “oversight” have different meanings in different places. When other countries talk about “oversight” they are often talking about what we in Canada would call “review”. And when people talk about the US Congress having an “oversight” role, they refer to bundle of functions performed by Congress and congressional committees quite different from what happens in many other countries, and also different from "oversight" in the Canadian sense. The congressional role includes classic legislative activities, such as passing laws governing the S&I community and approving expenditures. Congressional committees also review, in the sense of probing past conduct. And the US executive also gives some congressional committees advance notification of certain sensitive covert foreign operations by US agencies, which leads some to regard Congress as performing a sort of supervisory function. But in fact, this is still quite different from true operational command and control and coordination.

What about C-22?

The C-22 committee is intended as a review body. And that is entirely proper. Now, to be clear, this does not mean that operations have to be complete before a review commences. Review is capable of being close to real time, and I see the language of clause 8(b) as permitting review touching on on-going operations (which is probably why the government inserted a ministerial veto in this provision -- something that deserves debate).  (The language of "activities" in clause 8 is the common style in Canadian statutes of describing operations by, e.g., CSIS and CSE).

But this examination by the Committee, however real-time or close to real-time, will still be review: scrutiny of activities, not approval or control of them.

The key issue, in my opinion, is whether the Committee will have enough access to information to perform even this function effectively.

And that is where the debate on C-22 should focus. I think, personally, that the strictures on information will make the proposed committee an inadequate review body of operational activities. I could live with that if persuaded that existing expert review bodies will be recrafted to fill long-standing gaps in the Canadian review system. But if all we're going to end up with is the parliamentary committee and we persist with the sort of information limitations found in C-22, we should have modest expectations. I would then worry about the value-added on the C-22 committee in relation to any sort of review touching on operational activities.