About this Project

This blog comments on Canadian (and occasionally comparative) national security law to update my National Security Law textbook and now also my 2015 book, False Security: The Radicalization of Anti-terrorism, co-authored with Kent Roach.

Please also see www.antiterrorlaw.ca for Bill C-51-related analyses by Craig Forcese and Kent Roach.

For narrated lectures on various topics in national security law, please visit my 2017 "national security nutshell" series, available through iTunes.

 

For a continuing conversation on Canadian national security law and policy, please join Stephanie Carvin and me at A Podcast Called INTREPID.

 

Please also visit my archive of "secret law" in the security area.

By Craig Forcese

Full Professor
Faculty of Law

Email: cforcese[at]uottawa.ca

Twitter: @cforcese

 

National Security Law Blog Search
Subscribe to National Security Law Blog

Best Law School/
Law Professor Blog Award

 

Most Recent Blog Postings

Latest Book: Available from Irwin Law in April 2018.

Wednesday
Jan312018

C-59 and collection of all that is in the eye of the beholder?

A number of really interesting briefs have been prepared by various stakeholders, going into the next round of House of Commons legislative hearings on bill C-59.  Many seek to ratchet tighter the accountability structures in the bill, especially for CSE and CSIS (where they don’t call for the outright abandonment of these agencies’ proposed new powers).

I haven’t had chance to review all the specific ideas, but two of these sets of recommendations stand out for me in this area.  Let me address the first in this post, and a second in one to follow.

Stakeholders have expressed a recurring concern about “publicly available” information.  Both CSE and (to a slightly lesser extent CSIS, in relation to datasets) are exempted from the special oversight accountability structures imposed on information collection, where the information is said to be “public”.  Indeed, in relation “publically available information”, CSE is relieved of its obligation not to direct its activities at Canadians. Neither the CSE nor the CSIS dataset rules include a truly meaningful definition of public information, raising concerns about the fuzzy line between public and not-so-public.  The phone book (does it still exist?) is one thing. Hacked information now spilled out on the web and technically publicly available "at the time of its collection" (the CSIS definition), is another. Should there be safeguards on its collection, retention and use by intelligence agencies?  The CSIS amendments provide rules on the retention, querying and exploitation of public information, yes, but exempt it from the more thorough independent vetting system for other sorts of datasets.

On the one hand, it would be naïve and prejudicial to ask intelligence agencies to turn a blind eye to any source of information within legal mandate and contributing to their mission.  On the other hand, it would be pernicious to create a nudge-nudge-wink-wink intelligence service market for unlawfully acquired information.  Or even, possibly, lawfully released information revealing personal information in unexpected ways.  Given the Supreme Court’s trajectory, it is possible it will ultimately conclude that a person retains a constitutional privacy interest in even public information (at least of a certain character). 

But even if Charter s.8 does not go this far, there may be policy reasons to treat the state’s acquisition of “public” information differently than similar private sector activities. For one thing, the private sector is not generally equipped with guns and jails and the coercive apparatus of the state.  Nor does it have access to the full panoply of information we are all compelled to provide to the state, in our interaction with its regulatory function (think tax info). So the state has unparalleled capacity to scrape public information and combine it with both closed intelligence and other state-acquired information.  That gives “public” information a qualitatively different significance in the hands of the state.  Predicting in advance what implications this has is impossible, which is an argument in favour of an independent oversight function even where “public” information is at issue.  (Back-end review seems insufficient, especially since review bodies have powers of recommendation, only. And in some instances in the past, issues raised by these bodies have taken years to redress. Independent pre-authorization, required to undertake the activity, is a more robust way to oblige careful consideration of the dilemmas, and if section 8 were ever engaged, is likely required anyway.)

All of this is to say that these concerns are worth redressing, at minimum by plugging even public information acquisition into the independent vetting systems anticipated for both CSIS datasets and CSE foreign intelligence and cybersecurity mandates.  I fear that otherwise, this issue will become a festering source of unease about the good faith of the security services, and perhaps a source of future controversy.

Friday
Dec152017

A Warrant for All Seasons: Four New Charter Section 8 Cases

And on the fourth day of Christmas, federally-appointed judges gave to us…four new Charter s.8 cases.  There are two Federal Court cases involving CSIS intercept of IMSI information and seeking access to subscriber data. And two Supreme Court cases involving text messages received by the recipient and stored by the service provider.

Here’s the one-paragraph (often one long-run-on sentence) summaries:

  • In the Matter of Islamist Terrorism (2017 FC 1047): In the course of targeted investigations under s.12 of the CSIS Act, CSIS may intercept International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI) numbers emitted by mobile devices communications connecting to cellular networks without warrant, even though the privacy interest protected by section 8 applies, where CSIS does so in a minimally intrusive manner without seeking means of identifying the individual (in practice, because they already know who it is), does not capture communications content, does not geo-locate, does not interfere with 9/11 and emergency communications, and destroys all incidentally collected, non-target information.  Bulk collection would be a different story (which is why this case is, in net, bad for CSE and its incidental collection of private communications and metadata).
  • In the Matter of XXXX Threat-Related Activities (2017 FC 1048): CSIS cannot obtain a general court authorization allowing it to obtain basic identifying information from communications service providers for individuals whose identities are not yet known, but who may come to CSIS’s attention in the future, and the court cannot delegate such an authorization function when persons do come to CSIS’s attention to a designated CSIS official.  But CSIS may obtain such authorization from the court for individuals and, indeed, classes of individuals where the court can understand the nexus between that class and the investigation, on a reasonable grounds to believe standard.
  • R v. Marakah (2017 SCC 59): A sender retains a reasonable expectation of privacy in the communication, and inferences that can be drawn from it, stemming from text messages sent to a recipient and the diminishment of this control because the text message passes through a service provider and could be shared by the recipient does not change this and a warrantless search of the recipient’s phone to obtain these messages in circumstances where there was no plausible “search incident to arrest” breaches section 8 of the Charter.
  • R v. Jones (2017 SCC 60): A service provider may properly intercept text messages for service delivery purposes, but this does not negate the sender’s reasonable expectation of privacy and the police must generally have court authorization to then obtain these text messages. Historical text messages may be obtained through the general production order in s.487.014 of the Criminal Code (on a reasonable grounds to believe standard) and need not receive a wiretap authorization under Part VI of the Criminal Code, unless the intercept will involve prospective communications, as opposed to historic communications.

These cases, combined with the federal Privacy Commissioner’s decision on a complaint about RCMP IMSI collection activities, create, well, a maze.  The Privacy Commissioner concluded in September that RCMP warrantless collection was unconstitutional.  This is hard to square with the new Federal Court’s decision on CSIS, but the Privacy Commissioner would probably say that the RCMP offered no specifics on what they were doing of the sort that led the Federal Court to conclude that CSIS’s warrantless intercepts were still reasonable, although done warrantlessly.

So here’s a brief scenario.

Hans, the scheming villain from a famous holiday classic, is working for the Chinese government, and conducting himself in a manner that constitutes a threat to the security of Canada under the CSIS Act and a violation of the criminal provisions found in the Security of Information Act (SOIA).  So both CSIS and police have investigations underway (and are doing all that difficult deconfliction work that is a Canadian thing).

CSIS knows that Hans has a cellphone and they want to figure out what the IMSI number is.  So they conduct a targeted intercept meeting the standards described In the Matter of Islamist Terrorism (above).  They do this without warrant.

RCMP also wants to know what Hans’s IMSI number is. So either CSIS gives it them through an advisory letter (which seems very, very unlikely).  Or they collect it themselves.  But they have to use s.492.2 of the Criminal Code to get a transmission data recorder order from a judge, on a reasonable grounds to suspect standard.

Now CSIS wants to know where Hans has been going and what he will saying.  So they need to go to Federal Court and obtain judicial authorization for an intercept under s.21 of the CSIS Act, on a reasonable grounds to believe standard.  Section 21 is a one-standard provision for all sorts of intercepts, so this same standard will apply for archived geolocational metadata (obtained from a service provider) and content (wiretapped).

And now the police also want to know where Hans has been going and what he will saying. To know what he is saying, they need a Part VI Criminal Code warrant, allowing a wiretap. This too is on a reasonable grounds to believe standard.  But for archived geolocational data, the police may be able to obtain a production order directed at the service provider, requiring that this sort of “transmission data” (metadata) be produced. Transmission data production orders may be obtained on a reasonable grounds to suspect standard.

So perhaps the police, who find it easier to share with CSIS than the vice versa, can share the transmission data with CSIS, obviating the need for CSIS to get their own metadata-related warrant?

Both CSIS and the police decide they should also figure out what Hans has been texting his friends in Beijing. Again, CSIS proceeds via Federal Court authorization under s.21 of the CSIS Act, for both archived texts and future intercepts.  This requires a reasonable grounds to believe standard.

As per Jones, the police for their part can obtain the archived text messages from the service provider using a general production order under s.487.014 of the Criminal Code, issued by a judge on a reasonable grounds to believe standard.  But to track his on-going texts, they need a Part VI wiretap order, on a reasonable grounds to believe standard.  (And even if they had Hans’ friend’s phone, Marakah establishes they would need a search warrant to search it for the text messages, on a reasonable grounds to believe standard.  Of course, if they arrested Hans they might be able to search his phone without warrant, as a search incident to arrest per Fearon.  But Hans would need to have left it unlocked.)

This is all getting rather complicated. A “cacophony of lawful access rules” joins “herd of bison”, “murder of crows” and “pack of wolves” as a Canadian thing.  It will be interesting to see if the government moves on lawful access reform in 2018. (So far this is a government showing real appetite to fix big things in the national security/public safety law space.)

Thursday
Dec072017

Updated: A listener's guide to C-59

The Parliamentary process on bill C-59, the largest overhaul of Canadian national security law since 1984, is well underway.  You can find the proceedings in front of the House of Commons Standing Committee on National Security and Public Safety here.

Lots of people have written primers. Kent Roach and I did a basic early assessment here.  And I posted a meditation here. I have posted two "decision-tree" schematics, one on the new CSE powers and other on CSIS datasets.  The written notes to my committee appearance are here.

But for those following along with A Podcast Called INTREPID, Stephanie Carvin and I have been getting into the weeds. And we finally got through the whole bill! So here is a Listener's Guide to Bill C-59:

  • Episode 3: The Challenge of Warching Watchers: bill C-59's new "review" body, the National Security and Intelligence Review Agency.
  • Episode 6: Commissioner, Minister, Lawyer, Spy: bill C-59's fix to CSE's current (very) constitutionally-suspect system of foreign intelligence and cybersecurity activities implicating Canadian private communication or metadata. (We did not discuss how we haven't quite fixed the problem but could with a few words of amemdment. See here. I think I have been persuaded that my one-word fix may fix the a constitutional problem and create an operational problem. So I have a different, five or six word fix that I presented to the committee here.)  This podcast also discusses new powers for CSIS to receive and analyze and retain information not tied only to threats to the security of Canada. (Feel free to shake your head should anyone claim that C-59 does not include substantial new powers for intelligence services).
  • Episode 8: The Legal Pile-One, the No-Fly Glitch, and the Police Probe: includes a discussion of Canada's creaky no-fly list and how C-59 fixes it in part, but still fails to resolve it in full.
  • Episode 9: Cyber-Cyber-Bang-Bang: discusses C-59's considerable expansion of CSE's mandate to include offensive and defensive cyber.  (Again, feel free to shake your head should anyone claim that C-59 does not include substantial new powers for intelligence services).
  • Episode 10: The first thing we do, let's disrupt all the lawyers: discusses C-59 and CSIS threat reduction powers and what changes and what doesn't.  And discusses new criminal immunity powers for CSIS sources (and officers) doing intelligence work and the checks and balances. (Please keep shaking that head if people try to tell you this bill doesn't offer anything to the security services).
  • Episode 12: The SCISA in the Limit (on Information-Sharing): C-59 and the Security of Canada Information Sharing Act, focusing on the tension between the ready flow of information and privacy.
  • Episode 14: Locking Them Up: We foocus on the Criminal Code amendments: the parts of C-59 that can involve locking people up or otherwise constraining their liberty. They discussing changes to the bill C-51 speech crime and also "preventive detention" and "peace bonds" as well as the terrorism group listing process.

Hope some of this helps!