About this Project

This blog comments on Canadian (and occasionally comparative) national security law to update my National Security Law textbook and now also my 2015 book, False Security: The Radicalization of Anti-terrorism, co-authored with Kent Roach.

Please also see www.antiterrorlaw.ca for Bill C-51-related analyses by Craig Forcese and Kent Roach.

For narrated lectures on various topics in national security law, please visit my 2017 "national security nutshell" series, available through iTunes.

 

For a continuing conversation on Canadian national security law and policy, please join Stephanie Carvin and me at A Podcast Called INTREPID.

 

Please also visit my archive of "secret law" in the security area.

By Craig Forcese

Full Professor
Faculty of Law

Email: cforcese[at]uottawa.ca

Twitter: @cforcese

 

Subscribe to National Security Law Blog
National Security Law Blog Search

Best Law School/
Law Professor Blog Award

 

Most Recent Blog Postings

Latest Book: Available from Irwin Law in April 2018.

Monday
Feb262018

Intelligence Swords and Shields in Canadian Law

Speaking Notes (February 2018)

(Posted with permission)

 “Caught between the Scylla and Charybdis…

 -          Sting, “Wrapped Around Your Finger”

What I’ve been asked to do is step back and imagine how intelligence intersects with evidence, producing swords and shields in Canadian law.

Let me start with two, high-level observations, providing a working definition of “evidence” and of “intelligence”.  First, evidence is legally-cognizable information material to the exercise of law enforcement powers and judicial decision-making. Intelligence, in comparison, is a more fluid category of information, designed to “extract certainty from uncertainty and to facilitate coherent decision in an incoherent environment.”[1]

Intelligence may include evidence, but it will also include information that is not evidence. There are two obvious reasons for this fact.

First, intelligence may cover matters that cannot be the subject matter of a legal proceeding, and therefore there need never be consideration of its evidential value. I would hazard that this is the traditional view of intelligence.

But second, increasingly, there are instances where the information collected as intelligence is probative of matters amenable to legal proceedings, but other things stand in the way of it being evidence.

For one thing, “intelligence” is a diffuse concept that can sit poorly with the concept of “evidence”. As the Ontario Court of Appeal noted, discussing intelligence supplied by foreign services, intelligence is often “unsourced, uncircumstanced,” and its provenance “unknown”.[i]  But not always.

And so I will focus mostly on this issue of how different sorts of intelligence overlay the concept of evidence and produce intelligence-to-evidence dilemmas.

I2E Issues

Intelligence-to-Evidence, or I2E, is the inelegant phrase we use to describe several discrete types of issues. This first is the movement of intelligence procured by intelligence services to police, to support law enforcement investigations. I shall call this the actionable-intelligence issue.

Ample actionable-intelligence is an ingredient of successful security – a point made in the 2010 Air India inquiry, by the 9/11 commission and recently affirmed in the UK context by David Anderson’s study of security services’ performance in relation to the 2017 terror attacks in that country.

But actionable-intelligence sharing is closely linked to a second, closely-related component of I2E: something that I shall call the evidentiary-intelligence issue. And evidentiary-intelligence has two aspects. This first I will call the evidentiary-intelligence sword. The evidentiary-intelligence sword problem relates to the use of intelligence in legal proceedings, to justify state action. The second, much better-canvassed issue in Canada is the evidentiary-intelligence shield problem. And here, I am talking about legal tools used to block disclosure of intelligence in court proceedings.

Typology of Intelligence

Before exploring this triumvirate of issues more fully, though, I need to propose a more detailed breakdown of intelligence.

 1.     Direct Surveillance or Raw Intelligence

Some raw intelligence should be easily cognizable as evidence, in principle. Communications metadata collected under a CSIS warrant should, in principle, be no different than that obtained by police under a transmission data order.

Still, even conventionally-collected intelligence may be difficult to use as evidence, not because of its nature but rather because of what its disclosure or deployment in a legal proceeding would do to the sources, means and methods used to collect it.

A second use issue may stem from the complicated provenance of some raw intelligence. For example, raw intelligence may be secured from the battlefield in Syria or Iraq. That information may be relevant and material to the participation of an accused in Daesh, as it has been in the UK. But use of records acquired through unorthodox intelligence channels raises issues of reliability, and especially concerns about whether they are genuine or not.

2.     Confidential Source Intelligence

Intelligence may be procured from confidential sources, including informants. Intelligence services balk at sources appearing in court and so some legal proceedings permit indirect use of confidential source intelligence.

In the immigration security certificate context, CSIS has used information acquired through confidential sources, communicated through the proxy of an intelligence officer. Even so, the Federal Court has affirmed it (and special advocates) must nevertheless be able “to effectively test the credibility and reliability of that information” and source.[ii]

3.     Processed Analytical Intelligence      

Some intelligence stems from the application of analytical judgment. An intelligence report may not include raw intercepts, but rather summaries of them. Or it may piece together different sources of raw information to draw intelligence conclusions.

Whether with primary materials referenced or conclusions left to stand on their own and omitting these primary sources, analytical workproduct of this sort may be very hard to use as evidence of the facts it asserts. It necessarily raises concerns about probative value, opinion evidence and hearsay.

This is especially true if the processed intelligence amounts to stacked hearsay: a report summarizing information supplied in other, shared reports (especially by another service), that in turn summarize information supplied in other reports, and so on.

Use of this sort of information is permissible in some legal proceedings. For example, the affidavits sworn to obtain both CSIS and Criminal Code warrants may include hearsay,[iii] including intelligence-based allegations.[iv]

Hearsay may also be used in immigration security certificate proceedings, if the Federal Court judge regards it as “reliable and appropriate”.[v] But even in administrative proceedings, hearsay may diminish the weight given to this processed analytical intelligence, and raise questions about procedural fairness.[vi]

4.     Torture Intelligence

Whether in raw or processed form, it is not possible to use as evidence in any proceeding over which Parliament has jurisdiction “any statement obtained as a result” of torture criminalized in section 269.1 of the Criminal Code.[vii] The Charter, international law and ministerial directions issued to CSIS and other security and intelligence services also preclude such use.

5.     Caveated Intelligence

Intelligence shared between services include caveats, limiting the use to which the shared intelligence can be put. Honouring these caveats often means declining to disclose it, including disclose it in legal proceedings. Caveats are not a legal rule, but are an essential intelligence practice, and therefore are frequently at issue in evidentiary-intelligence shield disputes.

Caveats are especially important as between foreign partners, because of the risk that failure to honour a caveat will jeopardize future information-sharing.

I2E Dilemmas

All this brings me to the practical I2E dilemmas. The short version: CSIS is acutely concerned that disclosure in judicial proceedings of its intelligence will prejudice its sources, means and methods and impair its intelligence-sharing relationship with foreign partners. The government responds in three manners, two legal and one operational.

1. Legal Swords in Closed Courts

As suggested above, intelligence may be used as evidence in special, closed-court proceedings. And that list may expand: the government has proposed the use of classified information in closed civil proceedings, modelled on the UK system devised in the Justice and Security Act, 2013.

2. Legal Shields in Open Courts

Legally, the evidentiary-intelligence shield problem drives special procedures used to protect intelligence from disclosure in legal proceedings, most notably section 38 of the Canada Evidence Act. Section 38 questions concern sensitive intelligence that might be subject to disclosure in proceedings, if not for successful invocation of this national security privilege.

3. Operational Shields

Operationally, the evidentiary-intelligence shield issue provokes complicated choreography between police and CSIS, designed to minimize the prospect that CSIS will be subjected to full Stinchcombe disclosure in any trial, and/or will need to resort to the Canada Evidence Act. To this end, CSIS stays at arm’s length from police investigations, taking advantage of O’Connor third-party status rules. It also meters out the intelligence it shares with police, using carefully-crafted disclosure and advisory letters.  This minimizes disclosure risk, but at the cost of close inter-agency collaboration and potentially nimble responses to terrorism risks.

In this manner, evidentiary-intelligence shield problems are in acute tension with the needs of actionable intelligence sharing. They reinforce a relationship between police and CSIS that strives to maintain investigative arm’s-length, dependent on separate, parallel investigations touching gently through deconfliction protocols.

This is dangerous security. Kent Roach at the University of Toronto and I have argued that safeguards provoked by evidentiary-intelligence shield concerns are suboptimal in terms of ensuring actionable-intelligence sharing, and therefore public safety.

Reform

One response, detailed in a forthcoming paper by Leah West Sherriff, is to minimize the amount of intelligence that needs to be shielded. In its consultation document, the government proposed codifying an O’Connor process for a CSIS third party status. The would provide legislative certainty and predictability. But of course, it can only be done constitutionally if CSIS remains a third party. And so, the effect would be to entrench the parallel investigation, with its consequences for actionable-intelligence sharing.

Maintaining third-party status becomes less essential if CSIS is more comfortable with disclosure.  And so on the operational side, in my paper, I have pointed to MI5’s practice in the United Kingdom to urge CSIS should be collecting intelligence to “evidential standards” in counter-terrorism investigations.

The core idea behind “collection to evidential standards” is not to convert CSIS into the police, whose purpose becomes law enforcement. “Collection to evidential standards” should instead be regarded as short-hand for “collection of intelligence in a manner that facilitates actionable-intelligence sharing and minimizes reliance on evidentiary-intelligence shields”.

I am engaged in a slow motion thought experiment about what this might mean in practice, one that is terribly disconnected from the real world because I have no access to classified information. And I have also started working through a list of more particular I2E solutions responsive to different policy challenges in a longer paper.  

For my purposes today, I shall end my initial remarks with the simple observations: collecting to evidential standards obliges careful, forward-thinking choreography so that pursuing intelligence objectives does not end up trenching on the evidential prospects in the case.  That is an organizational challenge, and the degree to which it is being met is something I cannot judge from the outside.  My sense is, however, that most recognize it as an unresolved challenge.

 


 


[1]              Richard Betts, Enemies of Intelligence: Knowledge and Power in American National Security (Columbia, NY: Columbia University Press, 2007) at 30.

[i]               France v. Diab, 2014 ONCA 374 at para. 205.

[ii]               Harkat (Re), 2009 FC 1050 at para 48. See also Canada (Citizenship and Immigration) v. Harkat, 2014 SCC 37 at para. 88 (“The Minister has no obligation to produce CSIS human sources as witnesses, although the failure to do so may weaken the probative value of his evidence”) and para. 90 (noting that “the designated judge's weighing of the relevant [source] evidence took into account the fact that it was hearsay”).

[iii]              See Eccles v Bourque, [1975] 2 SCR 739 at 746 (“That this information was hearsay does not exclude it from establishing probable cause”, in an arrest context); R. v. Morris (1999), 134 C.C.C. (3d) 539 at 549 (NS CA) (“Hearsay statements of an informant can provide reasonable and probable grounds to justify a search.”; R. v. Philpott, 2002 CanLII 25164 (ON SC) at para. 40 (“The [warrant] issuing court may consider hearsay evidence obtained by the affiant from other officers or informants.”).

[iv]              For instance, the CSIS affidavit sworn as Federal Court file CSIS 15-12 (sworn in relation to Raed Jasser) specifies at para 6: “The information in this affidavit has been conveyed to me by employees of the Service who are, or were, involved in the Service’s investigation of international Islamist terrorism and through a review of relevant records maintained by the Service. The information was obtained through various sources including government agencies, open information, as well as [redacted] associated with international Islamist terrorism.” (The affidavit is supported by exhibits, fully redacted.) Likewise, the affidavit PPSC Number 1-12-073 (concerning Raed Jaser) relies on information conveyed in, e.g., letters from the FBI.

[v]               IRPA, s. 83(1)(h). Almrei (Re), 2009 FC 3 at para. 53 (This section “permits the reception of hearsay evidence such as that which may be provided by a confidential informant or a foreign intelligence service.”). See also Harkat, 2014 SCC 37 at para. 75.

[vi]              See, eg, Harkat, 2014 SCC 37 at paras 76 and 235 (suggesting judges are able under the security certificate process to “exclude not only evidence that he or she finds, after a searching review, to be unreliable, but also evidence whose probative value is outweighed by its prejudicial effect against the named person.”); Mahjoub (Re), 2013 FC 1097 at para. 130 et seq. (concluding that hearsay evidence may be admissible in security certificates, but must be tested for reliability and appropriateness); Zundel (Re), 2004 CF 1308 at para. 25 (indicating in a security certificate context that “hearsay evidence is given less weight”).

[vii]             Criminal Code, s.269.1(4). This requirement is supplemented in the immigration security certificate context: “reliable and appropriate evidence does not include information that is believed on reasonable grounds to have been obtained as a result of the use of torture within the meaning of section 269.1 of the Criminal Code, or cruel, inhuman or degrading treatment or punishment within the meaning of the Convention Against Torture.” IRPA, s. 83(1.1).

 

Monday
Feb262018

The Judicialization of Bulk Powers for Intelligence Agencies

Personal Speaking Notes (February 2018)

(posted publicly with permission)        

I have been asked to reflect on common trans-Atlantic intelligence dilemmas, and then a variation on our traditional trans-Atlantic search for solutions.  To that end, I’ll say a few words about both the UK Investigatory Powers Act and some of the proposed aspects of bill C-59. 

In some large measure, both the UK IPA (Investigatory Powers Act) and C-59 constitute what former CSIS director Jim Judd once called “the judicialization of intelligence”. Mr Judd raised concerns about this development.  Intelligence has traditionally operated in a manner obliquely governed by law, if at all. There is a disconnect between a covert intelligence function – and its requirements – and the more overt culture of law and lawyers and judges. Intelligence needs are fluid.  Law is rigid. Intelligence needs are immediate and exigent. Law can be laborious.

But law has inevitably encroached on intelligence. An academic colleague – Dennis Molinero – has uncovered a trove of documents from the 1950s.  At that time, these documents show, national security domestic intercept warrants were issued by Prime Minister Louis St Laurent as an exercise of discretionary power under something called the Emergency Powers Act. There was the vaguest of statutory imprimaturs, and certainly no independent judicial oversight in the form of preauthorization.

We abandoned that approach in 1974, and the original iteration of the what is now Part VI of the Criminal Code.  And in 1984, we built CSIS search and seizure around a judicial warrant process – and the next year, the Supreme Court decided Hunter v Southam. Since then, in cases like the Federal Court of Appeal’s decision in Atwal, through to Justice Crompton’s recent decision in the In the Matter of Islamist Terrorism case, the domestic intelligence search and seizure expectations have been placed on a constitutional footing largely indistinguishable from that of criminal law.

In the IPA, the UK has moved considerably closer to our model than had been the case before. Once the purview of ministers, executive warrantry is now supplemented by review by judicial commissioners.  The shorthand is: double-lock (executive approval of a warrant supplemented by judicial review, prior to execution).

But in Canada, we have yet to address two dilemmas also at issue in the IPA. Both fall in the realm of what in the UK context is called “bulk powers”.  And since in bill C-59 we moving in this area, and judicializing, it is on this topic I wish to focus a few remarks.

So first, let me define bulk powers: a bulk power is one that allows intelligence agencies access to a large quantity of data, most of which is not associated with existing targets of investigation. It is the mass access, in other words, to data from a population not itself suspected of threat-related activity. The commonplace example, since Snowden, is internet or telephony metadata for entire populations of communications users.  But bulk powers can also involve content, and not just the metadata surrounding that content.

Bulk powers are controversial – they are the heart of the post-Snowden preoccupations. They inevitably raise new questions around privacy, and in the Canadian context, Charter rights.  Not least: bulk powers are irreconcilable with the requirements of classic warrants. There is no specificity. By definition, bulk powers are not targeted; they are indiscriminate.

In the IPA context, the world of bulk powers can be divided into bulk interception; bulk equipment interference; bulk acquisition; and bulk personal datasets.  Of these, I want to focus on bulk interception and bulk personal datasets.

Bulk interception is what is sounds like: the collection of transiting communications passing through communications providers or otherwise through the ether. 

Canadian law permits bulk collection by the Communications Security Established, our signals intelligence service. It is subject to the caveat that acting under its foreign intelligence or cyber security mandate, CSE may not direct its activities at Canadians or persons in Canada. But in practice, bulk interception cannot be limited to foreigners, even if the objective is foreign intelligence. The way communications transit the internet and other communications systems creates a certainty that bulk intercept directed outside the country will intercept the communications of Canadians and persons in Canada.  This is known as incidental collection.

In Canada, we have struggled with this issue. Part of the answer is in Part VI Criminal Code. As you know, it outlaws unauthorized intercept of private communications. A private communication is one with at least one end in Canada. Since in bulk interception, at least some private communications would be captured in a manner meeting this definition of intercept in Part VI, CSE must be exempted from its reach.  And that is what the National Defence Act does, where CSE acquires a defence minister authorization in advance for at least the class of foreign intelligence or cybersecurity activities that might capture this private communication.

The constitutional issue is more fraught. Not least, the defence minister is not the independent judicial officer invoked as the gold standard under Hunter v Southam for Charter section 8.  The consequence has been the constitutional lawsuit brought against CSE by the BCCLA associations and now efforts at refinement in C-59.  And specifically, C-59 anticipates a quasi-judicial intelligence commissioner who will review the ministerial authorization before its execution. This past week, representatives of the CSE testifying before the Commons committee accepted the underlying constitutional expectation: They said under C-59, CSE will seek ministerial authorization (which in term triggers review by the intelligence commissioner) for any activity that would interfere with the reasonable expectation of privacy of a Canadian or a person in Canada, or contravene an Act of Parliament.

I am hoping that signals a willingness to amend the bill to say just that, on its face, but for our part my key point is this: C-59 clearly accepts the underlying premise: judicialization of bulk intelligence interception. In this respect, C-59 emulates the IPA.

But I wish to be clear, again: this is not a warrant. It will lack specificity. It will be issued for classes of activities, not specific activities or operations. It is review on reasonableness of a ministerial authorization, not the more hands-on warrant process. Does that meet Hunter’s standards?  I am inclined to suggest, yes, because the warrant cookie cutter cannot possibly apply to a form of bulk intercept in which intercept of s.8 rights-bearer communications is entirely incidental, and not targeted.

Before leaving CSE, I will say a word about another C-59 change.

We have also gone one step further than the IPA in giving CSE a specific offensive cyber mandate – called active cyber.  This could and almost certainly would implicate equipment interference, but interference untied to information acquisition and instead done “on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.” 

At present, there is considerable debate in Parliament about whether the intelligence commissioner should have advance oversight responsibilities in relation to this mandate.  Currently, he or she will not.  I am of two views on whether judicialization in this area would be wise or not.

Turning to domestic-facing bulk powers, I need to switch agencies and talk about CSIS.  And here we have drawn clear inspiration from the IPA in the area of bulk personal datasets.  The UK understanding of this expression is an apt descriptor of what is now also in play in Canada:

"A bulk personal dataset includes personal data relating to a number of individuals, and the nature of that set is such that the majority of individuals contained within it are not, and are unlikely to become, of interest to the intelligence services in the exercise of their statutory functions. Typically these datasets are very large, and of a size which means they cannot be processed manually."

Why have such things? The C-59 changes are a response, yes, to the Federal Court’s 2016 decision on what was known as ODAC.  But it also responds to a broader concern about the ambit of the Service’s threat investigation mandate. That mandate is anchored in s.12 of the CSIS Act. As interpreted by the courts, it permits the Service to collect, and analyse and retain information and intelligence respecting activities that may on reasonable grounds be suspected of constituting threats to the security of Canada, to the extent strictly necessary.  As Justice Noel and Justice Crampton concluded in both the ODAC case and the more recent In the Matter of Islamist Terrorism decision, this is a significant fetter on CSIS. It ties information collection, retention and analysis to a narrow band of threat investigations.  It also makes it difficult for CSIS to change the frequency of its fish radar and expand its reach to search other parts of the ocean for fish that have not already come to its attention.

A spy service fishing in more ocean is, in some eyes, the stuff of Big Brother and nightmares. On the other hand, an intelligence service that cannot have access to the ocean in performing its function is also likely unable to perform its functions very well.  And there is a lot of ocean out there in the digital era.  So how can we reconcile oceans full of data generated by innocents with the intelligence function of clearing the fog of uncertainty and revealing not just the known threats but also the unknown threats?

The solution in both the UK and Canadian context is to judicialize the fish detecting radar. And the model is again a double lock: ministerial approval for ingestion of datasets and judicial commissioner approval.

The result, in the Canadian context, is enormous complexity. Broadly speaking, there are a set of legislated rules in C-59 for the ingestion of datasets, and then a more demanding set of rules for the digestion. (I credit a Department of Justice lawyer for this ingestion/digestion analogy, which is quite apt).  So for Canadian datasets – datasets primarily comprising Canadian information – there is approval of classes of datasets that may be ingested by CSIS by both the minister and the quasi-judicial intelligence commissioner.  Once ingested, there is a limited vetting by CSIS.  And then any subsequent retention for actual use – that is digestion -- must be approved by the Federal Court, which is empowered to impose conditions on that subsequent use.  There is also a requirement that querying generally be done only where strictly necessary in performance of CSIS’s mandates.

I have included charts in the materials. (See also here).

Those charts show why some intelligence operators complain that C-59 is a gift to lawyers.  I suppose it is no surprise, then, that I think this is a clever regime.  Not least, it short circuits inevitable frontier s.8 issues; to wit, does s.8 attach to the big data analysis of information, the individual bits of which triggers no reasonable expectation of privacy. It seems almost certain that the jurisprudence will get there. C-59 heads this issue off at the pass by superimposing independent judicial authorization guiding and conditioning that big data analysis.

So, on that happy note, I shall end there.

Thank you.

Friday
Feb022018

Does CSE risk a Re X moment with the current drafting in C-59?

This is a third quick posting on some of issues I have been wondering about in the CSE Act, proposed by bill C-59. I have not reviewed all the submissions to the Commons national security committee (which have been often excellent and thoughtful).  But I am not aware of any discussion so far on today’s topic: lining the CSE Act up with international law.

Here, my preoccupation is with active and defensive cyber operations, and not foreign intelligence collection.  The latter raises arguably similar international law issues, but I have canvassed those elsewhere, in other contexts. (See here and here). (On this issue, I am in receipt of a new article from European colleagues examining this same question – which I look very much forward to reading.)

Nor do my remarks relate to CSE’s (cyber) participation in an armed conflict. Such involvement would, I assume, arise in an exercise of the CSE’s assistance mandate, in relation to the Canadian Armed Forces. There, an obvious concern is with CSE’s direct participation in hostilities, while an unprivileged belligerent (that is, something other than an armed force). This prospect raises real concerns under the laws of armed conflict.  Not least: participating CSE employees could be targeted and prosecuted for their conduct, enjoying neither protected status or combatant’s immunity. But I hope to able to point readers to an excellent digest of those issues by a more expert analyst soon.

My focus here is on CSE’s autonomous active/defensive cyber mandate, anticipated in sections 19 and 20 of the proposed Act. And so, active cyber may involve activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.

That is a vast mandate, constrained by a caveat that the activities be outward facing from Canada and not cause (intentionally or by criminal negligence) death or bodily harm or willfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy.

CSE is exempted from a narrow range of law

Cyber ops must be authorized by the defence minister (in the case of active cyber, blessed or requested by the foreign affairs minister). But the activity itself need not comply with “any other Act of Parliament or of any foreign state” (s.31; 30).  As far as I can tell, this is the only carve-out pertaining to other legal regimes applicable to cyber ops.  (If I am missing something, happy to be disabused.)

And the modest scope of this carve-out is what gives me pause. If it enacts this provision, Parliament authorizes violations of federal and foreign “Acts”, something it is free to do in a system based on parliamentary sovereignty.

CSE is not exempted from international law

Parliament is also free to authorize violations of Canada’s international law obligations. This does not relieve Canada of state responsibility in international law for such violations.  But it does make it legally possible in domestic law to violate international law.  But herein lies the rub. The Supreme Court has made it abundantly clear that Parliament is assumed to legislate in compliance with Canada’s international obligations, and that deviations from this presumption cannot be presumed. Instead, there must be “unequivocal legislative intent to default on an international obligation”.  See Hape, para. 53.

This was the exact issue that ensnarled CSIS in the Re X decision on extraterritorial invasive surveillance. Parliament corrected that problem in bill C-44 (2015), by permitting the Federal Court to authorize warrants even in violation of foreign or “other” law. “Other” in the context might reasonably be construed as “international”, although it might be argued otherwise.

Strangely, the CSE Act does not do this. It does not replicate the CSIS bill C-44 formula of “foreign and other laws”. It reaches, at best, foreign “Acts” (that is, primary legislation). I do not see how this reference to “Acts” can be read to empower CSE to violate international law. (Indeed, I do not see it as unambiguously authorizing violations of other possible sources of foreign law – for instance, constitutional, common law or regulations or equivalents. But the international law issue is the big question, since it binds Canada). There is much international law indisputably applicable to Canada that is not codified or covered in foreign “Acts”.  Indeed, it would be incongruous, indeed patently ridiculous, to assert that foreign “Acts” constitute the sum total of international obligations binding on Canada.

International law precludes extraterritorial exercise of enforcement jurisdiction

Accordingly, were I giving legal advice in relation to an active cyber operation, I would conclude that CSE cannot act, unless that cyber operation complies with international law. And that raises the big issue: international law precludes the exercise by a state of “enforcement jurisdiction” on the territory of another states, without its consent or some other permissive rule of international law. I have discussed here the application of the “enforcement jurisdiction” in a cyber context. Where it might exist will be debated, on the margins. But the more kinetic the impact of the active cyber, the more likely the violation of this norm.

(And I’d add that the permission to breach “Acts of Parliament” offers no different answer on this question.  As Hape notes, customary international law – of which the bar on extraterritorial enforcement jurisdiction is a part – is considered part of the common law of Canada – and that is only displaced by statute. The CSE Act does not displace it. It does not displace any Canadian law other than “Acts of Parliament”.)

The result should be a real and significant fetter on exactly what sort of activity CSE can perform as part of its unilateral active/defensive cyber mandate.

I have no real issue with this as a policy choice – by disposition I am not tremendously keen on a state doing an end-run around established doctrines of international law using data streams where it cannot use corporeal bodies.

Was this a policy choice or a drafting issue?

My concern is, however, that the government may not have fully turned its mind to this issue in designing the CSE Act. Put another way, it may have drafted an outcome it does not intend to honour. If it really does think it has exempted CSE from the considerable strictures of international law, and CSE acts accordingly, CSE may have its own Re X moment. If its policy objective is a muscular cyber ops capacity, the government may wish to have Parliament speak on the international law issue in an amendment – because silence retains the full international law fetter.

(And if that weren’t enough, we need to look over our shoulders at this throw-away line from the Supreme Court in Hape: “Neither Parliament nor the provincial legislatures have the power to authorize the enforcement of Canada’s laws over matters in the exclusive territorial jurisdiction of another state.” We’ll assume that the Supreme Court did not mean to suggest that Parliament lacks jurisdiction – period – to authorize invasions of a foreign state’s sovereignty.) 

It is true this kind of esoteric legal issue may never be adjudicated. But people have been saying things like that for years. I am still waiting for it to be true.

Page 1 ... 4 5 6 7 8 ... 93 Next 3 Entries »