About this Project

This blog comments on Canadian (and occasionally comparative) national security law to update my National Security Law textbook and now also my 2015 book, False Security: The Radicalization of Anti-terrorism, co-authored with Kent Roach.

Please also see www.antiterrorlaw.ca for Bill C-51-related analyses by Craig Forcese and Kent Roach.

For narrated lectures on various topics in national security law, please visit my 2017 "national security nutshell" series, available through iTunes.

 

For a continuing conversation on Canadian national security law and policy, please join Stephanie Carvin and me at A Podcast Called INTREPID.

 

Please also visit my archive of "secret law" in the security area.

By Craig Forcese

Full Professor
Faculty of Law

Email: cforcese[at]uottawa.ca

Twitter: @cforcese

 


Best Law School/
Law Professor Blog Award

 

Most Recent Blog Postings

Latest Book: Available from Irwin Law in April 2018.

Wednesday, Jan 31, 2018

The (Quasi) Judicialization of CSE Cyber Operations (Active & Defensive)

 

As noted in my prior post, there are a number of really interesting briefs prepared by various stakeholders, going into the next round of House of Commons legislative hearings on bill C-59.  Many seek to ratchet tighter the accountability structures in the bill, especially for CSE and CSIS (where they don’t call for the outright abandonment of these agencies’ proposed new powers).

I haven’t had a chance to review all the specific ideas, but two of these sets of recommendations stand out for me in this area.  In my last post, I addressed the question of “publicly available information”.  In this one, I want to noodle through the extremely complex question of whether the Intelligence Commissioner should have oversight jurisdiction to vet and approve, in advance and on a reasonableness standard, CSE’s proposed active and defensive operations (“cyber ops”).

Citizen Lab and the current CSE commissioner have both urged this role for the new Intelligence Commissioner, supplementing that official’s responsibility to vet ministerial authorizations issued for foreign intelligence (FI) and cybersecurity (CS).  (As an aside: for my part, I have suggested that the ministerial authorizations for FI and CS do not meet constitutional standards, because they are only required where CSE violates an “Act” through its collection.  So if at issue was “private communication”, intercept without authorization would violate the Criminal Code.  But the government has argued that private communication does not include metadata.  In fact, there is no Act of Parliament violated by the foreign collection of metadata, including the incidental collection of Canadian metadata -- if there was, CSE would have been violating it for years. And so, under the current drafting of C-59, there is no requirement to seek a ministerial authorization vetted by the IC.  And yet, there is a clear constitutional privacy interest in that metadata. There is *nothing* in either the current CSE law or the proposed CSE Act that meets the standards in the jurisprudence permitting “warrantless” intercepts -- or could meet that standard, in my view, given the nature of CSE’s bulk activities. End result: a new constitutional lawsuit, scandal, acrimony, disaster. Please, please fix this! Make sure the authorization process is triggered by all collection activities or classes of activities that engage information in which a Canadian or person in Canada has a reasonable expectation of privacy.)

The CSE Act Structures Cyber Ops MAs and FI/CS MAs Differently

But back to the proposal to extend the IC function to cyber-ops.  First observation: for cyber-ops, ministerial authorizations are required for all cyber-ops (s. 23(2)(b)).  This isn’t like FI and CS, where there is a trigger obliging some activities to go for approval and not others (s.23(3) and (4)). In my comment above, I suggest the FI/CS MA trigger is too narrow. I *want* to steer FI and CS activities that implicate Charter rights into the MA and then the IC process. But I am not proposing steering those that *do not* otherwise violate Canadian law through this process.  I do not think, for instance, that a CSE targeted intercept that collected the telephone call of a foreign person in a foreign state, with no prospect of any nexus to Canada, attracts Charter rights. Without embarking on a discussion of the Supreme Court’s (unclear) Hape decision, it would be unlikely that the Charter applies, and that the target has any section 8 rights. And I am not among those inclined to think international law imposes meaningful privacy obligations on Canada in these circumstances – and certainly not a judicial pre-authorization requirement.  I do think there could be extraterritorial enforcement jurisdiction violations in international law, but in the area of spying it is a close call; international law is, as I have said, creatively ambiguous in this area. So I would not embark on the “judicialization of intelligence” in such a manner, again assuming there was no prospect of a Canadian nexus.  I make these sorts of points in greater detail in this article.

So my initial point: To simply superimpose IC oversight on cyber ops MA means, under the current architecture, asking the IC to approve all CSE cyber ops activities. (ss. 30 and 31). 

Would this be a good thing?

That may sound like a good idea right out of the gate.  But I have been going around in circles because I find it complex. I thought I’d memorialize my struggles.

  • First, cyber ops should not, if the Act is applied properly, implicate the collection of information, except as properly authorized by a FI/CS authorization (s.35(4)).  Right away, this makes it unlawful under the statute to use cyber ops as a stalking horse for some sort of autonomous information collection activity (on top of likely unconstitutional to the extent that information collected does attract s.8 protections). So the privacy issues should be muted here, even if the activities authorized by the cyber op authorization may involve some of the same techniques/practices.
  • Second, some cyber ops may implicate other Charter rights and Canadian law. At first blush, this may be rare (even very rare) because those rights and laws are usually confined to the territory of Canada. That said, the “real and substantial connection” test may make things like criminal mischief commenced here and remotely conducted against a foreign computer a crime with a sufficient nexus to Canada. But I am not sure that superimposing the IC into the approval process for such actions is an *obligation*.  We do allow our security services to break statute law in pursuing aspects of their mandate and we don’t always require pre-authorization by a judicial officer.  For example, Criminal Code, s.25.1 for the police allows law-breaking through administrative approvals within the police services.  On the other hand, CSIS threat reduction power does oblige judicial pre-authorization for breaches of Canadian law, which would presumably include overseas conduct that, on a real and substantial connection to Canada basis, violates Canadian law (or in some other manner where the Canadian law applies extraterritorially).  The CSE Commissioner, in his brief, points to this CSIS precedent to justify his view that cyber ops should be subjected to IC oversight. It is hard to argue against this parallel.
  • Third, international law may be breached by cyber ops.  (And indeed, international law is likely breached by CSIS extraterritorial threat reduction and perhaps intrusive surveillance done in violation of a foreign state’s laws, and thus its sovereignty.  That is a violation in the area of extraterritorial enforcement jurisdiction.  I have argued that this international law breach would require pre-authorization by the Federal Court, under the current CSIS Act. See here.) Invasive cyber conduct and international law is an issue I have discussed here, in the context of covert action.

This third argument is a strong justification for an IC involvement in cyber op authorizations.  But it depends on a final supposition: that either international law or domestic law or good policy is served by having an independent judicial officer scrutinize Canada’s international conduct and bless (or not) breaches of it. There are many, many areas where Canada’s international obligations are engaged where we do not involve pre-vetting by judges. The overseas conduct of the Canadian Armed Forces is an example.  When the Canadian Armed Forces chooses to bombard an enemy, say in Afghanistan, it is reviewed for legality under international law, most notably by the JAG team.  But they do not seek the blessing of a judge. Our system expects (and under the terms of the Baker decision of the Supreme Court, I would argue, obliges) members of the executive to observe Canada’s international obligations in exercising their discretion.  But we do not then submit that judgment to advance approval by a judge – indeed, it is near impossible to subject it to any form of judicial review, as many of these matters are considered non-justiciable (if they do not raise Charter issues, which as suggested above they rarely do).

CSE cyber ops are the sort of activity that would typically be considered an exercise of defence or foreign policy, and absent some statutory displacement, governed by the royal prerogative.  That is why the military could hack away and turn off lights and never need to meet a statutorily-prescribed approval regime.  But because CSE only has statutory powers (since 2001), it must look to its statute to find the power for cyber ops. Hence, C-59.  So the question is: because CSE is a statutory creature, should the once relatively unfettered powers to engage in defence and international affairs now implicate judicial pre-authorization?

This provokes additional questions: would we be best served by an IC looking at all cyber ops to establish the reasonableness of them?  If so, would the IC be empowered to assess the inevitable political dimension of the minister’s authorization – his or her judgment, for example, that the security risk posed by a malignant server justifies CSE reaching out and turning it off? Or would we craft language confining the role of the IC to indisputably legal issues? If so, would the IC be better equipped to assess Canada’s compliance with international law than the executive?  Which raises a question: then why stop with IC involvement in the cyber world? Should the artillery officer's orders also be pre-vetted by a Combat Commissioner for compliance with IHL (international humanitarian law)?

The bottom line: I am torn on this issue. I worry about giving the IC too global a role in areas of high policy where he or she would not be equipped to apply rules, but rather second guess political judgment.  For one thing: the IC then ends up wearing whatever they approve.  And if they dispute, without clear legal standards to ground that dispute, then we have a clash of responsibilities. Who should be responsible for these decisions of high policy: a minister accountable to Parliament or an appointed quasi-judicial officer?

On the other hand, if you agree that judicial pre-authorization is required for extraterritorial CSIS threat reduction (at minimum), what’s good for CSIS under threat reduction should probably also be good for CSE under cyber ops. I must say, in both cases, I wonder a lot about what a court (or the IC, if its remit is extended) would say in response to an op that violates, say, the sovereignty interest of a foreign state.  This is a whole lot of novel territory.  Which makes it interesting, but also worthy of close consideration.

I am probably missing much and wrong on other issues, but heck, it’s my blog.  This is probably one of those entries that will soon be supplemented with a lot of supplemental additions.

 

Wednesday, Jan 31, 2018

C-59 and collection of all that is in the eye of the beholder?

A number of really interesting briefs have been prepared by various stakeholders, going into the next round of House of Commons legislative hearings on bill C-59.  Many seek to ratchet tighter the accountability structures in the bill, especially for CSE and CSIS (where they don’t call for the outright abandonment of these agencies’ proposed new powers).

I haven’t had a chance to review all the specific ideas, but two of these sets of recommendations stand out for me in this area.  Let me address the first in this post, and a second in one to follow.

Stakeholders have expressed a recurring concern about “publicly available” information.  Both CSE and (to a slightly lesser extent, in relation to datasets) CSIS are exempted from the special oversight accountability structures imposed on information collection, where the information is said to be “public”.  Indeed, in relation to “publicly available information”, CSE is relieved of its obligation not to direct its activities at Canadians. Neither the CSE nor the CSIS dataset rules include a truly meaningful definition of public information, raising concerns about the fuzzy line between public and not-so-public.  The phone book (does it still exist?) is one thing. Hacked information now spilled out on the web and technically publicly available "at the time of its collection" (the CSIS definition) is another. Should there be safeguards on its collection, retention and use by intelligence agencies?  The CSIS amendments provide rules on the retention, querying and exploitation of public information, yes, but exempt it from the more thorough independent vetting system for other sorts of datasets.

On the one hand, it would be naïve and prejudicial to ask intelligence agencies to turn a blind eye to any source of information within legal mandate and contributing to their mission.  On the other hand, it would be pernicious to create a nudge-nudge-wink-wink intelligence service market for unlawfully acquired information.  Or even, possibly, lawfully released information revealing personal information in unexpected ways.  Given the Supreme Court’s trajectory, it is possible it will ultimately conclude that a person retains a constitutional privacy interest in even public information (at least of a certain character). 

But even if Charter s.8 does not go this far, there may be policy reasons to treat the state’s acquisition of “public” information differently than similar private sector activities. For one thing, the private sector is not generally equipped with guns and jails and the coercive apparatus of the state.  Nor does it have access to the full panoply of information we are all compelled to provide to the state, in our interaction with its regulatory function (think tax info). So the state has unparalleled capacity to scrape public information and combine it with both closed intelligence and other state-acquired information.  That gives “public” information a qualitatively different significance in the hands of the state.  Predicting in advance what implications this has is impossible, which is an argument in favour of an independent oversight function even where “public” information is at issue.  (Back-end review seems insufficient, especially since review bodies have powers of recommendation, only. And in some instances in the past, issues raised by these bodies have taken years to redress. Independent pre-authorization, required to undertake the activity, is a more robust way to oblige careful consideration of the dilemmas, and if section 8 were ever engaged, is likely required anyway.)

All of this is to say that these concerns are worth redressing, at minimum by plugging even public information acquisition into the independent vetting systems anticipated for both CSIS datasets and CSE foreign intelligence and cybersecurity mandates.  I fear that otherwise, this issue will become a festering source of unease about the good faith of the security services, and perhaps a source of future controversy.

Friday, Dec 15, 2017

A Warrant for All Seasons: Four New Charter Section 8 Cases

And on the fourth day of Christmas, federally-appointed judges gave to us…four new Charter s.8 cases.  There are two Federal Court cases involving CSIS intercept of IMSI information and seeking access to subscriber data. And two Supreme Court cases involving text messages received by the recipient and stored by the service provider.

Here are the one-paragraph (often one long run-on sentence) summaries:

  • In the Matter of Islamist Terrorism (2017 FC 1047): In the course of targeted investigations under s.12 of the CSIS Act, CSIS may intercept International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI) numbers emitted by mobile communications devices connecting to cellular networks without warrant, even though the privacy interest protected by section 8 applies, where CSIS does so in a minimally intrusive manner without seeking means of identifying the individual (in practice, because they already know who it is), does not capture communications content, does not geo-locate, does not interfere with 911 and emergency communications, and destroys all incidentally collected, non-target information.  Bulk collection would be a different story (which is why this case is, in net, bad for CSE and its incidental collection of private communications and metadata).
  • In the Matter of XXXX Threat-Related Activities (2017 FC 1048): CSIS cannot obtain a general court authorization allowing it to obtain basic identifying information from communications service providers for individuals whose identities are not yet known, but who may come to CSIS’s attention in the future, and the court cannot delegate such an authorization function when persons do come to CSIS’s attention to a designated CSIS official.  But CSIS may obtain such authorization from the court for individuals and, indeed, classes of individuals where the court can understand the nexus between that class and the investigation, on a reasonable grounds to believe standard.
  • R v. Marakah (2017 SCC 59): A sender retains a reasonable expectation of privacy in the communication, and inferences that can be drawn from it, stemming from text messages sent to a recipient and the diminishment of this control because the text message passes through a service provider and could be shared by the recipient does not change this and a warrantless search of the recipient’s phone to obtain these messages in circumstances where there was no plausible “search incident to arrest” breaches section 8 of the Charter.
  • R v. Jones (2017 SCC 60): A service provider may properly intercept text messages for service delivery purposes, but this does not negate the sender’s reasonable expectation of privacy and the police must generally have court authorization to then obtain these text messages. Historical text messages may be obtained through the general production order in s.487.014 of the Criminal Code (on a reasonable grounds to believe standard) and need not receive a wiretap authorization under Part VI of the Criminal Code, unless the intercept will involve prospective communications, as opposed to historic communications.

These cases, combined with the federal Privacy Commissioner’s decision on a complaint about RCMP IMSI collection activities, create, well, a maze.  The Privacy Commissioner concluded in September that RCMP warrantless collection was unconstitutional.  This is hard to square with the new Federal Court’s decision on CSIS, but the Privacy Commissioner would probably say that the RCMP offered no specifics on what they were doing of the sort that led the Federal Court to conclude that CSIS’s warrantless intercepts were still reasonable, although done warrantlessly.

So here’s a brief scenario.

Hans, the scheming villain from a famous holiday classic, is working for the Chinese government, and conducting himself in a manner that constitutes a threat to the security of Canada under the CSIS Act and a violation of the criminal provisions found in the Security of Information Act (SOIA).  So both CSIS and police have investigations underway (and are doing all that difficult deconfliction work that is a Canadian thing).

CSIS knows that Hans has a cellphone and they want to figure out what the IMSI number is.  So they conduct a targeted intercept meeting the standards described In the Matter of Islamist Terrorism (above).  They do this without warrant.

RCMP also wants to know what Hans’s IMSI number is. So either CSIS gives it to them through an advisory letter (which seems very, very unlikely).  Or they collect it themselves.  But they have to use s.492.2 of the Criminal Code to get a transmission data recorder order from a judge, on a reasonable grounds to suspect standard.

Now CSIS wants to know where Hans has been going and what he will be saying.  So they need to go to Federal Court and obtain judicial authorization for an intercept under s.21 of the CSIS Act, on a reasonable grounds to believe standard.  Section 21 is a one-standard provision for all sorts of intercepts, so this same standard will apply for archived geolocational metadata (obtained from a service provider) and content (wiretapped).

And now the police also want to know where Hans has been going and what he will be saying. To know what he is saying, they need a Part VI Criminal Code warrant, allowing a wiretap. This too is on a reasonable grounds to believe standard.  But for archived geolocational data, the police may be able to obtain a production order directed at the service provider, requiring that this sort of “transmission data” (metadata) be produced. Transmission data production orders may be obtained on a reasonable grounds to suspect standard.

So perhaps the police, who find it easier to share with CSIS than vice versa, can share the transmission data with CSIS, obviating the need for CSIS to get their own metadata-related warrant?

Both CSIS and the police decide they should also figure out what Hans has been texting his friends in Beijing. Again, CSIS proceeds via Federal Court authorization under s.21 of the CSIS Act, for both archived texts and future intercepts.  This requires a reasonable grounds to believe standard.

As per Jones, the police for their part can obtain the archived text messages from the service provider using a general production order under s.487.014 of the Criminal Code, issued by a judge on a reasonable grounds to believe standard.  But to track his on-going texts, they need a Part VI wiretap order, on a reasonable grounds to believe standard.  (And even if they had Hans’ friend’s phone, Marakah establishes they would need a search warrant to search it for the text messages, on a reasonable grounds to believe standard.  Of course, if they arrested Hans they might be able to search his phone without warrant, as a search incident to arrest per Fearon.  But Hans would need to have left it unlocked.)

This is all getting rather complicated. A “cacophony of lawful access rules” joins “herd of bison”, “murder of crows” and “pack of wolves” as a Canadian thing.  It will be interesting to see if the government moves on lawful access reform in 2018. (So far this is a government showing real appetite to fix big things in the national security/public safety law space.)
