Published by The Lawfare Institute
in Cooperation With
In this second post in our series about Canada’s national security law reform, we begin a discussion of changes proposed for the Communications Security Establishment (CSE), Canada’s primary signals intelligence and cybersecurity agency. We focus specifically on how Canada will address an issue that has also arisen in allied states: oversight of bulk collection that may incidentally include communications involving nationals.
The CSE is Canada’s best financed—but least known—intelligence agency, and is Canada’s equivalent to the U.S. National Security Agency and the U.K. Government Communications Headquarters (GCHQ). With these agencies and their Australian and New Zealand counterparts, CSE participates in the Five Eyes signals-intelligence alliance. And with these agencies, CSE confronts the new legal complications stemming from the evolution of technology.
At present, CSE has three mandates: to gather signals intelligence; to provide cybersecurity advice and guidance, and to provide technical assistance to federal law enforcement and security agencies. Under the first mandate, CSE acquires foreign intelligence from the “global information infrastructure”; that is, electronic emissions and information from other technology networks (such as the internet). The cybersecurity mandate involves providing “advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada.” However, these mandates have created conundrums.
CSE Activities in a World of Webbed Communications
In conducting its foreign intelligence and cybersecurity functions, CSE casts its eyes outward: It cannot direct its activities at Canadians or any person in Canada. It also takes steps to protect the privacy of Canadians because of the inevitability of incidental acquisition of Canadian information. In acquiring information from the global information infrastructure or performing its cybersecurity role, the CSE cannot know in advance whether Canadian or data of Canadian origin will be swept up within its acquisition activities.
In the current National Defence Act, therefore, CSE may (and does) obtain special “ministerial authorizations” when it might inadvertently sweep in Canadian “private communications” within the meaning of Part VI of the Canadian Criminal Code—“telecommunications” with a nexus to Canada. There are presently three classified authorizations for foreign intelligence and one for cybersecurity. Authorizations endure for no more than a year and are broad—involving classes of activities and not individual activities.
The current rules suffer from two problems. First, technology has evolved considerably since the original enactment of CSE’s powers in 2001. Now, the focus is on “metadata”—the information that surrounds a communication, such as email addresses, routing information, duration and place of calls. The government’s view has been that these metadata are not a component of a private communication for which a ministerial authorization must be sought.
But second, whether CSE obtains a ministerial authorization or not, there are evident constitutional issues under Section 8 of the Canadian Charter of Rights and Freedoms, Canada’s constitutionalized bill of rights. Section 8 protects against unreasonable searches and seizures. In practice, that usually means that authorities may only interfere with a reasonable expectation of privacy under a warrant authorized in advance by an independent judicial officer; that is, someone able to act judicially. Wiretaps, for instance, must be authorized by judicial warrant in almost all circumstances. Ministers of national defence are not independent judicial officers, and yet under the current Act, their authorization is what permits CSE’s collection of private communication.
For their part, metadata do not include the content of a communication. But pieced together, and sometimes alone, they can be revealing of a person’s habits, beliefs and conduct. Metadata are often information in which there is a reasonable expectation of privacy, especially when compiled as a mosaic. While its decision was focused on a specific sort of metadata, this conclusion is supported by the Supreme Court of Canada’s 2014 holding in R. v. Spencer. There, the court held that even the most innocuous of nameplate information tied to a digital trail—subscriber information associated with an IP address—attracts constitutional protection. (Canada has not followed the U.S. “third party” doctrine; in practice, in cases like Spencer and those before and since, it has not mattered that the electronic communication transits through—or is stored by—a service provider.)
The risk, therefore, is that CSE now acquires information that enjoys constitutional protection without going through the independent judicial officer process (or anything approximating the process) required by the constitution. That is, at core, the issue in a constitutional challenge brought by the British Columbia Civil Liberties Association to CSE’s law and metadata practices.
The reform challenge lies in creating a regime that meets constitutional standards while recognizing that CSE’s collection activities are very different from conventional surveillance activities by police or Canada’s human intelligence agency, the Canadian Security Intelligence Service. The latter agency invades privacy under warrants that meet strict specificity standards, identifying targets and the scope and nature of the intrusion. CSE, by comparison, does not target Canadians and persons in Canada under its foreign intelligence and cybersecurity mandates. An authorization regime must, therefore, take into account the “foreseeable but incidental” nature of the collection.
These challenges have similarly been addressed in the U.K. Investigatory Powers Act and the American FISA Section 702 process. Canada’s proposed solution in bill C-59, currently before Parliament, emulates the approaches taken in these countries, and especially that of the United Kingdom.
Institutionally, C-59 creates a new office—the intelligence commissioner, who would be a retired superior court judge. The intent is to create an office occupied by an “independent judicial officer.” Among their functions, commissioners will be charged with reviewing “Foreign Intelligence Authorizations” and “Cybersecurity Authorizations” issued by the minister of national defence. To be clear, these will not be target-specific authorizations, but as in the current system, ones that authorize “activities or classes of activities.”
The difference between C-59 and the existing regime is the requirement that any ministerial authorization be vetted and approved, in writing, by the commissioner before it is valid. This is not after the fact review, but advance oversight by the intelligence commissioner—a judicial officer. This is the “warrant-like” feature of the proposed C-59 regime, although the authorization will lack the specificity of a conventional warrant and amounts only to review on a reasonableness standard.
Whether this system satisfies the Charter of Rights and Freedoms will depend on a court being persuaded of the constitutionality of a novel authorization system that approves activities and classes of activities lacking the specificity of a regular warrant. My own view is that it should, as there is no other obvious alternative when the collection of constitutionally protected information is incidental rather than intended. There is also some Canadian jurisprudence suggesting that the requirements under Section 8 of the Charter may apply differently in response to the different nature of national security, as opposed to police investigations. (Even in its most famous Charter Section 8 case, the Supreme Court of Canada suggested “[w]here the state’s interest is not simply law enforcement as, for instance, where state security is involved, … the relevant standard [for a judicial authorization] might well be a different one” than the usual reasonable and probable grounds tied to a specific crime.)
Not every commentator will agree with the new system or agree that the intelligence commissioner is adequately empowered or independent in the current drafting of the bill. But as C-59 is debated in Parliament, there appears to be little opposition to the commissioner playing an oversight role over foreign intelligence and cybersecurity.
I end this post, therefore, with a very specific concern about the proposed reform: The C-59 changes will only cure constitutional preoccupations if they steer each and every activity that might implicate constitutionally protected information through the commissioner-vetted ministerial authorization process. At present, there is no clear obligation to seek authorization for the type of information now generating the greatest constitutional controversy—Canadian-origin metadata. Certainly, as a policy matter, the government clearly takes the view that all information collection implicating Section 8 rights should be steered through the intelligence commissioner process. It remains to be seen, however, whether Parliament will go one step further and entrench in the statute a commissioner oversight role in relation to all information raising constitutional concerns.