National Security

Highlights from NSIRA’s 2022 Annual Report

/ Christopher Parsons

The National Security and Intelligence Review Agency (NSIRA) tabled its annual report on October 30, 2023. NSIRA is responsible for conducting national security reviews of Canadian federal agencies, and its annual report summarises activities that have been undertaken in 2022. The report also discusses new policies and capacities concerning its review activities.

In this post, I summarise and discuss many of the central items in the annual report. This includes the Agency’s approach to developing themes and categorising recommendations, aspects of particular the reviews, how NSIRA’s technology directorate is developing, the ways in which NSIRA is maturing how it measures engagements with reviewed agencies and associated confidence ratings, and its international engagements.

Significantly, this annual report includes several explicit calls for legislative review as pertain to complaints investigations. It is, also, possible that the Agency may be building an evidence-based argument for why law reform may be needed to ensure that NSIRA can obtain adequate access to information or materials to conduct reviews of some government agencies.

Themes and Categorisation of Recommendations

NSIRA has been developing and issuing recommendations to government institutions for multiple years. The result is that the Agency can begin to categorise the kinds of recommendations that it is issuing. Categorisation is helpful because it can start to reveal trends within and across reviewed institutions and, then, enable those institutions to better focus their efforts to update organisational practices. Moveover, with this information NSIRA may generally be able to monitor for substantive changes in common problem areas both within and across reviewed agencies.

The following table re-creates the categorisation descriptions in NSIRA’s annual report(see: page 3).

Theme Topics
Governance
  • Policies, procedures, framework and other authorities
  • Internal oversight
  • Risk management, assessment and practices
  • Decision-making and accountability, including ministerial accountability and direction
  • Training, tools and staffing resources
Propriety
  • Reasonableness, necessity, efficacy and proportionality
  • Legal thresholds and advice, compliance and privacy interests
Information management and sharing
  • Collection, documentation, tracking, implementing, reporting, monitoring and safeguarding
  • Information sharing and disclosure
  • Keeping and providing accurate and up-to-date information, timeliness

This tripartite division lets NSIRA categorise all of the different recommendations it has made in its 2020, 2021, and 2022 annual reports, which has the effect of showcasing trends over the years. I have republished NSIRA’s chart denoting these trends, below.

Graph image: Trends in finding and recommendations - Text version follows

Analysis of Themes and Categorisation of Recommendations

I can’t immediately think of items that do not fit in the categories that NSIRA has developed, though it will be interesting to observe over time whether this categorisation will continue to capture all possible types of recommendations. Further, with this categorisation schema now in hand, will this affect the crafting of recommendations so that they clearly ‘fit’ within each of these categories?  Will single recommendations sometimes fit within multiple categories?  Or is it possible that additional categories may be developed based on future recommendations?

I can see the strong utility of this, generally, for organisations — be they government or non-government — to track the kinds of recommendations they are making. It could both assist with internal tracking and governance measures while, also, focusing in on the core classes of issues that are being found within and across organisations that are under review, or otherwise subject to external examinational or critique.

Reviews

The reviews section of NSIRA’s annual report summarises the reviews that the Agency has undertaken over the past year, with those full reports generally available on NSIRA’s website.1

Reviews of CSIS Activities

NSIRA provides a range of different statistics concerning CSIS’ activities, including those concerning:

  • Warrants that are sought
  • Threat Reduction Measures (TRMs)
  • CSIS targets
  • Dataset evaluation and retention
  • Justified commissions of activities that otherwise would involve committing or directing the committing of unlawful acts
  • Compliance incidents

In what follows I identify noteworthy aspects of the statistics and associated narratives provided. First, warrants sought by CSIS may be used “to intercept communications, enter a location, or obtain information, records or documents. Each individual warrant application could include multiple individuals or request the use of multiple intrusive powers.” It is worth highlighting that NSIRA has explicitly stated in footnote 15 that:

A number of warrants issued during this period reflected the development of innovative new authorities and collection techniques, which required close collaboration between collectors, technology operators, policy analysts and legal counsel.2

Warranted authorisations were granted under section 12,3 16,4 and 21 5 of the CSIS Act as well as two authorisations under section 11.13 6. The total number of warrants that have been sought and approved are in line with previous years’ statistics, standing at 28, with 6 being new, 14 being replacements, and 8 being supplemental.

TRMs can be sought and exercised without requiring judicial authorisation, so long as the activity in question does not “limit a right or freedom protected by the Canadian Charter of Rights and Freedoms or would otherwise be contrary to Canadian law”.  Warrants are required when an activity would conflict with Charter rights or Canadian law. The number of authorisation sought (16) was about in the middle of the lower (10) and upper (24) bounds of requested authorisations in previous years, and executed TRMs (12) is similarly in the middle of the lower (8) and upper (19) bounds of past years’ statistics.

CSIS targets have declined over the past 5 years, moving from 430 targets in 2018 to 340 in 2022. However, this number can be misleading on the basis that a target could be for an individual or a group composing many people.

CSIS continues to notify NSIRA about judicial authorisations or ministerial authorisations to collect Canadian or foreign datasets, in excess of what the Service is required to do under the law. Generally, the statistics show that evaluated datasets tend to be retained and neither the Federal Court, Minister, or Intelligence Commissioner have denied CSIS the ability to retain evaluated datasets.

There have been considerable increases in the number of authorizations to CSIS personnel to undertake activities that involve “committing an act or omission themselves (commissions by employees)” or directing “another person to commit an act or omission (directions to commit) as a part of their duties and functions.” Relatedly, there have also been more commissions/directions to commit that have been recorded. Statistics are denoted in the below table, which was produced by NSIRA.

Finally, the compliance information provided by NSIRA shows a growing breakdown of the ways in which CSIS activates can found to be non-compliant with either Canadian law, the Charter, warrant conditions, or CSIS governance practices.

Analysis of CSIS Activities

A few things clearly drew my attention.

  1. It is unclear what the new warranted authorities or collection activities have involved, but the listing of parties involved in developing these suggest that there may be a notable expansion in CSIS capabilities.
  2. It might be helpful in future reports to have a footnote explaining the difference between new, replacement, and supplemental warrants. The last item, in particular, is a term that I’m not familiar with, which suggests that many others reading these reports who are not national security insiders or legal experts may have similar questions.
  3. That no judicially supervised TRMs have been undertaken is notable and suggests that these measures may not yet have risen to concerns raised by some civil society and other actors. In particular, past concerns have focused on how how these techniques could affect residents of Canada and their Charter rights.
  4. We still lack clear an understanding of what, precisely, is being evaluated or retained by CSIS when it collects datasets and subsequently analyses them. This remains a significant blindspot and prevents the public or legislators from clearly understanding what, exactly, CSIS can do (or is doing) with retained datasets.
  5. The justifications framework makes clear that more and more activities are being undertaken which would, otherwise, be unlawful. It is an open question whether these activities may impede the ability of federal law enforcement, or other parties, to use the Criminal Code (or other legislation) to take action against individuals or groups in Canada who have been targeted by CSIS.  Specifically, what (if any) relationship is there between these justified activities undertaken by CSIS and the One Vision 3.0 framework between the RCMP and CSIS?

Communications Security Establishment

NSIRA undertook two reviews of CSE activities, including about Active Cyber Operations (ACO) and Defensive Cyber Operations (DCO), and of an undisclosed foreign intelligence activity.

NSIRA found that “ACOs and DCOs that CSE planned or conducted during the period of review were lawful and noted improvements in GAC’s assessments for foreign policy risk and international law” and as well as that “CSE developed and improved its processes for the planning and conduct of ACOs and DCOs in a way that reflected some of NSIRA’s observations from the governance review.” However, “NSIRA faced significant challenges in accessing CSE information on this review. These access challenges had a negative impact on the review. As a result, NSIRA could not be confident in the completeness of information provided by CSE.7

The CSE collection activity is not described in any detail, though NSIRA “identified several instances where the program’s activities were not adequately captured within CSE’s applications for certain ministerial authorizations.”

NSIRA has had challenges with its reviews of CSE’s operations since the Agency’s establishment. In 2022, this led to NSIRA’s Chair meeting with the Minister of National Defence “to discuss ongoing issues and challenges related to NSIRA reviews of CSE activities.”

The NSIRA annual report includes an extensive set of statistics about the CSE’s activities. To begin, there has been an additional cybersecurity as well as active cyber operations authorisation in 2022 versus 2021, with the effect that there are now:

  • 3 foreign intelligence authorisations
  • 3 cybersecurity — federal and non-federal — authorisations
  • 1 DCO authorisation
  • 3 ACO authorisations

We can expect that at least some of these may be linked to the Canadian government’s (and CSE’s) efforts to help Ukraine in its fight against Russia’s illegal war of aggression. However, the general breadth of Ministerial Authorisations are such that any new ones will cover off large categories of activities which could be undertaken in a variety of situations or locations.

My colleague, Bill Robinson, may be pleased to see that CSE is authorising NSIRA to identify the number of reports CSE is releasing (3,185 in 2022), to the number of agencies/departments (26 in 2022), and the number of clients within departments/agencies (1,761 in 2022). He will likely be less pleased to see (as am I) that CSE refuses to release statistics concerning:

  • The regularity at which information relating to a Canadian or a person in Canada, or “Canadian-collected information” is included in CSE’s end-product reporting
  • The regularity at which Canadian identifying information (CII) is suppressed in CSE foreign intelligence or cyber security reporting
  • The number of DCOs or ACOs which were approved, and carried out, in 2022

The regularity at which CII information was released, however, was provided for Government of Canada requests (657) and Five Eyes requests (62). There was an aggregate decrease from 831 requests in 2021 to 719 requests in 2022, with CSE denying 65 of the 2022 requests and 51 of the requests still being processed.

There were more privacy incidents registered by CSE itself (114 in 2022 versus 96 in 2021) and a reduction in second-party incidents (23 in 2022 versus 33 in 2021). No specific information about the nature of the incidents are provided.

There was a large number of cyber incidents that were opened by the Canadian Centre for Cyber Security. This included 1,070 affecting federal institutions and 1,575 affecting critical infrastructure.

While not as detailed as past work by Canadian reporters, which once identified how many times CSE provided assistance to specific federal partners, NSIRA’s 2022 annual report does continue to disclose how frequently CSE receives requests for assistance. In 2022 it received 62 requests (up from 35 in 2021), with 1 cancelled and 2 denied, resulting in 59 being approved.

Analysis of CSE Activities

There are numerous things that are of note in the section of CSE.

  1. Despite having reviewed ACO and DCO activities, NSIRA was unable to be confident of the information it had been provided when conducting the review. Put differently, we should take the outputs of the review with a grain of salt, and this matters both on a governance level as well as because ACOs and DCOs have the potential to be extremely impactful to individuals’ Charter or human rights.8
  2. Issues between NSIRA and CSE have risen to the level that the Chair of NSIRA and Minister of National Defence are meeting. This is suggestive that issues could not be resolved at the senior staff level despite years of effort to do so. Escalating this to the Minister is about as high-level a complaint or concern that NSIRA can raise within the government hierarchy.
  3. A mainline privacy concern is how frequently CII is being collected and, subsequently, included in reporting. That CSE continues to refuse to provide statistics on how often it is being suppressed impedes the public’s and politicians’ abilities to understand how much ‘incidental’ collection of CII occurs in the course of the CSE’s activities. A similar complaint can be made concerning CSE’s refusal to release statistics about the regularity at which information related to a Canadian or person in Canada, or “Canadian-collected information” is included in end-product reporting. This issue has even greater salience given that Bill C-26, which addresses critical infrastructure and cybersecurity, is currently at Committee. If passed into law, even more CII or information related to Canadian persons could be obtained by CSE.
  4. It is unclear whether critical infrastructure incidents opened with the Cyber Centre included just federally regulated institutions or all critical infrastructure providers (including those under provincial jurisdiction). The effect is to impair an understanding of how much work CSE is undertaking on behalf of provinces (or to support provinces in protecting infrastructure) .
  5. There has been an explosion in how frequently CSE is providing assistance to other federal partners, but it is unclear who specifically is receiving the assistance or to what effect. While the expansion may be linked to the war between Ukraine and Russia, there may be other factors at play which are hidden from the reader due to how NSIRA is permitted to disclose information in its annual report.

Other Departments

NSIRA also conducted reviews of the Department of National Defence and the Canadian Armed Forces (DND/CAF), Canadian Border Services Agency (CBSA), and mandated annual reviews under the Security of Canada Information Disclosure Act (SCIDA) and Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA). Key points include:

  • The DND/CAF review saw NSIRA conclude that DND/CAF’s human source handling actives may be being undertaken in ways that are, in NSIRA’s opinion, potentially unlawful. The Minister disagreed, with NSIRA believing that the Minister’s conclusion was a result of applying an inappropriately narrow interpretation of the facts and the law. Further work will continue on this file.
  • CBSA’s air passenger targeting review found areas needing improvement, including surrounding documentation practices, and demonstrating adequate justification for its selection of indicators as signals for increased risk.
  • GAC was found to need to improve on its disclosure policies under SCIDA, on the basis that GAC “did not meet the two-part threshold requirements of the SCIDA before disclosing the information, which was not compliant with the SCIDA.”
  • The definition of “significant risk” related to avoiding complicity in mistreatment by foreign entities does not exist in legislation, which continues to create challenges. NSIRA is calling for this to be addressed in future legislative reform. Moreover, neither the CBSA or Public Safety Canada have fully implemented a framework under the ACA.
  • NSIRA has moved to begin closing certain ongoing work or not ultimately produce a final report to a Minister. Other work–including a NSIRA review of how the RCMP handles encryption in the interception of privacy communications in national security criminal investigations–has been deconflicted, given the activities of other review and oversight bodies such as the National Security and Intelligence Committee Of Parliamentarians (NSICOP).

Analysis of Other Departments

  1. This is not the first time that the activities undertaken by DND/CAF have been subject to critique, such as NSIRA’s assessment of the Canadian Forces National Counter-Intelligence Unit. NSIRA’s ability to examine some of these activities continues to showcase the importance of having a review agency that can comprehensively undertake review across all national security bodies. Moreover, that it is flagging review areas (e.g., the 2020 annual report noted that additional reviews had been initiated/planned, including on DND/CAF’s HUMINT capabilities) and following through speaks well to NSIRA’s ability to meet its commitments.
  2. There are real risks to individuals when agencies inadequately comply with the ACA. As I have written previously, without adequate frameworks there is a concern that “some agencies will continue to obtain information from, or disclose it to, foreign states which are known to either use information to facilitate abuses, or that use torture or other mistreatment to obtain the information that is sent to Canadian agencies. Which agencies continue to support information sharing with these kinds or states, and their rationales for doing so, should be on the record so that they and the government more broadly can be held accountable for such decision making.”
  3. It’s worth highlighting that NSIRA is calling for legislative reform to create the definition of “significant risk” concerning the ACA.
  4. Decisions to close certain reviews–or at least not issue a report to a relevant Minister–reveals a growing maturity within NSIRA as it develops policies and procedures on how to advance its work. I am curious as to whether a decision to not issue a report to a Minister may, still, result in functional improvements in how government agencies undertake select national security activities. Further, the NSICOP report on the RCMP’s handling of encryption will be important to read once it is published given the longstanding debate in Canada over encryption and encryption policies.

Technology Directorate

NSIRA continues to build up its internal technical capabilites, with its team now including engineers, computer scientists, technologists and technology review professionals. The mandate of the Directorate is expansive, and includes:

  • Lead the review of Information Technology (IT) systems and capabilities
  • Assess a reviewed entity’s IT compliance with applicable laws, ministerial direction and policy
  • Conduct independent technical investigations
  • Recommend IT system and data safeguards to minimize the risk of legal non-compliance
  • Produce reports explaining and interpreting technical subjects
  • Lead the integration of technology themes into yearly NSIRA review plans
  • Leverage external expertise in the understanding and assessment of IT risks
  • Support assigned NSIRA members in the investigation of complaints against CSIS, CSE or the RCMP when technical expertise is required to assess the evidence

The Directorate has 3 employees, as well as a cooperative education student and 2 external researchers. It has also built out links with academic researchers. In the coming year, it will continue to grow the number of employees, support ongoing education, and engage external researchers to build capacity. Curiously, the Directorate also intends to “prioritize unclassified research on a number of topics, including open-source intelligence, advertising technologies and metadata (content versus non-content data).”

Analysis of Technology Directorate

Generally, I am interested in how this Directorate is being developed and the processes that are being established for it to succeed. Specifically, how are external researchers are identified and leveraged? How has the external academic network been (or is being) developed? Answers to these questions could provide lessons for other regulators with different areas of responsibility but which possess (or are building) comparable technology teams.

The specifically stated areas of non-classified research is worth paying attention to. OSINT is a growing focus for national security and has been an area of invite-only meetings amongst Canadian national security practitioners over the past years. The topic area is, also, complicated by some guidance from the Privacy Commissioner of Canada, Treasury Board’s Privacy Implementation Notice 2023-03, and more generally by the United States’ Office of the Director of National Intelligence’s report on Commercially Available Information. This same report may, also, have overlaps with why NSIRA is interested in unclassified work concerning advertising technologies.9

Engagements with Reviewees and Confidence Statements

NSIRA tracks a number of variables that are used to understand the nature of its relationships with reviewed agencies and, also, due to some challenges with particular reviewed agencies has had to develop confidence ratings. These ratings are used to assess how confident NSIRA is in the comprehensiveness and accuracy of the materials it receives from reviewed bodies. The annual report serves to summarise the state of things during 2022.

When discussing engagements with reviewees, NSIRA has adopted a common text-template while, also, adding narrative text that contextualises whether the Agency is experiencing challenges with reviewed bodies. The variables that NSIRA reports on include:

  • Access to on-site office space
  • Whether lack of on-site access is an issue
  • Direct access to network resources or files of reviewed bodies
  • Whether there is an issue associated with how access to network resources or files is performed by a reviewed body
  • Whether information is produced to NSIRA in a timely manner
  • Overall whether the engagements are good, improving, or bad.10

I try to summarise the state of engagements with reviewed bodies in the below table.

Agency Office Space Space Issue? Network Access Access Issue? Timeliness Good / Improving / Bad
CSIS Y N Y N Y Good
CSE Y ? Partial Y/? Partial Improving from bad
DND/CAF Y N Y N Partial Good and improving
RCMP Y N N N Partial Improving
GAC N N N N Y Good
CBSA N N(?) N N Partial Good

NSIRA is now tracking delays when it requests information from reviewed bodies and has a three-part process of sending advisory letters to senior bureaucrats and, ultimately, Ministers when delays persist. Advisory letters were used 5 times in 2022, with 3 having been sent to CSE and 2 to RCMP. There is no explicit indication as to whether these letters were to senior bureaucrats or to the Minister.11

Moreover, NSIRA has expanded the criteria to assess the responsiveness and ability to verify information. These include the following criteria:

  • Timeliness of responses to requests for information
  • Quality of responses to requests for information
  • Access to systems
  • Access to people
  • Access to facilities
  • Professionalism
  • Proactiveness

Analysis of Engagements with Reviewees and Confidence Statements

While I appreciate that there may be sensitivities in presenting a table that summarises the nature of NSIRA’s engagements with reviewed agencies, it might be helpful to consider including in the future as more data is accumulated so that NSIRA can provide year-over-year comparisons. Information in this format may be particularly useful to identify areas of improvement for Ministers or their deputies.

NSIRA is, also, clearly trying to mature its confidence statement process. We have moved from what was a ‘tripwire system’ in the 2020 report to a much more robust way to collect, and present, information about the behaviour of reviewed bodies. How this affects confidence statements may be the next step in this maturity process.

Other Items

Complaints Investigations

NSIRA discusses that it is developing processes to more quickly address complaints that it receives. There are two particular calls for law reform around investigations.

  1. [A]n allowance for NSIRA members to have jurisdiction to complete any complaint investigation files they have begun, even if their appointment term expires.
  2. Broadened rights of access to individuals and premises of reviewed organizations to enhance verification activities.

Notably, NSIRA is calling for enhanced education–not new powers–with regards to increasing awareness of its mandate around complaints. The Agency writes that,

… members do not have the ability to make remedial orders, such as compensation, or to order a government department to pay damages to complainants. NSIRA continues to make improvements to its public website to raise this awareness and better inform the public and complainants on the investigations mandate and investigative procedures it follows.

Analysis of Complaints Investigations

First, the calls for legislative reform suggest that there has been an issue with a retiring member not being able to complete a file, which added to the transaction costs of handling an investigation, as well as challenges in being able to verify information or activities.

Second, that education and awareness is being called for with regards to members’ abilities and powers, as opposed to calling for new powers, may be indicative of where NSIRA is prioritising its present legislative law reforms. It may, also, speak to NSIRA not wanting to expand its mandate with regards to complaint processes at the present moment in time.

NSIRA Partnerships

NSIRA continues to develop international partnerships and meet with other review bodies, including: the Five Eyes Intelligence Oversight and Review Council, the UK’s Investigatory Powers Commissioner’s Office, Australia’s Inspector-General of Intelligence and Security, the International Intelligence Oversight forum, as well as visiting with the Norwegian Parliamentary Oversight Committee on Intelligence and Security Services, Danish Intelligence Oversight Board, the Netherlands’ Review Committee on the Intelligence and Security Services, and the Swiss Independent Oversight Authority for Intelligence Activities.

NSIRA is also engaging with NSICOP, the Civilian Review and Complaints Commissioner for the RCMP, and the Office of the Intelligence Commissioner, along with legal professionals who are members of other agents of Parliament.

On a technology front, NSIRA has engaged the Privacy Commissioner’s Technology Analysis Directorate, AI technology team at the Treasury Board’s Office of the Chief Information Officer, and the Canadian Digital Service. Finally, the Technology Directorate is specifically identified as responsible for continuing to develop “domestic and international partnerships, including expanding its network with academics, civil society and commercial leaders to ensure key technological issues factor into its approaches.”

Analysis of NSIRA Partnerships

NSIRA is clearly engaging internationally and domestically to learn about, and potentially share, best practices and techniques for engaging with regulated entities. That NSIRA began to host international meetings in the fall of 2023 speaks well to its growing capacity and involvement amongst its peers.

Conclusion

NSIRA has produced another helpful annual report that explains a great deal to the public, and especially to those who have read and assessed many of the annual reports over the years. In particular, the continuing focus on process–how much access NSIRA has to reviewed agencies’ materials, the timeliness of that access, and quality of the engagements–is important should the Government of Canada move forward to consider law reform.

Law reform should, generally, be seen as a last-step measure when it comes to addressing issues between different government agencies. However, should NSIRA continue to suffer challenges in fulfilling its mandate due to lack of access to relevant review materials then changes should likely be considered when the government moves to introduce national security-related law reform.

Footnotes:

  1. Reviews which have not completed a declassification process, or for which there are no plans to declassify, are not available on NSIRA’s webpage. ↩︎
  2. Boldface not in original. ↩︎
  3. Per Public Safety Canada, “Section 12 of the CSIS Act mandates CSIS to collect and analyse intelligence on threats to the security of Canada, and, in relation to those threats, report to, and advise the Government of Canada. These threats are defined in the CSIS Act as espionage or sabotage; foreign influenced activities that are detrimental to the interests of Canada; activities directed toward the threat or use of acts of serious violence; and, activities directed toward undermining the system of government in Canada.” ↩︎
  4. Per Public Safety Canada, “Section 16 of the CSIS Act authorizes CSIS to collect, within Canada, foreign intelligence relating to the capabilities, intentions or activities of any foreign state or group of foreign states, subject to the restriction that its activities cannot be directed at Canadian citizens, permanent residents, or corporations.” ↩︎
  5. (Per Public Safety Canada, “Section 21 of the CSIS Act authorizes CSIS to apply for a warrant to conduct activities where there are reasonable grounds to believe that a warrant is required to enable CSIS to investigate a threat to the security of Canada or perform its duties and functions pursuant to Section 16 of the CSIS Act. The CSIS Act requires that the Minister of Public Safety approve warrant applications before they are submitted to the Federal Court.” ↩︎
  6. Judicial authorisation to retain a Canadian dataset ↩︎
  7. Emphasis not in original. ↩︎
  8. For more, see: “Analysis of the Communications Security Establishment Act and Related Provisions in Bill C-59 (An Act respecting national security matters), First Reading (December 18, 2017)“, pages 27-31 ↩︎
  9. In the United States, Senator Ron Wyden has continued to raise the alarm that commercial advertising and surveillance networks could endanger American national security. I fully expect the same threat to exist to Canadians as well. ↩︎
  10. Note: on this last item, I am taking liberties in reading between the lines to some extent in how I am categorising the nature of the engagements. NSIRA does not make such a blunt assessment of the status of their engagements. ↩︎
  11. Given that a meeting did take place between the Minister of National Defence and the Chair of NSIRA, this suggest at least one of the letters to CSE may have been to the Minister. ↩︎

NSICOP’s 2022 Annual Report

/ Christopher Parsons
Photo by Pixabay on Pexels.com

On July 19, 2023 the National Security and Intelligence Committee of Parliamentarians (NSICOP) released its annual report. The report continues the committee’s work of providing transparency around a number of the national security activities which are undertaken by the Government of Canada. This report assumes heightened importance because NSICOP’s authorizing legislation is now expected to undergo a 5-year review; this report is helpful in understanding what kinds of legislative reforms the Committee, itself, believes are important so as to maintain or enhance Canadian residents’ trust in the country’s national security agencies.

In this post I summarize the challenges that NSICOP believes face it, its proposed legislative reforms, and then briefly itemize notable aspects of reviews that are either underway or which have been concluded. Ultimately I believe that we can firmly state that NSICOP’s work has revealed important aspects of the Canadian national security community’s operations that were hitherto secret and, as such, the Committee’s members and staff are to be congratulated on their efforts over the past five years.

Challenges Facing NSICOP

NSICOP is reporting two key challenges.

First the government is not legislatively required to reply to the recommendations that are included in NSICOP’s reports. These recommendations are issued with the intent of “strengthening the policies, operations and accountability of the security and intelligence community.” While they may sometimes require the federal government to undertake additional activities NSICOP is hardly a ‘gotcha’ review body.

To its credit the government has begun to respond to some recommendations but the majority of those made by NSICOP have yet to be publicly taken up. Beyond indicating the effectiveness of NSICOP’s work—and thus ensuring that the public knows that NSICOP isn’t a paper tiger—responses from the government are important for unmasking some of the secrecy surrounding national security activities. Residents of Canada largely lack insight into the government’s national security policies. NSICOP’s recommendations, and how the government responds to them, provide some degree of light into an otherwise very dark and shadowy world.

Second the Committee is warning (again) that there is a serious issue around obtaining information to which the Committee is lawfully entitled. There are three stated situations where information is not being disclosed to NSICOP:

  1. Some departments have cited reasons outside the statutory exceptions found in the National Security and Intelligence Committee of Parliamentarians Act for not providing information that the Committee requested in past reviews
  2. Some departments selectively refused to provide relevant information, such as a departmental study, despite the Committee’s right of access under its enabling legislation
  3. The Committee is concerned that an overbroad legal definition of what constitutes a Cabinet confidence has had an impact on the Committee’s reviews

For any review agency to function it requires access to information that it is lawfully entitled to obtain, so as to assess agencies’ activities and provide meaningful recommendations or take other actions under its mandate. It is concerning that, in at least some cases, NSICOP reports that information it sought directly from organizations was only discovered through different sources, be they indirectly from third-party organizations or even from records released publicly under the federal Access to Information and Privacy regime.

Readers would be advised to consider the implications of the challenges facing NSICOP, and then place them alongside recent efforts by the National Security Intelligence Review Agency (NSIRA) to include a confidence statement with its recent reports due to NSIRA’s own challenges in sometimes obtaining the information it required to undertake its legislatively-mandated review functions. That both agencies have reported challenges in accessing documents raises questions about the review maturity of organizations which are now subject to national security review.

Proposed Legislative Reform

From a legislative reform standpoint, NSICOP is indicating that it will make two central submissions when called to discuss reforms to the NSICOP Act.

First, it will ask that the NSICOP Act be reformed to confirm that the Committee and its members can get improved access to information and, also, be able to better exchange information with other review bodies. This latter call—improved exchange of information—is notable and worth considering: where regulated agencies can coordinate amongst themselves it is imperative that their review agencies can, similarly, coordinate and exchange information. Such exchanges between review agencies serve multiple purposes, including:

  • sharing information relevant to a review
  • enabling better deconfliction processes
  • letting review agencies better coordinate when they are simultaneously examining the same subject from the slightly different perspectives associated with their respective mandates.

Second, NSICOP is stating that it will request legislative changes to better align its composition with the United Kingdom’s Intelligence and Security Committee (ISC). Specifically, NSICOP believes that becoming a body of Parliament (and not of the executive branch) would “enhance the independence and efficiency of the Committee.”

For clarity, the UK’s ISC is a committee of Parliament with a statutory responsibility for the oversight of the UK intelligence community. In shifting to this model NSICOP would no longer operate within the executive branch—and, thus, perceived as being subject to executive capture—and enable members of the public as well as parliamentarians to recognize that the Committee’s members were not being gagged or otherwise manipulated by merit of NSICOP being housed within the executive branch.

The decision to create NSICOP as an executive branch body was seen at the time as a way to slowly develop trust and capacity between parliamentarians and reviewed intelligence agencies, as well as guaranteeing that parliamentarians did not inappropriately handle information. Some who once called for NSICOP to be within the executive have, since, shifted perspectives and believe it should be turned into a parliamentary body. It remains unclear, however, whether the federal government similarly believes this would be an appropriate modification to NSICOP.

Both of these reforms would constitute significant shifts in the ability of the Committee to undertake its activities and will deserve careful and close thought, and assessments of the extents to which these reforms would genuinely enhance NSICOP’s capacity to fulfill its mandate.

Recent and Underway Reviews

2022 saw NSICOP complete or initiate a number of notable reviews. These include:

  • A Special Report on the Government of Canada’s Framework to and Activities to Defend its Systems and Networks from Cyber Attack (Completed)1
  • A Special Report on the National Security and Intelligence Activities of Global Affairs Canada (Completed)
  • A review of the lawful interception of communications of security and intelligence organizations and the “going dark” challenge (Ongoing)
  • A review of the RCMP’s Federal Policing mandate (Ongoing)

None of NSICOP’s proposed reviews in 2022 were deemed injurious to national security, nor was information denied to the Committee based on these grounds. Twelve agencies were required to provide a copy of their annual reports as required under the Avoiding Complicity in Mistreatment by Foreign Entities Act. Twelve provided them to NSICOP, though they are not reviewed or assessed in the annual report.

NSICOP did not receive any referrals by minister of the Crown to undertake a review of a national security or intelligence matter.

A Special Report on the National Security and Intelligence Activities of Global Affairs Canada

This special report was tabled in November 2022. The annual report notes that “significant weaknesses” were found around Global Affairs Canada’s (GAC) internal governance of its foreign policy coherence role. Namely, this included a lack of “policies and few oversight committees” which NSICOP worried “may introduce weaknesses into the government’s assessment of foreign policy risk.” There were, also, concerns around the lack of Ministerial direction about how GAC collected intelligence around the world. There was also no formal process by which GAC informed its Minister of how it plays a role in relation to CSIS’ collection of intelligence. Relatedly, NSICOP was concerned by “the near total absence of governance and formalized reporting to the minister regarding GAC’s facilitator role.”

One of GAC’s key roles is to coordinate the government’s response to terrorist hostage taking. However, NSICOP found that:

GAC has a three-person team that supports an interdepartmental task force, but in twenty years the Department has done little to prepare for these incidents: there is no policy framework, no training, and no routine tabletop simulation exercises for the task force.

At best, GAC convenes implicated departments with much greater operational roles and specific accountabilities, and works to build a coherent approach without authority to direct a whole-of-government response. Part of the challenge is one of the Department’s own making: over the past 10 years, it has not developed the necessary policy, operational and training mechanisms for implicated government organizations to respond to such events coherently. Notwithstanding these gaps, the most significant problem is political: successive governments have failed to provide direction for a framework to address such critical incidents or provide specific direction on individual cases. Together, these challenges undermine the ability of the Department and its security and intelligence partners to respond effectively to hostage-takings.

Upon receiving the review GAC committed to reforms to respond to the issues identified by NSICOP.

Summaries and Recommendations of Prior Reviews

NSICOP’s annual report helpfully provides a listing of past reports that it has undertaken and allocates a page to each review. These summarize the issues taken up in a given report, identify the associated recommendations, and clarify the extent to which the government has (or has not) responded to each of them. The summaries, also, go so far as to indicate when legislation overtook particular recommendations, such as NSICOP’s proposal that the National Security and Intelligence Review Agency (NSIRA) be mandated to issue an annual report pertaining to the Department of National Defence/Canadian Armed Forces activities related to national security or intelligence.

Many of these reviews have drawn significant attention since they were released, such as NSICOP’s report on foreign interference (and which included the recommendation that combatting foreign interference include establishing “regular mechanisms to work with sub-national levels of government and law enforcement organizations, including to provide necessary security clearances”), but the summarization of these reviews is helpful for simply remembering all of the work that the Committee and its members have undertaken since its inception. It would be helpful for all review agencies to develop public timelines to include in their annual reports and on their websites; such timelines could just denote and link to all of the reports the review agency has completed (or begun) so that readers could better appreciate (and remember) their past and ongoing work.

I think that it’s important to highlight that, just one decade ago, these summaries alone would have been considered an amazing amount of detail that pulled the veil back on Canada’s national security activities. That we can read the summaries, as well as the redacted reports that are posted on the Committee’s website, is astounding when considering where Canada was in terms of national security transparency and accountability ten years ago. When combined with other reporting from NSIRA and the Intelligence Commissioner it is apparent that the public and parliamentarians alike are in a remarkably better situation to understand, assess, interrogate, and approve of (or call for the cessation of) the actions carried out by Canada’s national security agencies.

Conclusion

NSICOP has sometimes been on the receiving end of critiques or complaints, some of which have arguably been deserved and others less so. It is a body that has been severely tested by some public and political pressures. And it has been challenged in fulfilling elements of its mandate for reasons described in its 2022 annual report.

Nevertheless, the Committee and its members are to be congratulated for their efforts. They have worked to release information that hitherto has been kept secret from the public and parliamentarians. There remain challenges to overcome and more must be done to further enhance the public’s and parliamentarians’ understanding of national security agencies, challenges and threats facing Canadians institutions and organizations, and responses that the government has undertaken in response. Still, NSICOP has done much to educate the public since its inception and, if its legislation is reformed per its requests, I suspect the Committee could be even better situated to undertaking reviews while further raising the levels of awareness of national security issues.

  1. For my previous analysis of this report, see: “Unpacking NSICOP’s Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack↩︎

The Utility of Secret Intelligence in Secret-Intelligence Resistant Political and Bureaucratic Cultures

/ Christopher Parsons

Dan Lomas’ recent RUSI essay, “The Death of Secret Intelligence? Think Again,” is a good and fair assessment of the value of secret intelligence and open source intelligence. Lomas clearly and forcefully explains the real benefits of secret intelligence for a subset of policymakers and decision makers. You should read it.

To truly take advantage of secret intelligence, however, policymakers and decision makers must want to read and use it. Secret intelligence-resistant (SI-resistant) bureaucratic or political cultures that have seemingly managed—and still do—without substantive amounts of secret intelligence to guide policy analysis or decision making may be dubious of the value of secret intelligence. Members of these cultures may see open source intelligence as either sufficient or ‘good enough’ for their purposes.1

Those who attempt to reform SI-resistant cultures must grapple with what may be conflicting long-term perceptions of the value (or lack thereof) of this intelligence. Members of this resistant culture can sometimes become even more avoidant of state secrets by merit of fearing the consequences of knowing or having access to them: when knowing secret intelligence is perceived as being linked to an inability to do much with it, for fear of burning sources and methods and then suffering untold professional or political harms, there are good political and bureaucratic reasons to do without the secret stuff. In these kinds of cultures, there is a risk (real or imagined) that secret intelligence can be toxic to one’s career or future ambitions.

It is in this kind of toxic environment that knowing state secrets may be seen as a problem calling for solutions. Decision makers might have to undertake parallel construction to develop secret intelligence-adjacent fact patterns to justify the conclusions at which they arrived, when those conclusions were in fact guided by secret intelligence. And integrating useful state secrets into policy advice could prevent the circulation of that advice within the government, with the effect of barring uncleared colleagues and managers from the secret intelligence-enhanced (and potentially career enhancing) insights. Not circulating one’s work could mean that a highly capable policy analyst cannot catch the attention of their uncleared managers or directors who may be helpful for lifting the analyst and their career to the next bureaucratic height. Members of the SI-resistant class might wonder whether secrets are really all that they’re cracked up to be.2

This gulf of doubt, the questions of utility, and the practical ‘do we really need to change questions’ are challenging issues to overcome in SI-resistant cultures. Perhaps one way forward, though one which somewhat comically requires overcoming certain preferences for government secrecy around access to documents, is to open the vaults (or Archives) of historical secret information.

In cultures which value secret information we can read and watch insider and expert (and…not so expert) explanations, movies, and valourizations of the merit of secret intelligence in transforming a country’s position in the world. This kind of storytelling may be a key ingredient in developing a political and bureaucratic culture that recognizes the value of incorporating secret intelligence more regularly into routine government affairs. Just pointing at bureaucratic and political cultures that are more open to using secret intelligence, however, and saying ‘mimic them!’ is unlikely to drive much change in a culture that has long been secret intelligence-resistant.

Thus, while the RUSI article does an excellent job trumpeting the value of secret and open source intelligence, the advice and findings really may principally apply to countries with high numbers of security cleared decision makers and where the public—and thus elected politicians—acknowledge the value of secret intelligence amongst the oceans of open source materials that exists around them. And even when there is an appetite for secret intelligence it must be practical to access it.

In some secret intelligence-resistant cultures, there have long been processes where secret intelligence-laden analyst reports have been deposited on non-experts’ desks. Those same non-expects know that if they read the materials they may face possible jeopardy. On the one hand, they largely cannot disclose what they learn but, on the other, if they do not read the materials and that becomes public knowledge then they may be seen as poor stewards of the realm. The responsible ones will dutifully read their briefing books and ensure they never accidentally reveal their secret knowledge to anyone who isn’t in the secret intelligence tribe. Those less responsible might, instead, expect that they wouldn’t be able to use the secret intelligence anyways and ultimately have more hours in their weeks to guide the realm and her interests when they exclusively rely on non-classified information.

As should be obvious, the aforementioned method of circulating secret intelligence does not present a particularly efficacious way of incorporating secret intelligence into government activities. Another way must be found that ideally is developed in at least marginally public settings and in tandem with genuine efforts to open up historical secret archives to historians, academics, and public policy makers to come to their own conclusions about what the value of secret intelligence has actually been. Only once, and if, the SI-resistant culture comes to realize it truly has been missing something are broader cultural changes likely to ensue where that culture’s secret-intelligence resistance at least shifts to secret intelligence-ambivalence. Such would be a small step along a long road towards truly accepting and regularly integrating secret intelligence into the realm’s public affairs.

  1. They may even, largely, be correct. ↩︎
  2. Of course, holding a contrary view are members of invite-only events where a great gnashing of teeth can arise over the ‘secrecy and OSINT problem.’ In these, at least some of the secrecy-indoctrinated participants may even discuss the very question of whether OSINT is truly useful while, ultimately, the room broadly reaches a muttering agreement that the secret intelligence many have spent their careers collecting and enriching really adds a lot of value for decision makers. Even if the same decision makers rarely make use of the information due to their secret intelligence-resistant cultures. Indeed, the gnashing can be enough that a concerned participant might worry that dentists should be on hand to issue mouthguards to some attending participants. ↩︎

Relaunch of the SIGINT Summaries

/ Christopher Parsons
Photo by Brett Sayles on Pexels.com

In 2013, journalists began revealing secrets associated with members of the Five Eyes (FVEY) intelligence alliance. These secrets were disclosed by Edward Snowden, a US intelligence contractor. The journalists who published about the documents did so after carefully assessing their content and removing information that was identified as unduly injurious to national security interests or that threatened to reveal individuals’ identities.

During my tenure at the Citizen Lab I provided expert advice to journalists about the newsworthiness of different documents and, also, when content should be redacted as its release was not in the public interest. In some cases documents that were incredibly interesting were never published on the basis that doing so would be injurious to national security, notwithstanding the potential newsworthiness of the documents in question. As an element of my work, I identified and summarized published documents and covernames which were associated with Canada’s signals intelligence agency, the Communications Security Establishment (CSE).

I am happy to announce a re-launching of the SIGINT summaries but with far more content. Content, today, includes:

In all cases the materials which are summarised on my website have been published, in open-source, by professional news organizations or other publishers. None of the material that I summarise or host is new and none of it has been leaked or provided to me by government or non-government bodies. No current or former intelligence officer has provided me with details about any of the covernames or underlying documents. This said, researchers associated with the Citizen Lab and other academic institutions have, in the past, contributed to some of the materials published on this website.

As a caveat, all descriptions of what the covernames mean or refer to, and what are contained in individual documents leaked by Edward Snowden, are provided on a best-effort basis. Entries will be updated periodically as time is available to analyse further documents or materials.

How Were Documents Summarized?

In assessing any document I have undertaken the following steps:

  1. Re-created my template for all Snowden documents, which includes information about the title, metadata associated with the document (e.g., when it was made public and in what news story, when it was created, which agency created it), and a listing of the covernames listed in the document.
  2. When searching documents for covernames, I moved slowly through the document and, often, zoomed into charts, figures, or other materials in order to decipher both covernames which are prominent in the given document as well as covernames in much smaller fonts. The result of this is that in some cases my analyses of documents have indicated more covernames being present than in other public repositories which have relied on OCR-based methods to extract covernames from texts.
  3. I read carefully through the text of the document, sometimes several times, to try and provide a summary of the highlights in a given document. Note that this is based on my own background and, as such, it is possible that the summaries which are generated may miss items that other readers find notable or interesting. These summaries try and avoid editorialising to the best of my ability.
  4. In a separate file, I have a listing of the given agency’s covernames. Using the listed covernames in the summary, I worked through the document in question to assess what, if anything, was said about a covername and whether what was said is new or expanded my understanding of a covername. Where it did, I added additional sentences to the covername in the listing of the relevant agency’s covernames along with a page reference to source the new information. The intent, here, was to both develop a kind of partial covername decoder and, also, to enable other experts to assess how I have reached conclusions about what covernames mean. This enables them to more easily assess the covername descriptions I have provided.
  5. There is sometimes an editorial process which involved rough third-party copyediting and expert peer review. Both of these, however, have been reliant on external parties having the time and expertise to provide these services. While many of the summaries and covername listings have been copyedited or reviewed, this is not the case for all of them.
  6. Finally, the new entries have been published on this website.

Also, as part of my assessment process I have normalized the names of documents. This has meant I’ve often re-named original documents and, in some cases, split conjoined documents which were published by news organizations into individual documents (e.g., a news organization may have published a series of documents linked to AURORAGOLD as a single .pdf instead of publishing each document or slide deck as its own .pdf). The result is that some of the materials which are published on this website may appear new—it may seem as though there are no other sources on the Internet that appear to host a given document—but, in fact, these are just smaller parts of larger conjoined .pdfs.

Commonly Asked Questions

Why isn’t XXX document included in your list of summarised documents? It’s one of the important ones!

There are a lot of documents to work through and, to some extent, my review of them has been motivated either by specific projects or based on a listing of documents that I have time to assess over the past many years. Documents have not been processed based on when they were published. It can take anywhere from 10 minutes to 5 hours or more to process a given document, and at times I have chosen to focus on documents based on the time available to me or by research projects I have undertaken.

Why haven’t you talked about the legal or ethical dimensions of these documents?

There are any number of venues where I have professionally discussed the activities which have been carried out by, and continue to be carried out by, Western signals intelligence agencies. The purpose of these summaries is to provide a maximally unbiased explanation of what is actually in the documents, instead of injecting my own views of what they describe.

A core problem in discussing the Snowden documents is a blurring of what the documents actually say versus what people think they say, and the appropriateness or legality of what is described in them. This project is an effort to provide a more robust foundation to understand the documents, themselves, and then from there other scholars and experts may have more robust assessments of their content.

Aren’t you endangering national security by publishing this material?

No, I don’t believe that I am. Documents which I summarise and the covernames which I summarise have been public for many, many years. These are, functionally, now historical texts.

Any professional intelligence service worth its salt will have already mined all of these documents and performed an equivalent level of analysis some time ago. Scholars, the public, and other experts however have not had the same resources to similarly analyse and derive value from the documents. In the spirit of open scholarship I am sharing these summaries. I also hope that it is helpful for policymakers so that they can better assess and understand the historical capabilities of some of the most influential and powerful signals intelligence agencies in the world.

Finally, all of the documents, and covernames, which are summarised have been public for a considerable period of time. Programs will have since been further developed or been terminated, and covernames rotated.

What is the narrative across the documents and covernames?

I regard the content published here as a kind of repository that can help the public and researchers undertake their own processes of discovery, based on their own interests. Are you interested in how the FVEY agencies have assessed VPNs, encryption, smartphones, or other topics? Then you could do a search on agencies’ summary lists or covernames to find content of interest. More broadly, however, I think that there is a substantial amount of material which has been synthesised by journalists or academics; these summaries can be helpful to assess their accuracy in discussing the underlying material and, in most cases, the summaries of particular documents link to journalistic reporting that tries to provide a broader narrative to sets of documents.

Why haven’t you made this easier to understand?

I am aware that some of the material is still challenging to read. This was the case for me when I started reading the Snowden documents, and actually led to several revisions of reading/revising summaries as I and colleagues developed a deeper understanding for what the documents were trying to communicate.

To some extent, reading the Snowden documents parallels learning a novel language. As such, it is frustrating to engage with at first but, over time, you can develop an understanding of the structure and grammar of the language. The same is true as you read more of the summaries, underlying documents, and covername descriptions. My intent is that with the material assembled on this website the time to become fluent will be massively reduced.

Future Plans

Over time I hope to continue to add to the summaries, though this will continue as a personal historical project. As such, updates will be made only as I have time available to commit to the work.

  1. As of writing, no reviewed Snowden document explicitly discloses an ASD covername. ↩︎

Website Resource Updates

/ Christopher Parsons
Photo by Markus Winkler on Pexels.com

Over the past several months I’ve updated a number of the resources on this website and it’s time to make it a little more apparent to other scholars, experts, and members of the public.

ATIP Repository

As part of my day job at the Citizen Lab I’ve regularly relied on access to information legislation to better understand how the federal government is taking up, and addressing, national security-related issues. It can be difficult for other parties, however, to get access to the same documents given the federal government’s policy of not proactively releasing ATIPs after a year or two.

The result is that scholars and journalists regularly sift through documents that have been released to them for what interests them but they may miss other interesting, or even essential, information that is outside of their interests or expertise. To try and at least somewhat ameliorate that issue I’ve spent the past several months uploading a large number of ATIP releases that I have collected over the past decades. Some were filed by me but the majority were either provided by other scholars or journalists, or retroactively obtained as a re-released package.

The bulk of the ATIPs are associated with CSIS, CSE, and Public Safety Canada. Other agencies and departments include: Department of Justice; Department of National Defence; Employment and Social Development Canada; Global Affairs Canada; Immigration, Refugees and Citizen Canada; Innovation, Science and Economic Development Canada; Office of the Communications Security Establishment Commissioner; Office of the Privacy Commissioner of Canada; Privy Counsel Office; Royal Canadian Mounted Police; Shared Services Canada; Transport Canada; and Treasury Board of Canada.

In many cases I have provided some brief description of things I found notable in the ATIP packages though I have not done so in all cases.

Access ATIP Repository

Order Paper Responses

Under the Canadian parliamentary systems, members of parliament can issue order paper questions to the government. Such questions must be specific and pertain to public affairs. They are typically addressed to government Ministers. The purpose of such questions is to obtain precise or detailed answers and, as such, overly broad questions may be split or broken down to elicit such a response from government agencies. The government is expect to reply within 45 days though this norm is not enforceable by parliament. In the event of parliament being prorogued the Order Paper is cleared and any requests or questions are cancelled.

I have collected a set of Order Paper questions that address issues such as Facial Recognition Technology, mobile device surveillance, data collection by CSIS, disclosures of subscriber information, monitoring of protests, and government interception techniques. None of these Order Paper documents are accompanied by commentary.

Access Order Paper Repository

Canadian Electronic Surveillance Reports

Over the past several years I have undertaken research exploring how, how often, and for what reasons governments in Canada have accessed telecommunications data. As one facet of this line of research I worked with Dr. Adam Molnar and Benjamin Ballard to understand the regularity at which policing agencies across Canada have sought, and obtained, warrants to lawfully engage in real-time electronic surveillance. Such data is particularly important given the regularity at which law enforcement agencies call for new powers; how effective are historical methods of capturing communications data? How useful are the statistics which are tabled by governments?

I have collated the reports which have been published by the provincial and federal governments and, also, noted where provincial governments have failed to provide these reports despite being required to published them under the Criminal Code of Canada. I have not provided any analysis of these reports on this website, aside from a paper I wrote with Dr. Adam Molnar about lawful interception entitled, “Government Surveillance Accountability: The Failures of Contemporary Canadian Interception Reports.”

Access Canadian Electronic Surveillance Reports Repository

Miscellaneous

Finally, I’ve published documents that the RCMP provided to the ETHI Committee concerning its use of On Device Investigative Tools (ODITs), or the malware used by RCMP to gain access to personal devices. These documents were removed from the Committee’s website and so I’ve made them available here, as the were once publicly available materials and remain important for advancing public policy about how and when the RCMP can use these kinds of techniques.

Access ODIT Repository

Why Is(n’t) TikTok A National Security Risk?

/ Christopher Parsons
This image has an empty alt attribute; its file name is pexels-photo-8360440.jpeg
Photo by Ron Lach on Pexels.com

There have been grumblings about TikTok being a national security risk for many years and they’re getting louder with each passing month. Indeed, in the United States a bill has been presented to ban TikTok (“The ANTI-SOCIAL CCP ACT“) and a separate bill (“No TikTok on Government Devices Act“) has passed the Senate and would bar the application from being used on government devices. In Canada, the Prime Minister noted that the country’s signals intelligence agency, the Communications Security Establishment, is “watching very carefully.”

I recently provided commentary where I outlined some of the potential risks associated with TikTok and where it likely should fit into Canada’s national security priorities (spoiler: probably pretty low). Here I just want to expand on my comments a bit to provide some deeper context and reflections.

As with all things security-related you need to think through what assets you are attempting to protect, the sensitivity of what you’re trying to protect, and what measures are more or less likely to protect those assets. Further, in developing a protection strategy you need to think through how many resources you’re willing to invest to achieve the sought-after protection. This applies as much to national security policy makers as it does to individuals trying to secure devices or networks.

What Is Being Protected

Most public figures who talk about TikTok and national security are presently focused on one or two assets.

First, they worry that a large volume of data may be collected and used by Chinese government agencies, after these agencies receive it either voluntarily from TikTok or after compelling its disclosure. Commentators argue that Chinese companies are bound to obey the national security laws of China and, as such, may be forced to disclose data without any notice to users or non-Chinese government agencies. This information could be used to obtain information about specific individuals or communities, inclusive of what people are searching on the platform (e.g., medical information, financial information, sexual preference information), what they are themselves posting and could be embarrassing, or metadata which could be used for subsequent targeting.

Second, some commentators are adopting a somewhat odious language of ‘cognitive warfare’ in talking about TikTok.1 The argument is that the Chinese government might compel the company to modify its algorithms so as to influence what people are seeing on the platform. The intent of this modification would be to influence political preferences or social and cultural perceptions. Some worry this kind of influence could guide whom individuals are more likely to vote for (e.g., you see a number of videos that directly or indirectly encourage you to support particular political parties), cause generalised apathy (e.g., you see videos that suggest that all parties are bad and none worth voting for), or enhance societal tensions (e.g., work to inflame partisanship and impair the functioning of otherwise moderate democracies). Or, as likely, a combination of each of these kinds of influence operations. Moreover, the TikTok algorithm could be modified by government compulsion to prioritise videos that praise some countries or that suppress videos which negatively portray other countries.

What Is the Sensitivity of the Assets?

When we consider the sensitivity of the information and data which is collected by TikTok it can be potentially high but, in practice, possesses differing sensitivities based on the person(s) in question. Research conducted by the University of Toronto’s Citizen Lab found that while TikTok does collect a significant volume of information, that volume largely parallels what Facebook or other Western companies collect. To put this slightly differently, a lot of information is collected and the sensitivity is associated with whom it belongs to, who may have access to it, and what those parties do with it.

When we consider who is using TikTok and having their information uploaded to the company’s servers, then, the question becomes whether there is a particular national security risk linked with this activity. While some individuals may potentially be targets based on their political, business, or civil society bonafides this will not be the case with all (or most) users. However, in even assessing the national security risks linked to individuals (or associated groups) it’s helpful to do a little more thinking.

First, the amount of information that is collected by TikTok, when merged with other data which could theoretically be collected using other signals intelligence methods (e.g., extracting metadata and select content from middle-boxes, Internet platforms, open-source locations, etc) could be very revealing. Five Eyes countries (i.e., Australia, Canada, New Zealand, the United Kingdom, and the United States of America) collect large volumes of metadata on vast swathes of the world’s populations in order to develop patterns of life which, when added together, can be deeply revelatory. When and how those countries’ intelligence agencies actually use the collected information varies and is kept very secretive. Generally, however, only a small subset of individuals whose information is collected and retained for any period of time have actions taken towards them. Nonetheless, we know that there is a genuine concern about information from private companies being obtained by intelligence services in the Five Eyes and it’s reasonable to be concerned that similar activities might be undertaken by Chinese intelligence services.

Second, the kinds of content information which are retained by TikTok could be embarrassing at a future time, or used by state agencies in ways that users would not expect or prefer. Imagine a situation where a young person says or does something on TikTok which is deeply offensive. Fast forward 3-4 years and their parents are diplomats or significant members of the business community, and that offensive content is used by Chinese security services to embarrass or otherwise inconvenience the parents. Such influence operations might impede Canada’s ability to conduct its diplomacy abroad or undermine the a business’s ability to prosper.

Third, the TikTok algorithm is not well understood. There is a risk that the Chinese government might compel ByteDance, and through them the TikTok platform, to modify algorithms to amplify some content and not others. It is hard to assess how ‘sensitive’ a population’s general sense of the world is but, broadly, if a surreptitious foreign influence operation occurred it might potentially affect how a population behaves or sees the world. To be clear this kind of shift in behaviour would not follow from a single video but from a concerted effort over time that shifted social perceptions amongst at least some distinct social communities. The sensitivity of the information used to identify videos to play, then, could be quite high across a substantial swathe of the population using the platform.

It’s important to recognise that in the aforementioned examples there is no evidence that ByteDance, which owns TikTok, has been compelled by the Chinese government to perform these activities. But these are the kinds of sensitivities that are linked to using TikTok and are popularly discussed.

What Should Be Done To Protect Assets?

The threats which are posed by TikTok are, at the moment, specious: it could be used for any number of things. Why people are concerned are linked less to the algorithm or data that is collected but, instead, to ByteDance being a Chinese company that might be influenced by the Chinese government to share data or undertake activities which are deleterious to Western countries’ interests.

Bluntly: the issue raised by TikTok is not necessarily linked to the platform itself but to the geopolitical struggles between China and other advanced economies throughout the world. We don’t have a TikTok problem per se but, instead, have a Chinese national security and foreign policy problem. TikTok is just a very narrow lens through which concerns and fears are being channelled.

So in the absence of obvious and deliberate harmful activities being undertaken by ByteDance and TikTok at the behest of the Chinese government what should be done? At the outset it’s worth recognising that many of the concerns expressed by politicians–and especially those linked to surreptitious influence operations–would already run afoul of Canadian law. The CSIS Act bars clandestine foreign intelligence operations which are regarded as threatening the security of Canada. Specifically, threats to the security of Canada means:

(a) espionage or sabotage that is against Canada or is detrimental to the interests of Canada or activities directed toward or in support of such espionage or sabotage,

(b) foreign influenced activities within or relating to Canada that are detrimental to the interests of Canada and are clandestine or deceptive or involve a threat to any person,

(c) activities within or relating to Canada directed toward or in support of the threat or use of acts of serious violence against persons or property for the purpose of achieving a political, religious or ideological objective within Canada or a foreign state, and

(d) activities directed toward undermining by covert unlawful acts, or directed toward or intended ultimately to lead to the destruction or overthrow by violence of, the constitutionally established system of government in Canada,

CSIS is authorised to undertake measures which would reduce the threats to the security of Canada, perhaps in partnership with the Communications Security Establishment, should such a threat be identified and a warrant obtained from the federal court.

On the whole a general ban on TikTok is almost certainly disproportionate and unreasonable at this point in time. There is no evidence of harm. There is no evidence of influence by the Chinese government. Rather than banning the platform generally I think that more focused legislation or policy could make sense.

First, I think that legislation or (preferably) policies precluding at least some members of government and senior civil servants from using TikTok has some merit. In these cases a risk analysis should be conducted to determine if collected information would undermine the Government of Canada’s ability to secure confidential information or if the collected information could be used for intelligence operations against the government officials. Advice might, also, be issued by the Canadian Security Intelligence Service so that private organisations are aware of their risks. In exceptional situations some kind of security requirements might also be imposed on private organisations and individuals, such as those who are involved in especially sensitive roles managing critical infrastructure systems. Ultimately, I suspect the number of people who should fall under this ban would, and should, be pretty small.

Second, what makes sense is legislation that requires social media companies writ large–not just TikTok–to make their algorithms and data flows legible to regulators. Moreover, individual users should be able to learn, and understand, why certain content is being prioritised or shown to them. Should platforms decline to comply with such a the law then sanctions may be merited. Similarly, should algorithmic legibility showcase that platforms are being manipulated or developed in ways that deliberately undermine social cohesion then some sanctions might be merited, though with the caveat that “social cohesion” should be understood as referring to platforms being deliberately designed to incite rage or other strong emotions with the effect of continually, and artificially, weakening social cohesion and amplifying social cleavages. The term should not, however, be seen as a kind of code for creating exclusionary social environments where underprivileged groups continue to be treated in discriminatory ways.

So Is TikTok ‘Dangerous’ From A National Security Perspective?

Based on open source information2 there is no reason to think that TikTok is currently a national security threat. Are there any risks associated with the platform? Sure, but they need to be juxtaposed against equivalent or more serious threats and priorities. We only have so many resources to direct towards the growing legion of legitimate national security risks and issues; funnelling a limited set of resources towards TikTok may not be the best kind of prioritisation.

Consider that while the Chinese government could compel TikTok to disclose information about its users to intelligence and security services…the same government could also use business cutouts and purchase much of the same information from data brokers operating in the United States and other jurisdictions. There would be no need to secretly force a company to do something when, instead, it could just lawfully acquire equivalent (or more extensive!) information. This is a pressing and real national security (and privacy!) issue and is deserving of legislative scrutiny and attention.

Further, while there is a risk that TikTok could be used to manipulate social values…the same is true of other social networking services. Indeed, academic and journalistic research over the past 5-7 years has drawn attention to how popular social media services are designed to deliver dopamine hits and keep us on them. We know that various private companies and public organisations around the world work tirelessly to ‘hack’ those algorithms and manipulate social values. Of course this broader manipulation doesn’t mean that we shouldn’t care but, also, makes clear that TikTok isn’t the sole vector of these efforts. Moreover, there are real questions about the how well social influence campaigns work: do they influence behaviour–are they supplying change?–or is the efficaciousness of any campaign representative of an attentive and interested pre-existing audience–is demand for the content the problem?

The nice thing about banning, blocking, or censoring material, or undertaking some other kind of binary decision, is that you feel like you’ve done something. Bans, blocks, and censors are typically designed for a black and white world. We, however, live in a world that is actually shrouded in greys. We only have so much legislative time, so much policy capacity, so much enforcement ability: it should all be directed efficiently to understanding, appreciating, and addressing the fulness of the challenges facing states and society. This time and effort should not be spent on performative politics that is great for providing a dopamine hit but which fails to address the real underlying issues.

  1. I have previously talked about the broader risks of correlating national security and information security.
  2. Open source information means information which you or I can find, and read, without requiring a security clearance.