CSIS

Highlights from NSIRA’s 2022 Annual Report

/ Christopher Parsons

The National Security and Intelligence Review Agency (NSIRA) tabled its annual report on October 30, 2023. NSIRA is responsible for conducting national security reviews of Canadian federal agencies, and its annual report summarises activities that have been undertaken in 2022. The report also discusses new policies and capacities concerning its review activities.

In this post, I summarise and discuss many of the central items in the annual report. This includes the Agency’s approach to developing themes and categorising recommendations, aspects of particular the reviews, how NSIRA’s technology directorate is developing, the ways in which NSIRA is maturing how it measures engagements with reviewed agencies and associated confidence ratings, and its international engagements.

Significantly, this annual report includes several explicit calls for legislative review as pertain to complaints investigations. It is, also, possible that the Agency may be building an evidence-based argument for why law reform may be needed to ensure that NSIRA can obtain adequate access to information or materials to conduct reviews of some government agencies.

Themes and Categorisation of Recommendations

NSIRA has been developing and issuing recommendations to government institutions for multiple years. The result is that the Agency can begin to categorise the kinds of recommendations that it is issuing. Categorisation is helpful because it can start to reveal trends within and across reviewed institutions and, then, enable those institutions to better focus their efforts to update organisational practices. Moveover, with this information NSIRA may generally be able to monitor for substantive changes in common problem areas both within and across reviewed agencies.

The following table re-creates the categorisation descriptions in NSIRA’s annual report(see: page 3).

Theme Topics
Governance
  • Policies, procedures, framework and other authorities
  • Internal oversight
  • Risk management, assessment and practices
  • Decision-making and accountability, including ministerial accountability and direction
  • Training, tools and staffing resources
Propriety
  • Reasonableness, necessity, efficacy and proportionality
  • Legal thresholds and advice, compliance and privacy interests
Information management and sharing
  • Collection, documentation, tracking, implementing, reporting, monitoring and safeguarding
  • Information sharing and disclosure
  • Keeping and providing accurate and up-to-date information, timeliness

This tripartite division lets NSIRA categorise all of the different recommendations it has made in its 2020, 2021, and 2022 annual reports, which has the effect of showcasing trends over the years. I have republished NSIRA’s chart denoting these trends, below.

Graph image: Trends in finding and recommendations - Text version follows

Analysis of Themes and Categorisation of Recommendations

I can’t immediately think of items that do not fit in the categories that NSIRA has developed, though it will be interesting to observe over time whether this categorisation will continue to capture all possible types of recommendations. Further, with this categorisation schema now in hand, will this affect the crafting of recommendations so that they clearly ‘fit’ within each of these categories?  Will single recommendations sometimes fit within multiple categories?  Or is it possible that additional categories may be developed based on future recommendations?

I can see the strong utility of this, generally, for organisations — be they government or non-government — to track the kinds of recommendations they are making. It could both assist with internal tracking and governance measures while, also, focusing in on the core classes of issues that are being found within and across organisations that are under review, or otherwise subject to external examinational or critique.

Reviews

The reviews section of NSIRA’s annual report summarises the reviews that the Agency has undertaken over the past year, with those full reports generally available on NSIRA’s website.1

Reviews of CSIS Activities

NSIRA provides a range of different statistics concerning CSIS’ activities, including those concerning:

  • Warrants that are sought
  • Threat Reduction Measures (TRMs)
  • CSIS targets
  • Dataset evaluation and retention
  • Justified commissions of activities that otherwise would involve committing or directing the committing of unlawful acts
  • Compliance incidents

In what follows I identify noteworthy aspects of the statistics and associated narratives provided. First, warrants sought by CSIS may be used “to intercept communications, enter a location, or obtain information, records or documents. Each individual warrant application could include multiple individuals or request the use of multiple intrusive powers.” It is worth highlighting that NSIRA has explicitly stated in footnote 15 that:

A number of warrants issued during this period reflected the development of innovative new authorities and collection techniques, which required close collaboration between collectors, technology operators, policy analysts and legal counsel.2

Warranted authorisations were granted under section 12,3 16,4 and 21 5 of the CSIS Act as well as two authorisations under section 11.13 6. The total number of warrants that have been sought and approved are in line with previous years’ statistics, standing at 28, with 6 being new, 14 being replacements, and 8 being supplemental.

TRMs can be sought and exercised without requiring judicial authorisation, so long as the activity in question does not “limit a right or freedom protected by the Canadian Charter of Rights and Freedoms or would otherwise be contrary to Canadian law”.  Warrants are required when an activity would conflict with Charter rights or Canadian law. The number of authorisation sought (16) was about in the middle of the lower (10) and upper (24) bounds of requested authorisations in previous years, and executed TRMs (12) is similarly in the middle of the lower (8) and upper (19) bounds of past years’ statistics.

CSIS targets have declined over the past 5 years, moving from 430 targets in 2018 to 340 in 2022. However, this number can be misleading on the basis that a target could be for an individual or a group composing many people.

CSIS continues to notify NSIRA about judicial authorisations or ministerial authorisations to collect Canadian or foreign datasets, in excess of what the Service is required to do under the law. Generally, the statistics show that evaluated datasets tend to be retained and neither the Federal Court, Minister, or Intelligence Commissioner have denied CSIS the ability to retain evaluated datasets.

There have been considerable increases in the number of authorizations to CSIS personnel to undertake activities that involve “committing an act or omission themselves (commissions by employees)” or directing “another person to commit an act or omission (directions to commit) as a part of their duties and functions.” Relatedly, there have also been more commissions/directions to commit that have been recorded. Statistics are denoted in the below table, which was produced by NSIRA.

Finally, the compliance information provided by NSIRA shows a growing breakdown of the ways in which CSIS activates can found to be non-compliant with either Canadian law, the Charter, warrant conditions, or CSIS governance practices.

Analysis of CSIS Activities

A few things clearly drew my attention.

  1. It is unclear what the new warranted authorities or collection activities have involved, but the listing of parties involved in developing these suggest that there may be a notable expansion in CSIS capabilities.
  2. It might be helpful in future reports to have a footnote explaining the difference between new, replacement, and supplemental warrants. The last item, in particular, is a term that I’m not familiar with, which suggests that many others reading these reports who are not national security insiders or legal experts may have similar questions.
  3. That no judicially supervised TRMs have been undertaken is notable and suggests that these measures may not yet have risen to concerns raised by some civil society and other actors. In particular, past concerns have focused on how how these techniques could affect residents of Canada and their Charter rights.
  4. We still lack clear an understanding of what, precisely, is being evaluated or retained by CSIS when it collects datasets and subsequently analyses them. This remains a significant blindspot and prevents the public or legislators from clearly understanding what, exactly, CSIS can do (or is doing) with retained datasets.
  5. The justifications framework makes clear that more and more activities are being undertaken which would, otherwise, be unlawful. It is an open question whether these activities may impede the ability of federal law enforcement, or other parties, to use the Criminal Code (or other legislation) to take action against individuals or groups in Canada who have been targeted by CSIS.  Specifically, what (if any) relationship is there between these justified activities undertaken by CSIS and the One Vision 3.0 framework between the RCMP and CSIS?

Communications Security Establishment

NSIRA undertook two reviews of CSE activities, including about Active Cyber Operations (ACO) and Defensive Cyber Operations (DCO), and of an undisclosed foreign intelligence activity.

NSIRA found that “ACOs and DCOs that CSE planned or conducted during the period of review were lawful and noted improvements in GAC’s assessments for foreign policy risk and international law” and as well as that “CSE developed and improved its processes for the planning and conduct of ACOs and DCOs in a way that reflected some of NSIRA’s observations from the governance review.” However, “NSIRA faced significant challenges in accessing CSE information on this review. These access challenges had a negative impact on the review. As a result, NSIRA could not be confident in the completeness of information provided by CSE.7

The CSE collection activity is not described in any detail, though NSIRA “identified several instances where the program’s activities were not adequately captured within CSE’s applications for certain ministerial authorizations.”

NSIRA has had challenges with its reviews of CSE’s operations since the Agency’s establishment. In 2022, this led to NSIRA’s Chair meeting with the Minister of National Defence “to discuss ongoing issues and challenges related to NSIRA reviews of CSE activities.”

The NSIRA annual report includes an extensive set of statistics about the CSE’s activities. To begin, there has been an additional cybersecurity as well as active cyber operations authorisation in 2022 versus 2021, with the effect that there are now:

  • 3 foreign intelligence authorisations
  • 3 cybersecurity — federal and non-federal — authorisations
  • 1 DCO authorisation
  • 3 ACO authorisations

We can expect that at least some of these may be linked to the Canadian government’s (and CSE’s) efforts to help Ukraine in its fight against Russia’s illegal war of aggression. However, the general breadth of Ministerial Authorisations are such that any new ones will cover off large categories of activities which could be undertaken in a variety of situations or locations.

My colleague, Bill Robinson, may be pleased to see that CSE is authorising NSIRA to identify the number of reports CSE is releasing (3,185 in 2022), to the number of agencies/departments (26 in 2022), and the number of clients within departments/agencies (1,761 in 2022). He will likely be less pleased to see (as am I) that CSE refuses to release statistics concerning:

  • The regularity at which information relating to a Canadian or a person in Canada, or “Canadian-collected information” is included in CSE’s end-product reporting
  • The regularity at which Canadian identifying information (CII) is suppressed in CSE foreign intelligence or cyber security reporting
  • The number of DCOs or ACOs which were approved, and carried out, in 2022

The regularity at which CII information was released, however, was provided for Government of Canada requests (657) and Five Eyes requests (62). There was an aggregate decrease from 831 requests in 2021 to 719 requests in 2022, with CSE denying 65 of the 2022 requests and 51 of the requests still being processed.

There were more privacy incidents registered by CSE itself (114 in 2022 versus 96 in 2021) and a reduction in second-party incidents (23 in 2022 versus 33 in 2021). No specific information about the nature of the incidents are provided.

There was a large number of cyber incidents that were opened by the Canadian Centre for Cyber Security. This included 1,070 affecting federal institutions and 1,575 affecting critical infrastructure.

While not as detailed as past work by Canadian reporters, which once identified how many times CSE provided assistance to specific federal partners, NSIRA’s 2022 annual report does continue to disclose how frequently CSE receives requests for assistance. In 2022 it received 62 requests (up from 35 in 2021), with 1 cancelled and 2 denied, resulting in 59 being approved.

Analysis of CSE Activities

There are numerous things that are of note in the section of CSE.

  1. Despite having reviewed ACO and DCO activities, NSIRA was unable to be confident of the information it had been provided when conducting the review. Put differently, we should take the outputs of the review with a grain of salt, and this matters both on a governance level as well as because ACOs and DCOs have the potential to be extremely impactful to individuals’ Charter or human rights.8
  2. Issues between NSIRA and CSE have risen to the level that the Chair of NSIRA and Minister of National Defence are meeting. This is suggestive that issues could not be resolved at the senior staff level despite years of effort to do so. Escalating this to the Minister is about as high-level a complaint or concern that NSIRA can raise within the government hierarchy.
  3. A mainline privacy concern is how frequently CII is being collected and, subsequently, included in reporting. That CSE continues to refuse to provide statistics on how often it is being suppressed impedes the public’s and politicians’ abilities to understand how much ‘incidental’ collection of CII occurs in the course of the CSE’s activities. A similar complaint can be made concerning CSE’s refusal to release statistics about the regularity at which information related to a Canadian or person in Canada, or “Canadian-collected information” is included in end-product reporting. This issue has even greater salience given that Bill C-26, which addresses critical infrastructure and cybersecurity, is currently at Committee. If passed into law, even more CII or information related to Canadian persons could be obtained by CSE.
  4. It is unclear whether critical infrastructure incidents opened with the Cyber Centre included just federally regulated institutions or all critical infrastructure providers (including those under provincial jurisdiction). The effect is to impair an understanding of how much work CSE is undertaking on behalf of provinces (or to support provinces in protecting infrastructure) .
  5. There has been an explosion in how frequently CSE is providing assistance to other federal partners, but it is unclear who specifically is receiving the assistance or to what effect. While the expansion may be linked to the war between Ukraine and Russia, there may be other factors at play which are hidden from the reader due to how NSIRA is permitted to disclose information in its annual report.

Other Departments

NSIRA also conducted reviews of the Department of National Defence and the Canadian Armed Forces (DND/CAF), Canadian Border Services Agency (CBSA), and mandated annual reviews under the Security of Canada Information Disclosure Act (SCIDA) and Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA). Key points include:

  • The DND/CAF review saw NSIRA conclude that DND/CAF’s human source handling actives may be being undertaken in ways that are, in NSIRA’s opinion, potentially unlawful. The Minister disagreed, with NSIRA believing that the Minister’s conclusion was a result of applying an inappropriately narrow interpretation of the facts and the law. Further work will continue on this file.
  • CBSA’s air passenger targeting review found areas needing improvement, including surrounding documentation practices, and demonstrating adequate justification for its selection of indicators as signals for increased risk.
  • GAC was found to need to improve on its disclosure policies under SCIDA, on the basis that GAC “did not meet the two-part threshold requirements of the SCIDA before disclosing the information, which was not compliant with the SCIDA.”
  • The definition of “significant risk” related to avoiding complicity in mistreatment by foreign entities does not exist in legislation, which continues to create challenges. NSIRA is calling for this to be addressed in future legislative reform. Moreover, neither the CBSA or Public Safety Canada have fully implemented a framework under the ACA.
  • NSIRA has moved to begin closing certain ongoing work or not ultimately produce a final report to a Minister. Other work–including a NSIRA review of how the RCMP handles encryption in the interception of privacy communications in national security criminal investigations–has been deconflicted, given the activities of other review and oversight bodies such as the National Security and Intelligence Committee Of Parliamentarians (NSICOP).

Analysis of Other Departments

  1. This is not the first time that the activities undertaken by DND/CAF have been subject to critique, such as NSIRA’s assessment of the Canadian Forces National Counter-Intelligence Unit. NSIRA’s ability to examine some of these activities continues to showcase the importance of having a review agency that can comprehensively undertake review across all national security bodies. Moreover, that it is flagging review areas (e.g., the 2020 annual report noted that additional reviews had been initiated/planned, including on DND/CAF’s HUMINT capabilities) and following through speaks well to NSIRA’s ability to meet its commitments.
  2. There are real risks to individuals when agencies inadequately comply with the ACA. As I have written previously, without adequate frameworks there is a concern that “some agencies will continue to obtain information from, or disclose it to, foreign states which are known to either use information to facilitate abuses, or that use torture or other mistreatment to obtain the information that is sent to Canadian agencies. Which agencies continue to support information sharing with these kinds or states, and their rationales for doing so, should be on the record so that they and the government more broadly can be held accountable for such decision making.”
  3. It’s worth highlighting that NSIRA is calling for legislative reform to create the definition of “significant risk” concerning the ACA.
  4. Decisions to close certain reviews–or at least not issue a report to a relevant Minister–reveals a growing maturity within NSIRA as it develops policies and procedures on how to advance its work. I am curious as to whether a decision to not issue a report to a Minister may, still, result in functional improvements in how government agencies undertake select national security activities. Further, the NSICOP report on the RCMP’s handling of encryption will be important to read once it is published given the longstanding debate in Canada over encryption and encryption policies.

Technology Directorate

NSIRA continues to build up its internal technical capabilites, with its team now including engineers, computer scientists, technologists and technology review professionals. The mandate of the Directorate is expansive, and includes:

  • Lead the review of Information Technology (IT) systems and capabilities
  • Assess a reviewed entity’s IT compliance with applicable laws, ministerial direction and policy
  • Conduct independent technical investigations
  • Recommend IT system and data safeguards to minimize the risk of legal non-compliance
  • Produce reports explaining and interpreting technical subjects
  • Lead the integration of technology themes into yearly NSIRA review plans
  • Leverage external expertise in the understanding and assessment of IT risks
  • Support assigned NSIRA members in the investigation of complaints against CSIS, CSE or the RCMP when technical expertise is required to assess the evidence

The Directorate has 3 employees, as well as a cooperative education student and 2 external researchers. It has also built out links with academic researchers. In the coming year, it will continue to grow the number of employees, support ongoing education, and engage external researchers to build capacity. Curiously, the Directorate also intends to “prioritize unclassified research on a number of topics, including open-source intelligence, advertising technologies and metadata (content versus non-content data).”

Analysis of Technology Directorate

Generally, I am interested in how this Directorate is being developed and the processes that are being established for it to succeed. Specifically, how are external researchers are identified and leveraged? How has the external academic network been (or is being) developed? Answers to these questions could provide lessons for other regulators with different areas of responsibility but which possess (or are building) comparable technology teams.

The specifically stated areas of non-classified research is worth paying attention to. OSINT is a growing focus for national security and has been an area of invite-only meetings amongst Canadian national security practitioners over the past years. The topic area is, also, complicated by some guidance from the Privacy Commissioner of Canada, Treasury Board’s Privacy Implementation Notice 2023-03, and more generally by the United States’ Office of the Director of National Intelligence’s report on Commercially Available Information. This same report may, also, have overlaps with why NSIRA is interested in unclassified work concerning advertising technologies.9

Engagements with Reviewees and Confidence Statements

NSIRA tracks a number of variables that are used to understand the nature of its relationships with reviewed agencies and, also, due to some challenges with particular reviewed agencies has had to develop confidence ratings. These ratings are used to assess how confident NSIRA is in the comprehensiveness and accuracy of the materials it receives from reviewed bodies. The annual report serves to summarise the state of things during 2022.

When discussing engagements with reviewees, NSIRA has adopted a common text-template while, also, adding narrative text that contextualises whether the Agency is experiencing challenges with reviewed bodies. The variables that NSIRA reports on include:

  • Access to on-site office space
  • Whether lack of on-site access is an issue
  • Direct access to network resources or files of reviewed bodies
  • Whether there is an issue associated with how access to network resources or files is performed by a reviewed body
  • Whether information is produced to NSIRA in a timely manner
  • Overall whether the engagements are good, improving, or bad.10

I try to summarise the state of engagements with reviewed bodies in the below table.

Agency Office Space Space Issue? Network Access Access Issue? Timeliness Good / Improving / Bad
CSIS Y N Y N Y Good
CSE Y ? Partial Y/? Partial Improving from bad
DND/CAF Y N Y N Partial Good and improving
RCMP Y N N N Partial Improving
GAC N N N N Y Good
CBSA N N(?) N N Partial Good

NSIRA is now tracking delays when it requests information from reviewed bodies and has a three-part process of sending advisory letters to senior bureaucrats and, ultimately, Ministers when delays persist. Advisory letters were used 5 times in 2022, with 3 having been sent to CSE and 2 to RCMP. There is no explicit indication as to whether these letters were to senior bureaucrats or to the Minister.11

Moreover, NSIRA has expanded the criteria to assess the responsiveness and ability to verify information. These include the following criteria:

  • Timeliness of responses to requests for information
  • Quality of responses to requests for information
  • Access to systems
  • Access to people
  • Access to facilities
  • Professionalism
  • Proactiveness

Analysis of Engagements with Reviewees and Confidence Statements

While I appreciate that there may be sensitivities in presenting a table that summarises the nature of NSIRA’s engagements with reviewed agencies, it might be helpful to consider including in the future as more data is accumulated so that NSIRA can provide year-over-year comparisons. Information in this format may be particularly useful to identify areas of improvement for Ministers or their deputies.

NSIRA is, also, clearly trying to mature its confidence statement process. We have moved from what was a ‘tripwire system’ in the 2020 report to a much more robust way to collect, and present, information about the behaviour of reviewed bodies. How this affects confidence statements may be the next step in this maturity process.

Other Items

Complaints Investigations

NSIRA discusses that it is developing processes to more quickly address complaints that it receives. There are two particular calls for law reform around investigations.

  1. [A]n allowance for NSIRA members to have jurisdiction to complete any complaint investigation files they have begun, even if their appointment term expires.
  2. Broadened rights of access to individuals and premises of reviewed organizations to enhance verification activities.

Notably, NSIRA is calling for enhanced education–not new powers–with regards to increasing awareness of its mandate around complaints. The Agency writes that,

… members do not have the ability to make remedial orders, such as compensation, or to order a government department to pay damages to complainants. NSIRA continues to make improvements to its public website to raise this awareness and better inform the public and complainants on the investigations mandate and investigative procedures it follows.

Analysis of Complaints Investigations

First, the calls for legislative reform suggest that there has been an issue with a retiring member not being able to complete a file, which added to the transaction costs of handling an investigation, as well as challenges in being able to verify information or activities.

Second, that education and awareness is being called for with regards to members’ abilities and powers, as opposed to calling for new powers, may be indicative of where NSIRA is prioritising its present legislative law reforms. It may, also, speak to NSIRA not wanting to expand its mandate with regards to complaint processes at the present moment in time.

NSIRA Partnerships

NSIRA continues to develop international partnerships and meet with other review bodies, including: the Five Eyes Intelligence Oversight and Review Council, the UK’s Investigatory Powers Commissioner’s Office, Australia’s Inspector-General of Intelligence and Security, the International Intelligence Oversight forum, as well as visiting with the Norwegian Parliamentary Oversight Committee on Intelligence and Security Services, Danish Intelligence Oversight Board, the Netherlands’ Review Committee on the Intelligence and Security Services, and the Swiss Independent Oversight Authority for Intelligence Activities.

NSIRA is also engaging with NSICOP, the Civilian Review and Complaints Commissioner for the RCMP, and the Office of the Intelligence Commissioner, along with legal professionals who are members of other agents of Parliament.

On a technology front, NSIRA has engaged the Privacy Commissioner’s Technology Analysis Directorate, AI technology team at the Treasury Board’s Office of the Chief Information Officer, and the Canadian Digital Service. Finally, the Technology Directorate is specifically identified as responsible for continuing to develop “domestic and international partnerships, including expanding its network with academics, civil society and commercial leaders to ensure key technological issues factor into its approaches.”

Analysis of NSIRA Partnerships

NSIRA is clearly engaging internationally and domestically to learn about, and potentially share, best practices and techniques for engaging with regulated entities. That NSIRA began to host international meetings in the fall of 2023 speaks well to its growing capacity and involvement amongst its peers.

Conclusion

NSIRA has produced another helpful annual report that explains a great deal to the public, and especially to those who have read and assessed many of the annual reports over the years. In particular, the continuing focus on process–how much access NSIRA has to reviewed agencies’ materials, the timeliness of that access, and quality of the engagements–is important should the Government of Canada move forward to consider law reform.

Law reform should, generally, be seen as a last-step measure when it comes to addressing issues between different government agencies. However, should NSIRA continue to suffer challenges in fulfilling its mandate due to lack of access to relevant review materials then changes should likely be considered when the government moves to introduce national security-related law reform.

Footnotes:

  1. Reviews which have not completed a declassification process, or for which there are no plans to declassify, are not available on NSIRA’s webpage. ↩︎
  2. Boldface not in original. ↩︎
  3. Per Public Safety Canada, “Section 12 of the CSIS Act mandates CSIS to collect and analyse intelligence on threats to the security of Canada, and, in relation to those threats, report to, and advise the Government of Canada. These threats are defined in the CSIS Act as espionage or sabotage; foreign influenced activities that are detrimental to the interests of Canada; activities directed toward the threat or use of acts of serious violence; and, activities directed toward undermining the system of government in Canada.” ↩︎
  4. Per Public Safety Canada, “Section 16 of the CSIS Act authorizes CSIS to collect, within Canada, foreign intelligence relating to the capabilities, intentions or activities of any foreign state or group of foreign states, subject to the restriction that its activities cannot be directed at Canadian citizens, permanent residents, or corporations.” ↩︎
  5. (Per Public Safety Canada, “Section 21 of the CSIS Act authorizes CSIS to apply for a warrant to conduct activities where there are reasonable grounds to believe that a warrant is required to enable CSIS to investigate a threat to the security of Canada or perform its duties and functions pursuant to Section 16 of the CSIS Act. The CSIS Act requires that the Minister of Public Safety approve warrant applications before they are submitted to the Federal Court.” ↩︎
  6. Judicial authorisation to retain a Canadian dataset ↩︎
  7. Emphasis not in original. ↩︎
  8. For more, see: “Analysis of the Communications Security Establishment Act and Related Provisions in Bill C-59 (An Act respecting national security matters), First Reading (December 18, 2017)“, pages 27-31 ↩︎
  9. In the United States, Senator Ron Wyden has continued to raise the alarm that commercial advertising and surveillance networks could endanger American national security. I fully expect the same threat to exist to Canadians as well. ↩︎
  10. Note: on this last item, I am taking liberties in reading between the lines to some extent in how I am categorising the nature of the engagements. NSIRA does not make such a blunt assessment of the status of their engagements. ↩︎
  11. Given that a meeting did take place between the Minister of National Defence and the Chair of NSIRA, this suggest at least one of the letters to CSE may have been to the Minister. ↩︎

Why Is(n’t) TikTok A National Security Risk?

/ Christopher Parsons
This image has an empty alt attribute; its file name is pexels-photo-8360440.jpeg
Photo by Ron Lach on Pexels.com

There have been grumblings about TikTok being a national security risk for many years and they’re getting louder with each passing month. Indeed, in the United States a bill has been presented to ban TikTok (“The ANTI-SOCIAL CCP ACT“) and a separate bill (“No TikTok on Government Devices Act“) has passed the Senate and would bar the application from being used on government devices. In Canada, the Prime Minister noted that the country’s signals intelligence agency, the Communications Security Establishment, is “watching very carefully.”

I recently provided commentary where I outlined some of the potential risks associated with TikTok and where it likely should fit into Canada’s national security priorities (spoiler: probably pretty low). Here I just want to expand on my comments a bit to provide some deeper context and reflections.

As with all things security-related you need to think through what assets you are attempting to protect, the sensitivity of what you’re trying to protect, and what measures are more or less likely to protect those assets. Further, in developing a protection strategy you need to think through how many resources you’re willing to invest to achieve the sought-after protection. This applies as much to national security policy makers as it does to individuals trying to secure devices or networks.

What Is Being Protected

Most public figures who talk about TikTok and national security are presently focused on one or two assets.

First, they worry that a large volume of data may be collected and used by Chinese government agencies, after these agencies receive it either voluntarily from TikTok or after compelling its disclosure. Commentators argue that Chinese companies are bound to obey the national security laws of China and, as such, may be forced to disclose data without any notice to users or non-Chinese government agencies. This information could be used to obtain information about specific individuals or communities, inclusive of what people are searching on the platform (e.g., medical information, financial information, sexual preference information), what they are themselves posting and could be embarrassing, or metadata which could be used for subsequent targeting.

Second, some commentators are adopting a somewhat odious language of ‘cognitive warfare’ in talking about TikTok.1 The argument is that the Chinese government might compel the company to modify its algorithms so as to influence what people are seeing on the platform. The intent of this modification would be to influence political preferences or social and cultural perceptions. Some worry this kind of influence could guide whom individuals are more likely to vote for (e.g., you see a number of videos that directly or indirectly encourage you to support particular political parties), cause generalised apathy (e.g., you see videos that suggest that all parties are bad and none worth voting for), or enhance societal tensions (e.g., work to inflame partisanship and impair the functioning of otherwise moderate democracies). Or, as likely, a combination of each of these kinds of influence operations. Moreover, the TikTok algorithm could be modified by government compulsion to prioritise videos that praise some countries or that suppress videos which negatively portray other countries.

What Is the Sensitivity of the Assets?

When we consider the sensitivity of the information and data which is collected by TikTok it can be potentially high but, in practice, possesses differing sensitivities based on the person(s) in question. Research conducted by the University of Toronto’s Citizen Lab found that while TikTok does collect a significant volume of information, that volume largely parallels what Facebook or other Western companies collect. To put this slightly differently, a lot of information is collected and the sensitivity is associated with whom it belongs to, who may have access to it, and what those parties do with it.

When we consider who is using TikTok and having their information uploaded to the company’s servers, then, the question becomes whether there is a particular national security risk linked with this activity. While some individuals may potentially be targets based on their political, business, or civil society bonafides this will not be the case with all (or most) users. However, in even assessing the national security risks linked to individuals (or associated groups) it’s helpful to do a little more thinking.

First, the amount of information that is collected by TikTok, when merged with other data which could theoretically be collected using other signals intelligence methods (e.g., extracting metadata and select content from middle-boxes, Internet platforms, open-source locations, etc) could be very revealing. Five Eyes countries (i.e., Australia, Canada, New Zealand, the United Kingdom, and the United States of America) collect large volumes of metadata on vast swathes of the world’s populations in order to develop patterns of life which, when added together, can be deeply revelatory. When and how those countries’ intelligence agencies actually use the collected information varies and is kept very secretive. Generally, however, only a small subset of individuals whose information is collected and retained for any period of time have actions taken towards them. Nonetheless, we know that there is a genuine concern about information from private companies being obtained by intelligence services in the Five Eyes and it’s reasonable to be concerned that similar activities might be undertaken by Chinese intelligence services.

Second, the kinds of content information which are retained by TikTok could be embarrassing at a future time, or used by state agencies in ways that users would not expect or prefer. Imagine a situation where a young person says or does something on TikTok which is deeply offensive. Fast forward 3-4 years and their parents are diplomats or significant members of the business community, and that offensive content is used by Chinese security services to embarrass or otherwise inconvenience the parents. Such influence operations might impede Canada’s ability to conduct its diplomacy abroad or undermine the a business’s ability to prosper.

Third, the TikTok algorithm is not well understood. There is a risk that the Chinese government might compel ByteDance, and through them the TikTok platform, to modify algorithms to amplify some content and not others. It is hard to assess how ‘sensitive’ a population’s general sense of the world is but, broadly, if a surreptitious foreign influence operation occurred it might potentially affect how a population behaves or sees the world. To be clear this kind of shift in behaviour would not follow from a single video but from a concerted effort over time that shifted social perceptions amongst at least some distinct social communities. The sensitivity of the information used to identify videos to play, then, could be quite high across a substantial swathe of the population using the platform.

It’s important to recognise that in the aforementioned examples there is no evidence that ByteDance, which owns TikTok, has been compelled by the Chinese government to perform these activities. But these are the kinds of sensitivities that are linked to using TikTok and are popularly discussed.

What Should Be Done To Protect Assets?

The threats which are posed by TikTok are, at the moment, specious: it could be used for any number of things. Why people are concerned are linked less to the algorithm or data that is collected but, instead, to ByteDance being a Chinese company that might be influenced by the Chinese government to share data or undertake activities which are deleterious to Western countries’ interests.

Bluntly: the issue raised by TikTok is not necessarily linked to the platform itself but to the geopolitical struggles between China and other advanced economies throughout the world. We don’t have a TikTok problem per se but, instead, have a Chinese national security and foreign policy problem. TikTok is just a very narrow lens through which concerns and fears are being channelled.

So in the absence of obvious and deliberate harmful activities being undertaken by ByteDance and TikTok at the behest of the Chinese government what should be done? At the outset it’s worth recognising that many of the concerns expressed by politicians–and especially those linked to surreptitious influence operations–would already run afoul of Canadian law. The CSIS Act bars clandestine foreign intelligence operations which are regarded as threatening the security of Canada. Specifically, threats to the security of Canada means:

(a) espionage or sabotage that is against Canada or is detrimental to the interests of Canada or activities directed toward or in support of such espionage or sabotage,

(b) foreign influenced activities within or relating to Canada that are detrimental to the interests of Canada and are clandestine or deceptive or involve a threat to any person,

(c) activities within or relating to Canada directed toward or in support of the threat or use of acts of serious violence against persons or property for the purpose of achieving a political, religious or ideological objective within Canada or a foreign state, and

(d) activities directed toward undermining by covert unlawful acts, or directed toward or intended ultimately to lead to the destruction or overthrow by violence of, the constitutionally established system of government in Canada,

CSIS is authorised to undertake measures which would reduce the threats to the security of Canada, perhaps in partnership with the Communications Security Establishment, should such a threat be identified and a warrant obtained from the federal court.

On the whole a general ban on TikTok is almost certainly disproportionate and unreasonable at this point in time. There is no evidence of harm. There is no evidence of influence by the Chinese government. Rather than banning the platform generally I think that more focused legislation or policy could make sense.

First, I think that legislation or (preferably) policies precluding at least some members of government and senior civil servants from using TikTok has some merit. In these cases a risk analysis should be conducted to determine if collected information would undermine the Government of Canada’s ability to secure confidential information or if the collected information could be used for intelligence operations against the government officials. Advice might, also, be issued by the Canadian Security Intelligence Service so that private organisations are aware of their risks. In exceptional situations some kind of security requirements might also be imposed on private organisations and individuals, such as those who are involved in especially sensitive roles managing critical infrastructure systems. Ultimately, I suspect the number of people who should fall under this ban would, and should, be pretty small.

Second, what makes sense is legislation that requires social media companies writ large–not just TikTok–to make their algorithms and data flows legible to regulators. Moreover, individual users should be able to learn, and understand, why certain content is being prioritised or shown to them. Should platforms decline to comply with such a the law then sanctions may be merited. Similarly, should algorithmic legibility showcase that platforms are being manipulated or developed in ways that deliberately undermine social cohesion then some sanctions might be merited, though with the caveat that “social cohesion” should be understood as referring to platforms being deliberately designed to incite rage or other strong emotions with the effect of continually, and artificially, weakening social cohesion and amplifying social cleavages. The term should not, however, be seen as a kind of code for creating exclusionary social environments where underprivileged groups continue to be treated in discriminatory ways.

So Is TikTok ‘Dangerous’ From A National Security Perspective?

Based on open source information2 there is no reason to think that TikTok is currently a national security threat. Are there any risks associated with the platform? Sure, but they need to be juxtaposed against equivalent or more serious threats and priorities. We only have so many resources to direct towards the growing legion of legitimate national security risks and issues; funnelling a limited set of resources towards TikTok may not be the best kind of prioritisation.

Consider that while the Chinese government could compel TikTok to disclose information about its users to intelligence and security services…the same government could also use business cutouts and purchase much of the same information from data brokers operating in the United States and other jurisdictions. There would be no need to secretly force a company to do something when, instead, it could just lawfully acquire equivalent (or more extensive!) information. This is a pressing and real national security (and privacy!) issue and is deserving of legislative scrutiny and attention.

Further, while there is a risk that TikTok could be used to manipulate social values…the same is true of other social networking services. Indeed, academic and journalistic research over the past 5-7 years has drawn attention to how popular social media services are designed to deliver dopamine hits and keep us on them. We know that various private companies and public organisations around the world work tirelessly to ‘hack’ those algorithms and manipulate social values. Of course this broader manipulation doesn’t mean that we shouldn’t care but, also, makes clear that TikTok isn’t the sole vector of these efforts. Moreover, there are real questions about the how well social influence campaigns work: do they influence behaviour–are they supplying change?–or is the efficaciousness of any campaign representative of an attentive and interested pre-existing audience–is demand for the content the problem?

The nice thing about banning, blocking, or censoring material, or undertaking some other kind of binary decision, is that you feel like you’ve done something. Bans, blocks, and censors are typically designed for a black and white world. We, however, live in a world that is actually shrouded in greys. We only have so much legislative time, so much policy capacity, so much enforcement ability: it should all be directed efficiently to understanding, appreciating, and addressing the fulness of the challenges facing states and society. This time and effort should not be spent on performative politics that is great for providing a dopamine hit but which fails to address the real underlying issues.

  1. I have previously talked about the broader risks of correlating national security and information security.
  2. Open source information means information which you or I can find, and read, without requiring a security clearance.

Unpacking NSIRA’s 2020 Annual Report

/ Christopher Parsons
black and white typewriter on table
Photo by Markus Winkler on Pexels.com

On December 13, 2021, the National Security Intelligence Review Agency (NSIRA) released its 2020 Annual Report. NSIRA is responsible for conducting national security reviews of Canadian federal agencies, and their annual report summarizes activities that have been undertaken in 2020 and also indicates NSIRA’s plans for future work.

I want to highlight three points that emerge from my reading of report:

  1. NSIRA has generally been able to obtain the information it required to carry out its reviews. The exception to this, however, is that NSIRA has experienced challenges obtaining information from the Communications Security Establishment (CSE). It is not entirely clear why this has been the case.
  2. While most of NSIRA’s reviews have been completed in spite of the pandemic, this is not the case with CSE reviews where several remain outstanding.
  3. NSIRA has spent time in the annual report laying out tripwires that, if activated, will alert Canadians and their elected officials to problems that the review agency may be experiencing in fulfilling its mandate. It is imperative that observers pay close attention to these tripwires in future reviews. However, while these tripwires are likely meant to demonstrate the robustness of NSIRA reviews they run the risk of undermining review conclusions if not carefully managed.

In this post, I proceed in the order of the annual review and highlight key items that stood out. The headings used in this post, save for analysis headings, are correlated with the headings of the same name in the annual report itself.

Continue reading

Reflections on “Foreign Interference: Threats to Canada’s Democratic Process”

/ Christopher Parsons
crop hacker typing on laptop with data on screen
Photo by Sora Shimazaki on Pexels.com

It is widely expected that Canadians will be going to the polls in the next few months. In advance of the election the Canadian Security Intelligence Service (CSIS) has published an unclassified report entitled, “Foreign Interference: Threats to Canada’s Democratic Process.”1 

In this post I briefly discuss some of the highlights of the report and offer some productive criticism concerning who the report and its guidance is directed at, and the ability for individuals to act on the provided guidance. The report ultimately represents a valuable contribution to efforts to increase the awareness of national security issues in Canada and, on that basis alone, I hope that CSIS and other members of Canada’s intelligence and security community continue to publish these kinds of reports.

Summary

The report generally outlines a series of foreign interference-related threats that face Canada, and Canadians. Foreign interference includes, “attempts to covertly influence, intimidate, manipulate, interfere, corrupt or discredit individuals, organizations and governments to further the interests of a foreign country” and are, “carried out by both state and non-state actors” towards, “Canadian entities both inside and outside of Canada, and directly threaten national security” (Page 5). The report is divided into sections which explain why Canada and Canadians are targets of foreign interference, the types of foreign states’ goals, who might be targeted, and the techniques that might be adopted to apply foreign interference and how to detect and avoid such interference. The report concludes by discussing some of the election-specific mechanisms that have been adopted by the Government of Canada to mitigate the effects and effectiveness of foreign interference operations.

On the whole this is a pretty good overview document. It makes a good academic teaching resource, insofar as it provides a high-level overview of what foreign interference can entail and would probably serve as a nice kick off to discuss the topic of foreign interference more broadly.2

Continue reading

NSIRA Calls CSE’s Lawfulness Into Question

/ Christopher Parsons
photo of cryptic character codes and magnifying glass on table top
Photo by cottonbro on Pexels.com

On June 18, 2021, the National Security Intelligence Review Agency (NSIRA) released a review of how the Communications Security Establishment (CSE) disclosed Canadian Identifying Information (CII) to domestic Canadian agencies. I draw three central conclusions to the review.

  1. CSE potentially violated the Privacy Act, which governs how federal government institutions handle personal information.
  2. The CSE’s assistance to the Canadian Security Intelligence Service (CSIS) was concealed from the Federal Court. The Court was responsible for authorizing warrants for CSIS operations that the CSE was assisting with.
  3. CSE officials may have misled Parliament in explaining how the assistance element of its mandate was operationalized in the course of debates meant to extend CSE’s capabilities and mandate.

In this post I describe the elements of the review, a few key parts of CSE’s response it, and conclude with a series of issues that the review and response raise.

Background

Under the National Defence Act, CSE would incidentally collect CII in the course of conducting foreign signals intelligence, cybersecurity and information assurance, and assistance operations. From all of those operations, it would produce reports that were sent to clients within the Government of Canada. By default, Canadians’ information is expected to be suppressed but agencies can subsequently request CSE to re-identify suppressed information.

NSIRA examined disclosures of CII which took place between July 1, 2015 – July 31, 2019 from CSE to all recipient government departments; this meant that all the disclosures took place when the CSE was guided by the National Defense Act and the Privacy Act.1 In conducting their review NSIRA looked at, “electronic records, correspondence, intelligence reports, legal opinions, policies, procedures, documents pertaining to judicial proceedings, Ministerial Authorizations, and Ministerial Directives of relevance to CSE’s CII disclosure regime” (p. 2). Over the course of its review, NSIRA engaged a range of government agencies that requested disclosures of CII, such as the Royal Canadian Mounted Police (RCMP) and Innovation Science and Economic Development Canada (ISED). NSIRA also assessed the disclosures of CII to CSIS and relevant CSIS’ affidavits to the Federal Court.

Continue reading

Dissecting CSIS’ Statement Concerning Indefinite Metadata Retention

/ Christopher Parsons

PR? by Ged Carrol (CC BY 2.0) https://flic.kr/p/6jshtz

PR? by Ged Carrol (CC BY 2.0) https://flic.kr/p/6jshtz

In this brief post I debunk the language used by CSIS Director Michel Coulombe in his justification of CSIS’s indefinite data retention program. That program involved CSIS obtaining warrants to collect communications and then, unlawfully, retaining the metadata of non-targeted persons indefinitely. This program was operated out of the Operational Data Analysis Centre (ODAC). A Federal Court judge found that CSIS’ and the Department of Justice’s theories for why the program was legal were incorrect: CSIS had been retaining the metadata, unlawfully, since the program’s inception in 2006. More generally, the judge found that CSIS had failed to meet its duty of candour to the court by failing to explain the program, and detail its existence, to the Court.

The public reactions to the Federal Court’s decision has been powerful, with the Minister of Public Safety being challenged on CSIS’s activities and numerous mainstream newspapers publishing stories that criticize CSIS’ activities. CSIS issued a public statement from its Director on the weekend following the Court’s decision, which is available at CSIS’ website. The Federal Court’s decision concerning this program is being hosted on this website, and is also available from the Federal Court’s website. In what follows I comprehensively quote from the Director’s statement and then provide context that, in many cases, reveals the extent to which the Director’s statement is designed to mislead the public.

Continue reading