I want to highlight three points that emerge from my reading of report:
NSIRA has generally been able to obtain the information it required to carry out its reviews. The exception to this, however, is that NSIRA has experienced challenges obtaining information from the Communications Security Establishment (CSE). It is not entirely clear why this has been the case.
While most of NSIRA’s reviews have been completed in spite of the pandemic, this is not the case with CSE reviews where several remain outstanding.
NSIRA has spent time in the annual report laying out tripwires that, if activated, will alert Canadians and their elected officials to problems that the review agency may be experiencing in fulfilling its mandate. It is imperative that observers pay close attention to these tripwires in future reviews. However, while these tripwires are likely meant to demonstrate the robustness of NSIRA reviews they run the risk of undermining review conclusions if not carefully managed.
In this post, I proceed in the order of the annual review and highlight key items that stood out. The headings used in this post, save for analysis headings, are correlated with the headings of the same name in the annual report itself.
In this post I briefly discuss some of the highlights of the report and offer some productive criticism concerning who the report and its guidance is directed at, and the ability for individuals to act on the provided guidance. The report ultimately represents a valuable contribution to efforts to increase the awareness of national security issues in Canada and, on that basis alone, I hope that CSIS and other members of Canada’s intelligence and security community continue to publish these kinds of reports.
The report generally outlines a series of foreign interference-related threats that face Canada, and Canadians. Foreign interference includes, “attempts to covertly influence, intimidate, manipulate, interfere, corrupt or discredit individuals, organizations and governments to further the interests of a foreign country” and are, “carried out by both state and non-state actors” towards, “Canadian entities both inside and outside of Canada, and directly threaten national security” (Page 5). The report is divided into sections which explain why Canada and Canadians are targets of foreign interference, the types of foreign states’ goals, who might be targeted, and the techniques that might be adopted to apply foreign interference and how to detect and avoid such interference. The report concludes by discussing some of the election-specific mechanisms that have been adopted by the Government of Canada to mitigate the effects and effectiveness of foreign interference operations.
On the whole this is a pretty good overview document. It makes a good academic teaching resource, insofar as it provides a high-level overview of what foreign interference can entail and would probably serve as a nice kick off to discuss the topic of foreign interference more broadly.2
CSE potentially violated the Privacy Act, which governs how federal government institutions handle personal information.
The CSE’s assistance to the Canadian Security Intelligence Service (CSIS) was concealed from the Federal Court. The Court was responsible for authorizing warrants for CSIS operations that the CSE was assisting with.
CSE officials may have misled Parliament in explaining how the assistance element of its mandate was operationalized in the course of debates meant to extend CSE’s capabilities and mandate.
In this post I describe the elements of the review, a few key parts of CSE’s response it, and conclude with a series of issues that the review and response raise.
Under the National Defence Act, CSE would incidentally collect CII in the course of conducting foreign signals intelligence, cybersecurity and information assurance, and assistance operations. From all of those operations, it would produce reports that were sent to clients within the Government of Canada. By default, Canadians’ information is expected to be suppressed but agencies can subsequently request CSE to re-identify suppressed information.
NSIRA examined disclosures of CII which took place between July 1, 2015 – July 31, 2019 from CSE to all recipient government departments; this meant that all the disclosures took place when the CSE was guided by the National Defense Act and the Privacy Act.1 In conducting their review NSIRA looked at, “electronic records, correspondence, intelligence reports, legal opinions, policies, procedures, documents pertaining to judicial proceedings, Ministerial Authorizations, and Ministerial Directives of relevance to CSE’s CII disclosure regime” (p. 2). Over the course of its review, NSIRA engaged a range of government agencies that requested disclosures of CII, such as the Royal Canadian Mounted Police (RCMP) and Innovation Science and Economic Development Canada (ISED). NSIRA also assessed the disclosures of CII to CSIS and relevant CSIS’ affidavits to the Federal Court.
In this brief post I debunk the language used by CSIS Director Michel Coulombe in his justification of CSIS’s indefinite data retention program. That program involved CSIS obtaining warrants to collect communications and then, unlawfully, retaining the metadata of non-targeted persons indefinitely. This program was operated out of the Operational Data Analysis Centre (ODAC). A Federal Court judge found that CSIS’ and the Department of Justice’s theories for why the program was legal were incorrect: CSIS had been retaining the metadata, unlawfully, since the program’s inception in 2006. More generally, the judge found that CSIS had failed to meet its duty of candour to the court by failing to explain the program, and detail its existence, to the Court.
The public reactions to the Federal Court’s decision has been powerful, with the Minister of Public Safety being challenged on CSIS’s activities and numerous mainstream newspapers publishing stories that criticize CSIS’ activities. CSIS issued a public statement from its Director on the weekend following the Court’s decision, which is available at CSIS’ website. The Federal Court’s decision concerning this program is being hosted on this website, and is also available from the Federal Court’s website. In what follows I comprehensively quote from the Director’s statement and then provide context that, in many cases, reveals the extent to which the Director’s statement is designed to mislead the public.
In our recent report, “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians,” we discussed how the Communications Security Establishment (CSE) developed and deployed a sensor network within domestic and foreign telecommunications networks. While our report highlighted some of the concerns linked to this EONBLUE sensor network, including the dangers of secretly extending government surveillance capacity without any public debate about the extensions, as well as how EONBLUE or other CSE programs programs collect information about Canadians’ communications, we did not engage in a comparison of how Canada and its closest allies monitor domestic network traffic. This post briefly describes the EONBLUE sensor program, what may be equivalent domestic programs in the United States, and the questions that emerge from contrasting what we know about the Canadian and American sensor networks.
What is EONBLUE?
EONBLUE was developed and deployed by the CSE. The CSE is Canada’s premier signals intelligence agency. The EONBLUE sensor network “is a passive SIGINT system that was used to collect ‘full-take’ data, as well as conduct signature and anomaly based detections on network traffic.” Prior Snowden documents showcased plans to integrate EONBLUE into government networks; the network has already been integrated into private companies’ networks. Figure one outlines the different ‘shades of blue’, or variations of the EONBLUE sensors:
The report examines how contemporary telecommunications surveillance is governed in Canada. In it, we ask how much telecommunications surveillance is occurring in Canada, what actors are enabling the surveillance, to what degree those actors disclose their involvement in (and the magnitude of) surveillance, and what degree of oversight is given to the federal governments’ surveillance practices. We conclude that serious failures in transparency and accountability indicate that corporations are failing to manage Canadians’ personal information responsibly and that government irresponsibility surrounding accountability strains its credibility and aggravates citizens’ cynicism about the political process. In aggregate, these failings endanger both the development of Canada’s digital economy and aggravate the democratic deficit between citizens and their governments.