Transparency

NSICOP’s 2022 Annual Report

/ Christopher Parsons
Photo by Pixabay on Pexels.com

On July 19, 2023 the National Security and Intelligence Committee of Parliamentarians (NSICOP) released its annual report. The report continues the committee’s work of providing transparency around a number of the national security activities which are undertaken by the Government of Canada. This report assumes heightened importance because NSICOP’s authorizing legislation is now expected to undergo a 5-year review; this report is helpful in understanding what kinds of legislative reforms the Committee, itself, believes are important so as to maintain or enhance Canadian residents’ trust in the country’s national security agencies.

In this post I summarize the challenges that NSICOP believes face it, its proposed legislative reforms, and then briefly itemize notable aspects of reviews that are either underway or which have been concluded. Ultimately I believe that we can firmly state that NSICOP’s work has revealed important aspects of the Canadian national security community’s operations that were hitherto secret and, as such, the Committee’s members and staff are to be congratulated on their efforts over the past five years.

Challenges Facing NSICOP

NSICOP is reporting two key challenges.

First the government is not legislatively required to reply to the recommendations that are included in NSICOP’s reports. These recommendations are issued with the intent of “strengthening the policies, operations and accountability of the security and intelligence community.” While they may sometimes require the federal government to undertake additional activities NSICOP is hardly a ‘gotcha’ review body.

To its credit the government has begun to respond to some recommendations but the majority of those made by NSICOP have yet to be publicly taken up. Beyond indicating the effectiveness of NSICOP’s work—and thus ensuring that the public knows that NSICOP isn’t a paper tiger—responses from the government are important for unmasking some of the secrecy surrounding national security activities. Residents of Canada largely lack insight into the government’s national security policies. NSICOP’s recommendations, and how the government responds to them, provide some degree of light into an otherwise very dark and shadowy world.

Second the Committee is warning (again) that there is a serious issue around obtaining information to which the Committee is lawfully entitled. There are three stated situations where information is not being disclosed to NSICOP:

  1. Some departments have cited reasons outside the statutory exceptions found in the National Security and Intelligence Committee of Parliamentarians Act for not providing information that the Committee requested in past reviews
  2. Some departments selectively refused to provide relevant information, such as a departmental study, despite the Committee’s right of access under its enabling legislation
  3. The Committee is concerned that an overbroad legal definition of what constitutes a Cabinet confidence has had an impact on the Committee’s reviews

For any review agency to function it requires access to information that it is lawfully entitled to obtain, so as to assess agencies’ activities and provide meaningful recommendations or take other actions under its mandate. It is concerning that, in at least some cases, NSICOP reports that information it sought directly from organizations was only discovered through different sources, be they indirectly from third-party organizations or even from records released publicly under the federal Access to Information and Privacy regime.

Readers would be advised to consider the implications of the challenges facing NSICOP, and then place them alongside recent efforts by the National Security Intelligence Review Agency (NSIRA) to include a confidence statement with its recent reports due to NSIRA’s own challenges in sometimes obtaining the information it required to undertake its legislatively-mandated review functions. That both agencies have reported challenges in accessing documents raises questions about the review maturity of organizations which are now subject to national security review.

Proposed Legislative Reform

From a legislative reform standpoint, NSICOP is indicating that it will make two central submissions when called to discuss reforms to the NSICOP Act.

First, it will ask that the NSICOP Act be reformed to confirm that the Committee and its members can get improved access to information and, also, be able to better exchange information with other review bodies. This latter call—improved exchange of information—is notable and worth considering: where regulated agencies can coordinate amongst themselves it is imperative that their review agencies can, similarly, coordinate and exchange information. Such exchanges between review agencies serve multiple purposes, including:

  • sharing information relevant to a review
  • enabling better deconfliction processes
  • letting review agencies better coordinate when they are simultaneously examining the same subject from the slightly different perspectives associated with their respective mandates.

Second, NSICOP is stating that it will request legislative changes to better align its composition with the United Kingdom’s Intelligence and Security Committee (ISC). Specifically, NSICOP believes that becoming a body of Parliament (and not of the executive branch) would “enhance the independence and efficiency of the Committee.”

For clarity, the UK’s ISC is a committee of Parliament with a statutory responsibility for the oversight of the UK intelligence community. In shifting to this model NSICOP would no longer operate within the executive branch—and, thus, perceived as being subject to executive capture—and enable members of the public as well as parliamentarians to recognize that the Committee’s members were not being gagged or otherwise manipulated by merit of NSICOP being housed within the executive branch.

The decision to create NSICOP as an executive branch body was seen at the time as a way to slowly develop trust and capacity between parliamentarians and reviewed intelligence agencies, as well as guaranteeing that parliamentarians did not inappropriately handle information. Some who once called for NSICOP to be within the executive have, since, shifted perspectives and believe it should be turned into a parliamentary body. It remains unclear, however, whether the federal government similarly believes this would be an appropriate modification to NSICOP.

Both of these reforms would constitute significant shifts in the ability of the Committee to undertake its activities and will deserve careful and close thought, and assessments of the extents to which these reforms would genuinely enhance NSICOP’s capacity to fulfill its mandate.

Recent and Underway Reviews

2022 saw NSICOP complete or initiate a number of notable reviews. These include:

  • A Special Report on the Government of Canada’s Framework to and Activities to Defend its Systems and Networks from Cyber Attack (Completed)1
  • A Special Report on the National Security and Intelligence Activities of Global Affairs Canada (Completed)
  • A review of the lawful interception of communications of security and intelligence organizations and the “going dark” challenge (Ongoing)
  • A review of the RCMP’s Federal Policing mandate (Ongoing)

None of NSICOP’s proposed reviews in 2022 were deemed injurious to national security, nor was information denied to the Committee based on these grounds. Twelve agencies were required to provide a copy of their annual reports as required under the Avoiding Complicity in Mistreatment by Foreign Entities Act. Twelve provided them to NSICOP, though they are not reviewed or assessed in the annual report.

NSICOP did not receive any referrals by minister of the Crown to undertake a review of a national security or intelligence matter.

A Special Report on the National Security and Intelligence Activities of Global Affairs Canada

This special report was tabled in November 2022. The annual report notes that “significant weaknesses” were found around Global Affairs Canada’s (GAC) internal governance of its foreign policy coherence role. Namely, this included a lack of “policies and few oversight committees” which NSICOP worried “may introduce weaknesses into the government’s assessment of foreign policy risk.” There were, also, concerns around the lack of Ministerial direction about how GAC collected intelligence around the world. There was also no formal process by which GAC informed its Minister of how it plays a role in relation to CSIS’ collection of intelligence. Relatedly, NSICOP was concerned by “the near total absence of governance and formalized reporting to the minister regarding GAC’s facilitator role.”

One of GAC’s key roles is to coordinate the government’s response to terrorist hostage taking. However, NSICOP found that:

GAC has a three-person team that supports an interdepartmental task force, but in twenty years the Department has done little to prepare for these incidents: there is no policy framework, no training, and no routine tabletop simulation exercises for the task force.

At best, GAC convenes implicated departments with much greater operational roles and specific accountabilities, and works to build a coherent approach without authority to direct a whole-of-government response. Part of the challenge is one of the Department’s own making: over the past 10 years, it has not developed the necessary policy, operational and training mechanisms for implicated government organizations to respond to such events coherently. Notwithstanding these gaps, the most significant problem is political: successive governments have failed to provide direction for a framework to address such critical incidents or provide specific direction on individual cases. Together, these challenges undermine the ability of the Department and its security and intelligence partners to respond effectively to hostage-takings.

Upon receiving the review GAC committed to reforms to respond to the issues identified by NSICOP.

Summaries and Recommendations of Prior Reviews

NSICOP’s annual report helpfully provides a listing of past reports that it has undertaken and allocates a page to each review. These summarize the issues taken up in a given report, identify the associated recommendations, and clarify the extent to which the government has (or has not) responded to each of them. The summaries, also, go so far as to indicate when legislation overtook particular recommendations, such as NSICOP’s proposal that the National Security and Intelligence Review Agency (NSIRA) be mandated to issue an annual report pertaining to the Department of National Defence/Canadian Armed Forces activities related to national security or intelligence.

Many of these reviews have drawn significant attention since they were released, such as NSICOP’s report on foreign interference (and which included the recommendation that combatting foreign interference include establishing “regular mechanisms to work with sub-national levels of government and law enforcement organizations, including to provide necessary security clearances”), but the summarization of these reviews is helpful for simply remembering all of the work that the Committee and its members have undertaken since its inception. It would be helpful for all review agencies to develop public timelines to include in their annual reports and on their websites; such timelines could just denote and link to all of the reports the review agency has completed (or begun) so that readers could better appreciate (and remember) their past and ongoing work.

I think that it’s important to highlight that, just one decade ago, these summaries alone would have been considered an amazing amount of detail that pulled the veil back on Canada’s national security activities. That we can read the summaries, as well as the redacted reports that are posted on the Committee’s website, is astounding when considering where Canada was in terms of national security transparency and accountability ten years ago. When combined with other reporting from NSIRA and the Intelligence Commissioner it is apparent that the public and parliamentarians alike are in a remarkably better situation to understand, assess, interrogate, and approve of (or call for the cessation of) the actions carried out by Canada’s national security agencies.

Conclusion

NSICOP has sometimes been on the receiving end of critiques or complaints, some of which have arguably been deserved and others less so. It is a body that has been severely tested by some public and political pressures. And it has been challenged in fulfilling elements of its mandate for reasons described in its 2022 annual report.

Nevertheless, the Committee and its members are to be congratulated for their efforts. They have worked to release information that hitherto has been kept secret from the public and parliamentarians. There remain challenges to overcome and more must be done to further enhance the public’s and parliamentarians’ understanding of national security agencies, challenges and threats facing Canadians institutions and organizations, and responses that the government has undertaken in response. Still, NSICOP has done much to educate the public since its inception and, if its legislation is reformed per its requests, I suspect the Committee could be even better situated to undertaking reviews while further raising the levels of awareness of national security issues.

  1. For my previous analysis of this report, see: “Unpacking NSICOP’s Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack↩︎

Questions Surrounding NSIRA’s ‘Cyber Incident’

/ Christopher Parsons
wood dirty writing abstract
Photo by alleksana on Pexels.com

On April 16, 2021 the National Security Intelligence Review Agency (NSIRA) published a statement on their website that declared they had experienced a ‘cyber incident’ that involved an unauthorized party accessing the Agency’s external network. This network was not used for Secret or Top Secret information. 

NSIRA is responsible for conducting national security reviews of Canadian federal agencies, inclusive of “the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security and intelligence activities of all other federal departments and agencies.” The expanded list of departments and agencies includes the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND), Global Affairs Canada (GAC), and the Department of Justice (DoJ). As a result of their expansive mandate, the Agency has access to broad swathes of information about the activities which are undertaken by Canada’s national security and intelligence community. 

Despite the potential significance of this breach, little has been publicly written about the possible implications of the unauthorized access. This post acts as an early round of analysis of the potential significance of the access by, first, outlining the kinds of information which may have been accessed by the unauthorized party and, then, raising a series of questions that remain unanswered in NSIRA’s statement. The answers to these questions may dictate the actual seriousness and severity of the cyber-incident.

What is Protected Information?

NSIRA’s unclassified information includes Protected information. Information is classified as Protected when, if compromised, it “could reasonably be expected to cause injury to a non-national interest—that is, an individual interest such as a person or an organization.” There are three classes of protected information that are applied based on the sensitivity of the information. Protected A could, if compromised, “cause injury to an individual, organization or government,” whereas compromising Protect B information could “cause serious injury.” Compromising Protected C information could “cause extremely grave injury”. Protected C information is safeguarded in the same manner as Confidential or Secret material which, respectively, could cause injury or could cause serious injury to “the national interest, defence and maintenance of the social, political, and economic wellbeing of Canada” in the case of either being compromised.

Intrusion into protected networks brings with it potentially significant concerns based on the information which may be obtained. Per Veterans Affairs, employee information associated with Protected A information could include ‘tombstone’ information such as name, home address, telephone numbers or date of birth, personal record identifiers, language test results, or views which if made public would cause embarrassment to the individual or organization. Protected B could include medical records (e.g., physical, psychiatric, or psychological descriptions), performance reviews, tax returns, an individual’s financial information, character assessments, or other files or information that are composed of a significant amount of personal information. 

More broadly, Protected A information can include third-party business information that has been provided in confidence, contracts, or tenders. Protected B information in excess of staff information might include that which, if disclosed, could cause a loss of competitive advantage to a Canadian company or could impede the development of government policies such as by revealing Treasury Board submissions. 

In short, information classified as Protected could be manipulated for a number of ends depending on the specifics of what information is in a computer network. Theoretically, and assuming that an expansive amount of protected information were present, the information might be used by third-parties to attempt to recruit or target government staff or could give insights into activities that NSIRA was interested in reviewing, or is actively reviewing. Further, were NSIRA either reviewing non-classified government policies or preparing such policies for the Treasury Board, the revelation of such information might advantage unauthorized parties by enabling them to predict or respond to those policies in advance of their being put in place.

Continue reading

The (In)effectiveness of Voluntarily Produced Transparency Reports

/ Christopher Parsons

Payphones by Christopher Parsons (All Rights Reserved)

I have a paper on telecommunications transparency reports which has been accepted for publication in Business and Society for later this year.

Centrally, the paper finds that companies will not necessarily produce easily comparable reports in relatively calm political waters and that, even should reports become comparable, they may conceal as much as they reveal. Using a model for evaluating transparency reporting used by Fung, Graham, and Weil in their 2007 book, Full Disclosure: The Perils and Promises of Transparency, I find that the reports issued by telecommunications companies are somewhat effective because they have led to changes in corporate behaviour and stakeholder interest, but have have been largely ineffective in prodding governments to behave more accountably. Moreover, reports issued by Canadian companies routinely omit how companies themselves are involved in facilitating government surveillance efforts when not legally required to do so. In effect, transparency reporting — even if comparable across industry partners — risks treating the symptom — the secrecy of surveillance — without getting to the cause — how surveillance is facilitated by firms themselves.

A pre-copyedited version of the paper, titled, “The (In)effectiveness of Voluntarily Produced Transparency Reports,” is available at the Social Sciences Research Network.

Beyond ATIP: New Methods for Researching State Surveillance Practices

/ Christopher Parsons

9781894037679I’ve had a book chapter, titled “Beyond ATIP: New Methods for Researching State Surveillance,” published in Access To Information And Social Justice: Critical Research Strategies for Journalists, Scholars, and Activists. The book was edited by Jamie Brownlee and Kevin Walby and is available for purchase at a variety of brick and mortar, as well as online, book vendors. The book combines political and practical aspects of Access to Information and Privacy (ATIP) research in a single volume. In addition to exposing how ATIP-related documents have led to major, nation-affecting, news stories the book helps Canadian citizens use and navigate the federal access to information processes.

My contribution argued the ATIP process must be supplemented when  investigating particularly secretive government practices. I drew from work that I conducted at the Citizen Lab as part of the Telecommunications Transparency Project, specifically focusing on activities undertaken between January-August 2014.

Full Abstract

This chapter focuses on the challenges of studying the difficult and often obscure issues of Canadian state and corporate surveillance. Researchers routinely turn to Access to Information and Privacy (ATIP) requests to cut through this obscurity, but the laws are often too weak, too poorly enforced, or too full of deliberate loopholes and blind spots to provide comprehensive awareness about surveillance. Thus, additional methodological techniques are needed to pierce the veil of government secrecy. But what kinds of techniques can be successful, what are their limitations, and how effective are they? How can researchers better understand the kinds of surveillance programs that the federal government is conducting now, and has conducted in the past? I begin by discussing the merits and drawbacks of federal ATIP legislation, a legal tool that is routinely used to learn about the scope and dimensions of state surveillance. In light of the ATIP regime’s relative limits in revealing the contours of federal surveillance, I discuss how researchers can use a variety of political, regulatory, and legal techniques to increase government accountability and corporate transparency. Importantly, the methodological proposals I assess have the effect of adding as opposed to replacing data received under ATIP. By adopting an expanded set of methodological techniques, researchers can better fill out and make sense of the often limited revelations that emerge from the ATIP process.

Purchase the book from Amazon.ca // Pre-order from Amazon.com

Image credit: Book cover from Jamie Brownlee and Kevin Walby (Eds.). http://arpbooks.org/books/detail/access-to-information-and-social-justice

Canadian Transparency Publications

/ Christopher Parsons

stack by hobvias sudoneighm (CC BY 2.0) https://flic.kr/p/Fecq6

Academics, private companies, journalists, non-government organizations, and government agencies have all made significant contributions to the telecommunications transparency debate in Canada since the beginning of this year. This post briefly describes the most significant contributions along with links to the relevant publications.

Academic Transparency Publications

Several academic groups published reports addressing telecommunications privacy and transparency issues. The Telecom Transparency Project published “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians,” which explored how much telecommunications surveillance occurs in Canada, what actors enable the surveillance, to what degree those actors disclose their involvement in (and the magnitude of) surveillance, and what degree of oversight is given to the federal governments’ surveillance practices. Two other reports, “Keeping Internet Users in the Know or in the Dark: 2014 Report on Data Privacy Transparency of Canadian Internet Service Providers” and “The 3+3 Project: Evaluating Canada’s Wireless Carriers’ Data Privacy Transparency,” analyzed the privacy practices of major Canadian telecommunications providers. The former report evaluated the data privacy transparency of the most significant forty-three Internet carriers serving the Canadian public and ranked the carriers against ten questions. In contrast, the latter report used 10 criteria to evaluate Canada’s three largest wireless carriers and their extension brands to establish how transparent they were about their privacy practices and how they treated subscribers’ personal information.

Corporate Reports and Guidance

A trio of telecommunications companies also released transparency reports in the first half of 2015. WIND Mobile’s Mobile Transparency (2014) revealed a significant decrease in requests for customer name and address information, and a modest increase of emergency response requests combined with an explosion of court ordered/legislative demands requests. TELUS and Rogers also released transparency reports; overall TELUS’ report shows a small decrease in government requests whereas Rogers’ report shows a significant decrease of roughly 60,000 fewer requests. The relative merits of companies’ transparency reports were discussed in the Telecom Transparency Project’s report, mentioned previously. Industry Canada also released transparency reporting guidelines to “help private organizations be open with their customers, regarding the management and sharing of their personal information with government, while respecting the work of law enforcement, national security agencies, and regulatory authorities.” Some thoughts on those guidelines were published by Michael Geist as well as by the Telecom Transparency Project.

Government Investigations into Domestic Data Collection

During this time the Office of the Privacy Commissioner of Canada also audited how the Royal Canadian Mounted Police (RCMP) collected and used subscriber data. This data was obtained from Canadian telecommunications companies. The Office found that, “the RCMP’s information management systems were not designed to identify files which contained warrantless access requests to subscriber information, we were unable to select a representative sample of files to review. Consequently, we were unable to assess the sufficiency of controls that may exist or if the collection of warrantless requests from TSPs was, or was not in compliance with the collection requirements of the Privacy Act.” The challenges experienced by the Office of the Privacy Commissioner of Canada were perhaps unsurprising, given that the RCMP stated in 2014 that they did not have a way of tracking subscriber data requests in response to questions from MP Charmaine Borg.

Signals Intelligence-Related Publications

There have also been a series of contributions that have focused prominently on Canada’s foreign signals intelligence organization, the Communications Security Establishment. Michael Geist’s edited collection, Law, Privacy and Surveillance in the Post-Snowden Era, contains nine contributions grouped into three parts: understanding surveillance in Canada, legal issues, and prospects for reform. In addition to Geist’s collection, two Canadian archives have been created to host Snowden documents. The first, “The Snowden Archives,” is hosted by the Canadian Journalists for Free Expression. The Snowden Archives contain approximately 400 documents and were compiled “to provide a tool that would facilitate citizen and researcher access to these important documents.” The second is the “Canadian SIGINT Summaries” which collate leaked documents that are exclusively linked to CSE’s operations. The SIGINT Summaries identify when the documents were created, provide a summary of the documents themselves, and also include metadata such as length, codenames, and news stories linked with the documents’ publication. Finally, the Canadian Broadcasting Corporation and the Globe and Mail have both published stories based on Snowden documents.

Summary

Overall, there has been an exceptional amount written on telecom transparency issues in Canada. Several transparency reports are expected later this year from Sasktel, MTS Allstream, and TekSavvy. And the Canadian Internet Registration Authority, though its Community Investment Program, is funding projects which will help Canadians request their personal information from public and private organizations alike as well as to help companies develop transparency reports. The coming months promise to continue being busy for transparency in Canada!

Photo Credit: stack by hobvias sudoneighm (CC BY 2.0) https://flic.kr/p/Fecq6

This post first appeared at the Telecom Transparency Project website.

Industry Canada Transparency Report Guidelines Intensely Problematic

/ Christopher Parsons

5548494699_47f9267020_o-300x200Industry Canada has published guidelines for telecommunications companies to provide transparency reports. The guidelines are ostensibly meant to help companies that want to disclose the regularity, rationale, and extent of Canadian governmental requests for private telecommunications data. The guidelines may actually, however, establish government-sanctioned flaws in transparency reporting and prevent companies from meaningfully informing their customers about government telecommunications surveillance.

We begin this post by briefly summarizing the importance and value of transparency reporting and why Canadian companies should adopt and publish transparency reports. Second, we outline how Industry Canada’s guidelines may enhance transparency reporting. Third, we summarize the significant deficits linked to the guidelines and conclude by discussing how the guidelines could be improved to bring about meaningful and holistic corporate telecommunications transparency reporting.

Background to Transparency Reporting

We discussed the importance of transparency reporting in our recent report, “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians.” Transparency reporting involves companies publicly disclosing data that holds a public interest; telecommunications transparency reports are generally meant to provide complex information in an accessible and factual manner so that subscribers can subsequently make reasonable judgements based on the disclosures. Canadian telecommunications transparency reports have largely focused on policing and security issues to date, and have been released by Rogers, TELUS, Sasktel, TekSavvy, MTS Allstream, and Wind Mobile.

The Citizen Lab and the Telecom Transparency Project have actively encouraged telecommunications companies to release transparency reports. Together, these organizations have written public letters to telecommunications service providers, developed and launched a tool so that Canadians can learn about providers’ data retention and disclosure policies, conducted interviews concerning transparency and surveillance issues in Canada, and filed access to information and privacy requests to understand government surveillance practices. The result of our efforts to date are captured in a report that we released in June 2015, as are a series of recommendations for how members of the telecommunications industry could improve their transparency reports. In the following sections we examine the extent to which Industry Canada’s recently issued guidance aligns with our policy recommendations.

Continue reading