A revised version of this piece is forthcoming in After the Paris Attacks: Responses from Canada, Europe, and Around the Globe edited by Edward M. Iacobucci and Stephen J. Toope (University of Toronto Press, 2015).
Charlie Hebdo. Ottawa. Peshawar. Westgate. Mumbai. Acts of terror such as these have become an unfortunate by-product of the hypermedia world in which we now live. Governments worldwide have responded to these incidents with a sense of urgency: new anti-terrorism laws and expanded law enforcement and intelligence capabilities.
Canada’s version is now before us as Bill C-51, an omnibus crime and anti-terrorism bill that introduces two new security laws and amends 15 existing laws, including the Criminal Code and the CSIS Act. C-51 sets out to counter not just “terrorism” but the vast undefined expanse C-51 describes as “threats to the security of Canada.” The Harper government has pushed variations of these laws unsuccessfully over years. But it was the Ottawa attacks, followed quickly by those in Paris, which created a window of political opportunity prior to federal elections to throw together the package. These measures are the most sweeping change of Canadian national security laws since the 2001 terror attacks on the United States (9/11). As the law is being debated, it is important that Canadians understand the full implications.
Many stakeholders and experts have weighed in on various aspects of C-51 as the proposed legislation has touched off a vigorous public debate. I am going to focus on issues around the role of Canada’s Communications Security Establishment (CSE), our country’s main signals intelligence (SIGINT) agency and the subject of significant media coverage since June 2013 and the disclosures of former National Security Agency (NSA) contractor Edward Snowden.
As one of Canada’s principal security and intelligence agencies, CSE would factor into C-51 in a substantial way. One of the most contentious parts of C-51, the Information Sharing Act, would relax rules on information sharing among at least 17 government agencies, CSE included. As the lead agency charged with gathering intelligence from the global information infrastructure (i.e. the Internet and all Internet-connected systems), protecting Canadian networks from threats abroad, and providing “technical assistance” to Canada’s other security agencies, CSE will be front and centre around the “big data” analysis opened up by C-51 and would take on an even more prominent role than it has today around our security, foreign intelligence, and law enforcement. In order to make an informed opinion, it is imperative that Canadians understand how this highly classified agency operates, what are the statutory limits to its authority, and how it will change should C-51 pass into law.
What is CSE?
Little is known about CSE because of secrecy. Just about everything regarding CSE and its operations are among the most highly classified in the Canadian government. Although CSE traces its origins to World War II, it was not officially acknowledged as existing until 1974, when a CBC investigative news program disclosed details about the agency that led to questions in the House of Commons. Even so, public officials rarely publicly mentioned its name or acknowledged its existence before 9/11. It was only once Snowden’s disclosures opened up a steady stream of media reporting about the CSE did many Canadians even hear about the agency. Even now, CSE remains a mystery to most citizens and many policymakers.
What should Canadians know? First, CSE is a very large agency with an enormous budget that continues to grow. CSE holds the largest operational budget of all of Canada’s intelligence and security agencies. Its annual budget has grown from roughly $100 million annually prior to 2001 to about $600 million today. It has a new billion dollar-plus headquarters in Ottawa that is enormous — roughly 88,700-89,300 square metres, or about 960,000 square feet — that some government insiders have referred to tongue-in-cheek as the “Taj Mahal.” One of the reasons the new headquarters facility is so large is because of the space required to house the supercomputers and data storage equipment, and to ensure a reliable stream of power and water to keep them all running and cool.
It was only once Snowden’s disclosures opened up a steady stream of media reporting about the CSE did many Canadians even hear about the agency
Second, CSE possesses extraordinary capabilities that have been transformed since 9/11. Part of the transformation has to do with increased financial and other resources outlined above. But the more important part of the transformation is a function of the “Big Data” universe in which we now live and a corresponding philosophical change in the orientation of SIGINT agencies that occurred after 9/11 towards collecting as much of that Big Data universe as possible. Former NSA Director Keith Alexander infamously summed up this approach as “collecting the entire haystack.” Practically speaking, “collecting the entire haystack” translates into gathering as much data from as many possible sources of the digital exhaust we leave behind us as we go about our daily lives, from the code to the satellites and everything in between.
Like all Western SIGINT agencies, CSE collects unimaginably huge quantities of data, as much as it is legally allowed to collect (which, as I will explain below, is a very large window). It also has truly global reach: this is not a passive SIGINT agency scanning the horizon for stray radio signals, as we might nostalgically recall from the Cold War. CSE is actively engaged across the globe, tapping into undersea cables, insecure routers, Internet Service Providers (ISPs), telecommunications companies, computers, and even mobile devices in dozens of countries and regions. One slide-deck from the Snowden disclosures, for example, shows that CSE operates a global data mining operation code-named EONBLUE that collects data at “backbone Internet speeds” from “200 sensor points around the globe.”
Third, part of CSE’s extraordinary capabilities and global reach comes from the fact that it is part of the “Five Eyes” (FVEY) alliance and is thus closely integrated with the operations and data collection activities of not only the NSA, but the United Kingdom’s Government Communications Headquarters (GCHQ), and the SIGINT agencies of New Zealand and Australia. The FVEY partnership goes back to World War II and has been increasingly integrated after 9/11. The FVEY agencies convene regularly to share tradecraft and best practices, to benefit from each other’s data collection efforts, and to improve their access to and integration between the massive databases each agency develops and maintains. In many respects, it is more accurate to conceive of CSE as part of a single FVEY machine than it is a stand-alone national agency. When CSE’s analysts conduct intelligence gathering operations or target specific individuals or groups they routinely access NSA and GCHQ databases as part of that exercise.
Oversight, Public Accountability, and Review
By widespread acknowledgement, Canada’s signals intelligence program has the least rigorous oversight, review, and public accountability system of all of the FVEYs. First, there is no “independent oversight” in the proper definition of the term. CSE does not have any outside, independent body double checking its operations or looking over its shoulders. Nor does it have meaningful public accountability, meaning that it does not officially report to Parliament. There are no security-cleared MPs who can compel CSE to testify before them, and unlike in the United States or United Kingdom, Canada has no standing committees designated to scrutinize CSE’s activities or budgetary allocations. Instead, there is only a system of annual “review” undertaken by the Office of the CSE Commissioner to ensure that CSE is operating lawfully. That review is delivered in classified form to the Minister of Defense, with a redacted version delivered to Parliament. The CSE Commissioner’s office is staffed by a retired judge who is assisted by 11 employees (at the time of writing). While it may be tempting to focus on the “single retired judge” part as the questionable aspect of the setup, more important than the person, his age, or his present employment status is the structure, power, independence (or lack thereof), and culture of the review mechanism itself.
A little digging throws up some dubious characteristics. Although the Commissioner emphasizes his office can review anything concerning CSE, the CSE Commissioner has admitted it does not review everything that CSE does to ensure compliance … only a selection of activities. Of that selection, Commissioners have noted that records essential to determining compliance are missing or not properly recorded by CSE. But rather than asserting that such poor record-keeping indicates non-compliance with the law the Commissioner instead shelves the issue for “further discussions” between CSE and the Commissioner. Even on the rare occasions when concerns around potential non-compliance have been tepidly broached, the government is given wide latitude to correct the issue -- in some cases, many years. But by far the biggest problem is that the CSE Commissioner does not act as a court of law or make legal determinations; instead, the Commissioner only confirms that the CSE follows its own secret interpretations of secret laws. While, in theory, a retired judge can disagree with CSE's interpretation of the law, in practice it does not because the deck is stacked against it. As one CSE Commissioner noted: "With respect to my reviews of CSE activities carried out under ministerial authorization, I note that I concluded on their lawfulness in light of the Department of Justice interpretation of the applicable legislative provisions." The CSE Commissioner is, in other words, basing assessments of legality on the government's own interpretation of the law. Should it come as any surprise, then, that in all of the years the Commissioner has undertaken reviews, there has been not a single finding of non-compliance with the law? This arrangement is highly convenient for CSE, of course, but terribly misleading for Canadians and the rest of the world, who are routinely assured by repeated public pronouncements from the Government of Canada that CSE is and always has been in compliance with the law.
And what about those secret interpretations of secret laws themselves? It is on this basis of friendly “review” that Prime Ministers, CSE spokespeople, and Commissioners can say on the one hand that CSE is prohibited by law from spying on the communications of Canadian citizens while at the same time routinely collecting limitless amounts of metadata of those very Canadians (metadata being a record of IP addresses, phone numbers, email addresses, websites visited, timestamps and geolocation information, social media identifiers, cookies, and more). Why? Because according to the government’s own legal definition, metadata are not “private communications,” and what the government is doing when it collects all of that Canadian metadata is not “targeted” or “directed at” Canadians. Never mind that according to common sense and most English language dictionaries, that is precisely what they are doing. The government gets to use its own vocabulary according to its own legal interpretations, and the CSE commissioner affirms year in and year out they are, well, compliant. One feels compelled to ask: under such a setup, what else could CSE be but compliant?
Many who have commented about C-51 have noted concerns about boosting the powers and information sharing among 17 security agencies when only three of those agencies have any type of oversight or review and the three that do (CSE, CSIS, and RCMP) are “stove-piped” (meaning they do not share or coordinate with each other). While I share those concerns, it is also important to understand that when it comes to oversight, review, and accountability of arguably the most well-resourced and powerful of those security agencies (CSE), we have in the CSE Commissioner what is clearly a deferential, inherently limited, and thus fatally flawed “review” body. Given that C-51 will mean an expansion of CSE’s activities, these flaws are deeply disturbing and a sure recipe for abuse.
The Information-Sharing Black Hole
As mentioned above, one of the more controversial aspects of C-51 is the Information Sharing Act, which would permit sharing of information among 17 security agencies, including CSE. CSE already provides technical assistance under its “Mandate C” to domestic federal agencies when the latter are acting under their lawful mandate, such as possessing a warrant to collect a targeted person’s or group’s communications traffic. C-51 would amplify this assistance mandate in light of the broad “threats to national security” that could justify intelligence gathering on the part of law enforcement and other security services. The other 16 agencies will find CSE to be an irresistible source to which to turn given its formidable collection powers and links to the FVEY resources. Should other agencies make more requests of CSE then the Establishment will likely request – and receive – more federal dollars to enhance its already enormous spying capabilities.
Even notwithstanding C-51, there are aspects of how information is acquired and shared by CSE now that are a mystery, and what little we do know already raises some disturbing questions.
First, even under existing law and practice, there have been concerns raised about how often, when, and how CSE provides this type of technical assistance. In one landmark case, Canadian Justice Mosley reprimanded CSIS and CSE when he discovered a warrant he gave CSIS to seek technical assistance from CSE led in practice to CSE tasking its FVEY allies with the job. The only problem was that neither CSIS nor CSE told Justice Mosley they would be doing that. Records obtained by The Globe and Mail under freedom of information requests revealed that CSE has received hundreds of such requests for technical assistance from CSIS, the RCMP and other agencies over the years. CSE tried (unsuccessfully) to block the release, which ended up being highly redacted leaving Canadians with only a vague sense of what type of “technical assistance” is provided and how often.
Second, CSE operates in close coordination with the other FVEY agencies, to the point of CSE analysts routinely accessing databases operated by the GCHQ and NSA and vice versa. Whatever limitations there are on CSE’s collection of Canadian communications (and recall how questionable these controls are) they do not apply to CSE’s allies. As a result, should Canada share data with allies then the information about Canadian citizens could be used by our allies to target Canadians. In plain terms, such sharing could put Canadian citizens or permanent residents at bodily risk as they travel abroad and pass into our allies’ sovereign territories (see the Maher Arar case). Moreover, CSE also receives data from allied SIGINT agencies and this data might be provided to domestic authorities acting in their legal mandates; what the NSA collects about Canadians, in other words, could be provided to the RCMP, CSIS, or other agencies CSE supports. It could even mean that RCMP, CSIS, and other security agencies, through CSE’s assistance, directly access databases operated by the NSA, GCHQ, and other allied SIGINT agencies. Even the CSE Commissioner (not normally inclined to worries) has raised concerns about such arrangements, warning that beyond "certain general statements and assurances" between CSEC and the FVEYs, the commissioner's office was "unable to assess the extent" to which the four partners "follow the agreements with CSEC and protect private communications and information about Canadians in what CSEC shares with the partners." The review agency for CSIS, SIRC, recently raised the same sort of concerns. Clearly, information sharing among the FVEYs is extensive but the full extent of that sharing is shrouded in secrecy, even from the review bodies themselves, and thus largely takes place without public accountability.
Third, while CSE (and other security agencies) have long operated their own eavesdropping and wiretapping equipment, these days most of what they acquire comes from the private sector: the telecommunications, mobile, Internet, social media, advertising, and search engine companies that own and operate cyberspace and are the frontline sensors of our digital exhaust. Probably the most infamous of such arrangements is the PRISM program, outlined in one of the first Snowden disclosures and showing how the NSA and FBI had acquired direct access to data clouds of major US Internet companies, like Google, Yahoo!, Facebook, and others. A glance through many of the CSE-related slides reveals similar arrangements are in place for Canadian operations, though no details about specific companies are given outside of the oblique reference to “Special Source” (intelligence parlance for a compliant telecommunications company). How often and under what legal authority these Canadian “Special Source” companies share data with security agencies is a mystery. What little evidence has emerged has been shocking. A recent confidential report undertaken by the law firm Gowlings and involving the participation of several Canadian telcos, acquired through a freedom of information act request by Ottawa Law Professor Michael Geist, estimated that Canadian security agencies request user data from telcos on the order of millions of times a year … allwithout a warrant. Reports like these strongly suggest that a culture of informal sharing between at least some Canadian telcos and government agencies is common. Given how much data we routinely share with the private sector on an hourly basis as we go about our daily lives, these revelations should be alarming.
Before further enhancing inter-agency information sharing between agencies, we need to first clarify what information is allowed to be shared, and how, with whom, and from where, in the first place. With respect to existing CSE’s practices in this respect, we are in a big black hole.
Digitally Enabled Disruption
Part of C-51 includes new proposed new powers to “disrupt” threats to national security, including preventing individuals from travelling abroad, interfering with money transfers and financing, disruption of websites, manipulation and removal of content on computers, and countering of propaganda and social media messaging. As the lead agency with the most advanced capabilities of disruption in cyberspace, CSE would be a principal player when it comes to these disruptions. Here, it is essential to grasp CSE’s already formidable offensive capabilities to appreciate just what type of operations could be unleashed were these type of powers exercised by CSE at the behest of domestic agencies.
If Canadians believe that our SIGINT agency only passively scans the digital horizon looking to vacuum up data, they are sorely mistaken
SIGINT agencies like CSE typically have responsibilities that cover a broad spectrum of activities in cyberspace from defence at one end to computer network exploitation, attack, and sabotage at the other. The offensive parts of the toolkit are easily among the most highly classified since they routinely involve operations that can violate other country’s local laws or involve the manipulation of the normal operations of computers and devices. As the U.S.-Israeli “Stuxnet” on Iran’s nuclear enrichment facilities demonstrated, computer network attacks like these can even bring about real physical damage to critical infrastructure.
If Canadians believe that our SIGINT agency only passively scans the digital horizon looking to vacuum up data, they are sorely mistaken. The Snowden disclosures have shown CSE possesses an impressive arsenal of offensive weapons, and a willingness to use them. For example, an August 2014 report on the Snowden disclosures provided a detailed list of FVEY offensive capabilities that included previously classified slides from a CSE presentation on a program called “Landmark.” Landmark is the codename for CSE’s massive covert global botnet of thousands of compromised computers, which it calls “Operational Relay Boxes” or ORBs. Why does it need ORBs? To disguise whatever computer network exploitation and attacks CSE and its allies may be engaged in. Whose computers are compromised? Hard to say from the slides, but it appears these are the computers of whatever unwitting individuals outside of the FVEYs alliance CSE’s clever hackers can manage to infiltrate and take over — in "as many non 5-Eyes countries as possible.” Another Snowden disclosure shows that while the Canadian government publicly chastises China-based cyber espionage as a major threat to security, intellectual property, and a violation of international norms, CSE covertly “piggy backs” on those very same cyber espionage networks behind the backs of the Chinese operators, making their own copies of the same data exfiltrated by China. SeveralSnowdendisclosures show that CSE has fashioned a suite of tools designed to infiltrate and take over mobile phones, under the codename WARRIOR PRIDE, a federated project among the FVEYs. Some of these tools were invaluable in GCHQ’s hack of Belgium’s main telecommunications network (a NATO ally) and are integrated into NSA data collection efforts. As part of its collaboration with the NSA and GCHQ, CSE has helped subvert encryption standards worldwide to make the job of signals intelligence collection easier (while weakening everyone else’s security), and likely hoards known computer vulnerabilities as exploits (instead of disclosing them in the public interest). Another slide deck suggests Canada is familiar with and may use a powerful technique called “QUANTUM” known to be used by NSA and GCHQ in which agents insert malicious packets into data streams at national scales which then allow them to take effective control of any device that happens to connect to unencrypted content on the Internet.
Given Canada's long-term interest in an 'open and secure cyberspace,' Canadians must deliberate about whether our goals would be better served by the promotion of norms of mutual restraint instead
These examples are just a sample of the offensive toolkit that CSE now controls and which will be available to the RCMP, CSIS, and several other Canadian security agencies as part of their legal mandate to “disrupt.” Considering C-51’s broad definition of “threats to national security,” it seems logical to conclude that these tools will be used more frequently, against more targets, and with many unintended side-effects. Such a pronounced emphasis on “offensive” measures such as this will inevitably result in an escalating arms race in cyberspace as Russia, China, and other adversaries work to catch up and a litany of grey market companies profit on lucrative defence contracts for computer network attack and exploitation products and services. It would mean more covert efforts to weaken the security of information systems in the interest of national security. Given Canada’s long-term interest in an “open and secure cyberspace” for commerce, communications, and human rights, Canadians must deliberate about whether our goals would be better served by the promotion of norms of mutual restraint in cyberspace instead. At the very least, we should fully appreciate just what “disruption” will mean in practice.
Notwithstanding C-51, Canadians are long overdue for a serious discussion about the proper legal limits of powerful security agencies like CSE in the era of Big Data. In a short span of a few years we have fundamentally transformed our communications environment, turning our digital lives inside out and leaving a trail of highly revealing personal information around us where ever we go. Meanwhile, CSE and other signals intelligence agencies have reoriented their mission and capabilities to “collect it all” without public debate, and without any corresponding adjustment in the Cold War-era limitations that ostensibly safeguard citizens from potential abuse.
C-51 takes us in a dramatically different direction than we need to go: more covert collection and disruption against a broader range of targets at the behest of a larger number of security agencies; looser information sharing practices among a broader range of domestic and foreign intelligence agencies; less, rather than more, rigorous checks and balances, oversight, and public accountability. We are entrenching 1950s-era oversight of a 21st century security service machine.
To be sure, societies face serious threats and need properly trained and equipped state security services to deal with them. But without proper checks and balances we lose sight of what those services are ostensibly designed to secure in the first place. And we open up the potential for enormous abuse of power. Twenty first century SIGINT agencies, like CSE, are massive electronic omnivores. They are extraordinarily powerful arms of the state. C-51 will boost CSE’s resources, reach, and interaction with other domestic security agencies without any corresponding investment in political restraints that can properly assure Canadians such awesome powers will not be abused.
What evils lurk in the shadows? Who really knows.