Surveillance in Canada: Who are the watchers?

By:
Michael Petrou

RCMP crest RCMP
Royal Canadian Mounted Police
est. 1920
Employees: 29,188 (2016)
Budget: 2.7B (2017-2018)

CSIS crest CSIS
Canadian Security Intelligence Service
est. 1984
Employees: 3299 (2016)
Budget: 536M (2015-2016)

CSEC crest CSE
Communications Security Establishment
est. 1946
Employees: 2200 (2015)
Budget: 538M (2015-2016)

The Trudeau government announced new security legislation last month, including the creation of a “super” watchdog that will oversee existing agencies. But do we still lack an understanding of what these agencies do? Michael Petrou runs through the evolution — and surveillance capabilities — of the RCMP, CSIS and CSE. 

In January 1937, as the Great Depression drove increasing numbers of young men into desperate unemployment and, often, political radicalization, the Royal Canadian Mounted Police tasked informers with hanging around the bathroom of Manor Hall in Winnipeg, an informal gathering place for the city’s unemployed.

The RCMP was worried about Communists, especially immigrant ones. And it was worried those foreign Communists were making plans to secretly send recruits to fight in Spain, where a civil war had broken out the previous July between a left-leaning government and fascist rebels. Manor Hall’s bathroom was where such plans were discussed.

“Both toilets are used for this purpose,” a dispatch from Winnipeg concludes. “The doors are closed and no sound may be heard outside. Conversation is carried on in subdued tones.”

The RCMP’s surveillance was widespread, resource-heavy, and ultimately resulted in no criminal charges being laid. But when the government of the day decided not to prosecute Canadians who fought fascism in Spain, the RCMP instead attempted to publicly discredit them. In June 1938, RCMP Assistant Commissioner Stuart Taylor Wood suggested to a colleague that the RCMP might “discreetly” give “some reliable newspaper” the home address of a Canadian who had returned from Spain and was supposedly bitter about his experiences there, so that his views might be made public.

The RCMP continued to monitor the Canadian volunteers who fought in Spain for more than 40 years, reporting in a 1980 memorandum that of the 150 volunteers still living, most did not belong to the Communist Party, “however their political motivations are more in keeping with [New Democratic Party] philosophies.”

The mostly immigrant Canadians who fought in Spain during the 1930s were not the first or the last to be subjected to surveillance by state security and intelligence agencies in Canada. Covert policing dates to at least the aftermath of the 1837 and 1838 rebellions in Upper and Lower Canada, and later targeted Irish Republican Fenians who believed they could hurt Britain by attacking Canada. It continues today.

But the case of the RCMP’s surveillance of the Canadian volunteers for Spain is in many ways emblematic of much of the surveillance carried out by Canadian agencies since.

It highlights the central issue of state surveillance in a democracy: recognizing and respecting the difference between lawful dissent and activities that are illegal or that threaten national security.

It underscores, too, how difficult it can be for an intelligence or security agency to understand the real threat posed by those they are watching — especially when the targets of surveillance come from communities with whom police or spies have no connection, and toward which security agents bring their own prejudices and biases.

In the 1930s, for example, the RCMP took at face value reports from “loyal spirited foreigners” who told the force that volunteers were going to Spain to train for a revolution in Canada. A decade later, in 1946, the RCMP spied on a gathering of civil war veterans getting drunk and reported testimony from an unnamed informer who said such meetings were part of a traitorous movement preparing for war between Canada and Russia.

It also reflects issues of transparency and oversight. In democracies, security agencies must abide by the law, answer to citizens and to the governments those citizens elect, and operate in an open and transparent fashion. But it took decades, and the persistent research of academics and journalists, to reveal the extent of the surveillance of Spanish Civil War veterans, and many other supposed political dissidents, especially during the Cold War. 

"There is a perceived need for security agencies to be secretive in order to be effective."

Security agencies have always worked in the shadows, and in Canada they have not been consistently and forcefully challenged to operate under brighter lights. There is a perceived need for security agencies to be secretive in order to be effective. Governments are reluctant to legislate or even openly discuss matters of surveillance. And surveillance technology is evolving so quickly as to outstrip regulations meant to govern its use.

Today, Canadian security agencies have the ability to monitor Canadians to a degree the RCMP in the 1930s could scarcely have imagined. Human sources and physical observation are still important. But now we leave digital footprints everywhere that can be tracked, collected and stored. 

Canada, like many other countries, has become a “surveillance society,” says Wesley Wark, a visiting professor in the University of Ottawa’s Graduate School of Public and International Affairs and a long-time scholar of Canadian intelligence agencies. And yet we have only tentatively wrestled with what that means. Canadians in general have not loudly demanded accountability on surveillance from the government, which in turn has shown little desire to provide it.

Bill C-59, tabled earlier this month, is a welcome check on this trend. The bill creates a new watchdog, called the National Security and Intelligence Review Agency, that will oversee the work of all national security agencies, including the big three surveillance organizations in Canada: the RCMP; the Canadian Security Intelligence Service (CSIS); and the Communications Security Establishment (CSE). 

The granular merits and shortcomings of the bill will no doubt be discussed and debated at length elsewhere going forward. But as the security landscape evolves and expands, it’s worth taking stock of surveillance in the country as it exists today. 

                                                                                ***

ONE MORNING in 2013, shortly after reports based on leaks by former National Security Agency contractor Edward Snowden revealed the extent of global surveillance carried out by the American agency, which specializes in signals intelligence, an employee of CSE, a Canadian agency roughly analogous to the NSA, drove to work.

Snowden’s disclosures had aroused interest in CSE, especially given the extremely close relationship between intelligence agencies in Canada, the United States and the other members of the so-called Five Eyes alliance: Britain, Australia and New Zealand. Journalists were on CSE property in Ottawa, filming or taking photos. The employee, seeing this, stopped his car, got out, and told the journalists that if they were going to take pictures, they needed to do it away from public land. The journalists complied and the CSE employee thought nothing of it — until he entered the building and, as he puts it, was “interrogated” by his bosses who wanted to know why he had been talking to journalists.

CSE has always been secretive. Its existence, under a different name, wasn’t even publicly acknowledged until 1974, thanks to a CBC documentary that forced an admission in the House of Commons. But its roots go back to the Second World War and Canadian military interception of enemy communication regarding troop movements, or of messages from the collaborationist government of Vichy France, according to a history of the organization on CSE’s website. 

First known as the Communications Branch of the National Research Council, CSE was officially established in 1946, and during its early years was mostly concerned with the Soviet Union and other members of the Eastern Bloc. The end of the Cold War gave the Canadian public what CSE describes as a “false sense of relief,” at odds with what CSE says were in fact new and at times greater threats to national and economic security.

The Anti-terrorism Act, ratified in December 2001, only months after the 9/11 terrorist attacks, officially recognized CSE’s three-part mandate: acquiring foreign signals intelligence; protecting Canadian government computer systems and networks; and assisting federal law enforcement and security agencies (such as the RCMP and CSIS). The number of people working for CSE has at least doubled since 2001. In 2015, it employed 2,200 people. 

CSE is mandated to direct its signals intelligence monitoring at foreign targets outside Canada — someone in Iran emailing someone in Russia, for example. It cannot target Canadians, even Canadians abroad, for surveillance unless it is doing so to assist an investigation by CSIS or the RCMP, for which the agencies have lawful authority (usually warrants) to conduct surveillance. But the line between foreign and domestic signals intelligence can be blurry.

“Because of the complexity of global telecommunications, it is impossible to know if a foreign target will send or receive communications to or from a person in Canada. Thus, there is a risk that CSE could incidentally intercept a private communication,” CSE says on its website.

CSE might be targeting a non-Canadian member of ISIS in Syria, for example, but if that person is sending emails or text messages to a Canadian in, say, Hamilton, the Canadian’s communications would be “incidentally” swept up in CSE’s surveillance of the Syrian ISIS member. 

The key question for CSE, and for Canadians concerned about their privacy, is what the agency does with that information. The short answer is it doesn’t immediately delete it.

CSE says it may choose to keep records of Canadians’ private communications if they are “essential to the understanding of foreign intelligence related to international affairs, defence or security,” or “essential to identify, isolate or prevent harm to the Government of Canada systems or networks,” CSE says.  

The agency says it takes measures to protect Canadians’ privacy, including suppressing information about Canadians in the intelligence reports it writes (an individual’s name might be replaced with a generic description such as “a Canadian person,” for example), and limiting access to systems and databases that contain private information. It says the private communications it uses are “subject to strict retention limits” — though what these limits are is not revealed. And CSE says its practices are regularly reviewed both internally and by the CSE Commissioner’s Office, which is independent of the CSE and reports to the minister of national defence.

Bill C-59 establishes clear guidelines regarding what Canada’s security agencies can do with data they collect on Canadians. The government likely saw such measures as necessary in part because CSE’s reassuring narrative about safeguarding Canadians’ privacy had been tarnished.

A confidential 2015 report by CSE Commissioner Jean-Pierre Plouffe revealed that CSE accidentally shared with allies information on Canadians that was supposed to have been private. It happened because software that should have removed identifying information on Canadians failed.   

Plouffe said this unlawful sharing of Canadians’ private information might have been going on since the mid-2000s, and it was unclear exactly how much data had been shared. He concluded that CSE’s failure was not wilful, and he said CSE had cooperated with his study and taken corrective steps. The incident nevertheless showed that as technology expands the capacity of the state to monitor its citizens, it brings concomitant risks that the privacy of those citizens may be violated.

If CSE’s apparently unwitting leakage of Canadians’ personal information to foreign countries could be described as an honest mistake, another revelation that came to light as a result of Snowden’s disclosures was a little more difficult to explain away. A document made public in 2014 showed that CSE used free Internet service at a major Canadian airport to track the wireless devices of passengers for days after they left the airport, as their devices were picked up by Wi-Fi hotspots throughout Canada and at American airports.

CSE is prohibited from targeting Canadians and people in Canada without lawful authority. The Canadian airport operation was carried out so CSE could test technology it was developing with NSA help to track targets abroad. “Canada is a small actor, but it is regarded as a world-class player in these kinds of things,” says Stephanie Carvin, a former national security analyst with the Canadian government and now an assistant professor of international affairs at Carleton University. 

CSE defended its actions to CBC, saying it is “mandated to collect foreign signals intelligence to protect Canada and Canadians. And in order to fulfill that key foreign intelligence role for the country, [CSE] is legally authorized to collect and analyze metadata.”

Metadata describes things such as the sender and recipient of an email or phone call, its duration, and when it occurred, rather than a message’s content. Carvin says it can be useful to establish a target’s “pattern of life,” including his daily habits and network of contacts.

CSE’s explanation as to why it collected and kept metadata at a Canadian airport didn’t sit well with some privacy and security experts at the time, including Ronald Deibert of the University of Toronto’s Munk School of Global Affairs’ Citizen Lab, who told CBC the operation was likely illegal. 

“The challenges for agencies is to navigate between two poles. One is technical ability: what they can do. The other is to understand the legal limits of what they actually do do.”

“The challenges for agencies like CSE is to navigate between two poles. One is technical ability: what they can do. The other is to understand the legal limits of what they actually do do,” says Wark. “Both are complex issues, and I don’t think there’s any magical formula for it.” 

Craig Forcese, a law professor at the University of Ottawa specializing in intelligence and security, is more concerned about the lack of transparency regarding the use of metadata than the fact that security agencies are collecting it in the first place.

“If we’re going to be having the security services collecting metadata, then the rules for that collection and the safeguards should be publicly debated and should be articulated in public legislation, so we have clear signals of what we as a society expect of our security services,” he says.

“There’s not a lot of transparency about the pure quantity of surveillance that’s underway, and a lot of the stuff is highly technical. And even when we get little glimpses, we’re not sure what it means in practice,” Forcese adds.

“We’ve delegated the responsibility for determining what the standards should be to a bunch of justice lawyers in the services themselves, in a manner that means we’ll never see what those standards are, because it’s so deeply covered in solicitor-client privilege and national security confidentiality. I think that’s a huge problem. It means we can never have a mature debate.” 

                                                                                    ***

ANYONE who hasn’t joined ISIS or other jihadist groups and is worried CSIS might be following them can take some unlikely comfort in the fact that Canada’s domestic spy agency probably has its hands too full to bother.

If CSE is supposed to keep its eyes focused outside Canada’s borders, CSIS and the RCMP look inward. CSIS, Canada’s civilian intelligence agency, is mandated to collect and analyze threats to Canada’s national security. Those threats can originate outside Canada, meaning CSIS can operate abroad, but only with the goal of defending Canadian security. CSIS can investigate a potential terrorist attack against Canada being planned abroad, for example, but it does not try to recruit agents in foreign governments. 

CSIS was created by an Act of Parliament in 1984. It took over responsibility for security intelligence that had previously belonged to the RCMP, following revelations of apparently illegal activities on the part of the RCMP and a subsequent Royal Commission, known as the McDonald Commission, that recommended the formation of a separate civilian security agency.

The RCMP, as its name implies, is a police force, and as such is focused on crime rather than national security. Its interests overlap with CSIS, but the two agencies do not closely cooperate. If CISIS is watching someone who appears to be engaged in criminal behaviour, it might alert the RCMP but will not share evidence. CSIS doesn’t want to risk compromising sources, and the RCMP doesn’t want its investigation tainted by evidence that might not have been collected in a manner that would stand up in court.

These days, many of the people CSIS is watching have fought overseas with groups such as ISIS, and then come home. “My guess is that when intelligence exists that a foreign fighter has returned, it’s all hands on deck,” says Phil Gurski, a former CSIS analyst and CSE employee who has recently published a book on Western foreign fighters. 

CSIS estimates about 60 Canadians who have joined terrorist groups overseas have now come back to Canada. “It’s not a given that every returnee is going to blow shit up. The only way you can find out is to monitor them,” Gurski says. But doing so takes 20 to 40 officers. “The problem with security intelligence law enforcement is you have way more cases than you have resources.”

This, says Carvin, points to one of the paradoxes of surveillance in Canada. “The power of the state against the individual is incredible, and it needs to be actively monitored and kept in check by our policy makers,” she says. “But the second issue is that we sometimes get carried away with the potential of that power without thinking of the bureaucratic things that can actually interfere with the state carrying out those powers to their full responsibility.” 

In other words, according to Carvin, even if CSIS wanted to watch everyone, it can’t. It picks its targets, and must do so selectively. There are too many genuine security threats that CSIS cannot spend time and resources on targets that don’t appear to meet that definition. And security agencies, she says, focus their surveillance on individuals rather than groups or institutions. She says mosques, for example, whatever opinions people within them promote, are not monitored.

“One of the key things about national security is that you’re allowed to be an asshole. You can have terrible views. But that’s not a national security threat until you want to violently act on them. So even if there are religious institutions that put out conservative ideas that I would personally disagree with, that’s not a national security threat at all. So there’s no reason to monitor a mosque at all. It’s a huge waste of resources and time, and if anything, I would consider it to be counter-productive, because you want to work with institutions that may have insight into a community and what’s happening,” she says. 

But Canadian security and law enforcement agencies do have a history of watching some groups more closely than others.

Steve Hewitt, a senior lecturer in the Department of History and the American and Canadian Studies Centre at the University of Birmingham in Britain who has researched the RCMP’s extensive surveillance on Canadian universities, says those monitored tend to be people who are socially and politically marginalized for reasons such as their ethnicity and beliefs. 

"Even if CSIS wanted to watch everyone, it can’t."

In the past this has included immigrants and leftists. Today, he suspects Canadian Muslims are disproportionately watched. “The idea that we’re all going to equally experience the effects of that surveillance is wrong,” he says, “and we need to pay more attention to that.”

And CSIS, too, has allowed advances in surveillance technology to expand its surveillance net and, it would appear, erode Canadians’ privacy in the process.  

CSIS, like CSE, can gather communications data from people associated with those it is targeting for surveillance. If it is monitoring the emails of one individual, it will inevitably collect information on those to whom that individual is writing.

Warrants stipulate that CSIS must destroy information unrelated to a perceived security threat. But in 2006 CSIS created the Operations Data Analysis Centre to store such associated metadata — including email addresses, phone numbers and call times — and retained that information for up to a decade.

Last fall, Federal Court Judge Simon Noël ruled this was illegal, and that CSIS had not fulfilled it “duty of candour” to the court. 

These are not comforting words for Canadians who worry that CSIS is prone to stretching its mandate. But Forcese doesn’t think CSIS was motivated by malice or intentional deception. Institutional safeguards and checks and balances are probably not as strong as they should be, he said — before the recent bill was tabled.  

That may be the case, in part, because Canadians — in and out of government — have been slow to robustly debate exactly what sort of state surveillance of Canadians is desirable, and when that surveillance unacceptably infringes on the privacy of the Canadians this country’s security and intelligence agencies ultimately serve.

There are no easy answers. State surveillance can be an effective tactic in the law enforcement and intelligence gathering needed to guard national security and protect citizens. It can also function as a tool that undermines liberty and ultimately weakens a country’s democracy. Balancing these outcomes is difficult and requires thoughtful discussion and vigilance from lawmakers and citizens.