Thursday, June 13, 2013

Spying on Canadians - A Fleeting Illusion of Privacy

Updated January 2015

Canadians have their own version of the U.S.-based National Security Agency (NSA), the little-discussed Communications Security Establishment Canada or CSEC.  CSEC, Canada's national cryptologic agency, supplies the Government of Canada with SIGINT (signals intelligence) which supports Canada's foreign, security and national defence policies and IT or information technology security, enabling various government departments and agencies to secure their electronic information systems (excluding, of course, those dastardly hard drives and portable flash drives containing private government/taxpayer information that seem to sprout legs and go for a walk every so often).

CSEC was formally established as the Communications Branch, National Research Council in 1946.  In 1975, it was renamed the Communications Security Establishment and was moved under the National Defence portfolio.  CSEC collects foreign intelligence through its monitoring of SIGINT and relies on its foreign intelligence allies to share the burden of collecting and analyzing the data, sharing the results and responsibilities with the following countries through the UKUSA Agreement first signed in 1946:

1.) The United States through the National Security Agency.

2.) The United Kingdom through the Government Communications Headquarters.

3.) Australia through the Defence Signals Directorate.

4.) New Zealand through the Government Communications Security Bureau.

Each of these organizations functions under legislation that allegedly protects the privacy of the citizens of the organization's home country.

CSEC provides foreign intelligence to a growing number of senior clients in the Canadian federal government, primarily focussing on protecting the safety of Canadians from acts of terrorism.

Since November 2011, CSEC's Chief reports directly to the Minister of National Defence.  Prior to that, CSEC reported through two Deputy Ministers: the National Security Advisor on policy and operational issues and the Deputy Minister of National Defence on financial and administrative matters.  Interestingly, the Minister of National Defence now provides the direction to CSEC and guidance on how it carries out its mandate.  That's what I call political control at the highest level!

Currently, the Chief of CSEC is John Forster, formerly the Associate Deputy Minister of Infrastructure from 2009 to 2012 (obviously, a political appointment) where he led the Harper government's infrastructure stimulus under the ubiquitous Economic Action Plan.  Interestingly, unlike the leadership requirements to head the NSA, the current Chief of CSEC has absolutely no military experience; rather, he is a career bureaucrat with a Bachelor of Science from the University of Toronto and a Master of Business Administration from York University.  As of January 2012, there were 1900 employees working under Mr. Forster, most working out of CSEC's headquarters in Ottawa.

CSEC claims that it operates within the Canadian Charter of Rights and Freedoms and the Canadian Privacy Act.  The Department of Justice has staff on-site that review CSEC's operations to ensure that they do not operate outside the law.  Here are the key excerpts from the National Defence Act that provide the operating mandate for CSEC:

"273.64 (1) The mandate of the Communications Security Establishment Canada is
a. to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities;
b. to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; and
c. to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.

Protection of Canadians
(2) Activities carried out under paragraphs (1)(a) and (b)
a. shall not be directed at Canadians or any person in Canada; and
b. shall be subject to measures to protect the privacy of Canadians in the use and retention of intercepted information.

Limitations imposed by law
(3) Activities carried out under paragraph (1)(c) are subject to any limitations imposed by law on federal law enforcement and security agencies in the performance of their duties.

Ministerial authorization
273.65 (1) The Minister may, for the sole purpose of obtaining foreign intelligence, authorize the Communications Security Establishment Canada in writing to intercept private communications in relation to an activity or class of activities specified in the authorization.

Conditions for authorization
(2) The Minister may only issue an authorization under subsection (1) if satisfied that
a. the interception will be directed at foreign entities located outside Canada;
b. the information to be obtained could not reasonably be obtained by other means;
c. the expected foreign intelligence value of the information that would be derived from the interception justifies it; and
d. satisfactory measures are in place to protect the privacy of Canadians and to ensure that private communications will only be used or retained if they are essential to international affairs, defence or security." (my bold)

Notice that according to law, CSEC may not direct its "snooping" at Canadians or any person in Canada and that measures must be taken to protect the privacy of Canadians; however, CSEC must "ensure that private communications will only be used or retained if they are essential to international affairs, defence or security."  In other words, data collected on Canadians can be retained if it is deemed "essential".  That has all the appearance of a loophole to me, particularly since the Minister of Defence may authorize CSEC to intercept private communications in relation to an activity or class of activities or to protect the computer systems or networks of the Canadian government from mischief, unauthorized use or interference.  Basically, it appears that CSEC can broadly gather the data and then deal with it under Ministerial discretion later.  CSEC simply has no way of guaranteeing that it will not intercept signals from Canadians (think of Canadian citizens as collateral damage); rather, we have to trust that it will not share this data with our Allies or the Harper government for that matter.  We do know, however, that CSEC was authorized in 2011 by Peter MacKay to eavesdrop and collect metadata, the data that we generate every day when we send a tweet or make a phone call.  In case you were wondering, from the Guardian, this is what information can be gleaned from a tweet:

There goes that fleeting illusion of privacy and anonymity!

Fortunately, CSEC is subject to independent reviews, conducted by the Office of the CSE Commissioner.  These reviews are to ensure that CSEC is operating within the law, to inform the Minister of National Defence about any non-compliance and to respond to any complaints.  The Commissioner is currently Robert Decary, a former Queen's Counsel and special assistant to the Secretary of State for External Affairs in the 1970s.  The Commissioner is given access to all of CSEC's employees, operations and documents which are then reviewed and reported to the Minister of National Defence.  Unfortunately for Canadians, because these reviews contain classified information, other than the Annual Reports, they are not released to the public.  Basically, we have to trust the Commissioner, the Chief and the Minister of Defence that CSEC is operating in the best interest of Canadians.

How much does all of this cost Canadian taxpayers?  In fiscal 2012 - 2013, CSEC's budget was approximately $350 million.  This has grown to a whopping $829 million in fiscal 2014 - 2015, an 88 percent increase from the $444 million it received in 2013 - 2014.  This is largely due to a one-time increase of $300 million to pay for delivery of the spy agency's new "palace" and $100 million related to ongoing maintenance of the complex which was built through a public-private partnership.  It seems ironic to note that, under the Harper government's Budget 2012, CSEC's planned savings were $7.9 million for fiscal 2012 - 2013 and $13.7 million for each fiscal year thereafter.  One thing that we don't know about CSEC is how much staff are spending on travel and hospitality, unlike all other government departments.  Here's a quote from the CSEC website:

"For national security reasons, the Communications Security Establishment Canada (CSEC) is exempt from the proactive disclosure of financial and human resources-related information. This exemption extends to the disclosure of travel and hospitality expenses, contracts entered into by CSEC, the reclassification of positions, and grants and contributions."

Let's go back to CSEC's mandate of not directing its "snooping" capabilities at Canadians.  As I noted near the beginning of this posting, Canada shares its data with four other nations and vice versa.  Since Australia, New Zealand, the United States and the United Kingdom have no legislative provisions that would prevent them from snooping on Canadians, one would have to assume that all four countries are/could be snooping on Canadians and sharing that data with CSEC or, even worse, Canada's Minister of Defence.  

In any case, it is unfortunate that we have to trust our politicians that they have our best interests at heart and that our personal privacy is of utmost concern to them.  Even more unfortunate is that we simply cannot afford to trust them with our privacy since that is the last thing that they really want us to have.
