Tag Archives: Lux Ex Umbra

CSEC's LANDMARK tool for CNE operations - Lux Ex Umbra 20140817

CSEC's LANDMARK tool for CNE operations - Lux Ex Umbra 20140817

The recent c't Magazin article about Five Eyes methods of detecting computer devices vulnerable to exploitation (Julian Kirsch, Christian Grothoff, Monika Ermert, Jacob Appelbaum, Laura Poitras & Henrik Moltke, "NSA/GCHQ: The HACIENDA Program for Internet Colonization," c't Magazin, 15 August 2014) contains several slides from a CSEC presentation, apparently from 2010 or perhaps 2011, concerning a tool or program called LANDMARK:

As the first two slides indicate, LANDMARK is a tradecraft method or program used to identify "Operational Relay Boxes" (ORBs), computers that can be commandeered for use as "covert infrastructure" in Computer Network Exploitation (CNE) operations. ORBs are used to "provide an additional layer of non-attribution" (i.e., to make it more difficult to identify the perpetrator) for hacking operations to penetrate ("exploit") other computer networks, probably normally in a third country, and steal ("exfiltrate") data.

ORBs are sought in "as many non 5-Eyes countries as possible".

Other slides indicate that LANDMARK operations are at least partially automated and incorporated into CSEC's OLYMPIA "network knowledge engine" (further discussed here).

The slides also indicate that LANDMARK operations draw, at least sometimes, on information collected by GCHQ's HACIENDA tool, which searches for and compiles data on the vulnerabilities of computer devices, covering in many cases the computer infrastructure of entire countries. (See more on HACIENDA in the c't article.)

The description on the slide above notes that a February 2010 LANDMARK operation "encompasse[d] the whole of LONGRUN", possibly meaning that an entire country's infrastructure was examined. Twenty-four CSEC "network exploitation analysts" managed to identify more than 3000 potential ORBs in just a few hours.

This slide appears to show some of the HACIENDA data used in the February 2010 operation (the data is mainly from 2009, but it includes some items as recent as February 2010). You will probably need to go to this PDF version of the documents if you want to read the fine print for yourself. Interestingly, the computer screen capture, from CSEC's OLYMPIA tool, indicates that all the data shown pertained to Kenya. Is Kenya LONGRUN?

The slide notes that "network analysis" was "still manual" at this time.

By contrast, this slide suggests that, by the date of the presentation, "network analysis tradecraft to identify vulnerable devices" had become more automated within the OLYMPIA tool.

The final slide, which appears to refer to a more recent case involving a GSM provider that NSA's Tailored Access Operations directorate wanted to access, reports that an automated search for vulnerable devices using OLYMPIA took less than five minutes to perform.

The full set of slides that were published by c't Magazin, including excerpts from NSA and GCHQ documents as well as those from the CSEC document, is available here.

Update 25 August 2014:

Colin Freeze, "The Landmark file: Inside Canadian cyber-security agency’s 'target the world' strategy," Globe and Mail, 25 August 2014. Note the very interesting and previously unpublished comments by former CSEC Chief John Adams:

“We’ve got some bright young kids,” retired spymaster John Adams once told The Globe in an interview. “Virtually everything – 90 per cent of what they do – is CNO [Computer Network Operations] now. It opens it up to where they can literally go out and target the world.”

Update 27 August 2014

Patrick McGuire, "Canada’s Cyberspy Agency, CSEC, Hijacks Computers Worldwide to Build Their Spynet," Vice, 26 August 2014

CSE Commissioner: CSE violated law - Lux Ex Umbra 20160128

CSE Commissioner: CSE violated law - Lux Ex Umbra 20160128

The CSE Commissioner's 2014-15 Annual Report was finally tabled today, nearly 10 months after the end of the fiscal year covered by the document.

There is a lot that's interesting in the report, but the big news—which was actually in the press release from the Commissioner's office that accompanied the report rather than in the report itself—is that the Commissioner has declared that "CSE's failure to minimize certain Canadian identity information prior to it being shared with its partners did not comply with paragraph 273.64(2)(b) and section 273.66 of the [National Defence Act], and, as a consequence, did not comply with section 8 of the Privacy Act. The Commissioner therefore exercised his legal duty under paragraph 273.63(2)(c) of the NDA and informed the Minister of National Defence and the Attorney General of Canada of this non-compliance with the law."

In plain language, the Commissioner declared that CSE had failed to comply with the law.

In the 20 years since the office was first created, no CSE Commissioner has ever made such a declaration before.

The Canadian Identity Information in question was contained in "certain types of metadata" that "were not being minimized properly before being shared with CSE's partners in the United States, the United Kingdom, Australia and New Zealand", presumably throughGLOBALREACH. The exact nature of the metadata involved has not been revealed.

According to the Commissioner and CSE, CSE identified the problem in late 2013, reported it to the Commissioner, and suspended the data transfers pending a solution to the problem, which Defence Minister Sajjan described today as being caused by "technical deficiencies in CSE systems". These deficiencies must be quite fundamental, however, as it is now 2016 and the problem remains unresolved.

The press release from the Commissioner's office also reports that, "while the Commissioner stated he believes the actions of CSE [in transferring the unminimized metadata] were not intentional, it did not, however, act with due diligence when it failed to ensure that the Canadian identity information was properly minimized." This seems to be the basis of the Commissioner's conclusion that, in this instance, CSE did not comply with the law, whereas in earlier casesunintentional violations of the law have not been characterized as non-compliance.

Perhaps the Commissioner was especially annoyed in this case because in 2013 his predecessor had assured Canadians that "in its reports, and in other information [e.g., metadata] CSE shares with its domestic and international partners, CSE must render impossible the identification of Canadians, and I verify that this is done. As noted in my report last year, I have found that CSE does take measures to protect the privacy of Canadians in what it shares with its domestic and international partners." [Quotation updated 29 January 2016 for reasons of terminological exactitude. HT to WG.]

The Commissioner's declaration that CSE did not comply with the law brings to an abrupt and welcome end the nearly 20-year-old Ottawa tradition of deflecting all questions about CSE activities with the refrain that "the independent CSE Commissioner has always found CSE to be in compliance with the law". (It looks like this blog post is going to need some revision.)

I'll comment on some of the other interesting and significant elements in the 2014-15 report in future posts.

Related coverage and commentary:

- Jim Bronskill, "Canada’s electronic spy agency broke privacy law by sharing metadata, watchdog says," Canadian Press, 28 January 2016
- Robert Fife & Colin Freeze, "Canada's spy agencies broke surveillance laws, watchdogs reveal," Globe and Mail, 28 January 2016
- Justin Ling, "Canadian Spies Get Spanked Again For Sharing Citizens' Data With the NSA," Vice News, 28 January 2016
- "Canada's electronic spy agency stops sharing some metadata with partners," CBC News, 28 January 2016
- "Electronic spy agency stops sharing information with partners over privacy concerns," CTV News, 28 January 2016
- Monique Muise, "Watchdog says electronic spy agency shared info about Canadians," Global News, 28 January 2016
- "Canadian intelligence agency stops sharing metadata with foreign intelligence agencies following revelations that shared information was not being sufficiently protected," OpenMedia news release, 28 January 2016

Update 29 January 2016:

- Alex Boutilier, "Canada’s electronic spy agency broke privacy laws, watchdog says," Toronto Star, 28 January 2016. Note the discussion of CSE's accompanying "technical briefing": "A high-ranking CSE official, who Thursday gave a technical briefing on the condition they not be named, described the issue as a technical glitch discovered in late 2013.... While CSE downplayed the severity of the breach — saying the privacy impact was “low” — it was significant enough to prompt the first press briefing in the agency’s 70-year history." A good point.

As for CSE's insistence on no use of names, if I had to guess, I'd say the speaker was probably Shelly Bruce. After all, what "high-ranking" CSE official would be better for speaking to this issue than the Deputy Chief who is in charge of the SIGINT program at the agency? (It might also explain why the Toronto Star used "they" as the pronoun in this instance.) But if it was Bruce, why insist on non-attribution? As the link shows, Bruce's name and position are not in any way secret. Maybe it wasn't Bruce, in which case the non-attribution might make some minimal amount of sense.

Update 31 January 2016:

Here are the speaking notes for high-ranking CSE official They Who Must Not Be Named. Minor quibble: CSE will be celebrating its 70th birthday on 1 September 2016. It's a bit premature, therefore, to declare in January 2016 that "CSE has been at work, protecting Canada and Canadians, for over 70 years."

Update 1 February 2016:

- Wesley Wark, "Canada’s spy watchdogs: Good, but not good enough," Globe and Mail, 1 February 2016
- Tim Harper, "A privacy breach and a country left in the dark,"Toronto Star, 29 January 2016

Update 4 February 2016:

- Tamir Israel & Christopher Parsons, "Why We Need to Reevaluate How We Share Intelligence Data With Allies," Just Security, 3 February 2016

CSE commissioner's annual report released - Lux Ex Umbra 20140820

CSE commissioner's annual report released - Lux Ex Umbra 20140820

The CSE commissioner's annual report was released today (PDF;HTML).

There is a lot of interesting information in the report, but the big news is that the commissioner was permitted to put a number on the use or retention of private communications (communications with at least one end in Canada) in the foreign intelligence part of CSEC's activities during 2012-13.

And that number is 66:

Overall, in 2012–2013, the volume of communications collected through CSEC’s foreign signals intelligence activities increased. However, the number of recognized private communications unintentionally intercepted and retained by CSEC was small enough that I could review each of them individually. At the end of the 2012–2013 ministerial authorization period, CSEC retained 66 of the recognized private communications that it collected. Of these, 41 private communications were used in CSEC reports (with any Canadian identities suppressed in the reports) and 25 were retained by CSEC for future use. All other recognized private communications unintentionally intercepted by CSEC were destroyed.

Sixty-six is a reassuringly small number, and the number of Canadians or other persons in Canada (hereafter "Canadian persons") involved in those communications could be even smaller, as some may have participated in more than one communication. (On the other hand, in theory a single communication involving a foreign target could go to a mailing list with dozens of Canadian persons on it, so the total number of Canadian persons implicated could be much larger.)

There are several other facts worth noting about this number.

First, it does not include any reporting, retention, or provision of private communications collected by CSEC under the cyber protection (Mandate B) or support to domestic law enforcement and security agencies (Mandate C) parts of its mandate.

[Update 19 November 2014: As shown here, the number of private communications used or retained by the cyber defence program (Mandate B) during the 1 December 2012 to 30 November 2013 reporting year was almost certainly in the low thousands, 15 to 60 times greater than the number reported for the foreign intelligence program by the CSE Commissioner.]

Second, it does not include any reporting or retention of private communications obtained by CSEC through its SIGINT partners. The report does acknowledge CSEC's "receipt from the Second Parties of intercepted communications and other foreign signals intelligence information, particularly private communications and information about Canadians." However, according to the commissioner, "The unintentional interception of a private communication by CSEC is a different situation than the unintentional acquisition by CSEC from a second party source of a one-end Canadian communication."

I have some difficulty understanding this point, as the Criminal Codedefinition of intercept includes to "listen to, record or acquire a communication or acquire the substance, meaning or purport thereof", which would seem to me to include acquiring it from Second Parties. But I'm no lawyer. Past commissioners have suggested that a definition of "intercept" ought to be included in those National Defence Act amendments that the government never bothers to get around to, and maybe that's why that suggestion was made. Does CSEC have its own definition of intercept that differs from the one in the Criminal Code?

Third, it does not include any reporting or retention of communications that are not considered private communications even though they do involve one or more Canadian citizens. An example would be a communication by a Canadian in which both ends of the communication are outside Canada (e.g., you're visiting France and you phone a business associate in Germany). CSEC is still not permitted to target Canadians under its Mandate A under such circumstances, but any such communication collected incidentally that met the relevant criteria could be reported or retained and would not appear in the 66 figure quoted by the commissioner.

Fourth, the figure includes only those private communications that were reported or retained. As the commissioner himself notes, "CSEC deletes almost all of the small number of recognized foreign signals intelligence private communications unintentionally intercepted by its collection programs" (emphasis added). Logically, this means that the 66 that were used or retained (i.e., not deleted) represent almost none of the total that were actually intercepted. How large is the latter number? The commissioner does say that the number intercepted is itself a "small number". But in comparison to the billions of private communications that Canadians participate in every year, some pretty large numbers might be characterizable as small.

None of this is to suggest that a massive program designed to monitor all Canadians lurks beneath that innocuous-sounding 66 number. But it's worth recognizing that 66 is far from the whole picture.

Another point: I really have a hard time with this term "unintentional" that the commissioners use. There are cases when CSEC is trying to collect a foreign communication and by mistake it pulls in a Canadian communication. Those could fairly be described as "unintentional" or, as CSEC seems to prefer, "inadvertent".

The cases that CSEC describes as "incidental" are a separate type. If CSEC collects a bunch of communications to or from one of its foreign targets, let's call him Osama, and one of those communications turns out to involve a Canadian, the collection of that Canadian's communication is termed "incidental" by CSEC. It wasn't collected by mistake. And it wasn't collected unintentionally either. It was done on purpose. The Canadian wasn't specifically targeted for collection, but CSEC certainly did want to know the identity of the people Osama was talking to and the content of those communications, and, as you might expect, they were especially interested in the Canadian angle. In fact, the law was changed in 2001 specifically to ensure that it is legal for CSEC to collect, use, and retain those targeted foreign communications that turn out to have one end in Canada.

I get that the commissioners are trying to distinguish between targeting specific Canadians and not targeting specific Canadians. But there is nothing "unintentional" about the fact that CSEC collects—and pays particular attention to—the communications of Canadians and persons in Canada when those communications are with one of CSEC's foreign targets. Even the term "incidental" is somewhat misleading, in my view, as it carries the implication that CSEC isn't really interested in the Canadian end.

They're interested.

Criticisms and comments notwithstanding, it' s nice to see the increase in transparency in this year's report by the commissioner.

There is a lot more of interest in this year's report, but that's all for now...

Media coverage:

- Colin Freeze, "Spy agency intercepted, kept communications of 66 Canadians," Globe and Mail, 20 August 2014
- Jim Bronskill, "Spy agency improperly kept Canadian info," Canadian Press, 20 August 2014
- David Pugliese, "Communications Security Establishment kept private communications of Canadians in violation of internal policies," Defence Watch blog, 20 August 2014
- Tonda MacCharles, "Canada’s electronic spy agency gets passing grade from watchdog," Toronto Star, 20 August 2014
- Kady O'Malley, "CSEC kept 66 'unintentionally' obtained private communications," CBC News, 20 August 2014

Update 21 August 2014:

- Editorial, "A glimpse into the iceberg that is CSEC," Globe and Mail, 21 August 2014
- Wesley Wark, "Canadian spy agency watchdog strikes a new pose,"Ottawa Citizen, 21 August 2014. Excellent commentary by Canada's leading academic expert on intelligence issues.

Update 22 August 2014:

- Justin Ling, "Canada's Spy Agency Recorded Citizens' Calls, Internal Audit Reveals," Motherboard, 22 August 2014

Update 25 August 2014:

- Dan Leger, "Spies, guard dogs duck oversight," Chronicle Herald, 25 August 2014

SIRC 2014-15 Annual Report: The watchdog shows his teeth - Lux Ex Umbra 20160203

SIRC 2014-15 Annual Report: The watchdog shows his teeth - Lux Ex Umbra 20160203

As I noted here, there is a lot of interesting news in the CSE Commissioner's 2014-15 Annual Report, which was finally made public on 28 January 2016. (The Commissioner's reports are normally tabled in the June to August timeframe; the previous record for tardiness was the 2003-04 report, which was released on 8 October 2004. It is evident that the Harper government did not want the information that was in the report to be available to Canadians during an election campaign.)

The big news in the report was that, for the first time, the CSE Commissioner was holding out the possibility that CSE might be found in non-compliance with the law. The final answer to that question was left open in the report itself, which stated that the Commissioner was still examining the legal implications of the issue. By the time the report was finally tabled, however, Commissioner Plouffe had completed his review of the issue and concluded that CSE had failed to exercise due diligence and thus had violated the law. (For further details, see here.)

I see this decision as a very positive development. As I argued here, it was beginning to look as though CSE Commissioners would never find CSE in breach of the law for anything—or at least nothing short of admitted, unrepentant, and on-going illegality of the most brazen kind.

The danger of always letting CSE off the hook in the kinds of cases that actually do come up was two-fold: First, Canadians might come to see the Commissioner's annual assurances as largely meaningless, undermining one of the primary purposes of having the office. Second, CSE might come to see prevention of compliance lapses as relatively unimportant, since problems subsequently identified could always be fixed at some later time without consequences. By demonstrating that consequences are possible, at least in cases where CSE failed to exercise due diligence, the agency has been reminded that legal compliance has to be first on its priorities list at all times: it can never be left as an afterthought.

Another benefit of finally wielding the hammer of compliance judgement is that the level of attention paid to the Commissioner's recommendations at the political/ministerial level cannot fail to be dramatically elevated. Maybe now—finally—going on fifteen years after the mandate of the Communications Security Establishment was enacted into law, we will see action on the clarifying amendments that successive Commissioners have sought from the beginning. (More on potential amendments below.)

Last year I lamented the continuing failure of successive Commissioners to "pick up the hammer"; it's good to see a more Thor-like Commissioner in action.

There were also many other noteworthy items in this year's report.

Use and retention of private communications

The big news in the2013-14 report was that the Commissioner had finally been permitted to specify the number of "private communications" (communications with at least one end in Canada) used in intelligence reports or retained by CSE for possible future use during the agency's Mandate A (foreign intelligence) operations. That year the number was 66; this year the number is a mere 16.

Sixteen is a very small number, and it is useful that the CSE Commissioner is able to report it.

But, as I noted last year, it does not represent anywhere near a complete accounting of the Canadian communications intercepted or otherwise acquired and examined by CSE during the course of the year. It does not include communications of Canadians that do not fall into the definition of private communications, such as calls involving Canadians in which neither communicant is physically in Canada at the time. It does not include private communications intercepted and forwarded to CSE by Canada's SIGINT allies. It does not include private communications obtained during CSE's Mandate B (cyber security) operations. (This year's report has some interesting comments on those intercepts, however.) It also does not include private communications obtained during CSE's Mandate C (support to federal law enforcement and security agencies) operations. Finally, most importantly, it does not include the much larger number of Canadian communications intercepted or otherwise acquired by CSE that ultimately are neither used nor retained by the agency, but are simply assessed and deleted. How much larger that number is (and the scale of the even larger number of communications that receive preliminary monitoring of some sort but are never sent to an analyst to be "recognized" as private communications because automatic filters decide that they are not likely to be of interest) has never been revealed.

This is not to say there's a secret program to monitor everything Canadians say and do hiding under that almost inconsequential-looking sixteen number. Just a reminder that it is far from the whole story.

A useful innovation discussed in this year's report is the series of "spot checks" that the Commissioner has begun conducting on the larger set of private communications intercepted during CSE's Mandate A operations. These reviews cover all private communications "intercepted and recognized", not just those used or retained—but only those intercepted by CSE itself under its Mandate A. This year's spot checks covered the periods of 1 April 2014 to 20 June 2014 and 1 September 2014 to 15 October 2014", which together comprise 126 days, or 34.5% of the year.

Unfortunately, the Commissioner doesn't tell us how many Canadian private communications were intercepted and recognized during these review periods. This limits the reassurance value of his report.

I suspect that he would have been quite happy to publish this number, which would provide at least some, albeit partial, basis for assessing the scale at which CSE examines Canadian communications. Most probably CSE refused to declassify the figure. Elsewhere in his report, the Commissioner works hard to emphasize that the Minister of National Defence and CSE itself are not allowed to censor his public reporting. This is true, and of very great importance. They can't, for example, prevent him from reporting that CSE failed to comply with the law. But by controlling the power of declassification, they can and do reduce much of the Commissioner's reporting to generalities and often incomprehensibility. This has been an on-going problem for CSE Commissioners.

To their credit, the Commissioners have been gradually increasing the amount of hard information they are able to report, and this year's report contains some valuable new numbers (see below)—which also serve as important evidence that 16 private communications is far from the whole truth of CSE's interactions with Canadians.

Disclosures of Canadian Identity Information

When CSE issues a report that refers to a Canadian individual/corporation/organization etc. in some way, it "suppresses" the information that identifies that Canadian, replacing it with an expression such as "a named Canadian". CSE's customers can request this Canadian Identity Information (CII), however, and CSE will provide it if it assesses that the request is appropriate. (The RCMP might wish to know the actual name or contact information of a Canadian planning to import large quantities of illegal drugs, for example.)

This year, the Commissioner was able, for the first time, to provide statistics on the number of requests for CII made by Government of Canada clients during a portion of the year under review.

According to the report, CSE received 710 requests from Canadian government clients over a six-month period, or about 3.9 requests per day, for CII related to its Mandate A and Mandate B reporting, with the number of actual identities requested being even greater (a single request can involve multiple identities). This suggests that probably something on the order of 1500 requests were made during the entire year.

Not reported, however, was the percentage of times suppressed CII was requested or the percentage of times CSE acceded to those requests and provided the information sought. The report does state that some requests were refused, however.

Thinking about this in a back-of-the-envelope kind of way, the "sweet spot" to shoot for, it seems to me, would be a low request rate (CII requests in no more than say 10% of cases and possibly much lower than that) in combination with a high (say 90-95%) approval rate. A high approval rate would be desirable (when combined with a low request rate) because it would suggest that CSE's clients understand the rules surrounding the information and request it only when it is reasonably clear that they need it. A less than 100% approval rate, on the other hand, would also be desirable as it would suggest that approval is not granted as a matter of routine but is actually considered on a case-by-case basis.

By contrast, a high request rate combined with a high approval rate would suggest that the suppression of Canadian Identity Information in the original reports is more pro forma than a real privacy protection measure. A low approval rate would suggest, on the other hand, that CSE's clients are consistently seeking information about Canadians for which they have no justifiable need and/or that CSE's rules for access are incomprehensible or arbitrary and that its clients have no clear idea what sorts of requests may be approved.

Perhaps the Commissioner can provide some data on request and approval rates in future reports to help Canadians judge these possibilities for themselves.

It would also be helpful to know a bit more about the approval system itself in order to draw firm conclusions about its usefulness. Is it little more than a series of check boxes on an electronic form asking the requester to affirm that the identity information sought is essential to a full understanding of the intelligence in question and that such intelligence falls within the mandate of the agency requesting it? Do refusals only happen when some clown can't be bothered to read the form carefully enough to check the right boxes? A high but not perfect approval rate under those circumstances would not be much to celebrate. It would be nice if we had some basis for judging between these possibilities.

Getting back to the data that the Commissioner did provide, an annual rate of 1500 or so requests for Canadian Identity Information—which could imply (and here I'm guessing wildly) a grand total of something like 15,000 reports containing CII—presents a considerably different picture than that evoked by the Commissioner's affirmation that only 16 private communications were featured in reports in the same general timeframe.

The two measures address different things, of course. As noted above, CSE has access to many more Canadian communications than just those that it intercepts itself during Mandate A operations. More importantly, many of the references to Canadian identities that appear in CSE's reports are likely to have originated in communications that did not themselves involve Canadians. A foreign diplomatic communication might report, for example, that "named Canadian corporation" produces a particular kind of widget that would be useful for that country's prohibited ballistic missile program and that it might be possible to acquire these items through a front company based in the Bahamas. Few people would object to CSE reporting on such a communication, or to CSIS or the RCMP requesting the actual name of the company in order to prevent illicit technology transfers.

Still, the possibility that many thousands of CSE reports refer to Canadians every year, and that in hundreds of those cases the identities and other related information concerning those Canadians is ultimately released to other government agencies, highlights the extent to which CSE's activities really do impinge on or overlap with the personal lives of Canadians.

The Commissioner also reported that an unspecified number of requests for Canadian Identity Information were made by Canada's SIGINT allies (U.S., U.K., Australia, and New Zealand) during the year—and that approximately half of those requests were denied.
Such a large percentage of denials would seem to indicate that CSE places a high priority on protecting Canadian privacy in such exchanges. However, as I suggested above, it might also indicate that the Second Parties have been seeking Canadian information for which they have no justifiable need and/or that they do not understand the rules that govern access to Canadian information. Either explanation is cause for some concern.

The Commissioner also recorded that "Six requests were made for disclosure of Canadian identity information to non-Five Eyes recipients. Five of these requests were made by a Government of Canada client and one was made by a Second Party partner. None were denied."

Since 2011, CSE has been obliged to conduct a "mistreatment risk assessment" before permitting the disclosure of Canadian identity information to non-Five Eyes recipients. I fervently hope but can't say I'm at all confident that this process is considerably more rigorous than the one that governs Canadian arms sales to countries such as Saudi Arabia. The Commissioner's report notes that he reviewed "some of the corresponding mistreatment risk assessments", but it doesn't say what he made of them.

One wonders why certain Five Eyes countries that have been known to conduct extra-judicial executions, cross-border kidnapping, detention without trial, and "enhanced interrogation" are not also subject to such assessments. One might even consider it a legal obligation to perform such due diligence under certain international conventions to which Canada is a party.

Another NDA amendment recommended

Another important bit of news in the 2014-15 report is that the Commissioner has added an additional item to his list of recommended amendments to the section of the National Defence Actthat spells out CSE's mandate and powers.

Successive Commissioners have recommended that clarifying amendments be made to the NDA since shortly after the CSE-related sections were passed in 2001. The Commissioners have sought amendments related to the nature of the Ministerial Authorizations that govern the interception of private communications, the definition of the terms "intercept" and "interception", and other aspects of the law.

In 2007, the Harper government promised to proceed with amendments addressing these issues, but in fact it did nothing on any of them.

The Commissioner's new recommendation concerns the rules governing CSE's IT Security activities:

The National Defence Act was modified by the Anti-Terrorism Act in 2001 to, among other things, legislate CSE as well as its activities. Regarding IT security ministerial authorizations, it was established that the Minister of National Defence could authorize CSE to intercept private communications for the sole purpose of protecting Government of Canada computer systems or networks from mischief, unauthorized use or interference, in the circumstances specified in paragraph 184(2)(c) of theCriminal Code.

Subsection 184(1) of the Code establishes the offence of intercepting a private communication and subsection 184(2) sets out circumstances where the interception is not an offence. Paragraph 184(2)(c) applies to persons engaged in providing a telephone, telegraph or other communication service to the public who intercept private communications while providing the service.

I believe subsection 273.65(3) of the National Defence Actdoes not accurately reflect CSE’s activities because CSE undertakes activities beyond those considered in “the circumstances specified in paragraph 184(2)(c) of the Criminal Code.” I therefore recommended that subsection 273.65(3) of the National Defence Act be amended as soon as practicable to remove any ambiguities respecting CSE’s authority to conduct IT security activities that risk the interception of private communications.

According to the Commissioner's report, this new recommendation was also accepted by Harper government, although we will never know how sincere that acceptance may have been.

More importantly, the current government's Minister of National Defence has announced his support for the recommendations in this year's report, including the recommendation to amend the NDA.

If the government lives up to that commitment—and takes the opportunity to enact the other recommended amendments as well—we may finally see the end of the legal interpretation issues concerning CSE's mandate that, in the words of one Commissioner, "have bedevilled this office since December 2001."

Because it's 2016, and about time.

Commissioner's mandate and privacy

And while we're on the subject of amendments to the NDA, let's talk about the CSE Commissioner's mandate to promote privacy.

Successive Commissioners have made privacy protection an important part of their activities, but as far as I can see the only basis for that in legislation is their mandate to assess compliance with the law, which enables them to assess compliance with, for example, the privacy protections provided to Canadians in the Charter of Rights and Freedoms.

The privacy protections that exist in law (to the extent that jurisprudence has made them clear) do provide a minimum level of protection—a floor—beneath which CSE must not be permitted to sink.

But it seems to me that Canadians could also benefit from having an active advocate for greater and continuously updated protections—a constant effort to raise the ceiling—so as to adapt to changing technology and circumstances.

Commissioners do seem to have tried to push the envelope on privacy questions. The current Commissioner describes his mandate as not only to assess compliance with the law, but also "to promote the development and effective application of satisfactory measures to protect the privacy of Canadians in all the operational activities CSE undertakes."

Wouldn't it be great if the government wrote this mission explicitly into the NDA when it proceeds with those other amendments?

CFIOG Cyber Support Detachments

On a totally different topic, one of the more interesting reviews conducted by the Commissioner during the past year was an examination of the SIGINT activities of the Canadian Forces Information Operations Group (CFIOG) Cyber Support Detachments.

These small military units, formerly known as SIGINT Support Elements, are located at major headquarters in Halifax, Victoria, Winnipeg, and presumably Ottawa.

CFIOG Cyber Support Detachments act as the go-between to provide CSE reports on foreign signals intelligence to clients within the [Canadian Armed Forces (CAF)]. The CFIOG Cyber Support Detachments provide foreign signals intelligence support to select CAF commanders for a spectrum of activities, ranging from planning to direct support to combat operations. The Detachments are not involved in either the collection of foreign signals intelligence or the production of related reports; they primarily provide situational awareness to their respective intelligence and operational staff.

The Commissioner's review "concluded that the Cyber Support Detachment activities conducted under the authority of Part V.1 of the National Defence Act were in compliance with the law, ministerial direction, and CSE policies and procedures." No recommendations were made for changes in any CSD activitities. Nothing too interesting there.

What was more interesting about the review was that it featured another challenge to the CSE Commissioner's authority to review what he sees fit:

At the outset, my authority under the National Defence Act to review the CFIOG-controlled Cyber Support Detachments was questioned. After a six-month delay and many discussions between my office, CSE and the CAF, I exercised my authority and was provided direct access to Detachment staff and premises to ensure that their foreign signals intelligence activities conducted under Part V.1 of the National Defence Act complied with the law, ministerial direction, and CSE policy and procedures.

Now this is what I like to see!

Last year, it was CSE arguing that the Commissioner had no authority to examine the protection of information shared with the Second Parties, other years it has been other things, and my question has always been, why doesn't the Commissioner just point to his powers under the National Defence Act and start kicking ass and taking names? It is written right into the NDA: he has the power to investigate anything he sees as relevant to his mandate.

This time, the report says, he "exercised [his] authority".

That may just be a dramatic way of saying he managed to negotiate permission to go in, but it sounds more like he swung the hammer around a little bit first.

More of this please!

Also of interest: the Commissioner's report notes that the SIGINT reports accessed by the CSDs

may contain Canadian identity information that has been suppressed, that is, replaced by a generic reference such as “a named Canadian.” In the event that there would be a request for the disclosure of suppressed information, the Detachments would follow an established process and pass the request to CSE for action. To date, however, there has never been a request for the disclosure of suppressed Canadian identity information [through the CSDs].

At least somebody's minding their own business!

But it does leave me wondering how the SIGINT system's support to search and rescue operations fits in. SIGINT radio direction-finding stations are often used to help pinpoint the location of aircraft and ships in distress and to relay information about the occupants to the Rescue Coordination Centre.

Does such information not pass through the CSDs?

Maybe it's just that identity information is not suppressed in the first place in emergency situations where it may be necessary to help save lives, so the question of requesting its disclosure under such circumstances doesn't arise.

There is more to discuss in the 2014-15 report, but that's all I'm going to write about for now. More to come in a later installment!

In the meantime, as a partial antidote to all the rosieness in the comments above, be sure to read Wesley Wark's commentary on the CSE Commissioner and SIRC: "Canada’s spy watchdogs: Good, but not good enough," Globe and Mail, 1 February 2016.