FYI.

This story is over 5 years old.

Tech

The New CSEC Spy Report Tells Canadians Nothing

A new annual report came out on Canada's favourite signals intelligence agency. Unsurprisingly, it's evasive.
Justin Ling
Montreal, CA
Edward Drake Building. Image: Wikimedia Commons

The watchdog for the Communications Security Establishment Canada, known officially as the CSEC Commissioner, has released his annual report, and you'll be happy to hear that Canada's top secret intelligence collection agency has received great reviews, even after quite the controversial year.

An ex-judge, the Honourable Jean-Pierre Plouffe, is the country's fresh-faced commissioner. He's been on the job for nearly a year now, and decided not to break with tradition by publishing another very vague overview of CSEC's good work.

Advertisement

The mostly positive report comes on the heels of a year filled with scandal. In the summer of 2013 the agency was accused of spying on Brazil, followed by allegations in the fall of an airport surveillance operation targeting Canadians. CSEC was also believed to be among a group of law enforcement agencies the former interim privacy commissioner accused of allegedly requesting the internet user data of Canadians with impunity.

While the report is vague in its, Plouffe did offer several recommendations on how CSEC could improve its operations.

Plouffe kicked off the report with some good news—CSEC has or is working to implement 93 percent of recommendations made since the Commissioner's job was created in 1996.

The last few months of privacy-related chatter has shown pretty clearly that nobody can agree on a definition of metadata

Mind you, that statistic doesn't identify which are the 'in progress' recommendations, of which there are supposedly three. (The other ten, of course, are from this week's report.)

Following up on a recommendation from last year, proposed by Plouffe's predecessor, the Commissioner notes, "CSEC has promulgated updated policy guidance respecting how to clearly and consistently communicate with its partners about what entity its activities are being directed at."

What Plouffe is trying to get at is that last year's report identified communications between it and CSIS—the spy agency that is allowed to spy on Canadian citizens—to be "unclear," and recommended that CSEC better train its analysts to ensure that they know what constitutes the "foreign status of an entity."

Advertisement

But on that point, Plouffe says everything's been fixed. Training and information sessions are being held to ensure that CSEC isn't collecting Canadians' data for CSIS.

Plouffe makes a point to acknowledge the usefulness of his office, and his sister watchdog, Security Intelligence Review Committee, which oversees CSIS (and, unlike the CSEC Commissioner, is actually independent).

In 2009, a federal court gave permission for CSEC to capture Canadians' data, so long as the capturing was being done within Canada and the Canadians were abroad. The Commissioner of the day advised the Minister of National Defence to have CSEC ask CSIS to tell the courts if CSEC shared that information with, or requested help from, any foreign allies.

In other words: if CSEC obtained Canadians' data for CSIS, and CSEC collaborated with the Americans on the operation, CSEC would ask CSIS nicely to proactively tell the courts.

Judge Richard Mosley dragged the two spy agencies into court to ask a few questions. He called the scheme "a deliberate decision to keep the Court in the dark."

While one might conclude that the whole thing exemplifies just why the CSEC Commissioner job is compromised, given that they report directly to the Minister of National Defence, Plouffe had a different opinion.

"Some have suggested that this matter points to a failure of the review bodies to help control the intelligence agencies. On the contrary, these events demonstrate how review works, as Justice Mosley was alerted to this following [the Commissioner's] recommendations," Plouffe writes.

Advertisement

The last few months of privacy-related chatter has shown pretty clearly that nobody can agree on a definition of metadata—with Members of Parliament who are tasked with overseeing this stuffstill using decades-old definitions that really only apply to landline phones.

In his report, Plouffe went and offered his own definition.

"Metadata is information associated with a communication that is used to identify, describe, manage or route that communication. It includes, but is not limited to, a telephone number, an e-mail or an IP (Internet protocol) address, and network and location information. Metadata excludes the content of a communication," he writes.

Of course, metadata can also include the subject line of an email, search and browser history, usernames and passwords, cookies and a timeline of everywhere you've been.

But CSEC isn't capturing metadata for nefarious purposes, Plouffe says, it's all in the name of privacy.

"CSEC uses metadata, for example, to determine the location of a communication, to target the communications of foreign entities outside Canada, and to avoid targeting a Canadian or a person in Canada," he writes.

Plouffe noted that there are some privacy concerns with metadata, but didn't elaborate. Without offering any detail whatsoever, Plouffe said that the Office of Counter-Terrorism (OCT), located within CSEC, did have a few problems with metadata.

"Parts of CSEC policy related to this metadata activity did not reflect standard practices. I recommended that CSEC modify its policy for these activities to reflect its current practices, specifically for record keeping," he wrote.

Advertisement

While, at one time, we may have believed that our spy alliance, known as the Five Eyes, offered us protection from the other four eyeballs, that theory has essentially been dispensed.

One of the CSEC Commissioners' preoccupations has been to try and figure out just how often our allies are spying on us. And CSEC wasn't helping.

"During the conduct of this review, CSEC declined to provide the Commissioner's office with a description of or a copy of relevant extracts of second party policies on the handling of this information," Plouffe notes of his predecessor's efforts. "CSEC also declined at that time to identify for the Commissioner's office any specific differences—large or small—between respective partners' laws, policies and practices and how this may affect the partners' protection of the privacy of Canadians."

But things changed. When new CSEC head honcho John Forester took the job, he called the allies and gave the Commissioner a report about the other eyes' policy when it comes to spying on Canadians. Plouffe lauded Forester's transparency and leadership.

Of course, the public will never see that report, but Plouffe and his predecessor both made recommendations to the Minister, asking that CSEC be required to report information about Canada's allies spying on Canadians. As of yet, there's been no word on that request.

Plouffe also did an incredible thing this year—he told us just how often CSEC obtained Canadians private communications.

Advertisement

This year, it's a modest 66. Well, that's the number of private communications that CSEC actually cited in its reports, or kept on its servers. CSEC, of course, isn't allowed to capture Canadians' data—unless, Plouffe vaguely notes later, "if it is essential to understanding the intelligence."

In one instance, a private communication was recognized but, contrary to policy, that communication was incorrectly marked for retention

While Plouffe doesn't say exactly what the files were, he does say that he and his staff "tested the contents of CSEC systems and databases and listened to the intercepted voice recordings, read the written contents, or examined the associated transcripts of the communications."

Plouffe concluded that the Canadian data captured by the signals intelligence agency was "incidental." Even so, he singled out the fact that the communications were stored by CSEC when they, evidently, should not have been.

"In one instance, a private communication was recognized but, contrary to policy, that communication was incorrectly marked for retention even though it had not been assessed as essential to international affairs, defence or security," he writes. "In another situation, CSEC identified several private communications, but did not mark them for retention or deletion until several weeks after they were identified."

He goes on to note that some files that were kept long after they were necessary, which contradicts CSEC's requirement to delete those communications.

Advertisement

When it comes to disclosure, Plouffe's office gets to review about 20 percent of the requests sent to CSEC from Canadian agencies or other countries. Plouffe said that everything was above board, and that Canadians' privacy rights were protected.

Except for the instances when they weren't.

There were two Canadians, though Plouffe says that CSEC didn't knew they were Canadians at the time, who were mentioned in reports shared between Canada and a Five Eyes partner. Plouffe says CSEC put the issue in its Privacy Incidents File (which it apparently has) and that everything has been settled.

He also says there were other instances where "records of the disclosures were not in accordance with best practices." But, as is his style, he doesn't elaborate.

It appears that a second party partner unintentionally included Canadian identity information in those reports, that is, Canadian identity information was not initially suppressed in those reports as required by CSEC and second party policies.

I am concerned that commentators are raising fears that are based, not on fact, but rather, on partial and sometimes incorrect information regarding certain CSEC activities

Plouffe, unsurprisingly, says he was "contacted by a growing number of individuals who were seeking information or expressing concern about CSEC activities." The CSEC Commissioner, of course, has the ability to vet complaints. But, despite that high volume, Plouffe says "no complaints about CSEC activities warranted investigation."

While Plouffe, in his opening salvo before the report, says he took the job because he does not "wish to live in a society where the state makes unjustified intrusions into its citizens' privacy," he also has some strong words for you privacy minded types who are listening to that NSA contractor in Russia.

"I am concerned that commentators are raising fears that are based, not on fact, but rather, on partial and sometimes incorrect information regarding certain CSEC activities. I want to reassure Canadians, especially those who are skeptical about the effectiveness of review of intelligence agencies, that I am scrupulously investigating those CSEC activities that present the greatest risks to compliance with the law and to privacy," Plouffe writes.

It's worth noting, again, that Plouffe's office is not actually an independent watchdog, but more of an internal reviewer. The Commissioner is an employee of the Minister unlike, say, the Auditor General, who is entirely free from political influence.

Now, renegade soon-to-be-ex-Senators Hugh Segal and Romeo Dallaire proposed a Parliamentary oversight committee that would review CSEC and CSIS's actions. But that idea, so far, has been ignored by the government.

In other words, the vague details and hidden meanings in this commissioner's report are par for the course when it comes to information on Canada's shadowy signals intelligence agency.