Several days ago, the U.K. Guardian and Washington Post newspapers reported on U.S. surveillance programs involving the massive intercept of electronic and voice communication data. The most notable of these, called "PRISM", is described by the Guardian as allowing U.S. intelligence officials (and specifically the National Security Agency or NSA) "to collect material including search history, the content of e-mails, file transfers and live chats". The focus is on foreign communications that take place outside of the U.S. but transit through the systems of U.S. internet firms. Meanwhile, the same report noted that U.S. intelligence services may be compelling at least one large telecommunications firm to "turn over the telephone records of millions of U.S. customers," pursuant to a warrant issued by a special U.S. national security court.
These revelations have fuelled speculation about whether similar surveillance programs exist in Canada. Since by definition, such programs are secret, it is not possible to answer this question. It is, however, worth understanding the legal landscape in which national security surveillance operates in Canada, focusing specifically on Communications Security Establishment Canada (CSEC). CSEC is Canada's equivalent to the National Security Agency, and performs similar functions.
What Does CSEC Do?
By law, CSEC mandate includes: acquiring and using "information from the global information infrastructure for the purpose of providing foreign intelligence" and providing "technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties." In other words, it spies.
When and on Whom Can CSEC Spy?
CSEC can spy on foreigners and on Canadians, but the rules that apply to each of these scenarios are radically different.
Spying as part of collecting foreign intelligence:
First, under its mandate, CSEC can collect "foreign intelligence". Much (probably most) of this foreign intelligence is just that: foreign. There is no Canadian person or person in Canada involved in the communication being intercepted. With this kind of communication, there are no legally prescribed authorizations that must be obtained prior to intercept.
Still, in a world whose telecommunications systems are webbed together, even "foreign intelligence" may have a Canadian nexus – for instance, it may be that a telephone call sent to or originating in Canada might be intercepted. Or the communication of a Canadian located overseas might be captured. Meanwhile, CSEC's rules insist that its foreign intelligence activities "not be directed at Canadians or any person in Canada; and ... shall be subject to measures to protect the privacy of Canadian in the use and retention of intercepted information." Squaring this expectation with the reality of webbed communication can be tricky.
For this reason, special authorization is obtained where CSEC's foreign intelligence activities might capture communications with a Canadian nexus: a "ministerial authorization" must be issued by the Minister of National Defence. And this authorization can only be made where the minister is satisfied, among other things, that the interception is directed at foreign entities outside of Canada and privacy protecting measures are in place in the event that Canadian communications are captured.
In practice, ministerial authorizations have been issued on a "just in case" basis – that is, because one can never be sure that the communications intercepted will lack a Canadian nexus, authorizations are sought regularly to make sure CSEC remains on-side the law. As described by the commissioner charged with review of CSEC in his most recent annual report, ministerial authorizations "relate to an 'activity' or 'class of activities' specified in the authorizations ... the authorizations do not relate to a specific individual or subject (the whom or the what). (The CSEC commissioner is historically a former senior judge who operates at arm's length from CSEC in reviewing the agency's conduct.)
As of last year, there were six authorizations in place.
Spying as a technological appendage to CSIS or the RCMP:
In addition, CSEC may also assist CSIS or the RCMP in intercepting communications, providing technological wherewithal that other agencies may not have. Given the mandate of the latter agencies, these communications would almost always involve Canadians or communications within Canada. To be clear, however, these domestic intercepts would only be legal if a judge pre-authorizes the intercept by judicial warrant. CSEC, in other words, would only spy on Canadians on behalf of CSIS or the RCMP where these agencies had obtained regular warrants allowing this surveillance.
Could Canada Have a PRISM-like intercept program?
Yes. PRISM is apparently focused on foreign communications passing through U.S. internet firms. With a ministerial authorization, CSEC could (in principle) collect analogous communications flowing through Canadian internet providers (although it seems unlikely that it could compel these providers to co-operate, especially in a "dragnet" like sweep).
Could communications by Canadians be swept up in such a program?
Yes, potentially – that is one of the reasons a ministerial authorization would be necessary. Canadian communication could not legally be targeted, but it is possible (even probable) it would be swept up in such a hypothetical intercept program.
What could happen to Canadian communications caught by a hypothetical Canadian PRISM-like program?
According to the CSEC commissioner, Canadian communications inadvertently collected by CSEC in its foreign intelligence operations must be destroyed, except in a number of circumstances. For instance, it need not be destroyed if it consists of "foreign intelligence". CSEC must report intercept of any Canadian communications to the minister of national defence on the expiry of the ministerial authorization (which can last one year) and these reports are examined by the commissioner.
All of this is to say that while CSEC cannot target Canadian communications, it can keep such communications swept up in its searches for certain limited reasons.
Could Canadian communications captured by CSEC as part of its foreign intelligence operations be shared by CSEC with other agencies?
Potentially. However, as the CSEC commissioner puts it in his annual report, "the reference to an identified Canadian must be suppressed and replaced by a generic reference such as 'a named Canadian' person or company." If the other government agencies wants more, 'CSEC must verify that the requesting government department or agency has both the authority and the operational justification for obtaining the Canadian identity information.'" What this means may vary. However, if would be highly suspect (and probably unconstitutional under Supreme Court jurisprudence) if the police were to obtain personal communication information through an administrative arrangement with CSEC, without a judicial warrant.
Could Canada collaborate with allies so that each allied agency spies on the citizens of the other state?
There are many stories about collaboration of this sort, especially among the so-called "five eye" intelligence agencies (those from the U.S., U.K., Canada, Australia and New Zealand). Note, however, the strong words of the CSEC commissioner : "CSEC and its closest international partners ... respect each other's laws by pledging not to target one another's citizens' communications. CSEC is prohibited from requesting an international partner to undertake activities that CSEC itself is legally prohibited from conducting. My reviews examine CSEC's cooperation with its allies to ensure compliance with the law."
Could information nevertheless flow between allies?
Yes – that is the nature of intelligence sharing (now quite extensive). A considerable amount of Canadian communications (telephone and electronic) is routed via the United States at any given time. There, it is presumably subject to PRISM and analogous intercept programs. If the U.S. NSA were to discern in this intercepted information intelligence of national security significance to Canada or some other ally, it could well be that the information (or an intelligence report drawn from it) would be shared with allies through intelligence sharing protocols.
No law would be violated – the U.S. agency would collect the information in a manner lawful under its rules. The Canadian agency is not stopped from receiving the information (although the use it could then put it to would be governed by Canadian law).
Matters would quickly become more difficult if the Canadian agency actually tasked the allied body with collecting the information, or otherwise requested it. That behaviour could be critiqued as an outsourcing of intelligence collection that does an end-run around Canadian privacy rules. However, as noted, the CSEC commissioner reviews CSEC activities to ensure compliance with a prohibition on this sort of nefarious collaboration.
What about the telephone related information subject to collection in the U.S? Could that happen in Canada?
At issue in the United States is apparently domestic U.S. telephone-related "metadata" – phone numbers; call duration; call location etc. It is possible to debate the extent to which metadata triggers privacy rights. But simply calling something "metadata" doesn't mean it is exempted from legal rules on intercept. Not all data are the same. And while the matter may remain unsettled, it seems very likely that who you called from where and for how long is personal information of a sort in which you have a reasonable expectation of privacy. In those circumstances, it could only be collected in Canada pursuant to a judicial warrant.
This is not a circumstance where CSEC could rely on its foreign intelligence mandate – collecting data on Canadian telephone calls means targeting Canadians and people in Canada. And so any collection would have to involve CSEC assisting another agency, probably CSIS, acting pursuant to a warrant.
It seems unlikely CSIS could persuade a Federal Court judge to issue a warrant allowing the collection of metadata on millions of phone calls. Judges look for particularity in warrant applications: they are supposed to be reasonably narrowly tailored. In the most recent judgment released in a warrant case, the judge emphasized the importance of identifying with the precision the person targeted by the warrant, and limiting the intercept to places named in the warrant. In 1997, the Federal Court dismissed as overbroad a warrant application that allowed CSIS to target a general class of persons at its discretion.
What's the take away lesson from all this?
Watchdogs matter. The technology of intercept means that what is technologically possible now far exceeds what is legally permissible and socially desirable. It must be tempting to push the legal envelope to serve a higher purpose of protecting Canadian security interests. We are, therefore, immensely dependent on measured and prudent use of the technologies at the government's disposal and very thorough and careful review and oversight by the bodies that examine government conduct. This is a system of "trust, but verify". And therefore, those review bodies should never be an afterthought and should always be well-staffed and well-funded. On balance, the staffing and funding of these bodies has not kept pace with the growth of the intelligence agencies they review. Indeed, in the case of CSIS, one tier of review (the inspector general) was recently eliminated, possibly resulting in a net reduction in the degree of close scrutiny of CSIS.
Carefully enhancing review body capacity should be a priority.
Craig Forcese is Associate Professor, Faculty of Law, University of Ottawa