Security and Privacy Conference - British Columbia

Security and Privacy Conference

Panel: Intelligence vs privacy: a false dichotomy?

https://www.rebootcommunications.com/events/privsec2014/

Victoria, B.C.  Friday, February 7, 2014

11 a.m. – 12:15 p.m.  Salon A/B

Remarks by J. William Galbraith, Executive Director, Office of the CSE Commissioner

Thank you.  I am pleased to be here, to contribute to this important discussion.  

What struck me when I listened to Dr. Cavoukian [Information and Privacy Commissioner of Ontario] yesterday was the number of points she made that are familiar to the work we do at the CSE Commissioner's office and the approach we take.

The importance of privacy cannot be over-estimated, especially where intrusive capabilities are concerned.    

In these brief remarks, I will address our panel title question, describe the mandates of Communications Security Establishment (CSE) and the CSE Commissioner, and clarify some misconceptions currently heard in the public discourse.

I want to start, however, by noting that Commissioner Plouffe's concern, as that of his immediate predecessor, in dealing with this charged environment, is that public dialogue must be based on fact and reason; which is what one would expect from someone who has had a long career as a judge of a superior court.  There is, however, in the public domain, not a little information that is misrepresented, misunderstood, or wrong. 

We have put up on the Commissioner's office website, Questions and Answers to help address some of these.

“Intelligence VS privacy”  Is it a false dichotomy?   It is.  The two have been inseparable, not counter-poised, from the legislative beginnings of the two principal intelligence agencies in Canada – CSE and the Canadian Security Intelligence Service (or CSIS). 

If the intelligence agency had a focus only on its collection mandate, with no or minimal consideration for privacy, there would be very serious cause for concern.  

Intelligence and privacy are integrated in legislation that provides direction for intelligence activities and expectations for the protection of privacy.  This reflects the importance that Parliament and our law-makers, who represent Canadians, attached to both. 

CSE's mandate is three-fold. In short: collect, protect, and assist.

First:

- CSE collects foreign signals intelligence, or SIGINT for short. However the intelligence priorities are not determined by CSE itself but are set by the Government of Canada;

Second:

- CSE provides advice and services to help ensure the protection of computers and communications systems of importance to the Government of Canada.  This is its information technology (or IT) security mandate and is in fact critical to ensuring that personal information Canadians submit to different government departments and agencies is secure from hackers, for example, and others who would misuse that information;   

And third:

- CSE may provide assistance to federal law enforcement and security agencies, for example CSIS and the RCMP, in the lawful conduct of their duties.

The Commissioner's mandate is to:

The late Commissioner Gonthier, former justice of the Supreme Court of Canada, articulated the role of the CSE Commissioner:

CSE has to operate largely in secret.  Therefore, the role of my office is to represent the public interest in accountability  – but in a way that does not compromise the important work that CSE does.

And there are limitations on what CSE does.

It is evident in CSE's enabling legislation  – Part V.1 of the National Defence Act – that privacy was not forgotten by the lawmakers.  The legislation imposes explicit privacy protection obligations on CSE.  I will describe three.

First, the law requires that CSE's foreign signals intelligence collection and information technology security activities “not be directed at Canadians or any person in Canada”.  There has been some confused public comment recently that this does not cover the communications of a foreigner in Canada or two Canadians abroad.  It does, in both cases.   

Second, CSE's SIGINT and IT security activities “shall be subject to measures to protect the privacy of Canadians in the use and retention of intercepted information.”  

The third privacy obligation involves ministerial authorizations, or MAs, for either SIGINT or IT security activities.  I will focus on the SIGINT MAs which are the subject of much misconception.  The CSE Commissioner must, by law, examine activities under Ministerial Authorization, and there are key points he looks to verify.

CSE must target foreign entities that are outside of Canada and that are included in the intelligence priorities of the Government of Canada.  That foreign entity or person may be communicating with a Canadian or a person in Canada, which makes it a “private communication” as defined by the Criminal Code and as noted in the National Defence Act.

Prior to the legislation passed in December 2001 and the ministerial authorization clause, CSE was not allowed to intercept a “private communication” even if, for example, CSE had been targeting a terrorist in a foreign country who was communicating with someone in Toronto or Victoria.  

I doubt there is anyone here who would not want this “private communication” being intercepted and analysed for foreign intelligence value, and if appropriate included in reports to other government agencies that could act on it. 

The law states that CSE may only use or retain a “private communication” if it is essential to international affairs, defence or security.  The law also states that “satisfactory measures” must be in place to protect the privacy of Canadians.  Commissioners examine the activities under MAs to ensure that ALL the requirements, limitations and conditions imposed by law are respected.

The point about “private communications” intercepted by CSE under ministerial authorization is that CSE does not know who the foreign entities they are directing their activities at will be communicating with.  CSE therefore could not seek a warrant for a specific, Canadian individual because that essential fact cannot be known.  There can be no intention on CSE's part in acquiring the communication of a Canadian or a communication with a Canadian end; that Canadian end must be incidental to CSE's legislatively mandated intentional targeting of the foreign entity outside Canada.  If CSE were intentionally directing its activities at a communication with a known Canadian end, this would be illegal.  This is what the Commissioner verifies in reviewing CSE's activities under ministerial authorization.

Despite intelligence and privacy being included in the same law, is it enough?  Is it enough to follow the letter of the law? 

Again, I quote from former Commissioner Gonthier:

Individual and organizational respect for fundamental democratic values within CSE is critically important. … We [the office of the Commissioner] must see ourselves as strengthening the culture of compliance and respect for privacy in CSE.  By doing our job well … we will in fact contribute to the efficiency and effectiveness of CSE.

Cultivating a “culture of compliance” is the best assurance against breaches of privacy. 

Now let me turn briefly to clarify some other misconceptions.     

I will focus on two for now; others may come up during discussion.

First, the independence of the CSE Commissioner.

The question about the Commissioner's independence is one that is addressed on our website and that Dr. Cavoukian raised yesterday and, with respect, I must take issue with any suggestion the CSE Commissioner is not independent.  I will add here, to re-emphasize, that the CSE Commissioner does not “report to” the Minister of National Defence and the Minister cannot alter anything in any report of a Commissioner. You can be sure that a judge whose career has been spent in a field that is at the base of our democratic society, and based on the concept of judicial independence, would not brook any interference in his work as an independent Commissioner.

The Commissioner's classified reports are submitted to the Minister because he is responsible for the intelligence agency and can therefore order it to implement the Commissioner's recommendations, which is something that has occurred in the past when a Commissioner's recommendation was initially rejected. 

The Commissioner's public annual report, prepared for Parliament, is submitted to the Minister who must, by law, table it in Parliament within a set timeframe.  Again, the Minister cannot alter that report.

The second point I would like to clarify concerns the review process and methodology.

Some people suspect that because they cannot see or know what happens behind “the secret door” that the worst happens.  That trust is not enough.  The Commissioner would agree “trust is not enough”. 

Here, let me remark that the methodology and process we follow is adapted from standard and accepted audit practices, which includes the Auditor General of Canada. 

During a review, we do not just accept information that CSE gives us, say “thanks” and go away. Reviewers must be skeptical, rigorous and tough, but also fair in their approach.  If there is cause to suspect that CSE is not being forthcoming on any particular review, that is where we get tough.  Commissioners have the power of subpoena if it is required.   

The Commissioner has full access to CSE.  It is not limited in any way, as suggested yesterday by Dr. Cavoukian.  I can provide you with details later, Dr. Cavoukian.

Currently, we would say that there is “good faith” on the part of CSE. It is transparent in its dealings with the Commissioner's office.  They understand how important this is, particularly in the current environment.

There have been times, however, of real tension; ultimately if an issue cannot be resolved between the Commissioner and CSE, it goes to the Minister.  I can tell you it does not hurt, in these rare cases, that the Commissioner is a former judge of a superior court – including three who were former justices of the Supreme Court of Canada.   

A fundamental concept of standard and accepted audit and review methodologies is to test data.  Documents or interviews with personnel involved in particular activities will yield certain data.  We may and do, as part of our process, request to access the origin of that data, for example in a computer system.  We may also access a system to do spot checks.

Let me finish by noting that if there are concerns about what the law permits, or what the government directs, those are questions to be directed at the political level and for Parliament to consider.  I have a job to do for the Commissioner and that is to ensure his mandate – as currently set out in law – is fulfilled in as comprehensive, tough but fair manner as possible.   

I look forward to the discussion.  Thank you.
