Watching the Watchers

<b>Mass electronic surveillance has gotten way out of hand. Effective oversight is needed now <br/> <br/>By George Takach</b> <br/> <br/>OVER THE PAST number of months, Canadians have come to learn an unprecedented amount about CSEC, the acronym for Communications Security Establishment Canada. This is one of our spy agencies, the other main one being CSIS, the Canadian Security Intelligence Service. <br/> <br/>Broadly speaking, the role of CSIS is to collect human-based intelligence abroad — that is, operate a spy service centred on human agents. By contrast, CSEC's job is to collect “signals information outside of Canada,” which today means principally electronic surveillance. In an age when so much of our lives unfolds on computer screens, including smartphones, it's worth asking some important questions about CSEC and the nature of legal and other oversight we have in place ...
Watching the Watchers
Mass electronic surveillance has gotten way out of hand. Effective oversight is needed now

By George Takach


OVER THE PAST number of months, Canadians have come to learn an unprecedented amount about CSEC, the acronym for Communications Security Establishment Canada. This is one of our spy agencies, the other main one being CSIS, the Canadian Security Intelligence Service.

Broadly speaking, the role of CSIS is to collect human-based intelligence abroad — that is, operate a spy service centred on human agents. By contrast, CSEC's job is to collect “signals information outside of Canada,” which today means principally electronic surveillance. In an age when so much of our lives unfolds on computer screens, including smartphones, it's worth asking some important questions about CSEC and the nature of legal and other oversight we have in place for this agency.

> No Discretion after Wikileaks
The general public has come to learn about CSEC and its American counterpart, the National Security Agency (NSA), through the unauthorized disclosures of NSA information by Edward Snowden, a contractor who used to work there. Snowden took it upon himself to leak large volumes of classified information, Wikileaks style. Whether you think Snowden is a deceitful traitor or a whistle-blowing hero, the fact is that the Wikileaks culture is not going away anytime soon, and will continue to have a profound impact on how spy agencies go about doing what they do, because it is now virtually impossible to avoid the glare of public disclosure.

The Snowden revelations tell us that CSEC appears to be eavesdropping on businesses and governments of friendly states, such as in Brazil. Equally, information has come to light regarding NSA spying friendly West European governments, including the personal cellphone of German Chancellor Angela Merkel.

What's also become public knowledge is that the electronic surveillance agencies of the US, Canada, UK, Australia and New Zealand – the so-called “Five Eyes” – routinely share the surveillance data they harvest. An example of that appears to be the assistance given by CSEC to the NSA in the latter's spying activities around Toronto's G-20 summit a few years ago.

> Government Surveillance Policy
When Ottawa is asked about the CSEC revelations, the relevant minister typically replies that he or she cannot provide any substantive answers because “we cannot comment due to national security. But rest assured, CSEC by law is not permitted to direct its activities at Canadians.”

This response, in 2013, is wholly inadequate, for a number of reasons. First, CSEC is a lot bigger today than it ever was. In 1999, it had a budget of about $100 million and 900 staff. CSEC got a big boost after the Sept. 11 attacks, when Canada passed the Anti-Terrorism Act. This statute codified the legislative pillars of CSEC, through amendments to the National Defence Act, where the legislative underpinnings for CSEC lie today.

Now housed in a gleaming billion-dollar facility, CSEC has an annual operating budget of roughly $500 million, with staff numbering around 2,100 (and CSIS has grown as well — from $180 million annually to $535 million). To simply shroud them both under a cloak of secrecy by arguing “national security” doesn't cut it. Not in a modern democracy.

Another reason we need a more effective oversight mechanism for CSEC (and CSIS) is because, in the est of our information dealings throughout society – whether we are active in e‑commerce, online education, or accessing online services – we are taking great pains to implement more rigorous privacy and security standards. For example, the federal government and a number of provinces have enacted privacy and access-to-information legislation. The former is aimed at implementing a legally based code of conduct, which would apply to the private and public sector, for the handling of personal information.

Access-to-information legislation exists because governments in democracies recognize that allowing people to see the information that is created by the public sector is an important part of our free and open culture — and it makes for a better informed citizenry, thereby improving decision-making. Privacy laws and access-to-information regimes have become key elements of modern Canadian democracy. This makes the current lack of espionage oversight less and less tenable.

The third driver for greater scrutiny is the massive growth of information in electronic form. So much of our lives is now lived online. And even when lived offline, it is at least planned, documented, memorialized and celebrated over the Internet and other networks, very often in circumstances where the relevant person had a reasonable expectation of privacy. The concern is that virtually everything that you email, text, send or speak over a cellphone or IP-enabled landline is either being recorded or is capable of being recorded by spy agencies, whether foreign or domestic. And so it matters if governments can access data without the protections of privacy and access-to-information laws helping circumscribe, or at least supervise, their behaviour, like a brooding conscience.

A final rationale for greater vigilance around spy agencies is that the technology now exists to conduct mass surveillance on a gargantuan scale. A recent report describes how the NSA can track five billion (that's right, billion) cellphone records a day. Essentially, your cellphone emits your geo location, and this information allows the NSA to map relationships between individuals on a scale never before imagined.

In effect, the SMAC (Social, Mobile, Analytics, Cloud) features of our new Internet 2.0 world, which are revolutionizing so much of our online behaviour, are permitting governments to undertake surveillance in ways never previously contemplated. To think that Canadians are not impacted by these new surveillance developments would be naive in the extreme.

> Active Oversight Required
Oversight of CSEC today is provided by the Office of the CSE Commissioner, a single official, assisted by a staff of fewer than 10 people. One of the Commissioner's key roles is to make sure that CSEC's activities are not aimed at Canadians.

With all due respect to the current Commissioner, we need a more thorough system of review and supervision of CSEC. The scope of the mandate for review also ought to be broadened. Oversight, for instance, should also be directed at the overall direction and methods used by CSEC. How much non-security-related eavesdropping is appropriate; that is, how much economic espionage should we participate in, especially against our most active trading partners? In 2013, is it really appropriate that a democratic country place a listening device in the cellphone of a president or prime minister of a friendly nation?

Put another way, are some of these practices helping, or actually hurting, our diplomatic efforts? Again, not a trivial question. And will the supposed benefits of that type of spying pale in comparison to the fallout when it comes to light (as seems fairly likely in this age of Wikileaks disclosures)?

Moreover, once an appropriate target for surveillance is identified, should the question be asked: “How much surveillance is going to be authorized? Do we collect everything, just because now we actually can?” Under Canadian domestic privacy law, we ask questions around “proportionality” and “potential overreach” — do these legal concepts have any role in the world of CSEC?

As for the requirement that CSEC resources not be directed at Canadians, how exactly, in our current digital world, does CSEC honour that rule? Before 9/11, under the Criminal Code, CSEC was not permitted to intercept any private communication that originated or terminated in Canada. Under the 9/11-related changes to the National Defence Act brought in by the Anti-Terrorism Act, CSEC is able to collect the communications of foreign targets that go into or out of Canada — so long as the interception activity is aimed at foreign entities outside of Canada.

How is this achieved in the real world? The Internet thumbs its nose at geography — so what does CSEC do about that dynamic? These questions certainly could be canvassed without compromising national security. And if we answer them well, our security, and defence generally, will be stronger rather weaker, because we will have a set of procedures firmly grounded in popular support.

A further rationale for active oversight revolves around the question of value for money. We spend $500 million annually on CSEC, and another $500 million for CSIS. Are we getting real value for this sizable expenditure? We should not simply sweep under the national security carpet this area of scrutiny.

What could this active oversight look like? In both the US and the UK, elected federal representatives serve this role. Canada should look carefully at this model. Ultimately, Parliament approves all expenditures of the Canadian federal government. The cost of our spying activities should not sidestep the usual processes. And the rule of law requires nothing less.

Another area of operations that certainly requires oversight is how arrangements like the Five Eyes work in the real world. The Parliamentary committee would need to get comfortable that, through such arrangements, CSEC is not doing indirectly what it cannot do directly.

The question of “who shall govern the governors” has bedeviled democracies for several centuries. It is not a trivial question. It is one, however, that deserves a better answer than we currently give it in the context of CSEC and CSIS.

George Takach is a senior partner at McCarthy Tétrault LLP, the author of Computer Law, and an Adjunct Professor in Computer Law at Osgoode Hall Law School.