Highlights from NSIRA’s 2022 Annual Report

/ Christopher Parsons

The National Security and Intelligence Review Agency (NSIRA) tabled its annual report on October 30, 2023. NSIRA is responsible for conducting national security reviews of Canadian federal agencies, and its annual report summarises activities that have been undertaken in 2022. The report also discusses new policies and capacities concerning its review activities.

In this post, I summarise and discuss many of the central items in the annual report. This includes the Agency’s approach to developing themes and categorising recommendations, aspects of particular the reviews, how NSIRA’s technology directorate is developing, the ways in which NSIRA is maturing how it measures engagements with reviewed agencies and associated confidence ratings, and its international engagements.

Significantly, this annual report includes several explicit calls for legislative review as pertain to complaints investigations. It is, also, possible that the Agency may be building an evidence-based argument for why law reform may be needed to ensure that NSIRA can obtain adequate access to information or materials to conduct reviews of some government agencies.

Themes and Categorisation of Recommendations

NSIRA has been developing and issuing recommendations to government institutions for multiple years. The result is that the Agency can begin to categorise the kinds of recommendations that it is issuing. Categorisation is helpful because it can start to reveal trends within and across reviewed institutions and, then, enable those institutions to better focus their efforts to update organisational practices. Moveover, with this information NSIRA may generally be able to monitor for substantive changes in common problem areas both within and across reviewed agencies.

The following table re-creates the categorisation descriptions in NSIRA’s annual report(see: page 3).

Theme Topics
Governance
  • Policies, procedures, framework and other authorities
  • Internal oversight
  • Risk management, assessment and practices
  • Decision-making and accountability, including ministerial accountability and direction
  • Training, tools and staffing resources
Propriety
  • Reasonableness, necessity, efficacy and proportionality
  • Legal thresholds and advice, compliance and privacy interests
Information management and sharing
  • Collection, documentation, tracking, implementing, reporting, monitoring and safeguarding
  • Information sharing and disclosure
  • Keeping and providing accurate and up-to-date information, timeliness

This tripartite division lets NSIRA categorise all of the different recommendations it has made in its 2020, 2021, and 2022 annual reports, which has the effect of showcasing trends over the years. I have republished NSIRA’s chart denoting these trends, below.

Graph image: Trends in finding and recommendations - Text version follows

Analysis of Themes and Categorisation of Recommendations

I can’t immediately think of items that do not fit in the categories that NSIRA has developed, though it will be interesting to observe over time whether this categorisation will continue to capture all possible types of recommendations. Further, with this categorisation schema now in hand, will this affect the crafting of recommendations so that they clearly ‘fit’ within each of these categories?  Will single recommendations sometimes fit within multiple categories?  Or is it possible that additional categories may be developed based on future recommendations?

I can see the strong utility of this, generally, for organisations — be they government or non-government — to track the kinds of recommendations they are making. It could both assist with internal tracking and governance measures while, also, focusing in on the core classes of issues that are being found within and across organisations that are under review, or otherwise subject to external examinational or critique.

Reviews

The reviews section of NSIRA’s annual report summarises the reviews that the Agency has undertaken over the past year, with those full reports generally available on NSIRA’s website.1

Reviews of CSIS Activities

NSIRA provides a range of different statistics concerning CSIS’ activities, including those concerning:

  • Warrants that are sought
  • Threat Reduction Measures (TRMs)
  • CSIS targets
  • Dataset evaluation and retention
  • Justified commissions of activities that otherwise would involve committing or directing the committing of unlawful acts
  • Compliance incidents

In what follows I identify noteworthy aspects of the statistics and associated narratives provided. First, warrants sought by CSIS may be used “to intercept communications, enter a location, or obtain information, records or documents. Each individual warrant application could include multiple individuals or request the use of multiple intrusive powers.” It is worth highlighting that NSIRA has explicitly stated in footnote 15 that:

A number of warrants issued during this period reflected the development of innovative new authorities and collection techniques, which required close collaboration between collectors, technology operators, policy analysts and legal counsel.2

Warranted authorisations were granted under section 12,3 16,4 and 21 5 of the CSIS Act as well as two authorisations under section 11.13 6. The total number of warrants that have been sought and approved are in line with previous years’ statistics, standing at 28, with 6 being new, 14 being replacements, and 8 being supplemental.

TRMs can be sought and exercised without requiring judicial authorisation, so long as the activity in question does not “limit a right or freedom protected by the Canadian Charter of Rights and Freedoms or would otherwise be contrary to Canadian law”.  Warrants are required when an activity would conflict with Charter rights or Canadian law. The number of authorisation sought (16) was about in the middle of the lower (10) and upper (24) bounds of requested authorisations in previous years, and executed TRMs (12) is similarly in the middle of the lower (8) and upper (19) bounds of past years’ statistics.

CSIS targets have declined over the past 5 years, moving from 430 targets in 2018 to 340 in 2022. However, this number can be misleading on the basis that a target could be for an individual or a group composing many people.

CSIS continues to notify NSIRA about judicial authorisations or ministerial authorisations to collect Canadian or foreign datasets, in excess of what the Service is required to do under the law. Generally, the statistics show that evaluated datasets tend to be retained and neither the Federal Court, Minister, or Intelligence Commissioner have denied CSIS the ability to retain evaluated datasets.

There have been considerable increases in the number of authorizations to CSIS personnel to undertake activities that involve “committing an act or omission themselves (commissions by employees)” or directing “another person to commit an act or omission (directions to commit) as a part of their duties and functions.” Relatedly, there have also been more commissions/directions to commit that have been recorded. Statistics are denoted in the below table, which was produced by NSIRA.

Finally, the compliance information provided by NSIRA shows a growing breakdown of the ways in which CSIS activates can found to be non-compliant with either Canadian law, the Charter, warrant conditions, or CSIS governance practices.

Analysis of CSIS Activities

A few things clearly drew my attention.

  1. It is unclear what the new warranted authorities or collection activities have involved, but the listing of parties involved in developing these suggest that there may be a notable expansion in CSIS capabilities.
  2. It might be helpful in future reports to have a footnote explaining the difference between new, replacement, and supplemental warrants. The last item, in particular, is a term that I’m not familiar with, which suggests that many others reading these reports who are not national security insiders or legal experts may have similar questions.
  3. That no judicially supervised TRMs have been undertaken is notable and suggests that these measures may not yet have risen to concerns raised by some civil society and other actors. In particular, past concerns have focused on how how these techniques could affect residents of Canada and their Charter rights.
  4. We still lack clear an understanding of what, precisely, is being evaluated or retained by CSIS when it collects datasets and subsequently analyses them. This remains a significant blindspot and prevents the public or legislators from clearly understanding what, exactly, CSIS can do (or is doing) with retained datasets.
  5. The justifications framework makes clear that more and more activities are being undertaken which would, otherwise, be unlawful. It is an open question whether these activities may impede the ability of federal law enforcement, or other parties, to use the Criminal Code (or other legislation) to take action against individuals or groups in Canada who have been targeted by CSIS.  Specifically, what (if any) relationship is there between these justified activities undertaken by CSIS and the One Vision 3.0 framework between the RCMP and CSIS?

Communications Security Establishment

NSIRA undertook two reviews of CSE activities, including about Active Cyber Operations (ACO) and Defensive Cyber Operations (DCO), and of an undisclosed foreign intelligence activity.

NSIRA found that “ACOs and DCOs that CSE planned or conducted during the period of review were lawful and noted improvements in GAC’s assessments for foreign policy risk and international law” and as well as that “CSE developed and improved its processes for the planning and conduct of ACOs and DCOs in a way that reflected some of NSIRA’s observations from the governance review.” However, “NSIRA faced significant challenges in accessing CSE information on this review. These access challenges had a negative impact on the review. As a result, NSIRA could not be confident in the completeness of information provided by CSE.7

The CSE collection activity is not described in any detail, though NSIRA “identified several instances where the program’s activities were not adequately captured within CSE’s applications for certain ministerial authorizations.”

NSIRA has had challenges with its reviews of CSE’s operations since the Agency’s establishment. In 2022, this led to NSIRA’s Chair meeting with the Minister of National Defence “to discuss ongoing issues and challenges related to NSIRA reviews of CSE activities.”

The NSIRA annual report includes an extensive set of statistics about the CSE’s activities. To begin, there has been an additional cybersecurity as well as active cyber operations authorisation in 2022 versus 2021, with the effect that there are now:

  • 3 foreign intelligence authorisations
  • 3 cybersecurity — federal and non-federal — authorisations
  • 1 DCO authorisation
  • 3 ACO authorisations

We can expect that at least some of these may be linked to the Canadian government’s (and CSE’s) efforts to help Ukraine in its fight against Russia’s illegal war of aggression. However, the general breadth of Ministerial Authorisations are such that any new ones will cover off large categories of activities which could be undertaken in a variety of situations or locations.

My colleague, Bill Robinson, may be pleased to see that CSE is authorising NSIRA to identify the number of reports CSE is releasing (3,185 in 2022), to the number of agencies/departments (26 in 2022), and the number of clients within departments/agencies (1,761 in 2022). He will likely be less pleased to see (as am I) that CSE refuses to release statistics concerning:

  • The regularity at which information relating to a Canadian or a person in Canada, or “Canadian-collected information” is included in CSE’s end-product reporting
  • The regularity at which Canadian identifying information (CII) is suppressed in CSE foreign intelligence or cyber security reporting
  • The number of DCOs or ACOs which were approved, and carried out, in 2022

The regularity at which CII information was released, however, was provided for Government of Canada requests (657) and Five Eyes requests (62). There was an aggregate decrease from 831 requests in 2021 to 719 requests in 2022, with CSE denying 65 of the 2022 requests and 51 of the requests still being processed.

There were more privacy incidents registered by CSE itself (114 in 2022 versus 96 in 2021) and a reduction in second-party incidents (23 in 2022 versus 33 in 2021). No specific information about the nature of the incidents are provided.

There was a large number of cyber incidents that were opened by the Canadian Centre for Cyber Security. This included 1,070 affecting federal institutions and 1,575 affecting critical infrastructure.

While not as detailed as past work by Canadian reporters, which once identified how many times CSE provided assistance to specific federal partners, NSIRA’s 2022 annual report does continue to disclose how frequently CSE receives requests for assistance. In 2022 it received 62 requests (up from 35 in 2021), with 1 cancelled and 2 denied, resulting in 59 being approved.

Analysis of CSE Activities

There are numerous things that are of note in the section of CSE.

  1. Despite having reviewed ACO and DCO activities, NSIRA was unable to be confident of the information it had been provided when conducting the review. Put differently, we should take the outputs of the review with a grain of salt, and this matters both on a governance level as well as because ACOs and DCOs have the potential to be extremely impactful to individuals’ Charter or human rights.8
  2. Issues between NSIRA and CSE have risen to the level that the Chair of NSIRA and Minister of National Defence are meeting. This is suggestive that issues could not be resolved at the senior staff level despite years of effort to do so. Escalating this to the Minister is about as high-level a complaint or concern that NSIRA can raise within the government hierarchy.
  3. A mainline privacy concern is how frequently CII is being collected and, subsequently, included in reporting. That CSE continues to refuse to provide statistics on how often it is being suppressed impedes the public’s and politicians’ abilities to understand how much ‘incidental’ collection of CII occurs in the course of the CSE’s activities. A similar complaint can be made concerning CSE’s refusal to release statistics about the regularity at which information related to a Canadian or person in Canada, or “Canadian-collected information” is included in end-product reporting. This issue has even greater salience given that Bill C-26, which addresses critical infrastructure and cybersecurity, is currently at Committee. If passed into law, even more CII or information related to Canadian persons could be obtained by CSE.
  4. It is unclear whether critical infrastructure incidents opened with the Cyber Centre included just federally regulated institutions or all critical infrastructure providers (including those under provincial jurisdiction). The effect is to impair an understanding of how much work CSE is undertaking on behalf of provinces (or to support provinces in protecting infrastructure) .
  5. There has been an explosion in how frequently CSE is providing assistance to other federal partners, but it is unclear who specifically is receiving the assistance or to what effect. While the expansion may be linked to the war between Ukraine and Russia, there may be other factors at play which are hidden from the reader due to how NSIRA is permitted to disclose information in its annual report.

Other Departments

NSIRA also conducted reviews of the Department of National Defence and the Canadian Armed Forces (DND/CAF), Canadian Border Services Agency (CBSA), and mandated annual reviews under the Security of Canada Information Disclosure Act (SCIDA) and Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA). Key points include:

  • The DND/CAF review saw NSIRA conclude that DND/CAF’s human source handling actives may be being undertaken in ways that are, in NSIRA’s opinion, potentially unlawful. The Minister disagreed, with NSIRA believing that the Minister’s conclusion was a result of applying an inappropriately narrow interpretation of the facts and the law. Further work will continue on this file.
  • CBSA’s air passenger targeting review found areas needing improvement, including surrounding documentation practices, and demonstrating adequate justification for its selection of indicators as signals for increased risk.
  • GAC was found to need to improve on its disclosure policies under SCIDA, on the basis that GAC “did not meet the two-part threshold requirements of the SCIDA before disclosing the information, which was not compliant with the SCIDA.”
  • The definition of “significant risk” related to avoiding complicity in mistreatment by foreign entities does not exist in legislation, which continues to create challenges. NSIRA is calling for this to be addressed in future legislative reform. Moreover, neither the CBSA or Public Safety Canada have fully implemented a framework under the ACA.
  • NSIRA has moved to begin closing certain ongoing work or not ultimately produce a final report to a Minister. Other work–including a NSIRA review of how the RCMP handles encryption in the interception of privacy communications in national security criminal investigations–has been deconflicted, given the activities of other review and oversight bodies such as the National Security and Intelligence Committee Of Parliamentarians (NSICOP).

Analysis of Other Departments

  1. This is not the first time that the activities undertaken by DND/CAF have been subject to critique, such as NSIRA’s assessment of the Canadian Forces National Counter-Intelligence Unit. NSIRA’s ability to examine some of these activities continues to showcase the importance of having a review agency that can comprehensively undertake review across all national security bodies. Moreover, that it is flagging review areas (e.g., the 2020 annual report noted that additional reviews had been initiated/planned, including on DND/CAF’s HUMINT capabilities) and following through speaks well to NSIRA’s ability to meet its commitments.
  2. There are real risks to individuals when agencies inadequately comply with the ACA. As I have written previously, without adequate frameworks there is a concern that “some agencies will continue to obtain information from, or disclose it to, foreign states which are known to either use information to facilitate abuses, or that use torture or other mistreatment to obtain the information that is sent to Canadian agencies. Which agencies continue to support information sharing with these kinds or states, and their rationales for doing so, should be on the record so that they and the government more broadly can be held accountable for such decision making.”
  3. It’s worth highlighting that NSIRA is calling for legislative reform to create the definition of “significant risk” concerning the ACA.
  4. Decisions to close certain reviews–or at least not issue a report to a relevant Minister–reveals a growing maturity within NSIRA as it develops policies and procedures on how to advance its work. I am curious as to whether a decision to not issue a report to a Minister may, still, result in functional improvements in how government agencies undertake select national security activities. Further, the NSICOP report on the RCMP’s handling of encryption will be important to read once it is published given the longstanding debate in Canada over encryption and encryption policies.

Technology Directorate

NSIRA continues to build up its internal technical capabilites, with its team now including engineers, computer scientists, technologists and technology review professionals. The mandate of the Directorate is expansive, and includes:

  • Lead the review of Information Technology (IT) systems and capabilities
  • Assess a reviewed entity’s IT compliance with applicable laws, ministerial direction and policy
  • Conduct independent technical investigations
  • Recommend IT system and data safeguards to minimize the risk of legal non-compliance
  • Produce reports explaining and interpreting technical subjects
  • Lead the integration of technology themes into yearly NSIRA review plans
  • Leverage external expertise in the understanding and assessment of IT risks
  • Support assigned NSIRA members in the investigation of complaints against CSIS, CSE or the RCMP when technical expertise is required to assess the evidence

The Directorate has 3 employees, as well as a cooperative education student and 2 external researchers. It has also built out links with academic researchers. In the coming year, it will continue to grow the number of employees, support ongoing education, and engage external researchers to build capacity. Curiously, the Directorate also intends to “prioritize unclassified research on a number of topics, including open-source intelligence, advertising technologies and metadata (content versus non-content data).”

Analysis of Technology Directorate

Generally, I am interested in how this Directorate is being developed and the processes that are being established for it to succeed. Specifically, how are external researchers are identified and leveraged? How has the external academic network been (or is being) developed? Answers to these questions could provide lessons for other regulators with different areas of responsibility but which possess (or are building) comparable technology teams.

The specifically stated areas of non-classified research is worth paying attention to. OSINT is a growing focus for national security and has been an area of invite-only meetings amongst Canadian national security practitioners over the past years. The topic area is, also, complicated by some guidance from the Privacy Commissioner of Canada, Treasury Board’s Privacy Implementation Notice 2023-03, and more generally by the United States’ Office of the Director of National Intelligence’s report on Commercially Available Information. This same report may, also, have overlaps with why NSIRA is interested in unclassified work concerning advertising technologies.9

Engagements with Reviewees and Confidence Statements

NSIRA tracks a number of variables that are used to understand the nature of its relationships with reviewed agencies and, also, due to some challenges with particular reviewed agencies has had to develop confidence ratings. These ratings are used to assess how confident NSIRA is in the comprehensiveness and accuracy of the materials it receives from reviewed bodies. The annual report serves to summarise the state of things during 2022.

When discussing engagements with reviewees, NSIRA has adopted a common text-template while, also, adding narrative text that contextualises whether the Agency is experiencing challenges with reviewed bodies. The variables that NSIRA reports on include:

  • Access to on-site office space
  • Whether lack of on-site access is an issue
  • Direct access to network resources or files of reviewed bodies
  • Whether there is an issue associated with how access to network resources or files is performed by a reviewed body
  • Whether information is produced to NSIRA in a timely manner
  • Overall whether the engagements are good, improving, or bad.10

I try to summarise the state of engagements with reviewed bodies in the below table.

Agency Office Space Space Issue? Network Access Access Issue? Timeliness Good / Improving / Bad
CSIS Y N Y N Y Good
CSE Y ? Partial Y/? Partial Improving from bad
DND/CAF Y N Y N Partial Good and improving
RCMP Y N N N Partial Improving
GAC N N N N Y Good
CBSA N N(?) N N Partial Good

NSIRA is now tracking delays when it requests information from reviewed bodies and has a three-part process of sending advisory letters to senior bureaucrats and, ultimately, Ministers when delays persist. Advisory letters were used 5 times in 2022, with 3 having been sent to CSE and 2 to RCMP. There is no explicit indication as to whether these letters were to senior bureaucrats or to the Minister.11

Moreover, NSIRA has expanded the criteria to assess the responsiveness and ability to verify information. These include the following criteria:

  • Timeliness of responses to requests for information
  • Quality of responses to requests for information
  • Access to systems
  • Access to people
  • Access to facilities
  • Professionalism
  • Proactiveness

Analysis of Engagements with Reviewees and Confidence Statements

While I appreciate that there may be sensitivities in presenting a table that summarises the nature of NSIRA’s engagements with reviewed agencies, it might be helpful to consider including in the future as more data is accumulated so that NSIRA can provide year-over-year comparisons. Information in this format may be particularly useful to identify areas of improvement for Ministers or their deputies.

NSIRA is, also, clearly trying to mature its confidence statement process. We have moved from what was a ‘tripwire system’ in the 2020 report to a much more robust way to collect, and present, information about the behaviour of reviewed bodies. How this affects confidence statements may be the next step in this maturity process.

Other Items

Complaints Investigations

NSIRA discusses that it is developing processes to more quickly address complaints that it receives. There are two particular calls for law reform around investigations.

  1. [A]n allowance for NSIRA members to have jurisdiction to complete any complaint investigation files they have begun, even if their appointment term expires.
  2. Broadened rights of access to individuals and premises of reviewed organizations to enhance verification activities.

Notably, NSIRA is calling for enhanced education–not new powers–with regards to increasing awareness of its mandate around complaints. The Agency writes that,

… members do not have the ability to make remedial orders, such as compensation, or to order a government department to pay damages to complainants. NSIRA continues to make improvements to its public website to raise this awareness and better inform the public and complainants on the investigations mandate and investigative procedures it follows.

Analysis of Complaints Investigations

First, the calls for legislative reform suggest that there has been an issue with a retiring member not being able to complete a file, which added to the transaction costs of handling an investigation, as well as challenges in being able to verify information or activities.

Second, that education and awareness is being called for with regards to members’ abilities and powers, as opposed to calling for new powers, may be indicative of where NSIRA is prioritising its present legislative law reforms. It may, also, speak to NSIRA not wanting to expand its mandate with regards to complaint processes at the present moment in time.

NSIRA Partnerships

NSIRA continues to develop international partnerships and meet with other review bodies, including: the Five Eyes Intelligence Oversight and Review Council, the UK’s Investigatory Powers Commissioner’s Office, Australia’s Inspector-General of Intelligence and Security, the International Intelligence Oversight forum, as well as visiting with the Norwegian Parliamentary Oversight Committee on Intelligence and Security Services, Danish Intelligence Oversight Board, the Netherlands’ Review Committee on the Intelligence and Security Services, and the Swiss Independent Oversight Authority for Intelligence Activities.

NSIRA is also engaging with NSICOP, the Civilian Review and Complaints Commissioner for the RCMP, and the Office of the Intelligence Commissioner, along with legal professionals who are members of other agents of Parliament.

On a technology front, NSIRA has engaged the Privacy Commissioner’s Technology Analysis Directorate, AI technology team at the Treasury Board’s Office of the Chief Information Officer, and the Canadian Digital Service. Finally, the Technology Directorate is specifically identified as responsible for continuing to develop “domestic and international partnerships, including expanding its network with academics, civil society and commercial leaders to ensure key technological issues factor into its approaches.”

Analysis of NSIRA Partnerships

NSIRA is clearly engaging internationally and domestically to learn about, and potentially share, best practices and techniques for engaging with regulated entities. That NSIRA began to host international meetings in the fall of 2023 speaks well to its growing capacity and involvement amongst its peers.

Conclusion

NSIRA has produced another helpful annual report that explains a great deal to the public, and especially to those who have read and assessed many of the annual reports over the years. In particular, the continuing focus on process–how much access NSIRA has to reviewed agencies’ materials, the timeliness of that access, and quality of the engagements–is important should the Government of Canada move forward to consider law reform.

Law reform should, generally, be seen as a last-step measure when it comes to addressing issues between different government agencies. However, should NSIRA continue to suffer challenges in fulfilling its mandate due to lack of access to relevant review materials then changes should likely be considered when the government moves to introduce national security-related law reform.

Footnotes:

  1. Reviews which have not completed a declassification process, or for which there are no plans to declassify, are not available on NSIRA’s webpage. ↩︎
  2. Boldface not in original. ↩︎
  3. Per Public Safety Canada, “Section 12 of the CSIS Act mandates CSIS to collect and analyse intelligence on threats to the security of Canada, and, in relation to those threats, report to, and advise the Government of Canada. These threats are defined in the CSIS Act as espionage or sabotage; foreign influenced activities that are detrimental to the interests of Canada; activities directed toward the threat or use of acts of serious violence; and, activities directed toward undermining the system of government in Canada.” ↩︎
  4. Per Public Safety Canada, “Section 16 of the CSIS Act authorizes CSIS to collect, within Canada, foreign intelligence relating to the capabilities, intentions or activities of any foreign state or group of foreign states, subject to the restriction that its activities cannot be directed at Canadian citizens, permanent residents, or corporations.” ↩︎
  5. (Per Public Safety Canada, “Section 21 of the CSIS Act authorizes CSIS to apply for a warrant to conduct activities where there are reasonable grounds to believe that a warrant is required to enable CSIS to investigate a threat to the security of Canada or perform its duties and functions pursuant to Section 16 of the CSIS Act. The CSIS Act requires that the Minister of Public Safety approve warrant applications before they are submitted to the Federal Court.” ↩︎
  6. Judicial authorisation to retain a Canadian dataset ↩︎
  7. Emphasis not in original. ↩︎
  8. For more, see: “Analysis of the Communications Security Establishment Act and Related Provisions in Bill C-59 (An Act respecting national security matters), First Reading (December 18, 2017)“, pages 27-31 ↩︎
  9. In the United States, Senator Ron Wyden has continued to raise the alarm that commercial advertising and surveillance networks could endanger American national security. I fully expect the same threat to exist to Canadians as well. ↩︎
  10. Note: on this last item, I am taking liberties in reading between the lines to some extent in how I am categorising the nature of the engagements. NSIRA does not make such a blunt assessment of the status of their engagements. ↩︎
  11. Given that a meeting did take place between the Minister of National Defence and the Chair of NSIRA, this suggest at least one of the letters to CSE may have been to the Minister. ↩︎

Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure

/ Christopher Parsons

Last week, I published a report with Gary Miller and the Citizen Lab entitled, “Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure.” I undertook this research while still employed by the Citizen Lab and was delighted to see it available to the public. In it, we discuss how the configuration and vulnerabilities of contemporary telecommunications networks enables surveillance actors to surreptitiously monitor the location of mobile phone users.

The report provides a high-level overview of the geolocation-related threats associated with contemporary networks that depend on the protocols used by 3G, 4G, and 5G network operators, followed by evidence of the proliferation of these threats. Part 1 provides the historical context of unauthorized location disclosures in mobile networks and the importance of the target identifiers used by surveillance actors. Part 2 explains how mobile networks are made vulnerable by signaling protocols used for international roaming, and how networks are made available to surveillance actors to carry out attacks. An overview of the mobile ecosystem lays the foundation for the technical details of domestic versus international network surveillance, while the vectors of active versus passive surveillance techniques with evidence of attacks shows how location information is presented to the actor. Part 3 provides details of a case study from a media report that shows evidence of widespread state-sponsored surveillance, followed by threat intelligence data revealing network sources attributed to attacks detected in 2023. These case studies underscore the significance and relevance of undertaking these kinds of surveillance operations.

Deficiencies in oversight and accountability of network security are discussed in Part 4. This includes outlining the incentives and enablers that are provided to surveillance actors from industry organizations and government regulatory agencies. Part 5 makes clear that the adoption of 5G technologies will not mitigate future surveillance risks unless policymakers quickly move to compel telecommunications providers to adopt the security features that are available in 5G standards and equipment. If policymakers do not move swiftly then surveillance actors may continue to prey upon mobile phone users by tracking their physical location. Such a future paints a bleak picture of user privacy and must be avoided.

Download a ,pdf version of “Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure

NSICOP’s 2022 Annual Report

/ Christopher Parsons
Photo by Pixabay on Pexels.com

On July 19, 2023 the National Security and Intelligence Committee of Parliamentarians (NSICOP) released its annual report. The report continues the committee’s work of providing transparency around a number of the national security activities which are undertaken by the Government of Canada. This report assumes heightened importance because NSICOP’s authorizing legislation is now expected to undergo a 5-year review; this report is helpful in understanding what kinds of legislative reforms the Committee, itself, believes are important so as to maintain or enhance Canadian residents’ trust in the country’s national security agencies.

In this post I summarize the challenges that NSICOP believes face it, its proposed legislative reforms, and then briefly itemize notable aspects of reviews that are either underway or which have been concluded. Ultimately I believe that we can firmly state that NSICOP’s work has revealed important aspects of the Canadian national security community’s operations that were hitherto secret and, as such, the Committee’s members and staff are to be congratulated on their efforts over the past five years.

Challenges Facing NSICOP

NSICOP is reporting two key challenges.

First the government is not legislatively required to reply to the recommendations that are included in NSICOP’s reports. These recommendations are issued with the intent of “strengthening the policies, operations and accountability of the security and intelligence community.” While they may sometimes require the federal government to undertake additional activities NSICOP is hardly a ‘gotcha’ review body.

To its credit the government has begun to respond to some recommendations but the majority of those made by NSICOP have yet to be publicly taken up. Beyond indicating the effectiveness of NSICOP’s work—and thus ensuring that the public knows that NSICOP isn’t a paper tiger—responses from the government are important for unmasking some of the secrecy surrounding national security activities. Residents of Canada largely lack insight into the government’s national security policies. NSICOP’s recommendations, and how the government responds to them, provide some degree of light into an otherwise very dark and shadowy world.

Second the Committee is warning (again) that there is a serious issue around obtaining information to which the Committee is lawfully entitled. There are three stated situations where information is not being disclosed to NSICOP:

  1. Some departments have cited reasons outside the statutory exceptions found in the National Security and Intelligence Committee of Parliamentarians Act for not providing information that the Committee requested in past reviews
  2. Some departments selectively refused to provide relevant information, such as a departmental study, despite the Committee’s right of access under its enabling legislation
  3. The Committee is concerned that an overbroad legal definition of what constitutes a Cabinet confidence has had an impact on the Committee’s reviews

For any review agency to function it requires access to information that it is lawfully entitled to obtain, so as to assess agencies’ activities and provide meaningful recommendations or take other actions under its mandate. It is concerning that, in at least some cases, NSICOP reports that information it sought directly from organizations was only discovered through different sources, be they indirectly from third-party organizations or even from records released publicly under the federal Access to Information and Privacy regime.

Readers would be advised to consider the implications of the challenges facing NSICOP, and then place them alongside recent efforts by the National Security Intelligence Review Agency (NSIRA) to include a confidence statement with its recent reports due to NSIRA’s own challenges in sometimes obtaining the information it required to undertake its legislatively-mandated review functions. That both agencies have reported challenges in accessing documents raises questions about the review maturity of organizations which are now subject to national security review.

Proposed Legislative Reform

From a legislative reform standpoint, NSICOP is indicating that it will make two central submissions when called to discuss reforms to the NSICOP Act.

First, it will ask that the NSICOP Act be reformed to confirm that the Committee and its members can get improved access to information and, also, be able to better exchange information with other review bodies. This latter call—improved exchange of information—is notable and worth considering: where regulated agencies can coordinate amongst themselves it is imperative that their review agencies can, similarly, coordinate and exchange information. Such exchanges between review agencies serve multiple purposes, including:

  • sharing information relevant to a review
  • enabling better deconfliction processes
  • letting review agencies better coordinate when they are simultaneously examining the same subject from the slightly different perspectives associated with their respective mandates.

Second, NSICOP is stating that it will request legislative changes to better align its composition with the United Kingdom’s Intelligence and Security Committee (ISC). Specifically, NSICOP believes that becoming a body of Parliament (and not of the executive branch) would “enhance the independence and efficiency of the Committee.”

For clarity, the UK’s ISC is a committee of Parliament with a statutory responsibility for the oversight of the UK intelligence community. In shifting to this model NSICOP would no longer operate within the executive branch—and, thus, perceived as being subject to executive capture—and enable members of the public as well as parliamentarians to recognize that the Committee’s members were not being gagged or otherwise manipulated by merit of NSICOP being housed within the executive branch.

The decision to create NSICOP as an executive branch body was seen at the time as a way to slowly develop trust and capacity between parliamentarians and reviewed intelligence agencies, as well as guaranteeing that parliamentarians did not inappropriately handle information. Some who once called for NSICOP to be within the executive have, since, shifted perspectives and believe it should be turned into a parliamentary body. It remains unclear, however, whether the federal government similarly believes this would be an appropriate modification to NSICOP.

Both of these reforms would constitute significant shifts in the ability of the Committee to undertake its activities and will deserve careful and close thought, and assessments of the extents to which these reforms would genuinely enhance NSICOP’s capacity to fulfill its mandate.

Recent and Underway Reviews

2022 saw NSICOP complete or initiate a number of notable reviews. These include:

  • A Special Report on the Government of Canada’s Framework to and Activities to Defend its Systems and Networks from Cyber Attack (Completed)1
  • A Special Report on the National Security and Intelligence Activities of Global Affairs Canada (Completed)
  • A review of the lawful interception of communications of security and intelligence organizations and the “going dark” challenge (Ongoing)
  • A review of the RCMP’s Federal Policing mandate (Ongoing)

None of NSICOP’s proposed reviews in 2022 were deemed injurious to national security, nor was information denied to the Committee based on these grounds. Twelve agencies were required to provide a copy of their annual reports as required under the Avoiding Complicity in Mistreatment by Foreign Entities Act. Twelve provided them to NSICOP, though they are not reviewed or assessed in the annual report.

NSICOP did not receive any referrals by minister of the Crown to undertake a review of a national security or intelligence matter.

A Special Report on the National Security and Intelligence Activities of Global Affairs Canada

This special report was tabled in November 2022. The annual report notes that “significant weaknesses” were found around Global Affairs Canada’s (GAC) internal governance of its foreign policy coherence role. Namely, this included a lack of “policies and few oversight committees” which NSICOP worried “may introduce weaknesses into the government’s assessment of foreign policy risk.” There were, also, concerns around the lack of Ministerial direction about how GAC collected intelligence around the world. There was also no formal process by which GAC informed its Minister of how it plays a role in relation to CSIS’ collection of intelligence. Relatedly, NSICOP was concerned by “the near total absence of governance and formalized reporting to the minister regarding GAC’s facilitator role.”

One of GAC’s key roles is to coordinate the government’s response to terrorist hostage taking. However, NSICOP found that:

GAC has a three-person team that supports an interdepartmental task force, but in twenty years the Department has done little to prepare for these incidents: there is no policy framework, no training, and no routine tabletop simulation exercises for the task force.

At best, GAC convenes implicated departments with much greater operational roles and specific accountabilities, and works to build a coherent approach without authority to direct a whole-of-government response. Part of the challenge is one of the Department’s own making: over the past 10 years, it has not developed the necessary policy, operational and training mechanisms for implicated government organizations to respond to such events coherently. Notwithstanding these gaps, the most significant problem is political: successive governments have failed to provide direction for a framework to address such critical incidents or provide specific direction on individual cases. Together, these challenges undermine the ability of the Department and its security and intelligence partners to respond effectively to hostage-takings.

Upon receiving the review GAC committed to reforms to respond to the issues identified by NSICOP.

Summaries and Recommendations of Prior Reviews

NSICOP’s annual report helpfully provides a listing of past reports that it has undertaken and allocates a page to each review. These summarize the issues taken up in a given report, identify the associated recommendations, and clarify the extent to which the government has (or has not) responded to each of them. The summaries, also, go so far as to indicate when legislation overtook particular recommendations, such as NSICOP’s proposal that the National Security and Intelligence Review Agency (NSIRA) be mandated to issue an annual report pertaining to the Department of National Defence/Canadian Armed Forces activities related to national security or intelligence.

Many of these reviews have drawn significant attention since they were released, such as NSICOP’s report on foreign interference (and which included the recommendation that combatting foreign interference include establishing “regular mechanisms to work with sub-national levels of government and law enforcement organizations, including to provide necessary security clearances”), but the summarization of these reviews is helpful for simply remembering all of the work that the Committee and its members have undertaken since its inception. It would be helpful for all review agencies to develop public timelines to include in their annual reports and on their websites; such timelines could just denote and link to all of the reports the review agency has completed (or begun) so that readers could better appreciate (and remember) their past and ongoing work.

I think that it’s important to highlight that, just one decade ago, these summaries alone would have been considered an amazing amount of detail that pulled the veil back on Canada’s national security activities. That we can read the summaries, as well as the redacted reports that are posted on the Committee’s website, is astounding when considering where Canada was in terms of national security transparency and accountability ten years ago. When combined with other reporting from NSIRA and the Intelligence Commissioner it is apparent that the public and parliamentarians alike are in a remarkably better situation to understand, assess, interrogate, and approve of (or call for the cessation of) the actions carried out by Canada’s national security agencies.

Conclusion

NSICOP has sometimes been on the receiving end of critiques or complaints, some of which have arguably been deserved and others less so. It is a body that has been severely tested by some public and political pressures. And it has been challenged in fulfilling elements of its mandate for reasons described in its 2022 annual report.

Nevertheless, the Committee and its members are to be congratulated for their efforts. They have worked to release information that hitherto has been kept secret from the public and parliamentarians. There remain challenges to overcome and more must be done to further enhance the public’s and parliamentarians’ understanding of national security agencies, challenges and threats facing Canadians institutions and organizations, and responses that the government has undertaken in response. Still, NSICOP has done much to educate the public since its inception and, if its legislation is reformed per its requests, I suspect the Committee could be even better situated to undertaking reviews while further raising the levels of awareness of national security issues.

  1. For my previous analysis of this report, see: “Unpacking NSICOP’s Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack↩︎

The Utility of Secret Intelligence in Secret-Intelligence Resistant Political and Bureaucratic Cultures

/ Christopher Parsons

Dan Lomas’ recent RUSI essay, “The Death of Secret Intelligence? Think Again,” is a good and fair assessment of the value of secret intelligence and open source intelligence. Lomas clearly and forcefully explains the real benefits of secret intelligence for a subset of policymakers and decision makers. You should read it.

To truly take advantage of secret intelligence, however, policymakers and decision makers must want to read and use it. Secret intelligence-resistant (SI-resistant) bureaucratic or political cultures that have seemingly managed—and still do—without substantive amounts of secret intelligence to guide policy analysis or decision making may be dubious of the value of secret intelligence. Members of these cultures may see open source intelligence as either sufficient or ‘good enough’ for their purposes.1

Those who attempt to reform SI-resistant cultures must grapple with what may be conflicting long-term perceptions of the value (or lack thereof) of this intelligence. Members of this resistant culture can sometimes become even more avoidant of state secrets by merit of fearing the consequences of knowing or having access to them: when knowing secret intelligence is perceived as being linked to an inability to do much with it, for fear of burning sources and methods and then suffering untold professional or political harms, there are good political and bureaucratic reasons to do without the secret stuff. In these kinds of cultures, there is a risk (real or imagined) that secret intelligence can be toxic to one’s career or future ambitions.

It is in this kind of toxic environment that knowing state secrets may be seen as a problem calling for solutions. Decision makers might have to undertake parallel construction to develop secret intelligence-adjacent fact patterns to justify the conclusions at which they arrived, when those conclusions were in fact guided by secret intelligence. And integrating useful state secrets into policy advice could prevent the circulation of that advice within the government, with the effect of barring uncleared colleagues and managers from the secret intelligence-enhanced (and potentially career enhancing) insights. Not circulating one’s work could mean that a highly capable policy analyst cannot catch the attention of their uncleared managers or directors who may be helpful for lifting the analyst and their career to the next bureaucratic height. Members of the SI-resistant class might wonder whether secrets are really all that they’re cracked up to be.2

This gulf of doubt, the questions of utility, and the practical ‘do we really need to change questions’ are challenging issues to overcome in SI-resistant cultures. Perhaps one way forward, though one which somewhat comically requires overcoming certain preferences for government secrecy around access to documents, is to open the vaults (or Archives) of historical secret information.

In cultures which value secret information we can read and watch insider and expert (and…not so expert) explanations, movies, and valourizations of the merit of secret intelligence in transforming a country’s position in the world. This kind of storytelling may be a key ingredient in developing a political and bureaucratic culture that recognizes the value of incorporating secret intelligence more regularly into routine government affairs. Just pointing at bureaucratic and political cultures that are more open to using secret intelligence, however, and saying ‘mimic them!’ is unlikely to drive much change in a culture that has long been secret intelligence-resistant.

Thus, while the RUSI article does an excellent job trumpeting the value of secret and open source intelligence, the advice and findings really may principally apply to countries with high numbers of security cleared decision makers and where the public—and thus elected politicians—acknowledge the value of secret intelligence amongst the oceans of open source materials that exists around them. And even when there is an appetite for secret intelligence it must be practical to access it.

In some secret intelligence-resistant cultures, there have long been processes where secret intelligence-laden analyst reports have been deposited on non-experts’ desks. Those same non-expects know that if they read the materials they may face possible jeopardy. On the one hand, they largely cannot disclose what they learn but, on the other, if they do not read the materials and that becomes public knowledge then they may be seen as poor stewards of the realm. The responsible ones will dutifully read their briefing books and ensure they never accidentally reveal their secret knowledge to anyone who isn’t in the secret intelligence tribe. Those less responsible might, instead, expect that they wouldn’t be able to use the secret intelligence anyways and ultimately have more hours in their weeks to guide the realm and her interests when they exclusively rely on non-classified information.

As should be obvious, the aforementioned method of circulating secret intelligence does not present a particularly efficacious way of incorporating secret intelligence into government activities. Another way must be found that ideally is developed in at least marginally public settings and in tandem with genuine efforts to open up historical secret archives to historians, academics, and public policy makers to come to their own conclusions about what the value of secret intelligence has actually been. Only once, and if, the SI-resistant culture comes to realize it truly has been missing something are broader cultural changes likely to ensue where that culture’s secret-intelligence resistance at least shifts to secret intelligence-ambivalence. Such would be a small step along a long road towards truly accepting and regularly integrating secret intelligence into the realm’s public affairs.

  1. They may even, largely, be correct. ↩︎
  2. Of course, holding a contrary view are members of invite-only events where a great gnashing of teeth can arise over the ‘secrecy and OSINT problem.’ In these, at least some of the secrecy-indoctrinated participants may even discuss the very question of whether OSINT is truly useful while, ultimately, the room broadly reaches a muttering agreement that the secret intelligence many have spent their careers collecting and enriching really adds a lot of value for decision makers. Even if the same decision makers rarely make use of the information due to their secret intelligence-resistant cultures. Indeed, the gnashing can be enough that a concerned participant might worry that dentists should be on hand to issue mouthguards to some attending participants. ↩︎

Statement About the Attack in the University of Waterloo’s Gender Issues Philosophy Course

/ Christopher Parsons

My personal career is significantly defined by the feminist philosophy classes that I took as an undergraduate and graduate student. That education taught me essential critiques about scientific objectivity and the standpoints of knowledge creators, offered broader critical thinking skills, and revealed how power structures have historically been architected to silence or appropriate women’s contributions to Western scientific and political development. To this day those classes inform all of the personal and professional activities in which I am involved.

It is with this explicitly in mind that I am horrified by the hateful attack that recently took place at the University of Waterloo, where junior faculty and students alike were violently assaulted because they cared about learning about gender and philosophy. This could have been myself or many of my friends or supervising faculty in years past.

CSIS has identified non-religious extremism as one of the most significant threats to Canada’s national security. And faculty and students at the University of Waterloo have experienced this first-hand after being attacked and made to experience fear for simply wanting to learn about the relationship between gender and the formation of power, knowledge, or socially constructed reality.

Misogyny, oppression, and racism are realities in Canada, and Canadians need to talk more openly and frequently about it. These cannot be fixed overnight but, instead, are challenges that require sustained and often inglorious work to correct. At its core, this work demands critically assessing institutions’ and organizations’ pasts, recognizing and righting historical wrongs, and adjusting power and social structures to reflect a more just and fair present and future.

I would encourage our leaders to take these threats and issues seriously, and to continue to meaningfully work to combat the hateful underlying ideology that lies behind these violent and malevolent actions. Some leaders in politics, workplaces, and social groups are clearly acting to address these issues, but they must be joined by all leaders at every level of society. Doing anything else betrays all who live in Canada while exhibiting a failure of leadership, and ceding the moral gravitas that is required to lead our businesses, institutions, agencies, and communities.

The G7 Communique and Artificial Intelligence

/ Christopher Parsons

The G7 Communique which was issued on May 20 included discussions of AI technology and governance. While comments are high-level they are worth paying attention to since they may indicate where ongoing strategic pressure will be placed when developing AI policies.

The G7’s end goals around AI are to ensure that trustworthy AI is developed that is aligned with democratic values. The specific values called out include:

  • fairness;
  • accountability;
  • transparency;
  • safety;
  • protection from online harassment, hate, and abuse; and
  • respect for privacy and human rights, fundamental freedoms, and the protection of personal data.

While not surprising, the core values stated do underscore the role for privacy regulators and advocates in the development of AI governance policies and practices.

Three other highlights include:

  1. The need to work with private parties to promote responsible AI, with the caveat that platforms are singled out for the needing to address child sexual exploitation and abuse while upholding the children’s rights to safety and privacy online.
  2. A strong emphasis on developing interoperable international governance and technical standards to promote responsible AI governance and technologies.
  3. A commitment by the G7, in collaboration with the OECD and GPAI, to launch discussions on generative AI technologies by end of the year.

The first point, concerning child sexual exploitation, either suggests a new front on the discussions of technology policy and online child abuse images or is just another reference to ongoing pressure on large internet platforms. Only time will tell us how to interpret this aspect of the G7’s messaging. Monitoring other Five Eyes meetings and G7 outputs maybe help with this interpretation.

The second point, on international governance, raises the question of whether federal governments will link national regulations to international standards. Should that occur then it will be interesting to see the extent to which regulations in Canada’s Artificial Intelligence and Data Act ultimately refer to, or integrate, such standards. Assuming, of course, that that the Act is passed into law in its present format.

The third point underscores how generative AI technologies are attracting attention on prominent and important national and international agendas. It remains to be seen, however, whether such attention persists and, also, whether we see ongoing and significant concerns continue to percolate as the public and politicians become used to the technology and it’s increasing integration with failing computing functions. For my money I don’t see emerging uses of AI systems to fall off the agenda anytime in the near future.

If you’re curious in assessing the AI-related aspects of the Communique yourself, you can find them in the Preamble at 1, as well as in Digital at 38