In this 🧵 I highlight some interesting and some alarming things. (Warning: I will likely make typos. They will bother me more than you. I am sorry in advance.)
🚨 1) NSIRA is pushing CSIS to disclose when “a novel authority, technique or technology is used”. 🚨
This is what you want a review agency to be alerted to! It’d help keep NSIRA ahead of the next ODAC, for example.
2) The federal court, not just the Minister, should get full and unredacted copies of technical reports. Also, the sorta thing you’d want judges overseeing warrants to have when assessing what they’re authorizing.
🚨 3) CSIS sometimes lacks documentation on Threat Reduction Measures (TRMs), with the result being that neither CSIS nor anyone else can assess their efficacy or outcomes when actions are performed by CSIS or external partners 🚨
🚨 4) CSIS isn’t seeking judicial authorization when it provides information to external parties, which then undertake TRMs that could detrimentally affect an individual’s Charter rights. NSIRA recommends warrants be adopted. 🚨
5) There are a lot more warrant applications this year (31 for 2021 vs 15 for 2020) that I expect reflects more mobility in Canada, and so CSIS is back to work as normal(ish). This is, also, more warrants sought than in 2019 (23) or 2018 (24).
None of these warrants are for threat reduction measures.
This said, there were 23 approved TRMs, and 17 were executed.
CSIS targets are still below the norm, with 352 targets in 2021. That compares to 360 in 2020, 467 in 2019, and 430 in 2018.
6) Lest you think everything is concerning, it’s not (really). In addition to CSIS generally being pretty good at making information available to NSIRA, they also are proactively advising NSIRA of judicial/ministerial authorisations to collect Cnd + foreign datasets. Win!
On the dataset front, well, see NSIRA’s own table for full details.
7) I…don’t quite know what NSIRA is communicating about CSIS reporting Charter violations as ‘operational non-compliance’ in annual reports to the Minister of Public Safety. I’m not anything like a CSIS expert so, maybe an alarm? Maybe not?
So….over to CSE where there are a lot more flashing lights but also some good stuff.
1) The policy review of active and defensive cyber operations found gaps that need addressing.
🚨In particular, the broad and generalised classes of activities, techniques, and targets could capture “unintended higher-risk activities and targets.”🚨
(These kinds of concerns—that CSE powers could have unintended consequences—were issues that @citizenlab and @cippic raised in their report analysing C-59 oh so many years ago. See: citizenlab.ca/wp-content/upl…. No legislation was harmed/amended as a result of those warnings.)
🚨 2) There’s also a risk that pre-emptive DCOs are, functionally, just ACOs by another name. This could lead to “insufficient engagement of GAC.” 🚨
The next review stage will be to go beyond policy and NSIRA has a review on deck of how operations are actually conducted.
3) One of the major reveals from the Snowden documents was how CSE’s mandate can sometimes fit together. This was, also, of concern in the report @citizenlab and @cippic released.
NSIRA looked into this and found that, save for one case, the Chief appropriately informed the Minister about how retained Canadian person data was used to support a different aspect of the mandate than the one it was collected under.
4) So, about mandates. And authorisations. How can we actually add them up? I guess the word to use is ‘awkwardly’ based on the note NSIRA attaches to the relevant table.
5) And, lest you think that the Minister is checking in on all the things CSE is doing by doing oversight-by-Ministerial Order….you’d (still) be very wrong. These authorise classes of actions as denoted in the associated table.
We now move to some somewhat 🌶️ material.
🚨 6) CSE was asked to report on the regularity with which ‘in relation to Canadians’ or “Canadian-collected information” appeared in the 3,050 foreign intelligence reports it issued to clients.
CSE made the decision that this is gonna take time. Result? There’s just no information that CSE has collected about their actions, or that they deign to let NSIRA report on.🚨
🚨 7) When it comes to how often Canadian identifying information is suppressed in foreign intelligence/cybersecurity reporting, CSE took the same approach. Because they haven’t done it before they need to assess impact and can’t resolve this in time for NSIRA’s annual report. 🚨
CSE tracks (and lets NSIRA report) how often domestic, FVEY, and non-FVEY parties made requests for Canadian identifying information. This happens when a report is received with suppressed information, and the requesting party has legal authority to request its revelation.
8) CSE’s business is, well, collecting and analysing a lot on the ‘global information infrastructure’ and sometimes there are privacy incidents (that’s normal for all FVEY SIGINT agencies). NSIRA does report on this. I’d like to see year-over-year comparisons in future reports.
9) CSE—and, really, CCCS—is leading a lot of Canada’s cybersecurity efforts. When it came to getting statistics characterizing these activities CSE used a lot of words to say “no comment.”
🚨 10) When it comes to active/defensive cyber operations...CSE also said it wasn't "in a position to provide this information for publication by NSIRA, as doing so would be injurious" to 🇨🇦's international relations, national defense, or national security.
Now...this despite Canada having laid out how cyber applies to international law (see: international.gc.ca/world-monde/is…) and thus opening up a lotta room for CSE to operate. With great power, and legal/legislative authority that could be used problematically, comes even greater secrecy 🤷♂️
11) We do see, again, how many times CSE has provided assistance under its mandate. We do NOT know which agencies it's assisting however. That information was once released under ATIP to @Colinfreeze but never again has it been disclosed AFAIK.
Five reviews underway include: CSE's internal security program, cybersecurity network-based solutions, ACO/DCO operations, some program conducted under the FORINT mandate, and CSE-CSIS collaboration.
Future reviews? 1) annual compliance of CSE; 2) SIGINT retention practices; 3) A collection program conducted under a ministerial authorization (why this one in particular, I wonder 🧐); 4) CSE's equities management framework (i.e., the Canadian VEP)
(More to follow, later!)
So, what are the very real, very significant 🚨🚨🚨 as it pertains to CSE review?
Last year, NSIRA warned they were having challenges in accessing + independently verifying CSE information. Check out the 'CSE reviews' section of this blog for background christopher-parsons.com/2021/12/21/unp…
🚨12a) Can NSIRA better access CSE information? In short, it looks like the answer is that "[I]n 2021, this challenge persisted...NSIRA and CSE have been unable to achieve a workable trust-but-verify model for any reviews of CSE to date"🚨
So what's happening? NSIRA asks for data, and then CSE gets what *it* thinks pertains to the request and then provides it.
NSIRA goes so far as to state:
"CSE's predetermination of relevance of information undercuts NSIRA's authority to decide whether information relates to its reviews and contributes to significant delays in the provision of information to NSIRA staff."
🚨🚨12b) It is particularly worrying that NSIRA explicitly states that, under its authorising legislation, it must be provided "highly classified or Exceptionally Controlled Information (ECI)" in a timely manner. 🚨🚨
Based on the specific phrasing I can't tell if there are instances where such information is not disclosed, or merely that it isn't disclosed in a timely fashion. Regardless there is a major problem.
We are now at a structural-level problem. This is important and needs attention.
What else is in the report?
On DND:
1) There are 180 independent electronic repositories assoc with information collection & storage. Procedures for them vary across the organization. This could cause a problem for future reviews and DND/NSIRA are working on it.
🚨2) IT searches undertaken by the 🇨🇦 Forces National Counter-Intel Unit (CFNCIU) have issues. There's some inappropriate reliance on lawful authority for them, inappropriate metadata definitions, and insufficient legal oversight. Seems notable. 🚨
3) Expect future reviews on DND about their use of HUMINT as well as domestic open-source collection activities. Yes, I did say 'domestic.'
4) DND/CAF is huge, which means it's hard to access its information. For an ongoing review NSIRA has direct access & is working on a "proxy model" for future reviews. Given the realities of DND/CAF, NSIRA expects different ways of accessing data and isn't complaining about things now.
On RCMP:
1) expect a lotta reviews. About HUMINT. About bypassing encryption when intercepting communications in national security investigations. About RCMP's access and use of security intelligence.
2) On the 'can NSIRA access the data' front, things are mixed. NSIRA lacks direct access to RCMP IT systems. The proxy model--through the NatSec External Reviews & Compliance Team--seems to be working, but NSIRA wants either direct access or a way to verify what it gets by proxy
On CBSA: 1) expect reviews on using predictive analytics to guide targeting of air passenger travellers as well as one on CBSA's use of confidential sources 2) No mention of issues (or lack thereof) of obtaining access to CBSA information. I wish this was more standardised.
On FINTRAC: 1) The first review is ongoing, and examines FINTRAC's existing regime "for sharing information with its domestic and international partners by looking at queries and disclosures to foreign financial intelligence units". I suspect that @JessMarinDavis will be watching
2) No information, as of the date this was written, about whether there are issues accessing FINTRAC's information, or what model is being adopted.
On Multi-department Reviews 1) There was a major assessment of how CBSA, IRCC, and Transport Canada (with a bit of RCMP) use biometrics at the "border continuum" (note: love that phrase. Might steal it...)
The objective was to map the "nature and scope" of biometric activities. That led to 9 themes (see pages 37-38 for them). Curiously, in paragraph 176 NSIRA almost seems to justify its attention to this issue.
2) on SCIDA (see: laws-lois.justice.gc.ca/eng/acts/S-6.9/) we get some numbers on how many disclosures occurred. Only 3/215 didn't meet the disclosure test and all linked with "proactive disclosures by the RCMP." One included a disclosure of 2,900 identities/biometric info to CAF.
There was also a case where there seemed to have been a kind of end-run around the authority to disclose records. I don't get the sense this is intentional, though, at least based on the language used.
CSE and IRCC are also told they should get into a formal information-sharing arrangement based on their patterns of information disclosure. GAC and CSIS should update their info sharing arrangement to incorporate SCIDA's principles*
* I do wonder to what extent this reflects issues in CSIS generally updating its policies, as has been discussed in previous NSIRA reviews of CSIS. But maybe this is just as much a GAC issue? 🤷♂️
Finally, while 16/17 agencies in SCIDA have policies to support compliance with information sharing, the Canadian Food Inspection Agency doesn't. NSIRA's report rightly notes they should get on that!
3) Avoiding Complicity in Mistreatment by Foreign Entities
Not a lot to report here beyond there were 0 cases under the ACA that were issued to deputy heads in any department.
CBSA & Public Safety have yet to finalise directions received under the ACA w/in the review period. 😮💨
4) Future Multi-Department Reviews. Expect to see reviews on how CSIS & RCMP manage threats posed by IMVE, as well as one on the relationship between CSE and CSIS on operational activities
Technology in Review
I am *very* excited to see NSIRA talking about their Technology Directorate (and crazy excited to see what their staff get up to!). This is super important, as it'll give NSIRA the ability to really peer into how agencies' technologies operate.
It will also, confusingly, give NSIRA a "unique opportunity" to build a review model that "will put us on equal footing" amongst FVEY review bodies. Do other review agencies lack technical review teams? Or do they have them and, if so, how does this make NSIRA unique?
Notwithstanding my challenges in reading, in-house technical expertise is gonna be key for NSIRA to keep abreast of national security legal and compliance issues or risks.
The team will do a lot of things:
a) lead review of IT systems
b) conduct independent technical investigations 🤯 (how to do this when CSE refuses direct access to systems should be exciting to watch)
c) support NSIRA members in investigations against CSIS, RCMP, or CSE that require technical expertise to assess evidence
d) explain/interpret some technical subjects
e) assess risk of reviewed entity's IT compliance with law/policy
f) recommend safeguards to minimise risk of legal non-compliance
g) lead integration of technology themes into NSIRA reviews
h) leverage expertise in assessing IT risks
This team has a LOT to do. I'm excited to see what they get up to!
So, most immediately, this team will be looking into: technology-focused reviews of CSIS information collected pursuant to a Federal Court warrant and, in 2023, CSE's SIGINT retention practices
They might also be looking at dual-use tech, data warehousing and bulk data and data analytics, and automated decision making. Further, NSIRA plans to do a bunch of outreach with academics/private orgs/civil society to capture tech issues in its technical review processes.
Review Policies and Processes
1) NSIRA has a whole section dedicated to how it will regularise & assess timeliness in reviews and its access to information from agencies. You do that when you're professionalizing (good) and/or when dealing with recalcitrant departments (bad)
Future annual reports are going to track timelines, and NSIRA is going to be using *its* discretion for when agencies indicate they cannot meet the 15 or 30 day timeline. Notably it will be review teams making this assessment (makes sense, they're closest to the ground).
Departments that fail to provide information will see letters sent to ADMs, DMs, or the Minister (in sequence) as/if information is not disclosed about a given review. Such letters will be attached as an appendix to any relevant reviews.
2) NSIRA thinks (probably rightly) that after 2 years of issuing recommendations it's time to see how well they've been put into practice. So NSIRA is going to start tracking and evaluating implementations.
This is important because, as agencies respond positively to recommendations, it will showcase their interest in being reviewed and not just reading the recommendations, but making changes based on what is there.
🚨3) Once more, we see NSIRA repeating that it is "entitled to receive all information it deems relevant, except for Cabinet confidences." The agency then lists a pair of things that should be done when there is a proxy-model that's been adopted.
I absolutely do not believe those examples would be provided unless NSIRA is experiencing these issues. Again, this is a SERIOUS issue as the point of NSIRA is to lend confidence in national security activities.
If NSIRA is prevented from conducting its lawful activities then it cannot assist in legitimising national security agencies' activities or giving Canadians confidence in the lawfulness of those activities.
Complaints Investigations 1) NSIRA is seeing more and more complaints with the effect that it is impacting its "overall management" of the cases. It aims to address this by standardising procedures, such as for adjournments and extensions.
2) There are now, after consultation, new rules of procedure which, it is believed, will "provide greater accessibility as well as greater efficiency in NSIRA's investigation mandate."
3) There are also a pair of investigative summaries. One finds that CSIS breached an individual's Charter rights (section 8) and, another, reexamined a SIRC decision and found that SIRC's prior report and findings were correct.
Administrative Related Things 1) NSIRA is growing -- up to 73 people!--but facing a hard labour market that isn't helped by employees needing to spend some time in secure facilities. This has made it hard to retain talent once acquired.
2) NSIRA's 'cyber incident' in March 2021 is long resolved though it did "exacerbate delays NSIRA was already dealing with because of the pandemic." (I wonder if this was technical, because of reduced trust in NSIRA's ability to secure information by reviewed agencies, or...?)
Review Findings and Recommendations
I'm not going through these but you can see NSIRA's recommendations + truncated responses from agencies on a by-review basis. Super helpful!
Endnote 45 is interesting. Can an enterprising...someone else?...request these reports' summaries?
Endnotes of Interest
As always, read NSIRA's endnotes if only to clarify all the things you didn't know or incorrectly thought you did (at least that's how they work for me). Endnotes 8, 20, and 32--ESPECIALLY 32--are of particular importance.
My summary thought: the serious challenges that NSIRA seems to be having accessing information, in particular from CSE, is worrying and disturbing. Unlike in other nations NSIRA is having to negotiate with CSE despite having the lawful mandate to compel disclosure of information.
This is something that journalists and others REALLY need to be making a LOT more public. While CSE is important for national security, that importance doesn't mean it gets to ignore/set its own special rules for compliance with review.
</fin>
Ian Levy, NCSC’s Technical Director, has an excellent blog post discussing key issues in cybersecurity and where things may go in the future. See: ncsc.gov.uk/blog-post/so-l…
I think it’s particularly worth reading for those interested in Canada’s C-26 on the basis that there are discussions of how equivalent UK legislation is being used and, also, because it envisions how cybersecurity could move forward in the future.
Specifically the section, “Towards a grand unified theory of the cyberz” is of particular importance to envision ways that C-26 could manifest over the mid-term. I’m not saying these visions are bad, per se, but that it is a helpful lens through which to read the legislation.
I’ve been in, and watched, too many parliamentary meetings where people weren’t wearing approved headsets. It’s a very real issue.
However.
In the recent past, headsets that were issued were not MacOS/iOS compatible. They were USB-A headsets that no adaptor could make work IME.
I think I’m one of the few who has raised this issue to parties and committee clerks. And even in those instances, I managed to get an appropriate headset that worked. But we’re 2.5 years through the pandemic; equipment compatibility shouldn’t be an issue anymore. But it is.
I’m looking forward to this remote event on November 9 that @DentonsCanada is hosting, entitled “Regulating the Internet – Really?
Part III: Managing the tensions of competing rights” dentons.com/en/about-dento…
I’ll be starting up the event, and then be followed by panels on C-11, on reforming privacy law, a keynote from @PrivacyPrivee, and then a set of panels on online advertising and another on regulating online harms.
Three findings from analyzing the recent “Securing Canada’s Telecommunications Systems” policy statement:
1. the government is unclear when referring to “supply chain breaches” making it challenging to assess the specific risks being addressed
2. The government may be banning Huawei and ZTE principally on the basis of American export restrictions placed on Chinese vendors and, thus, be following the same model as the United Kingdom which was forced to ban Huawei following American actions; and
I can't emphasize how important it is for this issue to be taken very, very seriously. The interpreters working for the Government of Canada, and responsible for translating legislative proceedings, are absolutely top class.
The complaints they are raising are self-apparent to anyone who has been before committee over the past few years.
I've repeatedly witnessed senior executives complain about using government-approved headsets, showing up having not done technical testing, etc.
There are many noteworthy details:
* a helpful outlining of how dataset retention processes actually occur
* a warning “it is difficult to see how any collection of personal information [in an approved class of dataset] might be excluded given the breadth of their scope” [11]
* an appreciation the Federal Court will get direct notification of NSIRA’s audits of CSIS dataset activity rather than having to rely on public reports which “are necessarily vague, for national security reasons” [16]