Just under a decade ago, in 2013, the BCCLA filed lawsuits challenging secret spying programs operated by the Communications Security Establishment (“CSE”), the Canadian version of the U.S. National Security Agency (“NSA”). CSE is responsible for collecting intelligence from communications and computer systems (“signals intelligence” or “SIGINT”) and for securing Canadian government and associated computer systems and networks (“cybersecurity”). Since 2019, it has also been mandated to conduct cyberwarfare activities (“active and defensive cyber operations”). The BCCLA challenged CSE’s bulk surveillance of metadata about Canadians’ telephone and internet communications. The BCCLA alleged that CSE’s bulk collection of metadata and collection of private communications violated Canadians’ Charter rights to privacy.
After years of secret hearings, the case is over. The BCCLA’s litigation ended with the government making sweeping changes to how Canada’s spy agencies operate, including an entirely new review body that can receive public complaints, and new policies restricting how the identities of individuals can be reported. The BCCLA also secured the release of documents that were previously secret, providing a greater understanding of how Canada’s spy programs operate and who is targeted by them.
This is the first of two posts on the BCCLA’s litigation over secret spying by the CSE. This post will provide background on the litigation and the new legislative framework, while the next post will release the new documents detailing the CSE’s surveillance practices.
The CSE has a long history of operating in the shadows and without appropriate oversight or review. Despite being formed at the beginning of the Cold War, its intelligence-gathering role was only officially acknowledged by the government in 1983. Its mandate was codified in the Anti-Terrorism Act in 2001, marking the first time it was set out in statute, and in 2011, CSE became an official government agency.[1]
The CSE’s mandate has two main parts: signals intelligence and cybersecurity. CSE was granted its spying authority by secret “ministerial authorizations” and “ministerial directives” issued by the Minister of National Defence. These authorizations set out a broad scope for CSE to obtain and store communications, metadata about communications, and other electronic data.
The Snowden Leaks
Midway through 2013, an anonymous leaker – later revealed to be Edward Snowden – provided journalists with documents proving a vast surveillance program operated by the NSA. The documents provided by Snowden revealed the indiscriminate harvesting of the metadata attached to every phone call made or email sent within the United States, surveillance programs within major internet companies, and sharing of records internationally within the Five Eyes alliance of the US, United Kingdom, Australia, New Zealand, and Canada.
Metadata is information about information. It includes things like the to and from fields of an email, call, or text, the subject line of emails, IP addresses, and so on. Individual pieces of metadata are not particularly sensitive, but they can be seen as pieces of a puzzle. With enough metadata, patterns start to emerge: networks of family and friends, or sensitive personal details like political affiliation, religious beliefs, sexual orientation, and so on. The bulk surveillance described in the Snowden leaks suggested that intelligence agencies, including Canada’s CSE, could be developing intimate profiles of anyone who used the internet or telephone.
Soon after the first Snowden leaks, the Harper government was forced to comment on CSE’s own bulk metadata collection, offering the misleading excuse that Canadians’ information was not “targeted.”[2] However, as the documents produced in the litigation will reveal, this denial was largely meaningless. The CSE has its own unique vocabulary, so while Canadians may not be “targeted” by CSE, their information can still be obtained by CSE and, in some cases, shared with other countries.
A Decade of Secret Hearings
Although the public picture of CSE’s spying programs was not complete, there were enough pieces in place to allow the BCCLA to bring lawsuits challenging the sections of the National Defence Act that enabled the CSE’s secret spying programs. One case sought a declaration that the programs were a violation of Canadians’ Charter rights and orders preventing the operation of the secret spying programs. The other was a proposed class action seeking damages for these Charter violations.
Like the programs it challenged, the BCCLA’s litigation was shrouded in secrecy by the government. The claims were not allowed to proceed under the usual principles of open court. Canada insisted that public hearings would compromise national security, so the Federal Court ordered closed-door hearings and imposed confidentiality on document production. Even then, the documents that were produced were heavily redacted.
New National Security Intelligence Framework
The BCCLA’s litigation pushed the government to introduce Bill C-59, legislation that would create a new framework for national security and intelligence activities in Canada. Bill C-59 became law in 2019, bringing significant changes to how CSE operates:
- The CSE was brought under a new statutory framework with publicly defined mandates, as set out in the new Communications Security Establishment Act.
- The signals intelligence mandate allows CSE to obtain information from various communications and computer systems.
- The cybersecurity mandate allows it to assist other government and non-government entities with cybersecurity matters and obtain information required to do so.
- The new law also includes controversial provisions that go beyond intelligence-gathering and protecting Canadian communications systems, allowing CSE to conduct cyberwarfare in certain circumstances. (CSE Act, s 18-19)
- Ministerial authorizations for surveillance require written requests from the CSE and can only be approved if a set of criteria are met. (CSE Act, s 34(1))
- Ministerial authorizations are overseen by the Intelligence Commissioner, a new office created by the Intelligence Commissioner Act, and can only come into effect if the Commissioner concludes the Minister’s approval was “reasonable.”
- CSE activities cannot “[interfere] with the reasonable expectation of privacy of a Canadian or a person in Canada” unless specifically authorized to do so (CSE Act, s 22(3)). The CSE Act does not specify whether Canadians have a reasonable expectation of privacy in metadata about their communications.
- CSE activities cannot violate other laws unless they are specifically authorized to do so (CSE Act, s 22(4)).
- A new review body, the National Security and Intelligence Review Agency (“NSIRA”), reviews the operations of CSE and can take complaints from the public, pursuant to the National Security and Intelligence Review Agency Act.
The new system is far from perfect. The powers given to Canada’s intelligence agencies are still incredibly broad, and the oversight and review bodies have limited authority and resources to do their jobs. However, it is still a vast improvement over the secrecy and unaccountable ministerial authorizations that were in place, and NSIRA has the potential to serve as a meaningful watchdog. The BCCLA will continue to push for additional limits and oversight on the broad spying powers available to CSE.
End of the Litigation and Public Release of Documents
The new legislation replaced the sections of the National Defence Act challenged by the BCCLA. Since the goals of the litigation had broadly been achieved, the BCCLA withdrew the claims.
In addition to encouraging the government to reform its unaccountable surveillance regime, the BCCLA litigation will give Canadians a close look at what CSE has been doing in secret. Thanks to an access to information request by researcher Bill Robinson, almost all the documents produced by the government in the litigation can now be made public. The documents cover a wide range of subjects, from CSE operational handbooks to previously secret reports on breaches of privacy by the CSE. We will be releasing these never-before-seen documents in the coming weeks, along with another blog post providing context and highlighting some of the more interesting things we learned from the documents.
The BCCLA was represented by David Martin of Martin & Associates, Sebastian Ennis of Iris Legal, and Neil Abraham of Olthuis van Ert. The BCCLA was also represented by Joseph Arvay, O.C., O.B.C., Q.C.
Bill Robinson and Greg McMullen served as experts on the case.