The government has launched a process of public consultations on revising the Canadian Security Intelligence Service (CSIS) Act. The original legislation is now forty years old and is in desperate need of an overhaul. Post 9/11, it has been treated to some targeted amendments, including the introduction of threat reduction measures in 2015 and the creation of a complex data mining regime in 2019. But the CSIS Act has never been subjected to a full root-and-branch overhaul.
The consultation paper now available on the government website recognizes the need for change, but in some cases reaches for low-hanging fruit and certainly does not contemplate a major overhaul. This lack of imagination and boldness may fit the legislative agenda of a minority government, but will ultimately not meet the needs of a CSIS Act for the 21st century.
https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2023-nhncng-frgn-nflnc-mnd-csis/index-en.aspx
Proposed changes to the CSIS Act also come at an unpropitious moment for the Service in terms of public perceptions, struggling as it is to deal with workforce problems around sexual harassment and racial discrimination, apparently unable to stem serious leaks of classified information, and under the gun in terms of its handling of foreign interference allegations. There may be more problems in store for CSIS’s reputation when the reports from the National Security and Intelligence Review Agency and the National Security and Intelligence Committee of Parliamentarians on foreign interference are released, which we can expect to happen in the next month or so.
The public consultation paper on the CSIS Act identifies five issues.
Two of the five I would class as relatively simple and clearly necessary amendments to the legislation. One would provide CSIS with a mandate to share intelligence selectively with partners outside the federal government. These partners might include provincial, territorial and municipal governments, indigenous governing bodies, the university research community, and the private sector. How to do this is likely more complicated than giving CSIS the legislative authority, but one step at a time.
The other piece of very low-hanging fruit is the suggestion that the CSIS Act should not be subject to 40-year reviews but tied to something on a more regular basis to ensure it remains fit for purpose. Yes, of course. Five-year review cycles should do it.
That leaves three other issues set out in the consultation paper. One is pretty lawyerly; one highly technical; and one is just a sideways move to sustain a CSIS power that needs to be re-thought.
The lawyerly question involves details of CSIS warrant applications and proposed revisions to allow for more streamlined processes. Embedded in this issue are questions about data preservation and production orders. National security lawyers out there—please fill your boots. It might also be important to hear from telecom and internet service providers about the practicalities of preservation orders and responses to production orders.
The highly technical issue, that actually takes up a lot of room in the current CSIS Act, involves what is called the “dataset” regime, or for commoners like you and me, CSIS data mining. This regime was established only in 2019 through national security legislation, so is both highly complex and relatively new. It gives CSIS the ability to collect and retain data for future investigative and intelligence purposes without the need to demonstrate any imminent requirement.
Those of us who studied and commented on Bill C-59, the national security framework legislation introduced by the government in 2017, have scratched our heads about the dataset system, but real expertise on how it works resides mostly within government, in CSIS, and in the quasi-judicial body established to oversee aspects of its implementation—the Intelligence Commissioner’s Office (ICO), now headed by Justice Simon Noel. Annual reports from the ICO provide us with some useful statistics and a sense that the dataset regime has only been very cautiously applied by CSIS, but beyond this it is very difficult to understand its strengths and weaknesses.
For the most recent ICO annual report, see:
https://www.canada.ca/en/intelligence-commissioner/annualreport.html
The complexity of the dataset regime resides in the way it creates three separate streams of data, with different handling and authorization requirements. The three streams are defined as:
Public datasets (with no privacy protection concerns)
Canadian (content) datasets
Foreign (e.g. non Canadian content) datasets
At the very least, the consultation paper suggests that there are some significant problems with the new system. They include too-tight timelines for evaluating the contents of a dataset to determine whether it can be kept by CSIS (90 days, or destroy); the effort involved in trying to establish separate pathways for Canadian and foreign datasets; the apparent mandate inability to allow CSIS to use datasets for security screening (a puzzle to me, that one) and restrictions on the sharing of datasets by CSIS with partner departments and with allies.
It strikes me that the problems with the dataset regime call out for something more than tinkering, but tinkering appears the order of the day.
And finally, what I call the “sideways” move. This involves a concern arising from a recent Federal court decision that has impeded CSIS’s ability under its statute to collect foreign intelligence, which it is only allowed to do “within Canada.” This power you can find at s16 of the CSIS Act, and it is unchanged since 1984.
For readers unfamiliar with the CSIS Act, s16 reads, in part, as follows:
“the Service may, in relation to the defence of Canada or the conduct of the international affairs of Canada, assist the Minister of National Defence or the Minister of Foreign Affairs, within Canada, in the collection of information or intelligence relating to the capabilities, intentions or activities of
(a) any foreign state or group of foreign states; or
(b) any person other than
(i) a Canadian citizen,
(ii) a permanent resident within the meaning of subsection 2(1) of the Immigration and Refugee Protection Act, or
(iii) a corporation incorporated by or under an Act of Parliament or of the legislature of a province.
The consultation paper notes the challenge now represented by the fact that foreign intelligence that the Service might want to collect against a target within Canada (say a foreign embassy) may be stored electronically outside Canada. So, it wonders how to amend the legislation to take account of this.
In reality, the bigger move would be to do away altogether with the artificial distinction in the CSIS Act between foreign intelligence that can only be collected within Canada, and ‘security intelligence’ (intelligence about threats to the security of Canada) that can be collected anywhere in the world (s12 mandate). This is one of the mustiest parts of the 1984 Act.
Had the government opened the consultation process to a more ambitious set of goals there would be no need to tinker with s16.
Where does this leave Canadians who might want to take part in the public consultation process but feel they lack the requisite legal or technical expertise? If one reads to the very end of the consultation paper there is a small window that beckons. It asks:
“Do you have any other views to share regarding the development and possible amendments to the CSIS Act.”
For my part, I would have hoped that the government would engage in a real discussion about the need to amend the fundamental definition of threats to the security of Canada, at s2. The definition, again unchanged since 1984 (a different world of threats, surely) is a four-part one.
It reads as follows:
“threats to the security of Canada means
(a) espionage or sabotage that is against Canada or is detrimental to the interests of Canada or activities directed toward or in support of such espionage or sabotage,
(b) foreign influenced activities within or relating to Canada that are detrimental to the interests of Canada and are clandestine or deceptive or involve a threat to any person,
(c) activities within or relating to Canada directed toward or in support of the threat or use of acts of serious violence against persons or property for the purpose of achieving a political, religious or ideological objective within Canada or a foreign state, and
(d) activities directed toward undermining by covert unlawful acts, or directed toward or intended ultimately to lead to the destruction or overthrow by violence of, the constitutionally established system of government in Canada,
but does not include lawful advocacy, protest or dissent, unless carried on in conjunction with any of the activities
The 1984 definition needs re-opening to allow for a more expansive definition of espionage; to remove the Cold War concern about sabotage; to better reflect the reality of foreign interference including disinformation; to introduce the need for critical infrastructure protection; and capture contemporary concerns about serious threats to political order and politicians of all stripes. Some parts of the definition were shown to be out of synch with the times during the freedom convoy protests.
A revised definition of national security threats could also be accompanied by a statement, similar to that in the CSE Act, that CSIS should conduct its intelligence activities in accordance with Government of Canada intelligence priorities (which themselves should be made public in an appropriate form).
Legislators in 1984, reacting to scandal, threw in a provision in the CSIS Act about it conducting its investigations under a “strictly necessary” rule (s12). We need to ask about the value, other than symbolic, of such a phrase.
I also find it disappointing that no effort was made in the consultation paper to address the current limits placed on the use of open-source intelligence by CSIS, a critical intelligence tool that has changed out of all recognition in importance and nature since 1984.
I hope that readers of this substack will have their own views and will take advantage of the final, more open-ended, question in the consultation paper to raise them.
Here is the consultation portal:
https://csdpsc.qualtrics.com/jfe/form/SV_cI9zPpPYmVmJxTo
Have a go! Help the government think BIG, or bigger.
Thank you for your thoughts on this consultation process. Very much appreciated!
CSIS should be able to use any and all information to defend the security of Canada.
The security of Canada should be of the highest importance.
There should be very few restrictions to the access and use of information by CSIS to safeguard Canada.
However with the greatly reduced restrictions on CSIS acquisition and use of information there needs to be greater oversight of CSIS, with a body/board that reports not just to the Minister but also to Parliament.