NSIRA's long-awaited first report is finally out, and overall the new review agency seems to be off to a pretty good start. But I do have some serious concerns related to reporting on CSE. 1/x https://twitter.com/nsiracanada/status/1337518790540668936
We do learn (on p. 49) that ministerial authorizations (MAs) have been signed for both offensive and defensive cyber operations. I think this is the first time this has been confirmed. But CSE refused to allow NSIRA to report the number of such MAs. 2/x
These cyber operations powers, which mark a fundamental change in CSE's role, were only granted to CSE in 2019, and knowing the MA numbers would provide some minimal sense of how much CSE is ramping up those activities. NSIRA, to its credit, disagrees with CSE's refusal. 2/x
CSE also prevented NSIRA from reporting the number of foreign intelligence and cybersecurity MAs granted in 2019. These MAs are also new, but the numbers of similar MAs were reported by OCSEC, NSIRA's predecessor, in each of the prior 6 years. Not any more, says CSE. 3/x
A whole lot of other items of information previously reported by OCSEC are also missing from this report, notably data on CSE's use of private communications (PCs), i.e. communications with at least one end in Canada. 4/x
Missing data includes:
- The # of recognized PCs retained for possible use under CSE's foreign intelligence program.
- The # of those PCs used in CSE SIGINT reporting.
- The # of reports PCs were used in.
- The # of PCs retained by CSE at the end of the review period. 5/x
- The % change in the total # of recognized PCs intercepted by CSE's foreign intellligence program.
- The # of PCs "with substantive content" used or retained by CSE's cybersecurity program.
All gone. 6/x
Also missing:
- The # of requests made by Canadian government clients for disclosure of Canadian Identity Information (CII) cited in reports by CSE or Five Eyes partners.
- The # of requests for CII made by Five Eyes partners.
- The # of requests made by other states. 7/x
The NSIRA report does tell us the number of incidents in CSE's Privacy Incidents File in 2019 (123). But it doesn't explain why this is nearly 3x as many as the 44 reported in the last OCSEC report. Nor do we get the number in the Second Party [Privacy] Incidents File. 8/x
We also learn nothing of the status of the 10 OCSEC recommendations that CSE was said to be working on in the last OCSEC report.

So, all in all, there's a LOT of information about CSE that used to appear in the OCSEC annual report that is not in this successor report. 9/x
Some of this info may appear through the year as NSIRA releases specific reports about its individual reviews. Or maybe it won't.

Unless CSE's minister, @HarjitSajjan, turns his past rhetorical support for transparency into action, we probably won't see MA data any more. 10/x
If we get much more of CSE's kind of transparency, the agency will eventually be completely invisible. 11/11
You can follow @NewmanRobinson.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
Those who think consciousness raising & movement building are disconnected, or even a distraction from electoral politics have not paid attention to the history of social change.In this thread, we
Read more
The 2020s will be known as the Remote Work decadeA few predictions of what is likely to emerge[ a thread ] Third Space: Office and Working from Home will
Read more
1/29: Have you ever had a concept explained to you that helps frame complex issues you’ve been wrestling with and opens your eyes to new possibilities? A concept that I
Read more
By continuing to use the site, you are consenting to the use of cookies as explained in our Cookie Policy to improve your experience.