Highlights of the Six Reviews Submitted to the Minister in 2012–2013

1. Review of certain foreign signals intelligence activities

Background

I examined CSEC's acquisition, use and exchange of information relating to certain foreign intelligence activities that occurred a number of years ago.

Findings and recommendations

I had no concern with respect to the majority of the CSEC activities reviewed. However, a small number of records suggested the possibility that some activities may have been directed at Canadians, contrary to law. A number of CSEC records relating to these activities were unclear or incomplete. After in-depth and lengthy review, I was unable to reach a definitive conclusion about compliance or non-compliance with the law.

In the process of review, I found that a number of CSEC records relating to exchanges of information with CSIS were sometimes unclear, which led me to recommend that CSEC promulgate policy guidance respecting how to clearly and consistently communicate with its partners about what entity the activities are being directed at. As well, I recommended that CSEC ensure that its foreign intelligence analysts are knowledgeable about and follow existing policy guidance, introduced since the period under review, respecting their responsibilities for determining the foreign status of an entity and the justifications for directing activities at that entity. Following the completion of my review, I forwarded to the Chair of SIRC, for information, certain general points relating to CSIS that arose out of the recommendations I made.  

At my direction, my office has started a review of other more recent foreign intelligence activities that includes follow-up on matters raised in this review, and will seek to determine whether developments in CSEC policies and procedures since the period under review have led to an improvement in the clarity of language in CSEC information exchanges with CSIS.

Conclusion

As of the end of the 2012–2013 reporting period, March 31, 2013, I am awaiting the Minister's response to the two recommendations. The responses will be noted in next year's annual report.

2. CSEC assistance to CSIS under part (c) of CSEC's mandate and sections 12 and 21 of the CSIS Act

Background

In 2007, CSIS sought from the Federal Court of Canada a warrant to assist in the investigation of threat-related activities that, it was believed, individuals would engage in while travelling outside of Canada. The Honourable Justice Edmond Blanchard held that the Court lacked the jurisdiction to authorize intrusive investigative activities by CSIS employees outside of Canada (Re CSIS Act, 2008 FC 301).

In 2009, in X(Re), 2009 FC 1058, the Court was asked to revisit the question of jurisdiction and to distinguish Justice Blanchard's reasoning on the basis of a more complete description of the facts relating to the activities necessary to permit the interception and a different legal argument concerning how the method of interception was relevant to the jurisdiction of the Court. The Honourable Justice Richard Mosley was satisfied that there were sufficient factual and legal grounds to distinguish the application from that which was before Justice Blanchard and he issued the first warrant permitting CSIS to intercept the communications of Canadians located outside Canada using the interception capabilities of CSEC. The application was supported by the affidavit evidence of an employee of CSEC that described the agency's interception capabilities and how communications would be intercepted from within Canada.

Paragraph 273.64(1)(c) of the National Defence Act authorizes CSEC to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties. This assistance includes CSEC supporting CSIS with the interception of Canadians' communications if CSIS has a judicially authorized warrant issued under section 21 of the CSIS Act. Pursuant to subsection 273.64(3) of the National Defence Act, CSEC is subject to any limitations imposed by law on the agency to which it is providing assistance — for example, any conditions imposed by a judge in a warrant. When CSEC provides operational assistance to CSIS, CSEC becomes the agent of CSIS. CSIS is de jure the owner of the information and the intercepted communications relating to the subject of the warrant.

In X(Re), Justice Mosley stated:

Canada has given CSE[C] a mandate to collect foreign intelligence including information from communications and information technology systems and networks abroad. It [CSEC] is restricted as a matter of legislative policy from directing its activities against Canadians or at any person within Canada, but it is not constrained from providing assistance to security and law enforcement agencies acting under lawful authority such as a judicial warrant. CSIS is authorized to collect threat-related information about Canadian persons and others and, as discussed above, is not subject to territorial limitation.

Where the statutory prerequisites of a warrant are met, including prior judicial review, reasonable grounds and particularization of the targets, the collection of the information by CSIS with CSE[C] assistance, as proposed, falls within the legislative scheme approved by Parliament and does not offend the Charter. (X(Re) at paragraphs 75–76)   

The objectives of my review were to acquire detailed knowledge of and to document CSEC's assistance to CSIS and to assess whether CSEC activities complied with the law, including with the terms of the warrants issued to CSIS, and any privacy protections found therein. CSEC's assistance to CSIS under the warrants may include use of Canadian identity information and the interception of the communications of Canadians. CSEC's collection, as defined in the warrant, may impact on the privacy of Canadians.

I examined CSEC assistance to CSIS in support of a number of the first warrants of this kind relating to counter-terrorism. Specifically, as part of assessing compliance with the law and privacy protection, for the warrants examined, I verified that:

Findings and recommendations

During the period under review, CSEC responded appropriately to two related privacy incidents it identified involving the unintentional release of Canadian identity information of some of the subjects of the warrants. In fact, CSEC has already clarified appropriate internal processes for the conduct of certain activities and reminded its employees of their information stewardship responsibilities. This should help prevent similar incidents.

I questioned CSEC about another incident involving the interception of communications for CSIS for a small number of days after a particular warrant had expired. I accepted CSEC's explanation for this incident, which was that it resulted from unintentional human error. CSEC also confirmed that these intercepted communications were destroyed and that CSIS did not receive them. I am satisfied that CSEC documented this incident and reminded its employees of proper process to help prevent similar errors.    

During the period under review, operational policies and procedures of general application to CSEC's assistance in support of these warrants and related activities were in place and provided direction to CSEC employees respecting compliance with the law and the protection of the privacy of Canadians. Subsequent to the period under review, CSEC issued specific guidance for the conduct of this assistance and activities. Generally, CSEC employees interviewed were well aware of the policies and procedures and demonstrated knowledge of their respective responsibilities. Interviews with CSEC managers, team leaders and other employees showed that managers routinely monitored the assistance and related activities for compliance with governing authorities.

In addition to a detailed examination of CSEC activities under the warrants, I considered and consulted my independent counsel, who is also a privacy law expert, on general questions of law relating to this subject. I made two recommendations to the Minister to help ensure CSEC assistance to CSIS is consistent with the authorities and limitations of the warrants, and to enhance the measures in place to protect the privacy of Canadians. Specifically, I recommended that:

  1. CSEC discuss with CSIS the expansion of an existing practice to protect privacy to other circumstances; and
  2. CSEC advise CSIS to provide the Federal Court of Canada with certain additional evidence about the nature and extent of the assistance CSEC may provide to CSIS.

I found that CSEC practices relating to its assistance to CSIS and related activities were consistent with the general requirements in the "Accountability Framework" and "Privacy of Canadians" ministerial directives to CSEC, specifically to comply with the law and to take measures to ensure that information was lawfully obtained and handled in a manner consistent with the Canadian Charter of Rights and Freedoms and the Privacy Act.

Conclusion

While I made two recommendations to the Minister to help ensure CSEC assistance to CSIS is consistent with the law and to enhance privacy protection, I concluded that CSEC conducted its activities in accordance with the law and ministerial direction, and in a manner that included measures to protect the privacy of Canadians. The Minister accepted and CSEC has addressed the recommendations.

Following the completion of my review, I forwarded to the SIRC Chair, for information, certain general points relating to CSIS that arose out of the two recommendations I made and that SIRC may wish to examine as it deems appropriate. Subsequently, CSEC advised me that it raised the recommendations — which relate to matters that are controlled by CSIS, or require agreement from CSIS — with CSIS.

3. Review of CSEC IT security activities not conducted under a ministerial authorization

Background

The National Defence Act mandates CSEC to provide advice, guidance and services to Government of Canada departments and agencies as well as to other owners of IT systems to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada (paragraph 273.64(1)(b)).

During the period under review, the Government of Canada reorganized its cyber defence efforts. CSEC became the primary point of contact for cyber incidents faced by Government of Canada departments and agencies. Public Safety Canada is the primary point of contact for cyber incidents affecting non-Government of Canada critical infrastructure sectors. A further distinction is that CSEC is responsible for sophisticated cyber threats, such as those stemming from foreign state actors, while Public Safety Canada responds to less sophisticated threats, for example, those relating to known vulnerabilities in commercially available computer software.

I examined certain IT security activities conducted by CSEC to detect, analyse and mitigate cyber threats. CSEC does not undertake these activities under a ministerial authorization as it does not intercept communications. Rather, CSEC uses information acquired by the system owners — under their Criminal Code authorities and, for Government of Canada system owners, also under their Financial Administration Act authorities — and disclosed to CSEC. These authorities permit the interception of private communications by authorized persons when the interception is reasonably necessary to protect computer systems from mischief and unauthorized use.

The objectives of my review were to assess whether CSEC complied with the law and the extent to which CSEC protected the privacy of Canadians in carrying out the activities. In addition to acquiring detailed knowledge about the activities, I examined:

Private Communication: "any oral communication, or any telecommunication, that is made by an originator who is in Canada or is intended by the originator to be received by a person who is in Canada and that is made under circumstances in which it is reasonable for the originator to expect that it will not be intercepted by any person other than the person intended by the originator to receive it, and includes any radio-based telephone communication that is treated electronically or otherwise for the purpose of preventing intelligible reception by any person other than the person intended by the originator to receive it" (section 183 of the Criminal Code).

I examined activities conducted between April 1, 2009, and March 31, 2011, including a more detailed examination of activities and associated reporting for a number of the departments and agencies assisted by CSEC during that time. Additionally, records were examined to verify that system owner information retained by CSEC was done so under an appropriate legal authority. My review also included an examination of CSEC's responses to areas for follow-up identified in a 2009 study by former Commissioner Gonthier.

Findings

I found that CSEC conducted its activities in accordance with the law and ministerial direction and I had no questions about the reporting and retained information examined.

I suggested that CSEC could enhance its ability to demonstrate that it has measures to protect the privacy of Canadians by recording the return or deletion of irrelevant information acquired by a system owner and shared with CSEC. Notwithstanding this suggestion, I found that these IT security activities contained satisfactory measures to protect the privacy of Canadians.

During the period under review, operational policies and procedures of general application were in place to provide general direction respecting compliance with the law and the protection of privacy of Canadians. However, there was no specific operational guidance in place for these activities. It is a positive development that, subsequent to the period under review, CSEC issued a specific policy for the conduct of these activities.

Some CSEC employees who were interviewed were unable to cite certain policies, but were aware of the rules governing their activities. In addition, CSEC managers who were interviewed routinely and closely monitored the activities to ensure that their employees complied with governing authorities. Based on the records examined, the answers provided to questions during interviews and CSEC's policy compliance validation activities, the activities reviewed complied with relevant policies and procedures.

Conclusion

My review report contained no recommendations. However, regular in-depth reviews will continue to be conducted of IT security activities not conducted under a ministerial authorization to verify compliance with the law, and the extent to which CSEC protects the privacy of Canadians in carrying out the activities.  

4. Review of CSEC's 2010–2011 and 2011–2012 foreign signals intelligence ministerial authorizations

Background

Subsection 273.65(8) of the National Defence Act requires the Commissioner to review CSEC activities carried out under ministerial authorizations "to ensure they are authorized and report annually to the Minister [of National Defence] on the review." A regular combined review of the foreign signals intelligence ministerial authorizations is one way that Commissioners fulfill this part of their mandate. This year's review covered two fiscal years: I examined the five foreign signals intelligence ministerial authorizations in effect from December 1, 2010, to November 30, 2011, relating to five activities or classes of activities, as well as the six foreign signals intelligence ministerial authorizations in effect from December 1, 2011, to November 30, 2012, relating to six activities or classes of activities. The purpose of this review was to:

  1. ensure that the activities conducted under the ministerial authorizations were authorized and that the Minister was satisfied that the four conditions for authorization required by paragraphs 273.65(2)(a) to (d) of the National Defence Act were met;
  2. identify any significant changes to the ministerial authorization documents themselves or to CSEC's activities described in the ministerial authorizations;
  3. assess the impact, if any, of these changes on the risk of non-compliance and on the risk to privacy, and, as a result, identify any subjects requiring follow-up review; and
  4. examine, for compliance with the law, a sample of my choosing of any resulting private communications unintentionally intercepted by CSEC while conducting foreign signals intelligence collection activities under the ministerial authorizations.

Private communications

The Commissioner monitors the number of private communications unintentionally intercepted and verifies how CSEC treated and used these communications. The Commissioner is able to review all of the private communications that CSEC uses and retains.

Findings

I found that the activities conducted under the 2010–2011 and the 2011–2012 foreign signals intelligence ministerial authorizations were authorized.

For each of the 11 foreign signals intelligence collection activities, I examined certain key information relating to interception and to the privacy of Canadians, to permit comparison of the activities and to identify any significant changes or trends over time. I found no significant changes to the scope or operation of any of the activities to require a follow-up in-depth review of specific activities. The 2010–2011 and 2011–2012 foreign signals intelligence ministerial authorizations did not contain any significant changes from the previous year and CSEC did not make any significant changes to the technologies used for these activities.

Changes made by CSEC in 2010–2011 and in 2011–2012 to its operational policies for foreign signals intelligence collection activities clarified authorities and practices and enhanced the protection of the privacy of Canadians.

I also reviewed a sample of unintentionally intercepted private communications that CSEC recognized and retained, and that CSEC did not use in its reports. I found that in both 2010–2011 and 2011–2012, CSEC retained only those private communications essential to international affairs, defence or security, as required by paragraph 273.65(2)(d) of the National Defence Act. Again this year, the proportion of these communications remained very small and CSEC destroyed most of them. In addition, a new tool is being developed that will assist CSEC analysts in identifying intercepted communications that might be private communications. The Commissioner's office will examine the impact of this new tool on compliance and privacy protection in a future review.

In last year's report, I indicated that certain information about intercepted communications involving CSEC's international partners was not readily available. It is positive that, while not a requirement in the ministerial authorizations, CSEC has recognized the importance of reporting this information to the Minister. The Commissioner's office will monitor developments.

It is also a positive development that, while not a requirement of a particular ministerial authorization, CSEC has agreed to report to the Minister certain information relating to privacy. This measure to protect the privacy of Canadians will support the Minister in his accountability for CSEC. It also satisfies an outstanding recommendation I made in 2010–2011. The Minister had initially supported CSEC's rejection of this recommendation. However, after further examination, I maintained my recommendation and so informed the Minister. CSEC reconsidered its initial position and advised the Minister that it would undertake to implement the recommendation.

Conclusion

I made no recommendations.

5. Annual review of a sample of disclosures of Canadian identity information to Government of Canada clients

Background

Canadian identity information may be included in CSEC's foreign signals intelligence reports if it is required to understand or use the foreign intelligence. However, any information that identifies a Canadian must be suppressed in the reports — that is, replaced by a generic reference such as "a named Canadian." When receiving a subsequent request for disclosure of the details of the suppressed information, CSEC must verify that the requesting client has both the authority and operational justification for obtaining the Canadian identity information. Only then may CSEC provide that information.

My officials selected and examined a sample of approximately 20 percent of the total number of disclosures by CSEC to Government of Canada agencies or departments during the period October 2011 to June 2012. The sample included disclosures made to all of the departments that had requested Canadian identity information during the period under review. My officials examined: the requests documenting the clients' authority and justification for obtaining the Canadian identity information; associated CSEC foreign signals intelligence reports; and the actual disclosures of Canadian identity information. 

Findings

Based on my assessment of the information reviewed and the interviews conducted, CSEC conducted its disclosure activities in compliance with the law. Operational policies and procedures are in place and provide sufficient direction to CSEC employees respecting the protection of the privacy of Canadians. CSEC employees were knowledgeable about, and acted in accordance with, the policies and procedures.

In addition, in response to a recommendation made by former Commissioner Cory in his 2010 report, in 2012, CSEC started using a new on-line secure system to process requests for and disclosures of Canadian identity information. CSEC provided my employees with a demonstration of the system, which is currently used with CSEC's principal clients. CSEC intends to extend its use to other partners starting in the coming fiscal year. According to CSEC, the system has improved the timeliness of responses and resulted in better service to its clients. It enhances accountability by improving the tracking and retrieval of requests for and disclosures of Canadian identity information and it contains a number of features to help ensure the protection of the privacy of Canadians.

Conclusion

My review did not result in any recommendations. CSEC conducted its disclosure activities in a thorough manner; all of the requests reviewed were authorized, justified and well documented.

Should there be an instance of non-compliance in CSEC disclosure of Canadian identity information, the potential impact on the privacy of Canadians could be significant. For this reason, annual reviews of a sample of disclosures will continue. Next year's sample will include a detailed examination of the use of the new system, as well as a sample of disclosures of Canadian identity information to CSEC's international partners.

6. Annual review of incidents and procedural errors identified by CSEC in 2012 that affected or had the potential to affect the privacy of Canadians and measures taken by CSEC to address them

Background

CSEC maintains a central file describing any operational incidents that did or could have an impact on the privacy of Canadians. CSEC records in this file any incidents it identifies that put at risk the privacy of a Canadian in a manner that runs counter to or is not provided for in its operational policies. CSEC policy requires its foreign signals intelligence and IT security employees to report and document privacy incidents in order to demonstrate compliance with legal requirements and CSEC policies, and to prevent further incidents. Incidents could include, for example, the inadvertent inclusion of Canadian identity information in a report, or mistakenly sharing a report with the wrong recipient.

Horizontal and in-depth reviews of CSEC activities include an examination of any privacy incidents and procedural errors relating to the subject under review and, where appropriate, are reported in the summaries of those reviews. My employees are vigilant during reviews about identifying these types of incidents, so we can confirm whether CSEC also identified and addressed them.

The objectives of this annual review are to: acquire knowledge of the incidents and procedural errors in 2012 and associated actions; and inform development of the Commissioner's work plan, by determining if there are any systemic issues or issues about compliance with the law or the protection of the privacy of Canadians that should be the subject of follow-up review. The review of these privacy incidents and procedural errors also assists in evaluating how CSEC monitors and validates that its activities adhere to its operational policies.

Findings

I examined all foreign signals intelligence and IT security privacy incidents and procedural errors recorded by CSEC in calendar year 2012, and the subsequent actions taken by CSEC to correct them.

There was a very small number of procedural errors and I agreed with CSEC's assessment that these occurrences were minor and did not amount to privacy incidents.

Based my review of CSEC's records as well as independent verification by my office of reports in a CSEC database, I am satisfied that CSEC took appropriate corrective actions in response to the small number of privacy incidents it recorded.

I was particularly pleased with certain remedial actions taken by CSEC to prevent future similar privacy incidents. For example, CSEC is now conducting a monthly review of its central file to ensure that all required remedial activities have been completed or are being pursued. As well, CSEC reminded its employees of the requirement to report an incident immediately. CSEC also established a process to send reminders to its employees to make sure that certain information in its systems is up to date and compliant with existing authorities.

Conclusion

My review of the privacy incidents and procedural errors identified by CSEC in 2012 did not result in any recommendations. My review did not reveal any systemic deficiencies or issues that require follow-up review. Annual reviews will continue to be conducted of the privacy incidents and procedural errors identified by CSEC.

Date modified: