Overview of 2014—2015 Findings and Recommendations

During the 2014—2015 reporting year, I submitted nine classified reports to the Minister of National Defence on my review of CSE activities. Three reports – one on foreign signals intelligence ministerial authorizations and two spot checks of intercepted, used and retained private communications under those authorizations – are combined into one since the private communications reviewed in the spot checks are those intercepted under the ministerial authorizations.

The reviews last year were conducted under my mandate:

• to ensure CSE activities are in compliance with the law – as set out in paragraph 273.63(2)(a) of the National Defence Act; and
• to ensure CSE activities carried out under a ministerial authorization are authorized – as set out in subsection 273.65(8) of the National Defence Act.

The first review examined metadata activities related to CSE's foreign signals intelligence activities. This review was the first in an ongoing comprehensive review of CSE's metadata activities.

One review examined CSE assistance to the Canadian Security Intelligence Service (CSIS) related to section 16 of the CSIS Act. Two other reviews looked at specific activities: CSE's IT security activities to protect Government of Canada computer systems and networks; and CSE's relationship with the Canadian Forces Information Operations Group Cyber Support Detachments.

As in previous years, my office conducted its annual review of ministerial authorizations for foreign signals intelligence. However, because the ministerial authorizations gave CSE the authority to unintentionally intercept a foreign communication with a Canadian end, making it a “private communication” as defined in the Criminal Code, this is an activity that needs continual scrutiny to ensure lawfulness and protection of privacy. Therefore, as a follow-up, to ensure that recommendations made last year were being implemented, my office also conducted spot checks this year on the private communications intercepted, used, retained, and destroyed, by CSE.

The remaining two reviews are also ones that I conduct every year because they concern areas that pose high risks to privacy: CSE disclosures of Canadian identity information and CSE incidents and procedural errors related to privacy.

The results

Each year, I provide an overall statement on my findings about the lawfulness of CSE activities. With the exception of one review related to metadata for which I am still examining the legal implications, all of the activities of CSE reviewed this past year complied with the law.

As well, this year, I made eight recommendations to promote compliance with the law and strengthen privacy protection, as well as to clarify the National Defence Act. The recommendations relate to reinforcing ministerial and policy guidance, as well as clarifying CSE's relationships with other organizations, including Second Party partners.

Five recommendations related to processes. The first recommendation stated that CSE use its existing centralized records system to record decisions and actions taken regarding new and updated collection systems, as well as decisions and actions taken regarding minimization of metadata. Two recommendations related to updating governing documentation for processes related to section 16 of the CSIS Act. One recommendation was to update or create memoranda of understanding between CSIS and CSE, related to CSE's assistance to CSIS under part (c) of its mandate. The fifth process-related recommendation was for the attachment of caveats to certain material shared with CSE partners to ensure the material would not be used without the express authorization of CSE.

Two recommendations involved updating and clarifying certain instruments. The first recommendation was to update the ministerial directive for metadata activities, last revised in 2011, to address the evolution of practices in this field as well as to clarify terminology that has changed over time. The second recommendation calls for an amendment of the National Defence Act to remove an ambiguity regarding CSE information technology (IT) security activities carried out under ministerial authorization.

The final recommendation relates to reporting to the Minister on private communications unintentionally intercepted by CSE in conducting its cyber defence activities. Such reporting should highlight important differences between private communications intercepted under the IT security ministerial authorization versus those intercepted under foreign signals intelligence ministerial authorizations. Under the IT security ministerial authorization, CSE intercepts many one-end-in-Canada e-mails containing malicious code, which have a lower expectation of privacy attached to them.