Update on CSE Efforts to Address Recommendations

CSE has accepted and implemented, or is working to address, 95 percent (161) of the 170 recommendations made since 1997, including the four recommendations in reports this year. Commissioners track how CSE addresses recommendations and responds to negative findings as well as areas for follow-up identified in reviews. The Commissioner is monitoring nine recommendations that CSE is working to address – six outstanding recommendations from previous years and three from this year.

This past year, CSE advised the office that work had been completed in response to 11 past recommendations. CSE has already addressed one recommendation from this year.

In the Commissioner's 2008–2009 annual report, Commissioner Gonthier reported on his review of CSE activities, conducted under a ministerial directive, in support of its foreign signals intelligence collection mandate. In this review, he recommended that CSE reconcile certain discrepancies between ministerial expectations and its own practices. He also recommended that CSE review, update and finalize key policy documents respecting these activities, and that it clarify certain terms used in the documents. CSE approved an updated version of the relevant operational policy in May 2017 to clarify guidelines pertaining to the program.

In the 2015–2016 cyber defence ministerial authorization review, the Commissioner recommended that CSE promulgate guidance on the consistent annotation and counting of what constitutes a cyber defence private communication. CSE has implemented new guidance and training, as well as instituted upgrades to automate the identification of potential private communications and standardize the counting of cyber defence private communications.

CSE has also taken steps to respond to the Commissioner's recommendation from the review of a specific CSE foreign signals intelligence method of collection conducted under ministerial authorization (summarized in the 2015–2016 annual report). The Commissioner recommended that CSE reconcile the discrepancies between its practices and the administrative requirements in the ministerial directive. In September 2017, CSE introduced a foreign signals intelligence operational risk framework that establishes a risk assessment process that considers legal, reputational, partnership and operational risks associated with foreign signals intelligence operations. The collection program now has comprehensive procedures that are accessible to all staff that may be required to engage in activities in support of that program.

In last year's review of CSE information sharing with foreign entities, the Commissioner made three recommendations, two of which CSE fulfilled in July 2017. In response to the recommendation that caveats be applied consistently to all exchanges between CSE and foreign entities and that CSE use appropriate systems to keep a record of all information released, CSE standardized the process of information sharing with foreign entities. In response to the recommendation that CSE issue overarching policy guidance for information exchanges with foreign entities, CSE issued guidelines that incorporate the foreign signals intelligence operational risk framework, as well as new policy.

In last year's review of CSE's foreign signals intelligence activities conducted under ministerial authorization, the Commissioner recommended that CSE reporting to the Minister on private communications describe the private communications better and explain the extent of privacy invasion. Certain communications technology were creating a distorted view of the number of Canadians or persons in Canada that are involved in (i.e., are the other end of) these CSE interceptions. For the first time this year, CSE reported additional information to the Minister explaining the reason for the substantial increase in the number of recognized private communications.

Another recommendation CSE addressed from the Commissioner's 2016–2017 annual report pertained to intercepted solicitor-client privileged communications. CSE modified its policy to describe what is expected of CSE employees when handling solicitor-client communications collected under CSE's foreign signals intelligence mandate.

CSE has also responded to one recommendation made this year in the office's review of 2015–2016 CSE disclosures of Canadian identity information. In that review, the Commissioner recommended that CSE take measures to ensure that all requests for the release of suppressed Canadian identity information stipulate both the lawful authority under which the information is being requested and a robust operational justification of the need to acquire that information, consistent with the requesting agency's mandate. CSE has adjusted its processes to ensure that the requesting agency's legal authority is explicit and the operational justification is robust and clear before CSE considers the disclosure of Canadian identity information.

Finally, the Commissioner recommended, in two past reviews, that amendments be made to the National Defence Act. In the office's review of CSE information technology security activities conducted under ministerial authorization (reported in the Commissioner's 2014–2015 annual report), the Commissioner recommended that subsection 273.65(3) of the National Defence Act be amended to remove any ambiguities respecting CSE's authority to conduct information technology security activities that risk the interception of private communications. Also, as a result of a review of CSE foreign signals intelligence metadata activities, where the Commissioner found that CSE had failed to minimize certain Canadian identity information prior to sharing it with CSE's Second Party partners, the Commissioner recommended that the National Defence Act be amended to provide an explicit authority and a clear framework for CSE metadata activities. On June 20, 2017, the government tabled Bill C-59, an Act respecting national security matters. Part 3 of this Bill enacts the Communications Security Establishment Act, which includes clarified provisions pertaining to information technology security authorities as well as provisions pertaining to authorities to collect and use metadata.

Legal interpretation issues have bedeviled this office since 2001 when CSE was first legislated following the terrorist attacks in the United States. Since then, past and present Commissioners have made various recommendations to amend the National Defence Act. The Commissioner is pleased that the government has taken action that responds to these recommendations.