2006-2007 Review Highlights
Review of CSE's foreign intelligence collection in support of the RCMP
Background
In January 2005, my office submitted a report to the Minister of National Defence examining the technical and operational assistance CSE provided to the RCMP under paragraph 273.64(1)(c) of the National Defence Act, also known as mandate (c). [17] The second and final phase of the review was completed and in June 2006, my predecessor submitted a follow-up report reviewing CSE's foreign signals intelligence collection activities in support of the RCMP under pararagraph 273.64(1)(a) of the National Defence Act, also known as mandate (a). Further details on the first phase of the review may be obtained in the 2004-2005 Annual Report of this office.
Under mandate (a), CSE provides two kinds of foreign intelligence information to its government clients, including the RCMP. Most of its reports address general areas of interest that complement and support the client's own mandated responsibilities. In addition to this proactive support, CSE provides reactive support by responding to specific requests by the client for intelligence-related information.
Methodology
OCSEC staff examined CSE's mandate (a) activities in support of the RCMP for the period January 1 to December 31, 2003. They received briefings and answers to both verbal and written questions that were posed to CSE officials. They also obtained a listing of the agency's requests for intelligence-related information and chose several to examine in detail. As part of this in-depth examination, two separate demonstrations illustrating the activities under review were provided to OCSEC staff by those CSE officials who had been directly involved in responding to the requests.
Findings
Many of the findings and recommendations made in my office's first report also applied to this second-phase review of assistance provided under mandate (a). For example, it was recommended CSE amend and/or update the instruments that guide its support activities to the RCMP. My predecessor was pleased to report that, for the most part, CSE had accepted these recommendations and is working to implement them.
CSE has advised that high priority has been given to the development and implementation of a corporate records management system.
CSE also acknowledged the need to implement a formal system of record keeping. This is a continuing concern, as was noted in my office's 2006-2007 Annual Report. CSE has advised that high priority has been given to the development and implementation of a corporate records management system that will deal with their hard-copy and electronic records requirements.
During the second phase of the review, a detailed examination of CSE's response to RCMP requests for intelligence-related information identified two issues of concern that required further legal study by CSE. The first was whether mandate (a) was the appropriate authority in all instances for CSE to provide intelligence support to the RCMP in the pursuit of its domestic criminal investigations. Pending a re-examination of this issue by CSE, no assessment was made of the lawfulness of CSE's activities in support of this agency under mandate (a) as currently interpreted and applied by CSE. My staff is monitoring the issue.
The second issue related to CSE's policies and practices as they relate to the disclosure of Canadian personal information to its clients. When collecting foreign intelligence, CSE may incidentally acquire personal information about Canadians. This information may be retained if assessed as essential to the understanding of the foreign intelligence, and it may be included in foreign intelligence reporting if it is suppressed (i.e. replaced by a generic reference such as "a Canadian person"). When receiving a subsequent request for disclosure of the full details of Canadian personal information, CSE requires its clients, including the RCMP, to justify their authority to collect this information under their own respective mandates and provide an operational justification of their need to know this information. If these conditions are met, CSE releases the information.
An in-depth examination of relevant sections of the National Defence Act and the Privacy Act raised questions as to CSE's conformance with the various authorities that govern disclosure. Thus, my office recommended that CSE also re-examine its authority to collect, use and disclose personal information to certain federal government departments and agencies. In addition, my office has recommended that CSE establish agreements with client agencies to formalize the circumstances when such information may be disclosed while providing assistance under its (c) mandate.
CSE acknowledged that the report "raises a number of issues that, from a policy/legal perspective, will generate further in-depth analysis by CSE and Department of Justice legal counsel." I anticipate that this analysis will include a discussion and perhaps even a formal articulation by CSE of its position regarding the application of the National Defence Act as it relates to the provision of foreign intelligence in accordance with the Government of Canada intelligence priorities.
Review of information technology security activities at a government department
Background
This review examined information technology security activities conducted by CSE under ministerial authorization in 2004-2005 at a government department. The objective was to assess and verify compliance with the law and with the provisions of the ministerial authorization for these activities.
Individuals conducting personal and business affairs with the Government of Canada have a reasonable expectation of privacy.
Individuals conducting personal and business affairs with the Government of Canada have a reasonable expectation of privacy. However, when the security of government computer systems and networks is being tested, personal information or private communications can be inadvertently intercepted with certain types of necessary testing. Subsection 273.65(3) of the National Defence Act provides that:
The Minister may, for the sole purpose of protecting the computer systems or networks of the Government of Canada from mischief, unauthorized use or interference, in the circumstances specified in paragraph 184(2)(c) of the Criminal Code, authorize the Communications Security Establishment in writing to intercept private communications in relation to an activity or class of activities specified in the authorization.
In such cases, CSE is responsible for seeking authorization on behalf of the department or agency requesting the activity to be covered. This ministerial authorization enables CSE to undertake a complete assessment of a department's computer systems and networks.
Methodology
The review was conducted initially through examination of documents and files related to the ministerial authorization and the conditions imposed by it. Fact-finding and verification interviews were then held with CSE and selected client representatives who were identified as having direct involvement in the authorization process or ensuing activities.
Findings
With the qualification set out below regarding one of the conditions of the ministerial authorization, this review found that CSE's work at the department was in compliance with the law and with the ministerial authorization.
The review found that the process by which CSE acquired the information technology security ministerial authorization for its activities at the department was found to be in accordance with the requirements of the National Defence Act. It was also determined that four of the five conditions set out in subsection 273.65(4) of the Act were complied with satisfactorily. However, with respect to one of the conditions, the review found that certain information was retained even though its retention was not essential. While CSE personnel acted in a manner that was consistent with the direction they were given, there were aspects that could be improved upon, and CSE has undertaken to do so. CSE has also indicated that future Memoranda of Understanding with client departments where information technology security activities under ministerial authorizations are to be conducted will reflect these improvements.
Other recommendations from the review included ensuring that future policy and practice promote conformance with CSE's legislated authorities as they relate to staff activities during information technology security exercises.
Review of the roles of CSE's client relations officers and the Operational Policy Section in the release of personal information
Background
The objective of this review was to assess the lawfulness of the activities of both the CSE client relations officers and the Operational Policy Section, as they relate to the request for and release of personal information about Canadians that has been suppressed in CSE foreign intelligence reports, as referred to previously. This information is made available to authorized Government of Canada clients, only under certain conditions.
CSE has provided foreign intelligence reports based on signals intelligence to officials in government departments since its formal establishment in 1946. Reports were delivered by hand until the creation of the on-site client relations officer programme in 1985. Client relations officers provide intelligence reports, explain to individual clients and potential clients the role of CSE and signals intelligence, and assist in determining client needs based on Government of Canada intelligence priorities.
To protect privacy, CSE suppresses personal information about Canadians in foreign intelligence reports.
To protect privacy, CSE suppresses personal information about Canadians in foreign intelligence reports. If a client has both the authority and the need to know the information, it must make a formal request and provide justification. Requests for release of this information are centralized in CSE's Operational Policy Section.
The majority of requests are now made via a secure communication network directly to CSE. Client relations officers play a role in the release of Canadian identities in CSE foreign intelligence reports because they continue to deal with requests from clients who do not have access to this secure network.
Methodology
This review examined relevant documentation, including the authorities that govern the activities of client relations officers and the CSE unit authorized to release this information. All requests for and releases of suppressed information during a six-month period were reviewed in detail to ensure compliance with law and policy. Interviews were conducted with client relations officers, their managers, and the manager of the Operational Policy Section.
Findings
The review concluded that the activities of the CSE client relations officers and the Operational Policy Section were in compliance with the National Defence Act and with CSE's related policies. There were some inconsistencies in requests and releases, as well as areas where both policy and practice could be improved to enhance the protection of privacy, as required by the Privacy Act. Recommendations included more comprehensive training for clients who make requests, and providing more clients with secure, electronic access to CSE as a means of reducing errors and enhancing control over the process. I was pleased to note that since the period of review there has also been increased training for and supervision of personnel in the Operational Policy Section at CSE as regards the release of suppressed information.
Review of CSE signals intelligence collection activities conducted under ministerial authorizations
Background
Certain foreign intelligence collection activities were conducted under three ministerial authorizations that were in effect from March 2004 to December 2006. These ministerial authorizations focused on acquiring communications of foreign intelligence value from the global information infrastructure.[18]
The characteristics of contemporary communications technology mean that the interception of communications by CSE, directed at foreign entities outside Canada, runs the inherent risk of acquiring the private communications of Canadians. It is for this reason that a ministerial authorization is sought for this collection. In addition to the conditions set out in subsection 273.65(2) of the National Defence Act, a ministerial directive established other conditions for managing the collection.
My office is undertaking a two-part review of the activities under these ministerial authorizations, as the law is interpreted by the Department of Justice, a point which is discussed below. The objective of this first phase was to provide background to, and criteria for, the detailed review of these complex activities. I provided the Minister of National Defence with a brief report on this study phase in February 2007.
Methodology
In order to establish an understanding of this foreign intelligence collection and the unique challenges it presents, this first phase of the review: studied the authorities given to and the conditions imposed upon CSE by the ministerial authorizations, ministerial directive and related articles; and examined how CSE has responded in terms of the policies and procedures that it has developed, and the management framework that has been put in place to oversee these activities.
Findings
This study phase developed an historical perspective and appreciation of the rationale for this collection activity. It also provided an appreciation of the organizational complexities, the authorities under which it operates, the conditions imposed and the programs in place to implement the authorities while respecting the conditions. Finally, it established the review criteria for the second and final phase, which is now underway.
Overview of 2006-2007 findings
I am able to report that, overall, the activities of CSE examined during this reporting period complied with the law, with one qualification. It concerned a condition of an information technology security ministerial authorization, which CSE has already undertaken to rectify. A report of CSE's assistance to the RCMP did not provide an assessment of the lawfulness of the activities reviewed, pending a re-examination by CSE of the legal issues raised.
With respect to the review of CSE's signals intelligence collection activities conducted under ministerial authorization, I would highlight once again my disagreement with the Department of Justice's interpretation of the ministerial authorization provisions of the National Defence Act. When assessing the lawfulness of activities conducted under ministerial authorizations, I have agreed to use the Department of Justice's interpretation for the present pending amendments to the legislation, which I have already urged be made at the earliest opportunity. I commend the Chief of CSE for supporting this initiative.
Reviews underway / future reporting
Reviews currently underway that I will be reporting on in the next fiscal year include examinations of CSE's activities related to counter-terrorism, its use of metadata, its support to CSIS, its use of technology to protect the privacy of Canadians, and its activities under a number of foreign intelligence collection and information technology security ministerial authorizations. In addition, my office will begin a number of other reviews, under both my general mandate and my duties under the ministerial authorization provisions.
Complaints about CSE activities
My mandate includes undertaking any investigation I deem necessary in response to a complaint, to determine whether CSE engaged, or is engaging in unlawful activity.
During the 2006-2007 reporting year my office received no complaints that warranted formal investigation. However, OCSEC did complete one investigation in spring 2006 in response to a complaint that was received in the previous reporting year. A full report was delivered to the Minister of National Defence outlining the facts of the complaint and the findings resulting from the investigation.
I am able to report that the investigation found no unlawful activity on the part of CSE.
While the substance of the complaint is classified, I am able to report that the investigation found no unlawful activity on the part of CSE. My office made recommendations that were accepted by CSE, and would strengthen compliance.
Duties under the Security of Information Act
I have a duty under the Security of Information Act to receive information from persons who are permanently bound to secrecy if they wish to claim a "public interest" defence for divulging classified information. No such matters were referred to my office in 2006-2007.
[17] CSE's mandate is described in Annex E of this report.
[18] "Global information infrastructure" includes electromagnetic emissions, communications systems, information technology systems and networks, and any data or technical information carried on, contained in, or relating to those emissions, systems or networks. (National Defence Act, section 273.61)
- Date modified: