Highlights of the Six Review Reports Submitted to the Minister in 2010–2011

1. Review of CSEC information technology security activities conducted under ministerial authorization (Activity 1)

Background

The National Defence Act mandates CSEC to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada.

This review examined certain information technology security activities conducted by CSEC under ministerial authorization in 2008–2009 at two Government of Canada departments. The activities examined help protect computer systems by detecting, analyzing, and mitigating sophisticated cyber attacks aimed at covertly accessing sensitive government computer networks.

My review followed up on an operational issue that came to light in late 2006 and which had the potential for non-compliance. The Commissioner's 2007–2008 Annual Report commended the Chief of CSEC for his handling of this issue and for keeping the Commissioner informed of corrective steps.

The review also included an examination of CSEC's responses to the findings and recommendations of a previous review of information technology security activities at a specific Government of Canada department. These previous findings and recommendations related to ambiguities in policy, corporate record keeping and CSEC employees' awareness of their responsibilities for the activities. My review included examining a 2007 CSEC internal audit report relating to these activities.

Review rationale

Specific controls are placed on these information technology security activities to ensure they comply with legal, ministerial and policy requirements. Major changes to certain practices and to CSEC's policies and procedures relating to these activities recently occurred. This is the first review since CSEC restructured these activities. Past Commissioners have also made findings and recommendations on these activities.

Findings

Recommendations

I made no recommendations.

2. Review of CSEC information technology security activities conducted under ministerial authorization (Activity 2)

Background

This review examined other information technology security activities, conducted for two Government of Canada departments in 2007–2008 and 2008–2009, under ministerial authorizations pursuant to the National Defence Act.

The activities at the two departments involved CSEC efforts to penetrate the departments' computer systems (under controlled circumstances) to demonstrate potential vulnerabilities and to test the departments' reactions to such attacks.

My examination included changes to the scope of these activities and to the technology used by CSEC. I assessed these changes in terms of their potential impact on the risk to compliance with the law and on the risk to privacy.

Review rationale

Major changes to certain practices, technologies and CSEC policies and procedures relating to these activities have recently occurred. Specific controls are placed on these activities to ensure compliance with legal, ministerial and policy requirements, while protecting the privacy of Canadians. Past Commissioners had also made findings and recommendations concerning these activities. This is the first review since CSEC restructured these activities.

Findings

Recommendations

I made no recommendations.

3. Combined annual review of CSEC foreign signals intelligence collection activities conducted under ministerial authorizations

Background

This was the first combined annual review of all foreign signals intelligence collection programs. I am required by the National Defence Act to review activities under ministerial authorization. The 2009–2010 Annual Report that I submitted to the Minister describes the recent introduction of the office's horizontal review approach, which involves a thorough examination of processes common to all CSEC foreign intelligence collection activities under ministerial authorization. For example, common to all collection methods are the processes by which CSEC: identifies, selects and directs its activities at entities of foreign intelligence interest; uses, shares, reports, retains or disposes of intercepted information; and takes measures to protect private communications and information about Canadians. My review included examining a CSEC internal audit report relating to these activities.

Review rationale

The horizontal review approach led to a re-assessment of how my office reviews ministerial authorizations. Given that common processes are examined in horizontal reviews, it was determined that this combined annual review of foreign signals intelligence ministerial authorizations would focus on any significant changes and on any private communications unintentionally intercepted by CSEC.

I looked for changes to the authorities and scope of the programs, to the technology used by CSEC, and to the associated management control frameworks. I assessed any changes in terms of their impact on the risk to compliance with the law and on the risk to privacy.

I examined certain metrics relating to interception and the privacy of Canadians. The purpose was to establish a baseline of key information, to examine trends and to allow identification of any significant changes over time. These metrics will also inform the risk assessment process and the development of my review work plan.

Another objective of this review was to examine a sample of private communications intercepted by CSEC under foreign intelligence ministerial authorizations but which had not been used in CSEC reporting. The purpose was to assess whether this sample contained foreign intelligence essential to international affairs, defence or security, as required by the National Defence Act.

Findings

The extent to which I assessed CSEC's compliance with the law was determined by this review's focus on identifying and understanding significant changes to the foreign signals intelligence collection programs.

Recommendations

I made three recommendations. Two of the recommendations dealt with reporting to the Minister of National Defence certain information relating to privacy, and including in the ministerial authorizations a requirement to report this information. This information is necessary to provide the Minister with a complete picture of CSEC's collection activities and to support the Minister in his accountability for CSEC, including for the measures CSEC takes to protect the privacy of Canadians.

I also recommended that, given the importance of ensuring legal compliance and the protection of Canadians' privacy, CSEC should accelerate the timeline for implementation of an improved policy for the active monitoring of activities under foreign signals intelligence ministerial authorizations.

As of the end of the 2010–2011 reporting period, March 31, 2011, I am awaiting the Minister's response to these recommendations and will note them in next year's annual report.

4. Review of CSEC activities carried out under a ministerial directive and used by CSEC to identify new foreign entities believed to be of foreign intelligence interest

Background

The National Defence Act mandates CSEC to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities.

CSEC conducts a number of activities for the purposes of locating new sources of foreign intelligence. When other means have been exhausted, CSEC may use information about Canadians when it has reasonable grounds to believe that using this information may assist in identifying and obtaining foreign intelligence. CSEC conducts these activities infrequently, but they can be a valuable tool in meeting Government of Canada intelligence priorities. CSEC does not require a ministerial authorization to conduct these activities because they do not involve interception of private communications. However, a ministerial directive provides guidance on the conduct of these activities.

In recent years, three reviews have involved some degree of examination of these activities: a Review of CSEC's foreign intelligence collection in support of the Royal Canadian Mounted Police (RCMP) (Phase II) (2006); a Review of CSEC's activities carried out under a (different) ministerial directive (2008); and a Review of CSEC's support to the Canadian Security Intelligence Service (CSIS) (2008).

In his 2006–2007 Annual Report, the late Commissioner Gonthier questioned whether the foreign signals intelligence part of CSEC's mandate (part (a) of its mandate) was the appropriate authority in all instances for CSEC to provide support to the RCMP in the pursuit of its domestic criminal investigations. In his 2007–2008 Annual Report, Commissioner Gonthier stated that pending a re-examination of the legal issues raised, no assessment would be made of the lawfulness of CSEC's activities in support of the RCMP under the foreign signals intelligence part of CSEC's mandate. He also noted that CSEC's support to CSIS raised similar issues. Commissioner Gonthier emphasized that although he was in agreement with the advice that the Department of Justice had provided to CSEC, he questioned which part of CSEC's mandate — part (a) or part (c), the assistance part of CSEC's mandate — should be used as the proper authority for conducting the activities.

Subsequent to these reviews and statements in the annual reports, the Chief of CSEC suspended these activities. CSEC then made significant changes to related policies, procedures and practices.

Review rationale

These activities involve CSEC's use and analysis of information about Canadians for foreign intelligence purposes. Specific controls are placed on these activities to ensure compliance with legal, ministerial and policy requirements. Major changes to certain policies, procedures and practices have recently occurred. This was the first review of these activities since the Chief of CSEC allowed their resumption under new policies and procedures. There were also related issues, findings and recommendations highlighted by my predecessors that required follow-up.

Findings

Recommendations

I made no recommendations. However, given that these activities involve CSEC's use and analysis of information about Canadians, and therefore have the potential to affect their privacy, I have directed my office to monitor these activities to ensure they continue to be conducted in accordance with the law, ministerial requirements and CSEC's policies and procedures.

5. Review of the process by which CSEC determines that entities of foreign intelligence interest are foreign entities located outside of Canada, as required by the National Defence Act

Background

CSEC must also be able to identify those one-end Canadian private communications it can lawfully intercept under a ministerial authorization on the basis that the acquisition of these communications is unintentional and the interception is directed at a foreign entity located outside Canada. This process must contain measures to protect the privacy of Canadians.

For the period of September 2008 to December 2010, I examined and tested the process and practices by which CSEC determines that entities of foreign intelligence interest are foreign entities located outside of Canada.  

Review rationale

These activities are the foundation of CSEC's foreign signals intelligence collection programs. Specific controls are placed on these activities to ensure they meet the legal, ministerial and policy requirements which are crucial to protecting Canadians' privacy.

Past Commissioners made findings and recommendations on these activities, which required follow-up. In addition, major changes to certain technologies and policies and procedures relating to these activities have recently occurred and others are in progress. This is one of the first in-depth horizontal reviews of a CSEC process common to all foreign intelligence collection methods.

Findings

Recommendations

CSEC's policies and procedures generally provide sufficient direction to CSEC employees in protecting Canadians' privacy while determining that entities of foreign intelligence interest are foreign entities located outside of Canada. However, policies and procedures applicable to a certain foreign signals intelligence collection program provide only limited direction on the process and practices for such activities. I therefore recommended that CSEC provide specific guidance for these activities.

As of the end of the reporting period, March 31, 2011, I am awaiting the Minister's response to this recommendation and will note it in next year's annual report.

6. Annual review of CSEC disclosures of information about Canadians to Government of Canada clients

Background

This review fulfills a commitment in the 2009–2010 Annual Report to conduct an annual review of a sample of disclosures of information about Canadians to Government of Canada departments and agencies. The purpose is to verify that CSEC complies with the law and maintains measures to protect the privacy of Canadians.

Information about Canadians may be included in CSEC's reports if it is essential to understanding foreign intelligence. However, any information that identifies a Canadian must be suppressed in reports disseminated to government departments and agencies (that is, replaced by a generic reference such as "a named Canadian").

See Annex G for more detailed information on legislative safeguards for private communications and measures to protect information about Canadians.

When receiving a subsequent request for disclosure of the details of the suppressed information, CSEC must verify that the requesting government department or agency has both the authority and operational justification for obtaining such information. Only then may CSEC provide this information.

This review encompassed a sample of approximately 20 percent of requests received by CSEC for disclosure of suppressed information about Canadians contained in foreign intelligence reports, from April to September 2010. The sample included disclosures made to all of the Government of Canada departments and agencies that requested, and were provided with, information about Canadians.

My office examined the forms that CSEC used to document the departments' and agencies' authorities and justifications of their need for information about Canadians, as well as the associated foreign intelligence reports.

Review rationale

CSEC's disclosure activities involve the sharing of information about Canadians. Should there be an instance of non-compliance while CSEC conducts these activities, the potential impact on the privacy of Canadians could be significant.

In addition, I assessed CSEC's activities in response to two recommendations in a February 2010 review report of my predecessor relating to: (a) providing tools to support the tracking of clients' requests for, and any associated disclosures of, suppressed information about Canadians; and, (b) improving the consistency and accuracy of CSEC reports to the Minister of National Defence about these activities.

Findings

Recommendations

I made no recommendations but will continue to conduct an annual review of these activities to verify that CSEC continues to comply with the law and maintains measures to protect the privacy of Canadians. I will also monitor CSEC efforts to implement the new system.
