Notes for remarks to the Standing Senate Committee on National Security and Defence
By the Hon. Jean-Pierre Plouffe, Communications Security Establishment Commissioner - 22 February, 2016
Check Against Delivery
Chair, honourable Senators, I'm pleased to appear once again before this committee. I am accompanied by Bill Galbraith, the Executive Director of my office.
I welcome this opportunity to discuss the work of my office and how it contributes to effective governance and accountability of CSE's operational activities. It is especially important at this time when changes to intelligence review and oversight are being considered by the government and being discussed by academics and others of the interested public.
You have asked me to appear before you to discuss my annual report that was tabled in Parliament on January 28th. I will provide you with highlights from that report and the accompanying statement I issued regarding metadata and non-compliance, and then we would be pleased to answer questions.
I have previously given you detail about my mandate, so let me just recall what the National Defence Act provides me to carry out my mandate:
- full independence — at arm's length from government — and a separate budget granted by Parliament;
- full access to all CSE facilities, files, systems and databases; and
- full access to CSE personnel, including the power of subpoena to compel individuals to answer questions.
My annual report tabled at the end of January summarizes nine classified reports that I submitted to the Minister of National Defence — who is the minister responsible for CSE — during the fiscal year 2014-2015. These reports included:
- a review of metadata activities relating to CSE's foreign signals intelligence program. I will speak to this in more detail shortly;
- a review of CSE information technology security activities conducted under ministerial authorization, that included a recommendation for an amendment to the legislation to remove an ambiguity, adding to the list of amendments required;
- a review of foreign signals intelligence activities of the Canadian Armed Forces that are conducted under CSE authorities;
- a review of CSE assistance to the Canadian Security Intelligence Service relating to foreign intelligence collection activities, within Canada, at the end of which I referred information to SIRC that related to CSIS; and
- three annual reviews relating to privacy:
  - an annual review of foreign signals intelligence ministerial authorizations, which included two separate “spot checks” of intercepted private communications;
  - an annual review of disclosures of Canadian identity information; and finally
  - an annual review of CSE's files of privacy incidents and procedural errors.
Why do I conduct these reviews?
By law, CSE is prohibited from directing its foreign signals intelligence collection and information technology security activities at Canadians — wherever they might be in the world — or at any person in Canada. My review of CSE activities includes determining whether CSE, in its use and retention of collected information, takes satisfactory measures to protect every Canadian's reasonable expectation of privacy. I examine CSE use, disclosure and retention of private communications. I verify that Canadian identity information is protected and only shared with authorized partners when needed for understanding foreign signals intelligence or IT security information. I also verify that metadata is used only to understand the global information infrastructure, to obtain foreign intelligence or to protect cyber systems, but not to obtain information about a Canadian.
This year, I made eight recommendations for CSE, to promote compliance with the law and strengthen privacy protection. The Minister of National Defence accepted all eight. And I will monitor CSE's efforts to implement the recommendations.
With the exception of the one review related to metadata, all of CSE's activities that I reviewed in 2014–2015 complied with the law.
While there are a number of important issues that arose in the reviews, I will focus on metadata and on my finding of CSE's non-compliance with the law.
The National Defence Act authorizes CSE to acquire and use information from the global information infrastructure — which includes metadata — to provide intelligence on foreign entities located outside of Canada, in accordance with priorities set by the government.
Metadata is information associated with a communication that is used to identify, describe, manage or route that communication. It includes, but is not limited to, a telephone number, an email or Internet Protocol (IP) address, and network and location information. Metadata does not include the content of a telecommunication.
Metadata is fundamental to CSE's activities. It helps CSE understand the networks it is targeting and helps it avoid targeting a Canadian.
Many reviews conducted by my office each year include examination of some metadata activities. Metadata helps my office verify, for example, that CSE is not directing its activities at a Canadian.
Both the National Defence Act and a ministerial directive on metadata require CSE to have in place measures to protect the privacy of Canadians in the conduct of its metadata activities.
One important measure to protect privacy is the minimization of any Canadian identity information contained within the metadata.
Minimization is the process by which information that could identify a Canadian is rendered unidentifiable before it is shared. It is this point that became a significant focus of my review.
Following the start of the review on metadata in November 2013, CSE discovered on its own that certain metadata containing Canadian identity information was not being properly minimized, prior to sharing. As a result, CSE shared some metadata that contained Canadian identity information with its Five-Eyes partners in the United States, United Kingdom, Australia and New Zealand.
After making this discovery, CSE proactively suspended the sharing of metadata with its partners and subsequently informed me about this incident. I directed my staff to investigate the metadata minimization deficiencies.
CSE cooperated fully with my investigation. The Chief of CSE assured me that the suspension will remain in effect until systems are in place to properly minimize any and all Canadian identity information in the metadata.
I concluded that CSE's failure to minimize certain Canadian identity information prior to it being shared with its partners did not comply with the National Defence Act and, as a consequence, did not comply with the Privacy Act.
I therefore exercised my legal duty under the National Defence Act and informed the Attorney General of Canada and the Minister of National Defence of this non-compliance with the law.
While I believe the actions of CSE were not intentional, it did not, however, act with due diligence when it failed to ensure that the Canadian identity information was properly minimized prior to sharing.
In this review of metadata, I made two recommendations to the Minister of National Defence who accepted them:
- 1st recommendation: that the Minister issue an updated directive to CSE to provide greater specificity and clarity to CSE's collection, use and disclosure of metadata in a foreign signals intelligence context;
- 2nd recommendation: that CSE use its existing records system to ensure decisions and actions taken are recorded regarding updated collection systems and regarding minimization of metadata involving Canadian identity information.
In my letter to the Attorney General and to the Minister of National Defence, I made an additional recommendation that the National Defence Act be amended to provide a clear framework for CSE's metadata activities. While the National Defence Act provides authority to CSE to conduct metadata activities, an explicit authority for these activities would strengthen overall accountability.
My predecessors and I have repeatedly stated that important provisions of Part V.1 of the National Defence Act are ambiguous and need to be amended. The last recommendation I made regarding metadata adds to the list of amendments. I sincerely hope that the government will seize the opportunity to act on these long overdue amendments as part of its stated objective of strengthening accountability of intelligence activities by government agencies and departments.
My decision to inform the Attorney General and the Minister was a duty under law and it had the consequences of prompting the Minister to issue a statement about the matter, and CSE to take the unprecedented step of holding a briefing for the media. I encourage CSE to continue to provide as much information as possible.
My office has challenged CSE to justify why certain information needs to be considered classified. Indeed, last year I included statistics related to unintentionally intercepted private communications collected through CSE's foreign signals intelligence activities; this year's report contains more statistics. I see these as important steps in helping to demystify the work of CSE and contributing to better-informed public discussion.
In concluding these remarks, I would like to touch briefly on some general points that relate to current discussions about intelligence review.
I support ongoing efforts to increase the accountability of security and intelligence activities within government agencies and departments. I welcome the greater frequency of interest in the work of my office than had been the case for my predecessors, and I welcome the opportunity to engage more closely with parliamentarians.
The work of my office forms an integral part of Canada's system of expert, independent review. I believe that expert review is effective, that is, that a single review body focusses on one intelligence agency. This allows for depth of review and investigation and for the accumulation of in-depth knowledge about the intelligence agency.
This is not to say there are no gaps. There are intelligence functions of certain government departments and agencies that are not currently subject to independent, external review. I believe efforts to enhance intelligence review should build on the strengths of the existing system. Expert review could, for example, help inform a committee of parliamentarians or of Parliament that is cleared to receive classified information.
I also believe it would be preferable to have an explicit authority for co-operation among review bodies in support of joint reviews of integrated operations by security and intelligence agencies. I have noted, as did my predecessor, that much can be done under the existing laws. Mr. Blais and I have spoken about enhancing co-operation.
For example, we may refer to each other questions or basic information regarding a matter that involves the agency under the other's mandate. My office and SIRC have consulted each other on a review of activities involving an area of co-operation between CSE and CSIS. My officials completed our review and briefed SIRC officials on the conclusions that implicated CSIS, to inform SIRC's review.
As a final point, I would re-state the offer in my letter to you, Chair, last April, to provide an information session to the committee about the work of my office, how I select activities to review, how I conduct my reviews and the expertise in my office.
Thank you for this opportunity to appear before you today. My Executive Director and I would be pleased to answer your questions.