Commissioner Plouffe's report is tabled in Parliament - 2014-2015

January 28, 2016 — Ottawa, ON — Office of the CSE Commissioner

Today, the 2014-15 Annual Report of the Communications Security Establishment Commissioner, the Honourable Jean-Pierre Plouffe, CD, was tabled in Parliament.

The Commissioner provides independent external review of the Communications Security Establishment's (CSE) operational activities to determine whether they complied with the law and protected the privacy of Canadians. Mr. Plouffe is a retired judge of the Superior Court of Quebec and the Court Martial Appeal Court of Canada. As CSE Commissioner, he has all the powers of a Commissioner under Part II of the Inquiries Act.

The Commissioner stated: “Each year, I have made public more information about my investigations, to be as transparent as possible.” He added: “I have encouraged CSE to be more forthcoming in what it communicates to the public.”

Report Highlights

With the exception of one review related to metadata, all of the activities of CSE reviewed in 2014–2015 complied with the law.

The Commissioner made eight recommendations, including:
 

• that the Minister of National Defence update the directive for metadata activities to address the evolution of practices in this field as well as to clarify terminology that has changed over time;

• that the National Defence Act (NDA) be amended to remove an ambiguity regarding CSE information technology security activities carried out under ministerial authorization;

• that interdepartmental arrangements related to section 16 of the Canadian Security Intelligence Service Act be updated or created in a timely manner. Given this implicates the Canadian Security Intelligence Service (CSIS), the Commissioner informed the former acting Chair of the Security Intelligence Review Committee (SIRC), which is one of the ways he is encouraging co-operation between review bodies; and

• that CSE highlight to the Minister of National Defence important differences between private communications intercepted under information technology security ministerial authorizations versus those intercepted under foreign signals intelligence ministerial authorizations; these differences relate to the lower expectation of privacy attached to an email containing malicious code.

CSE metadata activities

In his annual report, the Commissioner stated that certain CSE metadata activities raised legal questions that he continues to examine and assess. The Commissioner has since completed that legal assessment.

The annual report provides a detailed unclassified summary of the first part of the Commissioner's review on CSE foreign signals intelligence metadata activities. These activities must be carried out in accordance with the NDA, which requires CSE to take measures to protect the privacy of Canadians, and in accordance with the 2011 ministerial directive on CSE's collection and use of metadata.

At the start of the review, CSE discovered on its own that certain types of metadata containing Canadian identity information were not being minimized properly before being shared with CSE's partners in the United States, the United Kingdom, Australia and New Zealand. The former Chief of CSE informed the Commissioner, as well as the Minister of National Defence, about this matter.

After making this discovery, CSE proactively suspended the sharing of this metadata with its partners. The Chief of CSE assured the Commissioner that the suspension will remain in effect until systems are in place to properly minimize all Canadian identity information.

In his annual report, the Commissioner stated that he would carefully weigh the legal implications of the incidents. The Commissioner directed his staff to investigate this issue as part of the metadata review that was already under way. This included: an examination of relevant documentation and technical detail of systems involved; interviews with CSE operational, policy and technical staff and managers, and with senior CSE officials; and meetings with Justice Canada's legal counsel at CSE. In addition, the Commissioner received advice from both in-house legal counsel and external independent legal counsel.

The Commissioner stated: "CSE co-operated fully with this investigation, was forthcoming, provided in-depth written accounts of the metadata minimization deficiencies and has been providing updates on the status of corrective efforts."

After careful examination of all the information before him, the Commissioner concluded that CSE's failure to minimize certain Canadian identity information prior to it being shared with its partners did not comply with paragraph 273.64(2)(b) and section 273.66 of the NDA, and, as a consequence, did not comply with section 8 of the Privacy Act. The Commissioner therefore exercised his legal duty under paragraph 273.63(2)(c) of the NDA and informed the Minister of National Defence and the Attorney General of Canada of this non-compliance with the law. In this instance, while the Commissioner stated he believes the actions of CSE were not intentional, it did not, however, act with due diligence when it failed to ensure that the Canadian identity information was properly minimized.

The Commissioner stated: "During my mandate, I have echoed past Commissioners' longstanding calls to amend Part V.1 of the NDA because certain important provisions are ambiguous. I recently recommended to the Minister of National Defence that the NDA be amended to provide a clear framework for CSE's metadata activities." While paragraph 273.64(1)(a) of the NDA provides authority to CSE to conduct metadata activities, an explicit authority for these activities would strengthen overall accountability.

The Commissioner received a reply to his letter to the Minister of National Defence and the Attorney General of Canada and is pleased that they have accepted his recommendations related to metadata. He will continue to monitor developments.

Background on Metadata

• Paragraph 273.64(1)(a) of the NDA authorizes CSE to acquire and use information from the global information infrastructure for foreign intelligence purposes, including metadata. Metadata is information associated with a communication that is used to identify, describe, manage or route that communication. It includes, but is not limited to, a telephone number, an email or an Internet Protocol (IP) address, and network location information; metadata excludes the content of the communication. 

• Paragraph 273.64(2)(b) of the NDA requires CSE to take measures to protect the privacy of Canadians, one measure of which is minimization. Minimization is the process by which Canadian identity information contained in metadata is rendered unidentifiable prior to being shared.

• Section 273.66 of the NDA requires CSE to follow ministerial direction while undertaking its activities. A ministerial directive is a written document that provides additional requirements, conditions or limitations from the Minister of National Defence that CSE is to adhere to while conducting an activity already authorized by law.

• Section 8 of the Privacy Act relates to the disclosure of personal information.

Related Products

• The annual report is available at https://www.ocsec-bccst.gc.ca/s21/eng/annual-reports

Associated Links

• The Commissioner's website is: https://www.ocsec-bccst.gc.ca/

• CSE's website provides more information on its mandate and activities: CSE`s website" href="https://www.cse-cst.gc.ca/">www.cse-cst.gc.ca

Contacts

J. William Galbraith
Executive Director, Office of the CSE Commissioner
(613) 992-3044