Reviews
Overview
The Commissioner's mandate, as set out in the National Defence Act, is clear:
- to determine whether Communications Security Establishment (CSE) complies with the law and, if the Commissioner believes that it may not have complied, to report this to the Attorney General of Canada and to the Minister of National Defence. The Minister of National Defence is responsible for CSE and can direct CSE to implement the Commissioner's recommendations to help ensure compliance or enhance the protection of the privacy of Canadians;
- to determine whether CSE activities conducted under ministerial authorization are, in fact, those authorized by the Minister of National Defence, and to verify that the conditions for authorization required by the National Defence Act are met;
- to verify that CSE does not direct its foreign signals intelligence and IT security activities at Canadians; and
- to promote the development and effective application of satisfactory measures to protect the privacy of Canadians in all the operational activities CSE undertakes.
The Commissioner's powers, as set out in section 273.63 of the National Defence Act, are strong:
- the Commissioner has the full powers of a commissioner under Part II of the Inquiries Act, which means he and the staff of his office have complete access to CSE facilities, files, systems and personnel required to carry out reviews, including the power of subpoena to compel individuals to answer questions.
Logic Model
The following logic model provides a graphic description of how the review program functions.
What activities of CSE does the Commissioner review?
The Commissioner reviews the activities CSE conducts under its three-part mandate as set out in section 273.64 of the National Defence Act:
- part (a) authorizes CSE to acquire and use foreign signals intelligence (SIGINT) in accordance with the Government of Canada's intelligence priorities;
- part (b) authorizes CSE to help protect electronic information and information infrastructures of importance to the Government of Canada — activities that can be termed information technology (IT) security; and
- part (c) authorizes CSE to provide technical and operational assistance to federal law enforcement and security agencies, including helping them obtain and understand communications collected under those agencies' own lawful authorities.
CSE's website provides more information on its mandate and activities.
CSE is prohibited by law (section 273.64 of the NDA) from directing its SIGINT collection and IT security activities at Canadians — wherever they might be in the world — or at any person in Canada. However, should CSE obtain any information relating to a Canadian while conducting its mandated activities, CSE must take measures to protect the privacy of that Canadian.
The Commissioner's review of CSE activities includes determining whether CSE has in place, and applies, satisfactory measures to protect a Canadian's reasonable expectation of privacy in CSE use and retention of any collected communications or information, including metadata, such as a telephone number, e-mail or Internet address.
For example, the Commissioner examines CSE use, disclosure and retention of any private communication that CSE may unintentionally intercept while collecting foreign SIGINT or protecting Government of Canada computer systems.
The Commissioner verifies that any Canadian identity information is protected and only shared with authorized partners when needed for understanding the foreign SIGINT or cyber defence information.
The Commissioner also verifies that CSE assistance to federal law enforcement and security agencies is consistent with the same authorities and limitations that govern the agency it is assisting — such as the terms and conditions in a judicial authorization or warrant.
The Commissioner is required under the National Defence Act to report to the Attorney General of Canada and to the Minister of National Defence any activities that he believes may not be in compliance with the law, with a particular emphasis on how CSE activities affect the privacy of Canadians.
As the minister responsible for CSE, the Minister of National Defence can — and does — direct CSE to implement the Commissioner's recommendations to help ensure compliance or enhance the protection of the privacy of Canadians.
Our approach
Determining and reporting on CSE compliance with the law and the extent to which it protects the privacy of Canadians are central features of the Commissioner's review mandate.
Reviews generally include an examination of past activities conducted by CSE. The principal purpose of reviews is to determine whether CSE activities have respected the authorities that govern them, including legal, ministerial and policy requirements. Furthermore, reviews include an examination of CSE's reasons for conducting activities to confirm that its justifications for the activities are lawful and the activities fall within CSE's mandate.
The Commissioner is responsible for reporting to the Attorney General of Canada and to the Minister of National Defence any non-compliance by CSE, such as an unlawful interception of a private communication or sharing Canadian identity information with a partner without justification or adequate measures to protect the privacy of that Canadian. However, the Commissioner also takes a preventative approach to review, exploring ways to strengthen CSE practices that contribute to compliance and incorporate measures that protect the privacy of Canadians.
Prevention is an important part of the Commissioner's mandate. A number of Commissioners' reports have included recommendations aimed at prevention, addressing weaknesses in CSE practices, policies or procedures that, if not corrected, could potentially contribute to non-compliance. The implementation of the Commissioners' recommendations by CSE helps reduce the risk of non-compliance and strengthen privacy protection.
Review methodologies used by the Commissioner's office are based on accepted principles and practices of audit processes in Canada, including those of the Auditor General of Canada. These practices include, for example:
- freedom to select areas for review;
- thorough planning for reviews to be undertaken;
- sound documentation of the review;
- structured, factual and fair reporting;
- due care, objectivity and independence in carrying out the work;
- appropriate competence and training, knowledge, skills and experience of review employees;
- effective supervision of review employees; and
- sufficient appropriate evidence to support findings, conclusions and recommendations.
These practices are reflected in review staff training, as well as in the operational policies and procedures that guide the reviews the Commissioner's office undertakes. To ensure rigour in our approach, the Commissioner's review work has been subject to independent assessment by audit professionals intimately familiar with the work of intelligence review.
Selecting activities for review
The Commissioner uses a risk-based and preventative approach in selecting activities for review. He prioritizes CSE activities where risk is greatest for potential non-compliance with the law, including risks to the privacy of Canadians, by considering, among other factors:
- the controls placed by CSE on the activity to ensure compliance with legal, ministerial and policy requirements;
- whether the activity does, or has the potential to, involve private communications, the communications of Canadians outside Canada, Canadian identity information or other information about or relating to a Canadian;
- whether the activity is new, has changed significantly, or whether a lengthy period has elapsed since its last in-depth review;
- whether there have been significant changes to the authorities or technologies relating to the activity;
- whether the Commissioner has made findings or recommendations in the past relating to the activity that require follow-up;
- whether CSE has identified any privacy incidents relating to those activities; and
- issues arising in the public domain.
Ministerial Authorizations and Private Communications
The law also directs the Commissioner to review activities carried out under a ministerial authorization and to report to the Minister on the review. Each year, the Commissioner reviews all CSE foreign signals intelligence collection ministerial authorizations to ensure that the activities subsequently carried out are indeed authorized. The Commissioner examines whether any private communications were intercepted lawfully, whether any such communications that are used and retained are essential to international affairs, defence and security, and whether satisfactory measures are in place to protect the privacy of Canadians.
How Canadians' privacy is protected
Communications Security Establishment (CSE) activities related to the collection of foreign signals intelligence (SIGINT) and its information technology (IT) security activities to help protect electronic information and information infrastructures of importance to the Government of Canada are subject to three legislative limitations aimed at protecting Canadians' privacy:
- CSE is prohibited from directing its SIGINT collection and IT security activities at Canadians, regardless of their location anywhere in the world, or at any person in Canada, regardless of their nationality;
- In conducting activities under ministerial authorization, CSE may unintentionally intercept a communication that originates or terminates in Canada in which the originator has a reasonable expectation of privacy, which is a “private communication” as defined in section 183 of the Criminal Code. CSE may use and retain a private communication obtained this way but only if it is essential to either international affairs, defence or security, or to identify, isolate or prevent harm to Government of Canada computer systems or networks; and
- To provide a formal framework for the unintentional interception of private communications while conducting foreign SIGINT collection or IT security activities, the National Defence Act requires express authorization by the Minister of National Defence. These are known as ministerial authorizations. The Minister may authorize the activities once he or she is satisfied that specific conditions provided for in the Act have been met, which includes assurances of how such unintentional interceptions of private communications would be handled should they arise.
Purpose of ministerial authorizations
When CSE is conducting activities to acquire foreign SIGINT, it cannot know beforehand with whom a targeted foreign entity outside Canada may communicate. Similarly, when CSE is conducting activities to help protect Government of Canada computer systems, it cannot know beforehand who may communicate with or through that computer system.
Additionally, given the complexity and interconnectedness of the global information infrastructure, it is unavoidable that CSE will intercept a number of private communications.
It is for these reasons that the Minister of National Defence may provide CSE with a ministerial authorization for these activities — to shield CSE from the Criminal Code in cases where it may unintentionally intercept a communication coming to or originating from Canada and where a person has an expectation of privacy.
CSE ministerial authorizations relate to an “activity or class of activities” specified in the authorizations. This term is interpreted by Justice Canada as meaning a method of acquiring foreign SIGINT or of protecting computer systems (the how); the authorizations do not relate to a specific individual or subject (the whom or the what).
A ministerial authorization can be in effect for no longer than one year. In 2013–2014, there were three foreign SIGINT collection and one IT security ministerial authorizations in effect.
Conditions for ministerial authorizations
To issue a ministerial authorization for foreign SIGINT collection, the Minister must first be satisfied that:
- the interception will be directed at foreign entities located outside of Canada;
- the information could not reasonably be obtained by other means;
- the expected value of the interception would justify it; and
- satisfactory measures are in place to protect the privacy of Canadians and private communications will only be used or retained when essential to international affairs, defence or security.
To issue a ministerial authorization to protect the computer systems or networks of the Government of Canada, the Minister must be satisfied that:
- the interception is necessary;
- the information could not reasonably be obtained by other means;
- the consent of persons whose private communications may be intercepted could not reasonably be obtained;
- satisfactory measures are in place to ensure that only information essential to identify, isolate or prevent harm to Government of Canada computer systems or networks will be used or retained; and
- satisfactory measures are in place to protect the privacy of Canadians in the use and retention of that information.
Each year, the Commissioner reviews CSE ministerial authorizations — which may be in effect for a period of no longer than one year — to ensure that the activities are authorized and that the above conditions for authorization are met. He reports to the Minister of National Defence on his review.
Review methodology and criteria
In conducting a review, the Commissioner's office uses a number of tools and techniques, such as:
- examining CSE hard-copy and electronic information and records, including CSE policies and procedures and legal advice received from Justice Canada;
- receiving briefings and demonstrations from CSE;
- interviewing CSE managers and employees;
- testing information, obtained through document reviews and interviews, to confirm the information is complete and matches the information in CSE electronic tools, systems and databases;
- listening to intercepted voice recordings, reading written content or examining the associated transcripts of the communications;
- observing CSE operators and analysts first hand to understand and verify how they conduct their work; and
- conducting “spot checks” of CSE electronic tools, systems and databases to verify compliance.
Each review includes an assessment of CSE activities against a standard set of criteria:
- Legal requirements: The Commissioner expects CSE to conduct its activities in accordance with the National Defence Act, the Canadian Charter of Rights and Freedoms, the Privacy Act, the Criminal Code, and any other relevant legislation, and in accordance with Justice Canada legal advice.
- Ministerial requirements: The Commissioner expects CSE to conduct its activities in accordance with ministerial direction, following all requirements and limitations set out in a ministerial authorization or directive.
- Policies and procedures: The Commissioner expects CSE:
  - to establish appropriate policies and procedures to guide its activities and to provide sufficient direction on legal and ministerial requirements, including the protection of the privacy of Canadians;
  - to ensure its employees are knowledgeable about and comply with policies and procedures; and
  - to maintain the integrity of operational activities by applying an effective compliance validation framework to its activities, including appropriately accounting for important decisions and information relating to compliance and the protection of the privacy of Canadians.
Reviewers have specialized expertise relating to the technical, legal and privacy aspects of CSE activities. They also have security clearances at the level required to examine CSE records, systems and databases. They are bound by the Security of Information Act and cannot divulge to unauthorized persons the specific information they access.
Reporting on our findings
The Commissioner submits detailed classified reports on his reviews to the Minister of National Defence. These reports document CSE activities, contain findings relating to the review criteria, disclose the nature and significance of any deviations from the criteria, and include any resulting recommendations.
Following the standard audit practice of disclosure to the organization being reviewed, draft versions of review reports are presented to CSE for confirmation of factual accuracy. This is essential to the review process. If the facts are not substantiated, the findings, conclusions and any recommendations based on those facts would not be credible.
Where and when appropriate, the Commissioner makes recommendations to the Minister of National Defence who is responsible for CSE and can direct CSE to implement any recommendations. Recommendations are aimed at preventing possible non-compliance, improving privacy protections or correcting discrepancies between CSE activities and the Commissioner's expectations.
The Minister responds to the Commissioner and indicates whether the recommendations have been accepted. Since 1997, Commissioners have submitted to the Minister of National Defence 106 classified review reports. In total, the reports contained 166 recommendations. CSE has accepted and implemented or is working to address 95 percent (157) of these recommendations, including all 10 recommendations made in 2013–2014. The Commissioner publishes the titles of all review reports submitted to the Minister of National Defence (with any classified information removed) to demonstrate the depth and breadth of Commissioners' reviews.
The Commissioner summarizes his review activities in an annual report for Parliament, which is a public document. Consistent with the review model in Canada, CSE reviews the draft to verify that it does not contain any classified information according to the Security of Information Act. The report is provided to the Minister of National Defence, who cannot change it and must, by law, table it in Parliament.
The Commissioner alone determines the content of his reports, which are based on facts and conclusions drawn from those facts. The reports cannot be altered by CSE or any minister.