The Year in Review

Last year, I referred to the independent management review of the operations of my office, and to recommendations to improve our methodology. These matters have been thoroughly examined, and changes have been incorporated in new operational policies and procedures. My office has been implementing these changes in the conduct of reviews. One of the most notable is a new approach that involves examining processes which are common to several different CSEC activities. As a result, the review function is expected to be more effective in at least two ways: first, by avoiding a certain amount of duplication; and second, by creating a greater and readier understanding of underlying activities at the core of CSEC's mandate. CSEC has been kept informed throughout the process of implementing these changes, and specific issues of methodology that have a direct impact on that organization and on our working relationship have been discussed.

At my request, CSEC provided several briefings to my staff during the past year. Some of the briefings have become annual occurrences, such as those related to policy developments and updates, and also to the implementation of a new information management system. Other briefings have dealt with cyber-threat activities and with certain aspects of cooperation with CSIS. As is standard practice, and at our request, CSEC also provided briefings at the beginning of most reviews initiated during the year.

Workplan

A three-year workplan guides the activities of my office. It is an integral component of the review process as well as being a focal point in the relationship between my office and CSEC. It is updated on a regular basis. Each update involves a re-assessment of the priority of planned and potential review projects and incorporates new information that may have come to our attention. For example, a review that has just been completed may identify an area outside the scope of that review but which I believe needs to be examined further, perhaps to assess compliance with the law or to ensure the protection of the privacy of Canadians. In my report last year, I listed other criteria that contribute to determining what areas or topics will be included in the workplan. I must, however, always weigh what is reviewed against what is not, and be satisfied to the extent possible that those areas of greater risk to compliance with the law or to privacy are being examined.

CSEC is consulted on the workplan. There are several reasons for this. This is a standard practice in review to ensure that no one area of the organization is unduly burdened. There must be balance between my review mandate and CSEC's operational requirements mandated by the government. Another significant reason is that there is a need to ensure that the scheduling and scope of review projects is reasonable and can be carried out in a timely manner, taking into consideration the resources and mandates of both organizations.

An important initiative agreed upon by both CSEC and my office was to organize a roundtable discussion focussed on the working relationship. The objective was to optimize the review process, which as well means minimizing any adverse impact on the activities of CSEC. The meeting reviewed the business processes of both groups, identified points where improvement was desirable and proposed how to achieve those improvements. A number of issues related to the workplan were also identified and have been implemented. There was general agreement that this type of meeting was useful and served the interests of both organizations to keep open the lines of communication and to ensure that review works as intended.

Reviews undertaken of the activities of CSEC

My general review mandate is set out in paragraph 273.63(2)(a) of the National Defence Act.[6] Under subsection 273.65(8) of the Act, I also have an obligation to review and report to the Minister as to whether the activities carried out under a ministerial authorization are authorized.

Ministerial authorizations for foreign intelligence collection are issued under the authority of subsection 273.65(1) of the National Defence Act, whereas ministerial authorizations for information technology security activities are issued under subsection 273.65(3) of the Act. My reviews of CSEC's activities conducted under ministerial authorizations are undertaken after the ministerial authorization has expired.

As I noted in my Annual Report last year: "The characteristics of contemporary communications technology mean that the interception of communications by CSE, directed at foreign entities outside Canada, runs the inherent risk of acquiring the private communications of Canadians. It is for this reason that a ministerial authorization is sought for this collection."[7]

The ministerial authorization provisions do not allow CSEC to target Canadian communications. However, "for the sole purpose of obtaining foreign intelligence"[8], the Minister may authorize the interception of private communications of Canadians or persons in Canada as long as the interception was the result of CSEC's targeting a foreign entity located outside Canada. Ministerial authorizations for information technology security activities also authorize the interception of private communications that may be incidentally obtained by CSEC while protecting the systems and networks of a federal government department or agency.

Further, when collecting foreign intelligence, CSEC may also incidentally acquire information about Canadians. This information may only be retained if it is assessed as essential to the understanding of the foreign intelligence, and it may be included in foreign intelligence reporting if it is suppressed (i.e., replaced by a generic reference such as "a Canadian person"). When receiving a subsequent request for disclosure of the details of the suppressed information, CSEC requires federal government departments and agencies to explain their authority to collect this information under their own respective mandates and to provide an operational justification of their need to know this information. If these conditions are met, CSEC may release the suppressed information. This year, two of my reports included detailed reviews of such releases.

During 2007-2008, my office submitted to the Minister five classified reports based on reviews completed during the year. Two of the reviews dealt with CSEC's activities conducted under ministerial authorization; one of these pertained to foreign intelligence collection, while the other concerned information technology security. The other three reviews were conducted under my general mandate, to assess whether CSEC's activities were in compliance with the law, and the extent to which it protected the privacy of Canadians in carrying out the activities.

Methodology

Prior to beginning a review, my office provides CSEC with terms of reference that set out the objective, scope, criteria, a summary of the approach to be taken, and a timetable for the review. In conducting a review, OCSEC reviewers employ standard fact-finding tools and techniques to gather evidence, including examination of all relevant written and electronic records, and the associated authorities, policies and procedures. Reviewers also conduct extensive testing and sampling. Interviews are held with management and other personnel involved in the activities under review. Officials from other federal government departments and agencies may also be interviewed. In addition, legal opinions and advice are examined. CSEC provides briefs and demonstrations of activities as well as answers to written questions. At the conclusion of the review process, reviewers meet with CSEC officials prior to finalizing their report. The purpose of this meeting is to outline review findings and conclusions.

Overview of 2007-2008 findings

Although the five reviews reported on this year differed in subject, there were recurring themes, some of which are noted below. Overall, I am able to report that the activities of CSEC examined during the year complied with the law.

Interpretation of ministerial authorizations

As noted earlier, CSEC and my office are still on opposite pages as regards the interpretation of the provisions of the National Defence Act relating to ministerial authorizations. However, pending legislative amendments, I have continued my predecessor's practice of reviewing and reporting on whether CSEC's activities conducted under ministerial authorization comply with the Act as it has been interpreted by the Department of Justice. On this basis, I am able to report that the two reviews of activities conducted under ministerial authorizations complied with the National Defence Act as interpreted by the Department of Justice.

Information management

Inadequate information can impair my ability to conduct reviews.

The theme of weak document and information management has been a consistent one over time. Good information management ensures that all relevant information and documentation is entered into the corporate record. However, as I and my predecessors have noted in previous reports, inadequate or missing information in CSEC's corporate records can impair my ability to conduct reviews and to determine whether CSEC's activities comply with the law. This has left me, in some instances, in a position of providing only a negative assurance to the Minister that I have no evidence of non-compliance with the law, rather than providing positive assurance, supported by evidence of compliance. CSEC is well aware of my concerns in this regard, is committed to addressing this issue, and is making progress in implementing a corporate records management system. CSEC is keeping me informed of its efforts. Future reviews will continue to seek documentation that demonstrates compliance with authorities, provides a record of all activities conducted, and confirms that supervisors are monitoring the performance of their staff.

Interpretation of foreign intelligence mandate

In last year's Annual Report, I noted that one of the issues raised by my review of CSEC's foreign intelligence collection in support of the RCMP was "whether [the foreign intelligence part of CSEC's mandate] was the appropriate authority in all instances for CSE to provide intelligence support to the RCMP in the pursuit of its domestic criminal investigations."[9] Pending a re-examination of the legal issues raised, I decided that no assessment would be made of the lawfulness of CSEC's activities in support of the RCMP under the foreign intelligence part of CSEC's mandate as it is currently interpreted and applied. This issue remained unresolved as of March 31, 2008. My review of CSEC's support to CSIS, which is reported on below, raised similar issues. As I note in this instance, and unlike the matter of ministerial authorizations, I am in agreement with the advice that the Department of Justice has provided to CSEC. However, in certain cases, I question which part of CSEC's mandate should be used as the proper authority for conducting these activities. Discussions on these matters are ongoing.

---

[6] Please see Annex A for the text of the relevant sections of the National Defence Act.

[7] Supra, note 5 at p. 18.

[8] Subsection 273.65(1) of the National Defence Act.

[9] Supra, note 5 at p. 13.