Highlights of the Six Review Reports Submitted To the Minister in 2010-2011
1. Review of CSEC information technology security activities conducted under ministerial authorization (Activity 1)
Background
The National Defence Act mandates CSEC to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada.
This review examined certain information technology security activities conducted by CSEC under ministerial authorization in 2008–2009 at two Government of Canada departments. The activities examined help protect computer systems by detecting, analyzing, and mitigating sophisticated cyber attacks aimed at covertly accessing sensitive government computer networks.
My review followed up on an operational issue that came to light in late 2006 and which had the potential for non-compliance. The Commissioner's 2007–2008 Annual Report commended the Chief of CSEC for his handling of this issue and for keeping the Commissioner informed of corrective steps.
The review also included an examination of CSEC's responses to the findings and recommendations of a previous review of information technology security activities at a specific Government of Canada department. These previous findings and recommendations related to ambiguities in policy, corporate record keeping and CSEC employees' awareness of their responsibilities for the activities. My review included examining a 2007 CSEC internal audit report relating to these activities.
Review rationale
Specific controls are placed on these information technology security activities to ensure they comply with legal, ministerial and policy requirements. Major changes to certain practices and to CSEC's policies and procedures relating to these activities recently occurred. This is the first review since CSEC restructured these activities. Past Commissioners have also made findings and recommendations on these activities.
Findings
- Based on information reviewed and interviews conducted, I found that CSEC's activities were authorized and carried out in accordance with the law, ministerial requirements, and CSEC's policies and procedures.
- CSEC's use and retention of unintentionally intercepted private communications and information about Canadians complied with the law and CSEC policies.
- I am pleased to note that, in 2008–2009, CSEC made significant changes to the policies and procedures and to the accountability framework for these activities. I found the new policies and procedures to be comprehensive, containing satisfactory measures to protect the privacy of Canadians.
- CSEC also introduced processes that strengthen employee understanding of the compliance framework, policies and procedures. CSEC monitored the conduct of the activities to verify compliance with legal, ministerial and policy requirements, and retained a complete record of these activities.
- I am confident that the significant changes made to these information technology security activities address the previous findings and recommendations made in the Commissioner's 2006 review.
- Finally, this review included a follow-up examination of a principal CSEC information technology security software tool and database. I confirmed an observation made last year in this office's study of CSEC's information technology security activities not conducted under ministerial authorization: that a software tool used by CSEC has adequate functionality to restrict access to information in the system, to meet security and confidentiality requirements, and to protect the privacy of Canadians.
Recommendations
I made no recommendations.
2. Review of CSEC information technology security activities conducted under ministerial authorization (Activity 2)
Background
This review examined other information technology security activities, conducted for two Government of Canada departments in 2007–2008 and 2008–2009, under ministerial authorizations pursuant to the National Defence Act.
The activities at the two departments involved CSEC efforts to penetrate the departments' computer systems (under controlled circumstances) to demonstrate potential vulnerabilities and to test the departments' reactions to such attacks.
My examination included changes to the scope of these activities and to the technology used by CSEC. I assessed these changes in terms of their potential impact on the risk to compliance with the law and on the risk to privacy.
Review rationale
Major changes to certain practices, technologies and CSEC policies and procedures relating to these activities have recently occurred. Specific controls are placed on these activities to ensure compliance with legal, ministerial and policy requirements, while protecting the privacy of Canadians. Past Commissioners had also made findings and recommendations concerning these activities. This is the first review since CSEC restructured these activities.
Findings
- Based on information reviewed and interviews conducted, I found that CSEC's activities were authorized and carried out in accordance with the law, ministerial requirements and CSEC policies and procedures.
- I found that the new policies and procedures were comprehensive and contained satisfactory measures to protect the privacy of Canadians.
- The record of the activities demonstrated that CSEC's new management control framework provides strong monitoring and compliance validation tools, which help ensure compliance with the law and the protection of Canadians' privacy.
- Changes to the technology and its application by CSEC did not impact on the risk to compliance with the law or on the risk to privacy.
Recommendations
I made no recommendations.
3. Combined annual review of CSEC foreign signals intelligence collection activities conducted under ministerial authorizations
Background
This was the first combined annual review of all foreign signals intelligence collection programs. I am required by the National Defence Act to review activities under ministerial authorization. The 2009–2010 Annual Report that I submitted to the Minister describes the recent introduction of the office's horizontal review approach, which involves a thorough examination of processes common to all CSEC foreign intelligence collection activities under ministerial authorization. For example, common to all collection methods are the processes by which CSEC: identifies, selects and directs its activities at entities of foreign intelligence interest; uses, shares, reports, retains or disposes of intercepted information; and takes measures to protect private communications and information about Canadians. My review included examining a CSEC internal audit report relating to these activities.
Review rationale
The horizontal review approach led to a re-assessment of how my office reviews ministerial authorizations. Given that common processes are examined in horizontal reviews, it was determined that this combined annual review of foreign signals intelligence ministerial authorizations would focus on any significant changes and on any private communications unintentionally intercepted by CSEC.
I looked for changes to the authorities and scope of the programs, to the technology used by CSEC, and to the associated management control frameworks. I assessed any changes in terms of their impact on the risk to compliance with the law and on the risk to privacy.
I examined certain metrics relating to interception and the privacy of Canadians. The purpose was to establish a baseline of key information, to examine trends and to allow identification of any significant changes over time. These metrics will also inform the risk assessment process and the development of my review work plan.
Another objective of this review was to examine a sample of private communications intercepted by CSEC under foreign intelligence ministerial authorizations but which had not been used in CSEC reporting. The purpose was to assess whether this sample contained foreign intelligence essential to international affairs, defence or security, as required by the National Defence Act.
Findings
The extent to which I assessed CSEC's compliance with the law was determined by this review's focus on identifying and understanding significant changes to the foreign signals intelligence collection programs.
- Within this context, and based on information reviewed and interviews conducted, I found that the activities were authorized under the National Defence Act and there was no indication of unlawful activity by CSEC. CSEC met ministerial requirements, and has effective policies and procedures in place to guide its activities.
- There are positive trends in policy development and in the clarity and consistency of the requests for ministerial authorizations. Within the overall amount of communications intercepted by CSEC, I found that the proportion of recognized private communications that had been unintentionally intercepted remained very small.
- Overall, the foreign signals intelligence collection programs did not change significantly, and as a result, I determined that it is not necessary at this time to conduct an in-depth review of any of these programs.
- With regard to the sample of private communications, based on the information reviewed and interviews conducted, I found that CSEC retained only those private communications essential to Canada's international affairs, defence, or security, as required by law.
Recommendations
I made three recommendations. Two of the recommendations dealt with reporting to the Minister of National Defence certain information relating to privacy, and including in the ministerial authorizations a requirement to report this information. This information is necessary to provide the Minister with a complete picture of CSEC's collection activities and to support the Minister in his accountability for CSEC, including for the measures CSEC takes to protect the privacy of Canadians.
I also recommended that, given the importance of ensuring legal compliance and the protection of Canadians' privacy, CSEC should accelerate the timeline for implementation of an improved policy for the active monitoring of activities under foreign signals intelligence ministerial authorizations.
As of the end of the 2010-2011 reporting period, March 31, 2011, I am awaiting the Minister's response to these recommendations and will note them in next year's annual report.
4. Review of CSEC activities carried out under a ministerial directive and used by CSEC to identify new foreign entities believed to be of foreign intelligence interest
Background
The National Defence Act mandates CSEC to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities.
CSEC conducts a number of activities for the purposes of locating new sources of foreign intelligence. When other means have been exhausted, CSEC may use information about Canadians when it has reasonable grounds to believe that using this information may assist in identifying and obtaining foreign intelligence. CSEC conducts these activities infrequently, but they can be a valuable tool in meeting Government of Canada intelligence priorities. CSEC does not require a ministerial authorization to conduct these activities because they do not involve interception of private communications. However, a ministerial directive provides guidance on the conduct of these activities.
In recent years, three reviews have involved some degree of examination of these activities: a Review of CSEC's foreign intelligence collection in support of the Royal Canadian Mounted Police (RCMP) (Phase II) (2006); a Review of CSEC's activities carried out under a (different) ministerial directive (2008); and a Review of CSEC's support to the Canadian Security Intelligence Service (CSIS) (2008).
In his 2006–2007 Annual Report, the late Commissioner Gonthier questioned whether the foreign signals intelligence part of CSEC's mandate (part (a) of its mandate) was the appropriate authority in all instances for CSEC to provide support to the RCMP in the pursuit of its domestic criminal investigations. In his 2007–2008 Annual Report, Commissioner Gonthier stated that pending a re-examination of the legal issues raised, no assessment would be made of the lawfulness of CSEC's activities in support of the RCMP under the foreign signals intelligence part of CSEC's mandate. He also noted that CSEC's support to CSIS raised similar issues. Commissioner Gonthier emphasized that although he was in agreement with the advice that the Department of Justice had provided to CSEC, he questioned which part of CSEC's mandate — part (a) or part (c), the assistance part of CSEC's mandate — should be used as the proper authority for conducting the activities.
Subsequent to these reviews and statements in the annual reports, the Chief of CSEC suspended these activities. CSEC then made significant changes to related policies, procedures and practices.
Review rationale
These activities involve CSEC's use and analysis of information about Canadians for foreign intelligence purposes. Specific controls are placed on these activities to ensure compliance with legal, ministerial and policy requirements. Major changes to certain policies, procedures and practices have recently occurred. This was the first review of these activities since the Chief of CSEC allowed their resumption under new policies and procedures. There were also related issues, findings and recommendations highlighted by my predecessors that required follow-up.
Findings
- Based on information reviewed and interviews conducted, I found that CSEC's activities were authorized and carried out in accordance with the law, ministerial requirements and CSEC's policies and procedures.
- I found that the new policies and procedures were comprehensive and contained satisfactory measures to protect the privacy of Canadians.
- Because of the significant changes made by CSEC to these activities and the positive results of this review, I am of the view that CSEC has addressed the previous findings and recommendations.
- I assessed that the new processes put in place by CSEC were consistent with part (a) of its mandate. I had no questions similar to those raised in previous years as to whether such activities would be more appropriately authorized under part (c) of CSEC's mandate.
- CSEC's new policies, guidelines and forms address findings and recommendations made by past Commissioners. CSEC managers and officials were knowledgeable about and complied with policies and procedures. CSEC managers routinely and closely monitored these activities to ensure they complied with the governing authorities.
Recommendations
I made no recommendations. However, given that these activities involve CSEC's use and analysis of information about Canadians, and therefore have the potential to affect their privacy, I have directed my office to monitor these activities to ensure they continue to be conducted in accordance with the law, ministerial requirements and CSEC's policies and procedures.
5. Review of the process by which CSEC determines that entities of foreign intelligence interest are foreign entities located outside of Canada, as required by the National Defence Act
Background
CSEC must also be able to identify those one-end Canadian private communications it can lawfully intercept under a ministerial authorization on the basis that the acquisition of these communications is unintentional and the interception is directed at a foreign entity located outside Canada. This process must contain measures to protect the privacy of Canadians.
For the period of September 2008 to December 2010, I examined and tested the process and practices by which CSEC determines that entities of foreign intelligence interest are foreign entities located outside of Canada.
Review rationale
These activities are the foundation of CSEC's foreign signals intelligence collection programs. Specific controls are placed on these activities to ensure they meet the legal, ministerial and policy requirements which are crucial to protecting Canadians' privacy.
Past Commissioners made findings and recommendations on these activities, which required follow-up. In addition, major changes to certain technologies and policies and procedures relating to these activities have recently occurred and others are in progress. This is one of the first in-depth horizontal reviews of a CSEC process common to all foreign intelligence collection methods.
Findings
- Based on information reviewed and interviews conducted, I found that the process by which CSEC determines that entities of foreign intelligence interest are foreign entities located outside of Canada is in accordance with the law, ministerial requirements, and CSEC's policies and procedures.
- CSEC has sufficient policies and processes to satisfy the legal requirement not to direct foreign signals intelligence interception activities at a Canadian (anywhere) or at any person in Canada.
- CSEC employees who were interviewed and observed in their work were knowledgeable about relevant policies and procedures and were applying them in the conduct of the activities. CSEC managers routinely and closely monitor the activities to ensure they comply with governing authorities.
- CSEC takes measures in the design of associated systems and databases to promote compliance with the law and the protection of Canadians' privacy. I found that recent enhancements to these systems and databases assist in ensuring compliance with the law, ministerial requirements and policy. Additional planned enhancements will further improve compliance.
- I did find, however, certain deficiencies in some of the associated management systems and databases. I am pleased to note that CSEC is taking measures to address these deficiencies. I will monitor CSEC's efforts in this regard.
Recommendations
CSEC's policies and procedures generally provide sufficient direction to CSEC employees in protecting Canadians' privacy while determining that entities of foreign intelligence interest are foreign entities located outside of Canada. However, policies and procedures applicable to a certain foreign signals intelligence collection program provide only limited direction on the process and practices for such activities. I therefore recommended that CSEC provide specific guidance for these activities.
As of the end of the reporting period, March 31, 2011, I am awaiting the Minister's response to this recommendation and will note it in next year's annual report.
6. Annual review of CSEC disclosures of information about Canadians to Government of Canada clients
Background
This review fulfills a commitment in the 2009–2010 Annual Report to conduct an annual review of a sample of disclosures of information about Canadians to Government of Canada departments and agencies. The purpose is to verify that CSEC complies with the law and maintains measures to protect the privacy of Canadians.
Information about Canadians may be included in CSEC's reports if it is essential to understanding foreign intelligence. However, any information that identifies a Canadian must be suppressed in reports disseminated to government departments and agencies, that is, replaced by a generic reference such as "a named Canadian".
See Annex G for more detailed information on legislative safeguards for private communications and measures to protect information about Canadians.
When receiving a subsequent request for disclosure of the details of the suppressed information, CSEC must verify that the requesting government department or agency has both the authority and operational justification for obtaining such information. Only then may CSEC provide this information.
This review encompassed a sample of approximately 20 percent of requests received by CSEC for disclosure of suppressed information about Canadians contained in foreign intelligence reports, from April to September 2010. The sample included disclosures made to all of the Government of Canada departments and agencies that requested, and were provided with, information about Canadians.
My office examined the forms that CSEC used to document the departments' and agencies' authorities and justifications of their need for information about Canadians, as well as the associated foreign intelligence reports.
Review rationale
CSEC's disclosure activities involve the sharing of information about Canadians. Should there be an instance of non-compliance while CSEC conducts these activities, the potential impact on the privacy of Canadians could be significant.
In addition, I assessed CSEC's activities in response to two recommendations in a February 2010 review report of my predecessor relating to: (a) providing tools to support the tracking of clients' requests for, and any associated disclosures of, suppressed information about Canadians; and, (b) improving the consistency and accuracy of CSEC reports to the Minister of National Defence about these activities.
Findings
- Based on information reviewed and interviews conducted, I found that CSEC's disclosure of suppressed information about Canadians to Government of Canada clients was conducted in compliance with the law.
- Policies and procedures were in place to provide sufficient direction to CSEC employees on the protection of the privacy of Canadians.
- CSEC employees were knowledgeable about, and acted in accordance with, policies and procedures. CSEC managers monitored activities to ensure CSEC employees complied with governing authorities.
- I am satisfied that CSEC's practices and the planned implementation of a new system will address previous recommendations and permit CSEC to better track and produce accurate and consistent metrics on these activities.
Recommendations
I made no recommendations but will continue to conduct an annual review of these activities to verify that CSEC continues to comply with the law and maintains measures to protect the privacy of Canadians. I will also monitor CSEC efforts to implement the new system.