Commissioner's Message: A Summary at the End of My Term

When the Minister of National Defence tables this annual report before Parliament, I will have completed my three-year term as Communications Security Establishment (CSE) Commissioner. For personal reasons I declined an offer to renew my mandate. This message affords me an opportunity to reflect on my time as the head of the Office of the CSE Commissioner.

Reports and recommendations

During my tenure as Commissioner I submitted to the Minister of National Defence 19 review reports, covering almost every aspect of the activities of Communications Security Establishment Canada (CSEC), including those carried out under ministerial authorizations or at the request of law enforcement and security agencies. Among the activities reviewed were those relating to the collection of foreign signals intelligence, the protection of electronic information and information infrastructures considered important by the Government of Canada, and technical and operational assistance provided by CSEC, notably to the Canadian Security Intelligence Service (CSIS). My reports contained 12 recommendations.

The integrity of the review process and the credibility of the Commissioner's office depend in large part on the follow-up by the office of CSEC's implementation of Commissioners' recommendations. I am pleased to note that since 1997, fully 92 percent (127 of 138) of Commissioners' recommendations in 74 classified reports submitted to the Minister have been accepted and implemented, or are being addressed. This means, inter alia that measures to protect the privacy of Canadians are continually being adapted and refined to reflect the ever-changing technological and operational environment in which CSEC must work. Indeed, some Commissioners' recommendations have resulted in CSEC suspending certain activities to re-examine how the activities are conducted and, in other instances, have led to important improvements to CSEC policies and practices.

Maintaining healthy relations with CSEC

It strikes me as vital that an organization under independent review and the review body itself cultivate a relationship built on respect and good faith. By law, CSEC must take measures to protect the privacy of persons in Canada and Canadians, wherever in the world they may be. By law, the Commissioner must ensure that CSEC meets this obligation. The protection of privacy is therefore a shared objective of our two organizations. I also consider it essential that our relationship be one of complementarity rather than superiority. With my years of experience, I see the office more as CSEC's conscience than as a sword of Damocles, and I believe that CSEC increasingly sees it this way as well.

I can say with confidence that CSEC's Chiefs during my time as Commissioner, John Adams initially and then John Forster, have spared no effort to instill within CSEC a culture of respect for the law and for the privacy of Canadians. Both men have been honest in their dealings with me, sometimes tough, but always acting in good faith.

Transparency

From the start of my time as Commissioner, I have sought to demystify, within the unavoidable constraints of national security and public safety, the culture of secrecy pervading the activities of security and intelligence agencies. I believe I have succeeded to some degree, based on the feedback that my annual reports have been more informative, more understandable, and have brought clarity to many of the activities of my office and of CSEC. Much remains to be done, but I believe that the ice has been broken and that the security and intelligence agencies understand they can speak more openly about their work without betraying state secrets or compromising national security. The greater the transparency, the less sceptical and cynical the public will be.

It is in this context of transparency that the Commissioner's office organizes periodic luncheon meetings with outside experts in the fields of national security and privacy. This facilitates greater understanding on their part of how we go about our work, and we in turn learn about their perspectives and interests.

Review bodies working cooperatively

My office and the Security Intelligence Review Committee (SIRC) have similar functions but are subject to different legislation. CSEC and CSIS also have different legislation but their respective laws authorize cooperation between them, whereas the legislation governing my office and SIRC does not contain similar provisions. This means that where CSEC and CSIS cooperate and conduct joint activities, my office and SIRC do not have an equivalent authority to conduct joint reviews. Nonetheless, I believe a certain amount of collaboration among review bodies is possible under existing legislation. For example, where I have no mandate to follow-up, I may refer questions to SIRC that concern CSIS. Activities beyond this, such as the sharing of special operational information of the agencies, may require the intervention and approval of Cabinet, and possibly also legislative change. Ideally, the law should authorize, even encourage, such cooperation.

The creation of an over–arching structure that would group existing review bodies under a single umbrella, proposed in a past commission of inquiry report, does not strike me as a sensible solution at this point. Before we create an additional super-bureaucracy, with the associated burden and costs, we may be better advised to optimize existing review bodies and facilitate their collaboration.

Another form of cooperation among security and intelligence review bodies has occurred over the past few years. My office has provided an introductory training course for new employees of security and intelligence review bodies, to explain various review methods and to contribute to the development of more rigorous review practices.

Information sharing with international partners

The growth of international cooperation in the intelligence field has important implications for privacy. We want to ensure that the foreign countries and organizations with which Canada exchanges information protect privacy with as much rigour as Canada exercises. This is not an easy task. On the one hand, nations are sovereign and do not appreciate interference in their internal affairs, particularly not in the area of security. On the other hand, review bodies and mechanisms vary from country to country. In the absence of international intelligence review standards, I believe the best guarantee of the protection of the privacy of Canadians in information exchanged with international partners lies in promoting and ensuring strong and independent review bodies in those countries. We are, in fact, already doing this to some extent.

For the past 15 years, the review bodies of a dozen countries, including members of the "Five-Eyes" countries (Canada, the United States, the United Kingdom, Australia and New Zealand), have attended a biennial conference. These meetings have been a source of rewarding exchanges and new inspiration. The sharing of perspectives and best practices is a stimulating and enriching experience. As well, countries for which independent intelligence review is in its early stages may be invited to attend the conferences as observers and gain knowledge about what is happening elsewhere. Canada hosted this conference in May 2012.

On the bilateral level, my office meets with representatives of foreign review bodies and oversight committees. This past year, for example, I met with members of a delegation of French parliamentarians seeking information on the nature and methodology of Canadian review bodies. I have also met with members of the Belgian Standing Intelligence Agencies Review Committee and the British Intelligence and Security Committee. It is my wish that these kinds of beneficial meetings occur more frequently.

Cyber security and cyber attacks

One can no longer talk about security without mentioning cyber threats. Barely a week goes by without headlines dealing with the risk of breaches of public and private computer systems. CSEC, by its very mandate, is called on to play a leadership role in protecting electronic information and information infrastructures of importance to the Government of Canada. CSEC may also lend its experience to assist Public Safety Canada in its role of helping to protect critical infrastructure, that may involve the private sector.

It is unavoidable that CSEC may unintentionally intercept the private communications of Canadians while conducting certain information technology (IT) security activities. For this reason, in recent years, the Commissioner's office has increased its vigilance in this area, completing a number of reviews, while others have been initiated; I have no doubt that my successor will continue this work.

Proposals for legislative changes to the National Defence Act

I started my mandate with the expectation that the legislative amendments to the National Defence Act proposed by my predecessors would soon be introduced in Parliament, but this has yet to happen. I am deeply disappointed at the lack of action by the government, which is no longer in a minority situation, to address the ambiguities identified by my predecessors and myself. These amendments — as I have said many times before — would improve the provisions that were hastily enacted in the aftermath of September 11, 2001. The proposals to address the issues raised by Commissioners should not, in my opinion, be controversial.

The independence of the Office of the CSE Commissioner

The office attained its institutional and financial independence just over five years ago when it received its own funding approved by Parliament, and was no longer part of the budget of the Department of National Defence. To emphasize this independence, 2011 marked the first time the Commissioner issued his own news release to highlight the tabling in Parliament of his annual report by the Minister of National Defence. Financial independence, however, does have its drawbacks. As a result of having its own appropriation, the Commissioner's office, a micro-agency with a budget of roughly two million dollars, is subject to the same accounting and reporting requirements as all departments, each with their individual budgets, some into the billions. To my mind, this is an example of excessive bureaucracy that has resulted in a significant level of reporting that is of limited value to both the office and its stakeholders.