OTTAWA — June 13, 2013 — The Honourable Robert Décary, Q.C., Communications Security Establishment Commissioner, believes that public discussion would benefit from additional information about how he verifies whether CSE complies with the law and protects the privacy of Canadians in the conduct of its activities.
As Communications Security Establishment Commissioner, a position established under the National Defence Act, I strive to strike a balance between — on the one hand — the government’s need for foreign signals intelligence and IT security services, and — on the other hand — the need to ensure compliance with the law and the protection of the privacy of Canadians. Through the public annual reports, I also strive to provide assurance to Canadians with respect to their privacy.
Since my appointment, I have sought to clarify and explain more fully what my office and I do and how we do it, to help ensure that public discussion is based on fact. While it is not for me to disclose operational information of the Communications Security Establishment (CSE), I do encourage the government to be as transparent as possible. Every reasonable person recognizes, however, there are very real constraints imposed by national security and the Security of Information Act.
I am completely independent and operate at arms-length from the government. I have all the powers of a Commissioner under Part II of the Inquiries Act, including the power of subpoena, to access and review any information held by CSE. We have secure offices on-site at CSE. My employees have unobstructed access to CSE systems, observe CSE analysts first hand to verify how they conduct their work, interview them, and test information obtained against the contents of CSE’s databases.
Under the National Defence Act, CSE is specifically required to protect the privacy of Canadians in the execution of its duties. Similarly, it is required to protect the privacy of Canadians in accordance with other laws, including the Canadian Charter of Rights and Freedoms, the Privacy Act, and the Criminal Code. The Minister of National Defence has provided further specific direction to the Chief of CSE, regarding how he expects the agency will protect the privacy of Canadians in fulfilling its duties. The Chief has further elaborated and provided guidance to staff, through various internal policies, regarding the procedures and practices that must be followed.
When reviewing CSE’s activities — including any CSE use or retention of metadata — for compliance, I assess them against all three factors: legal requirements; ministerial expectations; and internal policy controls. If I believe a law, ministerial direction or policy is not adequate, I make a recommendation to the Minister to address the deficiency.
I verify that CSE does not direct its foreign signals intelligence collection and
IT security activities at Canadians — wherever they might be in the world — or at any person in Canada. CSE is prohibited from requesting an international partner to undertake activities that CSE itself is legally prohibited from conducting.
It is well understood that Canadian federal law enforcement and security agencies may lawfully investigate Canadians. When these organizations request the assistance of CSE, I verify that CSE complies with any limitations imposed by law on the agency to which CSE is providing assistance, for example, any conditions imposed by a judge in a warrant.
Given the structure of the international telecommunications environment, it is possible that CSE may, while targeting a foreign entity located outside Canada, with a ministerial authorization, unintentionally intercept a communication that originates or terminates in Canada, which is a “private communication” as defined by the
Criminal Code. I monitor and examine the small number of private communications unintentionally intercepted by CSE and verify how CSE treats these communications.
In the case of metadata, I verify that it is collected and used by CSE only for purposes of providing intelligence on foreign entities located outside Canada and to protect information infrastructures of importance to the government. I have reviewed CSE metadata activities and have found them to be in compliance with the law and to be subject to comprehensive and satisfactory measures to protect the privacy of Canadians. However, given that these activities may impact the privacy of Canadians, I had already approved, prior to recent events, the start of a specific review relating to these activities.
Additionally, in its reports, and in other information CSE shares with its domestic and international partners, CSE must render impossible the identification of Canadians, and I verify that this is done. As noted in my report last year, I have found that CSE does take measures to protect the privacy of Canadians in what it shares with its domestic and international partners. For example, CSE suppresses Canadian identity information in what is shared with its international partners. CSE applies the same privacy rules to information acquired from domestic and international partners, and I verify that these rules are followed. In addition, open and ongoing discussion between the partners helps to limit the potential to affect the privacy of Canadians.
Furthermore, I examine any operational incidents that did or could have an impact on the privacy of Canadians to ensure that CSE has addressed them and to identify any systemic issues about compliance with the law or the protection of the privacy of Canadians that should be the subject of follow-up review.
I provide the results of my reviews, in classified reports, to the Minister of
National Defence, who is accountable to Parliament for CSE. I am also required to submit an unclassified report to the Minister on my activities each year, which the Minister must then table in Parliament. My latest report is completed and I submitted it to the Minister.
A necessary element of my mandate also includes informing the Minister of any activities that I believe might present, or have the potential to present, a risk of non-compliance. If I find that CSE did not comply with the law, I have the authority and the duty to report it to the Minister and to the Attorney General of Canada.
A number of my reports have included recommendations aimed at strengthening CSE practices that contribute to compliance and incorporate measures that protect the privacy of Canadians. Some Commissioners’ recommendations have resulted in CSE suspending certain activities to re-examine how the activities are conducted. I closely monitor CSE’s implementation of my recommendations.
CSE has accepted and implemented or is working to address the vast majority of recommendations made by my predecessors and me. Recommendations are made to proactively prevent possible privacy risks. In the context of ongoing and future reviews, my office will continue to seek ways in which CSE compliance, and the privacy protections afforded to Canadians, can be further strengthened.
The Commissioner’s website is www.ocsec-bccst.gc.ca.
For more information, please contact:
J. William Galbraith
Office of the CSE Commissioner