Update on CSEC Efforts to Address Previous Recommendations

Since 1997, my predecessors and I have submitted to the Minister of National Defence 81 classified review reports. In total, the reports contained 148 recommendations. CSEC has accepted and implemented or is working to address 93 percent (137) of these recommendations, including all 10 recommendations this year.

Commissioners monitor how CSEC addresses recommendations and responds to negative findings as well as areas for follow-up identified in past reviews. This past year, CSEC advised my office that work had been completed in response to three past recommendations.

At the end of the 2012—2013 reporting period, the office was awaiting former Minister MacKay's response to two recommendations relating to my predecessor's review of certain foreign signals intelligence activities. Subsequently, the former Minister agreed with CSEC's management response and accepted the recommendations. Respecting the first recommendation, CSEC has promulgated updated policy guidance respecting how to clearly and consistently communicate with its partners about what entity its activities are being directed at. CSEC also provided training and awareness sessions to managers and analysts on the need for clarity of language in communications. With respect to the second recommendation, CSEC has taken a number of actions to ensure analysts have complete knowledge of existing policy guidance on their responsibilities for determining the foreign status of an entity and the justification for directing an activity at that entity, as well as actions for CSEC managers to verify that analysts follow this guidance. These actions include: specific policy guidance introduced since the period under review that provides clear instructions to analysts on targeting; policy compliance monitoring by a dedicated team; as well as mandatory classroom training, on-the-job training and a compulsory on-line test on protecting privacy.

CSEC implemented a third past recommendation by providing specific policy guidance for targeting for a particular method of foreign signals intelligence collection.

In addition, my office and I are monitoring 13 active recommendations that CSEC is working to address – three outstanding recommendations from previous years and 10 from this year.

Update on a review of CSEC assistance to the Canadian Security Intelligence Service (CSIS) under part (c) of CSEC's mandate and sections 12 and 21 of the CSIS Act

In last year's annual report, my predecessor reported on his findings and recommendations respecting his review of CSEC assistance to CSIS under part (c) of CSEC's mandate and sections 12 and 21 of the CSIS Act. Commissioner Décary examined CSEC assistance to CSIS following an October 2009 Federal Court order that authorized CSIS, with the assistance of CSEC, to obtain a warrant to collect intelligence on Canadians located outside Canada provided that the interception of the communications or seizure of information occurred from within Canada. One of Commissioner Décary's recommendations, implemented by CSEC, was that CSEC advise CSIS to provide the Court with certain additional evidence about the nature and extent of the assistance CSEC may provide to CSIS, namely respecting CSEC seeking assistance from and sharing information about the Canadian subjects of the warrants with its second party partners. Commissioner Décary shared with the Security Intelligence Review Committee (SIRC) certain general points relating to CSIS that arose out of the two recommendations, for SIRC to follow up on as it deemed appropriate. (SIRC also conducted a review on this subject, which was summarized in its 2012—2013 annual report.)

Subsequent to the tabling in August 2013 of Commissioner Décary's annual report, the Honourable Mr. Justice Mosley issued an order in September requiring that counsel for CSEC and CSIS appear before the Federal Court to speak to the matter raised in the report.

In November 2013, Justice Mosley delivered Redacted Amended Further Reasons for Order in this matter. He recognized "the hazards related to the lack of control over intelligence information once it has been shared" with foreign agencies that were highlighted in Commissioner Décary's and SIRC's reports (paragraph 115). Justice Mosley concluded that the Federal Court's "jurisdiction does not extend to the authority to empower the Service [CSIS] to request that foreign agencies intercept the communications of Canadian persons travelling abroad either directly or through the agency of CSEC under its assistance mandate" (paragraph 119). Justice Mosley also indicated: "[t]he failure to disclose that information [that CSIS would request assistance of the Second Parties through CSEC] was the result of a deliberate decision to keep the Court in the dark about the scope and extent of the foreign collection efforts that would flow from the Court's issuance of a warrant. This was a breach of the duty of candour owed by the Service [CSIS] and their legal advisors to the Court" (paragraphs 117 and 118).

Some have suggested that this matter points to a failure of the review bodies to help control the intelligence agencies. On the contrary, these events demonstrate how review works, as Justice Mosley was alerted to this following Commissioner Décary's recommendations. It also demonstrates how review bodies – in this case the Commissioner's office and SIRC – can cooperate and share information within existing legislative mandates.

Update on an ongoing review of CSEC use of metadata

The issue of metadata has served as the focal point for public discussion about CSEC, its activities and my review of those activities. In June 2013, in response to greater public demand for information in the wake of unauthorized disclosures of classified information on foreign signals intelligence, my predecessor issued a statement explaining CSEC use of metadata, the measures in place to protect the privacy of Canadians, the role of the office and past reviews. This statement was unprecedented and significant in that it contained information previously considered highly classified by government and had therefore never been released.

In January of this year, I confirmed that my office was aware of a particular metadata activity that was the subject of media reports alleging that CSEC illegally tracked the movements and on-line activities of persons at a Canadian airport. I stated that this activity did not involve "mass surveillance" or tracking of Canadians or persons in Canada as purported in some stories. (The statements are available on the office's website.)

What is metadata? Metadata is information associated with a communication that is used to identify, describe, manage or route that communication. It includes, but is not limited to, a telephone number, an e-mail or an IP (Internet protocol) address, and network and location information. Metadata excludes the content of a communication. CSEC is allowed to use metadata only to understand the global information infrastructure, to provide foreign intelligence on foreign entities located outside Canada or to protect computer systems of importance to the Government of Canada.

Paragraphs 273.64(1)(a) and (b) of the National Defence Act authorize CSEC to collect, use, share and retain metadata. A ministerial directive provides additional guidance and places limits on CSEC metadata activities. Thus far, I have confirmed that metadata remains fundamental to CSEC's mandated activities. CSEC uses metadata, for example, to determine the location of a communication, to target the communications of foreign entities outside Canada, and to avoid targeting a Canadian or a person in Canada.

As with any of its activities, CSEC is prohibited from directing its metadata activities at a Canadian or at any person in Canada. However, some metadata collected by CSEC is information about Canadians and CSEC must take measures to protect privacy in the use of that metadata. The Minister of National Defence has provided direction to the Chief of CSEC on metadata activities, including on the protection of the privacy of Canadians. The Chief has further elaborated and provided guidance to CSEC employees, through various internal policies, regarding the procedures and practices that must be followed for activities that may use metadata.

My office's first focused review on metadata began in 2006. Over the years, it has continued to examine and monitor CSEC use of metadata and Commissioners have made a number of recommendations relating to metadata. For example, in 2008, CSEC suspended certain activities involving information about Canadians and made significant changes to policies and practices before restarting those activities.

Planning for another comprehensive review of metadata was under way prior to the unauthorized disclosures by Edward Snowden last June. In light of the significant public interest in this issue, this ongoing review is a high priority. It provides an opportunity to once again examine CSEC's metadata activities, to assess changes to the activities and to determine compliance with the law and whether CSEC protects the privacy of Canadians. It will also follow up on observations of past Commissioners. For the first time, this review includes an in-depth examination of how CSEC uses metadata to identify cyber attacks and threats to Canada's critical information infrastructure. My review has identified some important questions, which I will continue to examine in the coming year, including: what are the vulnerabilities and risks to the privacy of Canadians imposed by new technologies that CSEC uses to collect and analyze metadata? How and to what extent can privacy protections be built directly into the technologies and processes used by CSEC for metadata collection and analysis? I will report on the results in my next public annual report.