2007-2008 Review Highlights
Review of CSEC signals intelligence collection activities conducted under ministerial authorizations (Phase II)
This report is the second and final phase of a review of certain foreign intelligence collection activities conducted under three ministerial authorizations that were in effect from March 2004 to December 2006. The first phase, which I reported on in last year's Annual Report, established an understanding of this foreign intelligence collection. It also examined the authorities, policies, procedures and management framework put in place to oversee the activities, and established the review criteria for this second phase.
The objective of this second phase was to assess and verify whether the activities that were authorized under the ministerial authorizations complied with the law as well as with the expectations set out in a ministerial directive relating to these activities.
With respect to the conditions imposed by the ministerial authorizations, which are articulated in subsection 273.65(2) of the National Defence Act, and the conditions imposed by the Minister as part of the authorization process, I found no evidence of non-compliance with the law. For a number of conditions, however, a lack of information and documentation did not allow my office to verify compliance. The review also found that, in some instances, CSEC had not complied with expectations set out in the ministerial directive, and I have so advised the Minister.
Operational policies were found to be in place and to provide direction to CSEC in the protection of the privacy of Canadians. No information was found to indicate that the actions of CSEC staff were in contravention of the operational policies. However, the absence and incompleteness of recorded information limits me to providing only a negative assurance to the Minister. That is to say that I have found no evidence of non-compliance with the law.
This review examined information technology security activities conducted by CSEC under ministerial authorization in 2004–2005 at a government department. The objective was to assess compliance with the law and with the provisions of the ministerial authorization.
The National Defence Act mandates CSEC to help protect the Government of Canada's computer systems and networks by analyzing the vulnerability of selected computing and telecommunications systems and by providing information technology security advice and services to government departments and agencies.
CSEC's information technology security activities may result in the inadvertent interception of private communications of Canadians or personal information about a Canadian. For this reason, subsection 273.65(3) of the National Defence Act provides that:
The Minister may, for the sole purpose of protecting the computer systems or networks of the Government of Canada from mischief, unauthorized use or interference, in the circumstances specified in paragraph 184(2)(c) of the Criminal Code, authorize the Communications Security Establishment in writing to intercept private communications in relation to an activity or class of activities specified in the authorization.
The CSEC Chief is responsible for seeking authorization on behalf of the department or agency requesting the activity to be covered. This ministerial authorization enables CSEC to undertake a complete security assessment of a department's networks.
The review found that CSEC's information technology security activities at the department were in compliance with the law and with the ministerial authorization. The process by which CSEC acquired the ministerial authorization was in accordance with the requirements of the National Defence Act and the processes outlined in CSEC's related policies. It was also determined that the five conditions set out in subsection 273.65(4) of the Act were complied with satisfactorily. Measures were in place to protect the privacy of Canadians, and CSEC's use and retention of personal information about Canadians was found to comply with the law and CSEC policy.
This review focused on certain activities undertaken by CSEC under a ministerial directive and, in the context of ministerial authorizations, in support of its foreign intelligence mandate articulated in paragraph 273.64(1)(a) of the National Defence Act for the period of April 1, 2005 to March 31, 2006.
Technology and telecommunications networks continue to increase in complexity. In order to fulfill its legislative mandate, CSEC conducts activities for the purposes of understanding the global information infrastructure and of locating foreign intelligence, in accordance with the intelligence priorities of the Government of Canada.
The objective of this review was to increase my office's knowledge of these activities and the authorities under which the activities are conducted. The review assessed CSEC's compliance with the ministerial directive and with the laws of Canada, including the National Defence Act, the Charter, and the Privacy Act, which governs the collection, use and disclosure of personal information. The review also assessed whether the activities conformed to CSEC's policies and procedures.
This was my office's first examination of this activity, as governed by the ministerial directive. I am satisfied that CSEC takes measures to protect the privacy of Canadians in the use and retention of data obtained from this activity. However, I made a number of recommendations, as follows.
First, I believe that CSEC should re-examine its practice that only those private communications recognized by certain staff be accounted for. I recommended that other staff that observe and handle private communications should also be responsible for accounting for them. Second, CSEC should re-assess which part of its legislative authority ought to be used to conduct certain of these activities, particularly those involving information provided by federal law enforcement and security agencies. Finally, I also believe that CSEC should augment its policy and procedures in order to better guide and support these activities.
My office has since been advised that CSEC is re-examining these activities and associated policies and procedures. I support CSEC's initiative, and will continue to monitor the issues raised during this review.
This review examined the lawfulness of CSEC's counter-terrorism activities in the period from April 1 to July 31, 2005.
In early October 2001, CSEC centralized foreign intelligence efforts as they relate to threats from international terrorism. The activities involve research and analysis of foreign intelligence data in order to identify terrorist targets and their operational and support networks. The information may be shared with federal government departments and agencies involved in intelligence and security-related matters, as well as with Canada's principal intelligence partners.
The main objectives of the review were to examine data collection and reports from the review period to verify that the information was collected, used and retained in compliance with the law, and to identify and report on any other issue of concern that might impact on the ability of CSEC to conduct its activities lawfully and to safeguard the privacy of Canadians.
This review found that the activities conducted were in compliance with the law and with CSEC policy. Personnel who were interviewed during the course of this review were knowledgeable about the authorities governing their work. The report makes two recommendations. One would enhance accountability regarding linkages between CSEC reporting and the intelligence priorities of the Government of Canada, and the other would enhance accountability for the use and retention of private communications and information about Canadians.
Review of CSEC's support to CSIS
The objective of this review was to assess the lawfulness of CSEC's activities in providing support to the Canadian Security Intelligence Service (CSIS) under CSEC's foreign intelligence mandate in the period from April 1, 2004 to March 31, 2005 and a sampling from November to December 2006.
CSEC provides regular foreign intelligence reporting to CSIS. Most of this reporting addresses general areas of interest that complement and support CSIS' own mandated responsibilities. CSEC also receives and responds to specific CSIS requests for intelligence-related information, provided that the requirement is consistent with documented Government of Canada intelligence priorities. A final aspect of CSEC's support to CSIS is that it responds to requests for the release of Canadian identities that have been suppressed in foreign intelligence reporting. Upon receipt of a formal request, CSEC must be satisfied with the justification and lawful authority for requiring the information.
Overall, I am of the opinion that CSEC acted within its mandate in conducting activities in support of CSIS. I am in accord with the advice and guidance provided by the Department of Justice to CSEC respecting this support. However, in some cases, I question which part of CSEC's mandate should be used as the proper authority for conducting these activities and I have recommended that CSEC re-examine this matter. As of March 31, 2008, this was the subject of ongoing discussions between my officials and CSEC.
In addition, my office identified concerns respecting requests for the release of suppressed information, and respecting the CSIS-CSE Memorandum of Understanding of 1990 that guides the agencies' cooperation. Many of my findings reinforced those of two previous reviews of CSEC's foreign intelligence collection in support of the RCMP and of the roles of CSEC's client relations officers and Operational Policy Section in the release of personal information, both of which are described in my 2006–2007 Annual Report.
I am pleased to note that since the period of review, CSEC continues to review its internal processes, policies and procedures, in order to make improvements in areas where deficiencies have been identified.
I have, however, recommended that CSEC revisit the Memorandum of Understanding between CSIS and CSEC, which is out of date and does not reflect current arrangements or practices between the two agencies. Given the international threat environment, it is my view that cooperation between security and intelligence agencies must be continually examined and the frameworks for cooperation kept up to date.
Reviews underway and planned
My office has several reviews underway that I will be reporting on to the Minister in the coming year and will include in my next Annual Report. The subjects of these reviews include: activities conducted by CSEC under several foreign intelligence ministerial authorizations; the disclosure of information about Canadians to federal government departments and agencies; an examination of certain common practices of CSEC related to its mandated activities, and a comprehensive study of its information technology security activities. Some reviews that will begin in the next fiscal year will carry through to 2009–2010. Last year I indicated that I would be reporting on CSEC's use of technology to protect the privacy of Canadians. At fiscal year-end, this review was being finalized, and therefore it will be reported on in next year's Annual Report.
My mandate includes undertaking any investigation I deem necessary in response to a complaint. During the 2007-2008 fiscal year my office received no complaints that warranted formal investigation.
I have a duty under the Security of Information Act to receive information from persons who are permanently bound to secrecy and seek to defend the release of classified information about CSEC on the grounds that it is in the public interest. No such matters were reported to my office in the 2007-2008 fiscal year.