2008–2009 Review Highlights
During the 2008–2009 reporting period, my office completed seven reviews on different aspects of CSEC activities. The reviews were carried out under my authority as articulated in paragraph 273.63(2)(a) and subsection 273.65(8) of the NDA.
The primary objective of the reviews, consistent with my mandate, was to assess whether the activities complied with the law, including the extent to which CSEC has adequate measures in place to protect the privacy of Canadians. I am able to report that the activities examined in 2008–2009 complied with the law.
With respect to the first three of the reviews listed below, in which I have reviewed different foreign intelligence collection activities conducted under ministerial authorizations, I reiterate that, pending amendments to clarify the NDA, these reviews are based on legal interpretation provided to CSEC by Justice Canada.
Paragraph 273.64(1)(a) of the NDA authorizes CSEC to collect foreign intelligence in accordance with the Government of Canada's intelligence priorities. In the case of each of the CSEC foreign intelligence collection activities reviewed by my office in 2008–2009, CSEC obtained the ministerial authorization pursuant to subsections 273.65(1) and (2) of the NDA because, in carrying out the activities, it was possible that CSEC might intercept communications that either originated or terminated in Canada, and which constituted "private communications", as defined in the Criminal Code.
The NDA requires that foreign intelligence collection activities not be directed at Canadians or any person in Canada (paragraph 273.64(2)(a)), and that they be subject to measures to protect the privacy of Canadians in the use and retention of intercepted information (paragraph 273.64(2)(b)).
Review of CSEC foreign intelligence collection activities conducted under ministerial authorizations (Activity 1)
This review examined certain CSEC foreign intelligence collection activities conducted under three successive ministerial authorizations in effect between 2004 and 2007. Two previous reviews of these same activities conducted by my office in 1999 and 2005 respectively were taken into consideration.
Based on the information reviewed and interviews conducted, I found that CSEC's activities were authorized and carried out in accordance with the law, ministerial requirements, and its operational policies and procedures.
However, the review found that additional information should be recorded and reported to the Minister in order to enhance accountability. This additional information concerns the foreign intelligence CSEC collects under this ministerial authorization and which it shares with its principal partners outside Canada. The sharing of information about Canadians is an area that my office will continue to examine.
The review also found that a memorandum of understanding between CSEC and a federal department respecting these activities should be updated to reflect current practices. In the meantime, CSEC agreed to continue to follow the terms of the existing agreement and to document any new understandings.
In addition, my staff identified certain deficiencies in CSEC policies and procedures related to the activities reviewed.
As a result of these findings, I recommended that CSEC adopt and publish additional written guidance respecting the process its analysts are to follow when making targeting decisions. I also recommended that CSEC amend its policy respecting the deletion of private communications recognized by analysts and found to have no foreign intelligence value. The NDA requires that an intercepted private communication shall be used or retained only if it is essential to international affairs, defence or security (paragraph 273.65(2)(d)).
I am pleased to note that CSEC accepted the recommendations, and is making improvements in areas where deficiencies were identified, including making changes to its systems.
Review of CSEC foreign intelligence collection activities conducted under ministerial authorizations (Activity 2)
This review examined certain other CSEC foreign intelligence collection activities conducted under four ministerial authorizations in effect from 2004 to 2007. The review included an examination of CSEC's reporting of the foreign intelligence to its partners in Canada and abroad.
Based on the information reviewed and interviews conducted, I found that the activities were authorized and complied with the law and with CSEC operational policies and procedures. Personnel responsible for the collection and management of intelligence activities were interviewed and found to be knowledgeable about the legislative authorities, policies and procedures that govern CSEC's collection.
However, the review also found that CSEC did not meet two of the expectations set out in the ministerial authorizations. In one instance, it was noted that CSEC did not meet a requirement to report in a timely manner to the Minister of National Defence following the expiration of the ministerial authorization. My staff found that the report was not received by the Minister's office until almost one year later.
Secondly, it was noted that in one instance CSEC did not report to the Minister an important increase in the number of private communications it inadvertently intercepted. CSEC subsequently provided my office with an explanation for this omission. Nevertheless, in reviewing this issue, I assessed that the information should have been reported in order to meet the ministerial expectation.
My report to the Minister of National Defence also suggested that CSEC introduce a greater degree of rigour in methodology applied to assessing the value of foreign intelligence reporting.
In addressing the expectation regarding private communications, I recommended that CSEC make an explicit statement to address each ministerial expectation separately in future reports to the Minister. I am pleased to note that CSEC accepted this recommendation.
Review of CSEC foreign intelligence collection activities conducted under a ministerial directive and ministerial authorizations (Activity 3)
This review examined a third type of CSEC foreign intelligence collection activity conducted under three successive ministerial authorizations in effect from 2004 to 2007. In addition, the review examined CSEC's compliance with the expectations set out in a related ministerial directive, issued pursuant to subsection 273.62(3) of the NDA.
Based on the information reviewed and interviews conducted, I found that CSEC's activities were authorized and complied with the law. I did, however, set out specific findings and made recommendations that I believe would strengthen CSEC's practices and compliance with its policies and procedures.
The review also found that CSEC did not meet one expectation set out in the ministerial directive. However, practices at the working level resulted in the fulfilment of the intention of that expectation.
Rigorous business practices at the working level throughout the development, approval and execution of these activities give a high level of assurance that the activities are conducted as approved. The review did not find the same level of clarity, rigour and record keeping in some parts of the program management processes. As a consequence, I made three recommendations.
With respect to CSEC not meeting one expectation of the ministerial directive, and to ensure continuity of practice through time and any staff turnover, I recommended that CSEC include certain measures in its policies or procedures.
Second, while CSEC personnel demonstrated a clear understanding of associated policies and procedures, and there was no suggestion of non-compliance, I recommended that written guidelines be put in place to address certain deficiencies in policies and procedures.
Finally, the record of specific activities is comprehensively documented. In contrast, however, the record of decision related to the management of the program is incomplete. I recommended that both components be subject to the proper application of sound records management processes. As I observed previously, CSEC has been implementing a new records management system and is keeping my office informed of progress, which I am following with interest. I am pleased to note that CSEC has accepted these recommendations and is taking measures to address each of them.
Review of CSEC's acquisition and implementation of technologies as a means to protect the privacy of Canadians
My office reviewed CSEC's acquisition and implementation of technologies as a means to protect the privacy of Canadians, in accordance with subsection 273.64(2) of the NDA.
Two types of technologies were studied in this review: a foreign intelligence acquisition system and an analytical tool. The foreign intelligence acquisition system is used to acquire, process and collect information from the global information infrastructure. The analytical tool is used to support CSEC's collection of foreign intelligence and to help ensure the protection of electronic information and information infrastructures of importance to the Government of Canada (IT security). My staff observed demonstrations of the two technologies and queried CSEC operators on various aspects of their use.
Based on the information reviewed and interviews conducted, I found that CSEC's activities were carried out in accordance with the law. CSEC uses these two technologies to fulfill its legislated mandate and demonstrated that it would modify its technologies, if required, to comply with its statutory obligations to protect the privacy of Canadians. The acquisition, implementation and use of these technologies helps CSEC protect the privacy of Canadians by identifying potential private communications as well as personal information about Canadians.
The review found that special attention should be brought to the development of IT security policy instruments so as to ensure that CSEC's guidance in this regard is up-to-date and formalized at the highest level. There was a difference in practices between CSEC's two business-lines (IT security and foreign intelligence collection) with regard to accounting for personal information identified through analysis. CSEC provided a reasonable explanation for this difference.
I made one recommendation regarding requests for foreign intelligence ministerial authorizations. Since there is a risk of intercepting private communications when using the foreign intelligence acquisition system reviewed, a ministerial authorization was required. I recommended that CSEC re-evaluate how it describes foreign intelligence activities in its requests for ministerial authorizations so as to be more precise about the activities the Minister of National Defence is authorizing. I am pleased to note that CSEC accepted the recommendation.
As part of its mandate to provide foreign intelligence in accordance with Government of Canada intelligence priorities, CSEC disseminates classified reports to federal government departments and agencies that have demonstrated requirements for the information, based on their respective mandates. These reports are authored by CSEC as well as allied agencies and may contain suppressed information about Canadians if it is essential to the understanding of the report (see: Information about Canadians — Did you know?).
Based on the information reviewed and interviews conducted, I found that CSEC's activities complied with the law and with its operational policies and procedures. I made no recommendations.
Follow-up to a recommendation in a 2007–2008 review of CSEC activities carried out under a ministerial directive
Last year, I reported on certain activities undertaken by CSEC under a ministerial directive and in support of its foreign intelligence collection mandate. As indicated in my 2007–2008 Annual Report, I suggested that CSEC re-examine its practice that only those private communications recognized by certain staff be accounted for. I recommended that other staff who observe and handle private communications should also be responsible for accounting for them. CSEC did not accept this recommendation, and, as a result, I directed my staff to conduct a follow-up review of these activities.
This second, focussed review, with direction to probe this matter as deeply as necessary, aimed to acquire greater knowledge about this activity, to examine the risk to privacy, and to determine if CSEC's measures to protect the privacy of Canadians were sufficient in this instance.
The goal of this review was ultimately to determine whether my recommendation of 2007–2008 should be maintained, amended or retracted. Review methodology included first-hand observation of the activities of CSEC front-line personnel conducting this activity.
The review, based on detailed knowledge and understanding of activities observed by my staff, found that CSEC conducts these activities in accordance with the law and ministerial requirements, and in accordance with operational policies and procedures.
Based on the current practices, as observed in detail on two separate occasions, I assessed that the activities examined in this review involve only a low risk to privacy. CSEC staff conducting the activities have a different and lesser potential of affecting the privacy of Canadians than other staff conducting different activities and who are already required to account for private communications.
In addition, I assessed that CSEC has sufficient measures in place to protect the privacy of Canadians during its conduct of these activities. Personnel were aware of and followed operational policies and procedures that provide direction with respect to the protection of the privacy of Canadians.
I am pleased to note that CSEC recently revised its operational policy on this subject to include additional guidance respecting the protection of the privacy of Canadians. Managers routinely and closely monitor compliance with applicable policies and procedures. The people with whom my staff spoke were forthcoming and demonstrated a professional approach.
Therefore, in view of these findings, I retracted my previous recommendation and informed CSEC that I have no expectation of corrective action in regard to these activities.
Review of CSEC activities conducted under a ministerial directive and in support of its foreign intelligence collection mandate
The specific objective of this review was to acquire knowledge of CSEC's activities conducted under a ministerial directive and in support of its foreign intelligence collection mandate. I examined CSEC's compliance with the expectations set out in the ministerial directive and associated policies and procedures. These expectations are administrative in nature and relate primarily to security and risk management.
Based on the information reviewed and interviews conducted, I found that CSEC's activities were consistent with the foreign intelligence priorities of the Government of Canada, and were carried out in accordance with the law and with CSEC operational policies and procedures. CSEC had also taken specific measures to protect the privacy of Canadians. I also found that, for the most part, CSEC conducted the activities in accordance with expectations set out in the ministerial directive and with associated policies and procedures.
I recommended, however, that CSEC reconcile certain discrepancies between ministerial expectations and its own practices. I also recommended that CSEC review, update and finalize certain key documents respecting these activities, and that it clarify certain terms used in the documents. I believe this will strengthen CSEC's ability to meet the ministerial expectations and therefore enhance accountability. I am awaiting CSEC's response to these recommendations.