2002-03 Activities

Classified Reports

Under the Orders in Council that set out my mandate from 19 June 1996 until 24 December 2001, my Office carried out a planned series of reviews of CSE's activities each year. These reviews were directed at areas where, in my opinion, the very nature of CSE's activities gave rise to risks relating to lawfulness. Because I was authorized to submit reports containing classified material to the Minister of National Defence at any time I considered advisable, I made it a practice to report the results of each of my reviews to the Minister in the form of a classified report.

The new legislation has introduced some important changes to my mandate. As described above, the Minister of National Defence may now authorize CSE to intercept the private communications of Canadians in some circumstances. Although I am still required to review CSE's activities generally to ensure that they are in compliance with the law, the legislation also directs me specifically to review CSE activities carried out under a ministerial authorization to ensure they are authorized, and to report annually to the Minister on the review.

In other words, I no longer have a completely free hand in choosing subjects for review. Nor does my new legislated mandate specifically authorize me to submit reports containing classified material to the Minister whenever I consider it advisable. Nevertheless, in cases where I do choose the subjects for review, I believe it is sensible to continue the reporting practices established under my earlier mandate, as they have served well in the past.

During 2002-03 I forwarded four classified reports to the Minister, and another was nearing completion at the end of the year. These included reports mandated under the new legislation as well as reports on reviews of my own choosing. Annex C provides a list of all my classified reports to the Minister since my appointment in 1996.

As I have pointed out in the past, submitting a classified report to the Minister does not mean that I have identified any lack of compliance with the law or ministerial authority. It indicates only that the report contains material that requires classified handling. Indeed, I am pleased to say that none of the reviews on which my 23 classified reports are based (including the four reviews completed in 2002-03) identified incidents of unlawfulness or unauthorized activity.

Reviews of Activities under Ministerial Authorizations

Under sub-sections 273.65 (1) and (3) of the National Defence Act, the Minister of National Defence has authorized CSE, in writing, to intercept private communications for the purposes of obtaining foreign intelligence and protecting the computer systems or networks of the government from mischief, unauthorized use or interference. Because many of the activities carried out under these authorizations were new to CSE, they gave rise to significant challenges relating not only to technology, but also to such matters as determining appropriate roles and responsibilities, developing policy and procedures to guide activities, and designing controls to ensure compliance with the conditions imposed by the legislation and the ministerial authorizations. CSE continues to address these challenges.

Information obtained from CSE indicates that the bulk of the communications intercepted under these authorizations are not in fact private communications (that is, they are not the communications of Canadians). Nevertheless, I believe that the unique focus of my review must be on private communications. Whatever else CSE may intercept, it is the interception of private communications that is specifically authorized by the Minister. Moreover, it is with respect to the interception, use and retention of private communications that issues of lawfulness and compliance with ministerial authority are most likely to arise. As a result, my Office devoted a significant part of its efforts during the past year to learning how CSE is acquiring, identifying, accessing, retaining and using such communications, as well as what kind of policy regime, procedures and management control framework it is putting in place. In doing so, my staff and I examined a variety of documents and correspondence, had several discussions with CSE officials, and attended briefings and information sessions. In addition, I asked CSE to take me through a specific tasking under one of the authorizations.

My Office completed a preliminary review of activities under one ministerial authorization. This authorized CSE to conduct activities from Canada relating to the interception of communications for the sole purpose of obtaining foreign intelligence and, in doing so, to intercept private communications subject to conditions defined in the legislation and in the ministerial authorization. As required by the legislation, I reported the findings of this preliminary review to the Minister. Because of the focus of the ministerial authorization, and because the review was a first for my Office, my preliminary report related more to process and to the class of activities authorized than to CSE's compliance with authority. I anticipate that in future annual reports to the Minister under paragraph 273.65 of Part V.1 of the National Defence Act, the Commissioner will be in a position to address compliance issues more directly.

My reviews of activities under other ministerial authorizations in effect during 2002-03 were continuing at the end of the year and will be the subject of reports to the Minister in the near future.

Other Reviews

CSE's operational support to the Canadian Security Intelligence Service. The Canadian Security Intelligence Service (CSIS) is authorized to assist the ministers of National Defence and Foreign Affairs in collecting foreign intelligence within Canada. In carrying out its duties and functions, CSIS may, in turn, seek operational assistance and support from other departments and agencies, including CSE.

In 2002-03 my staff completed an examination of CSE's policies and practices in the context of a specific case where it provided operational support to CSIS. This examination found no evidence of unlawful activity on the part of CSE or any of its employees. Indeed, all the activities examined complied with CSE policies as well as relevant legal authorities.

My report did, however, make a number of recommendations designed to address weaknesses in policy and practice that could lead to errors in handling sensitive information and to an inconsistent application of policy and law. CSE has started to take action to address the concerns I raised.

Information Technology Security. In earlier annual reports I discussed changes in the focus and complexity of activities undertaken by CSE under its Information Technology Security (ITS) program to protect government communications and communications systems. Among other things, the ITS program has shifted strategically toward a more open mode of doing business in the face of growing vulnerabilities as more and more government organizations adopt evolving technologies such as the Internet and electronic commerce.

To respond to a significantly expanded client base and greater demand for its services, the ITS program has actively sought cooperative partnerships and alliances with government and private sector organizations. These arrangements are usually formalized in written agreements between the parties. My Office reviewed formal agreements between the ITS program and external parties, as well as the policies, practices and procedures governing them, to identify issues and assess implications relating to lawfulness.

The review showed no evidence of unlawful activity on the part of CSE with respect to its arrangements with government and private sector organizations and the agreements arising from such arrangements. However, my report pointed to shortcomings in the administration of agreements as well as gaps in policy that created unnecessary risks in this regard. I have been informed that CSE is taking action to review and address my concerns and recommendations.

CSE's policies and procedures. One of my long-standing observations, based on several reviews carried out during my term as Commissioner, is that CSE's internal policies and procedures have not always provided clear and consistent definitions and uses of key terms. I have found that policies and associated documentation were confusing at times, especially in instances where certain terms have multiple definitions.

As a follow-up to these observations, my staff compiled a lexicon of definitions of key terms from a number of different instruments, and I made that report available to the Minister and to CSE. In the course of this work, I learned that CSE is giving a high priority to the development and articulation of policies and procedures to guide operations under its mandate in the National Defence Act. This effort includes establishing new policies and procedures where necessary, as well as reviewing existing policies and procedures to ensure they are current and that they use accurate and consistent terminology.

I am encouraged by these developments at a time of expanded security and intelligence activity when, among other things, there are clear needs for CSE to retrain existing staff and to train and guide an anticipated influx of new employees. In these circumstances it is vitally important to ensure clear and consistent understanding and application of policy and procedures ¯ including terminology used ¯ throughout the organization. My Office will continue to monitor CSE's progress in this regard closely.

2002-03 Findings

Each year in this report I provide an overall statement on my findings about the lawfulness of CSE's activities based on the results of reviews my staff carried out during the year. Because of my new mandate under the National Defence Act, this is the first time my statement extends beyond lawfulness to compliance with ministerial authority.

I am able to report that the activities of CSE that my Office reviewed during the year complied with law and ministerial authority. In particular, while I found no evidence that CSE directed its activities at Canadians or any person in Canada, I did see evidence that CSE has measures to protect the privacy of Canadians in the use and retention of intercepted information.

Complaints and Concerns about CSE Activities

Paragraph 273.63 (2)(b) of the National Defence Act requires me, in response to a complaint, to undertake any investigation I consider necessary. During 2002-03, I received no complaints about CSE activities from any source.

Neither were concerns about CSE activities addressed to me under the public interest defence provisions of the Security of Information Act.

Review Agencies Conference

The third International Intelligence Review Agencies Conference was held in London, England, from 12-15 May 2002. Representatives of review agencies from Australia, Belgium, Canada, New Zealand, Poland, Slovakia, South Africa, and the United States met their United Kingdom counterparts to exchange views on issues of common interest in the historical setting of Lancaster House.

In addition to discussing review arrangements in our respective jurisdictions, we examined the issue of review from the perspectives of the agency being reviewed and the public, as well as in relation to changes in technology. I remain grateful to our hosts for their outstanding hospitality.