Highlights of Reports Submitted to the Minister In 2018–2019

1. Review of CSE's Targeting Practices in the Context of a Particular Collection Program

Background

CSE conducts foreign signals intelligence collection activities under the authority of the National Defence Act. The Act requires that activities conducted under CSE's signals intelligence mandate, including methods of collection, be:

• consistent with Government of Canada intelligence priorities;
• not directed at Canadians or any person in Canada; and
• subject to measures to protect the privacy of Canadians in the use and retention of intercepted information.

To acquire information of potential foreign intelligence value to the government and to ensure that CSE directs its collection activities at foreign entities located outside of Canada, CSE must distinguish those communications that involve foreign entities – i.e., foreign persons, organizations, corporations or machines/networks – located outside Canada from those communications originating or terminating in Canada or involving Canadians. To that end, CSE uses strict criteria and parameters in “targeting” the communications of such foreign entities of interest and applies a number of control mechanisms to ensure compliance with the Act.

CSE conducts a particular intelligence collection program that provides unique access to foreign signals intelligence as well as to metadata in support of target and network analysis; the intelligence and the metadata, in turn, aid subsequent targeting and intelligence collection activities. This program is carried out under specific authorities and ministerial direction.

Certain risks and sensitivities associated with this program demand that its activities be reviewed periodically to verify whether, in fact, they were carried out in compliance with the law and with all applicable ministerial direction, and whether adequate measures were in place to protect the privacy of Canadians.

This review covered the period from April 1, 2015, to March 31, 2016; however, relevant developments since that timeframe were also taken into consideration. The review also followed up on certain issues raised in previous reviews that were relevant to the current review.

Findings and Recommendation

For the particular collection program that is the focus of this review as well as more generally, CSE has operational policies and procedures for its signals intelligence targeting activities that provide sufficient direction to CSE employees on the protection of the privacy of Canadians. Moreover, CSE employees display a high level of policy awareness pertaining to targeting and related activities.

CSE uses an automated rules-based approach to targeting, which helps ensure consistency in the application of its targeting criteria and adds rigour to the targeting process. Centralized validation of targeting requests, by a targeting authority outside the intelligence production chain, reduces the residual risk of inappropriate targeting and adds further rigour to the targeting process. CSE also maintains comprehensive records of its targeting history and has in place a compliance monitoring regime that includes, among other things, mandatory regular revalidation of targets to help ensure compliance as well as appropriate corrective action in the event of a targeting anomaly.

In following up on targeting-related issues that were raised in two previous reviews, the Commissioner found that CSE had addressed all but one. The single outstanding issue related to the ready availability of comprehensive statistics on a particular aspect of targeting that is carried out by CSE either on its own behalf or on the request of a Five Eyes collaborating agency. CSE had previously indicated an intention to enable its targeting management system to provide such statistics; however, the agency has since noted that it does not consider this capability a priority, and consequently nothing has materialized. CSE assured the Commissioner's office, however, that if such statistical information were needed, it could be generated manually. CSE also advised that it is developing a new system that is expected to address any statistical and reporting shortcomings previously identified, although the agency has not yet established a timeline for implementing this new system. The Commissioner's office will monitor progress in this area.

Another issue raised in two other previous reviews, and followed up on in the current review, involved specific long-standing discrepancies between CSE's practices and certain administrative risk-management measures stipulated in the ministerial directive for the intelligence collection program that was the focus of this review. The Commissioner found that these discrepancies continue to exist. The Commissioner recommended, once again, and as was also recommended by his predecessor, that CSE reconcile these discrepancies to comply with the ministerial directive by either fulfilling the stipulated administrative obligations or seeking an amendment to the applicable ministerial directive itself. The Commissioner was pleased to note, however, that the Chief of CSE committed in writing to rectify this situation in a timely manner.

Conclusion

As a result of this review, the Commissioner concluded that CSE's targeting activities during the period under review complied with the law and were directed at foreign targets in accordance with Government of Canada intelligence requirements. As well, CSE had satisfactory measures in place to protect the privacy of Canadians when conducting targeting activities. The Commissioner also concluded, however, that long-standing discrepancies remain between CSE's practices respecting the particular collection program that was the focus of the review and certain administrative obligations set out in a ministerial directive. The Chief of CSE subsequently committed to correcting this situation.

2. Review of CSE Assistance to the Canadian Security Intelligence Service for Warranted Target Activities

Background

Under its own authorities, CSE is prohibited from directing its foreign intelligence or information technology security activities at Canadians or at any person in Canada. CSE can, however, provide technical and operational assistance to federal law enforcement and security agencies in the performance of those agencies' lawful duties. In this context, the Canadian Security Intelligence Service (CSIS) may request CSE assistance to investigate or reduce a threat to the security of Canada using intrusive means, regardless of where that identified threat is situated in the world.

If CSIS has a judicially authorized warrant, issued under the Canadian Security Intelligence Service Act, CSE can support CSIS with the interception of Canadians' communications to investigate or reduce a threat to the security of Canada. When CSE provides operational assistance to CSIS, CSIS remains the owner of the information and of the intercepted communications relating to the subject of the warrant. Further, CSE is subject to any limitations imposed by law on the agency to which it is providing assistance.

Between 2008 and 2014, the Federal Court rendered several decisions that highlighted gaps in the statutory underpinnings of the domestic interception of foreign telecommunications and search warrant process, as well as issues concerning CSE assistance to CSIS in executing these warrants. In 2015, the CSIS Act was amended by the coming into force of Bill C-44, An Act to amend the Canadian Security Intelligence Service Act and other Acts, and of Bill C-51, Anti-terrorism Act. CSIS is now permitted by statute, when it has a validly obtained warrant, to investigate threats using intrusive means or to reduce threats to the security of Canada, within or outside Canada. To reflect the legislative changes, the term warranted target activities replaced the term domestic interception of foreign telecommunications and search.

Under this regime, CSIS requests for CSE assistance delineate the type of assistance requested and identify CSIS's rationale and authority to request the assistance. CSIS also provides CSE the relevant warrants issued by the Federal Court to demonstrate to CSE that CSIS has the legal standing to receive CSE assistance.

The Commissioner's office reviewed CSE assistance provided in support of all requests for assistance relating to CSIS warrants that were issued and expired between June 1, 2015, and June 1, 2017. The review also examined CSE's processes and practices concerning these activities. CSE provided the Commissioner's office with comprehensive briefings on its warranted target assistance activities. In addition, the office sent requests for information and received written responses from CSE. The Commissioner's office also examined applicable written and electronic records, files, correspondence and other documentation relevant to CSE assistance including policies and procedures, legal guidance, associated warrants, request for assistance documents, and internal correspondence. Furthermore, CSE employees involved in warranted target assistance activities were interviewed.

The Commissioner's office examined the contents of reporting databases to verify information provided by CSE and to ensure conformity with legal and ministerial requirements and associated policies and procedures. For that purpose, all reports and requests for CSE assistance to CSIS warranted target activities during the period under review were assessed. The office also assessed a sample representing over 20 percent of the total selectors used by CSE against various criteria to determine whether warrant conditions were respected.

Findings and Recommendations

During the period under review, CSE assisted CSIS in investigating threats to the security of Canada, but received no requests related to CSIS activities to reduce threats to the security of Canada.

First, the Commissioner's office assessed CSE's warranted target activities framework. It found that CSE reasonably interpreted the legal framework applicable to warranted target activities. CSE also accurately tracked and accounted for the required documents to conduct such activities. Further, to ensure that guidance was accurately put into practice, the office confirmed that requests for assistance and operational plans reflected legal guidance and warrant language.

Second, the Commissioner's office assessed whether CSE's practices followed the established guidance. It found that CSE respected warrant conditions when assisting CSIS. In addition, CSE's operational activities and handling of relevant data respected established control frameworks.

Third, the Commissioner's office assessed whether CSE adequately identified and managed compliance risks associated with legal, ministerial and policy requirements. It confirmed that CSE managers routinely and closely monitored the reviewed program activities to verify that CSE complied with governing authorities and that internal compliance monitoring and review of warranted target assistance activities by CSE contributed to the identification and mitigation of compliance risks.

Access to warrant-related decisions

The Commissioner's office noted that CSE was not always well apprised of the full scope of judicial decisions involving CSIS warrants. CSE's lack of direct access to minimally redacted warrant-related court decisions increased CSE's legal compliance risk given the fact that CSE may have less ability to form an independent opinion of CSIS's warrant authorities.

Before providing assistance, CSE must independently understand, in depth, the mandate of the organization for which it is approving assistance given that CSE will be acting under that organization's authority. To do so, CSE requires information such as court decisions that interpret CSIS activities. The Commissioner's office was advised that CSE's legal counsel, made up of Justice Canada employees acting in an advisory capacity, have access to unredacted court decisions pertaining to CSIS that are relevant to CSE and its operations. In practice, it is at the discretion of CSE's legal counsel when CSE employees are provided minimally redacted court decisions, or summaries of these decisions. Essentially, CSE employees do not directly receive court decisions relevant to CSIS activities. The fact that CSE is not directly provided general warrant-related decisions may hinder it from fully and independently assessing the risk of accepting requests to provide assistance to CSIS.

CSE would be in a better position to assess its own compliance risk if it was directly provided minimally redacted versions of the related CSIS warrant decisions. The Commissioner recommended that CSE develop, in collaboration with CSIS, a mecha­nism to provide CSE minimally redacted judicial decisions relevant to understanding CSIS's warrant authorities.

Changes in warrant language or interpretation

In addition, during the period of review, CSE did not benefit from a formal notification process of any change in warrant language or underlying interpretation from CSIS. The Commissioner's office believes that CSE should be informed by CSIS when there are changes in warrant language or underlying interpretations of what the language entails, particularly since CSE does not receive minimally redacted Federal Court decisions unless Justice Canada legal counsel at CSE deems them relevant to CSE activities.

While it is positive that CSE has identified both substantive and stylistic changes brought to requests for assistance and warrants over the course of the review period, legal compliance risks are heightened by relying on internal expertise to identify modifications in complex documents. The Commissioner therefore recommended that CSE develop, in collaboration with CSIS, a formal notification mechanism to inform CSE of any changes to the warrant template or of any changes to the underlying interpretations of CSIS warrants in the context of the warranted target activities program.

Access to CSE information

Lastly, the Commissioner's office relies on CSE to receive timely, accurate and complete responses to its inquiries in order to determine whether CSE's activities complied with the law. CSE is also expected to provide high-quality responses to other review bodies, such as the National Security and Intelligence Committee of Parliamentarians, and, in the event that Bill C-59 receives Royal Assent and comes into force, the National Security and Intelligence Review Agency.

Over the course of this review, the Commissioner's office noted one instance where internal access controls inhibited efforts by CSE review advisors to retrieve relevant records, leading to incomplete information being initially provided. CSE found that its review advisors had not been granted full access to CSE reporting databases and thus received inaccurate search results. The CSE review facilitation group did not know it lacked the necessary permissions to access the information. CSE ultimately provided the Commissioner's office the complete information. The Commissioner recommended that CSE take measures to ensure the identification and retrieval of all documentation relevant to a review request are accurate and complete.

In addition, the Commissioner encouraged CSE to evaluate whether its internal compliance groups have similar access constraints given that their access to information is structured in a similar manner to CSE's review facilitation group. Access to information for internal oversight and review facilitation groups is important. Groups at CSE charged with facilitating both internal and external oversight and review ought to be granted sufficient access to provide review bodies accurate and complete information.

Conclusion

In response to the issues identified in this review, CSE has already taken steps to address the recommendation pertaining to the establishment of a formal notification mechanism for changes to warrant language or interpretation. CSE has indicated that since the review period, it has developed a formal mechanism with CSIS to regularly update warrant language. The Commissioner's office will monitor this development.

The Commissioner concluded that CSE's warranted target assistance activities complied with the law, ministerial direction, and CSE's policies and procedures. Furthermore, CSE has satisfactory measures in place to protect the privacy of Canadians when conducting warranted target activities.

3. Annual Review of CSE Disclosures of Canadian Identity Information, 2017–2018

Background

This is the 10th annual review of a sample of CSE disclosures of Canadian identity information. This review's objective was to verify that CSE disclosures of Canadian identity information complied with the law, ministerial direction, and CSE policies and procedures, including assessing the extent to which CSE protected the privacy of Canadians.

The Commissioner's office selected and examined a sample of 22 percent (258 requests) of the 1,156 requests from CSE's Government of Canada clients for Canadian identity information contained in CSE and Second Party reports. The requests were received by CSE between July 1, 2017, and June 30, 2018. The sample included all government institutions that made a request during that period. A review of 2015–2016 requests for disclosure found that requests submitted by a particular Government of Canada client typically contained insufficient details. A summary of this review can be found in the Commissioner's 2017–2018 annual report. This sample included all requests submitted by that client.

Consistent with the approach last year, the office conducted a comparative analysis of requests from various Government of Canada clients. During this review, the Commissioner expected to see evidence of CSE's action on a recommendation made in January 2018 during the 2015–2016 review, that CSE strengthen its procedures to exercise a higher degree of diligence to ensure that all requests stipulate both the lawful authority under which the information is being requested, and a robust operational justification for the need to acquire that information, consistent with the requestor's mandate. The Minister accepted this recommendation and CSE advised it had been implemented.

Although CSE made progress in implementing this recommendation, the review of disclosures for the 2017–2018 period still found instances where the lawful authority and/or operational justification provided in certain client requests could be strengthened.

The office also examined all 102 requests from Second Party partners and the 24 requests made by two Government of Canada clients and CSE itself to share specified Canadian identity information with non-Five Eyes entities. When CSE releases such information to Second Party partners or non-Five Eyes recipients, CSE is responsible for determining if this sharing could result in a substantial risk of mistreatment of the Canadian whose information is being released. If CSE discloses the information to other Government of Canada institutions, however, those institutions must conduct the mistreatment risk assessment before they can release the information through their own channels.

Findings and Recommendation

The Commissioner found that:

• CSE disclosures of Canadian identity information complied with the law;
• the requesting Government of Canada clients or Second Party partners had the authority to obtain the information; however, some client requests did not always explicitly state the lawful authority or provide robust operational justification;
• there were four instances where CSE's disclosure of Canadian identity information was contrary to its operational policies and procedures; and
• CSE acted in accordance with ministerial direction for addressing risks in sharing information with foreign entities that could result in the mistreatment of an individual.

While the Commissioner found that the disclosure of Canadian identity information complied with the law, 7 percent of the requests analyzed did not stipulate a legislative authority, including a few from the client department whose requests were identified as deficient in the review of 2015–2016 disclosures.

In just over 80 percent of requests for disclosure of Canadian identity information, clients provided robust operational justification. In some instances, however, the Commissioner's office was unable to assess CSE's decision to disclose the Canadian identity information based solely on the written record provided, and had to rely on additional information provided by CSE. The Commissioner's office is of the view that the additional clarification from CSE constituted information that should have been included in the justifications provided in the requests for Canadian identity information or, alternatively, in CSE's records of the rationale for approving the disclosures.

In just under 20 percent of requests, clients provided operational justifications that were generic. CSE explained that generic justifications had been developed in discussion with clients and tested over time. CSE also explained that its analysts learn its clients' mandates, authorities and requirements. However, the Commissioner's office believes these generic requests could not be described as robust, as required by CSE policy, because they did not provide an important element required for approving a client's disclosure request: the requestor's specific reason for the Canadian identity information.

CSE believes these generic requests meet the minimum requirements of policy. However, because the requests contain generic justifications that did not sufficiently outline the requirement for the suppressed information, they failed to meet the Commissioner's office's expectations for justifications of Canadian identity information disclosures. The Commissioner's office will monitor this matter.

In two instances, the operational justifications were inadequate because they did not meet the policy requirements. These two requests came from within CSE itself. During the review, the Commissioner's office noted that these two releases were unproblematic and approved. However, information in CSE's 2017–2018 Minor Procedural Errors File specified that the released Canadian identity information in these cases was in fact subsequently “retracted.” Therefore, the CSE corporate records that had been examined by the Commissioner's office contained incomplete information as to the status of these releases.

In light of these findings, the Commissioner recommended that CSE take measures to ensure its corporate records regarding the disclosure of Canadian identity information contain detailed and complete information describing and documenting the disclosure, as well as the status of the disclosure.

It is positive that CSE identified these two releases proactively during routine monitoring, resulting in the identity information being retracted.

CSE's Five Eyes partners made 102 requests for disclosure of Canadian identity information in the period under review. The office raised issues with two of these requests. The first related to a request that resulted in Canadian identity information being mistakenly disclosed to a Second Party partner despite a decision that the disclosure was not authorized. Prior to the office's review, CSE was unaware of the disclosure to this agency. The incident was subsequently recorded in CSE's Privacy Incidents File.

The second issue concerned insufficient operational justification being provided by a requesting Five Eyes partner.

The Commissioner encouraged CSE to exercise enhanced diligence when disclosing Canadian identity information outside of Canada and to ensure all policy requirements are met.

Conclusion

This review found that CSE disclosures of Canadian identity information complied with the law but there were instances where CSE did not comply with its own policy to require the requesting agency to provide its lawful authority and sufficient operational justification to acquire the information.

The Commissioner recommended that CSE take measures to ensure its corporate records regarding the disclosure of Canadian identity information contain detailed and complete information describing and documenting the disclosure, as well as the status of the disclosure. Since the period under review, CSE has advised it has introduced a new tool for receiving, responding to and tracking requests for disclosure of Canadian identity information. This tool could possibly track the status of a disclosure, including situations where a disclosure decision is retracted. The Commissioner's office will monitor this development.

The integrity of the review process for both CSE and the Commissioner's office depends on the accuracy and completeness of the information provided by CSE. During this review, the Commissioner's office found that the identification and retrieval of some information relevant to the review was incomplete. The Commissioner identified a need for improvement in this area in his recommendation in the review of CSE's assistance to the Canadian Security Intelligence Service for warranted target activities (page 19).

The Commissioner's office will continue to conduct annual reviews of CSE disclosures of Canadian identity information to clients and partners to verify that CSE complies with the law and protects Canadians' privacy.

4. Annual Combined Review of CSE Foreign Signals Intelligence Ministerial Authorizations, 2017–2018 and 2018–2019, and a One-End Canadian Communications Spot Check

Background

This summary combines the findings of two reviews:

• The annual foreign signals intelligence ministerial authorizations review: The review of foreign signals intelligence ministerial authorizations was executed under the National Defence Act, which requires the Commissioner to review CSE activities under ministerial authorizations to ensure they were authorized and to report annually to the Minister on the results of the review. The Commissioner's office also reviewed the status, at the end of the ministerial authorization period, of private communications that were intercepted under these ministerial authorizations and retained or used by CSE.
• A spot check review of one-end Canadian communications: The spot check review was conducted under the Commissioner's main mandate to review CSE's activities to ensure that they were in compliance with the law. The review examined one-end Canadian communications retained, used or deleted by CSE during a two-month period in 2018. They included those intercepted by Second Party partners and transmitted to CSE.

CSE conducts foreign signals intelligence collection activities under its mandate to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence in accordance with Government of Canada intelligence priorities. These activities must not be directed at Canadians anywhere or at any person in Canada and must include measures to protect the privacy of Canadians in the use and retention of intercepted information.

The National Defence Act also permits the Minister to authorize CSE in writing, for the sole purpose of obtaining foreign intelligence, to intercept private communications in relation to an activity or class of activities specified in the ministerial authorization. Since foreign signals intelligence activities risk the unintentional interception of private communications, CSE must conduct these activities under the authority of a ministerial authorization. An intercepted private communication may be retained or used by CSE only if it is deemed essential to international affairs, defence or security. All collected information used in a foreign intelligence report is retained indefinitely by CSE.

During fiscal year 2018–2019, CSE conducted foreign signals intelligence collection activities under three ministerial authorizations. These were in effect July 1, 2017, to June 30, 2018, and were reissued for a one-year period: July 1, 2018, to June 30, 2019. The office reviewed these six ministerial authorizations.

The objectives of the review were:

• to ensure the ministerial authorizations were authorized, that is, that the conditions for authorization set out in the National Defence Act were satisfied;
• to identify any significant changes – for the years under review, compared with previous years – to the ministerial authorization documents themselves and to CSE activities or class of activities described in the ministerial authorizations; and
• to assess the impact, if any, of the changes on the risk of non-compliance with the law and on the risk to privacy.

The office examined the status, at the end of the 2017–2018 ministerial authorization period, of the recognized private communications that CSE had acquired, retained or used in carrying out its foreign signals intelligence activities. The office verified CSE's compliance with the law and with all applicable authorizations, ministerial directives and policies, and assessed the extent to which CSE protected the privacy of Canadians. In addition, the Commissioner's office conducted a spot check review – with no notice given to CSE – of all one-end Canadian communications (which include private communications) used or retained by CSE during a two-month period in 2018.

For both the private communications acquired under ministerial authorization and the one-end Canadian communications that were part of the spot check review, the office examined all foreign intelligence reports produced by CSE that were based in whole, or in part, on these communications. The office also received briefings on all of these communications that were retained, viewed a sample of them directly, and interviewed the foreign intelligence analysts and supervisors concerned – who were working on government intelligence priorities such as terrorism and supporting military operations – about their justification for retaining the communications.

Findings

The Commissioner found that the 2017–2018 and 2018–2019 foreign signals intelligence ministerial authorizations met the conditions for authorization set out in the National Defence Act, namely that:

• the interception was directed at foreign entities located outside Canada;
• the information could not have been reasonably obtained by other means;
• the expected foreign intelligence value of the information justified the interception;
• satisfactory measures were in place to protect the privacy of Canadians; and
• private communications were used or retained only if they were essential to international affairs, defence or security.

The 2018–2019 ministerial authorizations and associated request memoranda to the Minister incorporated changes arising from two recommendations that the Commissioner made last year. One recommendation stemmed from a noted reduction in technical and process-related detail that was provided in one of the request memoranda for 2017–2018 compared with previous years, which had resulted in a memorandum to the Minister that was not as informative as it could be. Consequently, the Commissioner had recommended that CSE ensure that future foreign signals intelligence request memoranda contain comprehensive information to describe and document the agency's contemplated activities in a thorough manner to better support the Minister's decision-making. CSE satisfactorily addressed this recommendation by including additional contextual information in all three of its 2018–2019 foreign signals intelligence request memoranda.

The Commissioner's second recommendation last year was that CSE clarify the language in the ministerial authorizations related to solicitor-client communications. One goal was to accurately reflect the legal protection for such communications recognized in Canadian law; the other goal was to ensure consistency in the definition of this term in policy and in how CSE determines if a communication is a solicitor-client communication in practice in both its information technology security and foreign signals intelligence activities. This recommendation was addressed by clarifying the language in the ministerial authorizations and including a definition of solicitor-client communication that reflects the legal protection afforded these types of communications. In ministerial authorizations, solicitor-client communication is now defined as “a communication relating to the seeking, formulating or giving of legal advice between a client and a person authorized to practice as an advocate or notary in Quebec or as a barrister or solicitor in any territory or other province in Canada, or any person employed in the office of such advocate, notary, barrister or solicitor.”

Over the course of the 2017–2018 ministerial authorization period, the number of recognized private communications unintentionally intercepted by CSE increased modestly (0.6 percent); however, the number of these private communications deemed essential to international affairs, defence or security, and hence retained, increased markedly, by close to 120 percent (from 954 in 2016–2017 to 2,093 in 2017–2018). Of these 2,093 private communications, 402 were used in 20 foreign intelligence reports produced during this period. These reports addressed valid intelligence priorities, and the retention and use of the private communications was found to be reasonable and justified.

The remaining 1,691 private communications were retained for ongoing analysis, and all but one was subsequently deleted. The one remaining private communication was retained for further analysis and possible use. None of the recognized private communications were identified as solicitor-client communications.

As part of the spot check review, the office examined all of the foreign intelligence reports produced by CSE that were based in whole, or in part, on one-end Canadian communications. The office also received briefings on all of the retained one-end Canadian communications, viewed them, and interviewed the CSE officials concerned. The office confirmed that all one-end Canadian communications that were not deemed essential had been deleted from CSE's systems.

Based on the information reviewed and the interviews conducted, the Commissioner found that CSE complied with the law and protected the privacy of Canadians. Specifically:

• CSE did not direct its foreign signals intelligence activities at Canadians or persons in Canada;
• one-end Canadian communications recognized by CSE were intercepted unintentionally;
• one-end Canadian communications used and retained by CSE were essential to international affairs, defence or security, as required by the National Defence Act;
• CSE deleted non-essential one-end Canadian communications; and
• CSE conducted its foreign signals intelligence activities in accordance with applicable ministerial authorizations and directives and treated one-end Canadian communications in accordance with its policies and procedures – CSE did not retain private communications beyond the retention and disposition periods prescribed by its policy.

Evolving Legal Landscape and its Impact on CSE Accounting

In last year's review of the ministerial authorizations for foreign signals intelligence activities, the Commissioner noted that the Supreme Court of Canada had considered two cases (R v Marakah, 2017 SCC 59 and R v Jones, 2017 SCC 60) that addressed the concepts of “intercept” and “search” in the context of evolving technology. These cases were of potential relevance to the treatment of one-end Canadian communications within the context of CSE's foreign intelligence program. Ultimately, they did not impact CSE's operations; however, the evolving legal landscape has prompted CSE to expand the scope of its accounting for, and reporting on, a particular type of one-end Canadian communication that it acquires during the course of its foreign signals intelligence collection activities, whether the communications are in transit or at rest. This type of one-end Canadian communication will now be counted as a private communication.

In February 2011, then CSE Commissioner Décary recommended that CSE report to the Minister the number of this particular type of one-end Canadian communication, in a manner similar to what CSE does for recognized private communications intercepted under the other foreign signals intelligence collection programs. Although this recommendation was accepted by the Minister, CSE has not undertaken this reporting consistently throughout the years. CSE's new approach should not only ensure consistency in how private communications are annotated and counted, but also provide better accountability to the Minister. The office will continue to monitor any legal developments and their possible effect on CSE activities.

Conclusion

The Commissioner concluded that both the 2017–2018 and 2018–2019 foreign signals intelligence ministerial authorizations met the conditions for authorization set out in the National Defence Act. CSE made no significant changes to the ministerial authorizations or conduct of its foreign intelligence collection activities that adversely affected the risk of non-compliance with the law or to privacy, and the Commissioner's office found no evidence that CSE conducted collection activities contrary to legislative, ministerial or policy requirements. With respect to the interception, use and retention of private communications, the Commissioner concluded that CSE complied with the law and protected the privacy of Canadians.

Two previous recommendations made by the Commissioner – one proposing the inclusion of more comprehensive technical and process-related information in CSE request memoranda for ministerial authorizations, and the other citing a need for clearer and more consistent language in defining solicitor-client communications – were satisfactorily addressed by CSE. No recommendations resulted from either this year's annual review of CSE's foreign signals intelligence ministerial authorizations or the spot check review.

The Commissioner's office will continue to conduct these reviews.

5. Annual Review of CSE Cyber Defence Activities Conducted Under Ministerial Authorization, 2017–2018

Background

CSE conducts cyber defence activities under the authority of the National Defence Act. CSE helps protect electronic information and information infrastructures of importance to the Government of Canada. These activities shall not be directed at Canadians anywhere or at any person in Canada, and shall be subject to measures to protect the privacy of Canadians in the use and retention of intercepted information.

To detect and protect against sophisticated cyber threats, CSE may, on receiving a written request from a Government of Canada institution to conduct cyber defence activities, deploy equipment to collect and analyze data from that client's system or network. Because cyber defence activities risk the interception of private communications, CSE must conduct these activities under the authority of a ministerial authorization. The Minister may authorize CSE in writing – for the sole purpose of protecting the computer systems or networks of the Government of Canada from cyber threats – to intercept private communications in relation to an activity or class of activities specified in a ministerial authorization. In cyber defence activities, data intercepted by CSE, including any private communications, may be used or retained only if it is relevant and essential to identify, isolate or prevent harm to Government of Canada computer systems or networks.

This review covered the cyber defence ministerial authorization in effect from July 1, 2017, to June 30, 2018. The purpose of the review was to assess whether CSE's cyber defence activities complied with the law and to assess the extent to which CSE protected the privacy of Canadians. In conducting this review, the Commissioner's office examined CSE's 2016–2017, 2017–2018 and 2018–2019 memoranda to the Minister of National Defence, the associated ministerial authorizations, as well as the 2017–2018 CSE Year-End Ministerial Authorization Report to the Minister. The office received onsite briefings, conducted interviews, reviewed CSE databases, systems and legal opinions, and examined various types of reports, both internal and external. The office examined a sample of cyber incidents that included private communications.

At the onset of this review, CSE advised of potential delays in responding to the Commissioner's office's questions as a result of the creation of the Canadian Centre for Cyber Security, which was officially launched in October 2018.

Findings

The Commissioner found that the 2017–2018 cyber defence ministerial authorization met the conditions for authorization set out in the National Defence Act. CSE made no significant changes to the ministerial authorization or conduct of cyber defence activities that affected the risk of non-compliance with the law or to privacy. There were no significant amendments to policy instruments for cyber defence activities conducted under ministerial authorization during this review period. However, in June 2018 CSE promulgated a new policy suite that consolidated all operational policies and instructions into a single instrument. The Commissioner's office found this to be a positive change, effectively reducing the complexity of CSE's policy framework.

The Commissioner found that CSE complied with the law and conducted its activities in accordance with legislative, ministerial and policy requirements. Based on an examination of recognized private communications, the Commissioner found that CSE did not direct its cyber defence activities at Canadians or any person in Canada. The recognized private communications examined were related to malicious traffic or activity and suspicious anomalies for cyber threat detection. The private communications retained and used in reports were essential to identify, isolate or prevent harm to Government of Canada computer systems or networks. There were no significant technology changes to cyber defence systems or the overall cyber defence program for this period.

In reviewing the ministerial authorizations, the Commissioner's office found some changes in terminology and reporting elements. CSE confirmed that during the 2017–2018 ministerial authorization period it defined cyber defence terms used in ministerial and operational reporting in a way that easily corresponds to counts generated by cyber defence tools. Specifically, the 2017–2018 ministerial authorization Year-End Report now reports on the number of events instead of incidents as was done in previous years. This change in terminology was to align more closely with that used in cyber threat reporting regularly released by CSE. Also, the 2017–2018 ministerial authorization request memorandum to the Minister now speaks to the number of malicious events detected by CSE, instead of the number of compromises, as used in previous requests. This change in terminology better aligns with a statistic that can be easily and consistently generated by CSE's systems for reporting. Both of these changes are positive developments that promote consistency in CSE's reporting.

Cyber Defence Private Communications

For the 2017–2018 review period, the Commissioner's office selected and examined a sample of cyber defence data, including private communications intercepted by CSE. To facilitate this examination, a number of queries were executed against CSE databases. This resulted in a smaller sample than the office's usual selection of 20 percent. The queries were, however, considered to provide a more representative sample than the usual selection method because under the latter, the majority of incidents are automatically retained and not likely to reveal the variety of circumstances under which a private communication could be acquired by CSE. An example of such a query was a selection of an on-the-spot sample of data with incidental private communications from both the 2016–2017 and 2017–2018 authorization periods to confirm whether or not data was still in CSE's systems after the retention period had expired. Last year the Commissioner's office first learned of the existence of incidental private communications, and committed to continue monitoring the handling of these files in its annual reviews. As expected for the 2016–2017 period, this query generated zero results because the 12-month retention limit had passed. Some results were returned for the 2017–2018 period. However, this was consistent with the permissible retention period.

Change in interpretation of a private communication and counting method

In March 2015, the Commissioner completed a review of CSE's 2009–2012 cyber defence operations conducted under ministerial authorization. He raised an issue relating to CSE's practice, while conducting authorized cyber defence operations under ministerial authorization, of treating all unintentionally intercepted one-end in Canada communications as private communications as defined in the Criminal Code.

At the time, and since then, the majority of private communications intercepted by CSE and examined by the Commissioner's office, consisted of unsolicited e-mails sent from a cyber threat actor to a Government of Canada employee that contain nothing more than malicious code and/or an element of social engineering, that is, there was no exchange of any personal or other consequential information between the cyber threat actor and the Government of Canada employee. The Commissioner believed then, and continues to believe, that a communication where it is reasonable to expect that the purpose of sending it is to compromise Government of Canada computer systems or networks by inserting malware within it, is not a private communication within the meaning of the Criminal Code, which is referred to in the National Defence Act.

Until this year, CSE counted every e-mail containing malicious code sent to a Government of Canada employee as a private communication because at least one end is in Canada. Those e-mails used or retained by CSE have been included in the number of private communications reported to the Minister in accordance with the cyber defence ministerial authorization, for accountability purposes. This results in a large number of communications that CSE treats as private communications, thus distorting the privacy risk implications of CSE's cyber defence activities. The Commissioner therefore recommended in March 2015 that CSE reporting to the Minister on private communications unintentionally intercepted under ministerial authorizations should highlight the important differences between one-end Canadian communications intercepted under cyber defence operations and private communications intercepted under foreign signals intelligence activities, including the lower expectation of privacy attached to the private communications intercepted under cyber defence operations.

This year, CSE clarified its interpretation of the definition of a private communication in a cyber security context, making it consistent with the Commissioner's 2015 legal interpretation. Based on this new analysis, CSE implemented a new method of counting intercepted private communications.

Throughout the 2017–2018 ministerial authorization period, CSE identified both the automatically generated number of retained private communications (which do not necessarily contain substantive content, such as spam) and the number of private communications manually recognized by an analyst based on the proposed new interpretation of a private communication (which do contain substantive content). Analysts conducting cyber defence ministerial authorization activities were manually tracking the number of private communications with substantive content that are opened (viewed or recognized) and subsequently used or retained. CSE reported there were no solicitor-client communications used or retained pursuant to this ministerial authorization and that there were 45 recognized private communications with substantive content. The Commissioner's office confirmed this based on the sample reviewed. All private communications with substantive content related to malicious cyber activity.

By the end of the 2017–2018 ministerial authorization period, analyst training was concluded, CSE's new interpretation of a private communication was reflected in its new policy suite, and technical changes had been implemented to support a new counting methodology. The Commissioner's office will examine these implemented changes in next year's review.

Cyber Defence Reports

The Commissioner's office selected and examined a sample of reports representing eight types of cyber defence reporting. The sample reviewed included reports containing recognized private communications with substantive content and a random selection of other reports. These were examined for three elements: private communications, report dissemination and approvals. Where private communications were used in reports, the office confirmed they were essential to identify, isolate or prevent harm to Government of Canada computer systems or networks. Dissemination was within Canada, predominantly to clients in the Government of Canada and among the Five Eyes partners, and approval levels were consistent with policy requirements.

CSE Compliance Monitoring

This year, the Commissioner's office examined CSE's compliance monitoring activities and found that they were being carried out regularly. CSE has established a compliance monitoring program in accordance with its policy, to assess the compliance of cyber security operational activities with policy and legal requirements and to ensure the protection of the privacy of Canadians. General compliance activities conducted over the period under review pertained to: data retention and disposition, conditions imposed by ministerial authorizations, and data handling requirements. The Commissioner's office found that CSE was consistent in its compliance activities and that follow-up remedial action is being taken where compliance incidents are observed. Remedial action included employee removal from an authorized access list for raw cyber defence data and the recording of non-compliance incidents where applicable.

Follow-Up in Relation to Past Reviews

Last year, the cyber defence ministerial authorization specified the measures to be taken when a CSE analyst recognized a communication between a client and a Canadian solicitor. The Commissioner believed that the inclusion of this qualifier was misleading. Upon examination, the Commissioner also believed that there were inconsistencies in the definition of solicitor-client communication found in the ministerial authorization, CSE policy and how CSE determines if a communication is a solicitor-client communication in practice. The Commissioner therefore recommended that CSE clarify the language in the cyber defence and foreign signals intelligence ministerial authorizations to accurately reflect the legal protection for solicitor-client communications recognized in Canadian law, and ensure consistency with language in policy and with practice. While CSE did address this recommendation to make consistent its definition of solicitor-client communications in this year's cyber defence ministerial authorization, the Commissioner's office noted the policy did not follow suit. The new CSE policy suite has some minor discrepancies in the definition and continues to use the Canadian qualifier. Despite CSE's explanation that the policy reference to the term ‘Canadian solicitor' is supported by a clear definition that is consistent with the definition found in the 2018–2019 ministerial authorization, the Commissioner found the reference should be removed for consistency and to avoid future misinterpretation. CSE was encouraged to do this for all relevant parts of its policy suite.

The Commissioner's office also noted last year a CSE internal use record that contained unsuppressed Canadian identity information. The office committed to monitor the inclusion of Canadian identity information in future internal use records. The Commissioner's office examined 17 incidents that included internal use records. The Commissioner's office concluded that none of the selected sample had any private communications and that the inclusion of Canadian identity information, where applicable, was relevant to the protection of Government of Canada systems.

Conclusion

The Canadian Centre for Cyber Security established in 2018 amalgamates three distinct organizations with cyber security functions (Public Safety Canada's Canadian Cyber Incident Response Centre, Shared Services Canada's Government of Canada Security Operations Centre and CSE's own Information Technology Security group) under a single centre within CSE. This represents a significant change for cyber defence activities in Canada. The centre's impact to CSE cyber defence activities conducted under ministerial authorization will be examined in next year's review.

This year's annual review encountered significant delays. In explaining these delays, CSE noted competing priorities including the implementation of the new centre and various other high-profile initiatives such as activities involving the upcoming federal election. As a result of these delays, and despite CSE's best efforts, the review process was hindered because the Commissioner's office was pressed for time to conclude its review and limited in its follow-up and validation activities. However, the Commissioner's office acknowledges that the establishment of the Canadian Centre for Cyber Security is exceptional and it is expected that CSE will soon resume its timely support of the Commissioner's review function.

The Commissioner made no recommendations.

6. Annual Review of Privacy Incidents and Minor Procedural Errors Files

Background

CSE reports and documents any incidents that are associated with its operational activities, or those of its Second Party partners, where the privacy of a Canadian may have been put at risk contrary to CSE operational policy or to procedures on protecting the privacy of Canadians or any person in Canada.

Such incidents, along with corrective actions taken, are recorded in one of three files, depending on where the incident occurred and its potential to cause harm. These are CSE's Privacy Incidents File (PIF), Second Party Incidents File (SPIF) and Minor Procedural Errors File (MPEF).

The PIF is a record of incidents attributable to CSE involving information about a Canadian or any person in Canada that was handled in a manner counter to CSE privacy policy and exposed to external parties that ought not to have received it. This type of mishandling is labelled a “privacy incident.” The SPIF is a record of privacy incidents that are attributable to Second Party partners. These incidents may have been identified by the partners themselves, or by CSE. The MPEF is a record of instances where CSE improperly handled information about a Canadian but the information was contained within CSE and not exposed to external parties.

The office's annual review of the PIF, SPIF and MPEF focuses on incidents not examined in detail in the course of other reviews. The review is an opportunity to identify trends or systemic weaknesses that might suggest a need for corrective action, changes to CSE's procedures or policies, or an in-depth review of a specific incident or activity. For example, the office could challenge whether or not one of the incidents constituted an operational “material privacy breach,” which government-wide policy defines as a breach that involves sensitive personal information and could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals.

Besides reviewing the procedural errors, incidents and subsequent actions taken by CSE to correct the incidents or mitigate the consequences, the objectives of the review were:

• to examine any CSE operational material privacy breaches and CSE's associated corrective actions;
• to determine if any incidents raise questions about compliance with the law or the protection of the privacy of Canadians; and
• to evaluate CSE's policy compliance validation framework and monitoring activities in this context.

The period under review was from July 1, 2017, to June 30, 2018.

The office examined all 75 privacy incidents in the PIF (44) and SPIF (31) and subsequent corrective actions taken by CSE to address them. The office also examined all minor procedural errors (11) documented by CSE during the period under review.

Findings

The privacy incidents in both the PIF and SPIF included, for example, the inadvertent sharing or inclusion in a report of Canadian identity information without suppressing the information in accordance with CSE policy, as well as the unintentional targeting of, or database searches for information relating to, individuals not previously known to be Canadian or persons in Canada. In all instances, the reports were cancelled or corrected with the identities properly suppressed, the relevant entities no longer targeted, and any associated intercepted communications and reporting deleted.

However, one targeting incident reported in this year's PIF caused the Commissioner sufficient concern that it was examined in depth. CSE supported the office in the examination of this matter and the Commissioner's findings regarding this specific incident were issued separately and follow, under Review of a Targeting Privacy Incident.

With regard to the minor procedural errors entered in the MPEF, the Commissioner agreed with CSE that all entries were minor and did not constitute “privacy incidents.” These procedural errors included, for example: unopened files that may have contained Canadian identity information that were kept beyond the allowed retention period; a list that controlled access to certain types of information that technically malfunctioned and temporarily did not disable access to persons whose credentials were no longer valid; and a misconfigured routing tool that risked making Canadian Eyes Only information temporarily accessible to Second Party partners. The privacy impact of these incidents is considered less severe since they were contained internally and addressed prior to the information being accessed by anyone outside CSE.

Based on a review of the three files, answers to questions posed to CSE and an examination of the associated CSE records, the Commissioner found that in all instances CSE took appropriate corrective action, including, where feasible, measures to preclude similar occurrences in the future.

The Commissioner also found that CSE did not always follow a consistent approach to counting and categorizing incidents. According to CSE, the inconsistencies stem mainly from two issues: first, multiple teams may report various aspects of privacy incidents anchored in the same factual scenario, at different times; second, responsibility for the PIF, SPIF and MPEF files has changed within CSE over the past year. The Commissioner encouraged CSE to standardize its methodology for logging PIF, SPIF or MPEF entries and will monitor developments.

According to government-wide policy, it is a department's or agency's responsibility to identify material privacy breaches. CSE did not identify any operational material privacy breaches as having occurred during the period under review. The Commissioner agreed that the incidents listed in the PIF and SPIF for this period under review did not constitute material privacy breaches.

Conclusion

This review did not identify any material privacy breaches or systemic deficiencies. According to CSE, it did not become aware of any adverse impact on the Canadian subjects of any of the privacy incidents. The Commissioner was satisfied that CSE responded appropriately to privacy incidents and minor procedural errors identified during the period under review.

The recording and reporting of privacy incidents and minor procedural errors continue to be one effective means used by CSE to promote compliance with legal and ministerial requirements, and with operational policies and procedures, as well as to enhance the protection of the privacy of Canadians.

While the Commissioner made no recommendations and was satisfied that the contents and form of the PIF, SPIF and MPEF records contained sufficient details, he encouraged CSE to standardize its methodology for logging PIF, SPIF or MPEF entries and will monitor developments.

7. Review of a Targeting Privacy Incident

Background

In reviewing CSE's 2017–2018 privacy incidents and procedural errors files, the Commissioner indicated that there was one targeting incident reported in CSE's Privacy Incidents File that had caused him sufficient concern that he decided to examine it in-depth in order to determine whether CSE complied with the law. CSE was forthcoming in providing information and supporting the Commissioner's office as it examined this matter.

Findings

According to CSE, a privacy incident occurs when the privacy of a Canadian is put at risk in a manner that runs counter to, or is not provided for, in its operational policies. Typically, reporting of privacy incidents does not amount to findings of non-compliance with the law given the importance of encouraging proactive disclosure and mitigation of privacy incidents. Since the Commissioner's office began reviewing privacy incidents in 2011, the Commissioner made no non-compliance findings relating to Privacy Incidents File reviews given that CSE has typically adequately mitigated any privacy incident within a reasonable timeframe after the incident was discovered and reported.

In this particular instance, the Commissioner's office questioned whether CSE's targeting, for several years, of a possible Canadian who was ultimately confirmed to hold Canadian citizenship constituted a breach of CSE's policies and of the law because the incident was not adequately mitigated at the time it was discovered. Following the Commissioner's examination of the facts, he concluded that CSE complied with the law.

The law prohibits CSE from directing its activities against Canadians anywhere in the world and imposes on CSE the duty to establish measures to protect the privacy of Canadians in the use and retention of intercepted information. The law does not impose on CSE the obligation to avoid directing its activities at possible Canadians or to protect the privacy of possible Canadians. However, even if it is not required, it is CSE's practice to protect entities identified as possibly Canadian in the same manner as entities whose Canadian citizenship is confirmed. In such cases, CSE will apply privacy protection measures such as: cancelling or correcting reports with identities properly suppressed, no longer targeting the relevant entities, deleting any associated intercepted communications and reporting, and identifying the entity as “protected” in CSE's targeting database to prevent future targeting.

In this incident, a foreign national identified as possibly holding Canadian citizenship in 2010 remained targeted by CSE from 2010 to 2015. The incident was discovered, reported and fully mitigated in 2018, when a Second Party inquiry drew CSE's attention to the fact that this issue had not been fully addressed in 2010, when the person's possible Canadian citizenship was first discovered. In 2018, CSE obtained the necessary information to confirm that the targeted person was indeed Canadian.

Given that the identity of the targeted entity was only confirmed to be Canadian in 2018, the Commissioner was satisfied that CSE's mitigative actions following the confirmation of the entity's citizenship were adequate and undertaken in a timely mannor, like other matters in CSE's Privacy Incidents File.

The Commissioner found that CSE analysts did not knowingly target the Canadian while the entity's status remained unconfirmed and that a series of factors led to CSE not appropriately protecting the Canadian's privacy in 2010. Some contributing factors identified included that the incident was discovered over a holiday; that separate targeting teams responsible for different technical aspects of collection did not properly coordinate their response to the incident; and that CSE failed to identify the possible Canadian as such in CSE's targeting database.

Although the Commissioner concluded that CSE's conduct in this instance complied with the law, this incident highlighted gaps in CSE's information management, entity protection procedures and policy guidance relating to targets that may be Canadian but whose status has not been confirmed.

Conclusion

Since this incident occurred, CSE introduced a number of measures to enhance the protection of the privacy of Canadians and to reduce the risk of inadvertently targeting Canadians. The risk of such an error re-occurring is low given that CSE has adopted new targeting tools, redeveloped policies and procedures, updated its organizational structure to further reduce compliance risks, improved how it manages information storage and knowledge sharing, and improved its incident handling systems and protocols.

In addition, CSE has committed to implementing other improvements to its policies and procedures to further reduce the risk of inadvertently targeting a Canadian, notably by creating clear operational policy requirements for protecting entities identified as possibly Canadian; by consolidating accountability for de-targeting in one area; and by conducting an internal evaluation of the coordination between key stakeholders to ensure that necessary actions are taken in response to privacy incidents and to identify other potential gaps in procedures.

The Commissioner was satisfied with CSE's response to the incident and made no recommendations.