Frequently Asked Questions
- Is the Commissioner independent?
- What access does the Commissioner have to the Communications Security Establishment (CSE) to be able to conduct his reviews effectively?
- What impact has review had on CSE?
- How can an agency the size of the Commissioner's office effectively review the activities of an organization the size of CSE?
- How does the Commissioner ensure that his office maintains sufficient resources to effectively review CSE's activities and respond to this dynamic environment?
- What happens to reports written after conducting reviews of an intelligence agency's activities?
- Can the minister or the intelligence agency remove embarrassing information or influence the contents of a report of the review body?
- Is the Commissioner's mandate appropriate?
- Does the Commissioner challenge the intelligence priorities of CSE?
- What is the difference between a ministerial directive (MD) and a ministerial authorization (MA)?
- Has the Commissioner examined CSE's metadata activity referred to in the January 30, 2014, CBC story?
Yes. As with similar review bodies, the Commissioner is independent of the government and of the intelligence agency being reviewed, and his office is independently funded by its own budgetary appropriation from Parliament. As an independent statutory officer, the Commissioner does not take direction from any minister of the crown or from CSE.
An additional point is that the National Defence Act requires the CSE Commissioner to be a retired or supernumerary judge of a superior court. A fundamental tenet of our democracy is the independence of the judiciary. A judge's career is based on independence and impartiality, with a practice of determining conclusions based on facts and tough probing questions.
What access does the Commissioner have to the Communications Security Establishment (CSE) to be able to conduct his reviews effectively?
The National Defence Act grants the Commissioner all the powers of a Commissioner under Part II of the Inquiries Act for the purposes of an investigation, including the power of subpoena to compel individuals to answer questions, to enter any facilities, to examine any records or systems, and to question any CSE personnel.
Additionally, Parliament legislated the review model such that the principal intelligence review bodies in Canada – the CSE Commissioner and the Security Intelligence Review Committee (SIRC) – are within the “security fence”. That means the review personnel hold security clearances to allow full access to the classified holdings, facilities and personnel of the intelligence agency being reviewed. This also allows review personnel to acquire expertise about CSE activities. This review model was the explicit intention of legislators when the Canadian Security Intelligence Service Act was passed in 1984, creating the Canadian Security Intelligence Service (CSIS) and its review agency SIRC. This was following recommendations of a royal commission that examined illegal activities of the Security Service of the Royal Canadian Mounted Police (antecedent to CSIS). The same model was used when the CSE Commissioner's office was established in 1996 by order in council and then formalized in the National Defence Act in December 2001.
When given this access, the review body is under the legal obligation to protect the information in its possession. The Security of Information Act and government security policies bind all individuals handling classified information.
What impact has review had on CSE?
Review has had a significant impact on CSE. Since the creation of the Office of the CSE Commissioner in 1996, over 90 percent of Commissioners' recommendations have been accepted, resulting in, for example:
- new and changed policies, procedures and practices to strengthen compliance with the law and privacy protection;
- the reporting by CSE of additional information relating to privacy to support the Minister of National Defence in his responsibility for CSE; and
- clarifying the authority under which certain CSE activities are conducted.
In 2013, a Commissioner's recommendation resulted in the Federal Court of Canada receiving additional evidence about certain CSIS warrants to intercept foreign telecommunications and the nature and extent of CSE's assistance to CSIS under those warrants.
http://www.canlii.org/en/ca/fca/doc/2014/2014fca249/2014fca249.html (Federal Court of Appeal) and
http://www.canlii.org/en/ca/fct/doc/2013/2013fc1275/2013fc1275.html (Federal Court of Canada)
Commissioners' reviews and questions have resulted in CSE stopping certain activities, a decision not taken lightly. The Commissioner's review process also encourages CSE to be proactively transparent. For example, there has been an instance when CSE decided to suspend activities of its own accord while it conducted an internal review and made improvements to certain activities. The Commissioner was kept informed throughout the process.
Commissioners have found a lack of clarity in certain information exchanges between CSE and CSIS. In one instance, due to the lack of clarity, a Commissioner was unable to reach a definitive conclusion about compliance or non-compliance with the law and therefore made recommendations to correct this situation. A follow-up review was undertaken. Also related to this instance, questions relating to CSIS were raised in the Commissioner's review. The Commissioner referred these questions to SIRC, who has the mandate to review CSIS, and therefore could follow-up on these questions as it deemed appropriate. This is an example of how review bodies can co-operate under existing legislation.
How can an agency the size of the Commissioner's office effectively review the activities of an organization the size of CSE?
Effective and rigorous review of CSE's activities is possible for the following reasons:
- the Commissioner's mandate is clear – it is focused solely on CSE and whether its operational activities comply with the law and include sufficient measures to protect the privacy of Canadians;
- as CSE has grown, so has the Commissioner's office, doubling its budget and increasing review staff capacity by more than a third over the past seven years;
- not all 2100 CSE employees conduct operations (many perform corporate and administrative functions) – those who conduct operations are split between foreign signals intelligence (SIGINT) and information technology (IT) security activities;
- a process of risk analysis helps determine review priorities by identifying CSE activities that present higher risks to non-compliance or to privacy;
- the focus of CSE's signals intelligence collection is foreign entities located outside Canada, and each year the Commissioner reviews a sample of these activities. The number of communications with a Canadian end (a “private communication”) that are unintentionally intercepted, and used or retained by CSE under SIGINT ministerial authorizations, is small; in 2013-2014 there were 66 and the Commissioner's office reviewed all of them;
- CSE's processes are increasingly automated, with privacy protections being built into them. Although this diminishes the possibilities of error or privacy violations, the Commissioner's office nevertheless examines and verifies CSE's use of technology, making recommendations where appropriate to strengthen compliance and privacy protection;
- the size of the Commissioner's office relative to CSE is similar to the other principal intelligence review body in Canada, SIRC, and has a much higher ratio of reviewers to staff in the reviewed organization than some comparable bodies in other countries. For example, the Inspector General of Intelligence and Security (IGIS) in Australia has a staff of similar size to the CSE Commissioner's office but is responsible for reviewing six intelligence agencies, including the Australian Signals Directorate, the CSE equivalent in that country; and in the United Kingdom, the Interception of Communications Commissioner, who is a former high court judge supported by a staff of eight, reviews ten agencies that use powers of interception.
How does the Commissioner ensure that his office maintains sufficient resources to effectively review CSE's activities and respond to this dynamic environment?
The Commissioner frequently asks if he has sufficient resources to effectively review the activities of CSE. Capacity review is an annual exercise that examines resource needs based on the current and planned workload of reviews, taking into consideration growth in the volume and scope of CSE's activities. Recruitment, retention and succession planning in the Commissioner's office are regularly examined to ensure appropriate size and skills of staff. Existing personnel are afforded training and development to support the continuous improvement in their skill sets.
Should the Commissioner determine that his existing resource base is inadequate to effectively review the activities of CSE as it grows and evolves, then he will request an increase to his appropriation from Parliament to expand his resource base, as has been done in the past.
What happens to reports written after conducting reviews of an intelligence agency's activities?
Reporting by the independent review bodies is done through the minister responsible for the intelligence agency, a basic principle of our form of government. Classified reports resulting from reviews of CSE activities are forwarded to the Minister of National Defence. These reports may contain recommendations. Since the Minister is responsible for CSE, he can order CSE to implement recommendations from the Commissioner; the Minister has done this in the past when CSE initially rejected a recommendation.
Unclassified summaries of the classified review reports are included in a public annual report sent to the responsible minister who must table the report in Parliament within a specified time, as required by law.
Can the minister or the intelligence agency remove embarrassing information or influence the contents of a report of the review body?
No – not for classified review reports and not for public annual reports.
The Commissioner bases his review reports on facts and draws conclusions from those facts. He would not permit any interference in that process, if any were attempted, which to date has never been the case. As is standard and accepted practice in audit or review processes in Canada, the agency being audited or reviewed has the opportunity to comment on a draft report for its factual accuracy. If the facts were not substantiated, any findings, conclusions or recommendations based on those facts would not be credible.
A draft of the public annual report is provided to the agency being reviewed for comment only as to security, guided by the Security of Information Act. Subsequently, the responsible minister must table the report in Parliament, as required by legislation.
Is the Commissioner's mandate appropriate?
This is ultimately a question for Parliament to determine. If the mandate were changed, the Commissioner would have to re-assess whether his resources were adequate.
Does the Commissioner challenge the intelligence priorities of CSE?
No. Establishing intelligence priorities is a prerogative of the executive arm of government. The National Defence Act requires CSE to collect foreign intelligence “in accordance with the Government of Canada intelligence priorities.” The Commissioner reviews CSE's foreign intelligence collection activities to verify that they are indeed in accordance with the government's intelligence priorities.
What is the difference between a ministerial directive (MD) and a ministerial authorization (MA)?
A ministerial directive (MD)(National Defence Act 273.62(3)) is a written document that provides additional requirements, conditions or limitations that the Minister of National Defence expects CSE to adhere to while conducting an activity already authorized by law. An MD does not authorize an activity. There are ministerial directives on: the protection of privacy of Canadians; accountability framework that includes requirements for reporting to the minister, expectations for compliance with law and for cooperation agreements with domestic and foreign entities; collection and use of metadata; and, for specific foreign signals intelligence collection (SIGINT) and information technology (IT) security activities. Ministerial Directives remain in effect until such time as they are amended or rescinded by the Minister. During the course of his reviews, the Commissioner verifies whether CSE has complied with ministerial directives that apply to the activity being reviewed.
A ministerial authorization (MA)(National Defence Act 273.65) does authorize an activity. It is a written document by which the Minister of National Defence authorizes CSE to engage in activity that risks the unintentional interception of a communication of which one end is in Canada – that is, a “private communication” — without criminal liability, provided that specific legal conditions are met. An authorization may be issued for CSE's SIGINT or its IT security activities. Without this authorization, CSE could not use or retain a “private communication” regardless of its importance for foreign intelligence or for protecting Government of Canada computer systems.
Since SIGINT and IT security activities conducted under MA may result in the unintentional interception of a “private communication”, legislators required that certain conditions be met, including:
- for SIGINT activities:
- that CSE must target foreign entities located outside Canada;
- if one end of that communication is in Canada, making it a “private communication”, it can only be used or retained if it is essential to international affairs, defence or security; and,
- that there are satisfactory measures in place to protect the privacy of Canadians;
- for IT security activities:
- that the interception of a “private communication”, must be necessary for identifying, isolating or preventing harm to computer systems;
- that the consent of the person whose communications may be intercepted cannot reasonably be obtained;
- that satisfactory measures are in place to ensure that the information will be used or retained only if it is essential to identify, isolate or prevent harm to Government of Canada computer systems; and
- that satisfactory measures are in place to protect the privacy of Canadians in the use or retention of the information.
As the law is interpreted by Justice Canada, MAs relate to a specific method of acquiring foreign signals intelligence or of protecting Government of Canada computer systems (the how); MAs do not relate to a specific individual or entity (the who or what). Ministerial authorizations are valid for a year and may be renewed.
The Commissioner is required by legislation to examine activities under an MA to determine if the activities are those authorized. He also verifies that all the requirements and conditions imposed by law on CSE have been respected and that any additional limitations or requirements, whether set out in MAs or MDs, are applied.
Has the Commissioner examined CSE's metadata activity referred to in the January 30, 2014, CBC story?
The Commissioner's office has been briefed by CSE about the metadata activity referred to in the CBC story. This activity is used by CSE to understand global communications networks. We questioned CSE employees involved in the activity and who prepared the presentation, and we examined results of the activity.
Based on our inquiry and on our accumulated knowledge and expertise from reviewing CSE's metadata and network analysis activities over a period of eight years, we concluded that this CSE activity does not involve “mass surveillance” or tracking of Canadians or persons in Canada; no CSE activity was directed at Canadians or persons in Canada.
We are also satisfied that the details and explanation that the Chief of CSE provided on February 3, 2014, before the Senate Committee on National Security and Defence are accurate.
If CSE were tracking the movements, on-line or other activities of persons at a Canadian airport, that would be illegal.
- Date modified: