Language selection

Government of Canada / Gouvernement du Canada

Search


Review of Information Sharing Across Aspects of CSE’s Mandate

Date of Publishing:

GAC Minister letter to NSIRA To Follow

This report has been modified slightly from the final version which was provided to the Minister. An error in the language of Finding 4, wherein two different versions were presented within the report and the summary, has been corrected for publication. The correct language was always represented in the body of the final report. The incorrect language has been replaced with the correct language for publication.

Executive Summary

(U) This review examined the Communications Security Establishment’s (CSE) legal authority for sharing information obtained in the course of one aspect of its mandate (“aspect”) for the purposes of fulfilling another aspect of its mandate. Specifically, the review focused on internal information sharing within CSE between the foreign intelligence (FI), and the cybersecurity and information assurance (cybersecurity) aspects of its mandate.

(U) NSIRA examined whether CSE’s internal sharing of information relating to a Canadian or a person in Canada (IRTC) is consistent with the Privacy Act, which limits how collected personal information can be used by a federal institution, and the CSE Act, which applies to CSE’s incidental collection and use of IRTC. NSIRA concluded that from the descriptions of the aspects in sections 16 and 17 of the CSE Act, there may be instances where information acquired under one aspect can be used for the same, or a consistent purpose, as another. This would satisfy Privacy Act requirements for sharing information internally. However, this cannot simply be assumed as the purposes of the aspects differ within the CSE Act. CSE must conduct case-by- case compliance analysis that considers the purpose of the collection and sharing.

(U) NSIRA considers it necessary for the Chief of CSE’s application for a Ministerial Authorization to fully inform the Minister of how IRTC might be used and analysed by CSE, including the sharing of IRTC to another aspect, and for what purpose. With one exception, the Chief’s applications for the period of review appropriately informed the Minister of National Defence that retained IRTC might be used to support a different aspect. Moreover, the foreign intelligence applications appropriately informed the Minister how CSE assessed “essentiality” for IRTC collected under the FI aspect.

(U) Under CSE policy, an assessment of IRTC’s relevance, essentiality, or necessity to each aspect is required for sharing information across the aspects. CSE policy offers definitions and criteria for assessing and applying these thresholds to the information. NSIRA found that CSE’s policy framework with regards to the internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate is compliant with the CSE Act.

(U) The information provided by CSE has not been independently verified by NSIRA. Work is underway to establish effective policies and best practices for the independent verification of various kinds of information, in keeping with NSIRA’s commitment to a ‘trust but verify’ approach.

Authorities

(U) This review was conducted under the authority of paragraph 8(1)(a) of the National Security and Intelligence Review Agency Act (NSIRA Act).

Introduction

(U) This review examined the Communications Security Establishment’s (CSE) legal authority for sharing information obtained in the course of one aspect of its mandate (“aspect”) for the purposes of fulfilling another aspect of its mandate. Specifically, the review focused on internal information sharing within CSE between the foreign intelligence (FI), and the cybersecurity and information assurance (cybersecurity) aspects of its mandate. Broadly, this review also documented activities pertaining to the internal sharing of information relating to a Canadian or a person in Canada between the foreign intelligence and cybersecurity aspects, in order to inform future reviews by NSIRA.

(TS) The Office of the Communications Security Establishment Commissioner (OCSEC) previously studied the sharing of, and access to, cyber threat information between CSE’s SIGINT and IT Security Branches. OCSEC’s review found that CSE’s cyber threat information sharing and accessing activities between CSE’s SIGINT and IT Security were consistent with National Defence Act and Privacy Act authorities, and that information shared between the branches posed a minimal risk to the privacy of Canadians.

(U) With the coming into force of the CSE Act, on August 1, 2019, CSE’s legal authorities for conducting its activities have changed since OCSEC’s review. In light of this change of legal authority for CSE, NSIRA decided to re-assess and evaluate whether CSE’s internal information sharing activities between the FI and cybersecurity aspects are consistent with the CSE Act and the Privacy Act.

(U) NSIRA expects that CSE’s internal sharing of IRTC complies with the CSE Act and the Privacy Act. As such, the focus of this review was to examine the legal authority that allows for CSE to share IRTC between the FI and cybersecurity aspects.

(U) The Communications Security Establishment Act (CSE Act), creates five distinct aspects to CSE’s mandate. The CSE Act distinguishes between each aspect and its associated activities, as listed below: Foreign intelligence (FI) (section 16): to acquire information from the global information infrastructure (GII), and to use, analyse and disseminate the information for the purpose of providing foreign intelligence;

  • Foreign intelligence (FI) (section 16): to acquire information from the global information infrastructure (GII), and to use, analyse and disseminate the information for the purpose of providing foreign intelligence;
  • Cybersecurity and information assurance (cybersecurity) (section 17): to provide advice, guidance and services to help protect electronic information and information infrastructures of federal institutions or those designated under subsection 21(1) of the CSE Act, and to acquire, use and analyse information to do so;
  • Defensive cyber operations (section 18): to carry out activities on the GII to help protect electronic information and information infrastructures of federal institutions or those designated under subsection 21(1) of the CSE Act;
  • Active cyber operations (section 19): to carry out activities on the GII to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of foreign entities; and
  • Technical and operational assistance (section 20): to provide technical and operational assistance to federal law enforcement, security agencies, the Canadian Armed Forces and the Department of National Defence.

(U) The CSE Act also distinguishes between the aspects by requiring different Ministerial Authorizations (MAs) for CSE’s activities, except for assistance activities (s. 20). Under the CSE Act, and with the exception of assistance activities, CSE’s activities must not be directed at a Canadian or any person in Canada, and must not infringe the Canadian Charter of Rights and Freedoms. Under the FI and cybersecurity aspects, CSE’s activities must not contravene any other Act of Parliament or involve the acquisition of information on or through the GII that interferes with the reasonable expectation of privacy of a Canadian or a person in Canada, unless carried out under a MA.

(U) The Minister of National Defence may issue a MA that permits CSE to conduct activities or classes of activities that may contravene any other Acts of Parliament, and, in the case of FI and cybersecurity, would involve the acquisition of information that would interfere with the reasonable expectation of privacy of a Canadian or a person in Canada. FI and cybersecurity MAs must be approved by the Intelligence Commissioner (IC), who must review whether the conclusions made by the Minister in issuing the authorization are reasonable.

(U) Thus, CSE is permitted to incidentally acquire information relating to a Canadian or a person in Canada in the course of carrying out activities that are authorized by an FI (s. 26(1)), cybersecurity (s. 27(1) or 27(2)), or emergency (s. 40) MA. CSE refers to this information as information relating to a Canadian or a person in Canada (IRTC). In order to issue an authorization, the Minister must be satisfied that CSE will only use, analyse or retain IRTC when it meets the “essentiality” conditions in section 34 of the CSE Act, which are different for the FI and cybersecurity aspects. For FI, “essentiality” means an assessment of whether the information is essential to international affairs, defence or security. For cybersecurity, “essentiality” means an assessment of whether the information is essential to identify, isolate, prevent or mitigate harm to (i) federal institutions’ electronic information or information infrastructures, or (ii) electronic information or information infrastructures designated under subsection 21(1) of the CSE Act.

(U) As the CSE Act distinguishes between the aspects and the corresponding MAs, NSIRA examined CSE’s legal authority for sharing IRTC between the FI and cybersecurity aspects.

(U) Due to operational and access-related challenges, including due to the COVID-19 pandemic, this review was not able to independently assess and verify CSE’s compliance with the law or compliance with the restrictions and authorities in place when internally sharing and using information between aspects. Additionally, NSIRA was not able to independently observe, investigate or validate the systems used when sharing data between aspects (consult Annex F for a description of processes and methods used by CSE to share information between the two aspects). These data sharing systems may be examined in future NSIRA reviews.

(U) NSIRA also intended to review the internal sharing of information with the active (ACO) and defensive (DCO) cyber operations aspects of CSE’s mandate, including compliance with the requirements in subsection 34(4) of the CSE Act on acquiring information while conducting ACO and DCO cyber operations. Among other things, this subsection stipulates that no information may be acquired pursuant to ACO and DCO authorizations unless done in accordance with an FI (CSE Act, s. 26(1)), cybersecurity (CSE Act, ss. 27(1) & 27(2)), or emergency (CSE Act, s. 40(1)) authorization. This facet of the review was instead covered in NSIRA’s review of CSE’s Active Cyber Operations and Defensive Cyber Operations – Governance, and will be further examined in NSIRA’s second review of ACO and DCO activities later in 2021.

(U) Importantly, this review did not examine the disclosure of Canadian identifying information (CII) outside of CSE.

Background

What is IRTC?

(U) While the CSE Act mentions IRTC several times, it is not clearly defined. In practice, IRTC is the information about Canadians or persons in Canada that may be incidentally collected by CSE while conducting FI or cybersecurity activities under the authority of an MA. According to CSE policy, IRTC is any information recognized as having reference to a Canadian or person in Canada, regardless of whether that information could be used to identify that Canadian or person in Canada.

(U) There is a distinction to be made between IRTC and Canadian identifying information (CII). For example, the CSE Act uses both IRTC and CII throughout the Act to describe types of information. Where IRTC is any information recognized as having reference to a Canadian or a person in Canada, CII is information that could be used to identify a Canadian or a person in Canada and that has been used, analyzed or retained under a FI or emergency authorization. CSE describes CII as a subset of IRTC. CII may be disclosed by CSE to designated persons under section 43 of the CSE Act.

Internal Sharing of IRTC at CSE

(TS) In some circumstances, CSE policy allows for IRTC collected under the authority of one aspect to be shared for use under another aspect (see Annex D for a description of the other types of information that is shared between the FI and cybersecurity aspects). CSE policy permits FI to be used internally to fulfill cybersecurity requirements. Information retained under the cybersecurity aspect may be used by CSE personnel operating under the FI aspect, unless the information is subject to any conditions imposed on it by external clients or disclosing entities. According to CSE, sharing information across aspects of the mandate enables CSE to carry out its activities in support of Government of Canada priorities.

(TS) In the cybersecurity context, CSE explained that any IRTC shared internally in support of the FI aspect [redacted description of CSE operations]

(TS//SI) An example that CSE provided [redacted example of CSE operations]. Sharing this information across the aspects of the mandate enabled CSE to help protect GC information and information infrastructures as well as those of Systems of Importance (SOI), by identifying, isolating and mitigating the threat, and provided GC decision- makers with a comprehensive view of the foreign threats targeting Canada.

(TS) After reviewing a random selection of reports, in addition to receiving information by CSE and interviewing analysts familiar with working on both FI and cybersecurity, NSIRA learned that the IRTC shared between the FI and cybersecurity aspects generally included: [redacted list of operational utilized in the system]. CSE policy permits [redacted].

(U) CSE asserts that although IRTC is shared across the aspects, activities will not be directed at Canadians or persons in Canada. As previously mentioned, CSE must not direct its activities at a Canadian or any person in Canada.

Findings and recommendations

Compliance with the CSE Act and the Privacy Act

What Acts Apply to the Internal Sharing of Information?

(S) The relevant statutes that apply to CSE’s internal information sharing are CSE’s enabling statute, the CSE Act, and the Privacy Act. The CSE Act does not provide a clear authority to share IRTC between the aspects. Likewise, the CSE Act disclosure provisions for CII in sections 43–45 do not prima facie contemplate internal sharing of IRTC, as to disclose information under these provisions, the Minister would need to authorize CSE to collect and disclose CII to itself. Additionally, CSE is not a designated entity under section 45 of the CSE Act for the purposes of receiving disclosed information under sections 43 and 44.

(U) IRTC could constitute personal information as defined in section 3 of the Privacy Act, which is information about an identifiable individual that is recorded in any form. For example, Canadian IP addresses, may constitute both IRTC for the purposes of the CSE Act and personal information under the Privacy Act. Pursuant to section 4 of the Privacy Act, the collection of personal information must relate directly to an operating program or activity of the institution, which includes CSE’s mandated activities in the CSE Act.

(U) The Privacy Act also requires that personal information be used and disclosed in manner consistent with sections 7 and 8 of the Privacy Act. For reference, Section 7 of the Privacy Act states:

Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except

  • For the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose; or
  • For a purpose for which the information may be disclosed to the institution under subsection 8(2).

(U) NSIRA examined whether CSE’s internal sharing of IRTC is consistent with the Privacy Act, which limits how collected personal information can be used by a federal institution. NSIRA concluded that in some circumstances, as described later in the report, internal sharing of IRTC that constitutes personal information between the FI and cybersecurity aspects might satisfy Privacy Act requirements. This compliance assessment requires a case-by-case analysis.

(Protected B//Solicitor-Client Privilege) NSIRA examined CSE DLS’s legal analysis, provided by Department of Justice (DOJ) lawyers, [redacted legal opinion or advice].

(Protected B//Solicitor-Client Privilege) In DOJ’s opinion, [redacted legal opinion or advice].

(Protected B//Solicitor-Client Privilege) According to DOJ, [redacted legal opinion or advice].

Compliance with the Privacy Act

(U) NSIRA observes that, in assessing compliance with section 7 of the Privacy Act, CSE emphasizes compliance with paragraphs 34(2)(c) and 34(3)(d) of the CSE Act to support the internal sharing of personal information across the various aspects of the mandate.

(U) As noted, section 7 of the Privacy Act requires that personal information under the control of a government institution shall not be used without the consent of an individual, except for two purposes: (1) the purpose for which it was obtained, or for a use consistent with that purpose; or (2) for a purpose for which the information may be disclosed to the institution under subsection 8(2) of the Act. Importantly, a use of information need not be identical to the purpose for which information was obtained; it must only be consistent with that purpose.

(U) CSE’s reliance on section 34 of the CSE Act poses a challenge for compliance with the Privacy Act because section 34 does not identify the actual purpose of the incidental collection of the IRTC, or provide an authority for internal sharing. Rather, section 34 conditions the Minister’s authority to issue an MA on prerequisites. Paragraphs 34(2)(c) and 34(3)(d) of the CSE Act specify that the Minister must be satisfied that the privacy protection measures in section 24 of the Act will ensure that IRTC will be used, analysed, and retained only if it complies with the respective essentiality requirements for FI and cybersecurity, as the case may be. These conditions establish a required threshold for the use, analysis and retention of IRTC collected under a MA, and not an authority for internal sharing of IRTC.

(U) Depending on the factual circumstances in which the IRTC is shared, CSE’s sharing of IRTC that constitutes personal information between the FI and cybersecurity aspects could be supported by the CSE Act and the Privacy Act when the information is shared for the purpose for which it was obtained, or for a use consistent with that purpose. This would require a case-by- case assessment to ensure that the purpose for which the IRTC is shared internally is for the same purpose for which it was collected, a purpose consistent with that original purpose for collection, or as permitted by section 7(b), that the sharing is permitted for one of the reasons identified by Parliament in subsection 8(2) of the Privacy Act. As mentioned, CSE does not consider internal sharing a disclosure of information. NSIRA notes that the issue of whether internal sharing in this way constitutes a “use” or a “disclosure”, under the Privacy Act is unclear. Regardless, NSIRA observes that in relying solely on the “essentiality” criteria in section 34, CSE is not assuring itself that it has lawful authority for internal sharing.

(U) A justification under section 7(a) or paragraph 8(2)(a) of the Privacy Act requires CSE to identify the purpose of the incidental collection and internal sharing, which is found in the corresponding aspect of CSE’s mandate. CSE’s purpose for collecting, and authority to collect, personal information comes from the CSE Act. Sections 16 and 17 of the Act identify FI and cybersecurity as operating programs and activities of the institution, and provide the authority to collect information for those purposes. As noted, MAs must authorize collection when activities might contravene any other Act of Parliament, or involve the acquisition of information from or through the GII that interferes with a reasonable expectation of privacy of a Canadian or a person in Canada. From the descriptions of the aspects in sections 16 and 17 of the CSE Act, there may be instances where information acquired under one aspect can be used for the same, or a consistent purpose, as exists for another, thus satisfying Privacy Act requirements for sharing information internally. However, this cannot simply be assumed as the purposes of the aspects are described differently within the Act.

(U) Section 16 of the CSE Act authorizes CSE to acquire information from or through the GII, and to use, analyse and disseminate the information for the purpose of providing foreign intelligence in accordance with Government of Canada (GC) priorities. Section 17 of the CSE Act, in turn, authorizes CSE to provide advice, guidance and services to help protect the electronic information or information infrastructures of federal institutions and designated systems of importance, and to acquire, use and analyse information, from the GII or from other sources, in order to provide such advice, guidance and services.

(TS//SI) When sharing FI-acquired IRTC to support CSE’s cybersecurity aspect, there is arguably no shift in purpose if cybersecurity is among the purposes for which the FI is obtained, used, analysed and disseminated. For the period of this review, [redacted related to GC priorities]. Sharing FI information to fulfill CSE’s section 17 cybersecurity objectives of providing advice, guidance and services to help protect federal and designated electronic information and infrastructures could be considered as the same purpose, or consistent with the purpose, for which the IRTC was originally obtained. Where the FI is used in the section 17 aspect to protect federal and designated electronic information and infrastructures, the purpose of collection and the subsequent use of that information could remain the same.

(U) For cybersecurity-acquired IRTC, sharing information to the FI aspect could be permissible if the FI purpose is the same as, or consistent with, the purpose for which the information was initially acquired, i.e., for the purpose of providing advice, guidance and services to help protect federal and designated information infrastructures or electronic information. Thus, sharing cybersecurity IRTC to the FI aspect would be permissible under the Privacy Act if the internal sharing ultimately serves the purpose of helping to protect federal and designated information infrastructures or electronic information.

(U) In sum, if the purpose of CSE’s acquisition of personal information is for the purpose of, or consistent with, delivering on the foreign intelligence and/or cybersecurity aspects, CSE’s internal sharing of IRTC can be consistent with section 7(a) or paragraph 8(2)(a) of the Privacy Act, provided that purpose of the information collection and sharing is identified and justified. CSE must also always satisfy any conditions from the CSE Act and relevant MAs on the collection and use of IRTC. To support internal sharing of personal information between the aspects, further analysis is required based on the factual circumstances of each case.

Finding no. 1: CSE’s internal sharing of information between the FI and cybersecurity aspects of the mandate has not been sufficiently examined for compliance with the Privacy Act.

Recommendation no. 1: CSE should obtain additional legal advice on its internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate, explicitly in relation to compliance with the Privacy Act, which thoroughly addresses the following two issues:

  1. Whether the internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate is a use or a disclosure of information for the purposes of the Privacy Act; and
  2. Whether uses and disclosures are done in accordance with sections 7 and 8 of the Privacy Act.

The Ministerial Authorizations

(U) The CSE Act does not allow the Minister to authorize internal sharing of IRTC, as MAs may only authorize, in the case of FI, the activities or classes of activities listed in subsection 26(2), or for cybersecurity, access and acquisition of the information referred to in subsections 27(1) and 27(2). Any internal sharing of IRTC that constitutes personal information must be done in accordance with the Privacy Act.

(U) As mentioned, section 24 of the CSE Act requires CSE to have measures in place to protect the privacy of Canadians and of persons in Canada in the use, analysis, retention and disclosure of IRTC. When issuing a MA, the Minister must conclude that these measures will ensure that any acquired IRTC will only be used, analysed or retained if it meets the essentiality thresholds in paragraphs 34(2)(c) or 34(3)(d). The Minister may issue these authorizations if they are of the view that such activities would be “reasonable and proportionate, having regard to the nature of the objective to be achieved and the nature of the activities.” As the Minister considers the reasonableness of the activities proposed against either an FI or cybersecurity purpose, it is conceivable that some activities might be reasonable and proportionate in one context, but not in the other. As activities authorized under subsection 26(2) might acquire a broader range of information than what is contemplated in subsections 27(1) and 27(2), the sharing of FI to cybersecurity might allow for CSE to use more information for a cybersecurity purpose than what is permitted under cybersecurity authorizations alone, and may require different privacy protection measures when using such information.

(U) To issue an MA, the Chief of CSE must set out the facts in an application that would allow the Minister to conclude that there are reasonable grounds to believe that the authorization is necessary, and that the conditions for issuing it are met. NSIRA considers it necessary for the Chief’s application to fully inform the Minister of how IRTC might be used and analysed by CSE, including the sharing of IRTC to another aspect, and for what purpose. This information would also allow for the Minister to make a determination under section 35 whether any other terms, conditions, or restrictions are advisable to protect the privacy of Canadians when issuing a FI or cybersecurity authorization.

(TS//SI) For the authorizations issued during 2020, most of the Chief of CSE’s applications indicated that collected and retained information might be used under a different aspect, while the text of most of the corresponding MAs did not mention use under a different aspect. This situation was reversed in one instance: [redacted example of CSE operations].

(TS//SI) Moreover, the 2020 FI applications and authorizations indicate that in order to meet the essentiality condition for retention of IRTC under subsection 34(2)(c) of the CSE Act, IRTC will be retained if it is assessed as essential to cybersecurity. In these instances, cybersecurity is included under the concept of “essential to security”, thus providing the Minister with additional context as to how the essentiality conditions are assessed and met by CSE. NSIRA considers this information necessary for the Minister to assess whether the conditions listed in section 34 of the CSE Act for issuing the authorization are met.

Finding no. 2: With one exception, the Chief of CSE’s applications for Ministerial Authorizations issued in 2020 informed the Minister of National Defence that retained information might be used to support a different aspect.

Finding no. 3: The applications for foreign intelligence authorizations by the Chief of CSE for the period of review appropriately informed the Minister of National Defence how the essentiality condition in paragraph 34(2)(c) is met for IRTC collected under the FI aspect.

Recommendation no. 2: All foreign intelligence and cybersecurity applications from the Chief of CSE should appropriately inform the Minister of National Defence that retained information might be used to support a different aspect.

Assessment of Essentiality, Necessity, and Relevancy

(U) Under CSE policy, an assessment of IRTC’s relevance, essentiality, or necessity to each aspect is required for sharing information across the aspects (see Annex G for CSE’s policy thresholds and definitions used to assess IRTC when shared between the aspects). These terms come from the CSE Act, but are not defined in the Act. CSE policy offers definitions and criteria for assessing and applying these thresholds to the information. NSIRA did not assess these policy thresholds or definitions for lawfulness, or how these requirements are satisfied by CSE when internally sharing IRTC. This may be examined in future reviews.

(TS) CSE policy also sets forth the criteria by which to authorize the sharing of IRTC across aspects (see Annex E for the approval processes at CSE for sharing information). Before any IRTC may be shared across aspects of the mandate, the information must be assessed for essentiality to the aspect for which it was acquired. If it does not pass this initial essentiality threshold, the information must be deleted.

(Protected B//Solicitor-Client Privilege) According to CSE, [redacted legal opinion or advice]

(U) NSIRA agrees that the CSE Act does not require that internally shared IRTC between the FI and cybersecurity aspects meet both of the essentiality conditions of paragraphs 34(2)(c) and 34(3)(d) of the CSE Act. Subsections 22(3) and 22(4) of the CSE Act require an FI or cybersecurity MA when the activities carried out in furtherance of either aspect involve acquiring information from the GII that may interfere with a reasonable expectation of privacy, or for activities that might contravene an Act of Parliament. MAs may only authorize the activities or classes of activities listed in subsection 26(2) for FI, or to access information infrastructures and acquire the information referred to in subsections 27(1) and 27(2). As mentioned, the “essentiality” thresholds in section 34 condition the Minister’s authority to issue an MA on the prerequisite of the privacy protection measures in section 24. Such a requirement can be understood as applying to use, analysis and retention of IRTC collected by CSE under the authority of a MA and within the confines of a single aspect. Therefore, there is no legal requirement within the CSE Act that CSE observe the essentiality threshold of the aspect of which the IRTC is internally shared. IRTC must only meet the original essentiality condition of either paragraph 34(2)(c) or 34(3)(d) when IRTC is acquired, as required by the MA authorizing its actual incidental collection.

Finding no. 4: CSE’s position that they do not need to assess “essentiality” twice when sharing information between the foreign intelligence and cybersecurity aspects of the mandate is compliant with paragraphs 34(2)(c) and 34(3)(d) of the CSE Act.

Conclusion

(U) As the CSE Act distinguishes between the aspects and the corresponding MAs, NSIRA examined CSE’s legal authority for sharing IRTC between the FI and cybersecurity aspects of its mandate. NSIRA concludes that internal sharing may be consistent with the Privacy Act in some circumstances. However, CSE must give further consideration to the purpose of the collection of the IRTC to justify any internal sharing of IRTC.

(U) This review also established a foundational understanding of some of the processes, systems, and compliance measures applied by CSE when sharing IRTC across aspects. Although NSIRA was not able to independently verify this information, NSIRA intends to build upon this information in future reviews.

Annexes

ANNEX A: Objectives, Scope, and Methodology

(U) Initially, NSIRA intended to examine the internal sharing of IRTC between aspects of CSE’s mandate in a thematic manner that covered several operational areas and several aspects. The review intended to examine the sharing of information between aspects of CSE’s mandate for the period of August 1, 2019 to August 1, 2020, with the objective to independently assess and evaluate:

  • Compliance with legal, ministerial, and policy requirements, including adequate management of compliance risks when conducting information sharing activities between aspects of CSE’s mandate; and,
  • CSE’s policies, procedures and practices on the internal sharing of information between aspects of the mandate.

(U) Due to operational realities, including COVID-19 related disruptions and access challenges, the objectives, scope, and methodology of this review were significantly reduced from the original Terms of Reference (sent to CSE on August 28, 2020), to focus mainly on the legal authority for sharing of information between the FI and cybersecurity aspects.

(U) For this review, NSIRA examined documents and records relevant to the sharing of information between aspects of CSE’s mandate, from the coming into force of the CSE Act on August 1, 2019, until August 1, 2020.

(U) Two interviews were conducted with CSE employees involved with information sharing across CSE’s aspects, and an interview was conducted with a Department of Justice lawyer in CSE’s Directorate of Legal Services familiar with the legal framework of such activities.

(U) NSIRA also completed a foundational description of some of the processes, systems, and compliance measures in place when sharing such information, in order to establish a baseline of knowledge to inform future reviews.

ANNEX B: Meetings and Briefings

Briefing. “Information Sharing: Sharing information for use across aspects of the CSE Mandate”, NSIRA Briefing, February 7, 2020.

NSIRA meeting with counsel from the Department of Justice at CSE DLS, October 13, 2020.

NSIRA meeting with CSE analysts, October 20, 2020.

ANNEX C: Findings and Recommendations

Finding no. 1: CSE’s internal sharing of information between the FI and cybersecurity aspects of the mandate has not been sufficiently examined for compliance with the Privacy Act.

Recommendation no. 1: CSE should obtain additional legal advice on its internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate, explicitly in relation to compliance with the Privacy Act, which thoroughly addresses the following two issues:

  • Whether the internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate is a use or a disclosure of information for the purposes of the Privacy Act; and
  • Whether uses and disclosures are done in accordance with sections 7 and 8 of the Privacy Act.

Finding no. 2: With one exception, the Chief of CSE’s applications for Ministerial Authorizations issued in 2020 appropriately informed the Minister of National Defence that retained information might be used to support a different aspect.

Finding no. 3: The applications for foreign intelligence authorizations by the Chief of CSE for the period of review appropriately informed the Minister of National Defence how the essentiality condition in paragraph 34(2)(c) is met for IRTC collected under the FI aspect.

Recommendation no. 2: All foreign intelligence and cybersecurity applications from the Chief of CSE should appropriately inform the Minister of National Defence that retained information might be used to support a different aspect.

Finding no. 4: CSE’s position that they do not need to assess “essentiality” twice when sharing information between the foreign intelligence and cybersecurity aspects of the mandate is compliant with paragraphs 34(2)(c) and 34(3)(d) of the CSE Act.

ANNEX D: Partner and client information and publicly available information shared between the fi and cybersecurity aspects

(Protected B) Under the cybersecurity aspect, federal and non-federal clients may disclose cyber threat information to CSE as Canada’s lead agency for cybersecurity, or when seeking CSE services to analyse and mitigate known or suspected cyber incidents. Disclosed information may be used for FI purposes provided that it is done so for the purposes of identifying, isolating, preventing or mitigating harm to federal systems or systems of importance to the GC.

(Protected B) The documentation that governs CSE’s arrangements with GC and non- federal clients specifies that information obtained by CSE from a given client’s network or system that is relevant to the cybersecurity aspect may be shared with partners [redacted CSE operational information] or internal partners for GC clients) involved in cybersecurity for the purposes of identifying, isolating, preventing or mitigating harm to federal systems or systems of importance to the GC. However, this type of documentation does not explicitly mention that clients’ information might be used for FI purposes. For the purposes of obtaining the informed consent of disclosing entities, NSIRA considers it appropriate for CSE to be fully transparent with how clients’ information might be used by CSE.

(Protected B) When client information is shared with [redacted CSE operational information] partners, the information is anonymized and identifiable information is omitted. Any releasable cybersecurity products created from client information must only contain information necessary to mitigate a cyber compromise. Additionally, disclosing entities may also impose specific restrictions on the use and sharing of their data at the time of disclosure.

(TS) As per subsection 21(1) of the CSE Act, CSE is permitted to acquire and use publicly available information without seeking a MA. Currently, [redacted related to legal opinion or advice].

ANNEX E: Approval Process and Sharing Release Approvals

Approval Processes for Sharing IRTC

(TS//SI) The appropriate approval authority for sharing information is outlined in CSE internal policy, where the nature of the information dictates the release authority. CSE policy requires management approval (known as the release authorities) before sharing unsuppressed IRTC between aspects. However, policy does not stipulate the actual process for approval; this is determined by the relevant operational areas in accordance with their business practices. The Mission Policy Suite (MPS) requires all management decisions to be documented and retained in a central repository for transparency and accountability purposes. Those records must be accessible for review purposes. However, for this review, NSIRA was unable to independently verify and assess the approval process for internally shared IRTC.

(TS) Generally, CSE requires management approval for sharing information contained within a report for use across aspects of the mandate, and will elevate the appropriate release authority when the information contains IRTC. The appropriate release authority and conditions for release are outlined in policy (discussed below). The release authority is responsible for the information exchange, and must be informed if any changes are made to the data that result in a change in the type of privacy-related information to be shared.

(TS) Automated sharing techniques [redacted related to GC priorities].

Cybersecurity IRTC to Foreign Intelligence

(U) Retained IRTC under the cybersecurity aspect can be shared to FI as a Releasable Cybersecurity Product (RCP), which must meet the requirements listed below. The release authority is determined by the privacy impact that the release of information may have on an individual or entity, which is in turn determined by the level of sensitivity and privacy impact of the IRTC. Depending on the level of sensitivity of the IRTC, operational managers or supervisors from the Canadian Centre for Cyber Security (CCCS, or Cyber Centre) must approve RCPs containing IRTC.

(U) The requirements for a RCP as per CSE policy include the following:

Requirement When and How the Requirement is Applied
Purpose is to provide advice, guidance, and services At the time of sharing – why am I sharing this information?
Product only contains retained information The decision to use and retain information is made at the time the raw data is assessed for relevance and necessity (and in the case of IRTC, essentiality) to the cybersecurity aspect of the mandate.
Privacy Protection

At the time of sharing, as appropriate (e.g., being shared back with the system owner/administrator who already has access to the information on their own systems; or to a broader audience with strict limits on the use of the information).

No suppression is required if the IRTC is shared for use under the FI aspect of the mandate when the sharing is for the purposes of supporting activities to help protect the electronic information and information infrastructures of the GC or SOI to the GC

Classification and limitations on use and handling

Either at the time of sharing, or applied at a later stage to the onward use and dissemination of the information by FI. Can include pre-approved uses and conditions, as well as limitations placed by the data/system owner if applicable.

Can be applied by report-authoring platforms to End Product Reports (EPRs), restrict the use and dissemination of CSE information.

Auditable At the time of acquisition, applied automatically by CSE systems.
All data entering CSE is automatically tagged with a unique identifier, as well as information regarding origin (e.g., MA vs non-MA, disclosing client if applicable etc.), access restrictions if applicable, aspect of the mandate under which the data was acquired, date and time of acquisition, use and handling requirements.
Approved for release

At the time of sharing.

The approval authority depends on the nature of the information. See table in s. 25.2 in the MPS cybersecurity chapter.

Foreign Intelligence IRTC to Cybersecurity

(TS) IRTC under the FI aspect can be released to CCCS as a Releasable SIGINT Product (RSP). RSPs that contain information with a recognized Canadian privacy interest, or based on material with a Canadian privacy interest, require DC SIGINT approval for release, which can be delegated.

(TS) In order to create a RSP to share information for use under the cybersecurity aspect, the following table summarizes how the criteria required in policy must be met:

Requirement When and How the Requirement is Applied
Information is relevant to FI At the time of assessment. Must be met prior to use.
Privacy protection e.g., suppression of IRTC

At the time of sharing, if necessary.

Suppression is mandatory for IRTC included in an EPR shared outside CSE. CCCS clients that receive these EPRs may request this CII through the regular Action-On process.

Otherwise, no suppression required if IRTC is necessary for cybersecurity purposes, but other measures to protect privacy are used, for example, restricting the audience for the information.

Sanitization Either at the time of sharing, or to be applied if/when cybersecurity use requires the information be sanitized to protect CSE equities.
Serialization

At the time of acquisition, applied automatically by CSE systems.

All data entering CSE is automatically tagged with a unique identifier, as well as information regarding origin [redacted example of CSE operations] access restrictions if applicable, aspect of the mandate under which the data was acquired, date and time of acquisition, use and handling requirements.

Caveats

Either at the time of sharing, or applied at a later stage to the onward use and dissemination of the information by cybersecurity. Can include pre- approved actions-on.

Automatically applied by report-authoring platforms to EPRs, limit the use and dissemination of CSE information.

Approved for release

At the time of sharing.

The approval authority depends on the nature of the information. See table in s. 27.8 of MPS FI chapter.

Internal Reviews of Information Sharing

(TS) Internal sharing of information between the aspects is subject to CSE internal review, for both automated sharing and data-based queries. SIGINT Compliance, the group responsible for internal compliance activities under the FI aspect, reviewed CSE-originated queries for 2019 and 2020, and found that query activity was complaint. The CCCS’ Internal Program for Operational Compliance (IPOC) did not prioritize compliance monitoring reviews for the past two fiscal years in order to monitor other activities that posed a higher-risk to compliance.

(TS) Automated sharing techniques are also subject to review. SIGINT Compliance is required to revalidate all instances of automated sharing between the FI and cybersecurity aspects every 12 months. The most recent review for the period of July 2019 to September 2020 found that the [redacted number] of automated sharing were compliant with policy requirements, except for [redacted number] that CSE was unable to assess.

ANNEX F: Methods and processes of sharing

(TS) This section describes the methods and processes used by CSE to share information between the FI and cybersecurity aspects. There is a multitude of systems, methods, and processes that enable information sharing between these aspects, both suppressed and unsuppressed. Note that the processes described below are not static, and that CSE’s systems, methods, and processes can change anytime.

(TS) Generally, access to information for each aspect is restricted by [redacted related to legal opinion or advice]

(TS//SI) For examples, [redacted description of CSE operations].

(U) As required by section 24 of the CSE Act, CSE must have measures in place to protect the privacy of Canadians and persons in Canada in the use of information related to them acquired in furtherance of the FI or cybersecurity aspects.

(TS) Suppression and minimization of IRTC is not required by CSE policy when sharing information internally; it is a default practice to share IRTC unsuppressed across the FI and cybersecurity aspects. According to CSE, although not mandated by policy, analysts are encouraged to anonymize or remove privacy-related information where it is not essential for the person using the information to understand the context and value. CSE recognizes that suppression and minimization are a best effort practice, and is of the opinion that CSE is not in contravention of the law should suppression, minimization, anonymization not occur when sharing information between the aspects.

Cross-Aspect Access to both SIGINT and Cyber Centre Raw Data

(TS) When accessing data from another aspect that is not within a reporting product (i.e., RSPs or RCPs), analysts are subject to the policy requirements of the data they are accessing.

(TS//SI) Under the FI aspect, [redacted description of CSE operations].

(TS//SI) For examples, [redacted description of CSE].

(TS//SI) While analysing raw FI data, Cyber Centre personnel must follow all applicable foreign intelligence authorities and policy requirements. The use, handling, and retention of this information is further subject to any restrictions applied to the foreign intelligence data.

(TS//SI) SIGINT personnel may access and use Cyber Centre systems if they meet the requirements in section 26.1 of the MPS Cybersecurity. Access to Cyber Centre systems and raw cybersecurity data is similarly restricted [redacted] to individuals with an operational need-to-know and mandatory annual policy and compliance training and knowledge testing. [description of CSE operations].

Reporting – RCPs and RSPs

(U) Retained information is internally shared through formal reporting processes in the form of either RSPs, which includes EPRs, or RCPs.

(TS//SI) Cyber Centre personnel operating under cybersecurity requirements may also be internal clients without access to raw FI data. Foreign intelligence information is shared to some cybersecurity personnel as an RSP, meaning that the information has met the requirements for release in CSE policy, including suppression and approval, and is subject to any restrictions on the intelligence data. For the period of review, there [redacted number] RSPs approved for release from the FI aspect that were made available to personnel operating under the cybersecurity aspect.

(TS//SI) Cybersecurity information can be reported and released to SIGINT personnel for subsequent use under the FI aspect via RCPs. Information released through RCPs must meet the requirements for release within CSE policy, and the use must be consistent with the cybersecurity aspect of CSE’s mandate and used for a subsequent use related to relevant GC priorities. For the period of review, [redacted number] RCPs were disseminated to authorized recipients in SIGINT.

Receiving Suppressed Identifiers from Reporting

(TS) Suppressed IRTC in EPRs disseminated through SLINGSHOT can be requested by internal CSE clients through the existing CII external disclosures process. This is the only mechanism by which suppressed identities can be accessed and released. Supressed IRTC can be requested by submitting a request to the Action-On team (D2A). The requestor must provide the legal authority and operational justification to receive the unsuppressed information. Between August 1, 2019 and August 1, 2020, [redacted description of CSE operations].

(TS) Although the mechanism for releasing this information is the same as the external disclosures process, it is not considered a “disclosure” of information but an internal “use” of information. As such, the disclosure regime requirements of sections 43 to 46 of the CSE Act do not need to be met in order for supressed information to be released to internal CSE clients.

Joint-Reporting

(TS//SI) Information may also be shared between the foreign intelligence and cybersecurity aspects for the purposes of disseminating foreign intelligence under cybersecurity authorities. This foreign intelligence information must first be used for foreign intelligence purposes, and then may be shared to CCCS personnel use under the cybersecurity aspect and only then released under their authorities.

(TS//SI) Approval for sharing of foreign intelligence information under the cybersecurity aspect of the mandate must abide by the appropriate release approval authorities for both aspects.  [redacted description of CSE operations]

Automated Sharing (forms of RSP or RCP)

(TS) Automated sharing is defined in CSE policy as “the use of automated techniques or processes to expedite the dissemination of [redacted releasable reporting products]”.

(TS//SI) There are various automated feeds used at CSE to exchange information between the aspects. [redacted description of CSE operations].

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted]

(TS//SI) [redacted description of CSE operations and systems]

(TS//SI) [redacted description of CSE operations and systems]

Other Methods of Sharing

(TS) More informal methods of information exchange may occur between the two aspects. As CSE teams work closely together, analysts might gain knowledge of information that can be useful for either aspect of the mandate. Analysts may exchange general knowledge without any formal reporting. CSE policy provides for analytic exchanges whereby analysts may engage with partners working under a different aspect to work on common objectives by exchanging information. However, any data exchange must meet the requirements of issuing a RCP or RSP, although the data need not be released through the formal product dissemination systems.

ANNEX G: Policy Thresholds for Internal Sharing

(U) Generally, CSE policy provides that IRTC may be shared internally according to the thresholds outlined below. As mentioned, NSIRA did not assess these thresholds or definitions for lawfulness, but may do so in future reviews. Additionally, NSIRA did not assess how these policy requirements are satisfied in practice.

Foreign Intelligence Aspect to Cybersecurity Aspect

(TS) Under the FI aspect, IRTC must be essential and relevant to the FI aspect prior to sharing, as per the essentiality condition in 34(2)(c) of the CSE Act. According to CSE policy, the information must be considered essential to international affairs, defence or security, including cybersecurity. Essential is not defined in CSE policy, though policy provides criteria by which to assess the IRTC as it relates to protecting the lives or safety of individuals, or to serious criminal activity relating to the security of Canada.

(TS) To share FI IRTC information for use under the cybersecurity aspect of the mandate, the IRTC information must be relevant to the cybersecurity aspect. IRTC must further be assessed for necessity to the cybersecurity aspect, meaning whether the information is necessary to help protect GC systems and designated systems of importance. It is a policy decision to apply the threshold of necessity from subsection 44(1) of the CSE Act.

(TS) CSE policy requires the standard of necessity, [redacted description of CSE operations]. This information is necessary to fulfill the cybersecurity mandate as it enables activities that protect GC systems and designated SOIs (such as by blocking traffic). However, the identifiable individual or entity is not the focus of the activity.104 Therefore, CSE is of the opinion that since there is a lower risk to the reasonable expectation of privacy of the individual in the cybersecurity context, the threshold of necessity is sufficient for sharing FI-acquired IRTC to the cybersecurity aspect.

Cybersecurity Aspect to Foreign Intelligence aspect

(TS//SI) Under the cybersecurity aspect, IRTC acquired under a MA must be both relevant and essential prior to sharing, as per the essentiality condition under paragraph 34(3)(d) of the CSE Act. In CSE policy, IRTC is considered essential when without the information, CSE would be unable to protect federal systems or SOIs and the electronic information on those systems. However, non-MA acquired IRTC, such as client information, must only be necessary.

(TS) The shared IRTC is also assessed for essentiality to the FI aspect (that is, essential to international affairs, defence or security), for both MA and non-MA cybersecurity information. It is a policy decision to further assess cybersecurity-acquired IRTC for essentiality under the FI criteria, [redacted description of CSE operations].

(TS//SI) As explained by CSE, the cybersecurity-acquired IRTC shared internally in support of the FI aspect is for the purposes of protecting federal institutions or SOIs and the electronic information they contain. This IRTC is used to identify foreign threats to Canadian systems, which aligns with the [redacted related to GC priorities].

ANNEX H: Internal Sharing of IRTC at CSE

Figure: Process Diagram of Internal Sharing of IRTC at CSE

Share this page
Date Modified:

Review of Global Affairs Canada’s Global Security Reporting Program

Backgrounder

This review focused on Global Affairs Canada’s (GAC) Global Security Reporting Program (GSRP, or the Program). The review was selected given that the GSRP is a key component to GAC’s security and intelligence footprint overseas, with approximately thirty officers posted around the world dedicated and funded to collect overt security-related information.  GSRP clients have reported that the Program is both unique and valuable to the Government of Canada. This review is the first external review of GSRP and NSIRA’s inaugural review of GAC.

Many of the receiving states where GSRP officers work have poor human rights records and/or are environments where surveillance of foreigners and citizens is commonplace. As such, receiving state perceptions of GSRP activities have direct implications on reputational risk to Canada and its allies, to other Canadian departments and agencies (like the Canadian Security Intelligence Service (CSIS), for example), to GSRP officers, and finally, on the local contacts used to help collect the Program’s information.

The review found a number of areas where the Program can improve, including more robust governance and accountability structures, additional oversight and attention to information management best practices.

Date of Publishing:

GAC Minister letter to NSIRA To Follow

Executive Summary

This review focused on Global Affairs Canada’s (GAC) Global Security Reporting Program (GSRP, or the Program). The review was selected given that the GSRP is a key component to GAC’s security and intelligence footprint overseas, with approximately thirty officers posted around the world dedicated and funded to collect overt security-related information. GSRP clients have reported that the Program is both unique and valuable to the Government of Canada. This review is the first external review of GSRP and NSIRA’s inaugural review of GAC.

Many of the receiving states where GSRP officers work have poor human rights records and/or are environments where surveillance of foreigners and citizens is commonplace. As such, receiving state perceptions of GSRP activities have direct implications on reputational risk to Canada and its allies, to other Canadian departments and agencies (like the Canadian Security Intelligence Service (CSIS), for example), to GSRP officers, and finally, on the local contacts used to help collect the Program’s information.

The review found a number of areas where the Program can improve, including more robust governance and accountability structures, additional oversight and attention to information management best practices.

More significantly, the review found that although the GSRP operates under the Vienna Convention on Diplomatic Relations (VCDR), it does so without legal guidance assessing the activities of the Program. Likewise, GSRP officers do not receive adequate training regarding their legal obligations. In particular, the activities of certain GSRP officers abroad raised concern that some activities may not be in accordance with the duties and functions under the VCDR.

Although GSRP officers rely on the VCDR as a shield for their actions, some officers did not appear to appreciate the limitations of this immunity nor understand the true scope of their duties and functions. In addition, it was not clear if all officers understood that once they are no longer afforded diplomatic immunity, a receiving state may seek retaliatory measures against them. The review found an absence of risk assessments, security protocols, and legal guidance specific to the increased scrutiny that GSRP officers may attract due to the nature of their reporting priorities.

As government partners overseas, CSIS and GSRP frequently interact with each other, with overlap between these respective mandates. Insufficient deconfliction at Mission and Headquarters between CSIS and GAC exists, which results in inconsistent governance [redacted].

The review also found that the Program does not have appropriate safeguards in place regarding the safety of contacts overseas. Although most interactions between officers and contacts are innocuous, the Program does not appear to appreciate the associated risks of these exchanges. Significantly, the review identified some possible concerns related to how recommended that GAC Canadian identity information is managed, and therefore conduct a privacy impact assessment of the Program.

The creation of a foreign intelligence entity within GAC, or the allowance of mission creep by the GSRP into covert collection would run against the principles of the VCDR. Therefore, NSIRA believes it is important that the Government consider the implications stemming from this review and decide on the most appropriate means of collecting this kind of information. NSIRA acknowledges that this is a topic that goes beyond our remit, and therefore may require consideration by the National Security and Intelligence Committee of Parliamentarians. We intend to share this review with our review counterpart in order to commence such deliberations.

Authorities

This review was conducted under the authority of subsections 8(1)(a) and 8(1)(b) of the National Security and Intelligence Review Agency Act.

Introduction

Global Affairs Canada’s (GAC) Global Security Reporting Program (GSRP) collects and disseminates information in support of Canada’s intelligence priorities. As the program has matured during its nearly twenty years of existence, GSRP products have received attention from Government of Canada (GoC) departments and agencies, as well as allied nations.

This was the National Security and Intelligence Review Agency’s (NSIRA) first standalone review of GAC. As such, NSIRA familiarized itself with GAC’s mandate, policies, and legal authorities while simultaneously reviewing the GSRP as a unique and complex program.

NSIRA assessed whether GSRP activities were conducted in accordance with the law, relevant policies and procedures, and whether the activities were reasonable and necessary. Additionally, NSIRA examined whether the Program’s policies and procedures were sufficiently comprehensive to support overseas activities.

The core review period for this study was from January 1, 2017, to December 31, 2019, however, NSIRA reviewed information outside of this period in order to conduct a complete assessment. NSIRA also examined a significant sample of GSRP Missions that provided diverse perspectives on the nature and scope of the Program’s activities.

Given the unique circumstances of NSIRA’s recent establishment and the various logistical and procedural challenges associated with this transition, this review was only possible with the support of GAC staff, especially those within its External Review Liaison Unit. Additionally, NSIRA thanks CSIS and its External Review and Compliance team for its help in facilitating this review. This report was scheduled to be completed in the summer of 2020, but was delayed due to the COVID-19 pandemic that began when the review was in its initial scoping stages.

History of the GSRP

During the Cold War, security reporting was integrated into political reporting by Canadian diplomats abroad. The Canadian security and intelligence (S&l) community largely relied on this foreign security reporting to meet its information needs. Following the end of the Cold War, security reporting was no longer routinely incorporated into political reporting by Canadian diplomats. The change was reflective of:

“an evolving world order, in which different, non-traditional security challenges arose; new and changing national and departmental priorities; the loss of subject matter expertise as diplomats and managers both moved on and retired; and significant public service cuts and budget restraints in the 1990s influenced GAC activities and priorities.”

GSRP was created soon after the events of 9/11. The contemporary Program has a unit of approximately 30 diplomatic personnel dedicated to overt single source* reporting — from a network of primarily “non-traditional” contacts — on issues pertinent to the Canadian security, intelligence, defence, and foreign policy community. GSRP. officers (or officers) operate within and outside of host country capitals and regularly travel to areas less frequented by most diplomats. Since 2009, these reports (which inform both Canadian and allied decision-makers), have been anchored in the GoC intelligence priorities.

GSRP officers report to the Intelligence Assessments and Reporting Division (INA) under the Intelligence Bureau which falls under the ADM of International Security and Political Affairs.” The GSRP adheres to a matrix management structure: at mission, GSRP officers report to the Foreign Policy and Diplomacy Service (FPDS) manager or Head of Mission (HoM), while GSRP Headquarters (HQ) primarily determines officer collection priorities. In addition, GSRP HQ defines the expectations for the Program.

Findings and recommendations

Utility of GSRP

The GSRP is the only Canadian diplomatic program that is dedicated and funded to collect overt security-related information. GSRP functions as a fenced resource wherein the majority of an officer’s time (90%) is devoted to the production of single- source reports. No other GAC program devotes similar resource allocation to “pure collection”.

GSRP’s clients repeatedly stated that the reports provide pertinent information consistent with their department/agency’s collection requirements. Specifically, GSRP reporting provides “on-the-ground” perspectives from a diverse group of individuals, which is unique in comparison to other GoC collection streams. Recipients mentioned the reports provide useful information on broader threats and trends in areas of emerging interest.

Clients reported that one of the greatest assets of the GSRP is the priority placed on language training. This includes, in some cases, over a year of training, including immersive in-country exposure.’ GSRP clients have noted that language fluency is a key value of the Program.

Moreover, clients commended the Program’s ability to rapidly deploy officers to cover a specific area, event, or issue that is of significant value to the GoC. Despite these benefits, review of GSRP documentation indicates the need for improved product feedback mechanisms to help determine whether reports meet client needs”.

Duties and Functions under the Vienna Convention on Diplomatic Relations

The lawful functions of a diplomatic mission and the duties owed by diplomats who enjoy privileges and immunities in a receiving state are articulated in the Vienna Convention on Diplomatic Relations (VCDR). The VCDR is generally accepted as a codification of diplomatic law, rules and practices under customary international law. According to GAC, the GSRP falls within the functions of a diplomatic mission, as listed in Article 3 of the VCDR. As outlined under Article 3(1)(d), it forms part of the function of a diplomatic mission to ascertain, by all lawful means, the conditions and developments in the host state and report on them to the government of the sending state. Article 3(1)(d) specifically requires diplomatic reporting to be “by lawful means.”

Under Article 41(1) of the VCDR, it is the duty of diplomats exercising the functions listed under Article 3 and who enjoy privileges and immunities in the receiving state “to respect the laws and regulations of the receiving state” and “not to interfere in the internal affairs of that state”. Breaches of these duties constitute abuses of privileges and immunities (also referred to as abuses of diplomatic functions).

Remedies for abuse of diplomatic privileges and immunities

Remedy for abuse of diplomatic privileges and immunities, as outlined in the VCDR, includes notifying the sending state that a diplomat in question is declared persona non grata (Article 9 of the VCDR) and, in the most exceptional circumstances, breaking off diplomatic relations, which are established by mutual consent as articulated in Article 2 of the VCDR.

Importantly, these remedies do not require the host state to give reasons for the remedial action. The result is that the perception of abuse can be as likely a cause for expelling a diplomat or even breaking off diplomatic relations as an actual abuse. The International Court of Justice in the Tehran Hostages Case explained the discretion built into this regime as follows:

Article 9 of the [VCDR]… take[s] account of the difficulty that may be experienced in practice of proving such abuses in every case or, indeed, of determining exactly when exercise of the diplomatic function”…”may be considered as involving such acts as “espionage” or “interference in internal affairs”. The way in which Article 9 paragraph 1, takes account of any such difficulty is by providing expressly in its opening sentence that the receiving state may “at any time and without having to explain its decision” notify the sending state that any particular member of its diplomatic mission is “persona non grata” or “not acceptable”… Beyond that remedy for dealing with abuses of the diplomatic function by individual members of a mission, a receiving state has in its hands a more radical remedy if abuses of their functions by members of a mission reach serious proportions. This is the power which every receiving state has, at its own discretion, to break off diplomatic relations with a sending state and to call for the immediate closure of the offending mission. (emphasis NSIRA’S).

The personal immunity enjoyed by diplomats will normally cease when the functions of the diplomat have come to an end and “at the moment when he leaves the country, or on expiry of a reasonable period in which to do so. There are circumstances wherein the receiving state may prosecute a diplomat for those breaches that contravene their domestic law where the personal diplomatic immunity enjoyed by the diplomat has ceased.

Acts performed by a diplomat “in the exercise of his functions as a member of the mission” will continue to be covered by immunity despite the diplomat’s personal immunity having ended. However, acts falling outside of a diplomat’s legitimate functions will not continue to be covered by immunity, and the diplomat may be liable to prosecution for illegal acts they performed during the mission if they later re-enter the receiving state without the protection of diplomatic immunity or where they fail to leave the receiving state within a reasonable time.

There are of course other less severe means at the receiving state’s disposal to respond to a diplomat’s abuse of functions, both legal and political. Aside from the more unlikely risks of expulsion or severing of diplomatic relations, there is a wide spectrum of reputational harm that may result from perceived breaches of the VCDR. NSIRA emphasizes that GSRP officers should be wary of placing a receiving state in the position to seek remedy.

Where the GSRP activities depart from the legal framework for diplomatic functions in international law, attention should also be turned to whether these activities are lawful under Canadian law. Diplomatic relations are conducted under the authority of Crown Prerogative over foreign relations, which is constrained, to some extent, by international law. Prohibitive rules of customary international law, which would include prohibitive rules of diplomatic law, are considered to be incorporated into Canadian common law unless there is legislation to suggest the contrary. Crown Prerogative is likewise part of our common law. Consideration must be given as to how the exercise of Crown Prerogative reconciles with these prohibitive rules.

Perceptions

Diplomatic vs. Intelligence Functions

Existing within GAC’s intelligence bureau, the GSRP’s reporting directions are derived from Canada’s intelligence priorities. Nonetheless, GAC characterized the Program to NSIRA as being consistent with regular diplomatic reporting. Effectively, NSIRA views the Program as existing within a grey zone between these two dichotomies.

GSRP officers are posted to countries to collect information relevant to the GoC’s intelligence priorities. These countries are often characterised by poor human rights records; a high degree of mistrust for outsiders; often take a hard line on internal security matters; and, tend to deploy mass surveillance on foreigners and citizens. This is why the perception of GSRP activities by receiving states is a relevant consideration for the Program.

When NSIRA asked how the Program accounts for disparities between what are legally permitted activities and the laws of the receiving state, GSRP officers were insistent that they operate under the VCDR.”’ Although officers acknowledged that they have a right under diplomatic law to fulfill their duties, they also understood that the receiving state might perceive their role differently. To help mitigate this risk, some officers indicated that they avoid reporting on sensitive topics.

Although the GSRP reports on intelligence priorities and obtains information from human contacts, officers believe they are distinct from intelligence practitioners given that they operate overtly as accredited members of a diplomatic mission, and do not pay or task their contacts. Despite these assertions, whether the actions of the GSRP officer are “overt” or “covert”, and whether or not they task or pay contacts, is not determinative when assessing for an abuse of privileges and immunities under the VCDR. In fact, many cases where interference activities have attracted the attention of receiving states were clearly overt.

Risk

GSRP officers must be alert to any activity that may be perceived by receiving states as falling outside of the functions of a diplomatic mission. This portion of the review briefly outlines some of the attendant risks.

Risk to the Government of Canada and its Allies

NSIRA expected to find a GSRP governance framework that articulates internal policies and provides guidance to GSRP officers on how to perform their diplomatic reporting functions. Such a governance framework does not exist.

When questioned on the absence of a governance framework, GSRP indicated that a policy suite was unnecessary given that officers “are doing what diplomats have always done.” Although GSRP management noted that they are working towards professionalizing the Program, policy is currently:

established by the Head of the GSRP, exercising their judgement and discretion, and drawing on specialized expertise, including support from legal, human resources and finance divisions, and seeking formal or informal approval from senior executives as required and when appropriate.

Policy guidance provided by the Head of GSRP is disseminated to officers via email. There is no central repository to organize this information. In addition to a lack of information management structures, there are information management weaknesses in other areas, including multiple incompatible systems and various security accreditations across missions. Additionally, some information is solely held at mission, limiting HQ’s visibility and oversight of mission developments.

As a result of the absence of a sufficient governance structure, information management challenges and limited oversight of mission developments, there have been instances where the Program has not managed risk appropriately.

For example, the review observed instances in which Canada’s allies misidentified GSRP officers as Canadian intelligence representatives.

Although NSIRA did not observe any instances where GSRP officers intentionally mislead receiving states, in one case, the lack of understanding of the Program’s mandate [redacted].

Some recipients of GSRP reports also indicated that other recipients (particularly those with limited security and intelligence backgrounds) do not fully understand that these products are single-source, unvalidated, or uncorroborated. This is particularly relevant given that GSRP officers have in the past unwittingly reported information that turned out to be misinformation and disinformation. Of note, GSRP produced just over five thousand reports over the review period, with two significant instances of confirmed disinformation in ten reports. Moreover, recipients repeatedly referred to misinformation in GSRP reports, yet NSIRA was unable to independently corroborate all of the Program’s reports over the review period.

As already noted, one of the challenges facing the Program is the absence of sufficient oversight. Four full time employees at HQ are responsible for the management of approximately thirty officers, the vetting of approximately two thousand reports per year, for providing informal policy guidance, and conducting outreach with relevant stakeholders. This deprives HQ of the capacity to perform adequate quality control of officer activities.

Finding no. 1: NSIRA found that GSRP’s governance and accountability structures are insufficiently developed.

Finding no. 2: NSIRA found that GSRP activities have the potential to cause unnecessary reputational and political harm to the Government of Canada.

Finding no. 3: NSIRA found that GSRP does not adequately maintain central repositories or follow information management best practices.

Recommendation no. 1: NSIRA recommends GSRP prioritize the development of a governance framework.

Recommendation no. 2: NSIRA recommends that GAC enforce data retention and information management practices as laid out in already-existing GoC policies.

GAC-CSIS Operational Partnership

CSIS has a framework that outlines host country expectations, both politically and operationally. The CS/S Act specifies, under section 17, how these arrangements are to be governed. In addition, there is Ministerial Direction that further guides CSIS’ conduct abroad. This governance framework structures CSIS’ operations to be consistent with domestic and international law. In most cases, CSIS prefers to be the primary interlocutor with foreign security or intelligence partners, just as GAC prefers to be the primary contact with diplomatic representatives.

In at least one instance, GSRP was a primary contact with a foreign intelligence agency instead of CSIS. In this instance, GAC refused to approve a Section 17 relationship between CSIS and [redacted] due to an ongoing sensitive diplomatic case. However, NSIRA did not observe anything to indicate these same relationship prohibitions were extended to RCMP or GSRP. Regardless of the circumstances, in cases where CSIS is prohibited from engaging a foreign entity due to restrictions on the foreign arrangement, GAC does not have the same restrictions.

Moreover, where CSIS and GAC have identical legal obligations under the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACMFEA), these obligations risk being applied differently. For example, where CSIS has controls on who they can and cannot liaise with as derived from Ministerial direction (i.e. s.17, CS/S Act), GAC does not have comparable restrictions. Rather, GAC relies on internal mitigation processes when sharing information with foreign entities, which for CSIS, are only relevant if the Minister permits the Service to engage with that entity to start with.

Although GSRP management stated that it is not the role of officers to liaise with foreign security and intelligence agencies, GSRP officers did not consistently articulate this to NSIRA. For instance, some officers interacted with members of local intelligence agencies, while others mentioned that they consider this to be outside their mandate.

In several instances, CSIS was asked by receiving states to clarify what was perceived to be inappropriate activities by GSRP officers. In these cases, CSIS. attempted to reassure these partners that the GSRP was not a covert collection program. NSIRA also observed coordination challenges in regions where CSIS and GSRP activities overlap (e.g. contact pools).

NSIRA heard from multiple GSRP officers that they generally found CSIS partners at missions collegial and forthcoming with security advice.” In one other instance, the GSRP officer reported a hostile relationship with their CSIS counterpart.

NSIRA also observed numerous cases where it did not appear that GSRP officers had adequately productive relationships with CSIS at mission. In these instances, although individuals were cordial, there was minimal interaction, with CSIS officers often keeping to themselves. Although NSIRA understands the legal protections pertaining to CSIS information sharing, there appeared to be a lack of consistent deconfliction and interaction between GSRP and CSIS in the field.

When NSIRA raised the issue of deconfliction overseas, GSRP management maintained that such mechanisms were unnecessary given that CSIS is a client, and not a partner, of the Program Although CSIS is indeed a client of GSRP reporting, the above also clearly indicates that the GSRP and CSIS operate in close proximity to each other overseas, with attendant relationship complexities that must be managed.

CSIS and GAC both participate in a Joint Management Team (JMT), which convenes at the Director General and Deputy Minister levels. NSIRA observed that although there is potential for the JMT to serve as an effective deconfliction mechanism, there was no evidence that key takeaways concerning GSRP and CSIS collaboration were acted upon. Further, the JMT convenes too infrequently to have a lasting or substantive impact.

Finding no. 4: NSIRA found that there is insufficient deconfliction between CSIS and GSRP, which results in inconsistent governance when engaging foreign entities.

Recommendation no. 3: NSIRA recommends the development of clear deconfliction guidelines between CSIS and GSRP and that there must be a consistent approach by CSIS and GSRP when engaging with foreign entities overseas.

Risk to Officers

GAC advised that they have no legal opinions on the legal framework for the GSRP. NSIRA observes that not enough attention has been turned to ascertaining the scope of the functions of a diplomatic mission as described by Article 3(1)(d) and the duties outlined in Article 41(1) of the VCDR, as well as the types of activities that may expose GSRP officers to being declared persona non grata by the receiving state. One area of particular ambiguity is the broad concept of diplomatic interference under Article 41(1) which is not clearly defined under diplomatic law and requires further consideration. The more sensitive a GSRP officer’s conduct, the more likely a receiving state may perceive interference. In addition, thresholds for interference will likely differ between states.

Similarly, where GSRP activity takes on the perceived attributes of espionage, there is increased risk of exceeding the GSRP mandate, violating the receiving state’s domestic law, and exceeding the GSRP officer’s legal diplomatic functions. These risks require further consideration by GAC’s legal and policy team, as outlined further below.

The risks of not creating a legal and policy framework could result in reputational harm to Canada and its diplomatic relations, and presents risks to the individual GSRP officers. NSIRA observed that many GSRP officers routinely relied on the VCDR as a shield for their actions. Indeed, officers did not appear to appreciate that a breach of their obligations under the VCDR amounts to an abuse of their diplomatic privileges and immunities. Article 3(1)(d) of the VCDR recognizes reporting information ascertained through lawful means. Any departure from this requirement would mean that a GSRP officer runs a risk of not being protected by immunity once the GSRP officer’s personal immunity ceases at the end of the individual’s diplomatic posting.

GAC’s Conduct Abroad Code explicitly acknowledges that host country local norms are to be followed by Canadian representatives and that perceptions of Canadian representatives may have a negative effect on Canada’s reputation. Additionally, the activities of GSRP officers are governed by other protocols, which cover the risk of natural disasters, local health concerns, crime, and the physical security of the mission.

In order to collect pertinent information, GSRP officers often travel to dangerous regions not regularly frequented by other diplomats. In addition, GSRP officers also engage with contacts who may hold viewpoints that are considered sensitive by receiving states. Obviously, these contacts would be of little value to the Program if the information/perspective they possess could be collected anywhere. Although all diplomats can attract attention of local authorities, given the nature of the GSRP’s mandate, officers are at particular risk of scrutiny by receiving states.

There also appears to be a disconnect between GSRP HQ and mission management. Namely, there does not appear to be a shared accountability structure. As a result, this undermines the primacy of any one of the managing parties. For example, NSIRA observed multiple instances in which the reporting structure was not clear either for Program partners or for GAC management. For example, the time lag for receiving critical guidance placed one officer at risk of continuing activities which could have been perceived as non-compliant with the VCDR.

GSRP officers do not receive adequate training or briefings on the parameters of diplomatic privileges and immunities. This lack of knowledge may have serious consequences on the GSRP officer’s ability to conduct themselves in accordance with their diplomatic duties. In addition, once a GSRP officer is no longer afforded diplomatic immunity, a receiving state may seek retaliatory measures.

Case Study: Accepting and reporting on classified information

During the course of the review, NSIRA observed many instances where GSRP officers claimed to have a good understanding of their legal boundaries. However, an instance that occurred in [redacted] highlighted the need to ensure that GSRP officers are properly aware of their legal obligations. In this case, a GSRP officer received what appeared to be classified [redacted] from a contact.

Like Canada, [redacted] has laws prohibiting the disclosure of classified information. The GSRP officer’s actions must comply with [redacted]. In addition, Article 41 of the VCDR is clear that diplomats are required to respect the laws and regulations of the receiving state. NSIRA did not see any indication that consultation with legal counsel occurred in this particular case.

In another case, a GSRP officer [redacted] requested and received what was likely classified information from a contact. The information received included [redacted].

In both of the cases examined above, the two GSRP officers appeared to believe that their actions were distinguishable from the activities of an intelligence officer because they did not pay for the information. As noted previously, this is not pertinent when considering compliance with the VCDR; moreover, the aforementioned cases raise concerns related to abuses of diplomatic privileges.

GSRP officers do not have clear guidelines on how to proceed when exposed to information that falls outside the limits of diplomatic collection. NSIRA did observe one instance in which a GSRP officer was given suspected classified information and appropriately returned it to the contact. However, this result was a consequence of the good judgment exhibited by the officer, rather than derived from explicit direction.

Finding no. 5: NSIRA found there was an absence of risk assessments and security protocols specific to the increased scrutiny that GSRP officers may attract because of the nature of their reporting priorities.

Finding no. 6: NSIRA found that although the GSRP operates under the VCDR, it does so without adequate legal guidance assessing the activities of the Program.

Finding no. 7: NSIRA found that GSRP officers do not receive adequate training regarding their legal obligations.

Recommendation no. 4: NSIRA recommends that GSRP develop risk protocols and security guidelines specific to the GSRP.

Recommendation no. 5: NSIRA recommends that GAC complete a thorough legal assessment of GSRP activities. GSRP officers should receive applicable training based on the result of the assessment.

Risk to Contacts

As already explained above, the more sensitive a GSRP officer’s conduct, the more likely a receiving state will perceive interference. This is particularly true with respect to officer interactions with contacts. It is important to underscore that the assumed diplomatic protections granted to the GSRP officer do not apply to contacts. As such, everything depends on a) the degree to which the contact is genuinely free to share such information with a foreign state and b) the degree to which the GSRP officer’s activities do not raise unnecessary suspicion about this interaction.

GSRP officers reported many different experiences regarding risk and security for their contacts, consistent with the diverse environments in which they operate. Most GSRP officers believed that there was little reason to be concerned for contacts, irrespective of the environment, given the overt nature of the collection. In cases where officers acknowledged that certain regions and/or circumstances created a higher risk to the contact, these situations were often mitigated by following the lead of the contact. In other words, given that the contact was most familiar with the environment, the GSRP officer paid close attention to these sensitivities.

In some instances however, GSRP officers mentioned concern for the security of their contacts, which could not be easily mitigated. One GSRP officer noted in an interview that his contact informed him that their interactions would garner unwanted attention by local authorities. Similarly, another GSRP contact was detained by the local authorities and questioned about his interaction with a GSRP officer. In other instances, GSRP officers reported political turmoil or increased security as reasons why contacts suddenly stopped talking to them.’”

Throughout the course of this review, the implications of the differences between overt contacts and clandestine sources were ever-present. In many respects, GSRP. management’s contention that a contact cannot be perceived in the same manner as an intelligence source is accurate. Certainly, most GSRP officers’ interactions with contacts are innocuous. However, given the very nature of the reporting requirements for the Program, there were cases where the contact’s interactions with the officer were high risk. Such examples include GSRP [redacted] speaking with various individuals in [redacted].

These topics and regions are not only widely known as highly sensitive to the receiving states, but also align closely with what a covert source may be tasked to collect information on.

The problem facing the Program from a “contact management” perspective is that anything that takes on the trappings of a “source management” program lends itself to appropriate criticism of being too closely affiliated to non-diplomatic reporting. For example, although the Program would benefit from some of the best practices of HUMINT management, discerning precisely which aspects would be most beneficial, while remaining a diplomatic program, is a key challenge.

In the absence of a “contact management” governance structure, it is therefore left to the best judgment of individual officers on how these interactions are to transpire. This includes the officer determining who to meet, where to meet, and what security protocols are most appropriate in the given circumstances.

In some cases, the officer took it upon themselves to try to enhance security for the contact, including setting up meeting venues minutes before in order to decrease the likelihood of third parties discovering the meeting location. In another example, the officer attempted to obscure mobile device tracking with a faraday bag.

Although these measures were undertaken with the best interest of the contact at hand, intelligence services observing these behaviours could draw an alternative perspective about the intent of such behaviours. Most notably, this could run the risk that GSRP contacts would be perceived by receiving states as assets of a hostile intelligence service.

Irrespective of the environment, or the comfort of the contact, there was also inconsistency in how GSRP officers provided assurances to contacts. For example, while some officers reassured contacts that there is anonymity or confidentiality in GSRP reports, others did not. There was no evidence of a consistent understanding among officers on what assurances could be offered to contacts, or if contacts fully understood what would be done with the information they provided.

Recipients of GSRP reports repeatedly mentioned the ease at which they were able to identify contacts from the descriptions in the reports. Significantly, the majority of officers mentioned that they also report on meetings with Canadian contacts. The anonymization of Canadians is particularly important with regard to ensuring that GAC is meeting its obligations under the Privacy Act and other pertinent legislation. NSIRA will examine the issue of the GSRP meeting their information-sharing obligations with regard to Canadian contacts in the future.

Finding no. 8: NSIRA found that the GSRP does not have appropriate safeguards for interactions with contacts overseas.

Recommendation no. 6: NSIRA recommends that GSRP develop best practices for interactions with contacts based on consultation with GAC legal advisors.

Recommendation no. 7: NSIRA recommends that GAC conduct a Privacy Impact Assessment of the GSRP.

Conclusion

GSRP operates in a distinctly grey zone; GSRP’s vision for the Program includes “greater integration of intelligence community standards and best practices into the GSRP, while maintaining its diplomatic ethos”. Reconciling what this means, in practice, is the most pressing challenge facing the Program.

Reciprocity is an important element of diplomacy. The activities of certain GSRP officers abroad raises concerns that Canada’s diplomats are at times not conducting themselves in accordance with their duties and functions under the VCDR, and of consequence, this may inadvertently influence how these states conduct activities in Canada.

There is a strong appetite for foreign intelligence collected by Canadians. Academics and senior officials from various departments have made clear that Canada’s allies are also eager for Canada to be more involved.

The creation of a foreign intelligence entity within GAC, or the allowance of mission creep by the GSRP into this area of collection, would run against the principles of the VCDR. Therefore, it is important that the GoC consider the implications stemming from this review and decide on the most appropriate means of collecting this kind of information. NSIRA appreciates that issues raised in this review necessarily evoke a renewed conversation on a dedicated Canadian foreign intelligence agency. This is, however, beyond the remit of NSIRA and may require consideration by the NSICoP.

Annex A: Findings and Recommendations

Finding no. 1: NSIRA found that GSRP’s governance and accountability structures are insufficiently developed.

Finding no. 2: NSIRA found that GSRP activities have the potential to cause reputational and political harm to the Government of Canada.

Finding no. 3: NSIRA found that GSRP does not adequately maintain central repositories or follow information management best practices.

Finding no. 4: NSIRA found that there is insufficient deconfliction between CSIS and GSRP which results in inconsistent governance when engaging foreign entities.

Finding no. 5: NSIRA found there was an absence of risk assessments and security protocols specific to the increased scrutiny that GSRP officers may attract because of the nature of their reporting priorities.

Finding no. 6: NSIRA found that although the GSRP operates under the VCDR, it does so without adequate legal guidance assessing the activities of the Program.

Finding no. 7: NSIRA found that GSRP officers do not receive adequate training regarding their legal obligations.

Finding 8: NSIRA found that the GSRP does not have appropriate safeguards for interactions with contacts overseas.

Recommendation no. 1: NSIRA recommends GSRP prioritize the development of a governance framework.

Recommendation no. 2: NSIRA recommends that GAC enforce data retention and information management practices as laid out in already-existing GoC policies.

Recommendation no. 3: NSIRA recommends the development of clear deconfliction guidelines between CSIS and GSRP and that there must be a consistent approach by CSIS and GSRP when engaging with foreign entities overseas.

Recommendation no. 4: NSIRA recommends that GSRP develop risk protocols and security guidelines specific to the GSRP.

Recommendation no. 5: NSIRA recommends that GAC complete a thorough legal assessment of GSRP activities. GSRP officers should receive applicable training based on the result of the assessment.

Recommendation no. 6: NSIRA recommends that GSRP develop best practices for interactions with contacts based on consultation with GAC legal advisors.

Recommendation no. 7: NSIRA recommends that GAC conduct a Privacy Impact Assessment of the GSRP.

Share this page
Date Modified:

Review of Air Passenger Targeting by the Canada Border Services Agency (CBSA)

Date of Publishing:

Executive Summary

The Canada Border Services Agency (CBSA)’s Air Passenger Targeting program performs pre-arrival risk assessments on inbound passengers. It seeks to identify passengers that may be at higher risk of being inadmissible to Canada or of otherwise contravening the CBSA’s program legislation. It does so by using information submitted by commercial air carriers called Advanced Passenger Information and Passenger Name Record data in a multi-stage process that involves manual and automated triaging methods, referred to as Flight List Targeting and Scenario Based Targeting.

The Advance Passenger Information and/or Passenger Name Record data used to perform these prearrival risk assessments include personal information about passengers that relates to prohibited grounds of discrimination under the Canadian Human Rights Act and the Canadian Charter of Rights and Freedoms (the Charter). These grounds include age, sex, and national or ethnic origin. The CBSA relies on information and intelligence from a variety of different sources to determine which of these data elements indicate a risk in passengers’ characteristics and travel patterns in the context of specific enforcement issues, including national security-related risks. Given their potential importance for Canada’s national security and for the CBSA’s concurrent obligations to avoid discrimination, attention to the validity of the inferences underpinning the CBSA’s reliance on the particular indicators it creates from this passenger data to perform these risk assessments is warranted. These considerations also have implications for Canada’s international commitments to combat terrorism and serious transnational crime and to respect privacy and human rights in the processing of passenger information.

NSIRA conducted an in-depth assessment of the lawfulness of the CBSA’s activities in the first step of the pre-arrival risk assessment, where inbound passengers are triaged using the passenger data provided by commercial air carriers. The review examined whether the CBSA complies with restrictions established in statutes and regulations on the use of the Advance Passenger Information and Passenger Name Record data and whether the CBSA complies with its obligations pertaining to non-discrimination.

While NSIRA found that the CBSA’s use of Advance Passenger Information and Passenger Name Record data complied with the Customs Act, the CBSA does not document its triaging activities in a manner that enables effective verification of compliance with regulatory restrictions established under the Protection of Passenger Information Regulations. This was more of a weakness in the CBSA’s manual Flight List Targeting triaging method than its automated Scenario Based Targeting method.

The CBSA was also unable to consistently demonstrate that an adequate justification exists for its reliance on particular indicators it created from the Advance Passenger Information and Passenger Name Record data to triage passengers. This is important, as the CBSA’s reliance on certain indicators results in drawing distinctions between travellers based on prohibited grounds of discrimination. These distinctions may lead to adverse impacts on passengers’ time, privacy, and equal treatment, which may be capable of reinforcing, perpetuating or exacerbating a disadvantage. Adequate justification for such adverse differentiation is needed to demonstrate that such distinctions are not discriminatory and are a reasonable limit on travellers’ equality rights.

Recordkeeping is important to ensure effective verification that Air Passenger Targeting triaging activities comply with the law and respect human rights and NSIRA observed important weaknesses in this regard. These recordkeeping weaknesses stem in part from the fact that the CBSA’s policies, procedures, and training are insufficiently detailed to adequately equip CBSA staff to identify discrimination and compliance-related risks and to act appropriately in their duties. Oversight structures and practices are also not rigorous enough to identify and mitigate potential compliance and discrimination-related risks. This is compounded by lack of collection and assessment of relevant data. NSIRA recommends improved documentation practices for triaging to demonstrate compliance with statutory and regulatory restrictions and to demonstrate that an adequate justification exists for its reliance on the indicators it creates from Advance Passenger Information and Passenger Name Record data. Such documentation is essential to enable effective internal oversight as well as external review.

NSIRA also recommends more robust training and increased oversight to ensure that triaging practices are not discriminatory. This should include updates to policies as appropriate as well as the collection and analysis of the data necessary to identify, analyze and mitigate discrimination-related risks

Front matter

Lists of acronyms

API Advance Passenger Information
APT Air Passenger Targeting
CBSA Canada Border Services Agency
CHRA COVID-19 EU Canadian Human Rights ActNovel Coronavirus/Coronavirus Disease of 2019European Union
FLT Flight List Targeting
IATA International Air Transport Association
ICES Integrated Customs Enforcement System
IRPA Immigration and Refugee Protection Act
IRPR Immigration and Refugee Protection Regulations
MOU Memorandum of Understanding
NSIRA National Security and Intelligence Review Agency
OAG Office of the Auditor General of Canada
OPC Office of the Privacy Commissioner
PAXIS Passenger Information System
PCLMTFA Proceeds of Crime (Money Laundering) and Terrorist Financing Act
PICR Passenger Information (Customs) Regulations
PNR Passenger Name Record
PPIR Protection of Passenger Information Regulations
RFI Request for Information
SBT Scenario Based Targeting
SOP Standard Operating Procedures
UNSC United Nations Security Council
US United States

Lists of figures

Figure 1. Advance Passenger Information and Passenger Name Record Elements

Figure 2. Steps in the Air Passenger Targeting

Figure 3. Process for Developing Scenarios for Scenario Based Targeting

Figure 4. What is a “High Risk” Flight or Passenger

Figure 5. Instances Where the Link to Serious Transnational Crime or Terrorism Offences was unclear

Figure 6. Instances Where the Potential Contravention was Unclear in Targets

Figure 7. Legal Tests under the CHRA and the Charter

Figure 8. Advance Passenger Information and Passenger Name Record Data That Relate to Protected Grounds

Figure 9. Instances Where Behavioural Indicators Were Protected Grounds or Did Not Narrow Scope

Figure 10. Impacts on Travellers Resulting from Initial Triage

Figure 11. Summary of NSIRA’s Assessment of Scenario Supporting Documentation

Figure 12. Examples of Weaknesses in Scenario Supporting Documentation

Figure 13. Example of a Well-Substantiated Scenario

Figure 14. Why the Justification for the Indicators Used in Targeting is Important

Authorities

The National Security and Intelligence Review Agency (NSIRA) conducted this review under paragraph 8(1)(b) of the NSIRA Act.

Introduction

The Canada Border Services Agency (CBSA)’s Air Passenger Targeting program is one of several programs that help the Agency fulfill its mandate of “providing integrated border services that support [Canada’s] national security and public safety priorities and facilitate the free flow of [admissible] persons and goods” into Canada. Air Passenger Targeting uses passenger data submitted by commercial air carriers called Advance Passenger Information and Passenger Name Record data to conduct pre-arrival risk assessments. The pre-arrival risk assessments are intended to identify individuals at higher risk of being inadmissible to Canada or of otherwise contravening the CBSA’s program legislation. In 2019-20, the CBSA received this information to risk assess 33.9 million inbound international travellers.

Air Passenger Targeting has become an increasingly important tool for screening passengers. The CBSA’s deployment of self-serve kiosks to process travellers arriving in Canadian airports has decreased the ability of Border Services Officers to risk assess travellers through in-person observations or interactions, increasing the CBSA’s reliance on pre-arrival risk assessments, like Air Passenger Targeting, to identify and interdict inadmissible people and goods.

The Canadian border context affords the CBSA considerable discretion in how it conducts its activities. Individuals have lower reasonable expectations of privacy at the border. Brief interruptions to passengers’ liberty and freedom of movement are reasonable, given the state’s legitimate interest in screening travellers and regulating entry. However, the activities of the CBSA must not be discriminatory, meaning that any adverse differential treatment on the basis of prohibited grounds of discrimination, such as national or ethnic origin, age, or sex must be justified. Both the Canadian Human Rights Act and the Canadian Charter of Rights and Freedoms (the Charter) create distinct obligations in this regard. The Advance Passenger Information and Passenger Name Record data that the CBSA uses to perform these pre-arrival risk assessments includes personal information about passengers that is either a prohibited ground of discrimination or that relates closely to such grounds, warranting further attention to the CBSA’s compliance with these obligations. As Air Passenger Targeting involves passenger screening to identify national security-related risks (among others), attention to the validity of the inferences underpinning the CBSA’s interpretation of passenger information also has implications for Canada’s national security.

Air Passenger Targeting also engages Canada’s international commitments to combat terrorism and serious transnational crime and to respect privacy and human rights in the processing of passenger information. The latter commitment has been of particular importance to the European Union in the context of ongoing negotiations on an updated agreement for sharing passenger information.

About the review

NSIRA’s review examined two main aspects of the lawfulness of the CBSA’s passenger triaging activities in Air Passenger Targeting and their effects on travellers. The review examined whether the CBSA’s triaging activities comply with restrictions established in statutes and regulations on the use of Advance Passenger Information and Passenger Name Record data; and whether passenger triaging activities comply with the CBSA’s obligations pertaining to non-discrimination under the Canadian Human Rights Act and the Charter.9 NSIRA expected to find that the CBSA’s triaging activities are conducted with appropriate legal authority and comply with use restrictions on the passenger data and non-discrimination obligations, namely, that any adverse differentiation among travellers based on protected grounds is supported by adequate justification.

The review focused on the CBSA’s triaging activities in Air Passenger Targeting relevant to identifying potential national security-related threats and contraventions. However, it also examined the program as a whole across the CBSA’s three main targeting categories—national security, illicit migration, and contraband—to fully appreciate the program’s governance and operations, given its reliance on intelligence analysis. The review examined the Air Passenger Targeting program as implemented by the CBSA between November 2020 and September 2021.

The review relied on information from the following sources:

  • Program documents and legal opinions
  • Information provided in response to requests for information (written answers and briefings)
  • [***Sentence revised to remove privileged or injurious information. It describes the number of scenarios that were active on May 26, 2021***]
  • Supporting documentation for a sample of 12 scenarios that were active on May 26, 2021
  • A sample of 83 targets issued between January and March 2021 (including 59 targets subsequent to Flight List Targeting and 24 targets subsequent to Scenario Based Targeting)
  • A live demonstration at the National Targeting Centre, which conducts Air Passenger Targeting
  • Open sources, including news articles, academic articles, and prior reviews by other agencies.
  • Past performance data and relevant policy developments

Confidence statement

For all reviews, NSIRA seeks to independently verify information it receives. Access to information was through requests for information and briefings by the CBSA. During this review, NSIRA corroborated the information that was received through verbal briefings by receiving copies of program files and alive demonstration of Air Passenger Targeting. NSIRA is confident in the report’s findings and recommendations.

Orientation to the Review Report

After providing essential background information on the steps and activities involved in Air Passenger Targeting and its contribution to the CBSA’s mandate in Section 5, the review’s findings and recommendations are presented in Section 6.

In Section 6.1, NSIRA’s assessed the CBSA’s compliance with statutory and regulatory restrictions on the CBSA’s use of Advance Passenger Information and Passenger Name Record data. Weaknesses in how the CBSA documents its Air Passenger Targeting program activities prevented NSIRA from verifying that all triaging activities complied with these restrictions. These weaknesses also impede the CBSA’s own ability to provide effective internal oversight.

In Section 6.2, NSIRA’s assessed the CBSA’s compliance with its obligations pertaining to nondiscrimination under the Canadian Human Rights Act and the Charter. Similar weaknesses in documentation and recordkeeping prevented the CBSA from demonstrating, in several instances, that an adequate justification exists for its reliance on the indicators it created from Advance Passenger Information and Passenger Name Record data to triage inbound travellers. Ensuring that Air Passenger Targeting triaging practices are substantiated by relevant, reliable and documented information and intelligence is important to demonstrating that travellers’ equality rights are being respected, given that some of the indicators relied on to triage passengers relate to protected grounds and given that passenger triage may lead to adverse impacts for travellers. NSIRA recommends a number of measures to improve recordkeeping and identify and mitigate discrimination-related risks.

Background and content

Air Passenger Targeting and the CBSA’s Mandate

The Air Passenger Targeting program is housed within the National Targeting Centre and is currently supported by 92 Full-Time Equivalents. Air Passenger Targeting is one of several targeting programs at the CBSA, and pre-arrival risk assessments are also performed on cargo and conveyances in other modes of travel, such as marine or rail. Pre-arrival risk assessments are currently only performed on crew and passengers for commercial-based air and marine travel. Screening and secondary examinations of travellers entering Canada through other modes of travel such as land or rail are undertaken at the border.

The Air Passenger Targeting pre-arrival risk assessments are intended to help front line Border Services Officers to identify travellers and goods with a higher risk of being inadmissible to Canada or of otherwise contravening the CBSA’s program legislation and referring them for further examination once they arrive at a Canadian Port of Entry.

Pre-arrival risk assessments are performed in relation to multiple enforcement issues, all of which are associated with ever-evolving travel patterns and traveller characteristics that may vary from one part of the world to the other. Staff at the National Targeting Centre receive training, develop on-the-job experience, and have access to a large body of information and intelligence to perform their duties.

How Air Passenger Targeting works

Key Information Relied Upon in Air Passenger Targeting

Air Passenger Targeting relies on two sets of information to triage passengers for these risk assessments. The first set consists of information about passengers that commercial air carriers submit to the CBSA under section 148(1)(d) of the Immigration and Refugee Protection Act and 107.1 of the Customs Act. This information is referred to as Advance Passenger Information and Passenger Name Record data. Advance Passenger Information comprises information about a traveller and the flight information associated with their travel to Canada; Passenger Name Record data is not standardized and refers to information about a passenger kept in the air carrier’s reservation system. The particular data elements are prescribed under section 5 of the Passenger Information(Customs) Regulations and section 269(1) of the Immigration and Refugee Protection Regulations.

For simplicity, NSIRA refers to Advance Passenger Information and Passenger Name Record Data collectively as “passenger data” in this review unless otherwise specified. Figure 1 provides an overview of common Advance Passenger Information and Passenger Name Record data elements. Once received by the CBSA, the passenger data is loaded into the CBSA’s Passenger Information System (PAXIS). This is the main system used to conduct Air Passenger Targeting.

Figure 1. Advance Passenger Information and Passenger Name Record Elements
Figure 1: Advance Passenger Information and Passenger Name Record Elements Graphic

The second set consists of information and intelligence from a variety of other sources that is used to help the CBSA determine which Advance Passenger Information and Passenger Name Record data elements may indicate risks in passengers’ characteristics and travel patterns in the context of specific enforcement issues and can therefore provide indicators for triaging passengers. Key sources include:

  • Recent significant interdictions that are cross-referenced with historical enforcement and intelligence information, as well as with the Advance Passenger Information and/or Passenger Name Record data for interdicted subjects
  • Port of entry seizures
  • Information from Liaison Officers overseas
  • International intelligence bulletins
  • Intelligence products shared by domestic and international partners concerning actionable indicators and trends from partner agencies based on their area of expertise.
  • Open sources, including news articles, op-eds, academic articles, social media.
  • CBSA intelligence products based on one or more of the above-mentioned sources, such as Intelligence Bulletins, Targeting Snapshots or Placemats, Country Threat Assessments, Intelligence Briefs, daily news briefings.

The quality of the information supporting the CBSA’s inferences as to who may be a high-risk traveller is important to ensure the triage is reasonable and non-discriminatory (see Section 6.2).

Step by Step Process of Air Passenger Targeting

Air Passenger Targeting involves three key steps, illustrated in Figure 2. First, CBSA officers triage passengers based on the Advance Passenger Information and Passenger Name Record data using manual or automated methods. Second, CBSA officers undertake a risk assessment of the selected passengers using different sources of information and intelligence. Third, Targeting Officers decide whether to issue a “target,” based on the results of this risk assessment.

Figure 2. Steps in the Air Passenger Targeting Process
Figure 2: Horizontal diagram of the steps in the Air Passenger Targeting Process

Step 1: Passenger Triage

The CBSA uses two distinct methods to triage passengers using Advance Passenger Information and Passenger Name Record data: Flight List Targeting and Scenario-Based Targeting.

Flight List Targeting is a manual triage method that involves two main steps. The officers use their judgement to make these selections (see Figure 4 for further details).

  • Targeting Officers select an inbound flight from those arriving that day that they consider to be at “higher risk” of transporting passengers that may be contravening the CBSA’s program legislation.
  • Targeting Officers then select passengers on those flights for further assessment, based on the details displayed about them in the list of passengers.

Scenario Based Targeting is an automated triage method that relies on “scenarios,” or pre-established set of indicators created from Advance Passenger Information and Passenger Name Record data elements that the CBSA considers as risk factors for a particular enforcement issue. The data for passengers on all inbound flights are automatically compared against the parameters of each scenario. Any passengers whose data match all of the parameters of one (or more) scenario are automatically selected for a Targeting Officer to assess further.

[***Sentence revised to remove privileged or injurious information. It describes the steps involved in developing scenarios ***]

Figure 3. Process for Developing Scenarios for Scenario Based Targeting

[***Figure revised to remove privileged or injurious information. It describes the steps involved in developing scenarios. ***]

Both of these triage methods are informed by an analysis of information and intelligence in slightly different ways. In Scenario Based Targeting, the National Targeting Centre’s Targeting Intelligence unit analyses intelligence and information to identify combinations of Advance Passenger Information and Passenger Name Record data elements associated with “high risk” passengers and travel patterns for the purposes of developing scenarios, as illustrated in Step 1 of Figure 3 above. In Flight List Targeting, Targeting Officers analyze information and intelligence to develop a personal “mental model” about what constitute “high risk” flights or passengers in the context of a specific enforcement issue. Examples are provided in Figure 4.

Figure 4. What is a “High Risk” Flight or Passenger?

Based on information about past trends and intelligence about future travel, CBSA officers identify certain flights or airports that have had a higher incidence of travellers subsequently found to be in contravention of the CBSA’s program legislation. The CBSA assesses flights from these points of origin as “high risk” flights. [Sentence revised to remove privileged or injurious information. It provided examples of flight information that the CBSA indicated was associated with past contraventions.]

Based on similar analysis, CBSA officers have assessed that certain combinations of traveller characteristics and travel patterns are or may be associated with contraventions of the CBSA’s program legislation. Travellers who match these characteristics are considered to be “high risk” travellers. [Sentence revised to remove privileged or injurious information. It provided examples of flight information that the CBSA indicated was associated with past contraventions.]

Steps 2 and 3: Passenger Risk Assessments and Issuing Targets

The initial triage of passengers may result in two additional steps for those who have been selected for further assessment: further passenger risk assessments (referred to by the CBSA as a “comprehensive review”) and a decision to issue a target if risks that were initially identified remain.

The passenger risk assessment process involves requesting and analyzing the following information to determine whether risks initially identified in the passenger’s Advance Passenger Information and Passenger Name Record data are no longer of concern (referred to as “negation”), whether they continue to be of concern, or whether those concerns have increased:

  • Mandatory and discretionary queries of CBSA and other government databases;
  • Open-source searches (including social media);
  • Requests for information to other Government of Canada departments and to the United States Customs and Border Protection agency (mandatory for all potential contraventions related to national security, but optional for other enforcement issues).

A target is issued when the risk assessment cannot “negate” risks initially inferred about the passenger. A target is a notification to Border Services Officers at a Canadian Port of Entry (in this case, airports) to refer the passenger for “secondary examination”. It does not mean that a passenger has been found in contravention of the CBSA’s program legislation. A target includes details about the passenger and the risks identified in relation to the potential contravention (referred to as a “target narrative”).

During secondary examinations, Border Services Officers engage in a progressive line of questioning. This questioning is informed by the details contained in the target as well as all other information available to the officers, including information provided by travellers and other observations developed during the examination. This information may allow the officers to establish a reasonable suspicion about whether the passenger has contravened customs, immigration, or other requirements that are enforced by the CBSA and pursue further questioning or examination. These examinations may also involve a search of luggage and/or digital devices where required and with managerial approval. The outcome of these examinations determines the next steps for individual travellers.

Findings and Recommendations

The CBSA’s Compliance with Restrictions Established in Law and Regulations

Restrictions that Apply to Air Passenger Targeting and Why They Matter

While Air Passenger Targeting is not explicitly discussed in legislation, both the Customs Act and the Immigration and Refugee Protection Act provide the CBSA with legislative authority to collect and use Advance Passenger Information and Passenger Name Record data in Air Passenger Targeting. Such use is further supported by section 4(1)(b) of the Protection of Passenger Information Regulations, which expressly contemplates the use of Passenger Name Record data to conduct trend analysis and to develop risk indicators for the purpose of identifying certain high-risk individuals.

NSIRA is satisfied that these statutory provisions also authorize the CBSA to collect and analyze the information and intelligence necessary to support Air Passenger Targeting. These inputs are necessary to contextualize its interpretation of the Advance Passenger Information and Passenger Name Record data and determine which data elements characterize “high risk” passengers and travel patterns in the context of different enforcement issues. However, the review did not examine whether all information and intelligence collected by the CBSA was necessary to the conduct of its operations (in Air Passenger Targeting or otherwise). This related topic may be the subject of future review.

These authorizing provisions create restrictions on the CBSA’s use of Advance Passenger Information and Passenger Name Record data. Two layers of use restrictions apply: one set arises from the Customs Act or the Immigration and Refugee Protection Act as authorizing statutes, and the other set arises from section 4 of the Protection of Passenger Information Regulations.

In examining compliance with the first set, NSIRA referred to section 107(3) of the Customs Act, the broader of the two authorities. Section 107(3) authorizes the CBSA to use Advance Passenger Information and Passenger Name Record data:

  • To administer or enforce the Customs Act, Customs Tariff, or related legislation;
  • To exercise its powers, duties and functions under the Immigration and Refugee Protection Act, including establishing a person’s identity or determining their inadmissibility; and/or
  • For the purposes of its program legislation.

NSIRA also examined compliance with the use restrictions established by section 4 of the Protection of Passenger Information Regulations. The regulations limit the CBSA’s use of Passenger Name Record data to the identification of persons “who have or may have committed” either a terrorism offence or a serious transnational crime. The data can be used to identify such persons directly, or to enable trend analysis or the development of risk indicators for that same purpose.

The Protection of Passenger Information Regulations were enacted to fulfill Canada’s commitments respecting its use of Passenger Name Record data as part of an agreement signed with the European Union. The Agreement specifies that “[Passenger Name Record] data will be used strictly for purposes of preventing and combating: terrorism and related crimes; other serious crimes, including organized crime, that are transnational in nature.” Although the 2006 agreement expired, ongoing efforts to negotiate a new agreement place continued importance on ensuring the CBSA’s ability to demonstrate compliance with the lawful uses of Passenger Name Record data. The constraints established in the regulations also indicate the Minister’s determination of when the use of Passenger Name Record data by the CBSA will be reasonable and proportional.

As a matter of law, the Protection of Passenger Information Regulations restrictions apply only to Passenger Name Record data provided to the CBSA under the Immigration and Refugee Protection Act. However, Advance Passenger Information and Passenger Name Record data are integrated within its systems. The CBSA also uses Passenger Name Record data to issue targets for the purposes of the Customs Act and the Immigration and Refugee Protection Act simultaneously. Given the CBSA’s commitments to the European Union under the above-mentioned Agreement and these other considerations, the CBSA observes these regulatory restrictions across its Air Passenger Targeting program as a matter of policy.

Assessing compliance with the Protection of Passenger Information Regulations required NSIRA to determine whether the enforcement issue of interest in the triaging decision fell within the regulations’ definitions of a “terrorism offence” or of a “serious transnational crime.”

What NSIRA found?

NSIRA found that, in its automated Scenario Based Targeting triaging method, the CBSA’s use of Advance Passenger Information and Passenger Name Record data to identify potential threats and contraventions of the CBSA’s program legislation complied with statutory restrictions. For its manual Flight List Targeting triaging method, NSIRA was not able to assess the reasons for the CBSA’s selection of individual travellers and was therefore not able to verify compliance with section 107(3) of the Customs Act. For both methods, NSIRA was also unable to verify that all triaging complied with the regulatory restrictions imposed by the Protection of Passenger Information Regulations on the CBSA’s use of Passenger Name Record data, namely that its use served to identify potential involvement in terrorism offences or serious transnational crimes. This was due to lack of precision in Scenario Based Targeting program documentation and lack of documentation about the basis for Flight List Targeting triaging decisions.

Do Scenario Based Targeting triage practices comply with statutory and regulatory restrictions?

In Scenario Based Targeting, all scenarios complied with the statutory restrictions on the use of Advance Passenger Information and Passenger Name Record data, as all scenarios were developed for the purposes of administering or enforcing the CBSA’s program legislation. However, in several instances, the scenario documentation did not precisely identify why the CBSA considered a particular enforcement concern to be related to a terrorism offence or serious transnational crime. This lack of precision obscured whether the scenarios complied with the Protection of Passenger Information Regulations.

NSIRA reviewed the information contained within the scenario templates for [***Sentence revised to remove privileged or injurious information. It describes the number of scenarios that were active on May 26, 2021***]. The templates require information on the specific legislative provisions associated with the potential contravention the scenario seeks to identify. The templates also require a general description of the details of the scenario, including the potential contravention.

The CBSA’s use of Advance Passenger Information and Passenger Name Record data in Scenario Based Targeting complied with the first layer of legal restrictions, as all of the scenarios sought to identify contraventions of the Immigration and Refugee Protection Act, the Customs Act, the Customs Tariff, and/or the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, which are authorized purposes under section 107(3) of the Customs Act. In many instances, the scenario’s purpose also complied with the complementary restrictions under the Immigration and Refugee Protection Act.

Regarding the second layer of restrictions imposed by the Protection of Passenger Information Regulations, most scenarios cited provisions for potential contraventions that were reasonably viewed as relating to terrorism or serious transnational crime. In several instances, however, the link to terrorism or serious transnational crime was not clear. This occurred in one of two ways:

  • Scenarios did not establish why a potential contravention cited as the intent of the scenario was related to an offence punishable by a term of at least four years of imprisonment, which one of the criteria in the definition of a serious transnational crime. It was therefore unclear how the enforcement interest related to a serious transnational crime (observed in at least 28 scenarios).Including more precise details on how the potential contravention relates to a serious transnational crime or terrorism offence would more clearly establish this link.
  • Scenarios cited three or more distinct grounds for serious inadmissibility, such as sections 34, 35,36, and/or 37 of the Immigration and Refugee Protection Act without providing further details as to why all grounds were relevant to the conduct at issue in the scenario (observed in at least 20 scenarios).

This obscured how the grounds related meaningfully to the conduct at issue and why the conduct related to a terrorism offence or serious transnational crime. Including more precise details on how each ground of inadmissibility included in a scenario is relevant to the conduct at issue would help in this regard.

Illustrative examples are provided in Figure 5, and further details on NSIRA’s assessment of compliance with the Customs Act and the Protection of Passenger Information Regulations are provided in Appendix 8.3.

[Figure revised to remove privileged or injurious information. It described two examples where the link to serious transnational crime or terrorism offences was unclear in scenarios.]

Do Flight List Targeting triage practices comply with statutory and regulatory restrictions?

Lack of documentation about why officers selected particular flights or passengers prevented NSIRA from verifying whether Flight List Targeting triaging practices comply with the use restrictions found in the Customs Act or the Protection of Passenger Information Regulations. This lack of documentation also impedes the CBSA’s internal verification that Flight List Targeting triaging complies with these use restrictions.

As Targeting Officers rely on their judgement to triage passengers in Flight List Targeting, record keeping about triaging decisions is important to be able to verify that triaging complies with relevant statutes and regulations and take corrective action as appropriate. Although the National Targeting Centre has a Notebook Policy, which requires officers to “record all information about the officers’ activities,” the National Targeting Policy and the Air Passenger Targeting Standard Operating Procedures do not specify what stages of Air Passenger Targeting need to be documented or what information needs to be recorded at each step. Moreover, the Air Passenger Targeting Standard Operating Procedures, the Target Narrative Guidelines, and the format for issuing targets in the CBSA’s systems do not require officers to include precise details about the potential contravention that motivated their decision to issue a target.

NSIRA was only able to infer why a passenger was first selected for further assessment in Flight List Targeting from the details of targets, even though the explanatory value of analyzing targets for insight about initial triaging is limited. Targets are not issued for all initially selected passengers : only 15 percent of the passengers that were selected for a comprehensive risk assessment led to a target being issued in 2019-20.

As well, the enforcement issue contained within targets may have changed during later stages in the Air Passenger Targeting process and may not necessarily reflect the issue that motivated the initial triaging decision.

NSIRA found that all targets in a sample of 59 targets issued subsequent to Flight List Targeting complied with the first layer of use restrictions under section 107(3) of the Customs Act, as they cited either the “IRPA” or the “Customs Act” in the details of the target. However, the targets did not always specify a particular contravention of these Acts, which created a challenge for determining why the officers’ interest in the passenger related to a terrorism offence or serious transnational crime. Based on other descriptive details about the behaviours or risk factors contained in the target, it was only possible to clearly infer the enforcement issue and determine that it was a terrorism offence or a serious transnational crime in approximately half the targets (29 of 59). Illustrative examples are provided in Figure 6.

Figure 6. Instances Where the Potential Contravention was Unclear in Targets

[***Figure revised to remove privileged or injurious information. It described two examples of targets where the potential was unclear based on the details of the target.***]

Why is precision in record keeping important?

It is important to ensure that the potential contravention at issue is clear in scenario templates and targets and to ensure that recordkeeping about the reasons animating Flight List Targeting triaging is adequate in order to allow effective verification that all triaging activities comply with statutory and regulatory restrictions.

The CBSA’s current oversight functions consist of reviewing new scenarios prior to and in parallel with their activation and of reviewing targets after the fact for quality control and performance measurement. However, the documentation weaknesses identified above prevent the CBSA from ensuring that its triaging activities comply with statutory and regulatory restrictions. The CBSA’s oversight mechanisms should include robust verification that scenarios and manual Flight List Targeting triaging practices are animated by issues relevant to the administration or enforcement of the CBSA’s program legislation. Where Passenger Name Record data is used, oversight should also verify that the enforcement issue constitutes or is indicative of a terrorism offence or serious transnational crime. More precise and consistent recordkeeping of the reasons underlying passenger triage decisions in both Scenario Based Targeting and Flight List Targeting would help in this respect.

Guidance on what the legislative and regulatory restrictions entail for targeting activities was also not clearly articulated in the National Targeting Centre’s policies, standard operating procedures, or training materials. These guidance materials should include further specifics on:

  • Which issues pertinent to admissibility under the Immigration and Refugee Protection Act or other contraventions of the CBSA’s program legislation constitute or relate to a serious transnational crime or terrorism offence and why; and
  • How to document triaging decisions on a consistent basis to enable internal and external verification that targeting activities align with these legal and regulatory restrictions.

For example, the Scenario Based Targeting Governance Framework included helpful examples of risk categories that identify associated legislative provisions. Though the examples align with the definitions of serious transnational crime and terrorism offences in the Protection of Passenger Information Regulations, no explanation linking the examples to alignment with the regulations are provided. Equivalent guidance does not exist for Flight List Targeting.

Clearly identifying the potential enforcement issue is also important to verifying that the indicators created from Advance Passenger Information and Passenger Name Record data that are used to triage passengers are relevant to the issue and reliably predictive of it. This is important for demonstrating that the triaging practices are reasonable and non-discriminatory (see Section 6.3).

Finding 1. The CBSA’s use of Advance Passenger Information and Passenger Name Record data in Scenario Based Targeting complied with section 107(3) of the Customs Act.

Finding 2. The CBSA does not document its triaging practices in a manner that enables effective verification of whether all triaging decisions comply with statutory and regulatory restrictions.

Recommendation 1. NSIRA recommends that the CBSA document its triaging practices in a manner that enables effective verification of whether all triaging decisions comply with statutory and regulatory restrictions.

The CBSA’s Compliance with Obligations Pertaining to Non-Discrimination

The CBSA’s Non-Discrimination Obligations and Why They Matter

The Canadian Human Rights Act and the Charter each establish obligations pertaining to nondiscrimination. The tests for assessing whether or not discrimination has occurred are thematically similar, though with differences in approach and terminology as illustrated in Figure 7. The analysis under both instruments begins with a factual inquiry into whether a distinction is being drawn between travellers based on prohibited grounds of discrimination, and if so, whether it has an adverse effect on the traveller or reinforces, perpetuates or exacerbates disadvantage. If so, the analysis under the CHRA examines whether there is a bona fide justification for the adverse differentiation. The corresponding analysis under the Charter examines whether the limit on travellers’ equality rights is demonstrably justified in a free and democratic society.

Figure 7: Legal Tests under the CHRA and the Charter diagram

What NSIRA Found

Although triaging in Air Passenger Targeting typically relies on multiple indicators that are created from Advance Passenger Information and Passenger Name Record data, some of these indicators are protected grounds or relate closely to protected grounds. Air Passenger Targeting triaging results in impacts on travellers that can be considered adverse in nature and are capable of reinforcing, perpetuating, or exacerbating disadvantages. This creates a risk of prima facie discrimination. While these limits on travellers’ equality rights may be justifiable, weaknesses in the CBSA’s program documentation prevented the CBSA from demonstrating that a bona fide justification supported the adverse differentiation of travellers in several instances. A large body of information and intelligence is available to CBSA staff; however, it was not compiled and documented in a way that consistently established why certain indicators used to triage passengers related to a threat or potential contravention and did not always establish that these indicators were current and reliable. This weakness with respect to ensuring precise, well-substantiated documentation is similar to the one already highlighted in relation to the CBSA’s compliance with legal and regulatory restrictions.

Further information on the nature of the differentiations made in Air Passenger Targeting triaging practices and their impact on individuals would be required to conclusively establish whether or not triaging practices are discriminatory. However, the risk of discrimination is sufficiently apparent to warrant careful attention. In this review, NSIRA will recommend measures that could help the CBSA to assess and mitigate discrimination-related risks.

Does the CBSA make a distinction in relation to “protected grounds”?

Some of the indicators relied on to triage passengers are either protected grounds themselves or relate closely to protected grounds. NSIRA observed instances where passengers appeared to be differentiated based on protected grounds.

NSIRA examined all scenarios that were active on May 26, 2021 and a sample of targets to determine whether the CBSA’s triaging practices engage prohibited grounds of discrimination, such as age, sex, or national or ethnic origin. NSIRA refers to these as “protected grounds” in the report. The assessment considered:

  • How the indicators used to triage passengers relate to protected grounds;
  • The significance of the indicators in triage and how individual indicators were weighted in relation to each other; and
  • Whether these indicators created distinctions among individuals, or classes of individuals, based on protected grounds, whether in their own right or by virtue of their cumulative impact.

NSIRA found that the CBSA triages passengers based on a combination of indicators that are created from Advance Passenger Information and Passenger Name Record data. This triaging often included indicators that were either protected grounds themselves or related closely to protected grounds. Examples of these indicators are provided in Figure 8 with further details on how the CBSA relied on these indicators in Appendix 8.4.

Figure 8. Advance Passenger Information and Passenger Name Record Data That Relate to Protected Grounds
Figure 8: Diagram/Table of the Advance Passenger Information and Passenger Name Record Data That Relate to Protected Grounds

Although the CBSA took certain measures to mitigate the possibility that triaging decisions were based primarily on protected grounds, NSIRA observed that these measures did not always adequately mitigate that risk. More specifically:

  • [***Note revised to remove injurious or privileged information. It lists examples of scenarios that relied on single elements.***] NSIRA observed instances where scenarios continued to rely largely on indicators that related closely to protected grounds. This was because the behavioural indicators were often used in a way that related closely to a protected ground (primarily national origin) or because the parameters for the behavioural indicators were very broad (for example: passports as a travel document) and did not significantly narrow the range of passengers captured by the scenario. Examples are provided in Figure 9.
  • Scenario Based Targeting triaging for potential contraventions relevant to national security focused disproportionately on a certain profile of passengers: [***Sentence revised to remove injurious or privileged information. It described a combination of traveller characteristics that relates to protected grounds.***] While individual scenarios considered a variety of other indicators that differed between each scenario and that appeared to be specific to a unique set of personal characteristics and behavioural patterns for each national security risk, the overall effect of the scenarios created a differential impact largely focused on this particular profile.
Figure 9. Instances Where Behavioural Indicators Were Protected Grounds or Did Not Narrow Scope

[***Figure revised to remove privileged or injurious information. It describes two examples of scenarios where behavioural indicators were used in a way that related closely to a protected ground or because the parameters for the behavioural indicators were very broad and did not significantly narrow the range of passengers captured by the scenario***]

As the CBSA’s triaging practices engage protected grounds and resulted in a differentiation of passengers based on protected grounds in certain instances, NSIRA considered the impacts that these distinctions may produce.

Do distinctions result in adverse impacts capable of reinforcing, perpetuating, or exacerbating a disadvantage?

Distinctions made in passenger triage lead to several types of potential impacts for the passengers that are selected for further assessment. These impacts are adverse in nature and are capable of reinforcing, perpetuating, or exacerbating disadvantages.

NSIRA considered the kinds of impacts that Air Passenger Targeting has for the passengers who are selected for further assessment through the initial triage. These impacts are illustrated in Figure 10. Each may have important effects on passengers’ time, privacy, and equality, particularly as the impacts accumulate during the screening process and/or where these impacts are experienced repeatedly by the same travellers.

Figure 10. Impacts on Travellers Resulting from Initial Triage
Figure 10. Impacts on Travellers Resulting from Initial Triage diagram

[Figure revised to remove privileged or injurious information. It describes numbers of passengers targeted by year.]

These impacts can be adverse in nature and are reasonably understood as being capable of reinforcing, perpetuating, or exacerbating disadvantage, particularly when viewed in light of possible systemic or historical disadvantages. However, disaggregated data on the ethno-cultural, gender, or other group identity of affected passengers and their circumstances in Canadian society would be required to fully appreciate Air Passenger Targeting’s impacts on affected groups.

A risk of prima facie discrimination is established where these adverse impacts accrue to individuals based on protected grounds. These adverse impacts on protected groups will not amount to discrimination under the Canadian Human Rights Act if the CBSA can demonstrate a bona fide justification for the differentiation and will be allowed under the Charter if the CBSA can establish that the distinctions are a reasonable limit on travellers’ equality rights.

Does the CBSA have an adequate justification for the adverse differentiation?

While a large body of information and intelligence is available to CBSA’s staff for their triaging activities, weaknesses in recordkeeping, in the coherent synthesis of this information, and in data collection prevented the CBSA from demonstrating, that an adequate justification exists for its use of the indicators it created from Advance Passenger Information and Passenger Name Record data in several instances.

NSIRA examined how the CBSA relied on information and intelligence to support its triaging practices by reviewing a sample of 12 scenarios and a sample of 59 targets issued subsequent to manual triaging in Flight List Targeting. NSIRA also examined performance data for the selected scenarios. In examining the supporting documentation provided for each scenario demonstrated an adequate justification for the indicators created from Advance Passenger Information and Passenger Name Record data to triage passengers, NSIRA considered a number of factors:

  • Whether the information was objective and empirical;
  • Whether it was credible and reliable, in terms of its source and the quality of its substantiation;
  • Whether the information was recent and up to date;
  • Whether the information established a meaningful connection between the indicator(s) and the enforcement issue;
  • Whether the indicators were specifically indicative of the enforcement issue or were general;
  • Whether the indicators were based on a representative sample size; and
  • Whether the reliance on the particular indicators to triage passengers was effective in identifying potential contraventions in the past (i.e. whether empirical results support the reliance).

In Scenario Based Targeting, 11 out of the 12 scenarios in the sample reviewed did not provide an adequate justification for the triaging indicators, due in part to weaknesses in the supporting documentation for scenarios.

A summary of NSIRA’s assessment in relation to each of the assessment criteria is provided in Figure 11 and examples are described below.

Figure 11. Summary of NSIRA’s Assessment of Scenario Supporting Documentation
Figure 11: Graph/Table of the summary of NSIRA’s Assessment of Scenario Supporting Documentation

Most of the supporting documentation for the scenario sample was based on empirical information about enforcement actions or other intelligence products developed by the CBSA or its partners that were derived from clearly identified empirical sources. NSIRA considered these products to be objective and reliable sources. However, NSIRA noted three instances where it was unclear what the basis of the information was, and therefore whether it was objective and credible.

Inconsistencies in how supporting documentation for scenarios was maintained created further challenges for verifying that scenarios were based on reliable and up-to-date information, as four of the scenarios examined relied on information that was more than five years old and the CBSA could not locate one or more documents cited as supporting documentation in nine of the scenarios. While deleting older information is appropriate if it is replaced with more recent information, doing so in absence of more recent supporting information may undermine the CBSA’s the ability to justify the basis of the scenario.

In 3 of 12 scenarios examined, it was unclear how the supporting documentation related to the potential contravention identified in the scenario, which prevented further analysis as to how the indicators created from Advance Passenger Information and Passenger Name Record data were meaningfully connected to the enforcement issue. In all except one of the 12 scenarios, the supporting documentation did not mention one or more of the indicators in the scenario, making it unclear what the basis was for relying on those indicators. A number of the unsubstantiated indicators in those scenarios related closely to protected grounds. Two examples are provided in Figure 12.

Figure 12. Examples of Weaknesses in Scenario Supporting Documentation

[***Figure revised to remove privileged or injurious information. It describes issues observed in the supporting documentation for two scenarios as examples. These concerned the reliability of speculative claims made in an op-ed that was used as supporting documentation for one scenario that did not provide a clear basis for the indicators relied on in the scenario, and lack of information related to one or more of the indicators in the other scenario.***]

In 11 of the 12 scenarios, the supporting documentation did not include enough information to assess whether the indicators in the scenarios were based on a representative sample size of passengers. This prevented verification that the indicators in the scenario and their parameters reflect a pattern or trend in traveller characteristics and travel patterns rather than a single instance or handful of instances. Deriving indicators from too small a sample size also creates a risk that the indicators are not reliably associated to a potential contravention but rather simply connoted individuals who happen to have been the subject of past enforcement activity. A small sample size can also create bias and confirmation bias about stereotypes pertaining to traveller behaviour or personal characteristics.

Lack of information in 11 of the 12 scenarios on the likelihood and impact of the risk posed by the enforcement issue also prevented further assessment of the extent that the indicators and parameters were unique to the particular enforcement issue either individually or collectively. Moreover, in 4 of the 12 scenarios, the supporting documentation did not include any information to indicate that the indicators and parameters of the scenario had indeed been associated with a confirmed contravention of the CBSA’s program legislation or whether the association between the indicators and the enforcement issue was simply hypothetical. While reliable intelligence could also provide an empirical basis for passenger triage to inform the development of scenarios, information about whether scenarios have actually resulted in confirmed contraventions of the CBSA’s program legislation can be integrated into the supporting documentation of scenarios over time. This issue is examined further in relation to performance data below.

Only one of the 12 scenarios in the sample had enough information to get a sense of the enforcement issue, to understand the basis for relying on the particular indicators in the scenario in relation to the enforcement issue, and to establish that the indicators were based on a clear pattern of association with a large number of confirmed contraventions and reflected an appropriate range. Details about this scenario and why the supporting document substantiated the scenario are provided in Figure 13.

[***Figure revised to remove privileged or injurious information. It describes how the supporting documentation provided for a scenario was based on credible, empirical information that helped to establish the enforcement issue, provided a sense of the prevalence of the issue and its pertinence to the CBSA mandate, established a correlation between the specific indicators in the scenario and confirmed contraventions based on a significant sample size, and established that the parameters for each indicator were appropriately defined.***]

A large body of information and intelligence is available to CBSA staff to inform their targeting activities; however, in all except one of the scenarios, the information, intelligence, and other analytical insights were not brought together coherently to demonstrate that the basis for triaging was justified in those particular instances. The CBSA indicated that they intend to prepare standardized intelligence products that would coherently bring together this information to support the development of new scenarios. Developing such products for all active scenarios would help ensure that an adequate justification exists for all differentiation arising from triaging decisions in Air Passenger Targeting. This issue is examined further in relation to oversight practices below.

In Flight List Targeting, there was insufficient documentation to explain why particular indicators were considered valid risk factors in the context of a particular enforcement issue.

While a large body of information and intelligence exists for Targeting Officers to draw from when triaging passengers in Flight List Targeting, these sources are not necessarily documented in the course of making triaging decisions. Flight List Targeting strategies are not codified and triaging decisions are not consistently documented. This means that the sources and considerations that informed individual triaging decisions were not always apparent in the program documentation that NSIRA reviewed.

Noting the limitations of analyzing targets for insight into initial triaging decisions mentioned previously, the sparse details contained within the sample of 59 targets issued subsequent to Flight List Targeting further limited NSIRA’s assessment. Most of the targets included information specific to each passenger that was obtained through the passenger risk assessment, which reasonably supported a justification for issuing the target. However, this information would have been obtained after initial triaging decisions. Targets occasionally included a brief explanation about why certain elements of Advance Passenger Information and Passenger Name Record data were considered to be risk factors, suggesting that the Targeting Officer’s triage decision may have been informed by information and intelligence. However, it was often unclear why the passenger data cited as risk factors in the target suggested a threat or potential contravention of the CBSA’s program legislation. Assessing how the passenger data cited as risk factors in a target corresponded with the potential contravention was further complicated where the enforcement issue was also unclear. Examples in Figure 14 illustrate this challenge.

Figure 14. Why the Justification for the Indicators Used in Targeting is Important

[***Figure revised to remove privileged or injurious information. It returns to the examples of targets discussed in Figure 6 where ambiguity about the enforcement issue created further challenges for assessing how the passenger data cited as risk factors in the target corresponded with the enforcement issue.***]

Performance data for the scenario sample indicates that the indicators created from Advance Passenger Information and Passenger Name Record data to triage passengers may not be closely correlated with the particular enforcement issue.

The CBSA should be able to demonstrate at the outset that information and intelligence justify the use of particular indicators created from Advance Passenger Information and Passenger Name Record data to triage passengers for potential contraventions, particularly where those indicators relate to protected grounds. However, secondary examination results from previously issued targets can provide a source of such information. These results also provide important insight into how strongly certain indicators correlate with potential contraventions and indicate areas where inferences should be revisited and revised.

NSIRA’s analysis of the performance data for the sample of 12 scenarios revealed that the indicators may not necessarily be closely correlated with the particular enforcement issue(s) in the scenarios or predict potential contraventions of the CBSA’s program legislation with high accuracy.

  • In many of the scenarios, less than 5 percent of passengers that matched to the scenario—based on their Advance Passenger Information and Passenger Name Record data—resulted in an enforcement action or relevant intelligence at the end of a secondary examination, which the CBSA refers to as a “resultant” target. This is due in part to the fact that the vast majority of passengers who are risk assessed do not result in a decision to issue a target. Additionally, certain enforcement issues may have a low probability of occurring, but a high impact. However, the fact that most passengers who match to a scenario are not of concern raises questions about the accuracy of relying on Advance Passenger Information and Passenger Name Record data elements as indicators and about the proportionality of the targeting practices.
  • On average, a quarter of targets issued (through both Flight List Targeting and Scenario Based Targeting) led to a “resultant” secondary examination, though the scenarios in the sample ranged widely from as low as 4.8 percent to as high as 72.7 percent.
  • Only nine of the 12 scenarios led to at least one enforcement action or useful intelligence between 2019-20 or 2020-21. Again, this is not necessarily an issue if an enforcement issue has a low probability of occurring, but a high impact. However, it also raises questions about the empirical basis of the scenario.
  • Many of the scenarios led to examination results for issues other than the one that justified the initial targeting. This suggests that the indicators may not be very precise and raises questions about the underlying assumptions or inferences.

NSIRA also observed that the performance data for scenarios matched to a significantly higher proportion of travellers and yielded a higher proportion of “resultant” targets in one year, with much lower results in the next year, indicating how rapidly travel patterns may change. The CBSA indicated that COVID-19 resulted in major shift in travel and business patterns, which has presented challenges for the CBSA to understand how the indicators have evolved in relation to a diversity of enforcement issues and to adapt their targeting strategies. This emphasizes the importance of ensuring that scenarios and Flight List Targeting activities are supported by up-to-date information and intelligence. It also emphasizes the importance of analyzing performance data to rigorously to evaluate, refine, and/or deactivate scenarios in order to remain consistent with a changing risk environment.

However, the insights that can be drawn from the performance data are limited, because the CSBA does not track the results of secondary examinations arising from random referrals or instances where passengers that were not targeted were later found to have contravened the CBSA’s program legislation by other means. This prevents contextualization of Air Passenger Targeting performance against a baseline (namely, whether Air Passenger Targeting is better, on par with, or less effective at predicting a potential contravention of its program legislation than a random referral). Beyond its relevance for performance measurement, baseline data would help to protect the CBSA against confirmation biases where enforcement results in a few isolated cases may reinforce stereotypes even though they do not represent a meaningful trend. Moreover, a “resultant” secondary examination according to the National Targeting Centre’s definition does not necessarily indicate a confirmed instance of non-compliance. This makes it difficult to analyze performance data as source of empirical information to support the CBSA’s justification for using certain indicators to triage passengers, as a “resultant” search may not always signify a correlation between the indicators and the potential contravention.

In sum, the CBSA was not able to demonstrate that adequate justification consistently supported its use of particular indicators in the scenarios and targets examined by NSIRA. This creates a risk that the triaging activities were discriminatory. To avoid discrimination, the link between the indicators used to triage passengers and the potential threats and contraventions they purport to identify must be well-substantiated by recent, reliable, and documented intelligence or empirical information that demonstrates that the indicators are reasonably predictive of potential harms to Canada’s national security and public safety. The CBSA was able to document an adequate justification for passenger triaging in one scenario. Compiling relevant information and intelligence for its other triaging activities would assist in demonstrating that they are also non-discriminatory.

Further information would be required to determine if any distinctions arising from Air Passenger Targeting that are capable of reinforcing, perpetuating, or exacerbating a disadvantage constitute a reasonable limit on travellers’ equality rights.

The analysis above establishes that Air Passenger Targeting may infringe travellers’ equality rights under the Charter. All Charter rights are subject to reasonable limits, however. To establish that a limit is reasonable, the state must demonstrate that it is rationally connected to a pressing and substantial objective, that it is minimally impairing of the right, and that there is a proportionality between its salutary and deleterious effects. These limits must also be prescribed by law.

The analysis of whether state actions constitute a reasonable limitation of Charter rights is highly fact specific. To examine this question, further data would be required on:

  • Precisely how various indicators relate to protected grounds;
  • Whether the indicators effectively further national security and public safety;
  • The reasonable availability of other means to ensure similar security outcomes at the border;
  • The impacts of Air Passenger Targeting for affected passengers; and
  • The significance of the contribution of Air Passenger Targeting to national security and other government objectives.

NSIRA notes these data gaps may create challenges for the CBSA in establishing that any discrimination resulting from Air Passenger Targeting is demonstrably justified under section 1 of the Charter. Documenting the contribution of Air Passenger Targeting to national security and public safety, the breadth and nature of its impacts, and contrasting the effectiveness of Air Passenger Targeting relative to other less intrusive means of achieving the CBSA’s objectives would assist the CBSA in demonstrating that the program is reasonable and demonstrably justified in Canadian society.

Has the CBSA complied with its obligations pertaining to non-discrimination?

Air Passenger Targeting triaging practices create a risk of prima facie discrimination. This is due to two key features. First, Air Passenger Targeting relies, in part, on indicators created from Advance Passenger Information and Passenger Name Record data that are either protected grounds themselves or that relate closely to such grounds. This was particularly the case for indicators relating to passengers’ age, sex, and national or ethnic origin. Passengers were differentiated based on these grounds, as they were selected for further assessment due in part to these characteristics. NSIRA also observed that the triaging resulted in disproportionate attention to certain nationalities and sexes, when the cumulative effect of scenarios was taken into account.

Second, this differentiation has adverse effects on travellers. Air Passenger Targeting triaging affects individuals’ privacy through subsequent risk assessments and mandatory referrals for secondary examination. Such scrutiny may also erode an individual’s sense of receiving the equal protection of the law, particularly where these impacts are repeatedly experienced by the same traveller or are perceived to be animated by racial, religious, ethnic, or other biases. These impacts are also capable of reinforcing, perpetuating, or exacerbating disadvantage, especially when viewed in light of systemic or historical disadvantage.

To comply with its obligations under the Canadian Human Rights Act, the CBSA must be able to demonstrate that a bona fide justification exists for this adverse differentiation. However, the CBSA was not able to demonstrate that its choice of indicators was consistently based on recent, reliable, and documented intelligence or empirical information. This weaknesses in the link between the indicators and the potential threats or contraventions they seek to identify, creates a risk of discrimination.

To comply with its Charter obligations, the CBSA must also be able to demonstrate that any resulting discrimination is a reasonable limit on travellers’ equality rights. The same weaknesses NSIRA observed in the CBSA’s substantiation of the link between particular indicators and potential threats or contraventions they seek to identify also undermines its ability to demonstrate the rational connection between its triaging indicators and potential contraventions of its program legislation. Further information on the contribution of Air Passenger Targeting to national security and its relative value compared to other screening means would also be needed to determine whether Air Passenger Targeting can be justified as a reasonable limit under the Charter.

The weaknesses NSIRA observed stem partly from lack of precision in the CBSA’s program documentation and other recordkeeping issues. These are examined in the following section.

Finding 3. The CBSA has not consistently demonstrated that an adequate justification exists for its Air Passenger Targeting triaging practices. This weakness in the link between the indicators used to triage passengers and the potential threats or contraventions they seek to identify creates a risk that Air Passenger Targeting triaging practices may be discriminatory.

Recommendation 2. NSIRA recommends that the CBSA ensure, in an ongoing manner, that its triaging practices are based on information and/or intelligence that justifies the use of each indicator. This justification should be well-documented to enable effective internal and external verification of whether the CBSA’s triaging practices comply with its non-discrimination obligations.

Recommendation 3. NSIRA recommends that the CBSA ensure that any Air Passenger Targeting-related distinctions on protected grounds that are capable of reinforcing, perpetuating, or exacerbating a disadvantage constitute a reasonable limit on travellers’ equality rights under the Charter.

What measures are in place to mitigate the risk of discrimination?

The policies, procedures, and training materials reviewed did not adequately equip CBSA staff to identify potential discrimination or to mitigate related risks in the exercise of their duties.

The CBSA’s Air Passenger Targeting policies acknowledged responsibility to respect privacy, human rights, and civil liberties. However, policies, procedures, and training were insufficiently detailed to equip staff to identify and mitigate discrimination-related risks in the exercise of their duties.

  • Targeting Officers did not receive any specific training related to human rights.
  • The CBSA’s policies, procedures, and other program guidance were not precise enough on specific requirements or steps to equip staff to mitigate risks related to discrimination. In particular, details were lacking in how to associate supporting documentation to a scenario or a triaging decision in Flight List Targeting, and when and how to revisit and update that information on are gular basis.
  • No specific policies, procedures, or guidelines were developed for Flight List Targeting beyond the Air Passenger Targeting Standard Operating Procedures, particularly those that relate to record keeping.

The oversight structures and practices that were reviewed were not rigorous enough to identify and mitigate potential discrimination-risks, compounded by an absence of relevant data for this task.

While the CBSA has oversight structures and practices in place for Air Passenger Targeting, it was unclear how these oversight practices were performed. NSIRA identified several areas where they may not be rigorous enough to identify and mitigate potential risks of discrimination as appropriate.

  • Scenarios are reviewed for policy, legal, privacy, human rights, and civil liberties implications as part of their activation and on an ongoing basis. However, it is not clear that these oversight functions are guided by a clear understanding of what constitutes discrimination or that all relevant aspects of scenarios are examined.
  • Scenarios are reviewed individually on a regular basis. However, it is not clear that the collective impact of the CBSA’s targeting activities is also assessed on a regular basis.
  • It is not clear whether any oversight functions related to non-discrimination take place in Flight List Targeting.

Moreover, the CBSA does not gather data relevant to fully assess whether Air Passenger Targeting results in discrimination or to mitigate its impacts.

  • The CBSA does not gather disaggregated demographic data about the passengers affected by each stage of the Air Passenger Targeting program. This is relevant to detecting whether the program may be drawing distinctions on protected grounds and/or whether it has a disproportionate impact on members of protected groups.
  • The CBSA does not compare information about its triaging practices against information relevant to understanding their potential impacts on travellers and whether those impacts indicate an issue with the CBSA’s targeting practices. This includes information about whether complaints about alleged discrimination at the border relate to a person identified through Air Passenger Targeting and whether the nature of secondary examinations resulting from Air Passenger Targeting may differ from those caused by random or other referrals.
  • The CBSA does not gather or assess relevant performance data or data on its impacts against a baseline comparator group in order to contextualize its analysis of this information.

Finding 4. The CBSA’s policies, procedures, and training are insufficiently detailed to adequately equip CBSA staff to identify potential discrimination-related risks and to take appropriate action to mitigate these risks in the exercise of their duties.

Finding 5. The CBSA’s oversight structures and practices are not rigorous enough to identify and mitigate potential discrimination-related risks, as appropriate. This is compounded by a lack of collection and assessment of relevant data.

A number of adjustments to current policies, procedures, guidance, training, and other oversight practices for the Air Passenger Targeting program will help the CBSA mitigate discrimination-related risks by ensuring that distinctions drawn in the initial triage of passengers are based on adequate justifications that are supported by intelligence and/or empirical information. A more detailed treatment on discrimination in training, policies, guidance materials, and oversight for the Air Passenger Targeting program could also provide CSBA staff and the units and committees that perform internal oversight functions with information they may require to exercise their functions accordingly. Careful attention should be paid to the following:

  • Understanding the CBSA’s human rights obligations and how risks related to discrimination should be identified and assessed;
  • Identifying when triaging indicators may relate to protected grounds;
  • Ensuring that any adverse differentiation is based on a well-substantiated connection between the indicators and the potential threat or potential contravention;
  • Ensuring the triage of travellers is informed by recent and reliable information and intelligence, with training on how to assess whether the supporting documents meets these requirements;
  • Identifying and addressing impacts resulting from passenger triaging practices to ensure that they are minimized and proportional to the benefit gained for public safety or national security;
  • Ensuring that impacts resulting from Air Passenger Targeting do not unduly reinforce, perpetuate, or exacerbate disadvantage; and
  • Developing tools to detect and mitigate potential biases by gathering and assessing relevant data on targeting practices, their performance, and their impacts.

In this respect, the obligations created by the United Kingdom Public Sector Equality Duty may be instructive. The duty is procedural in nature and requires that public bodies (including customs and immigration authorities) consider how they may eliminate discrimination in the exercise of their functions. It requires departments to turn their minds to the potential impact their decisions, policies or programs have, and how these may differ based on protected grounds, such as age, sex/gender, and race, ethnic or national origin, colour, or nationality. It also creates an obligation to acquire relevant information, if it is not already available, to avoid direct or indirect discrimination.

It is important to clarify that any data collection and analysis relevant to detecting and addressing potential discrimination should be conducted by a separate unit than the National Targeting Centre. Targeting Officers should not have access to disaggregated demographic data when triaging passengers, as this might increase discrimination-related risks. The CBSA recognizes this in its commitment to removing “sensitive data” about a person’s health or sex life from the Advance Passenger Information and Passenger Name Record data that it imports into its triaging systems. This precaution should not prevent other units within the CBSA from gathering and considering depersonalized, disaggregated demographic data, including to conduct Gender Based Analysis+ that could reduce the risk of discrimination and/or mitigate its potential impacts.

Recommendation 4. NSIRA recommends that the CBSA develop more robust and regular oversight for Air Passenger Targeting to ensure that its practices are not discriminatory. This should include updates to the CBSA’s policies, procedures, training, and other guidance, as appropriate.

Recommendation 5. NSIRA recommends that the CBSA start gathering and assessing the necessary data to identify, analyze, and mitigate discrimination-related risks. This includes disaggregated demographic data, data on the effects of Air Passenger Targeting on secondary examinations that may be apparent from related human rights complaints, and data on a baseline comparator group.

Conclusion

The pre-arrival risk assessments performed as part of the CBSA’s Air Passenger Targeting program support the CBSA’s ability to screen inbound travellers in relation to a variety of enforcement issues. However, some of the information used to triage passengers relates to protected grounds. This creates a risk that passengers may be differentiated based on prohibited grounds of discrimination. Triaging may lead to adverse impacts on passengers’ time, privacy, and equal treatment, which maybe capable of reinforcing, perpetuating or exacerbating disadvantage.

Careful attention to the reliability of the information and intelligence that underpin the choice of indicators to triage passengers and their connection to the threats or potential contraventions they seek to identify is needed to verify that the CBSA respects its non-discrimination obligations. This has implications for both Canada’s national security and its international commitments related to combatting terrorism and serious transnational crime and related to privacy and human rights.

NSIRA is satisfied that the CBSA has the legal authority to conduct Air Passenger Targeting. However, NSIRA observed shortcomings in the CBSA’s documentation of its program activities that complicated verification that all triaging decisions complied with statutory and regulatory restrictions. Improvements to documentation in these respects are essential and will help lower future compliance risks by ensuring the CBSA can verify that all triaging decisions comply with the terms of the Customs Act and the Protection of Passenger Information Regulations.

Similarly, the absence of adequate justification in several instances for the CBSA’s reliance on indicators created from passengers’ Advance Passenger Information and Passenger Name Record data leads to a risk of discrimination. Improving documentation requirements and setting out further detail in the CBSA’s policies, procedures, and training would better equip CBSA staff to understand these risks and mitigate them in the conduct of their duties. More robust and regular oversight to ensure that adequate justification exists for any adverse differentiation arising from Air Passenger Targeting grounds would equip the CBSA to identify which scenarios or manual Flight List Targeting triaging practices need further support. Improving relevant data gathering and assessment will also support the identification and mitigation of discrimination-related risks in Air Passenger Targeting.

Appendices

Findings & Recommendations

Findings Recommendations
Finding 1. The CBSA’s use of Advance Passenger Information and Passenger Name Record data in Scenario Based Targeting complied with section 107(3) of the Customs Act. Recommendation 1. NSIRA recommends that the CBSA document its triaging practices in a manner that enables effective verification of whether all triaging decisions comply with statutory and regulatory restrictions.
Finding 2. The CBSA does not document its triaging practices in a manner that enables effective verification of whether all triaging decisions comply with statutory and regulatory restrictions. Recommendation 2. NSIRA recommends that the CBSA ensure, in an ongoing manner, that its triaging practices are based on information and/or intelligence that justifies the use of each indicator. This justification should be well-documented to enable effective internal and external verification of whether the CBSA’s triaging practices comply with its non-discrimination obligations.
Finding 3. The CBSA has not consistently demonstrated that an adequate justification exists for its Air Passenger Targeting triaging practices. This weakness in the link between the indicators used to triage passengers and the potential threats or contraventions they seek to identify creates a risk that Air Passenger Targeting triaging practices may be discriminatory. Recommendation 3. NSIRA recommends that the CBSA ensure that any Air Passenger Targetingrelated distinctions on protected grounds that are capable of reinforcing, perpetuating, or exacerbating a disadvantage constitute a reasonable limit on travellers’ equality rights under the Charter.
Finding 4. The CBSA’s policies, procedures, and training are insufficiently detailed to adequately equip CBSA staff to identify potential discrimination-related risks and to take appropriate action to mitigate these risks in the exercise of their duties. Recommendation 4. NSIRA recommends that the CBSA develop more robust and regular oversight for Air Passenger Targeting to ensure that its practices are not discriminatory. This should include updates to the CBSA’s policies, procedures, training, and other guidance, as appropriate.
Finding 5. The CBSA’s oversight structures and practices are not rigorous enough to identify and mitigate potential discrimination-related risks, as appropriate. This is compounded by a lack of collection and assessment of relevant data. Recommendation 5. NSIRA recommends that the CBSA start gathering and assessing the necessary data to identify, analyze, and mitigate discrimination-related risks. This includes disaggregated demographic data, data on the effects of Air Passenger Targeting on secondary examinations that may be apparent from related human rights complaints, and data on a baseline comparator group.

The CBSA’s Authority to Collect and Use Advance Passenger Information and Passenger Name Record data in Air Passenger Targeting

Authority to Collect the Data
Customs Act, s. 107.1 & IRPA s. 148(1)(d) Air carriers are required to provide “prescribed information” about any person on board, or expected to be on board, a flight arriving into Canada.
Passenger Information Customs Regulations, s. 5 & Immigration and Refugee Protection Regulations, s. 269(1) Prescribe the required information, which constitute Advance Passenger Information and Passenger Name Record data.
Authority to Use the Data
Customs Act, s. 107(3) “Customs information” (including Advance Passenger Information/Passenger Name Record data)115 may be used for three purposes:
• Administer or enforce the Customs Act, Customs Tariff, or related legislation;
• Exercise the powers or perform the duties and functions of the Minister of Public Safety under the IRPA, including establishing a person’s identity or determining their inadmissibility;
• For the purposes of other program legislation that the Minister of Public Safety or the CBSA is authorized to enforce
Immigration and Refugee Protection Act, s.149(a) Advanced Passenger Information and Passenger Name Record data may be used for three purposes:
• for the purposes of the IRPA;
• for the purposes of the Department of Citizenship and Immigration Act;
• to identify a person for whom a warrant of arrest has been issued in Canada.
Protection of Passenger Information Regulations, s. 4 Passenger Name Record data provided to the CBSA under the Immigration and Refugee Protection Act116 may be used for two purposes:
• to identify persons who have or may have committed a terrorism offence or serious transnational crime;
• to conduct a trend analysis or develop risk indicators for that purpose.

Frequently Cited Provisions in Scenario Templates

The figure summarizes the main provisions cited as potential contraventions in scenario templates. [***Sentence revised to remove privileged or injurious information. It describes the number of scenarios that were active on May 26, 2021***]. Five of the provisions that were cited as potential contraventions did not clearly establish a link to a serious transnational crime or terrorism offence in compliance with the Protection of Passenger Information Regulations (PPIR). These are marked in orange and described below.

Provisions Description Complies with Cust Act Complies with PPIR
IRPA s. 20 Presenting visa or other documents Yes Yes*
IRPA s. 34 Inadmissible, national security reasons Yes Yes
IRPA s. 35 Inadmissible, human rights violations Yes Yes
IRPA s. 36 Inadmissible, serious criminality Yes Yes
IRPA s. 37 Inadmissible, organized criminality Yes Yes
IRPA s. 40 Inadmissible, misrepresentation Yes Yes*
IRPA s. 41 Inadmissible, IRPA non-compliance Yes Yes*
IRPA s. 117 Human smuggling Yes Yes
IRPA s. 118 Human trafficking Yes Yes
Customs Act s. 159 Smuggling goods Yes Yes
Customs Act s. 12 Reporting goods Yes Yes*
Customs Act s. 13 Truthfully answering questions about & presenting goods Yes Yes*
Customs Tariff 9899.00.00 Hate or terrorist propaganda; seditious materials Yes Yes
PCMLTFA s. 12 Reporting of currency Yes Yes
PCMLTFA s. 74 General Offences Yes Yes

Section 20 of the Immigration and Refugee Protection Act (IRPA) concerns the requirement for foreign nationals to have the proper documentation to enter or remain in Canada. As contraventions of the IRPA where a penalty is not specified (such as section 20) are punishable by a term of imprisonment of up to two years under sections 124 and 125 of the IRPA, this contravention does not meet the definition of a serious transnational crime.

Section 40 of the IRPA indicates that a foreign national is inadmissible to Canada for misrepresentation. The link to serious transnational crime would be clearer by citing the provisions that establish misrepresentation as an offence under sections 127 and 128 of the IRPA.

Section 41 of the IRPA indicates that a foreign national is inadmissible for non-compliance with the IRPA. Non-compliance with the IRPA is not itself a terrorism offence or serious transnational crime. Further details about the enforcement concern are necessary to establish such a link.

Sections 12 and 13 of the Customs Act concern traveller requirements to report goods and truthfully answer questions; reference to the penalty provision in section 160(1)(b) indicates it is a serious offence. Reliance on these sections to justify the use of Passenger Name Record data may be problematic however, as these sections relate to future conduct, whereas section 4 of the PPIR focuses on past conduct (“have or may have” committed such acts). Concerns about prohibited goods or potential smuggling of goods may also more appropriately cite section 159 of the Customs Act and/or the Customs Tariff, Item 9899.00.00.

Examples of the CBSA’s Reliance on Indicators Relating to Protected Grounds

The figure below presents examples from both Scenario Based Targeting and Flight List Targeting of how the CBSA relies on indicators created from Advance Passenger Information and Passenger Name Record data that are or may relate closely to the grounds of “national or ethnic origin,” “age,” or “sex,” which are prohibited grounds of discrimination under the Canadian Human Rights Act and the Charter. The CBSA often relies on more than one such indicator. This is discussed in Section 6.2.2.1. The CBSA’s basis for relying on such indicators is discussed in Section 6.2.2.3.

[***Figure revised to remove injurious or privileged information. It provides statistics on the number of scenarios that rely on indicators that relate to protected grounds for “national or ethnic origin,” “age,” and “sex.”***]

Share this page
Date Modified:

Review of Departmental Implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2020

Completed Reviews

Review of Departmental Implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2020


Backgrounder

The Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA or Act) and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. This review covers the implementation of the directions sent to 12 departments and agencies from their date of issuance, January 1, 2020, to the end of the previous calendar year, December 31, 2020. It was conducted under subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act), which requires NSIRA to review, each calendar year, the implementation of all directions issued under ACA.

This was the first ACA review to cover a full calendar year. Many of the reviewed departments noted that the pandemic impacted their information sharing activities, thus impacting the number of cases requiring further review as per the ACA. As such, NISIRA found that from January 1, 2020 to December 31, 2020, no cases under the ACA were escalated to deputy heads in any department.

As part of the review, NSIRA examined the case triage process of all twelve departments. NSIRA found that even when departments employ similar methodologies and sources of information to inform their determination of whether or not a case involving the same country of concern should be escalated, significant divergences in the evaluation of risk and the required level of approval emerge.

In keeping with NSIRA’s 2020 Annual Report which emphasized the implementation of a “trust but verify” approach for assessing information provided over the course of a review, NSIRA continues to work on various verification strategies with the Canadian intelligence community. However, due to the continuing COVID-19 pandemic, implementation of verification processes was not possible across all twelve departments which fall under the ACA. Notwithstanding, the information provided by departments has been independently verified by NSIRA through documentation analysis and meetings with department subject matter experts, as warranted. Further work is underway to continue developing an access model for the independent verification of information relevant to ACA considerations.

Date of Publishing:

Executive Summary

The Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA or Act) and its associated directions seek to prevent the mistreatment of any individual as a result of information exchanged between a Government of Canada department and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated. To do this, the Act and the directions lay out a series of requirements that need to be met or implemented when handling information. This review covers the implementation of the directions sent to 12 departments and agencies from their date of issuance, January 1, 2020, to the end of the previous calendar year, December 31, 2020. It was conducted under subsection 8(2.2) of the National Security and Intelligence Review Agency Act (NSIRA Act), which requires NSIRA to review, each calendar year, the implementation of all directions issued under ACA.

This was the first ACA review to cover a full calendar year. Many of the reviewed departments noted that the pandemic impacted their information sharing activities, thus impacting the number of cases requiring further review as per the ACA. As such, NISIRA found that from January 1, 2020 to December 31, 2020, no cases under the ACA were escalated to deputy heads in any department.

While NSIRA was pleased with the considerable efforts made by many departments new to ACA in building their frameworks, Canada Boarder Services Agency (CBSA) and Public Safety did not finalize their policy frameworks in support of the Directions received under the ACA for the review period.

As part of the review, NSIRA examined the case triage process of all twelve departments. NSIRA found that even when departments employ similar methodologies and sources of information to inform their determination of whether or not a case involving the same country of concern should be escalated, significant divergences in the evaluation of risk and the required level of approval emerge.

A case sent to both GAC and CSIS was reviewed by NSIRA for its implications under the ACA. While the information was ultimately not shared with the requesting foreign entity, nonetheless, NSIRA found that the risk of mistreatment was substantial and the decision should have been referred to the Deputy Minister of Foreign Affairs as the accountable deputy minister for this request.

Mitigation measures used by departments were also reviewed this year, since they are an integral part in the information sharing process for departments. NSIRA observed that there are gaps in departments’ ability to verify whether a country or entity has actually complied with caveats or assurances because of the difficulty in tracking compliance to mitigation measures.

NSIRA believes that it is now in a position to conduct in-depth case study assessments of individual departments’ adherence to the ACA and Directions, irrespective of whether or not a department reported any cases to its deputy head. Finally, future reviews will follow up on the ongoing implementation of NSIRA’s past recommendations.

In keeping with NSIRA’s 2020 Annual Report which emphasized the implementation of a “trust but verify” approach for assessing information provided over the course of a review, NSIRA continues to work on various verification strategies with the Canadian intelligence community. However, due to the continuing COVID-19 pandemic, implementation of verification processes was not possible across all twelve departments which fall under the ACA. Notwithstanding, the information provided by departments has been independently verified by NSIRA through documentation analysis and meetings with department subject matter experts, as warranted. Further work is underway to continue developing an access model for the independent verification of information relevant to ACA considerations.

Authorities

This review was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA or the Act).

Introduction

Review background

Departments and agencies in the Government of Canada routinely share information with a range of foreign entities. However such practices can sometimes bring into play a risk of mistreatment for individuals who are the subjects of these exchanges or other individuals. It is therefore incumbent upon the Government of Canada to evaluate and mitigate the risks that this sharing entails.

In 2011, the Government of Canada implemented a general framework for Addressing Risks of Mistreatment in Sharing Information with Foreign Entities. The aim of the framework was to establish a coherent approach across government when sharing with and receiving information from foreign entities. Following this, Ministerial Direction was issued to applicable departments in 2011 (Information Sharing with Foreign Entities), and then again in 2017 (Avoiding Complicity in Mistreatment by Foreign Entities).

On July 13, 2019, the ACA came into force. The preamble of the Act recognizes Canada’s commitments with respect to the Canadian Charter of Rights and Freedoms, and Canada’s international legal obligations on prohibiting torture and other cruel and inhumane treatment. The Act also recognizes that information needs to be shared to enable the Government to fulfill its fundamental responsibility to protect Canada’s national security and the safety of Canadians.

On September 4, 2019, pursuant to section 3 of the ACA, the Governor in Council (GiC) issued written directions (Orders in Council (OiCs) or Directions) to the deputy heads of 12 departments and agencies. This added six new Canadian entities in addition to those that were already associated with the 2011 and 2017 Directions.

This report is NSIRA’s first full year assessment of the implementation of the Directions issued under ACA for the 2020 calendar year. The review builds upon two previous reviews conducted in respect of avoiding complicity in mistreatment. The first was in respect to the 2017 Ministerial Directions, while the second assessed the Directions issued under the ACA, but was limited to the four months from when the Directions were issued to the end of the 2019 calendar year.

ACA and Directions

The ACA and the Directions issued under its authority seek to prevent the mistreatment of any individual due to the exchange of information between a Government of Canada department or agency and a foreign entity. The Act and the Directions also aim to limit the use of information received from a foreign entity that is likely to have been obtained through the mistreatment of an individual.

Under the authority of subsection 3(1) of the Act, the Directions issued to the 12 departments and agencies are near identical in language and focus on the three aspects of handling information when interacting with a foreign entity: the disclosure of information, the requesting of information, and the use of any information received.

In regards to disclosure of information, the Directions state:

If the disclosure of information to a foreign entity would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that the Department officials do not disclose the information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.

With respect to requesting information, the Directions read as follows:

If the making of a request to a foreign entity for information would result in a substantial risk of mistreatment of an individual, the Deputy Head must ensure that Department officials do not make the request for information unless the officials determine that the risk can be mitigated, such as through the use of caveats or assurances, and appropriate measures are taken to mitigate the risk.

Lastly, as it relates to the use of information, the Directions provide:

The Deputy Head must ensure that information that is likely to have been obtained through the mistreatment of an individual by a foreign entity is not used by the Department
(a) in any way that creates a substantial risk of further mistreatment;
(b) as evidence in any judicial, administrative or other proceeding; or
(c) in any way that deprives someone of their rights or freedoms, unless the Deputy Head or, in exceptional circumstances, a senior official designated by the Deputy Head determines that the use of the information is necessary to prevent loss of life or significant personal injury and authorizes the use accordingly.

The consideration of substantial risk figures prominently in subsection 3(1) of the Act as well as the Directions. In considering whether to disclose or request information, a department must determine whether a substantial risk is present and if so whether it can be mitigated. As noted in the previous reviews on information sharing, the ACA does not define “substantial risk”. Departments refer to a definition of this term as set out in the 2017 Ministerial Directions as a general starting point when conducting assessments under the ACA. The 2017 Ministerial Directions define substantial risk as:

‘Substantial risk’ is a personal, present and foreseeable risk of mistreatment that is real and is based on something more than mere theory or speculation. In most cases, the test of a substantial risk of mistreatment would be satisfied when it is more likely than not there would be mistreatment; however, in some cases, particularly where the risk if of severe harm, the standard of substantial risk may be satisfied at a lower level of probability.

Based on the outcome of these determinations, the decision may be to approve, deny, or elevate to the Deputy Head for his or her consideration. Substantial risk is also contemplated in the consideration of the use of information received from a foreign entity. If it is evaluated that the information was likely obtained from the mistreatment of an individual, the department is prohibited from using the information in any way that creates a substantial risk of further mistreatment.

Throughout the process to determine whether to disclose or use information, the Directions require that the accuracy, reliability, and limitations of use of all information being handled are appropriately described and characterized.

Additionally, reporting requirements are found at sections 7 and 8 of the Act as well as within the Directions. Among these requirements, the Minister responsible for the department must provide a copy of the department’s annual report in respect of the implementation of the Directions during the previous calendar year as soon as feasible to NSIRA, the National Security and Intelligence Committee of Parliamentarians (NSICoP) and, if applicable, the Civilian Review and Complaints Commission (CRCC) for the Royal Canadian Mounted Police. Reporting requirements as articulated in the Directions oblige the reporting of decisions which were considered by the Deputy Head in regards to disclosure, requesting of information, or authorizing use of information that would deprive someone of their rights or freedoms be made as soon as feasible to the responsible Minister, NSIRA, and NSICoP.

Review Objectives and Methodology

The review period was January 1, 2020 to December 31, 2020. The objectives of this review included:

  • Following-up on departments’ implementation of the directives received under the ACA;
  • Assessing departments’ operationalization of frameworks/processes that enable them to meet the obligations set out in the ACA and directives; and
  • Assessing coordination and consistency in implementation across applicable departments.

Additionally, NSIRA evaluated all twelve ACA member departments’ ‘case triage’ frameworks (i.e., the combination of policy assessment criteria and a pre-determined ‘escalation ladder’ for cases that require higher levels of managerial approvals). Refer to annexes B to M that provide additional details on each departments’ triage process. Finally, NSIRA reviewed the use and policies around departmental mitigation measures.

FINDINGS

Reporting and Framework Updates

As per the Act, all twelve departments fulfilled their obligations to report to their respective ministers and NSIRA on progress made in operationalizing frameworks and identifying cases escalated to the deputy head level.

Of the nine departments who had reported to NSIRA last year that they had finalized frameworks, all continued to refine assessment protocols over the 2020 review period. Based on submissions to NSIRA, TC has developed a corporate policy to highlight the department’s ACA-related requirements. However, CBSA and PS had yet to finalize their ACA policy. As a result, employees may not have adequate and up to date guidance on how to make determinations related to the ACA.

NSIRA Finding #1: NSIRA found that CBSA and PS did not finalize their policy frameworks in support of Directions received under the ACA over the review period.

Referrals to Deputy Head

The Directions specify that when departmental officials are unable to determine whether the risk of mistreatment arising from a disclosure of or request for information can be mitigated, the matter must be referred to the Deputy Head. The Directions also require the Deputy Head, or in exceptional circumstances a senior official designated by the Deputy Head, to determine the matter where the use of information that is likely to have been obtained through mistreatment of an individual by a foreign entity would in any way deprive an individual of their rights or freedoms and the use of this information is necessary to prevent loss of life or significant injury. In 2020, no cases were escalated to the deputy head level. NSIRA sought clarification on the absence of cases referred; the most common reason provided by departments for this outcome was that cases were either mitigated before deputy head involvement and/or this was a result of an overall reduction in the number of foreign information exchanges generally due to the ongoing pandemic.

NSIRA Finding #2: NSIRA found that from January 1, 2020 to December 31, 2020, no cases under the ACA were escalated to deputy heads in any department.

Case Triage

Typically, when departments are making ACA applicability decisions, they employ varying “case triage” processes, that is, the combination of policy assessment criteria and a pre-determined ‘escalation ladder’ for cases that require higher levels of managerial assessment. NSIRA closely evaluated all twelve ‘case triage’ frameworks of the departments subject to the ACA (Refer to Annex B-M). In carrying out this work, NSIRA noted some issues in the implementation of triage systems; for example, there were instances of not having one designed and of information being outdated.

NSIRA observed that there were two main types of initial case triage processes: case-by-case, where the framework places the onus on the working level official to first make determinations based on policy assessment tools, relevant training, and individual experience; and country assessment rating, which emphasizes the initial use of a country-based risk level that may trigger case escalation. A country assessment rating is a representation of the assessed risk of mistreatment associated to a country, based on a number of criteria and often derived from a range of sources.

Initial Case Triage Category 1: Case-by-Case

All departments use working level officials to determine whether there is a risk of mistreatment. When a working level officials’ assessment is inconclusive as to whether a substantial risk of mistreatment exists, they will defer the decision to a higher management authority. NSIRA has developed Figure 1 to illustrate this type of triage process where the working level official consults assessment tools at his or her disposal to determine whether a substantial risk of mistreatment exists.

Figure 1: Case by Case Triage Diagram

Initial Case Triage Category 2: Informed by Country Assessment Rating

CSIS, CSE, FINTRAC, and RCMP require working level officials to use country assessment ratings that may trigger case escalation. For example, NSIRA has developed Figure 2 to illustrate this type of triage process where country assessment ratings may trigger case escalation.

Case Escalation

In addition to the two categories of case triage frameworks identified above, all departments except for FINTRAC, PS, CSE and TC make use of internal consultation groups/senior decision making committees when cases are identified as requiring consultation/escalation (e.g. working groups and senior management committee secretariats). The following table illustrates the various consultation groups across departments that would make determinations related to the ACA.

The general purpose of consultation groups is to serve as a single point of contact for employees who require assistance in assessing foreign information sharing activities or interpreting policy and procedure. Senior decision making committees are responsible for making determinations on the information exchange. They are the final decision making authority prior to escalation to the deputy head. NSIRA observed that leveraging the overall expertise of these groups may assist officials in consistently applying assessment criteria, as well as provide greater oversight for information exchanges with foreign entities.

Consistency in Implementation Across Departments

Beginning with the 2017 Ministerial Directions on Avoiding Complicity in Mistreatment by Foreign Entities, it was required that departments maintain policies and procedures to assess the risks of information sharing relationships with foreign entities. While not specified in the Act or Directions, departments continue to implement country and entity assessments, a practice NSIRA has supported. NSIRA has previously raised concerns regarding the absence of unified and standardized approach to departments’ country assessments. The PCO-led community response to last year’s recommendation on this element stated in part that:

The information sharing activities of these organizations all serve either an intelligence, law enforcement, or administrative purpose with each carrying different risk profiles, privacy concerns, and legal authorities. Individual departments and agencies are responsible for establishing specific thresholds or triggers in their information sharing frameworks that are appropriate for their operational contexts. It is the view of the Government of Canada that applying the same threshold across all organizations for triggering, evaluating, and elevating cases is not necessarily practical nor essential to ensuring that each department or agency is operating in compliance with the Act.

In order to engage in the questions to which the divergence of thresholds gives rise, NSIRA asked departments to rank bi-lateral information exchanges with foreign partners in terms of volume, excluding exchanges with [***example of foreign entity information sharing***]. Nine of the twelve departments identified ███████ as a foreign exchange entity, a country which is widely recognized as having human rights concerns.

NSIRA then selected only those departments that initially utilize country assessment ratings as a triage method (i.e. FINTRAC, RCMP, CSIS and CSE). [***description of how departments determined foreign entity example***]. Nonetheless, in carrying out this analysis, NSIRA observed that all four departments relied on a combination of open source human rights reports and consultations with other departments. Additionally, RCMP, CSIS and CSE utilize classified intelligence sources.

However, although these departments utilize a similar approach when assessing a country, the assigned rating for ████ was not consistent. CSIS assigned █████████████; FINTRAC and RCMP assigned a [***description of department’s specific ratings***] ; and finally, CSE assigned a ██████ rating.

NISRA examined to what degree country ratings affected the level of approval required for an information exchange. Because CSE has assigned a rating of █████ when they receive a request from ████, a CSE official could require [***description of the factors used to determine the appropriate level process***] CSE acknowledged that its “human rights assessments do not necessarily correlate with the risk level assigned to an instance of sharing,” and nor do they “necessarily correlate to levels of approval or to restrictions to sharing.” [***description of the factors used to determine the appropriate level process***]

In contrast, according to their framework and methodology, an exchange with any one of the █████ authorities listed in the RCMP’s country and entity assessment list could result in an [***description of department’s specific ratings***] because █████ is associated with a country assessment rating. When an entity is yellow, the employee must consider whether or not there is a risk of mistreatment by looking at a list of criteria. If one or more of these criteria exist, the employee must send the case to a senior management committee. NSIRA observes that where the RCMP has a red country rating, the working level official must escalate to the senior management committee. Therefore, unlike CSE and CSIS, country ratings within the RCMP have direct impacts on approval levels.

NSIRA’s ACA report from last year recommended that departments should identify a means to establish unified and standardized country and entity risk assessment tools to support a consistent approach when interacting with Foreign Entities of concern. While PCO disagreed with this recommendation, NSIRA believes that there remain concerns regarding divergences in country and risk assessments.

NSIRA Finding #3: NSIRA found that even when departments employ similar methodologies and sources of information to inform their determination of whether or not a case involving the same country of concern should be scalated, significant divergences in the evaluation of risk and the required level of approval emerge.

Following this review, NSIRA intends to further scrutinize the processes employed regarding ACA triage and decision making by reviewing GAC and RCMP.

A case study as provided for in Box 1 exemplifies the divergent nature on the evaluation of risk where two departments’ considered responding to an identical request made by a foreign entity.

Box 1: A divergent decision-making process

[***description of the case study***] The foreign entity provided this information to GAC and CSIS and requested confirmation [***description of the information sharing request***]

In considering whether to respond to this request, GAC determined that the human rights record of the country in question generally and of the foreign entity specifically making the request were of significant concern. GAC’s senior decision making committee, working under the presumption that the individual’s detention was ongoing, considered whether the disclosure of this information “would not substantially increase the detainee’s risk of mistreatment.” The senior decision making committee determined that confirmation of the individual’s previous employment status with GAC was permissible, subject to the determination of CSIS’s assessment.

Ultimately, the decision by CSIS was made by a DG-level executive and, as the foreign entity was listed by CSIS as a restricted partner, information was not shared.

The assessment by GAC’s senior decision-making committee is of concern. The Act and the Directions impose that departments consider whether disclosing or requesting information “would result in a substantial risk of mistreatment.” [***legal advice to department***]

NSIRA agrees with this interpretation of the law, but not with its implementation by GAC in this case. GAC’s position was that responding to the request “would not aggravate” the risk of mistreatment. However, NSIRA is of a different view. Regardless of the information sought, the human rights record of the foreign entity and of the foreign country was of significant concern, and GAC was operating under the presumption that the individual may have already been subjected to mistreatment. While GAC’s sharing could not have accounted for any mistreatment that could have occurred earlier, responding to the request given the facts of this case would have nonetheless resulted in a substantial risk of mistreatment. Therefore, this case should have been refered to the Deputy Minister of Foreign Affairs for consideration.

NSIRA also observes that this case was triaged at different levels within GAC and CSIS. In GAC’s triage process, the decision was made at the higher senior decision-making committee that disclosure was permissible. Comparatively, CSIS’s decision-making process was completed prior to reaching their senior-level committee and yielded the opposite result. The different levels of decision-making and different outcomes underscore a problematic inconsistency in how each organization considers the same information to be disclosed to the same foreign entity. Furthermore, while a department responsible for the information may consult with other departments as to whether disclosure of information is permissible, it cannot abdicate this responsibility and decision-making to another department.

NSIRA Finding #4: NSIRA found a procedural gap of concern in a case study involving the disclosure of information, even though information was ultimately not shared. The risk of mistreatment was substantial and the decision should have been referred to the Deputy Minister of Foreign Affairs as the accountable deputy minister for this request.

Mitigation Measures

Use of Mitigation Measures

To decrease the risk of mistreatment, departments will employ mitigation measures such as caveats, assurances, sanitization, and redactions. The most common mitigation measures are caveats and assurances. Caveats are specific stipulations appended to information to limit or prohibit certain uses of information unless otherwise authorized by the issuing department. For example, any departments use a ‘third party’ caveat that restricts further dissemination of the information to other departments (domestic and foreign), unless the originating department is consulted on the request to share.

Assurances are not specific to a single information exchange; rather, these are agreements with foreign entities (whether formal or informal), which aim to help ensure that a particular foreign entity understands Canada’s position on human rights and that the entity, in turn, agrees to comply with this expected behaviour. For example, when formulating a risk mitigation strategy for an information exchange, departments will consider written or verbal assurances, who provided the assurance (i.e. working level official or agency head), and whether the assurance is considered credible and reliable.

Furthermore, CSIS, CSE, and GAC have highlighted a number of differences in the types of assurances sought, including a number of informal and formal methods. For example, verbal assurances, scheduled formal assurances, and ad-hoc written assurances can be sought by various levels.

In a related issue, NSIRA observed that there are [***description and an example of a Department’s ability to track compliance***] CSIS, GAC, and CSE indicated that there is ████████████████████████████████████████████████████████████ is not specific to the ACA but is nonetheless key ████████████ when exchanging information with the Government of Canada.

Given that no cases were escalated to the level of deputy head, departments’ lower-level use of mitigation strategies would have taken on considerable prominence in decision making. In a subsequent review, NSIRA intends to further investigate policies of mitigation measures pertaining to their use and tracking.

CONCLUSION

This review assessed departments’ implementation of the directives received under the ACA and their operationalization of frameworks to address ACA requirements.

NSIRA’s first review of departments’ implementation of the Act and Directions was limited to a four month period (September-December 2019). As such, this review constitutes the first examination of the ACA over the course of one full year. NSIRA believes that it is now in a position to conduct in-depth case study assessments of individual departments’ adherence to the ACA and Directions, irrespective of whether or not a department reported any cases to its deputy head. Additionally, future reviews will follow up on the ongoing implementation of NSIRA’s past recommendations.

Annex A: Findings

NSIRA Finding #1: NSIRA found that CBSA and PS did not finalize their policy frameworks in support of Directions received under the ACA over the review period.

NSIRA Finding #2: NSIRA found that from January 1, 2020 to December 31, 2020, no cases under the ACA were escalated to deputy heads in any department.

NSIRA Finding #3: NSIRA found that even when departments employ similar methodologies and sources of information to inform their determination of whether or not a case involving the same country of concern should be escalated, significant divergences in the evaluation of risk and the required level of approval emerge.

NSIRA Finding #4: NSIRA found a procedural gap of concern in a case study involving the disclosure of information, even though information was ultimately not shared. The risk of mistreatment was substantial and the decision should have been referred to the Deputy Minister of Foreign Affairs as the accountable deputy minister for this request.

Annex B: Canada Border Services Agency

Annex B: Canada Border Services Agency Framework

Framework updates: In 2018, Canada Border Services Agency (CBSA) issued a high-level policy document in response to the 2017 MD. Since then, CBSA has drafted updated policies and procedures that have not yet been finalized.

Working Groups: CBSA Avoiding Complicity in Mistreatment Working Group (ACMWG)

Senior Management Committee: Senior Management Risk Assessment Committee (SMRAC). This committee convenes on an as needed basis, to assess cases that have a potential for mistreatment.

[***description of CBSA’s decision making methodology***]

Country Assessment: In-house risk scoring template under development

Mitigation Measures: The CBSA is currently working to strengthen its formal framework/process for deciding whether substantial risk of mistreatment associated with a given request can be mitigated.

Annex C: Canada Revenue Agency

Annex C: Canada Revenue Agency Framework

Framework Updates: The Canada Revenue Agency (CRA) indicated that it did not make any changes to its framework since last year’s response. The department continues to refine its processes and has developed the Canada Revenue Agency Exchange of Information Procedures in the Context of Avoiding Complicity in the Mistreatment by Foreign Entities Act.

[***departmental cabinet confidence***]

Working group: The CRA formed a Risk Assessment Working Group (RAWG) that developed a methodology to assess the human rights records of its information exchange partners, so that senior management can make informed assessments of the risk of mistreatment.

Canada has a large network of international partners with 94 tax treaties and 24 Tax Information Exchange Agreements. Canada is also a party to the Convention on Mutual Administrative Assistance in Tax Matters (MAAC), which includes 144 signatories. These International Legal Agreements allow the CRA to exchange information on request, spontaneously and automatically. Each legal agreement includes secrecy provisions (caveats) that govern appropriate use and disclosure. In addition, members of the Global Forum (Global Forum) on Transparency and Exchange of Information for Tax Purposes are subject to peer reviews on a cyclical basis, including on Confidentiality and Data Safeguard .

Senior Management Committee: During the review period a senior committee was not in place, however there was a formal process to escalate reviews/risk assessment through the Director, Director General and ultimately the Assistant Commissioner of the Compliance Programs Branch (CPB) who is accountable for the administration of the ACA.

Additionally, in July 2021, the CRA established an ACA governance framework that includes the ACA Panel, a senior management consultative committee to support risk assessments, reporting, recommendations, and priorities. The panel currently consists of DGs and Directors within the CPB and the Legislative Policy and Regulatory Affairs Branch. Also in July 2021, the CRA established an executive level committee to consider and develop recommendations on case specific engagements as well as issue identification and guidance. The committee consists of Directors across several directorates of the CRA that manage programs that are directly impacted by/reliant on exchange of information with other jurisdictions.

Triage: The initial assessment is done by a working level employee and requires, at minimum, director approval. The case may escalate to the DG and the AC and so on if there is doubt about risk mitigation.

In cases where risk was identified, there were challenges in conducting full assessments to determine if the risk was substantial, the CRA delayed disclosing the information until the full assessment could be completed. This was largely in part due to COVID-19. As such, files that normally would have been referred were temporarily put on hold and no action was taken during the review period.

The CRA informed NSIRA that funding from the November 2020 Fall Economic Statement was allocated to the creation of a dedicated risk assessment team. It is anticipated that the development and regular updating of country-level assessments and the preparation of individual-level risk assessments will transition to this new dedicated team housed within the CPB, in summer 2021.

The team will also be responsible for:

  • Creating and formalizing the framework for consulting with CRA senior management and other government departments and agencies;
  • Advising CRA officials who engage in exchange of information (EOI);
  • Identifying mitigation and other factors specific to the type of information that CRA exchanges and that would impact risk assessment;
  • Preparing annual and other reporting required under the Act and Directions;
  • Providing awareness and training sessions; and
  • Continuously improving documentation, policies, guidance, and procedures.

Country/Entity Assessments: Since January 2020, the CRA has completed their own set of mistreatment risk assessments for each potential information exchange, including the use of information received from the CRA’s information exchange partners in consultation with other Government of Canada partners. The CRA can only exchange information with another jurisdiction pursuant to a treaty, tax convention or other legal instrument that permits exchange of tax information.

The CRA uses a colour coded system to rate the risk related to a country: green; yellow; red. However, for specific or spontaneous exchanges of information, the CRA completes an analysis based on the specifics of the file to supplement the country specific risk assessment.

Mitigation Measures: Mitigation measures, including caveats (data safeguards and confidentiality provisions) are embedded in all legal instruments that govern and allow for all the CRA’s exchanges of information, while peer reviews of jurisdictions’ legal frameworks and administrative practices provide assurances of exchange partners’ compliance with international standards for exchange of tax information. According to CRA, all information exchanged during the review period were subject to these mitigation measures. Due to COVID19, and for the period under review, the CRA put on hold all exchanges where it was deemed there may be a residual potentially significant risk of mistreatment until a process and mitigation measures were in place, including to redact information. However, the CRA routinely redacted personal information where it would not impact the substance of the exchange for those mitigated risk exchanges that did proceed during this period.

Annex D: Communications Security Establishment

Annex D: Communications Security Establishment Framework

Framework Updates: No changes made to the framework in 2020. It is the same procedure as the last review period.

Working group: Based on the RFI, there are no working groups leveraged to assess the level of risk of mistreatment. The Mistreatment Risk Assessment Process follows a process that has been refined continuously since its inception in 2012. The higher the level of risk (low, medium, high, substantial), the higher approval authority required to exchange or use information.

Senior Management Committee: There is no Senior Management Committee. As explained above, CSE relies on an approval authority scale based on the level of risk (from low to substantial). Senior level officials are involved in the process when there are medium and high-risk cases, which require Director and Director General/Deputy Chief approval, respectively.

Triage: A CSE official performs an initial assessment by consulting the Mistreatment Risk Assessment (MRA), which considers equity concerns, geolocation and identity information, human rights assurances, risk of detention and a profile of the recipients’ human rights practices.

Low (For Low Risk Nations)

If the MRA indicates a low level of risk, the official will need Supervisor [***specific unit***], approval if they wish to proceed with the information exchange or use.

Low (For non-Low Risk Nations)

If the MRA indicates a low level of risk, the official will need Manager [***specific unit***], approval if they wish to proceed with the information exchange or use.

Medium

If the MRA indicates a medium level of risk, the official will need Director, Disclosure and Information Sharing approval if they wish to proceed with the information exchange or use.

High

If the MRA indicates a high level of risk, the official will need Director General, Policy Disclosure and Review or Deputy Chief, PolCom approval if they wish to proceed with the information exchange or use.

Substantial

If the MRA indicates a substantial level of risk, the official may not proceed with the information exchange or use.

Country Assessments: CSE establishes its own country assessments (which CSE refers to as Human Rights Assessments) by using information from OGDs, its own reporting, and open source information. Foreign entity arrangements are reviewed annually. These HRAs are part of CSE’s MRAs.

There are two types of MRAs: Annual and Case-by-case. Annual MRAs include foreign entities with whom CSE regularly exchanges information, [***description of the foreign entities with whom CSE exchanges information***] Caseby-case MRAs are conducted in response to particular requests. Case-by-case MRAs often concern individuals and information sharing activities. There are Abbreviated MRAs, which are a sub case-by-case MRA, and they are conducted for Limited Risk Nations. These nations are considered low risk by CSE.

When making MRAs, CSE does the following:

  • assesses the purpose of the information sharing;
  • verifies there are mistreatment risk management measures in existing information sharing arrangements;
  • reviews CSE’s internal records on the foreign entity under consideration;
  • consults other available Government of Canada assessments and reports related to the foreign entity;
  • assesses the anticipated effectiveness of risk mitigation measures; and
  • evaluates a foreign entity’s compliance with past assurances, based on available information.

CSE consults with GAC, DND, and the Ministers of Foreign Affairs and National Defence for some MRAs, usually case-by-case ones. CSE may also consult GAC for human rights-related advice in certain instances.

Mitigation Measures: CSE considers a number of mitigation factors, such as risk of detention, [***statement regarding information sharing obligations of partners***] caveats, formal assurances, and bilateral relationships. CSE’s principle mitigation measure is Second Party assurances. [***statement regarding information sharing obligations of partners***]

Identifying/Sensitizing: The DG, Policy Disclosure and Review or the DC PolCom review high-risk cases. 303 information-sharing requests were assessed for risk of mistreatment and 10 of them (3%) were referred to the Director, Disclosure & Information Sharing. For the 2020 review period, the Deputy Chief, Policy and Communications was responsible for ACA accountability and quality assurance.

Annex E: Canadian Security Intelligence Service

[***Info-graphic of CSIS’s Risk Assessment process***]

Framework Updates: While there were no changes during the 2020 review period, CSIS modified its procedure on January 2021. Most notably, cases will only be escalated to ISEC if the DG cannot determine if the substantial risk can be mitigated. In addition, CSIS merged the [***statement regarding internal process***] CSIS updated its human rights ‘Assurances’ procedures as a stand-alone policy. This policy requires CSIS Stations to seek assurances from [***statement regarding internal process***] coordination responsibilities for ISEC were moved to the ██████████. Through that, the █████ became ISEC’s Chair.

Triage: CSIS working-level officials do the initial assessment. This assessment requires the official to determine if one or more of the four risk criteria are met. These criteria are:

  • “Based on the available information about the foreign entity, if the information is disclosed or requested, is there a probability that the foreign entity will engage in torture or other forms of cruel, inhuman or degrading treatment or punishment against an individual(s)?”
  • “If the information is disclosed or requested, is there a probability that the foreign entity will disseminate the information in an unauthorized manner to a 3rd party, which may result in torture or other forms of cruel, inhuman or degrading treatment or punishment against an individual(s) by that 3rd party?”
  • “If the information is disclosed or requested, is there a probability that it may result in the extraordinary rendition of an individual(s) by the foreign entity which would lead to the individual(s) being tortured or subject to other forms of cruel, inhuman or degrading treatment or punishment?
  • “If the information is disclosed or requested, is there a probability or an extrajudicial killing of an individual(s) by the foreign entity or other security entities within the country?”

Four scenarios could occur before a case lands at ISEC:

[***description of four possible scenarios and the assessment criteria used to determine risk mitigation and/or ecalation***]

Working Group: While there is a senior management committee, there is no working level group on the operations side.

Senior Management Committee: ISEC is CSIS’s senior-level review committee for foreign information sharing activities. It is composed of CSIS senior managers and representatives from DoJ and GAC. This committee is responsible to determine if a case poses a substantial risk and if it can be mitigated. If ISEC cannot determine if the substantial risk is mitigatable, the case is referred to the Director. Of note, GAC and DoJ are no longer voting members on ISEC but will continue to provide feedback and advice.

Country Assessments: CSIS conducts its own country assessments. Each information exchange arrangement with a foreign entity has its own Arrangement Profile (AP). APs include a summary of the human rights summary.

Mitigation Measures: CSIS relies on a few mitigation measures. First, CSIS widely uses ‘Form of Words’, which include caveats. Second, CSIS uses assurances and relies on standardized templates provided to foreign entities. CSIS may also tailor assurances to address specific concerns, such as extra-judicial killings.

Identifying/Sensitizing Information: ██████ is responsible for CSIS’s information sharing framework. [***name of a specific unit***] is responsible for official policy management. Concerned program areas are responsible for applying related polices and procedures for ACA-related activities.

Annex F: DFO

Annex F: DFO Framework

Framework Updates: Fisheries and Oceans Canada (DFO) did not make any changes to last year’s approach.

Triage: The initial assessment is made by the person receiving the request for information sharing or who first comes into possession of information derived from a foreign source. Risk is determined on a case-by-case basis.

The sector-level analyst/officer does the initial assessment and relies on OGD assessments to determine the level of risk. They determine the level of risk in relation to the specific case and whether they assess that there is a substantial risk or not will impact the level of approval. If the analyst/officer does not think there is risk, the case may proceed. This, according to the decision screen and information received, does not require any manager or senior level approval.

If the analyst/officer believes or is unsure that there is a substantial risk, the senior-level Internal Review Committee (IRC) must seek DM approval.

Working Group: Internal Review Committee

Senior Management Committee: DFO employs the use of a decision screen and the IRC as demonstrated above. It is unclear whether DFO has developed guidance to help officials and management accurately and consistently determine the risk of mistreatment.

Country Assessments: DFO relies on country assessments conducted by GAC (as well as DFO legal services, RCMP and CSIS as needed) to make mistreatment risk determinations.

Mitigation measures: DFO indicated that it employs the use of caveats and assurances as necessary but has not yet had to seek such assurances. As such, there is no tracking mechanism in place. The Department is able to retroactively determine when, how, and why a decision was made through its record keeping system. A process is in place to record the details of each case, its evaluation process, and any resulting actions and decisions.

Annex G: Department of National Defence/Canadian Armed Forces

Annex G: Department of National Defence/Canadian Armed Forces Framework

Framework Updates: The Department of National Defence (DND) indicated that there were no changes to its framework since last year’s response.

Triage: The process of assessing risk is largely the same across all three forms of information sharing transactions. The process involves examining country human rights conditions, and researching specific partner entities, including any reports of mistreatment. Adverse information on a foreign partner is reviewed by the Defence Information Sharing Working Group (DISWG) and recommendations are made to the implicated L1s on how to manage information sharing activities (request, disclosure, or use). There are no differences in the types of mitigation measures employed across the three forms of information sharing. The primary governance document Release and Disclosure Officers (RDOs) and Release and Disclosure Authorities (RDAs) must adhere to is the CDI Interim Functional Directive: Information Sharing with Certain Foreign States and their Entities.

Working Group: The Defence Information Sharing Working Group (DISWG) is a working-level committee led by the Release and Disclosure Coordination Office (RDCO) within CFINTCOM that serves as an advisory body to operation Commanders regarding issues covered under the ACA. This Working Group exists as a platform for open dialogue related to information sharing arrangements and transactions. This group convenes monthly, or as required.

Senior Management Committee: The Defence Information Sharing Assessment Committee (DISAC) is chaired by the Chief of Defence Intelligence / Commander CFINTCOM . The DISAC’s primary object is to act as an advisory committee for the Deputy Minister and the Chief of Defence Staff in support of their decision making regarding issues pertaining to the ACA.

Country Assessments: Currently, RDCO has established a list of low-risk countries that can be referred to by other L1s. Inclusion in this list indicates CDI’s confidence that sharing information with government entities of that foreign state can take place without a substantial risk of mistreatment. Moreover, RDCO has developed a draft methodology for Country Human Rights Profiles to classify countries as low, medium, or high risk but has only begun producing country human rights profiles on a few medium and high-risk countries and the methodology has not yet formally approved. These profiles will be used by other L1s in the development of specific Partner Entity Assessments and to inform the overall risk assessment of sharing information with foreign entities.

Information Management: There is no common shared system or repository for all RDOs. Information decisions are recorded by RDOs at the unit level. In some cases, all transactions are recorded using a spreadsheet and should include all details relating to the collection, retention, dissemination or destruction of the information, but the precise format will vary. CFINTCOM is working to standardize RDO logs across DND/CAF. From an information management perspective, there have been no changes since last year’s report. Records of discussion of all DISWG meetings are kept centrally within RDCO/CFINTCOM and it is possible to retroactively determine how and why a decision or recommendation was made.

Mitigation Measures: DND uses mitigation measures to reduce the risk of mistreatment. For example, DND uses measures such as the sanitization of information, the inclusion of caveats, and/or the seeking of assurances, including on low-risk cases in order to err on the side of caution.

Annex H: FINTRAC

Annex H: FINTRAC Framework

Framework Updates: The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) did not make any changes to their framework for the 2020 review year.

Triage: Who does the initial assessment will depend on the risk level classification of the country. If it’s green, the intelligence analyst (IA) does the risk assessment. If it’s yellow, the IA’s team leader does the risk assessment. If it’s red, Senior Level does the risk assessment. Regardless of the determined risk level, Senior Level must ultimately approve or decline the information exchange/use.

Partnerships and Working Groups: FINTRAC makes use of external organizations, such as the Egmont group, to ensure that member organizations are adhering to global standards against mistreatment. If one of these groups is found to have breached their duty of care, and is expelled from the group, then FINTRAC will cease to exchange information until the matter has been rectified. FINTRAC enters Memoranda of Understandings (MOUs) with nations who wish to exchange information with them. To do so, each nation is assessed using a variety of criteria to determine their risk rating and whether an MOU should be established.

FINTRAC also regularly participates in ISCG meetings alongside other departments.

Senior Management Committee: FINTRAC does not have a senior management committee to determine risk like other departments. Instead, they rely on senior management and the Director to make final decisions on cases.

Country Assessments: FINTRAC established its own country assessments. Establishing each country assessment involves gathering pertinent information on the human rights situation in the country and using indicators to assess the risk level of mistreatment of each country. During the development of the country assessment process, FINTRAC consulted with other agencies/government departments captured under the ACA.

The Manager of International Relationships is responsible for monitoring and assessing the human rights profile of countries with which FINTRAC shares an MOU.

Mitigation Measures: Caveats and assurances are established at the signing of an MOU and repeated whenever sharing information with any foreign entity. The sharing of information is not allowed without a signed MOU.

Annex I: Global Affairs Canada

Annex I: Global Affairs Canada Framework

Framework Updates: Global Affairs Canada (GAC) indicated that no changes to their framework was made during the current review period.

Triage: There is not one unified set of processes at GAC for determining whether information being used by the department is likely to have been obtained through the mistreatment of an individual by a foreign entity. If an official determines that information that he or she has received is likely to have been obtained through the mistreatment of an individual by a foreign entity and that official still wants to use the information, they are instructed in their training to consult with their Program management at HQ. Should that manager be unable to make a determination on their own as to whether the use would comply with the Act, they will consult the relevant departmental policy group and the department’s Legal Services Unit.

Working Groups: The Ministerial Direction Compliance Committee Secretariat

Senior Management Committees: The Ministerial Direction Compliance Committee (MDCC) meetings focuses on the following:

  • Has the information, the use of which is being sought, likely been derived from mistreatment?
  • What are the proposed measures to mitigate the risks? What is the likelihood of their success?
  • Consider the justifications for and proportionality of any potential involvement with the foreign state or entity that may result in mistreatment.

The MDCC Secretariat will create a record of decision and circulate it for comment by MDCC members. Once finalized, it will be kept by the Secretariat for future reporting. The MDCC Secretariat follows up with the requesting official for updates on the outcome of the situation and requests a final update from the requesting official once the situation is resolved. Currently the MDCC Secretariat consists of one person.

Country Assessments: Global Affairs Canada’s human rights reports provide an evidence-based overview of the human rights situation in a particular country, including significant human rights-related events, trends and developments and include a section focused on mistreatment. There are no scores for countries however, and it is up to the officials to assess the risk based on the information in the reports.

Mitigation Measures: The Legal Services Unit and/or Intelligence Policy and Programs division will provide guidance on the limitations and the prohibitions of the use of information obtained through mistreatment. They are also able to propose potential mitigation measures, such as sanitization of the information, if there is a risk of further mistreatment; of depriving someone of their rights or freedoms; or if the information could be used as evidence in any judicial, administrative or other proceeding.

Annex J: IRCC

Annex J: IRCC Framework

Framework Updates: Immigration, Refugees and Citizenship Canada (IRCC) indicated that there were no changes to its procedures regarding the disclosure of information to foreign entities.

Triage: The initial assessment is done by the employee/officer receiving a request to disclose information. Officers are provided with a country assessment tool that provides a country-level risk assessment. If the country is listed as low-risk and the employee does not believe there are any risks of mistreatment, they may proceed with the exchange and record the details of that exchange (i.e., what information was exchanged; to which country, etc) into the Global Case Management System (GCMS). If the country is high-risk, or the officer believes that there is any risk of mistreatment and they wish to pursue with the case, then the officer is required to refer the case to IRM and Admissibility to assess the risk of the exchange.

Senior Management Committee: IRCC has the Avoiding Complicity Assessment Committee. The Committee is comprised of executives representing relevant policy, operations, legal and privacy branches within the Department. The purpose of the Committee is to reassess whether the circumstances of the case meet the “substantial risk” threshold, and to determine whether mitigations could be sufficiently imposed to allow for the disclosure. If the Committee is unable to unanimously determine if the risk can be mitigated, and there remains a need to disclose the information to the requesting foreign entity, then the case will be referred to the Deputy Minister for final decision.

Country Assessments: IRCC officers are instructed to refer to an initial country assessment tool when they are contemplating any disclosure or request for information from a foreign entity. This tool provides a general assessment of the country’s risk. If the country is identified as a high-risk country, then the officer is required to make a Consultation Request before disclosing, requesting or using information. If the country is identified as medium-risk, then it is recommended that the officer make a Consultation Request.

Mitigation Measures: Possible mitigation measures for a case where a substantial risk of mistreatment has been determined, if available, would be established in the Consultation Request assessment and, if necessary, in the Avoiding Complicity Assessment Committee’s recommendation. In either case, the mitigations will be manually recorded in the case file where they can be later recalled and noted in the Annual Report.

Annex K: Public Safety

Annex K: Public Safety Framework
Annex K: Public Safety Framework Image 2

Please note that the above flow charts are draft and have not yet been approved.

Framework Updates: Public Safety (PS) does not yet have a framework for deciding whether an exchange of information with a foreign entity would result in a substantial risk of mistreatment of an individual. PS noted, however, that it has drafted a departmental policy to support the department’s implementation of the Directions but it has not yet been approved by senior management.

Triage: PS officials at the operational level are responsible for identifying whether the disclosure of or request for information would result in a substantial risk of mistreatment of an individual. Prior to the disclosure of or request for information to/from a foreign entity, PS officials, as per the draft policy, are expected to:

  • review risk assessments and information sharing arrangements/agreements to determine risks;
  • identify mitigation measures as needed; and
  • seek DG approval for the disclosure or request; and the DG would determine whether the risk can or cannot be mitigated and whether the case should be referred to the DM for determination and decision.
  • PS officials at the operational level are responsible for identifying whether information for potential use was likely obtained through the mistreatment of an individual. As per the draft policy, prior to the use of information, PS officials are expected to:
  • conduct an assessment to determine if the information was likely obtained through the mistreatment of an individual, if not previously completed by PS officials or another government department, and mark it accordingly, based on DG-level determination;
  • assess and characterize the accuracy and reliability of the information; and,
  • advise their DG of the circumstance; and the DG would determine whether the information would be used as per section 3 of the Directions and refer the decision to the DM to determine if the use of information in any way that deprives someone their rights or freedoms is necessary to prevent the loss of life or significant personal injury.

For PS program areas where responsibilities for program delivery are shared among multiple Government of Canada departments, PS officials may use accuracy and reliability assessments conducted by another Government of Canada department for the express purpose of the specific information exchange. In these cases, and where PS does not have sufficient information (such as the source of the information) to conduct an assessment, it will require Government of Canada departments to attest to having conducted the assessment. This same principle applies risk assessments and assessments as to whether information was likely obtained through the mistreatment of an individual.

Working Group: The ISCG is the primary interdepartmental forum for supporting interdepartmental collaboration and information-sharing between members as they implement the Act and Directions and is regularly attended by all members.

PS participates in the ISCG in three ways as the:

  1. chair, coordinator and PS policy lead;
  2. area responsible for implementing the ACA;
  3. legal counsel representative.

PS has also made progress with ISCG guidance. However, due to COVID-19, the ISCG was limited in its capacity to convene meetings.

Senior Management Committee: PS does not have a formal senior management committee to review high-risk cases. The Investigative Authorities and Accountability Policy (IAAP) unit supports program areas in the referral process to the Senior Assistant Deputy Minister (SADM) of the National and Cyber Security Branch for further examination. Acting as a senior Public Safety official, the SADM is responsible for referring cases to the Deputy Minister if they are unable to determine whether the risk of mistreatment can be mitigated.

Country Assessments: PS currently does not have any country assessments completed and plans to use other department’s assessments, but as outlined in its draft policy, PS expects to conduct country and entity assessments as part of its annual risk assessment process. The risk assessment process will ensure that an agreement with the foreign entity is in place prior to information sharing exchanges; review risk and country assessments developed by portfolio agencies (e.g. CSIS) and other departments (e.g. GAC), and consider human rights reporting from non-government entities.

The IAAP will coordinate, on an annual basis, risk assessments. To do so, IAAP may, for example, review human rights reports developed by Global Affairs Canada (GAC), country assessments prepared by portfolio agencies (e.g. CSIS), human rights reporting from non-government entities and country/entity specific material.

Mitigation Measures: PS currently has developed a draft policy to address mitigation measures and caveats. The draft policy will provide guidance to officials on how to assess risk and apply mitigation measure, while also defining approval levels and country assessment responsibilities.

Once a risk of mistreatment has been identified, the PS official is required to undertake a risk mitigation assessment prior to requesting the information. Approved risk mitigation mechanisms include:

  • the caveating of information,
  • obtaining assurance and/or
  • disclosing a limited amount of the information.

The policy also outlines requirements regarding the use of congruent mitigation mechanisms to collectively reduce the risk.

Annex L: Royal Canadian Mounted Police

Annex L: Royal Canadian Mounted Police Framework

Framework Updates: There were no changes to the Royal Canadian Mounted Police’s (RCMP) framework in 2020. RCMP has undertaken a number of internal reviews of its information sharing framework and continues to refine and optimize its processes.

RCMP also noted that it was in its final stages of rolling out an online training course specifically tailored to the ACA.

Triage: The Foreign Information Risk Advisory Committee (FIRAC) process may be initiated if and when an information exchange involves a country identified as high or medium risk. A low-risk case would only be sent if an official believes there is the potential for mistreatment.

All RCMP personnel are required to consider the risk of mistreatment before requesting, disclosing or using information and to engage the FIRAC process if there is a substantial risk identified to a specific individual(s) with a country of exchange.

An employee is almost always the one to perform the initial risk assessment. When an entity is green, the employee may exchange or use information without consulting FIRAC, unless they express doubts. When an entity is yellow, the employee must consider whether or not there is a substantial risk of mistreatment by looking at a list of criteria (similar to CSIS). If one or more of these criteria is present, the employee must send the case to FIRAC. If the entity is red, the employee must send the case to FIRAC for the initial assessment, unless no personal information is exchanged.

Working Group: Law Enforcement Assessment Group (LEAG). Full-length LEAG assessments include classified information from other Federal departments and agencies. The FIRAC Portal was developed to allow RCMP employees to access the assessments, and to further support compliance with the directions.

Senior Management Committee: FIRAC was established to facilitate the systematic and consistent review of RCMP files to ensure information exchanges do not involve or result in the mistreatment of any person.

FIRAC holds the responsibility to determine if a substantial risk exists and in cases where a substantial risk of mistreatment exists, make a recommendation on whether the proposed mitigating measures are adequate to mitigate the risk.

FIRAC’s recommendations are made by the Chair, upon the advice of the Committee, to the appropriate Assistant Commissioner / Executive Director responsible for the operational area seeking to disclose, request or use the information.

FIRAC determines if the risk is mitigatable or not. If it is, the case goes to the Assistant Commissioner. If it is not, FIRAC declines the exchange or use of information.

Country Assessments: An in-house country assessment model has been completed.

Countries are listed in alphabetical order, along with any specific foreign entities (i.e. police forces, military units, etc.) that have been assessed. For each entity, the risk level (Red-High, Yellow-Medium, Green-Low) is provided, as are the specific crime types and conditions.

Mitigation Measures: The RCMP leverages existing MOU’s with specific partners to partially mitigate underlying risk, in particular where mutually agreed standards around human rights exist as well as having a good track record for respecting caveats. Similarly, officials work with Liaison Officers to identify any relevant assurances or strategies, factors or conditions that could mitigate the risk of mistreatment posed by the information exchange, request for information or use of information.

All mitigation measures used are tracked through the FIRAC by filling in a FIRAC Request Form. Noting which mitigations/caveats are used is a mandatory part of the process.

Annex M: Transport Canada

Does not have a departmental framework for assessing ACA considerations, outside of the Passenger Protect Program (PPP).

Changes: Transport Canada (TC) developed a corporate policy in September 2020 to highlight the department’s ACA-related requirements, roles and responsibilities and remains a participant in PS framework.

Triage: Relies on PS’ framework for the Passenger Protect Program.

Should they have any concerns about a request for information from a foreign partner they will consult with other agencies, such as CSIS or GAC.

Working Group: TC is a voting member of the PPP Advisory Group but does not have any responsibility for drafting case briefs. At each meeting of the PPP Advisory Group, TC has ensured that all other voting members have acknowledged TC’s SATA-legislated responsibility for sharing the List with domestic and foreign air carriers, and its associated responsibilities under the ACA.

Senior Management Committee: TC does not have any senior management committee in place to further review cases with a potential for mistreatment.

Country Assessments: Rely on other government departments.TC relies on assessments by other departments such as PS and GAC.

Mitigation measures: The framework was established by Public Safety (lead on PPP), with consultations with the PPP partners (RCMP, CSIS, CBSA). TC has worked with PS to integrate mitigation measures into the operating procedures and protocols of PPP partners.

Share this page
Date Modified:

Review of the CSE ministerial authorizations and ministerial orders under the CSE Act

Backgrounder

Following the coming in to force of the Communications Security Establishment Act (CSE Act), CSE received a new set of Ministerial Authorizations (MA) – written documents by which the Minister of National Defence authorizes CSE to engage in activity that risks contravening an “Act of Parliament or interfering with a reasonable expectation of privacy of a Canadian or person in Canada.” The CSE Act also created a legislative authority for the Minister of National Defence to “designate electronic information or information infrastructures or classes of electronic information or information infrastructures as being of importance to the Government of Canada” through a Ministerial Order (MO).

NSIRA’s Foundational Review of CSE’s Ministerial Authorizations (MAs) and Ministerial Orders (MOs) represents a different approach to reviewing MAs than that of the Office of the Communications Security Establishment Commissioner (OCSEC), CSE’s former independent external review body. While OCSEC previously reported on the number of private communications, we leave this matter to CSE’s classified annual report to the Minister. Further, it is not necessary to review whether Ministerial Authorizations are based on reasonable conclusions, which is now the responsibility of the Intelligence Commissioner. NSIRA chose to approach the Ministerial Authorizations as an opportunity to learn about CSE’s operational activities, and the Ministerial Orders were reviewed as supplementary to the Ministerial Authorizations.

This foundational review highlighted the need to focus on Active and Defensive Cyber Operations immediately following the completion of this review, given that the Intelligence Commissioner does not approve these activities and that they represent a new aspect of CSE’s mandate.

Table of Contents

Date of Publishing:

Share this page
Date Modified:

Review of CSIS threat reduction activities: A Focus on Information Disclosure to External Parties

Review Backgrounder

This is the second annual review of the Canadian Security Intelligence Service’s (CSIS) threat reduction measures (TRMs) completed by the National Security Intelligence Review Agency (NSIRA). This review sought to expand upon findings from last year’s review by examining a larger number of TRMs wherein CSIS disclosed information to external parties with their own levers of control, to reduce identified threats.

The review studied the characteristics of these particular TRMs but focused its examination upon the extent to which CSIS appropriately identified, documented and considered any plausible adverse impacts that these measures could have on affected individuals.

Date of Publishing:

1. Executive Summary

██ This is the second annual review of the Canadian Security Intelligence Service’s (CSIS) threat reduction measures (TRMs) completed by the National Security Intelligence Review Agency (NSIRA). This review sought to expand upon findings from last year’s review by examining a larger number of TRMs wherein CSIS disclosed information to external parties with their own levers of control, to reduce identified threats.

██ The review studied the characteristics of these particular TRMs but focused its examination upon the extent to which CSIS appropriately identified, documented and considered any plausible adverse impacts that these measures could have on affected individuals.

██ With respect to the TRMs studied, NSIRA observed that ███████████ of external parties were involved in these TRMs, ██████ which had varied levers of control with which they could take action against identified threats or the subjects of these measures. NSIRA also observed that CSIS disclosed different kinds of information to external parties for these TRMs. NSIRA noted that CSIS’s documentation of TRMs was uneven. CSIS did not always document ████████████████████ sometimes excluded an account of the actions taken by external parties as part of these measures. NSIRA also noted that CSIS documentation of the information it disclosed to external parties, as part of these TRMs, was inconsistent, and at times, lacked clarity and specificity.

██ An understanding of both external parties’ levers of control and the scope and breadth of information disclosed to external parties for TRMs is important and feeds into the overall risk assessment of each proposed measure. Without more robust documentation, CSIS is neither capable of assessing the efficacy of its measures nor appreciating the full impact of its actions on the subjects of its measures.

██ In 2020, NSIRA asserted that, when determining whether a warrant is required, CSIS should consider impacts on individuals resulting from the entirety of threat reduction measures: both from CSIS’s disclosure of information and from actions taken by recipient external parties, to reduce the threat. The adverse impacts on individuals observed in the TRMs examined for this year’s review underscore NSIRA’s position.

██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████.

██ The current assessment framework ████████████ to determine whether a warrant is required is overly narrow and does not sufficiently consider the full impacts of CSIS threat reduction measures. NSIRA recommends that CSIS consider plausible adverse impacts resulting not only from CSIS disclosures of information but also from the actions of external parties as part of TRMs, when determining whether a warrant is required.

██ NSIRA was able to use its direct access to CSIS information repositories to confirm information that it needed to verify and to pursue necessary additional inquiries. For that reason, NSIRA has a high level of confidence in the information on which it relied to complete this review. NSIRA would also like to recognize that CSIS was timely in responding to NSIRA’s requests for information throughout the course of this review.

2. Authorities

██ This review was conducted under the authority of subsection 8(2) of the National Security and Intelligence Review Agency Act (NSIRA Act).

3. Introduction

Background

██ This review is the second annual review of CSIS threat reduction measures (TRMs) completed by the National Security Intelligence Review Agency (NSIRA).

██ In its first review of TRMs (NSIRA’s 2020 review), NSIRA examined ███ TRMs in which CSIS disclosed information to an external party. In all cases examined, CSIS disclosed the information to an external party in order for the external party to take action in some way using its own levers of control to address the identified threat.3 This year’s review examined a larger subset of TRMs that involved CSIS disclosing information to an external party for the purpose of obtaining a desired threat reduction outcome. NSIRA focused primarily on examining how CSIS identifies and considers the plausible adverse impacts of these measures on affected individuals.

Scope

██ The review period covers June 18, 2015 to December 31, 2020, and includes ██ proposed TRMs that involved CSIS disclosing information to an external party for the purpose of using that external party as a conduit for the desired action against the subject of the TRM. Of these ██ proposed TRMs, ██ were approved and ██ were implemented.

Sources and Methodology

██ NSIRA examined information from a variety of sources, including:

Document Review

  • ██ Ministerial directions issued by the Minister of Public Safety and Emergency Preparedness to CSIS.
  • ██ CSIS’s internal governance framework for TRMs, which included policies, procedures, guidance and training material, tracking systems and cooperation agreements.
  • ██ All pertinent threat reduction measure documentation, ██████████████████████████████████████████ email communications, operational messages, and █████████████.
  • ██ Relevant █████████ , including responses to NSIRA’s Requests for Information.

Briefing

  • ██ One briefing from the Department of Justice.

Analysis of Administrative Data

  • ██ Descriptive statistics of the TRM sample.
  • ██ Cross-reference of TRM subjects in the review sample with NSIRA’s investigation files for complaints submitted to SIRC (2015 to July 2019) and NSIRA (July 2019 to 2020) in order to document any complaints investigations underpinned by a CSIS TRM.

TRM mandate

██ In June 2015, Parliament enacted the Anti-terrorism Act, 2015, which authorized CSIS, in the new section 12.1 of the CSIS Act, to take measures to reduce threats to the security of Canada, within or outside Canada. The new measures represented an unprecedented departure from CSIS’s traditional intelligence collection role.

██ In July 2019, the National Security Act, 2017, came into force and introduced amendments to CSIS’s TRM mandate that sought to clarify and further define this power. In particular, the amendments stressed the importance of compliance with the Canadian Charter of Rights and Freedoms (Charter). They included specific provisions affirming the need for all TRMs to comply with the Charter, and stipulating that measures could only limit Charter rights or freedoms if authorized by a judge under a warrant. The amendments also included an expanded list of prohibited conduct under the TRM regime: among other things, CSIS cannot engage in measures that cause death or bodily harm, subject an individual to torture, or detain or violate the sexual integrity of an individual.

██ The CSIS Act does not provide a precise definition of “measures to reduce the threat.” As such, CSIS has developed its own definition to guide its TRM activities. According to CSIS, a TRM is “[a]n operational measure undertaken by the Service, pursuant to section 12.1 of the CSIS Act, whose principal purpose is to reduce a threat to the security of Canada as defined in s. 2 of the CSIS Act.

██ Section 12.1 of the CSIS Act states that CSIS may only undertake a TRM if there are reasonable grounds to believe that the identified conduct is a threat to the security of Canada. TRMs must be reasonable and proportional in the circumstances, having regard to the nature of the threat, the nature of the measures, the reasonable availability of other means to reduce the threat, and the reasonably foreseeable effects on third parties, including on their right to privacy. CSIS must also consult with other federal departments, where appropriate, with respect to whether they may be in a position to reduce the threat. CSIS must also seek a warrant from a judge where a proposed TRM would limit a right or freedom guaranteed by the Charter or would otherwise be contrary to Canadian law.

██ The 2015 Ministerial Direction for Operations and Accountability and the 2019 Ministerial Direction for Accountability issued by the Minister of Public Safety require all TRMs to undergo a four-pillar risk assessment that examines the operational, political, foreign relations, and legal risks of proposed actions on a scale of low, medium or high. In addition, they require that, when assessing the appropriate means of reducing a threat, CSIS consider the range of other possible national security tools available to the broader community, and consult with departments and agencies of the Government of Canada with mandates or authorities closely related to the proposed TRM.

Governance

██ CSIS’s TRM unit is made up of full-time employees, and is responsible for developing and updating policies and procedures related to TRMs; it also provides support to operational units involved with TRMs.

██ Operational units must consult with the TRM unit at the planning stage, and while drafting ██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

██ CSIS’s governing policy outlines the requirements associated with planning, approving, implementing, and reporting TRMs, including their use in exigent circumstances.9 The policy replicates the relevant provisions of the CSIS Act, without adding much direction beyond citing the existing legislative regime. For example, the policy incorporates the Act’s requirement to ensure that TRMs are reasonable and proportional, having regard to the nature of the threat, the nature of the measures, the reasonable availability of other means to reduce the threat, and the reasonably foreseeable effects of the measure on third parties, including their right to privacy. ████████████████████████████████████████████████████████████████████████████████

███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

███████████████ NSIRA notes that in conducting its legal assessments, ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████.

██ CSIS has also developed internal guidelines for consultations with other government departments, ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

4. Findings and recommendations

Brief overview – TRMs, by the numbers

During the review period, CSIS proposed TRMs in total.

  • proposed measures involved an external party that had an ability to act using its own levers of control.
  • Of these proposed measures, were approved and implemented.
  • Of the approved measures, none of them, in CSIS’s view, required judicial authorization, or warrants, to proceed.

██ Comprising █████████ proposed measures, information disclosure to external parties was a common strategy that CSIS proposed as part of TRMs, to reduce perceived threats to the security of Canada.

CSIS’s information disclosures as part of TRMs

██ NSIRA examined documentation supporting the ██ proposed TRMs, including the ██ implemented TRMs where CSIS disclosed information to an external party to reduce a threat to the security of Canada. NSIRA looked to identify and assess:

  • the types of external parties involved in the proposed TRMs;
  • the nature of the information that CSIS shared as part of these measures; and
  • the extent to which CSIS identified, documented and considered the plausible adverse impacts of the measure on individuals.

Types of external parties involved in proposed TRMs

████████████ NSIRA provides examples of the types of external parties involved in proposed TRMs, as well as some of the varied actions they could take in Table 1, below.

*Completed Redacted table*

Nature of information disclosed

████████████ NSIRA examined implemented TRMs to identify the different types of information CSIS shared with external parties. NSIRA observed that the nature of the disclosures varied greatly and also often included information ███████████ linking the subject to threat-related or criminal activity:

█████████████████████████████████████████████████████████████████

█████████████████████████████████████████████████████████████████

█████████████████████████████████████████████████████████████████

███████████████████████████████████████████████████████████████████████████████████████

████████ NSIRA also observed that CSIS used ███████████████████████████████████████████████████████████████████████████████████████ For example, █████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

███████████ NSIRA observed that CSIS’s documentation of the information disclosed to the external party was uneven and, at times, lacked clarity and specificity. █████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ Where the information to be disclosed is vaguely described, the full range of plausible adverse direct and indirect impacts may be difficult to ascertain with any precision. This affects the rigour of any associated risk assessment, including the legal risk assessment.

██████████ By contrast, NSIRA noted certain instances in which CSIS provided a sufficiently detailed description of the information to be disclosed in its documented materials.

██ In NSIRA’s view, the precise content, including the scope and breadth of the information to be disclosed to an external party as part of a TRM, is important and feeds into the overall risk assessment of the proposed measure. A detailed and precise description of the information to be disclosed would allow for more considered assessments.

██ Finding 1: NSIRA finds that CSIS’s documentation of the information disclosed to external parties as part of TRMs was inconsistent and, at times, lacked clarity and specificity.

██ Recommendation 1: NSIRA recommends that when a TRM involves CSIS disclosing information to external parties, CSIS should clearly identify and document the scope and breadth of information that will be disclosed as part of the proposed measure.

Identification, documentation and consideration of impacts

██ NSIRA’s 2020 TRM review examined ██ TRMs where CSIS disclosed information to an external party in order to disrupt a ██████ threat actor. That review underlined the importance of considering all plausible adverse impacts on an affected individual as part of the TRM approval process. In this year’s review, NSIRA sought to examine a larger sample of TRMs in which CSIS disclosed information to external parties to reduce an identified security threat. This year’s review allowed NSIRA to gain greater insight into CSIS’ intended outcomes for these TRMs and how CSIS assessed their impact on the individual.

██ The following examples highlight common impacts that NSIRA identified:

████████████████████████████████████████████████████

████████████████████████████████████████████

████████████████████████████████

██████████████████████████████████████████

██ The interests engaged where measures affect ██████████████████████████████████████████████████████████████████████████████ can have significant and lasting impacts on the subjects and their families. For example, measures that impact the ████████████████████████████████████████████████ interfere with ████████████████████████████████████████████████ Moreover, the associated hardships can affect the subject’s inherent dignity. The norms of our liberal democracy dictate that people in society should be able to █████████████████████████████████████████████

When CSIS is assessing the reasonableness and proportionality of TRMs that can impact the █████████████

as well as assessing whether a warrant is required, it is important that the analysis sufficiently take these factors into consideration.

Measures affecting ███████

███████

███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

████████████████████████ In NSIRA’s view, the identification and assessment of the risks associated with ███████████████████████████████████████████████████████████ failed to fully explore the plausible adverse impacts of these actions. ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

████████████████████

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

████████████████████

Nevertheless, NSIRA observes that CSIS approved a TRM without knowing the actions, if any, that the ██████████ was required to take under Canadian law or could take, pursuant to its ██████████ This information could have contributed to the assessment of the plausible adverse impacts of the measure upon individuals. ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

Measures affecting ██████████

████████████████████

██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

███████████████████████████ NSIRA notes that, at the time the proposed measure was assessed, CSIS did not appreciate the authority and capacity of each of the organizations to prevent the individual from ██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

Measures preventing ████████████

███████████████

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

Measures ██████████████████████████████

█████████████

█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

██████████████████████████ While this TRM likely raises issues associated with the extraterritorial application of the Charter, NSIRA focused its assessment on the scope and nature of the plausible adverse impacts of the measure. NSIRA notes that at the time the proposed measure was assessed, CSIS did not have a developed understanding of potential harms ██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

██████████████████

███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

Identification of impacts

██ NSIRA observes that CSIS’s understanding of the scope and breadth of the potential ramifications of disclosing information to external parties varied across the reviewed sample. NSIRA expected to see that when CSIS disclosed information to an external party, CSIS had a genuine appreciation of the scope of the plausible adverse outcomes, including the actions that the external party could take. NSIRA also expected to see a consideration of, not only the impacts of the intended outcomes of the measure, but also any collateral adverse impacts.

██ For examples, █████████████████████████████████████████████████████████████████ NSIRA expected CSIS to understand the ability of the external party to take action. As noted in some of the examples above, while CSIS always had a clear desired outcome for the TRM, CSIS did not always have an adequate appreciation of the powers and authority (levers of control) of the external party receiving the information.

██████████████████████████████ NSIRA observed that CSIS had turned its mind to whether the proposed measure could have █████████████████████████████████████████████ However, the identified impacts fell short because they did not consider the foreseeable possibility that the individual could be █████████████

██ Finding 2: NSIRA finds that CSIS does not systematically identify or document the external parties’ authority and ability to take action, or plausible adverse impacts of the measure.

██ Recommendation 2: NSIRA recommends that CSIS fully identify, document and consider the authority and ability of the external party to take action, as well as the plausible adverse impacts of the measure.

Documentation of outcomes

██ NSIRA expected to obtain more certainty with respect to the outcomes of these measures by reading official outcomes reports, ██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ This suggested that CSIS’s reporting system was inadequate or that these reports were improperly filed or non-existent.

██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

██ NSIRA observes that follow-ups with the external party should be an essential
component of measures involving information disclosure whose principal purpose is to reduce a security threat. Without robust documentation and after action reports on TRMs, CSIS is incapable of assessing the efficacy of the measure as well as appreciating the full impact of its actions. An examination of well-documented afteraction reports will also enable CSIS ██████ to determine whether their initial reasonableness and proportionality assessment may have failed to consider important considerations, which can, in turn, inform the assessments of future proposed TRMs.

██ Finding 3: NSIRA finds that CSIS did not consistently document the outcomes of TRMs in accordance with its policy. Furthermore, CSIS policy doesnot require it to document the actions taken by external parties.

██ Recommendation 3: NSIRA recommends that CSIS should amend its TRM policy to include a requirement to systematically document the outcomes of TRMs, including actions taken by external parties. This practice should inform post-action assessments and future decision-making.

██ Recommendation 4: NSIRA recommends that CSIS comply with its record-keeping policies related to documenting the outcomes of TRMs.

Consideration of impacts when assessing whether a warrant is required

██ The variety of impacts observed in this year’s TRM review highlights the salience of NSIRA’s recommendation in 2020, namely that CSIS consider more comprehensively potential adverse impacts of these types of measures on the affected individuals. This recommendation underlined that all potential impacts on an affected individual, even where they are carried out by the external party and not CSIS, should be consideredwhen determining whether a warrant is required.

██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

██ This limited consideration of the impacts of TRMs was also evident in this year’s review. ████████████████████████████████████████████████████████████████████████████████

████████████████████████████████████████ In an October 2021 briefing between NSIRA and ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

██ NSIRA notes that CSIS cannot avoid responsibility just because the outcomes of an action would be effected by someone else’s hand. ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ Where there is a sufficient causal connection between CSIS’s actions and the ultimate outcomes, the principles of fundamental justice apply to deprivations of life, liberty or security effected by external parties. ████████████████████████████████████████████████████████████████████████████████████████████████████████ This is particularly so when such a foreseeable risk has been identified in the reasonableness and proportionality analysis.

██ The current structure used to determine whether CSIS should obtain a warrant for its TRMs is an insufficient implementation of the warrant requirements of the TRM provisions. Sections 12.1 (3.2) and (3.4) require CSIS to seek a warrant when the measure would limit a Charter right or otherwise be contrary to Canadian law. The current ██████████████████ by CSIS is overly narrow and should not be based on the impacts of a CSIS action alone. Rather, it should consider the full impact of the measure, including any direct and indirect impacts caused or initiated by external parties.

██ The CSIS Act is clear that when a proposed TRM would limit a Charter right or freedom, or would otherwise be contrary to Canadian law, CSIS must seek a judicial warrant. In NSIRA’s 2020 TRM Review, CSIS deemed that a warrant was not required for the reviewed TRMs, because it viewed the external party as responsible for taking action, not CSIS. NSIRA identified its concerns with this approach, and noted that consideration of the full impact of such proposed TRMs, including any downstream Charter implications resulting from the external parties’ actions could require CSIS to obtain a warrant before undertaking these types of measures.

██ CSIS’s response to this recommendation stated “the Department of Justice will further consider this recommendation and factor it into its work related to TRM under the CSIS Act.

██████████████████████ However, as noted above, ██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

██ NSIRA fundamentally disagrees with CSIS’s understanding of and approach to the legal analysis of determining whether a warrant is required for proposed TRMs.

██ Going forward, NSIRA expects that when proposing a TRM where an individual’s Charter rights would be limited, or that would otherwise be contrary to Canadian law, whether at the direct hand of CSIS or that of an external party to whom CSIS disclosed information, CSIS will seek a warrant to authorize the TRM.

██ Finding 4: NSIRA finds that when determining whether a warrant is required,CSIS’s assessment is overly narrow due to a failure to appropriately consider the impacts resulting from external party actions.

██ Recommendation 5: NSIRA recommends that CSIS appropriately consider the impacts resulting from external party actions when determiningwhether a warrant is required.

Conclusion

██ The variety of impacts observed in this year’s review, combined with the gaps identified in CSIS’s understanding and assessment of these impacts highlights the salience of a number of NSIRA’s recommendations in 2020.

██ The TRM regime was introduced in 2015 to address an evolving security and intelligence landscape. NSIRA recognizes that CSIS’ threat disruption powers can be an effective tool to diminish a national security threat. While these powers provide CSIS with additional flexibility, they also demand heightened responsibility, given their covert nature and ability to profoundly impact, not only the subject of a given TRM, but others potentially captured by its scope. As this review demonstrates, TRMs can interfere with ███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ Mindful of the need to reduce threats, but recognizing the competing values at stake, it is critical that CSIS subject its TRMs to robust and thorough analyses, both prior to and following their implementation.

██ NSIRA reiterates its recommendation that CSIS consider more comprehensively the plausible adverse impacts of these types of measures on the affected individuals, even when they are carried out by the external party and not CSIS. These impacts should be considered not only when considering the reasonableness and proportionality of a proposed measure, but also when determining whether a warrant is required.

██ In addition, this year’s review again highlighted the importance of Justice’s involvement in the TRM approval process. More specifically, the necessity for Justice to be provided sufficient information, in this case on the nature of the information to be disclosed by CSIS as well as the authority and actions (levers of control) the external party can take, to allow Justice to provide considered legal advice.

██ Finally, without robust documentation and after action reports on TRMs, CSIS is incapable of assessing the efficacy of the measures or appreciating the full impact of its actions. CSIS should systematically identify the actions that are taken by external parties for threat reduction measures that involve CSIS disclosures of information. Identifying and recording these actions and the subsequent impacts on TRM subjects will inform not only TRM risk assessments, but also enable CSIS to build upon its experience with TRMs and guide future decision-making.

██ While outside of the scope of this review, NSIRA is aware that in January 2021, CSIS launched ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ NSIRA may in the future review ████████████████████████████████ and whether it has impacted the identification and consideration of plausible adverse impacts of measures on individuals.

Annex A: Findings and Recommendations

██ Finding 1: NSIRA finds that CSIS’s documentation of the information disclosed to external parties as part of TRMs was inconsistent and, at times, lacked clarity and specificity

██ Finding 2: NSIRA finds that CSIS does not systematically identify or document the external parties’ authority and ability to take action, or plausible adverse impacts of the measure.

██ Finding 3: NSIRA finds that CSIS did not consistently document the outcomes of TRMs in accordance with its policy. Furthermore, CSIS policy does not require it to document the actions taken by external parties.

██ Finding 4: NSIRA finds that when determining whether a warrant is required, CSIS’s assessment is overly narrow due to a failure to appropriately consider the impacts resulting from external party actions.

██ Recommendation 1: NSIRA recommends that when a TRM involves CSIS disclosing information to external parties, CSIS should clearly identify and document the scope and
breadth of information that will be disclosed as part of the proposed measure.

██ Recommendation 2: NSIRA recommends that CSIS fully identify, document and consider the authority and ability of the external party to take action, as well as the plausible adverse impacts of the measure.

██ Recommendation 3: NSIRA recommends that CSIS should amend its TRM policy to include a requirement to systematically document the outcomes of TRMs, including actions taken by external parties. This practice should inform post-action assessments and future decision-making.

██ Recommendation 4: NSIRA recommends that CSIS comply with its recordkeeping policies related to documenting the outcomes of TRMs.

██ Recommendation 5: NSIRA recommends that CSIS appropriately consider the impacts resulting from external party actions when determining whether a warrant is required.

Share this page
Date Modified:

Review of the Canadian Forces National Counter-Intelligence Unit

Review Backgrounder

This review focused on one aspect of the Department of National Defence / Canadian Armed Force’s (DND/CAF) intelligence activities: The Canadian Forces National Counter-Intelligence Unit (CFNCIU, or the Unit). The review was selected given that it is consistent with NSIRA’s emphasis on conducting a series of safeguarding reviews over the next few years.

The review examined CFNCIU’s domestic efforts at investigating Counter Intelligence (Cl) threats posed to DND/CAF, the rationale used by CFNCIU for justifying investigations, and the associated activities that transpire once this determination is made.

NSIRA reviewed the Unit’s case files, interviewed CFNCIUFIQ staff, detachment investigators and other internal stakeholders, as well as key senior officers with the aim of understanding CFNCIU’s contribution to Cl and insider-threat scenarios within DND/CAF. Based on the assessment of this information, NSIRA made several findings and recommendations to improve how intelligence is derived from investigations and conveyed to government decision-makers.

It is important to note that since inception of the Unit in 1997, the CFNCIU has been the subject of ten internal studies, each of which have identified the Unit as having suffered from resource and policy limitations (among others), resulting in an inability to fully meet its mandate. This review does not significantly depart from these previous assessments.

Table of Contents

Date of Publishing:

Share this page
Date Modified:

Study of the Government of Canada’s use of Biometrics in the Border Continuum

Review Backgrounder

The Government of Canada (GoC) uses biometrics to identify individuals with a level of confidence beyond what is possible absent such techniques.

Biometrics play a fundamental role in the border continuum, which includes the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air. In the course of this study, the National Security and Intelligence Review Agency (NSIRA) examined activities conducted by the Canadian Border Services Agency (CBSA), Immigration, Refugees, and Citizenship Canada (IRCC), and Transport Canada (TC). The study also extended to the Royal Canadian Mounted Police (RCMP), which plays a supporting role in one of the major IRCC-led programs in this area.

Biometrics are sensitive personal information. The identification of persons by virtue of their biological characteristics raises privacy and human rights concerns. There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. At the same time, identifying individuals entering the country – and consequently determining whether they have a right to enter, or what risks they might pose – serves a national security function. In this way, the use of biometrics requires an assessment of the balance between privacy and security.

This report informs, contextualizes, and contributes to this conversation by presenting NSIRA’s foundational study of the GoC’s biometric activities in the border continuum.

Date of Publishing:

1. Executive Summary

The Government of Canada (GoC) uses biometrics to identify individuals with a level of confidence beyond what is possible absent such techniques.

Biometrics play a fundamental role in the border continuum, which includes the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air. In the course of this study, the National Security and Intelligence Review Agency (NSIRA) examined activities conducted by the Canadian Border Services Agency (CBSA), Immigration, Refugees, and Citizenship Canada (IRCC), and Transport Canada (TC). The study also extended to the Royal Canadian Mounted Police (RCMP), which plays a supporting role in one of the major IRCC-led programs in this area.

Biometrics are sensitive personal information. The identification of persons by virtue of their biological characteristics raises privacy and human rights concerns. There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. At the same time, identifying individuals entering the country – and consequently determining whether they have a right to enter, or what risks they might pose – serves a national security function. In this way, the use of biometrics requires an assessment of the balance between privacy and security.

This report informs, contextualizes, and contributes to this conversation by presenting NSIRA’s foundational study of the GoC’s biometric activities in the border continuum.

The study identified a set of observations linked to nine overarching themes:

  1. Biometrics and National Security. The centrality of national security as a justification for biometric activities has waned over time relative to other objectives, such as identity management and traveller facilitation. This makes it challenging to assess biometric activities in general as national security activities. Future NSIRA reviews may focus more narrowly on biometric activities that directly engage national security.
  2. The Steady-State Activities. The steady-state biometric activities in the border continuum are generally well-supported by current legal authorities and are consistent with international practice.
  3. Expanding Use of Biometrics over Time. The use of biometrics in the border continuum has significantly expanded over the last three decades, and is likely to continue expanding in the future. This trajectory is driven partly by advancing technological capabilities, partly by evolving challenges in identity management. It is reflected in other jurisdictions around the world. Exploiting the possibilities created by technological developments and keeping pace with other jurisdictions cannot justify the expanded use of biometrics in their own right. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for particular, intended objectives.
  4. Pilot Projects. Pilot projects and initiatives raise more concerns than do steady-state activities, as they risk being implemented on an experimental basis, without sufficient legal analysis or policy development. These projects represent an area of continued interest for NSIRA. Despite the temporary or experimental nature of a project, NSIRA expects that departments will conduct the analysis necessary to ensure that legal authority is in place for the conduct of the activity, and that the attendant collection, use, retention and disclosure of personal information is well-governed by policy.
  5. Evolving Legal and Societal Norms. The public debate surrounding legal authorities questions whether existing standards and protections are sufficient for regulating biometric activities or whether new standards and protections are required. The border is, comparatively, a space in which greater intrusiveness is considered reasonable – but the boundaries of those justifications are not limitless, and will require careful calibration moving forward.
  6. The Dual-Use of Biometrics. NSIRA observed several instances of possible dual-use of biometric information in the activities examined in this report. Even where they pose demonstrable benefits, new uses of biometrics must be carefully considered to ensure their reasonableness and proportionality. In addition, all new uses must be justified and well-authorized in law. The principle of “purpose limitation” may be a way of guarding against unjustified dual-use in the context of biometric activities.
  7. Technical Systems. There is significant overlap between the technical systems and databases used across the steady-state biometric activities. The overall architecture of this system – biometric collection, transmission, and storage in the course of the GoC’s activities in the border continuum – is complex, though not necessarily problematic.
  8. Visibility into Algorithms. Departments and agencies have limited visibility into how the algorithms they use for biometric analysis operate. Each department and agency did, however, demonstrate that performance metrics are known and tested, and that custom thresholds are used when appropriate.
  9. Preventing Bias and Discrimination. IRCC and CBSA have conducted preliminary analyses to explore how their biometric activities may impact diverse groups of people, though the implementation of possible mitigation strategies was not always apparent. In some contexts, technological advancements have helped to reduce, but not eliminate, differential impacts. More work remains in terms of mitigating differential impacts on segments of the population. At the same time, the departments and agencies under review have demonstrated their awareness of possible systemic inequalities and their commitment to addressing them.

These observations are intended to contribute to Canadians’ understanding of the complex and evolving use of biometrics in the border continuum, and to shape how NSIRA as an organization engages with this area in future work.

Public debate about the government’s application of biometric technology will continue to evolve, driving change in the legal and regulatory frameworks associated with such activities. As such, continued scrutiny from NSIRA is warranted, particularly in those instances where the collection and use of biometric information is justified by explicit reference to national security outcomes.

List of Acronyms

Glossary of Terms

2. Authorities

The National Security Review Agency (NSIRA) conducted this study under section 8(1)(b) of the National Security and Intelligence Review Agency Act.

3. Introduction

Background

Biometrics enhance the government’s ability to know who you are. The measurement and analysis of unique biological characteristics – including, inter alia, fingerprints, iris patterns, and facial features – facilitates the identification of individuals to a level of confidence beyond what is possible absent the use of such techniques. Biometrics can be layered with traditional identifiers – such as name, date of birth, place of birth, gender etc. – to enhance the government’s identification process.

Knowing who you are – including verifying that you are who you claim to be – has benefits for national security. At the border, in particular, questions about identity are paramount: who has the right to enter the country, who does not, and who might pose a threat to the security of Canada and Canadians?

At the same time, the identification of persons by virtue of their biological characteristics raises acute privacy and human rights concerns. Biometrics are intrinsically personal information, and are largely immutable (i.e., they cannot be easily changed, as can passwords or other identifiers). There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. As biometric technology is increasingly integrated into public spaces, it will be important for government and for Canadians to consider the associated calibration of security, privacy, and human rights.

This report informs, contextualizes, and contributes to this conversation by presenting NSIRA’s foundational study of the Government of Canada (GoC)’s biometric activities in the border continuum, with a focus on activities relating to the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air.  The immediate objective of the study was to map the biometric activities occurring in this space. This includes examining the collection, retention, use, and disclosure of biometric information, as well as the legal authorities under which said activities occur. The baseline for an informed public discussion is accurate information about which activities are being pursued by the GoC and whether/how they are authorized in law.

The study also considered the reasonableness and necessity of these activities, studying the accuracy and reliability of biometrics, including the possibility of discrimination on the basis of identity factors like race and gender; the proportionality of their collection, retention, use and disclosure; and the transparency with which the GoC discusses its use of biometrics and their contribution to national security.

NSIRA’s ability to look across departments and agencies and to make both specific and general observations – to examine the forest as well as the trees – was particularly valuable in assessing a wide and growing biometric landscape.

In addition to informing an important public conversation, the report’s broad treatment of biometric activities in the border continuum advances NSIRA’s work in two ways. First, it identifies several more narrow areas of interest or concern, to which NSIRA may return in future targeted reviews. Second, it defines a set of criteria against which NSIRA may review the GoC’s use of biometrics in national security and intelligence activities – both within and beyond the border continuum.

The Study

Scope

The border is distinct from other public settings. There are security imperatives that arise when individuals cross sovereign boundaries, such that the state is justified in taking measures not permissible in other contexts. While privacy rights and civil liberties do not disappear, expectations of privacy and of free movement are significantly lower. In considering the GoC’s biometric activities, therefore, it was practical to separate the border continuum from other settings; what might be overly intrusive in the latter may be justified in the former. Further, the border can serve as a testing ground for new biometric techniques and technologies, which then spread to other areas. If there are public concerns about biometric technology more generally, the border may serve as a harbinger of things to come and ought to be scrutinized accordingly.

In this study, we examine the collection, retention, use, and disclosure of biometric information and evaluate, where applicable, said activities against the criteria outlined below. We reviewed relevant policy and legal frameworks as communicated by departments and agencies, to inform our assessment of reasonableness and necessity, and to establish foundational knowledge that will inform future compliance assessments in the biometrics space. Our assessment of reasonableness and necessity was conducted at a high-level, reflecting on the themes, trends and issues manifest in considering the GoC’s biometric activities in the border continuum as a whole. We did not conduct independent verification or audit of the claims or activities themselves.

In the course of this study, NSIRA examined activities conducted by the Canada Border Services Agency (CBSA), Immigration, Refugees, and Citizenship Canada (IRCC), and Transport Canada (TC). The study also extended to the Royal Canadian Mounted Police (RCMP), which plays a supporting role in one of the major IRCC-led programs in the border continuum.

NSIRA also surveyed the history, and possible future, of biometric activities in the border continuum. The biometric landscape is not static, nor are practices in traveler facilitation and border security. Much of the public concern regarding biometrics (in particular over something like facial recognition technology) has to do with what lays just over the horizon, rather than simply any activity currently taking place. To this end, discussion of past activities, programs, and pilot projects illustrate the expansion of biometrics that has culminated in the present moment. Similarly, several pilot projects and initiatives known to be in development serve as examples of what may be to come. This wider lens contextualizes present activities and thus helps fulfill the broader objectives of the study.

Criteria

A set of basic criteria guided NSIRA’s assessment of the GoC’s present biometric activities in the border continuum:

  • Compliance. NSIRA examined the legislative and policy framework governing departments’ and agencies’ collection and use of biometrics. It examined the enabling legislation’s compliance with the Canadian Charter of Rights and Freedoms and Privacy Act; considered the safeguards and features of the departments’ or agencies’ enabling statutes and regulations as applies to their biometric programs; and reviewed applicable departmental and Treasury Board policies.
  • Proportionality. Proportionality, in this context, weighs the government’s objectives in using biometrics against any impacts on individuals’ privacy or human rights. Generally speaking, NSIRA expects that any intrusions on the rights and freedoms of individuals be readily justifiable and offer important benefits to pressing and substantial objectives.
  • Accuracy. Because biometrics are fundamentally designed to identify individuals, it is important that they do so accurately, such that they can effectively contribute to the government’s objectives in a given activity/program. Biometric analysis (including the use of algorithms) is subject to error rates and false-matches that can have significant consequences for individuals. Relatedly, algorithms used for biometric analysis are susceptible to demographic performance variables which could give rise to bias or discrimination.
  • Transparency. In light of the GoC’s National Security Transparency Commitment of 2017, this criterion generally assessed the public transparency of biometric activities in the border continuum. It emphasized the availability of information regarding the type of biometrics collected and the connection of biometrics to GoC priorities, including national security.
  • Data Security. Given the sensitive nature of biometric information, protection of said data throughout the so-called “privacy lifecycle” (collection, storage, transmission, and destruction) is particularly important. As such, NSIRA assessed the policy frameworks of the activities under review for data security protections, such as encryption, access limitations, and privacy-by-design principles.

Collectively, these criteria informed NSIRA’s assessment of the lawfulness, reasonableness and necessity of the departments’ exercise of their powers as concerns the use of biometrics in Canada’s border continuum. Our observations highlight potential issues and areas of concern, which may serve as a basis for subsequent in-depth review of particular activities.

Methodology and Information Requirements

NSIRA received information from departments and agencies in the form of briefings, written responses, and documents. The latter included policies, procedures, project reports, technical studies, operational bulletins, manuals, correspondence, websites, and relevant legal opinions.

In addition to information obtained from departments and agencies, the nature of the study – dealing with a broad category of information widely used and heavily scrutinized across the globe – meant that a significant volume of open-source research was pertinent. As such, NSIRA examined media reports (both domestic and international), industry reports, academic research, think tank reports, government reports/documents from other jurisdictions, and intergovernmental and non-governmental organization research on biometrics and related technology. What emerged was a sense of the common standards, themes, risks, and even lexicon associated with biometrics, all of which helped inform NSIRA’s observations regarding the GoC’s biometric activities in the border continuum.

The Report

The body of the report is organized into three descriptive sections, presented in chronological order:

  • Biometrics Past: a discussion of the history and evolution of the use of biometrics in the border continuum, including relevant pilot projects and key expansions along the way;
  • Biometrics Present: a description of current, steady-state biometric activities; and,
  • Biometrics Future: a discussion of the role biometrics are likely to play in the border continuum moving forward, based on present trajectories.

The concluding section unpacks overarching themes and observations pertinent to the study objectives outlined above. While some of these observations are specific to a particular program or activity, others apply horizontally across various aspects of the study. The mélange reflects both the nature of a foundational study and the unique, crosscutting mandate that NSIRA enjoys. Our observations are intended to contribute to Canadians’ understanding of the complex and evolving use of biometrics in the border continuum, and to shape how NSIRA as an organization engages with this area in future work.

4. Biometrics Past

IRCC began collecting fingerprints from asylum claimants and deportees in 1993, partly as a consequence of the rise in global migration volumes following the end of the Cold War. Canada received 37,000 refugee protection claims in 1992, up from just a few thousand annually for the balance of the 1980s. The resulting pressure on the system led, in part, to the introduction of Bill C-86 in June 1992, which included several provisions designed to enhance the efficiency and integrity of Canada’s immigration and refugee system, among them the fingerprinting of asylum claimants and deportees. This provision generated public criticism, with the government eventually amending it to include the deletion of fingerprints if/when an individual became a Canadian citizen. Ultimately, the purpose of the collection was to introduce processing efficiency into the system and to enhance both fraud detection and fraud deterrence through rigorous identity management.

Over the subsequent years, the collection and use of biometrics in the border continuum has steadily expanded, such that nearly everyone entering Canada by air – whether a foreign national or Canadian citizen – now has their biometric information collected and/or analyzed in some way. How did we get from there to here? The present section addresses this question by describing the evolution of the GoC’s activities over time, highlighting key moments, programs, and projects that animate it along the way.

9/11

The terrorist attacks of September 11, 2001, dramatically altered Canada’s national security landscape. The 2001 budget reflected the new priorities of the day, with $7.7 billion over five years allocated to security measures, including $1 billion to immigration screening and enforcement and $1.2 billion to border security initiatives.

These outlays came on the heels of explicit recommendations from a parliamentary committee to, among other things, “modernize border management to accommodate future security and trade needs” and “test and implement […] advanced technologies in […] border processing operations.” The latter recommendation included the suggestion that “biometric technology in the form of fingerprint or retina scanners could […] be considered to identify individuals […] crossing the border.” The report also called for the reactivation and full implementation of the NEXUS program, which had been a cross-border travel pilot project between the US and Canada launched in November 2000 but suspended in the wake of the attacks.

The central plank of post-9/11 US-Canada border security cooperation, however, was the Smart Border Declaration, signed on December 12, 2001. Accompanied by a 30-point Action Plan, the declaration guided US and Canadian efforts to enhance border security. The very first item on the Action Plan was the introduction of “biometric identifiers”, calling for the two countries to “develop on an urgent basis common biometric identifiers in documentation such as permanent resident cards, NEXUS, and other travel documents to ensure greater security.” Also of note were the provisions to expand information sharing in the visa and refugee/asylum context.

The two countries explicitly framed the Smart Border Action Plan as an effort to “develop a zone of confidence against terrorist activity”. In the US, the Final Report of the National Commission on Terrorist Attacks Upon the United States (more widely known as the “9/11 Commission Report”) expressed this logic, calling for a “biometric screening system” that would encompass the entire border continuum, from passport and immigration application to arrival at ports of entry, along with information sharing between jurisdictions. Canada’s 2004 National Security Policy (NSP) similarly foregrounded biometrics in its chapter on border security. The NSP noted that Canada would “work toward a broader use of biometrics” and “examine how to use biometrics in [its] border and immigration systems to enhance the design and issuance processes of travel and proof-of-status documents and to validate the identity of travellers at [Canada’s] ports of entry.” For both countries, biometrics were seen as a means of identifying possible terrorists crossing the border. 9/11 had fused border security to national security, turning identity management – hitherto primarily associated with efficiencies and fraud – into a national security priority.

In Canada, the NSP set the basic outline of the GoC’s current steady-state biometric activities: facial recognition in the issuance and use of travel documents (Passport Program) and fingerprints and the validation of identity at ports of entry (Immigration Program). We return to these in Section 5.

In the balance of this section, we briefly describe the key biometric activities and programs adopted in the years following 9/11.

ePassport

Though standard in the document for decades, passport photographs were not considered “biometrics” until passports became machine-readable. The 2003 International Civil Aviation Organization (ICAO) guidelines on ePassports, also commonly referred to as “biometric passports,” therefore mark the introduction of biometric identifiers to the document on the international stage. Canada committed to the ePassport in 2004, though actual implementation unfolded in stages over subsequent years, with the full rollout occurring in 2013. Hundreds of other jurisdictions adopted the ePassport during this period, gradually establishing it as an international recommended practice for official travel documents. Canada’s current iteration of the ePassport is discussed in paragraphs 95-112, below.

In addition to the “smart chip” embedded in the ePassport and containing the facial photograph, the government also pursued facial recognition in the passport application/issuance process. The first Privacy Impact Assessment (PIA) for what was then known as the “Facial Recognition Project” was crafted in 2003, though full implementation under the guise of the “Facial Recognition Solution” (FRS) did not occur until 2010. The system used facial recognition to help assess entitlement to a Canadian passport or other official Canadian travel document. The specific objectives of the program were: to detect fraud, support the authentication of identity, and prevent passport issuance to ineligible applicants. We discuss the current iteration of the FRS, which is a key component of the steady-state Passport Program, in paragraphs 95-112, below.

Temporary Resident Biometrics Program (TRBP) (2009-2018)

The “Temporary Resident Biometrics Program” (TRBP) – initiated in 2009 and operational by 2013 – marked a significant expansion of the collection of biometrics in the immigration context. Under the TRBP, biometrics (fingerprints and a digital photograph) were collected by IRCC (then-Citizenship and Immigration Canada [CIC]) as part of temporary resident applications from 30 nationalities. The fingerprints were screened “against fingerprint records of known criminals, past refugee claimants, persons previously deported, and previous immigration applicants” held by the GoC. Once the application was approved and the applicant arrived in Canada, the CBSA verified the biometrics ensuring that the person presenting was the same individual that had applied. In 2014, biometrics collection was expanded beyond temporary resident applications to include overseas refugee and resettlement applications.

According to the GoC, biometrics were adopted as a means to access more complete and accurate information, so as to inform admissibility decisions made under the Immigration and Refugees Protection Act (IRPA) regarding temporary resident applicants. The TRBP’s use of biometrics therefore supported identity management goals, with national security – the identification of individuals who might pose a security threat – constituting a supporting feature of the larger program.

Beyond the Border (2011) and Immigration Information Sharing (IIS) (2013-2016)

In 2011, Canada and the US issued the joint declaration Beyond the Border: A Shared Vision for Perimeter Security and Economic Competitiveness and its accompanying “Beyond the Border Action Plan”. The plan made a commitment to increase information sharing between the two countries. Canada and the US had shared immigration information on a case-by-case, ad hoc basis since 2003, but the process was labour intensive and consequently limited in volume.

The resulting program was the Immigration Information Sharing (IIS) initiative, which made it possible for Canadian and American authorities to systematically exchange immigration information on the basis of a biometric match between their respective immigration databases – a capability that became fully operational in August 2015. For example, all biometric-required applicants to Canada had their fingerprints systematically checked against US fingerprint holdings at the time of enrolment. In the event of a match, the US returned relevant immigration information (e.g. biographical information to confirm identity, the outcome of any previous immigration applications, etc.) to IRCC, to help inform decisions about admissibility. The arrangement was reciprocal, meaning the US similarly queried Canadian immigration fingerprint holdings, with Canada returning immigration information in the event of a match. As characterized by a 2015 implementation report, this capability helped to “counter identity fraud, strengthen identity management and provide valuable information to inform respective admissibility determinations.”

The IIS was, in many ways, the natural extension of TRBP. Whereas TRBP made it possible to screen an applicant’s biometrics against domestic databases, IIS extended this capability to US databases, thereby increasing the range of information obtainable through biometric querying.

Information-Sharing Pilot between CBSA and IRCC/CIC (2013-2016)

Beginning in 2013, a two-phase pilot project between CBSA and IRCC/CIC explored the benefits of leveraging facial recognition through information sharing. The impetus for the project was the experimental querying of 72 photographs of individuals wanted by the CBSA against IRCC/CIC’s passport database. The querying was intended to verify whether any passports had been issued to individuals subject to CBSA warrants for arrest under the IRPA (under genuine or false identities), thus helping protect the integrity of the passport system, while also facilitating enforcement of the IRPA. The CBSA and IRCC rely on sections 7, 8(2)(a) and 8(2)(e) of the Privacy Act for the use and disclosure of this information.

Using facial recognition, the one-to-many identification of these 72 individuals identified three individuals who had fraudulently acquired travel documents. On the strength of these results, the organizations drafted a Memorandum of Understanding (MOU) in December 2013 to share photographs of 1,000 individuals wanted on active CBSA warrants and ran a one-to-many identification against the passport database using facial recognition. This time, 15 individuals were found to have submitted fraudulent passport applications.

In 2015, another round of the project was initiated under a subsequent MOU, raising the number of queries to 3,000 individuals. Also expanded was the scope of information that could be returned as a result of a positive match. Whereas the 2013 MOU only authorized the sharing of information related to document fraud, the 2015 MOU authorized the sharing of any derogatory information relevant to the enforcement of the IRPA. Appendix III of the Information Sharing Annex to the 2017 IRCC-CBSA MOU established this information sharing on a permanent basis.

Research into Facial Recognition

In addition to the expansion, refinement, and leveraging of biometric activities associated with passports and immigration, the GoC explored additional uses of biometrics, including facial recognition, through research into emerging technologies and pilot initiatives, testing possible applications in the border continuum.

Pilot and Research on Operational Video-based Evaluation of Infrastructure and Technology: Face Recognition in Video (PROVE-IT: FRiV) (2011-2013)

In 2011, CBSA led the “Pilot and Research on Operational Video-based Evaluation of Infrastructure and Technology: Face Recognition in Video” (PROVE-IT: FRiV) project. PROVE-IT: FRiV examined, in a lab setting, the possible use of live-capture facial recognition in a controlled environment, such as an airport. Researchers evaluated commercial products and tools available for this purpose, and determined that “face-based surveillance” was ready for live use in “in semi-constrained environments.”

Faces on the Move (FOTM) (2014-2017)

Building on the findings and results of PROVE-IT: FRiV, CBSA launched the “Faces on the Move” (FOTM) pilot project in 2014. FOTM involved the live video capture of the facial images of travellers as they passed through Toronto Pearson International Airport Terminal 3 for a six-month period between June 2016 and November 2016.

Project-specific video cameras were installed to capture facial images in the immigration arrivals area, primary inspection, and toward the exit following primary processing. Facial images were checked in real time using facial recognition against two image databases: a “control” watchlist comprised of 65 CBSA volunteers, and an “operational” watchlist of 4,860 previously deported individuals, generated by CBSA. The CBSA volunteers conducted over 1,200 test walkthroughs over the course of the six-month demonstration. At the same time, approximately 15,000 to 20,000 travellers per day were screened against the operational watchlist, of which forty-seven were correctly detected by the system. All records of personal information were to be destroyed at the end of the project, save those that served an administrative purpose, which would be retained for two years following the date of their last use in keeping with section 6(1) of the Privacy Act and section 4(1)(a) of the Privacy Regulations.

The immediate purpose of FOTM was to raise the technology readiness level of facial recognition to the point of being ready for live, real-time implementation in a controlled environment. Further objectives included the establishment of privacy and security protocols governing the deployment of facial recognition and the development of Canadian industry offerings in the facial recognition space through partnership with CBSA and access to the CBSA’s operational environment (i.e. the border). Longer-term strategic goals included promoting the “efficient flow of people across Canada’s borders” and addressing “evolving threats to public safety at or before the border…while respecting Canadian values including the right to privacy.” Ultimately, FOTM was couched as a building block toward future applications of facial recognition in the border continuum and “similar security scenarios (transportation facilities, shopping malls, stadiums, mass public events).” The lessons from FOTM were to inform a “roadmap” for the use of “science and technology […] for face surveillance, specifically at the border.”

According to the project’s final report, FOTM experienced several policy challenges, “including concept of operation, deployment constraints, public notification, data security, data retention/purging rules, and legality of enforcement based on face recognition and privacy issues.” These and other challenges were likely to “influence face surveillance future deployments and/or technology road maps.” Nonetheless, it recognized that the combination of advancing capabilities and relaxing public resistance to facial recognition technology “will drive the need for continual investment in both the science and the application of face recognition based surveillance.”

Prior to the demonstration period, a PIA conducted for FOTM in consultation with the OPC had brought additional issues to light. This resulted in certain changes to the project, including dropping plans to use watchlist photographs from multiple government agencies and foregoing plans to advise enforcement agencies of a previously deported person’s presence if the individual was not intercepted by the CBSA before leaving the port of entry. The consultants’ final report for the project “recognized that should facial recognition be deployed for long-term, operational use, the PIA would have to be redone and updated to identify potential ongoing risks that did not affect the short-term FOTM project.” Furthermore, CBSA recognized that, were FOTM to become a permanent program, the use of facial recognition would require an update to its Policy on the Overt Use of Audio-Video Monitoring and Recording Technology, and to the description of the related CBSA Personal Information Bank57 (PIB), PPU 1104, which did not include “biometric information.”

Indeed, public signage and notice about the cameras was limited during the demonstration period. Signage at Terminal 3 of Toronto Pearson’s International airport stated that “[t]his area is under video surveillance,” but made no mention of facial recognition. Similarly, the November 19, 2012, version of the CBSA’s Privacy Notice on Video Monitoring and Recording, referred to in the PIA for FOTM, discloses that “[c]ameras may […] monitor the movement of travelers and goods from one point of CBSA operation to another, for example, from primary to secondary,” but does not provide notice of a facial recognition capability. These lacunae in the notice provisions appear to have been acknowledged in the final report on FOTM, however, which notes that the machine learning component “may require an extension to the current [privacy and security] protocols.”

To date, FOTM or similar use of facial recognition has not been adopted as an ongoing activity. Other operational priorities, including the deployment of Primary Inspection Kiosks (PIKs) at select airports, took precedence at the time the project was completed, and CBSA has not indicated plans to revive FOTM. The technology for FOTM was removed from the airport at the end of the pilot.

The CBSA relied on its powers of examination under sections 15-18 of IRPA to authorize the FOTM project, explaining that “[t]hese sections require all persons seeking entry to Canada to submit to an examination of their persons and documents” and “allow for the presentation of photographic evidence of an applicant’s identity.” Indeed, section 15(3) of IRPA authorizes “an officer [to] … examine any person carried by [a means of transportation bringing persons to Canada],” and to examine “any record or document respecting that person.” Section 16 of IRPA further specifies that “[a] person who makes an application must answer truthfully all questions put to them for the purpose of the examination and must produce [at this examination] a visa and all relevant evidence and documents that the officer reasonably requires.” In the case of a foreign national, this evidence includes “photographic and fingerprint evidence.” The CBSA did not request legal assessment from the Department of Justice (DOJ) as to whether these authorities would support the FOTM pilot program.

The CBSA’s reliance on these general powers of examination to conduct facial recognition on travelers as they make their way to the point of processing is of concern to NSIRA. The legislative authorities relied on by the CBSA presume an overt interaction between the traveler and CBSA officials, and the knowing presentation by travelers of their individual documents, fingerprints and photographs during their examination. NSIRA is not satisfied that sections 15-18 of the IRPA provide clear authority for the collection of travellers’ facial biometrics, particularly prior to – and away from – the point of formal examination. NSIRA is of the opinion that further legal advice would be required in order to ensure that the use of facial recognition in Canadian airports (or elsewhere at the border) is well-founded in the CBSA’s legislative authorities.

Moreover, with respect to the pilot’s compliance with section 8 of the Charter, the CBSA explained that a legal opinion from the Department of Justice (DOJ) was not required because “no information [was] being collected above and beyond the CBSA’s current use of CCTV technology.” The pilot used “the existing surveillance infrastructure” and “did not introduce any additional (audio or video) at ports of entry.” As such, the CBSA was of the opinion that FOTM did not engage privacy or other concerns that would necessitate legal consultation.

As described in paragraph 39, however, project documents indicate that new cameras were installed for the demonstration period. Moreover, these arguments under-value the effects of facial recognition technology on individuals’ privacy. The important fact is not the installation or absence of new cameras, but rather their ability to conduct facial recognition. This new aspect of what is being collected arguably changes the subject-matter of the search. As the OPC has recommended, PIAs (and, in NSIRA’s view, assessments of lawful authority) should be renewed when new technologies are used, in order to ensure that the subject-matter of the search – and its privacy implications – are well-understood. Notices should also be updated to ensure that the use of facial recognition is clearly made known to the public, unless operational imperatives justify a lower degree of transparency.

The deployment of such technology, whether on a short-term or long-term basis, must be carefully studied and be fully supported by legal authority and a sound policy framework. The FOTM demonstrated genuine benefits for the execution of the CBSA’s duties at the border, specifically the identification of individuals of concern. Individuals previously deported for inadmissibility are known to attempt re-entry into Canada under assumed or false identities. The 47 “real hits” during the six-month demonstration window of FOTM attest to this fact. As noted in other contexts, of course, national security is one among many interests supported through better identity management. Further, findings of inadmissibility on security grounds (s. 34 of the IRPA) constitute a comparatively small portion of overall inadmissibility decisions. At the same time, rare events can have extreme consequences. National security cases are, by their nature, infrequent but serious.

FASTER-PrivBio Project (2015-2017)

FASTER-PrivBio was a ‘proof of concept’ project that developed a prototype mobile application that facilitated the application and approval of electronic travel authorizations (eTAs). It was led by IRCC in conjunction with CBSA and other partners (including the University of Ottawa and Ryerson University). The application captured a digital photograph (selfie), extracted the digital photograph contained in the ePassport chip, compared the two using facial recognition (one-to-one comparison), and validated the authenticity of the travel document. Upon successful enrolment, the application would then create a ‘client token’ facilitating movement through the travel continuum for low-risk travellers. The project incorporated a ‘Privacy-by-Design’ framework, with a specific emphasis on addressing the privacy concerns raised by the use of biometrics.

Two basic security benefits were envisioned: first, the facilitation of low-risk travellers would allow resources and attention to be applied elsewhere, including toward higher-risk travellers in manual processing. Second, the application would automatically check enrolled travellers against CBSA, IRCC and other applicable (e.g. International Criminal Police Organization [INTERPOL]) biographic watchlists, thereby identifying individuals of concern. This latter function, however, would largely replicate existing screening in the eTA process.

The project closed in 2017 having successfully demonstrated its intended deliverables. Its key takeaways included the viability of mobile (smartphone-based) biometric credentials (including adequate data security protections, according to project participants), compatibility with ePassports and related IRCC systems and infrastructure, and the robust identity verifications possible through such a system. The next phase of the project was to work toward live implementation, set to occur under the “Chain-of-Trust” (CoT) initiative. CoT development continues at present and is covered in Section 6, paragraphs 151-155, below.

Biometrics Expansion Project (2015-2020)

Initiated in 2015, the Biometrics Expansion Project (BEP), as its name suggests, marked another significant increase in the collection of biometrics in the immigration stream. Building on the TRBP, the BEP expanded the collection of biometrics to all persons (unless exempted) making a claim, application or request under the IRPA. The BEP incorporated the IIS initiative and extended automated immigration information sharing, including through biometric querying, to other international partners in the Migration 5 (M5) group, which comprises the immigration agencies of the United States, Australia, New Zealand, and the United Kingdom. The BEP also broadened the capacity for fingerprint verification at Canadian ports of entry (POE) through the introduction of automated Systematic Fingerprint Verification (SFV) at eight international airports (see paragraph 73) and the addition of discretionary fingerprint verification at secondary inspection at an additional 11 airports and 40 land POE.

The BEP closed in 2020 and the biometric activities it established were transferred to steady-state operations. As such, the activities described here are addressed in Section 5, paragraphs 63-94, below.

Assessing Biometrics Past

This section surveyed the development of biometric activities in the border continuum over the past several decades, highlighting key moments, programs, and pilots along the way. Taken collectively, several themes emerge.

First, the GoC’s collection and use of biometrics has steadily expanded. In the immigration context, for example, what began with deportees and asylum claimants in 1993 culminated in 2018 with all persons (unless exempted) making a claim, application or request under IRPA.

Second, the commitments and priorities established in the wake of the 9/11 attacks spurred the adoption of biometrics in the early part of the millennium, setting the foundation for the basic architecture of biometric activities in the border continuum today. In this context, the rationale for biometric adoption was national security. Identifying individuals meant possibly identifying terrorists.

Third, identifying individuals is also (and increasingly) about broader identity management. For CBSA and IRCC, biometrics contribute to overall organizational goals, not just national security objectives. As the immediacy of 9/11 receded, broader identity management became a relatively larger part of the rationale for collecting and using biometrics. This shift reflected a more balanced logic for biometric adoption, embracing their overall utility rather than emphasizing the smaller – though important – national security subset.

Fourth, as biometric activities have expanded, so too has the overlap and/or shared responsibility between organizations in their design and implementation: between government departments/agencies (e.g. IRCC and CBSA); between jurisdictions (e.g. Canada and the US, and Canada and other international partners); and between the public and private sector (as the GoC engages industry partners). Such closer cooperation may have implications for individuals’ privacy rights, for possible future uses of biometrics, and also underscores the importance of sound data security across these various institutions.

Fifth, traveller facilitation has emerged as another force behind biometric adoption, to improve efficiency at the border and to reflect evolving societal norms about the use of technology. As the FASTER-PrivBIO project suggests, the development of new biometric activities takes for granted traveller familiarity with digital devices. At the same time, individuals are likely to be more comfortable adopting relatively intrusive technologies when they do so voluntarily and consensually. This tension – between expectations of convenience and expectations of privacy – is likely to shape public dialogue over biometrics moving forward.

Sixth, and related to the above, the expansion of biometrics has coincided with a growing emphasis on privacy and privacy protections. Many of the pilots and projects described in this section explicitly addressed such concerns, including by adopting so-called “Privacy-by-Design” principles, which are intended to proactively protect personal information. This dynamic reflects the development, over time, of the wider understanding (whether on the part of government, industry, the legal community, or academia) as to the particular risks associated with the collection and use of biometrics. Some applications of biometric analysis – for example the facial recognition used in the FOTM project – carry more risks than others, and ought to be scrutinized accordingly.

5. Biometrics Present

This section focuses on the GoC’s steady-state biometric activities in the border continuum. The balance of the section examines the role of biometrics in the immigration and Passport programs, respectively. For each, we examine how biometrics serve program objectives (noting, as relevant, their collection, use, retention, and disclosure) and consider the criteria outlined in Section 3. The end of the section examines the process of “arriving into Canada”, which includes the analysis of traveller and NEXUS member biometrics by automated kiosks at Canadian airports. Throughout, we highlight the relevant national security considerations.

Immigration Program

IRCC is responsible for screening the admissibility of potential permanent and temporary residents coming to Canada. As part of this process (hereafter the “Immigration Program”), IRCC employs biometrics, in cooperation with CBSA and the RCMP. As IRCC characterized it to NSIRA, for biometrics in the Immigration Program: “IRCC collects, the RCMP stores, and the CBSA verifies.”

IRCC collects (all ten) fingerprints and a digital photograph in support of applications for temporary resident visas or status, work permits, study permits, temporary resident permits, and permanent residency, and in support of refugee and asylum claims. The collected biometrics are stored in two databases: photographs are stored in the IRCC’s Global Case Management System (GCMS) and fingerprints are stored in the RCMP’s Automated Fingerprint Identification System (AFIS). The digital photograph, while ICAO compliant, is not used for facial recognition and may not be of sufficient quality for that type of analysis. As such, we focus primarily on fingerprints in our description and analysis of activities.

Biometrics are collected and enrolled at multiple service points, both in Canada and abroad, with the vast majority (approximately 90%) occurring at Visa Application Centres (VACs). VACs are commercial service suppliers, managed by private companies, contracted by IRCC to deliver biometric enrolment overseas.

The collection phase is a sensitive juncture given the personal nature of biometric information. The primary concerns here relate to privacy and the security of biometric data. Media reports have highlighted concerns about VACs, questioning whether adequate privacy protection can be maintained given the central role of private contractors based outside of Canada. Possible links between the subcontractor administering Canada’s VAC in Beijing and Chinese security forces have also been scrutinized. Foreign governments have an interest in knowing who is applying to come to Canada – the information can be leveraged to monitor, suppress, harass, coerce, threaten or otherwise harm an individual. The possible interception or theft of biometric data is especially concerning, given its possible use in monitoring, surveillance, and identification.

IRCC has taken steps to ensure the flow of biometric information (including collection and transmission) at VACs is controlled. Contracts with VAC providers stipulate that they must abide by Canadian privacy laws. IRCC further states that oversight of VAC contractors occurs through audits and site reviews, conducted by Canadian officials, at VAC locations. All biometric information collected outside of Canada is said to be encrypted before being transmitted back to IRCC servers located in Canada (photographs in GCMS) and to the RCMP (fingerprints in the AFIS). Once successfully transmitted, IRCC states that the information is deleted from the point of collection.

Given the nature of operating in certain foreign jurisdictions, however, there remain challenges to securing the information provided by applicants at VACs. Some VACs are located in countries with national interests inimical to those of Canada – the national security consequences of security breaches at these VACs may therefore be particularly acute. While the scope of the present study precluded in-depth examination of the security arrangements at VACs, NSIRA may wish to revisit the issue at a later date.

In the border continuum, Canada leverages (or uses) the collected biometrics in three ways: for screening at enrolment (with any returned information informing decisions about an application), for verification upon arrival at a Canadian POE, and for ongoing assessment of admissibility (or immigration status) once an individual is present in Canada.

Screening at enrolment is automatic, and includes both domestic (Canadian) and foreign databases. For enrolment, IRCC or CBSA submits the collected fingerprints to the RCMP. Fingerprints and biographic information are then compared against the RCMP’s criminal and immigration fingerprint repositories (the latter includes fingerprints collected as part of previous applications). Fingerprints are also queried against the immigration databases of Canada’s M5 partners.

Information returned from domestic and foreign screening informs decisions on admissibility – including possible inadmissibility on IRPA s. 34 security grounds. Biometric immigration information sharing with the M5 partners includes sharing of derogatory alert codes. Information that indicates a potential national security concern may be referred to the Public Safety portfolio (including CSIS and CBSA) for additional security screening. While foreign screening also occurs using biographical information, biometrics confer the additional advantage of identifying matches to previous applications associated with different names and/or with discrepant biographical information.

Following the screening process, biometrics are used by the CBSA to verify the identity of enrolled foreign nationals arriving at a Canadian POE. This ensures – to a level of confidence beyond what is generally possible absent the use of biometric information – that the individual granted a visa or permit is the same individual entering Canada.

The mode of verification varies between POE. At eight international airports, Systematic Fingerprint Verification (SFV) occurs through Primary Inspection Kiosks (PIKs). PIKs are automated kiosks used to process travellers through customs and immigration at major Canadian airports (for more on the PIK see paragraphs 125-137, below). The PIK captures fingerprints and transmits biometrics to the RCMP for one-to-one matching against the traveller’s reference fingerprint in the RCMP database. Where SFV is not available, Border Services Officers (BSOs) verify identity by comparing the traveller’s enrolled photograph with the individual presenting in front of them, while fingerprint verification occurs on a discretionary basis at secondary inspection using CBSA’s LiveScan device.

Biometrics are also used to assess ongoing admissibility. That is, they serve as a means to connect individuals to information that could affect their immigration status and/or future immigration applications (for example interaction with law enforcement that might indicate inadmissibility).

The retention period for biometrics collected is partially contingent on the application’s outcome. For both temporary resident and permanent resident applications refused on the grounds of what the IRCC considers “serious inadmissibility” (sections 34-37 of the IRPA), biometrics are retained until the individual’s 100th birthday.

This extended retention period provides security benefits as biometrics can help identify an individual should they submit a subsequent application at any (realistic) point in the future, even if submitted under a different name. Extended retention also makes such identification possible for domestic and/or foreign partners with querying access to the immigration database. Should the individual receive a record suspension, criminal rehabilitation, or ministerial relief, the retention period reverts to the typical 15 years from the date of biometric enrolment. This caveat is important, as it realigns the retention of an individual’s biometrics beyond the resolution of the underlying circumstances which warranted the extended retention.

At the end of the retention period, biometric information is disposed of by IRCC according to disposition authorizations issued by Library and Archives Canada. With respect to fingerprints held by the RCMP, an automated electronic purge transaction request is transmitted by IRCC and a confirmation of the purge returned.

In 2021, IRCC discovered a privacy breach related to the retention of immigration fingerprints and photographs beyond their prescribed retention period. The information belonged to individuals who attained Canadian citizenship meaning that, according to IRCC biometric retention policy, fingerprints and photographs associated with their immigration file should have been deleted. IRCC notified the OPC in February 2021 about the issue, and notified affected clients, by email, in March 2021. A public notification was placed on the IRCC website.

The disclosure of biometric information raises privacy considerations and calls for attentive consideration of their subsequent use. Given that biometrics are personal information, the current legal framework requires that the GoC only use them for the purposes for which they were obtained (namely, determining an individual’s admissibility to enter, or remain in, Canada); for a use consistent with that purpose; or as otherwise authorized by law.

The automated querying that occurs between Canada and its M5 partners involves an anonymous biometric (fingerprint) search, with no identifying biographic information included; if a match is detected, relevant immigration information is returned; if there is no match, the receiving country sends a nil result. In either case, the receiving country is required to purge and not retain the fingerprint. The system is designed, ultimately, with the intention that no biographic and/or immigration information is exchanged unless both parties already possess the biometric in their databases – an important privacy protection measure. Further, the automated agreements specify that any information exchanged will pertain to third-party nationals only; that is, Canada will not send or receive information on Canadian citizens or, with the exception of asylum claims, permanent residents.

Less frequent case-by-case (or ad hoc) exchanges may result in the actual exchange of underlying biometric information (whether photographs or fingerprints) if the information is deemed, by the requesting party, relevant to enforcing that party’s immigration and citizenship laws. Such exchanges are subject to caveats regarding use, onward disclosure, and retention, which apply to any information disclosed (not just biometrics), but which are not legally binding on the participants. IRCC further indicated that ad hoc exchanges of biometric information may also occur with international partners beyond the M5, “with either the consent of the individual to whom the information pertains, or pursuant to section 8(2)(a) [i.e. the consistent use provision] of the Privacy Act.”

The primary sources of authority for the collection, use, and disclosure of biometric information in the Immigration Program are the IRPA and the Immigration and Refugee Protection Regulations (IRPR). Specifically, s.10.01 of the IRPA authorizes the collection of biometrics for the purposes of enrollment and verification pursuant to an application under the Act. Under s. 10.02 of IRPA, the Minister may issue regulations respecting the implementation of these processes, through the IRPR. The Regulations specify to whom the biometrics requirements apply, the type of biometrics at issue, and guide their collection, processing and verification. Section 16(1) of the IRPA requires that individuals making an application under the Act submit truthfully to examination and produce “relevant evidence and documents” while 16(2), which applies only to foreign nationals, specifies that such evidence includes “photographic and fingerprint evidence”. IRCC also cites s. 4 of the Privacy Act as authorizing their collection of biometrics, given that the information relates “directly to the administration of [IRCC’s] immigration programs.” They note further that, consistent with s. 7 of the Privacy Act, biometrics “will only be used for the purposes for which it was collected, or for a use consistent with that purpose.”

In terms of the IRCC’s disclosure of biometrics to international allies, s. 7 of the IRPA authorizes the Minister, with the approval of the Governor in Council, to enter into an agreement(s) with the government of a foreign state(s), for the purposes of the IRPA. Multiple such agreements are part of the IRPR, which cover Canada’s information sharing activities with each M5 partner including: the ‘Agreement between the Government of Canada and the Government of the United States of America for the Sharing of Visa and Immigration Information’; the ‘Annex Regarding the Sharing of Information on Asylum and Refugee Status Claims to the Statement of Mutual Understanding’; and the bilateral automated exchange arrangements with the Governments of Australia, New Zealand and the United Kingdom. These agreements provide for the disclosure of biographic and biometric data between the parties to the extent “necessary, relevant and proportionate to achieve [the administration and enforcement of the parties’ citizenship and immigration laws].” Provisions in each agreement also govern the destruction of the information, the correction of previously disclosed information, and grant the Minister a discretion to refuse to disclose information detrimental to Canada’s national interests.

Such disclosures would also be consistent with s. 8(2)(f) of the Privacy Act, which allows for the disclosure of personal information under an agreement or arrangement between the Government of Canada and a foreign state, for the purpose of administering or enforcing its laws. Ad hoc exchanges with partners beyond the M5 are conducted pursuant to the consistent use provisions of s. 8(2)(a) of the Privacy Act.

Canadian law enforcement may also access fingerprints collected by IRCC during the immigration application process for law enforcement purposes. Section 13.11 of the IRPR allows the RCMP to use – or disclose to other law enforcement agencies in Canada – any biometric information and specified, related personal information for the purpose of establishing or verifying a person’s identity in order to prevent, investigate or prosecute an offence. This information may also be used to establish or verify the identity of a person whose identity cannot reasonably be otherwise established or verified because of a physical or mental condition or because of their death. In other words, when law enforcement agencies submit fingerprints collected in the course of its duties to the RCMP — or the RCMP itself verifies a fingerprint — both criminal and immigration repositories, containing the fingerprints of foreign nationals and permanent residents, are included in the search. Section 13.11(2) of the IRPR allows the following personal information to be used or disclosed: the individual’s fingerprints and the date on which they were taken; their surname and first name; their other names and aliases, if any, their date of birth, their gender, and any file number associated with the biometric information or related personal information.

Assessing the Immigration Program

Biometrics facilitate identity management in the Immigration Program. First, the enrolment of biometrics ties an application to an individual. Second, biometric querying screens applicants against domestic and foreign databases, with the information returned as part of these queries informing decision-making regarding their admissibility into Canada. Third, biometrics are verified upon arrival at a Canadian POE to ensure that the individual presenting is the one to whom a visa or permit has been granted. Finally, biometrics are retained for a specified period (varying between application streams) so as to both assess continuing admissibility (status) under the IRPA and allow foreign nationals to submit subsequent applications without having to re-enrol their biometrics.

National security benefits are a consequence of robust identity management. National security is a component of, rather than the sole impetus behind, the use of biometrics. Enrolling biometrics at the application stage serves as a potential deterrent to individuals who might otherwise apply for mala fide purposes. Biometric screening of domestic and foreign databases helps identify individuals who are inadmissible (including, potentially, for reasons of national security). Verifying biometrics upon arrival ensures that the individual authorized to enter and not an individual posing as that person is the individual who does enter. The retention of biometrics which includes the retention of biometrics tied to applications denied for reasons of national security allows for the ongoing assessment of admissibility under the IRPA (including s. 34) and facilitates the reciprocal querying of foreign databases. Without biometrics, such exchanges would rely on biographical information, which is more susceptible to fraud and/or error.

Unique to each individual and easily captured by digital technology, fingerprints are generally regarded as accurate and reliable means of identification. However, both CBSA and IRCC noted potential concerns in relation to Gender Based Analysis Plus (GBA+), which is an analytical process designed to assess how diverse groups of people may experience policies, programs and initiatives. Specifically, some groups have more difficulty than others having their fingerprints captured, including individuals working in certain trades (which may indicate lower socio-economic status) and women (due to a biological difference in finger ridges). Mitigation strategies at the collection stage included training for operators, and operational guidelines as well as a regulatory provision (R12.8 of the IRPR) that allow the application process to continue if fingerprint capture is not possible.

Similarly, research has shown that fingerprint-matching algorithms – such as those used during SFV – may be less accurate for certain ethnic, gender, age, and socio-economic groups. Examples include individuals of East Asian origin, women, those working in certain trades, and older individuals. These groups may be subject to higher error rates when their fingerprints are verified (e.g. compared to an existing fingerprint holding). Mitigation strategies identified by CBSA included hardware and software adjustments that would improve the ability of PIKs (the kiosks used for SFV) to capture and analyze fingerprints.

In terms of transparency, there is significant material available to the public regarding biometrics and the immigration application process. Much of this content is practical in nature, intended to guide prospective applicants in the provision of their biometric information. IRCC also explains the program benefits of using biometrics, including that they help facilitate entry into Canada, ensure that the person seeking entry is the same as the one who was granted a visa, permit, or permanent residence, and to help prevent the use of stolen, borrowed, or altered visas and/or permits to enter Canada. While national security justifications are provided, the emphasis is on service delivery and the broader imperatives of identity management.

Overall, fingerprints appear to be a reasonable, appropriate choice of biometric to use in the immigration system. They can be collected relatively easily, with little intrusion, and while they are reliable identifiers, they offer comparatively little extrinsic evidence about individuals’ lifestyles or personal choices. Moreover, they offer a vital inter-operability across domestic immigration and law enforcement systems, as well as with those of nearly all foreign jurisdictions. The privacy costs of relying on biometrics for immigration screening therefore appear to be reasonable and proportionate to the benefits they convey to the state and the integrity of its immigration system.

Once collected, the use of biometrics for screening and verification are proportionate to the objective of identity management. From a national security perspective, decisions about admissibility – who may and who may not enter the country – are fundamental. So, too, is the desire to prevent fraudulent entry. At the screening stage, biometrics are particularly helpful in linking information across databases – e.g. in connecting information about an individual held in domestic or foreign repositories. The ability to make such linkages even in the face of multiple names or biographical profiles – perhaps cultivated for mala fide purposes – is largely unique to biometrics as a class of information. Likewise, verification – confirming that an individual is who they say they are when presenting at the border – is significantly enhanced through biometric analysis.

The activities are not without risks, however. The availability of immigration biometrics to Canadian law enforcement, for example, has the potential to stigmatize the immigrant population by associating them with criminality. In 2015, the European Union’s EURODAC (European Asylum Dactyloscopy Database) was heavily criticized by civil rights groups for “criminalizing” asylum seekers by making their fingerprints available to European law enforcement agencies. While held in different repositories, immigration and criminal fingerprints exist within the same RCMP system, and both are searchable by law enforcement, including when attempting to identify latent fingerprints taken from crime scenes.

There are benefits to making immigration fingerprints available to law enforcement, most immediately in assisting police with the enforcement of Canadian criminal law and, consequently, in returning information to IRCC and CBSA which may be relevant for enforcing the IRPA. At the same time, if the fingerprints of all Canadian citizens were in the possession of the government and searchable by Canadian law enforcement, that too would benefit the enforcement of Canadian law, though few – if any – would consider such an arrangement proportionate or desirable. It is therefore legitimate to question whether the availability of immigration fingerprints – collected in the course of applying to come to Canada – to law enforcement is proportional in all circumstances, or whether it should be limited to certain serious offences.

Passport Program

The Passport Program, led by IRCC, is responsible for “issuing, refusing to issue, revoking, withholding, cancelling, recovering and providing instructions on the use of Canadian passports and other travel documents.” The program’s ultimate purpose is to enable the travel of eligible Canadian citizens, permanent residents, and refugees. Preventing individuals who are ineligible or not entitled to a passport from obtaining and travelling under official documents is the obverse of this goal. A subset of applicants will be ineligible for reasons related to national security. Established pursuant to the royal prerogative on passports, the Canadian Passport Order (CPO) constitutes the main legal framework for the issuance of regular and temporary passports by the Passport Program. It provides the authority for IRCC to collect and use personal information, including biometrics, for the processing of applications and determining an individual’s entitlement to a passport. IRCC maintains that this collection is consistent with s. 4 of the Privacy Act, given that collection relates directly to the administration of a lawfully authorized program.

Specifically with respect to biometrics, s. 8.1(1) of the CPO allows IRCC to convert an applicant’s photograph into a digital format and insert it on the electronic chip in the ePassport. Section 8.1(2) facilitates the use of the FRS by authorizing the conversion of the photograph into a biometric template “for the purpose of verifying the applicant’s identity, including nationality, and entitlement to obtain or remain in possession of a passport.” This provision similarly authorizes the use of the System Lookout-Facial Recognition System (SL-FRS) described below.

As with the Immigration Program, the full range of benefits associated with biometrics extend beyond national security outcomes. According to IRCC, the “use of biometrics in the Passport Program does not per se constitute a security and intelligence activity.” Rather, as in the immigration context, biometrics serve identity management, with potential national security benefits downstream of that broader ambit.

Two identical, printed facial photographs, meeting certain International Civil Aviation Organization (ICAO) standards, must be submitted as part of applications for all Canadian travel documents. According to IRCC, all application information is transmitted via secure systems, and all facial recognition data traffic is secured through encryption.

The collected photograph is used for two purposes. First, it is screened using facial recognition to help establish identity and inform an assessment of the applicant’s eligibility and entitlement to Canadian travel document services. Second, it is embedded in the document and used by border officials to validate the identity of the holder when crossing an international border.

The applicant’s digitized photograph is transferred to the Facial Recognition Solution (FRS) application. The FRS then converts the image into a biometric template using a proprietary algorithm and stores it in an accompanying database. If the application is linked to a previous application, such as renewals or the replacement of lost or stolen passports, one-to-one facial verification is performed against the applicants’ previous template(s). For both renewals and new applications, one-to-many facial identification is performed against existing templates (approximately 55 million, from previous applications) in the FRS database from adult (age 16+) applicants and photographs supplied as part of the Passport System Lookout (SL). The SL-FRS , as it is called, is effectively a watchlist comprised of individuals who are considered high-risk for identity fraud, including those known to have a history of using false identities or multiple aliases, or who have otherwise been identified by security partners – including CSIS and the RCMP – as high-risk for such behaviour. The precise criteria or circumstances for inclusion on the list are not clear, and appear to be highly discretionary. IRCC caveats, however, that “only a small number of IRCC Passport Program officers have the ability to add entries to the list.” The list has been in operation since February 2018, and currently includes fewer than 100 individuals.

According to IRCC, the use of the FRS protects the integrity of the Canadian passport. IRCC cites 2016 ICAO guidelines on security in the issuance of travel documents noting that the issuance phase – or the “beginning of the chain” – is becoming the primary target for fraud given “the rapid development of new technologies and new security techniques” which make forgery increasingly difficult, including, for example, the security features associated with the ePassport.

The authority to refuse passport applications for national security reasons lies with the Minister of Public Safety, as per the CPO. Biometric screening through FRS may inform that decision-making process by detecting identity fraud or flagging individuals from the SL-FRS. No such decisions are automatic; individuals on the SL-FRS may still be entitled to a passport or travel document following review.

Preventing fraud (whether through deterrence or detection) in the issuance of official travel documents offers clear national security benefits. The movement of mala fide actors across borders threatens both international and Canadian security. While identity fraud is committed for a host of reasons – including criminal, financial, or personal – the possibility that terrorism, espionage, or other national-security threats may involve the misuse of passports is well documented. Again, rare events can have significant consequences.

The second fundamental usage of the collected biometric is by way of the ePassport itself during the course of international travel. When the passport is issued, the facial photograph is both printed on the biographical page and embedded as a digital image on an electronic chip within the document.

The embedded digital photograph enables three-way verification between the image on the passport, the image on the chip, and the person presenting the passport. Certain countries – including Canada (see the discussion of the PIK in paragraphs 125-137, below) – leverage facial recognition technology for this purpose. The result is greater confidence in a) the integrity and authenticity of the document, and b) that the individual presenting the document is the individual to whom it was issued. The chip is digitally signed using Public Key Infrastructure (PKI) techniques allowing for the verification of the document against the issuing country and to ensure that the data contained within has not been modified.

Photographs submitted as part of passport applications, as well as the biometric templates derived therefrom, are retained until an applicant has reached 100 years of age. IRCC assesses that this retention period is consistent with the practices of international partners (e.g., the United Kingdom and Australia), and balances, in their estimation, the need to issue secure, trusted travel documents with the requirements of the Privacy Act to retain personal information only for as long as necessary. Hard paper copies of the passport applications, including photographs, are retained for six weeks following conversion to digital format, and subsequently shredded.

The length of the retention period facilitates identity management as individuals renew their passports over the course of their lifetime. Each returning adult applicant (e.g. renewal, replacement, etc.) can be verified through the FRS against previous applications from the same individual. Similarly, one-to-many FRS screening includes templates from most adult applicants, maximizing the scope of detecting possible identity fraud.

IRCC discloses photographs and related biographic information collected by the Passport Program to other government departments (OGDs). Unlike in the Immigration Program, these disclosures are not systematic. Rather, they come in response to ad hoc requests from OGDs with criminal, national security, and intelligence mandates. The OGDs make the requests pursuant to their own legislation, and their scope is circumscribed by s. 4 of the Privacy Act. According to IRCC, the context of many of these requests is often the need for information regarding Canadians travelling abroad to engage in foreign conflicts or unlawful acts.

Such requests can involve confirmation or validation of biometric information provided by the OGD against passport records, or identifying individuals of security concern by processing a photograph provided by the OGD through the FRS. For example, the RCMP may identify a person of national security concern, but have only a photograph of the person (e.g. from their social media presence); CSIS may provide IRCC with a photograph of an individual they are investigating but cannot identify. Alternatively, the RCMP and CSIS may share photographs of known individuals with the IRCC. The purpose of these checks is to ensure the person has not obtained a passport under another identity. The IRCC states that, for the RCMP, the scenarios described herein may require the RCMP to obtain a Production Order, depending on the particular circumstances of the request.

In both cases, the IRCC converts the photograph provided by CSIS/RCMP into a biometric template and runs it through FRS. In the first instance, in the event of a possible match, the IRCC would return limited biographic and/or biometric information to the RCMP or CSIS to assist in confirming the person’s identity. In the second instance, the IRCC may validate the person’s previously known identity and confirm whether the person’s photograph is associated to any other identities logged by the Passport Program. The scope of information disclosed by the IRCC, in both cases, depends on the nature of the investigation and its authorities to disclose.

The IRCC discloses this information pursuant to s. 5 of the Security of Canada Information Disclosure Act (SCIDA), if applicable, or may rely on s. 8(2)(e) of the Privacy Act in the case of specific requests. Section 5 of SCIDA allows the IRCC to disclose information to the RCMP, CSIS and other specified institutions where it is satisfied that the disclosure will contribute to the exercise of the recipient institution’s jurisdiction in respect of activities that undermine the security of Canada. To disclose under SCIDA, the IRCC must also be satisfied that the disclosure will not affect a person’s privacy interest more than is reasonably necessary in the circumstances. In contemplating such disclosures, the IRCC affirms that it first obtains sufficient details to ensure these conditions are met. In other instances, such as when the disclosure is to assist a law enforcement investigation, the IRCC may rely on s. 8(2)(e) of the Privacy Act to provide specific investigative bodies with information they have requested in writing, for the purpose of enforcing Canadian law or carrying out a lawful investigation. Where a production order or warrant supports the OGD requests, section 8(2)(c) of the Privacy Act authorizes the disclosure of information for the purpose of complying with the warrant.

In addition to these disclosures to assist national security or law enforcement investigations, the IRCC may disclose information to the Department of Public Safety, where necessary to assist the Minister of Public Safety in rendering a decision under the CPO. Sections 10.1 and 11.1(2) of the CPO authorize the Minister of Public Safety to decide that a passport should not be issued, or that a current passport should be revoked or cancelled, when such action is necessary to prevent the commission of a terrorist act or protect the national security of Canada or a foreign state. By virtue of this authority, the IRCC may collect information on an ongoing basis to verify an individual’s continued entitlement to possess the document. The IRCC also relies on the CPO to disclose, to the Minister of Public Safety, information necessary to support his decision on such matters. In practical terms, this includes IRCC’s disclosure of the relevant passport application, including the digitized photo, to Public Safety. Section 5 of SCIDA and section 8(2)(a) of the Privacy Act (on consistent use) further support these disclosures.

Assessing the Passport Program

A significant source of public concern regarding the use of facial recognition is the possibility that the technology will be inaccurate. In the passport context, false positive identification could lead to inconvenience and/or additional investigative attention for individuals. False negatives, by contrast, worry operators, as they potentially undermine the security benefits of the system.

The FRS has certain natural advantages with respect to accuracy. First, it predominately uses high-quality probe images (templates extracted from passport photographs taken according to ICAO specifications) and searches them against the same (a gallery populated by templates extracted from passport photographs). Exceptions are the images on the SL-FRS and images supplied by OGDs for checking against FRS, which may be of lesser quality. Second, the matching process is not time sensitive (as would be the case in a live environment such as a POE). Adjudication – triage, analysis, and investigation – of possible matches (one-to-many) or non-matches (one-to-one) can be conducted thoroughly before any decisions are made which affect individuals.

A related concern is that certain groups will be disproportionately affected by system inaccuracies. Extant research has demonstrated that age, gender, and ethnicity, among other factors, may influence the ability of a facial recognition system to accurately identify individuals, leading to possible bias and discrimination.

IRCC employs several mitigation measures. First, enrolled templates are stored in one of six separate galleries according to age (adults 16+ and children under the age of 16) and self-identified gender (male, female, or other). Age and gender are known to be confounding factors in facial recognition; separating the database into galleries according to these characteristics allows thresholds to be adjusted as necessary to improve the performance of the system.

In January 2021, IRCC completed an evaluation of a next generation algorithm for possible use in FRS. The results were favourable in terms of the accuracy observed in testing, and implementation of the new algorithm is set for 2021-22. Specifically, the new algorithm demonstrated superior performance in terms of age and gender disparity as compared to the algorithm currently in use. The new algorithm demonstrated improvement in matching photographs taken at lengthy time intervals (e.g. 15 years), which is directly relevant to passport renewals. The testing did not evaluate, however, the algorithm’s performance with respect to race and ethnicity.

IRCC provides public information regarding the use of facial recognition in the passport application process. The photograph guidelines posted on the IRCC website state that “The [ICAO] recommends that passport photos be taken with a neutral expression. This lets us use facial recognition systems to help prevent fraud.” Similarly, a Privacy Notice Statement is included on passport application forms, describing the collection, use, disclosure and retention of personal information, including biometrics.

The biometric embedded on the electronic chip in the ePassport does not constitute a significant risk or expansion beyond what was included in analog passports prior to the ePassport’s implementation. What is on the chip – the facial image and biographical information – is also on page 2 (the biographical page) of the physical document itself.

By contrast, the issuance process – including the use of FRS – directly implicates both biometric information and national security considerations. Preventing mala fide actors – including those posing a threat to national or international security – from obtaining bona fide travel documents warrants stringent processes and security measures during the issuance phase. At the same time, information collected and used in the context of the issuance process will impact all individuals – millions of Canadians and individuals living in Canada – who apply for a passport or other official travel document.

The key consideration is whether the privacy impact of the FRS is commensurate with the benefit to national security associated with its collection, use, retention, and disclosure of biometric information.

The OPC’s recent investigation into the RCMP’s use of facial recognition services supplied by the private firm Clearview-AI is worth considering in this context. In that case, the OPC found that the RCMP’s leveraging of biometric information collected by Clearview-AI from social media and other internet sources violated the Privacy Act because Clearview-AI’s collection of that information had been unlawful. More relevant for the present discussion, however, is the OPC’s characterization of the practical effect of law enforcement’s use of Clearview AI, which meant that “billions of people essentially found themselves in a ‘24/7’ police line-up.” That is, the existence of their biometric information in a database available to law enforcement meant they were subject to identification by law enforcement at any time.

In national security investigations, there may be different policy justifications, security benefits, and disclosure limitations that render use of the IRCC’s passport database proportionate. The disclosure of this information by the IRCC to the RCMP is also supported by law (see paragraph 111). The connection between passport biometrics and the investigations and activities of the RCMP, CSIS and CBSA remains a striking example, however, of the connections made possible by biometrics. Moving forward, NSIRA may wish to review these arrangements, to assess their reasonableness and necessity in terms of balancing individual interests (privacy, liberty, etc.) and the state’s security goals.

Arriving into Canada

The Passport and Immigration programs are the major programs governing Canada’s border continuum. Together, they help manage the processes by which individuals enter the country, largely by providing the documentation that makes international travel possible. Related to these larger programs is the actual process of arriving at a POE and going through Canadian customs and immigration. While the above discussions of both Immigration and Passport touched on these processes, this section discusses two additional activities that involve the analysis of biometric information to verify the identity of individuals arriving into Canada.

Primary Inspection Kiosks (PIKs)

Primary Inspection Kiosks (PIKs) are automated, self-serve kiosks present at ten major Canadian airports. The kiosks facilitate the immigration and customs process for international arrivals into Canada.

As discussed in relation to the Immigration Program, biometrically-enrolled foreign nationals are subject to biometric verification upon arrival into Canada. At airports equipped with Systematic Fingerprint Verification (SFV), this occurs through PIKs. Additionally, PIKs validate ePassports and help verify the identity of ePassport holders (including Canadians) using facial recognition (one-to-one matching) technology.

In 2019, PIKs processed 21,853,422 individuals, an average of 59,872 travellers per day. This means that most individuals – whether Canadian or foreign – arriving in Canada by air have their biometrics analyzed in some way (either as biometrically-enrolled foreign nationals, ePassport holders, or both). CBSA derives its authority to collect information from individuals as they arrive in Canada from s. 11 of the Customs Act and ss. 15 and 18(1) of the IRPA.

The PIK facilitates risk assessment by sending passport and biographical information to CBSA for processing in real time. CBSA uses the information to check the traveller against existing traveller processing systems. This includes the Interdiction and Border Alert System and the Integrated Customs Enforcement System.

According to CBSA, all information passes between the PIK and CBSA through an encrypted tunnel and is purged prior to the next traveller using the device.

The use of the facial photograph embedded on the ePassport’s electronic chip is for identity verification at the kiosk and during primary inspection. Facial recognition – or facial “matching” as it is called by CBSA in this context – occurs on a one-to-one basis by extracting the digital photograph from the chip and comparing it to a live photograph of the traveller captured by the kiosk. A match score is generated, based on the vendor’s proprietary algorithm, and the score is sent to the CBSA to determine whether it is above or below a pre-determined threshold. The result is printed on the PIK receipt. The CBSA itself defines the match/no-match threshold; it is not determined by, nor shared with, either the vendor or Airport Authorities.

The PIK receipt also includes the facial photograph taken by the kiosk. The traveller presents the receipt to a Border Services Officer (BSO); in the event of a no-match, the BSO may correct obvious non-technical errors (for example, one individual was photographed twice as part of a group of two travellers) through visual verification, ask additional questions, and/or refer the individual to secondary inspection on a discretionary basis.

The inclusion of the photograph on the receipt was a significant issue in the 2012 PIA conducted for the PIK project. CBSA justified the practice on the basis of efficiency (quicker processing by the BSO collecting receipts) and security (preventing receipt swapping prior to egress at primary inspection). The PIK receipt – including the printed photograph – is retained by CBSA for seven years. The OPC expressed concerns regarding this retention period given the presence of the traveller’s photograph. In essence, the retention of these photographs constitutes a database of (nearly) all travellers who enter Canada. While CBSA asserted that the photographs are not searchable nor used for facial recognition purposes, OPC noted the sensitivity of retaining biometric information in centralized databases and has urged CBSA to consider mitigation strategies.

The CBSA details the necessary specifications and requirements for PIKs, but relies on Airport Authorities to procure both the hardware and software (including the algorithm used for facial matching). This means that different versions exist at different airports across Canada. The accuracy of the facial matching process consequently varies between locations. The algorithms are proprietary, meaning CBSA does not have visibility into precisely how they operate, though it does have access to data on accuracy and performance through the US Department of Commerce’s National Institute of Standards and Technology (NIST) as well as from in-house performance testing.

In 2020, CBSA evaluated the performance of the four face-matching algorithms integrated in the three kiosk designs currently in use, and determined that opportunities existed to improve performance in certain airports by adjusting facial matching thresholds. The testing similarly examined issues of possible demographic bias. The results suggested that small discrepancies along the lines of gender (lower matching rates for females) and age (lower matching rates for younger and older) did exist in airports using a particular algorithm. Recommendations for mitigation included shifting vendors and/or setting gender-specific match thresholds, though the latter option was considered potentially problematic in terms of inviting higher false positive match rates.

Public reporting has expressed concern that higher facial matching error rates for certain ethnicities might result in more frequent referrals from PIKs to secondary inspection. It has been observed, for example, that rates of referral are higher for nationals from Iran and Jamaica, as compared to countries such as Iceland and Denmark. The CBSA indicated to NSIRA that no referrals to secondary inspection occur as a result of the facial matching process (i.e. there are no referral codes associated with facial matching leading from the PIK to secondary inspection). In practice, however, a failed match will lead to greater scrutiny as a BSO at primary inspection assesses the reason for the failed match. It is possible that discretionary referrals to secondary occur as a result; the CBSA does not track statistics associated with this scenario.

CBSA is aware of concern regarding possible bias associated with higher facial match error rates for certain ethnicities, and points to improvements in the overall accuracy of algorithms that will help close any gaps in performance across demographic categories. Further, CBSA notes that its “work in this area is nascent and is not yet conclusive with significant work still to be conducted.” Given the significance of the public interest and concern associated with possible bias, NSIRA encourages CBSA to continue its work in this area. In addition to technical solutions aimed at further closing identified gaps, an examination of the implications of facial matching errors on travellers might suggest policy solutions to mitigate any possible disparate impacts.

The PIK will continue to play an integral role in future applications of biometric technology at Canada’s international airports. As noted in the CBSA’s 2021-22 Departmental Plan, the agency is set to integrate the PIK into new applications of mobile technology with the aim of further streamlining the customs and immigrations arrival process.

NEXUS

NEXUS is a voluntary trusted traveller program intended to expedite border crossing between the US and Canada for preapproved, low-risk travelers (“NEXUS”). Section 11.1(1) of the Customs Act authorizes the Minister to administer such programs, by allowing him to authorize persons to present themselves at the border “in an alternative manner.” The program is jointly managed by CBSA and US Customs and Border Protection (CBP). As mentioned in Section 4, although NEXUS began as a pilot initiative prior to 9/11, it was expanded and implemented following the attacks with an eye toward robust identity verification and traveller facilitation in the context of enhanced border security.

In 2019, NEXUS underwent a “modernization” process, which saw the adoption of the PIK facialmatching model into NEXUS-dedicated kiosks for air arrivals, replacing iris scans with facial matching as the biometric modality for identity verification. In order to facilitate facial matching, CBSA collects the biometric from electronic passports, stores it in the NEXUS database, and uses the photograph to verify identity during travel. The process is similar to how the PIK operates in other traveller streams and produces roughly similar outcomes. The main difference here is that the photograph taken at the kiosk is matched against the traveller’s image in the NEXUS database. NEXUS’ purpose in using the passport photograph is the same as in the regular PIK process: to verify the individual’s identity prior to allowing them admission into Canada. NEXUS’ use of the passport photograph was preferred because the image provides better facial recognition matching (given that it was taken according to ICAO specifications) as compared to the membership photograph (taken by border services officers under varying conditions – light, background, distance, etc.). NEXUS participants are informed of the extraction of their passport photograph for facial matching purposes.

NEXUS’ voluntary nature, and the consistent purpose of using the passport photograph within NEXUS to facilitate identity verification and travel, renders this second use of the ePassport photograph reasonable in NSIRA’s view. The consistency of purpose between the programs also respects the norms and the requirements of sections 7 and 8 of the Privacy Act.

The use of the passport photograph for facial matching within NEXUS is nevertheless noteworthy as an example of when it has been beneficial to use an existing biometric in an additional program. The dual-use of biometrics in this case is relatively benign, but the dynamic which produced it – that is, the convenience, availability, and possible value-added (accuracy in identification) of existing biometric information – is likely to be common to scenarios which may be of more concern, as discussed below (see paragraphs 191-201, below).

6. Biometrics Future

We expect the landscape detailed in the preceding sections of this report to change significantly in the short-, medium-, and long-term. In this section, we highlight select projects and initiatives to illustrate how biometrics in the border continuum are likely to evolve, and to mark key points of consideration for Canadians – and NSIRA – as we move into this unfolding technological future.

The GoC has publicly committed to continued research, development, and deployment of biometric technologies in the border continuum. For instance, Budget 2021 allocates $656.1 million over five years (beginning in 2021-22) and $123.8 ongoing to the CBSA for the “modernization” of Canadian borders. CBSA “proposes to utilize new technologies, such as facial recognition and fingerprint verification” as part of such efforts.

The agency has announced the creation of an Office of Biometrics and Identity Management (OBIM) under a newly formed Biometrics Transformation Directorate (BTD) within the Chief Transformation Officer Branch (CTOB). CBSA indicated to NSIRA that the purpose of the BTD is to coordinate biometric initiatives (including design, implementation, and operation) across the agency. In addition to its coordination role, OBIM will act as a Centre of Expertise and focal point within CBSA for guidance on the appropriate use of biometrics. This will include developing and managing CBSA’s biometrics governance, risk and compliance framework. A June 2021 Notice of Proposed Procurement (NPP) solicited proposals from contractors for aid in establishing the OBIM and “to work with the [CBSA] in researching, planning for and rapidly developing a strategy and roadmap related to the use of Digital [sic] solutions enabled by supporting technologies in biometrics, in response to the COVID 19 situation and other operational priorities.” The proposal further specified that the successful contractor would aid in “the development of a comprehensive approach and plan to manage, evolve and adapt in using biometrics” to fulfill CBSA’s mandate and objectives. As part of this coordinating function, the OBIM will review current steady-state biometric activities and make recommendations where necessary for aligning them with overarching CBSA standards and objectives.

With respect to immigration, CBSA’s Departmental Plan 2021-22 commits to “explor[ing] measures to standardize the collection of biometric information on potentially inadmissible travellers to strengthen compliance verification at the border.” In July 2021, IRCC released a tender notice soliciting industry information regarding the procurement of a next generation Canadian Immigration Biometric Identification System (CIBIDS). The new system will “take advantage of the latest technologies […] to modernize [IRCC’s] biometric technology solution” and may include the “design and development of a new IRCC custom Biometric Collection Solution.”

“Next generation” development is occurring in the Passport Program as well, with “a new passport booklet, incorporating advancements in technology to enhance the document’s durability and security features” aimed, in part, at “alignment with documents issued by our Five Nations Passport Group partners.” Phased rollout of the new ePassport will occur between 2023 and 2024.

Passport issuance, similarly, is undergoing “modernization”, as part of an ongoing process initiated in 2013 to facilitate the transition of the Passport Program from the Department of Foreign Affairs, Trade and Development to CIC (now IRCC). The Passport Program Modernization Initiative (PPMI) is a multi-year project that is scheduled to be completed in 2023. PPMI intends to streamline “all aspects of Passport Program operations” and “keep pace with evolving international passport issuance and identity management best practices.” The initiative also aims to systematize passport services across intake locations, and lay “the foundation for online passport services and automation to improve the service experience.”

In June 2020, IRCC issued an NPP for a “Passport Digital Services Project” that “will allow Canadians to apply online for passports, using a computer, tablet or mobile device, as a convenient alternative to mail-in or in-person service options.” The procured platform will transmit passport applications – including digital photographs – from individuals to IRCC. Media reporting in early 2021 indicated that IBM was selected as the successful bidder. The proposed system has generated privacy concerns, particularly with respect to transmitting biometric information (digital photographs) over a private platform. We can expect the tension illustrated here, between convenience and privacy, to be a key theme in public conversations surrounding new biometric activities in the coming years.

In this vein, CBSA’s Department Plan 2021-22 highlights several experimentation and innovation initiatives involving mobile technology (e.g. smartphones), including “explor[ing] digital identity concepts and opportunities to pilot digital identity in the travel continuum from a border management perspective.” Digital Identity refers to paper-less identification, whereby trusted and secure digital proof of one’s identity replaces traditional, physical documentation (e.g. passports, driver’s licenses, etc.).

A Digital Identity is typically linked to an individual through biometrics. ICAO’s first iteration (Type 1) Digital Travel Credential (DTC), for example, “binds” a traveller to their Digital Identity by way of the biometric embedded in the ePassport, limiting the need to produce the physical document during travel. The DTC is an international project that, while coordinated by ICAO, includes input from jurisdictions around the world and encompasses several future iterations (Types 2 and 3). IRCC and CBSA are currently members of ICAO’s New Technology Working Group (NTWG) and the NTWG’s Digital Travel Credentials (DTC) sub-group. Ultimately, the long-term vision of the DTC project is to replace physical passports with Digital Identity “tokens” (which would include the facial photograph from the ePassport) stored on mobile devices.

As discussed in Section 4, IRCC and CBSA’s FASTER-PrivBIO Project (2015-2017) also explored the use of identity “tokens,” stored in a mobile application, in the context of Electronic Travel Authorizations (ETAs). FASTER-PrivBIO closed in 2017, and “Phase II” of the project became the Chain-of-Trust (CoT) initiative, led by CBSA in collaboration with IRCC, Defence Research and Development Canada (DRDC), the University of Ottawa, and industry partners.

CoT further explored the adoption of mobile technology in the eTA process, while also expanding to include other steps in the travel continuum. As described in CBSA’s Blueprint 2020 Report (published in December 2018):

[t]he Chain of Trust process would require travellers to download an app to their smartphone and create an account including a unique identifier built from their biometrics. At every stage of the trip – from flight reservation, to obtaining a boarding pass, to disembarking the plane – the traveller’s data would be collected and used to speed up the traveller’s passage. Just before landing, the traveller would create an e-declaration and digitally sign it using biometric facial verification. Upon arrival, cameras would match the biometric face to the traveller’s unique identifier.

The purpose of the process, ultimately, is to enhance risk assessment. Linking traveller information to traveller identity throughout the travel continuum (including by using facial recognition as an individual moves through the airport) facilitates the flow of low-risk travellers (including by minimizing touch-points with border control, a feature that will take on additional significance in the context of post-COVID 19 travel), while enhancing the detection of possible high-risk travellers.

In 2018, a simulated prototype demonstrated the basic features and process flow of the CoT to Canadian government officials. While the prototype project closed in 2019, the overarching CoT initiative continues, as per CBSA’s 2021-22 Departmental Plans, through the deployment of “small-scale minimum viable products to assess feasibility in a live environment and obtain user experience feedback.” The stated goal of CoT remains the streamlining of “traveller identification through the use of digital travel credentials and biometrics.” Notably, CoT is explicitly aligned with other international initiatives and projects, including ICAO’s DTC, reflecting the extent to which coordination exists in the broader ecosystem of biometric experimentation.

To be clear, the features of CoT described above do not reflect current practice at the border, nor do they represent commitments from CBSA (or any other GoC entity) regarding what the traveller experience will look like in the future. By the time the CoT, some version of it, or a new project operating in similar terrain, is implemented, the specifics of how biometrics verify identity or travellers move through the airport may have significantly changed. Nonetheless, the trend lines are apparent, as Digital Identity, mobile technology, and biometric verification converge on the traveller experience.

An additional example is the Known Traveller Digital Identity (KTDI) pilot project, led by Transport Canada (TC) in collaboration with the World Economic Forum (WEF), the government of the Netherlands, and commercial partners. In 2018, Canada announced its participation in the WEF’s broader KTDI vision and, in 2019, committed to a proof of concept pilot project which would operate between Canadian (Toronto-Pearson and Montreal-Trudeau) and Dutch (Amsterdam-Schiphol) airports on Air Canada and KLM Royal Dutch Airlines flights.237 This project may access required funding under Budget 2021, which proposes $105.3 million over five years to develop an approach to digital identity for air travellers.

KTDI will combine blockchain technology and facial recognition to “provide a seamless and secure air travel experience facilitated via a mobile application.” Travellers will have their facial photograph captured for one-to-one matching against their ePassport photograph at different touch points in the travel continuum (e.g. boarding and customs). They will be able to “push” their information (including their facial biometric) to relevant partners (e.g. airlines or Dutch or Canadian customs) at their own discretion, or revert to conventional identity verification (e.g. ePassport) at any time. While TC will interface with CBSA to conduct checks on ePassports at enrolment (to verify authenticity and ensure that the document is not lost or stolen) no passenger risk assessments will be conducted.

At the time of writing, the pilot is not yet live. The COVID-19 pandemic has impacted both the project’s timelines and its operational context. Originally, part of the rationale for KTDI was to accommodate increasing traveller volumes; although the pandemic has led to a decrease in travel volumes, it has also amplified the need for low-contact, ‘touchless’ travel. Indeed, the budget commitment noted in paragraph 156 was linked to the GoC’s investment in “safe air travel […] that limits transmission of COVID-19 and protects travellers.” For present purposes, the KTDI is important for what it suggests about the general trajectory of biometrics in the air travel and border continuum.

The Canadian KDTI pilot traces its origins to the broader KDTI vision articulated by the WEF. In the WEF’s KTDI concept, passports would effectively be replaced with digital credentials stored on mobile devices, while facial recognition-enabled gates (often referred to as smart gates or egates) would allow passengers to transit through airports from arrival to boarding to customs and exit with little to no interruptions. Other elements of the travel experience – for example hotel and car rentals, or shopping at duty free – would also be incorporated. Over time, travellers would compile a trail of interactions – or “attestations” – from various entities (border control, commercial entities) that cumulatively built trust in that individual. Risk profiles, supplemented by security screening, would help determine the level of scrutiny applied to a traveller by relevant authorities. Further, the Digital Identity “wallet” (encrypted mobile application) would include more than just passport information and biometrics, storing bank information, health records (including proof of vaccinations), educational degrees, credit scores, etc.

This broader vision is ambitious. The Canadian KTDI pilot – even as it evolves to reflect post-COVID priorities – is decidedly more circumspect in its aims. TC was clear in communications with NSIRA that the pilot (while including the WEF as a partner) is distinct from, and not beholden to, the broader WEF vision. Yet the sheer ambition of the latter indicates a probable trend in the future of international travel. As this report has demonstrated, the use of biometrics tends toward expansion over time. Concomitant advances in mobile technology – including the development of secure Digital Identity platforms, predicated on biometrics – find natural application in the border continuum, where identification is key and, increasingly, so is convenience.

However, enhanced convenience continues to rub up against privacy concerns, particularly with respect to facial recognition technology. A robust public debate is emerging regarding the legal authority for the use of facial recognition in public spaces. Jurisdictions around the world are grappling with how to manage the proliferation of facial recognition technology, in some cases issuing moratoriums or outright bans on new applications of the technique until its implications are properly considered and new legal and/or regulatory frameworks governing its use are established. The OPC’s recent investigations into the use of Clearview-AI by the RCMP reflect the Canadian salient of this broader conversation.

The basic contours of the debate are whether existing frameworks for the handling of personal information (in some cases drafted decades ago, before the advent of facial recognition and other biometric technology) are adequate or whether specific legislation is required, designed explicitly for facial recognition. Greater specificity in legislation would enable standards to be set as to when the use of facial recognition is appropriate and proportional. It would also enhance the transparency of the norms set by Parliament and provide public information about the circumstances in which Parliament considers facial recognition to be lawful and reasonable in promoting security and convenience in Canadian society.

The OPC is currently drafting new privacy guidance on biometrics, for both the public and private sector, intended to shape how the technology is applied moving forward. While the border context is distinct from other public settings when it comes to privacy, applications of biometric technology at the border cannot be exempt from emerging legal and societal norms. The development of new activities must be aware of such challenges, and account for shifts in the legal and regulatory landscape.

Public concern is likely to be most acute with respect to live capture facial recognition, in the vein of the FOTM pilot discussed in Section 4. Static, one-to-one verification of identity at mobile kiosks – for example as currently takes place at PIKs – is well-established, and allows travellers to know when facial recognition is being used. Roving, one-to-many identification – in which biometrics are captured at a distance – are the source of more anxiety. Consider, for example, the legal challenge to the use of this type of facial recognition in the UK and the multiple calls for moratoriums with respect to the use of facial recognition in public places.

Given the developments described above, NSIRA expects that biometric information will be systematically incorporated into the traveller experience across the border continuum moving forward. Security considerations and general identity management will remain important, but so too will traveller convenience and, in the wake of COVID-19, ‘touchless’ or decongested travel. The use of mobile technology and Digital Identities reflect broader societal trends that are particularly well-suited for application in the border continuum. Informed consent, and/or specific, transparent legal authorities are important considerations for ensuring that such applications occur lawfully and with sound public understanding surrounding when biometrics are collected, how they are used, and how they are protected when in the possession of the government.

7. Observations

This report has documented and described the GoC’s use of biometrics in the border continuum. The scope of these activities is large and growing. For government, biometric information offers a firm foundation for identity management. At the same time, civil society groups, academics, and other concerned Canadians worry about the privacy implications of the government collecting, using, retaining, and disclosing information about immutable physical characteristics. The fundamental purpose of the present study was to inform this ongoing conversation, to both demystify present government activities and evaluate them from NSIRA’s unique, crosscutting perspective. In this final section, we leverage that perspective to articulate our observations according to nine general themes.

1. Biometrics and National Security

Biometrics enhance identity management; identity management at the border in turn serves national security. As outlined in Section 4, the impetus for the expanded collection and use of biometrics, particularly post-9/11, was their purported national security benefits.

Nonetheless, the centrality of national security as a justification for biometric activities has waned over time relative to other objectives.

First, there were the broader benefits associated with identity management, including assessing admissibility and entitlement, preventing fraud, and introducing efficiencies into service delivery. Of note, the CBSA and IRCC do not currently characterize their steady-state biometric activities primarily in national security terms. The Passport Program’s purpose is to enable the travel of eligible Canadians, while the Immigration Program’s purpose is to manage the flow of foreign nationals into Canada, the vast majority of whom arrive for legitimate reasons. Biometrics are information about individuals that facilitate these functions. The benefits to national security, in each instance, are a consequence of the robust identity management to which biometrics contribute. More recently, traveller facilitation has risen to the fore, with programs and pilots incorporating biometrics and mobile technology in pursuit of “seamless” and “touchless” travel (the latter of particular interest given COVID-19).

Although biometrics extend beyond the national security domain, the national security outcomes they support are undeniable. Part of identity management is identifying mala fide actors, including possible terrorists, Canadian extremist travellers, and other national and international security threats. Biometric screening for both immigration and passport applications, for example, includes querying databases (domestic and foreign) that may return information pertinent to national security (e.g. presence on a watchlist, suspected terrorist activity, previous national security convictions, multiple identities, etc.).

The assessment of these programs’ proportionality must therefore be done in light of the full panoply of benefits that biometrics contribute to Canada’s activities at its border. This includes their benefits for identity management in admissibility and passport decisions, traveller screening, and also national security.

As pertains to areas for future NSIRA review, the present study’s overview of the border continuum highlighted several possibilities:

The collection of biometrics at Visa Application Centres (VACs). Here the national security concern stems from personal information – including biometrics – passing through VACs operating in high-risk jurisdictions and run by private contractors and sub-contractors. A review of VACs would include the risks associated with the collection and transmission of biometric information, but also cover the broader security arrangements and national security implications pertaining to the overall operation of such locations.

Instances where biometrics link information across databases for national security purposes. For example, when automated querying occurs with M5 partners in the immigration context, what are the statistics and other metrics associated with national security outcomes (e.g. information that leads to a decision of inadmissibility on IRPA s. 34 grounds)? What about case-by-case exchanges with M5 and other partners that occur because of national security concerns? Finally, what role, if any, has biometric information played in cases where the Minister of Public Safety has denied, revoked, or cancelled a Canadian passport for reasons of national security? These examples illustrate the potential for review of national security activities made possible by biometrics. In such instances, the balance between privacy and security – between protecting sensitive personal information and the security objectives of the state – suggests a clear role for NSIRA in terms of reviewing lawfulness, reasonableness, and necessity.

Other situations where biometrics collected for one purpose are subsequently used for any other program or purpose (see the discussion of dual-use in paragraphs 191-201, below).

2. The Steady-State Activities

Overall, the GoC’s steady-state biometric activities in the border continuum are well-supported by current legal authorities and are consistent with international practice.

The IRCC and CBSA’s use of biometrics in their steady-state programs is well-established and supported by detailed, statutory authority. Canada’s collection and verification of fingerprints and facial photographs in the immigration context is also consistent with that of other M5 members. By design, the use of fingerprints facilitates information sharing with the M5, who similarly collect fingerprints in support of their own immigration programs and to enforce domestic immigration law.

The Canadian ePassport, similarly, adheres to standards established by the International Civil Aviation Authority (ICAO), which mandates the use of facial photographs as a biometric measurement. Globally, more than 140 countries currently use ePassports based on ICAO specifications, making the system interoperable and facilitating international travel for Canadian passport holders. The use of facial recognition in the passport application process is consistent with ICAO guidelines and best practices on the issuance of travel documents.

The legislative framework for the steady-state activities provides a solid basis for the collection, use, retention and disclosure of biometrics as part of the GoC’s immigration and passport programs. Nonetheless, there may be more targeted areas of concern, as articulated below.

3. Expanding Use of Biometrics over Time

The use of biometrics in the border continuum has significantly expanded over the last three decades, and is likely to continue expanding in the future. The trend is driven, in part, by advancing technological capabilities and evolving challenges in identity management.

Beginning with asylum claimants and deportees in 1993, the collection of biometrics now covers all non-exempt foreign nationals entering Canada and, through the passport program, all Canadian citizens who apply for a passport as well as permanent residents who apply for a Certificate of Identity and refugees who apply for a Refugee Travel Document. The Biometric Expansion Project was initiated with the expressed aim of widening the scope – collection, sharing, and use – of biometrics. The M5 partners meet regularly in working groups to refine and enhance (frequently, to extend) the immigration information that is shared between them. Pilot and research projects conducted within the last several years have examined the use of facial recognition technology in airports, while others have explored the integration of mobile technology into biometric identity management in the travel continuum.

Undoubtedly, developments in technology drive some of this momentum. We can do more, so we do. Leveraging new capabilities to enhance program delivery is a legitimate objective. At the same time, however, such technological determinism cannot justify the collection of sensitive information in its own right. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for intended objectives.

Also at play is the impetus to keep pace with other jurisdictions. As countries around the world expand their biometric activities, it is natural for Canada to do the same; doing so facilitates global travel for Canadians, makes it easier for non-Canadians to travel to and through Canada, and helps Canadian officials identify possible security risks (as in M5 information-sharing). Yet keeping up with others, even Canada’s close international partners, is not on its own a valid justification for the expanded collection and use of sensitive personal information. Again, each new activity must be assessed, and justified, independently.

Exploiting the possibilities created by technological developments and keeping pace with other jurisdictions cannot justify the expanded use of biometrics in their own right. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for particular, intended objectives.

4. Pilot Projects

Pilot projects and initiatives raise more concerns than do steady-state activities, as they risk being implemented on an experimental basis, without sufficient legal analysis or policy development. These projects represent an area of continued interest for NSIRA.

Pilots are vehicles of expansion: a forum for new techniques and technologies that may strain the proportional balance between the government’s goals and intrusions on personal privacy. Furthermore, there tends to be less public information available to Canadians about pilot activities. In this report, we describe several such projects, though it was beyond the scope of our emphasis on current activities to determine whether any single pilot was proportionate in terms of its collection and use of biometrics.

Nonetheless, an illustration of the challenges and possible concerns associated with pilots is provided by the Faces-on-the-Move (FOTM) project. The pilot relied on legislative authority under sections 15-18 of the IRPA; yet, these provisions were drafted before facial recognition technology was contemplated. NSIRA is not satisfied that sections 15-18 of the IRPA provide clear authority for the collection of travellers’ facial biometrics, particularly prior to – and away from – the point of formal examination. In the future, legal advice should be sought to ensure that any similar activities are well-founded in the CBSA’s legislative authorities and consistent with the requirements of s.8 of the Charter. Attention must also be paid to the policy framework governing pilot activities to ensure the proper characterization of the affected personal information. Privacy notice statements and public signage should also ensure an appropriate degree of public transparency about the deployment of new technologies and the purposes for which they will be used.

Pilot projects that entail the collection of private or personal information must receive commensurate legal and policy attention. Despite the temporary or experimental nature of a project, NSIRA expects that departments will conduct the analysis necessary to ensure that legal authority is in place to conduct the activity, and that the attendant collection, use, retention and disclosure of personal information is well-governed by policy.

The public debate surrounding legal authorities questions whether existing standards and protections are sufficient for regulating biometric activities or whether new standards and protections are required.

This debate is growing, especially as relates to facial recognition technology. Biometrics are personal information, but they have particular features that may set them apart: they capture immutable personal characteristics, they allow for reliable identification at a distance, and they act as unique identifiers that can be used to discover and connect information about individuals across multiple datasets. The question is whether it is appropriate to treat biometrics as being commensurate with other personal information collected by the government in the course of its programs and activities. Are specific legal regimes necessary to create standards that appropriately reflect the potential intrusiveness and sensitivity of certain biometric data, and ought there be specific use limitations beyond those currently applicable by virtue of the Privacy Act?

The Office of the Privacy Commissioner (OPC) commented on this issue in the context of its recent investigation into the RCMP’s use of facial recognition via the private firm Clearview AI. “Canada’s privacy laws were designed to be technology neutral”, wrote the OPC, “which is positive, given the pace of technological change compared to that of legislative modernization. However, the risks of [facial recognition] technology are such that […] specific rules may be warranted.” The report further noted that many jurisdictions around the world have developed privacy laws which specifically regulate biometric activities. Quebec is presently the only Canadian jurisdiction to have enacted a law that specifically addressed biometrics. Other jurisdictions are calling for, or implementing, outright bans on facial recognition technologies. The European Data Protection Supervisor, for example, has called for a ban on facial recognition in public spaces, arguing that such applications constitute a “deep and non-democratic intrusion into individuals’ private lives.”

Civil liberty organizations have been vocal in raising concerns about biometric activities, as have academia and the media. Governments, meanwhile, can benefit from new capabilities and innovation in pursuit of program objectives, but must do so in a way that respects fundamental human rights. The tension at the core of this debate – how to achieve government objectives efficiently and effectively, while safeguarding individuals’ privacy – is familiar. It is the tension manifest in national security activities more generally, as society balances individual rights against collective protection. In the present context, this evergreen dilemma is catalyzed by advancements in technology, which widen the government’s toolkit while also widening the scope of possible intrusion on individual privacy, specifically the collection and use of sensitive personal data. Moving forward, the question of how biometric activities are designed, implemented, and regulated will be determined, in part, by shifting societal norms, established legal principles (including Charter considerations), and long-standing Canadian values associated with democracy and individual rights.

While the border is, comparatively, a space in which greater intrusiveness is considered reasonable, the boundaries of those justifications are not limitless, and will require careful calibration. For NSIRA, as for other review bodies, evolving legal and societal norms will shape how considerations such as compliance and reasonableness ought to be applied.

6. The Dual-Use of Biometrics

Dual-use refers to when biometrics collected for one purpose are subsequently used for any other program or purpose. The logic is appreciable. Biometrics constitute robust identifying information about individuals; if they are useful in one context, they are likely to be useful in another. However, this dynamic constitutes one of the main privacy concerns associated with biometrics.

NSIRA observed several instances of possible dual-use of biometric information in the activities examined in this report.

First, photographs collected under the Passport Program are also used for facial matching purposes in NEXUS.

Second, fingerprints collected from foreign nationals as part of immigration applications become searchable by law enforcement in the course of criminal investigations. While the RCMP maintains separate repositories for immigration fingerprints and criminal fingerprints, both are searched when law enforcement submit fingerprints for identification purposes.

Third, CSIS, RCMP and CBSA can submit photographs to IRCC to have them checked against passport and travel document application photographs using facial recognition. This can occur in the context of national security or law enforcement investigations in an attempt to identify an unknown individual, to determine if a known individual has multiple identities, and/or to assist in the execution of a warrant.

Dual-use does not always present a compliance issue. Indeed, many such uses are well-supported in law given the “consistent use” standard in s. 8(2)(a) of the Privacy Act, the ability for certain institutions to request personal information under s. 8(2)(e) of the Privacy Act, and other sector-specific legislative provisions (see, for example, paragraphs 85, 109, and 112, which outline the authorities that govern the law enforcement uses discussed above). With respect to NEXUS, in particular, the use of passport photographs is a clear consistent use (see paragraph 140). Privacy concerns are further muted given the program’s voluntary nature and individuals’ prior consent.

However, even where they pose demonstrable benefits, new uses of previously collected biometrics must be carefully considered to ensure their reasonableness and proportionality. In addition, all new uses must be justified and well-authorized in law.

Though authorized by law, the situations in which biometrics collected in the border continuum are leveraged for purposes outside of that continuum (such as when investigative agencies use biometric information initially compiled for immigration or passport purposes) may be worthy of particular scrutiny. NSIRA may return to these cases as it contemplates future review of biometric activities.

Additionally, the principle of “purpose limitation” may be a way of guarding against unjustified dual-use in the context of biometric activities.

Purpose limitation involves explicitly stipulating the specific purpose for which the collected biometrics will be used, with a commitment to not use them for any additional purposes in the future. It is well established in UK and European jurisprudence and is more restrictive than “consistent use.” While the “consistent use” principle reflects the GoC’s standing commitment to limit the repurposing of personal information, the standard ought to be read as narrowly as possible for biometric information. Again, biometrics are unique compared to other personal identifiers because they are essentially permanent and immutable. This means that once they are collected, if they are not subject to clear retention/deletion policies and purpose limitations, the government has a ready repository of information for identifying individuals in the future – perhaps in activities that are less benign than the activities under which the biometrics were originally collected.

It is premature for NSIRA to make a finding on whether the possible instances of dual-use identified above are reasonable or proportionate. Future review, whether by NSIRA or another review body, may consider the question in greater depth.

7. Technical Systems

NSIRA reviewed high-level technical information about the activities documented in this study. This included information pertaining to the various systems and databases used in the course of the GoC’s biometric activities.

There is significant overlap between the technical systems and databases used across the steady-state biometric activities.

Both the Passport Program and Immigration Program use the Global Case Management System (GCMS), and IRCC, CBSA and RCMP have access to GCMS. In the immigration context, facial photographs are stored in GCMS, while fingerprints are sent to the RCMP and stored in one (immigration) of several repositories of the Automated Fingerprint Identification System (AFIS). The immigration repository is then searchable by domestic law enforcement and can be queried by Canada’s M5 partners for immigration purposes.

The passport and travel document applications in the Passport Program, meanwhile, are stored in both GCMS and in IRCC’s Central Index (see Annex A), though IRCC has communicated that a full transition to GCMS is planned moving forward. The digitized photograph from the application is sent to IRCC’s FRS, converted into a biometric template, sent for evaluation in the FRS database, and stored in the CI. In both the Immigration Program and Passport Program, the intake of applications – and biometrics – employ a range of systems at different intake locations around the world, all of which connect back to IRCC servers in Canada.

The overall architecture of this system – biometric collection, transmission, and storage in the course of the GoC’s activities in the border continuum – is complex, though not necessarily problematic.

In keeping with the foundational nature of the study, NSIRA makes these observations as a first step in mapping the relevant systems architecture. This mapping, summarized in Annex A, will support NSIRA should it choose to review in detail the various technical systems used for biometrics in the course of border activities, including how they overlap and what privacy or security issues, if any, might arise from the present structure.

8. Visibility into Algorithms

In addition to the public concern about governmental surveillance noted above, there is related apprehension about automated decision-making and about decision-making aided by automation, particularly when it occurs in conjunction with biometric identification. The general concern with respect to algorithms and automation is that the decision-making process is opaque, even to the human operators who rely on the algorithms or systems to do their work.

In the Immigration Program, Passport Program, and at PIK kiosks, IRCC, CBSA, and the RCMP have limited visibility into how the algorithms used operate.

The algorithms are procured from private vendors, and the details of how they work are proprietary. They are, in this sense, essentially a ‘black box’. NSIRA supports greater transparency in how algorithms work when analyzing personal information. Such transparency is necessary for third-party verification of the algorithms’ accuracy and reliability and would enhance public confidence in both the algorithms’ ability to function fairly and without discrimination and in the departments’ ability to mitigate any shortcomings in that respect.

Each department and agency did, however, demonstrate that performance metrics (e.g. error rates) are known and tested, and that customizations (such as adjusting match thresholds) are applied when appropriate.

Moreover, for IRCC’s FRS, and for the RCMP’s AFIS, human intervention occurs to either verify system results or complete matches if necessary. Facial matching at PIKs, by contrast, occurs without human adjudication, though any obvious errors may subsequently be corrected by BSOs through visual verification.

9. Preventing Bias and Discrimination

Related to the opacity of algorithms is the possibility that automated biometric analysis – e.g. facial recognition and fingerprint matching – may be subject to bias. It is well documented in the academic literature, for example, that many facial recognition algorithms are less reliable in identifying women, the very young and very old, and individuals with darker skin tones. Similarly, fingerprint capture and matching may be more difficult and/or less accurate for females, particular ethnic groups, and individuals working in certain trades (which may reflect socio-economic status). Given that important decisions in the border continuum – including the issuance of official travel documents, the granting of visas, asylum, and/or residency status, and possible referral for additional questioning/inspection during the immigration and customs process – are informed by automated analysis, the possibility of systematic bias is of concern.

IRCC and CBSA have conducted preliminary analyses to explore how their biometric activities may impact diverse groups of people, though the implementation of possible mitigation strategies was not always apparent.

For example, CBSA’s GBA+ for the PIK, completed in May 2016, suggested that the agency apply gender-specific thresholds for facial matching; an October 2020 analysis on possible gender bias at PIKs made a similar recommendation. For facial recognition in both FRS (IRCC) and PIK (CBSA), recent performance testing explicitly addressed the possibility of demographic bias. This analysis noted minor imbalances in terms of gender accuracy, but emphasized that advancements over time (updated algorithms) have steadily reduced, though not eliminated, the gap.

In some contexts, technological advancements have helped to reduce, but not eliminate, differential impacts.

The work to comprehensively address these issues – beyond noting that small discrepancies do exist – remains to be done. CBSA noted, for example, that its “work in this area is nascent and is not yet conclusive with significant work still to be conducted.” This includes GBA+ on facial recognition technologies, work on the visibility of bias in data, and the development of possible policy mitigations. Similarly, IRCC stated that “further demographic bias assessments will […] be conducted” following the implementation of a new algorithm in the FRS.

This is not to suggest that efforts to mitigate possible bias have been insufficient to this point; rather, both IRCC and CBSA have demonstrated that they are aware of possible issues and committed to future work in this area. However, such efforts should not be confined to accuracy testing, and relying on improving algorithms. Solutions at the policy level should also be explored, including the implementation of previously identified mitigation strategies and the analysis of the possible consequences of biometric errors for the experience of affected individuals.

A commitment to continuing to minimize discrepancies in the algorithms’ function for diverse groups, and to ensure such differences are taken into account by the human decision-making that follows biometrics screening, will continue to be important in ensuring the reasonable use of these algorithms in the future.

More work remains in terms of mitigating differential impacts on segments of the population. At the same time, the departments and agencies examined in this study have demonstrated their awareness of possible systemic inequalities and their commitment to addressing them.

8. Conclusion

Biometrics play a fundamental role in the border continuum. The Government of Canada uses biometrics to verify and establish identity. The question of who is coming into the country – and whether they have a right to – is more confidently answered as a result. In the immigration context, this involves the screening, verification (at arrival), and ongoing assessment of admissibility of foreign nationals coming to Canada as temporary or permanent residents. Applicants for Canadian passports (and other official travel documents) are screened to confirm eligibility to passport services and entitlement to a passport, and subsequently use their biometric, embedded in the ePassport, during the course of international travel. These two streams converge at Canadian airports, where CBSA verifies the identity of travellers using facial recognition at automated kiosks.

The purpose of this study was to examine and contextualize these activities. We looked back, tracing the evolution of the GoC’s biometric activities in the border continuum, noting a shift from strict national security objectives to broader goals of identity management. We looked forward, to possible future biometric applications, including the adoption of Digital Identities, and even greater systematization of biometrics into the overall traveller experience.

Our observations are meant to inform both the Canadian public as it contemplates the government’s collection and use of biometric information, and NSIRA as it plans future review of the same. We noted that the steady-state activities are well-supported by current legal authorities, and are consistent with international practice. At the same time, certain areas raise potential concern. These include pilot projects, which are vehicles for experimentation and require careful legal consideration; the ongoing possibility of systemic inequalities across diverse groups of people resulting from algorithmic biometric analysis; and the possible dual-use of biometric information, including the availability of biometric information to investigative agencies.

Public debate about the government’s application of biometric technology will continue to evolve, driving change in the legal and regulatory frameworks associated with such activities. As such, continued scrutiny from NSIRA is warranted, particularly in those instances where the collection and use of biometric information is justified by explicit reference to national security outcomes.

Share this page
Date Modified:

NSIRA Review arising from Federal Court’s Judgment in 2020 FC 616

Review Backgrounder

This is a report about the manner in which the Canadian Security Intelligence Service (CSIS) seeks and receives legal services from the Department of Justice (Justice) and prepares and executes the warrants it needs to collect information. This review stemmed from a 2020 decision of the Federal Court (2020 FC 616). In that matter, the Federal Court recommended that a “comprehensive external review be initiated to fully identify systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in operational activity that it has conceded was illegal and the resultant breach of candour.”

This review found an intelligence service and its counsel who struggle to organize themselves in a manner that allows them to meet easily their legal obligations, including to the Federal Court.

NSIRA also found a failure at CSIS to professionalize fully and sustainably the warrant application process as a specialized trade that requires training, experience, and investment. This report also demonstrates the need to transform the relationship between CSIS and its legal counsel.

This review was led by NSIRA Members Marie Deschamps and Craig Forcese. One or both Members were directly involved in every aspect of the review including review process management, briefings, interviews and document review. To conduct this review, NSIRA conducted dozens of confidential interviews with Justice and CSIS employees whose perspectives were essential for “ground-truthing” the knowledge NSIRA had gained from documents and formal briefings. In organizing these interviews, NSIRA ensured robust representation covering the range of functions in the warrant and legal-advice giving processes. The interviews raised issues and concerns that would have otherwise been unavailable to NSIRA. This assisted NSIRA in making recommendations on governance, systemic, and cultural issues that contribute to inefficiencies threatening the ability of CSIS and Justice to fulfil their mandates.

NSIRA heard repeated concerns from interviewees that the problems stemming from governance, systemic, and cultural challenges put at risk the ability of the intelligence service to meet the mandate Parliament has assigned to it. Addressing these challenges is in the urgent public interest. Though CSIS and Justice have made improvements, difficulties are still evident.

NSIRA groups its findings and recommendations into three overarching areas:

  1. Justice’s Provision of Legal Advice
  2. CSIS’s and Justice’s Management of the Warrant Acquisition Process
  3. Investment in People

In its conclusion, this report also makes comments and recommendations about the broader cultural and governance context.

Date of Publishing:

1. Executive Summary

This is a report about the manner in which the Canadian Security Intelligence Service (CSIS) seeks and receives legal services from the Department of Justice (Justice) and prepares and executes the warrants it needs to collect information. This review stemmed from a 2020 decision of the Federal Court (2020 FC 616). In that matter, the Federal Court recommended that a “comprehensive external review be initiated to fully identify systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in operational activity that it has conceded was illegal and the resultant breach of candour.”

This review found an intelligence service and its counsel who struggle to organize themselves in a manner that allows them to meet easily their legal obligations, including to the Federal Court.

NSIRA also found a failure at CSIS to professionalize fully and sustainably the warrant application process as a specialized trade that requires training, experience, and investment. This report also demonstrates the need to transform the relationship between CSIS and its legal counsel.

This review was led by NSIRA Members Marie Deschamps and Craig Forcese. One or both Members were directly involved in every aspect of the review including review process management, briefings, interviews and document review. To conduct this review, NSIRA conducted dozens of confidential interviews with Justice and CSIS employees whose perspectives were essential for “ground-truthing” the knowledge NSIRA had gained from documents and formal briefings. In organizing these interviews, NSIRA ensured robust representation covering the range of functions in the warrant and legal-advice giving processes. The interviews raised issues and concerns that would have otherwise been unavailable to NSIRA. This assisted NSIRA in making recommendations on governance, systemic, and cultural issues that contribute to inefficiencies threatening the ability of CSIS and Justice to fulfil their mandates.

NSIRA heard repeated concerns from interviewees that the problems stemming from governance, systemic, and cultural challenges put at risk the ability of the intelligence service to meet the mandate Parliament has assigned to it. Addressing these challenges is in the urgent public interest. Though CSIS and Justice have made improvements, difficulties are still evident.

NSIRA groups its findings and recommendations into three overarching areas:

  • Justice’s Provision of Legal Advice
  • CSIS’s and Justice’s Management of the Warrant Acquisition Process
  • Investment in People

In its conclusion, this report also makes comments and recommendations about the broader cultural and governance context.

CSIS operates in often rapidly evolving and legally challenging environments. Timely, nimble and actionable legal advice is critical. This review highlighted factors that prevent the National Security Litigation and Advisory Group (NSLAG) of Justice from providing CSIS with the operational advice it needs.

Justice has employed a centralized “one voice” model for delivering its legal services. The “one voice” model reflects a desire for uniform and consistent legal advice delivered on behalf of the Attorney General of Canada. Although the premise for the “one voice” approach is sound, NSIRA found that NSLAG struggled to provide timely, responsive, and useful legal advice in the CSIS context. The way Justice provides advice has often not been responsive to CSIS operations. For example, NSLAG presents its advice as a legal risk assessment using the Justice-wide Legal Risk Management grid. This grid uses a colour-coded risk rating that can be compared to a “traffic light” system: a green risk rating represents a low legal risk to CSIS, a red risk rating represents a high legal risk, and, more ambiguously, a yellow risk rating represents an intermediate legal risk. Yellow light responses are reportedly the most common and the most frustrating for CSIS, especially when unaccompanied by discussions on how to mitigate the risk, the inclusion of which NSIRA heard is not currently common practice.

In consequence, some at CSIS perceive Justice as presenting a road-block because of its bureaucracy, its perceived operational illiteracy, and its unhelpful approach to communicating legal advice.

However, the problems with timely, responsive, and useful legal advice do not stem from Justice alone. NSIRA heard that CSIS has not always shared all relevant information with Justice, prompting a degree of mistrust. The internal process for requesting legal advice at CSIS also contributes to delays and lack of relevance. The advice that sometimes comes back to operational investigators at CSIS filtered through bureaucratic hierarchies may be of limited or little relevance.

NSIRA heard that the laborious advice-seeking and -receiving process has sometimes caused [discussion of the detrimental effects on and risks to operations] CSIS and Justice often operate in a situation of legal doubt, because of lack of clarity in the law. Clarifying legal standards often requires judicial case law. However, an unwieldy warrant process, discussed below, makes that prospect more difficult.

Finding no. 1: NSIRA finds that the legal advice-seeking and giving process, and resource constraints at NSLAG contribute to considerable delays, [description of timeline]

Finding no. 2: NSIRA finds that Justice legal opinions have sometimes been prepared without sufficient attention to the audience that needs to understand and act on them. Opinions have been focused on assessing legal risk, often late in the development of a CSIS activity, with limited effort made to propose alternative and legally sustainable means of arriving at the intended objective.

Finding no. 3: NSIRA finds that the Justice Legal Risk Management Framework is misunderstood at the working level at CSIS and further that it does not provide an appropriate framework for the unequivocal communication of unlawful conduct to CSIS.

Finding no. 4: NSIRA finds that difficulties in acquiring prompt and relevant legal advice have contributed to [discussion of the detrimental effects on and risks to operations] that may require legal advice. In consequence, the manner in which Justice has provided legal advice to CSIS does not always meet the needs of CSIS operations.

Finding no. 5: NSIRA finds that Justice does not generate the necessary business analytics to track its service delivery performance to CSIS.

Justice is aware of the need for change. Broad, recent initiatives include the Vision Project, which promises client-centric strategic partnerships. New procedures have been implemented at NSLAG to address internal silos between advisory and litigation counsel, and to improve training, access to legal advice and facilitate consistent legal opinions. NSLAG also appears to recognize the desire for a different approach to providing legal advice, including moving toward legal advice that promotes collaborative and iterative engagement with CSIS to achieve its operational goals, within the bounds of the law (a “road map”-style form of advice-giving). However, it does not appear that CSIS and Justice have thus far systematically put this model into effect.

To facilitate proper advice-giving, especially in a “road map”-style model, CSIS needs to provide NSLAG with all the facts, and to engage NSLAG early on, at the operational level. Earlier and ongoing involvement throughout the stages of an investigation or operation would enable counsel to provide informal legal nudges that allow CSIS to course-correct before too much time has been spent. A more iterative process of incorporating legal advice over the full course of an operation could address the reported challenge of operations halted due to untimely or ambiguous legal advice.

Finding no. 6: NSIRA finds that Justice has acknowledged that internal silos at NSLAG between the advisory and litigation wings have sometimes left warrant counsel unaware of emerging legal issues and that Justice has taken steps to resolve these issues.

Finding no. 7: NSIRA finds that Justice has committed to improve its advice-giving to CSIS, including moving toward “road map” style legal advice that involves working collaboratively and iteratively with CSIS to achieve operational goals within the bounds of the law.

Finding no. 8: NSIRA finds that CSIS has not always shared all relevant information with NSLAG, prompting a degree of mistrust and limiting Justice’s ability to provide responsive legal advice.

In view of these findings, NSIRA recommends that:

Recommendation no. 1: Justice pursue its commitment to reforming the manner of providing legal advice to CSIS, and its stated commitment to “road map”-style advice as a best practice. In support of this objective and the provision of timely, operationally relevant advice, NSIRA further recommends that Justice implement the following:

  • Whether through an expanded “office hours” and liaison counsel program or otherwise, NSLAG must develop a legal support service operating full time, staffed by experienced lawyers empowered to provide operational advice in real time on which CSIS officers can rely, on the basis of settled Justice positions on recurring legal issues, accessible directly to CSIS officers across all regional offices and at all levels.
  • NSLAG develop a concise reference tool with its position on recurring issues and most common legal authorities invoked and make the tool accessible to counsel to support their real-time advice.
  • To minimize the need to resort to the formalized legal advice-seeking process, NSLAG (in coordination with CSIS) must involve counsel with CSIS officers at the early stage of the planning of key or novel operations and throughout their entire operational lifecycle to case-manage an iterative legal guidance process.

Recommendation no. 2: NSLAG (in coordination with CSIS) develop Key Performance Indicators to measure the delivery of legal services to CSIS.

Recommendation no. 3: CSIS and Justice include in their training programs interactive scenario-based training developing the operational intelligence activities expertise of NSLAG counsel and the legal knowledge of CSIS operational staff.

Recommendation no. 4: To ensure Justice is able to give meaningful and responsive legal advice as recommended in recommendation #1, CSIS invite Justice counsel to sit at the table at all stages of the lifecycle of key and novel operations, and that it fully and frankly brief counsel on operational objectives, intent, and details.

Recommendation no. 5: Justice’s advice-giving must clearly and unequivocally communicate advice on the unlawfulness of client conduct, whether criminal or otherwise.

Management of the Warrant Process

CSIS organizes the process of seeking a warrant around a system of internal preparation and approvals before proceeding to the statutory step of seeking ministerial approval of the warrant application. A number of legal concepts and expectations enter into the warrant process, including the “duty of candour” owed to the Court.

The Federal Court duty of candour concerns now fit into two categories: disclosure of information material to the credibility of the sources who supply information used in the application; and disclosure of information material to matters of potential concern about the broader context of the warrant and how it will be executed.

Despite past attempts at reforms the current warrant process adopted by CSIS and supported by Justice, the warrant process has repeatedly failed to meet these candour obligations. Many reforms appear to have contributed to the bureaucratic complexity of the warrant process, without addressing candour issues.

Finding no. 9: NSIRA finds that CSIS has a history of quick reforms, followed by neglect, high turnover of personnel leading to a loss of institutional knowledge, and resourcing that did not match stated priorities. CSIS does not track or measure the outcome of past reforms adequately and has no performance metrics for assessing success.

Finding no. 10: NSIRA finds that CSIS policies have not kept pace with operational reality, as they are often vague, dated, overlapping and contradictory. The absence of clear policy creates legal doubt or concerns, and gives rise to disparate interpretations of legal and operational standards.

Finding no. 11: NSIRA finds that there is little common understanding regarding the process or basis on which a warrant is prioritized. Frequent shifts in this process of prioritization have added to operational uncertainty. The prioritization process has made it very difficult to bring novel issues to the Court with the goal of addressing legal ambiguities through court decisions.

Finding no.12: NSIRA finds that the actors involved in the warrant process do not have a common understanding of the rationale for each of the [multiple] of steps in the overarching warrant application scheme and are not always sure what role each approval step plays.

Finding no. 13: NSIRA finds that the proliferation of process in seeking warrants has created a system of diluted accountability widely regarded as slow and unwieldy, with delays caused by multiple levels of approval.

Finding no. 14: NSIRA finds that there is no regular feedback process in which explanations for warrant-related decisions made at one level filter back to other levels. The absence of feedback is especially acute for the regional investigators.

Finding no. 15: NSIRA finds that often, the sole means to address legal uncertainty is to bring legal questions to the Federal Court through warrant applications. In consequence, an unwieldy warrant process makes resolution of legal doubt more difficult.

CSIS has struggled especially to ensure that all information material to the credibility of sources is properly included in warrant applications. NSIRA heard repeatedly that CSIS officers involved in the early stages of preparing warrant applications do not clearly understand the legal expectations surrounding the duty of candour. Deficient information management systems related to human sources at CSIS have also resulted in important omissions, violating duty of candour obligations. These challenges produce what NSIRA calls the “recurring omissions” problem.

Finding no. 16: NSIRA finds that CSIS has struggled to ensure that all information material to the credibility of sources is properly contained in warrant applications. This “recurring omissions” problem stems from a misunderstanding of the Federal Court’s role in assessing the credibility of sources and from the presence of multiple, siloed information management systems. NSIRA acknowledges that CSIS has undertaken reforms, but work remains to implement successfully long term sustainable solutions.

In view of these findings, NSIRA recommends that:

Recommendation no. 6: CSIS adopt, and share internally, clear criteria for the warrant prioritization process.

Recommendation no. 7: CSIS establish a new warrant process eliminating steps that do not make a significant contribution to a more accurate application. The process should assign clear lines of responsibility for the production of accurate applications. The reformed system should ensure that delays associated with managerial approvals are minimized, and that time is reallocated to those steps contributing to the preparation of the accurate applications.

Recommendation no. 8: CSIS integrate the regional stakeholders (including the implicated investigators) at every key milestone of the warrants process.

Recommendation no. 9: CSIS adopt policies and procedures governing the reformed warrant process that clearly outlines the roles and responsibilities of each participant and the objective of each step in the warrant process and that these policies be kept current as the process evolves.

Recommendation no. 10: To address the seeming inevitability of “recurring omissions”, NSIRA recommends that CSIS prioritize the development of [an improved] system for human source information management. CSIS should also continue initiatives meant to ensure that source handlers are assiduous in documenting and then reporting in source precis information going to credibility. Even with these reforms, the Affiant Unit should adopt procedures for verifying the information prepared by the regions.

In 2019, CSIS sought to professionalize affiant work by creating an Affiant Unit (AU). CSIS’s establishment of the AU is a critical development and, properly resourced and staffed, it would be well positioned to respond to long-standing problems with the duty of candour. However, when created, the AU was placed under the [Name of Branch]. [Name] has a broad mandate that does not align with the AU’s functions in preparing legally robust warrant applications. This governance anomaly may explain the AU’s present administrative and human resource challenges. The AU’s sustainability is in question, and indeed NSIRA heard that the unit could currently be described as in a state of crisis. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission.

Finding no. 17: NSIRA finds that the Affiant Unit (AU) constitutes a vital and laudable reform within CSIS. However, the AU is currently at risk of collapse. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission. The benefits of the AU are currently in jeopardy because of governance, human resource, and training deficiencies.

Finding no. 18: NSIRA finds that the AU’s placement in the [Name] branch is not commensurate with its functions and importance. This governance anomaly most likely contributes to administrative hurdles and resource challenges faced by the AU.

Finding no. 19: NSIRA finds that without a functional AU able to produce timely and accurate warrant applications, CSIS puts at risk access to warrants and the information collected under them.

In view of these findings, NSIRA recommends that:

Recommendation no. 11: CSIS recognize the importance of the Affiant Unit by assigning affiants and analysts an employment classification congruent with their responsibilities.

Recommendation no. 12: CSIS create an Affiant Branch reporting directly to the CSIS Director.

Recommendation no. 13: CSIS urgently resource the Affiant Unit to meet its responsibilities and ensure its sustainability. In deciding the size of the AU, CSIS should assess how many warrants an affiant team might reasonably complete every year.

Recommendation no. 14: CSIS, in consultation with Justice, develop a comprehensive training course for all affiants and analysts, codifying best practices and methods for members of the AU.

Warrants counsel at NSLAG have several key roles in the warrant application process, and are intimately implicated in ensuring adherence to the duty of candour. Fostering a strong, collaborative, and productive relationship with CSIS is key. Morale among NSLAG warrants counsel may have suffered in light of the recent Federal Court decision that prompted this review. With recent staffing increases, it appears that NSLAG currently has the requisite complement to manage the number of annual warrant applications expected from CSIS, but recruitment challenges remain an ongoing issue. NSLAG should be staffed to ensure that CSIS’s operations are not stalled due to the lack of availability of warrants counsel.

Recommendation no. 15: NSIRA recommends that NSLAG be staffed by a complement of counsel and support personnel sufficient to ensure that CSIS operations are not impeded by resource limitations at NSLAG.

The warrant application process is meant to be strengthened through a review of the near-final affidavit by an “independent counsel” (IC) – in practice, a lawyer drawn from the National Security Group (NSG) of the Department of Justice. The role was originally envisioned as performing a rigorous challenge of the warrant application. However, the primary role of the IC appears to be more clerical than substantive, designed to cite check rather than assertively perform a “devil’s advocate” function.

NSIRA believes that the presence of a rigorous challenge function performed by a knowledgeable, adequately-supported lawyer distant from the warrant application is valuable and necessary. However, NSIRA proposes that the current IC model be abandoned in favour of a challenge function performed at Public Safety Canada, whose precise role is that of oversight of the CSIS warrant application process.

Working with the Public Safety unit charged with warrant review, an experienced and specialized warrant counsel could perform a genuine challenge role to the warrant, analogous to the role a defence lawyer would play were warrants subject to an adversarial process. NSIRA believes that a testing review of this sort will help forestall duty of candour shortcomings stemming from a failure to disclose fully information material to matters of potential concern about the broader context of the warrant and how it will be executed.

Finding no. 20: NSIRA finds that the “Independent Counsel” (IC) role as performed by NSG counsel falls short of creating a rigorous challenge function.

In view of this finding, NSIRA recommends that:

Recommendation no. 16: the function of the Independent Counsel as performed by NSG counsel at the Department of Justice be eliminated, in favour of a new challenge function, analogous to the role a defence lawyer would play were warrants subject to an adversarial process, situated at Public Safety and supported by the Public Safety vetting team, and performed by a knowledgeable lawyer from the Public Prosecution Service of Canada, the private sector, or elsewhere, who is independent from Justice management and not otherwise involved in CSIS warrant applications.

Once a judge issues a warrant, CSIS may execute the warrant. That execution must comply with the scope and terms of the warrant. However, the CSIS regional warrants coordinators have not received sufficient training to enable the contents of warrants to be translated into advice on proper execution.

Finding no. 21: NSIRA finds that the CSIS regional warrants coordinators have not received sufficient training enabling them to translate the contents of the warrants into advice on proper warrant execution.

In view of this finding, NSIRA recommends that:

 Recommendation no. 17: CSIS regional warrants coordinator positions receive adequate training, and that CSIS professionalize the position and enable warrant coordinators to more effectively translate the content of warrants into advice on warrant execution.

Investment in People

Concern about inadequate training at CSIS was a recurring theme in this review. This concern was noted in internal CSIS documents. CSIS acknowledges that it is currently not a learning organization and does not have a learning culture. There are too few training opportunities required to sustain a modern professional intelligence service operating in a complex environment.

Finding no. 22: NSIRA finds that CSIS lacks long-term training programs for Intelligence Officers.

Finding no. 23: NSIRA finds that CSIS has failed to provide systematic training programs for “non-Intelligence Officers”.

Finding no. 24: NSIRA finds that the CSIS’s Learning and Development Branch has not been sufficiently resourced to develop and administer comprehensive training programs, especially in specialized areas not covered by the training offered for Intelligence Officers early in their career.

In view of these findings, NSIRA recommends that:

Recommendation no. 18: CSIS adequately resource and regularly deliver evergreen scenario-based training programs for all CSIS employees, including;

  • annual, comprehensive, warrant training for all operational employees;
  • specialized onboarding training for all employees not part of the Intelligence Officer program; and
  • continued long-term training for all specialized personnel.

Conclusions

This report concludes with observations on cross-cutting cultural and governance challenges that stem, at least in part, from challenges characterizing the provision of legal advice and the warrant process. NSIRA divides these broad, cross-cutting phenomena into two categories: morale and attitudes; and, performing the mission.

Low morale at CSIS was a common theme throughout this review. The systemic problems in the warrant application process are likely one cause of this problem: morale is affected when a warrant acquisition system repeatedly prevents CSIS officers from performing their mandated duties, and is the source of regular reputational crises stemming from failures to meet the duty of candour.

Meanwhile, a failure to correct problems with the warrant process impairs CSIS and Justice’s abilities to fulfill their mandates. Justice must go from being perceived as a roadblock, to a frank and forthright advisor fully attuned to operational objectives.

Within CSIS, the warrant application process was sometimes likened to winning a lottery – not because the Federal Court declines to issue warrants, but because of the resources required to prepare and complete the application. The current, laborious warrant application process is preventing some collection activities from moving forward.

In sum, this review was sparked by a compliance failure in a duty of candour matter. It concludes that repeated failures in this area are both caused by, and cause, deep-seated cultural and governance patterns. This vicious cycle has compounded the challenges of reform in the warrant acquisition process.

Cherry-picked or paper-based reforms that mask without addressing the overarching systemic, cultural, and governance challenges will suffer the fate of prior reforms: the problems will continue.

Finding no. 25: NSIRA finds that CSIS and Justice are at risk of not being able to fulfill their respective mandates. No one reform is likely to succeed unless each is pursued as part of a coherent package. No package will succeed unless backed by prioritization at senior levels, and the stable provision of resources, including people with the means and institutional knowledge to see reforms through, and no reform initiative will succeed unless accompanied by clear performance indicators, measured and analyzed regularly to track progress.

In view of NSIRA’s findings above, and of prior unsuccessful reforms, NSIRA recommends that:

Recommendation no. 19: The recommendations within this review be treated as a coherent package and that progress and outcomes in implementing these recommendations be tracked, allowing management, the Ministers of Public Safety and of Justice, and NSIRA, to assess the efficacy of reforms and course-correct if necessary.

NSIRA intends to launch a follow-up review within two years that will measure progress at CSIS, Justice and Public Safety in resolving the systemic problem with the warrants process addressed by this review. Moreover, in other regular reviews implicating warrants, NSIRA will document recurrences of systemic problems. In the meantime, since this review originated with a decision of the Federal Court, it is vital that the Minister and CSIS share it in its full form with the designated judges of that court.

In recognition of the fact that this report was initiated following a recommendation of the Federal Court, NSIRA in turn recommends that:                                                             

(U) Recommendation no. 20: The full classified version of this report be shared with the designated judges of the Federal Court.

2. Authorities

(U) This review was conducted under the authority of paragraphs 8(1)(a), (b) and (c) of the NSIRA Act.

3. Introduction

(U) This review deals with how the Canadian Security Intelligence Service (CSIS) seeks and receives legal services from the Department of Justice (Justice) and obtains and executes warrants it needs to collect intelligence. In their current forms, these processes suffer from severe flaws due to systemic, governance and cultural issues. In this review, NSIRA found an intelligence service and its counsel who struggle to organize themselves in a manner that allows them to easily meet their legal obligations – towards the Federal Court in particular. NSIRA also found a failure to professionalize fully and sustainably the warrant process as a specialized trade that requires training, experience, and investment.

(U) This is not the first report on issues related to the warrant process. Since CSIS’s creation in the 1980s, there have been several independent and internal reviews of various aspects of this topic, which are described in Annex A. Many of the findings made in this review echo those made in earlier assessments. In response to these reviews, CSIS has planned many reforms, initiated some, but persisted with only a subset. Though CSIS (and Justice) have made improvements, difficulties are still obvious. The failure to effect sustainable solutions following the multiplicity of reviews and duty of candour breaches is indicative of organizational struggles with deep rooted cultural issues that risk the execution of their With each incomplete reform, CSIS faces change fatigue that makes future course corrections more difficult. Yet the stakes are considerable.

(U) This report demonstrates the need to transform the relationship between CSIS and its legal counsel. It also points to the urgency of CSIS succeeding in fully professionalizing the warrant process, a prospect that appears to be in jeopardy. When implemented, the changes that are recommended will help to reestablish the Federal Court’s trust in the warrant process. At the same time, legal support is not – and should not – be limited to the warrant process. As such, the review could not be restricted to the warrant process. It recommends reforms in the manner in which Justice gives legal advice to CSIS.

(U) The Federal Court’s “judicial control” in overseeing the issuance of warrants is a key accountability safeguard in a country governed by the rule of law and attentive to rights and liberties. The warrants the Court issues, meanwhile, are the lifeblood of CSIS’s functions as an intelligence agency – especially in an era where face to face interaction increasingly tends to be replaced by electronic communication.

(U) NSIRA heard repeated concerns from interviewees that the systemic problems rooted in governance and cultural issues risk creating an intelligence service incapable of meeting its intelligence mandate. These problems could also afflict other CSIS mandates potentially subject to judicial control, such as certain threat reduction measures. Urgently addressing challenges is therefore in the public interest. This review aims to recognize and encourage recent progress, while in some areas recommending new, essential reforms.

(U) This report first sets out the background to this review; the methodology NSIRA adopted for it; and the institutional and legal environment in which CSIS and Justice operate. The report then describes issues arising from Justice’s provision of legal advice to CSIS and the manner in which CSIS and Justice construct a warrant application, ultimately presented to the Federal Court, and if granted, executed by CSIS. It also examines the question of training and skills- development, a recurring issue in this review. In each area, this report notes shortcomings, while recommending reforms. The report ends with an examination of cross-cutting cultural and governance issues that are reflected in the warrant process, and which make change difficult.

(U) As the recommendations address the systemic, governance and cultural issues that are interrelated, a selective approach to their implementation will likely lead to the same outcome previous reviews have: repetition of the same problems, change fatigue and morale issues. The time has come for CSIS and Justice to face the harsh reality of potential failure to fulfill their mandates if they do not succeed with concrete governance, cultural and process change.

A. Review Background

(U) This review stemmed from a 2020 decision of the Federal Court (2020 FC 616). In that matter, the Federal Court recommended that a “comprehensive external review be initiated to fully identify systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in operational activity that it has conceded was illegal and the resultant breach of candour.” As a matter of law, before issuing such a warrant, the judge must believe on reasonable grounds that statutory pre-requisites are met and that the court should allow the invasive CSIS, assisted by Department of Justice lawyers, must fully apprise the judge of all information material to this decision. Thus, the state must disclose to the judge, not just information supporting its application, but also information that weakens its case. The duty reflects the fact that a warrant proceeding is by necessity conducted in the absence of the proposed subject of the warrant, known as the “target”, and closed to the public so the target is not alerted to the state’s activities. The “duty of candour” in such proceedings aims to compensate for the absence of a party opposed to the state, by obliging the state to be especially frank and forthcoming about the merits of its application.

(U) At issue in 2020 FC 616 was whether CSIS should have told the Court about issues regarding the legality of CSIS human source activities that yielded information used in support of warrant applications. Some of these human source activities may have constituted terrorism offences in Canadian This was not the first instance of duty of candour problems – indeed, such problems have been a recurring feature of CSIS’s warrant practice. Because CSIS has repeatedly struggled with the duty of candour in its warrant applications, the Federal Court in 2020 FC 616 recommended an external review of both Justice and CSIS.

(U) In response, on June 23, 2020, the Minister of Justice and the Minister of Public Safety and Emergency Preparedness jointly referred the matter to NSIRA under paragraph 8(1)(c) of the NSIRA Act. NSIRA also chose to exercise its own independent jurisdiction under paragraph 8(1)(a)(b) to initiate this review.

(U) While the Federal Court of Appeal subsequently allowed the government’s appeal of the decision in 2020 FC 616, its holdings did not disturb – and indeed, reaffirmed — the lower court’s core preoccupation with the duty of candour.

B. Methodology

(U) NSIRA conducted this review during a pandemic that frequently impaired access to its facilities housing classified This reality presented challenges and inevitable delays for both NSIRA and the reviewed departments.

(U) NSIRA made this a “Member-led review”. Specifically, one or both of the two assigned NSIRA members (Marie Deschamps and Craig Forcese) managed the review process, reviewed the documents, participated in most of the CSIS and Justice briefings (and reviewed the transcripts of others), conducted most of the confidential interviews, and led the writing of this report. A specialized team at NSIRA participated in every aspect of the work.

(U) NSIRA drafted broad Terms of Reference to govern this review, with a heavy focus on the CSIS warrant application process and the manner by which Justice conveys legal advice to CSIS. As the review evolved, it became clear that the problems with the CSIS warrant process are more properly a symptom of broader systemic, governance and cultural issues at both CSIS and Justice, including Justice’s specialized legal services unit supporting CSIS, the National Security Litigation and Advisory Group (NSLAG). NSIRA therefore examined not only the operational provision of legal advice and the warrant process, but also information management, the use of technology, and related training programs. While the Terms of Reference indicate that the review covers the period of January 1, 2015 to September 30, 2020, NSIRA took into consideration information outside this period in order to fully understand the issues at play.

(U) This report does not revisit the specific circumstances of 2020 FC 616, nor does it conduct a forensic accounting of the events leading to it. From time to time, the report makes observations related to that case in order to contextualize findings. However, this review was intentionally forward-looking, reflecting the fact that CSIS and Justice have introduced (or proposed) reforms since the 2020 decision.

U) In conducting this review, NSIRA relied on both its regular process and confidential interviews. Under its regular protocols, it issued a number of requests for information, reviewed the documents provided, and received briefings from CSIS and Justice. In the case of CSIS, NSIRA also used its direct access to CSIS systems to retrieve information independently. Among other things, NSIRA examined the complete record of a recently filed complex warrant application. Most briefings involved CSIS and Justice managers describing their policies, governance structures, and practices. NSIRA heard about a number of initiatives – some that are planned, others underway or partially implemented, and still others abandoned.

(U) To supplement these briefings, NSIRA adopted an innovative approach to this review by also conducting dozens of confidential interviews with former and current management and staff at all levels from CSIS and Justice. These interviews were conducted in the absence of CSIS or Justice supervisors and without their knowledge. NSIRA conducted these interviews under a strict guarantee that it would protect the identities of those who participated. At the outset, the NSIRA Members leading the review met with both the Director of CSIS and the Deputy Minister of Justice. Following the meeting, both officials encouraged members of their management and staff to participate in confidential, in-person interviews with NSIRA. NSIRA thanks both leaders for their explicit support, including through their internal communications with their employees. NSIRA especially thanks all the individual employees who then participated in these confidential interviews and trusted NSIRA’s promise of anonymity.

(U) In some instances, NSIRA selected individuals to ensure it had full coverage of the warrant process and invited them to participate in a confidential Other interviewees contacted NSIRA and offered to participate. Some interviewees occupied operational positions at CSIS, while others worked on legal and policy matters. Some interviewees had daily exposure to the warrant process, while others had had more episodic exposure to the process. Since NSIRA conducted these interviews with the understanding it would protect the identities of interviewees, NSIRA has drafted this report carefully to honour this undertaking and has not identified interviewees by name or by position revealing their identity.

(U) The individuals who participated in confidential interviews with NSIRA were frank, professional, insightful about their experiences, and open. Interviewees did not come to voice personal grievances, nor were they inclined to defend past practices as ideal. Rather, the interviewees displayed a genuine commitment to their organizations’ mandates and a sincere desire to see positive, lasting change. Where they expressed dissatisfaction, it stemmed from earnestly (and often deeply held) concerns that their organization was falling short of meeting its mandate, and that the warrant process reflected certain organizational shortcomings. These interviews were essential for “ground-truthing” the knowledge NSIRA had gained from documents and formal They also raised issues and perspectives that would otherwise have been unavailable to NSIRA.

(U) NSIRA also consulted external experts on national security, organizational development, and human resources. These conversations contributed to NSIRA’s understanding of the systemic, governance, and cultural issues that often develop in organizations. NSIRA conducted a small number of discussions with foreign counterparts who have dealt with similar issues in the past. In addition, NSIRA consulted with experts who had been, in the past, involved in reviewing similar issues relating to NSIRA is grateful to these experts for their generosity in contributing to this review. All of NSIRA’s discussions with stakeholders external to the Canadian government took place at the unclassified level.

(U) Finally, as part of its standard protocol, NSIRA presented the draft report to both CSIS and Justice for factual accuracy verification. This part of the process provides reviewees with the opportunity to signal factual omissions or errors, if any. At the end of the factual accuracy verification period, the members met with the Deputy Minister of Public Safety and again with the Director of CSIS and the Deputy Minister of Justice. NSIRA thanks them for their time and

When examining the insights of its interviewees and throughout the finalization of this report, NSIRA was alive to the particular challenge of disaggregating legacy issues from contemporary concerns. During briefings and in comments received on the draft report, the departments noted projects, initiatives and reforms either being planned, scheduled for execution, or underway. NSIRA acknowledges the initiatives upon which it was briefed. However, this report focused on ascertaining the existing challenges with the provision of legal advice and the warrants process. NSIRA did not discount existing issues and challenges simply on account of promised (but not yet fully achieved) administrative reforms. NSIRA is confident that the issues described in this report persist as of the second half of 2021. As described at the end of this report, NSIRA intends to undertake a further review in two years’ time to assess progress in implementing the report’s recommendations. At that time, NSIRA will have an opportunity to assess whether any reform initiatives have been successful.

(U) Confidence Caveat: Some of the documents provided by the reviewed institutions have not been independently verified by NSIRA. However, to a large extent, NSIRA was able to verify much of the information relied upon in this review through NSIRA’s own confidential interviews. In addition to this direct access to staff, NSIRA was able to use its direct access to CSIS information repositories to confirm information that it needed to verify and to pursue necessary additional For that reason, NSIRA has a high level of confidence in the information on which it relied to complete this review.

C. Institutional Environment

1. Systemic, Governance and Cultural Issues

(U) In this review, NSIRA makes recommendations on systemic, governance, and cultural issues that contribute to inefficiencies and may threaten the ability of CSIS and Justice to fulfil their mandates.

(U) NSIRA defines “systemic” issues as ones affecting an organization as a whole, in the sense that they are not the consequence of a specific individual or isolated factor. “Governance” refers to the rules, practices and processes by which managers direct and control an organization. Governance addresses three key questions: how are decisions made; who makes the decisions; and who is accountable. Organizational “culture” is the way in which, over time, the members of an organization learn to work in a particular setting by developing a set of shared understandings. These understandings may be based not only on formal policies but also on assumptions and practices that members develop in response to the implicit rules and influences governing their organization.

(U) These three concepts operate together and are interconnected. For example, inadequate governance may be the source of deficiencies in training programs that may prompt increased requests for legal support, which in turn create resource management issues, delays in providing advice, and operational hurdles. These operational challenges may give rise to systemic issues, while imperfect workarounds to these problems may eventually become embedded as cultural practices.

(U) Systemic issues tied to governance and cultural issues may impede CSIS and Justice from fulfilling their mandates, while also meeting their obligation to adhere to the rule of law. In this last respect, Canada is a “rule of law” country. Among other things, the “rule of law” means that the state is subject to, and not above, the law. It only has the powers conferred upon it by law, and any exercise of state power must be traced to a law. Indeed, as discussed next, both CSIS and Justice operate in a highly legalized environment.

(U) The next section will briefly describe the basic legislative and operational framework of both CSIS and Justice.

a) CSIS

(U) The CSIS Act is the statute of Parliament that created CSIS, and confers upon CSIS certain powers to discharge its mandates. The key mandates implicated in this review are security intelligence (or “section 12 investigations”) and foreign intelligence (or “section 16 investigations”). Both of these types of investigations have their own distinct pre-requisites – not least, the conditions that CSIS must meet before it undertakes an investigation and then applies for a warrant under section 21.

(U) CSIS is one of several security organizations found within the portfolio of the Minister of Public Safety and Emergency Preparedness (Minister of Public Safety). CSIS is accountable to this minister, and this minister is in turn responsible to Parliament for CSIS.

(U) The manner in which CSIS discharges its mandates is governed by the CSIS Act and Ministerial Directions issued by the Minister of Public Safety. For instance, in 2015 and 2019, the Minister issued Ministerial Directions addressing issues of accountability. The 2015 Ministerial Direction (2015 MD) for Operations and Accountability states the fundamental principles that guide all of CSIS’s The 2015 MD is premised on the expectation that “the service will perform its duties and functions with due regard for the rule of law…”

(U) Other laws are pertinent to CSIS. Especially relevant for this review are Part VI of the Criminal Code of Canada, which governs the interception of private communications, and section 8 of the Canadian Charter of Rights and Freedoms, which protects the reasonable expectation of privacy against state searches and seizures. CSIS must acquire judicial warrants from the Federal Court before it embarks on investigative techniques that would otherwise violate these laws.

(U) Under the CSIS Act, CSIS is led by a Director who holds the status of deputy head of the organization. The Director performs the leadership function assisted by a team of executives responsible for specific business lines within CSIS, including the Deputy Director Operations (DDO). The DDO is responsible for CSIS’s operations across all active investigations. The CSIS management structure also includes an Assistant Director Legal (ADL), a position occupied by the NSLAG’ Executive Director (discussed below).

(U) CSIS converts legal requirements into administrative processes through Critically, it has struggled to do so. The CSIS operational policy suite has been incomplete and out-of- date for a number of years, a finding noted repeatedly by both NSIRA’s predecessor, SIRC, and by NSIRA. This issue was again pervasive in the course of this review, making it difficult to precisely describe the formal operational policy environment applicable to the warrant acquisition process throughout the period covered by this review. The consequences of this shortcoming are considerable. Policies are the building blocks of any organization. They guidethe conduct of its members from the bottom up to the senior leadership. Without clear policies, employees are likely to devise their own interpretations of how to act and of the limits of their powers, causing confusion and making legal compliance difficult.

b) Justice and NSLAG

(U) The Department of Justice provides legal services to departments and agencies on a broad range of issues across the federal Its mandate is to support the dual roles of the Minister of Justice and the Attorney General of Canada (AG).

(U) The Minister of Justice, as the official legal advisor to Cabinet, is responsible for the general management and direction of the department, and for ensuring that the administration of public affairs is in accordance with the The Minister is responsible for matters related to the federal administration of justice. The Minister exercises political judgment, except when providing legal advice, which must be independent and non-partisan.

(U) The Minister is also ex officio the AG, also referred to as the Chief Law Officer of Canada. The role of the AG is to provide legal advice and legislative services to government departments and agencies, and to conduct litigation on behalf of the government. Importantly, the AG represents the Crown and not individual departments or agencies, and therefore seeks to protect whole-of-government interests. Although departments generally act as the instructing clients, it is the Attorney General’s responsibility to facilitate, with these departments, adherence to the rule of law.

(U) The Deputy Minister (DM) of Justice, who is also the Deputy Attorney General of Canada, manages the work and operations of the department as its most senior public servant. The DM is supported by an Associate Deputy Minister who is entrusted to lead some of Justice’s specialized portfolios. This includes the Public Safety, Defence and Immigration (PSDI) Portfolio which is led by an Assistant Deputy Minister reporting directly to the Associate Deputy Minister.

(U) Justice delivers legal services to federal departments and agencies through a mix of three models, all of which apply to CSIS: (1) specialized centers of expertise, within the department; (2) a network of regional offices located across the country; and (3) dedicated legal service units (LSUs) that are physically located with the departments they advise.

(U) LSU counsel provide day-to-day advice on all issues. LSU counsel may consult or collaborate with counsel from the specialized branches, or at other LSUs as needed. Although co-located with client departments, LSU counsel are Justice employees, and in keeping with the status of the Attorney General, must remain independent from the client.

(U) The National Security Litigation and Advisory Group (NSLAG) is the LSU that supports and advises CSIS. It is located at CSIS headquarters and is part of the PSDI Portfolio. With approximately 50 counsel positions, NSLAG is led by an Executive Director and Senior General Counsel who reports directly to the Assistant DM of PSDI. The two meet every two weeks to discuss NSLAG’s work. The ADM, in turn, must report any matters of concern to the Associate DM.

(U) As mentioned previously, NSLAG’s Executive Director also occupies the position of ADL within the CSIS executive structure, reporting to the Director. Justice described this reporting relationship as functional only. In the ADL role, the head of NSLAG has confidential, bilateral meetings with the CSIS Director, to provide briefings on legal files and discuss issues that arise. This functional reporting relationship to the client co-exists with the formal reporting relationship within While at first glance this functional reporting role might seem to pose a challenge in terms of maintaining full independence from the client, Justice asserts that this structure is not unique to CSIS and does not create concerns regarding client capture.

(U) NSLAG provides both advisory and litigation services to CSIS on its security and intelligence Its advisory work involves matters related to the duties and functions of CSIS, including questions of legal authority, and advice related to the Charter, threat reduction measures, and the application of other legislation to CSIS operations. NSLAG’s litigation work consists mainly of representing CSIS in applications for warrants before the Federal Court and related matters, and representing both CSIS and other government departments and agencies in complaints investigations before NSIRA.

(U) CSIS also receives legal services from the National Security Group (NSG), a specialized legal branch located at Justice’s headquarters. As part of the AG’s National Litigation Sector, NSG leads the litigation of claims related to national security privilege under section 38 of the Canada Evidence Act. Its counsel are security cleared at the Top Secret level. NSG counsel also play a role in the CSIS warrant application process – namely, to conduct an “independent challenge” exercise as part of the internal approval process for warrant NSG’s role as Independent Counsel (IC) in the CSIS warrant application process is discussed in section 4e below.

(U) While the basic legislative and operational framework may seem simple, a closer analysis sheds light on many ongoing issues.

4. Analysis

(U) This review revealed governance and cultural challenges in both CSIS and Justice that contribute to systemic issues in the warrant process, including with respect to the duty of candour. NSIRA’s findings fall within three overarching areas:

  • Justice’s provision of legal advice;
  • CSIS and Justice’s management of the warrant acquisition process; and
  • Investment in people in terms of training.

The report concludes with comments on systemic, governance and cultural issues.

(U) In order to meet its obligations with regard to the rule of law, CSIS must know what the law is. An unwieldy, tardy or indefinite means of ascertaining the lawfulness of activities jeopardizes CSIS’s ability to fulfill its mandate while adhering to the rule of law. This review considered, therefore, the fashion in which Justice (and specifically, NSLAG) provides legal advice to CSIS in performing its mandated activities, and how it has organized itself to do so. NSIRA noted three specific issues: the bureaucratic manner of obtaining advice; its timeliness; and the usefulness of this advice to CSIS in meeting its mandate.

1. Giving Advice to CSIS

(U) CSIS operates in often rapidly evolving and legally challenging environments. Timely, nimble and actionable legal advice is critical. To meet these objectives, Justice has adopted “operating principles”, including a centralized “one-voice” model for delivering legal In this model, Justice counsel are described as speaking “with one voice”, reflecting a desire for uniform and consistent legal advice delivered on behalf of the AG. To this end, Justice seeks consistency in the legal advice provided and the legal positions taken across Justice, to ensure a “whole-of-government” approach. Its advice does not simply reflect the opinion of the assigned legal counsel. Rather, the advice provided has “all of Justice behind [it]”.

(U) The one voice approach responds to a prior era in which many federal government departments hired their own lawyers to provide them with legal These lawyers were not part of Justice. When difficult, cross-governmental legal issues arose, counsel representing the various ministries did not always agree, which would then place the AG in a difficult position in Cabinet. A decision was made to bring all such departmental lawyers together in a common legal service operating under the Justice umbrella.

(U) In support of its one voice approach, Justice now employs a number of tools, including:

  • establishing centers of expertise within Justice to provide consistent, “government-wide” advice, primarily to Legal Services Units, in key areas of public law, such as constitutional law, human rights law, and information and privacy law;
  • maintaining a legal knowledge portal called “Justipedia” to serve as a single, national, searchable repository for all legal opinions from Justice’s services;
  • fostering discussion of legal issues at various committees, such as the national and regional litigation committees and other ad hoc committees;
  • convening working groups to determine legal positions;
  • creating practice groups to exchange and share relevant knowledge; and,
  • applying a common legal risk management (LRM) framework when providing advice to client departments and agencies.

(U) While the premise for the one voice approach is sound, this review has noted some disadvantages in the current implementation of the model in the CSIS context. Importantly, because of the bureaucratic process required to complete a legal opinion, obtaining legal advice can be burdensome, inefficient, and a source of undue delay. Hierarchies in both CSIS and Justice have impeded fluid collaboration between Justice counsel and their CSIS client by limiting counsel’s ability to deliver advice rapidly. The pace of legal advice-receiving from Justice is slower than a CSIS intelligence operation, which leads to the advice not being delivered in a timely manner and in CSIS being [discussion of how collection activities are affected]

(U) In addition to the challenges of timeliness associated with bureaucratic hierarchies, there are also communication challenges associated with the different knowledge base involved in legal analysis versus operational expertise. NSIRA noted several critiques. Interviewees urged that Justice counsel would benefit from a greater understanding of CSIS’s operations. It was suggested that new or junior lawyers could participate in key operational training sessions to gain a better understanding of the CSIS Some discussed current initiatives to cultivate greater understanding between Justice and CSIS, voicing skepticism about their success. For instance, Justice was said to pitch its “lunch and learn” sessions with CSIS at the wrong level, and is too esoteric and theoretical when discussing, for example, section 8 of the Charter. Legal training of CSIS employees conducted by inexperienced counsel was also identified as a problem.

(S/C) These complaints are consistent with a 2018 client feedback survey on CSIS legal advisory That survey measured four dimensions of its service in comparison to those of the overall PSDI Portfolio. The survey found the overall quality of legal advisory services fell slightly below the departmental target, landing in the “moderate” category, with similar ratings from CSIS on the overall accessibility and responsiveness, as well as usefulness of its legal services. The survey results demonstrated satisfaction with legal risk management, which met the target standard. On the issue of timeliness, however, Justice scored poorly. Justice concluded that the survey indicated that CSIS users were, by and large, somewhat unsatisfied with the services provided and that there was room for improvement. Some comments from CSIS consistent with those frequently echoed in the interviews conducted by NSIRA included:

  • “I don’t get the impression that DOJ lawyers working within my organization actually comprehend what we do.”
  • “Responses take too long. Has impact on our operational abilities.”[discussion of how collected activities are affected]
  • “Justice staff were adept at pointing out…legal risks associated with initiatives, but were not adept at providing practical advice to mitigate risk (other than recommending cessation of the initiative)”
  • “There seems to be a lack of coordination.”

(U) The following sections describe more detailed and pointed CSIS preoccupations with the manner by which its officials seek advice from Justice and about the nature of the resulting advice.

a) Obtaining Advice

(U) Barriers to accessing legal advice were a common theme of interviews. CSIS must formally frame its questions as clearly as possible, to avoid “half-baked” inquiries. However, rather than a collaborative process between counsel and CSIS, the conventional advice- seeking system is a formalized, bureaucratic process. Formal advice requests generally appear to be funneled from CSIS investigators and related personnel in the regional offices through their hierarchies, sometimes (but not usually) up to headquarters, and then from there to Justice counsel.

(U) This process, and resource constraints at Justice, contribute to considerable delays, [description on timeline]. Apart from prioritized, urgent requests for legal advice, it can take [timeline] to receive legal advice. In situations involving novel or complex issues, advice may take [timeline].

(U) Once prepared, advice then filters back through the same hierarchy, sometimes never reaching the investigators in its full form. Some interviewees reported concerns about “broken telephones” in which advice requests morphed in their travels through the hierarchy without an iterative process between counsel and the investigators seeking the advice, resulting in legal advice of limited relevance.

(U) Since this conventional process implicates both CSIS and Justice, it can be difficult to ascertain how much of this reported delay stems from Justice’s advice-giving mechanics and how much from CSIS’s own internal bureaucracy. Moreover, statements by interviewees estimating delay in receiving advice are hard to corroborate since NSLAG does not track the time it takes to provide its advice. The absence of such data at Justice raises a separate issue of whether it is in a position to measure progress and improvements stemming from any reform initiative.

 (U) Regardless of precise cause, the lack of clear timely advice has reportedly had considerable impact on CSIS operations. With an increase in electronic communication and information, the need for timely, clear advice on investigative methods has become pivotal. The operational impact is notable: interviewees repeatedly described an [discussion of detrimental effects on operations] that may require legal advice. Managers have reportedly sometimes advised staff to seek alternative solutions where a matter may require legal advice [discussion of detrimental effects on operations]

(U) Clearly, the conventional legal advice process does not adequately support CSIS operations, both in terms of timeliness and relevance.

 (U) In addition to timeliness and relevance, NSIRA heard regular and often related concerns about the nature of the legal advice supplied by NSLAG to CSIS. NSIRA interviewees repeatedly described legal opinions pitched at an esoteric and legalistic level, without sufficient attention to the audience that needs to understand and act on them.

 (U) NSLAG has typically presented its advice as a legal risk assessment, in which NSLAG opines on the risk associated with a specific activity, in accordance with the Justice Legal Risk Management (LRM) Framework, described further below. The style of the resulting advice can be compared to a “traffic light” system, where an activity represents a low legal risk to CSIS (green light); a high legal risk (red light); or, more ambiguously, an intermediate legal risk (yellow light). Yellow light-style responses were reportedly the most common and the most frustrating to consumers of the advice, especially when unaccompanied with discussions of how risk could be mitigated.

(U) In this last respect, CSIS interviewees often described NSLAG opinions as not making efforts to propose alternative and legally sustainable means of arriving at the intended objective. That is, NSLAG reportedly does not always understand CSIS’s objectives, and then provide advice designed to guide CSIS on how it might lawfully meet that objective (if possible). Several CSIS interviewees emphasized the potential value of having Justice assist them by providing advice in the form of a “road map” to how an operation might reach its objective lawfully. They stressed, however, that this road map-style form of advice was not a regular part of the NSLAG advice-giving approach or practice culture. That said, NSIRA also heard that there may now be the beginnings of a shift from the conventional advice-giving approach, as discussed below. Because of the importance NSIRA places on it, this report returns repeatedly to the concept of road map-style advice.

(S) NSIRA heard that in instances where CSIS managers received advice indicating a medium level of risk (yellow light), they often [description within CSIS of an unwillingness to accept risk]. In other instances, managers expressed discomfort with assuming the risk and reportedly forwarded the decision up the hierarchy to diffuse responsibility. Operationally, such delays in decision-making often have detrimental effects on investigations.

(U) As a result, some at CSIS perceive Justice as presenting a road-block. This is not because Justice provides principled and clear positions reflecting the primacy of the rule of law over ill-advised operations, but rather as a result of the bureaucracy at Justice, its perceived operational illiteracy, and its unhelpful approach to communicating legal advice.

(U) There is, however, another dimension to these issues. Justice, and NSLAG especially, face challenges in giving advice to CSIS. Justice is not directly analogous to a private sector law It must perform a public law function tied to the roles of the Minister of Justice and the AG. In giving its legal advice, Justice must be especially attentive to the rule of law and the AG’s role in defending it.

(U) When interacting with its clients, Justice acts merely as an advisor and sees it as its client’s responsibility to make the ultimate decision, informed by the advice given. A factor that may explain Justice’s resistance to go beyond pure legal analysis is that Justice is necessarily wary of a reported tendency by CSIS to recast legal questions in an effort to get different answers. CSIS, it was said, sometimes resists the law as it is, hoping that the law will be what it wants it to be.

(U) Additionally, NSIRA heard that CSIS has not always shared all relevant information with Justice, prompting a degree of mistrust. NSIRA heard of instances in which CSIS provided Justice with partial information, but did not convey the full NSLAG has informed CSIS that to provide the most meaningful legal advice and to better support its operations, counsel need to have “all the facts”, and to be engaged “sooner and deeper”. NSLAG conveyed that earlier and ongoing involvement throughout the stages of an investigation or operation, with participation in CSIS meetings and discussions along the way, would enable counsel to gather facts more naturally, and permit a more nuanced understanding. If there is uncertainty as to the client’s true goals and current situation, it is understandable that Justice lawyers are sometimes reluctant to provide a road map.

(U) The provision of advice on highly classified matters also presents logistical challenges. NSLAG lawyers operate in an environment that may impede easy interaction with other components of Justice, including in the specialized practice groups, where top secret security clearance holders are few and information management systems are not approved for classified information storage. Further, Justice is not well structured to address the range of matters arising in national security, and other units may produce advice that is too late, or unhelpful. Specialized units struggle where they are excluded from relevant classified information, and have sometimes been consulted by NSLAG too late in the advice process. The process by which differences of opinion between these specialized groups and NSLAG are reconciled would appear not to be fully formalized. There are some joint committees, and strong disagreement on a high profile matter could be advanced to the deputy minister. It is unclear how much these processes are leveraged to overcome the identified challenges.

(U) Internal silos at NSLAG between the advisory and litigation wings also play a role. These internal silos were reportedly a contributing factor in the confusion and uncertainty surrounding the omission of information in the warrants in 2020 FC 616. Many of the unlawful activities at issue in that case involved sources and operations for which legal advice had been previously discussed within NSLAG in the advisory branch, where relevant opinions on matters such as crown immunity had been produced. However, warrants counsel reportedly were not always aware of this The breakdown of internal silos is thus essential for the avoidance of such sequences of events in the future.

 (U) Moreover, CSIS’s activities are sufficiently unique and unusual to impose a steep learning curve on counsel. This learning curve manifests itself in several ways. First, NSLAG lawyers must become familiar with the unique and classified CSIS operational environment, something that some interviewees on the CSIS side suggested counsel needed to better understand. Second, novel questions may require careful and collective consideration, ensuring that Justice “speaks with one voice” but also slowing the process of delivering advice.

(U) Finally, Justice cannot easily overcome the inherent uncertainty of some legal issues, and Justice lawyers may often be obliged to voice legal doubt; that is, the unhelpful “yellow light” concept. Legal doubt is anathema in a rule of law system – it is difficult to ask an organization to comply with a law when that law is unknown. The law in national security can be especially unsettled. The sometimes imprecise statutory law applicable to CSIS is rarely subject to judicial interpretation, creating considerable uncertainties. Meanwhile, case law on section 8 of the Charter mostly arises in the criminal law context, and Justice counsel are left to extrapolate from these decisions to the related, but still distinct world of CSIS operations. Often, the sole means to address legal uncertainty is to bring legal questions to the Federal Court through warrant applications.

(U) In sum, national security law is a highly specialized and constantly developing area. Nonetheless, CSIS needs efficient advice, a need that goes to the heart of both CSIS and Justice’s mandates.

2.    Reform Initiatives

This section addresses recent reform initiatives in the delivery of legal services at Justice.

a) NSLAG’s Recent Internal Protocols

(U) Justice told NSIRA that it is aware of the need for change in the organizational culture at NSLAG.A new NSLAG Executive Director took office in January 2020 and, since then, has reportedly participated in senior-level discussions with CSIS on cultural change management. NSLAG noted some resistance to change management within its organization, but reported a generally healthy appetite for change, including with an aim of addressing concerns about information silos.

(U) NSLAG has implemented several new internal procedures addressing internal silos by facilitating awareness among litigation counsel on emerging legal issues on the advisory side (and presumably vice versa). NSLAG has developed its own classified version of Justipedia to assist with knowledge management, with the aim of ensuring consistent legal opinions. NSLAG holds weekly practice group meetings in which participants provide “roundtable” updates on their work. If a practice group is unable to sort out a legal issue, the matter may escalate through several levels of management within NSLAG, to the Executive Director. While these reforms may assist in bridging internal silos, they may not be sufficient. NSLAG must develop a process whereby there is a method to communicate with, or brief warrant counsel where advice has been provided for an operation that subsequently becomes prioritized for a warrant.

(U) Justice sometimes issues practice directions to provide guidance to counsel on certain aspects of their practice. In 2019, Justice issued two practice directions related to the duty of candour in warrant applications. The first specified that warrant applications will not rely on information derived from unlawful activity, and where unlawful activity occurs, it must be brought to the Court’s attention. The second provided guidance on information that must be disclosed to the Court, including whether the human source has engaged in illegal activities, as well as issues that inform the credibility and reliability of a source.

(S/C) On September 22, 2020, Justice issued a practice note to NSLAG counsel [Description of contents of note]

(S) Not all interviewees thought these changes would suffice to address NSLAG’s internal silos, and worried that dots would not be connected between legal advisory opinions and operational legal One suggestion was to ensure that relevant advisory opinions are [IM solution suggested]

(U) Moreover, NSLAG’s range of expertise may not suffice to identify every latent legal issue. In addition, those components of Justice with that capacity may not appreciate the nature of CSIS’s mandate and operations. Some interviewees urged NSLAG’s litigation role needs to be supplemented by working more closely with Justice’s general litigation lawyers in their counsel role,80 requiring that information silos be overcome. NSIRA notes Justice recently implemented tools specific to its national security role. These include a number of DM-level committees that address broad policy and operational matters in national security and which involve other LSUs.

(U) NSIRA observes that Justice’s capacity to anticipate new issues depends on an alert client. Interviewees described an effort to be more proactive, and to raise to the CSIS Director legal issues requiring proactive resolution.  At a minimum, it will be important for the Director to work with Justice and Public Safety Canada to anticipate emerging legal issues, and organize effective means of resolving them.

b) Renewed NSLAG and CSIS Relations

(U) NSLAG acknowledged the need “to do a better job ensuring that the client understands the legal landscape”. It recognized client frustration with the law in some circumstances, since court cases may provide direction that is sometimes confusing in real world situations, including with respect to Charter issues and a person’s reasonable expectation of privacy. Although it does conduct some training for CSIS, NSLAG says it could be doing more outreach and engagement. As part of CSIS’s Project  [Name], discussed further below, NSLAG has indicated the need for more outreach training in both directions, including CSIS providing training for NSLAG.

(U) NSLAG also appears to recognize the desire for a different approach to giving advice, including moving toward road map-style legal advice that works collaboratively and iteratively with CSIS to achieve operational goals within the bounds of the law. NSIRA heard that NSLAG regards this approach as a best practice and is committed to it, although it was not clear at the time of the review how far Justice had moved toward a generalized, road map-style form of advice-giving.

(U) It was clear, however, that Justice generally does not support a solution of “embedded” legal counsel at CSIS regional offices. Justice interviewees regarded embedding as raising risks of client capture and posing challenges for internal staffing and consistency of advice. Instead, Justice and CSIS have recently launched a pilot project in which specific counsel were designated to support CSIS throughout a specific operational ‘mission’.

 (U) Moreover, NSLAG has piloted an “office hours” practice, relying on headquarters-based counsel serving as liaison counsel for the regions. Those regional liaison counsel who currently provide support make themselves available to the regions to receive informal queries. The office hours initiative was conceived as a means of permitting CSIS personnel to put forth “trial balloons” regarding operational possibilities before possibly formulating a request for formal legal advice, which would then be put through the conventional advice request process.

(U) NSIRA also heard that a revamped approach to the giving of advice would require cultural adjustments at both CSIS and Justice. The Justice practice of vetting advice through a hierarchy may be difficult to reconcile with more timely legal involvement. Novel questions may require careful and collective consideration, ensuring that Justice “speaks with one voice” but they will need to be mindful that delay may jeopardize operation or reach a point of uselessness. As noted, short of converting CSIS officers into legal experts, regular and timely access to legal advice is essential to meeting the standards of the rule of law without stymying operations. NSIRA would also note that even formal legal advice will need be geared to the consumer, and thus should avoid legalistic discussions largely meaningless to non-lawyers.

(U) In moving toward such a system, NSLAG will need to avoid client capture in order to meet the Attorney General’s obligation to honour and advance adherence to the rule of law, while also facilitating CSIS’s operational imperatives. A dominant theme of the interviews was the challenge of reconciling the Attorney General’s obligation to maintain the rule of law with client-centered service delivery models giving clear and consistent legal advice to CSIS in the execution of its lawful mandate. Lawyers do not easily reconcile these objectives, and interviewees were of the view that clearer instruction on the role of the AG and codified standards for giving advice were advisable. Thus, NSIRA heard support for the idea that NSLAG should have advisory service standards. Such standards are especially important if, as NSIRA heard, at the more senior levels in Justice, the border between legal advice and policy advice may begin to blur. Some interviewees indicated that at this level, there can be a strong cultural desire to give the client room to maneuver.

(U) For its part, CSIS will need to become more comfortable working closely with legal advisors, and in disclosing the full range of sensitive details needed for Justice counsel to provide useful advice. Generally, CSIS interviewees seemed to welcome the office hours approach, though some noted its usefulness will be dependent on the personality and experience of the counsel, and in any case, it is not a panacea. This reaction highlighted the reservations of some CSIS officers based on past unsatisfactory interactions involving inexperienced counsel.

c) Additional Steps at NSLAG

(U) Justice faces, therefore, the ongoing challenge of giving fearless, timely, consistent and clear legal advice while at the same time developing client-centered service models, in an area (national security) that is a niche, often highly-specialized concern for the department and fraught with legal uncertainties.

(U) In assessing current initiatives in future reviews, NSIRA will be especially concerned with how Justice embraces a road map-style of advice-giving. Based on the information collected for this review, NSIRA believes that useful advice must be offered during operational planning and execution, a prospect that NSIRA expects the pilot project involving an operational mission will explore. Advice should continue as the operation is evolving in response to unforeseen legal matters requiring immediate guidance. Based on its interviews, NSIRA believes the success of this system will depend on a number of features. First, the optimal delivery of legal services must rely on Justice counsel who are sufficiently experienced and attuned to the unique CSIS operating environment. While not embedded in the regions, it seems these counsel will need to be entrusted with the ability to interact directly with CSIS operational clients at all levels, including during live operations, and give advice on routine matters without delay. These counsel will also need to be familiar with Justice’s position on recurring issues so as not to jeopardize the one voice model. To this end, NSLAG would likely benefit from developing a concise reference tool with its position on recurring issues and most common legal authorities invoked and make the tool accessible to counsel to support their real-time advice.

(U) Not every legal issue will be routine. Yet, counsel participating in operational planning should be well positioned to anticipate and articulate more difficult legal issues, and then be responsible for resolving these legal questions in keeping with Justice’s one voice approach. Counsel involved in operational planning should serve as the entry to Justice for matters requiring additional internal consultation at Justice with either their NSLAG colleagues or those in centres of expertise. A counsel fully apprised of operational realities who is able to “case- manage” the provision of advice in this manner may avoid the problems of “broken telephone” and non-responsive legal advice associated with the conventional advice-giving model.

(U) Legal involvement in CSIS activities, as they are being planned and organized, should also allow Justice to provide informal legal nudges that allow CSIS to course-correct before too much time has been spent. Closer legal involvement during the early phases will minimize the need for legal opinions on operations that are late in the development cycle or that are already underway. Put another way, a more iterative process of incorporating legal advice over the full course of an operation could address the reported challenge of operations halted due to untimely or ambiguous legal advice.

(U) Critically, meeting these objectives requires CSIS to invite Justice counsel to sit at the table at all stages of the lifecycle of an operation, and for Justice counsel to be fully and frankly briefed on operational objectives, intent, and details.

d) Broader Department of Justice

(U) Justice has embarked on a “transformational change” initiative, in consultation with clients, to improve how it conducts its work and supports its clients. Launched in 2018, the VISION comprises four pillars: meaningful risk assessments; client-centric strategic partnerships; recognizing and building expertise; and, simplifying the funding model. One of the key priorities includes an overhaul of the existing Legal Risk Management Framework, which Justice has recognized for some time does not effectively communicate risk.

(U) Interviewees made clear that Justice’s manner of characterizing legal risk in the Legal Risk Management (LRM) Framework is not understood in the same way by its lawyers and its clients and is not always regarded as useful even by the lawyers applying it. For instance, something that is “high legal risk” is very likely unlawful under the LRM Framework, but this was not always understood by clients. Justice did not provide NSIRA with the full draft revised LRM Framework as modified in the context of VISION, as it is still under development. Justice did however provide and brief NSIRA on some working LRM documents. On the basis of these materials and briefings, NSIRA believes that two [aspects relating to the LRM Framework] need to be addressed.

(U) First, there will be instances in giving advice where Justice should describe activity not as “high risk”, but simply as unlawful. Certain legal questions can be answered unequivocally, even accounting for the cautious nature of lawyerly advice. In a system based on the rule of law, and given the role of the Attorney General, such questions should be answered in as definitive a manner as possible. That there may be some hypothetical possibility that the activity might not be unlawful does not mean that Justice should fall back only on the language of “high risk”, since this phrase may give a client the impression such activities, while “risky”, are still a viable option for risk-embracing officials. Justice should avoid such situations. Where an activity is very likely unlawful, Justice should tell the client exactly that and describe the consequences of proceeding, rather than simply couch its conclusions in a probabilistic formula.

(S/C) Some interviewees underscored this view in discussions with NSIRA. Further, NSIRA notes that Justice has proposed [discussion of Justice initative]

(S/C) [Discussion of operational aspects and purpose of Justice initative]

(U) In contrast [discussion of an NSIRA perceived gap in Justice initative]. In NSIRA’s view, this approach is [Discussion of NSIRA’s recommended approach to address the identified gap]

(U) Second, NSIRA notes that many of the [description of certain aspects of Justice’s tools] NSIRA regards these considerations as inappropriate,

(U) Justice believes that the draft [discussion of aspects of Justice initative]

(U) Still, without careful mitigation, NSIRA believes that there remains a risk [discussion of a concern relating to Justice initative]

(U) In sum, based on the role of the AG in advancing the rule of law, [discussion of a standard to address the identified concern in the Justice initative] In future reviews implicating Justice’s legal advice, NSIRA will be attentive to whether advice meets this standard.

Finding no. 1: NSIRA finds that the legal advice-seeking and giving process, and resource constraints at NSLAG, contribute to considerable delays, [description of timeline]

Finding no. 2: NSIRA finds that Justice legal opinions have sometimes been prepared without sufficient attention to the audience that needs to understand and act on them. Opinions have been focused on assessing legal risk, often late in the development of a CSIS activity, with limited effort made to propose alternative and legally sustainable means of arriving at the intended objective.

Finding no. 3: NSIRA finds that the Justice Legal Risk Management Framework is misunderstood at the working level at CSIS and that it does not provide an appropriate framework for the unequivocal communication of unlawful conduct to CSIS.

Finding no. 4: NSIRA finds that difficulties in acquiring prompt and relevant legal advice have contributed to the [discussion of the detrimental effects on and risks to operations] that may require legal advice. In consequence, the manner in which Justice has provided legal advice to CSIS does not always meet the needs of CSIS operations.

Finding 5: NSIRA finds that Justice does not generate the necessary business analytics to track its service delivery performance to CSIS.

Finding no. 6: NSIRA finds that Justice has acknowledged that internal silos at NSLAG between the advisory and litigation wings have sometimes left warrant counsel unaware of emerging legal issues and that Justice has taken steps to resolve these issues.

Finding no. 7: NSIRA finds that Justice has committed to improve its advice giving to CSIS, including moving toward “road map” style legal advice that involves working collaboratively and iteratively with CSIS to achieve operational goals within the bounds of the law.

Finding no. 8: NSIRA finds that CSIS has not always shared all relevant information with NSLAG, prompting a degree of mistrust and limiting Justice’s ability to provide responsive legal advice.

In view of these findings, NSIRA recommends that:

(U) Recommendation no. 1: Justice pursue its commitment to reforming the manner of providing legal advice to CSIS, and its stated commitment to “road- map” style advice as a best practice. In support of this objective and the provision of timely, operationally relevant advice, NSIRA further recommends that Justice implement the following:

  • Whether through an expanded office hours or liaison counsel program or otherwise, NSLAG must develop a legal support service operating full time, staffed by experienced lawyers empowered to provide operational advice in real time on which CSIS officers can rely, on the basis of settled Justice positions on recurring legal issues, accessible directly to CSIS officers across all regional offices and at all levels.
  • NSLAG develop a concise reference tool with its position on recurring issues and most common legal authorities invoked and make the tool accessible to counsel to support their real-time advice.
  • To minimize the need to resort to the formalized legal advice-seeking process, NSLAG (in coordination with CSIS) must involve counsel with CSIS officers at the early stage of the planning of key or novel operations and throughout their entire operational lifecycle to case manage an iterative legal guidance process.

(U) Recommendation no. 2: NSLAG (in coordination with CSIS) develop Key Performance Indicators to measure the delivery of legal services to CSIS.

(U) Recommendation no. 3: CSIS and Justice include in their training programs interactive scenario-based training developing the operational intelligence activities expertise of NSLAG counsel and the legal knowledge of CSIS operational staff.

(U) Recommendation no. 4: To ensure Justice is able to give meaningful and responsive legal advice as recommended in recommendation #1, that CSIS invite Justice counsel to sit at the table at all stages of the lifecycle of key and novel operations, and that it fully and frankly brief counsel on operational objectives, intent, and details.

(U) Recommendation no. 5: Justice’s advice giving must clearly and unequivocally communicate advice on the unlawfulness of client conduct, whether criminal or otherwise.

B. Warrant Process

(U) While the preceding section dealt with issues related to the provision of legal advice in the course of all of CSIS operations, the current warrant process is fraught with its own problems, as illustrated by numerous Federal Court decisions.

(U) Warrants are critical to CSIS’s success as an intelligence service. [Discussion of prior internal review]“The information obtained through their execution is the Service’s lifeblood”. At the same time, another, more recent review concluded that for many within CSIS, the warrant process is regarded as a “necessary evil” on account of its onerousness. This section examines the “warrants life cycle”, from prioritization to execution, in order to identify and assess the underlying factors that have made CSIS’s warrant process cumbersome.

(U) Section 21 of the CSIS Act provides the basic rules for warrant applications. If CSIS believes on reasonable grounds that a warrant is required to enable it to investigate a threat to the security of Canada (or collect foreign intelligence for section.16 purposes), it may, with the approval of the Minister, make an application to the Federal Court for a warrant. The affidavit supporting the application must provide the supporting facts demonstrating the reasonable grounds to believe that a warrant is needed to investigate the threat.

(U) In practice, CSIS organizes the process of seeking a warrant around a system of internal preparation and approvals before proceeding to the statutory step of seeking ministerial approval of the warrant application. In order to understand fully the warrant process, NSIRA has broken it down into several stages of a larger “warrant lifecycle”, each of which are discussed below.

(U) A number of legal concepts and expectations enter into the warrant process, including, in particular, the “duty of candour” owed to the Court. As noted, warrant proceedings are conducted in the absence of the target and are closed to the public in order to protect the covert nature of a search. To compensate, however, for the one-sided nature of such proceedings, courts (and the law societies that regulate the legal profession) impose elevated obligations of candour on the lawyers and party appearing before the court, also known as a duty of utmost good faith. The evidence presented by the party “must be complete and thorough and no relevant information adverse to the interest of the party must be withheld.” In consequence, the party must “conduct a thorough review of the information in its possession and make representations based on all of the information including that which is unfavourable to their case.”

(U) The concept of “materiality” guides which facts must be disclosed to the court. Thus, in CSIS warrant applications, CSIS “must present all material facts, favourable or otherwise”. “Materiality” simply means a fact relevant to an issue in the case. For CSIS warrants, “information is material if it is relevant to the determination a judge must make in deciding whether or not to issue a warrant, and if so, on what terms.” For instance, a material fact is one that is relevant to “the belief, on reasonable grounds, that a warrant… is required to enable” CSIS to investigate a threat to the security of Canada.

(U) The Federal Court has held, however, that materiality extends beyond facts relevant to the factors expressly listed in section 21 of the CSIS Act. For instance, materiality reaches “information about the broader framework in which applications for the issuance of CSIS Act warrants are brought”. This means the duty of candour includes information that is “material to the judicial exercise of discretion” to issue a warrant. It includes the flagging of “legal issues that could be of concern to the Court”. Legal issues do not, however, exhaust this broader category of materiality, as it also reaches disclosure of CSIS’s precise conduct under a warrant that may influence the Court’s exercise of discretion.

(U) This broader category of “material to the exercise of discretion” relates to the especially important role of the Federal Court as the primary source of independent control over CSIS activities conducted under warrant. Unlike a police warrant, which may be retrospectively scrutinized by a second judge in adversarial proceedings if a police investigation culminates in a prosecution, the Federal Court judge is often the only judge who ever examines a CSIS warrant. The target of the warrant or the broader public will usually never know the CSIS activities conducted under the authority of that warrant. In this context, the Federal Court has signaled a redoubled urgency to meeting a broad duty of candour.

(U) It is clear, however, from our interviews, that the broad conception of materiality has led to doubt and confusion within NSLAG and thus within CSIS. Those interviewees who addressed the issue appeared to agree that Federal Court candour concerns now fit into (at minimum) two categories, which we define as “material to credibility”, and “material to matters of potential concern”. NSIRA defines these categories as follows:

  • Material to Credibility: Facts relevant to an express statutory threshold that the court is asked to assess, most notably the statutory standards judges consider in issuing warrants. This category includes, especially, information that goes to the credibility of the sources whose information supports the warrant application.
  • Material to Matters of Potential Concern: Facts or legal issues concerning those aspects of the CSIS activity that might be unusual (or unanticipated) and that a judge will wish to know in exercising their discretion to issue a warrant and in imposing associated conditions. This category includes, for example, a failure to disclose tradecraft conducted to gather information supporting the warrant that may constitute illegal activity, the failure to disclose conduct under a warrant that might result in information sharing with other agencies, potentially imperiling the target, or circumstances in which the warrant will be implemented and that may not be obvious in the application.

(U) The first category of materiality should be well understood by CSIS and its lawyers. The contours of the second category are not as easily determined and require careful consideration by Justice counsel, assisted by a professional cadre of affiants who reach out to regions to determine how warrants will be executed.

2. Historical Initiatives

(U) As outlined in Annex A, incidents concerning CSIS’s observance of its duty of candour are almost as old as CSIS. Following each failure, CSIS Directors promised reforms. CSIS introduced new policies, but problems recurred. In other words, repeatedly, progress has been made on paper, but without genuinely correcting the underlying problems. CSIS appears to have a long history of quick reforms, followed by neglect, high turnover of personnel leading to a loss of institutional knowledge, and resourcing that did not match stated priorities. Some interviewees described reforms as typically focused on the minutiae of process rather than on achieving measurable outcomes. CSIS does not track or measure the success of past reforms. In the eyes of some, CSIS reforms often represented “band-aid” solutions rather than attempts to get to the core of issues, and often resulted in the creation of new bureaucracy. In NSIRA’s view, CSIS’s chief challenge is to break this cycle.

Finding no. 9: NSIRA finds that CSIS has a history of quick reforms, followed by neglect, high turnover of personnel leading to a loss of institutional knowledge, and resourcing that did not match stated priorities. CSIS does not track or measure the outcome of past reforms adequately and has no performance metrics for assessing success.

3. Description of the Warrant Process

(U) NSIRA notes that even determining how the warrants process works presents Internally, warrant requirements are not adequately codified in applicable policy. CSIS policies have not kept pace with operational reality, as they are often vague, dated, overlapping and contradictory. The gap in policy was evident when examining the warrants policies, which were last updated in 2018 prior to the warrant process undergoing substantial changes, including the implementation of the Affiant Unit (AU) in 2019. Given these issues, a basic question that arises is whether those CSIS officers conducting investigations are sufficiently attuned to when the law requires a warrant.

(U) NSIRA heard that there is a clear threshold for when a warrant process must typically be initiated for well-established collection techniques. However, absent clear policy, there was more legal doubt when at issue was the use of novel technologies with uncertain legal ramifications and requirements.

a) Prioritization of Investigations for Warrants

(U) Once a region or desk has identified the need for a warrant, the first step in the process is the internal prioritization at CSIS of a target case file or investigation for a warrant application. In practice, this prioritization amounts to a system of triage, assigning limited warrant application resources to specific files. However, it was evident to NSIRA that CSIS employees involved in the warrants process had little to no common understanding regarding the process or basis on which a warrant is prioritized. Even senior officials in the CSIS hierarchy regarded the prioritization process as a mystery.

(U) NSIRA heard that headquarters prioritization standards remain a work in progress, and sometimes a struggle among competing interests. The DDO meets weekly with a number of CSIS executives to discuss the investigations requesting a warrant and the possible operational, legal or process developments that could affect priorities for decision-making on warrants prioritization.  While NSIRA was informed that there is a record of decision produced after each prioritization meeting, it remains unclear what criteria are used to prioritize a warrant. Some information suggested prioritization has focused on security-related issues. Others speculated that prioritization also considered the perceived amount of work, availability of lawyers and affiants, and how long it would be until current warrant powers expired and needed renewal. Frequent shifts in this process of prioritization have reportedly produced situations where a warrant process starts and stops several times, wasting precious time and adding to operational uncertainty.

(U) Given the complexity and lack of clarity of the prioritization process, it has been very difficult to bring novel issues to the Court with the goal of addressing legal ambiguities through court decisions. NSIRA heard about activities that [discussion of detrimental effects on operations] over unresolved questions of law that could have been addressed by the Court. There appeared to be agreement among our interviewees that more matters should be taken to court – and whenever in doubt, seek a warrant.

(U) Given the current situation, however, NSIRA’s impression is that for CSIS to take a legal issue to Court likely requires the combination of a high priority investigation and the existence of just the right real-world scenario to illustrate the legal issue. Of course, any attempt to resolve legal uncertainty runs the risk of obtaining a legal ruling that constrains rather than empowers investigations. NSIRA heard from some interviewees that there may be a reluctance to take issues to court as there is always a risk of obtaining the “wrong answer”.

Finding no. 10: NSIRA finds that CSIS policies have not kept pace with operational reality, as they are often vague, dated, overlapping and contradictory. The absence of clear policy creates legal doubt or concerns, and gives rise to disparate interpretations of legal and operational standards.

Finding no. 11: NSIRA finds that there is little common understanding regarding the process or basis on which a warrant is prioritized. Frequent shifts in this process of prioritization have added to operational uncertainty. The prioritization process has made it very difficult to bring novel issues to the Court with the goal of addressing legal ambiguities through court decisions.

Recommendation no. 6: NSIRA recommends that CSIS adopt, and share internally, clear criteria for the warrant prioritization process.

b) The Complexity of the Warrant Acquisition Process

(S/C) Once CSIS decides to prioritize a warrant application for an investigation/case, CSIS begins the warrant acquisition process. This process has always been lengthy and bureaucratic. In 1992, the Honourable George Addy reviewed the CSIS warrant process and reported [number] steps spanning a total of [number] and involving from [number] people. Approximately [number] people knew the identity of the target before the warrant was issued, seemingly undercutting the “need to know” principle. George Addy commented adversely on the length of the warrant process. He wrote: “[w]hatever procedures might finally be decided upon, it is of paramount importance that, from the moment the decision to initiate the process is taken, the time required to obtain a warrant should never exceed [timeline], as an absolute maximum.”

(S/C) Yet, [discussion of prior internal review]

(S) At present, according to the documents provided to NSIRA, the process involves [Number] administrative steps in a security intelligence warrant request, [Number] which are internal to CSIS and Justice prior to the application’s filing at the Federal Court. For a foreign intelligence warrant, there [Number] steps. The timetable for the renewal of a security intelligence warrant anticipates a process of [Number] working days, or [timeline] (Annex B). The process involves  committees or units within CSIS (and possibly more if the warrant implicates more than one region), NSLAG, and Public Safety Canada. At least [Number] CSIS managers are named in the process, as are [Number] Justice employees and the Minister and Deputy Minister of Public Safety.

(U) NSIRA was unable to find any one person who could describe precisely the rationale of each of these [multiple] of steps in the overarching scheme; even those close to the process were not always sure what role each approval step played. Few of the steps are mandated by law, but rather they appear to have accrued over time despite repeated efforts at streamlining. Some steps appear to reflect older reform efforts triggered by concerns over compliance, not least with the duty of candour. And yet, as noted at the outset of this review, the candour issues at CSIS persist.

(U) In sum, the warrant process appears to be caught in a vicious cycle whereby duty of candour failures (or the fear of prospective failures) cause CSIS to add more bureaucratic fixes, which complicate an already lengthy and inefficient process without actually resolving the underlying issues that led to the duty of candour failures in the first place. Indeed, as discussed below, the complexity of the warrant process appears itself to contribute to CSIS’s candour issues. CSIS and Justice must break this cycle. A description of how best to do this will first require further discussion of the warrant process itself.

c) The Key Steps in the Process

(U) CSIS maintains five categories of warrant applications, the most common of which are new warrants, replacement of existing warrants159, and supplemental warrants. Each category has its initiating procedures.160 In all applications, the relevant desk at headquarters and the implicated CSIS operational region conducting the investigation prepare a [content of document]. Together, the [number] documents detail the threat, the targets, and set out the investigative powers CSIS proposes to use. Once approved, CSIS sends the [document] to NSLAG for a “threshold” determination; i.e., an assessment of whether there are reasonable grounds to believe that a warrant is required to investigate the threat. If NSLAG concludes that the proposed targets meet the threshold, then development of the rest of the warrant application begins. The key contributors to this process are the Affiant Unit, NSLAG and the Warrant Administration Unit.

(U) The Affiant Unit (with the advice and legal support of NSLAG) is responsible for preparing the affidavit used in support of the warrant application. The affidavit is the affiant’s sworn written testimony and includes a range of information required pursuant to section 21 of the CSIS Act. The affidavit is often laid out as follows.

  • Part 1 – Introduction: this section outlines the affiant’s work experience and introduces the sources of information and the exhibits used in the application.
  • Part 2 – The threat: this section provides information regarding the broader threat and how it relates to CSIS’s investigation and the specific list of target(s).
  • Part 3 – The subjects of the investigation: this section includes a thorough explanation of the threat posed by each target, based on information from human sources and other operational reporting.
  • Part 4 – Powers sought: this section describes the non-warranted (that is pre- or without the need for a warrant) investigative techniques used in the investigation thus far, as well as the powers requested in the application.
  • Part 5 – Other matters: this section includes the duration for which the warrant is sought as well as the required consultation with the Deputy Minister and Minister as per subsections 7(2) and 21(1) of the CSIS Act.

(S) The affidavit will also include a number of exhibits, the most important of which are the human source précis and the foreign agency précis. The human source précis is a summary of information from CSIS’s files that allows the court to assess the reliability and credibility of the human source without revealing the source’s identity. It comprises information pertaining to the source’s relationship with CSIS, [description of information] and motivation. The précis will also include a corroboration table used to support the source information contained in the affidavit. Where the application relies on information supplied by a foreign agency, the foreign agency précis includes background information regarding the mandate of that agency, the agency’s history with CSIS, and whether the information relied upon in the application may have been obtained as a result of mistreatment.

(U) Once approved and reviewed in keeping with several additional steps, including the Independent Counsel vetting discussed below, the application goes before the Warrant Review Committee (WRC) for approval. The committee comprises senior members of CSIS and the department of Public Safety Canada as well as observers from other government agencies such as CSE and the RCMP. At the WRC, the affiant provides a brief overview of the investigation, the application is discussed, and a decision is made regarding whether to proceed with the application, and if so, what changes are required. The application is then submitted to Public Safety Canada, where it is reviewed and passed to the Minister accompanied by a summary and advice as to whether the Minister should approve the application. Once approved, Justice files the warrant application package in court on behalf of CSIS.

4. Observations on the Warrant Process

a) A Lengthy, Bureaucratic Process

(U) The complexity of the CSIS warrant acquisition process is quite unlike the manner in which the police obtain their search warrants. The length of the process itself can pose operational risks, [it may affect the warrant].

(U) There are reasons why CSIS warrants are more administratively burdensome. Unlike police investigations, CSIS investigations rarely produce evidence culminating in criminal proceedings in court. They thus lack the prospect of retrospective challenge by a party with a vested interest in testing the propriety of the warrant. The safeguards in the CSIS warrant context are therefore prospective, and properly include a careful bureaucratic vetting, as well as executive control exercised by the Minister of Public Safety and judicial control by the Federal Certain steps, such as the Warrant Review Committee, discussed further below, are therefore desirable. However, beyond a certain point, more steps does not correlate with better quality. Indeed, NSIRA observed that many of the steps in the warrant process amount to a series of minor tweaks and clerical changes of limited importance to an application that often becomes an exercise in ‘drafting by committee’. What the proliferation of steps has done, however, is to create a process widely regarded as slow and unwieldy, with no clear lines of accountability.

(U) For many of our interviewees, the process had the following features:

  • Lack of clear accountability due to the proliferation of approvals: Some interviewees described the multiplicity of approvals as a symptom of a broader CSIS culture in which responsibility is diffused, ensuring that the locus of responsibility is never clear. Put more strongly, some interviewees saw the proliferation of approvals as reflective of a risk-averse culture in which officials employ a ‘safety in numbers’ approach to decisions and sign-offs. In this model, no individual is personally accountable; rather, accountability is diffused throughout the institution. Senior management disputed this characterization noting their support for the concept of shared accountability through approvals. Even so, there did not appear to be disagreement that accountability could be better defined.
  • Privileging sign-offs over substance: The long list of approvals over the course of the warrant process consume time; each level of approval means a pause in the work, meaning that the time available to do the substantive work of preparing the warrant application is often squeezed. Since it is not always clear what function each step performs, it is difficult to disaggregate substantive steps from various forms of managerial review, approval and vetting. However, by NSIRA’s estimate, only [timeline] associated with a warrant (renewal) application involve core substantive work. Many interviewees across varying levels favoured prioritizing time spent on preparation over that spent on managerial approvals. Although recent attempts to streamline the process have resulted in several steps being conducted concurrently, there is little indication that the time saved was reallocated to the preparation of the most complex portions of the application, such as the human source précis.
  • A process of black boxes: The warrant process involves a large number of people. Officials implicated at each stage often seemed unfamiliar with decisions made at other stages or the rationales for these decisions. Put another way, each official understood their piece of the puzzle, but had little sense of how the various pieces fit together. There appeared to be few (if any) regular feedback loops, in which explanations for decisions made at one level filtered back to other levels. This tendency to keep information ‘siloed’ meant that many employees felt that their knowledge of the warrant process was not as good as it should have been and wanted greater visibility on the process as a whole.
  • Lack of regional involvement: The ‘silo’ or ‘black box’ approach is most galling to the regional investigators. Even though the warrant requests originate from the regions and are made to support regional investigations, operational officials in the regions often have a very limited role in the warrant process. Some requests move forward and others do not, but it is not clear why. When warrants come up for renewal, NSIRA was told that headquarters has not typically sought input from the regions on new collection techniques, and that regions have struggled to obtain modifications in subsequent iterations of warrants to ensure that the warrant reflects operational needs. Interviewees regularly advanced the argument for feedback to and closer engagement with the regions (including on technical matters) throughout the warrant application. The region is best placed to flag issues of concern with the investigation and the sources involved, issues that could be important to the Court. To this end, NSIRA notes that the affidavit and source précis should be regularly shared with the source handler in the region. Likewise, the region should be consulted throughout the warrant application process, and should be represented at the Warrant Review Committee.
  • Excessive warrant scope and scale: One matter of concern was the sheer length of some of the affidavits CSIS has put forward in support of warrant applications. This was most pronounced in [type] warrants where requests are made in support of multiple investigations under one application. A related issue is CSIS’s tendency to include requests for a wide range of investigative techniques, regardless of whether there was an actual plan to employ them. This appears to be done on the theory that it was prudent to seek all possible powers rather than risk needing to return to court later on – particularly given the amount of time that such a process would involve. An alternative approach is more targeted and streamlined warrant applications, done in greater number and on a predictable annual schedule. This reform was repeatedly favoured in our interviews. Of course, this approach will only succeed if a higher number of warrant applications does not produce more warrant applications of the same length and complexity of the [type] warrants. If the administrative burden of approvals associated with the present system is applied to more warrants, it seems unlikely the system will work. That is, this reform may only succeed by relaxing what was described to us as a “one size fits all” approach to warrant applications, with length and complexity unconnected to the scale or degree of intrusiveness of the techniques at issue.

(U) NSIRA is therefore of the view that there are significant changes that CSIS could make that would materially improve the quality of warrant applications. NSIRA does not think that the bureaucratization of the CSIS warrant process as described above has improved matters; on the contrary, the lack of clear accountability, lack of internal communication, and excessive complexity have all contributed to the problems facing the process. NSIRA agrees fully with the view that time should be reallocated to those stages that make for a better warrant, including regular engagement with the regions.

(U) The warrant process should not be mired in steps that amount to the shuffling of paper between desks. These should either be eliminated, or conducted concurrently with more substantively meaningful steps, avoiding the reality or perception of pro forma involvement by officials who lack a clear and manifest need for involvement in the warrants process. Put another way, where there are steps that do not make a significant contribution to a more accurate application, CSIS should eliminate them.

Finding no.12: NSIRA finds that the actors involved in the warrant process do not have a common understanding of the rationale for each of the [multiple] steps in the overarching warrant application scheme and are not always sure what role each approval step plays.

Finding no. 13: NSIRA finds that the proliferation of process in seeking warrants has created a system of diluted accountability widely regarded as slow and unwieldy, with delays caused by multiple levels of approval.

Finding 14: NSIRA finds there is no regular feedback process in which explanations for warrant-related decisions made at one level filter back to other levels. The absence of feedback is especially acute for the regional investigators.

Finding 15: NSIRA finds that often, the sole means to address legal uncertainty is to bring legal questions to the Federal Court through warrant applications. In consequence, an unwieldy warrant process makes resolution of legal doubt more difficult.

In view of these findings, with respect to the warrant process, NSIRA recommends that:

Recommendation no. 7: CSIS establish a new warrant process eliminating steps that do not make a significant contribution to a more accurate application. The process should assign clear lines of responsibility for the production of accurate applications. The reformed system should ensure that delays associated with managerial approvals are minimized, and that time is reallocated to those steps contributing to the preparation of the accurate applications.

Recommendation no. 8: CSIS integrate the regional stakeholders (including the implicated investigators) at every key milestone of the warrants process.

Recommendation no. 9: CSIS adopt policies and procedures governing the reformed warrant process that clearly outlines the roles and responsibilities of each participant and the objective of each step in the warrant process and that these policies be kept current as the process evolves.

b) Incomplete Knowledge Management in the Regions

(U) When discussing the warrant process, NSIRA often asked who should be responsible for the accuracy and completeness of the warrant application. There are two clear points of responsibility. First, staff in the regional offices conducting investigations are responsible for feeding complete, correct and appropriately contextualized information into the warrant production process. Second, the individual most responsible for the final product is the affiant, whose sworn affidavit supports the warrant application and supplies the factual basis permitting the Court to conclude that the legal requirements for the issuance of a warrant have been met. After all, if there is to be a duty of candour failure, it will be because of an inadequate affidavit. Meeting these obligations is, however, unnecessarily difficult for both the regions and the affiant, for the reasons below.

(U) CSIS warrant applications often depend on information collected from confidential human sources. As discussed above, the reliability of this information – and the credibility of the source – constitute key material facts in warrant applications. A failure to apprise the court of information relating to credibility is a clear violation of the duty of candour.

(U) As noted, source information appears in the warrant application through the source précis and affidavit. The source précis and affidavit, in turn, stem from information that was originally collected by the regions, which handle human sources. In practice, therefore, the affidavit is no better than the quality of the information provided by the regions. If that information is incomplete, none of the [multiple] steps in the CSIS warrant acquisition process can compensate. Notably, omissions regarding human sources have occurred repeatedly in the past. This report calls this the “recurring omissions” problem.

i. Misunderstanding Concepts

(U) NSIRA detected several factors that heighten the risk that regions will omit information material to the warrant application. Indeed, some duty of candour breaches seem to be explained by these factors.

(U) NSIRA was told that police learn how to piece together a narrative that “shows their work”, and police informant handlers also are generally familiar with credibility and candour issues. CSIS is not culturally attuned to this same standard, despite the importance of the legal expectations it must meet. Indeed, CSIS officers, when writing intelligence reports, are trained to dissociate the substance of the intelligence from its provenance, in order to allow the resulting reporting to be disseminated to clients in government without permitting readers to infer the identity of sources.

(U) Indeed, there seems to be a disconnect between CSIS’s traditional understanding of reliability for intelligence purposes, and the broader concept of credibility for legal purposes. Intelligence reliability is based on the source’s track record as corroborated by other sources of information. Credibility, however, may depend on more information about the sources themselves, including their personal conduct and disposition. CSIS source handlers may, however, be inclined culturally to invest [ description of relationship between source handler and source ].  Moreover, NSIRA heard repeatedly that CSIS officers involved in the early stages of warrant preparation do not clearly understand the legal expectations associated with the duty of candour.

(U) For these reasons, it has sometimes not occurred to these officers that conduct exhibited by the source –   [example of source conduct]  – may constitute material information important to a court in assessing the credibility of that source. CSIS may have long ago noted these issues, but nonetheless concluded that the source’s reporting was generally accurate. Thereafter, officers may not realize that it is vital to put all such context before the Court. Officers may also misunderstand the implications of source shortcomings for the Court, fearing that their sources’ information will be discounted because of personal shortcomings. In fact, the Court has understood that a source’s moral shortcomings alone do not mean that the source cannot be believed; judges do not assume that sources in national security investigations will always be upstanding citizens, any more than they do in police organized crime investigations. This was recently reiterated by the Court, noting that “the fact that human sources live what some would consider unsavoury lives is something to be expected when assessing human source information provided in the context of a CSIS Act warrant application”.

(S) Under the current CSIS procedure on Human Source [name of procedure] every CSIS human source is assigned a a brief and standardized description of [Discussion of human source issues, including reliability and credibility]

(U) The role of a judge in issuing a warrant is different. The judge must independently conclude that the information before them is reliable. In conducting this independent assessment, the judge must have all of the information they need to be satisfied that the source of the information is reliable and credible, even if CSIS believes that the information is accurate. The Federal Court recently noted that:
“Judges of this Court expect a Human Source Précis to bring to their attention all information known to the Service that might be relevant to the Court’s assessment of the credibility or reliability of a human source. The Service must provide the Federal Court with a relevant and full picture concerning the credibility and reliability of a human source. This Human Source Précis must be relevant, full and complete if the Service is to comply with the duty of candour. The Service employee must not pull punches, conceal information, or convey half-truths, nor may he or she bring false or misleading information to the Court.”

(U) To this end, CSIS’s own assessment of a source’s reliability may be relevant but it is not for the Court to take it on faith. The best analogy presented to NSIRA was this: the affidavit must “show CSIS’s work” just as a math student shows the full calculation in computing an answer through long division. That is, the affidavit must contain the full range of considerations relevant to a source’s credibility, and then explain why CSIS considers the source’s information reliable. The judge can then make their own assessment, and not simply depend on CSIS’s pre-existing conclusion. Asserting that conclusion without “showing the work” and articulating the range of considerations tied to credibility amounts to a failure to be candid, particularly when CSIS has concluded that a source is reliable despite certain factors that, on their own, could give rise to doubts about the source’s credibility. NSIRA believes this analogy to be a helpful one so long as “showing CSIS’s work” includes the full range of information material to the issuance of the warrant, a point to which we return below.

(U) In summary, to avoid “recurring omissions” before the Court, CSIS must internalize a clearer understanding of the Court’s This is particularly crucial amongst those involved in the preparation of warrants, including source handlers compiling the initial information.

ii. Information Management Struggles

(S) Even if CSIS officers were fully conscious of the scope of the concept of candour to the Court, the way in which CSIS manages its information would likely still give rise to recurring omissions. In its interviews, NSIRA heard that CSIS’s management of information related to human sources creates problems. [Discussion of IM issues]

(S) Information is often situated in the (changing and variable) institutional memory of source handlers. [Discussion of IM issues] Any institutional knowledge not archived properly is lost, as Intelligence Officers (IOs) are rotated regularly under CSIS’s human resources model.

(S) Since source-related information [discussion of IM issues] the review process can be laborious. When connected to the first factor noted above – a limited understanding by CSIS officers of legal materiality – mistakes are inevitable. Moreover, as operational reports written by handlers are sent through a hierarchal chain of approval, there is no method of tracking any changes made by supervisors to the handler’s report, making it difficult to identify the origin of a problem should it arise.

iii. Fixing the Recurring Omissions Problem

(U) CSIS and NSLAG are alive to these problems. They have conducted more training on the need for adequate documentation in order to fulfill the duty of candour obligations to the Court. Justice counsel have more access now than in the past to source materials. Indeed, in the short term, in some cases, they have responded to the recurring omissions problem by involving warrant counsel directly in the review of source files. Counsel auditing of source files is, however, resource intensive and arguably displaces a responsibility for source information preparation that properly lies with CSIS itself. It is the affiant, working with the regions, who should guarantee and be answerable for the accuracy of the source information, not counsel.

(S) More generally, CSIS should ensure that source handlers are assiduous in documenting information going to credibility, no matter how seemingly unimportant. The lack of adequate documentation was a key finding in the Rosenberg report, an independent review commissioned following a breach of the duty of candour to the court. In response to it, CSIS set up Project [Name]. Its main objective was to encourage better documentation of the full picture of intelligence and operational activity with the goal of improving operational effectiveness. One identified quick win now associated with [Name] was the regional roll out of [discussion of an information gathering tool] NSIRA was advised that this approach is being prioritized for sources whose information supports active warrants.

(S) NSIRA heard, however, that completing [information gathering tool] is a considerable task, requiring a comprehensive and thorough review [requirements of the information gathering tool]. Furthermore, NSIRA heard there is a certain level of frustration by source handlers at the implementation of this stand-alone requirement rather than building on preexisting [category of] documents, [examples of preexisting documents]

(S) Indeed, CSIS acknowledges that it designed [information gathering tool] to be a temporary tool to address and mitigate the larger recurring omissions problem. One of the long-term goals of Project [Name] is to develop a system [objectives of the system] It is unclear if this system will be stand-alone, integrated into preexisting systems, or developed as part of a planned [Name] , designed to consolidate all the administrative processes and workflows required to manage a case and document its progression. The [Name] is due to be partially implemented [timeline] while the proposed [Name] human source information system appeared to be aspirational and only at the early stages of identifying a possible solution. This is unfortunate, as the [info.tool] represents a “band-aid” solution to issues that, in the long run, would be better addressed by deeper improvements to the management of human source information.

(S) Even setting aside longer-term considerations, a [info. gathering tool] process is not a panacea. For one thing, the [info. gathering tool] is only as good as the person completing it. Until recently, there was no formal [info. tool] training for source handlers. More than a year after it was implemented, CSIS’s Learning and Development Branch was unaware of the [info gathering] tool. Furthermore, it should be possible to audit the responses provided in the [info. gathering tool] In the past, prior to the creation of the Affiant Unit (AU), the facting was formally reviewed by the [name of branch and positions conducting review]. Only [postion] had access to the full range of human source information, however, as verification was considered a “side of desk” task. Now, the AU has access to the human source files and NSIRA was told it reviews the original documents referenced in the [info. gathering tool] as well as running queries through human source and operational databases and consulting with the source handler. To do this properly, however, the AU itself will need to be resourced and encouraged to audit the information prepared by the regions. This report discusses the question of the AU’s sustainability below.

(U) Finally, several of the interviewees noted that the reformed process is revealing a number of “legacy problems” with CSIS human sources; that is to say, additional duty of candour issues are coming to light as a result of CSIS’s more stringent review of human source files when preparing for warrants. This is indeed a regrettable consequence of CSIS’s former lax practices. For the next few years, therefore, the Federal Court can expect to receive further duty of candour submissions. For its part, NSIRA will need to distinguish between those duty of candour issues rooted in past practices and those that have emerged despite the recent changes.

Finding no. 16: NSIRA finds that CSIS has struggled to ensure that all information material to the credibility of sources is properly contained in warrant applications. This “recurring omissions” problem stems from a misunderstanding of the Federal Court’s role in assessing the credibility of sources and from the presence of multiple, siloed information management systems. CSIS has undertaken reforms, but work remains to implement long-term sustainable solutions.

Recommendation no. 10: To address the seeming inevitability of “recurring omissions”, NSIRA recommends that CSIS prioritize the development of [ an improved ] system for human source information management. CSIS should also continue initiatives meant to ensure that source handlers are assiduous in documenting and then reporting in source précis information going to credibility. Even with these reforms, the Affiant Unit should adopt procedures for verifying the information prepared by the regions.

c) The Affiant Unit

(U) As noted above, the individual most responsible for the final product is the affiant, whose sworn affidavit supports the warrant application and supplies the factual basis for concluding the legal requirements for the issuance of a warrant have been met. Yet while NSIRA’s interlocutors agreed that affiants are ultimately responsible for the affidavit, NSIRA notes that they have not been given a status and authority commensurate with this obligation.

i. The Traditional Approach

(U) Pre-2019, CSIS recruited affiants in security intelligence investigations on an ad hoc basis in support of a particular warrant application. There was no such thing as a professional affiant. The result was considerable unevenness in the caliber and skill-set of affiants. The employees assigned as affiants were, NSIRA was told, sometimes not the best possible candidate, but rather a person with down-time, surplus to immediate operational needs, and not necessarily experienced in the affidavit process. The seeming casualness of affiant selection surprised NSIRA; the affiant is effectively CSIS’s spokesperson to the Federal Court, which alone can authorize invasive investigative techniques. Ensuring a roster of excellent affiants should have been regarded as “mission critical” to CSIS.

ii. The Current Approach

(U) In 2017, in response to the Segal report recommendations (see Annex A), the Affidavit Working Group (AWG) at CSIS recommended the creation of an Affiant Unit of “experienced Intelligence Officers who would be dedicated full-time to the role of representing the Service in court”. The objective of this new unit was the creation of an actual centre of affiant expertiseThe AWG recommended that affiants be employed at Level 10 (typically a senior manager) in the CSIS employment hierarchy “indicating the seniority and importance vested in the role”, with ongoing training and professional development being key components to the unit’s success. The AWG also proposed a process and structure for the development of the unit.

.(U) CSIS ultimately created the Affiant Unit (AU) in 2019, after an order from the Director and during the Federal Court 2020 FC 616 matter.230 NSIRA was repeatedly told that the resources allocated to the unit were based on estimates by the project management team in 2019. The CSIS “End of Project Summary – Establishment of the Affiant Unit” identified the need for an AU structure that included [number] “ Affiants” in order to accommodate past averages of [number] section 12 warrant applications annually. For reasons that are not clear, the final approved structure cut the number of affiants in half, to [number]  The final structure therefore comprised [description of internal structure]. The mandate of the AU was later expanded to include warrant applications for section 16 investigations by adding [number] although this affiant is managed out of the [Name] Unit and the Affiant Unit. This report discuss the implications of how the AU has been staffed below.

iii. The Advantages of an Affiant Unit

(U) Professionalizing affiant work involves trade-offs. For instance, dedicated affiants are better placed to develop and implement consistent processes and standards regarding warrant preparation, but will often have less mastery of the operational details than an affiant chosen from an operational desk, thereby obliging the affiant to spend considerable time familiarizing themselves with the details of each application. Still, our interviewees were consistently of the view that despite the trade-offs, the dedicated affiants and the AU itself represented a significant improvement over the prior ad hoc approach, and noted that the new dedicated affiants have been well received by the Court. Indeed, NSIRA is of the view that a well-staffed AU should constitute a body of expertise on warrant preparation within Robust vetting by the AU could also replace many of the seemingly pro forma steps in the current warrant process that contribute little of substance.

(U) Justice counsel reported having effective working relationships with the affiants, whom they considered to be knowledgeable and professional. For reasons discussed below, however, some counsel were concerned that the affiants were at risk of burn out, and raised concerns regarding the sustainability of the AU.

(U) With regard to the regions, we heard that some affiants, on their own initiative, regularly communicate with regional partners, potentially creating links that could forestall future duty of candour problems. Indeed, NSIRA heard that investigators and their managers welcomed the AU as the path to obtaining warrants. NSIRA was told that AU/regions communication should be a standard practice given the current communication silos existing between headquarters and the regional units responsible for executing warrants. NSIRA agrees that affiants should consistently consult with the regions to understand how the proposed warrants will be executed and to understand generally what is working and what is not. NSIRA notes that experienced affiants could serve as critical sources of institutional knowledge while field officers in the region cycle in and out. Moreover, this interaction between affiant and regions should help counsel anticipate any possible candour matters that could arise were the Court not apprised of potentially controversial means of executing warrant powers.

iv. Challenges to Affiant Unit Sustainability

(U) As explored above, CSIS’s establishment of the AU is a critical development. It is thus all the more concerning that the AU’s sustainability is in question, and indeed NSIRA heard that the unit could currently be described as in a state of crisis. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission. Indeed, there may now be less support to affiants operating from the AU than existed under the prior regime of ad hoc affiants supported by other units in CSIS.

(S) The AU faces several overlapping challenges. Over the course of NSIRA’s review, AU staffing was in considerable flux, with personnel cycling through affiant, analyst and management posts. Indeed, by summer 2021, the key role of analysts – usually charged with compiling material from the region and the initial drafting of the affidavit and human source précis – was filled by  [number]  temporary analyst. Of the [number] new affiants hired by the AU during our review, [number] had left by the end of it. Meanwhile, the remaining affiants were cycling through a vacancy as [position] (of the AU). In the result, it would appear there were only [number] people able to act as affiants for and [type of warrant] summer 2021.

(U) NSIRA heard that joining the AU is an unattractive career choice, because CSIS’s human resources policies do not support the stated objective of professionalizing the warrant process. Affiants, much like many at CSIS who are not Intelligence Officers, do not gain the operational experience that is traditionally tied to status and advancement.

(U) At the time of writing, the AU was relying on “surge capacity” by drafting analysts available temporarily from other units of  NSIRA heard that these temporary analysts lack warrant experience. They thus need to be trained by the affiants, only to depart and be replaced. This has added to the burden on affiants, some of whom now complete the drafting process once led by analysts. This also contributes to the workload of NSLAG counsel, who must help fix draft products.

(U) Moreover, the benefits of the AU are currently in jeopardy because of governance and training deficiencies. The AU did not inherit an existing infrastructure or suite of policies and professional standards. The affiants at the time of our review were experienced CSIS officers who often had some prior affiant experience. Those affiants who have been in the AU for a length of time have deepened their expertise through learning on the job. However, none of the affiants or supporting analysts received formal training on their roles. CSIS has not yet put in place a training system to ensure continuity of a standard base of knowledge and skills in the AU. Even if it did, the AU is already under-resourced, fueling turnover, and NSIRA doubts whether the AU has the time and capacity to step back from the day-to-day work in order to build expertise and human capital. For instance, weekly meetings with NSLAG counsel have often been impossible due to time constraints, making it harder for the AU to stay apprised of legal issues.

(S) It is clear that the AU cannot continue to operate in its present manner, and that the risk of burnout for the remaining staff is real. As this review progressed, NSIRA became increasingly concerned that the AU [is in a state of crisis] . The apparent neglect of the AU’s human resources needs is alarming: the AU is not only a key element of CSIS’s response to its recurring candour problems, but it is also operationally vital. Without a functional AU able to produce accurate and compelling warrant applications in a timely manner, [discussion of how CSIS collection activities are affected]

v. Improving and rebuilding

(U) It is clear that the AU needs to be stabilized and expanded by an immediate infusion of new personnel. NSIRA asked how an expanded AU could function, and in response received remarkably consistent responses:

  • “Affiant Teams”: NSIRA heard that each affiant should be supported by [discussion of number of analysts, administrative assistants and paralegals required] –
    forming an expert team. Teams should specialize in counterintelligence or counterterrorism, and should be managed so not everyone leaves as the same time. Likewise, files should be managed so that inexperienced affiants and affiant teams are not paired with inexperienced lawyers.
  • Workload expectations: NSIRA heard that a professional affiant should be able to manage [numbers] affidavits annually, although others emphasized that [numbers] was
    feasible. The lower estimate is closer to CSIS’s own calculation that “given that each application takes approximately [timeline] one affiant could process [number] applications per year.” At this rate, the present roster [number] should be able to generate [number] warrant applications annually. This assumes that affiants are adequately supported, however, which was not the case as of summer 2021. [number] warrants annually would seem inadequate given CSIS’s investigative needs. CSIS will not be able to acquire more warrants without either sacrificing the quality of its applications – and risking new candour problems – or expanding the AU. Moreover, as discussed below, [number] warrants is fewer than the number of warrants that NSLAG is now equipped to support.

(U) Building bigger, skilled and stable affiant teams will require new people willing to join the AU and stay for a reasonable length of time. NSIRA believes achieving this objective requires two sets of reforms: first, changes to career development within the AU; and second, greater institutional commitment.

(U) Without human resources reform and firm prioritization of the AU, NSIRA doubts CSIS will be able to recruit and retain a talented cadre prepared to specialize as affiants and analysts. The ideal affiant, NSIRA was told, was a great analyst and writer, with advanced research skills and robust institutional knowledge about how CSIS operates and how, especially, source information is retained. They must, in addition, be comfortable in court and have an understanding of applicable law. Some affiants have handled sources, while others have not. Source handling experience was not regarded as essential by at least some interviewees, but it was felt that the affiant needed people skills and an ability to manage the affidavit process and relationships with the regions. A successful affiant should have gravitas and an ability to persuade other partners in the warrant process. Moreover, once these people are recruited, like any expert, affiants and analysts need to acquire institutional knowledge – and the AU will need to resist the level of turnover we were told is endemic in CSIS.

(U) NSIRA heard that retaining talent will require attention to several problems. Unlike with at least some police forces, CSIS assigns little prestige to this career path. Indeed, CSIS human resource policies risk orphaning affiants in career limbo, with no natural career progression and advancement path given that time in the Affiant Unit is not time spent gaining front-line operational experience. Specifically, affiants are classified as a “level 9” in the CSIS human resources hierarchy, but only temporarily (if not already level 9). If advanced from level 8 to be an affiant, they return to level 8 if they leave – or must compete for a permanent level 9 elsewhere in CSIS. Despite the considerable pressures on affiants to manage a complicated warrant process and represent CSIS credibly before the Federal Court, affiant work is reportedly not countenanced as meeting prerequisites for promotion into management. Being an affiant is, in other words, not a clear career progression so much as a career diversion.

(U) CSIS has also struggled to resource permanent analysts for the AU. Analysts, much like other non-intelligence officer (non-IO) employees at CSIS, are left with so few career progression options that they often feel like second-class citizens within the the organization.  In order to attract talented analysts, there must be incentives allowing for progression within the non-IO stream, including the AU.

(S) As this discussion underscores, the AU needs more resources, especially in the form of analysts and affiants. However, the AU is left to compete for resources as just another unit under the broad umbrella of the [Name] Branch [Name]. NSIRA heard that the AU’s functions in preparing legally robust warrant applications are not a natural subset of [Name and function of Branch] and that the AU is not well situated in the present structure. This governance anomaly may explain a number of administrative hurdles and human resource and sustainability issues. A new governance structure, with reporting mechanisms consistent with the importance of the function needs to be instituted.

(U) A new Affiant Branch needs to be created and situated in CSIS’s organizational hierarchy reporting directly to the CSIS Director. This would be consistent with the Director’s direct accountability as provided by CSIS Act and signal the AU’s importance to CSIS’s ongoing success and presumably ease the risk of neglect. This change would coincide with the elimination of the often-unnecessary hierarchy of approvals that exist as a result of the AU’s current status as part of [Name] branch. This change may also respond to another observation: that priorities not directly visible to the Director sometimes stall lower in the CSIS hierarchy, and that reform also stalls among managers who do not have a clear incentive to change.

(U) In sum, NSIRA believes that CSIS’s success in overcoming its long-standing difficulties with the warrant process will depend on a robust Affiant Unit. In our future reviews of the warrant process, NSIRA will be attentive to CSIS’s progress in sustaining a robust AU.

Finding no. 17: NSIRA finds that the Affiant Unit (AU) constitutes a vital and laudable reform within CSIS. However, the AU is currently at risk of collapse. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission. The benefits of the AU are currently in jeopardy because of governance, human resource, and training deficiencies.

Finding no. 18: NSIRA finds that the Affiant Unit’s placement in the [Name] branch is not commensurate with its functions and importance. This governance anomaly most likely contributes to administrative hurdles and resource challenges faced by the AU.

Finding no. 19: NSIRA finds that without a functional AU able to produce timely and accurate warrant applications, CSIS puts at risk access to warrants and the information collected under them.

In view of the above findings with respect to the AU, NSIRA recommends that:

Recommendation no. 11: CSIS recognize the importance of the Affiant Unit by assigning affiants and analysts an employment classification congruent with their responsibilities.

Recommendation no. 12: CSIS create an Affiant Branch reporting directly to the CSIS Director.

Recommendation no. 13: CSIS urgently resource the Affiant Unit to meet its responsibilities and ensure its sustainability. In deciding the size of the AU, CSIS should assess how many warrants an affiant team might reasonably complete every year.

Recommendation no. 14: CSIS, in consultation with Justice, develop a comprehensive training course for all affiants and analysts, codifying best practices and methods for members of the AU.

d) NSLAG Warrants Counsel

(U) Warrant counsel have several key roles anticipated in the CSIS warrant application process, and are intimately implicated in securing adherence to the duty of candour in warrant applications. As noted, the duty of utmost candour in warrant proceedings is a professional obligation that rules of professional conduct impose on lawyers. Crown counsel in police warrant cases have a redoubled incentive to test warrant applications – no Crown wishes to be the lawyer on a warrant that subsequently fails on ex post facto challenge in a criminal proceeding, jeopardizing a prosecution. While NSLAG counsel face different pressures, duty of candour failures still risk professional reputations, especially given the vigorous displeasure expressed by Federal Court judges in their judgments.

(U) It seems clear that, as a result of 2020 FC 616, NSLAG has weathered a difficult period. Counsel reasonably see themselves as both personally in the cross-hairs of the court’s discontent and dependent on CSIS managing its responsibilities in the warrant process in a way attentive to its legal obligations. From the counsel’s perspective, the process feels like a high risk enterprise, over which hangs a “sword of Damocles”. For its part, as noted, CSIS operational employees may regard Justice as inaccessible and unhelpful. Lawyers vary in their style and manner of operating, with no consistency.

(U) Some lawyers have responded to duty of candour failures by becoming more meticulously involved, in a way described by some CSIS observers as intrusive, micro-managing matters that CSIS feels it should handle. It is apparent that tensions have increased in the last several years between Justice and CSIS, shaped by these perceptions each has of the other. This tension was especially acute, NSIRA was told, at the more senior levels, with some noting that little had improved by the time of our interviews. NSIRA also heard about the need to correct this situation by building mutual trust. This section focuses on the structural sources of those tensions and the prospects of restoring confidence.

(S) First, CSIS interviewees urged that CSIS needed access to more lawyers, sometimes seeing lawyers as the bottleneck in the warrants process. Other interviewees contested this view. These different views may reflect change over time. It is clear that during a recent period, NSLAG had too few available warrant counsel. That situation appears now to be evolving, as new lawyers are recruited by NSLAG. NSIRA agrees, however, with the principle that NSLAG should be staffed to ensure that CSIS’s operations are not stalled due to the non- availability of warrants counsel.

(U) At present, a General Counsel is the strategic lead for warrants and Federal Court matters. In addition, the Senior Counsel warrant coordinator oversees the warrant applications led by NSLAG warrant counsel. The senior counsel warrant coordinator would ideally not manage their own files, and instead would maintain comprehensive visibility on the warrant practice, while assisting and mentoring new warrant counsel. These positions must also bridge the warrant and advisory side of NSLAG, ensuring that emerging legal issues are shared.

(U) The number of actual warrant counsel will affect how many warrants CSIS might seek at the Federal Court. NSIRA asked for views on a metric for determining the ideal number of counsel. Whereas an experienced warrant counsel might once have transacted [number] warrants annually, the scope and scale of applications is now such that the maximum number is [range]. Given this number, and with a roster of  [number] experienced warrant counsel (and several more junior) available by the second half of 2021, the maximum number of warrants NSLAG might support annually may be in the 30-60 range. Notably, this number is several multiples above the number of affidavits the AU is presently equipped to manage, assuming the calculations provided above. These calculations seem to affirm the views that resourcing issues at the AU now constitute the critical bottleneck, whatever may have been the case in the past.

(U) NSIRA also heard views about the importance of mentoring of new warrant counsel by experienced warrant counsel, and how NSLAG must make this a priority. This includes the need for junior lawyers to be trained on matters pertaining to CSIS tradecraft and technology.

(U) NSLAG recruitment also emerged as an issue in NSIRA’s discussions. NSLAG is regarded by other components of Justice as too close to its client and concerned with maintaining an ongoing relationship with the client, a characterization regarded as unfair by the interviewees who addressed it. Morale in NSLAG was badly affected by the 2020 FC 616 saga. NSLAG’s practice area is also, from the perspective of many lawyers, obscure and narrow, and not necessarily perceived as part of a Justice lawyer’s ideal career path. Employment at NSLAG requires enhanced security clearance, including a polygraph. The clearance process may be lengthy, and prospective employees may lose interest in the interim. These factors together contribute to NSLAG recruitment challenges.

(U) NSIRA notes that the range of professional backgrounds among counsel seems to be increasing, and more NSLAG warrant counsel have prior experience with NSIRA was told NSLAG has been encouraged to hone its public law expertise, as well as recruit lawyers with criminal law experience. NSIRA welcomes these developments and will consider NSLAG’s evolution in future reviews.

Recommendation no. 15: NSIRA recommends that NSLAG be staffed by a complement of counsel and support personnel sufficient to ensure that CSIS operations are not impeded by resource limitations at NSLAG.

e) Revamping the Independent Challenge Function

(U) The warrant application process is buttressed by a review of the near-final affidavit by an “independent counsel” (IC) – in practice, a lawyer drawn from the National Security Group (NSG) of the Department of Justice. “Independent” in this context means, therefore, at arm’s length from CSIS and NSLAG and otherwise not implicated in the warrant process.

 i. The Imperfect Independent Counsel Model

(U) The IC position was created in 1988 following the 1987 “Atwal” matter in which extensive errors were made in a CSIS warrant application (Annex A). In its 1986-1987 Annual Report, SIRC noted that the Solicitor General in consultation with CSIS should consider whether there ought to be a devil’s advocate position at some stage of the warrant process to argue the case against the warrant. The position of the devil’s advocate was described as an official appointed to ensure that all aspects of a matter are fully considered.  The following year, the “devil’s advocate” position had been established, yet, SIRC noted that, “at present the devil’s advocate does no more than ensure that the information CSIS intends to cite in a warrant application is accurate. We had in mind, rather, someone who would challenge the need for a warrant at all – someone to make the case that the proposed target (who does not of course even know a warrant is being sought) might make.

(U) Ultimately, very little has NSIRA was informed that the primary goal of the IC is to “ensure that, as much as possible, factual mistakes don’t make their way into the material that is submitted to the Court”. Scrutiny of the warrant is done through reviewing documents to ensure that factual assertions in the affidavit are accurately sourced.

(U) The IC is charged with playing a fact-checking function, described as largely a form of checking the characterization of facts in the affidavit and source précis against the source material. NSIRA was informed that NSLAG and CSIS were once more resistant to questioning by the IC. This situation has reportedly improved in the last several years, with counsel and CSIS described as now accepting of this querying.  In reality, however, changes proposed by the IC are usually very minor. Every once in a while, IC reported finding contradictions in the source material relevant to credibility issues, or treatment in the affidavit that were not justified.

(U) There will always remain inherent limits to the role of an IC coming at the end of the process. It cannot protect against all duty of candour shortcomings. Additionally, NSIRA noted a number of factors that have contributed to the inability of the IC to perform a robust challenge function:

  • Lack of policy and training: short of a two-page document outlining the description of the IC function, there are currently no up to date internal policies, guidelines, or criteria governing the expectation or mandate associated with the IC role – much depends on the individual expertise of, and investment of effort by, the IC. NSIRA was informed that typically new IC shadow senior IC counsel on their applications before being given their own. There is no official training program; counsel are given a binder of historical documents outlining the genesis of the IC role and where necessary may be given additional training on how the warrants process works. Mentoring may therefore be inconsistent due to the absence of a standardized training program and clear descriptions of the required functions of the IC.
  • Lack of knowledge: at NSG, counsel conduct their IC role as a supplement to their main legal work, involving among other things Canada Evidence Act s. 38 proceedings. By one estimate, IC work constitutes less than 5% of what NSG counsel do, and the NSG does not otherwise have any involvement in warrant-related activities. The IC have little visibility on developments in the Federal Court, including on the specific CSIS warrants they have challenged. There is no formal debrief mechanism, no proactive sharing of classified reasons, and NSG counsel neither convene their own best practices/issue sharing sessions nor participate in NSLAG’s sessions discussing emerging issues relevant to warrant practice. Some IC noted that this lack of exposure to warrant-related activities results in a lack of knowledge needed to perform a more probing review or address broader issues beyond fact checking. These knowledge constraints mean that it is extremely unlikely that the IC will be able to ask probing questions of the sort necessary to unearth the duty of candour issues stemming from possible issues on how a warrant might be executed – the second class of candour issues noted above. Meanwhile, counsel who may have this relevant experience, joining NSG from NSLAG, are required to wait a year before undertaking any IC functions. This means that often by the time they inherit a warrant file they are likely no longer current on recent CSIS practices.
  • Lack of access and time: the IC does not currently have timely access to the breadth of underlying information that would be required to play an authentic challenge role meaningfully. The IC does not receive important components of the warrant application in advance, including the source précis, and is often provided with very short deadlines for reviewing documents. While ICs have recently obtained some on-premise (CSIS) access to these other materials, this sort of advance review is uncommon. The IC is not encouraged or provided with sufficient time to fully test the theory of the case presented in an application as a form of “red team” exercise. Nor can they be expected to counter the recurring omissions issue, discussed above. It is unlikely, therefore, that the IC is fully effective in addressing candour issues resulting from failure to disclose information material to credibility.

(U) The result has been an IC role that is often regarded as more clerical than substantive, designed to cite check rather than assertively peer review. Indeed, the majority of interviewees involved in the warrants process regarded the IC as unhelpful as a form of quality control. Recent changes in the CSIS warrant process indicate that the IC “challenge” is to be completed one day prior to the WRC and once the affidavit has already been circulated to WRC participants. This change is further reflective of the general view that the IC serves only to fact check or that nothing substantial will arise from the challenge that necessitates changes prior to the WRC. Some interviewees doubted that the IC’s role was necessary – a good, well-supported affiant should suffice to guarantee the facing. NSIRA has commented above on how professionalized affiants are able to contribute to quality control.

(U) Still, NSIRA believes that the presence of an independent challenge in the system is necessary. NSIRA fears, however, that the current IC is largely a pro forma feature of the CSIS warrant process, giving the impression of a robust check and balance without accomplishing this objective. NSIRA remains unpersuaded that a robust devil’s advocate is best situated at Justice, drawing on lawyers from NSG. As noted above, while some individuals have a background involving warrants of various sorts, NSG lawyers are not, in their role, experts in warrants or necessarily knowledgeable about CSIS. Nor does NSG have any formal role in the warrant approval process. NSG would appear simply to be a convenient place to situate the IC, among lawyers who are security-cleared for very different functions. Put another way, a robust devil’s advocate function has yet to be created, and there is no reason to prefer it be situated in another branch of Justice. As discussed next, NSIRA would propose the creation of this function in the third agency of government whose precise role is oversight of the CSIS warrant process: Public Safety.

ii. Reconceiving Public Safety’s Oversight Role

(U) Public Safety Canada is the vessel through which the Minister exercises their oversight role, one intended by Parliament to be robust. The Minister’s role in the warrants regime is enshrined in legislation. Section 21 of the CSIS Act mandates that an application for a warrant may only be filed “having obtained the Minister’s approval”. The Minister’s role on section 12 warrants therefore requires that the Minister is aware of the full implications of the application, including determining if the intrusive methods to be used are justified by the gravity of the threat to the security of Canada.

(U) Yet, Public Safety has not had full visibility on the various aspects of the warrants application. There has traditionally been an information asymmetry favouring CSIS with whom the information resides. This challenge was further exacerbated by capacity issues at Public Safety, including limited ability to access information and knowledge necessary to assess risk for the Minister. The 2019 Ministerial Direction for Accountability (2019 MD) and the Framework for Cooperation between Public Safety and CSIS, sought to decrease the information asymmetry problems and increase ministerial oversight of CSIS. Pursuant to section 8 (i) of the Framework, CSIS must update Public Safety on reviews conducted by NSIRA. NSIRA interprets this obligation to mean an ongoing commitment by CSIS to provide periodic updates on the progress of reforms to the warrant process including the implementation of the recommendations in this review which will inevitably affect warrant applications.

(S) Functionally, Public Safety officials review all warrant applications with the support of legal counsel assigned to the Once the warrant application is received by Public Safety, officials will typically review the warrant for: clarity and logic; legal issues; candour issues; policy considerations; and additional considerations such as issues related to the impact on Canadians. The Public Safety delegate will attend the WRC. Following the WRC, and once the warrant has been reviewed, Public Safety officials draft a briefing note summarizing the nature of the threat posed by the target of the warrant, along with a recommendation memorandum for the Minister’s consideration. If approved, Public Safety sends the application back to CSIS to be filed in Court.

(U) Some Public Safety practices are of relatively recent vintage, prompted to some large degree by 2020 FC NSIRA cautions, however, that Public Safety is not well positioned to perform a thorough challenge of the warrant application. First, asymmetrical access to information means that Public Safety does not review the ingredients comprising the warrant application, including the source file materials or even the source précis. It would not be realistic, in our view, to expect Public Safety to audit the full information trail leading to the warrant application – it will never be able to cure a “recurring omissions” problem. Again, NSIRA believes skilled affiants in the AU validating information received from the regions and performing peer reviews of each other’s work product constitute the best means of verifying inclusion of the correct information.

(S) On the other hand, Public Safety should be positioned to solve systemic and governance issues giving rise to the second category of duty of candour issues noted in this review – those stemming from issues underlying the warrant and material to a judge’s exercise of discretion. As noted by Justice Brown in reference to the failure of CSIS to flag high-risk human source operations, which were subsequently the subject of a warrant application before the Court: “the responsibility for fully informed decision-making lies on every person participating in the decision”. Situated at some distance from CSIS and warrant counsel, an adequately staffed and expert Public Safety vetting team should contemplate the blind spots from which those closer to the process may suffer. Indeed, NSIRA learned that Public Safety, even as presently constituted, at times raises such issues. In this manner, Public Safety is in a much better position to anticipate lurking candour issues than is a lawyer at NSG, tasked with conducting an IC as a secondary function of their For this reason, NSIRA favours a new reform that would bolster Public Safety’s vetting process, and would replace the NSG IC, all in service to the Minister’s legislated oversight role.

(U) To this end, NSIRA favours a devil’s advocate model that helps meet the Minister’s own obligation to oversee the warrant process. That is, NSIRA recommends the creation of a role meeting the original vision proposed by SIRC in the report noted above: “someone who would challenge the need for a warrant at all – someone to make the case that the proposed target (who does not of course even know a warrant is being sought) might make”. The counsel should be as assiduous as a defence lawyer would be, defending a client in a fully adversarial process. They should know, and know how, to ask questions about the information supporting the warrant, its planned execution, and any relevant surrounding context that might escape the attention of a lawyer less familiar with warrants or CSIS procedures and functions, or might be lost to tunnel vision among those closer to the In this manner, NSIRA suggests that this person, working with Public Safety’s warrant vetting team, should be well-situated to anticipate the second category of candour issues discussed in the report.

.(U) Right now, Public Safety is supported by its own Justice departmental service unit. NSIRA suggests that unit should be supplemented by a seconded counsel with practical warrant experience employed at the Public Prosecution Service of Canada, the private sector or elsewhere, independent from Justice management, and not otherwise involved in CSIS warrant applications. This counsel would be deployed for the specific purpose of supporting a Public Safety warrant vetting team in its challenge function. This challenge and review of the warrant conducted by the seconded counsel must be documented in a manner that is visible to the Minister when considering whether to approve the proposed warrant application. NSIRA cautions that the purpose is not to increase the number of steps or the length of time the application takes. Rather, abolishing the current IC model entirely in favour of a true devil’s advocate conducted as part of ministerial oversight would thin the process in addition to reinforcing it with a built-in, thorough challenge function.

Finding no. 20: NSIRA finds that the “independent counsel” (IC) role falls short of creating a thorough challenge function.

Recommendation no. 16: NSIRA recommends that the function of the Independent Counsel as performed by NSG counsel at the Department of Justice be eliminated, in favour of a new challenge function, analogous to the role a defence lawyer would play were warrants subject to an adversarial process, situated at Public Safety and supported by the Public Safety vetting team, and performed by a knowledgeable lawyer from the Public Prosecution Service of Canada, the private sector, or elsewhere, who is independent from Justice management and not otherwise involved in CSIS warrant applications.

f) Submission to the Federal Court

(U) The final stage in the warrant process is the proceeding before the Federal Court. No warrant exists until authorized by the Federal However, trust between the Federal Court, NSLAG and CSIS has clearly been strained by the long history of duty of candour failures.

(U) The Court is perceived by interviewees as more assertive now than in the past. Some interviewees described doubts about the degree of control exercised by the Court, sometimes seeing it as more akin to a review function and less like the classic judicial control exercised by a court in issuing (or not) warrants. Others rejected any notion that Justice questioned the legitimacy of the Court’s approach. Still, the institutions implicated in the warrant process seem to have entered a cycle in which duty of candour failures have contributed to a climate of mistrust involving closer scrutiny and more searching judicial control, which inevitably heightens anxiety at the CSIS level about operational implications and reputational risk. It has also been the source of some uneasiness at Justice.

(U) Of particular note, interviewees told NSIRA that anticipating in advance the full range of considerations relevant to a judge in exercising their discretion is not easy, especially since judges reportedly focus on different concerns depending on the case before them. This creates a residual category of information that may have to be provided with the application. CSIS and Justice reportedly now err on the side of being over inclusive.

(U) Because of all of these factors, the warrant application process currently operates like a ratchet, as ever more detail is layered into the affidavit and supporting documents in an effort to anticipate and avoid a new duty of candour failure. There is some “cut and paste” possible for recurring issues, but this material must be tailored to each warrant, and then re-vetted through the bureaucratic warrant approval process. The resulting warrant applications become more lengthy, complex, and time-consuming to prepare.

(U) Breaking this cycle, however, requires restored credibility through change at CSIS and Justice, not resistance. NSIRA believes that doing so requires an embrace of the recommendations made in this review. It also notes other ways in which CSIS and Justice could show a commitment to candour, possibly alleviating the workload involved in warrant applications. NSIRA noted one approach suggested by our interviewees: warrant applications would describe information that is excluded (because it is believed not to be material) in sufficient detail that a judge might ask for its disclosure should they wish. Justice could also seek direction from the Court in the form of a practice direction or annotated standard warrant templates, or the bench and bar system recommended by the Segal report.

g) Doubts Arising on Warrant Execution

(S) Once a judge issues a warrant, CSIS may execute the warrant. That execution must comply with the scope and terms of the After the warrant’s issuance, CSIS and Justice conduct a debrief with the affiant, lawyer, the relevant headquarters desk and the responsible officials at the regions. This process includes a “reading of the warrant”, designed as NSIRA understands it, to help inform execution. NSIRA was told that this debrief is sometimes regarded as vague and unhelpful, and that those charged with overseeing warrant execution had no resources to translate “warrant language” into techniques and powers they could use.

(S) The warrant coordinators in the regions lack formal training, and learn their task on the job – existing training is too broad and abstract, unconnected to the practical scenarios arising in the execution of warrants343. In consequence, expectations accrue as myths rather than clearly understood legal standards. NSIRA was told there were perceived disparities between what seemed to be on the face of the warrant and what lawyers described as the judge’s intent. This sort of ambiguity reportedly gives rise to “invisible rules”. The regions are extremely uncomfortable with implied permissions, preferring tangible authorizations in warrants. [discussion of the detrimental effects on and risks to operations]

(U) Finding no. 21: NSIRA finds that the CSIS regional warrants coordinators have not received sufficient training enabling them to translate the contents of the warrants into advice on proper warrant execution.

Recommendation no. 17: NSIRA recommends that CSIS regional warrants coordinator positions receive adequate training, and that CSIS professionalize the position and enable warrant coordinators to more effectively translate the content of warrants into advice on warrant execution.

C. Investment in People: Training

(S) As the discussion in this report demonstrates, training and institutional knowledge are recurring themes in this Most interviewees noted that they had not received specialized training prior to assuming their specific role in the warrant process, instead learning through word of mouth from others doing the same function. Some interviewees clearly felt unprepared for their role, and regretted the absence of systematic training. Several others tied the lack of training and the paucity of modernized processes and policies to compliance failures. CSIS is to a certain extent alive to the shortcomings in its training programs and has itself noted that:
“CSIS is currently not a learning organization and does not have a learning culture. There are insufficient training opportunities to build and sustain a modern professional intelligence service that operates in a continuously evolving and complex environment, it is evident that the exponential needs across operational and corporate requirements has not kept pace with the current L&D staffing and funding allocation”.

(U) The inadequacies of training featured in a recent internal review of the warrant process. NSIRA embraces its recommendations on the need for reform in this area. NSIRA emphasizes especially, however, the need for education through scenario-based learning, and not simply training through the passive consumption of learning materials.

(S) CSIS’s Learning and Development (L&D) branch has considerably revamped both the intensive program taken when employees join CSIS as Intelligence Officers (IOs), and the intensive course IOs take after several years at headquarters, before deployment to the regions. For instance, the IO Entry Training (IOET) which is largely content and theory heavy, is being overhauled to include scenario-based learning. L&D has embraced learner-centered approaches, with high instructor to trainee ratios. In its most recent iteration, the [training program name] now trains IOs in scenarios relevant to the duty of candour, including [training program content] capturing details related to legal credibility and conditioning passing grades on responsiveness to these matters.

(U) Trainers – IOs themselves participate in train-the-trainers programs. These trainers may themselves cycle to operational roles, where they are well-positioned to transmit expertise and mentor others. Meanwhile, NSLAG will work with CSIS’s policy centres and provide feedback on learning modules raising legal issues. The [Name] will raise issues that may involve legal dilemmas. However, [Name] training does not address legal issues per se – rather the purpose is to train IOs in recognizing legal doubt, necessitating consultation with NSLAG. IOs are not trained, in other words, on answers to legal questions, so much as trained to recognize the existence of legal issues. Precise legal answers, it is feared, change with time, and a decision has been made to train a reflex to seek legal answers from NSLAG. NSIRA notes, however, that the IOET and the [Name]  come relatively early in an IO’s career and that CSIS has no ongoing, formal professional development requirements. NSIRA further notes that warrants- related training including duty of candour is of sufficient importance to necessitate annual mandatory warrant training for all operational personnel. This would allow operational personnel to remain apprised of changes in the warrants process as well as changes in the operational environment including technological advancements which may influence their assessment of when a warrant is required.

(S) Aside from IO training early in an IO’s career, specialized training in CSIS’s various specialized trades is uneven. Most of the interviewees indicated they had received no formal training beyond that at the beginning of their careers, with a few exceptions (such as [Branch Name]). Where there is in-house training, NSIRA’s view is that it is often relatively informal and lacks some of the experiential features that the modern has developed. L&D is not responsible for training in specialized sub-trades or units of CSIS, although they may be consulted on design such that unit wish to establish a training system. This creates a gap in training for individuals who are not within the IO career stream.

(S) Following 2020 FC 616, CSIS implemented organization-wide mandatory training for all operational employees on the duty of candour. The thirty-minute training was contained in an online module that employees complete.  The module contains 22 slides discussing the duty of candour, including prior breaches and the role of every individual in ensuring that duty of candour is met. The module contains only two theory-based questions, no scenario-based training and may be completed in half the time by employees. This type of training reflects concerns voiced during the review that CSIS cannot build a compliance culture by PowerPoint training, and complaints that training included too much pro forma box checking.

(U) In sum, the training culture at CSIS has been largely a “once and done” approach to formal skills acquisition. Moreover, NSIRA was led to believe that prior generations of the entry level and pre-regional deployment training courses were less robust than the present generation, and depended on more passive forms of education (such as PowerPoints). Bringing modernized training to more advanced IOs and standardized training of any sort to non-IOs appears to remain a challenge. L&D is not adequately resourced at present to expand a formal CSIS training footprint, despite considerable demand for specialized training. Noteworthy, L&D has recently received CSIS management approval for their business plain to establish three regional training hubs to incorporate modern training at the regional level and enhance the skill set of IOs whose training may predate the existing training curriculum.

(U) While both IOs and non-IOs noted the lack of training as a major issue, it was more pronounced with non-IOs. NSIRA heard from non-IOs including managers, analysts and technical experts that they did not receive the benefit of any form of formal training upon joining the organization. Many had to ask for specific mentorship, while others have found that they are regarded as the most senior subject matter experts, leaving them with no mentorship options.

(U) NSIRA observes that a commitment to training is only as real as the importance and resources devoted to Accordingly, training will succeed only to the extent that employee time is freed up to allow the acquisition of new skills and knowledge. In this respect, some interviewees expressed doubt that units already confronting personnel shortages will succeed in building human capital.

Finding 22: NSIRA finds that CSIS lacks long-term training programs for Intelligence Officers.

Finding 23: NSIRA finds that CSIS has failed to provide systematic training programs for “non-Intelligence Officers”.

Finding 24: NSIRA finds that the CSIS’s Learning and Development Branch has not been sufficiently resourced to develop and administer comprehensive training programs, especially in specialized areas not covered by the training offered for Intelligence Officers early in their career.

In view of these findings, NSIRA recommends that:

Recommendation no. 18: CSIS adequately resource and regularly deliver evergreen scenario-based training programs for all CSIS employees, including;                                                     

  • annual, comprehensive, warrant training for all operational employees;
  • specialized onboarding training for all employees not part of the Intelligence Officer program; and
  • continued long-term training for all specialized

5. Consequences Of Systemic Problems

(U) This report ends with an examination of, and associated observations on, cross-cutting governance and cultural issues that stem, at least in part, from challenges characterizing the provision of legal advice and the warrant process. NSIRA divides these broad, cross-cutting phenomena into two categories: morale and attitudes; and, performing the mission.

a) Morale and Cultural Resistance to Change

(U) NSIRA heard and read much about very low morale at CSIS — a central concern not only to individuals whom NSIRA interviewed but also in employees’ resignation and retirement exit. There are likely many reasons for this morale problem. The systemic and governance interviews issues in the warrant process are part of them. Morale is injured by a warrant acquisition system that seems to impede performance of the mandate while at the same time being the source of regular reputational crises stemming from duty of candour failures.

(U) At the same time, employees see themselves as participating in a rigorous process. Indeed, so rigorous is this process that employees are frustrated that too few warrants are being sought. They feel caught in a no-win environment compounded by the bureaucratic burden associated with having a warrant application reach the Court.

(U) NSIRA notes that those disillusioned by seemingly unending compliance issues reportedly fall into three categories, reflecting sometimes quite different perspectives: those viewing compliance measures as an inconvenience; those who do not understand the purpose of compliance measures; and, those who viewed them as a manifestation of diffused or insufficient governance responsibility.

(U) First, some interviewees stated that, while duty of candour failures at the Federal Court have resulted in further disclosure obligations and demanded additional undertakings, these failures are perceived as a risk to be managed rather than a problem to be solved. For this group, the implication is that the rule of law is not a grounding consideration. Indeed, some interviewees did doubt the existence of a compliance culture, or that compliance with duty of candour standards was embraced seriously as part of confidential source management.

(U) Others had very different views, and regarded compliance failures as tied to the lack of training and the paucity of modernized processes and policies. CSIS has historically under- resourced policy, compliance and training. Even where policies are changed, NSIRA was told that simply announcing new protocols cannot effect change – and indeed, they may go unread. Some interviewees reported, for example, that Project [Name] communications are ignored. CSIS is developing policy centres, but employees may have a foggy understanding of the role of these units, and may not be sufficiently attuned to issues to know when to seek expert input.

(U) With regards to the third category, NSIRA heard concerns about flawed governance in warrant and compliance matters. Some interviewees expressed concern about governance vacuums. In the eyes of some, managers have done too little to redress employee uncertainty about rules, and indeed even managers at the executive level reportedly sometimes lack understanding of applicable rules. NSIRA heard concerns that employees are reportedly not rewarded for compliance initiatives, and indeed some personnel implicated in poor compliance conduct have been promoted. CSIS was described by some as possessing a culture in which bad news does not travel upwards, and one in which managers resist lessons-learned analysis and reporting, and prefer positive spins on errors.

(U) For other interviewees, CSIS allegedly has a zero-fail approach to some compliance issues, producing a brittle, risk averse working For instance, within CSIS there is reportedly no attitude that in litigation, one wins some and loses some. A troubled warrant application is widely regarded as disastrous, and career impairing. Indeed, interviewees described an internal fear of making mistakes, and a punitive, “call out” culture when mistakes are made. The aim is “not to fail” in order to be promoted, leading to a cautious culture in which some people prefer not to act or ask questions. This culture likely undergirds the multiplicity of warrant steps, and the diffusion of responsibility. It may also be a partial explanation for why some legal doubts are not brought before the court for resolution through the warrant process.

(U) In crafting its recommendations, NSIRA aligned the core warrant responsibilities to the legislative accountability framework while ensuring that those controlling the process can set a careful watch over one of the drivers of morale within their organization.

b) Performing the mission

(U) In this report, NSIRA has identified several governance and cultural The lack of alignment in the way Justice provides legal services with the needs of CSIS, the delay inherent to the quest for legal advice, and the disconnect between the content of legal advice and the operational imperatives of CSIS may not completely explain the current climate. However, this situation can only have compounded other possible causes, if any, beyond the parameters of this review. The problems have resulted in a culture of distrust towards Justice counsel and a systemic reaction whereby CSIS sometimes avoids seeking legal advice.

(U) While NSIRA does not question the need for Justice to speak with “one voice”, the governance structure put in place to safeguard consistency cannot override another fundamental goal, which is to allow its client to comply with and to respect the rule of law.

(U) To become “client-centric” as promised in Justice’s VISION Project, Justice must go from being perceived as a roadblock, to a frank and forthright advisor fully attuned to operational objectives. To achieve that goal, several interconnected recommendations of this report need to be implemented. They reach into Justice’s governance and culture. On the governance aspect, they relate to training, to prompt and clear advice-giving, and to early and extended availability of counsel. On the culture aspect, they relate to the culture of support that goes beyond the mere provision of legal opinions constituting traffic signals – they call for counsel working as advisors opining in an iterative manner on how an intelligence operation might proceed in a manner that respects the rule of law. Providing road map-style advice does not mean Justice abandons its fearless defence of the rule of law, or its independence. It does mean that it situates this advice in a manner that best serves the shared goal of operations compliant with the rule of Changing the culture of distrust and avoidance can take time, but early, continued and consistent engagement in operations should contribute to rebuilding the relationship.

(U) The current governance of advice-giving is unnecessarily detrimental to If the course is not corrected, both organizations put at risk the fulfillment of their mandates.

(U) For CSIS, the risks to its fulfillment of its mandate arise on multiple fronts. NSIRA endorsed above the view that warrants are the “lifeblood” of CSIS. CSIS members may, however, vary in the degree to which they appreciate the significance of warrants. Many interviewees adhered to what may be called a national security culture, in which success is about leveraging CSIS’s mandate to contribute to Canada’s national security. The objective is to provide useable, lawfully-collected information of value to the government of Canada. In this view, the entire CSIS apparatus needs to understand the objectives behind the collecting of information, and see itself as engaged in a collective enterprise, rather than discrete, atomized endeavours. Disillusionment, NSIRA concluded, often reflected recognition of how warrants (and law) are increasingly important in intelligence operations, but at the same time hard to obtain. With the increasing dominance of electronic communications, what was once standard pre- or non-warranted tradecraft is now increasingly crossing the line into activities requiring warrants. Warrants, in other words, reach far into CSIS’s traditional tradecraft.

(U) It was, however, the considered opinion of a number of our interviewees that too many CSIS investigations are now stranded by the warrant process. That process was sometimes compared to winning a lottery, not because of lack of success at the Federal Court but because of the resource intensity of getting the application to the Court.

(S) NSIRA was also advised of investigators [discussion of how collection activities are affected] doing their best to advance investigations [discussion of effects on collection activity]. Leaving to individual interpretation which  [collection activity] may be used could result in boundaries being pushed, compounding grey zone legal issues and reputational risk if these practices then culminate in review or court proceedings. Further, while warranted collection might clarify whether CSIS’s reasonable belief that the individual is engaged in threat activities is well-founded, other techniques may leave the target in limbo. [discussion of how collection activities are affected]. At the same time, it risks focusing the state’s attention on people for greater periods of time because [discussion of how collection activities are affected]

(U) There was widespread support for the view that the warrant process should not be the bottleneck on warranted activities – that any bottlenecks should be driven by operational imperatives. NSIRA was told the metric of success for a reformed warrant process amounts to: more warrants, more closely tailored to the threat, with shorter and more detailed threat assessments that simultaneously meet the court’s expectations.

(U) As the calculations in the preceding sections show, the question of how many warrants CSIS should transact annually was not easily The near-consensus was, more than the number that have been sought in the recent past. The expectation is that operational imperatives in an era of complex threats and burgeoning electronic communication will require more warranted activities. The number of novel issues can only increase, compounding the need for legal advice, which highlights the need for cooperation with Justice.

(U) Given the challenges identified in this report, NSIRA could detect no clear path to achieving such an objective under the status quo. In these circumstances, the warrant process risks remaining the worst of all worlds: a system that makes it too hard for CSIS to perform the mandate given to it, while at the same time doing too little to safeguard against legal error.

(U) This report has identified many governance issues at both Justice and CSIS. The deficiencies in information management; the lack of training; the multiple steps in the warrant process; the absence of an efficient challenge function; the lack of understanding of the decision-making process; and the absence of clear accountability lines all go to the heart of the very questions that characterize the notion of governance: How are decisions made? Who makes them? Who is accountable for them?

(U) Reforms should allow for clear answers to these questions. Among other things, NSIRA has recommended that the CSIS Director assume more immediate responsibility for the Affiant Unit and that the Minister and Public Safety host a more immediate role in challenging warrants. These structural reforms, however, will only produce positive changes if accompanied by the implementation of the other recommendations, especially those sustaining the Affiant Unit.

(U) In sum, this review was sparked by a compliance failure in a duty of candour matter. It concludes that repeated failures in this area are both caused by, and cause, deep-seated governance and cultural patterns. This vicious cycle has compounded the challenges of reform in the warrant acquisition process. NSIRA agrees with the 2020 Rosenberg Independent Review that “a precondition to successfully implement the recommendations is to address the cultural issues around warrants”.

(U) The challenges communicated by many interviewees will not disappear unless widespread governance reforms facilitate an improved warrant process. Cherry-picked changes or paper reforms that mask governance and cultural issues, without addressing them, will suffer the ignominious fate of prior rounds of changes: they will not fix systemic issues. This will require a major effort. In this review, NSIRA has proposed a series of reforms. No single recommendation made here will alone resolve the source of systemic issues in the warrant process. CSIS and Justice shall need to pursue recommendations as a package.

(U) Finding no. 25: NSIRA finds that CSIS and Justice are at risk of not being able to fulfill their respective mandates. No one reform is likely to succeed unless each is pursued as part of a coherent package. No package will succeed unless backed by prioritization at senior levels, and the stable provision of resources, including people with the means and institutional knowledge to see reforms through. And no reform initiative will succeed unless accompanied by clear performance indicators, measured and analyzed regularly to track progress.

In view of NSIRA’s findings above, and of prior unsuccessful reforms, NSIRA recommends that:

(U) Recommendation no. 19: The recommendations within this review be treated as a coherent package and that progress and outcomes in implementing these recommendations be tracked, allowing management, the Ministers of Public Safety and of Justice, and NSIRA, to assess the efficacy of reforms and course correct if necessary.

(U) NSIRA intends to launch a follow-up review, within two years, which will measure progress at CSIS, Justice and Public Safety in resolving the systemic issues with the warrants process addressed by this review. Moreover, in other regular reviews implicating warrants, NSIRA will document recurrences of systemic problems. In the meantime, since this review originated with a decision of the Federal Court, it is vital that the Minister and CSIS share it in its full form with the designated judges of that court.

In recognition of the fact that this report followed a recommendation of the Federal Court, NSIRA in turn recommends that:

(U) Recommendation no. 20: The full, classified version of this report be shared with the designated judges of the Federal Court.

Share this page
Date Modified:

Review of Departmental Frameworks for Avoiding Complicity in Mistreatment by Foreign Entities

Review Backgrounder

In 2019-2020, NSIRA conducted its first interdepartmental review on the implementation of the 2017 Ministerial Directions on Avoiding Complicity in Mistreatment by Foreign Entities (2017 MD). The review set out to build NSIRA’s knowledge of the information sharing process adopted by the six departments that received the 2017 MD.

NSIRA conducted a case study for each department that had operationalized the 2017 MD. NSIRA noted significant differences in the six departments’ implementation and operationalization of information sharing processes. NSIRA found that CSE, CSIS and the RCMP had implemented the 2017 MD; DND/CAF was implementing the final elements of the 2017 MD; GAC had not yet fully implemented the 2017 MD; and, the CBSA had not yet operationalized the 2017 MD.

NSIRA examined and found differences in how high-risk decision-making is removed from operational personnel who may have a vested interest in the sharing. CSE and the RCMP had the most independent processes; GAC removed high-risk decision-making from front line personnel, while CSIS and DND/CAF decision makers had a direct operational interest in sharing information. NSIRA recommended that Departments ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.

NSIRA also found a lack of standardization in information sharing risk assessments for both foreign countries and foreign entities. This issue has been noted in other NSIRA information sharing reviews.

In 2019, parliament passed the Avoiding Complicity in Mistreatment by Foreign Entities Act, which in conjunction with the subsequent issued Orders in Council (OIC’s) codified many of the provisions of the 2017 MD and left the essential prohibitions and limits unchanged. Noteworthy, the six departments examined in this review are also the same departments for which there is an obligation to issue OICs pursuant to the Act. This review set out the foundation that has assisted and facilitated NSIRA’s subsequent mandated information sharing reviews.

Publishing this review aligns with NSIRA’s efforts at increasing transparency and being more accessible to Canadians through its work.

Date of Publishing:

1. Executive Summary

In 2011 and again in 2017, ministers issued direction (hereafter Ministerial Direction or MD) to a number of departments setting out how to manage the risks of mistreatment posed by the sharing of information with foreign entities. Most recently, Parliament passed the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACMFEA). In September 2019, direction under the ACMFEA was issued to twelve departments, six of which had never before received formal direction regarding information sharing with foreign entities.

This review set out to build NSIRA’s knowledge of the information sharing processes adopted by departments under the 2017 MD. The direction issued pursuant to the ACMFEA in September 2019 codified many provisions of the 2017 MD and left the essential prohibitions and limits unchanged. As such, this review provided a foundation that will expedite and facilitate NSIRA’s future information sharing reviews.

The review focused on the six departments that had received the 2017 MD: the Canadian Security Intelligence Service (CSIS), the Communications Security Establishment (CSE), the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CSBA), Global Affairs Canada (GAC), and the Department of National Defence and the Canadian Armed Forces (DND/CAF).

Observations and Recommendations

Degrees of implementation vary across departments

NSIRA noted significant differences between the six departments with regard to the level of implementation of information sharing processes. In summary:

  • CSE, CSIS and the RCMP have implemented the 2017 MD.
  • DND/CAF is in the process of implementing final elements of the 2017 MD.
  • GAC has not yet fully implemented the 2017 MD.
  • In practice, CBSA has not yet operationalized the 2017 MD.

The concept of “substantial risk” of mistreatment is not defined

Like the 2017 MD, the ACMFEA and its associated direction prohibit information sharing that would result in a “substantial risk” of mistreatment. Neither the ACMFEA nor its direction include a definition of substantial risk, however, despite the centrality of this concept to the regime. A definition of substantial risk existed in both the 2011 and 2017 MD; its absence now raises concerns about its interpretation in future.

Recommendation: The definition of “substantial risk” should be codified in law or public direction.

Departments vary with respect to the independence of their decision-making

  • CSE and the RCMP have the most independent processes.
  • The information sharing processes implemented by GAC to date remove high- risk decision-making from “front line” personnel.
  • At CSIS and DND/CAF, decision-makers typically have a direct operational interest in the sharing of information.
  • CBSA has not yet operationalized its information sharing processes.

Recommendation: Departments should ensure that in cases where the risk of mistreatment approaches the threshold of “substantial”, decisions are made independently of operational personnel directly invested in the outcome.

Lack of standardized information sharing risk assessments

Under the 2017 MD, GAC, CSIS, CSE, and the RCMP all maintain their own sets of foreign country and/or entity profiles, while DND/CAF is currently developing its own as well. The existence of multiple different assessments is duplicative and unnecessary. It may also yield inconsistencies, as departments have at times come to quite different conclusions about foreign countries’ and entities’ human rights records and the associated risks of information sharing.

Recommendation: Departments should develop: (a) a unified set of assessments of the human rights situations in foreign countries including a standardized ‘risk of mistreatment’ classification level for each country; and (b) to the extent that multiple departments deal with the same foreign entities in a given country, standardized assessments of the risk of mistreatment of sharing information with foreign entities.