Review Backgrounder
On August 23rd, 2019, the National Security and Intelligence Review Agency (NSIRA) presented the Minister of Public Safety and Emergency Preparedness with a classified report on its review of CSIS’s use of geolocation information.
In this review, NSIRA found that CSIS’s use of this geolocation data without a warrant risked breaching section 8 of the Canadian Charter of Rights and Freedoms (Charter), which protects against unreasonable search and seizure. On March 16, 2020, NSIRA submitted a report under section 35 of the NSIRA Act, to the Minister of Public Safety regarding the possible unlawful activity.
This review raised pressing questions regarding the use of publically available data, but that nevertheless engages a person’s reasonable expectation of privacy. NSIRA’s review examined the decision-making process that led CSIS to use this data without a warrant, and found that CSIS lacked the policies or procedures to ensure that, prior to using the data, CSIS sought legal advice to avoid its unlawful use.
The review was also an opportunity to note more broadly that, in this environment, ongoing legal support to CSIS’s data exploitation activities is essential in allowing CSIS to operate at an acceptable level of risk. It also noted that CSIS and the Department of Justice are expected to demonstrate institutional leadership in this regard.
Going forward, NSIRA will prioritize the scrutiny of CSIS’s use of technology, particularly new or emerging technologies that pose the greatest risks.
Date of Publishing:
1. Authorities
This review began under the authority of the Security Intelligence Review Committee (SIRC) articulated in subsection 38(1 ) of the Canadian Security Intelligence Service’s (CSIS Act), which provided SIRC the mandate to review CSIS’s operations in the performance of its duties and functions.
During the course of the review. Bill C-59 -An Act Respecting National Security Matters received Royal Assent on June 21, 2019. Part 1 of Bill C-59 enacted the National Security and Intelligence Review Agency Act (NSIRA Act), which came into force by order of the Governor in Council on July 12, 2019. The NSIRA Act repeals the provisions of the CSIS Act that established and governed SIRC and establishes in its place the National Security and Intelligence Review Agency (NSIRA). The NSIRA Act sets out the composition, mandate and powers of NSIRA and amends the CSIS Act, and other Acts, in order to transfer certain powers, duties and functions to NSIRA.
This review continued under the authority described in subsections 8(1 )(a) and 8(3) of the NSIRA Act to review any activity carried out by CSIS and to make any finding and recommendation that NSIRA considers appropriate.
2. Introduction
In its review function, NSIRA expects CSIS’s activities to be lawful and comply with ministerial direction. This review focused on CSIS’ s non-warranted collection of geolocation information and is part of NSIRA’s ongoing interest in CSIS’s collection and exploitation of both warranted and unwarranted data. Past reviews have assessed CSIS’s warranted collection and retention of metadata and CSIS’s unwarranted collection and exploitation of bulk personal datasets. This is NSIRA’s first dedicated look at CSIS’s collection of geolocation data.
The review takes place in the context of Federal Court decisions, most particularly the IMSI decision of September 27. 2017, that impact on CSIS’s collection, use and retention of data, including geolocation data. The IMSI decision found that, though CSIS’s authority under section 12 does authorize it to obtain geolocation information for which there is a low expectation of privacy, anything beyond that, such as geolocating an individual, would require a warrant.
It is worth noting that the scope of the review was broader at the outset and was intended to include a more comprehensive examination of the collection of different types of geolocation information, both warranted and unwarranted. Although the scope was reduced in the course of the review, NSIRA will be mindful of this for future reviews.
3. Objectives
The objective of this review is to assess whether CSIS’s collection of unwarranted geolocation information used by CSIS in support of its operations is compliant with applicable sources of law, including the Canadian Charter of Rights and Freedoms (Charter) and the CSIS Act, as well as ministerial direction and operational policy. A related objective is to determine whether CSIS has sufficient safeguards in the form of formal procedures and policies to ensure that it is able to comply with its legal obligations amid a period of rapid change in technology and a correspondingly fluid legal environment.
4. Scope and Methodology
The scope and direction of the review was identified through a preliminary investigation of available documentation and a briefing with the ████████████████████████████████████████████████████████ Further, NSIRA requested that CSIS identify all activities undertaken by the █████ that may result in geographic information collected against non-warranted targets within the review period. This information was used as a foundation to
request specific documents from CSIS.
NSIRA examined all documents provided by CSIS and sought, retrieved and reviewed documents through CSIS’s various computer and email systems to ensure a clear record of activity. Documents reviewed included: ██████████████ taskings from the regions, responses to these taskings, briefing notes, planning documents, legal assessments and internal correspondence.
To conduct a compliance assessment of CSIS’ s use of geolocation information, NSIRA chose to conduct an in-depth case study of ██████████████████████████████████████████ geolocation information. NSIRA reviewed all instances when ██████████ was used by CSIS during the period under review. As this review consists of a single case study. NSIRA is mindful of generalizing the findings and conclusions to other types of geolocation data.
The core review period for this study was from January 1, 2017 to June 30, 2018, although NSIRA examined documentation that fell outside this period in order to provide a complete assessment of relevant issues.
5. Criteria
Legal and Ministerial Requirements
NSIRA expects CSIS to conduct its activities in accordance with relevant sources of law. including the CSIS Act. the Charter. the Privacy Act. and case law. NSIRA also expects CSIS to conduct its activities in accordance with ministerial direction. Most relevant in this review given the subject matter was an analysis of the Charter, which, in section 8, provides everyone with the right to be secure against unreasonable search and seizure.
In this case, at issue was whether the use of ███████ to collect information about an individual’s location information constitutes a search for the purposes of section 8 such that a warrant would be required.
Policies and Procedures
NSIRA’s expectation was that there would be policies and procedures in place to guide the collection, use and retention of data from ███████ despite its uniqueness, and that those policies and procedures would support compliance with CSIS’s legal obligations, including the Charter, as well as its obligations stemming from ministerial direction.
For reference, the relevant policies that pertain to the collection of information ███████
- ███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ In principle, this allows collection of this nature on a very broad cross-section of individuals;
- The collection of █████████ policies, including the DDO Memorandum of 2015 that request the establishment of █████████ as the National Policy Centre for █████████. Additionally there is the procedure on █████████ that allows █████ to conduct █████████ defined as a non-warranted collection tool or technique, against a ██████████████████████████████████████████████████████████████.
6. Background
The Investigative Technique – █████████
████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ from users across the world.
█████████ contains three months of data. The information is not available in real-time; however, there is a delay of only 24-48 hours between the collection of the ████ and it becoming available in ████████.
████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
See Annex A for an example of the use of █████ against a CSIS target.
A chronology of CSIS’s use of █████
a. From introduction to the beginning of the pilot: July 2015 – January 2018
████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
█████ echoed those same governance-related issues; specifically, it questioned whether there were legal issues associated with █████ that needed to be addressed prior to the trial period. █████ asked for “the rules of engagement so that we can plan accordingly and get the most of this evaluation.”█████ further noted that, although the data seemed “wonderful….there must be some legal/governance rules that apply to this when in the hands of a government agency. These questions were raised in an email to both █████ and the ██████████
███████████████████████████████████████████████████████████████████████████████████████████████████████████████████ Nevertheless, by September 2017 █████ was anticipating an evaluation of █████ that would involve using █████ for a trial period of two months with a limited ██████████.
█████convened a meeting in October with █████████████████████████████████████████████████████████████████████████████████████████████████████████ The objective of the meeting was to prepare for a █████ evaluation and, for that purpose, “to make decisions on a few details to ensure compliance with
legal and policy.
The questions to be covered in the agenda were:
- 1 ) Does existing █████ policy cover the use of █████ or does the policy need to be adapted?
- 2) Is the information contained in ███████ subject to a reasonable expectation of privacy?
- 3) Is there anything else that needs to be considered before CSIS can use █████? For example, additional █████ procedures or tests?
According to a written summary of discussions circulated by █████ following the meeting, it was agreed that ███████ would be compliant with collection under the ████████████ which allows ████ to “research and use open information” in support of investigations, it was further decided that the use of ██████ would align with ████ policies as it would constitute threat related queries ██████████████ and would be used only with the ██████████ authorities in place. Finally, it was assessed that the ██████ data invested would meet the “strictly necessary” threshold for collection and retention as set out in the CSIS Act as it would be based on a specific threat.
██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
Following the meeting, approval was granted for the trial use of ██████ by Deputy Chief █████████. Documentation of the approval consists of an email from the Deputy Chief to ███ and ███ with the understanding that, ██████████████████████████████████████████████████████████████████.
b. CSIS’s trial period – March 2018 – July 2018
CSIS began its pilot of ████ on January 14. 2018. It was initially to be for two months; but because of technical issues at the beginning that delayed its full use, and due to ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
During that time, ████████ was tasked a total of approximately ████ times, resulting in ████ operational messages. As noted, efforts were made by ███ to ensure that its use of ████████ was compliant with CSIS’s ████ policies on collection ████████████████████ as well as the CSIS Act provision that collection and retention be done only to the extent that is “strictly necessary.”
████ completed its evaluation of ████ by the end of April 2018. ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████.
The first version of a briefing note to gain approval for the ████████████ was drafted jointly by ████ and ███ in April 2018. The briefing note stated that the pilot for ████ was “conducted operational policies.” The briefing note also ████████████████████ one was a restricted amount of information that would meet the strictly necessary threshold; and the other was a situation in which ████████████████████ in which case it would be ████████████████████████████.
A subsequent version of the briefing note was prepared, also jointly by ████████████. This one was dated May 15, 2018 and was sent to the Director General of ████. In contrast to the first version of the briefing note, this one was the dual purpose of obtaining a legal opinion and ████████████████. This version was ultimately sent to the DG ████████ and also included that ████████ had been assessed as compliant with ████ authorities, following discussion with CSIS’s External Review and Compliance (ERC). ████ as well as informally with a representatives of the DLS. The briefing note stated that ████████████████████████ fall within existing authorities and directives” and, further that “although ████ has assessed that ████████████████ a formal legal opinion has not yet been conducted and suggest this briefing note be used as a mechanism to obtain one.”
NSIRA inquired as to the substance of the ERC and DLS discussion, as well as documentation of those meetings. NSIRA was advised that the ERC compliance officer embedded within ████ was aware of ████ which was presented at a town hall, but that it was not discussed with her beyond that. NSIRA asked for documentation to substantiate the DLS discussions but non was provided.
c. Legal advice: July 2018 – February 2019
Following the May briefing note, on July 20th, the DG ██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
By July 31, preliminary legal advice was received:
██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
A formal legal opinion was provided on December 7, 2018, that called into question CSIS’s use of ████████ without a warrant except in very narrow circumstances, ████████████████████████████████████████████████████████████████████.
A further legal opinion was requested by CSIS to determine whether ████████████████████████████████████████. The resulting legal opinion, dated February 19 2019, ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████. Accordingly, section 8 of the CHarter would not be engaed in this narrow circumstance.
based in part on the February 2019 legal opinion, CSIS subsequently took the decision to ████████████████████████████████████████████████████████████████████████████████████████████████████████. It is NSIRA’s understanding that, presently, ████████████ being used only in very specific circumstances and according to the guidelines set out in the legal opinions.
7. Findings
Finding no. 1 Compliance with the CSIS Act and the Charter NSIRA finds that there was a risk that CSIS breached section 8 of the Charter during the trial period in which it used █████ without a warrant.
DLS was asked to provide a legal opinion to CSIS on this investigative technique; in particular, to address the question of the “legal risk of using ██████████ (i) with respect to Canadians or persons in Canada; and (ii) human sources and employees, with their informed consent”. CSIS was advised in a Legal Memorandum dated December 7,2018 that:
██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
NSIRA’s own review of the file, which is meant to provide the Committee with independent legal advice, supports DLS’s opinion in that regard. In particular, NSIRA believes that the use of ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████. NSIRA observes that it is very unlikely that a court would find that section 12 of CSIS Act was sufficient legal authority to render warrantless use of ██████ reasonable” for the purposes of section 8 of the Charter. Accordingly, CSIS would be required to obtain a warrant pursuant to section 21 of the CSIS Act for such searches. Of note, NSIRA’s legal analysis was based on the same set of facts as DLS used for its opinion.
In reaching this conclusion. NSIRA interprets section 12 of the CSIS Act as only providing authority for collection activities of minimal intrusiveness. In that regard, NSIRA concurs with the DLS opinion that, ██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
At the time of writing, CSIS is pursuing options for how █████████ may be used under the authority of a warrant in the future.
NSIRA recommends that CSIS review its use of █████████ to date and make a determination as to which of the operational reports generated through the use of ███████ were in breach of section 8 of the Charter. These operational reports and/or any documents related to those results should be purged from its systems.
Findings no. 2 Governance related to piloting █████████
NSIRA finds that there was no policy centre clearly responsible for the use of the data contained in ████████.
NSIRA asked about the policies and procedures that guided the decision to authorize the trial period, as well as which unit within the ██████████████████ branch would have been responsible for assessing and authorizing the use of ███████ As described above, the record suggests there were three discrete units involved in the ████████████████████████ for the trial period.
█████████████ was involved in the ██████████████████ As the policy centre with respect to the ███████████████████████████████ the role and mandate of ████ is to coordinate, manage and █████████████████████████████████. In this capacity, ████ would have been responsible for assessing ████████ for privacy impacts, among other things, had ████████ been assessed as a ████████. However, ████████ was not ████████████████ but rather, as ████████████████████████████████████████████████████████████████. Therefore, █████ did not officially assess ███████████████████████████████████████. That said, the briefing note of May 15 2018, clearly indicates that ██████ assessed that the use of ████████████ fall within existing authorities and directives.” Given the lack of a formal record, NSIRA was unable to assess the content of, or the rationale for, this assessment.
██████ is the unit responsible for providing operational support for ████████████████████████ intelligence through the use of covert ████████████████████████████████████████████████████████████████████████████████████ and it was to ████ that the first demonstration of ██████ was given, ███ authorities were eventually identified as those under which ██████ would operate. However ██████ was not the primary user of ██████. Neither did it participate in the formal evaluation of the data contained in ████████████.
Responsibility for developing a means of formally evaluating ██████ fell to the ██████ given its expertise in geolocation information. However, ████ does not generally collect data, but is merely the user of data provided to it. As such, █████ thorough preliminary evaluation to determine whether there were legal or other issues that needed to be addressed, even at the pilot stage. Nevertheless, ████ prepared, on its own initiative, a formal document to guide its evaluation of ██████ during the trial period. NSIRA also notes that ████ followed existing policy in using ███████ only in instances when a valid targeting authority was in place.
NSIRA was not provided any formal documentation on the decision to authorize the pilot period. The record of decision to pilot ██████ consisted of an email, which contained the following:
I don’t see any reason not to start an evaluation – ████████████████████████████████████████████████ In addition, ████████████████████████ are not provided until after we can determine that they are “strictly necessary” and of relevance to the investigation -just until we find something of relevance.
Ultimately, NSIRA was unable to identify which of the three policy areas within ██████ should have had, according to existing policies and procedures, responsibility for the assessment of ████████████████████████████████████████████████████████████████████████████████████.
Finding no. 3 Record of decision
NSIRA finds that the record of approval to pilot ██████ consisted of an email and that this email was not “put-away” as part of the official record, as it should have been.
As noted, the closest thing to a record of decision to pilot ██████ was an email from a Deputy Chief of ██████ the full text of which is cited above.
NSIRA notes that this email was not “put-away” as is should have been given that it represents, de facto, the approval for acquiring ██████ for the purposes of evaluation and is required for robust records management and for accountability purposes. Instead, it was saved on a “personal” drive and only produced as part of the review process.
Findings no. 4-5 Assessment of risk in the case of ██████
NSIRA finds that there are no developed policies or procedures around the assessment and handling of new and emerging collection technologies, such that a formal evaluation of the legal risks of using ██████ would have been required.
NSIRA finds that CSIS overlooked multiple indicators that using ██████ might raise legal issues.
Ministerial Direction requires that the risk of operational activities be assessed across four pillars (operational, political, foreign policy and legal ). In particular, the Direction states that CSIS should “consider its ow n level of experience and novelty of the operational activity in assessing risk”.
NSIRA was told that there is no formal process for the evaluation of risk in cases like ████████████ given that it was assessed as ████████████████████████. This is consistent with NSIRA’s reading of the relevant policies, cited earlier, pertaining to ██████████████████████████████████████████ of which require an assessment of legal risk prior to the use of ████████████ for collection purposes.
██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
It was suggested to NSIRA that it would not have been possible to conduct a thorough assessment of ████████ before the pilot based on the reasoning that a risk assessment is only possible with full ████████. NSIRA accepts in principle that there are situations when it would be difficult to appreciate the legal risks until such time ████████████████ and fully evaluated. Notwithstanding the difficulties, it is the responsibility of CSIS to mitigate these risks to the extent possible.
In this case, moreover. NSIRA notes that there were indications of a need for caution with respect to the ████████ in the period before the trial was even begun, including the IMSI decision of the Federal Court, which found that geolocating an individual would require a warrant.
Internally, there were multiple indications to the effect that there may be reason for particular attention, including:
two emails sent prior to the pilot, one by █████ on June 28. 2017. and the other by █████ September 27. 2017, both containing legal and governance questions;
the meeting convened by █████ for the purpose of discussing whether there existed a reasonable expectation of privacy in the █████ data;
the examples provided by ███████████████████████████████████████████████████████████████████████████████████████████████ and the evaluation of █████ in April 2018. which indicated that there were privacy concerns with this tool given its ability to generate ███████████████ and to ██████████████████████████████████████████████████████████████████████
There were other indications of a need for caution, ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
Despite these signs, no formal action was taken to assess the question of legal risk until the briefing note in May 2018 requested a formal legal opinion.
NSIRA recommends that policy be developed or amended as appropriate that would require a documented risk assessment, including legal risks, in situations like ██████████ when information collected through new and emerging technologies may contain information in respect of which there may be a reasonable expectation of privacy. If not █████ NSIRA further recommends that a policy centre for this type of █████ collection be clearlv identified.
Conclusion
At the outset █████ was characterized as making use of ██████████. This is made clear from the approval email, ████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████ would consider, it is not clear that the data exploited through ██████████ represents genuinely ██████████ at least as defined in plain language, as was asserted.
Assessing █████ in this way was not without its consequences in that it appears to have justified the lack of a more thorough legal assessment. This assumption proved to be problematic; the consequence was that CSIS placed itself at risk of having violated the Charter. Throughout this review. NSIRA has been mindful of the length of time it took for CSIS to obtain the final legal opinion, which was requested in July but finalized only in December, a full five months later.
NSIRA is aware that there have been discussions within ██████████ on the need to have ongoing legal support. In particular █████ has requested the establishment of a policy and legal operating envelope to ensure that policy and legal questions related to data exploitation are properly covered, including a resource from DLS who would provide ongoing, even weekly, legal assistance. NSIRA understands that this request was made in part due to the difficulties associated with obtaining legal advice on an as needed basis. NSIRA has been advised that █████ request to have weekly legal support has not yet been actioned.
The combination of an expanding scope in the type, volume and sources of data collected by CSIS and a fluid legal situation makes this an area of persistent high legal risk. CSIS has publicly affirmed that the concept of a reasonable expectation of privacy is evolving over time and committed to ensuring that CSIS’s approach to a reasonable expectation of privacy “is kept consistent”.
NSIRA is of the view that, in this environment, legal support to █████ is essential to operate at an acceptable level of risk. NSIRA expects CSIS and the Department of Justice ( DOJ) to demonstrate institutional leadership that would allow responsible decision-making in an environment of uncertainty by making available legal support to █████ as required on a priority basis.