Backgrounder
Ottawa, Ontario, October 7, 2022 – The third Annual Report of the National Security and Intelligence Review Agency (NSIRA) was tabled in Parliament today, October 7, 2022.
NSIRA’s 2021 Annual Report focuses on our progress and activities in our second full year of operation. During this time, we pursued the reform of our processes and methods for doing review and investigations, both of which helped us improve the consistency and efficiency of our work.
This report highlights key findings and recommendations. The report also presents our intention to use future annual reports to publicly assess and track the implementation of previous recommendations, in accordance with our continued commitment to transparency and public engagement. Review highlights include:
- Four reviews of important areas of CSIS activities, notably CSIS threat reduction measures (TRMs) and technical capabilities, as well as the manner in which CSIS seeks and receives legal service from de Department of Justice and prepares and executes the warrants it needs to collect information. An annual compliance review of CSIS’s activities was also completed;
- CSE activities, notably CSE’s governance framework that guides the conduct of active and defensive cyber operations, internal information sharing, and CSE disclosures of Canadian-identifying information (CII);
- DND/CAF Defense Intelligence Enterprise and a follow-up review of the Canadian Forces National Counter-Intelligence Unit;
- Two specifically mandated multi-departmental reviews with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act and sharing of information within the federal government under the Security of Canada Information Disclosure Act; and,
- One multi-departmental review relating to the collection and use of biometrics in the “border continuum”.
In 2021, NSIRA saw its complaints investigation caseload increase significantly as a result of 58 complaints referred to NSIRA by the Canadian Human Rights Commission pursuant to subsection 45(2) of the Canadian Human Rights Act. NSIRA also completed its investigation process reform initiative after consultation with multiple stakeholders. NSIRA investigations under this new model are already showing improved efficiency.
NSIRA’s 2021 Annual Report also discusses our organization’s underlining goals and values, and highlights how the organization continued to grow in size and capacity throughout the year, and sought to enhance its technical and subject-matter expertise.
Date of Publishing:
Dear Prime Minister,
On behalf of the National Security and Intelligence Review Agency, it is my pleasure to present you with our third annual report. Consistent with subsection 38(1) of the National Security and Intelligence Review Agency Act, the report includes information about our activities in 2021, as well as our findings and recommendations.
In accordance with paragraph 52(1)(b) of the National Security and Intelligence Review Agency Act, our report was prepared after consultation with relevant deputy heads, in an effort to ensure that it does not contain information the disclosure of which would be injurious to national security, nation al defence or international relations, or is information that is subject to solicitor-client privilege, the professional secrecy of advocates and notaries, or to litigation privilege.
Yours sincerely,
The Honourable Marie Deschamps, C.C.
Chair // National Security and Intelligence Review Agency
Message from the members
The National Security and Intelligence Review Agency (NSIRA) is pursuing its mission of enhancing accountability for national security and intelligence activities in Canada. In 2021, our agency continued to grow in size and improved its ability to fully take advantage of its broad review and investigations mandate covering the national security and intelligence activities of departments and agencies across the federal government.
It is our pleasure to present to you our third annual report in which we discuss our progress and activities in our second full year of operation. Despite the recurrent challenges posed by the COVID-19 pandemic and delays caused by a cyber incident, we completed a wide array of reviews and investigations, and continued improving our processes across the agency. Indeed, we pursued the reform of our processes and methods for doing reviews and investigations, both of which helped us to improve the consistency and efficiency of our work tremendously. These reforms, in conjunction with our growing experience, have allowed us to implement and deliver on our review plan. All of this was made possible by the development of a much stronger corporate policy framework backed by a corporate group that really cares about service delivery and the health of the agency.
In accordance with our continued commitment to transparency and public engagement, this report will present our intention to use future annual reports to publicly assess and track the implementation of previous recommendations. In the same spirit of holding us and the reviewed organizations accountable, we also formalized standards that will allow us to assess the timeliness of responses. It is our hope that these initiatives, in addition to the stringent verification process to assess our confidence in each review that we are currently developing, will inspire confidence and trust in our recommendations and findings.
We would like to thank the staff of NSIRA’s Secretariat for their efforts, patience and resilience throughout this challenging year and we hope you share our enthusiasm for what we can accomplish in the year ahead.
Marie Deschamps
Craig Forcese
Ian Holloway
Faisal Mirza
Marie-Lucie Morin
Executive Summary
The National Security and Intelligence Review Agency (NSIRA) marked its second full year in operation in 2021. With the agency’s broad jurisdiction under the National Security and Intelligence Review Agency Act (NSIRA Act), it reviewed and investigated national security and intelligence matters relating to not only the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), but also several federal departments and agencies, including:
- the Department of National Defence (DND) and the Canadian Armed Forces (CAF);
- the Royal Canadian Mounted Police (RCMP);
- Immigration, Refugees and Citizenship Canada (IRCC);
- the Canada Border Services Agency (CBSA);
- Transport Canada; and
- all departments and agencies engaging in national security and intelligence activities in the context of NSIRA’s yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act.
In 2021, NSIRA continued to grow in capacity and sought to enhance its technical and subject-matter expertise.
Review highlights
Canadian Security Intelligence Service
Over the course of 2021, NSIRA completed four reviews that strengthened its knowledge of important areas of CSIS activity:
- a review of the cultural, governance and systemic issues arising in the context of the manner in which CSIS seeks and receives legal services from the Department of Justice and prepares and executes the warrants it needs to collect information;
- a survey of CSIS’s suite of technical capabilities, along with its associated governancestructure, and areas of interest or concern to which NSIRA may return in future reviews;
- the second annual review of CSIS’s Threat Reductions Measures (TRMs) that expandson findings from the previous review by examining a larger number of TRMs; and
- an annual compliance review of CSIS’s activities.
Communications Security Establishment
In 2021, NSIRA completed two reviews of CSE activities, and directed CSE to conduct one departmental study:
- a review of CSE’s governance framework that guides the conduct of active and defensive cyber operations, including whether CSE appropriately considered its legal obligations and the foreign policy impacts of operations;
- a review focused on internal information sharing within CSE between the foreign intelligence aspect and the cybersecurity and information assurance aspect of its mandate; and
- a departmental study on whether CSE disclosures of Canadian-identifying information were conducted in a manner that complies with the Communications Security Establishment Act, and were essential to international affairs, defence, security or cybersecurity.
Department of National Defence and the Canadian Armed Forces
In 2021, NSIRA completed two reviews of the DND/CAF:
- a scoping exercise to gain foundational knowledge of the Defence Intelligence Enterprise, where a significant part of intelligence functions of the DND/CAF are located; and
- a follow-up review on the previous year’s examination of the Canadian Forces National Counter-Intelligence Unit, with emphasis on operational collection and privacy practices.
Multi-departmental reviews
NSIRA conducted two specifically mandated multi-departmental reviews in 2021:
- a review of directions issued with respect to the Avoiding Complicity in Mistreatment by Foreign Entities Act; and
- a review of information sharing within the federal government under the Security of Canada Information Disclosure Act.
NSIRA also completed a multi-departmental review under its general mandate to review any activity carried out by a department that relates to national security or intelligence:
- to map the collection and use of biometrics across several federal government departments and agencies in security and intelligence activities related to international travel and immigration, that is, the “border continuum.”
Complaints investigations
In 2021, NSIRA saw its complaints investigation caseload increase significantly as a result of 58 complaints referred to NSIRA by the Canadian Human Rights Commission pursuant to subsection 45(2) of the Canadian Human Rights Act.
Further, the COVID-19 pandemic contributed to delays in NSIRA’s investigations by reducingparties’ responsiveness in providing access to information and evidence.
In 2021, NSIRA completed its investigation process reform initiative after consultation with multiple stakeholders. NSIRA investigations under this new model are already showing improved efficiency.
Introduction
1.1 Who we are
Established in July 2019, the National Security and Intelligence Review Agency (NSIRA) is an independent agency that reports to Parliament and conducts investigations and reviews of the federal government’s national security and intelligence activities. Prior to NSIRA’s creation, several gaps existed in Canada’s national security accountability framework. Notably, NSIRA’s predecessor review bodies did not have the ability to collaborate or share their classified information but were each limited to conducting reviews for their specified department or agency.
By contrast, NSIRA has the authority to review any Government of Canada national security or intelligence activity in an integrated manner. As noted in the 2019 annual report, with NSIRA’s expanded role, Canada now has one of the most extensive systems for independent review of national security.
1.2 Mandate
NSIRA has a dual mandate to conduct reviews and investigations of Canada’s national security and intelligence activities. Annex B contains a financial and administrative overview of NSIRA.
Reviews
NSIRA’s review mandate is broad, as outlined in subsection 8(1) of the National Security and Intelligence Review Agency Act (NSIRA Act). This mandate includes reviewing the activities of both the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security- or intelligence-related activities of any other federal department or agency. This includes, but is not limited to, the national security or intelligence activities of the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND) and Canadian Armed Forces (CAF), Global Affairs Canada (GAC), and the Department of Justice.
Further, NSIRA reviews any national security or intelligence matters that a minister of the Crown refers to NSIRA. Annex C contains summaries of the reviews completed in 2021.
NSIRA reviews assess whether Canada’s national security and intelligence activities comply with relevant laws and ministerial directions, and whether they are reasonable and necessary. In conducting its reviews, NSIRA can make any findings or recommendations it considers appropriate.
Reviews of CSIS and CSE will always remain a core part of NSIRA’s work since the entire focus of these organizations is to address national security and intelligence matters. Unlike its predecessor review bodies, however, NSIRA has an all-encompassing review mandate. NSIRA will thus continue to prioritize and examine how other departments engaging in national security and intelligence activities meet their obligations. NSIRA reviews help keep Parliament and Canadians informed about the lawfulness and reasonableness of Canada’s national security and intelligence activities.
Investigations
In addition to its review mandate, NSIRA is responsible for investigating national security- or intelligence-related complaints. This duty is outlined in paragraph 8(1)(d) of the NSIRA Act, and involves investigating complaints about:
- the activities of CSIS or CSE;
- decisions to deny or revoke certain federal government security clearances; and
- ministerial reports under the Citizenship Act that recommend denying certain citizenship applications.
This mandate also includes investigating national security-related complaints referred to NSIRA by the Civilian Review and Complaints Commission for the RCMP (the RCMP’s own complaints mechanism) and the Canadian Human Rights Commission.
Reviews
2.1 Canadian Security Intelligence Service reviews
Overview
NSIRA has a mandate to review any Canadian Security Intelligence Service (CSIS) activity. The NSIRA Act requires NSIRA to submit a classified annual report to the Minister of Public Safety and Emergency Preparedness on CSIS activities each year, including information related to CSIS’s compliance with the law and applicable ministerial directions, and the reasonableness and necessity of the exercise of CSIS’s powers.
In 2021, NSIRA completed four reviews of CSIS, summarized below. NSIRA also began two more reviews: one of CSIS’s Justification Framework and the other of CSIS’s Dataset Regime. Several other ongoing NSIRA reviews contain a CSIS component.
Review arising from the Federal Court’s decision in 2020 FC 616, Rebuilding Trust: Reforming the CSIS Warrant and Department of Justice Legal Advisory Processes
In a 2020 decision (2020 FC 616), the Federal Court recommended that a “comprehensive external review be initiated to fully identify systemic, governance and cultural shortcomings and failures that resulted in CSIS engaging in operational activity that it has conceded was illegal and the resultant breach of candour.” Based on that recommendation, the Minister of Public Safety and Minister of Justice referred the review to NSIRA pursuant to paragraph 8(1)(c) of the NSIRA Act. Acting on this reference and relying on its own jurisdiction, NSIRA therefore reviewed the manner in which CSIS seeks and receives legal services from the Department of Justice and prepares and executes the warrants it needs to collect information.
This review found an intelligence service and its counsel who struggle to organize themselves in a manner that enables them to meet their legal obligations, including to the Federal Court. NSIRA also found a failure at CSIS to fully and sustainably professionalize the warrant application process as a specialized trade requiring training, experience and investment. This review also demonstrated the need to transform the relationship between CSIS and its legal counsel.
This review was led by NSIRA members Marie Deschamps and Craig Forcese. One or both members were directly involved in every aspect of the review including review process management, briefings, interviews and document review. This included dozens of confidential interviews with Department of Justice and CSIS employees whose perspectives were essential for “ground-truthing” the knowledge NSIRA had gained from documents and formal briefings.
In organizing these interviews, NSIRA ensured robust representation covering the range of functions in the warrant and legal advice giving processes. The interviews raised issues and concerns that would have otherwise been unavailable to NSIRA. This assisted NSIRA in making recommendations on governance, systemic and cultural issues that contribute to inefficiencies threatening the ability of CSIS and the Department of Justice to fulfil their mandates.
NSIRA heard repeated concerns from interviewees that these problems put at risk the ability of the intelligence service to meet the mandate Parliament has assigned to it. Addressing these challenges urgently is in the public interest. Though CSIS and the Department of Justice have made improvements, difficulties are still evident.
NSIRA grouped its findings and recommendations into three overarching areas:
- the Department of Justice’s provision of legal advice;
- CSIS’s and the Department of Justice’s management of the warrant acquisition process; and investment in people.
The Department of Justice’s provision of legal advice
CSIS operates in often rapidly evolving and legally challenging environments. Timely, nimble and actionable legal advice is critical. The Department of Justice provides CSIS with legal advice on national security matters via the National Security Litigation and Advisory Group (NSLAG). This review highlighted factors that prevent NSLAG from providing CSIS with the legal advice it needs.
The Department of Justice has employed a centralized “one voice” model for delivering its legal services. The one voice model reflects a desire for uniform and consistent legal advice delivered on behalf of the Attorney General of Canada. Although the premise for the one voice approach is sound, NSIRA found that NSLAG struggled to provide timely, responsive and useful legal advice in the CSIS context. The way the Department of Justice provides advice has often not been responsive to CSIS operations. For example, NSLAG presents its advice as a legal risk assessment using the Department of Justice-wide Legal Risk Management grid. This grid uses a colour-coded risk rating that can be compared to a “traffic light” system: a green risk rating represents a low legal risk to CSIS, a red risk rating represents a high legal risk, and, more ambiguously, a yellow risk rating represents an intermediate legal risk. Yellow light responses are reportedly the most common and the most frustrating for CSIS, especially when unaccompanied by discussions on how to mitigate the risk, the inclusion of which NSIRA heard is not currently common practice.
Therefore, some at CSIS perceive the Department of Justice as presenting a roadblock because of its bureaucracy, its perceived operational illiteracy and its unhelpful approach to communicating legal advice.
However, the problems with timely, responsive and useful legal advice do not stem from the Department of Justice alone. NSIRA heard that CSIS has not always shared all relevant information with the Department of Justice, prompting a degree of mistrust. The internal process for requesting legal advice at CSIS also contributes to delays and lack of relevance. The advice that sometimes comes back to operational investigators at CSIS filtered through bureaucratic hierarchies may be of limited relevance.
NSIRA heard that the laborious advice-seeking and -receiving process has sometimes caused [discussion of detrimental effects on and risks to operations].
CSIS and the Department of Justice often operate in a situation of legal doubt because of lack of clarity in the law. Clarifying legal standards often requires judicial case law. However, an unwieldy warrant process, discussed below, makes that prospect more difficult.
The Department of Justice is aware of the need for change. Broad, recent initiatives include the Vision Project, which promises client-centric strategic partnerships. New procedures have been implemented at NSLAG to address internal silos between advisory and litigation counsel, and to improve training, improve access to legal advice and facilitate consistent legal opinions. NSLAG also appears to recognize the desire for a different approach to providing legal advice, including moving toward legal advice that promotes collaborative and iterative engagement with CSIS in order to achieve its operational goals, within the bounds of the law. However, as of fall 2021, it did not appear that CSIS and the Department of Justice had systematically put this model into effect.
To facilitate proper advice-giving, CSIS needs to provide NSLAG with all the facts, and to engage NSLAG early on, at the operational level. Earlier and ongoing involvement throughout the stages of an investigation or operation would enable counsel to provide informal legal nudges that allow CSIS to course-correct before too much time has been spent. A more iterative process of incorporating legal advice over the full course of an operation could address the reported challenge of operations halted due to untimely or ambiguous legal advice.
Management of the warrant process
CSIS organizes the process of seeking a warrant around a system of internal preparation and approvals before proceeding to the statutory step of seeking ministerial approval of the warrant application. A number of legal concepts and expectations enter into the warrant process, including the “duty of candour” owed to the Court.
The Federal Court duty of candour concerns fit into two categories: disclosure of information material to the credibility of the sources who supply information used in the application; and disclosure of information material to matters of potential concern about the broader context of the warrant and how it will be executed.
Despite past attempts at reforms, the current warrant process adopted by CSIS and supported by the Department of Justice has repeatedly failed to meet these candour obligations. Many reforms appear to have contributed to the bureaucratic complexity of the warrant process, without addressing candour issues.
CSIS has especially struggled to ensure that all information material to the credibility of sources is properly included in warrant applications. NSIRA heard repeatedly that CSIS officers involved in the early stages of preparing warrant applications do not clearly understand the legal expectations surrounding the duty of candour. Deficient information management systems related to human sources at CSIS have also resulted in important omissions, violating duty of candour obligations. These challenges produce what NSIRA calls the “recurring omissions” problem.
In 2019, CSIS sought to professionalize affiant work by creating an Affiant Unit. CSIS’s establishment of the Affiant Unit is a critical development and, properly resourced and staffed, it would be well positioned to respond to long-standing problems with the duty of candour. However, when created, the Affiant Unit was placed [Name of Branch]. [Name] has a broad mandate that does not align with the Affiant Unit’s functions in preparing legally robust warrant applications. This governance anomaly may explain the Affiant Unit’s present administrative and human resource challenges. The Affiant Unit’s sustainability is in question, and indeed NSIRA heard that the unit could currently be described as being in a state of crisis. CSIS has not supported the unit with resources commensurate with the importance of this unit in fulfilling CSIS’s mission.
Warrants counsel at NSLAG have several key roles in the warrant application process and are intimately implicated in ensuring adherence to the duty of candour. Fostering a strong, collaborative and productive relationship with CSIS is key. Morale among NSLAG warrants counsel may have suffered in light of the recent Federal Court decision that prompted this review. With recent staffing increases, it appears that NSLAG currently has the requisite complement to manage the number of annual warrant applications expected from CSIS, but recruitment challenges remain an ongoing issue. NSLAG should be staffed to ensure that CSIS’s operations are not stalled due to the lack of availability of warrants counsel.
The warrant application process is meant to be strengthened through a review of the near- final affidavit by an “independent counsel” (IC) – in practice, a lawyer drawn from the Department of Justice’s National Security Group. The role was originally envisioned as performing a rigorous challenge of the warrant application. However, the primary role of the IC appears to be more clerical than substantive, designed to cite check rather than assertively perform a devil’s advocate function.
NSIRA believes that the presence of a rigorous challenge function performed by a knowledgeable, adequately supported lawyer distant from the warrant application is valuable and necessary. However, NSIRA proposes that the current IC model be abandoned in favour of a challenge function performed at Public Safety Canada, whose precise role is that of oversight of the CSIS warrant application process.
Working with the Public Safety Canada unit charged with warrant review, an experienced and specialized warrant counsel could perform a genuine challenge role to the warrant, analogous to the role a defence lawyer would play were warrants subject to an adversarial process. NSIRA believes that a testing review of this sort will help forestall duty of candour shortcomings stemming from a failure to disclose fully information material to matters of potential concern about the broader context of the warrant and how it will be executed.
Once a judge issues a warrant, CSIS may execute the warrant. That execution must comply with the scope and terms of the warrant. However, the CSIS regional warrant coordinators have not received sufficient training to enable the contents of warrants to be translated into advice on proper execution.
Investment in people
Concern about inadequate training at CSIS was a recurring theme in this review. This concern was noted in internal CSIS documents. CSIS acknowledges that it is currently not a learning organization and does not have a learning culture. There are too few training opportunities required to sustain a modern professional intelligence service operating in a complex environment.
Conclusions
This report concluded with observations on cross-cutting cultural and governance challenges that stem, at least in part, from challenges characterizing the provision of legal advice and the warrant process. NSIRA divides these broad, cross-cutting phenomena into two categories: morale and attitudes; and performing the mission.
Low morale at CSIS was a common theme throughout this review. The systemic problems in the warrant application process are likely one cause of this problem: morale is affected when a warrant acquisition system repeatedly prevents CSIS officers from performing their mandated duties and is the source of regular reputational crises stemming from failures to meet the duty of candour.
Meanwhile, a failure to correct problems with the warrant process impairs CSIS’s and the Department of Justice’s abilities to fulfil their mandates. The Department of Justice must go from being perceived as a roadblock to a frank and forthright advisor fully attuned to operational objectives.
Within CSIS, the warrant application process was sometimes likened to winning a lottery — not because the Federal Court declines to issue warrants, but because of the resources required to prepare and complete the application. The current, laborious warrant application process is preventing some collection activities from moving forward.
In sum, this review was sparked by a compliance failure in a duty of candour matter. It concludes that repeated failures in this area are both caused by, and cause, deep-seated cultural and governance patterns. This vicious cycle has compounded the challenges of reform in the warrant acquisition process.
Cherry-picked or paper-based reforms that mask without addressing the overarching systemic, cultural, and governance challenges will suffer the fate of prior reforms: the problems will continue.
NSIRA intends to launch a follow-up review within two years that will measure progress at CSIS, the Department of Justice and Public Safety Canada in resolving the systemic problem with the warrant process addressed by this review. Moreover, in other regular reviews implicating warrants, NSIRA will document recurrences of systemic problems. In the meantime, since this review originated with a decision of the Federal Court, it is vital that the Minister and CSIS share it in its full form with the designated judges of that court. NSIRA’s full redacted report can be read on its website.4
Response to NSIRA’s recommendations
NSIRA’s recommendations, the management response of CSIS, Public Safety Canada and the Department of Justice, and other details about this review are found in Annex D of this report.
Study of CSIS Technical Capabilities
Canada’s national security threat landscape is constantly evolving and changes in technology present CSIS with a variety of new investigative opportunities. Consequently, CSIS must develop and acquire new technical capabilities, as well as adapt (repurpose) existing tools to support its mandated collection activities. This process presents potential compliance risk, as CSIS’s existing governance and legal frameworks may not capture the new deployment or adaptation of these technical capabilities. Furthermore, certain personnel and supporting legal counsel may not fully understand how these tools are used operationally, impacting their ability to advise whether or not CSIS has the legal and policy framework required to support use of the technology. These risks require NSIRA to maintain up-to-date knowledge of CSIS’s technical capabilities and related warrant powers.
NSIRA’s survey of CSIS technical capabilities offers a first step in this endeavour by surveying CSIS’s suite of capabilities, along with its associated governance structure, and identifying areas of interest or concern to which NSIRA may return in future reviews.
Reality of the risks
NSIRA’s review of CSIS’s use of a geolocation tool found that the lack of “developed policies and procedures around the assessment of new and emerging collection technologies” directly contributed to the risk that CSIS had breached section 8 of the Canadian Charter of Rights and Freedoms while testing the tool.
– NSIRA Study 2018-05
The full range of technical capabilities CSIS currently employs in support of its intelligence collection operations was examined. NSIRA reviewed relevant policy and legal frameworks as communicated by CSIS but did not conduct an independent verification or audit of the claims or activities themselves. NSIRA also examined the tripartite information/knowledge sharing and support nexus that exists between CSIS’s operational branches, technological branches and CSIS’s Department of Justice counsel with regard to the deployment of capabilities in support of operations.
In addition to the foundational knowledge NSIRA gained of CSIS’s technical capabilities, NSIRA made several observations identifying areas of interest for possible future reviews. For example, NSIRA noted, and CSIS agreed, that the main policy suite related to the use of technical capabilities is outdated and under revision, though the timeline for completing this task is unclear.
In the interim, the policy suite is buttressed as required by directives from senior leadership and other relevant policies and practices. The lack of up-to-date policies and procedures may result in heightened compliance risks, an issue of interest to future NSIRA reviews.
In addition, CSIS is currently reworking the framework it uses to assess compliance and risk in this area. CSIS indicated that greater efficiencies in addressing stakeholder needs and compliance gaps could be achieved through new initiatives such as the creation of the Operational Technology Review Committee, which was created in May 2021. This committee’s objective is to review all new technologies used to collect intelligence and existing technologies that will be used in a new or different manner. The creation of the Operational Technology Review Committee suggests a positive step toward mitigating the risk of compliance breaches related to the deployment of technologies in support of operations. Most obviously, it presents a forum in which potential risks can be proactively identified and mitigated. The evolving nature of how compliance is monitored in relation to technical capabilities will be of interest to NSIRA moving forward.
Further questions exist regarding how CSIS monitors the operational value of technical capabilities. CSIS needs to strengthen its performance metrics program with regard to its deployment of technologies in support of operations. A performance measurement regime, currently under development, will become an important feature of the governance framework, with attendant compliance implications for possible future NSIRA reviews.
Overall, it will be important for NSIRA to remain up to date with respect to the technical aspects of CSIS intelligence collection operations, particularly given the speed with which technology and associated technical capabilities evolve.
As part of this effort, it may be possible to leverage existing reporting requirements already undertaken by CSIS. For example, Section 3 of the Ministerial Direction to the Canadian Security Intelligence Service: Accountability (September 10, 2019) requires CSIS to inform the Minister of Public Safety of operational activities in which “a novel authority, technique or technology is used.” These notifications could provide NSIRA with ongoing and up-to-date knowledge of CSIS’s capability suite and how/when technologies are deployed operationally. Furthermore, sharing the notifications would bolster CSIS’s efforts toward proactive transparency, which are in line with commitments to provide explanatory briefings to the Federal Court on new technologies used in warranted operations.
NSIRA has recommended that the full, unredacted, version of this technical survey be shared with the designated judges of the Federal Court.
Review of CSIS Threat Reduction Activities: A Focus on Information Disclosure to External Parties
Under the Anti-terrorism Act, 2015, CSIS was granted the authority to undertake threat reduction measures (TRMs). NSIRA is required to review, annually, at least one aspect of CSIS’s performance in the use of its threat reduction powers. NSIRA recognizes that CSIS’s threat reduction powers can be an effective tool to diminish a national security threat; however, these powers also command heightened responsibility, given their nature and ability to profoundly impact, not only the subject of a given TRM, but others potentially captured by its scope.
This year, NSIRA produced its second annual review of CSIS’s TRMs. This review sought to expand on findings from the previous review by examining a larger number of TRMs, wherein CSIS disclosed information to external parties, and in doing so, provided the external party the opportunity to take action, at their discretion and pursuant to their authorities, to reduce identified threats. This review studied the characteristics of these particular TRMs but focused its examination on the extent to which CSIS appropriately identified, documented and considered any plausible adverse impacts that these measures could have on affected individuals.
NSIRA observed that several different kinds of external parties were involved in the TRMs. These external parties had varied levers of control through which they could take action to reduce a threat.
NSIRA found that CSIS’s documentation of the information disclosed to external parties as part of TRMs was inconsistent and, at times, lacked clarity and specificity. NSIRA also found that CSIS did not systematically identify or document the authorities or abilities of external parties to take action, or the plausible adverse impacts of the TRM. NSIRA also found that CSIS did not always document the outcomes of a specific TRM, or the actions taken by external parties to reduce a threat.
Without robust documentation, CSIS is neither capable of assessing the efficacy of its measures nor appreciating the full impact of its actions related to these measures.
NSIRA recommended that when a TRM involves the disclosure of information to external parties, CSIS should clearly identify and document the scope and breadth of information that will be disclosed as part of the proposed measure. NSIRA recommended that CSIS should also fully identify, document and consider the authority and ability of the external party to take specific action to reduce a threat, as well as the plausible adverse impacts of the measure. Beyond recommending that CSIS comply with its record-keeping policies, NSIRA recommended that CSIS amend its TRM policy to include a requirement to systematically document the outcomes of TRMs, including actions taken by external parties. This practice should inform post-action assessments and future decision-making.
In addition, NSIRA found that the current assessment framework employed as part of the TRM approval process is overly narrow and does not sufficiently consider the full impact of CSIS TRMs. NSIRA recommended that CSIS consider plausible adverse impacts resulting not only from CSIS disclosures of information, but also from the actions of external parties as part of TRMs.
The variety of impacts observed in this year’s review, combined with the gaps identified in CSIS’s understanding and assessment of these impacts, highlights the salience of a number of NSIRA’s recommendations made in 2020. NSIRA reiterated its 2020 recommendation that CSIS consider more comprehensively the plausible adverse impacts of these types of measures on the affected individuals, even when they are carried out by the external party and not CSIS. These impacts should be considered not only when assessing the reasonableness and proportionality of a proposed measure, but also when determining whether a warrant is required.
The Canadian Security Intelligence Service Act (CSIS Act) is clear that when a proposed TRM would limit a right or freedom protected in the Canadian Charter of Rights and Freedoms, or would otherwise be contrary to Canadian law, CSIS must seek a judicial warrant. NSIRA fundamentally disagrees with CSIS’s understanding of and approach to the legal analysis of determining whether a warrant is required for proposed TRMs. In 2020, CSIS responded to this recommendation by stating, “the Department of Justice will consider this recommendation and factor it into its work related to TRMs under the CSIS Act.”
Going forward, NSIRA recommended that CSIS seeks a warrant when a proposed TRM could infringe on an individual’s Charter rights, or where it would otherwise be contrary to Canadian law, regardless of whether the activity would be conducted by CSIS directly, or via an external party to whom CSIS discloses information.
NSIRA was able to use its direct access to CSIS information repositories to confirm information that it needed to verify and pursue necessary additional inquiries. For that reason, NSIRA has a high level of confidence in the information used to complete this review. NSIRA would also like to recognize CSIS’s timeliness in responding to NSIRA’s requests for information throughout the course of this review.
Response to NSIRA’s recommendations
NSIRA’s recommendations, the management response of CSIS and other details about this review are found in Annex D of this report.
NSIRA’s annual review of CSIS activities
In accordance with the CSIS Act, CSIS is required to provide information to NSIRA on specific activities. In response, NSIRA has developed a process to examine this information throughout the year and highlight any significant observations as part of NSIRA’s annual reporting obligations to the Minister of Public Safety. This process aims to keep NSIRA informed of key CSIS activities so that it can identify emerging issues and compliance gaps in a timely manner, and plan reviews and annual reporting obligations. Furthermore, this process facilitates additional scrutiny of these activities, as necessary, to assess for compliance, reasonableness and necessity.
In 2021, NSIRA formalized this process and initiated an annual review pursuant to its review mandate (paragraph 8(1)(a) of the NSIRA Act). To enhance transparency, NSIRA requested additional categories of information from CSIS, including approved warrant applications, compliance reports, internal audits and evaluations, and communications between CSIS and the Federal Court and CSIS and the Minister of Public Safety. These additional categories sought to ensure that NSIRA has the benefit of specific policy and governance information beyond that which CSIS is legislatively required to provide.
NSIRA found that CSIS met its legislated reporting requirements; however, these requirements do not always translate into information that can be used for assessments by NSIRA. Notably, CSIS did not provide information on the additional categories of activities requested by NSIRA. Conversations to address these gaps will continue in 2022.
In 2022, NSIRA will continue its review of CSIS activities with the support of the information from CSIS as required under the CSIS Act and the NSIRA Act.
Statistics
NSIRA requested that CSIS provide for publication statistics and data about public interest and compliance-related aspects of its activities. NSIRA is of the opinion that the following statistics will provide the public with information related to the scope and breadth of CSIS operations, as well as display the evolution of activities from year to year.
Warrant applications
Section 21 of the CSIS Act authorizes CSIS to make an application to a judge for a warrant if CSIS believes, on reasonable grounds, that more intrusive powers are required to investigate a particular threat to the security of Canada. Warrants may be used by CSIS, for example, to intercept communications, enter a location, and/or obtain information, records or documents. Each individual warrant application could include multiple individuals or request the use of multiple intrusive powers.
NSIRA is aware that difficulties with the warrant acquisition process within CSIS persist. NSIRA’s Review on Rebuilding Trust: Reforming the CSIS Warrant and Justice Legal Advisory Process found that the current warrant process continues to be overly burdensome, despite attempts at reform. The review found a failure at CSIS to professionalize the warrant application process fully and sustainably. The lack of clear accountability and clear communication combined with excessive complexity have contributed to the problems facing this process. The review made a number of findings and recommendations related to systemic problems with CSIS’s warrant process.
Section 21 warrant applications made by CSIS, 2018 to 2021
2018 | 2019 | 2020 | 2021 | |
Approved warrants Total | 24 | 23 | 15 | 31 |
New warrant | 10 | 9 | 2 | 13 |
Replacements | 11 | 12 | 8 | 14 |
Supplemental | 3 | 2 | 5 | 4 |
Denied total | 0 | 1 | 0 | 0 |
Threat reduction measures (TRMs)
Section 12.1 of the CSIS Act authorizes CSIS to take measures to reduce threats to the security of Canada, within or outside Canada. CSIS is authorized to seek a judicial warrant if it believes that certain intrusive measures (outlined in subsection 21 (1.1) of the CSIS Act) are required to reduce the threat. To date, CSIS has sought no judicial authorizations to undertake warranted TRMs.
NSIRA’s first two reviews of CSIS’s use of threat reduction measures found that CSIS did not sufficiently consider the full impact of the measure as part of the approval process for these activities. More specifically, these impacts were not explicitly considered when determining whether a warrant may be required. As already noted, NSIRA expects that when CSIS is proposing a TRM where an individual’s Charter rights would be limited or the TRM would otherwise be contrary to Canadian law, whether CSIS is undertaking the TRM directly or whether it will be executed by an external party, CSIS will seek a warrant to authorize the TRM.
Threat reduction measures approved, executed by CSIS and warranted, 2015 to 2021
2015 | 2016 | 2017 | 2018 | 2019 | 2020 | 2021 | |
Approved TRMs | 10 | 8 | 15 | 23 | 24 | 11 | 23 |
Executed | 10 | 8 | 13 | 17 | 19 | 8 | 17 |
Warranted TRMs | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
CSIS targets
CSIS is mandated to investigate threats to the security of Canada, including espionage; foreign-influenced activities; political, religious or ideologically motivated violence; and subversion. Section 12 of the CSIS Act sets out criteria permitting CSIS to investigate an individual, group or entity for matters related to these threats. Sub jects of a CSIS investigation, whether they be individuals or groups, are called “targets.”
CSIS targets, 2018 to 2021
2018 | 2019 | 2020 | 2021 | |
Number of targets | 430 | 467 | 360 | 352 |
Datasets
Data analytics is a key investigative tool for CSIS, providing it with the capacity to make connections and identify trends that are not possible through traditional methods of investigations. The National Security Act, 2017, which was passed by Parliament in June 2019, gave CSIS a suite of new powers including a legal framework for the collection, retention and use of datasets. The framework authorizes CSIS to collect datasets (sub- divided into Canadian, foreign and publicly available datasets) that have the ability to assist CSIS in the performance of its duties and functions. It also establishes safeguards for the protection of Canadian rights and freedoms, including privacy rights. These protections include enhanced requirements for ministerial accountability. Depending on the type of dataset, CSIS must meet different requirements before it is able to use the dataset.
The CSIS Act also requires CSIS to keep NSIRA apprised of certain dataset-related activities. Reports prepared following the handling of datasets are to be provided to NSIRA, under certain conditions and within reasonable timeframes. While CSIS is not required to advise NSIRA of judicial authorizations or ministerial approvals for the collection of Canadian and foreign datasets, CSIS has been proactively keeping NSIRA apprised of these activities.
While this new framework has provided opportunities to execute CSIS’s mandate to investigate threats, CSIS noted in its 2020 Public Annual Report that the current legislative framework is not without its challenges. NISRA is currently reviewing CSIS’s implementation of its dataset regime. The results of this review will inform Parliament’s review of the National Security Act, 2017.
Datasets evaluated by CSIS, approved or denied by the Federal Court or Intelligence Commissioner, and retained by CSIS, 2019 to 2021
2019 | 2020 | 2021 | |
Publicly available datasets | |||
Evaluated | 8 | 11 | 4 |
Retained | 8 | 11 | 215 |
Canadian datasets | |||
Evaluated | 10 | 0 | 2 |
Retained by CSIS | 0 | 0 | 016 |
Denied by the Federal Court | 0 | 0 | 0 |
Foreign datasets | |||
Evaluated | 8 | 0 | 0 |
Retained by CSIS | 0 | 1 | 117 |
Denied by Minister | 0 | 0 | 0 |
Denied by IntelligenceCommissioner | 0 | 0 | 0 |
Justification Framework
The National Security Act, 2017, also created a legal justification framework for CSIS’s intelligence collection operations. The framework establishes a limited justification for CSIS employees, and persons acting at their direction, to carry out activities that would otherwise constitute offences under Canadian law. CSIS’s Justification Framework is modelled on those already in place for Canadian law enforcement. The Justification Framework provides needed clarity to CSIS, and to Canadians, as to what CSIS may lawfully do in the course of its activities. It recognizes that it is in the public interest to ensure that CSIS employees can effectively carry out its intelligence collection duties and functions, including by engaging in otherwise unlawful acts or omissions, in the public interest and in accordance with the rule of law. The types of otherwise unlawful acts and omissions that are authorized by the Justification Framework are determined by the Minister and approved by the Intelligence Commissioner. There remain limitations to what activities can be undertaken, and nothing in the Justification Framework permits the commission of an act or omission that would infringe a right or freedom guaranteed by the Charter.
According to subsection 20.1 (2) of the CSIS Act, employees must be designated by the Minister of Public Safety in order to be covered under the Justification Framework while committing or directing an otherwise unlawful act or omission. Designated employees are CSIS employees who require the Justification Framework as a part of their duties and functions. Designated employees are justified in committing an act or omission themselves (commissions by employees) and they may direct another person to commit an act or omission (directions to commit) as a part of their duties and functions. NSIRA is currently reviewing CSIS’s implementation of the Justification Framework. The results of this review will inform Parliament’s review of the National Security Act, 2017.
Authorizations, commissions and directions under the Justification Framework, 2019 to 2021
2019 | 2020 | 2021 | |
Authorizations | 83 | 147 | 178 |
Commissions by employees | 17 | 39 | 51 |
Directions to commit | 32 | 84 | 116 |
Emergency designations | 0 | 0 | 0 |
Compliance
CSIS’s internal operational compliance program leads and manages overall compliance within CSIS. The objective of this unit is to promote a “culture of compliance” within CSIS by investing in information technology (IT) to support the process around warrants, designing an approach for reporting and assessing potential non-compliance incidents, embedding experts in operational branches to provide timely advice and guidance, and producing internal policies and procedures for employees. This program is the centre for processing all instances of potential non-compliance related to operational activities.
NSIRA’s knowledge of CSIS operational non-compliance and associated violations of the Charter is limited to what is contained in the CSIS Director’s Annual Report on Operations to the Minister of Public Safety. NSIRA notes with interest that CSIS reports Charter violations as operational non-compliance. NSIRA will continue to monitor closely instances of non- compliance that relate to Canadian law and the Charter, and to work with CSIS to improve transparency around these activities.
Non-compliance incidents processed by CSIS, 2019 to 2021
2019 | 2020 | 2021 | |
Processed compliance incidents19 | 53 | 99 | 85 |
Administrative | 53 | 64 | |
Operational | 4020 | 19 | 21 |
Canadian law | 1 | ||
Canadian Charter of Rights and Freedoms | 6 | ||
Warrant conditions | 6 | ||
CSIS governance | 8 |
CSIS review plan
In 2022, NSIRA is commencing or conducting five reviews exclusively focused on CSIS, one review focused on CSIS and CSE operational collaboration (See 2022 CSE review plan, below), one focused on threat management by CSIS and the RCMP of ideologically motivated violent extremism, and a number of interagency reviews that contain a CSIS component.
In addition to NSIRA’s three legally mandated reviews of the Security of Canada Information Disclosure Act, the Avoiding Complicity in Mistreatment by Foreign Entities Act and CSIS’s TRMs, NSIRA has initiated or is planning the following CSIS reviews:
Justification Framework |
This review will assess the implementation of CSIS’s new Justification Framework for activities that would otherwise be unlawful, authorized under the National Security Act, 2017. |
Datasets |
This review will examine the implementation of CSIS’s dataset regime following the coming into force of the National Security Act, 2017. |
CSIS Cover Program |
This review would be the first review of CSIS Cover Operations. It will survey the full range of CSIS cover activities and concentrate on building foundational knowledge to allow NSIRA to select specific activities for detailed review in future years. |
Ideologically Motivated Violent Extremism |
This is a joint CSIS-RCMP review of their respective and joint threat management of ideologically motivated violent extremism. The core of the review will be the interplay between CSIS and the RCMP in the context of ideologically motivatedviolent extremism, and an assessment of whether activities complied with the law, applicable ministerial directions, operational policies, and whether activitieswere necessary and reasonable. |
Beyond 2022, NSIRA intends to explore reviews of CSIS on topics including, but not limited to:
- the lifecycle of warranted information;
- CSIS’s section 16 mandate;
- “Strictly Necessary” retention policies; and
- CSIS’s Internal Compliance Framework.
Access to CSIS information
Throughout 2021, NSIRA faced differing levels of access and responsiveness in relation to CSIS. COVID-19 related restrictions resulted in considerable delays with receiving requested information and briefings and impeded direct access to NSIRA’s dedicated office space within CSIS Headquarters.
In response to NSIRA’s requests for information, CSIS was transparent in its ability to respond and communicate anticipated delays. When access and staffing levels were no longer restricted, CSIS responses to formal and informal requests related to the Study of Technical Capabilities and the TRM review were timely and complete, and briefings were well administered and provided the requested information.
As mentioned above, throughout 2021, NSIRA did not have consistent access to its dedicated office space within CSIS Headquarters, which is used by NSIRA review, legal and investigation staff. As a result, NSIRA’s direct access to CSIS’s information systems was notably limited. NSIRA was provided various temporary accommodations within CSIS headquarters during this time.
CSIS was able to continue to provide NSIRA members access to its regional offices across Canada throughout 2021, however. This access supported NSIRA members not based in the National Capital Region, whose work often requires secure facilities where they can safely and securely access information relevant to reviews and investigations. NSIRA greatly appreciates the willingness and efforts of CSIS and its regional colleagues in this regard.
2.2 Communications Security Establishment reviews
Overview
NSIRA has the mandate to review any activity conducted by CSE. NSIRA must also submit a classified annual report to the Minister of National Defence on CSE activities, including information related to CSE’s compliance with the law and applicable ministerial directions, and NSIRA’s assessment of the reasonableness and necessity of the exercise of CSE’s powers.
In 2021, NSIRA completed two reviews of CSE, and directed CSE to conduct one departmental study, all of which are summarized below. NSIRA also began five new reviews focused on CSE’s activities that are scheduled for completion in 2022 (see 2022 CSE Review Plan, below). Furthermore, CSE is implicated in other NSIRA multi-departmental reviews, such as the legally mandated annual reviews of the Security of Canada Information Disclosure Act (SCIDA) and the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA), the results of which are described below (see Multi-departmental Reviews).
Although the pandemic and other priorities precluded NSIRA from advancing its previous commitments to redacting, translating and publishing reviews of the former Office of the CSE Commissioner, NSIRA remains committed to releasing this material, resources permitting.
Review of CSE’s Governance of Active and Defensive Cyber Operations
The Communications Security Establishment Act (CSE Act) provides CSE with the authority to conduct active cyber operations (ACOs) and defensive cyber operations (DCOs). As defined by the CSE Act, an ACO is designed to “degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.” A DCO helps protect Canadian federal government systems, or systems deemed by the Minister of National Defence to be important to Canada against foreign cyber threats. ACOs and DCOs are authorized by ministerial authorizations and, due to the potential impact on Canadian foreign policy, require the Minister of Foreign Affairs to consent to an ACO ministerial authorization or be consulted on a DCO ministerial authorization.
In this review, NSIRA assessed the governance framework that guides the conduct of ACOs and DCOs, and whether CSE appropriately considered its legal obligations and the foreign policy impacts of operations. NSIRA analyzed policies and procedures, governance and operational documentation, and correspondence within and between CSE and GAC. The review scope included the earliest available materials pertaining to ACOs and DCOs and ended concurrently with the validity period of the first ACO and DCO ministerial authorizations (2019–2020).
NSIRA incorporated GAC into this review, given the role of the Minister of Foreign Affairs in the ACO and DCO governance structure. As a result, NSIRA gained an understanding of the governance and accountability structures in place for these activities by obtaining unique perspectives from the two departments on their respective roles and responsibilities.
The novelty of these powers required CSE to develop new mechanisms and processes while also considering new legal authorities and boundaries. NSIRA found that both CSE and GAC made considerable efforts in building the ACO and DCO governance structure. In this context, NSIRA has found that some aspects of the governance of ACOs and DCOs could be improved by making them more transparent and clearer.
Specifically, NSIRA found that CSE could improve the level of detail provided to all parties involved in the decision-making and governance of ACOs and DCOs, within documents such as the ministerial authorizations authorizing these activities and the operational plans that are in place to govern their execution. Additionally, NSIRA also identified several gaps that CSE and GAC need to address, and recommended improvements relating to:
- engaging other departments to ensure an operation’s alignment with broader
- Government of Canada priorities;
- demarcating an ACO from a pre-emptive DCO;
- assessing each operation’s compliance with international law; and
- communicating with each other any newly acquired information that is relevant to the risk level of an operation.
The gaps observed by NSIRA, if left unaddressed, could carry risks. For instance, the broad and generalized nature of the classes of activities, techniques and targets comprising ACOs and DCOs could capture unintended higher-risk activities and targets. Additionally, given the difference in the required engagement of GAC in ACOs and DCOs, misclassifying what is truly an ACO as a pre-emptive DCO could result in a heightened risk to Canada’s international relations through the insufficient engagement of GAC.
While this review focused on the governance structures at play in relation to ACOs and DCOs, of even greater importance is how these structures are implemented and followed in practice. NSIRA made several observations about the information contained within the governance documents developed to date and will subsequently assess how they are put into practice as part of NSIRA’s forthcoming review focused on the operations themselves.
Response to NSIRA’s recommendations
NSIRA’s recommendations and other details about this review are found in Annex D of this report.
Review of Information Sharing across Aspects of CSE’s Mandate
This review examined CSE’s legal authority for sharing information obtained in the course of one aspect of its mandate for the purposes of fulfilling another aspect of its mandate. Specifically, the review focused on internal information sharing within CSE between the foreign intelligence aspect and the cybersecurity and information assurance (cybersecurity) aspect of CSE’s mandate.
NSIRA examined whether CSE’s internal sharing of information relating to a Canadian or a person in Canada (IRTC) is consistent with the Privacy Act, which limits how collected personal information can be used by a federal institution, and the CSE Act, which applies to CSE’s incidental collection and use of IRTC. NSIRA concluded that from the descriptions of the aspects in sections 16 and 17 of the CSE Act, sometimes information acquired under one aspect can be used for the same, or a consistent purpose, as another. This would satisfy Privacy Act requirements for sharing information internally. However, this principle cannot simply be assumed to apply as the purposes of the aspects differ within the CSE Act. CSE must conduct case-by-case compliance analysis that considers the purpose of the collection and sharing.
NSIRA considers it necessary for the Chief of CSE’s application for a ministerial authorization to fully inform the Minister of National Defence of how IRTC might be used and analyzed by CSE, including the sharing of IRTC to another aspect, and for what purpose. With one exception, the Chief’s applications for the period of review appropriately informed the Minister that retained IRTC might be used to support a different aspect. Moreover, the foreign intelligence applications appropriately informed the Minister how CSE assessed “essentiality” for IRTC collected under the foreign intelligence aspect.
Under CSE policy, an assessment of IRTC’s relevance, essentiality or necessity to each aspect is required for sharing information across the aspects. CSE policy offers definitions and criteria for assessing and applying these thresholds to the information. NSIRA found that CSE’s policy framework with regards to the internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate is compliant with the CSE Act.
Response to NSIRA’s recommendations
NSIRA’s recommendations, CSE’s management response and other details about this review are found in Annex D of this report.
CSE Departmental Study on Disclosures of Canadian Identifying Information
Following a 2020 review of CSE’s disclosures of Canadian identifying information (CII),21 NSIRA concluded that CSE’s implementation of its disclosure regime under the National Defence Act may not have been in compliance with the Privacy Act. On November 25, 2020, following the release of the review, NSIRA submitted a compliance report to the Minister of National Defence. NSIRA was of the opinion that CSE, as the custodian of incidentally collected CII, has the responsibility to assure itself and to document that both a collection and disclosure authority exist before sharing it with third-party recipients. NSIRA then directed CSE to conduct a departmental study of its disclosure of CII from August 1, 2019, to March 1, 2021.
The purpose of the departmental study was to ensure that disclosures of CII conducted by CSE were conducted in a manner that complies with the CSE Act, and that all disclosures of CII were essential to international affairs, defence, security or cybersecurity.
CSE provided the completed departmental study to the Minister of National Defence on October 8, 2021, with a copy to NSIRA, on November 1, 2021. NSIRA is satisfied that CSE provided a complete accounting of its disclosure regime for the requested period of review and provided a report that meets the objectives detailed in NSIRA’s terms of reference. In doing so, CSE defined its process for assessing and disclosing CII requests to Government of Canada and foreign clients under the CSE Act while also providing an update on relevant changes that have been made to its disclosure regime based on NSIRA’s recommendations from the last CII review.
The production of the departmental study also provided an opportunity for CSE to review the CII disclosure regime from CSE’s own perspective. This process provides NSIRA with a clearer understanding of how CSE manages its program and evaluates its relevant legal authorities. In addition to contributing to NSIRA’s current understanding of CSE’s disclosure regime, the study will also assist in identifying avenues of inquiry for the planned follow-up review of CII scheduled for 2023.
Statistics
To achieve greater public accountability, NSIRA recommends that CSE publish statistics and data about public interest and compliance-related aspects of its activities. NSIRA is of the opinion that the following statistics will provide the public with information related to the scope and breadth of CSE operations, as well as display the evolution of activities from year to year.
Ministerial authorizations and ministerial orders
Ministerial authorizations are issued by the Minister of National Defence and authorize specific activities conducted by CSE pursuant to one of the aspects of the CSE mandate. The following table lists the ministerial authorizations issued between 2019 and 2021.
CSE ministerial authorizations, 2021
Type of ministerial authorization | Enabling section of the CSE Act | Number issued in 2019 | Number issued in 2020 | Number issued in 2021 |
Foreign intelligence | 26(1) | 3 | 3 | 3 |
Cybersecurity — federal and non- federal | 27(1) and27(2) | 2 | 1 | 2 |
Defensive cyber operations | 29(1) | 1 | 1 | 1 |
Active cyber operations | 30(1) | 1 | 1 | 2 |
Note: This table refers to ministerial authorizations that were issued in the given calendar years and may not necessarily reflect ministerial authorizations that were in effect at a given time. For example, if a ministerial authorization was issued in late 2020 and remained in effect in parts of 2021, it is counted above solely as a 2020 ministerial authorization.
Ministerial orders are issued by the Minister of National Defence and designate people or organizations with whom CSE can work and share information. For instance, a ministerial order designating non-federal information infrastructures as being of importance to the Government of Canada is required for CSE to carry out certain aspects of its cybersecurity and defensive cyber operations mandate. A ministerial order is also required to designate recipients of CII. The following table lists the three ministerial orders in effect in 2021.
CSE ministerial orders, 2021
Nameof ministerial order | In effect in 2021 | Enabling section of the CSE Act |
Designating electronic information and information infrastructures of importance to the Government of Canada | 1 | 21(1) |
Designating recipients of information relating to a Canadian or person in Canada acquired, used or analyzedunder the cybersecurity and information assurance aspects of the CSE mandate | 1 | 44(1) and45 |
Designating recipients of Canadian identifying information used, analyzed or retained under a foreign intelligence authorization pursuant to section45 of the CSE Act | 1 | 43 and 45 |
Foreign intelligence reporting
Pursuant to section 16 of the CSE Act, CSE is mandated to acquire information from or through the global information infrastructure, and to use, analyze and disseminate the information for the purpose of providing foreign intelligence in accordance with the Government of Canada’s intelligence priorities.
According to CSE, it released 3,050 foreign intelligence end-product reports to 1,627 clients across 28 departments or agencies of the Government of Canada in 2021.
Information relating to a Canadian or a person in Canada
As discussed in NSIRA’s Review of Information Sharing Across Aspects of CSE’s Mandate, IRTC includes information about Canadians or persons in Canada that may be incidentally collected by CSE while conducting foreign intelligence or cybersecurity activities under the authority of a ministerial authorization. According to CSE policy, IRTC is any information recognized as having reference to a Canadian or person in Canada, regardless of whether that information could be used to identify that Canadian or person in Canada.
CSE was asked to release statistics or data about the regularity with which IRTC or “Canadian-collected information” is included in CSE’s end-product reporting. CSE responded that “as this type of information has not previously been disclosed publicly, CSE is carrying out an injury assessment to determine if information can be provided for publication.” CSE subsequently advised that “The impact assessment for disclosure of information requested … is a longer-term endeavour that is unlikely to be resolved in time for the 2021 NSIRA public annual report. Please consider [CSE’s response] as ‘no releasable information’ for the purpose of this year’s report.”
Canadian identifying information
CSE is prohibited from directing its activities at Canadians or persons in Canada. However, given the nature of the global information infrastructure and CSE’s collection methodologies, such information may be incidentally acquired by CSE. When used in CSE foreign intelligence reporting, incidentally collected information potentially identifying a Canadian or a person in Canada is suppressed in order to protect the privacy of the individual(s) in question. CSE may release unsuppressed CII to designated recipients when the recipients have the legal authority and operational justification to receive it and when it is essential to international affairs, defence or security (including cybersecurity).
The following table shows the number of requests CSE received for disclosure of CII in 2021.
Number of requests for disclosure of Canadian identifying information, 2021.
Type of request | Number |
Government of Canada requests | 741 |
Five Eyes27 requests | 90 |
Non-Five Eyes requests | 0 |
Total | 831 |
CSE was also asked to release the number of instances where CII is suppressed in CSE foreign intelligence or cybersecurity reporting. CSE indicated that “as this type of information has not previously been disclosed publicly, CSE is carrying out an injury assessment to determine if information can be provided for publication.” CSE subsequently advised that “The impact assessment for disclosure of information requested … is a longer-term endeavour that is unlikely to be resolved in time for the 2021 NSIRA public annual report. Please consider [CSE’s response] as ‘no releasable information’ for the purpose of this year’s report.”
Privacy incidents and procedural errors
A privacy incident occurs when the privacy of a Canadian or a person in Canada is put at risk in a manner that runs counter to, or is not provided for, in CSE’s policies. CSE tracks such incidents via its Privacy Incidents File, Second-party Privacy Incidents File and Minor Procedural Errors File.
The following table show the number of privacy incidents and procedural errors CSE tracked in 2021.
CSE privacy incidents and procedural errors, 2021
Type of incident | Number |
Privacy incidents | 96 |
Second-party privacy incidents | 33 |
Minor procedural errors | 18 |
Cybersecurity and information assurance
Pursuant to section 17 of the CSE Act, CSE is mandated to provide advice, guidance and services to help protect electronic information and information infrastructures of federal institutions, as well as non-federal entities which are designated by the Minister as being of importance to the Government of Canada.
CSE was asked to release statistics or data characterizing CSE’s activities related to the cybersecurity and information assurance aspect of its mandate. CSE responded that:
- Generally, the Canadian Centre for Cyber Security does not comment on specific cyber security incidents, nor do we confirm businesses or critical infrastructure partners that we work with or provide statistics on the number of reported incidents. Statistics on cyber incidents, including cybercrime, are predicated upon victims coming forward, which is not an accurate reflection of the Canadian environment.
- CSE and its Canadian Centre for Cyber Security work every day to defend Government of Canada systems from cyber attacks. On any given day, CSE’s dynamic defence capabilities block up to seven billion reconnaissance scans on these systems.
Defensive and active cyber operations
Pursuant to section 18 of the CSE Act, CSE is mandated to conduct DCOs to help protect electronic information and information infrastructures of federal institutions, as well as non- federal entities that are designated by the Minister of Defence as being of importance to the Government of Canada from hostile cyber attacks.
Pursuant to section 19 of the CSE Act, CSE is mandated to conduct ACOs against foreign individuals, states, organizations or terrorist groups as they relate to international affairs, defence or security.
CSE was asked to release the number of DCOs and ACOs approved during 2021. CSE responded that it is “not in a position to provide this information for publication by NSIRA, as doing so would be injurious to Canada’s international relations, national defence and national security.”
Technical and operational assistance
As part of the assistance aspect of CSE’s mandate, CSE receives Requests for Assistance from Canadian law enforcement and security agencies, as well as from the DND/CAF.
The following table shows the number of requests for assistance CSE received and acted on in 2020 and 2021.
CSE requests for assistance received and acted on, 2020 and 2021
Requests for assistance | 2020 | 2021 |
Number received | 24 | 35 |
Number acted on | 23 | 32 |
2022 CSE review plan
In addition to NSIRA’s two legally mandated reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, both of which implicate CSE, NSIRA has initiated or is planning the following five reviews of CSE:
Review of CSE’s Internal Security Program (Safeguarding) |
This review will examine how CSE safeguards its employees, information and assets. It will explore the ways in which CSE mitigates internal security risks through inquiries and investigations, and in particular, the use of the polygraph as a tool in the security screening process. This review will alsoassess CSE’s compliance with Treasury Board security policies and directives, as well as the adequacy of, adherence to and effectiveness of CSE’s internal processes used to address potential or actual security incidents, violations and breaches of security. |
Review of Cybersecurity — Network-Based Solutions |
This will be NSIRA’s first review focused on the cybersecurity and information assurance aspect of CSE’s mandate. It will explore the use of a specific tool: Network Based Solutions as outlined within the cybersecurity ministerial authorization. |
Review of Active and Defensive Cyber Operations — Part 2 (Operations) |
This review is the continuation of NSIRA’s examination of CSE’s active and defensive cyber operations conducted prior to July 30, 2021. The first review focused on the internal policies and procedures governing CSE’s use of active and defensive cyber operations. This review builds on NSIRA’s previous work and will focus on the implementation of these governance structures in actual operations. |
Review of a Program under the Foreign Intelligence Mandate |
This is a review of a classified program under the foreign intelligence aspect of CSE’s mandate. Thisprogram is authorized by a ministerial authorization, which also sets out its parameters. |
Review of CSE-CSIS Operational Collaboration |
This review will examine operational collaboration between CSE and CSIS, both under the assistance aspect of CSE’s mandate, but also as it relates to joint operational activities coordinated between them under each agency’s respective mandates. |
Beyond 2022, NSIRA intends to review topics including, but not limited to:
- an annual compliance review of CSE;
- CSE’s signals intelligence(SIGINT) retention practices;
- a CSE collection program conducted under a ministerial authorization; and
- CSE’s Equities Management Framework.
Access to CSE information
In its 2020 Public Annual Report, NSIRA noted that it was seeking to formalize CSE’s provision of specific categories of information on a regular basis, such as ministerial authorizations, orders and directives, which would be used to ensure compliance of activities and to inform the conclusions NSIRA provides in the annual classified report to the Minister of National Defence. NSIRA will commence this review, called the annual compliance review of CSE, in 2022. NSIRA is pleased to report that CSE has already begun the process of providing the requested information.
NSIRA also previously reported that a lack of comprehensive and independently verifiable access to CSE’s information repositories posed a significant challenge to NSIRA’s ability to review CSE’s activities. In 2021, this challenge persisted.
In 2021, NSIRA sought to develop direct access to CSE information repositories, further to NSIRA’s “trust but verify” review model. With the exception of dedicated office space, which NSIRA continues to utilize at CSE’s Headquarters, NSIRA and CSE have been unable to achieve a workable trust-but-verify model for any reviews of CSE to date, despite several proposals for test cases brought forward by NSIRA throughout the year. NSIRA remains committed to developing a greater degree of verifiable access to CSE information so as to ensure the robustness of its findings and recommendations and, in turn, provide greater transparency of CSE activities to Parliament and the Canadian public.
In lieu of direct access to CSE information repositories, NSIRA has to rely on CSE External Review staff to collect relevant information held by CSE on its behalf. CSE External Review organizes briefings by subject matter experts, solicits responses to specific questions, and coordinates searches by CSE staff through information repositories for documents and other materials relevant to reviews. NSIRA recognizes the work of CSE External Review staff and thanks them for their contribution to the work of review.
However, reliance on CSE to locate, collate and curate information for NSIRA is not a proper long-term alternative to direct access. Currently, and on receipt of a request for information, CSE conducts a lengthy process to locate and collect information, followed by an internal review of this information to determine relevance prior to releasing materials to NSIRA. CSE’s predetermination of relevance of information undercuts NSIRA’s authority to decide whether information relates to its reviews and contributes to significant delays in the provision of information to NSIRA. Furthermore, this process creates a burden on CSE staff to coordinate responses to NSIRA’s information requirements. This workload could be substantially reduced by allowing NSIRA to conduct its own searches in CSE’s information repositories. Concurrently, it would serve as an element of verification that could strengthen NSIRA’s confidence in the completeness of information reviewed.
Beyond the issues related to limitations on NSIRA’s ability to trust but verify are ongoing concerns related to CSE’s responsiveness. As mentioned above, significant delays in the provision of information continued to pose a disruptive challenge to all NSIRA reviews of CSE activities in 2021. Although the COVID-19 pandemic interrupted life everywhere, it alone could not account for the extent of delays experienced during 2021. The timely provision of information required for a review not only facilitates the work of NSIRA, but is a legal requirement to which NSIRA expects CSE to adhere.
The sole exception to NSIRA’s right of access to information under the control of CSE is a confidence of the Queen’s Privy Council for Canada, otherwise known as a Cabinet confidence. Information subject to the Privacy Act, or any other act of Parliament, for that matter, as well as highly classified or Exceptionally Controlled Information (ECI) must be made available to NSIRA in a timely manner, when it relates to a review. This was not always the case in 2021.
In light of the ongoing challenges to NSIRA reviews of CSE activities, NSIRA continues to be of the opinion that the only mechanism to ensure a high degree of confidence, reliability and independence in its work is to have direct access to information relevant to its reviews. One important way by which CSE can continue to increase the level of transparency for its activities is to facilitate greater direct access for external review. For NSIRA to be able to conduct its work with a high degree of confidence, it must be able to verify the accuracy and completeness of the information on which it bases its findings and recommendations. NSIRA will continue to work with CSE to identify ways it can begin to implement additional elements of NSIRA’s trust but verify methodology in a more comprehensive and meaningful manner.
2.3 Other government departments
Overview
Beyond CSIS and CSE, NSIRA initiated reviews of the following departments and agencies in 2021:
- the Department of National Defence / Canadian Armed Forces (DND/CAF);
- the Royal Canadian Mounted Police (RCMP);
- Immigration, Refugees and Citizenship Canada (IRCC);
- the Canada Border Services Agency (CBSA); and
- Transport Canada.
As well, through the annual reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act, NSIRA has engaged with all departments and agencies that make up the Canadian national security and intelligence community.
The following sections outline reviews completed or initiated in 2021, by department or agency, as well as some planned future reviews.
Department of National Defence and the Canadian Armed Forces
Study of the Defence Intelligence Enterprise of the Department of National Defence and the Canadian Armed Forces
The purpose of this study was threefold. The primary objective focused on understanding the concept of the Defence Intelligence Enterprise (DIE), the umbrella under which DND/CAF conducts its intelligence activities. The second objective focused on developing an understanding of the compliance and oversight functions within the DIE, as well as the reporting of instances of non-compliance. Finally, the information gathered through the two primary objectives of this review provided NSIRA with prerequisite knowledge to help design future reviews.
Although comprising only a small percentage of the work of DND/CAF, the intelligence function is growing both in how DND/CAF perceives its importance, as well as in resource allocation. All of DND/CAF’s intelligence activities and structures fall within the DIE and without an understanding of this enterprise, NSIRA’s review plan would lack focus and organization. The DIE represents a large and complex structure with widely varied activities and functions. Successive reviews will build on NSIRA’s knowledge and experience, as well as developing the required expertise to proactively identify areas of future review. In addition, having a more complete understanding of the DIE will help NSIRA better situate DND/CAF in the broader security and intelligence community, so it can identify more opportunities for horizontal review activities.
This study also helped to highlight and identify some of the challenges NSIRA may face in reviewing DND/CAF moving forward. Notably, DND/CAF represents a large and complex structure with widely varied activities and functions. Reporting structures are complex. For example, DND senior management structures report directly to the Deputy Minister, CAF Commands report directly to the Chief of the Defence Staff, and some accountability structures require reporting to both. NSIRA also observed that information collection and storage procedures vary across the organization and that it has over 180 independent electronic repositories. The combination of these elements emphasizes the importance of maintaining strong working relationships with DND/CAF to help navigate access to timely information and assets. NSIRA is working closely with DND/CAF on how to overcome these challenges, including the possibility of providing detailed search strings and follow-up briefings to attest to the reliability, completeness and specificity of the provided documentation.
Review of the Canadian Forces National Counter-Intelligence Unit — Operational Collection and Privacy Practices
This review was a follow up to last year’s review of the Canadian Forces National Counter- Intelligence Unit (CFNCIU). This year’s review focused on how IT searches were used to support counter-intelligence investigations. NSIRA assessed whether IT searches and the collection of information in support of counter-intelligence investigations interfered with individuals’ reasonable expectation of privacy in the circumstances.
Over the course of the review, NSIRA identified three areas of concern tied to the requests for, and conduct of, counter-intelligence internal IT network searches. These are arranged under the following categories: (1) CFNCIU’s search of a subject’s email, internet and removable device activity; (2) the CFNCIU checklist used to identify and restrict search parameters, and how applicable stakeholders define search parameters; and (3) the use acquired information to expand supplementary searches.
NSIRA believes that DND employees and CAF members have a reasonable expectation of privacy when using work computers for personal use. CFNCIU requires the assistance of police or security agencies to obtain search warrants or technical intercept services, under Level II and Level III investigations. NSIRA found that CFNCIU may be inappropriately relying on DND/CAF policies as lawful authority to interfere with a subject’s reasonable expectation of privacy.
NSIRA observed that information obtained by CFNCIU via the checklist has the potential to capture intimate and personal information that touches on a subject’s biographical core. NSIRA found that the checklist risks capturing information that is protected by section 8 of the Charter. NSIRA also found that DND/CAF is applying a definition of metadata that captures information that could be subject to a reasonable expectation of privacy.
NSIRA observed that CFNCIU IT inquiries used broad search parameters, which may include information not relevant to the investigation. These parameters were applied as broad approvals with no specific internal controls or oversight at both the operational and working levels. Collection techniques, due in part to the limitations of IT audit tools and broad search parameters, resulted in a wide net being cast. NSIRA found that the investigative IT system practices observed in the context of CFNCIU’s counter-intelligence investigations have insufficient legal oversight to ensure that they are as minimally invasive as possible.
As a result of these findings, NSIRA recommended that DND/CAF suspend investigative IT system practices in the context of CFNCIU counter-intelligence investigations until a reasonable legal authority has been established. Once a reasonable legal authority has been established, DND/CAF should create a new policy framework that is reflective of the noted findings.
Response to NSIRA’s recommendations
NSIRA’s recommendations, DND/CAF’s management response and other details about this review are found in Annex D of this report.
Reviews planned or in progress
NSIRA has several reviews planned for DND/CAF and will conduct further work on two in 2022. The first one in progress is NSIRA’s review of DND/CAF’s human intelligence (HUMINT) program. This review will examine the entirety of the human source handling program used by DND/CAF.
Second, NSIRA is currently examining the domestic open-source collection activities of DND/CAF. More specifically, this review will take a closer look at legal authorities and the policy framework, program support and training, information and technology management systems, collection activities, intelligence production and dissemination, and oversight and accountability mechanisms.
Access to DND/CAF information
DND/CAF is the largest federal government department, both in terms of personnel (127,000 including regular and reserve forces) and number of physical locations occupied (42 in the National Capital Region alone). Given its domestic and international breadth, information collection and storage varies across the organization, with 180+ independent electronic repositories. NSIRA primarily accesses information through DND/CAF’s liaison body, the National Security and Intelligence Review and Oversight Coordination Secretariat (NSIROCS).
To help ensure that NSIRA receives timely and complete access to requested information, DND/CAF has formalized processes for responding to requests for information that includes a Level 1 (assistant deputy minister or equivalent) approval and attestation. Therefore, when NSIROCS receives a request for information, it coordinates with internal stakeholders to provide the requested information and submit it for Level 1 approval, after which the assistant deputy minister (or equivalent) provides a managerial attestation verifying the completeness and accuracy of the information provided.
NSIRA has also established direct access to specific DND/CAF IT systems for an ongoing review, and is working on a “proxy access” model for future reviews. Ultimately, the nature and scope of the review will dictate the access and verification model to be applied. NSIRA remains committed to working with NSIROCS to ensure that access and verification processes meet review requirements.
Royal Canadian Mounted Police
Reviews in progress or planned
NSIRA is currently working on three reviews focused exclusively on the RCMP. One of these reviews assesses the RCMP’s use of human sources in national security criminal investigations. Another review examines how the RCMP bypasses encryption when it intercepts private communications in national security criminal investigations. Lastly, NSIRA’S review of the Operational Research Unit of the RCMP will be examining the unit’s access to and use of security intelligence. The RCMP is also implicated in one multi- departmental review that is discussed below.
Access to RCMP information
NSIRA began reviewing the RCMP in 2020 and does not yet have direct access to the RCMP’s IT systems. The decentralized nature of the RCMP’s information holdings, COVID-19- related restrictions, and limitations resulting from other emergencies have resulted in delays in the RCMP providing NSIRA with requested information. NSIRA is committed to working with the RCMP’s National Security External Reviews and Compliance (NSERC) team to establish approaches for the timely provision of information.
In lieu of direct access to RCMP IT systems, NSIRA currently relies on the RCMP’s NSERC team to collect relevant information. NSIRA thanks the NSERC team for its contribution to the work of review but looks forward to working toward direct access to RCMP IT systems or alternate independent verification processes that provides NSIRA with independent confidence in the reliability and completeness of the information it has access to.
Canada Border Services Agency
In 2021, NSIRA completed its review of the Government of Canada’s use of biometrics in the border continuum that, while also examining IRCC and Transport Canada, had a strong CBSA component. The summary of this review can be found in the multi-departmental review section below.
NSIRA also made considerable progress on two CBSA -focused reviews. The first review is of air passenger targeting and examines the CBSA’s use of predictive analysis to identify inbound air travellers for further scrutiny in relation to national security threats. The second review assesses the CBSA’s use of confidential human sources, building on prior work in this area by National Security and Intelligence Committee of Parliamentarians.
Financial Transactions and Reports Analysis Centre of Canada
NSIRA is currently working on its first review of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). NSIRA will examine FINTRAC’s existing regime for sharing information with its domestic and international partners by looking at queries and disclosures to foreign financial intelligence units.
2.4 Multi-departmental reviews
Study of the Government of Canada’s Use of Biometrics in the Border Continuum
Biometrics play a fundamental role in the border continuum, which includes the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air. In the course of this review, NSIRA examined activities conducted by the CBSA, IRCC and Transport Canada. The review also extended to the RCMP, which plays a supporting role in one of the major IRCC-led programs using biometrics.
Biometrics are sensitive personal information. The identification of persons by virtue of their biological characteristics raises privacy and human rights concerns. There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. At the same time, identifying individuals entering the country — and consequently determining whether they have a right to enter, or what risks they might pose — serves a national security function. In this way, the use of biometrics requires an assessment of the balance between security and privacy.
The immediate objective of this review was to map the nature and scope of biometric activities occurring in this space. This included examining the collection, retention, use and disclosure of biometric information, as well as the legal authorities under which these activities occur. This review also considered the reasonableness and necessity of these activities, studying the accuracy and reliability of biometrics.
This review identified a set of observations linked to nine overarching themes:
- Biometrics and national security. The centrality of national security as a justification for biometric activities has waned over time relative to other objectives, such as identity management and traveller facilitation. This makes it challenging to assess biometric activities in general as national security activities. Future NSIRA reviews may focus more narrowly on biometric activities that directly engage national security.
- The steady-state activities. The steady-state biometric activities in the border continuum are generally well-supported by current legal authorities and are consistent with international practice.
- Expanding use of biometrics over time. The use of biometrics in the border continuum has significantly expanded over the last three decades and is likely to continue expanding in the future. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for particular, intended objectives.
- Pilot projects. Pilot projects and initiatives raise more concerns than do steady-state activities, as they risk being implemented without sufficient legal analysis or policy development. Despite the temporary or experimental nature of a project, NSIRA expects that departments will conduct the analysis necessary to ensure that legal authority is in place for the conduct of the activity, and that the attendant collection, use, retention and disclosure of personal information is well-governed by policy.
- Evolving legal and societal norms. The public debate surrounding legal authorities questions whether existing standards and protections are sufficient for regulating biometric activities or whether new standards and protections are required. The border is, comparatively, a space in which greater intrusiveness is considered reasonable — but the boundaries of those justifications are not limitless, and will require careful calibration moving forward.
- The dual use of biometrics. NSIRA observed several instances of possible dual use of biometric information in the activities examined in this report. Even where new uses of biometrics offer demonstrable benefits, new uses must be carefully considered to ensure their reasonableness and proportionality. In addition, all new uses must be justified and well-authorized in law. The principle of “purpose limitation” may be a way of guarding against dual use in the context of biometric activities.
- Technical systems. There is significant overlap between the technical systems and databases used across the steady-state biometric activities. The overall architecture of the systems is complex, though not necessarily problematic.
- Visibility into algorithms. Departments and agencies have limited ability to see how the algorithms they use for biometric analysis operate. Each department and agency did, however, demonstrate that performance metrics are known and tested, and that custom thresholds are used when appropriate.
- Preventing bias and discrimination. IRCC and the CBSA have conducted preliminary analyses to explore how their biometric activities may impact diverse groups of people, though the implementation of possible mitigation strategies was not always apparent. In some contexts, technological advancements have helped to reduce, but not eliminate, differential impacts. More work remains in terms of mitigating differential impacts on segments of the population. At the same time, the departments and agencies under review have demonstrated their awareness of possible systemic inequalities and their commitment to addressing them.
Public debate about the government’s application of biometric technology will continue to evolve, driving change in the legal and regulatory frameworks associated with such activities. As such, continued scrutiny from NSIRA is warranted, particularly in those instances where the collection and use of biometric information is justified by explicit reference to national security outcomes.
Review of Federal Institutions’ Disclosures of Information under the Security of Canada Information Disclosure Act in 2020
In November 2021, NSIRA and the Office of the Privacy Commissioner of Canada (OPC) completed a joint review of the 215 disclosures made under the Security of Canada Information Disclosure Act (SCIDA) in 2020 — NSIRA’s first joint review with another review body.
SCIDA encourages and facilitates the sharing, or disclosure, of information within the federal government to protect against activities that undermine or threaten national security, subject to certain conditions. SCIDA permits disclosures of information where the disclosing federal institution satisfies itself that the information will contribute to the exercise of the recipient federal institution’s jurisdiction or responsibilities in respect of activities that undermine the security of Canada, and will not affect any person’s privacy interest more than is reasonably necessary. This is called the disclosure test.
The review found that 212 of the 215 disclosures (approximately 99%) appeared to meet both parts of the disclosure test. In the remaining three disclosures, the information appeared speculative, with no clear connection to activities that undermine the security of Canada. All three of the disclosures of concern were proactive disclosures by the RCMP. Of particular interest was the RCMP’s disclosure of the identities and biometric information about approximately 2,900 individuals to the CAF. NSI RA and the OPC recommended that the RCMP update its policies and practices to support compliance with the disclosure test, that the institution that received the disclosure of concern from the RCMP delete or return the information unless they can demonstrate a valid reason not to,and that any institution disclosing personal information about a large number of individuals (bulk disclosure) exercise heightened due diligence.
The records reviewed also highlighted one case of a verbal disclosure made to CSIS months prior to a formal SCIDA disclosure and without an apparent source of legal authority. NSIRA and the OPC recommended that institutions with national security expertise ensure that when they request personal information for national security purposes from other federal institutions, they make it clear that their request, in and of itself, does not constitute or confer authority on the other institution to disclose personal information.
Based on CSE’s and IRCC’s information-sharing patterns under SCIDA, NSIRA and the OPC recommended that these two institutions enter into an information-sharing arrangement, and that GAC and CSIS update their information-sharing arrangement to incorporate SCIDA’s guiding principles.
Finally, the review examined the federal government’s SCIDA policies. The review found that Public Safety Canada developed a SCIDA guide for federal institutions, led an interdepartmental working group, and provided training that included all 17 of the federal institutions listed in SCIDA. The review also found that 16 of the 17 federal institutions listed in SCIDA — the exception being the Canadian Food Inspection Agency — have policies to support compliance with SCIDA. NSIRA and the OPC recommended that the Canadian Food Inspection Agency develop a similar framework to implement a SCIDA policy.
Response to NSIRA’s recommendations
NSIRA’s recommendations, the management response of reviewees and other details about this review are found in Annex D of this report.
Review of Departmental Implementation of the Avoiding Complicity in Mistreatment by Foreign Entities Act for 2020
The Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA) and directions issued according to the ACA seek to prevent the mistreatment of any individual as a result of information exchanged between a department of the Government of Canada and a foreign entity. At the heart of the directions is the consideration of substantial risk, and whether that risk, if present, can be mitigated. To do this, the ACA and the directions lay out a series of requirements that need to be met or implemented when handling information.
This review covered the implementation of the directions sent to 12 departments and agencies from January 1, 2020, to the end of the calendar year, December 31, 2020. It was conducted under subsection 8(2.2) of the NSIRA Act, which requires NSIRA to review, each calendar year, the implementation of all directions issued under the ACA.
This was the first ACA review to cover a full calendar year. Many of the reviewed departments noted that the COVID-19 pandemic impacted their information-sharing activities, such as the number of cases requiring further review as per the ACA. As such, NSIRA found that from January 1, 2020, to December 31, 2020, no cases under the ACA were issued to deputy heads in any department.
While NSIRA was pleased with the considerable efforts made by many departments new to the ACA in building their frameworks, the CBSA and Public Safety Canada had not finalized their policy frameworks in support of the directions received under the ACA within the review period.
Mitigation measures used by departments were also reviewed this time, since they are an integral part in the information-sharing process for departments.
NSIRA believes that it is now in a position to conduct in-depth case study assessments of individual departments’ adherence to the ACA and directions, irrespective of whether a department reported any cases to its deputy head. Finally, future reviews will follow up on the ongoing implementation of NSIRA’s past recommendations.
Reviews planned or in progress
In the future, NSIRA intends to continue to take advantage of its mandate to “review any activity carried out by a department that relates to national security or intelligence” by pursuing more multi-departmental reviews and avoiding examinations in siloes. In addition to the mandated annual SCIDA and ACA reviews, NSIRA plans to work on two more reviews involving multiple departments. The first one is a review of how CSIS and the RCMP manage threats posed by ideologically motivated violent extremism. The second review will study the relationship between CSE and CSIS on operational activities.
2.5 Technology in review
Integration of technology in review
Traditionally associated with the systems and software responsible for the administrative support of an organization, IT plays an increasingly large role in the operational activities of Canada’s national security and intelligence community. By taking advantage of rapid advances in cutting-edge technologies, Canada’s security and intelligence community is operationalizing advancements in technology to a degree greater than ever before. Modern national security and intelligence agencies must not only use new technologies to enhance their respective mandates, but they also do so to keep abreast of new opportunities, as well as new threats.
These advancements happen quickly, are complex and are often unique to each institution. Furthermore, emerging technologies, while ostensibly developed for one purpose, often have unforeseen implications on civil liberties and privacy, especially when used in an intelligence or security capacity. It is essential for an accountability body like NSIRA to keep pace with the use of developing technologies in Canada’s national security and intelligence community to ensure that the organizations it is responsible to review are discharging their mandates lawfully, reasonably and appropriately.
The vision for NSIRA’s Technology Directorate is to enhance the review landscape to incorporate an appropriate focus on the use and implementation of technology by security and intelligence agencies in Canada. By extending its reach into the practical applications of technology, and by entrusting this new focus to an in-house team of engineers, computer scientists and experienced review professionals, NSIRA will be well placed to ensure that the departments and agencies are held accountable for the decisions they make in leveraging the various aspects of emerging technology.
The development of this capacity at NSIRA will also provide a unique opportunity to build a review model that will put us on equal footing within the Five Eyes and the international review community. Without dedicated in-house technology expertise, NSIRA’s work will not stay current with contemporary national security legal and compliance risks or issues.
To that effect, NSIRA’s Technology Directorate will:
- lead the review of IT systems and cutting-edge technical advancements;
- conduct independent technical investigations;
- support assigned NSIRA members in the investigation of complaints against CSIS, CSE or the RCMP requiring technological expertise to assess the evidence;
- produce reports explaining and interpreting sophisticated technical subjects;
- assess the risk of a reviewed entity’s IT compliance with applicable laws and policy;
- recommend IT system and data safeguards to minimize the risk of legal non- compliance;
- lead the integration of technology themes into yearly NSIRA review plans; and leverage external expertise in the understanding and assessment of IT risks.
Future of technology in review
In 2022, NSIRA will continue to increase the number of employees working in the Technology Directorate as it takes an increasingly active and significant role. It will also lead the first technology-focused reviews of the lifecycle of CSIS information collected by technical capabilities pursuant to a Federal Court warrant. NSIRA is also scheduled to review CSE’s SIGINT retention practices in 2023.
In terms of important considerations for ongoing reviews, NSIRA Technology Directorate has identified the following three technology-related topics as priorities for consideration:
- dual-use technologies;
- data warehousing, bulk data and data analytics; and
- automated decision-making.
As Canada’s security and intelligence community continues to grow its technical collection and analytic capacity, NSIRA must develop its own expertise in technical review in tandem. Over the next year, NSIRA intends to establish domestic and international partnerships and develop working relationships with academics, civil society and commercial leaders to ensure key technological issues factor into its approaches. NSIRA’s Technology Directorate will also support the NSIRA complaint investigations team to understand where and when technology advancements could be applied to NSIRA investigations.
2.6 Review policies and processes
Method for assessing timeliness
Guidelines for assessing timeliness in reviews
To ensure greater accountability and predictability, NSIRA will be using the following guidelines to assess the timeliness of reviewee responses to requests for information (RFIs) during the review process, and will comment both privately and publicly on the outcomes. Notably, NSIRA’s annual report will track timeliness each year. These guidelines provide clear, standardized expectations on this important aspect of the review process.
Standard request for information (RFI) timelines
Much of the information requested by NSIRA falls into two categories: “off-the-shelf,” readily available material, and material requiring additional work to compile. Off-the-shelf material may include items such as policy documents, ministerial directives, operational policies, legal opinions and standard operating procedures. Information that requires additional work to compile may include things such as material that requires data manipulation or explanations and material in certain specialized databases and emails. RFIs will clearly state which type of material they pertain to, and standard timelines of 15 or 30 days, respectively, will be provided for responses.
Non-standard RFI timelines
NSIRA may deem it necessary to provide longer response times for information requests, for example, when the review covers new subject matter, the request is expected to return a large amount of information or documentation, or the reviewee has other ongoing reviews or other operational considerations. Non-standard timelines are at NSIRA’s discretion and will be applied based on the judgment of the review team.
NSIRA recognizes that extraordinary factors and extenuating circumstances may affect responses to requests for information and documentation. To accommodate this, reviewees may present, with significant justification, an alternative RFI timeline to the one originally provided. This should be done on receipt and review of the request, if possible. The decision to grant an extension is made by the NSIRA review team, and other arrangements, such as providing the requested information in tranches, can be considered. Regardless, RFI’s will always have an associated response timeline attached to them. This timeline will determine whether subsequent remedial steps are required.
Remedial steps
NSIRA will implement a three-stage approach to engage reviewees when no response is received to an RFI within the associated timeline. When a deadline is missed with no satisfactory response, NSIRA will escalate its concerns progressively by sending a series of letters to the assistant deputy minister, deputy minister and, finally, the responsible minister.
The letters will be attached as an annex to the related review and will inform an overall assessment of timeliness of the reviewee in NSIRA’s public annual report. The above guidelines will also be reviewed annually and may be updated based on the outcome of their ongoing implementation to ensure they meet their objectives.
Implementation of recommendations
The key outcomes of the work flowing from NSIRA’s review mandate are typically captured and distilled in the recommendations NSIRA provides based on its findings. In most NSIRA reviews completed since its inception, NSIRA has issued recommendations to the departments and agencies under review. In turn, reviewees have provided responses to these recommendations, which may include a plan for implementation. With a little over two years since recommendations for the first NSIRA reviews were issued, NSIRA believes enough time has elapsed to begin seeing the results of the implementation of these recommendations reflected in reviewees’ activities and policies. Therefore, NSIRA will begin considering the most appropriate means to track and evaluate the implementation of the recommendations issued in past reviews.
NSIRA will discuss with agencies and departments that were reviewed how to evaluate the implementation of past recommendations. For example, if issues and challenges remain unaddressed, NSIRA may initiate follow-up reviews. NSIRA’s public annual report may also raise issues in the implementation of recommendations as needed.
Verification
As noted above, verification is a fundamental component of credible and professional independent review. NSIRA must be able to test the completeness or accuracy of information it may receive as a matter of course during every review. This component is key to NSIRA’s ability to assure its stakeholders that it has confidence in the information it receives during a review, and thereby in the findings and conclusions of the review.
During a review, NSIRA is entitled to receive all information it deems relevant, except for Cabinet confidences. This feature of the NSIRA Act is critical for the success of NSIRA’s mandate. For NSIRA to assure Parliament and Canadians that it has a high level of confidence in the information it receives, departments and agencies under review are expected to support processes that satisfy NSIRA’s requirement to independently verify the completeness and accuracy of information provided by the department or agency. For example:
- provide NSIRA, in support of each review, an index of documents provided, and an indication as to whether any information has been altered or removed and why; and
- include a record of how searches of information are conducted, including which search terms were used, and which databases were queried.
Reviewees should always expect an element of verification as a regular part of each review. In keeping with its commitment to transparency and methodological rigour, NSIRA reviews now contain a “confidence statement.” This statement reflects NSIRA’s ability to verify information during a review. The confidence statement also provides important additional context to the review, apprising readers of the extent to which NSIRA has been able to verify necessary or relevant information during the review, and whether its confidence was impacted as a result of this exercise.
Complaints investigations
3.1 Overview
In the course of the year, NSIRA continued to adapt in conducting its complaints investigations by using innovative approaches. This included the use of videoconference technology for its hearings and investigative interviews, as well as finding procedural efficiencies such as proceeding with some investigations in writing. In part due to challenges inherent to the COVID-19 pandemic, NSIRA experienced delays in its investigations stemming from reduced responsiveness in accessing information and evidence. Annex E contains statistics for NSIRA’s complaints investigations in 2021.
Advancing the investigations and obtaining evidence presented issues for both NSIRA and the federal government parties to investigations that were obligated to provide information to NSIRA. In several ongoing matters, NSIRA granted adjournments and extensions of deadlines for procedural steps, including the filing of submissions and evidentiary material. In addition to pandemic-related delays, NSIRA notes that federal government parties to investigations cited other reasons for their requests for extensions of deadlines to file material, such as issues related to availability of witnesses and shortage of resources. Furthermore, NSIRA had to ask for additional information in response to incomplete initial disclosures in more than one investigation, which also created delays.
As to NSIRA’s investigation caseload in 2021, NSIRA dealt with a continued substantial increase in its inventory of cases. This increase resulted from 58 complaints referred in April 2021 to NSIRA for investigation by the Canadian Human Rights Commission, pursuant to subsection 45(2) of the Canadian Human Rights Act. This high-volume caseload has impacted NSIRA’s overall management of its cases.
NSIRA has also been focusing on strengthening its program delivery by working on strategies for the collection, analysis and use of race-based and demographic data in the context of the complaints investigation process. Working closely with its partner, the Civilian Review and Complaints Commission for the RCMP, NSIRA has been developing strategies of common interest in improving procedures to take into account considerations of diversity and inclusion. The specific objective is to improve access to justice by improving awareness and understanding of the investigation process. The intent is also to document the different racial groups among civilian complainants and determine:
- whether there are significant racial disparities;
- whether there are racial differences with respect to the types of complaints made against national security organization members based on different groups;
- the frequency of complaints that include allegations of racial or other forms of bias; and
- whether complaint investigation outcomes vary by racial group.
Looking to the year ahead, NSIRA will analyze procedural data with respect to the timelines of its investigations in order to inform the establishment of new service standards, continuing its efforts to ensure efficiency and transparency in the process. NSIRA is mindful that service standards are based on time commitments in normal circumstances. As the public health situation with respect to the COVID-19 pandemic continues to improve, NSIRA looks forward to the cooperation of federal government parties in increasing their responsiveness to advance investigations. In light of NSIRA’s objective of developing service standards, it will be adopting a measured approach to requests for adjournments and extensions of deadlines, which will be permitted in exceptional circumstances. Also for the year ahead, NSIRA will continue to improve its website to promote accessibility to and relevance of processes in the investigation of complaints.
3.2 Status of complaints investigation process reform
In 2021, NSIRA completed its investigation process reform initiative after a complex consultation with multiple stakeholders. In July 2021, NSIRA launched its new process that included the implementation of its new rules of procedure, aiming to provide greater accessibility as well as greater efficiency in NSIRA’s investigation mandate. Investigations under this new model show early signs of efficiency in that NSIRA has set timelier dates for the conduct of investigative interviews.
3.3 Investigations
Final report summaries
Investigation Concerning Allegations Against the Canadian Security Intelligence Service (1500-516)
Background
The Complainant filed a complaint against the Canadian Security Intelligence Service (CSIS) regarding its involvement in different incidents with airport authorities while the Complainant was travelling.
In addition, the Complainant alleged harassment, possible interference with employment opportunities, interference with a passport application, intercepting and reviewing mail, and disrupting personal relationships.
Investigation
During the investigation, the Complainant raised several separate incidents that led to the filing of their complaint. NSIRA reviewed the evidence before it to determine whether CSIS’s actions were reasonable and proportionate in the circumstances; whether CSIS’s actions constituted harassment; and whether it had acted lawfully.
NSIRA considered the evidence given by witnesses, the documentation submitted by the parties, as well as other relevant material made available during the course of the investigation of the complaint. NSIRA also heard evidence provided by the Complainant.
With respect to one specific incident in dealing with airport authorities while travelling, NSIRA heard evidence by witnesses regarding section 8 of the Canadian Charter of Rights and Freedoms (Charter). Section 8 of the Charter provides that everyone has the right to be secure against unreasonable search and seizure.
Conclusion
With respect to all allegations, NSIRA determined that the complaint is unsupported. However, concerning events related to CSIS participating in a Canada Border Services Agency search of the Complainant’s cell phone at an airport on one occasion, NSIRA found that CSIS breached section 8 of the Charter.
NSIRA concluded that CSIS did not take the Complainant’s privacy interests casually and did not deliberately disregard privacy considerations in relation to the search. The breach of section 8 of the Charter was not egregious and constituted an error in judgment.
Reopened Investigation Concerning Allegations Against the Canadian Security Intelligence Service (1500-471)
Background
NSIRA issued a supplemental final report resulting from a reopened investigation that was concluded by its predecessor, the Security Intelligence Review Committee (SIRC).
The Complainant alleged that CSIS had violated his constitutional rights due to his race and religion as well as his refusal to work as a human source. He further alleged that CSIS agents were harassing him by stopping him in airports and following him. Lastly, the Complainant alleged that CSIS had disclosed false information to a foreign entity, which resulted in him being held for eight hours without food in a foreign country’s airport.
In SIRC’s final report, SIRC concluded that the Complainant’s allegations of discrimination and harassment were unsupported. SIRC also concluded that the actions of CSIS officials had violated section 12 of the CSIS Act, ministerial directions, policies and operational procedures, and that these actions resulted in adverse consequences for the Complainant.
NSIRA’s reopened investigation was strictly limited to two questions of law: (1) whether the reasonable grounds to suspect standard under section 12 of the CSIS Act must be met when CSIS makes initial inquiries of its operational holdings; and (2) whether CSIS was required to obtain an individual targeting authority against the Complainant.
Investigation
The investigation of the reopening was deemed to be continued before NSIRA pursuant to subsection 11(1) of the National Security Act. NSIRA considered the documentation submitted by the parties, including classified submissions and documents filed by CSIS. NSIRA also considered the submissions filed by the Complainant as well as any other relevant material made available during the course of the investigation of this reopening.
With respect to whether the reasonable grounds to suspect standard under section 12 of the CSIS Act must be met when CSIS makes initial inquiries of its operational holdings, CSIS conceded during the investigation that it requires reasonable grounds to suspect that activities constitute a threat to the security of Canada, as described in section 2 of the CSIS Act, to conduct such initial inquiries of its operational holdings.
On the facts of this case, NSIRA determined that SIRC had correctly found that CSIS did not possess objective facts about activities that met the requisite reasonable grounds to suspect standard.
With regard to whether CSIS was required to obtain an individual targeting authority against the Complainant, NSIRA concluded that SIRC’s findings of fact regarding the extent and manner in which CSIS investigated the Complainant would not be revisited by NSIRA. NSIRA found that SIRC’s conclusion that there is a point in the CSIS investigation where CSIS agents were specifically investigating the activities of the Complainant was unequivocal, and, therefore, it was clear that CSIS should have obtained an individual targeting authority against him, yet failed to do so.
Conclusion
NSIRA determined that SIRC’s report and the findings were affirmed.
Conclusion
In 2021, NSIRA delivered on its mandate by completing reviews on a wide array of federal departments and agencies involved in national security and intelligence activities. Similarly, despite the challenges of the COVID-19 pandemic for complaints investigation proceedings and a large increase in its workload, NSIRA adapted its methods and continued its efforts to improve its program delivery.
NSIRA aims to increase its capacity to review technology and its practical use in national security and intelligence activities. The ongoing growth in NSIRA’s staff complement will also help the organization review a greater variety of national security and intelligence activities and continue to progress in its investigation of a large number of complaints.
NSIRA remains committed to engage with non-government stakeholders. NSIRA took note of feedback on its prior annual report and will continue to aim to improve its usefulness.
Once again, NSIRA members are very grateful for the excellent work of the Secretariat staff and their dedication to the organization’s mission of promoting greater accountability in the Canadian security and intelligence community and improving the confidence of Canadians in their oversight institutions.