GAC Minister letter to NSIRA To Follow

Executive Summary

This review focused on Global Affairs Canada’s (GAC) Global Security Reporting Program (GSRP, or the Program). The review was selected given that the GSRP is a key component to GAC’s security and intelligence footprint overseas, with approximately thirty officers posted around the world dedicated and funded to collect overt security-related information. GSRP clients have reported that the Program is both unique and valuable to the Government of Canada. This review is the first external review of GSRP and NSIRA’s inaugural review of GAC.

Many of the receiving states where GSRP officers work have poor human rights records and/or are environments where surveillance of foreigners and citizens is commonplace. As such, receiving state perceptions of GSRP activities have direct implications on reputational risk to Canada and its allies, to other Canadian departments and agencies (like the Canadian Security Intelligence Service (CSIS), for example), to GSRP officers, and finally, on the local contacts used to help collect the Program’s information.

The review found a number of areas where the Program can improve, including more robust governance and accountability structures, additional oversight and attention to information management best practices.

More significantly, the review found that although the GSRP operates under the Vienna Convention on Diplomatic Relations (VCDR), it does so without legal guidance assessing the activities of the Program. Likewise, GSRP officers do not receive adequate training regarding their legal obligations. In particular, the activities of certain GSRP officers abroad raised concern that some activities may not be in accordance with the duties and functions under the VCDR.

Although GSRP officers rely on the VCDR as a shield for their actions, some officers did not appear to appreciate the limitations of this immunity nor understand the true scope of their duties and functions. In addition, it was not clear if all officers understood that once they are no longer afforded diplomatic immunity, a receiving state may seek retaliatory measures against them. The review found an absence of risk assessments, security protocols, and legal guidance specific to the increased scrutiny that GSRP officers may attract due to the nature of their reporting priorities.

As government partners overseas, CSIS and GSRP frequently interact with each other, with overlap between their respective mandates. Deconfliction between CSIS and GAC at Mission and Headquarters is insufficient, which results in inconsistent governance [redacted].

The review also found that the Program does not have appropriate safeguards in place regarding the safety of contacts overseas. Although most interactions between officers and contacts are innocuous, the Program does not appear to appreciate the associated risks of these exchanges. Significantly, the review identified some possible concerns related to how Canadian identity information is managed, and therefore recommended that GAC conduct a privacy impact assessment of the Program.

The creation of a foreign intelligence entity within GAC, or the allowance of mission creep by the GSRP into covert collection would run against the principles of the VCDR. Therefore, NSIRA believes it is important that the Government consider the implications stemming from this review and decide on the most appropriate means of collecting this kind of information. NSIRA acknowledges that this is a topic that goes beyond our remit, and therefore may require consideration by the National Security and Intelligence Committee of Parliamentarians. We intend to share this review with our review counterpart in order to commence such deliberations.

Authorities

This review was conducted under the authority of subsections 8(1)(a) and 8(1)(b) of the National Security and Intelligence Review Agency Act.

Introduction

Global Affairs Canada’s (GAC) Global Security Reporting Program (GSRP) collects and disseminates information in support of Canada’s intelligence priorities. As the program has matured during its nearly twenty years of existence, GSRP products have received attention from Government of Canada (GoC) departments and agencies, as well as allied nations.

This was the National Security and Intelligence Review Agency’s (NSIRA) first standalone review of GAC. As such, NSIRA familiarized itself with GAC’s mandate, policies, and legal authorities while simultaneously reviewing the GSRP as a unique and complex program.

NSIRA assessed whether GSRP activities were conducted in accordance with the law, relevant policies and procedures, and whether the activities were reasonable and necessary. Additionally, NSIRA examined whether the Program’s policies and procedures were sufficiently comprehensive to support overseas activities.

The core review period for this study was from January 1, 2017, to December 31, 2019; however, NSIRA reviewed information outside of this period in order to conduct a complete assessment. NSIRA also examined a significant sample of GSRP Missions that provided diverse perspectives on the nature and scope of the Program’s activities.

Given the unique circumstances of NSIRA’s recent establishment and the various logistical and procedural challenges associated with this transition, this review was only possible with the support of GAC staff, especially those within its External Review Liaison Unit. Additionally, NSIRA thanks CSIS and its External Review and Compliance team for its help in facilitating this review. This report was scheduled to be completed in the summer of 2020, but was delayed due to the COVID-19 pandemic that began when the review was in its initial scoping stages.

History of the GSRP

During the Cold War, security reporting was integrated into political reporting by Canadian diplomats abroad. The Canadian security and intelligence (S&I) community largely relied on this foreign security reporting to meet its information needs. Following the end of the Cold War, security reporting was no longer routinely incorporated into political reporting by Canadian diplomats. The change was reflective of:

“an evolving world order, in which different, non-traditional security challenges arose; new and changing national and departmental priorities; the loss of subject matter expertise as diplomats and managers both moved on and retired; and significant public service cuts and budget restraints in the 1990s influenced GAC activities and priorities.”

GSRP was created soon after the events of 9/11. The contemporary Program has a unit of approximately 30 diplomatic personnel dedicated to overt single-source reporting — from a network of primarily “non-traditional” contacts — on issues pertinent to the Canadian security, intelligence, defence, and foreign policy community. GSRP officers (or officers) operate within and outside of host country capitals and regularly travel to areas less frequented by most diplomats. Since 2009, these reports (which inform both Canadian and allied decision-makers) have been anchored in the GoC intelligence priorities.

GSRP officers report to the Intelligence Assessments and Reporting Division (INA) under the Intelligence Bureau, which falls under the ADM of International Security and Political Affairs. The GSRP adheres to a matrix management structure: at mission, GSRP officers report to the Foreign Policy and Diplomacy Service (FPDS) manager or Head of Mission (HoM), while GSRP Headquarters (HQ) primarily determines officer collection priorities. In addition, GSRP HQ defines the expectations for the Program.

Findings and recommendations

Utility of GSRP

The GSRP is the only Canadian diplomatic program that is dedicated and funded to collect overt security-related information. GSRP functions as a fenced resource wherein the majority of an officer’s time (90%) is devoted to the production of single-source reports. No other GAC program devotes similar resource allocation to “pure collection”.

GSRP’s clients repeatedly stated that the reports provide pertinent information consistent with their department/agency’s collection requirements. Specifically, GSRP reporting provides “on-the-ground” perspectives from a diverse group of individuals, which is unique in comparison to other GoC collection streams. Recipients mentioned the reports provide useful information on broader threats and trends in areas of emerging interest.

Clients reported that one of the greatest assets of the GSRP is the priority placed on language training. This includes, in some cases, over a year of training, including immersive in-country exposure. GSRP clients have noted that language fluency is a key value of the Program.

Moreover, clients commended the Program’s ability to rapidly deploy officers to cover a specific area, event, or issue that is of significant value to the GoC. Despite these benefits, review of GSRP documentation indicates the need for improved product feedback mechanisms to help determine whether reports meet client needs.

Duties and Functions under the Vienna Convention on Diplomatic Relations

The lawful functions of a diplomatic mission and the duties owed by diplomats who enjoy privileges and immunities in a receiving state are articulated in the Vienna Convention on Diplomatic Relations (VCDR). The VCDR is generally accepted as a codification of diplomatic law, rules and practices under customary international law. According to GAC, the GSRP falls within the functions of a diplomatic mission, as listed in Article 3 of the VCDR. As outlined under Article 3(1)(d), it forms part of the function of a diplomatic mission to ascertain, by all lawful means, the conditions and developments in the host state and report on them to the government of the sending state. Article 3(1)(d) specifically requires diplomatic reporting to be “by lawful means.”

Under Article 41(1) of the VCDR, it is the duty of diplomats exercising the functions listed under Article 3 and who enjoy privileges and immunities in the receiving state “to respect the laws and regulations of the receiving state” and “not to interfere in the internal affairs of that state”. Breaches of these duties constitute abuses of privileges and immunities (also referred to as abuses of diplomatic functions).

Remedies for abuse of diplomatic privileges and immunities

Remedy for abuse of diplomatic privileges and immunities, as outlined in the VCDR, includes notifying the sending state that a diplomat in question is declared persona non grata (Article 9 of the VCDR) and, in the most exceptional circumstances, breaking off diplomatic relations, which are established by mutual consent as articulated in Article 2 of the VCDR.

Importantly, these remedies do not require the host state to give reasons for the remedial action. The result is that the perception of abuse can be as likely a cause for expelling a diplomat or even breaking off diplomatic relations as an actual abuse. The International Court of Justice in the Tehran Hostages Case explained the discretion built into this regime as follows:

Article 9 of the [VCDR]… take[s] account of the difficulty that may be experienced in practice of proving such abuses in every case or, indeed, of determining exactly when exercise of the diplomatic function … may be considered as involving such acts as “espionage” or “interference in internal affairs”. The way in which Article 9, paragraph 1, takes account of any such difficulty is by providing expressly in its opening sentence that the receiving state may “at any time and without having to explain its decision” notify the sending state that any particular member of its diplomatic mission is “persona non grata” or “not acceptable”… Beyond that remedy for dealing with abuses of the diplomatic function by individual members of a mission, a receiving state has in its hands a more radical remedy if abuses of their functions by members of a mission reach serious proportions. This is the power which every receiving state has, at its own discretion, to break off diplomatic relations with a sending state and to call for the immediate closure of the offending mission. (emphasis NSIRA’s).

The personal immunity enjoyed by diplomats will normally cease when the functions of the diplomat have come to an end and “at the moment when he leaves the country, or on expiry of a reasonable period in which to do so.” There are circumstances wherein the receiving state may prosecute a diplomat for those breaches that contravene their domestic law where the personal diplomatic immunity enjoyed by the diplomat has ceased.

Acts performed by a diplomat “in the exercise of his functions as a member of the mission” will continue to be covered by immunity despite the diplomat’s personal immunity having ended. However, acts falling outside of a diplomat’s legitimate functions will not continue to be covered by immunity, and the diplomat may be liable to prosecution for illegal acts they performed during the mission if they later re-enter the receiving state without the protection of diplomatic immunity or where they fail to leave the receiving state within a reasonable time.

There are of course other less severe means at the receiving state’s disposal to respond to a diplomat’s abuse of functions, both legal and political. Aside from the more unlikely risks of expulsion or severing of diplomatic relations, there is a wide spectrum of reputational harm that may result from perceived breaches of the VCDR. NSIRA emphasizes that GSRP officers should be wary of placing a receiving state in the position to seek remedy.

Where the GSRP activities depart from the legal framework for diplomatic functions in international law, attention should also be turned to whether these activities are lawful under Canadian law. Diplomatic relations are conducted under the authority of Crown Prerogative over foreign relations, which is constrained, to some extent, by international law. Prohibitive rules of customary international law, which would include prohibitive rules of diplomatic law, are considered to be incorporated into Canadian common law unless there is legislation to suggest the contrary. Crown Prerogative is likewise part of our common law. Consideration must be given as to how the exercise of Crown Prerogative reconciles with these prohibitive rules.

Perceptions

Diplomatic vs. Intelligence Functions

Existing within GAC’s intelligence bureau, the GSRP’s reporting directions are derived from Canada’s intelligence priorities. Nonetheless, GAC characterized the Program to NSIRA as being consistent with regular diplomatic reporting. Effectively, NSIRA views the Program as existing within a grey zone between these two dichotomies.

GSRP officers are posted to countries to collect information relevant to the GoC’s intelligence priorities. These countries are often characterised by poor human rights records and a high degree of mistrust for outsiders; they often take a hard line on internal security matters and tend to deploy mass surveillance on foreigners and citizens. This is why the perception of GSRP activities by receiving states is a relevant consideration for the Program.

When NSIRA asked how the Program accounts for disparities between what are legally permitted activities and the laws of the receiving state, GSRP officers were insistent that they operate under the VCDR. Although officers acknowledged that they have a right under diplomatic law to fulfill their duties, they also understood that the receiving state might perceive their role differently. To help mitigate this risk, some officers indicated that they avoid reporting on sensitive topics.

Although the GSRP reports on intelligence priorities and obtains information from human contacts, officers believe they are distinct from intelligence practitioners given that they operate overtly as accredited members of a diplomatic mission, and do not pay or task their contacts. Despite these assertions, whether the actions of the GSRP officer are “overt” or “covert”, and whether or not they task or pay contacts, is not determinative when assessing for an abuse of privileges and immunities under the VCDR. In fact, many cases where interference activities have attracted the attention of receiving states were clearly overt.

Risk

GSRP officers must be alert to any activity that may be perceived by receiving states as falling outside of the functions of a diplomatic mission. This portion of the review briefly outlines some of the attendant risks.

Risk to the Government of Canada and its Allies

NSIRA expected to find a GSRP governance framework that articulates internal policies and provides guidance to GSRP officers on how to perform their diplomatic reporting functions. Such a governance framework does not exist.

When questioned on the absence of a governance framework, GSRP indicated that a policy suite was unnecessary given that officers “are doing what diplomats have always done.” Although GSRP management noted that they are working towards professionalizing the Program, policy is currently:

established by the Head of the GSRP, exercising their judgement and discretion, and drawing on specialized expertise, including support from legal, human resources and finance divisions, and seeking formal or informal approval from senior executives as required and when appropriate.

Policy guidance provided by the Head of GSRP is disseminated to officers via email. There is no central repository to organize this information. In addition to a lack of information management structures, there are information management weaknesses in other areas, including multiple incompatible systems and various security accreditations across missions. Additionally, some information is solely held at mission, limiting HQ’s visibility and oversight of mission developments.

As a result of the absence of a sufficient governance structure, information management challenges and limited oversight of mission developments, there have been instances where the Program has not managed risk appropriately.

For example, the review observed instances in which Canada’s allies misidentified GSRP officers as Canadian intelligence representatives.

Although NSIRA did not observe any instances where GSRP officers intentionally misled receiving states, in one case, the lack of understanding of the Program’s mandate [redacted].

Some recipients of GSRP reports also indicated that other recipients (particularly those with limited security and intelligence backgrounds) do not fully understand that these products are single-source, unvalidated, or uncorroborated. This is particularly relevant given that GSRP officers have in the past unwittingly reported information that turned out to be misinformation and disinformation. Of note, GSRP produced just over five thousand reports over the review period, with two significant instances of confirmed disinformation in ten reports. Moreover, recipients repeatedly referred to misinformation in GSRP reports, yet NSIRA was unable to independently corroborate all of the Program’s reports over the review period.

As already noted, one of the challenges facing the Program is the absence of sufficient oversight. Four full time employees at HQ are responsible for the management of approximately thirty officers, the vetting of approximately two thousand reports per year, for providing informal policy guidance, and conducting outreach with relevant stakeholders. This deprives HQ of the capacity to perform adequate quality control of officer activities.

Finding no. 1: NSIRA found that GSRP’s governance and accountability structures are insufficiently developed.

Finding no. 2: NSIRA found that GSRP activities have the potential to cause unnecessary reputational and political harm to the Government of Canada.

Finding no. 3: NSIRA found that GSRP does not adequately maintain central repositories or follow information management best practices.

Recommendation no. 1: NSIRA recommends GSRP prioritize the development of a governance framework.

Recommendation no. 2: NSIRA recommends that GAC enforce data retention and information management practices as laid out in already-existing GoC policies.

GAC-CSIS Operational Partnership

CSIS has a framework that outlines host country expectations, both politically and operationally. The CSIS Act specifies, under section 17, how these arrangements are to be governed. In addition, there is Ministerial Direction that further guides CSIS’ conduct abroad. This governance framework structures CSIS’ operations to be consistent with domestic and international law. In most cases, CSIS prefers to be the primary interlocutor with foreign security or intelligence partners, just as GAC prefers to be the primary contact with diplomatic representatives.

In at least one instance, GSRP was a primary contact with a foreign intelligence agency instead of CSIS. In this instance, GAC refused to approve a Section 17 relationship between CSIS and [redacted] due to an ongoing sensitive diplomatic case. However, NSIRA did not observe anything to indicate these same relationship prohibitions were extended to RCMP or GSRP. Regardless of the circumstances, in cases where CSIS is prohibited from engaging a foreign entity due to restrictions on the foreign arrangement, GAC does not have the same restrictions.

Moreover, where CSIS and GAC have identical legal obligations under the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACMFEA), these obligations risk being applied differently. For example, where CSIS has controls on who they can and cannot liaise with as derived from Ministerial direction (i.e. s.17, CSIS Act), GAC does not have comparable restrictions. Rather, GAC relies on internal mitigation processes when sharing information with foreign entities, which for CSIS, are only relevant if the Minister permits the Service to engage with that entity to start with.

Although GSRP management stated that it is not the role of officers to liaise with foreign security and intelligence agencies, GSRP officers did not consistently articulate this to NSIRA. For instance, some officers interacted with members of local intelligence agencies, while others mentioned that they consider this to be outside their mandate.

In several instances, CSIS was asked by receiving states to clarify what was perceived to be inappropriate activities by GSRP officers. In these cases, CSIS attempted to reassure these partners that the GSRP was not a covert collection program. NSIRA also observed coordination challenges in regions where CSIS and GSRP activities overlap (e.g. contact pools).

NSIRA heard from multiple GSRP officers that they generally found CSIS partners at missions collegial and forthcoming with security advice. In one other instance, the GSRP officer reported a hostile relationship with their CSIS counterpart.

NSIRA also observed numerous cases where it did not appear that GSRP officers had adequately productive relationships with CSIS at mission. In these instances, although individuals were cordial, there was minimal interaction, with CSIS officers often keeping to themselves. Although NSIRA understands the legal protections pertaining to CSIS information sharing, there appeared to be a lack of consistent deconfliction and interaction between GSRP and CSIS in the field.

When NSIRA raised the issue of deconfliction overseas, GSRP management maintained that such mechanisms were unnecessary given that CSIS is a client, and not a partner, of the Program. Although CSIS is indeed a client of GSRP reporting, the above also clearly indicates that the GSRP and CSIS operate in close proximity to each other overseas, with attendant relationship complexities that must be managed.

CSIS and GAC both participate in a Joint Management Team (JMT), which convenes at the Director General and Deputy Minister levels. NSIRA observed that although there is potential for the JMT to serve as an effective deconfliction mechanism, there was no evidence that key takeaways concerning GSRP and CSIS collaboration were acted upon. Further, the JMT convenes too infrequently to have a lasting or substantive impact.

Finding no. 4: NSIRA found that there is insufficient deconfliction between CSIS and GSRP, which results in inconsistent governance when engaging foreign entities.

Recommendation no. 3: NSIRA recommends the development of clear deconfliction guidelines between CSIS and GSRP and that there must be a consistent approach by CSIS and GSRP when engaging with foreign entities overseas.

Risk to Officers

GAC advised that they have no legal opinions on the legal framework for the GSRP. NSIRA observes that not enough attention has been turned to ascertaining the scope of the functions of a diplomatic mission as described by Article 3(1)(d) and the duties outlined in Article 41(1) of the VCDR, as well as the types of activities that may expose GSRP officers to being declared persona non grata by the receiving state. One area of particular ambiguity is the broad concept of diplomatic interference under Article 41(1) which is not clearly defined under diplomatic law and requires further consideration. The more sensitive a GSRP officer’s conduct, the more likely a receiving state may perceive interference. In addition, thresholds for interference will likely differ between states.

Similarly, where GSRP activity takes on the perceived attributes of espionage, there is increased risk of exceeding the GSRP mandate, violating the receiving state’s domestic law, and exceeding the GSRP officer’s legal diplomatic functions. These risks require further consideration by GAC’s legal and policy team, as outlined further below.

The absence of a legal and policy framework could result in reputational harm to Canada and its diplomatic relations, and presents risks to the individual GSRP officers. NSIRA observed that many GSRP officers routinely relied on the VCDR as a shield for their actions. Indeed, officers did not appear to appreciate that a breach of their obligations under the VCDR amounts to an abuse of their diplomatic privileges and immunities. Article 3(1)(d) of the VCDR recognizes reporting information ascertained through lawful means. Any departure from this requirement would mean that a GSRP officer runs a risk of not being protected by immunity once the GSRP officer’s personal immunity ceases at the end of the individual’s diplomatic posting.

GAC’s Conduct Abroad Code explicitly acknowledges that host country local norms are to be followed by Canadian representatives and that perceptions of Canadian representatives may have a negative effect on Canada’s reputation. Additionally, the activities of GSRP officers are governed by other protocols, which cover the risk of natural disasters, local health concerns, crime, and the physical security of the mission.

In order to collect pertinent information, GSRP officers often travel to dangerous regions not regularly frequented by other diplomats. In addition, GSRP officers also engage with contacts who may hold viewpoints that are considered sensitive by receiving states. Obviously, these contacts would be of little value to the Program if the information/perspective they possess could be collected anywhere. Although all diplomats can attract attention of local authorities, given the nature of the GSRP’s mandate, officers are at particular risk of scrutiny by receiving states.

There also appears to be a disconnect between GSRP HQ and mission management. Namely, there does not appear to be a shared accountability structure. As a result, this undermines the primacy of any one of the managing parties. For example, NSIRA observed multiple instances in which the reporting structure was not clear either for Program partners or for GAC management. For example, the time lag for receiving critical guidance placed one officer at risk of continuing activities which could have been perceived as non-compliant with the VCDR.

GSRP officers do not receive adequate training or briefings on the parameters of diplomatic privileges and immunities. This lack of knowledge may have serious consequences on the GSRP officer’s ability to conduct themselves in accordance with their diplomatic duties. In addition, once a GSRP officer is no longer afforded diplomatic immunity, a receiving state may seek retaliatory measures.

Case Study: Accepting and reporting on classified information

During the course of the review, NSIRA observed many instances where GSRP officers claimed to have a good understanding of their legal boundaries. However, an instance that occurred in [redacted] highlighted the need to ensure that GSRP officers are properly aware of their legal obligations. In this case, a GSRP officer received what appeared to be classified [redacted] from a contact.

Like Canada, [redacted] has laws prohibiting the disclosure of classified information. The GSRP officer’s actions must comply with [redacted]. In addition, Article 41 of the VCDR is clear that diplomats are required to respect the laws and regulations of the receiving state. NSIRA did not see any indication that consultation with legal counsel occurred in this particular case.

In another case, a GSRP officer [redacted] requested and received what was likely classified information from a contact. The information received included [redacted].

In both of the cases examined above, the two GSRP officers appeared to believe that their actions were distinguishable from the activities of an intelligence officer because they did not pay for the information. As noted previously, this is not pertinent when considering compliance with the VCDR; moreover, the aforementioned cases raise concerns related to abuses of diplomatic privileges.

GSRP officers do not have clear guidelines on how to proceed when exposed to information that falls outside the limits of diplomatic collection. NSIRA did observe one instance in which a GSRP officer was given suspected classified information and appropriately returned it to the contact. However, this result was a consequence of the good judgment exhibited by the officer, rather than derived from explicit direction.

Finding no. 5: NSIRA found there was an absence of risk assessments and security protocols specific to the increased scrutiny that GSRP officers may attract because of the nature of their reporting priorities.

Finding no. 6: NSIRA found that although the GSRP operates under the VCDR, it does so without adequate legal guidance assessing the activities of the Program.

Finding no. 7: NSIRA found that GSRP officers do not receive adequate training regarding their legal obligations.

Recommendation no. 4: NSIRA recommends that GSRP develop risk protocols and security guidelines specific to the GSRP.

Recommendation no. 5: NSIRA recommends that GAC complete a thorough legal assessment of GSRP activities. GSRP officers should receive applicable training based on the result of the assessment.

Risk to Contacts

As already explained above, the more sensitive a GSRP officer’s conduct, the more likely a receiving state will perceive interference. This is particularly true with respect to officer interactions with contacts. It is important to underscore that the assumed diplomatic protections granted to the GSRP officer do not apply to contacts. As such, everything depends on a) the degree to which the contact is genuinely free to share such information with a foreign state and b) the degree to which the GSRP officer’s activities do not raise unnecessary suspicion about this interaction.

GSRP officers reported many different experiences regarding risk and security for their contacts, consistent with the diverse environments in which they operate. Most GSRP officers believed that there was little reason to be concerned for contacts, irrespective of the environment, given the overt nature of the collection. In cases where officers acknowledged that certain regions and/or circumstances created a higher risk to the contact, these situations were often mitigated by following the lead of the contact. In other words, given that the contact was most familiar with the environment, the GSRP officer paid close attention to these sensitivities.

In some instances, however, GSRP officers mentioned concern for the security of their contacts, which could not be easily mitigated. One GSRP officer noted in an interview that his contact informed him that their interactions would garner unwanted attention by local authorities. Similarly, another GSRP contact was detained by the local authorities and questioned about his interaction with a GSRP officer. In other instances, GSRP officers reported political turmoil or increased security as reasons why contacts suddenly stopped talking to them.

Throughout the course of this review, the implications of the differences between overt contacts and clandestine sources were ever-present. In many respects, GSRP management’s contention that a contact cannot be perceived in the same manner as an intelligence source is accurate. Certainly, most GSRP officers’ interactions with contacts are innocuous. However, given the very nature of the reporting requirements for the Program, there were cases where the contact’s interactions with the officer were high risk. Such examples include GSRP [redacted] speaking with various individuals in [redacted].

These topics and regions are not only widely known as highly sensitive to the receiving states, but also align closely with what a covert source may be tasked to collect information on.

The problem facing the Program from a “contact management” perspective is that anything that takes on the trappings of a “source management” program lends itself to appropriate criticism of being too closely affiliated to non-diplomatic reporting. For example, although the Program would benefit from some of the best practices of HUMINT management, discerning precisely which aspects would be most beneficial, while remaining a diplomatic program, is a key challenge.

In the absence of a “contact management” governance structure, it is therefore left to the best judgment of individual officers on how these interactions are to transpire. This includes the officer determining who to meet, where to meet, and what security protocols are most appropriate in the given circumstances.

In some cases, the officer took it upon themselves to try to enhance security for the contact, including setting up meeting venues minutes before in order to decrease the likelihood of third parties discovering the meeting location. In another example, the officer attempted to obscure mobile device tracking with a Faraday bag.

Although these measures were undertaken with the best interest of the contact at hand, intelligence services observing these behaviours could draw an alternative perspective about the intent of such behaviours. Most notably, this could run the risk that GSRP contacts would be perceived by receiving states as assets of a hostile intelligence service.

Irrespective of the environment, or the comfort of the contact, there was also inconsistency in how GSRP officers provided assurances to contacts. For example, while some officers reassured contacts that there is anonymity or confidentiality in GSRP reports, others did not. There was no evidence of a consistent understanding among officers on what assurances could be offered to contacts, or if contacts fully understood what would be done with the information they provided.

Recipients of GSRP reports repeatedly mentioned the ease with which they were able to identify contacts from the descriptions in the reports. Significantly, the majority of officers mentioned that they also report on meetings with Canadian contacts. The anonymization of Canadians is particularly important with regard to ensuring that GAC is meeting its obligations under the Privacy Act and other pertinent legislation. NSIRA will examine the issue of the GSRP meeting their information-sharing obligations with regard to Canadian contacts in the future.

Finding no. 8: NSIRA found that the GSRP does not have appropriate safeguards for interactions with contacts overseas.

Recommendation no. 6: NSIRA recommends that GSRP develop best practices for interactions with contacts based on consultation with GAC legal advisors.

Recommendation no. 7: NSIRA recommends that GAC conduct a Privacy Impact Assessment of the GSRP.

Conclusion

GSRP operates in a distinctly grey zone; GSRP’s vision for the Program includes “greater integration of intelligence community standards and best practices into the GSRP, while maintaining its diplomatic ethos”. Reconciling what this means, in practice, is the most pressing challenge facing the Program.

Reciprocity is an important element of diplomacy. The activities of certain GSRP officers abroad raise concerns that Canada’s diplomats are at times not conducting themselves in accordance with their duties and functions under the VCDR, and as a consequence, this may inadvertently influence how these states conduct activities in Canada.

There is a strong appetite for foreign intelligence collected by Canadians. Academics and senior officials from various departments have made clear that Canada’s allies are also eager for Canada to be more involved.

The creation of a foreign intelligence entity within GAC, or the allowance of mission creep by the GSRP into this area of collection, would run against the principles of the VCDR. Therefore, it is important that the GoC consider the implications stemming from this review and decide on the most appropriate means of collecting this kind of information. NSIRA appreciates that issues raised in this review necessarily evoke a renewed conversation on a dedicated Canadian foreign intelligence agency. This is, however, beyond the remit of NSIRA and may require consideration by the NSICoP.

Annex A: Findings and Recommendations

Finding no. 1: NSIRA found that GSRP’s governance and accountability structures are insufficiently developed.

Finding no. 2: NSIRA found that GSRP activities have the potential to cause reputational and political harm to the Government of Canada.

Finding no. 3: NSIRA found that GSRP does not adequately maintain central repositories or follow information management best practices.

Finding no. 4: NSIRA found that there is insufficient deconfliction between CSIS and GSRP which results in inconsistent governance when engaging foreign entities.

Finding no. 5: NSIRA found there was an absence of risk assessments and security protocols specific to the increased scrutiny that GSRP officers may attract because of the nature of their reporting priorities.

Finding no. 6: NSIRA found that although the GSRP operates under the VCDR, it does so without adequate legal guidance assessing the activities of the Program.

Finding no. 7: NSIRA found that GSRP officers do not receive adequate training regarding their legal obligations.

Finding no. 8: NSIRA found that the GSRP does not have appropriate safeguards for interactions with contacts overseas.

Recommendation no. 1: NSIRA recommends GSRP prioritize the development of a governance framework.

Recommendation no. 2: NSIRA recommends that GAC enforce data retention and information management practices as laid out in already-existing GoC policies.

Recommendation no. 3: NSIRA recommends the development of clear deconfliction guidelines between CSIS and GSRP and that there must be a consistent approach by CSIS and GSRP when engaging with foreign entities overseas.

Recommendation no. 4: NSIRA recommends that GSRP develop risk protocols and security guidelines specific to the GSRP.

Recommendation no. 5: NSIRA recommends that GAC complete a thorough legal assessment of GSRP activities. GSRP officers should receive applicable training based on the result of the assessment.

Recommendation no. 6: NSIRA recommends that GSRP develop best practices for interactions with contacts based on consultation with GAC legal advisors.

Recommendation no. 7: NSIRA recommends that GAC conduct a Privacy Impact Assessment of the GSRP.
