Date of Publishing:
Executive Summary
This review focused on the Canadian Forces National Counter-Intelligence Unit (CFNCIU) and how Information Technology (IT) searches were used to support counter-intelligence (CI) investigations. The review assessed whether IT searches and the collection of information in support of CI investigations interfered with individuals’ reasonable expectation of privacy in the circumstance(s).
Through the course of the review NSIRA has identified three (3) areas of concern tied to the requests for, and conduct of, CI information technology network searches. These are arranged under the following categories: (1) CFNCIU’s search of a Subject’s email, Internet and removable device activity; (2) The CFNCIU checklist used to identify and restrict search parameters, and how applicable stakeholders define search parameters; and, (3) How the acquisition of information is used to expand supplementary searches.
DND employees and CAF members have a reasonable expectation of privacy when using work computers for personal use. [**contains information related to DND/CAF operational capabilities**]. NSIRA found that CFNCIU may be inappropriately relying on DND/CAF policies as lawful authority to interfere with a Subject’s reasonable expectation of privacy.
NSIRA observed that the checklist has the potential to capture intimate and personal information that touches upon a Subject’s biographical core. NSIRA found that the checklist risks capturing information that is protected by s. 8 of the Charter. NSIRA also found that DND/CAF is applying a definition of metadata that captures information that could be subject to a reasonable expectation of privacy.
NSIRA also observed that CFNCIU IT inquiries utilized broad search parameters which may include information not relevant to the investigation. These parameters were applied as broad approvals with no specific internal controls or oversight at both the operational and working levels. Collection techniques, due in part to the limitations of IT audit tools and broad search parameters, resulted in a wide net being cast. NSIRA found that the investigative IT system practices it observed in the context CFNCIU’s CI investigations [**contains information protected by solicitor-client privilege**] have insufficient legal oversight to ensure that they are as minimally invasive as possible.
As a result of these findings, NSIRA recommends that DND/CAF suspend investigative IT system practices in the context of CFNCIU CI investigations until a reasonable legal authority has been established. Once a reasonable legal authority has been established DND/CAF should create a new policy framework that is reflective of the noted findings.
In keeping with NSIRA’s 2020 Annual Report which emphasized the implementation of a “trust but verify” approach for assessing information provided over the course of a review, NSIRA worked with the DND/CAF to design an approach for “proxy access” i.e. an approach involving a departmental intermediary an intermediary who accesses information repositories in the presence of NSIRA staff, and who can review relevant information on the system. DND/CAF agreed in principle to this form of access, however, given the disparate number of databases for which CI searches are conducted, this initiative could not be implemented in the course of this review. Notwithstanding, the information provided by DND/CAF has been independently verified by NSIRA through documentation analysis and meetings with DND/CAF subject matter experts. Further work is underway to continue mutually developing an access model for the independent verification of various kinds of information.
Authorities
This review is being conducted under the authority of paragraph 8(1)(b) of the National Security Intelligence Review Agency Act (NSIRA Act).
Review background
In July 2019, the NSIRA Act came into force, establishing the National Security Intelligence Review Agency (NSIRA). NSIRA’s mandate allows it to review the full range of national security or intelligence activities across the Government of Canada, including authority to review the Department of National Defence / Canadian Armed Forces (DND/CAF).
NSIRA completed its first review of DND/CAF in 2020, focusing on the Canadian Forces National Counter-Intelligence Unit (CFNCIU). During the course of the review, two (2) possible compliance issues were identified, with NSIRA Members approving further review in 2021.
The issues identified for further review were:
- the practice by CFNCIU, Assistant Deputy Minister Information Management [ADM(IM)] and DND/CAF of requesting information from, and searching DND/CAF Information Technology (IT) systems in support of Counter-Intelligence (CI) investigations; and,
- 2014 CFNCIU Subject interview [**contains information related to DND/CAF operations**]
IT System Searches
This review assessed, both in legal and technical terms, how IT searches are used to support CI investigations and the accountability structures that guide the acquisition of information and data.
Through the course of this review NSIRA examined all available written and electronic records, case files, correspondence, computer databases, and other information holdings and documentation related to the operations/investigations selected for review, as well as applicable policies, procedures, and legal advice to verify compliance with legal, ministerial and policy requirements. Presentations, interviews and meetings were conducted with managers/officers, as well as other pertinent DND/CAF personnel.
Through examination of selected case files, the review assessed whether IT searches and the collection of information in support of CI investigations interfered with individuals’ reasonable expectation of privacy in the circumstance(s). More specifically, NSIRA closely examined whether the searches used to support counter-intelligence (CI) investigations had the potential to include information that is meaningful, intimate and touching on a user’s “biographical core” of personal information. Everyone in Canada is constitutionally entitled to expect privacy in personal information of this kind, including when this information is contained on workplace computers.
NSIRA selected a sample of CFNCIU’s requested IT system searches, to assess whether CFNCIU, in the course of its activities, acted in compliance with the law, ministerial direction, and internal directives, policies and procedures, and had exercised its powers in a manner that is consistent, reasonable and necessary.
The review examined a cross-section of CFNCIU case files, and has focused on a contemporary, high level (Level III) case file [**redacted**] to illustrate CFNCIU and ADM(IM)’s practices when conducting searches on IT systems (Please refer to Appendix 1 for more on this case file). Through the lens of [**redacted**], NSIRA has examined whether CFNCIU and/or ADM(IM) interfered with individuals’ reasonable expectation of privacy in the circumstance(s) through the course of CI investigation. NSIRA closely examined searches conducted by Department of Information Management End- User Services (DIMEUS), Directorate of Information Management Engineering and Integration (DIMEI), and Canadian Forces Network Operations Center (CFNOC).
Subject interview
NSIRA also conducted an in-depth examination of the 2014 CFNCIU Subject interview in order to understand the lead up to the interview, what happened during the interview, the possible consequences, and what was done by DND/CAF after the incident. NSIRA reviewed CFNCIU’s case file and its compliance with relevant legislation, Ministerial Directives, DND/CAF policy, as well as the legal advice provided by the Office of the Judge Advocate General (OJAG) and the Canadian Forces Legal Advisor (CFLA).
As a direct result of NSIRA’s inquiries, the Canadian Forces Intelligence Command (CFINTCOM) issued a directive on September 9th 2021, [**contains information related to DND/CAF operations**].
In NSIRA’s view these measures have addressed the initial concerns exemplified in the 2014 Subject interview referenced above. As a result, NSIRA has suspended further inquiry into the matter, however, NSIRA may choose to re-examine this investigative practice in future reviews after an updated functional directive is provided by CFINTCOM.
CFNCIU historical context
Since 1997, Counter-intelligence (CI) and security functions within the DND/CAF have experienced continuous transformation in an effort to find efficiencies and de-conflict with other security, intelligence, and law enforcement stakeholders. Since inception, the CFNCIU has been the subject of ten internal studies, each of which have identified the Unit as having suffered from resource and policy limitations (among others), resulting in an inability to fully meet its mandate. Very few of the recommendations presented in these reports have be implemented. When asked why so many recommendations were ignored the Unit cited resourcing shortfalls.
In 1997, the security and criminal investigative services that had resided within the Special Investigations Unit (SIU) were separated into two new and distinct units, the CFNCIU and Canadian Forces National Investigative Service (CFNIS). This was a direct result of the tabling of the Report of the Special Advisory Group on Military Justice and Military Police Investigation Services, and the External Review of the Canadian Forces Special Investigation Unit.
The separation mirrored the bifurcation that occurred in the mid-eighties between the Royal Canadian Mounted Police (RCMP) and CSIS. For the first time, separate and distinct mandates within the DND/CAF were created for law enforcement, security and counter intelligence, and security clearance functions.
The newly created CFNCIU assumed the role of the security and counter intelligence functions within the DND/CAF. The CFNIS focused solely on criminal investigations. Finally, the security clearance function was established and now known as the Director General Defence Security, the Director Personal Security and Identification Management (DGDS/DPSIM).
Legal and policy authorities
The formation of the CFNCIU is authorized by the Minister of National Defence (MND) through a Ministerial Organization Order. Subsequently, the Chief of the Defence Staff (CDS), through a Canadian Forces Organization Order, established the CFNCIU as a regular force unit allocated to the Canadian Forces Intelligence Group (CF INT GP).
Issued in March of 2003, under the authority of the Deputy Chief of the Defence Staff, the 8002 series Defence Administrative Orders and Directives (DAOD) established the main policy framework for defence CI activities by reaffirming responsibilities of the MND, DM and CDS in safeguarding the resources of DND/CAF. [**contains information protected by solicitor-client privilege**] would be equivalent to those undertaken by departmental security officers in other federal government departments.
There are no provisions of the National Defence Act (NDA) that authorize the conduct of defence intelligence activities. CFNCIU investigations are the only area of defence intelligence that is squarely focused on Canadian citizens (DND employees/CAF members). [**contains information protected by solicitor-client privilege**]
In addition, Canadian law imposes legal constraints under the Privacy Act, the Criminal Code and the Charter on intelligence activities conducted in support of domestic operations. For example, the application of the interception of private communications provisions under the Criminal Code and the application of section 8 Charter protections against unreasonable search and seizure, would apply to domestic activities of DND/CAF.
Issued in July of 2012, under the authority of the Assistant Deputy Minister (Information Management) and the Chief Information Officer, the 6002 series Defence Administrative Orders and Directives (DAOD) establishes the main policy framework for operational, technical and security authorities for communications and information systems within the DND/CAF.
DAOD 6002-2, Acceptable Use of the Internet, Defence Intranet, Computers and Other Information Technology Systems, provides users with instructions on official, authorized, unauthorized and prohibited uses of IT systems. It is this policy that defines authorized use and a user’s expectation of privacy.
In DAOD 6002-2, users are advised that authorized use includes communication with family, friends and other persons, conducting personal banking transactions, as well as shopping for personal and family items, and would fall within the other than official uses category. Users are also advised that that there is only a limited expectation of privacy afforded due to the department’s responsibility for monitoring IT systems for the purposes of system administration, maintenance and security, and to ensure compliance with Treasury Board, DND/CAF policies, instructions, directives and standards.
Investigative process
Threat related information comes from a variety of sources to CFNCIU. Such information can originate from different detachments as well as from external partners. On initial receipt of threat-related information about a DND/CAF employee and/or incident, the Regional Detachments (RD) drafts an Intelligence Report (IntRep) to Headquarters (HQ), which centrally manages all investigations.
Following the initial identification of this security concern, there are two key determinatives to launch an investigation:
- there must be a suspicion linking an activity/individual as a threat (i.e. Terrorism, Extremism, Subversion, Sabotage, and Organized Crime) known as a TESSOC; and,
- the suspected threat must have a clear “nexus” to DND/CAF information, people and/or assets.
When operating within this scope, the nexus must be established for every investigation. [**contains information protected by solicitor-client privilege**].If the TESSOC and nexus determinations are sufficiently justifiable, the Regional Detachments will submit a request outlining the proposed investigative level.
The investigative framework for CFNCIU is unique insofar as it covers security intelligence concerns similar to those of CSIS (i.e. TESSOC, in addition to organized crime), yet is limited in investigative scope to DND/CAF information, people and assets (i.e. nexus). Unlike CSIS, CFNCIU does not collect expansively on threats given the need for a nexus; and unlike a Departmental Security Officer, CFNCIU does not conduct investigations on issues regarding policy compliance, or security issues involving inappropriate behaviour by employees that do not point to an obvious TESSOC. Furthermore, CFNCIU does not have responsibility for security screening (which is the responsibility of DGDS/DPSIM), or for criminal investigations, which is the responsibility of the Canadian Forces National Investigation Service (CFNIS).
The investigative scope of CFNCIU is therefore best understood as occupying a very narrow space above those related to discipline and security screening, yet falling below criminal thresholds. Prior to the authorization of a counter-intelligence investigation or operation, DND/CAF must determine that:
- The investigation complies with the law;
- Any investigative techniques are related to the threat posed and the probability of its occurrence;
- The need to use intrusive techniques is weighed against any possible breach of constitutionally protected rights and freedoms; and
- The least intrusive technique of information collection are used, taking into account the specific circumstance.
The following text box summarizes the various investigative levels and what activities are authorized by departmental policy to be performed within that investigative threshold:
Although the levels of investigation are temporal, the review observed that most investigations are contained within the lowest investigative thresholds (i.e. PA or L1). This is not due to an absence of serious TESSOC threats but rather, this is due, in part, to CFNCIU’s [**redacted**] legal authorities [**contains information related to DND/CAF operational capabilities**].
When CFNCIU was created in 1997, the legal landscape with regard to the Charter was much different than it is today, and technology has expanded in a way that computers have become an all-encompassing tool. In addition, surveillance capacity and techniques have evolved. The law has evolved accordingly to protect Charter rights by requiring the State to obtain specific judicial authorizations (warrants) where there is a reasonable expectation of privacy.
[**contains information protected by solicitor-client privilege**]
- [**redacted**]
- [**redacted**]
- [**redacted**]
- [**redacted**]
- [**redacted**]
- [**redacted**]
- [**redacted**]
- [**redacted**]
- [**redacted**]
- [**redacted**]
[**contains information protected by solicitor-client privilege**] Warrantless searches that interfere with a reasonable expectation of privacy are presumptively unreasonable, unless the Collins test criteria is satisfied. CFNCIU has not identified a clear lawful authority that would permit warrantless searches for section 8 purposes during CI investigations. It is clear that under this evolved legal landscape that CFNCIU’s authorities have not kept up with the articulated mandate. The Unit, and largely CFINTCOM, have acknowledged that policy is outdated in terms of both terminology and content. NSIRA notes, however, that updating internal policies would not provide adequate authorities to conduct activities that would amount to a lawful interference with Charter rights. Amendments to allow CFNCIU to conduct most activities that would fall under a Level 2 or Level 3 investigation would require legislative amendments. This was documented within a number of internal reports identifying significant discrepancies in policy.
This explains why the Unit relies on the policies and legal authorities of external investigative bodies when carrying out certain functions, including those that would require a warrant. For example, CFNCIU cannot [**contains information related to DND/CAF operational capabilities**] these investigative techniques are all facilitated through other investigative bodies and these bodies’ mandates (i.e. CFNIS, CSIS, etc.).
This contemporary review NSIRA REVIEW 2021-10 should be viewed as a continuation to NSIRA’s 2019 review, the Canadian Forces Counter-Intelligence Unit (2019-01). As a result of the challenges posed by the COVID-19 pandemic and access to DND/CAF’s IT/IM infrastructure, NSIRA elected to bifurcate the review. This separation allowed for the provision of findings and recommendations to the Minister of National Defence in February of 2021. While the DND/CAF have accepted all of the findings and recommendations from the 2019 review, NSIRA recognizes this current review follows in relatively short succession and changes may already be underway. The intent of this review is not to restate previous findings and recommendations, but to provide additional observations viewed through an operational context.
This review examined a cross-section of CFNCIU case files, and has focused on a contemporary, high level (Level III) case file [**redacted**] to illustrate CFNCIU and ADM(IM)’s practices when conducting searches on IT systems (Please refer to Appendix 1 for more on this case file).
Through the lens of [**redacted**] NSIRA has examined whether CFNCIU and/or ADM(IM) interfered with an individuals’ reasonable expectation of privacy in the circumstance(s) through the course of CI investigation. NSIRA closely examined searches conducted by Department of Information Management End-User Services (DIMEUS), Directorate of Information Management Engineering and Integration (DIMEI), and Canadian Forces Network Operations Center (CFNOC) on behalf of CFNCIU for CI purposes.
NSIRA selected a sample of CFNCIU’s IT system searches, to assess whether CFNCIU, in the course of its activities, acted in compliance with the law, ministerial direction, and internal directives, policies and procedures, and had exercised its powers in a manner that is consistent, reasonable and necessary.
Findings and recommendations
This review focuses on CFNCIU searches of the Defence Wide Area Network (DWAN). This unclassified network allows for personal use by DND/CAF employees in accordance with internal policy. CFNCIU submits requests to three units which have the capability to query the DWAN activity and provide reports on specific users, and Subjects of investigation(s). The three internal units reviewed included the Department of Information Management End-User Services (DIMEUS), Directorate of Information Management Engineering and Integration (DIMEI), and Canadian Forces Network Operations Center (CFNOC).
Through the course of the review NSIRA has identified three (3) areas of concern tied to the requests for, and conduct of, CI information technology network searches. These are arranged under the following categories:
- DWAN searches: CFNCIU’s search [**contains information related to DND/CAF operations**]
- Multi-point Checklist: The CFNCIU checklist used to identify and restrict search parameters, and how applicable stakeholders define search parameters; and,
- Expanded Search: How the acquisition of information is used to expand supplementary searches.
DWAN Network Searches
CFNCIU requests advanced IT system searches as an investigative tool when conducting CI investigations. This potentially includes searches across [**redacted**] networks across multiple classification levels (See Annex F: IT SYSTEMS MATRIX). In the context of investigations, searches are best described as mosaics compiled from the previously mentioned distinct internal groups: DIMEI CFNOC, and, DIMEUS.
When conducting a CI investigation, CFNCIU must engage these groups individually through separate requests. Each group has a separate process for searching, collecting and reporting information. DIMEI, DIMEUS and CFNOC may lawfully access and monitor IT system searches for the purpose of “the management or protection of computer systems,” and may take reasonable measures for such purposes, including the interception of private communications. However, DIMEI, DIMEUS and CFNOC’s access to DND/CAF IT systems for network security activities does not provide an authority to access those IT systems for the purposes of [**redacted**]
The process for IT system searches, as described by CFNCIU, is illustrated by the figure below:
[**redacted figure**]
Generally DIMEI, DIMEUS and CFNOC utilize similar processes for providing “remits” – i.e. the collected product – to CFNCIU across IT systems. At the collection and filtering stage it is the IT analyst (DIMEI, DIMEUS, CFNOC) that decides what information is included as part of the remit. Analysts retrieve data from the Subject’s repositories based on a set of predefined selectors which is stipulated in a multi-point checklist (discussed further below) and relevance to the request is ultimately determined by the analyst’s post- collection review. [**contains information protected by solicitor-client privilege**]
While CFNOC engages its legal counsel with the initiation of CFNCIU’s request, they do not appear to be engaged with, or consulted through the course of the investigation [**contains information protected by solicitor-client privilege**] DIMEUS and DIMEI do not have assigned legal review, or oversight, and rely on the checklist to support their collection and filtering activities. DND/CAF notes that legal advice is sought by CFNOC and may be requested by DIMEUS and DIMEI, including verbally, [**contains information protected by solicitor-client privilege**]. However, NSIRA cannot verify this claim.
A Reasonable Expectation of Privacy when using IT Systems
Importantly, CFNCIU IT searches may not interfere with an individual’s Charter rights. As noted above, this review examined whether searches of the unclassified DWAN network for CI purposes had the potential to infringe upon an individual’s reasonable expectation of privacy in the informational content included on workplace computers. Case law recognizes that an individual’s use of workplace computers for personal purposes may give rise to a reasonable, though diminished expectation of privacy, protected by s. 8 of the Charter. A reasonable expectation of privacy inquiry is fact-sensitive and fact-specific, and depends on the “totality of the circumstances”.
It is likely that users of DND/CAF unclassified IT systems have a reasonable expectation of privacy when using such systems for personal use. DND/CAF policy on acceptable use of computer systems and devices permits limited personal use of such systems for a range of personal activities that are not necessary to carry out duties and official functions in furtherance of DND and CAF goals and objectives. This can include communicating with family, friends and other persons, for other than official use; shopping for personal and family items; or accessing news and other electronic network information sources. Such authorized activities (i.e, those for personal purposes) can generate revealing and meaningful private information that falls within the “biographical core” of information protected by section 8 of the Charter. A Subject under investigation by CFNCIU, therefore, would be able to establish a direct interest and a subjective expectation of privacy in any information content searched related to the personal use of DND/CAF networks.
DND Employees and CAF members have a reasonable expectation of privacy when using work computers for personal use. DND/CAF policy recognizes that:
“[t]here is only a limited expectation of privacy when using IT systems because they are subject to monitoring for the purposes of system administration, maintenance and security, and to ensure compliance with the Treasury Board, DND and CAF policies, instructions, directives and standards.”
A limited, or diminished, expectation of privacy is nonetheless a reasonable expectation of privacy protected by section 8 of the Charter. [**contains information protected by solicitor-client privilege**]
NSIRA acknowledges that DND/CAF has a legitimate interest in safeguarding the resources of DND and the CAF. However, the “finer points” of an employer’s right to monitor computers issued to employees has been left by the Supreme Court for another day. While the law on employee computer searches continues to evolve, a reasonable expectation of privacy is subject to state intrusion only under the authority of a reasonable law.
A search carried out without a warrant is presumptively unreasonable and contrary to s. 8 of the Charter. In the absence of a warrant, the Crown must establish on a balance of probabilities (1) that the search was authorized by law; (2) that the authorizing law was itself reasonable; and (3) that the authority to conduct the search was exercised in a reasonable manner. NSIRA is concerned that CFNCIU has not adequately considered their legal authorities to determine whether they have reasonable lawful authority to conduct warrantless searches for CI purposes.
As CFNCIU [**contains information protected by solicitor-client privilege**] and therefore CI activities would not constitute an unreasonable search within the meaning of s. 8 of the Charter.
[**contains information protected by solicitor-client privilege**]
[**contains information protected by solicitor-client privilege**]
CFNCIU [**redacted**] for CI activities, and is not clearly authorized by law to intrude upon a Subject’s reasonable expectation of privacy. NSIRA notes that the objective of the Treasury Board Policy is to manage government security, which is distinct from intelligence-gathering. Further, NSIRA emphasizes that internal policies– even those that “reflect and instantiate broader Treasury Board Policy on Government Security” – are likely not adequate authorities to conduct CI activities that allow for an interference with Charter rights. [**contains information protected by solicitor-client privilege**] While the CFNCIU search is not for criminal purposes, the strict requirement to report wrongdoing to the authorities would likely aise the standards for protections under section 8 of the Charter.
[**contains information protected by solicitor-client privilege**]
[**redacted**] Searches
In [**redacted**], the Counter-Intelligence Oversight Committee (CIOC) authorized a Level III CI investigation codenamed [**contains information related to national security investigations**].
[**contains information related to DND/CAF operations**]
[**contains information protected by solicitor-client privilege**]
[**contains information protected by solicitor-client privilege**]
[**contains information protected by solicitor-client privilege**]
Finding 1: NSIRA found that CFNCIU is inappropriately relying on DND/CAF policies as lawful authority to interfere with a Subject’s reasonable expectation of privacy.
Multi-Point Checklist
The multi-point checklist is applied as a standard operating procedure that sets out the parameters used to capture CFNCIU IT search requests, by aligning technical search capabilities with DND/CAF’s existing cyber defence tools.
The checklist identifies IT inquiry questions to be answered in retroactive analysis reports on Subjects of investigation. The multi-point checklist is viewed as a list of pre-consulted IT support requests and associated search criteria that has been reviewed [**redacted**] The checklist serves as a basis for all CFNCIU requests to DIMEI and DIMEUS by aligning the specific information request to the allowable search criteria, all the while falling within CFNCIU’s mandate and legal authorities. CFNCIU has indicated [**redacted**].
[**contains information protected by solicitor-client privilege**]
[**redacted**] DIMEUS and DIMEI do not have imbedded legal counsel, and rely on legal counsel from Directorate of Law/ Intelligence and Information Operations (DLAW/I&IO), or legal counsel from headquarters within ADM(IM) through CFNCIU.
CFNCIU distinguishes metadata from content as “…the attributes of the content without revealing the content.” Their view is that because the metadata does not include content, it is claimed by CFNCIU to be less sensitive. Metadata, [**redacted**] is returned to CFNCIU as a list of all emails sent or received by the Subject, including all the email metadata attributes such as the sender, the recipient, as well as the subject line and any attachment names.
NSIRA notes that metadata can be just as revealing as content about a Subject’s biographical core, depending on the context. Information that might appear outside of the biographical core of a Subject may be revealing or intrusive when coupled with other information. When viewing the information compiled by the checklist in its entirety, it is possible that intimate personal information related to the Subject under investigation may be revealed beyond what was initially contemplated or authorized. Additionally, email subject lines are akin to content rather than metadata. An email subject line can reveal the content of the communication that it describes, and it can be just as sensitive as any communication contained within an email. Therefore, it is inaccurate to consider email subject lines as metadata, rather than content.
It is important to note that DIMEUS analysts, during the filtering process, assesses relevance based on the Subject’s email metadata, [**redacted**] DIMEI has a similar process where returns are filtered to include only metadata related to the Subject. DIMEUS and DIMEI, as mentioned above, do not have integrated legal support. NSIRA notes that the practice of DIMEUS and DIMEI analysts filtering information for relevance – and in some cases, to ensure the results do not include content – is an inappropriate method for conducting IT searches, as it is likely to intrude upon the Subject’s privacy interests (further discussed below). The proposed checklist selectors are applied to all DIMEI and DIMEUS search requests by means of a standardized template. These selectors are used as filters that are applied to each search. Data returns only include the selector, or an iteration of that selector. Noteworthy, is the practice of DIMEI, which if a date range is not specified by CFNCIU, all records irrespective of time period are provided. In practice, there is in fact no constraint on the metadata being provided to CFNCIU in this scenario. This appears to contradict two checklist items which limit the information requests to the inquiry period.
[**contains information protected by solicitor-client privilege**]
Ultimately, current CFNCIU IT policy [**redacted**] on IT searches [**contains information protected by solicitor-client privilege**]. Further, IT searches based on use of the checklist are not subject to additional legal consultation or oversight (beyond the creation of the checklist template) [**redacted**]. This is problematic as the checklist items as drafted may capture information that has the potential to reveal intimate details of the lifestyle and personal choices of the Subject, which would be protected by section 8 of the Charter.
For example, item 8 of the checklist is [**contains information protected by solicitor-client privilege**]. Such an approach may still reveal information for which a Subject has a reasonable expectation of privacy. [**contains information protected by solicitor-client privilege**].
It is important to note that CFNCIU, during the course of the [**redacted**] investigation, submitted a request to CFNOC that included [**contains information related to DND/CAF operations**] CFNOC reminded CFNCIU that a reasonable expectation of privacy existed and ‘fishing expeditions were prohibited. This resulted in the withdrawal of the request for [**redacted**] with CFNOC. By contrast, CFNCIU requested similar information from DIMEI who complied and provided [**redacted**]. Although these two requests were not issued concurrently, they clearly demonstrate two separate outcomes based on very similar CI requests.
In contrast to DIMEUS and DIMEI’s approach, CFNOC operates under their own policies, directions and standard operating procedures, and need to meet specific requirements before a CFNCIU request can be initiated. For example, unlike DIMEI and DIMEUS, the CFNOC process includes an initial legal review by their CFIOG JAG [**redacted**].
[**contains information protected by solicitor-client privilege**]. NSIRA notes that the CFNOC approach to receiving initial legal review by their CFIOG JAG in the context of an investigation is preferable to DIMEUS and DIMEI’s approach [**redacted**].
Given the risk that the checklist items and proposed selectors have the potential to capture intimate and personal information that touches upon a Subject’s biographical core, the use of the checklist outside of the initially agreed upon parameters and without additional legal guidance or approval is problematic.
Finding no. 2: NSIRA found that the DND/CAF checklist applied as a standard investigative operating procedure risks capturing information that is protected by s. 8 of the Charter.
Finding no. 3: NSIRA found that DND/CAF is applying a definition of metadata that captures information that could be subject to a reasonable expectation of privacy.
Expanding the search
CFNCIU has taken measures to constrain its search parameters over the course of the [**redacted**]. Initial Requests For Information (RFI) (before the multi-point checklist was constituted) included far-reaching and extensive search parameters. From 2014, to the introduction of the checklist RFI items included [**contains information related to DND/CAF operations**] was included as part of the RFI. The [**redacted**].
In [**redacted**] a month prior to the authorization of the [**redacted**] investigation, CFNCIU investigators discussed the contents of the associated RFI and highlighted their preference to [**contains information related to the DND/CAF operations**].
DND/CAF has made attempts to constrain the search parameters with the implementation of the multi-point checklist. However, even with the checklist, the CFNCIU IT inquiry requests for the [**redacted**] investigation utilized broad search parameters which may have included information not relevant to the investigation.
[**contains information protected by solicitor-client privilege**]
Filtering the data for relevancy after this initial collection and search has occurred poses legal risks, as any potential interference into the Subject’s reasonable expectation of privacy would have already occurred by state action. The post-filtration of the information by the IT analyst before it is returned to CFNCIU does not negate that this initial search and seizure of the information by the IT analyst already constitutes a ‘search’ and ‘seizure’ within the meaning of s. 8 of the Charter, if this search interfered with a reasonable privacy interest.
These parameters are applied as broad approvals with no specific internal controls or oversight at both the operational and working levels. Collection techniques, due in part to the result in a wide net [**redacted**] being cast. It is left to the analyst/investigator to determine what is relevant and filter results after the information/data has been collected.
NSIRA has observed six instances of expanded search criteria, either outside of the stipulated checklist criteria or outside the initial request to CFNOC, as illustrated in Appendix II: Expanding the Search: [**redacted**] – Specific Examples, with no additional legal consultation, yet with clear risk of intruding upon Charter interests. As previously mentioned, the use of broad search parameters and then subsequent filtration of ‘relevant’ information is not an appropriate investigative technique. Furthermore, this approach does not align with DND/CAF policy on the CI program to ensure that prior to investigation or operation, the need to use intrusive techniques is weighed against a possible breach of constitutionally protected rights; and the least intrusive technique of information collected is used, taking into account the specific circumstances.
Finding 4: NSIRA found that CFNCIU risks breaching protected privacy interests by not having clear policy guidance based on lawful authority for IT searches, and by expanding IT searches beyond the approved search parameters.
Finding 5: NSIRA found that the investigative IT system practices it observed in the context CFNCIU’s CI investigations contradict the Office of the JAG and the Department of Justice’s legal advice, [**contains information protected by solicitor-client privilege**]
Recommendation 1: NSIRA recommends that DND/CAF suspend investigative IT system practices in the context of CFNCIU CI investigations until a reasonable legal authority has been established.
Recommendation 2: Once a reasonable legal authority has been established DND/CAF should create a new policy framework that is reflective of the noted findings, namely, the multi-point checklist, the categorization of metadata, the expansion of IT searches and the principle that these searches be as minimally invasive as possible.
Appendices
Appendix I: [**redacted**]
On [**contains information related to national security investigations**]
[**contains information related to national security investigations**]
In [**redacted**] the CIOC authorized a level III CI investigation codenamed [**contains information related to DND/CAF operations**].
DND/CAF, through its coordination body National Security and Intelligence Review and Oversight Coordination Secretariat (NSIROCS), has provided a large amount of documents in response to our Requests for Information. It is however also important to note that the information provided has not been independently verified by NSIRA.
[**redacted diagram and table containing information related to DND/CAF operations**]
Appendix II: [**redacted**] – Specific Examples
[**contains information protected by solicitor-client privilege**]
DIMEI 3-5 provided [**redacted**] in [**redacted**] DIMEI 3-5 further elaborated with the release of the information that the report was generated from [**contains information related to DND/CAF operations**]
Between [**redacted**] CFNOC provided CFNCIU with information in response to the IT inquiry request. This included [**contains information related to DND/CAF operations**].
On [**redacted**] CFNCIU requested from CFNOC “a master spreadsheet of all emails with subject headings to date.”112 This request did not include the initially agreed upon search criteria. CFNOC agreed to this change and provided an additional report containing [**redacted**]. This change also affected all subsequent [**redacted**] reports generated by CFNOC and provided to CFNCIU on a periodic basis.
In [**redacted**] CFNCIU requested from CFNOC [**redacted**]. They also requested [**contains information related to DND/CAF operations**].
In [**redacted**] DIMEI 3-5 prodived a report to the CFNCIU containing [**redacted**]. The search criteria used was more than the [**redacted**] previously identified by CFNCIU. DIMEI 3-5 also state that: “If there is an [**contains information related to DND/CAF operations**]
[**redacted**] Activity
In [**redacted**] CFNCIU requested CFNOC with a search of [**redacted**] CFNOC performed the search and provided the results, which included [**redacted**]. This additional request appears to have expanded the search criteria for all subsequent [**redacted**] activity reports. The new search criteria now included activity from any user where the device matched one previously used by the Subject of investigation.
[**redacted**]
In [**redacted**] CFNCIU requested from DIMEI 3-5 Security Information and Event Management (SIEM) data from [**contains information related to DND/CAF operations**]. SIEM data includes [**redacted**] DIMEI 3-5 later confirmed that [**redacted**].
On [**redacted**] CFNCIU requested from DIMEUS IT inquiries for [**contains information related to DND/CAF operations**] as well as any [**redacted**]. A few days later, DIMEUS shared with CFNCIU that they “are seeing [**redacted**].
In [**redacted**] DIMEI 3-5 internally discuss a pending CFNCIU request for “identify [**redacted**]. They further indicate that this is possible by [**redacted**]. At this point, it is unclear why the scope of the investigation includes more than the [**redacted**]. In a subsequent correspondence, DIMEI 3-5 defined the exact search criteria used to response to the 20 “IT Inquiry” questions. It included the [**redacted**] identified by CFNCIU has having been [**redacted**].
In [**redacted**] CFNCIU provided a list of [**redacted**] to CFNOC. The list of [**contains information related to DND/CAF operations**]. This list was provided alongside a request to CFNOC [**redacted**].
In [**redacted**] CFNCIU requested from DIMEUS a search of [**contains information related to DND/CAF operations**]. One month later, DIMEUS replied with a report containing [**redacted**]. Of the [**redacted**].
Annex A: Findings and Recommendation
Finding 1: NSIRA found that CFNCIU is inappropriately relying on DND/CAF policies as lawful authority to interfere with a Subject’s reasonable expectation of privacy.
Finding 2: NSIRA found that the DND/CAF checklist applied as a standard investigative operating procedure risks capturing information that is protected by s. 8 of the Charter.
Finding 3: NSIRA found that DND/CAF is applying a definition of metadata that captures information that could be subject to a reasonable expectation of privacy.
Finding 4: NSIRA found that CFNCIU risks breaching protected privacy interests by not having clear policy guidance based on lawful authority for IT searches, and by expanding IT searches beyond the approved search parameters.
Finding 5: NSIRA found that the investigative IT system practices it observed in the context CFNCIU’s CI investigations contradict the Office of the JAG and the Department of Justice’s legal advice, [**contains information protected by solicitor-client privilege**].
Recommendation 1: NSIRA recommends that DND/CAF suspend investigative IT system practices in the context of CFNCIU CI investigations until a reasonable legal authority has been established.
Recommendation 2: Once a reasonable legal authority has been established DND/CAF should create a new policy framework that is reflective of the noted findings, namely, the multi-point checklist, the categorization of metadata, the expansion of IT searches and the principle that these searches be as minimally invasive as possible.
Annex B: List of Acronyms
| ADM(IM) | Assistant Deputy Minister Information Management |
| CDS | Chief of the Defence Staff |
| CF INT GP | Canadian Forces Intelligence Group |
| CFINTCOM | Canadian Forces Intelligence Command |
| CFIOG | Canadian Forces Information Operations Group |
| CFIOG JAG | Canadian Forces Information Operations Group Judge Advocate General |
| DND/CF Legal Advisor | Office of the Department of National Defence and Canadian Forces Legal Advisor |
| CFNCIU | Canadian Forces National Counter-Intelligence Unit |
| CFNIS | Canadian Forces National Investigation Service |
| CFNOC | Canadian Forces Network Operations Center |
| CI | Counter-intelligence |
| CIOC | Counter-Intelligence Oversight Committee |
| DAOD | Defence Administrative Orders and Directives |
| DGDS/ DPSIM | Director General Defence Security, the Director Personal Security and Identification Management |
| DIMEI | Directorate of Information Management Engineering and Integration |
| DIMEUS | Department of Information Management End-User Services |
| Cabinet du JAG | Cabinet du Juge-avocat général |
| CEMD | Chef d’état-major de la défense |
| CI | contre-ingérence |
| CJ du MDN/FAC | Bureau du Conseiller juridique du ministère de la Défense et des Forces canadiennes |
| COMRENSFC | Commandement du renseignement des Forces canadiennes |
| CONS JUR | Bureau du conseiller juridique auprès du ministère de la Défense nationale et des Forces canadiennes |
| CORFC | Centre d’opérations des réseaux des Forces canadiennes |
| CSCI | Comité de surveillance de la contre‑ingérence |
| DGSD/DSPGI | directeur général – Sécurité de la défense, Directeur – Sécurité du personnel et gestion de l’identité |
| DIIGI | Direction – Ingénierie et intégration (Gestion de l’information) |
| DJ/R et OI | directeur juridique/Renseignement et opérations d’information |
| DOAD | Directives et ordonnances administratives de la défense |
| DSUFGI | Direction – Services à l’utilisateur final (Gestion de l’information) |
| GOIFC | Groupe des opérations d’information des Forces canadiennes |
| GP RENS FC | Groupe du renseignement des Forces canadiennes |
| INTREP | compte rendu de renseignement (Intelligence Report) |
Annex C: CFINTCOM Directive
[**redacted letter**]
Annex D: 20-Point Checklist
[**redacted checklist**]
Annex E: [**redacted**]
Annex F: IT Systems Matrix
The table below highlights the networks within the DND/CAF IM/IT infrastructure as well as the areas of responsibility for each group described above.
[**redacted table**]
