Review Backgrounder
On August 23rd, 2019, the National Security and Intelligence Review Agency (NSIRA) presented the Minister of Public Safety and Emergency Preparedness with a classified report on its review of CSISโs use of geolocation information.
In this review, NSIRA found that CSISโs use of this geolocation data without a warrant risked breaching section 8 of the Canadian Charter of Rights and Freedoms (Charter), which protects against unreasonable search and seizure. On March 16, 2020, NSIRA submitted a report under section 35 of the NSIRA Act, to the Minister of Public Safety regarding the possible unlawful activity.
This review raised pressing questions regarding the use of publically available data, but that nevertheless engages a personโs reasonable expectation of privacy. NSIRAโs review examined the decision-making process that led CSIS to use this data without a warrant, and found that CSIS lacked the policies or procedures to ensure that, prior to using the data, CSIS sought legal advice to avoid its unlawful use.
The review was also an opportunity to note more broadly that, in this environment, ongoing legal support to CSISโs data exploitation activities is essential in allowing CSIS to operate at an acceptable level of risk. It also noted that CSIS and the Department of Justice are expected to demonstrate institutional leadership in this regard.
Going forward, NSIRA will prioritize the scrutiny of CSISโs use of technology, particularly new or emerging technologies that pose the greatest risks.
Date of Publishing:
1. Authorities
This review began under the authority of the Security Intelligence Review Committee (SIRC) articulated in subsection 38(1 ) of the Canadian Security Intelligence Serviceโs (CSIS Act), which provided SIRC the mandate to review CSIS’s operations in the performance of its duties and functions.
During the course of the review. Bill C-59 -An Act Respecting National Security Matters received Royal Assent on June 21, 2019. Part 1 of Bill C-59 enacted the National Security and Intelligence Review Agency Act (NSIRA Act), which came into force by order of the Governor in Council on July 12, 2019. The NSIRA Act repeals the provisions of the CSIS Act that established and governed SIRC and establishes in its place the National Security and Intelligence Review Agency (NSIRA). The NSIRA Act sets out the composition, mandate and powers of NSIRA and amends the CSIS Act, and other Acts, in order to transfer certain powers, duties and functions to NSIRA.
This review continued under the authority described in subsections 8(1 )(a) and 8(3) of the NSIRA Act to review any activity carried out by CSIS and to make any finding and recommendation that NSIRA considers appropriate.
2. Introduction
In its review function, NSIRA expects CSIS’s activities to be lawful and comply with ministerial direction. This review focused on CSIS’ s non-warranted collection of geolocation information and is part of NSIRAโs ongoing interest in CSIS’s collection and exploitation of both warranted and unwarranted data. Past reviews have assessed CSISโs warranted collection and retention of metadata and CSIS’s unwarranted collection and exploitation of bulk personal datasets. This is NSIRAโs first dedicated look at CSISโs collection of geolocation data.
The review takes place in the context of Federal Court decisions, most particularly the IMSI decision of September 27. 2017, that impact on CSISโs collection, use and retention of data, including geolocation data. The IMSI decision found that, though CSISโs authority under section 12 does authorize it to obtain geolocation information for which there is a low expectation of privacy, anything beyond that, such as geolocating an individual, would require a warrant.
It is worth noting that the scope of the review was broader at the outset and was intended to include a more comprehensive examination of the collection of different types of geolocation information, both warranted and unwarranted. Although the scope was reduced in the course of the review, NSIRA will be mindful of this for future reviews.
3. Objectives
The objective of this review is to assess whether CSISโs collection of unwarranted geolocation information used by CSIS in support of its operations is compliant with applicable sources of law, including the Canadian Charter of Rights and Freedoms (Charter) and the CSIS Act, as well as ministerial direction and operational policy. A related objective is to determine whether CSIS has sufficient safeguards in the form of formal procedures and policies to ensure that it is able to comply with its legal obligations amid a period of rapid change in technology and a correspondingly fluid legal environment.
4. Scope and Methodology
The scope and direction of the review was identified through a preliminary investigation of available documentation and a briefing with the โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ Further, NSIRA requested that CSIS identify all activities undertaken by the โโโโโ that may result in geographic information collected against non-warranted targets within the review period. This information was used as a foundation to
request specific documents from CSIS.
NSIRA examined all documents provided by CSIS and sought, retrieved and reviewed documents through CSISโs various computer and email systems to ensure a clear record of activity. Documents reviewed included: โโโโโโโโโโโโโโ taskings from the regions, responses to these taskings, briefing notes, planning documents, legal assessments and internal correspondence.
To conduct a compliance assessment of CSIS’ s use of geolocation information, NSIRA chose to conduct an in-depth case study of โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ geolocation information. NSIRA reviewed all instances when โโโโโโโโโโ was used by CSIS during the period under review. As this review consists of a single case study. NSIRA is mindful of generalizing the findings and conclusions to other types of geolocation data.
The core review period for this study was from January 1, 2017 to June 30, 2018, although NSIRA examined documentation that fell outside this period in order to provide a complete assessment of relevant issues.
5. Criteria
Legal and Ministerial Requirements
NSIRA expects CSIS to conduct its activities in accordance with relevant sources of law. including the CSIS Act. the Charter. the Privacy Act. and case law. NSIRA also expects CSIS to conduct its activities in accordance with ministerial direction. Most relevant in this review given the subject matter was an analysis of the Charter, which, in section 8, provides everyone with the right to be secure against unreasonable search and seizure.
In this case, at issue was whether the use of โโโโโโโ to collect information about an individual’s location information constitutes a search for the purposes of section 8 such that a warrant would be required.
Policies and Procedures
NSIRA’s expectation was that there would be policies and procedures in place to guide the collection, use and retention of data from โโโโโโโ despite its uniqueness, and that those policies and procedures would support compliance with CSIS’s legal obligations, including the Charter, as well as its obligations stemming from ministerial direction.
For reference, the relevant policies that pertain to the collection of information โโโโโโโ
- โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ In principle, this allows collection of this nature on a very broad cross-section of individuals;
- The collection of โโโโโโโโโ policies, including the DDO Memorandum of 2015 that request the establishment of โโโโโโโโโ as the National Policy Centre for โโโโโโโโโ. Additionally there is the procedure on โโโโโโโโโ that allows โโโโโ to conduct โโโโโโโโโ defined as a non-warranted collection tool or technique, against a โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ.
6. Background
The Investigative Technique – โโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ from users across the world.
โโโโโโโโโ contains three months of data. The information is not available in real-time; however, there is a delay of only 24-48 hours between the collection of the โโโโ and it becoming available in โโโโโโโโ.
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
See Annex A for an example of the use of โโโโโ against a CSIS target.
A chronology of CSIS’s use of โโโโโ
a. From introduction to the beginning of the pilot: July 2015 – January 2018
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโ echoed those same governance-related issues; specifically, it questioned whether there were legal issues associated with โโโโโ that needed to be addressed prior to the trial period. โโโโโ asked for “the rules of engagement so that we can plan accordingly and get the most of this evaluation.”โโโโโ further noted that, although the data seemed “wonderfulโฆ.there must be some legal/governance rules that apply to this when in the hands of a government agency. These questions were raised in an email to both โโโโโ and the โโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ Nevertheless, by September 2017 โโโโโ was anticipating an evaluation of โโโโโ that would involve using โโโโโ for a trial period of two months with a limited โโโโโโโโโโ.
โโโโโconvened a meeting in October with โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ The objective of the meeting was to prepare for a โโโโโ evaluation and, for that purpose, โto make decisions on a few details to ensure compliance with
legal and policy.
The questions to be covered in the agenda were:
- 1 ) Does existing โโโโโ policy cover the use of โโโโโ or does the policy need to be adapted?
- 2) Is the information contained in โโโโโโโ subject to a reasonable expectation of privacy?
- 3) Is there anything else that needs to be considered before CSIS can use โโโโโ? For example, additional โโโโโ procedures or tests?
According to a written summary of discussions circulated by โโโโโ following the meeting, it was agreed that โโโโโโโ would be compliant with collection under the โโโโโโโโโโโโ which allows โโโโ to “research and use open informationโ in support of investigations, it was further decided that the use of โโโโโโ would align with โโโโ policies as it would constitute threat related queries โโโโโโโโโโโโโโ and would be used only with the โโโโโโโโโโ authorities in place. Finally, it was assessed that the โโโโโโ data invested would meet the โstrictly necessaryโ threshold for collection and retention as set out in the CSIS Act as it would be based on a specific threat.
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Following the meeting, approval was granted for the trial use of โโโโโโ by Deputy Chief โโโโโโโโโ. Documentation of the approval consists of an email from the Deputy Chief to โโโ and โโโ with the understanding that, โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ.
b. CSIS’s trial period – March 2018 – July 2018
CSIS began its pilot of โโโโ on January 14. 2018. It was initially to be for two months; but because of technical issues at the beginning that delayed its full use, and due to โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
During that time, โโโโโโโโ was tasked a total of approximately โโโโ times, resulting in โโโโ operational messages. As noted, efforts were made by โโโ to ensure that its use of โโโโโโโโ was compliant with CSIS’s โโโโ policies on collection โโโโโโโโโโโโโโโโโโโโ as well as the CSIS Act provision that collection and retention be done only to the extent that is “strictly necessary.”
โโโโ completed its evaluation of โโโโ by the end of April 2018. โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ.
The first version of a briefing note to gain approval for the โโโโโโโโโโโโ was drafted jointly by โโโโ and โโโ in April 2018. The briefing note stated that the pilot for โโโโ was “conducted operational policies.” The briefing note also โโโโโโโโโโโโโโโโโโโโ one was a restricted amount of information that would meet the strictly necessary threshold; and the other was a situation in which โโโโโโโโโโโโโโโโโโโโ in which case it would be โโโโโโโโโโโโโโโโโโโโโโโโโโโโ.
A subsequent version of the briefing note was prepared, also jointly by โโโโโโโโโโโโ. This one was dated May 15, 2018 and was sent to the Director General of โโโโ. In contrast to the first version of the briefing note, this one was the dual purpose of obtaining a legal opinion and โโโโโโโโโโโโโโโโ. This version was ultimately sent to the DG โโโโโโโโ and also included that โโโโโโโโ had been assessed as compliant with โโโโ authorities, following discussion with CSIS’s External Review and Compliance (ERC). โโโโ as well as informally with a representatives of the DLS. The briefing note stated that โโโโโโโโโโโโโโโโโโโโโโโโ fall within existing authorities and directives” and, further that “although โโโโ has assessed that โโโโโโโโโโโโโโโโ a formal legal opinion has not yet been conducted and suggest this briefing note be used as a mechanism to obtain one.”
NSIRA inquired as to the substance of the ERC and DLS discussion, as well as documentation of those meetings. NSIRA was advised that the ERC compliance officer embedded within โโโโ was aware of โโโโ which was presented at a town hall, but that it was not discussed with her beyond that. NSIRA asked for documentation to substantiate the DLS discussions but non was provided.
c. Legal advice: July 2018 – February 2019
Following the May briefing note, on July 20th, the DG โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
By July 31, preliminary legal advice was received:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
A formal legal opinion was provided on December 7, 2018, that called into question CSIS’s use of โโโโโโโโ without a warrant except in very narrow circumstances, โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ.
A further legal opinion was requested by CSIS to determine whether โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ. The resulting legal opinion, dated February 19 2019, โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ. Accordingly, section 8 of the CHarter would not be engaed in this narrow circumstance.
based in part on the February 2019 legal opinion, CSIS subsequently took the decision to โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ. It is NSIRA’s understanding that, presently, โโโโโโโโโโโโ being used only in very specific circumstances and according to the guidelines set out in the legal opinions.
7. Findings
Finding no. 1 Compliance with the CSIS Act and the Charter NSIRA finds that there was a risk that CSIS breached section 8 of the Charter during the trial period in which it used โโโโโ without a warrant.
DLS was asked to provide a legal opinion to CSIS on this investigative technique; in particular, to address the question of the “legal risk of using โโโโโโโโโโ (i) with respect to Canadians or persons in Canada; and (ii) human sources and employees, with their informed consent”. CSIS was advised in a Legal Memorandum dated December 7,2018 that:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
NSIRA’s own review of the file, which is meant to provide the Committee with independent legal advice, supports DLS’s opinion in that regard. In particular, NSIRA believes that the use of โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ. NSIRA observes that it is very unlikely that a court would find that section 12 of CSIS Act was sufficient legal authority to render warrantless use of โโโโโโ reasonable” for the purposes of section 8 of the Charter. Accordingly, CSIS would be required to obtain a warrant pursuant to section 21 of the CSIS Act for such searches. Of note, NSIRA’s legal analysis was based on the same set of facts as DLS used for its opinion.
In reaching this conclusion. NSIRA interprets section 12 of the CSIS Act as only providing authority for collection activities of minimal intrusiveness. In that regard, NSIRA concurs with the DLS opinion that, โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
At the time of writing, CSIS is pursuing options for how โโโโโโโโโ may be used under the authority of a warrant in the future.
NSIRA recommends that CSIS review its use of โโโโโโโโโ to date and make a determination as to which of the operational reports generated through the use of โโโโโโโ were in breach of section 8 of the Charter. These operational reports and/or any documents related to those results should be purged from its systems.
Findings no. 2 Governance related to piloting โโโโโโโโโ
NSIRA finds that there was no policy centre clearly responsible for the use of the data contained in โโโโโโโโ.
NSIRA asked about the policies and procedures that guided the decision to authorize the trial period, as well as which unit within the โโโโโโโโโโโโโโโโโโ branch would have been responsible for assessing and authorizing the use of โโโโโโโ As described above, the record suggests there were three discrete units involved in the โโโโโโโโโโโโโโโโโโโโโโโโ for the trial period.
โโโโโโโโโโโโโ was involved in the โโโโโโโโโโโโโโโโโโ As the policy centre with respect to the โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ the role and mandate of โโโโ is to coordinate, manage and โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ. In this capacity, โโโโ would have been responsible for assessing โโโโโโโโ for privacy impacts, among other things, had โโโโโโโโ been assessed as a โโโโโโโโ. However, โโโโโโโโ was not โโโโโโโโโโโโโโโโ but rather, as โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ. Therefore, โโโโโ did not officially assess โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ. That said, the briefing note of May 15 2018, clearly indicates that โโโโโโ assessed that the use of โโโโโโโโโโโโ fall within existing authorities and directives.” Given the lack of a formal record, NSIRA was unable to assess the content of, or the rationale for, this assessment.
โโโโโโ is the unit responsible for providing operational support for โโโโโโโโโโโโโโโโโโโโโโโโ intelligence through the use of covert โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ and it was to โโโโ that the first demonstration of โโโโโโ was given, โโโ authorities were eventually identified as those under which โโโโโโ would operate. However โโโโโโ was not the primary user of โโโโโโ. Neither did it participate in the formal evaluation of the data contained in โโโโโโโโโโโโ.
Responsibility for developing a means of formally evaluating โโโโโโ fell to the โโโโโโ given its expertise in geolocation information. However, โโโโ does not generally collect data, but is merely the user of data provided to it. As such, โโโโโ thorough preliminary evaluation to determine whether there were legal or other issues that needed to be addressed, even at the pilot stage. Nevertheless, โโโโ prepared, on its own initiative, a formal document to guide its evaluation of โโโโโโ during the trial period. NSIRA also notes that โโโโ followed existing policy in using โโโโโโโ only in instances when a valid targeting authority was in place.
NSIRA was not provided any formal documentation on the decision to authorize the pilot period. The record of decision to pilot โโโโโโ consisted of an email, which contained the following:
I donโt see any reason not to start an evaluation – โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ In addition, โโโโโโโโโโโโโโโโโโโโโโโโ are not provided until after we can determine that they are โstrictly necessaryโ and of relevance to the investigation -just until we find something of relevance.
Ultimately, NSIRA was unable to identify which of the three policy areas within โโโโโโ should have had, according to existing policies and procedures, responsibility for the assessment of โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ.
Finding no. 3 Record of decision
NSIRA finds that the record of approval to pilot โโโโโโ consisted of an email and that this email was not โput-awayโ as part of the official record, as it should have been.
As noted, the closest thing to a record of decision to pilot โโโโโโ was an email from a Deputy Chief of โโโโโโ the full text of which is cited above.
NSIRA notes that this email was not โput-awayโ as is should have been given that it represents, de facto, the approval for acquiring โโโโโโ for the purposes of evaluation and is required for robust records management and for accountability purposes. Instead, it was saved on a โpersonal” drive and only produced as part of the review process.
Findings no. 4-5 Assessment of risk in the case of โโโโโโ
NSIRA finds that there are no developed policies or procedures around the assessment and handling of new and emerging collection technologies, such that a formal evaluation of the legal risks of using โโโโโโ would have been required.
NSIRA finds that CSIS overlooked multiple indicators that using โโโโโโ might raise legal issues.
Ministerial Direction requires that the risk of operational activities be assessed across four pillars (operational, political, foreign policy and legal ). In particular, the Direction states that CSIS should “consider its ow n level of experience and novelty of the operational activity in assessing risk”.
NSIRA was told that there is no formal process for the evaluation of risk in cases like โโโโโโโโโโโโ given that it was assessed as โโโโโโโโโโโโโโโโโโโโโโโโ. This is consistent with NSIRA’s reading of the relevant policies, cited earlier, pertaining to โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ of which require an assessment of legal risk prior to the use of โโโโโโโโโโโโ for collection purposes.
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
It was suggested to NSIRA that it would not have been possible to conduct a thorough assessment of โโโโโโโโ before the pilot based on the reasoning that a risk assessment is only possible with full โโโโโโโโ. NSIRA accepts in principle that there are situations when it would be difficult to appreciate the legal risks until such time โโโโโโโโโโโโโโโโ and fully evaluated. Notwithstanding the difficulties, it is the responsibility of CSIS to mitigate these risks to the extent possible.
In this case, moreover. NSIRA notes that there were indications of a need for caution with respect to the โโโโโโโโ in the period before the trial was even begun, including the IMSI decision of the Federal Court, which found that geolocating an individual would require a warrant.
Internally, there were multiple indications to the effect that there may be reason for particular attention, including:
two emails sent prior to the pilot, one by โโโโโ on June 28. 2017. and the other by โโโโโ September 27. 2017, both containing legal and governance questions;
the meeting convened by โโโโโ for the purpose of discussing whether there existed a reasonable expectation of privacy in the โโโโโ data;
the examples provided by โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ and the evaluation of โโโโโ in April 2018. which indicated that there were privacy concerns with this tool given its ability to generate โโโโโโโโโโโโโโโ and to โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
There were other indications of a need for caution, โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Despite these signs, no formal action was taken to assess the question of legal risk until the briefing note in May 2018 requested a formal legal opinion.
NSIRA recommends that policy be developed or amended as appropriate that would require a documented risk assessment, including legal risks, in situations like โโโโโโโโโโ when information collected through new and emerging technologies may contain information in respect of which there may be a reasonable expectation of privacy. If not โโโโโ NSIRA further recommends that a policy centre for this type of โโโโโ collection be clearlv identified.
Conclusion
At the outset โโโโโ was characterized as making use of โโโโโโโโโโ. This is made clear from the approval email, โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ would consider, it is not clear that the data exploited through โโโโโโโโโโ represents genuinely โโโโโโโโโโ at least as defined in plain language, as was asserted.
Assessing โโโโโ in this way was not without its consequences in that it appears to have justified the lack of a more thorough legal assessment. This assumption proved to be problematic; the consequence was that CSIS placed itself at risk of having violated the Charter. Throughout this review. NSIRA has been mindful of the length of time it took for CSIS to obtain the final legal opinion, which was requested in July but finalized only in December, a full five months later.
NSIRA is aware that there have been discussions within โโโโโโโโโโ on the need to have ongoing legal support. In particular โโโโโ has requested the establishment of a policy and legal operating envelope to ensure that policy and legal questions related to data exploitation are properly covered, including a resource from DLS who would provide ongoing, even weekly, legal assistance. NSIRA understands that this request was made in part due to the difficulties associated with obtaining legal advice on an as needed basis. NSIRA has been advised that โโโโโ request to have weekly legal support has not yet been actioned.
The combination of an expanding scope in the type, volume and sources of data collected by CSIS and a fluid legal situation makes this an area of persistent high legal risk. CSIS has publicly affirmed that the concept of a reasonable expectation of privacy is evolving over time and committed to ensuring that CSISโs approach to a reasonable expectation of privacy โis kept consistentโ.
NSIRA is of the view that, in this environment, legal support to โโโโโ is essential to operate at an acceptable level of risk. NSIRA expects CSIS and the Department of Justice ( DOJ) to demonstrate institutional leadership that would allow responsible decision-making in an environment of uncertainty by making available legal support to โโโโโ as required on a priority basis.