Review of the Canadian Security Intelligence Service’s (CSIS) use of Geolocation information

Backgrounder

On August 23rd, 2019, the National Security and Intelligence Review Agency (NSIRA) presented the Minister of Public Safety and Emergency Preparedness with a classified report on its review of CSIS’s use of geolocation information.

In this review, NSIRA found that CSIS’s use of this geolocation data without a warrant risked breaching section 8 of the Canadian Charter of Rights and Freedoms (Charter), which protects against unreasonable search and seizure. On March 16, 2020, NSIRA submitted a report under section 35 of the NSIRA Act, to the Minister of Public Safety regarding the possible unlawful activity.

This review raised pressing questions regarding the use of publically available data, but that nevertheless engages a person’s reasonable expectation of privacy. NSIRA’s review examined the decision-making process that led CSIS to use this data without a warrant, and found that CSIS lacked the policies or procedures to ensure that, prior to using the data, CSIS sought legal advice to avoid its unlawful use.

The review was also an opportunity to note more broadly that, in this environment, ongoing legal support to CSIS’s data exploitation activities is essential in allowing CSIS to operate at an acceptable level of risk. It also noted that CSIS and the Department of Justice are expected to demonstrate institutional leadership in this regard.

Going forward, NSIRA will prioritize the scrutiny of CSIS’s use of technology, particularly new or emerging technologies that pose the greatest risks.

Questions & Answers

In September 2017, the Federal Court issued a decision commonly known as the IMSI decision, that impacted CSIS’s collection, use and retention of data, including geolocation data. The decision found that, though CSIS’s authority under section 12 of the CSIS Act does authorize it to obtain geolocation information for which there is a low expectation of privacy (e.g. subscriber information, device number), anything beyond that, such as the actual location of an individual as pinpointed by their device would require a warrant.

The primary objective of this review was to assess whether CSIS’s collection of geolocation information was compliant with the Canadian Charter of Rights and Freedoms (Charter), the CSIS Act, Ministerial Direction and policy.

In this review, at issue was whether the use of the data to collect information about an individual’s location information constituted a search for the purposes of section 8 of the Charter, such that a warrant would be required.

The review found that CSIS’s use of the data during the trial period was conducted without a warrant. NSIRA concluded that, in most cases, CSIS will need a warrant to collect a person’s location information; otherwise, there will be a risk of breaching section 8 of the Charter, which protects against unreasonable searches and seizures.

CSIS overlooked legal aspects that related to using the geolocation data. Moreover, it was noted that there were indicators of a need for caution with respect to the data, including the IMSI decision of the Federal Court, which found that geolocating an individual would require a warrant.

There were no policies or procedures around the assessment and handling of new and emerging collection technologies, such that a formal evaluation of the legal risks would have been required. NSIRA was told that there is no formal process for the evaluation of risk, in cases like this, given that the data was assessed as “open source”.

NSIRA recommended that policy be developed or amended that would require a documented risk assessment, including legal risks, when information collected through new and emerging technologies may contain information in respect of which there may be a reasonable expectation of privacy.

Privacy Preference Center