Dissecting CSIS’ Statement Concerning Indefinite Metadata Retention

PR? by Ged Carrol (CC BY 2.0) https://flic.kr/p/6jshtz

PR? by Ged Carrol (CC BY 2.0) https://flic.kr/p/6jshtz

In this brief post I debunk the language used by CSIS Director Michel Coulombe in his justification of CSIS’s indefinite data retention program. That program involved CSIS obtaining warrants to collect communications and then, unlawfully, retaining the metadata of non-targeted persons indefinitely. This program was operated out of the Operational Data Analysis Centre (ODAC). A Federal Court judge found that CSIS’ and the Department of Justice’s theories for why the program was legal were incorrect: CSIS had been retaining the metadata, unlawfully, since the program’s inception in 2006. More generally, the judge found that CSIS had failed to meet its duty of candour to the court by failing to explain the program, and detail its existence, to the Court.

The public reactions to the Federal Court’s decision has been powerful, with the Minister of Public Safety being challenged on CSIS’s activities and numerous mainstream newspapers publishing stories that criticize CSIS’ activities. CSIS issued a public statement from its Director on the weekend following the Court’s decision, which is available at CSIS’ website. The Federal Court’s decision concerning this program is being hosted on this website, and is also available from the Federal Court’s website. In what follows I comprehensively quote from the Director’s statement and then provide context that, in many cases, reveals the extent to which the Director’s statement is designed to mislead the public.

The CSIS’ Director’s Statement

“Given recent media coverage, as I indicated in my previous statement and in the news conference when the Federal Court’s ruling was issued, I would like to reiterate that all associated data was legally collected under warrants.

The Federal Court did not suggest data had been collected unlawfully, but rather that it had been unlawfully retained. CSIS had chosen to separate ‘content’ information from ‘metadata’, and retain the latter indefinitely. CSIS did not consult with the Federal Court to confirm its interpretation of the judicial authorization. That authorization instructed the Service to delete collected information after one year if what was collected could not be definitively linked to a specific threat.

CSIS, in consultation with the Department of Justice, interpreted the CSIS Act to allow for the retention of non-threat related associated data linked with third party communications that were collected while under warrant.

This can be read as: CSIS and the Department of Justice conspired to (re)interpret the CSIS Act and the judicial authorizations they had received to legitimize a program that has been found to be unlawful. Moreover, their (re)interpretation was possible because there was never an open discussion with the Court concerning whether this (re)interpretation fit with the Court’s intent.  And, for clarity, the “non-threat retated associated data linked with third party communications that were collected while under warrant” that is referred by the Director can be (re)interpreted as “information about persons whom CSIS had no reason to suspect were involved in any illegal activities, or posed any threat to national security. Thus it involved collecting and retaining information about an unspecified number of persons regardless of those persons having done absolutely nothing wrong.”

The Federal Court has disagreed with this interpretation and we accept their decision. I would like to make it clear that the Service was not knowingly exceeding the scope of the CSIS Act.

The Federal Court found that CSIS misled the court, going so far as to write that “[i]f the CSIS unduly limits the flow of information the Court needs to make proper determinations, then the CSIS can be seen as manipulating the judicial decision-making process.” The only reason that the service did not “knowingly” exceed the scope of the CSIS Act was because the Service and the Department of Justice declined to confirm that its activities were legal and, instead, functionally created secret law as a method of casting a fig leaf of legality over the Service’s unlawful activities. The Court was never given a chance over the past decade to ‘disagree’ with CSIS’ and the Department of Justice’s interpretations because the Court was never appraised of the interpretations in the first place.

I would like to address the apparent perception that the Service created and operated ODAC without the knowledge of key government stakeholders.

In other words, the Director would like to drag as many other persons under the bus with him as possible. This may be to ‘encourage’ other stakeholders to back off and not investigate the Service or Department of Justice’s involvement in deliberately concealing CSIS’ activities from the Federal Court.

ODAC was created in 2006 to derive more value from the data already being collected under warrant using data exploitation techniques. The creation of ODAC and this core operational capability was presented to the Minister of Public Safety in July 2006 explaining the requirement for advanced data analytics and the ability of ODAC to retain data, including metadata, for extended periods of time.

CSIS was not retaining data for ‘extended’ periods of time. It was retaining the data indefinitely. And at least one past Minister, Stockwell Day, has explicitly stated on Power and Politics (.mp3) that he wasn’t aware of CSIS’ decision to retain metadata indefinitely. Furthermore, later in CSIS’ own Statement, the Service admits that past briefings “may not have specifically addressed the retention of the sub-set of associated data on which the Court has now ruled.”

So, while CSIS may have provided Minister Day (and successive Public Safety Ministers) with information pertaining to ODAC, the presentation of that information meant that the Ministers wouldn’t have known about the (now found as) unlawful activities that CSIS was involved in. As a result, not only did CSIS mislead the courts but it “may” have misled its Minister as well, and thus undermined the Minister’s ability to be accountable for the Service and its activities.

The Minister was also briefed on the program in March 2010.

Again, there is a baseline question of how this was presented to each Minister and the extent to which Ministers understood what was being presented to them.

Information was also shared over the years with various government stakeholders, including the Security Intelligence Review Committee (SIRC), the Privacy Commissioner, including a Privacy Impact Assessment, and the Inspector General of CSIS.

SIRC (the body responsible for reviewing CSIS’s activities) raised alarms about ODAC when they got around to investigating it. This indicates that SIRC can work when it attends to a given issue but, also, that SIRC’s relative lack of resources prevents it from conducting timely reviews of what end up being unlawful actions that are undertaken by CSIS.

The Privacy Commissioner has a limited ability to act: even in reviewing Privacy Impact Assessments the Commissioner can only recommend changes. The Commissioner cannot compel modifications of practice. It remains to be seen what the Commissioner was informed of when CSIS submitted those assessments, or the comments provided by the Commissioner concerning CSIS’ proposed activities, or CSIS’ responses to those comments.

The Inspector General of CSIS is no more: it’s unclear just what the prior Inspector General noted about ODAC to the Minister.

Ultimately, neither SIRC, nor the Privacy Commissioner, nor the Inspector General were in positions to challenge the legality of CSIS’ activities. They could raise concerns but ultimately were not situated to stop a given activity. This is the precise reason why CSIS’ deliberate decision to not involve the courts in evaluating its novel-interpretations of law were so problematic.

The CSIS 2007-08 Public Report also refers to ODAC, noting the support being provided to its operational branches through the performance of advanced analysis of data, and the program was described over the years in the Directors’ Annual Reports to the Minister.

CSIS is deliberately misleading the public. That report states the following: “Additionally, the CSIS Operational Data Analysis Centre (ODAC) provides support to the Service’s operational branches by performing advanced analysis of data that is collected on subjects of investigation.” This description suggests that the work is targeted toward those who are ‘subjects of investigation’. The Federal Court ruling lays bare that the problem is not focusing on legitimate targets but, instead, lays with the indefinite retention of persons’ information who are not targets of CSIS’ investigations.

Given the Service and Department of Justice interpretation that the activity in question was within the scope of the CSIS Act, these briefings may not have specifically addressed the retention of the sub-set of associated data on which the Court has now ruled.

Because CSIS’ and the Department of Justice’s secret interpretation of law authorized CSIS’ activities, neither saw fit to actually tell anyone else — such as the successive Ministers who have been responsible for the Service — that metadata was indefinitely retained. Instead the briefings were general and/or obfuscatory, which had the impact of undermining Ministerial accountability.

The intent of the Service, however, was to ensure key stakeholders were aware of ODAC, its capabilities, and intentions around retention.

The intent of the Service was decidedly not to alert ‘key stakeholders’ of activities that only enjoyed a fig leaf of legality. The Service was not particularly interested in revealing to its Minister or the public the full scope of activities that, if known, might have led to CSIS to being forced to limit its operations.

SIRC reviewed CSIS’ use of associated data and published its findings on the issue in its 2014-15 annual report. SIRC did not conclude that the retention of associated data was illegal, but did suggest that the Federal Court be made aware.

CSIS’ assertions here are deeply misleading. Per the Federal Court’s decision, SIRC “recommended to the CSIS that it inform the Court of its retention program, but that the CSIS refused to do so.” CSIS’ rational was that it “did not agree with SIRC’s recommendation to advise the Federal Court of activities relating to metadata collected under warrant. CSIS’s position is that section 21 of the CSIS Act does not confer any general supervisory authority to Federal Court judges, therefore, it believes that SIRC’s recommendation was both inappropriate and unwarranted. Moreover, the Service maintains that its position on the issue in question was communicated clearly and transparently to the Federal Court during a warrant application in December 2011. […]”

In other words, SIRC strongly encouraged CSIS to go back to the Federal Court and confirm that the Court knew what CSIS was doing with the warrants it was receiving. CSIS held that Federal Judges lacked any supervisory authority and, as such, were not permitted or entitled to evaluate how CSIS actually used the powers it was warranted to use.

To be very, very blunt: If CSIS had gotten its way — if the Service hadn’t been called to task by the Federal Court — then the Service would still be operating the ODAC with its permanent metadata collection right now. And CSIS would still maintain that the program was lawful. The result would be that CSIS’ Minister and the Federal Court alike would continue to be oblivious to the unlawful nature of CSIS’ activities, if the Federal Court had not taken its own initiative following the SIRC report.

As I noted in my previous statement, CSIS agrees that the Court should have been informed earlier of the existence of ODAC and the approach to data retention, and acknowledges this was a significant omission. At no point did CSIS deliberately seek to withhold this information from the Court, and the Court acknowledged that there is no evidence to suggest CSIS did.

The Court stated that it could not definitely prove that CSIS was deliberately misleading the Court. However, it did note that CSIS had previously held that the Court should be informed of the permanent retention of metadata and simply failed to do so. The Federal Court could not determine why this failure took place — presumably there were no incriminating memos that would explicitly prove the Department and Justice and CSIS conspired to keep the Court in the dark — and thus stopped just short of stating there was a deliberate conspiracy to mislead the court.

However, the Court did state that the Assistant Deputy Attorney General (Litigation) provided non-factual information when describing some of CSIS’ interception- and metadata-related activities. While perhaps CSIS does believe that it “should have” informed the Court earlier to avoid the current threat of contempt of court charges, CSIS’ response to SIRC indicates that it didn’t think it owed the Federal Courts explanations of CSIS’ activities nor of how CSIS and Department of Justice lawyers had creatively re-imagined what CSIS was warranted to collect and retain.

CSIS recognizes the importance of maintaining public trust and confidence in its activities.

In the absence of such trust and confidence there is a real risk that CSIS will be compelled to be more transparent in how, and under what conditions, it monitors Canadians. At worst (for CSIS), this ‘risk’ might expose that CSIS has other, as yet unstated, surveillance activities that may be unlawful when examined by Federal Courts. And at best (for CSIS), the ‘risk’ might prompt the general public to regard some of CSIS’ activities as over broad or inappropriate and call for curtailing some of CSIS’ operational capacities to little or no effect.

CSIS takes very seriously the privacy considerations related to its work, and it is committed to ensuring that its activities are in compliance with all legislation and Ministerial Direction.

Past Public Safety Ministers have asserted they were unaware of the ODAC and CSIS’ permanent metadata retention regime. A Federal Court judge has stated that CSIS was non-compliant with ‘all legislation’ that applies to CSIS. And CSIS itself asserted that it was not required to report back to the Federal Court when it applied creative interpretations of law. Why, exactly, should this suggest to the public that CSIS is generally operating in a trusted and lawful manner?


CSIS’ public statement is a public relations effort and nothing more. What has transpired is CSIS unlawfully and indefinitely retained information about an unknown number of Canadians and non-Canadians alike. The collection of that information was, itself, lawful: CSIS is now desperately attempting to convince the public and lawmakers that the Service committed a minor error as opposed to engaging in a (seemingly deliberate) effort to mislead the courts, not fully brief the Minister, and continue to operate under the fig leaf of lawfulness.

CSIS’ public statement also dangerously confirms some of the public’s worst cynicism and suspicions concerning the Service’s operations: What else does CSIS not believe it should be reporting to the Courts? What else is CSIS leaving out of Ministerial briefing books? What other creative or novel evaluations of law is CSIS and the Department of Justice using to justify programs that are poorly understood or simply unknown to those outside of those two agencies?

Security and intelligence services are only tenable when the public believes that the agencies are operating within the scope of law, are directing their activities exclusively towards national threats, and are properly accountable to their political masters. The indefinite metadata retention program that CSIS was running stands counter to each of those basic beliefs. As such, the current CSIS scandal should shake Canadians’ confidence in CSIS as well as the principle that Ministers can be held to account for what Canada’s security and intelligence agencies are doing.