NSIRA Calls CSE’s Lawfulness Into Question


On June 18, 2021, the National Security Intelligence Review Agency (NSIRA) released a review of how the Communications Security Establishment (CSE) disclosed Canadian Identifying Information (CII) to domestic Canadian agencies. I draw three central conclusions from the review.

  1. CSE potentially violated the Privacy Act, which governs how federal government institutions handle personal information.
  2. The CSE’s assistance to the Canadian Security Intelligence Service (CSIS) was concealed from the Federal Court. The Court was responsible for authorizing warrants for CSIS operations that the CSE was assisting with.
  3. CSE officials may have misled Parliament in explaining how the assistance element of its mandate was operationalized in the course of debates meant to extend CSE’s capabilities and mandate.

In this post I describe the elements of the review, a few key parts of CSE’s response to it, and conclude with a series of issues that the review and response raise.

Background

Under the National Defence Act, CSE would incidentally collect CII in the course of conducting foreign signals intelligence, cybersecurity and information assurance, and assistance operations. From all of those operations, it would produce reports that were sent to clients within the Government of Canada. By default, Canadians’ information is expected to be suppressed but agencies can subsequently request CSE to re-identify suppressed information.

NSIRA examined disclosures of CII which took place between July 1, 2015 and July 31, 2019 from CSE to all recipient government departments; this meant that all the disclosures took place when the CSE was guided by the National Defence Act and the Privacy Act.1 In conducting their review NSIRA looked at, “electronic records, correspondence, intelligence reports, legal opinions, policies, procedures, documents pertaining to judicial proceedings, Ministerial Authorizations, and Ministerial Directives of relevance to CSE’s CII disclosure regime” (p. 2). Over the course of its review, NSIRA engaged a range of government agencies that requested disclosures of CII, such as the Royal Canadian Mounted Police (RCMP) and Innovation Science and Economic Development Canada (ISED). NSIRA also assessed the disclosures of CII to CSIS and relevant CSIS affidavits to the Federal Court.

Inappropriate Disclosures of Canadian Identifying Information

NSIRA found that CSE received requests for 3,708 identifiers and released 3,671 of them. Of those released, 28% of the requests from Canadian agencies for CII were, “insufficiently justified to warrant the release of CII”.

In assessing the CSE’s internal procedures for disclosing CII NSIRA found that:

  • Employee training and documentation requirements were lacking, with the effect that rationales for disclosure were “generally not documented” and approvals for disclosure did not include, “the reasons for approving the requests” (p. 3). In contrast, there were detailed rationales for approving or denying requests made by foreign clients for CII.
  • Management oversight was insufficient on the basis that requests which were elevated for approval were all approved without, “documentations of the rationale behind the decision to approve the remainder” (p. 4). Further, compliance checks were insufficiently formal and lacked analyses of disclosure requests.

Moreover, NSIRA found that the disclosure of requested information itself was often problematic. To request information a domestic agency must have both the legal authority to make the request as well as the operational requirement to receive the information. When agencies submitted disclosure request forms to CSE they did not always note the legal authorities for obtaining this information and NSIRA found no evidence that CSE, “would follow up with requestors or assure itself through its own assessment that the requestor had the appropriate legal authority for collecting CII” (p. 4).

Turning to operational needs, NSIRA noted that CSIS, the RCMP, and Canada Border Services Agency (CBSA) made up about half of the sample NSIRA assessed, and “generally demonstrated a clear link between the intelligence reporting and associated CII to their mandated activities, with some exceptions” (p. 5). Some of the justifications accepted by CSE, however, were found to be inadequate:

[NSIRA] found 69% to be justified, 28% to be insufficiently justified to warrant the release of CII, 2% that could not be evaluated, and 1% that CSE denied.

When releasing CII, CSE sometimes released personal information in excess of what clients had requested, such as presenting an individual’s personal information when information was requested about a company’s identity. This was not a one-off situation, as “NSIRA observed other types of scenarios where CSE disclosed more identifiers than requested” (p. 5).

To address deficiencies in CSE’s disclosure regime, NSIRA ultimately suggested that better policies, procedures, and legal assessments be developed to guide CSE in its activities. A consistent understanding of disclosure requirements is needed and this will involve a governance structure that makes clear to clients how and when CSE can disclose CII. NSIRA recommends that information sharing agreements be established between CSE and key domestic clients to address at least some of these governance challenges.

CSE and CSIS

CSIS is responsible for collecting security intelligence and limited forms of foreign intelligence. The latter is authorized under Section 16 of the CSIS Act, and CSIS may obtain Section 21 warrants to carry out intrusive surveillance to fulfil obligations under Section 16. With warrants in hand, CSIS can then request assistance from CSE. During the time covered in NSIRA’s review, CSE could provide assistance under the National Defence Act that governed CSE’s activities. CSE’s assistance capabilities were restricted to activities that were authorized per the warrant CSIS received from the Federal Court.

Filings to the Federal Court did not fully disclose that CSE would provide CII to CSIS, nor did CSE’s internal plans or support parameters make mention that such disclosures could happen when assisting CSIS under the Section 21 warrant. Nevertheless, “both agencies insist that CSE can disclose such CII using its regular disclosure policies and procedures” (p. 6). Ultimately, NSIRA found that CSIS’ disclosures to the Court did, “not present a complete picture” due, in part, to CSIS noting, “in less detail and with omissions, some aspects of CSE’s parallel disclosure of CII collected through its assistance to CSIS under these warrants” (p. 7).

Of note, while CSIS has senior approval requirements that must occur before Canadian officials’ CII is disclosed, CSE does not possess equivalent processes. This has meant that working-level staff have made decisions to disclose officials’ CII. CSE staff who disclosed information to non-CSIS agencies were also sometimes unaware that the CII that was disclosed was subject to restrictions flowing from assisting CSIS’ Section 16 activities, or that there were conditions and limitations under Section 21 warrants that applied to the handling of the CII in question. The effect was that information which was collected or previously disclosed under Section 16 assistance to CSIS had been disclosed to non-CSIS government departments. Broadly, then, how CSIS characterizes how CSE handles CII diverges from actual practice and, as such, NSIRA argues that the court should be better apprised of CSE’s activities.

CSE Misleading Parliament

In testimony given in 2018, NSIRA notes that, “CSE was asked how it operationalizes its assistance mandate” and that its response was, “not a complete representation of the lifecycle of information collected by CSE in its assistance” to CSIS (p. 7). NSIRA is likely pointing to comments by two people in particular.

Ms. Shelly Bruce (then Associate Chief of CSE, now Chief of CSE) stated to Committee that, “if [CSIS] had the authority, they could ask us for assistance in that space, and we could use our capabilities to assist them as long as it was done within the parameters of whatever legal authority they’re operating under.” Mr. Dominic Rochon (then-Deputy Chief, Policy and Communications) said that:

In that particular example, CSIS would be interested in you as a Canadian. They have a legal mandate to do that. They could leverage us under our assistance mandate. We always talk about part (a) as foreign signals intelligence, part (b) as cybersecurity, and part (c) as our assistance mandate. Today, as with this new legislation, if CSIS is interested in you, they have to have a legal mandate to go after you, meaning they have to get a warrant. If they show us that they have a warrant, at that point in time they wouldn’t have access to our systems. They would ask us to act on their behalf. We would then use our capabilities to help them collect information. Any information that we collect is segregated and is given back to them and is their information. Effectively, we’re acting on behalf of CSIS.

NSIRA’s review found that the description of how CSE operationalizes requests from CSIS is not entirely accurate on the basis that, “CSE’s treatment and dissemination of [CII] differs from the stringent standards communicated to the Court by CSIS, particularly when it pertains to Canadian public officials and sensitive groups” (p. 7). In particular, information which was collected or disclosed under CSE’s assistance mandate to facilitate Section 16 operations under the CSIS Act was not kept separate from all other information which had been collected or disclosed, nor were CSE staff instructed to treat such information with particular care. As a result, some CII which was disclosed in support of Section 16 operations was also disclosed to other departments.

The CSE officials were appearing before committee while Parliament was debating Bill C-59, which significantly expanded both CSIS’ and CSE’s capabilities, as well as CSE’s very mandate. The not-so-hidden implication is that when CSE’s officials were explaining how CSE operated to committee they didn’t provide information that the committee may have needed to fully appreciate what CSE was already doing with its powers or how those activities might change subsequent to the passage of the CSE Act. One is left wondering whether NSIRA would take issue with other statements provided by CSE executives to committees, or if this was an isolated case.

CSE’s Rebuttal

In responding to NSIRA’s report, the Establishment notes that:

… to help support audit and review, CSE implemented a requirement for government clients to provide an operational justification to support their CII disclosure requests. It is important to note, however, that this is a matter of internal policy and that the Privacy Act does not require the documentation of legal authorities before information can be collected and disclosed.

It is unclear when these requirements were established or whether they were in operation during the period of time that NSIRA was reviewing CSE’s activities. If they were, then they appear to be insufficient. When CSE argues that the Privacy Act does not include a requirement for documentation, the Establishment appears to be suggesting that future federal privacy reform should correct this oversight, so that CSE and all other members of the intelligence community recognize the need to document how they handle CII. Perhaps the Chief of CSE can speak with the Office of the Privacy Commissioner of Canada to coordinate on this particular set of recommendations.

Of note, CSE’s response recognizes that their disclosure of CII had been repeatedly approved by their then-review body, the CSE Commissioner. The Establishment makes specific mention of their 2018-2019 review, stating that, “[i]n his final 2018-2019 review, the Commissioner confirmed that CSE’s disclosures of CII complied with the law and were done in accordance with ministerial direction.” NSIRA’s review, in effect, calls into question the decisions which were reached by the CSE Commissioner and raises the prospect that other findings of non-compliance with the law could follow should the CSE Commissioner’s decisions and reports continue to be re-assessed by NSIRA.

Finally, CSE strenuously objected to NSIRA’s, “overall conclusions and characterization of the disclosure process and its role in the broader privacy framework”. Likely due to these objections, the Minister of National Defence sent NSIRA’s review to the Attorney General of Canada, along with analyses of records analyzed by NSIRA. The Minister’s analyses, “supports the view that [CSE’s] activities, including applying protections for the privacy of Canadians, were conducted within a robust system of accountability, including compliance with the Privacy Act.” It is perhaps unsurprising that such analyses would have supported CSE’s position and, I suspect, may depend on past findings from the CSE Commissioner. What this does in practice, however, is pull conflicts between the reviewers and reviewed into the dark shade of an overcast day and reveal the contentious relations that can characterize some reviews of the CSE’s activities.

Questions and Issues Raised

First, NSIRA has adopted a much different approach to assessing the lawfulness of CSE’s activities as compared to how the CSE Commissioner undertook reviews. As previously discussed by Bill Robinson, the CSE Commissioner:

  • sometimes declined to undertake reviews of controversial subjects,
  • found that inadequate record keeping prevented the Commissioner from “properly assessing the legality of a CSE activity”,
  • refrained from passing a judgment of illegality and thus would either refrain “from issuing an assessment or bases his assessment on the CSE/DOJ interpretation pending further discussion”,
  • found that incidents of non-compliance with law were unintentional and thus did not constitute violations of law,
  • did not declare CSE in violation of law if they had changed their practices to become compliant,
  • would not declare CSE non-compliant, “as long as the government has promised to make amendments to the law to clarify that the activities in question are indeed authorized under the law—no matter how many years may go by with no evidence of the government actually taking steps to implement that promise.”

That NSIRA is willing to examine historical practices and find that there was likely inappropriate disclosure of CII, potentially in contravention of the Privacy Act, showcases that the Agency will be far less deferential to the CSE and Government of Canada, and thus fulfil its role as a serious review agency.

Second, CSE’s disclosure of information in excess of what was requested by Canadian agencies is concerning as it indicates that CII was circulated more broadly than needed. When juxtaposing the NSIRA report and CSE’s response, this suggests CSE believes that its internal policies may justify these over-broad disclosures of CII, despite NSIRA finding that disclosure policies are not sufficiently documented by the Establishment. The result is to give an impression that CSE believes its processes are adequate despite NSIRA’s findings to the contrary. A referee needs to step in to correct the record. Given the publicity of the review, said referee’s decision should be similarly publicized to clarify the policies concerning disclosures of CII.

Third, NSIRA’s assessment that CSE’s officials were not entirely candid with Parliament is disturbing, and should lead Parliament to compel the heads of CSE to present themselves to committee and explain themselves. CSE’s activities are, by their very nature, largely secret and thus unknown to the public, including to parliamentarians. If CSE officials are found to be misleading in their testimony or when providing answers to committee, especially at times where committees are evaluating whether to supplement CSE’s existing capabilities, these officials risk putting CSE’s activities outside of a lawful democratic mandate. Security services and intelligence agencies are wholly dependent on the trust of the population, and politicians, to retain their moral authority to operate in secrecy; misleading Parliament is a quick way to lose that authority.

Fourth, CSE’s response is non-specific in what has changed. The Establishment suggests there are problems with NSIRA’s methods without detailing them with any specificity; as written, CSE attempts to dispute NSIRA’s conclusions without actually explaining why they are inaccurate. Perhaps there are serious issues in NSIRA’s process of review and if that’s the case then it’s important that those deficiencies are brought forward. CSE’s attempt to do so, however, is unsuccessful and does little to cast NSIRA’s actual review into dispute.

There are further items in the review that merit attention. For starters, it’s worth asking whether CSE’s disclosures of Canadian officials’ CII to CSIS may force NSIRA or others to assess whether the disclosures contravened CSIS’ own policies surrounding sensitive sector investigations: did CSE’s disclosures mean that CSIS had access to information in excess of what its own policies authorized it to have and use? Further, in calling into question the appropriateness of decisions reached by the CSE Commissioner, what does this mean given that the same individual who was the CSE Commissioner now occupies the role of the Intelligence Commissioner? And finally, while there are better policies in place to control the disclosure of CII to foreign agencies and clients–likely a result of past publicly reported incidents where CSE unintentionally disclosed information to them–what might NSIRA find when inspecting those policies, today?

Addendum: This post was updated on June 22, 2021 to further clarify that NSIRA assessed all disclosures of CII to all government departments and, also, that the review body found that information that CSE collected or disclosed while assisting CSIS in Section 16 or Section 21 activities was not necessarily kept entirely separate from other CSE-controlled information, with the effect that CSE staff provided non-CSIS departments with CII that was subject to restrictions under their assistance mandate.


  1. CSE, today, is guided by the CSE Act as well as the Privacy Act.