ATIPs

This page includes links to various Access To Information and Privacy (ATIP) requests that I have received or obtained over the past several years. Each link, unless otherwise indicated, is to a locally hosted .pdf of the relevant ATIP. In some cases I indicate what is notable about a given ATIP or the language of the original request and, where possible, dates associated with the released records.

  1. Canadian Security Intelligence Service
  2. Communications Security Establishment (CSE)
  3. Department of National Defence
  4. Global Affairs Canada
  5. Public Safety Canada
  6. Royal Canadian Mounted Police
  7. Shared Services Canada
  8. Treasury Board of Canada

Canadian Security Intelligence Service

  • Summaries of the US Senate Report on Examining the U.S. Capitol Attack and the US National Strategy for Countering Domestic Terrorism, and CSIS Considerations. This ATIP includes detailed discussion of sought-after powers for CSIS on page 4. Dated July 29, 2021.
  • Project SITKA: Serious Criminality Associated to Large Public Order Events with National Implications. This document was principally created by the RCMP but was released by CSIS under provisions of the Privacy Act and/or Access to Information Act. The report summarizes RCMP intelligence gathering activities that were focused on aboriginal-rights issues, such as land claims, energy projects, and right advocacy. Dated March 16, 2015.
  • CSIS Policy: Conduct of Operations. This policy describes the Service’s stance regarding operations conducted pursuant to its national security mandate under Sections 12, 15, and 16 of the Canadian Security Intelligence Service Act (CSIS Act). It also provides additional principles and requirements that the Service and its employees will adhere to while working to achieve the commitments outlined in this policy. Notable details include a discussion that warrants are coordinated by the Warrant Acquisition Control and Requirements (WACR) unit of the DDO secretariat, which is responsible for reviewing paperwork before it is submitted to the courts. Further, under S. 15, collected data can be used for supporting S. 12 investigations, and where there is no pre-existing S.17 foreign partner agreement to share data, CSIS may share data in emergency situations without first consulting the Minister or Deputy Minister. The Deputy must be informed “as soon as possible”. Finally, “[t]he Service will weigh the need to use intrusive operational tools and techniques against potential damage to civil liberties or the activities of a Canadian Fundamental Institution (CFI). CFIs include, but are not limited to, post-secondary, political, religious and media organizations.” Dated January 10, 2014.
  • [Redacted] Data Management Governance Plan. This document outlines the data management and governance of the Operational Data Analysis Centre (ODAC) which is responsible for storing data collected by CSIS for analysis and analytics purposes. it contains broad-level discussions of how governance should function within CSIS that parallels equivalent discussions that would take place in any organization for data analytics purposes. Dated July 2012.

Communications Security Establishment (CSE)

  • A-2019-00040: Cyber Defence Activities MA 2nd Semi-Annual Report 2018/19. This ATIP pertains to private communications (PCs) that were retained by the CSE in the course of undertaking defensive elements of its mandate. It makes clear CSE adopts an analyst-based approach to identifying PCs (and redacted how many PCs were collected) and that, due to a new method, there were fewer identified. Of note, communications which were “intentionally malicious” were not counted as PCs. Dated August 2019.
  • A-2019-00033: Directions for Data Science at CSE. This ATIP concerns data science activities that are being undertaken at the CSE, with all information being about the Tutte Institute or Applied Research at the CSE. Topics include the skills that are needed for data science at the CSE, a slide deck on what is data science/machine learning, and a discussion on page 72 that the Tutte Institute undertakes strategic research whereas the CSE undertakes applies research. Dated 2018.
  • A-2019-00025: Memorandum to the Minister of National Defence–Notification of Cyber Defence Defence Activities at [Redacted]. This ATIP concerns requests to the CSE to provide federal institutions with services under part B of the CSE’s mandate. It includes a letter from an unnamed agency requesting cyber defence services (note: this does not indicate defensive cyber operations, but cyber security services). The party responsible for this defensive work was the Director Autonomous Defence and Sensors at the Cyber Centre. Dated May-June 2019.
  • A-2019-00020: Social Media/WeChat Guidance. This ATIP addresses questions put to CSE about whether, and if so under what conditions, MPs should use WeChat. Page 26 includes a discussion of communications in the CSE, about the PMO asking for a sense of the kind(s) of advice that CSE would provide to MPs on using WeChat. This is in reaction to (page 27) a note that “…parties are encouraging the use of WeChat in their campaigning” to which an individual (presumably within CSE) responded with “Just heard about this … thought it was a joke. Thanks for flagging.” Dated June-July 2019.
  • A-2018-903: 2017 Security Review Program report and Public Safety Media Clippings. Pages 1-17 are highly redacted but indicate that telecommunications systems (likely those associated with Huawei) are subject to a review though no company is named. Material is from Fall of 2018.
  • A-2018-00041: Supply Chain Integrity. This is a slide deck prepared about supply chain integrity, with page 7 revealing the number of requests from SSC to the CSE about supply chain requests. In 2014-15 there were 449, 2015-16 were 704, 2016-17 were 868, and in 2017-2018 were 746. Dated late 2017 or 2018.
  • A-2018-00040: PIAs concerning SIMON (used to disseminate, retain and dispose of personal information for the purposes of personnel screening) as well as its Key Management Infrastructure. SIMON is used by the CSE’s Corporate Security Directorate (CSD) to both record information about personnel who have been screened as well as control access to SIGINT materials and, on page 8, the document notes it is used to track accesses managed by other organizations, and specifically refers to National Defence as TALENT KEYHOLE (TK). Page 45 reveals that Canadian Top Secret Network (CTSN) was formally known as MANDRAKE. Dated 2016-2017.
  • A-2017-00077: C-59 Briefing Binder. This ATIP includes the formal unclassified briefing binder associated with C-59, the Charter Statement associated with the legislation, and specific examples of how the different elements of the CSE’s mandate might be exercise (e.g., what was entailed in FORINT, Information Assurance, Assistance, and Active or Defensive Cyber Operations). Dated November 2017.
  • A-2017-00026: Briefing Note for Minister of DND-Response to the CSE Commissioner’s Review of CSE Cyber Defence Metadata Activities. This document includes a description of how CSE’s cyber threat detect systems operate, including that it extracts some metadata and content from communications and that such activities do not constitute bulk unselected collection. The collection of malicious code of social engineering prompts is treated by CSE as private communications at the time of writing. Dated February 2017.
  • A-2015-00037: CSEC 2015 Report. This provides high-level summaries of CSE’s vision, mission, principles, and priorities. It contains extensive redactions, with information remaining addressing the new building CSE staff would be moving into, plans to generally strengthen the staff at CSE (e.g., by improving “transparency and accountability for decision making at CSEC within a renewed governance framework and improved resource management tools”), and ensure that by 2015 “cyber defence operations will fit seamlessly within the extended cryptologic enterprise, and ITS, SIGINT domestic and Five Eyes partners will continually share information critical to the protection of government systems.” Finally it is of note that CSE recognizes it had “delivered valued technology support to and strengthened partnerships with national security agencies and law enforcement” and that CSE was working “tirelessly” to secure additional funding for the CSE’s new building.
  • A-2015-00037: Everything You Never Wanted To Know About ATIP (Part 1 and Part 2). This document provides a detailed explanation to CSE employees about the rules and laws surrounding ATIP legislation. It includes a warning that CSE staff should be careful to manage information, including deleting transitory information once it is no longer required while preserving official documents. It, also, explains how to handle information under CSE’s control but which might have originated from another government (e.g., USA and NSA) or agency (e.g. Department of Justice). CSE employees are advised that, if they have a concern that an ATIP request relates to a security breach that they “speak with the ATIP Analyst identified in the ATIP request” who can, then, but the concern to the “attention of the Minister’s senior delegated officials […] for consideration.” These officials “are authorized to know the identity of the requestor.” Notably, in at least some cases “very motivated requestors are willing to pay over a million dollars in additional fees for the records they originally requested.” Dated after April 1, 2014.
  • Memo Regarding Updated Collection and Use of Metadata Ministerial Directive. This document explains how Ministerial Directives operate and also denote the number of Ministerial Authorizations being sought (1 SIGINT for supporting Canadian troops in Afghanistan, 1 SIGNT linked with CSE interception activities, and 2 SIGINT MAs for undisclosed interception activities.” Among the seven Ministerial Directives, there was one for assistance to federal law enforcement and security agencies, which updated a 2001 MD, and another on the Collection and Use of Metadata, which updated a 2005 MD on the same topic. There was no information bout other MDs. Dated 2011.
  • A-2012-00397: Supply Chain Threats to Canada. This highly-redacted document indicates that CSE was mindful of supply chain threats, and multiple slides in the deck discuss threats or risks associated with Huawei technologies. At the time the briefing was prepared IT security requirements were not frequently included in procurement processes which made it difficult for the government to protect information and services; proactively the government was working with PWGSC to finalize its IT security contract clauses with CSE, as well as developing recommendations for inclusion in all It contracts with the government of Canada. Dated May 2012.
  • Quantum Computing from an IT Security Perspective. This 1-page ATIP provides a high-level description of Quantum Computing. It notes that its academic partnerships have “focused on University of Waterloo’s Institute for Quantum Computing (IQC).” Undated.
  • A-2011-00637: IT Security Bulletins. This sequence of bulletins provide information about government policy for the protection of Classified information, the security of PIN-to-PIN Blackberry messaging, guidance for the communication security of SECRET information, as well as a McAfee report that references Government of Canada victims of a hacking campaign and a discussion of best practices concerning emergency management notification systems. Dated March – September 2011.
  • A-2011-00763: OPS-5-1 Operational Use of the Internet. This highly redacted document discusses Internet activities and associated risks, as well as best practices and definitions. The concluding annexes outline which systems can be used for which activities, as well as the matrix of approves systems vs kinds of Internet activity. Dated January 2005.
  • A-2011-00969: Definitions. This document provides definitions for critical information, such as what constitutes a Canadian person, Target, the Global Information Infrastructure, and more. Dated March 2003.

Department of National Defence

  • A-2022-00081: MND Cyber Playbook–A DND/CAF Perspective. This ATIP (French and English) provides a high-level overview of how DND/CAF looks at cyber, with attention to deterrence, collaboration, coordination across government, and workforce development as essential to advancing DND/Canadian interests.
  • A-2013-00910: Event Approval for NATO Cyber Defence Capability Team (CD CaT). This document requests permission to send one individual to represent Canadian interests at the NATO Cyber Task Force from June 30-July 5, 2013. Not participating was seen as damaging given Canada’s past contributions and Canada operating as the lead nation in another NATO Cyber Defence Initiative (the Multi National Cyber Defence Capability Project). Dated May 13, 2013.

Global Affairs Canada

Public Safety Canada

Royal Canadian Mounted Police

  • Encryption and Law Enforcement. Discusses risks of ‘going dark’ due to encryption and how the RCMP was developing a study meant to identify challenges posed by encryption and, also, efforts with Five Eyes partners to work collectively to increase their “collective clout when engaging with TSPs, industry, and privacy-related academics” which was seen as important “given the challenges associated with developing a legislative or regulatory solution.” Dated February 2016.

Shared Services Canada

  • A-2012-00049: Investment Canada Act and Foreign Takeover of Blackberry. This ATIP pertains to the Government of Canada’s Investment Canada Act, and the conditions under which Canada might reject a foreign takeover of RIM/Blackberry. Page 4 notes that ICA review takes place when a non-Canadian wishes to acquire control of an asset valued at $330 million (CAD) or more and page 34 includes the Minister’s briefing notes for discussion with new RIM CEO. These notes include a discussion concerning export controls/cryptography, though it’s not clear what, specifically, they spoke about beyond “administrative changes” by DFAIT. Dated December 2011 – March 2012.

Treasury Board of Canada

  • Cabinet Committee on Priorities and Planning, June 8, 2010. This document outlines the business need and rationale for Treasure Board to approve funding enterprise communications and infrastructure upgrades for CSIS’ foreign stations communications. It is suggested that the Minister approves the dispensation of funds. Dated June 8, 2010.