ATIPs

This page includes links to various Access To Information and Privacy (ATIP) requests that I have received or obtained over the past several years. Each link, unless otherwise indicated, is to a locally hosted .pdf of the relevant ATIP. In some cases I indicate what is notable about a given ATIP or the language of the original request and, where possible, dates associated with the released records.

  1. Canadian Security Intelligence Service
  2. Communications Security Establishment (CSE)
  3. Department of National Defence
  4. Employment and Social Development Canada
  5. Global Affairs Canada
  6. Innovation, Science and Economic Development Canada
  7. Offices of the Communications Security Establishment Commissioner
  8. Office of the Privacy Commissioner of Canada
  9. Public Safety Canada
  10. Royal Canadian Mounted Police
  11. Shared Services Canada
  12. Transport Canada
  13. Treasury Board of Canada

Canadian Security Intelligence Service

  • Summaries of the US Senate Report on Examining the U.S. Capitol Attack and the US National Strategy for Countering Domestic Terrorism, and CSIS Considerations. This ATIP includes detailed discussion of sought-after powers for CSIS on page 4. Powers discussed include access to basic subscriber information, sharing classified information with law enforcement agencies, and possessing tools that enable the identification and disruption of IMVE-related threat actors operating online while simultaneously protecting Canadians’ privacy. Dated July 29, 2021.
  • A-2018-997: Documents pertaining to Huawei and/or 5G technology. These documents include, from page 9-13, part of a slide deck that offers an introduction to 5G and its potential benefits; this may be used to understand how decision makers were informed of the capabilities of the technology as it interrelated with the Internet of Things and Artificial Intelligence. 5G was seen as an economic driver and, also, the document (Page 13) indicates that Canada was to begin planning for 6G technologies, with a recognition that Ericsson and Huawei–their Canadian divisions–were seen as leaders for domestic innovation. Dated 2018.
  • A-2018-524: A CSIS Developing Intelligence Issue document that provides brief and broad background on the positions held by opponents against the Trans Mountain Expansion project. Dated 2018.
  • A-2018-421: Documents completed from Jan. 1, 2018 to June 26, 2018 concerning potential threats to the energy industry/pipelines. Of note, on page 6 under ‘what does CSIS investigate?’: activities directed toward undermining the government of Canada by covert unlawful acts – but does not include lawful advocacy, protest or dissent, unless carried on in conjunction with espionage/sabotage/serious acts of politically, religiously or ideologically motivated violence. Dated 2018.
  • A-2018-122: Threats to the Montréal-Pierre Elliot Trudeau International Airport. This document contains a discussion of threats to Pierre-Elliot Trudeau airport. Page 4 notes that the two core threats to the airport include terrorism, as well as espionage/foreign interference. Other than noting a news report (CBC/Radio-Canada article) on detection of IMSI catchers are the airport, all espionage/foreign interference elements are redacted. Dated 2017.
  • A-2017-214: All documents created by the Forbearance Working Group, SGES working group, and forbearance program from Jan. 1 2016 to August 23, 2017. Page 3 notes that a party was making a forbearance request under the SGES on April 26, 2016 and that it was granted on July 25, 2016 (5-6). Page 20 reveals that the party that had previously requested forbearance, once again requested it in/around Feb 23, 2017. Dated 2016-2017.
  • A-2017-138: All documents produced or received by CSIS concerning what would happen to all of the data captured by devices used to intercept data and metadata from mobile devices, or any similar tool for the surveillance of cell phones or tracing tool. Per these documents, CSIS, under guidance from SIRC, was working to “further enhance feedback on the utility of IMSI operations, and based on these findings, that the 2012 internal assessments be updated to help guide the direction of this potentially promising program” (2). Per page 7, and in response to the Federal Court asserting that CSIS could not collect or retain certain technical identifiers indefinitely, the Service established new directions concerning the collection and retention of electronic identifiers. This mean that, as of Feb 13, 2017, CSIS could not use technical measures for the purpose of collecting identifiers under s.12 or s. 16 (though note: still could under s. 21), and that the retained identifiers had to be retroactively destroyed. At least some retained data which had previously been managed per DDO Directive on Long-Term Operational Data Retention, was to no longer be “considered as falling into the category of Potentially Exploitable.” Page 8-15 includes a memo pertaining to CSIS’s targeting procedures. Here, we find that there is a class of activities identified as “General Authority” which do not require a targeting authority, whereas Level 1 and Level 2 operational tools and techniques do require authorization. What is included in those levels is redacted as well as that where foreign states’ information is guiding a decision to potentially engage in targeting, CSIS is required to take into consideration the states’ or agency’s “human rights record … and the specific circumstances under which the information was obtained.” There are special rules for targeting underage individuals. Paged 16-19 includes a directive on long-term operational data retention. This is an updated directive, and adds a third kind of collected information to support the collection of non-warranted imagery and other non-warranted technical information. All data is classified as either Unpublished (that which doesn’t have intelligence value one year after collection and then destroyed, with all data defaulting ot this), Potentially Exploitable Information (which has not be Published but may be operationally relevant and thus kept per CSIS’ retention schedule) and Published (i.e. information which has been included in a report, or any data that is found relevant under s. 13, 15, or 16 of the Act; such data is subject to a formal data retention period). Page 18 explains that retention conditions do not apply to metadata or datasets that are received from a redacted source, save for that which contains solicitor-client privileged material and thus must be dealt with under CSIS’ protocols to determine if the information should be destroyed. Page 22 contains examples to explain retention and notes that if data is subject to two conditions (e.g., potentially exploitable vs published) that the longer of the two states prevails. Dated 2014-2017.
  • A-2017-90: Documents that were produced from March to June 2017 as a result of the CBC allegations on April 3, 2017 pertaining to devices known as Mobile Device Identifiers (MSI), Stingray, IMSI catcher, etc. and their use in Ottawa. On page 26 we learn that the CSIS legal department is looking to confirm/fact check CBC/Radio-Canada story, concerning IMSI Catchers. Otherwise, the released comments largely replicate CSIS ATIPs A-2017-18 and A-2017-19. Dated 2017.
  • A-2017-19: Documents from March 27, 2017 to April 6, 2017 concerning the CBC/Radio-Canada story on MDI devices (IMSI catchers) near Parliament Hill. This ATIP contains nothing of note given that the internal communications have largely been redacted. Dated 2017.
  • A-2017-18: Documents from January 1, 2016-July 20, 2017 concerning the use of MDI devices (IMSI Catchers) by Canadian security agencies. Of note, page 2 makes clear that CSIS is not always required to obtain warrants to use MDIs. On Page 14, CSIS recognises that in determining whether to use techniques like IMSI Catchers, they either rely on authority under S.12 of their Act or in a redacted situation apply for a warrant to the federal court under S.21 of their Act. Page 25 reveals that SIRC contacted CSIS for information following the release of the CBC/Radio-Canada story on IMSI Catchers near Parliament Hill and the Capital Region more generally. Dated 2017.
  • A-2016-331: All records pertaining to research and application in the field of quantum research. This is a pair of research reports, one from 2016 and the other from 2012. The 2016 report is actually written for CSE, and presumably the 2012 report for CSIS. Both are future looking forecasts, with big picture assessments of what technologies or trends might have national security implications in the future. On the whole, the reports are not particularly interesting save for how the agencies might have thought about, or planned for, future changes in society and technology. Dated 2012 and 2016.
  • Government Response to the ODAC Ruling. This 555 page ATIP includes communications following the ODAC federal court ruling. Highlights include the following. There is a transcript of for-background information provided to external CSIS stakeholders post-ODAC decision on pages 108-118. Page 159-172, in reference to the CSE Comissioner’s 2014-2015 report on the CSE, discusses how CSE cannot ascertain how much unredacted Canadian metadata was shared with 5-eyes partners, in contravention of the law (this was done unintentionally per the CSE Commissioner) (171), that FVEY partners were not asked to minimized the shared information b/c it was not believed to be sufficiently contextual to individual Canadians to raise a significant privacy concern (171), and that CSE does not clarify how long this was taking place (171-172). CSIS hold that, with regard to ODAC, “It is impossible to quantify the number of individuals linked to the associated data, much less identify personal data such as citizenship” (192) and that on page 194, “Neither metadata or associated data includes any information that could relate to content.” On page 378, when assessing the SIRC’s review of CSIS’ accessing taxpayer information without warrant, and with insufficient managerial controls, a proposed speaking point to the minister was that under SCISA no warrant would be required in the future. Between pages 398-400, CSIS outlined that ministers had received briefings, or mentions, of ODAC at least 7 times (including one verbal warning), and that while information about the legal basis of ODAC’s operations or associated data hadn’t been explicitly discussed, ODAC itself (insofar as it existed) had been raised. Page 400 includes each time CSIS could determine when a Minister or Deputy Minister had been advised. Page 445 has a sentence beginning “With these principles…”, indicates there are 2-3 major issues with how CSIS has handled the ODAC system, also suggesting that there are potential long-term consequences associated with CSIS’ handling of ODAC. Page 465 includes a discussion of CSIS’ collection of bulk datasets, and the fact that insufficient information existed to guide the lawful collection of ‘referential’ datasets, with the issue being that in at least one cases data was obtained that exceeded referentiality and thus constituted a collection (and would have required a warrant). At the time the assessment was conducted, there was “no evidence to indicate CSIS’s data acquisition program had appropriately considered the threshold of “strictly necessary” as required in the CSIS Act.” Page 467 suggests that CSIS used s.17 to establish a partnership with a foreign agency with which it lacked a formal s.17 arrangement. Broadly, much of the document includes CSIS doing the following: asserting that it needn’t notify the Federal Court regarding associated data and, upon being told that it violated its duty of candour, seeking to avoid blame by pointing to the number of times Ministers were notified, the PIA submitted to the OPC as sufficient to ‘explain’ the program to the Commissioner, etc. So it’s a document that outlines crisis communications and blame deferral. Dated 2016.
  • Project SITKA: Serious Criminality Associated to Large Public Order Events with National Implications. This document was principally created by the RCMP but was released by CSIS under provisions of the Privacy Act and/or Access to Information Act. The report summarizes RCMP intelligence gathering activities that were focused on aboriginal-rights issues, such as land claims, energy projects, and right advocacy. Dated March 16, 2015.
  • CSIS Policy: Conduct of Operations. This policy describes the Service’s stance regarding operations conducted pursuant to its national security mandate under Sections 12, 15, and 16 of the Canadian Security Intelligence Service Act (CSIS Act). It also provides additional principles and requirements that the Service and its employees will adhere to while working to achieve the commitments outlined in this policy. Notable details include a discussion that warrants are coordinated by the Warrant Acquisition Control and Requirements (WACR) unit of the DDO secretariat, which is responsible for reviewing paperwork before it is submitted to the courts. Further, under S. 15, collected data can be used for supporting S. 12 investigations, and where there is no pre-existing S.17 foreign partner agreement to share data, CSIS may share data in emergency situations without first consulting the Minister or Deputy Minister. The Deputy must be informed “as soon as possible”. Finally, “[t]he Service will weigh the need to use intrusive operational tools and techniques against potential damage to civil liberties or the activities of a Canadian Fundamental Institution (CFI). CFIs include, but are not limited to, post-secondary, political, religious and media organizations.” Dated January 10, 2014.
  • A-2012-238: All documents on terrorist and the use of cyberattacks to commit terrorist acts for the period from Nov 9 2010 to Nov 9 2012. On page 9 there is a discussion of Anonymous using SQL injections as part of their hacking tools, and page 11 discusses a proposal in an online jihadist forum to attack SCADA systems. Dated 2011-2012.
  • A-2012-088: Most recent reports concerning terrorism and extremism; foreign espionage and interference; proliferation of WMDs; cyber security and support to Canada’s Northern Strategy. On page 11 we learn that “small number of domestic extremists continue to be associated with issue-based causes such as environmentalism, anti-capitalism, anti-globalization, and far-right racism.” Further, ““Aboriginal communities across Canada remain focused on key issues such as sovereignty and outstanding land claims. At times more radical members of Aboriginal warrior societies advocate violence as a means of drawing attention to these issues.” On pages 12-24, there is a discussion of vulnerable computer systems and the availability of exploit kits, and as well as a note that companies are reticent to disclose intrusions to government authorities. Dated 2011-2012.
  • [Redacted] Data Management Governance Plan. This document outlines the data management and governance of the Operational Data Analysis Centre (ODAC) which is responsible for storing data collected by CSIS for analysis and analytics purposes. it contains broad-level discussions of how governance should function within CSIS that parallels equivalent discussions that would take place in any organization for data analytics purposes. Dated July 2012.
  • A-2011-150: All correspondence exchanged between the Director of CSIS and the Minister of Public Safety between January 1, 2011 and February 8, 2012. This release has a number of noteworthy elements. On page 10 we learn there is, “… a noticeable increase in economic espionage is posing risks to our control over strategic critical infrastructure, and refers to ongoing efforts by some countries to illegally acquire and transfer technology from Canada, especially as it relates to weapons proliferations.” Moreover, “As Canada is one of the most technologically advanced countries in the world, we remain especially vulnerable to cyber threats and attacks” (11). Pages 49-56 provide an update to the rules for CSIS sharing information with foreign partners. Page 52, in particular, notes that in some cases, CSIS may need to share or act on information derived from “mistreatment” (i.e. torture). Pages 97-102 includes an assessment by CSIS of the UK’s Green Paper at the time on the issue of intelligence to evidence. This is presented as a summary of the matters raised in the UK, with some small elements of lesson drawing (e.g., “the liberal democratic state is limited in how far it can reconcile the equally important imperatives of national security and procedural fairness in the administration of justice…the public communications benefit can also be limited, particularly when interlocutors choose to frame the debate in an adversarial manner.” Dated 2011-2012.
  • A-2011-114: All briefing notes to the Director and/or to the Minister concerning “Lawful Access” legislation for the period September 2011 to the present. Cabinet confidences should be excluded. (Includes references to CALEA, Interception standards, and regional interception standards bodies). This memo outlines why the CSIS does not believe that the arguments being made by industry stakeholders about the difficulty and costs of building in interception capabilities are accurate. It argues that the TSPs will not be required to meet any standards and that this is a good thing, because it will provide TSPs with the option of meeting requirements however they see fit. Moreover, there is an assertion that this isn’t all that different from CALEA, though there is no specific rationale as to why that’s the case–the Canadian proposal was in excess of just CALEA-based information. Dated 2011.
  • A-2011-082: All information regarding CSIS involvement with the WikiLeaks Task Force from November 2010 to August 2011. This ATIP release mostly involved internal DFAIT assessments of the documents which were released about cables from Wikileaks. In aggregate, it showcases the number of people who were stood up into a ‘war room’ to assess cables and their potential damage towards Canadian interests, as well as media monitoring for how the Canadian and international media were covering the cables, with specific focus on the Canadian angle. Dated 2010.
  • A-2011-07-04: For the period of 2008 to present. Threat assessments produced by the Integrated Threat Assessment Centre relating to cyber security, cyber threats and cyber incidents including but not limited to malware, bots and other cyber attacks. Page 3 includes an assessment that was created in response to request from Canadian Electricity Association Security and Infrastructure Protection Committee. We learn that, on page 4, insider threats to power generation systems, as opposed to external actors, were seen as the most significant threat. A definition of cyber-terrorism is provided on page 17: “…cyber terrorism is defined as a computer-generated attack against other computers or computer-controlled systems via a communications network … Examples of cyber terrorism include computer hacking introducing viruses to vulnerable networks, web site defacing, denial of service (DoS), and distributed denial of service (DDoS) attacks.” Page 30 includes the definition of a backdoor: “Backdoor: a means of access to a computer and or program that bypasses security mechanisms. A programmer may install a backdoor so that the program can be accessed for means of troubleshooting or other purposes, but an attacker may exploit or use a backdoor to gain unauthorized access to information or install spyware.” Dated 2008-2010.

Communications Security Establishment (CSE)

Department of National Defence

Employment and Social Development Canada

Global Affairs Canada

Innovation, Science and Economic Development Canada

  • A-2019-00451: Records regarding Canada Infrastructure Bank exploring creating a public utility, investing in 5G in urban areas, public Wi-Fi and Next-Generation 9-1-1 services. This short ATIP just includes parts of an email chain that followed from the Logic posting an article about how the Canadian Infrastructure Bank had proposed developing a competing 5G network as a public utility to better serve rural customers. The chain indicates that, by the time that either the news outlet published the article or the participants in the chain had started discussing the issue, the government was believed to have moved past the proposal after setting it aside. Dated 2019.
  • A-2018-00168: This ATIP provides information concerning the 2015-2016 Lawful Access Initiative (LAI) Performance Management Report (PMR) 2015-2016. This ATIP includes points of clarification that ISED posed for Public Safety, with the most interesting elements of the documents coming from the partial disclosure of the LAI PMR. Page 5 refers to Green Report and seems to strike off encryption and data retention, while not striking basic subscriber information (BSI) and intercept-ready networks. Page 12 refers to challenges to obtaining BSI; access laws are listed as those linked with reasonable expectations of privacy, costs to industry, potential secondary uses by industry (unclear what this means), and transparency reporting requirements. Finally, page 16 makes reference to the challenges to obtaining intercept-ready networks, and includes public optics, initial infrastructure costs, ongoing maintenance costs, regulatory inflexibility, potential impacts on small providers, transparency reporting by industry and government, and bundling with other initiatives. It also refers to “Plan B” without greater explanation.
  • A-2018-00073: Examination of IMSI catcher and mobile device identifier devices (January 1, 2012 to April 24, 2018). The ATIP begins with an extensive report from Communications Research Centre Canada, titled “Technical Study on Privacy in Wireless Networks”. This 2014 study does a good job summarizing high level how wireless networks operate and associated privacy concerns. Items of note include that, on page 4, there isn’t a single thing to resolve privacy issues and, instead, a range of things must be done including work with providers, establish privacy metrics with industry players, work to steer international standards, and make sure CRC is available for relevant consultations. Of note, at the time of writing CRC was of the opinion that “… Canada’s wireless privacy is comparable with the US and behind Western Europe” (30). Page 31 moves to discuss the risks of IMSI Catchers and ease at which mobile communications can be intercepted using “recipes” from the public Internet with pages 38-39 continuing by noting that even on LTE you can obtain the IMSI, and that encryption isn’t a guaranteed to be implemented and thus must be tested to confirm transmission security. Page 40 discusses the possible ability to evade detection of using an IMSI catcher by actively compelling devices to attach to fake base station, which is using international (i.e. not licensed) spectrum. Pages 58-61 include a sample Harris Corp confidentiality contract. Page 90 notes that a company in the UK, Smith Myers Communication, sells an IMSI catcher that is referred to “the Artemis System”, and how it doesn’t interfere with emergency calls of non-targets, and can target mobile and non-mobile communications. It is an aerial system with a range of up to 25km and does not interfere with cellular networks. These were intended for Search and Rescue operations. Later in the ATIP, on pages 160-164, we see the RCMP’s draft 2016 policy for IMSI catchers/MDI devices and page 166 notes that the RCMP, at the time, had different policies for what warrants it used to obtain authorizations; sometimes they used a transmission data recorder order, in others a general warrant. Dated 2014-2017.
  • A-2017-01408: This ATIP includes information from ISED to the RCMP (and other agencies) concerning authorizations to the RCMP technical branch for the use of IMSI Catchers. Of note, this ATIP makes clear that the RCMP, OPP, Calgary Police, Winnipeg Police, all receive authorizations. Dated 2017.
  • A-2017-01164: Documents written by Huawei Canada that reference the 3.5 GHz spectrum, between May 1, 2017 and November 1, 2017. This set of documents is merely a briefing deck from Huawei about the uses of, and benefits of, 5G for everything from smart cities, to remote surgery and factory automation, to driving, as well as some of the standards work at 3GPP that are ongoing. Dated 2016.
  • A-2017-00632: 2014-2015 Lawful Access Initiative Report. One page 5 it discuses that the partners in the lawful access initiative include: CSIS, CSE, DoJ, ISED, Public Prosecution Service of Canada, PSC, and RCMP, and page 6 asserts that the limited funds through LAI are insufficient to address operational requirements. Moving forward to page 46, the ATIP documents note that the CSE is responsible for actual cryptographic techniques and decryption efforts pertaining to communications, though a number of earlier categories indicate tracking of how often materials are inaccessible to CSIS/LEAs. Dated 2016.
  • A-2017-00043: CBC or Radio-Canada story on MDI devices AKA IMSI catchers near Parliament Hill, March 27 – April 6, 2017. Page 1 discusses false positive, and potential to get the Certification and Engineering Bureau in ISED to evaluate IMSI Catcher detectors, “…even if only to debunk false positives reported in the media.” Dated 2017.

Offices of the Communications Security Establishment Commissioner

Office of the Privacy Commissioner of Canada

Public Safety Canada

Royal Canadian Mounted Police

Shared Services Canada

  • A-2012-00049: Investment Canada Act and Foreign Takeover of Blackberry. This ATIP pertains to the Government of Canada’s Investment Canada Act, and the conditions under which Canada might reject a foreign takeover of RIM/Blackberry. Page 4 notes that ICA review takes place when a non-Canadian wishes to acquire control of an asset valued at $330 million (CAD) or more and page 34 includes the Minister’s briefing notes for discussion with new RIM CEO. These notes include a discussion concerning export controls/cryptography, though it’s not clear what, specifically, they spoke about beyond “administrative changes” by DFAIT. Dated December 2011 – March 2012.

Transport Canada

  • A-2012-00008: Issuance of UAV Licenses and Draft UAV Issue Paper. This ATIP contains answers to a reporter’s questions concerning the number of SFOCs that were issued (293 applicants and for approximately 1, 000 UAVs), media lines explaining relevant laws governing UAVs in Canadian airspace, training requirements, and recognition that LEAs can use drones “provided they comply with Transport Canada regulations and obtain the required SFOC” (13). Page 16 also details the number of SFOC applications that were rejected by region. The Issue Paper (pages 22-26) outline considerations for establishing restricted airspace for UAVs, as well as recommendations; many of these recommendations include ‘TBD’, which is indicative of the early stage of the government’s regulation of UAVs. Dated 2011-2012.

Treasury Board of Canada

  • Cabinet Committee on Priorities and Planning, June 8, 2010. This document outlines the business need and rationale for Treasure Board to approve funding enterprise communications and infrastructure upgrades for CSIS’ foreign stations communications. It is suggested that the Minister approves the dispensation of funds. Dated June 8, 2010.