This page includes links to various Access To Information and Privacy (ATIP) requests that I have received or obtained over the past several years. Each link, unless otherwise indicated, is to a locally hosted .pdf of the relevant ATIP. In some cases I indicate what is notable about a given ATIP or the language of the original request and, where possible, dates associated with the released records.
- Canadian Security Intelligence Service
- Communications Security Establishment (CSE)
- Department of National Defence
- Employment and Social Development Canada
- Global Affairs Canada
- Innovation, Science and Economic Development Canada
- Offices of the Communications Security Establishment Commissioner
- Office of the Privacy Commissioner of Canada
- Public Safety Canada
- Royal Canadian Mounted Police
- Shared Services Canada
- Transport Canada
- Treasury Board of Canada
Canadian Security Intelligence Service
- Summaries of the US Senate Report on Examining the U.S. Capitol Attack and the US National Strategy for Countering Domestic Terrorism, and CSIS Considerations. This ATIP includes detailed discussion of sought-after powers for CSIS on page 4. Powers discussed include access to basic subscriber information, sharing classified information with law enforcement agencies, and possessing tools that enable the identification and disruption of IMVE-related threat actors operating online while simultaneously protecting Canadians’ privacy. Dated July 29, 2021.
- A-2018-997: Documents pertaining to Huawei and/or 5G technology. These documents include, from page 9-13, part of a slide deck that offers an introduction to 5G and its potential benefits; this may be used to understand how decision makers were informed of the capabilities of the technology as it interrelated with the Internet of Things and Artificial Intelligence. 5G was seen as an economic driver and, also, the document (Page 13) indicates that Canada was to begin planning for 6G technologies, with a recognition that Ericsson and Huawei–their Canadian divisions–were seen as leaders for domestic innovation. Dated 2018.
- A-2018-524: A CSIS Developing Intelligence Issue document that provides brief and broad background on the positions held by opponents against the Trans Mountain Expansion project. Dated 2018.
- A-2018-421: Documents completed from Jan. 1, 2018 to June 26, 2018 concerning potential threats to the energy industry/pipelines. Of note, on page 6 under ‘what does CSIS investigate?’: activities directed toward undermining the government of Canada by covert unlawful acts – but does not include lawful advocacy, protest or dissent, unless carried on in conjunction with espionage/sabotage/serious acts of politically, religiously or ideologically motivated violence. Dated 2018.
- A-2018-122: Threats to the Montréal-Pierre Elliot Trudeau International Airport. This document contains a discussion of threats to Pierre-Elliot Trudeau airport. Page 4 notes that the two core threats to the airport include terrorism, as well as espionage/foreign interference. Other than noting a news report (CBC/Radio-Canada article) on detection of IMSI catchers are the airport, all espionage/foreign interference elements are redacted. Dated 2017.
- A-2017-214: All documents created by the Forbearance Working Group, SGES working group, and forbearance program from Jan. 1 2016 to August 23, 2017. Page 3 notes that a party was making a forbearance request under the SGES on April 26, 2016 and that it was granted on July 25, 2016 (5-6). Page 20 reveals that the party that had previously requested forbearance, once again requested it in/around Feb 23, 2017. Dated 2016-2017.
- A-2017-138: All documents produced or received by CSIS concerning what would happen to all of the data captured by devices used to intercept data and metadata from mobile devices, or any similar tool for the surveillance of cell phones or tracing tool. Per these documents, CSIS, under guidance from SIRC, was working to “further enhance feedback on the utility of IMSI operations, and based on these findings, that the 2012 internal assessments be updated to help guide the direction of this potentially promising program” (2). Per page 7, and in response to the Federal Court asserting that CSIS could not collect or retain certain technical identifiers indefinitely, the Service established new directions concerning the collection and retention of electronic identifiers. This mean that, as of Feb 13, 2017, CSIS could not use technical measures for the purpose of collecting identifiers under s.12 or s. 16 (though note: still could under s. 21), and that the retained identifiers had to be retroactively destroyed. At least some retained data which had previously been managed per DDO Directive on Long-Term Operational Data Retention, was to no longer be “considered as falling into the category of Potentially Exploitable.” Page 8-15 includes a memo pertaining to CSIS’s targeting procedures. Here, we find that there is a class of activities identified as “General Authority” which do not require a targeting authority, whereas Level 1 and Level 2 operational tools and techniques do require authorization. What is included in those levels is redacted as well as that where foreign states’ information is guiding a decision to potentially engage in targeting, CSIS is required to take into consideration the states’ or agency’s “human rights record … and the specific circumstances under which the information was obtained.” There are special rules for targeting underage individuals. Paged 16-19 includes a directive on long-term operational data retention. This is an updated directive, and adds a third kind of collected information to support the collection of non-warranted imagery and other non-warranted technical information. All data is classified as either Unpublished (that which doesn’t have intelligence value one year after collection and then destroyed, with all data defaulting ot this), Potentially Exploitable Information (which has not be Published but may be operationally relevant and thus kept per CSIS’ retention schedule) and Published (i.e. information which has been included in a report, or any data that is found relevant under s. 13, 15, or 16 of the Act; such data is subject to a formal data retention period). Page 18 explains that retention conditions do not apply to metadata or datasets that are received from a redacted source, save for that which contains solicitor-client privileged material and thus must be dealt with under CSIS’ protocols to determine if the information should be destroyed. Page 22 contains examples to explain retention and notes that if data is subject to two conditions (e.g., potentially exploitable vs published) that the longer of the two states prevails. Dated 2014-2017.
- A-2017-90: Documents that were produced from March to June 2017 as a result of the CBC allegations on April 3, 2017 pertaining to devices known as Mobile Device Identifiers (MSI), Stingray, IMSI catcher, etc. and their use in Ottawa. On page 26 we learn that the CSIS legal department is looking to confirm/fact check CBC/Radio-Canada story, concerning IMSI Catchers. Otherwise, the released comments largely replicate CSIS ATIPs A-2017-18 and A-2017-19. Dated 2017.
- A-2017-19: Documents from March 27, 2017 to April 6, 2017 concerning the CBC/Radio-Canada story on MDI devices (IMSI catchers) near Parliament Hill. This ATIP contains nothing of note given that the internal communications have largely been redacted. Dated 2017.
- A-2017-18: Documents from January 1, 2016-July 20, 2017 concerning the use of MDI devices (IMSI Catchers) by Canadian security agencies. Of note, page 2 makes clear that CSIS is not always required to obtain warrants to use MDIs. On Page 14, CSIS recognises that in determining whether to use techniques like IMSI Catchers, they either rely on authority under S.12 of their Act or in a redacted situation apply for a warrant to the federal court under S.21 of their Act. Page 25 reveals that SIRC contacted CSIS for information following the release of the CBC/Radio-Canada story on IMSI Catchers near Parliament Hill and the Capital Region more generally. Dated 2017.
- A-2016-331: All records pertaining to research and application in the field of quantum research. This is a pair of research reports, one from 2016 and the other from 2012. The 2016 report is actually written for CSE, and presumably the 2012 report for CSIS. Both are future looking forecasts, with big picture assessments of what technologies or trends might have national security implications in the future. On the whole, the reports are not particularly interesting save for how the agencies might have thought about, or planned for, future changes in society and technology. Dated 2012 and 2016.
- Government Response to the ODAC Ruling. This 555 page ATIP includes communications following the ODAC federal court ruling. Highlights include the following. There is a transcript of for-background information provided to external CSIS stakeholders post-ODAC decision on pages 108-118. Page 159-172, in reference to the CSE Comissioner’s 2014-2015 report on the CSE, discusses how CSE cannot ascertain how much unredacted Canadian metadata was shared with 5-eyes partners, in contravention of the law (this was done unintentionally per the CSE Commissioner) (171), that FVEY partners were not asked to minimized the shared information b/c it was not believed to be sufficiently contextual to individual Canadians to raise a significant privacy concern (171), and that CSE does not clarify how long this was taking place (171-172). CSIS hold that, with regard to ODAC, “It is impossible to quantify the number of individuals linked to the associated data, much less identify personal data such as citizenship” (192) and that on page 194, “Neither metadata or associated data includes any information that could relate to content.” On page 378, when assessing the SIRC’s review of CSIS’ accessing taxpayer information without warrant, and with insufficient managerial controls, a proposed speaking point to the minister was that under SCISA no warrant would be required in the future. Between pages 398-400, CSIS outlined that ministers had received briefings, or mentions, of ODAC at least 7 times (including one verbal warning), and that while information about the legal basis of ODAC’s operations or associated data hadn’t been explicitly discussed, ODAC itself (insofar as it existed) had been raised. Page 400 includes each time CSIS could determine when a Minister or Deputy Minister had been advised. Page 445 has a sentence beginning “With these principles…”, indicates there are 2-3 major issues with how CSIS has handled the ODAC system, also suggesting that there are potential long-term consequences associated with CSIS’ handling of ODAC. Page 465 includes a discussion of CSIS’ collection of bulk datasets, and the fact that insufficient information existed to guide the lawful collection of ‘referential’ datasets, with the issue being that in at least one cases data was obtained that exceeded referentiality and thus constituted a collection (and would have required a warrant). At the time the assessment was conducted, there was “no evidence to indicate CSIS’s data acquisition program had appropriately considered the threshold of “strictly necessary” as required in the CSIS Act.” Page 467 suggests that CSIS used s.17 to establish a partnership with a foreign agency with which it lacked a formal s.17 arrangement. Broadly, much of the document includes CSIS doing the following: asserting that it needn’t notify the Federal Court regarding associated data and, upon being told that it violated its duty of candour, seeking to avoid blame by pointing to the number of times Ministers were notified, the PIA submitted to the OPC as sufficient to ‘explain’ the program to the Commissioner, etc. So it’s a document that outlines crisis communications and blame deferral. Dated 2016.
- Project SITKA: Serious Criminality Associated to Large Public Order Events with National Implications. This document was principally created by the RCMP but was released by CSIS under provisions of the Privacy Act and/or Access to Information Act. The report summarizes RCMP intelligence gathering activities that were focused on aboriginal-rights issues, such as land claims, energy projects, and right advocacy. Dated March 16, 2015.
- CSIS Policy: Conduct of Operations. This policy describes the Service’s stance regarding operations conducted pursuant to its national security mandate under Sections 12, 15, and 16 of the Canadian Security Intelligence Service Act (CSIS Act). It also provides additional principles and requirements that the Service and its employees will adhere to while working to achieve the commitments outlined in this policy. Notable details include a discussion that warrants are coordinated by the Warrant Acquisition Control and Requirements (WACR) unit of the DDO secretariat, which is responsible for reviewing paperwork before it is submitted to the courts. Further, under S. 15, collected data can be used for supporting S. 12 investigations, and where there is no pre-existing S.17 foreign partner agreement to share data, CSIS may share data in emergency situations without first consulting the Minister or Deputy Minister. The Deputy must be informed “as soon as possible”. Finally, “[t]he Service will weigh the need to use intrusive operational tools and techniques against potential damage to civil liberties or the activities of a Canadian Fundamental Institution (CFI). CFIs include, but are not limited to, post-secondary, political, religious and media organizations.” Dated January 10, 2014.
- A-2012-238: All documents on terrorist and the use of cyberattacks to commit terrorist acts for the period from Nov 9 2010 to Nov 9 2012. On page 9 there is a discussion of Anonymous using SQL injections as part of their hacking tools, and page 11 discusses a proposal in an online jihadist forum to attack SCADA systems. Dated 2011-2012.
- A-2012-088: Most recent reports concerning terrorism and extremism; foreign espionage and interference; proliferation of WMDs; cyber security and support to Canada’s Northern Strategy. On page 11 we learn that “small number of domestic extremists continue to be associated with issue-based causes such as environmentalism, anti-capitalism, anti-globalization, and far-right racism.” Further, ““Aboriginal communities across Canada remain focused on key issues such as sovereignty and outstanding land claims. At times more radical members of Aboriginal warrior societies advocate violence as a means of drawing attention to these issues.” On pages 12-24, there is a discussion of vulnerable computer systems and the availability of exploit kits, and as well as a note that companies are reticent to disclose intrusions to government authorities. Dated 2011-2012.
- [Redacted] Data Management Governance Plan. This document outlines the data management and governance of the Operational Data Analysis Centre (ODAC) which is responsible for storing data collected by CSIS for analysis and analytics purposes. it contains broad-level discussions of how governance should function within CSIS that parallels equivalent discussions that would take place in any organization for data analytics purposes. Dated July 2012.
- A-2011-150: All correspondence exchanged between the Director of CSIS and the Minister of Public Safety between January 1, 2011 and February 8, 2012. This release has a number of noteworthy elements. On page 10 we learn there is, “… a noticeable increase in economic espionage is posing risks to our control over strategic critical infrastructure, and refers to ongoing efforts by some countries to illegally acquire and transfer technology from Canada, especially as it relates to weapons proliferations.” Moreover, “As Canada is one of the most technologically advanced countries in the world, we remain especially vulnerable to cyber threats and attacks” (11). Pages 49-56 provide an update to the rules for CSIS sharing information with foreign partners. Page 52, in particular, notes that in some cases, CSIS may need to share or act on information derived from “mistreatment” (i.e. torture). Pages 97-102 includes an assessment by CSIS of the UK’s Green Paper at the time on the issue of intelligence to evidence. This is presented as a summary of the matters raised in the UK, with some small elements of lesson drawing (e.g., “the liberal democratic state is limited in how far it can reconcile the equally important imperatives of national security and procedural fairness in the administration of justice…the public communications benefit can also be limited, particularly when interlocutors choose to frame the debate in an adversarial manner.” Dated 2011-2012.
- A-2011-114: All briefing notes to the Director and/or to the Minister concerning “Lawful Access” legislation for the period September 2011 to the present. Cabinet confidences should be excluded. (Includes references to CALEA, Interception standards, and regional interception standards bodies). This memo outlines why the CSIS does not believe that the arguments being made by industry stakeholders about the difficulty and costs of building in interception capabilities are accurate. It argues that the TSPs will not be required to meet any standards and that this is a good thing, because it will provide TSPs with the option of meeting requirements however they see fit. Moreover, there is an assertion that this isn’t all that different from CALEA, though there is no specific rationale as to why that’s the case–the Canadian proposal was in excess of just CALEA-based information. Dated 2011.
- A-2011-082: All information regarding CSIS involvement with the WikiLeaks Task Force from November 2010 to August 2011. This ATIP release mostly involved internal DFAIT assessments of the documents which were released about cables from Wikileaks. In aggregate, it showcases the number of people who were stood up into a ‘war room’ to assess cables and their potential damage towards Canadian interests, as well as media monitoring for how the Canadian and international media were covering the cables, with specific focus on the Canadian angle. Dated 2010.
- A-2011-07-04: For the period of 2008 to present. Threat assessments produced by the Integrated Threat Assessment Centre relating to cyber security, cyber threats and cyber incidents including but not limited to malware, bots and other cyber attacks. Page 3 includes an assessment that was created in response to request from Canadian Electricity Association Security and Infrastructure Protection Committee. We learn that, on page 4, insider threats to power generation systems, as opposed to external actors, were seen as the most significant threat. A definition of cyber-terrorism is provided on page 17: “…cyber terrorism is defined as a computer-generated attack against other computers or computer-controlled systems via a communications network … Examples of cyber terrorism include computer hacking introducing viruses to vulnerable networks, web site defacing, denial of service (DoS), and distributed denial of service (DDoS) attacks.” Page 30 includes the definition of a backdoor: “Backdoor: a means of access to a computer and or program that bypasses security mechanisms. A programmer may install a backdoor so that the program can be accessed for means of troubleshooting or other purposes, but an attacker may exploit or use a backdoor to gain unauthorized access to information or install spyware.” Dated 2008-2010.
Communications Security Establishment (CSE)
- A-2019-00040: Cyber Defence Activities MA 2nd Semi-Annual Report 2018/19. This ATIP pertains to private communications (PCs) that were retained by the CSE in the course of undertaking defensive elements of its mandate. It makes clear CSE adopts an analyst-based approach to identifying PCs (and redacted how many PCs were collected) and that, due to a new method, there were fewer identified. Of note, communications which were “intentionally malicious” were not counted as PCs. Dated August 2019.
- A-2019-00033: Directions for Data Science at CSE. This ATIP concerns data science activities that are being undertaken at the CSE, with all information being about the Tutte Institute or Applied Research at the CSE. Topics include the skills that are needed for data science at the CSE, a slide deck on what is data science/machine learning, and a discussion on page 72 that the Tutte Institute undertakes strategic research whereas the CSE undertakes applies research. Dated 2018.
- A-2019-00025: Memorandum to the Minister of National Defence–Notification of Cyber Defence Defence Activities at [Redacted]. This ATIP concerns requests to the CSE to provide federal institutions with services under part B of the CSE’s mandate. It includes a letter from an unnamed agency requesting cyber defence services (note: this does not indicate defensive cyber operations, but cyber security services). The party responsible for this defensive work was the Director Autonomous Defence and Sensors at the Cyber Centre. Dated May-June 2019.
- A-2019-00020: Social Media/WeChat Guidance. This ATIP addresses questions put to CSE about whether, and if so under what conditions, MPs should use WeChat. Page 26 includes a discussion of communications in the CSE, about the PMO asking for a sense of the kind(s) of advice that CSE would provide to MPs on using WeChat. This is in reaction to (page 27) a note that “…parties are encouraging the use of WeChat in their campaigning” to which an individual (presumably within CSE) responded with “Just heard about this … thought it was a joke. Thanks for flagging.” Dated June-July 2019.
- A-2018-903: 2017 Security Review Program report and Public Safety Media Clippings. Pages 1-17 are highly redacted but indicate that telecommunications systems (likely those associated with Huawei) are subject to a review though no company is named. Material is from Fall of 2018.
- A-2018-00041: Supply Chain Integrity. This is a slide deck prepared about supply chain integrity, with page 7 revealing the number of requests from SSC to the CSE about supply chain requests. In 2014-15 there were 449, 2015-16 were 704, 2016-17 were 868, and in 2017-2018 were 746. Dated late 2017 or 2018.
- A-2018-00040: PIAs concerning SIMON (used to disseminate, retain and dispose of personal information for the purposes of personnel screening) as well as its Key Management Infrastructure. SIMON is used by the CSE’s Corporate Security Directorate (CSD) to both record information about personnel who have been screened as well as control access to SIGINT materials and, on page 8, the document notes it is used to track accesses managed by other organizations, and specifically refers to National Defence as TALENT KEYHOLE (TK). Page 45 reveals that Canadian Top Secret Network (CTSN) was formally known as MANDRAKE. Dated 2016-2017.
- A-2018-00030: Response to CSE Commissioner’s Annual Review of the CSE Privacy Incidents File, Second Party Incidents File, and Minor Procedural Errors File. This ATIP discusses various errors made by the CSE over the course of the reviewed period. Of the 10 MPEFs, one led to a collection system collecting information that included Canadian-to-Canadian communications, though no information was collected before the problem was identified and rectified. In each of the 33 SPIF errors the CSE made requests to rectify the error, which sometimes arose as a result of the second party not appreciating Canadian policies. Some second parties received remedial education on Canadian policies but it is unclear whether this included all second parties or not. Page 6 reveals there were 48 PIFs, though none were material. In at least one case an employee untook an action that was “contrary to CSE policy” and that CSE’s response was “adequate”. In another instance, a collection tool caused Canadian person information to be collected into CSE repositories, though this appears to have been “satisfactorily identified and corrected.” Page 8 clarifies that the reviews undertaken by the CSE commissioner are done based on the instances the CSE has identified where a privacy incident took place and was recorded. Reviews of MPEF, PIF, and SPIF are meant to ensure that the Commissioner could assess whether there were trends in the kinds of violations being recorded, and are separate from the more in depth reviews of particular programs the Commissioner undertook.
- A-2018-00018: Documents Pertaining to the 2018 G7 Meeting in Canada. This ATIP includes materials from CSE as well as other bodies, such as ITAC. Page 13-31 are from a CSE Cyber Threat Briefing, with page 16 denoting that key threats were from hacktivists, state actors, and cyber criminals. Page 32 recognizes that SS7 or SCADA could be targeted during event, telecommunications infrastructure or websites and other systems. Pages 30-40 of the document maritime and RCMP-assessed risks. The former focuses extensively on the risks activists may pose–and the marginal risks posed by terrorists–and similarly the RCMP focuses principally on the risks posed by activists on the right and left.
- A-2017-00077: C-59 Briefing Binder. This ATIP includes the formal unclassified briefing binder associated with C-59, the Charter Statement associated with the legislation, and specific examples of how the different elements of the CSE’s mandate might be exercise (e.g., what was entailed in FORINT, Information Assurance, Assistance, and Active or Defensive Cyber Operations). Dated November 2017.
- A-2017-00073: Briefing notes, bulletins, studies, media lines and PowerPoint decks from the 2017 calendar year speaking to why these fixes in C-59 are necessary and what roles and responsibilities at CSE may change plus any email correspondence Greta Bossenmaier or her designates may have had with Public Safety Canada officials on this subject matter in January 2017 and March 2017. Pages 7-8 offer an overview of examples the CSE presents as to operations it might undertake following the passage of C-59. On page 9 CSE asserts that the privacy ramification of collecting any PII from public sources about Canadians is low, because it’s public. Pages 9-10 generally, outlines all of the cases where the CSE prohibition on targeting Canadians or infrastructure in Canada can be ignored. Notably, this is indicated for almost every type of new activity the CSE would be empowered to engage in, following the passage of C-59. Page 11 discusses how academic outreach meets were to “simply attend” and if “nothing blows up” then “immediately forget the event ever happened and move to the next one[.]”
- A-2017-00026: Briefing Note for Minister of DND-Response to the CSE Commissioner’s Review of CSE Cyber Defence Metadata Activities. This document includes a description of how CSE’s cyber threat detect systems operate, including that it extracts some metadata and content from communications and that such activities do not constitute bulk unselected collection. The collection of malicious code of social engineering prompts is treated by CSE as private communications at the time of writing. Dated February 2017.
- A-2017-00007: CSE Response to CBC article on IMSI Catchers and RCMP 2017 Briefing on IMSI Catchers. Page 11 includes the full PSC portfolio of responses; what the RCMP, CSIS, and PS generally asserted with regards to their agencies’ use of IMSI Catchers. They generally decline to provide information, and give standardized reasons for the refusal. Page 52 notes that the CSE is uncertain of the reliability of IMSI catcher catchers, and that someone will be looking into this and its likelihood of generating false positives. Page 54 details the conditions that are placed on policing uses of IMSI Catchers, with the recipient of the information being the Chief of CSE. Page 79, in response to whether CSE could assist RCMP or CSIS with IMSI Catchers, CSE declines to answer on the basis that doing so would entail commenting on an ongoing RCMP investigation.
- A-2015-00037: CSEC 2015 Report. This provides high-level summaries of CSE’s vision, mission, principles, and priorities. It contains extensive redactions, with information remaining addressing the new building CSE staff would be moving into, plans to generally strengthen the staff at CSE (e.g., by improving “transparency and accountability for decision making at CSEC within a renewed governance framework and improved resource management tools”), and ensure that by 2015 “cyber defence operations will fit seamlessly within the extended cryptologic enterprise, and ITS, SIGINT domestic and Five Eyes partners will continually share information critical to the protection of government systems.” Finally it is of note that CSE recognizes it had “delivered valued technology support to and strengthened partnerships with national security agencies and law enforcement” and that CSE was working “tirelessly” to secure additional funding for the CSE’s new building.
- A-2015-00037: Everything You Never Wanted To Know About ATIP (Part 1 and Part 2). This document provides a detailed explanation to CSE employees about the rules and laws surrounding ATIP legislation. It includes a warning that CSE staff should be careful to manage information, including deleting transitory information once it is no longer required while preserving official documents. It, also, explains how to handle information under CSE’s control but which might have originated from another government (e.g., USA and NSA) or agency (e.g. Department of Justice). CSE employees are advised that, if they have a concern that an ATIP request relates to a security breach that they “speak with the ATIP Analyst identified in the ATIP request” who can, then, but the concern to the “attention of the Minister’s senior delegated officials […] for consideration.” These officials “are authorized to know the identity of the requestor.” Notably, in at least some cases “very motivated requestors are willing to pay over a million dollars in additional fees for the records they originally requested.” Dated after April 1, 2014.
- A-2014-00059: Briefing material directly related to the CBC story on January 30, 2014 that CSEC used airport WIFI to track Canadian travellers. Please search records from January 1, 2014 through May 1, 2014. Most of the ATIP’s most interesting parts on on pp. 9-11 and pp. 14-18 and 37-44. Note that, apparently, the tool was to track terrorists, kidnappers, and foreign intelligence agents. This third category is new. (And noted on pp. 30). On pp. 14 there is a statement that the tool WAS used operationally, to the effect of “identify terrorist threats affecting Canadian and allied interests.” Thus, the assertions that this is ‘just’ an analyst model bely the fact that it was actually tested using dominantly Canadian data (firming up the position that Canada is CSE’s test population) and then implemented on the world (and, possibly, at home as RCMP/CSIS make requests for assistance). On pp. 27 they note that revealing the fact a Canadian airport was used as a seed “would be damaging in putting into question CSE’s SIGINT’s use of CND metadata”.
- A-2014-00043: OPS-1-7: Operational Procedures for Naming in SIGINT Reports.
- A-2014-00013: Most recent copies of operational document OPS-1-11 and OPS-1-14.
- A-2013-00129:A detailed cost breakdown of the $300-million dollar payment CSE incurred in 2014. This ATIP outlines how much was spent by the CSE in developing their new headquarters.
- Memo Regarding Updated Collection and Use of Metadata Ministerial Directive. This document explains how Ministerial Directives operate and also denote the number of Ministerial Authorizations being sought (1 SIGINT for supporting Canadian troops in Afghanistan, 1 SIGNT linked with CSE interception activities, and 2 SIGINT MAs for undisclosed interception activities.” Among the seven Ministerial Directives, there was one for assistance to federal law enforcement and security agencies, which updated a 2001 MD, and another on the Collection and Use of Metadata, which updated a 2005 MD on the same topic. There was no information bout other MDs. Dated 2011.
- A-2012-00690: Ministerial directives, final and draft media lines, memos and letters prepared or exchanged by CSEC regarding the ministerial directive that was created to guide the CSEC collection of “Information about Canadians” (metadata) for the period 2008. These documents relate, in part, to the OCSEC’s recent reviews which assessed the collection and use of metadata, as well as the support provided by the CSE to CSIS.
- A-2012-00688: Ministerial directives, final and draft media lines, memos and letters prepared or exchanged by CSEC regarding the ministerial directive that was created to guide the CSEC collection of “Information about Canadians” (metadata) for the period 2005 and 2006. This includes messages between the OCSEC and CSE concerning the CSE’s collection of metadata.
- A-2012-00543: Final Report Analysis of Darknet Space for Predictive Indicators of Cyber Threat Activity. Note that this was initially prepared by the National Cyber Forensics and Training Alliance (NCFTA) Canada.
- A-2012-00397: Supply Chain Threats to Canada. This highly-redacted document indicates that CSE was mindful of supply chain threats, and multiple slides in the deck discuss threats or risks associated with Huawei technologies. At the time the briefing was prepared IT security requirements were not frequently included in procurement processes which made it difficult for the government to protect information and services; proactively the government was working with PWGSC to finalize its IT security contract clauses with CSE, as well as developing recommendations for inclusion in all It contracts with the government of Canada. Dated May 2012.
- A-2012-00196: Briefing Note and Question Period notes to the Minister and DM, media lines, ministerial directives prepared or exchanged by CSEC regarding the suspension and resumption of domestic investigations for 2011.
- A-2012-00194: Briefing Note and Question Period notes to the Minister and DM, media lines, ministerial directives prepared or exchanged by CSEC regarding the suspension and resumption of domestic investigations for 2009.
- A-2012-00193: Briefing Note and Question Period notes to the Minister and DM, media lines, ministerial directives prepared or exchanged by CSEC regarding the suspension and resumption of domestic investigations for 2008.
- A-2012-00188: Briefing Note and Question Period notes to the Minister and DM Minister, media lines, ministerial directives, and correspondence between the CSEC Chief and CSEC Commissioner regarding the ministerial directive that was created to guide the CSEC collection of information for 2009.
- A-2012-00187: Briefing Note and Question Period notes to the Minister and Deputy Minister, media lines, ministerial directives, and correspondence between the CSEC Chief and CSEC Commissioner regarding the ministerial directive that was created to guide the CSEC collection of information for 2008.
- A-2012-00186: Briefing Note and Question Period notes to the Minister and Deputy Minister, media lines, ministerial directives, and correspondence between the CSEC Chief and CSEC Commissioner regarding the ministerial directive that was created to guide the CSEC collection of information for 2007.
- A-2012-00161: Briefing Notes to the Minister and Deputy Minister, media lines, ministerial directives, and correspondence between CSEC Chief and CSEC Commissioner regarding a July 28, 2011 article in the Globe and Mail titled “Canadian data used to detect foreign threats.” This briefing note provides advice to the minister on how to handle a range of possible questions, inclusive of whether CSE targets Canadians’ information (no, specific targeting of Canadians’ communications is not done, using the government’s interpretation of what ‘target’ means). Page: 9-10: discuss that while the CSE Commissioner did raise concerns about the ways in which Canadians’ information was collected, and the program which was collecting it was halted, it has continued under refined policy guidance. At no point does CSE believe that it ran afoul of Canadian law.
- CSEC Foundational Learning Curriculum. Dated approx 2012.
- Quantum Computing from an IT Security Perspective. This 1-page ATIP provides a high-level description of Quantum Computing. It notes that its academic partnerships have “focused on University of Waterloo’s Institute for Quantum Computing (IQC).” Undated.
- A-2011-00637: IT Security Bulletins. This sequence of bulletins provide information about government policy for the protection of Classified information, the security of PIN-to-PIN Blackberry messaging, guidance for the communication security of SECRET information, as well as a McAfee report that references Government of Canada victims of a hacking campaign and a discussion of best practices concerning emergency management notification systems. Dated March – September 2011.
- A-2011-00763: OPS-5-1 Operational Use of the Internet. This highly redacted document discusses Internet activities and associated risks, as well as best practices and definitions. The concluding annexes outline which systems can be used for which activities, as well as the matrix of approves systems vs kinds of Internet activity. Dated January 2005.
- A-2011-00969: Definitions. This document provides definitions for critical information, such as what constitutes a Canadian person, Target, the Global Information Infrastructure, and more. Dated March 2003.
Department of National Defence
- A-2022-00081: MND Cyber Playbook–A DND/CAF Perspective. This ATIP (French and English) provides a high-level overview of how DND/CAF looks at cyber, with attention to deterrence, collaboration, coordination across government, and workforce development as essential to advancing DND/Canadian interests.
- A-2013-00910: Event Approval for NATO Cyber Defence Capability Team (CD CaT). This document requests permission to send one individual to represent Canadian interests at the NATO Cyber Task Force from June 30-July 5, 2013. Not participating was seen as damaging given Canada’s past contributions and Canada operating as the lead nation in another NATO Cyber Defence Initiative (the Multi National Cyber Defence Capability Project). Dated May 13, 2013.
- A-2013-00390: Briefing note to the DG Cyber: “Innovation transfer and evaluation agreement” dated Feb. 22, 2013. This pertained to a short-range bio-detector device or system.
- A-2013-00389: Briefing note to the DG Cyber: “Cyber ops working group visit to UK” dated Feb. 24, 2013.
- A-2013-00005: Six most recent domestic intelligence reports created by the Canadian Forces National Counter Intelligence Unit.
Employment and Social Development Canada
- A-2019-03327: Possibility of Using Machine Learning and Artificial Intelligence to Identify an Individual in an Anonymized Dataset. This memo, in response to a MIT study of de-identification, provide advice to the Deputy Minister on re-identification of individuals in a dataset.
Global Affairs Canada
- A-2021-00531: Canada’s International Cybersecurity Strategy and Cyber Diplomacy Initiative. I discuss the contents of this release, at length, in a post entitled “Findings and Absences in Canada’s (Draft) International Cybersecurity Strategy“. Dated January 1, 2021 – July 13, 2021.
Innovation, Science and Economic Development Canada
- A-2019-00451: Records regarding Canada Infrastructure Bank exploring creating a public utility, investing in 5G in urban areas, public Wi-Fi and Next-Generation 9-1-1 services. This short ATIP just includes parts of an email chain that followed from the Logic posting an article about how the Canadian Infrastructure Bank had proposed developing a competing 5G network as a public utility to better serve rural customers. The chain indicates that, by the time that either the news outlet published the article or the participants in the chain had started discussing the issue, the government was believed to have moved past the proposal after setting it aside. Dated 2019.
- A-2018-00168: This ATIP provides information concerning the 2015-2016 Lawful Access Initiative (LAI) Performance Management Report (PMR) 2015-2016. This ATIP includes points of clarification that ISED posed for Public Safety, with the most interesting elements of the documents coming from the partial disclosure of the LAI PMR. Page 5 refers to Green Report and seems to strike off encryption and data retention, while not striking basic subscriber information (BSI) and intercept-ready networks. Page 12 refers to challenges to obtaining BSI; access laws are listed as those linked with reasonable expectations of privacy, costs to industry, potential secondary uses by industry (unclear what this means), and transparency reporting requirements. Finally, page 16 makes reference to the challenges to obtaining intercept-ready networks, and includes public optics, initial infrastructure costs, ongoing maintenance costs, regulatory inflexibility, potential impacts on small providers, transparency reporting by industry and government, and bundling with other initiatives. It also refers to “Plan B” without greater explanation.
- A-2018-00073: Examination of IMSI catcher and mobile device identifier devices (January 1, 2012 to April 24, 2018). The ATIP begins with an extensive report from Communications Research Centre Canada, titled “Technical Study on Privacy in Wireless Networks”. This 2014 study does a good job summarizing high level how wireless networks operate and associated privacy concerns. Items of note include that, on page 4, there isn’t a single thing to resolve privacy issues and, instead, a range of things must be done including work with providers, establish privacy metrics with industry players, work to steer international standards, and make sure CRC is available for relevant consultations. Of note, at the time of writing CRC was of the opinion that “… Canada’s wireless privacy is comparable with the US and behind Western Europe” (30). Page 31 moves to discuss the risks of IMSI Catchers and ease at which mobile communications can be intercepted using “recipes” from the public Internet with pages 38-39 continuing by noting that even on LTE you can obtain the IMSI, and that encryption isn’t a guaranteed to be implemented and thus must be tested to confirm transmission security. Page 40 discusses the possible ability to evade detection of using an IMSI catcher by actively compelling devices to attach to fake base station, which is using international (i.e. not licensed) spectrum. Pages 58-61 include a sample Harris Corp confidentiality contract. Page 90 notes that a company in the UK, Smith Myers Communication, sells an IMSI catcher that is referred to “the Artemis System”, and how it doesn’t interfere with emergency calls of non-targets, and can target mobile and non-mobile communications. It is an aerial system with a range of up to 25km and does not interfere with cellular networks. These were intended for Search and Rescue operations. Later in the ATIP, on pages 160-164, we see the RCMP’s draft 2016 policy for IMSI catchers/MDI devices and page 166 notes that the RCMP, at the time, had different policies for what warrants it used to obtain authorizations; sometimes they used a transmission data recorder order, in others a general warrant. Dated 2014-2017.
- A-2017-01408: This ATIP includes information from ISED to the RCMP (and other agencies) concerning authorizations to the RCMP technical branch for the use of IMSI Catchers. Of note, this ATIP makes clear that the RCMP, OPP, Calgary Police, Winnipeg Police, all receive authorizations. Dated 2017.
- A-2017-01164: Documents written by Huawei Canada that reference the 3.5 GHz spectrum, between May 1, 2017 and November 1, 2017. This set of documents is merely a briefing deck from Huawei about the uses of, and benefits of, 5G for everything from smart cities, to remote surgery and factory automation, to driving, as well as some of the standards work at 3GPP that are ongoing. Dated 2016.
- A-2017-00632: 2014-2015 Lawful Access Initiative Report. One page 5 it discuses that the partners in the lawful access initiative include: CSIS, CSE, DoJ, ISED, Public Prosecution Service of Canada, PSC, and RCMP, and page 6 asserts that the limited funds through LAI are insufficient to address operational requirements. Moving forward to page 46, the ATIP documents note that the CSE is responsible for actual cryptographic techniques and decryption efforts pertaining to communications, though a number of earlier categories indicate tracking of how often materials are inaccessible to CSIS/LEAs. Dated 2016.
- A-2017-00043: CBC or Radio-Canada story on MDI devices AKA IMSI catchers near Parliament Hill, March 27 – April 6, 2017. Page 1 discusses false positive, and potential to get the Certification and Engineering Bureau in ISED to evaluate IMSI Catcher detectors, “…even if only to debunk false positives reported in the media.” Dated 2017.
Offices of the Communications Security Establishment Commissioner
- A-2013-00084: A Review of CSEC Information Sharing with the Second Parties, CSE Commissioner report to MND, 17 July 2013.
Office of the Privacy Commissioner of Canada
- A-2016-00261: Please provide the following briefing notes prepared for the Privacy Commissioner (CTS#,Title): “CTS-091893 – Facebook Strategy, CTS-092891 – Meeting with Canada Revenue Agency, CTS-092040 – Online Reputation – Summary of Submissions, CTS-092709 – Media analysis, CTS-092810 – Gone Opaque? An analysis of hyporthetic (sic) IMSI Catcher Overuse in Canada, CTS-092816 – Outline for Security and Intelligence Consultations”. The document outlines, in depth, the planned meeting with the CRA. This is particularly pertinent given the concerns in Canada about how effective the Agency’s data security and collection processes are. This briefing note is incredibly extensive, and provides insight into the difficulties faced, and challenges overcome, by the CRA. Of note, the summary provided of “Gone Opaque” report probably does a better job that the one its authors in summarizing the text. Other documents aren’t particularly interesting. Dated 2016.
- A-2017-00026: Please provide the following briefing notes for the Commissioner Daniel Therrien in Nov. 2016: “7777-6-171215, Note – FTC Ashley Madison, ” “7777-6-171092, Briefing Note – Approach to lawful access by technology companies,” “7777-6-171347, Note to Cr – Facebook strategy,” “7777-6-171918, BN – Meeting with Canada Revenue Agency,” “7777-6-176219, Note to commissioner – letter of advice to PCO – Electoral Reform Strategy.” Pages 16-17 of the document involve the OPC declining to press an investigation into a company, who’s name is not revealed. The OPC asserts that they believe the company in question could, and should, develop and issue transparency reports despite the companies’ assertion that such reports would be expensive to develop. The discussions of lawful access in this report amount to internal advice concerning how companies respond to lawful requests for information, and being uncertain whether making local requests or utilizing MLAT are better approaches. Dated 2016.
- Memorandum: Review of the Royal Canadian Mounted Police — Problems with statistics and identifying warrantless access files. This short memo outlines that warrantless access to subscriber data statistics which were released in a 2010 ATIP request were “inaccurate, incomplete, not current and they were not useful in identifying PROS files for review” (1). Statistics were inaccurate “because of lack of reporting, multiple reporting or overlapping reporting” (2). The result was that the OPC was unable to rely on, or use, the statistics generated by the RCMP. Dated October 2014.
Public Safety Canada
- A-2021-00008: Concerning Government of Canada Cyber Security and Repatriation of Syrian Fighters. This document includes media lines responding to a reporter in northern Iraq who is asking the federal government questions on its policies to repatriate Canadian foreign fighters. Dated October-December 2020.
- A-2020-00246: Recent version of the Solicitor General’s Enforcement Standards. Dated January 1, 2020 – November 3, 2020.
- Public Safety Report of Summary of Notable Submissions on Lawful Access (Green Paper). Dated around 2017.
- Solicitor General’s Enforcement Standards (Non-Annotated and Non-Redacted) (Annotated) (Redacted). Current as of November 17, 2008.
- Solicitor General’s Enforcement Standards for Lawful Interception of Telecommunications – Compliance Table (2007)
- Any and all ministerial directions issued to the RCMP by the Solicitor General or the Minister of Public Safety and Emergency Preparedness concerning the conduct of national security related investigations. This set of documents includes three Ministerial Directions that are minimally (if at all) redacted. Specifically, they pertain to national security responsibility and accountability, to national security related arrangements and cooperations (largely discussing foreign arrangements), and to national security investigations in sensitive sectors (e.g., academia, politics, religion, the media, and trade unions with specific guidance regarding universities and post-secondary campuses). Dated October 31, 2003.
- Solicitor General’s Enforcement Standards for Lawful Interception of Telecommunications – Compliance Table (Rev. 4/25/2001)
- National Law Enforcement Standards (Rev. Feb 11, 1998)
- Solicitor General’s Enforcement Standards for Lawful Interception of Telecommunications – Compliance Table (Rev. Oct 28, 1997)
- Solicitor General’s Enforcement Standards for Law ful Interception of Telecommunications (Rev.Nov.95)
Royal Canadian Mounted Police
- Encryption and Law Enforcement. Discusses risks of ‘going dark’ due to encryption and how the RCMP was developing a study meant to identify challenges posed by encryption and, also, efforts with Five Eyes partners to work collectively to increase their “collective clout when engaging with TSPs, industry, and privacy-related academics” which was seen as important “given the challenges associated with developing a legislative or regulatory solution.” Dated February 2016.
- A-2014-02766: Requests for Subscriber Information/TSP Production Order Costs (Annotated).
Shared Services Canada
- A-2012-00049: Investment Canada Act and Foreign Takeover of Blackberry. This ATIP pertains to the Government of Canada’s Investment Canada Act, and the conditions under which Canada might reject a foreign takeover of RIM/Blackberry. Page 4 notes that ICA review takes place when a non-Canadian wishes to acquire control of an asset valued at $330 million (CAD) or more and page 34 includes the Minister’s briefing notes for discussion with new RIM CEO. These notes include a discussion concerning export controls/cryptography, though it’s not clear what, specifically, they spoke about beyond “administrative changes” by DFAIT. Dated December 2011 – March 2012.
- A-2012-00008: Issuance of UAV Licenses and Draft UAV Issue Paper. This ATIP contains answers to a reporter’s questions concerning the number of SFOCs that were issued (293 applicants and for approximately 1, 000 UAVs), media lines explaining relevant laws governing UAVs in Canadian airspace, training requirements, and recognition that LEAs can use drones “provided they comply with Transport Canada regulations and obtain the required SFOC” (13). Page 16 also details the number of SFOC applications that were rejected by region. The Issue Paper (pages 22-26) outline considerations for establishing restricted airspace for UAVs, as well as recommendations; many of these recommendations include ‘TBD’, which is indicative of the early stage of the government’s regulation of UAVs. Dated 2011-2012.
Treasury Board of Canada
- Cabinet Committee on Priorities and Planning, June 8, 2010. This document outlines the business need and rationale for Treasure Board to approve funding enterprise communications and infrastructure upgrades for CSIS’ foreign stations communications. It is suggested that the Minister approves the dispensation of funds. Dated June 8, 2010.