ATIPs

This page includes links to various Access To Information and Privacy (ATIP) requests that I have received or obtained over the past several years. Each link, unless otherwise indicated, is to a locally hosted .pdf of the relevant ATIP. In some cases I indicate what is notable about a given ATIP or the language of the original request and, where possible, dates associated with the released records.

Canadian Armed Forces

A-2019-01680: JDN 2017-02, Canadian Armed Forces Joint Doctrine Note: Cyber Operations. Ottawa: Canadian Forces Warfare Centre, 2017, AND all correspondence, discussion and/or documentation related to this document (within the CAF) from January 01, 2020 to January 31, 2020. This is the 2017 version of the CAF’s Joint Doctrine Note (JDN) concerning Cyber Operations. This is a highly notable document, insofar as it discusses the Canadian posture towards conflict in cyberspace, and identifies key terms that were not previously discussed (e.g., defensive operations, defensive operations that are in CAF’s network, and defensive response operations when CAF must respond to an adversary), as well as the ways in which CAF considered developing and structuring its cyber-related activities. Emails included in this ATIP, at the end of the document, reveal that subsequent updates to the Doctrine Note have occurred, and this document can be helpfully read against Canada’s interpretation of international law in cyberspace and, also, Global Affairs Canada’s international cyber policy. Readers may, also, be interested in earlier assessments of Canada’s draft international cybersecurity strategy. Note that annotations exist within this ATIP.

Canadian Security Intelligence Service

A-2021-364: All internal emails between senior CSIS officials from January 1, 2019 to January 1, 2020 regarding Russian foreign interference in Canada. This ATIP package only includes the 2018-2019 Annual Report to the Minister on Operational Activities, and is classified at the Top Secret/Canadian Eyes Only (CEO) level. It provides a highly-redacted discussion of the kinds of threats that CSIS identified and engaged with, as well as suggesting there are some kinds of issues associated with Canadian Extremist Travellers, s.16 challenges. The report documents the number of briefs or reports which were issued in alignment with various issue areas covered by CSIS and, also, denotes the number of security screening requests, and by type of request, during the period; it does not, however, provide information about the number of requests which were met. Page 57 reveals that CSIS had 311 s. 17(1)(b) agreements with 158 countries and territories, though redacted the number of active, dormant, restricted, restricted/dormant, or abeyance agreements. Finally, pages 58-63 provide a listing of many of CSIS’ domestic arrangements with federal agencies and provinces/provincial bodies. Of note, those agreements with the CSE include: Regarding s. 14 information (dated 2007-01-12), Regarding s. 16 information (1990-11-02), Regarding s. 12 information (1990-11-01), as well as Framework document; information sharing, intelligence collection and operational support (2011-12-14), Annex to the Framework MOU regarding certification & accreditation of facilities and systems processing SIGINT (2012-04-22), Annex 2 to the s. 12 MOU regarding s. 12.1 information (2016-06-13), and Addition of Annex B to the CSE Framework document: Integrated Internal Services initiative (2016-07-14).
A-2021-327: Copies of all CSIS and ITAC intelligence reports and briefs since June 1, 2020 to December 7, 2020 on security and the COVID-19 pandemic. This set of documents includes CSIS’s weekly newsletter as well as extensive discussions of the national security threat levels, and internal media bulletins, as well as specific analytic reports on ideologically motivated violent extremism. Documents also disclose the perceive threats to aviation security as a result of the COVID-19 pandemic. Of note, on page 15 under “Cyber” CSIS stated “there may be a heightened likelihood of a cyber attack impacting the Canadian electricity sector, given the connections between US and Canadian power grids. Moreover, Canadian allies in the United Kingdom and the United States have noted the presence of Russian state-sponsored actors on Internet infrastructure— including routers, switches and firewalls — which can be used to impact industrial control systems.”
A-2021-256: This is a re-release of an ATIP request from which the Globe and Mail article was written involving CSIS presentations to Universities in Canada, the association of CIO’s of Canadian Universities, and biopharma labs and agencies involved in the supply chain from April 2020 to June 2021, warning of international espionage. Page 3 makes it clear that CSIS is warning of ‘non-traditional intelligence collectors’ which include, “people without formal intelligence training but with a particular subject matter expertise such as businesspeople, scientists, researchers, and even students. These individuals know what is valuable and they are able to operate in business and research environments without raising suspicions.” Such individuals “can also be vulnerable to state demands if they return to an authoritarian country with a disregard for intellectual property rights and patents” and, moreover, there is a risk that universities “may unwittingly invite these non-traditional collectors into your front door, as you pursue business arrangements or R&D collaborations.”
A-2021-164: Please provide the following document: CSIS, Foreign Threats to Canadian Science and Technology. Aside from the title and classification (Secret//CEO) this document is entirely redacted.
A-2021-060: All records for the period between January 1, 2013 and April 29, 2021 related to the use (or potential use) of big data, big data analysis, algorithmic decision-making, algorithmic analytics, algorithmic analysis, predictive analytics, predictive analysis, and/or machine learning for the purpose of assessing or making determinations related to “risk of immigration and refugee applicants to Canada.”
Summaries of the US Senate Report on Examining the U.S. Capitol Attack and the US National Strategy for Countering Domestic Terrorism, and CSIS Considerations. This ATIP includes detailed discussion of sought-after powers for CSIS on page 4. Powers discussed include access to basic subscriber information, sharing classified information with law enforcement agencies, and possessing tools that enable the identification and disruption of IMVE-related threat actors operating online while simultaneously protecting Canadians’ privacy. Dated July 29, 2021.
A-2020-611: Speaking notes, briefing notes, communications and reports pertaining to CSIS monitoring of international students, student associations and universities with an emphasis on monitoring of Chinese, Russian, or Muslim students from January 1 2010 to March 22, 2020. This includes a 2019 memorandum entitled “Update on CSIS engagement with Muslim students” that followed from a CBC News story about Muslim university students being contacted by CSIS officers, and the issue within CSIS was heightened by an op-ed by two Toronto-based lawyers who wrote an op-ed that reinforced the CBC story’s narrative. In a subsequent meeting, where the lawyers explained to CSIS that students were discouraged from contacting lawyers, CSIS’ memorandum asserts the “CSIS assured the lawyers that the Service does not counsel individuals to avoid seeking legal advice.”
A-2020-462: All threat assessments/reports from July 1, 2020 to present that mention QAnon conspiracy, Proud Boys or other far-right groups and their presence in Canada or on social media. This has a number of internal threat reports associated with violence in the United States or Canada, though perhaps the most interesting element of this ATIP is in a report finishing the ATIP package entitled “White Supremacist/Neo-Nazi Women: Canadian Implications” that provides a detailed account of the role of women in supporting and promoting this ideology online. The only Canadian woman mentioned in the report is Laura Southern.
A-2020-390: Obtain a list of briefing notes received by the Director of CSIS or sent to the minister responsible for CSIS for the period from October 20, 2020 to December 13, 2020. This package release is 8 pages long and includes lists of all the briefings the Director was involved in. Notable ones include altering a s. 17(1)(b) foreign arrangements, Draft 2019-2020 Annual to the Minister on Operational Activities, Memorandum to Minister – Warrant Issues, and Min Memo – Renewal of Classes of Acts or Omissions.
A-2020-370: Intelligence studies/reports/briefs produced by CSIS in March 2020 and April 2020 on the coronavirus/COVID-19. This ATIP package includes regular CSIS reports which highlight issues or threats, broadly, around the world. These threats are not exclusively linked to the coronavirus and, in fact, generally address other threat-related activities.
A-2020-373: Copies of all CSIS and ITAC intelligence reports and briefs since June 1, 2020 on security and the COVID-19 pandemic.
A-2020-391: All documentation regarding geolocation and its illegal use by CSIS from the period from September 1, 2020 to December 11, 2020. This ATIP returned a copy of NSIRA’s classified (Secret) Annual report 2019-01. Of note, on page 4 is a report from NSIRA that recognizes that, “in SIRC’s review of CSIS’s use of Basic Identifying Information (BII) (SIRC Review 2018-09),3SIRC found that recent changes to the BII process brought about by Federal Court decisions have made the timely collection of BII challenging for CSIS.” Page 9 includes some mention of CSIS’ foreign station and their utility in understanding threats to Canada (though some reassurances from foreign entities hadn’t been sought or renewed since 2010). The same page makes reference to CSIS’ “practices for acquiring information from traditional and “non- traditional” Communication Service Providers (CSPs).” On page 10 we find that, “All Five-Eyes partners have faced challenges evaluating their disruption activities. SIRC found that CSIS is making efforts to improve its performance measurement, but that work remains to be done. Particular attention will have to be paid to assessing intermediate and strategic outcomes, leaving as little room as possible for subjectivity.” Notably, “SIRC found that incremental changes to Ministerial Direction and CSIS policies have collectively reduced the requirement to inform the Minister about foreign activities within Canada.”
A-2020-37: All CSIS and ITAC intelligence reports and briefs from January 1, 2020 to May 21, 2020 on security and the COVID-19 pandemic. This ATIP release contains dozens of weekly threat review reports from ITAC along with threat levels over the period. It is notable for identifying the issues which were surfaced through the reporting, though with a strong caveat that extensive redactions for news items tracked by ITAC were redacted across the release. The release also contains numerous CSIS Security Briefs, on topics such as conspiracy theorists, anarchists, alternative COVID-19 narratives, ideologically motivated violence and the pandemic, and more. Pages 81-90 include a high-redacted strategic briefing concerning COVID-19, labelled Top Secret, REDACTED, CSIS Eyes Only. Page 93-94 includes a high-level discussion/summary of the Nova Scotia shooter and the timeline of events reported at the time.
A-2019-1027: All documents related to COVID-19, PANDEMIC, VIRUS, EPIDEMIC and WUHAN for the period from December 1, 2019 to February 1, 2020. This large release contains reports and advisories concerning the COVID-19 pandemic. Of note, CSIS was updating its Pandemic Response Plan in November 2019 (Page 21), the plan itself which is dated December 2019 begins on page 35. The plan, itself, is principally concerned with a virulent flu and provides information on how the Service would respond in the face of a serious health event. The specific responsibilities of senior leadership (pages 42-47) are sometimes included and other times not (presumably due to redactions). On page 59 begins an updated April 2020 Pandemic Response Plan.
A-2019-675: Information pertaining to “Threat Reduction Measures” as defined in the CSIS Act, including historical examples of Threat Reduction Measures; documents relating to the approval process; examples of Threat Reduction Measures being used in combating disinformation (Especially during the recent 2019 Canadian federal election). This ATIP release includes the governing policy for conducting threat operations, and is dated June 21, 2019 and replaces s.12.1 Threat Reduction Measures (Version 2, dated 2017-11-20). While highly redacted it gives a sense of some of the processes involved in undertaking TRMs, including in exigent circumstances these operations being permissible based on verbal approval (page 8). In the accompanying FAQ, page 19 makes explicit that “the Communications Security Establishment (CSE) may assist the Service in undertaking a Threat Reduction Measure (TRM)”. Nothing in this ATIP release speaks specifically to using TRMs to address electoral interference, or mentions that such interference took place.
A-2018-997: Documents pertaining to Huawei and/or 5G technology. These documents include, from page 9-13, part of a slide deck that offers an introduction to 5G and its potential benefits; this may be used to understand how decision makers were informed of the capabilities of the technology as it interrelated with the Internet of Things and Artificial Intelligence. 5G was seen as an economic driver and, also, the document (Page 13) indicates that Canada was to begin planning for 6G technologies, with a recognition that Ericsson and Huawei–their Canadian divisions–were seen as leaders for domestic innovation. Dated 2018.
A-2018-524: A CSIS Developing Intelligence Issue document that provides brief and broad background on the positions held by opponents against the Trans Mountain Expansion project. Dated 2018.
A-2018-421: Documents completed from Jan. 1, 2018 to June 26, 2018 concerning potential threats to the energy industry/pipelines. Of note, on page 6 under ‘what does CSIS investigate?’: activities directed toward undermining the government of Canada by covert unlawful acts – but does not include lawful advocacy, protest or dissent, unless carried on in conjunction with espionage/sabotage/serious acts of politically, religiously or ideologically motivated violence. Dated 2018.
A-2018-122: Threats to the Montréal-Pierre Elliot Trudeau International Airport. This document contains a discussion of threats to Pierre-Elliot Trudeau airport. Page 4 notes that the two core threats to the airport include terrorism, as well as espionage/foreign interference. Other than noting a news report (CBC/Radio-Canada article) on detection of IMSI catchers are the airport, all espionage/foreign interference elements are redacted. Dated 2017.
A-2017-325. This document contains the entirety of CSIS’ advice for persons travelling outside of Canada, and generally provides security information when abroad.
A-2017-214: All documents created by the Forbearance Working Group, SGES working group, and forbearance program from Jan. 1 2016 to August 23, 2017. Page 3 notes that a party was making a forbearance request under the SGES on April 26, 2016 and that it was granted on July 25, 2016 (5-6). Page 20 reveals that the party that had previously requested forbearance, once again requested it in/around Feb 23, 2017. Dated 2016-2017.
A-2017-138: All documents produced or received by CSIS concerning what would happen to all of the data captured by devices used to intercept data and metadata from mobile devices, or any similar tool for the surveillance of cell phones or tracing tool. Per these documents, CSIS, under guidance from SIRC, was working to “further enhance feedback on the utility of IMSI operations, and based on these findings, that the 2012 internal assessments be updated to help guide the direction of this potentially promising program” (2). Per page 7, and in response to the Federal Court asserting that CSIS could not collect or retain certain technical identifiers indefinitely, the Service established new directions concerning the collection and retention of electronic identifiers. This mean that, as of Feb 13, 2017, CSIS could not use technical measures for the purpose of collecting identifiers under s.12 or s. 16 (though note: still could under s. 21), and that the retained identifiers had to be retroactively destroyed. At least some retained data which had previously been managed per DDO Directive on Long-Term Operational Data Retention, was to no longer be “considered as falling into the category of Potentially Exploitable.” Page 8-15 includes a memo pertaining to CSIS’s targeting procedures. Here, we find that there is a class of activities identified as “General Authority” which do not require a targeting authority, whereas Level 1 and Level 2 operational tools and techniques do require authorization. What is included in those levels is redacted as well as that where foreign states’ information is guiding a decision to potentially engage in targeting, CSIS is required to take into consideration the states’ or agency’s “human rights record … and the specific circumstances under which the information was obtained.” There are special rules for targeting underage individuals. Paged 16-19 includes a directive on long-term operational data retention. This is an updated directive, and adds a third kind of collected information to support the collection of non-warranted imagery and other non-warranted technical information. All data is classified as either Unpublished (that which doesn’t have intelligence value one year after collection and then destroyed, with all data defaulting ot this), Potentially Exploitable Information (which has not be Published but may be operationally relevant and thus kept per CSIS’ retention schedule) and Published (i.e. information which has been included in a report, or any data that is found relevant under s. 13, 15, or 16 of the Act; such data is subject to a formal data retention period). Page 18 explains that retention conditions do not apply to metadata or datasets that are received from a redacted source, save for that which contains solicitor-client privileged material and thus must be dealt with under CSIS’ protocols to determine if the information should be destroyed. Page 22 contains examples to explain retention and notes that if data is subject to two conditions (e.g., potentially exploitable vs published) that the longer of the two states prevails. Dated 2014-2017.
A-2017-90: Documents that were produced from March to June 2017 as a result of the CBC allegations on April 3, 2017 pertaining to devices known as Mobile Device Identifiers (MSI), Stingray, IMSI catcher, etc. and their use in Ottawa. On page 26 we learn that the CSIS legal department is looking to confirm/fact check CBC/Radio-Canada story, concerning IMSI Catchers. Otherwise, the released comments largely replicate CSIS ATIPs A-2017-18 and A-2017-19. Dated 2017.
A-2017-19: Documents from March 27, 2017 to April 6, 2017 concerning the CBC/Radio-Canada story on MDI devices (IMSI catchers) near Parliament Hill. This ATIP contains nothing of note given that the internal communications have largely been redacted. Dated 2017.
A-2017-18: Documents from January 1, 2016-July 20, 2017 concerning the use of MDI devices (IMSI Catchers) by Canadian security agencies. Of note, page 2 makes clear that CSIS is not always required to obtain warrants to use MDIs. On Page 14, CSIS recognises that in determining whether to use techniques like IMSI Catchers, they either rely on authority under S.12 of their Act or in a redacted situation apply for a warrant to the federal court under S.21 of their Act. Page 25 reveals that SIRC contacted CSIS for information following the release of the CBC/Radio-Canada story on IMSI Catchers near Parliament Hill and the Capital Region more generally. Dated 2017.
A-2016-331: All records pertaining to research and application in the field of quantum research. This is a pair of research reports, one from 2016 and the other from 2012. The 2016 report is actually written for CSE, and presumably the 2012 report for CSIS. Both are future looking forecasts, with big picture assessments of what technologies or trends might have national security implications in the future. On the whole, the reports are not particularly interesting save for how the agencies might have thought about, or planned for, future changes in society and technology. Dated 2012 and 2016.
A-2016-185: Threat Reduction Activities. This ATIP contains materials pursuant to “Any documents, including but not limited to, records of discussion on all strategic case management or four pillars discussions regarding threat reduction activities (TRA).”
Government Response to the ODAC Ruling. This 555 page ATIP includes communications following the ODAC federal court ruling. Highlights include the following. There is a transcript of for-background information provided to external CSIS stakeholders post-ODAC decision on pages 108-118. Page 159-172, in reference to the CSE Comissioner’s 2014-2015 report on the CSE, discusses how CSE cannot ascertain how much unredacted Canadian metadata was shared with 5-eyes partners, in contravention of the law (this was done unintentionally per the CSE Commissioner) (171), that FVEY partners were not asked to minimized the shared information b/c it was not believed to be sufficiently contextual to individual Canadians to raise a significant privacy concern (171), and that CSE does not clarify how long this was taking place (171-172). CSIS hold that, with regard to ODAC, “It is impossible to quantify the number of individuals linked to the associated data, much less identify personal data such as citizenship” (192) and that on page 194, “Neither metadata or associated data includes any information that could relate to content.” On page 378, when assessing the SIRC’s review of CSIS’ accessing taxpayer information without warrant, and with insufficient managerial controls, a proposed speaking point to the minister was that under SCISA no warrant would be required in the future. Between pages 398-400, CSIS outlined that ministers had received briefings, or mentions, of ODAC at least 7 times (including one verbal warning), and that while information about the legal basis of ODAC’s operations or associated data hadn’t been explicitly discussed, ODAC itself (insofar as it existed) had been raised. Page 400 includes each time CSIS could determine when a Minister or Deputy Minister had been advised. Page 445 has a sentence beginning “With these principles…”, indicates there are 2-3 major issues with how CSIS has handled the ODAC system, also suggesting that there are potential long-term consequences associated with CSIS’ handling of ODAC. Page 465 includes a discussion of CSIS’ collection of bulk datasets, and the fact that insufficient information existed to guide the lawful collection of ‘referential’ datasets, with the issue being that in at least one cases data was obtained that exceeded referentiality and thus constituted a collection (and would have required a warrant). At the time the assessment was conducted, there was “no evidence to indicate CSIS’s data acquisition program had appropriately considered the threshold of “strictly necessary” as required in the CSIS Act.” Page 467 suggests that CSIS used s.17 to establish a partnership with a foreign agency with which it lacked a formal s.17 arrangement. Broadly, much of the document includes CSIS doing the following: asserting that it needn’t notify the Federal Court regarding associated data and, upon being told that it violated its duty of candour, seeking to avoid blame by pointing to the number of times Ministers were notified, the PIA submitted to the OPC as sufficient to ‘explain’ the program to the Commissioner, etc. So it’s a document that outlines crisis communications and blame deferral. Dated 2016.
Project SITKA: Serious Criminality Associated to Large Public Order Events with National Implications. This document was principally created by the RCMP but was released by CSIS under provisions of the Privacy Act and/or Access to Information Act. The report summarizes RCMP intelligence gathering activities that were focused on aboriginal-rights issues, such as land claims, energy projects, and right advocacy. Dated March 16, 2015.
CSIS Policy: Conduct of Operations. This policy describes the Service’s stance regarding operations conducted pursuant to its national security mandate under Sections 12, 15, and 16 of the Canadian Security Intelligence Service Act (CSIS Act). It also provides additional principles and requirements that the Service and its employees will adhere to while working to achieve the commitments outlined in this policy. Notable details include a discussion that warrants are coordinated by the Warrant Acquisition Control and Requirements (WACR) unit of the DDO secretariat, which is responsible for reviewing paperwork before it is submitted to the courts. Further, under S. 15, collected data can be used for supporting S. 12 investigations, and where there is no pre-existing S.17 foreign partner agreement to share data, CSIS may share data in emergency situations without first consulting the Minister or Deputy Minister. The Deputy must be informed “as soon as possible”. Finally, “[t]he Service will weigh the need to use intrusive operational tools and techniques against potential damage to civil liberties or the activities of a Canadian Fundamental Institution (CFI). CFIs include, but are not limited to, post-secondary, political, religious and media organizations.” Dated January 10, 2014.
A-2012-238: All documents on terrorist and the use of cyberattacks to commit terrorist acts for the period from Nov 9 2010 to Nov 9 2012. On page 9 there is a discussion of Anonymous using SQL injections as part of their hacking tools, and page 11 discusses a proposal in an online jihadist forum to attack SCADA systems. Dated 2011-2012.
A-2012-088: Most recent reports concerning terrorism and extremism; foreign espionage and interference; proliferation of WMDs; cyber security and support to Canada’s Northern Strategy. On page 11 we learn that “small number of domestic extremists continue to be associated with issue-based causes such as environmentalism, anti-capitalism, anti-globalization, and far-right racism.” Further, ““Aboriginal communities across Canada remain focused on key issues such as sovereignty and outstanding land claims. At times more radical members of Aboriginal warrior societies advocate violence as a means of drawing attention to these issues.” On pages 12-24, there is a discussion of vulnerable computer systems and the availability of exploit kits, and as well as a note that companies are reticent to disclose intrusions to government authorities. Dated 2011-2012.
[Redacted] Data Management Governance Plan. This document outlines the data management and governance of the Operational Data Analysis Centre (ODAC) which is responsible for storing data collected by CSIS for analysis and analytics purposes. it contains broad-level discussions of how governance should function within CSIS that parallels equivalent discussions that would take place in any organization for data analytics purposes. Dated July 2012.
A-2011-150: All correspondence exchanged between the Director of CSIS and the Minister of Public Safety between January 1, 2011 and February 8, 2012. This release has a number of noteworthy elements. On page 10 we learn there is, “… a noticeable increase in economic espionage is posing risks to our control over strategic critical infrastructure, and refers to ongoing efforts by some countries to illegally acquire and transfer technology from Canada, especially as it relates to weapons proliferations.” Moreover, “As Canada is one of the most technologically advanced countries in the world, we remain especially vulnerable to cyber threats and attacks” (11). Pages 49-56 provide an update to the rules for CSIS sharing information with foreign partners. Page 52, in particular, notes that in some cases, CSIS may need to share or act on information derived from “mistreatment” (i.e. torture). Pages 97-102 includes an assessment by CSIS of the UK’s Green Paper at the time on the issue of intelligence to evidence. This is presented as a summary of the matters raised in the UK, with some small elements of lesson drawing (e.g., “the liberal democratic state is limited in how far it can reconcile the equally important imperatives of national security and procedural fairness in the administration of justice…the public communications benefit can also be limited, particularly when interlocutors choose to frame the debate in an adversarial manner.” Dated 2011-2012.
A-2011-114: All briefing notes to the Director and/or to the Minister concerning “Lawful Access” legislation for the period September 2011 to the present. Cabinet confidences should be excluded. (Includes references to CALEA, Interception standards, and regional interception standards bodies). This memo outlines why the CSIS does not believe that the arguments being made by industry stakeholders about the difficulty and costs of building in interception capabilities are accurate. It argues that the TSPs will not be required to meet any standards and that this is a good thing, because it will provide TSPs with the option of meeting requirements however they see fit. Moreover, there is an assertion that this isn’t all that different from CALEA, though there is no specific rationale as to why that’s the case–the Canadian proposal was in excess of just CALEA-based information. Dated 2011.
A-2011-082: All information regarding CSIS involvement with the WikiLeaks Task Force from November 2010 to August 2011. This ATIP release mostly involved internal DFAIT assessments of the documents which were released about cables from Wikileaks. In aggregate, it showcases the number of people who were stood up into a ‘war room’ to assess cables and their potential damage towards Canadian interests, as well as media monitoring for how the Canadian and international media were covering the cables, with specific focus on the Canadian angle. Dated 2010.
A-2011-07-04: For the period of 2008 to present. Threat assessments produced by the Integrated Threat Assessment Centre relating to cyber security, cyber threats and cyber incidents including but not limited to malware, bots and other cyber attacks. Page 3 includes an assessment that was created in response to request from Canadian Electricity Association Security and Infrastructure Protection Committee. We learn that, on page 4, insider threats to power generation systems, as opposed to external actors, were seen as the most significant threat. A definition of cyber-terrorism is provided on page 17: “…cyber terrorism is defined as a computer-generated attack against other computers or computer-controlled systems via a communications network … Examples of cyber terrorism include computer hacking introducing viruses to vulnerable networks, web site defacing, denial of service (DoS), and distributed denial of service (DDoS) attacks.” Page 30 includes the definition of a backdoor: “Backdoor: a means of access to a computer and or program that bypasses security mechanisms. A programmer may install a backdoor so that the program can be accessed for means of troubleshooting or other purposes, but an attacker may exploit or use a backdoor to gain unauthorized access to information or install spyware.” Dated 2008-2010.

Communications Security Establishment (CSE)

A-2019-00040: Cyber Defence Activities MA 2nd Semi-Annual Report 2018/19. This ATIP pertains to private communications (PCs) that were retained by the CSE in the course of undertaking defensive elements of its mandate. It makes clear CSE adopts an analyst-based approach to identifying PCs (and redacted how many PCs were collected) and that, due to a new method, there were fewer identified. Of note, communications which were “intentionally malicious” were not counted as PCs. Dated August 2019.
A-2019-00033: Directions for Data Science at CSE. This ATIP concerns data science activities that are being undertaken at the CSE, with all information being about the Tutte Institute or Applied Research at the CSE. Topics include the skills that are needed for data science at the CSE, a slide deck on what is data science/machine learning, and a discussion on page 72 that the Tutte Institute undertakes strategic research whereas the CSE undertakes applies research. Dated 2018.
A-2019-00025: Memorandum to the Minister of National Defence–Notification of Cyber Defence Defence Activities at [Redacted]. This ATIP concerns requests to the CSE to provide federal institutions with services under part B of the CSE’s mandate. It includes a letter from an unnamed agency requesting cyber defence services (note: this does not indicate defensive cyber operations, but cyber security services). The party responsible for this defensive work was the Director Autonomous Defence and Sensors at the Cyber Centre. Dated May-June 2019.
A-2019-00020: Social Media/WeChat Guidance. This ATIP addresses questions put to CSE about whether, and if so under what conditions, MPs should use WeChat. Page 26 includes a discussion of communications in the CSE, about the PMO asking for a sense of the kind(s) of advice that CSE would provide to MPs on using WeChat. This is in reaction to (page 27) a note that “…parties are encouraging the use of WeChat in their campaigning” to which an individual (presumably within CSE) responded with “Just heard about this … thought it was a joke. Thanks for flagging.” Dated June-July 2019.
A-2018-903: 2017 Security Review Program report and Public Safety Media Clippings. Pages 1-17 are highly redacted but indicate that telecommunications systems (likely those associated with Huawei) are subject to a review though no company is named. Material is from Fall of 2018.
A-2018-00041: Supply Chain Integrity. This is a slide deck prepared about supply chain integrity, with page 7 revealing the number of requests from SSC to the CSE about supply chain requests. In 2014-15 there were 449, 2015-16 were 704, 2016-17 were 868, and in 2017-2018 were 746. Dated late 2017 or 2018.
A-2018-00040: PIAs concerning SIMON (used to disseminate, retain and dispose of personal information for the purposes of personnel screening) as well as its Key Management Infrastructure. SIMON is used by the CSE’s Corporate Security Directorate (CSD) to both record information about personnel who have been screened as well as control access to SIGINT materials and, on page 8, the document notes it is used to track accesses managed by other organizations, and specifically refers to National Defence as TALENT KEYHOLE (TK). Page 45 reveals that Canadian Top Secret Network (CTSN) was formally known as MANDRAKE. Dated 2016-2017.
A-2018-00030: Response to CSE Commissioner’s Annual Review of the CSE Privacy Incidents File, Second Party Incidents File, and Minor Procedural Errors File. This ATIP discusses various errors made by the CSE over the course of the reviewed period. Of the 10 MPEFs, one led to a collection system collecting information that included Canadian-to-Canadian communications, though no information was collected before the problem was identified and rectified. In each of the 33 SPIF errors the CSE made requests to rectify the error, which sometimes arose as a result of the second party not appreciating Canadian policies. Some second parties received remedial education on Canadian policies but it is unclear whether this included all second parties or not. Page 6 reveals there were 48 PIFs, though none were material. In at least one case an employee untook an action that was “contrary to CSE policy” and that CSE’s response was “adequate”. In another instance, a collection tool caused Canadian person information to be collected into CSE repositories, though this appears to have been “satisfactorily identified and corrected.” Page 8 clarifies that the reviews undertaken by the CSE commissioner are done based on the instances the CSE has identified where a privacy incident took place and was recorded. Reviews of MPEF, PIF, and SPIF are meant to ensure that the Commissioner could assess whether there were trends in the kinds of violations being recorded, and are separate from the more in depth reviews of particular programs the Commissioner undertook.
A-2018-00018: Documents Pertaining to the 2018 G7 Meeting in Canada. This ATIP includes materials from CSE as well as other bodies, such as ITAC. Page 13-31 are from a CSE Cyber Threat Briefing, with page 16 denoting that key threats were from hacktivists, state actors, and cyber criminals. Page 32 recognizes that SS7 or SCADA could be targeted during event, telecommunications infrastructure or websites and other systems. Pages 30-40 of the document maritime and RCMP-assessed risks. The former focuses extensively on the risks activists may pose–and the marginal risks posed by terrorists–and similarly the RCMP focuses principally on the risks posed by activists on the right and left.
A-2017-00077: C-59 Briefing Binder. This ATIP includes the formal unclassified briefing binder associated with C-59, the Charter Statement associated with the legislation, and specific examples of how the different elements of the CSE’s mandate might be exercise (e.g., what was entailed in FORINT, Information Assurance, Assistance, and Active or Defensive Cyber Operations). Dated November 2017.
A-2017-00073: Briefing notes, bulletins, studies, media lines and PowerPoint decks from the 2017 calendar year speaking to why these fixes in C-59 are necessary and what roles and responsibilities at CSE may change plus any email correspondence Greta Bossenmaier or her designates may have had with Public Safety Canada officials on this subject matter in January 2017 and March 2017. Pages 7-8 offer an overview of examples the CSE presents as to operations it might undertake following the passage of C-59. On page 9 CSE asserts that the privacy ramification of collecting any PII from public sources about Canadians is low, because it’s public. Pages 9-10 generally, outlines all of the cases where the CSE prohibition on targeting Canadians or infrastructure in Canada can be ignored. Notably, this is indicated for almost every type of new activity the CSE would be empowered to engage in, following the passage of C-59. Page 11 discusses how academic outreach meets were to “simply attend” and if “nothing blows up” then “immediately forget the event ever happened and move to the next one[.]”
A-2017-00026: Briefing Note for Minister of DND-Response to the CSE Commissioner’s Review of CSE Cyber Defence Metadata Activities. This document includes a description of how CSE’s cyber threat detect systems operate, including that it extracts some metadata and content from communications and that such activities do not constitute bulk unselected collection. The collection of malicious code of social engineering prompts is treated by CSE as private communications at the time of writing. Dated February 2017.
A-2017-00007: CSE Response to CBC article on IMSI Catchers and RCMP 2017 Briefing on IMSI Catchers. Page 11 includes the full PSC portfolio of responses; what the RCMP, CSIS, and PS generally asserted with regards to their agencies’ use of IMSI Catchers. They generally decline to provide information, and give standardized reasons for the refusal. Page 52 notes that the CSE is uncertain of the reliability of IMSI catcher catchers, and that someone will be looking into this and its likelihood of generating false positives. Page 54 details the conditions that are placed on policing uses of IMSI Catchers, with the recipient of the information being the Chief of CSE. Page 79, in response to whether CSE could assist RCMP or CSIS with IMSI Catchers, CSE declines to answer on the basis that doing so would entail commenting on an ongoing RCMP investigation.
A-2016-00101A | A-2016-00101B | A-2016-00101C | A-2016-00101D. This ATIP is broken into four parts (A, B, C, and D) and provides documents about briefing notes, memos, guidelines, presentations, privacy impact assessments, reports, and/or studies on policies pertaining to law enforcement agencies seeking electronic investigative assistance from intelligence agencies (under Mandate C). Limit search to last five years.
A-2015-00037: CSEC 2015 Report. This provides high-level summaries of CSE’s vision, mission, principles, and priorities. It contains extensive redactions, with information remaining addressing the new building CSE staff would be moving into, plans to generally strengthen the staff at CSE (e.g., by improving “transparency and accountability for decision making at CSEC within a renewed governance framework and improved resource management tools”), and ensure that by 2015 “cyber defence operations will fit seamlessly within the extended cryptologic enterprise, and ITS, SIGINT domestic and Five Eyes partners will continually share information critical to the protection of government systems.” Finally it is of note that CSE recognizes it had “delivered valued technology support to and strengthened partnerships with national security agencies and law enforcement” and that CSE was working “tirelessly” to secure additional funding for the CSE’s new building.
A-2015-00037: Everything You Never Wanted To Know About ATIP (Part 1 and Part 2). This document provides a detailed explanation to CSE employees about the rules and laws surrounding ATIP legislation. It includes a warning that CSE staff should be careful to manage information, including deleting transitory information once it is no longer required while preserving official documents. It, also, explains how to handle information under CSE’s control but which might have originated from another government (e.g., USA and NSA) or agency (e.g. Department of Justice). CSE employees are advised that, if they have a concern that an ATIP request relates to a security breach that they “speak with the ATIP Analyst identified in the ATIP request” who can, then, but the concern to the “attention of the Minister’s senior delegated officials […] for consideration.” These officials “are authorized to know the identity of the requestor.” Notably, in at least some cases “very motivated requestors are willing to pay over a million dollars in additional fees for the records they originally requested.” Dated after April 1, 2014.
A-2014-00107: Export Control Issues and 0-Days. This ATIP provides a short summary of export control issues associated with cyber proliferation along with a raft of internal emails sending different news stories about 0-days and cyber mercenaries, with some comments interspersed. Dated 2013-2014.
A-2014-00059: Briefing material directly related to the CBC story on January 30, 2014 that CSEC used airport WIFI to track Canadian travellers. Please search records from January 1, 2014 through May 1, 2014. Most of the ATIP’s most interesting parts on on pp. 9-11 and pp. 14-18 and 37-44. Note that, apparently, the tool was to track terrorists, kidnappers, and foreign intelligence agents. This third category is new. (And noted on pp. 30). On pp. 14 there is a statement that the tool WAS used operationally, to the effect of “identify terrorist threats affecting Canadian and allied interests.” Thus, the assertions that this is ‘just’ an analyst model bely the fact that it was actually tested using dominantly Canadian data (firming up the position that Canada is CSE’s test population) and then implemented on the world (and, possibly, at home as RCMP/CSIS make requests for assistance). On pp. 27 they note that revealing the fact a Canadian airport was used as a seed “would be damaging in putting into question CSE’s SIGINT’s use of CND metadata”.
A-2014-00043: OPS-1-7: Operational Procedures for Naming in SIGINT Reports.
A-2014-00013: Most recent copies of operational document OPS-1-11 and OPS-1-14.
A-2013-00129:A detailed cost breakdown of the $300-million dollar payment CSE incurred in 2014. This ATIP outlines how much was spent by the CSE in developing their new headquarters.
CSE Organisational Chart (Image). Dated December 5, 2013.
“CSEC101”: Foundational Learning Curriculum. Date January 2013.
OPS-1-14: Operational Procedures for Cyber Defence Operations Conducted Under Ministerial Authorization. Dated December 2012.
Memo Regarding Updated Collection and Use of Metadata Ministerial Directive. This document explains how Ministerial Directives operate and also denote the number of Ministerial Authorizations being sought (1 SIGINT for supporting Canadian troops in Afghanistan, 1 SIGNT linked with CSE interception activities, and 2 SIGINT MAs for undisclosed interception activities.” Among the seven Ministerial Directives, there was one for assistance to federal law enforcement and security agencies, which updated a 2001 MD, and another on the Collection and Use of Metadata, which updated a 2005 MD on the same topic. There was no information bout other MDs. Dated 2011.
A-2012-01384: All internal audit and evaluation reports completed by or for Communications Security Establishment Canada in 2012. This includes the ‘High Assurance Products and Services Programs Evaluation (PAA 2.1.1)’ that was dated for December 2011.
A-2012-00938: Emails from September 21, 2012 that mention Huawei and/or refer to a Globe and Mail story published Sept. 21, 2012: ‘Ottawa casts wary eye on Chinese giant.’ Of note, on page 93, we find that “[t]oday, telecommunications equipment is undertaken by a small number of global vendors. Global manufacturing is susceptible to exploitation by foreign intelligence organizations seeking to exploit global supply chains for national advantages. The Communications Security Establishment Canada (CSEC) provides advice on a range of national security threats to the Government of Canada based on classified information that cannot be publicly disclosed.”
A-2012-00776: Briefing Note notes to the Minister and DM, media lines, ministerial directives, and correspondence prepared or exchanged by CSEC regarding the ministerial directive that was created to guide the CSEC collection of information for 2011.
A-2012-00690: Ministerial directives, final and draft media lines, memos and letters prepared or exchanged by CSEC regarding the ministerial directive that was created to guide the CSEC collection of “Information about Canadians” (metadata) for the period 2008. These documents relate, in part, to the OCSEC’s recent reviews which assessed the collection and use of metadata, as well as the support provided by the CSE to CSIS.
A-2012-00688: Ministerial directives, final and draft media lines, memos and letters prepared or exchanged by CSEC regarding the ministerial directive that was created to guide the CSEC collection of “Information about Canadians” (metadata) for the period 2005 and 2006. This includes messages between the OCSEC and CSE concerning the CSE’s collection of metadata.
A-2012-00543: Final Report Analysis of Darknet Space for Predictive Indicators of Cyber Threat Activity. Note that this was initially prepared by the National Cyber Forensics and Training Alliance (NCFTA) Canada.
A-2012-00397: Supply Chain Threats to Canada. This highly-redacted document indicates that CSE was mindful of supply chain threats, and multiple slides in the deck discuss threats or risks associated with Huawei technologies. At the time the briefing was prepared IT security requirements were not frequently included in procurement processes which made it difficult for the government to protect information and services; proactively the government was working with PWGSC to finalize its IT security contract clauses with CSE, as well as developing recommendations for inclusion in all It contracts with the government of Canada. Dated May 2012.
A-2012-00196: Briefing Note and Question Period notes to the Minister and DM, media lines, ministerial directives prepared or exchanged by CSEC regarding the suspension and resumption of domestic investigations for 2011.
A-2012-00194: Briefing Note and Question Period notes to the Minister and DM, media lines, ministerial directives prepared or exchanged by CSEC regarding the suspension and resumption of domestic investigations for 2009.
A-2012-00193: Briefing Note and Question Period notes to the Minister and DM, media lines, ministerial directives prepared or exchanged by CSEC regarding the suspension and resumption of domestic investigations for 2008.
A-2012-00188: Briefing Note and Question Period notes to the Minister and DM Minister, media lines, ministerial directives, and correspondence between the CSEC Chief and CSEC Commissioner regarding the ministerial directive that was created to guide the CSEC collection of information for 2009.
A-2012-00187: Briefing Note and Question Period notes to the Minister and Deputy Minister, media lines, ministerial directives, and correspondence between the CSEC Chief and CSEC Commissioner regarding the ministerial directive that was created to guide the CSEC collection of information for 2008.
A-2012-00186: Briefing Note and Question Period notes to the Minister and Deputy Minister, media lines, ministerial directives, and correspondence between the CSEC Chief and CSEC Commissioner regarding the ministerial directive that was created to guide the CSEC collection of information for 2007.
A-2012-00161: Briefing Notes to the Minister and Deputy Minister, media lines, ministerial directives, and correspondence between CSEC Chief and CSEC Commissioner regarding a July 28, 2011 article in the Globe and Mail titled “Canadian data used to detect foreign threats.” This briefing note provides advice to the minister on how to handle a range of possible questions, inclusive of whether CSE targets Canadians’ information (no, specific targeting of Canadians’ communications is not done, using the government’s interpretation of what ‘target’ means). Page: 9-10: discuss that while the CSE Commissioner did raise concerns about the ways in which Canadians’ information was collected, and the program which was collecting it was halted, it has continued under refined policy guidance. At no point does CSE believe that it ran afoul of Canadian law.
CSEC Foundational Learning Curriculum. Dated approx 2012.
Quantum Computing from an IT Security Perspective. This 1-page ATIP provides a high-level description of Quantum Computing. It notes that its academic partnerships have “focused on University of Waterloo’s Institute for Quantum Computing (IQC).” Undated.
A-2011-00970: Review of CSEC’s acquisition and implementation of technologies as a means to protect the privacy of Canadians – June 11, 2008.
A-2011-00969: Definitions. This document provides definitions for critical information, such as what constitutes a Canadian person, Target, the Global Information Infrastructure, and more. Dated March 2003.
A-2011-00968: Review of the process by which CSEC determines that entities of foreign intelligence interest are foreign entities located outside of Canada, as required by the National Defence Act – March 15, 2011. Of note, on page 4 target is defined as “to single out for collection or interception purposes.” On page 5 two kinds of targeting are noted; the first “allows SIGINT to direct its targeting activities at foreign entities located outside Canada and which are associated with foreign intelligence requirements”. The second is redacted. Per page 11 when the CSE provides to the CSE Commissioner the DoJ’s interpretations of law, used to justify CSE activities, the provision of such information does not constitute a waiver by CSE of its solicitor-client privilege. Finally, on page 58 we find that OPS-1, Protecting the Privacy of Canadians and Ensuring Legal Compliance in the Conduct of CSEC Activities is a cornerstone document for CSE protection of Canadians’ privacy.
A-2011-00967: Review of CSEC’s support to CSIS – January 16, 2008.
A-2011-00763: OPS-5-1 Operational Use of the Internet. This highly redacted document discusses Internet activities and associated risks, as well as best practices and definitions. The concluding annexes outline which systems can be used for which activities, as well as the matrix of approves systems vs kinds of Internet activity. Dated January 2005.
A-2011-00637: IT Security Bulletins. This sequence of bulletins provide information about government policy for the protection of Classified information, the security of PIN-to-PIN Blackberry messaging, guidance for the communication security of SECRET information, as well as a McAfee report that references Government of Canada victims of a hacking campaign and a discussion of best practices concerning emergency management notification systems. Dated March – September 2011.
A-2011-00566: OPS-1, OPS-1-13, OPS-3-1, and CSOI-4-3. This ATIP contains a range of CSE policy documents, including: OPS-1: Protecting the Privacy of Canadians and Ensuring Legal Compliance in the Conduct of CSEC Activities, 1 December 2010; OPS-3-1: Procedures for [redacted], 14 January 2011; OPS-1-13: Procedures for [redacted], 1 December 2010; CSOI-4-3: Protecting the Privacy of Canadians in the Use and Retention of Material for SIGINT, 11 April 2011.
OPS-1-10: Procedures for Metadata Analysis (June 2006 draft).

Department of Justice

Department of National Defence

A-2022-00081: MND Cyber Playbook–A DND/CAF Perspective. This ATIP (French and English) provides a high-level overview of how DND/CAF looks at cyber, with attention to deterrence, collaboration, coordination across government, and workforce development as essential to advancing DND/Canadian interests.
A-2017-00062. This ATIP pertains to IMSI Catchers detected by CBC-Radio Canada. Of note, on page 13 DND notes that IMSI Catchers were detected by CBC, and also raises the existence of Ability Inc, an Israeli firm that sells access to exploit the SS7 network. Companies providing services similar to Ability included Circles Bulgaria, Rayzone, and CleverSig.
A-2013-00910: Event Approval for NATO Cyber Defence Capability Team (CD CaT). This document requests permission to send one individual to represent Canadian interests at the NATO Cyber Task Force from June 30-July 5, 2013. Not participating was seen as damaging given Canada’s past contributions and Canada operating as the lead nation in another NATO Cyber Defence Initiative (the Multi National Cyber Defence Capability Project). Dated May 13, 2013.
A-2013-00390: Briefing note to the DG Cyber: “Innovation transfer and evaluation agreement” dated Feb. 22, 2013. This pertained to a short-range bio-detector device or system.
A-2013-00389: Briefing note to the DG Cyber: “Cyber ops working group visit to UK” dated Feb. 24, 2013.
A-2013-00005: Six most recent domestic intelligence reports created by the Canadian Forces National Counter Intelligence Unit.
A-2012-01220: Final draft of Defence S&T’s state of the art report on the science of cyber security as listed in National Defence’s 2011-2012 departmental performance report. Dated October 2012.
A-2008-01302: DND Cyber Organisational Charts. This ATIP includes the organisation charts for CSE, the IM Group, and the Canadian Forces Information Operational Group. Dated October 27, 2008 to November 23, 2008.

A-2019-03327: Possibility of Using Machine Learning and Artificial Intelligence to Identify an Individual in an Anonymized Dataset. This memo, in response to a MIT study of de-identification, provide advice to the Deputy Minister on re-identification of individuals in a dataset.

Global Affairs Canada

A-2021-00531: Canada’s International Cybersecurity Strategy and Cyber Diplomacy Initiative. I discuss the contents of this release, at length, in a post entitled “Findings and Absences in Canada’s (Draft) International Cybersecurity Strategy“. Dated January 1, 2021 – July 13, 2021.
A-2020-00492: All documents and information disclosed in the following prior requests: A-2019-01988, A-2018-02176, and A-2019-00879.
A-2019-01988: Meeting Talking Points for Deputy Minister of Foreign Affairs and NSIRA.
A-2019-00879: Memo on Canada’s International Approach to Cyber Security.
A-2018-02176: List of Reports Produced by IOL in 2018.
A-2018-01966: This 546 page ATIP includes discussions of foreign direct investment opportunities in Canada by Chinese companies, including Huawei. Pages 481-493 include a GAC powerpoint presentation entitled, “China Opportunities and Due Diligence.” The included emails showcase the routine efforts by the Canadian government to facilitate foreign direct investment, as well as some internal messaging following American trade barriers which were established. Documents cover the period of 2016-2018. The final two pages of the ATIP indicate the quick-effects of the arrest of Huawei’s CFO insofar as a conference about Weibo saw organisers tone down the positive messaging about Canada.

Immigration, Refugees and Citizen Canada

A-2016-11288RP. ATIP focuses, principally, on the denial of visas to Huawei employees, with the South China Morning Post (SCMP) assering that it was due to espionage concerns. Documents indicate that a discussion took place within government, and entailed development of lines to respond to press. Of note, on page 396 a Risk Assessment Officer with IRCC stated that “…I would recommend not reading the report. It is easier to talk about these files if we are just speculating and don’t know the details.” Stated in response to a chain where another person suggested that there would be value in reading a previously-issued report, presumably pertaining to immigration and security. On pages 432-496 we see records showing that one of the two Huawei cases was identified, and that had been flagged during assessment, with dialoguing within IRCC to communicate what was flagged.
A-2016-06768. This ATIP focuses on Huawei employees, and (I believe) the refusal to grant visas to some employees. The documents presented revolve around a South China Morning Post (SCMP) article that suggested Huawei employees were denied visas on the basis of espionage; emails show that the Department was scrambling to determine why these persons were, in fact, denied as well as speaking with an analyst to determine how national security decisions are actually made and adjudicated. The ATIP does not reveal how analysts engage in such activities, nor the specific reasons for which the Huawei employees were denied visas.

Innovation, Science and Economic Development Canada

A-2021-00174 (OCR): Records concerning the Government of Canada’s Online Harms Consultation. This lengthy 1000+ page ATIP provides copies of the submissions to the Government of Canada’s online harms consultation, which took place from late summer-early fall 2021.
A-2020-01469: This is an ATIP for all departmental information between 1 September 2020 and 26 March 2021 concerning Huawei and national security. Also part of this is a note that CSIS was working with universities to help them about foreign interference and potential threats that the students from abroad may feel from different countries (100). There is also a back and forth in the ATIP with Cssr. Lucki concerning ‘tips’ that are provided to the RCMP. Cssr. Lucki noted that, “As the volume oft h e tips increase, the threat percentage significantly declines. fI they are applicable to another agency, we will pass that on. Some might feel threatened, but fi it doesn’t meet the threshold then we don’t deal with it. Unfortunately, I don’t have the statistics of where the threats are generated from, just the number of tips. If we did have that information Icouldn’t share it. We might pass it on to the local police of jurisdiction” (102).
A-2019-00451: Records regarding Canada Infrastructure Bank exploring creating a public utility, investing in 5G in urban areas, public Wi-Fi and Next-Generation 9-1-1 services. This short ATIP just includes parts of an email chain that followed from the Logic posting an article about how the Canadian Infrastructure Bank had proposed developing a competing 5G network as a public utility to better serve rural customers. The chain indicates that, by the time that either the news outlet published the article or the participants in the chain had started discussing the issue, the government was believed to have moved past the proposal after setting it aside. Dated 2019.
A-2018-00168: This ATIP provides information concerning the 2015-2016 Lawful Access Initiative (LAI) Performance Management Report (PMR) 2015-2016. This ATIP includes points of clarification that ISED posed for Public Safety, with the most interesting elements of the documents coming from the partial disclosure of the LAI PMR. Page 5 refers to Green Report and seems to strike off encryption and data retention, while not striking basic subscriber information (BSI) and intercept-ready networks. Page 12 refers to challenges to obtaining BSI; access laws are listed as those linked with reasonable expectations of privacy, costs to industry, potential secondary uses by industry (unclear what this means), and transparency reporting requirements. Finally, page 16 makes reference to the challenges to obtaining intercept-ready networks, and includes public optics, initial infrastructure costs, ongoing maintenance costs, regulatory inflexibility, potential impacts on small providers, transparency reporting by industry and government, and bundling with other initiatives. It also refers to “Plan B” without greater explanation.
A-2018-00073: Examination of IMSI catcher and mobile device identifier devices (January 1, 2012 to April 24, 2018). The ATIP begins with an extensive report from Communications Research Centre Canada, titled “Technical Study on Privacy in Wireless Networks”. This 2014 study does a good job summarizing high level how wireless networks operate and associated privacy concerns. Items of note include that, on page 4, there isn’t a single thing to resolve privacy issues and, instead, a range of things must be done including work with providers, establish privacy metrics with industry players, work to steer international standards, and make sure CRC is available for relevant consultations. Of note, at the time of writing CRC was of the opinion that “… Canada’s wireless privacy is comparable with the US and behind Western Europe” (30). Page 31 moves to discuss the risks of IMSI Catchers and ease at which mobile communications can be intercepted using “recipes” from the public Internet with pages 38-39 continuing by noting that even on LTE you can obtain the IMSI, and that encryption isn’t a guaranteed to be implemented and thus must be tested to confirm transmission security. Page 40 discusses the possible ability to evade detection of using an IMSI catcher by actively compelling devices to attach to fake base station, which is using international (i.e. not licensed) spectrum. Pages 58-61 include a sample Harris Corp confidentiality contract. Page 90 notes that a company in the UK, Smith Myers Communication, sells an IMSI catcher that is referred to “the Artemis System”, and how it doesn’t interfere with emergency calls of non-targets, and can target mobile and non-mobile communications. It is an aerial system with a range of up to 25km and does not interfere with cellular networks. These were intended for Search and Rescue operations. Later in the ATIP, on pages 160-164, we see the RCMP’s draft 2016 policy for IMSI catchers/MDI devices and page 166 notes that the RCMP, at the time, had different policies for what warrants it used to obtain authorizations; sometimes they used a transmission data recorder order, in others a general warrant. Dated 2014-2017.
A-2017-01408: This ATIP includes information from ISED to the RCMP (and other agencies) concerning authorizations to the RCMP technical branch for the use of IMSI Catchers. Of note, this ATIP makes clear that the RCMP, OPP, Calgary Police, Winnipeg Police, all receive authorizations. Dated 2017.
A-2017-01164: Documents written by Huawei Canada that reference the 3.5 GHz spectrum, between May 1, 2017 and November 1, 2017. This set of documents is merely a briefing deck from Huawei about the uses of, and benefits of, 5G for everything from smart cities, to remote surgery and factory automation, to driving, as well as some of the standards work at 3GPP that are ongoing. Dated 2016.
A-2017-00632: 2014-2015 Lawful Access Initiative Report. One page 5 it discuses that the partners in the lawful access initiative include: CSIS, CSE, DoJ, ISED, Public Prosecution Service of Canada, PSC, and RCMP, and page 6 asserts that the limited funds through LAI are insufficient to address operational requirements. Moving forward to page 46, the ATIP documents note that the CSE is responsible for actual cryptographic techniques and decryption efforts pertaining to communications, though a number of earlier categories indicate tracking of how often materials are inaccessible to CSIS/LEAs. Dated 2016.
A-2017-00043: CBC or Radio-Canada story on MDI devices AKA IMSI catchers near Parliament Hill, March 27 – April 6, 2017. Page 1 discusses false positive, and potential to get the Certification and Engineering Bureau in ISED to evaluate IMSI Catcher detectors, “…even if only to debunk false positives reported in the media.” Dated 2017.
A-2013-00030-0001: First and final drafts of departmental responses to and emails regarding the Cyber Security Strategy Action Plan. timeline for request is Feb. 21 to March 15, 2013. Please exclude cabinet confidences and records originating from other departments.
A-2012-00734: Please provide all reports, including emails, reports, handwritten notes, memos, directives, briefing materials and letter sent and received about occurrences of computer hacking and other breaches of cyber security. The period sought is January 1, 2012 to March 11, 2013.
A-2012-00732: All briefing notes, memoranda, question period notes and reports to the minister between Sept. 1, 2012 and Feb. 28, 2013 regarding any of the following: cyber-security, IT security, IM security.
A-2012-00602: Any documents, including briefing notes, memos and reports, pertaining to the new policies on foreign takeovers released Dec. 7, 2012.
A-2012-00578: All records regarding ICANN’s list of proposed gTLDs created since June 1, 2012.
A-2012-00385: All talking points, briefing notes and correspondence related to CBC news report (by Greg Weston) on Huawei on May 15, 2012. There are no real documents of note in this ATIP; a former military person who held Secret clearance was upset Greg had a secret document and waved it around on CBC broadcast.
A-2012-00161: Records from May 23, 2012 to the present (June 7, 2012) concerning Research in Motion (RIM), including but not limited to correspondence, emails, reports, records, memoranda and final copies of briefing notes.
A-2012-00049-0001: Records from December 1, 2011 to the present concerning a possible foreign takeover of Research in Motion (RIM), and its impact on Canada, including, but not limited to correspondence, emails, reports, records, memoranda and final copies of briefing notes.
A-2011-00452: All records at Industry Canada about Bill C-30 from February 14, 2012, to February 29, 2012.
A-2011-00340: Any documents, including briefing notes, decks, backgrounders and reports, prepared since Jan. 1, 2011 pertaining to the foreign takeover of companies in Canada’s wireless sector, including companies that produce mobile devices and/or involved with wireless communications infrastructure. Please exclude any Investment Canada documents regarding specific takeovers being reviewed under ICA. Please exclude emails and provide documents in digital format (PDF on CD ideally) if possible. Please consider providing partial initial release of documents that don’t require consultations with PCO, other departments and/or third parties.
A-2009-00288: 1. All memos and reports on the subject of lawful access to communication and information over the Internet 2. A list of al parties with whom Industry Canada held discussions on the above mentioned subject 3. The timeframe for this request is from April 2006 to present (October 16, 2009).
A-2007-00169: Memos, decks and briefing notes since January 1, 2006, whose main topic is the issue of “Lawful Access” by Canadian police and security agencies to customer data held by Canadian telecommunication companies held by the Strategic Policy Sector.
Canadian Telecom Market and Drivers: Caught in the Web–Ottawa’s Implementation of Cyber-crime Treaty Requires Online Surveillance by xSPs. This brief prepared by IDC offers a background and overview of lawful interception/access requirements in Europe and the United States to set policy expectations for implementing the Cybercrime Convention. Dated August 2002.

NSERC

A-2019-00033: This 655 page ATIP includes the successful NSERC applications where Canadian universities partnered with Huawei. The ATIP is notable for identifying the faculty and universities which obtained the funding, as well as the names of the different projects which were funded. Also included are the “NSERC Strategic Network Agreement” on pages 119-158, which includes information such as the terms of controlling or managing intellectual property as well as export control information. Many projects are notable, such as studying for hardware vulnerabilities in continuous variable quantum communications. Pages 379-382, and 390, include listings of Huawei-supported research and the applicant name, though columns indicating whether and intellectual property agreement is on file, and intellectual property checklist is on file, or communications regarding intellectual property is on file are all redacted. Pages 543-560 include screenshots of an internal NSERC that identifies the kinds of questions that Huawei input as part of partnering with universities, though the values or responses to these questions have all been redacted. Some projects discussed in the ATIP were to be completed by 2022.

Office of the Communications Security Establishment Commissioner

A-2013-00084: A Review of CSEC Information Sharing with the Second Parties, CSE Commissioner report to MND, 17 July 2013.

Office of the Privacy Commissioner of Canada

A-2017-00026: Please provide the following briefing notes for the Commissioner Daniel Therrien in Nov. 2016: “7777-6-171215, Note – FTC Ashley Madison, ” “7777-6-171092, Briefing Note – Approach to lawful access by technology companies,” “7777-6-171347, Note to Cr – Facebook strategy,” “7777-6-171918, BN – Meeting with Canada Revenue Agency,” “7777-6-176219, Note to commissioner – letter of advice to PCO – Electoral Reform Strategy.” Pages 16-17 of the document involve the OPC declining to press an investigation into a company, who’s name is not revealed. The OPC asserts that they believe the company in question could, and should, develop and issue transparency reports despite the companies’ assertion that such reports would be expensive to develop. The discussions of lawful access in this report amount to internal advice concerning how companies respond to lawful requests for information, and being uncertain whether making local requests or utilizing MLAT are better approaches. Dated 2016.
A-2016-00261: Please provide the following briefing notes prepared for the Privacy Commissioner (CTS#,Title): “CTS-091893 – Facebook Strategy, CTS-092891 – Meeting with Canada Revenue Agency, CTS-092040 – Online Reputation – Summary of Submissions, CTS-092709 – Media analysis, CTS-092810 – Gone Opaque? An analysis of hyporthetic (sic) IMSI Catcher Overuse in Canada, CTS-092816 – Outline for Security and Intelligence Consultations”. The document outlines, in depth, the planned meeting with the CRA. This is particularly pertinent given the concerns in Canada about how effective the Agency’s data security and collection processes are. This briefing note is incredibly extensive, and provides insight into the difficulties faced, and challenges overcome, by the CRA. Of note, the summary provided of “Gone Opaque” report probably does a better job that the one its authors in summarizing the text. Other documents aren’t particularly interesting. Dated 2016.
Memorandum: Review of the Royal Canadian Mounted Police — Problems with statistics and identifying warrantless access files. This short memo outlines that warrantless access to subscriber data statistics which were released in a 2010 ATIP request were “inaccurate, incomplete, not current and they were not useful in identifying PROS files for review” (1). Statistics were inaccurate “because of lack of reporting, multiple reporting or overlapping reporting” (2). The result was that the OPC was unable to rely on, or use, the statistics generated by the RCMP. Dated October 2014.

Privy Counsel Office

A-2021-00388: Correspondence between the Privy Council Office and Global Affairs Canada on the topic of 5G, Huawei and Chinese suppliers for the period of June 1 to December 20, 2021.
A-2021-00387: Correspondence between Privy Council Office and Public Safety on 5G, called also “next generation wireless/telecommunications”, Huawei, Chinese suppliers, trusted suppliers, trusted vendors, non-trusted partners or the Prague Proposals.
A-2021-00386: Correspondence from the Clerk, the National Security Advisor, the Foreign and Defence Policy Advisor or Deputy Secretary to the Cabinet, Operations on the topics of 5G networks and Huawei. Timeframe: June 1, 2021, to December 20, 2021.
A-2018-00418: This ATIP entirely concerns Huawei and the Meng detention, along with briefing material to inform relevant officials about the public commentary and positioning of former security officials and the management of Canada’s ambassador to China, John MaCallum. Page 1-2: recites Canada’s opposition to China sentencing Canadian to death and recognition that the bilateral relationship matters to Canada. Page 10-11: summary of the initial state of play concerning the detention of Huawei’s CFO, Meng Wanzhou. Page 30: mention that the CSE’s review program has been in operation since 2013, and exclusively mentioned Huawei as a party that has been subjected to it (though doesn’t explicitly say that the company is alone in the assessments). Page 36-37: summarizes recent commentary by Canadian security officials (i.e., Ward Elcock, John Adams, and Richard Fadden) warning the Canadian government to abandon using Huawei equipment.
A-2018-00295: This ATIP pertains to the federal government’s use of IMSI catchers, as well as the use of those devices by federal agencies such as the RCMP. Page 11: a reporter asked a question to PCO about how parliamentary staffers should mitigate risks associated with IMSI catchers. Page 16: summarizes the old RCMP call about IMSI Catchers, when the service admitted to using them. Includes a note that the RCMP was getting jammer exemptions for some time, until they ‘realized’ that the devices were in fact not jammers and thus it was the improper mode of exemption/request. Page 87-88: responses to reporter asking whether ISED had approved the use of IMSI catchers, by way of issuing appropriate licenses. PSC maintains that authorizations from ISED had been obtained, and that any surveillance was conducted per the law (note: this ignores that the RCMP conducted numerous IMSI catcher operations w/o first obtaining warrant, as disclosed in the Adam press conference with G&M and TorStar).
A-2017-00362: This ATIP concerns a Bell data breach which occurred in 2017. There is nothing of note in this ATIP; this is just a sitrep (with redactions) about the fact that Bell had a significant breach. It was sent to Michael Wernick from David Vigneault via Daniel Jean.
A-2017-00311: This ATIP pertains to the FVEY 2017 Ministerial Joint Communique. Of note, on page 1 it notes that there “was significant back and forth on the encryption issue” but that PS thinks that there may be agreement in the FVEY ministerial language, though authors are unclear of Min. Goodale has provided final agreement. Page 8 contains internal recognition that Australia is driving the discussion to be had on encryption, and how it may enable undesirable activities (e.g., “access to target/terrorist data held by industry/social media providers”).

Public Safety Canada

A-2022-00434: This is a summary of PS-038158: Memorandum to the Minister – Privacy and National Security Concerns with TikTok, December 15, 2022, and includes a fact sheet on TikTok produced by the Intelligence Assessment Secretariat. Notably, the memorandum states that “[a]s of 2022, there are over 8 million Canadian TikTok users, ranging from 55% of teenagers to members of Parliament. It harvests their data, offering false public and governmental reassurances about data sovereignty and security.” Further, it notes that TikTok established a presence in Toronto after purchasing a Canadian company. The fact sheet asserts that, “[a]n Australian cybersecurity firm has concluded that most of TikTok’s access and data collection is not required for the app to function, and only serves as a “data harvesting” tool” and that “[s]eparate technical analysis highlights that TikTok conceals its data collection, including where that user data actually goes.” The fact sheet suggests that all TikTok data is available in China, and thus to the government, as well as the final statement that “TikTok–and its Chinese owner ByteDance–command the modern information environment, [REDACTED].”
A-2021-00008: Concerning Government of Canada Cyber Security and Repatriation of Syrian Fighters. This document includes media lines responding to a reporter in northern Iraq who is asking the federal government questions on its policies to repatriate Canadian foreign fighters. Dated October-December 2020.
A-2020-00246: Recent version of the Solicitor General’s Enforcement Standards. Dated January 1, 2020 – November 3, 2020.
A-2020-00219: All documents and information disclosed in the following prior request, A-2019-00086. This ATIP includes a list of documents, including: CSIS Proposed Response to McGill Academic Identified as Being Associated with Chinese Intelligence, 5G Network Review, CSE Proposed Response to Huawei, CSIS Government Engagement with Canadian Universities, Note on Huawei, Proposed Response to Cyber Security, Public Attributions of Cybercrime, Committee on National Security Meeting Notes, Memorandum for Minister of Public Safety on Project Sidewinder Report, Globe Article on China’s Crime Web in Canada, Draft Submission on Sidewinder for RCMP-CSIS Joint Review Committee, Review of CSIS Intelligence Activities, and Email from PFR Government Liaison on Project Sidewinder.
A-2018-00268: PS-023437 – Encryption. This document was created in the lead up/release of the Australian government’s document in 2018 on cryptography and the threat that it poses. Page 6 showcases how general warrants might be used to compel companies to assist with decryption and page 8 notes how wireline intercept have been developed on a voluntary basis with willing carriers, with the government largely responsible for funding. The same page notes that under the SGES there are decryption requirements, and under s. 487.01 of the Criminal Code (General warrant) the government could compel a company or provider to assist with decryption, though this hasn’t been tested in court.
A-2018-00078: All records pertaining to lawful access legislation and current status; timeframe January 1, 2016 to January 1, 2018. This is a lengthy, 676 page, ATIP that includes many items of note. Per page 7, some ISPs may only retain BSI-related information (e.g. IP information, I suspect…) for only 7 days. On page 27, in reference to Blackberry being able to decrypt BBM messages, Minister is advised to say, “While it would be inappropriate for me to comment about a company’s direct interaction with foreign law enforcement agencies, I can say that we expect Canadian companies to adhere to the laws of those countries.” Page 59 includes a series of news articles linked to CIPPIC/CitLab analysis on subscriber data from 2016. Pages 123-138 include a draft of the document circulated ahead of the 2016 meeting on access to subscriber information. It includes ‘questions’ like should an IP address be associated with BSI or function as a separate kind of data-type. Page 151 outlines comments drafted by CBSA in response to questions about how it deals with encrypted devices at the border (circa 2017). Page 153 includes a long list of responses to the CBC concerning encryption at the border, with CBSA asserting: It has not undertaken a PIA at the time, and relies on an Operational Bulletin; Per s. 99 of the Customs Act, CBSA officers can inspect electronic devices; CBSA does not retain stats on the regularity at which it conducts such inspections (p. 154); and Under s. 13 of the customs act, persons can be compelled to open any goods, and since a password is required to open a device then it can be compelled; failure can result in detainment and/or seizure of the device. Page 179 reveals that CBSA will not arrest persons for failing to open their electronic device, though the device may be seized; the decision to not arrest is a demonstration of restraint, as CBSA believes it has the right to arrest an unwilling person. Page 277 has a RCMP media line, where they decline to acknowledge or refute that they use IMSI Catchers on aircraft. On page 299 we find there was a FCM Paper on Encryption produced by Canada for the Australia event and, on 310, that Canada has penned a “Lessons Learned on Operation Syrian Refugees” in the context of refugees and migration. On page 330, Canada’s key message, when dialoguing with the Australian Attorney General on encryption, was: “In Canada’s view, while encryption poses challenges for Canadian law enforcement investigators, it also safeguards our cybersecurity and our fundamental rights and freedoms. Canada has no intention of undermining the security of the internet by impeding the use of encryption.” Page 345 references the Ottawa 5 in Australia meeting priorities (took place in June 2017), and which included “…improving and collective understanding of cyber aspects of export control issues.” A quote on 450 reveals that, “[i]f security and intelligence institutions do not provide citizens with adequate information, their understanding of security and intelligence activities will be formed through ‘leaks’, as seen with the Snowden documents, or through the media, as often seen with technological issues, such as mobile device identifier technology (IMSI Catchers). This puts security and intelligence institutions in the position of playing catch up, and damages the credibility of institutions.” Pages 477-480 contain a Ministerial Five Countries (MFC) briefer on encryption, ahead of the Australia meeting on encryption. Per page 478-479, while, on the one hand, the countries recognize the value of encryption for facilitating economic activities as well as those associated with the exercise of rights, they conclude that LESAs cannot always obtain access to data that is encrypted. As such, encryption poses a threat to public safety when only the recipient of the communication can control decryption; “Governments should be able to obtain decrypted evidence when it has lawful authority to do so in order to be responsible for protecting public safety and seeking justice.” Page 519 has a listing of the different Five Eyes forums, as well as their associated mandates. Forums include: Five Country Ministerial, Quintet of Attorneys General, Migration 5, Five Country Citizenship Conference (FCCC), Border 5 (B5), Five Nations (F5), Ottawa 5 (O5), Usual 5 (U5), Critical 5 (C5), Five Eyes Law Enforcement Group (FELEG). Finally, on page 583 we learn that Public Safety Canada has not addressed the recommendation from SECU/ETHI to make no changes to the lawful access regime with regards to Basic Subscriber Information (BSI) and encryption post-Spencer, and that the House Committee on Public Safety and National Security continue to study the area of cybersecurity.
A-2018-00021: Briefing note: PS-020796 – Request for Designation to Apply for Authorizations to Intercept Communications. This document indicates that the BC Combined Special Enforcement Unit is seeking to designate a redacted party to conduct electronic surveillance, and prepare and submit warrants to conduct associated surveillance activities. The request was granted, and the person requested to notify PSC whenever designated persons no longer require this certification so they can have their designation formally rescinded.
A-2017-00403: Briefing note: PS-019674 – Request for Designations to Apply for Authorizations to Intercept Private Communications. This ATIP captures Victoria Police, and Vancouver Police, seeking to provide designated authority to obtain authority to intercept communications per judicial warrants, all as remove persons who are no longer employed by the forces/to be designated as permitted to intercept communications.
A-2017-00207: All documents created by members of the Forbearance Working Group, SGES working group, and forbearance program. Page 1 indicates a delay in making a forbearance decisions, with a company having been “waiting for an answer from us for some time now.” Looking at the email thread, the request was made in November 2016, and a decision not yet reached in September 2017! Page 33 indicates that a TSP obtained a 24 month forbearance extension, coming into force somewhere around 2017. Page 36 indicates that a TSP obtained a 24 month forebearance extension, coming into force somewhere around 2017. Page 38 suggests there were two (2) forbearance letters drafted in 2016. Page 39 indicates that a TSP requested an additional forbearance request; presumably this is the same one noted on page 33. Page 41 indicates that a TSP obtained a 12 month forbearance; this may be the same one that obtained an extension on page 36. Pages 79-84 seems like 3 separate TSPs obtained forbearance from condition 6 a) in their COL, all dated in late September 2015. Pages 86-89 show that two separate TSPs obtained forbearance from condition 6 a) in their COL, dated mid-September 2016. Pages 99-100indicates that there is a CSIS or RCMP matrix which identifies the TSPs which have been granted SGES forbearance and, as such, do not have full intercept capability on some elements of their wireless networks.
A-2017-00170: All emails pertaining to the enclusion of a section regarding ‘encryption’ in the Five Eyes ministerial communiqué, released June 28 2017. Page 79 indicates that GoC received draft papers ahead of the Australia meeting pertaining to Intelligence and evidence, as well as encryption, and a draft of another document as well that was redacted. Page 88 includes a list of bullet points that highlight the government of Canada’s approach to encryption. This includes not proposing changes to lawful access as pertain to encryption, Canada remaining committed to ensuring the robust and wide use of encryption, the government not considering the adoption of backdoors, and continuing to evaluate options to ensure that Canadian LESAs have the resources and tools to deal with encryption.
A-2017-00038: Request Summary: Any applications under s. 191 of the Criminal Code to purchase, lease, or rent a Mobile Device Identifier, IMSI Catcher, or Stingray. Jan 1, 2017 – present. Page 1-5 includes a license allowing a vendor to sell IMSI Catcher to OPP. Pages 5-10 include a license allowing a vendor to sell IMSI Catcher to RCMP. Page 11-23 includes a license allowing a vendor to sell IMSI Catcher to RCMP, Durham police, and Winnipeg police, plus be licensed to demonstrate the product. Pages 24-26 include a license allowing a vendor to possess and sell IMSI catchers, with CSIS as the sponsor and 27-28 include a license allowing CSIS 2 licenses for IMSI Catchers. Pages 29-32 has a license allowing a party to possess IMSI catcher for demonstration purpose, sponsored by RCMP. Finally, pages 38-52 lists all the agencies which obtained licenses for operating IMSI catchers; includes: CSIS, RCMP, TPS, DND, Corrections Canada. Of note, some of the sensitivity of some of these correspondences/issuance of license are Protected, Protected A, some Secret, and one Confidential.
A-2017-00034: Request Summary: All documents pertaining to the CBC/Radio-Canada story on MDI devices (IMSI catchers) near Parliament Hill. Of note, on page 8 the RCMP refuses to confirm/deny that it uses IMSI Catchers on aircraft and on page 156, there is an indication that head of CSE (Greta) was in contact with the national security advisor (NSA) about what can be done to stop foreign providers from exploiting communications with IMSI Catchers.
A-2017-00033: All documents pertaining to the use of MDI devices (IMSI catchers) by Canadian security agencies. Page 55-57 of this ATIP include a briefing note to the Minister on IMSI Catchers. On page 55, we see that obtaining judicial authorization in 2017 was based on reasonable grounds to suspect that a crime has been, or will be, committed (i.e. transmission recorder standards). On page 55-56, “The RCMP does not use any ancillary collected data from non-targets (third parties) and immediately destroys this information following court proceedings, including appeal periods, and any specific orders from a judge.” Page 56 has a discussion of the decision to go public with IMSI Catcher related information; that decision was linked to public interest, effort to ‘correct’ misperceptions in public about abilities of devices, and (key!) “[t]his public shift is consistent with the approach taken by the United States Department of Justice and the Department of Homeland Security, which publicly announced and published information in the fall 2015 on the use of CSS technology by U.S. component agencies, including the Federal Bureau of Investigation.” Per page 95, “… MDIs used by the RCMP do not have the capability to monitor large groups of people, record calls, intercept the content of voice calls or text messages, or extract encryption keys used to conceal private communications.” Per page 96, “In situations where exigent circumstances exist, such as in the case of a kidnapping, imminent murder or terrorist activities, an MDI may be used without prior judicial authorization. In these situations, however, judicial authorization would be sought shortly after the deployment of the MDI … In 2015, the RCMP used an MDI in connection with 24 operational files, and only for priority criminal investigations including those linked to national security, serious and organized crime, and financial crime.” Finally, per page 97, when writing about Project Clemenza (Quebec case), “Notably, the redacted Factum, as it stands, reveals RCMP use of sensitive techniques, such as the RCMP’s use of the MDI as an investigative tool, or possession of an encryption key for a well-known cellular manufacturer.”
A-2017-00031: Request Summary: All documents pertaining to foreign entities using MDI devices (IMSI catchers) in Ottawa. This ATIP just has bullet points for speaking about MDIs in the aftermath of the CBC/Radio-Canada story concerning the detection of IMSI Catchers around downtown Ottawa.
Public Safety Report of Summary of Notable Submissions on Lawful Access (Green Paper). Dated around 2017.
A-2016-00342: All reviews focused on lawful interception and conditions and license. This ATIP entirely deals with transparency reporting by Canadian TSPs/ISPs, and is the result of research and work by the Citizen Lab. Per page 2, the Investigative Technologies and Telecommunications Policy (ITTP) division did work to ensure the maximization of lawful interception capabilities under the existing regulatory framework. Page three includes a quotation that, “Over the past several years, IC officials have had difficulties in monitoring TSPs’ compliance with the lawful interception condition of license…PS direct engagement with license holders to assess their compliance level will reduce the burden on IC and provide the Portfolio with valuable information on the interception capacity currently available.” Page 23 indicates that PSC would undertake an effort to “educate” the public on the merits of lawful access/interception; the goal would be, specifically, to “explore the merits of citizen engagement as a way to seek views on the appropriate balance between security and privacy, as well as to address misinformation regarding lawful access in the public environment.” Page 24 includes an informational memo that is seeking authorization to conduct closed meetings concerning TSP transparency efforts, with regards to lawful access and basic subscriber information (BSI) requests from government agencies. Page 28 has a follow up memo to that on page 24; it showcases that Citizen Lab is significantly responsible for transparency reporting by TSPs following its efforts. These efforts, plus the OPC calling for mandatory reporting in 2014, plus order paper questions (Borg), along with American releasing reports that have led to the pressures on Canadian industry. Page 29 continues to note how the influence of the US companies is a significant driver of transparency efforts, and has arisen due to a perceived imbalance between privacy and security. Page 56 has a memo regarding a meeting with TELUS about transparency reporting.
A-2016-00334: All documents pertaining to leaks of American National Security Agency documents by Edward Snowden (Part 1 | Part 2 | Part 3 | Part 4). Note that this is a *very* large ATIP that comes in at 14,810 pages. Part 1 (4000 pages): pages 44-942 are almost entirely composed of the media clippings collected by PSC and published internal on a daily basis. The remaining pages are almost exclusively either PSC news clippings or the news clippings for the CSIS Executive News Summary. Part 2/4 (4000 pages) comprises the PSC and CSIS Executive News Summary media clippings. Part 3/4 (4000 pages) comprise the PSC and CSIS Executive News Summary and RCMP summary media clippings. Part 4/4 (4000 pages) comprise the PSC and CSIS Executive News Summary media clippings.
A-2016-00340: All documents regarding telecommunications companies compliance with Solicitor General’s Enforcement Standards. Page 22 indicates that a TSP requested a SGES forbearance extension; TSP is not identified. Page 24 indicates that a TSP requested a SGES forbearance extension; TSP is not identified.
A-2014-00108: Electronic communications, invoices, memos, briefing notes (final version) and reports from January 31, 2012 to July 18, 2014 concerning the decryption of communications or data that has been encrypted by application service providers (Skype, Gmail, Facebook Chat, etc.), for law enforcement or intelligence purposes.
A-2013-00262: Documents pertaining to the Industry Canada 700MHz auction, as linked with lawful access legislation and requirements. (Part 1 | Part 2). In the Part 2 pdf, page 8 includes the following quotation: “According to the federal annual reports on the use of electronic surveillance, on average, 131 authorizations were granted each year from 2000 to 2011. For the same period, only 4 applications or renewals were refused, and 14 authorizations were granted for interceptions under exceptional circumstances (s.188 of the Criminal Code). Of the 131 authorizations granted per year, an average of 110 (84%) were granted under audio surveillance (s.185) and nearly all the remaining authorizations were granted for video surveillance (s.487). // For the 131 authorizations granted per year, an average of 945 interceptions (79% of the total) were conducted by means of telecommunications, with the remaining 255 interceptions conducted by microphone, video and other means. This gives a grand total of 1,200 interceptions per year, and an average of 9 interceptions per authorization.” Page 82 notes that Bill C-30 would have applied to Canadian application service providers (ASPs) and “thus would have compelled those companies to assist agencies in obtaining intercepted communications or other electronic data.”
A-2013-00261: Documents pertaining to Lawful Access Legislation, Bill C-30. (Part 1 | Part 2)
A-2013-00122: Ministerial Directives on information sharing with foreign entities (issued for CSIS, CBSA and/or RCMP), between Jan 1, 2011 to June 19, 2013. (Part 1 | Part 2) Disclosed in part; 309 pages Original: any records relating to: 1) The present status (including any revisions of or changes to) Ministerial Directives on information sharing with foreign entities (issued for CSIS, CBSA and/or CSIS); 2) Circumstances in which these Ministerial Directives have been used in or applied to information sharing with foreign entities; or 3) The compatibility of these Directives with Canadian or international legal obligations CLARIFICATION (June 19, 2013): Any records relating to: 1) The present status (including any revisions of or changes to) Ministerial Directives on Information sharing with foreign entities (issued by CSIS, CBSA and/or RCMP); 2) Circumstances in which these Ministerial Directives have been used in or applied to information sharing with foreign entities; or 3) The compatibility of these Directives with Canadian or international legal obligations. TIMEFRAME: January 1, 2011 to June 19, 2013 CLARIFICATION (June 21, 2013), Do NOT include emails unless relevant records are attached. And do NOT include Cabinet Confidences. CLARIFICATION (June 24, 2013): Final Documents only.
A-2013-00070: Hacker group Anonymous – especially on ‘#OPPartyCrasher’, from January 2012 to May 9, 2013.
A-2013-00065: All briefing material prepared for the ADM level and above for and about the Federal, Provincial and Territorial Assistant Deputy Minister Committee on Cyber Security identified in the Action Plan 2010-2015 for Canada’s Cyber Security Strategy. Timeline: Jan. 1, 2011 to present. Please exclude cabinet confidences and records originating from other departments.
A-2013-00020: All records regarding cyber threats (both possible and actual) against election systems, including, but not limited to, the use of electronic voting machines, internet-based voting and systems that print and mail out voter cards. Exclude cabinet confidences. Clarified: Final copies only between January 1, 2011 to April 10, 2013.
A-2012-00715-0001: Lawful interception-related documents. Of note, page 3 notes that government wants to extend intercept to include VoLTE, for voice only, to maintain intercept capability. Page 9 notes that while there might be additional software costs in intercepting data over 700Mhz as opposed to just voice, it is possible to intercept the data. Page 18 recognizes that Canada is a small market and thus cannot expect “tailor-made equipment standards from international equipment manufacturers… LEAs cannot cherry pick from a variety of different standards.” Page 18 also includes the following quotation: “At a minimum, allow Regulations to recognize role of commercially available industry standards to meet LA obligations (ideally = Meeting a standard should = safe harbour for compliance).” Per page 19: “The 1 in 5,000 subscribers capability requirement is significantly higher than other jurisdictions.” Page 27 indicated the federal government is involved in approx 18K/year wiretaps/intercepts, and warrants/court orders. Breakdown is approx. 6K communications intercepts/wiretaps across all platforms (e.g. wireline, wireless, internet) and 12K for CDRs. Page 27, also, indicates approximate 1.13 million/year subscriber information requests.
A-2012-00471: Briefing material to DM re: IT security, IM security and cyber security from Jan. 2012. (Part 1 | Part 2)
A-2012-00470: All briefing notes, memoranda, question period notes and reports to the Minister between Sept 1, 2012 and Feb 28, 2013 regarding any of the following: cyber-security, IT security, IM security. Please exclude cabinet confidences. (Part 1 | Part 2)
A-2012-00462: Documents pertaining to lawful access legislative reforms.
A-2012-00459: All correspondence and briefing notes prepared for the minister and senior department officials on Integrated Cross-border Law Enforcement, including the Next Generation of Integrated Cross-Border Law Enforcement from January 1, 2012 to February 22, 2013. Clarified: Records containing Cabinet Confidences are to be included.
A-2012-00457: SGES/Lawful Interception of Telecommunications as pertain to the 700MHz consultation and debates of extending LI to the new spectrum.
A-2012-00456: All documents and records from September 1, 2011 to June 1, 2012 prepared by Public Safety Canada related to the Hacker Group Anonymous and records from the Canadian Cyber Incidence response centre during this period. (Part 1 | Part 2)
A-2012-00336: Information from the National Cyber Security Directorate. The request is for all documents, including but not limited to briefing notes relating to recent cyber crime bills from Sept 2012 to Dec 4, 2012. I am not interested in emails. I am also not interested in cabinet confidences.
A-2012-00333: Records from Oct 1 to Dec 3, 2012 concerning Bill C-30 currently before Parliament (please exclude drafts, duplicates and obvious cabinet confidences).
A-2012-00331: Records from Aug 1 to Dec 3, 2012 concerning plans for inter-agency review mechanism to oversee security intelligence activities/agencies further to the recommendations of the federal Air India inquiry. Please exclude drafts, duplicates and obvious cabinet confidences.
A-2012-00328: All briefing notes, presentations, summaries, slide decks, speaking notes and recordings created and/or held by the department related to the most recent conference on cyber security and Canada’s critical infrastructures organized and hosted by the government of Canada. Please exclude records originating from other departments.
A-2012-00324: Records of consultations involving the Public Safety Minister or the department re: the Investment Canada Act, from Jan 1 to Nov 21, 2012. I understand the Industry Minister may consult the PS Minister with regard to national security considerations under the Act when it comes to proposed foreign investments.
A-2012-00266: Original: Emails and final drafts of reports evaluating the level of cyber security capabilities in Canada’s private sector. Please exclude cabinet confidences. Clarifies 22/10/12: Emails and final drafts of reports evaluating the level of cyber security capabilities in Canada’s private sector from January 1 2009 to October 22, 2012. Please exclude cabinet confidences. (Part 1 | Part 2)
A-2012-00265: All briefing materials to the ADM level and above from Jan 1, 2009 to Jan 1, 2010 re: Canadian Cyber Security Strategy. Please exclude cabinet confidences.
A-2012-00264: Original: All briefing material from the ADM level and above re: cyber security capabilities in government of Canada systems. Please exclude cabinet confidences. Clarified 22/10/12: All briefing material from the ADM level and above re: cyber security capabilities in government of Canada systems from January 1 2010 to October 22 2012. Please exclude cabinet confidences. (Part 1 | Part 2)
A-2012-00249: All records from Jan. 1 to October 15, 2012, related to Chinese espionage in general, and/or related to the company Huawei. Please limit emails to those of the director level and above. Exclude possible cabinet confidences. Modified on 26/10/2012: All records from Jan. 1 to Oct. 15, 2012, related to company Huewei [sic] and espionage. Please limit emails to those of the director level and above. Exclude possible cabinet confidences. (Part 1 | Part 2)
A-2012-00242: ORIGINAL: All briefing notes and memoranda from November 1, 2011 until October 11, 2012, concerning the sharing of information and intelligence with US officials. Please provide identifying reference information for all material provided, as well as providing section, page and/or paragraph information when the complete source is not provided. REVISED on October 22, 2012: Final versions of all briefing notes and memoranda to the Deputy Minister and the Minister from November 1, 2011 until October 11, 2012, concerning the sharing of information and intelligence with US officials. Exclude any records believed to be cabinet confidences. Please provide identifying reference information for all material provided, as well as providing section, page and/or paragraph information when the complete source is not provided. Where there are binders, the request can be limited to relevant pages only. REVISED on Oct. 23, 2012: Final versions of all briefing notes and memoranda to the Deputy Minster and Minister from November 1, 2011 until October 11, 2012, concerning the sharing of information and intelligence with US officials. Exclude any records believed to be cabinet confidences. Please provide identifying reference information for all material provided, as well as providing section, page and/or paragraph information when the complete source is not provided. Where there are binders, the request can be limited to relevant pages only.
A-2012-00146-2: All final briefing notes/memos delivered to the Minister from April 1 to July 30, 2012 (exclude cabinet confidence). Note that this only includes part 2 of the release; I lack access to part 1.
A-2012-00115: All intra-departmental and inter-departmental correspondence (letters, memos, email) and minutes of meetings, as well as correspondence exchanged with private industry and advocacy groups, relating to: (1) the decision to go back to the House Public Safety Committee after First Reading of Bill C-30 (Protecting Children from Online Predators Act) instead of proceeding to Second Reading; and (2) the reaction of industry and online advocacy groups to the First Reading of Bill C-30. Final versions only. Period: February 1, 2012 to March 1, 2012. (Part 1 | Part 2)
A-2012-00113: All intra-departmental and inter-departmental correspondence (letters, memos, e-mail) and minutes of meetings, as well as correspondence with private corporations and regulatory bodies, regarding requests made by law enforcement agencies to ISPs or online entities to gain access to Internet users’ personal information. Final versions only. Period: January 1, 2011 to present. – The request is meant to include all telecommunications service providers. – The type of information I was thinking includes name, address, phone number, current location based on cell-phone signals, websites visited, e-mails, texts, phone calls or Skype conversations sent and received. – I’m looking for statistics – the number of requests made to each telecommunications service provider, in what time frame and for what category of personal information – I’m also looking for correspondence related to those requests – the requests themselves as well as discussions around what can and cannot be requested.
A-2012-00076: Memos and briefing notes from March 1, 2012 to the present (June 21, 2012) produced by Public Safety concerning the Security Intelligence Review Committee’s assumption of duties that have previously been performed by the Inspector General of the Canadian Security Intelligence Service. If the records in each language are identical (or very close), please just process the English ones. (Part 1 | Part 2)
A-2012-00024: Any briefing notes, memos or correspondence prepared since Jan. 1, 2012 regarding foreign ownership in the telecommunications or telecom equipment sectors. Please exclude emails, documents originated by other government departments or agencies, and information already in the public domain.
A-2012-00016: Any documents, including briefing notes, decks, reports and correspondence, prepared since July 1, 2011 pertaining to the government’s Cyber Security Strategy. (Part I | Part 2) Please exclude emails, any documents already in the public domain, and any documents prepared by the Canadian Cyber Incident Response Centre. Clarified May 1: Documents prepared since July 1, 2011 pertaining to the government’s Cyber Security Strategy. Please include any briefing notes, decks or correspondence (memoranda and formal letters) regarding: 1) progress made against CSS goals since July 1, 2011; 2) work done on policy initiatives since that date; 3) work done in the area of engagement; 4) performance measurement. Please exclude emails, talking points, any document originated by other departments or agencies, any documents already in the public domain, and any documents prepared by the Canadian Cyber Incident Response Centre. You may also exclude any documents regarding the third pillar of strategy, helping Canadians to be secure online. Clarified May 2: Final versions of records only Clarifies July 12: I’m only interested in English copies. I agree to sever non-relevant docs Here are the documents I don’t need: – Cab confidences; Travel authorization forms and hospitality; Renewal memberships to various associations; QP notes; You can also omit anything before Nov 1, 2011.
A-2012-00010: This document was filed to obtain information about the government of Canada’s lawful access and customer name and address policies, circa 2007-2011.
2012–Lawful Access Regulations Documents: This ATIP includes the regulations that were being proposed to apply to TSPs, should a lawful access bill including interception obligations pass the House: these are proposed regulations, as opposed to legislative language.
A-2011-00220: All records from March 1 to November 4, 2011 about Canada’s privacy commissioners’ positions on the proposed lawful access bills.
A-2011-00255: In a letter from Minister Toews to MO Charlie Angus dated Nov 29, 2011, Toews states ‘the Government has consulted further with law enforcement and justice officials and determined that a warrant requirement for basic subscriber information would negatively impact the ability carry out investigations and would introduce an additional burden on the criminal justice system. I request all records related to these consultations including a list of specific meetings and any evidence substantiating the negative impact on investigations.
Solicitor General’s Enforcement Standards (Non-Annotated and Non-Redacted) (Annotated) (Redacted). Current as of November 17, 2008.
Solicitor General’s Enforcement Standards for Lawful Interception of Telecommunications – Compliance Table (2007)
Any and all ministerial directions issued to the RCMP by the Solicitor General or the Minister of Public Safety and Emergency Preparedness concerning the conduct of national security related investigations. This set of documents includes three Ministerial Directions that are minimally (if at all) redacted. Specifically, they pertain to national security responsibility and accountability, to national security related arrangements and cooperations (largely discussing foreign arrangements), and to national security investigations in sensitive sectors (e.g., academia, politics, religion, the media, and trade unions with specific guidance regarding universities and post-secondary campuses). Dated October 31, 2003.
Solicitor General’s Enforcement Standards for Lawful Interception of Telecommunications – Compliance Table (Rev. 4/25/2001)
National Law Enforcement Standards (Rev. Feb 11, 1998)
Solicitor General’s Enforcement Standards for Lawful Interception of Telecommunications – Compliance Table (Rev. Oct 28, 1997)
Solicitor General’s Enforcement Standards for Law ful Interception of Telecommunications (Rev.Nov.95)

Royal Canadian Mounted Police

A-2021-03051: This includes some emails (uninteresting) about Huawei, copies of the 2020 Cyber Threat Assessment, and planning information associated with the public safety portfolio following the Biden Administration; this latter item, on pages 87-89, may provide some insights into the government’s thinking prior to Biden’s administration coming to power.
A-2018-RCMP-Technology: This ATIP broadly addresses issues of policing capabilities, new technologies, OSINT, as well as misclassification of criminal reports and border crossing information. Of note, on page 11 we find that “[p]olice powers in relation to other strategic priorities such as combatting organized crime, reducing youth involvement in crime, and economic integrity also continue to evolve. Police authority to use investigative techniques, such as access to social media accounts and phone records, while respecting privacy rights is still to be clarified. Technological advances present both opportunities and challenges to police. For example, police attempt to keep pace with technology available to cloak organizations and identifies both for their own use and to investigate crime and criminal organizations who make use of these technologies. These same technological advances also pose HR challenges for the organizations, as the RCMP must ensure that personnel have the skills sets necessary to adapt to working with rapidly changing technology.” Per page 11: “The RCMP is also being influenced by the Government’s focus on delivering results for Canadians, using evidence-based decision-making, and fostering accountability … This Policy requires departments to establish Departmental Results Frameworks (DRF), Program Inventories and Performance Information Profiles to foster resources expended in the process. These requirements are posing a particular challenge for the RCMP given the diversity of the organization’s programs and services, and the difficulty of developing meaningful performance indicators.” On page 19, we find that both reviews forthcoming for how the RCMP collects and handles open source intelligence (OSINT) as well as the Counter Technical Intrusion (CTI) Program. This latter program entails providing “technical security assistance to all federal departments, crown corporations and agencies.” Page 27 notes there will be a future audit of the RCMP’s use of unmanned aerial vehicles (UAVs) as well as an assessment intended to determine “whether the RCMP’s monitoring of closed national security investigations assesses as low-to-no risk is consistent with policy and process requirements.” Pages 77-78 report how severe the ‘misclassification’ of sexual assault reports are within the RCMP. “A total of 2,225 unfounded [sexual assault] files were reviewed and, as a result, it was concluded that 1,260 unfounded cases were misclassified and 284 files were identified for further investigation.” Per page 80, “[p]rior to 2017, RCMP information related to interceptions [capture of people irregularly crossing the border] was captured annually, and did no differentiate between interceptions related to asylum seekers and other forms of interceptions (e.g., human smuggling).” Pages 83-84 provide a set of tables which identify the precise numbers of irregular migrations that were intercepted by the RCMP at the border. Showcases that Quebec has a massive number of persons migrating irregularly (approx 18K in 2017, on similar track for 2018), followed by Manitoba (1K in 2017) and BC (700 in 2017).
A-2016-00215: This ATIP concerns the use of encryption as it pertains to law enforcement in Canada. This document summarizes to the Minister the difficulties that the RCMP has identified regarding its ability to capture information of suspected criminals. It is written with the intent of contrasting Canada with close allies, including the United States, UK, Australia, and New Zealand. The RCMP propose shifting the lawful access debate to one of ‘going dark’, with a focus on: interception capabilities, use of encryption by criminals, lack of ‘adequate’ data retention; and challenges of MLAT operating successfully. The RCMP make particular note of the encryption-related ‘going dark’ challenges; this stands in contrast to lobbying efforts it took in November 2016, where the head of the RCMP asserted that the agency was not seeking mandatory decryption capabilities, but that basic subscriber identification was a more prominent concern. Significantly, the RCMP notes that it and other agencies in Canada and abroad should speak with a common voice to develop ‘clout’ when facing off against technologists, academics, and civil society advocates. Such clout is needed to advance challenging legislation or regulatory solutions. Left unstated, such solutions might not require the government to first pass authorizing legislation, as was prior attempts to extend the SGES absent the Parliament first passing lawful access legislation. Dated February 2016.
A-2014-02766: Requests for Subscriber Information/TSP Production Order Costs (Annotated).
A-2012-01201: This is the CPIC reference manual.
A-2011-06549: All records relating to lawful access/electronic surveillance techniques from October 1, 2010 to present.

Shared Services Canada

A-2013-00020: Any and all reference to cyberhacker group Anonymous in reports and emails to and from CSEC dating from August 2011 to present (June 20, 2013). Page 202-203 reveals that the duty analyst doesn’t have PKI set up, and so SSC/CSE is asked to send relevant files to other person who will subsequently provide to the analyst. This showcases challenges in setting up encryption/PKI as a security measure. On page 220-223, SSC recommends to PSC that anonpast.me be taken down due to its being used to coordinate DDoS against GOC. PSC doesn’t immediately consent due to the high profile nature of the site; a call is to be set up to discuss equities.
A-2012-00049: Investment Canada Act and Foreign Takeover of Blackberry. This ATIP pertains to the Government of Canada’s Investment Canada Act, and the conditions under which Canada might reject a foreign takeover of RIM/Blackberry. Page 4 notes that ICA review takes place when a non-Canadian wishes to acquire control of an asset valued at $330 million (CAD) or more and page 34 includes the Minister’s briefing notes for discussion with new RIM CEO. These notes include a discussion concerning export controls/cryptography, though it’s not clear what, specifically, they spoke about beyond “administrative changes” by DFAIT. Dated December 2011 – March 2012.

Transport Canada

A-2012-00008: Issuance of UAV Licenses and Draft UAV Issue Paper. This ATIP contains answers to a reporter’s questions concerning the number of SFOCs that were issued (293 applicants and for approximately 1, 000 UAVs), media lines explaining relevant laws governing UAVs in Canadian airspace, training requirements, and recognition that LEAs can use drones “provided they comply with Transport Canada regulations and obtain the required SFOC” (13). Page 16 also details the number of SFOC applications that were rejected by region. The Issue Paper (pages 22-26) outline considerations for establishing restricted airspace for UAVs, as well as recommendations; many of these recommendations include ‘TBD’, which is indicative of the early stage of the government’s regulation of UAVs. Dated 2011-2012.

Treasury Board of Canada

Cabinet Committee on Priorities and Planning, June 8, 2010. This document outlines the business need and rationale for Treasure Board to approve funding enterprise communications and infrastructure upgrades for CSIS’ foreign stations communications. It is suggested that the Minister approves the dispensation of funds. Dated June 8, 2010.

Technology, Thoughts & Trinkets

Touring the Digital Though Type

ATIPs

Canadian Armed Forces

Canadian Security Intelligence Service

Communications Security Establishment (CSE)

Department of Justice

Department of National Defence

Global Affairs Canada

Immigration, Refugees and Citizen Canada

Innovation, Science and Economic Development Canada

NSERC

Office of the Communications Security Establishment Commissioner

Office of the Privacy Commissioner of Canada

Privy Counsel Office

Public Safety Canada

Royal Canadian Mounted Police

Shared Services Canada

Transport Canada

Treasury Board of Canada

Canadian Armed Forces

Canadian Security Intelligence Service

Communications Security Establishment (CSE)

Department of Justice

Department of National Defence

Employment and Social Development Canada

Global Affairs Canada

Immigration, Refugees and Citizen Canada

Innovation, Science and Economic Development Canada

NSERC

Office of the Communications Security Establishment Commissioner

Office of the Privacy Commissioner of Canada

Privy Counsel Office

Public Safety Canada

Royal Canadian Mounted Police

Shared Services Canada

Transport Canada

Treasury Board of Canada