Home / Pulling Back the Curtain on Canada’s Mass Surveillance Programs – Part Two: The CSE Secret Spying Archive

Pulling Back the Curtain on Canada’s Mass Surveillance Programs – Part Two: The CSE Secret Spying Archive

Read Part 1: Pulling Back the Curtain on Canada’s Mass Surveillance Programs – Part One: A Decade of Secret Spy Hearings

The BCCLA is sharing over 4,000 never-before-seen pages detailing the Communications Security Establishment’s (CSE) surveillance practices.

These documents paint a picture of a powerful spy agency in dire need of oversight. Read on to learn more. 

Introduction

A key aspect of any legal proceeding is the discovery process, where both parties are required to disclose all relevant documents in their possession, regardless of whether they support or undermine their position. In the context of national security litigation, this process can be challenging for claimants. Courts tend to give significant weight to claims of secrecy by national security agencies, particularly when it relates to specific methods used by these agencies.

As part of the case these released documents come from, the Federal Court granted the government’s request that the hearings be conducted in secret, and that the related court files be sealed to prevent public access. These measures were allowed despite the fact that all documents were heavily redacted to conceal sensitive national security information. It seemed the public might never be allowed to learn important details about CSE’s spying programs or the BCCLA’s court case challenging them.

That changed when Bill Robinson, a researcher who worked with BCCLA on the case, made a request for the documents under the Access to Information Act. CSE initially refused to release them, claiming litigation privilege. Robinson then made a formal complaint to the Information Commissioner, which the commissioner upheld. Finally, CSE agreed to release the documents with no additional redactions, and the government agreed to lift the implied undertaking of confidentiality, allowing the BCCLA to share these critical documents with the public.

Document Contents

Even with these heavy redactions, the documents paint a picture of a powerful spy agency in dire need of oversight.

Despite rules against targeting Canadians, CSE regularly collected Canadians’ communications, shared Canadians’ information with third parties, chose to protect those intelligence sharing relationships over the privacy of Canadians, and prioritized its continued operation over all else.

These documents total over 4,900 pages, making up 284 individual documents and focus on the period immediately before the litigation was filed, from the mid-2000s to mid-2010s.

The documents fall into 3 broad categories:

1. Ministerial Authorizations, Ministerial Directives, and Memoranda of Understanding

Ministerial Authorizations and Ministerial Directives are documents signed by the Minister of National Defence. Ministerial Authorizations grant CSE authorities to conduct various classes of surveillance activities, while Ministerial Directives provide instruction on how to exercise those authorities.

The documents in this batch include:

Ministerial Authorizations from 2010 – 2015;

Ministerial Directives relating to:

  • the collection and use of metadata [1];
  • measures necessary to protect the privacy of Canadians [2]; and
  • information sharing with other governments when sharing the information creates a “substantial risk of mistreatment” [3];

Memoranda from the CSE chief requesting the Ministerial Authorizations and Directives and providing rationales for granting them; and

Memoranda of Understanding (“MOUs”) between CSE and various government agencies or departments allowing CSE to provide assistance with various matters, including computer network security, and often allowing CSE to intercept that agency or body’s communications. MOUs were signed with:

  • Canada Revenue Agency (CRA) [4];
  • Canadian Forces [5];
  • Canadian Nuclear Safety Commission [6];
  • Canadian Security Intelligence Service (CSIS) [7];
  • Department of Foreign Affairs and International Trade (DFAIT) [8];
  • Health Canada [9];
  • Public Works and Government Services Canada [10];
  • Natural Resources Canada [11];
  • Royal Canadian Mounted Police (RCMP) [12]; and
  • Shared Services Canada [13].

2. Policy and operations manuals

These documents include a wide array of CSE policy and operations manuals that guide the activities of the various branches of CSE and the agency as a whole. These include multiple documents from the following series:

  • Operational Policy Series (OPS);
  • Canadian SIGINT Operations Instructions (CSOI);
  • IT Security Operational Instructions (ITSOI);
  • Canadian SIGINT Security Standards (CSSS);
  • Policy and Communication Instructions (PCI); and
  • SIGINT Programs Instructions (SPI).

3. Reports and reviews

These documents cover a wide range of subjects, including public annual reports from the CSE Commissioner,[14] CSE reports to the Minister of National Defence,[15] and previously secret documents detailing failures by CSE to follow its own procedures intended to protect Canadians’ information,[16] and transferring information about Canadians to its Five Eyes partners without properly removing identifying information.[17]

7 Key Takeaways

1. A glossary of CSE’s vocabulary and non-standard use of words

Like many government agencies, CSE has developed a set of jargon and acronyms that can seem designed to be impenetrable to the public. The documents allowed us to produce a glossary of CSE terminology to assist you in reading them and other public documents released by the CSE. The documents also reveal how CSE redefines common words to create its own vocabulary. These non-standard definitions provide a misleading impression of CSE’s actions to the public, and potentially to the ministers tasked with authorizing CSE’s surveillance powers.

One example of this is the verb “intercept”. In common usage, intercepting a communication would mean getting the contents of a communication between two people, like a wiretap or reading someone’s mail. Even in the Criminal Code, “intercept” has a broad meaning that aligns with the common understanding of the word: “intercept includes listen to, record or acquire a communication or acquire the substance, meaning or purport thereof.”[18]

CSE’s definition of “intercept” is much narrower. They say a communication is only “intercepted” when it is “selected by CSEC on specific criteria, and is sent from the [REDACTED] to CSEC traffic repositories”.[19] Using the CSE’s vocabulary, taking a copy of an instant message as it moves across the internet is not “interception” – it is merely “collection.

2. CSE was not allowed to target Canadians but regularly collected Canadians’ information and received it from foreign partners

Under both the National Defence Act (NDA) regime and the new CSE Act regime, it is clear that CSE is not allowed to spy on Canadians or people in Canada and must have measures in place to protect the privacy of Canadians. The NDA, which was in place during the time period covered by the documents, stated that CSE’s activities “shall not be directed at Canadians or any person in Canada[20], and “shall be subject to measures to protect the privacy of Canadians in the use and retention of intercepted information”.[21]

All the same, CSE collected vast quantities of information about Canadians. CSE collects “raw SIGINT” data directly from its collection points in Canada’s communications infrastructure and elsewhere, including both content of communications and metadata.[22]

Typically, information that identifies a Canadian person is “suppressed” or “minimized” (CSE-speak for redacted or removed) before it is shared by CSE. However, the unredacted “raw SIGINT” is still maintained by CSE, and a wide range of CSE personnel can access the raw SIGINT “as needed to fulfill official duties”.[23] Raw SIGINT can also be shared outside of CSE, with Canadian Armed Forces personnel or Departmental Security Officers. The circumstances under which such sharing is allowed are redacted.[24]

CSE also advised the CSE Commissioner that CSE did not need a Ministerial Authorization to use metadata or communications involving Canadians if those communications were provided to CSE by another country. In CSE’s view, the prohibition on intercepting private communications of Canadians does not apply if it receives the information from a foreign partner. CSE could not provide the CSE Commissioner with details on how often this occurs.[25]

3. CSE had expansive metadata surveillance programs in place, and those programs were expanding

The documents confirm what we have suspected since the original release of the Snowden documents, and the subject of the BCCLA’s litigation: CSE had programs in place for the bulk collection of metadata relating to telephone and internet traffic, much like the programs operated by the National Security Agency in the United States. A secret report from the CSE Commissioner dated 2015 confirmed that “CSE may acquire “bulk” or “unselected” metadata at all SIGINT collection apertures for all telecommunications events[26] [emphasis added]. Those “SIGINT collection apertures” most likely include CSE surveillance posts located in or near internet backbones leading in and out of Canada.

In practice, this likely means that CSE has records of Canadians’ use of websites or apps based outside of Canada, including Google, Facebook, Instagram, YouTube, Tiktok, Twitter, and more, along with their calls, emails, or instant messages to people living outside Canada. Even the metadata of domestic telecommunications can be subject to collection, as a large percentage of Canada-to-Canada internet traffic crosses the Canadian border during its travels.

The 2015 report noted that “CSE’s collection posture has strengthened” since the last report on metadata in 2008.[27] It is likely that trend has continued, meaning the amount of data collected and sources it is collected from have increased since 2015.

4. CSE’s cybersecurity mandate gives it the authority to access Canadians’ personal information from within other government agencies

As the documents were produced via the BCCLA’s lawsuit over surveillance, most of the documents are focused on CSE’s SIGINT mandate. However, there are some interesting glimpses into CSE’s cybersecurity mandate provided in both policy documents and in a series of MOUs between CSE and various government agencies.

For example, a MOU with DFAIT, dated November 2012, allows CSE to “perform computer and network monitoring and related analysis”.[28] The MOU goes on to say that private communications will be intercepted by CSE, and that CSE may share any information that is identified as being relevant to CSE’s cybersecurity mandate, and thus comes under its “control”, with Five Eyes partners.[29]

5. CSE shared information potentially relating to Canadians with other government agencies and other countries, and developed a system to share bulk metadata collected by CSE with Five Eyes partners

CSE shared the information it collected with a variety of other government agencies. One example is shown in a MOU between CSE and CRA. Under that MOU, CSE provided CRA with access to SIGINT end-product reports to investigate terrorism financing and prevent terrorist organizations from obtaining charitable status.[30] Under the MOU, CRA had to notify CSE before taking any actions or initiating any proceedings based on information obtained from CSE, presumably to prevent the targets from learning about CSE’s techniques and information sharing.[31]

CSE had a similar MOU with Health Canada, noting that agency’s responsibilities for maintaining pandemic preparedness, and for responding to nuclear accidents or terrorist attacks. Like the MOU with CRA, the Health Canada MOU required Health Canada to notify CSE before taking actions based on information obtained from CSE.[32]

The Ministerial Directive on Metadata directs CSE to share the metadata it collects “with international allies to maximize its mandate activities […] and strengthen Canada’s partnerships abroad.”[33] However, when CSE shares information about Canadian persons with Five Eyes partners or other countries, information about Canadians must be “suppressed” or, in the case of metadata, “minimized”. [34]

A report from the CSE Commissioner in 2015 shows that CSE went beyond simply sharing information. It created an automated sharing system that allowed Five Eyes partners to search CSE’s collection of telephone and internet metadata.[35]

6. CSE violated law for five years by failing to minimize Canadian information shared with Five Eyes partners

As outlined above, under the Ministerial Directive on Metadata, CSE has the authority to share metadata with allied countries’ intelligence agencies as long as any information about people in Canada is “minimized” to remove any identifying information about the Canadian person.

A letter from the CSE Commissioner dated October 5, 2015, shows that information about Canadians was routinely shared with Five Eyes partners for five years without the data being properly minimized.  When sharing telephone metadata, CSE “failed to ensure” its systems were properly minimizing information identifying Canadian persons, resulting in Canadian information being shared. When allowing Five Eyes partners to search its collection of internet metadata, CSE failed to properly exclude search terms relating to Canadian persons. It shared results that included internet protocol (IP) addresses, which are considered personally identifiable information. [36] 

The report found that CSE had violated Canadian law, including the NDA and the Privacy Act, and that CSE “failed to act with due diligence. CSE was not able to provide the CSE Commissioner with details showing the scope of the privacy violations resulting from the unauthorized sharing.[37] The unauthorized sharing of Canadian information continued from 2009, when the automated sharing system was established, to spring 2014, when CSE suspended its programs for sharing telephone and internet metadata with its Five Eyes partners.[38]

7. CSE prioritized its relationships with other intelligence agencies over the privacy and safety of Canadians

CSE places a heavy emphasis on developing and maintaining its relationships with other intelligence agencies, particularly the Five Eyes agencies. The documents show how this plays out in CSE policy and operations, and how efforts to maintain these relationships often come before CSE’s duty to protect the privacy of Canadians.

CSE’s prioritization of relationships with foreign partners can be seen in its approach to the 2011 Ministerial Directive providing a “Framework for Addressing Risks in Sharing Information with Foreign Entities” (the “Mistreatment MD”). The Mistreatment MD is a guide for making decisions about sharing information with a foreign government when the information creates a “substantial risk of mistreatment” of the subject of the information.[39]Mistreatment” is defined by the Mistreatment MD as “torture or other cruel, inhuman, or degrading treatment or punishment”.[40]

CSE grades the risk of mistreatment according to a scale from Low Risk, when mistreatment is unlikely, to Speculative Risk, when the intended recipient has “a questionable human rights record” or there are “concerns about the recipient’s adherence to the Convention Against Torture,” to Substantial Risk if there is a “personal, present, and foreseeable risk of mistreatment”. A Substantial Risk can be mitigated by restrictions on the use of the information, assurances there will be no mistreatment, or further suppressing information so it is less likely to lead to mistreatment. [41]

Five Eyes countries have agreements for information sharing in place with CSE that set out how they will use the information shared, and are deemed “safe” for the purposes of the Mistreatment MD. The Five Eyes partners’ rules, such as NSA’s “strict policies that limit access to non-minimized raw traffic”, are cited by CSE as providing “confidence that partners are safeguarding the privacy of Canadians”.[42]

The CSE must conduct a Mistreatment Risk Assessment before sharing information with non-Five Eyes countries.[43] Sharing with those countries can also be limited based on those countries’ privacy safeguards and policies.[44] The CSE also makes sure that a “mention of mutual respect for privacy concerns be stated wherever appropriate in future agreements and shared policies”.

CSE asks Five Eyes countries to report monthly on measures meant to protect the privacy of Canadians whose information is shared with them. However, CSE states that it would not penalize second party countries for failing to comply with those safeguards, because doing so would “have a significant negative effect on [CSE].”[45] The CSE Commissioner recommended that CSE at least collect statistics on the number of Canadians’ private communications accessed by second parties, but CSE refused even this basic measure:

The proposed requirement to have Second Parties expand their reporting to [CSE] to include statistics on recognized private communications would likely have a similar negative effect on [CSE], in that it would become too onerous for Second Parties to do business with [CSE] (given that this requirement would have to apply to all [CSE] collection programs). There are limits on partnership commitments.

Despite the limited “partnership commitments” from Five Eyes partners, CSE is aware that Five Eyes countries “may derogate from the agreements, if it is judged necessary for their respective national interests.”[46] The documents show CSE and its Five Eyes partners do not “seek or share evidence from each other to demonstrate that these rules are in fact being followed.”[47]

The CSE acknowledged to the CSE Commissioner that, “[t]he sanction for not complying with these measures is the ability to restrict the sharing of further information.”[48] The documents show this is not a step CSE was willing to take. As CSE told the CSE Commissioner, “there are limits to what any country can require of another.

Conclusion

The documents in this collection demonstrate that the facts alleged by the BCCLA in its lawsuit were correct: CSE operates bulk metadata surveillance programs that collect and share information about Canadians with government clients and foreign intelligence agencies. What was truly shocking is how hard CSE pushes up against the edge of legality, and pushes back against even the most reasonable regulation and oversight.

The findings above are just the tip of the iceberg. We encourage journalists, academics, watchdogs, advocates, and the general public to dig into the documents and help us see what else can be found. We hope you’ll share your findings with the public, collaborate with each other, and reach out to us if you think you’ve found something we missed.

The BCCLA was represented by David Martin of Martin & Associates, Sebastian Ennis of Iris Legal, and Neil Abraham of Olthuis van Ert. The BCCLA was also represented by Joseph Arvay, O.C., O.B.C., Q.C.

Bill Robinson and Greg McMullen served as experts on the case. Due to the scope and duration of this litigation, it is not possible to give credit to all those who participated but the BCCLA is extremely grateful to everyone who contributed.

Explore the CSE Secret Spying Archive!

Index and Glossary of CSE Glossary of Terms:

Please note that this glossary is a work in progress and not intended as a formal dictionary.

Indexed Secret Spying Documents:

Please note, to view these documents, click the link and download the file (rather than viewing in a browser) as they are in a portfolio file structure.


[1] AGC0017

[2] AGC0021

[3] AGC0081

[4] AGC0148

[5] AGC0116

[6] AGC0149

[7] AGC0165

[8] AGC0120 and AGC0150

[9] AGC0147

[10] AGC0177

[11] AGC0156

[12] AGC0164

[13] AGC0128

[14] AGC0001-10, AGC0013-4, AGC0027, AGC0038, AGC0158, and AGC0282

[15] AGC0070, AGC0194, and AGC0236-7

[16] AGC0261

[17] AGC0166 and AGC0278

[18] Criminal Code, s 183

[19] AGC0241 at p 13 (p 8 of Report)

[20] NDA,s 273.64(1)(a)

[21] NDA,s 273.64(1)(b)

[22] AGC0157 at p 9

[23] AGC0157 at p 9

[24] AGC0157 at p 14

[25] AGC0166 at p 25.

[26] AGC0278 at p 15

[27] AGC0278 at p 31

[28] AGC0120 at p 2

[29] AGC0120 at p 3

[30] AGC0148

[31] AGC0148 at p 2

[32] AGC0147

[33] AGC0017

[34] AGC0157 at p 9.

[35] AGC0281

[36] AGC0281

[37] AGC0281

[38] AGC0281

[39] AGC0081

[40] AGC0081 at p 2

[41] AGC0266 at p 10-11

[42] AGC0166 at p 13, fn 17

[43] AGC0168 at p 10

[44] AGC0166 at p 13, fn 17

[45] AGC0166 at p 12, fn 16

[46] AGC0166 at p 18

[47] AGC0166 at p 29

[48] AGC0166 at p 13, fn 17

CIVIL LIBERTIES CAN’T PROTECT THEMSELVES