CSE’s management response to recommendations in NSIRA’s review of a Foreign Intelligence program

Recommendation 1:

CSE should update the Minister of National Defence on its relationship with a foreign partner.

CSE response to Recommendation 1:

CSE agrees with this recommendation.

CSE concurs and regularly updates the Minister on topics of importance, including the status of relationships with international partners.

CSE plans to continue providing comprehensive updates to the Minister on its international engagements and relationships with foreign partners, including the named foreign partner.

Recommendation 2:

CSE should comply with the Releasable SIGINT Products requirements pursuant to the Foreign Intelligence Mission Policy Suite when conducting analytic exchanges with its partners in the performance of all operational activities.

CSE response to Recommendation 2:

CSE agrees with this recommendation.

CSE recognizes that despite having robust policies, practices, and procedures, improvements can still be made in outreach and training to mission staff. CSE is working on a comprehensive revision of its operational legal and policy training, and will consider this recommendation when developing its compliance plans for 2023 to 2024.

Recommendation 3:

CSE should describe to the Minister of National Defence the full extent of its participation in any activities when applying for Foreign Intelligence Authorizations.

CSE response to Recommendation 3:

CSE agrees with this recommendation.

CSE will include relevant details to clarify [*specific activities*] in its next Ministerial Authorization application at a level of detail consistent with Ministerial Authorization applications.

Recommendation 4:

CSE must perform a Mistreatment Risk Assessment prior to sharing information with [*country*] in accordance with parameters established with the Minister of National Defence, Minister of Foreign Affairs, and the Privy Council Office in the development of CSE's working arrangement with this partner.

CSE response to Recommendation 4:

CSE agrees with this recommendation in principle.

CSE is of the view that its policy instruments are already clear and that there are already established best practices when sharing information with foreign entities about identifiable individuals. CSE continually seeks to improve both the implementation of internal policies, and the training and internal outreach programs for its analysts.

Additionally, it is important to note that there exists a strong mitigating factor in the overarching agreements with [*country*] which contain explicit language regarding how SIGINT may be used, and with explicit prohibitions for purposes that could result in mistreatment.

Recommendation 5:

When performing a Mistreatment Risk Assessment, CSE should specify why and how its risk rating applies to each individual implicated in the sharing of information with a foreign partner.

CSE response to Recommendation 5:

CSE agrees with this recommendation in principle.

Since 2011, CSE has continually refined its mistreatment risk assessment process and documentation. In certain cases where an initial assessment has determined that all of the conditions of information sharing will be identical across a category of individuals in an activity, CSE has determined that a group mistreatment risk assessment appropriately documents the risk profiles for all individuals associated with that activity. In the event that the information sharing conditions change, or specific characteristics related to an individual associated with the activity may change the risk, a separate assessment is conducted.

CSE has continued to improve our documentation to ensure that it better reflects the analysis behind the risk assessment and why a rationale would apply to a group of individuals under a single activity. As CSE's operational activities continue to evolve, the mistreatment risk assessment process grows to reflect the requirements of those activities.

Recommendation 6:

CSE should ensure that a foreignness assessment is completed prior to commencing collection and reporting on individuals. CSE should also develop policy requirements for the documentation, tracking, and management review of foreignness assessments.

CSE response to Recommendation 6:

CSE agrees with this recommendation in principle.

As part of the SIGINT process, and relying on a combination of policy, administrative, and technological means, CSE already documents a targeting justification demonstrating reasonable grounds to believe that a target is a foreign entity outside Canada. This auditable justification crystallizes the current state of knowledge about the foreignness of a target, at the time of targeting.

In addition, as analysts perform their duties and build knowledge about a target, a foreignness assessment persists throughout SIGINT analysis in a process that is guided by the Mission Policy Suite. Each new fragment of information acquired about a target increases the body of knowledge evaluated by an analyst, including more information about a target's foreignness that may not have been available at the time of targeting.

If at any point the analyst no longer has reasonable grounds to believe that the target is a foreign entity outside Canada, the analyst must de-target the associated selectors and register a privacy incident with CSE's Program for Operational Compliance team, who will guide internal processes through any additional required remedial steps, such as purging any collected information. In addition, a citizenship check can also be requested from Immigration, Refugees, and Citizenship Canada (IRCC) if sufficient information is available.

Recommendation 7:

CSE should develop a mechanism with Immigration, Refugees and Citizenship Canada, or other federal institutions as appropriate, to facilitate timely and concrete confirmation of the Canadian status of individuals implicated in CSE's operational activities.

CSE response to Recommendation 7:

CSE agrees with this recommendation.

This recommendation was previously put forward in the SCIDA 2020 final report. CSE continues to pursue discussions with IRCC for an information sharing agreement. CSE is reengaging at both working and executive levels to facilitate progress.

It should be recognized that in order to produce more accurate results, a citizenship check needs to include specific information regarding an individual target, which is not always available to CSE. In the absence of that information, a citizenship check is not guaranteed to produce conclusive results, and cannot be considered as a concrete confirmation of citizenship status. In addition, it is CSE's understanding that IRCC databases may not capture Canadians born with Canadian citizenship. The citizenship check process and associated timelines are fully within the jurisdiction of IRCC.

Recommendation 8:

CSE should develop policies and procedures to govern its participation in [*specific activities*] within the program.

CSE response to Recommendation 8:

CSE agrees with this recommendation.

CSE remains committed to building robust policy frameworks to govern its activities and ensure that its work continues at the highest level of integrity.

While at the time of review, policies and procedures specific to the program were still in development, CSE's existing policies and procedures include principles that govern all foreign intelligence activities conducted under CSE authorities, including [*program*].

Recommendation 9:

CSE should develop written arrangements with its partners implicated in activities, to set the parameters for collaborating on these activities.

CSE response to Recommendation 9:

CSE disagrees with this recommendation.

CSE has enjoyed a uniquely strong relationship with partners for [*amount of time*]. By leveraging shared capabilities, Canada benefits greatly, magnifying its ability to provide quality information exponentially. The cooperation with our partners means that we [*description*], with procedures in place to manage our interactions. CSE's operations with partners are based on bilateral information sharing and technical cooperation arrangements.

Recommendation 10:

When collaborating on an operation with a partner, CSE should prepare an operational plan and conduct a risk assessment associated with the activity with a view to ensuring an operation's alignment with CSE's priorities and risk tolerance levels. CSE should also ensure that parameters and any caveats for the partner's [*specific activity*] be outlined and acknowledged.

CSE response to Recommendation 10:

CSE agrees with this recommendation.

CSE policy outlines that, when conducting SIGINT operations, including joint operations with a partner, the activity be approved via an operational plan and risk assessment in order to exercise an aspect of the CSE mandate.

Collaboration that involves [*specific activity*] without participating in the resulting operation does not require operational plans or risk assessments to be created at CSE, but rather at the partner agency conducting the operation and adopting the risk. CSE will, however, ensure that the partner agency is aware of and acknowledges any caveats or parameters.

Recommendation 11:

When applying for a Ministerial Authorization, CSE should disclose to the Minister any related testing or evaluation activities that it intends to undertake pursuant to paragraph 23(1)(c) of the CSE Act.

CSE response to Recommendation 11:

CSE disagrees with this recommendation.

The purpose of a ministerial authorization is to seek authorities for activities that would contravene an Act of Parliament or involve the acquisition of information that interferes with the reasonable expectation of privacy (REP) of a Canadian or any person in Canada. Testing activities, as per s.23(1)(c) of the CSE Act, are not carried out under the authorities of a ministerial authorization if they do not risk contravening an Act of Parliament or do not involve the acquisition of information that interferes with the REP of a Canadian or any person in Canada. In such cases, it is not required to request authorities to conduct testing activities from the Minister through a ministerial authorization. However, at the Chief's discretion, CSE will inform the Minister of non-ministerial authorization activities through other means.

Paragraph 23(1)(c) provides an exception to CSE's prohibition on directing its activities at a Canadian or any person in Canada when conducting testing or evaluating products, software and systems. This means that CSE may conduct these activities which will not be considered directed at a Canadian or any person in Canada.

Any foreign intelligence activities, including testing activities, that contravene an Act of Parliament or involve the acquisition of information that interferes with the REP of a Canadian or any person in Canada can only be conducted under the authorities of a ministerial authorization. In such cases, the activities must be conducted under the authorities of an existing ministerial authorization or will require that the Minister issue a new ministerial authorization, and the Minister would be fully informed of the activities being considered before being in a position to approve them.
