...except when it isn't.
2011-2012 Annual Report
Limitations Imposed by Law on CSEC
Parts (a) and (b) of CSEC's mandate
CSEC's activities related to the collection of foreign signals intelligence and to the protection of electronic information and information infrastructures of importance to the Government of Canada are subject to three legislative limitations aimed at protecting Canadians' privacy:
- CSEC is prohibited from directing its foreign signals intelligence collection and IT security activities at Canadians, regardless of their location anywhere in the world, or at any person in Canada, regardless of their nationality;
- In conducting these activities, CSEC may unintentionally intercept a communication that originates or terminates in Canada in which the originator has a reasonable expectation of privacy, which is a "private communication" as defined by the Criminal Code. CSEC may use and retain a private communication obtained this way but only if it is essential to either international affairs, defence or security, or to identify, isolate or prevent harm to Government of Canada computer systems or networks [see "Five Eyes' Daisy Chain" weaselly claimed exemption] ; and
- To provide a formal framework for the unintentional interception of private communications while conducting foreign signals intelligence collection or IT security activities, the National Defence Act requires express authorization by the Minister of National Defence. These are known as ministerial authorizations. The Minister may authorize the activities once he or she is satisfied that specific conditions provided for in the Act have been met, which includes assurances of how such unintentional interceptions of private communications would be handled should they arise.
Private Communication: "any oral communication, or any telecommunication, that is made by an originator who is in Canada or is intended by the originator to be received by a person who is in Canada and that is made under circumstances in which it is reasonable for the originator to expect that it will not be intercepted by any person other than the person intended by the originator to receive it, and includes any radio-based telephone communication that is treated electronically or otherwise for the purpose of preventing intelligible reception by any person other than the person intended by the originator to receive it" (section 183 of the Criminal Code).
Ministerial authorizations
When CSEC is conducting activities to acquire foreign signals intelligence, it cannot know beforehand with whom a targeted foreign entity outside Canada may communicate. Similarly, when CSEC is conducting activities to help protect Government of Canada computer systems, it cannot know beforehand who may communicate with or through that computer system. Given the complexity and interconnectedness of the global information infrastructure, it is unavoidable that CSEC will intercept a number of private communications. It is for this reason that CSEC requires a ministerial authorization for these activities — to shield itself from the Criminal Code in cases where it may unintentionally intercept a communication coming to or originating from Canada and where a person has an expectation of privacy. CSEC's ministerial authorizations relate to an "activity" or "class of activities" specified in the authorizations — that is, to a specific method of acquiring foreign signals intelligence or of protecting computer systems (the how); the authorizations do not relate to a specific individual or subject (the whom or the what).
Ministerial authorization: authorization provided in writing by the Minister of National Defence to CSEC so that CSEC is not in contravention of the Criminal Code if — in the conduct of foreign signals intelligence collection or IT security activities — it should unintentionally intercept a private communication. An authorization can be in effect for no longer than one year. In 2011–2012, there were six foreign signals intelligence collection and two IT security ministerial authorizations in effect.
Conditions for ministerial authorizations
To issue a ministerial authorization for foreign signals intelligence collection, the Minister must first be satisfied that:
- the interception will be directed at foreign entities located outside of Canada;
- the information could not be reasonably obtained by other means;
- the expected value of the interception would justify it; and
- satisfactory measures are in place to protect the privacy of Canadians and private communications will only be used or retained when essential to international affairs, defence or security.
To issue a ministerial authorization to protect the computer systems or networks of the Government of Canada, the Minister must be satisfied that:
- the interception is necessary;
- the information could not be reasonably obtained by other means;
- the consent of persons whose private communications may be intercepted could not reasonably be obtained;
- satisfactory measures are in place to ensure that only information essential to identify, isolate or prevent harm to Government of Canada computer systems or networks will be used or retained; and
- satisfactory measures are in place to protect the privacy of Canadians in the use and retention of that information.
Each year, I review all of CSEC's ministerial authorizations — which may be in effect for a period of no longer than one year — to ensure that the activities are authorized and that the above conditions for authorization are met. I report to the Minister of National Defence on my review.
Part (c) of CSEC's mandate
For CSEC to provide assistance to federal law enforcement and security agencies in fulfilling their mandated activities, the National Defence Act requires that those agencies first demonstrate that they have the legal authority — such as an authorization or a warrant — to conduct the activities. CSEC is then subject to the same laws and limitations that govern the agencies it is assisting rather than to the three legislative limitations listed above. In addition, ministerial authorizations do not apply to these activities.