Certificate 2018-07

Security Intelligence Comite de surveillance des activites Review Committee de renselgnement de securite Office of the Chairman Bureau du president

TOP SECRET

File no.: 2018-07

March 21, 2019

The Honourable Ralph Goodale, P.C.M.P.
Minister of Public Safety and Emergency Preparedness
269 Laurier Avenue West
Ottawa, Ontario K1A OP8

Dear Minister Goodale,

RE: Certification of the Director's Annual Report to the Minister of Public Safety (SIRC Study 2018-07)

Pursuant to subsection 38(2) of the Canadian Security Intelligence Service Act (CSIS Act), the Security Intelligence Review Committee (SIRC) hereby submits to you, as Minister of Public Safety and Emergency Preparedness, a certificate stating:

  1. the extent to which it is satisfied with the Director of CSIS's annual report to you under subsection 6(4) of the CSIS Act; and
  2. the extent to which the operational activities described in the report:
    1. contravened the CSIS Act or your direction to CSIS; or
    2. involved an unreasonable or unnecessary exercise by CSIS of any of its powers.

This certificate therefore provides an important high-level assessment of the legality, reasonableness and necessity of CSIS's operational activities for the period of April 1, 2017, to March 31, 2018.

To assess its satisfaction with the Director's report, SIRC reviewed the report in the context of its broader knowledge of CSIS's operations and challenges, including recent reviews. SIRC also methodically scrutinized the hundreds of documents underpinning the factual statements made throughout the report to ensure that it was well supported, accurately reflected the information in CSIS's holdings at the time of writing, and placed information in its proper context. Where the report raised questions, SIRC requested additional information or briefings from CSIS. In addition, SIRC verified that the report contained all of the elements required by the Ministerial Direction on Operations and Accountability.

As noted above, the CSIS Act also requires SIRC to state whether, in its opinion, the operational activities described in the Director's report contravened the CSIS Act or Ministerial Direction, or involved an unreasonable or unnecessary exercise by CSIS of any of its powers. As it is not possible to review all CSIS activities, SIRC undertook in-depth examinations of select aspects of the CSIS operations discussed in the Director's report, with a focus on those deemed to present higher risks. These included:

  1. CSIS targets under the age of 18 (Annex A);
  2. information sharing cases involving a significant risk of mistreatment (Annex B);
  3. internal compliance reporting (Annex C); and
  4. [redacted text] Canadian Fundamental Institutions (Annex D).

On the whole, SIRC found these activities to have been compliant with the CSIS Act, Ministerial Direction, and internal policies and procedures. In one instance, however, SIRC found that CSIS targeted a minor without proper authorization due to administrative errors.

Furthermore, in Annex C, SIRC observed that CSIS practice is not to report Charter violations by means of ss. 20(2) of the CSIS Act, even though ss. 20(2) requires that activity that may have been unlawful be reported to you and, ultimately, the Attorney General. Instead, CSIS interprets ss. 20(2) to encompass only criminal conduct. The Director's report notes that CSIS is working to ensure that Charter issues are addressed appropriately. SIRC, for its part, would note that the Charter is the supreme law of Canada. Charter violations are not less important than criminal conduct, regardless of whether they could lead to charges being laid. The Attorney General has a clear interest in staying informed of any possible Charter breaches committed by CSIS. For these reasons, Minister, SIRC takes the view that accountability for national security would be best supported by CSIS reporting all probable Charter violations to you and the Attorney General. In future, SIRC expects CSIS to report such instances, as a matter of practice, by means of ss. 20(2).

The Committee also has further general observations on the operations discussed in the Director's report. These are included in Annex E. In particular, the Director's report notes that, in response to a backlog of out-of-date policies and procedures, CSIS has committed to renewing the CSIS Governance System. SIRC welcomes this commitment, but notes that this will require CSIS to commit significantly more personnel to the project than it has to date. SIRC believes that the upkeep of the CSIS policy suite merits a permanent investment of resources. In this context, the Committee welcomes the Government's decision in Budget 2019 to invest additional resources in CSIS's compliance efforts.

One further issue bears mention, which is also discussed in Annex E. In January 2017, CSIS received clear and unambiguous advice from the Department of Justice stating that "CSIS cannot rely on Crown immunity in the context of its human source operations" and that "no alternative authority exists that would allow the Service to conduct otherwise illegal operations." Despite this, CSIS continued to undertake human source, operations that it had been advised were very likely unlawful. These operations are described in the Director's report as "high legal risk", and CSIS explains that it continues to rely on Crown immunity pending the coming into force of Bill C-59. This is not credible, however, in light of the 2017 advice -which was re-affirmed by the Department of Justice in 2019 -and based on the record before SIRC at the time of writing. It also cannot account for operations contrary to laws that are explicitly binding on the Crown, such as the United Nations Al Qaeda Taliban Regulations (UNAQTR). SIRC, for its part, was not aware of the substance of the 2017 legal advice to CSIS until it was provided to SIRC in January 2019.

In January 2019, CSIS decided to end high legal risk human source operations. SIRC acknowledges that this decision comes at no small cost to CSIS's collection of valuable intelligence on threats to the security of Canada, and that CSIS operations will remain impeded until Bill C-59 is passed and comes into force. The uncertain fate of CSIS operations is also harming morale. Nonetheless, the Committee must certify the Director's report as written and the operations it describes as they occurred. That the operations may have been important or valuable does not mitigate their unlawfulness.

In summary, SIRC is of the opinion that CSIS undertook human source activities despite knowing that these activities did not comply with the CSIS Act and Ministerial Direction, which stipulates that the rule of law must be observed.Footnote 1 SIRC takes note of CSIS's decision, following the period encompassed by the Director's report, to cease high legal risk human source operations and end non-compliance with the law.

With the important exception of the high legal risk human source activities described in the Director's report, SIRC is satisfied that the report fulfilled reporting requirements and provided accurate and appropriately contextualized information, and that the activities described in the report complied with the CSIS Act and Ministerial Direction and did not constitute an unreasonable or unnecessary exercise of any of CSIS's powers.

Minister, as noted earlier, the Director is obliged, under ss. 20(2) of the CSIS Act, to report CSIS activity that may have been unlawful. The Committee expects the Director to fulfil his obligations and report the matter of CSIS's unlawful human source activities via ss. 20(2) to you and the Attorney General in a timely fashion.

As you know, should Bill C-59 come into force, SIRC will be transformed into the National Security and Intelligence Review Agency (NSIRA). The NSIRA will not be required to certify the Director's report. Nonetheless, the NSIRA will be required to provide you with an annual classified report on CSIS, one that speaks to CSIS's compliance with the law, Ministerial Direction, and the reasonableness and necessity of its actions. The NSIRA will also brief you at least once annually on CSIS. Even if scrutiny of the Director's report is no longer a statutory requirement, the NSIRA will continue to review the document carefully. As such, the NSIRA, though a strictly independent entity, will continue to support CSIS's accountability to the Government.

Sincerely,

Pierre Blais

Pierre Blais, P.C.
Chair

c.c.: David Vigneault, Director of CSIS

P O. Box / C.P. 2430, Station / Succursale 'D' Ottawa, Canada K1P 5W5 613 990-8441

ANNEX A - CSIS TARGETS UNDER THE AGE OF 18

1. STATEMENT OF COMPLIANCE

With regard to the operational activities reviewed, SIRC found that CSIS acted lawfully, but that one case involving a target under the age of 18 was not compliant with the Ministerial Direction for Operations and Accountability as well as applicable policies and procedures. The operational activities did not involve an unreasonable or unnecessary exercise by CSIS of any of its powers.

2. SCOPE AND METHODOLOGY

The objective of the review was to assess CSIS's interactions with minors during the period of the Director's 2017-18 report to the Minister. Over the course of the year in question, the report notes that [redacted text] individuals under the age of 18 years were subject to investigation. Of the [redacted text] and subsequently remained a target [redacted text] Footnote 1

It is CSIS policy to take special precautions when conducting operations involving minors.Footnote 2 Specifically, when CSIS wishes to target a minor, approval must be obtained from the Deputy Director of Operations (DDO).Footnote 3 This accords with Ministerial Direction, which stipulates that higher levels of approval must be obtained for the targeting of persons under the age of 18.Footnote 4

SIRC took the [redacted text] subjects of investigation under 18 years of age noted in the Director's report as its starting point, and then examined their targeting authorities in order to assess compliance with the Ministerial Direction for Operations and Accountability as well as key relevant policies, including the CSIS Policy on the Conduct of Operations and the CSIS Procedures on Targeting.

3. ASSESSMENT

SIRC found that CSIS targeted an individual for approximately six months while the target was underage without valid authority to do so . In this instance, an administrative error resulted in the DDO not receiving the necessary request to approve the targeting of a minor. Instead, the Request for Investigation (RFI) produced by [redacted text] Region on [redacted text], erroneously indicated that the DDO had already approved the targeting of an underage person.Footnote 5 The target [redacted text] on[redacted text] but it was later that CSIS headquarters' Targeting and Warrants Unit noticed a missing signature in the RFI and contacted [redacted text] Region to seek clarification regarding the DDO's purported approval of the targeting.Footnote 6 The DDO finally approved the targeting on [redacted text] Because the targeting authority used by [redacted text] Region had not been properly approved, CSIS lacked the appropriate level of authority to investigate the target, and was thus non-compliant with Ministerial Direction as well as internal policies and procedures.Footnote 7

SIRC appreciates that the DDO approved the operation retroactively and that the non-compliance resulted solely from unintentional administrative errors. Nonetheless, these errors were later compounded when [redacted text] Region failed to send a "Notification and Reporting of Operational Non-Compliance" form containing its initial findings with regard to the incident -which it had drafted at the request of the DDO - to the External Review and Compliance (ERC) unit at headquarters for processing and evaluation.Footnote 8 As a result of SIRC's queries, the report was located and has now been processed by ERC.Footnote 9

A level of human error is unavoidable in any organization, but CSIS's lack of a modern case management system increases the likelihood that such errors will not be caught and rectified in a timely manner. CSIS is currently in the planning stages with regard to the development of such a system.Footnote 10

ANNEX B - INFORMATION SHARING CASES INVOLVING A SIGNIFICANT RISK OF MISTREATMENT

1. STATEMENT OF COMPLIANCE

With regard to the activities reviewed, SIRC found that CSIS complied with the 2011 Ministerial Direction on Information Sharing with Foreign Entities (hereinafter the 2011 MD) and the 2017 Ministerial Direction on Avoiding Complicity in Mistreatment by Foreign Entities (hereinafter the 2017 MD), as well as related internal directives. The activities reviewed did not involve an unreasonable or unnecessary exercise by CSIS of any of its powers.

2. SCOPE AND METHODOLOGY

In order to address threats to the security of Canada and to fulfill Canada's obligations with regard to international security, CSIS must maintain relationships with foreign counterparts. The exchange of information is central to achieving these goals. At the same time, the Government of Canada is committed to respecting human rights and does not condone torture or mistreatment, domestically or abroad.Footnote 1

The Information Sharing Evaluation Committee (ISEC) is an interdepartmental committee composed of senior CSIS executives, as well as representatives from Global Affairs Canada (GAC) and the Department of Justice, who review cases of information sharing with foreign entities in which operational personnel have identified a potential risk of mistreatment. The information sharing at issue could involve a proposal to share information with a foreign entity, a proposal to request information from such an entity, or perhaps a decision on how to use information that has already been received and that may have been derived from mistreatment.Footnote 2

This review scrutinized CSIS's handling of all four cases that arose over the course of 2017-18 where ISEC, upon review, found there to be a "substantial risk" of mistreatment. Cases with a substantial risk of mistreatment can have major implications given Canadian laws and international obligations. Moreover, the decisions in these cases can also affect Canada's relationships with other countries.

SIRC assessed CSIS's compliance with its framework for information sharing with regard to Ministerial Direction and internal policy directives. SIRC reviewed all branch briefings, foreign arrangements, ISEC minutes and records of decision, as well as other documents related to the decision-making process for the four cases.Footnote 3SIRC focused mainly on the information held in the official ISEC file, and particular attention was given to the information ISEC and the Director relied on to make a decision .Footnote 4

3. ASSESSMENT

For the period under review, CSIS's information sharing activities were subject to two different frameworks. The 2011 MD was replaced by new direction in September 2017. The new direction altered the ISEC process and the criteria for decision-makingFootnote 5 and added new reporting obligationsFootnote 6. An updated directive implementing the new MD was later issued by the Deputy Director for Operations (DDO).

The revised DDO directive was not issued immediately after the new MD was issued, however. As a result, ISEC evaluated one proposal to disclose information to a foreign entity under the new 2017 MD but under the old 2011 DDO directive.Footnote 7 Of the three other cases, one was evaluated under the 2011 MD and the corresponding 2011 DDO directive, while the final two were evaluated under the 2017 MD and the matching 2017 DDO directive.

Despite these changes, CSIS's decision-making process was in line with applicable procedures and thresholds. In one case, ISEC likely should have made the decision to deny the proposed request for information, as no credible measure had been proposed to mitigate the substantial risk of mistreatment had been identified. Instead, ISEC concluded that it was unable to determine whether the substantial risk of mistreatment could be mitigated, and referred the decision to the Director. Despite this, later the same day the Director rendered a reasonable, fact-based decision not to request the information.Footnote 8

Overall, ISEC's decisions were based on balanced information, and the deliberations between the various stakeholders at ISEC meetings were not beholden to the briefing provided to them by the responsible operational branch.Footnote 9ISEC members brought their varied expertise and perspectives to the table, which fostered vigorous discussion and helped to put into context - or even challenge - the operational branch's proposal. For example, ISEC meeting minutes show that GAC asserted that the background material could have been more nuanced as to the risk of mistreatment by [redacted text]Footnote 10 ln another instance, CSIS's Policy and Foreign Relations branch [redacted text] Footnote 11 These debates strengthened SIRC's confidence in the integrity and robustness of the ISEC process and of its resulting decisions.

It is important to note, however, that this review did not evaluate the robustness of the caveats and assurances that influenced CSIS's assessment of the risk of mistreatment. As noted in SIRC study 2018-03, in a future review SIRC will examine how CSIS uses and measures the effectiveness of caveats and assurances when used to facilitate information sharing.

ANNEX C - INTERNAL COMPLIANCE REPORTING

1. STATEMENT OF COMPLIANCE

With regard to the operational activities reviewed, SIRC found that CSIS complied with the CSIS Act. The operational activities did not involve an unreasonable or unnecessary exercise by CSIS of any of its powers.

2. SCOPE AND METHODOLOGY

The CSIS procedure on the Reporting of Operational Non-Compliance and Unlawful Activity stipulates that all instances of potentially unlawful activity, or of activity contrary to Ministerial Direction or to internal CSIS policies and procedures, must be reported to the External Review and Compliance (ERC) branch. ERC then analyzes the report and provides corrective recommendations and advice. Legal advice is sought when necessary.Footnote 1 Ultimately, if the Director is of the opinion that unlawful activity may have taken place, ss. 20(2) of the CSIS Act requires him or her to report it to the Minister, who must in turn pass the report to the Attorney General for appropriate action.Footnote 2If the issue relates to compliance with the terms and conditions of a warrant, CSIS now also routinely informs the Federal Court.Footnote 3

Most non-compliance incidents do not amount to unlawfulness, but they can nonetheless shed light on systemic problems and gaps in policy. Indeed, one of the goals of the non-compliance reporting process is to encourage the honest and open admission of errors, in a non-punitive context, so as to permit any underlying gaps in policies and procedures to be diagnosed and rectified. In this way, the noncompliance reporting process is intended to promote a culture of compliance within CSIS.

As part of the certificate process, SIRC reviewed all 23 non-compliance incidents reported to ERC during the period of the Director's report (2017-18). For each incident, SIRC scrutinized the originating branch's report as well as ERC's own findings and recommendations. SIRC reviewed legal advice where applicable, and traced the ultimate fate of the report inside CSIS, particularly with regard to the uptake of ERC recommendations and reporting to the Federal Court. Incidents of potential unlawfulness received additional attention.

The aim of the review was to assess the robustness of the ERC process and to ascertain whether CSIS was appropriately addressing serious non-compliance incidents, including potential unlawfulness.

3. ASSESSMENT

On the whole, SIRC found ERC's handling of non-compliance incidents for the year in question to have been responsible and impartial. ERC provided credible analysis of reported problems, and made sensible follow-up recommendations. SIRC found no evidence that ERC was downplaying problems in order to avoid reporting to the Director, Minister, or Attorney General.

Nonetheless, the current non-compliance reporting process has limitations. ERC is reliant on the full and frank disclosure of incidents by other CSIS branches; it is not an investigative body, and is thus not normally in a position to second-guess the explanations or context provided to it.Footnote 4 Furthermore, ERC has no authority to compel the implementation of its recommendations, and does not track their implementation in a systematic manner.Footnote 5Indeed, ERC concedes that it does not have "sufficient resources to follow up systematically with policy centres, regions and branches to verify or track actions taken to address compliance risks and vulnerabilities."Footnote 6 The usefulness of the non-compliance reporting process would be bolstered by the comprehensive tracking of recommendations, along with the status of their implementation, for the regular attention of senior CSIS executives.

ERC summarizes its work in an annual compliance report for the Director. Elements of this report are later incorporated into the Director's report to the Minister. In the 2016-17 Director's report, CSIS included the total number of non-compliance reports for the year (29).Footnote 7 In the 2017-18 report, by contrast, the total number of reports (23) was not mentioned; instead, the report described the four reports that ERC had escalated as potentially unlawful, along with a few other notable incidents.Footnote 8The raw number of non-compliance reports, by itself, is not necessarily indicative of the scale and severity of the non-compliance issues facing CSIS, but it nonetheless provides an opportunity for the Director to explain to you the breakdown of the reporting, notable trends, and CSIS's response. For instance, of the 23 reports for 2017-18, five were later deemed compliant; two pertained to errors by [redacted text] not by CSIS; twelve related to breaches of internal policy; five related to the terms and conditions of warrants; and four were escalated as potentially unlawful, although ultimately none were deemed to require a report under ss. 20(2) of the CSIS Act.Footnote 9 Conveying this context to you would help to understand the nature and scope of the compliance challenges facing CSIS.

Reporting of Charter Infringement

On [redacted text] a CSIS employee searched the phone of an individual held in CBSA custody at a [redacted text] border crossing without having obtained the informed and explicit consent of the individual.Footnote 10 ERC escalated the report as potentially unlawful and [redacted text]Footnote 11 The Director subsequently concurred with his officials that the incident did not require reporting under ss. 20(2) to the Minister and the Attorney General.Footnote 12 Instead, the incident was described in the Director's 2017-18 report to the Minister.Footnote 13

The Director's report notes that CSIS is working to ensure that Charter breaches are "escalated and addressed appropriately."Footnote 14 On October 29, 2018, the procedure on the Reporting of Operational Non-Compliance and Unlawful Activity was updated to clarify that Charter breaches are captured under the non-compliance reporting process.Footnote 15 It remains the Director's discretion to report such incidents to the Minister and the Attorney General, however.

In deciding not to report the probable Charter breach by means of ss. 20(2), CSIS acted [redacted text]Footnote 16 SIRC notes, however, that the Charter is the supreme law of Canada. Charter violations are not less important than criminal conduct, regardless of whether they could lead to charges being laid. Accountability for national security would be best supported by CSIS reporting all probable Charter violations. The Attorney General has a clear interest in staying informed of any possible Charter breaches committed by CSIS. In future, SIRC expects CSIS to report such instances to you, as a matter of practice, by means of ss. 20(2).

ANNEX D - [redacted text] CANADIAN FUNDAMENTAL INSTITUTIONS

1. STATEMENT OF COMPLIANCE

With regard to the operational activities reviewed, SIRC found that CSIS complied with the CSIS Act, Ministerial Direction and internal policies and procedures. The operational activities did not involve an unreasonable or unnecessary exercise by CSIS of any of its powers.

2. SCOPE AND METHODOLOGY

The Ministerial Direction on Operations and Accountability requires CSIS to weigh the use of intrusive operational techniques "against possible harm to civil liberties and to Canadian fundamental institutions." Accordingly, "more senior levels of approval must be obtained for investigations that affect Canadian fundamental institutions".Footnote 1

CSIS policy considers Canadian fundamental institutions (CFls) to include political, government, religious, post-secondary, and media establishments. [redacted text].Footnote 2

The Director's annual report to the Minister noted that, over the course of the period of the report (2017-18), [redacted text] required executive-level approval on account of the [redacted text] impact on a CFI. There were also [redacted text] for which approval had been obtained in previous years.Footnote 3 Supporting documentation reviewed by SIRC showed that a total of [redacted text] had been evaluated [redacted text] potential impact on CFls, however, and that all but [redacted text] had been assessed as having no impact on the CFI or CFls in question.Footnote 4

SIRC therefore set out to review a sample of the [redacted text] in order to determine whether CSIS's assessment of the extent of [redacted text] impact on CFls was appropriate.Footnote 5 SIRC reviewed [redacted text] comprised of [redacted text] currently assessed as having an impact on a CFI as well as [redacted text] selected at random. [redacted text] SIRC scrutinized [redacted text] as well as key [redacted text] including the report generated at the end of each [redacted text]

In reviewing the documentation, SIRC asked the following questions:

  • Did CSIS clearly state the [redacted text] within the CFI and assess the impact [redacted text] on the CFI?
  • Did CSIS provide adequate justification for its interest in [redacted text]?
  • Did CSIS appropriately assess the roles and functions of the CFI?

[redacted text] took place across all CSIS regions:

Breakdown by Region
B.C. Region Prairie Region Toronto Region Ottawa Region Quebec Region Atlantic Region International Region
[redacted text] [redacted text] [redacted text] [redacted text] [redacted text] [redacted text] [redacted text]

3. ASSESSMENT

Based on its review of the sampled [redacted text] SIRC found that CSIS assessed the impact of its [redacted text] operations on CFls in accordance with Ministerial Direction as well as internal policies and procedures.

ln one instance, [redacted text] had previously been assessed as having no impact on the CFI - began [redacted text]Footnote 6 [redacted text] might need to be re-assessed given [redacted text] potentially increased impact on the CFI.Footnote 7

This incident highlights how the impact [redacted text] on CFls can shift subtly over time. As noted above, the most thorough assessment of [redacted text] in practice the updates are often basic and repetitive, particularly if [redacted text] the CFI has not changed. CSIS does not undertake periodic baseline re-assessments of the impact of [redacted text] on CFls. Indeed, it may not be reasonable to expect CSIS intelligence officers, without specialized training, to assess the nuances of the impact [redacted text] on CFls.

While centralized monitoring [redacted text] provides a degree of support, CSIS's current practices place it at risk of failing to note gradual shifts in the impact [redacted text] on CFls. For this reason, SIRC will return to the topic of CSIS's interactions with CFls in future to perform an in-depth study of the process by which CSIS assesses impact on CFls.

ANNEX E - GENERAL OBSERVATIONS

Human source operations

SIRC first drew attention to the legal problems facing CSIS with regard to its human source operations in 2015, when it noted that certain CSIS operations abroad may have been in contravention of the United Nations Al Qaeda Taliban Regulations (UNAQTR) and other similar laws, and directed CSIS to review its activities for compliance.Footnote 1 In 2016, SIRC further recommended that "CSIS seek legal clarification on whether CSIS employees and CSIS human sources are afforded protection under the common law rule of Crown immunity". CSIS accepted the recommendation.Footnote 2

SIRC, in its annual report for 2016-2017, expressed concern regarding CSIS's continued conduct of human source operations that risked contravening Canadian law. The report noted that, pending the coming into force of Bill C-59 - which, as you know, contains a justification regime for human source operations that would otherwise be unlawful - SIRC would continue to monitor CSIS's efforts to mitigate the legal risks of human source operations.Footnote 3 SIRC raised the issue of potential contraventions of Canadian law again in its 2017-2018 annual report.Footnote 4

This year, in his report to you, the Director noted that he had approved [redacted text] human source operations during the reporting period, despite having been advised that [redacted text] of these involved a high legal risk (the [redacted text].Footnote 5 Here, it is important to clarify what "high legal risk" means. A high legal risk operation is one that is very likely to be found unlawful.Footnote 6 The Director's report also notes that, pending the coming into force of Bill C-59, CSIS would continue to rely on the legal defence of Crown immunity.Footnote 7

In January 2017, however, CSIS had been advised by the Department of Justice that Crown immunity did not constitute a plausible defence. Specifically, the Department of Justice advised that "CSIS cannot rely on Crown immunity in the context of its human source operations" and added that "no alternative authority exists that would allow the Service to conduct otherwise illegal operations." It further explained that with regard to laws that are expressly binding on the Crown, such as the UNAQTR, a Crown immunity defence was not even a theoretical possibility.Footnote 8

This legal advice was followed, ten days later, by a meeting between the Director, the Deputy Minister of Justice, and other senior officials, during which the Deputy Minister "identified certain areas where additional legal work is required." Consequently the earlier advice would be "reviewed in the light of the findings and conclusions that will be reached in this additional work".Footnote 9 The document did not contradict or retract the Department of Justice's advice, which remained in effect. In recent testimony before the Federal Court, it was confirmed that the "additional legal work" referred to work that would inform the future Bill C-59.Footnote 10

The Department of Justice again provided legal advice on January 7, 2019. This advice largely repeated the earlier 2017 advice, and indeed only underlined the tenuousness of CSIS's legal position. The advice re-affirmed that "in early 2017, [the Department of Justice] opined that relying on Crown immunity as a principle shielding the Service, its employees and its human sources from the application of criminal law is not an option", and cautioned that CSIS "is constitutionally required to act within the law. The continued commission of acts that likely constitute criminal offences conflicts with fundamental tenets of Canada's legal system... Ultimately, these operations entail acts that likely constitute criminal offences, with grave implications for the CSIS employees and human sources involved, and for the use of resulting information and intelligence."Footnote 11

CSIS has explained to SIRC that until it received the January 2019 legal advice, it believed that the applicability of Crown immunity to its human source operations was not settled and that therefore it was reasonable for CSIS to have continued relying on the doctrine, as it had in the past, pending the receipt of definitive legal advice or the coming-into-force of Bill C-59.Footnote 12 In view of the January 2017 advice, and based on the record before SIRC at the time of writing, this is not credible.Footnote 13 CSIS's stated position also cannot account for human source operations contrary to laws that are explicitly binding on the Crown, such as the UNAQTR, which prohibits payments to members of the titular terrorist organizations, even if they are human sources providing intelligence to CSIS.

Over the course of 2017-18, CSIS received a series of further legal opinions regarding specific human source operations which concluded that the operation in question was high legal risk - i.e. very likely unlawful - on account of various offences, including under the Criminal Code. In many instances, after receiving this advice, CSIS proceeded with the operation despite the advice.Footnote 14 In at least one instance, the Department of Justice advised that the human source operation likely contravened, not only the Criminal Code, but also the UNAQTR.Footnote 15 The Director nonetheless approved the operation.

Minister, briefing notes to you in 2017 state that the Crown immunity defence was likely to prove weak, but nonetheless portray continued reliance on it as an acceptable interim option pending clear, final legal advice.Footnote 16 These notes neglected to mention that CSIS had already received clear and unambiguous legal advice regarding the inapplicability of Crown immunity. The Director's statement in his report that CSIS "continues to rely on Crown immunity" was similarly misleading. SIRC, for its part, was not aware of the substance of the 2017 legal advice to CSIS until it was provided to SIRC in January 2019.

In April 2018, the Federal Court began to question whether some of the information CSIS was using to support an application for warrants had been obtained unlawfully. While discussions with the Court are ongoing, there is a risk that information obtained unlawfully could undermine warrant applications or even criminal proceedings, with the ultimate effect of harming CSIS's ability to protect national security.Footnote 17 Already, in response to discussions with the Court, CSIS has begun to segregate information in its holdings related to legally problematic warrants, and it may be called upon to justify its retention of that information - and its continued use of the warrants that were obtained through the use of that information.Footnote 18 SIRC would note that the certification of the Director's report is a statutory obligation that does not replace the Federal Court process or infringe on the Court's jurisdiction.

As you are aware, on January 17, 2019, CSIS decided that high legal risk human source operations would no longer be approved, and that existing high legal risk human source operations would be reshaped to mitigate their legal risks.Footnote 19 SIRC acknowledges that this decision comes at no small cost to CSIS's collection of valuable intelligence on threats to the security of Canada, and that CSIS operations will remain impeded until Bill C-59 is passed and comes into force. SIRC also notes that the uncertain fate of CSIS operations - operations in which employees are understandably invested - is harming morale.Footnote 20

Despite CSIS's January 2019 decision, the Director's report for 2017-18 documents high legal risk human source operations that CSIS undertook despite having no valid legal defence.Footnote 21 That the operations may have been important or valuable does not mitigate their unlawfulness.Footnote 22

Datasets

Separately, CSIS continues to ingest and exploit bulk datasets. Many of these datasets contain large amounts of non-public information, much of which is unrelated to a security threat. As SIRC first raised in 2015,Footnote 23 CSIS's dataset collection likely exceeds that which is "strictly necessary" under section 12 of the CSIS Act.Footnote 24 As a result, Minister, you should be aware that, pending the passage of Bill C-59, CSIS is assuming elevated legal risks with regard to datasets.

Compliance with policies and procedures

In recent years, SIRC has noted that CSIS's policies and procedures are falling out of date.Footnote 25 CSIS's suite of policies and procedures translate the law and Ministerial Direction into specific directives that guide all aspects of CSIS operations. As such, it is essential that they be kept up to date in order to reflect an evolving legal landscape, shifting operational realities, as well as SIRC recommendations that CSIS has committed to implementing. Out-of-date and contradictory policies and procedures make it difficult for CSIS employees to comply with the law and Ministerial Direction. They can also result in important problems festering for years, despite already having been identified.

The backlog of policies and procedures in need of drafting or revision has become extensive. As of December 2018, CSIS assessed 155 policy documents as requiring an update. Of these, 88 were assessed as high priority, 45 as medium, and 22 as low. Of the 155, 125 were new policies or substantive rewrites.Footnote 26

The Director's report notes that, in response to the problem, CSIS has committed to renewing the CSIS Governance System, the umbrella term for the whole of the policies and procedures governing CSIS operations.Footnote 27 To this end, an Operational Policy Taskforce has been established. SIRC welcomes this commitment, but notes that accomplishing this goal will require CSIS to commit significantly more personnel to the project than it has to date. SIRC was informed that even under the best-case scenario, the backlog will take roughly two years to clear away. Fewer resources will extend this period, during which CSIS will continue to face increased risks of non-compliance. SIRC believes that the upkeep of the CSIS policy suite merits a permanent investment of resources.

Compliance with Federal Court decisions

In October 2016, Justice Nöel of the Federal Court issued a decision clarifying that CSIS's retention of information under its primary investigative mandate, in section 12 of the CSIS Act, was authorized only to the extent "strictly necessary" to investigate threats to the security of Canada.Footnote 28 Since that time, CSIS has altered the terms and conditions of certain warrants - particularly those pertaining to the Internet - in order to avoid retaining third-party non-threat related information. Nonetheless, the ramifications of the Nöel decision extend beyond warranted collection; the principle of limited retention extends to all forms of CSIS collection that flow from section 12. As such, full compliance with section 12 of the CSIS Act may require significant additional changes to the manner in which CSIS operates.Footnote 29 CSIS recognizes the problem, and has struck a committee to delve into the matter, along with related legal topics. The ultimate goal is to produce policy guidance and training for employees. As CSIS has noted itself, this is important work.Footnote 30 Yet with the third anniversary of the Federal Court decision approaching, CSIS continues to contend, not only with elevated legal risks, but also with the risk of further damage to its crucial relationship with the Federal Court. These delays are an example of the more general CSIS policy backlog noted above.

Compliance with warrants

In recent years, the Department of Justice, on behalf of CSIS, has written to the Federal Court every few months to report instances of non-compliance with the terms and conditions of court-issued warrants.Footnote 31

The vast majority of the problems have stemmed from [redacted text] or else inadvertent human error in the face of complex and fragile systems and processes. The Director, in his report, notes that CSIS hopes to redesign and modernize its systems to avoid many of the pitfalls that have resulted in non-compliance.Footnote 32 Indeed, the renewal of CSIS's systems, including the development of a modern case-management system, is intended to go hand-in-hand with the renewal of CSIS's policy suite, as the systems would ideally be designed from the outset to enforce compliance with the latest policies. SIRC supports these efforts. Such an investment would help strengthen public confidence that CSIS respects their rights and freedoms, particularly as intelligence agencies have grown increasingly reliant on complex technologies and the proper management of potentially intrusive personal data.

The future of the Director's report

As this may well be the last formal certificate, it presents an opportunity to reflect on the value and relevance of the Director's report. SIRC has been critical of the Directors report in the past, both for its shortcomings as a tool of Ministerial accountability and for its lack of timeliness.Footnote 33 Although the report has changed and improved in recent years, CSIS's scope to re-imagine the report was always limited by the need to produce a document that was sufficiently specific and factual to withstand the certification process. With that constraint set to be lifted by Bill C-59, a conversation with CSIS regarding the future of the report would be opportune.

The CSIS Act stipulates that the Director's report must discuss CSIS's recent operational activities, but it otherwise affords the Director considerable latitude.Footnote 34 The CSIS Act does not require the report to be an exhaustive catalogue of CSIS operations, nor to comprise an annual recital of CSIS's main lines of investigation at a high level of generality.

While this year's report notes various threats facing Canada, the overall focus remains on highlighting CSIS's accomplishments. Shortcomings and challenges are mentioned, but their ultimate implications are rarely explored. For example, the fallout from the recent Federal Court ruling clarifying the meaning of "within Canada" for the purposes of section 16 is touched on in a few introductory lines as well as a sidebar text box, while CSIS's problems obtaining [redacted text] warrants are not mentioned, although both challenges have a direct bearing on operations.

From SIRC's perspective, Ministerial accountability could be better supported by a frank and strategic discussion of what went well over the past year, what did not, what challenges remain, and what the future likely holds. Some such issues may already have been raised over the course of the year by the Director, but there is value in an integrated stocktaking without the need to conduct an immediate transaction. The report need not be lengthy, and it should arrive quickly enough after the end of the reporting period to be relevant. Such a report should not require six to eight months to prepare, as it has in recent years. Details and statistics on specific topics of perennial interest to review bodies and to your officials in Public Safety could be included via annexes.

Minister, if you agree that changes would be beneficial, then you may wish to revise your direction to CSIS to reflect your expectations. Indeed, you may wish to contemplate an update to the current direction on operations and accountability in light of Bill C-59. Ministerial Direction regarding the new human source and dataset regimes would assist, not only CSIS, but also review bodies, by providing clear principles and criteria against which review bodies could assess CSIS's use of its new powers.

Date modified: