The Edward Snowden revelation that the Communications Security Establishment (CSE), without a warrant, used free airport Wi-Fi service to gather the communications of all travellers using the service and to track them after they had left the airport sparked an ongoing unfounded concern about mass surveillance in Canada.[1] It was reported but unverified that the number of Canadians affected by this surveillance is unknown apparently even to the Canadian Security Intelligence Service.[2]
The Department of National Defence (DND), the Communications Security Establishment, CFINTCOM and the Canadian Security Intelligence Service CSIS
The Communications Security Establishment Canada (CSE) is Canada's signals intelligence agency. The agency is responsible for foreign signals intelligence and for protecting the Canadian government's electronic information and communication networks. It reports to the Minister of National Defence, who is in turn accountable to Cabinet and Parliament. CSE is part of the Five Eyes, or the alliance of spying agencies of the United States, Australia, New Zealand, the United Kingdom and Canada.
CSE originated in World War II, as a military signals corps meant to collect foreign intelligence signals. The agency only came into public awareness, however, with the 1974 CBC TV documentary The Fifth Estate: The Espionage Establishment. Since the events of 9/11 and Canada's subsequent 2001 Anti-Terrorism Act, the CSE's capacities have expanded significantly, in terms of legal mandate, available technology, and financial resources. Today, it employs roughly 2000 people[3] and its estimated 2015-2016 budget was $1.075 billion.[4] The agency expects a net increase of $59.5 million in federal funding in the coming year[4]
The 2001 Anti-Terrorism Act amended the National Defence Act to establish the CSE's mandate as follows:
CSE is bound by the Canadian Criminal Code, the Canadian Charter of Rights and Freedoms, the Privacy Act, and all Canadian laws. The agency cannot legally intercept the private communications of Canadians, except for foreign communications that originate or end in Canada. Ministerial authority for such interception is given on a case-by-case basis. Additionally, for reasons of national security, the Security of Information Act permanently binds CSE employees to secrecy, meaning they cannot legally disclose certain information without special authorization.[5]
Per CSE's own description,[6] all of the agency's activities must be necessary to fulfill their relevant mandate; proportionate to the risk being mitigated or the foreign intelligence of interest; effective at protecting the privacy of Canadians; and as minimally intrusive as possible.
The agency is overseen by the CSE Commissioner's Office, which conducts an annual review of CSE activities and their compliance with the law and ministerial authority. The CSE Commissioner can issue recommendations as to the CSE's conduct, which are then, in theory, implemented by the Minister of Defence. To date, the Commissioner has yet to find any CSE activities to be in violation of Canadian law.
CSE is responsible for the Canadian government's metadata surveillance program. Even though metadata does not include the content of the communication itself, it yields a substantial amount of information about its source devices, users and transmissions.
A national security measure to track patterns of suspicious activity, the Canadian metadata surveillance program was first implemented in 2005 by secret decree.[7] It was then suspended for a year in 2008, amid concerns that the program could amount to unwarranted surveillance of innocent Canadians. However, the program was renewed in 2011 via ministerial directive from then-Defence Minister Peter MacKay. The program was broadly approved by the CSE Commissioner at the time.
CSE claims that it does not collect or use metadata to target Canadians without a warrant, as doing so would violate the National Defence Act. The agency holds that it only uses metadata to identify foreign intelligence targets and their social networks, and possible cyber threats.[8] However, CSE acknowledges that the subsets of metadata that it legitimately collects may inadvertently include metadata on the private communications of Canadians. To reduce this allegedly inevitable incursion of privacy, the agency takes measures such as limiting the length of time that metadata can be stored, restricting access to metadata to authorized CSE personnel, redacting any identifying information about Canadians when sharing intelligence with allies, and cooperating with the CSE commissioner's review of activities.
There are actually no oversight for the Communications Security Establishment.