CSIS failed to disclose use of new 'intrusive' technology to minister and court: watchdog
OTTAWA — Canada’s spy agency possibly broke the law when it failed to disclose its use of an “intrusive” new technology to capture sensitive information to both the government and a judge, according to an intelligence watchdog.
In a newly released review, the National Security and Intelligence Review Agency (NSIRA) said that the Canadian Security Intelligence Service’s (CSIS) handling of the technology and capture of sensitive data “raises concerns about how well prepared it is for the deployment of other novel technologies.”
The report comes as the government proposes granting CSIS and other law enforcement powers sweeping new warrantless powers to obtain information via its Strong Borders Bill (C-2).
The heavily redacted review was released to National Post via access to information request. The study began as a study of how CSIS collected, handled, stored and retained sensitive information obtained through a specific court-sanctioned (warranted) operation.
But during its review, NSIRA found that CSIS had deployed a new technical capability to collect the information under the warrant. NSIRA said CSIS twice failed to tell the watchdog about the novel tool beforehand.
Technical capabilities are CSIS’s secret tools and technique used to collect intelligence, whether they require a warrant or not.
All details about the nature and use of the technical capability studied in the review are redacted, although NSIRA notes that it introduced both a “significant expansion of collection capabilities” and “operational risks”.
An unredacted portion of the glossary refers to an IMSI catcher, which is used “for intercepting mobile phone traffic and obtaining location data of mobile phone users”, though there are no further unredacted mentions of that tool.
The report notes that CSIS began thinking about the new technology in 2018 but first deployed it later as part of a warranted operation, meaning the operation had been approved by a Federal Court judge.
But, NSIRA noted, CSIS didn’t tell the judge (or the Public Safety minister) about the new technology it would be deploying as part of the warrant.
CSIS also failed to advise the deputy minister of Public Safety Canada (PSC) that it had acquired the new capability, possibly contravening both the CSIS Act and a 2019 ministerial directive, it noted.
“The Court was not informed of the planned use of [redacted] new intrusive technique, to execute these powers. CSIS should have advised the Court in a timely manner,” read the report.
“PSC disclosed that it was unaware of CSIS’s [technology] and that the technology seemed both novel and potentially controversial” until a September 2022 meeting, the watchdog added. “CSIS only informed PSC about its new capability after using it, thus creating a fait accompli .”
At the time, CSIS said it considered the new technology as an extension of existing capability and not a novel tool that needed to be disclosed, the review noted. But Public Safety Canada, NSIRA and even an internal CSIS review committee disagreed.
The use of this technology came as a surprise to members of CSIS’s Operational Technology Review Committee (OTRC) tasked with identifying potential risks of new technologies and techniques at the service.
Many on the committee learned of the use of the novel tool when the agency publicized the first successful operation in an internal email, the report noted.
“Following discussion with management, the OTRC Chair agreed that [redacted] was a novel technology that should have been presented to and reviewed by the OTRC. Within days, CSIS paused all operational uses,” NSIRA wrote.
Months later, OTRC “partially endorsed” the continued use of the new capability in operations but told CSIS to inform the Federal Court of past and prospective uses.
According to memo advising the minister of the technology, CSIS has deployed the new tool a number of times in both warranted and non-warranted operations since 2022 and “further operational uses are being contemplated,” NSIRA wrote.
NSIRA also studied CSIS’s handling of sensitive information collected via the new capabilities.
The agency found that CSIS retained information without clearly articulating under which legal authority and that the teams tasked with ensuring data is managed lawfully “face challenges.”
“Until its organizational culture shifts from a narrow focus on data collection, under warrant or otherwise, to sound stewardship of data at every step of its lifecycle, CSIS will continue to place itself at risk of non-compliance with the law and Ministerial Direction,” the review warned.
CSIS did not respond to a request for comment by deadline.
National Post
cnardi@postmedia.com
Our website is the place for the latest breaking news, exclusive scoops, longreads and provocative commentary. Please bookmark nationalpost.com and sign up for our politics newsletter, First Reading, here.