Enhancing measures to counter foreign interference: Whether to amend the Canadian Security Intelligence Service Act

Public consultation paper

November 24, 2023

This document outlines a range of issues and approaches for consultation, and does not constitute the Government of Canada’s final position.

  Fill out the survey

Today's Evolving Threat Landscape

As an advanced economy and open democracy, Canada is targeted by foreign states, or those acting on their behalf, who seek to advance their strategic objectives. While foreign states may advance their interests in legitimate and transparent ways, some also act in ways that threaten or intimidate people in Canada, their families elsewhere, or are covert and deceptive, and harmful to Canada's national interests.

Canadian human rights activists and dissidents exercising their constitutionally-protected freedom of expression are prime targets of state-backed threats of intimidation. Influence and harassment are used to pressure diverse Canadian communities to act in the interests of foreign states. State actors target and obtain the personal information of Canadians to enable their foreign interference activities across all sectors. State actors also attempt to target provincial, territorial, municipal, and Indigenous governments, who have limited access to federal intelligence assessments.

Technology enables and accelerates these threats, especially in the online space, where widely available secure applications and tools like virtual private networks (VPNs) and end-to-end encryption, which help to protect the privacy of Canadians and Canadian companies, make threat actors difficult to detect and identify. Not only has technology changed, but Canadians' expectation of privacy relating to data and technology has also changed. CSIS' authorities were, however, written in 1984, at a time when the prolific use and expansion of digital technology could not have been foreseen; and since then the CSIS Act has only seen targeted amendments.

To investigate the aggressive and corrosive foreign interference that Canada faces today requires that CSIS has a toolkit appropriate for modern technology and modern day threats. Amendments to the CSIS Act would better equip CSIS to carry out its mandate to investigate, advise the Government of Canada, and take measures to reduce threats to the security of Canada.

CSIS' Role in Protecting Canada's National Security

CSIS is mandated to:

CSIS intelligence is used to advise the Government of Canada. For example, espionage and foreign interference intelligence informs best practices in safeguarding critical infrastructure, federally-funded science, and Canadian innovation. Information from CSIS' investigations can also be directed to the Royal Canadian Mounted Police to inform national security criminal investigations.

While CSIS provides critical intelligence to the Government of Canada to respond to foreign interference, there are limitations to CSIS' authorities, which hinder Canada's ability to face the sophisticated and aggressive tactics seen today.

Principles Guiding CSIS Act Amendments

The authorities in the CSIS Act must reflect the values and ideals of Canadians, whom CSIS seeks to protect. A pre-requisite to amending the CSIS Act is an informed conversation with Canadians about what role CSIS should play as a modern civilian intelligence service.

CSIS wants to hear your views on how CSIS should continue to protect Canada's national security, while also continuing to protect the rights and freedoms of people in Canada.

The proposals for amendments seek to enhance CSIS' authorities to better counter foreign interference and protect Canada's national security in a digital world. CSIS Act amendments would help to:

Safeguards

CSIS is committed to increasing transparency to ensure that the Canadian public has trust in their security intelligence service. Maintaining systems of review, oversight, and transparency will remain primary objectives with any CSIS Act amendments. The rights and freedoms of people in Canada are a cornerstone of Canadian democracy and a principal consideration in CSIS' work. CSIS has multiple layers of protections to ensure respect for the rights of people in Canada, which are protected under the Canadian Charter of Rights and Freedoms (the Charter). For instance, CSIS is required to seek a Federal Court warrant before undertaking activities that are more than minimally intrusive, and undergoes non-judicial rigorous external review. The National Security and Intelligence Review Agency, and the National Security and Intelligence Committee of Parliamentarians provide a review function for CSIS' activities. Other CSIS activities are subject to the review and approval of the Intelligence Commissioner, who acts as a quasi-judicial oversight body.

The following key principles would guide any possible CSIS Act amendments:

Trusted: Protect individuals' rights and freedoms in line with the Charter and Canadians' expectations.

Accountable: Comply with the rule of law and judicial oversight; ensuring accountability to the Government of Canada and the Canadian public.

Reliable: Support the Government of Canada in protecting Canada's national security, and remain a reliable and trusted partner both domestically and internationally.

Responsible steward: Use Government resources effectively to advance CSIS operations in a technologically advanced world.

Prepared: Equipped to respond to the threats of tomorrow.

Issue #1: Whether to enable CSIS to disclose information to those outside the Government of Canada for the purpose of increasing awareness and resiliency against foreign interference

Context

At the time of enacting the CSIS Act, national security was strictly the purview of the federal government, where espionage and foreign interference targeted military technology and federal government institutions. For that reason, CSIS is authorized to collect, retain, and provide necessary intelligence to the Government of Canada to make decisions to protect Canada's national security. Today, foreign interference impacts every level of government and all sectors of society, including Canadian communities, academia, the media, and private enterprises. CSIS' expertise and intelligence are increasingly relevant to those outside of the federal government, and these partners turn to CSIS more than ever for information. While national security remains a federal responsibility, it is clear that countering foreign interference requires a whole-of-society effort.

What is the issue?

The CSIS Act does not provide CSIS with sufficient authority to disclose classified intelligence to domestic partners outside the Government of Canada. This means that CSIS generally cannot share relevant information with provinces, territories, Indigenous governments, or municipalities, except in limited situations, such as for the purposes of law enforcement or when they can take action that would reduce a specific threat further to CSIS' threat reduction mandate (TRM). CSIS uses its TRM mandate to communicate information with partners outside of the Government of Canada in an effort to reduce specific threats, when other means are not available. However, the TRM mandate is meant for reducing specific threats, and not for disclosing information for the purpose of building awareness.

Prohibitions on disclosure also limit how CSIS can share relevant information with private sector and academic institutions. Such limitations prevent CSIS from directly sharing information that could help these partners build resilience to foreign interference and espionage threats.

Given the rise in threats facing Canada, CSIS has made significant efforts to increase outreach and awareness of threats. However, as the CSIS Act limits the disclosure of threat-related information, CSIS provides high-level, unclassified, and general threat briefings to those who are the target of foreign interference, but are outside of the Government of Canada. CSIS' inability to communicate more specific and tangible information prevents a full and frank discussion of threats, limiting partners' ability to develop informed mitigation measures or build resiliency.

With CSIS Act amendments, CSIS' information could help partners be more aware of the threats they face, be able to better identify specific foreign interference techniques, and take protective measures to withstand foreign interference.

Potential area for legislative change

CSIS would be authorized to disclose information to other entities or persons, in addition to the Government of Canada, on threats to the security of Canada, for the purpose of increasing awareness and resiliency against threats to the security of Canada. With a broader disclosure authority, CSIS would also implement safeguards recognizing the need to maintain privacy protections, as well as protect CSIS' investigative techniques and sources.

What Do You Think?

  1. Should CSIS be authorized to disclose information to those outside of the Government of Canada to build resiliency against threats, such as foreign interference?
  2. In your view, what considerations should apply to the sharing of information with those outside of the Government of Canada about the threats they face? What type of limits should there be on when and with whom CSIS can share information?

Issue #2: Whether to implement new judicial authorization authorities tailored to the level of intrusiveness of the techniques

Context

CSIS collects minimally intrusive information under its section 12 or 16 mandate. When the collection is more than minimally intrusive, CSIS uses its section 21 authority to obtain warrants from the Federal Court. Prior to applying for warrants, CSIS must consult the Deputy Minister of Public Safety, and the Minister of Public Safety must authorize the making of the application to the Federal Court. Section 21 has always required all warrant applications to satisfy the same requirements, even though investigative techniques can vary greatly in their relative degree of intrusiveness. Section 21 provides for a single warrant authority, featuring requirements that are appropriate for the most intrusive investigative techniques. Performing a single collection activity (e.g., a single examination of a USB) would require CSIS to meet the same requirements as obtaining a warrant authorizing more extensive warrant powers (e.g., authorizing the ongoing interception of private communications) that can be executed repeatedly for a year.

What is the issue?

CSIS' warrant authority requires that regardless of the type of warranted techniques CSIS wants to employ, the warrant application must demonstrate that non-warranted investigative techniques have been tried and failed, or why they are unlikely to succeed or impracticable in urgent circumstances, or that information of importance will not be obtained without the warrant. These elements are referred to collectively as the “investigative necessity” requirements. This means that whether CSIS is seeking a warrant to obtain the name and address of an individual behind an IP address or the call detail records from a device, or to intercept an individual's private communications for up to a year, the same requirements apply.

Similarly, CSIS is required to meet the same strict requirements for a warrant authorizing CSIS to receive and examine the contents of a device one time (e.g., a USB key), as to conduct repeated examinations of an individual's devices or the interception of communications to and from those devices for up to a year. CSIS also lacks a separate authority to compel an entity to preserve perishable information (e.g., financial transaction data that would otherwise need to be deleted by the financial institution). This means that information of importance to an investigation could be lost while CSIS takes the necessary steps to obtain a section 21 warrant.

By contrast, law enforcement investigators have access to a variety of warranted powers tailored to the level of intrusiveness of the techniques being requested. There are important differences between CSIS' authorities and those available to law enforcement, such as the fact subjects of law enforcement warrants often receive notice and can more easily challenge these warrants whereas the subjects of CSIS warrants may never know for national security reasons. At the same time, CSIS is subject to strong Ministerial and review body oversight, something that law enforcement does not have comparably. Nonetheless, over the years, the Criminal Code has seen amendments to allow for greater flexibility while still ensuring effective judicial oversight. For example, the production order provisions were introduced to Criminal Code in 2004. In addition, in the context of a criminal investigation, demonstrating “investigative necessity” is frequently a requirement when law enforcement investigators seek to intercept private communications or intrusive video surveillance, but not for all warranted collection methods.

Potential area for legislative change

New tailored judicial authorization provisions could be considered, alongside CSIS' existing warrant authority, for specific investigative techniques. This could include a preservation order authority, which would allow CSIS to obtain a judicial authorization compelling a third party to preserve perishable information that CSIS has reasonable grounds to suspect will assist with an intelligence investigation, before seeking a production order or warrant to obtain the information, but without CSIS having to demonstrate the investigative necessity requirement to the court.

Another new tool that could streamline CSIS' ability to investigate threats is a production order authority, which would enable CSIS to compel a third party to produce information where CSIS has reasonable grounds to believe that the production of the information is likely to yield information of importance that is likely to assist CSIS in carrying out its duties and functions. The production order could be used to obtain information such as basic subscriber information, call detail records, or transaction records. A new tailored warrant authority could assist CSIS in conducting a single collection activity, like obtaining and examining a USB stick. These types of single collection activities are inherently more predictable in terms of their impact on privacy interests – and as a result less privacy intrusive – than the types of activities that may be authorized under existing warrant powers, which can encompass all investigative techniques and continued collection for up to a year. This authority would still require CSIS to have reasonable grounds to believe that the collection activity is likely to yield information of importance that is likely to assist CSIS' duties and functions under sections 12 or 16 of the CSIS Act, while continuing to provide effective judicial oversight.

Lastly, it may be impracticable at times for the Minister of Public Safety to authorize a CSIS warrant application. This could be for a number of reasons, including that the Minister is outside of the country and unable to review a time-sensitive application. In such instances, the Minister's authorization power could be delegated to enable CSIS to obtain the necessary warrants from the Federal Court to advance its national security investigations.

What Do You Think?

  1. Should CSIS be able to compel an entity to preserve perishable information when it intends to seek a production order or a warrant to obtain that information?
  2. Should CSIS be able to compel production of information when it reasonably believes that the information is likely to yield information of importance that is likely to assist in the performance of its duties and functions under sections 12 or 16 of the CSIS Act?
  3. Should CSIS be able to conduct a single collection activity, like a one time collection and examination of a USB reasonably believed to contain threat-related information, without having to demonstrate investigative necessity? If yes, what requirements should CSIS have to meet for seeking different warrant powers?
  4. In situations where the Minister of Public Safety is unable to authorize the making of a CSIS application for judicial authorization to the Federal Court and where the matter cannot wait, should there be a mechanism to delegate this authority? If yes, who should this authority be delegated to and in what types of situations should this apply to?

Issue #3: Whether to close the gap, created by technological evolution, and regain the ability for CSIS to collect, from within Canada, foreign intelligence about foreign states and foreign individuals in Canada

Context

Section 16 of the CSIS Act authorizes CSIS to collect, at the request of the Minister of Foreign Affairs or the Minister of National Defence, information relating to foreign states and persons (i.e., foreign intelligence) “within Canada.” Technology has drastically evolved since the adoption of section 16 in 1984, and Parliament could not have foreseen how the “within Canada” geographic limitation would restrict foreign intelligence collection given how information today is largely digital and borderless.

What is the issue?

In 1984, through the CSIS Act, Parliament provided CSIS with its section 16 foreign intelligence assistance mandate. Parliament recognized that the collection of foreign intelligence in Canada requires expertise, which was best provided by CSIS. However, Parliament limited this mandate to collection “within Canada,” as it did not want CSIS to collect foreign intelligence abroad. Furthermore, the Communications Security Establishment Act explicitly prohibits the Communications Security Establishment (the CSE) from directing any of its collection activities at a Canadian or any person in Canada.

The Federal Court and Federal Court of Appeal (2018 FC 738, 2018 FCA 207, 2020 FC 757, 2021 FCA 165) have interpreted the “within Canada” limitation to mean that CSIS cannot collect information relating to foreign states and persons, from within Canada, when that information is located outside of Canada. Because of technological advancements, these decisions have reduced CSIS' visibility on the activities of foreign states or foreign individuals within Canada's borders when electronic information is located outside of Canada. The Courts have made it clear that “recalibrating the investigative techniques open to CSIS [under section 16 of the CSIS Act] in light of significant technological change is a matter for Parliament and not the courts” (2021 FCA 165, para 6).

The wording of the CSIS Act and the CSE Act create a foreign intelligence gap. Closing this gap is critical to supporting the Government of Canada in managing Canada's foreign relations and national defence by understanding the capabilities, intentions or activities of foreign states or foreign individuals, who may be involved in foreign interference activities.

Potential area for legislative change

Regain an ability, lost largely due to technological advancements, for CSIS to collect, from within Canada, foreign intelligence about foreign states, and foreign individuals in Canada, which resides outside Canada, while still maintaining the other existing limitations. The collection has to be at the request of the Minister of Foreign Affairs or Minister of National Defence, with the consent of the Minister of Public Safety, and subject to the Federal Court's authorization and conditions. In addition, any collection under section 16 cannot be directed at Canadian citizens, permanent residents, or corporations incorporated in Canada.

What Do You Think?

  1. Should the CSIS Act be amended so that CSIS' ability to collect foreign intelligence at the request of Ministers can keep pace with the evolution of technology, which creates digitally borderless information? If so, what should be the limitations?

Issue #4: Whether to amend the CSIS Act to enhance CSIS' capacity to capitalize on data analytics to investigate threats in a modern era

Context

The authority outlined in sections 11.01 to 11.25 of the CSIS Act, commonly referred to as the dataset regime, was introduced as part of Bill C-59 as an acknowledgement that data and technology had re-shaped the threat and investigatory landscape, as well as in response to the Federal Court's “associated data” decision (2016 FC 1105). The regime was meant to provide CSIS with the authority to collect, retain, and use datasets that are not “directly and immediately related” to a threat to the security of Canada, but that may assist in CSIS' duties and functions under sections 12 to 16 of the CSIS Act. The regime includes numerous safeguards and protections to minimize the personal and private information of individuals in collected datasets, especially for Canadians and individuals in Canada.

What is the issue?

Despite the introduction of the dataset regime, CSIS' ability to retain and use datasets, even when the relevance to CSIS' mandate is clear and obvious, is limited.

The 90-day evaluation period is one of several requirements that hinders the ability to make use of this regime. Specifically, when CSIS collects a dataset, a strict 90-day evaluation period starts, during which CSIS must complete a series of tasks, including translation, decryption, applying privacy protections, and organizing the data. If it is a foreign dataset, CSIS must also, during the 90-day evaluation period, remove the Canadian records to either delete them or constitute a separate Canadian dataset. CSIS must also prepare and submit the requisite application for Ministerial or judicial authorization to retain the dataset within the same 90-days. Should CSIS be unable to fully evaluate the dataset and prepare and submit the requisite application for retention within the 90-day timeline, it must destroy the dataset.

For example, a trusted partner could provide CSIS with a dataset of information (accounts, contact information, relationships) from a country known to engage in foreign interference. The information predominantly relates to non-Canadians outside Canada (foreign information), though the dataset may also contain some Canadian information. Under the legislation, foreign datasets and Canadian datasets have different pathways for approval and retention. For CSIS to retain the totality of this information under the dataset regime, it would need to evaluate the foreign dataset within the 90-day evaluation period, including removing any Canadian information, and request authorization from the Minister of Public Safety to retain the foreign dataset; the Intelligence Commissioner must also review and approve the Minister's authorization. Separately, CSIS would be required to obtain the Minister's approval to make an application to the Federal Court for authorization to retain the Canadian information as a Canadian dataset. Prior to doing so, CSIS must reasonably believe that the Canadian information would belong to an approved class of Canadian datasets. The totality of this process could require up to five separate submissions for review by the Minister, Intelligence Commissioner, and/or the Court, resulting in a delay of up to six to nine months before CSIS can exploit the data, by which time its intelligence value may have diminished significantly. If CSIS cannot evaluate and apply to retain the dataset within the statutory time limit, it is required to destroy all the data.

The regime also contains certain ambiguities that have hindered CSIS' ability to leverage datasets in the way Parliament intended, and have the potential to derogate from CSIS' duties and functions under sections 12 and 16 of the CSIS Act. Clarifying these ambiguities with select amendments would improve the viability of the regime and provide the clarity required to avoid multiple legal interpretations.

Other limitations in the dataset regime result in lost opportunity and value. For example, CSIS is currently unable to query or exploit Canadian datasets for the provision of security assessments or screening advice under section 15 of the CSIS Act. As part of screening applications, applicants must provide their education and employment histories, among other information, which supports the assessment of loyalty. Efforts by an applicant to hide or omit their association with certain institutions can be relevant to a screening investigation. A Canadian dataset of individuals in Canada that have studied at a university associated with a foreign military could not be queried for the purpose of a screening investigation.

CSIS works with many domestic partners like CSE and the RCMP in furtherance of its national security mandate. The datasets that CSIS may be able to collect under the regime could be relevant to the mandate of other agencies. However, CSIS is unable to share those datasets with partner departments because the regime does not contemplate the sharing of whole datasets. This limitation also hinders cooperation with foreign partners in relation to datasets that could be of mutual relevance, such as a dataset that, although not directly related to a threat, is likely to assist in the investigation of a state known to engage in aggressive foreign interference tactics.

Potential area for legislative change

The Government could introduce targeted amendments to the dataset regime to alleviate some of the more challenging elements by, for example, permitting extensions of the evaluation period, as well as increasing the duration of the determination of classes of Canadian datasets and/or authorizations to retain foreign and Canadian datasets.

Other amendments could clarify that the dataset regime only applies to datasets that do not fall under any other CSIS Act authority, that the classes of Canadian datasets must be valid only at collection, and to enable foreign datasets that contain Canadian information to be treated as Canadian datasets (the more stringent process of the two) to avoid multiple applications for authorization. Further amendments could also enable CSIS to share datasets under strict conditions and could enable CSIS to query or exploit Canadian datasets for section 15 screening investigations.

What do you think?

  1. How could CSIS increase its ability to collect and use datasets in a timely and relevant manner, while respecting protected Charter rights, in a data-driven world?
  2. Should CSIS be able to query or exploit Canadian datasets for section 15 purposes? If so, do you think there should be additional safeguards or limitations in place?
  3. Should CSIS be able to share Canadian or foreign datasets with domestic partners who have the lawful authority to collect the type of information contained in the dataset? If so, what safeguards or conditions should be in place, if any?
  4. Should CSIS be allowed to share foreign datasets with foreign partners? If so, what safeguards or conditions should be in place, if any?

Issue #5: Whether to introduce a requirement to review the CSIS Act on a regular basis so that CSIS may keep pace with evolving threats

Context

The threat environment facing Canada is in a constant state of evolution, and Canada needs to ensure that it has the tools necessary to detect and address national security threats. However, CSIS Act amendments are ad-hoc as there is no provision requiring statutory review.

What is the issue?

Unlike the majority of Canada's allied partners, there is no statutory requirement to review the CSIS Act on a regular basis to ensure that the Act keeps pace with technology and data, and their impact on national security threats. As a result, CSIS' authorities are prone to falling out of date, leaving Canada and Canadians vulnerable.

Better equipping CSIS to address the threats of today, but also the threats of the future is critical for protecting Canada and Canadians' national security. Up to date authorities also bolster CSIS and Canada's ability to engage with allies, maintaining Canada's reputation as a trusted partner in the fight against national security threats that more frequently cross-borders.

Potential area for legislative change

Introduce a statutory requirement for Parliament to periodically review the CSIS Act.

What Do You Think?

  1. Should legislation require that CSIS' authorities be regularly reviewed to keep pace with technological advances and Canada's adversaries? If so, how often?
  2. Do you have any other views to share regarding the development and possible amendments to the CSIS Act?

  Fill out the survey

Date modified: