Metadata also used in mandates B and C
CSE has a three-part mandate laid out in the National Defence Act, and within the agency these parts are referred to by the letter of the sub-paragraph that spells them out (A: provision of foreign intelligence; B: protection of electronic information and of information infrastructures of importance to the Government of Canada; C: provision of operational and technical support to federal law enforcement and security agencies). The fact that CSE has collected and/or used metadata in support of all three parts of its mandate suggests that its exploitation of Canadian metadata may be much more extensive than has been supposed to date.
The documents (which unfortunately are not yet available online) confirm that the Ministerial Directive on Collection and Use of Metadata signed in 2005 authorized metadata collection and use for both Mandate A and Mandate B operations:
On March 9, 2005 the Minister of National Defence signed a Ministerial Directive (MD) to the Chief CSE describing how the Minister expects CSE to collect, use [redacted] metadata acquired in support of its foreign intelligence acquisition programs (mandate (a)), as well as for its computer systems and networks protection programs (mandate (b)) as they relate to malicious cyber activity. [OCSEC Review of the Ministerial Directive, Communications Security Establishment, Collection and Use of Metadata, March 9, 2005, January 2008]That 2005 directive was subsequently replaced by an updated version signed by Defence Minister Peter MacKay on 21 November 2011. The documents that have been released do not confirm that the new version also authorizes both Mandate A and Mandate B activities. A highly redacted version of the new directive itself has been released, but the non-redacted portions of the text refer only to Mandate A.
It seems pretty clear, however, that Mandate B metadata activities are still being conducted by CSE. The CSE oversight commissioner stated on 13 June 2013 that "In the case of metadata, I verify that it is collected and used by CSEC only for purposes of providing intelligence on foreign entities located outside Canada and to protect information infrastructures of importance to the government." The second part of that statement is a direct reference to Mandate B. This suggests either that the 2011 Ministerial Directive, like its predecessor, does authorize Mandate B activities or that a separate Ministerial Directive or other instruction now does that.
The Commissioner's 2008 review looked only at the Mandate A activities. It did state, however, that
Any future OCSEC review will likely examine and assess CSE’s metadata activities in relation to mandate (b). While not a focus of this review, we did learn that all telecommunications data [redacted], is also subject to processes designed to identify malicious cyber activity [redacted].As the phrase "all telecommunications data" may suggest, the amount of communications metadata collected and analyzed in support of Mandate B could be quite large. Threats to Canadian government electronic information and information infrastructures do not emanate solely from outside Canada or solely from non-Canadians, and subsection 273.65(3) of the NDA gives the Minister the power to authorize the interception of private (i.e., Canadian) communications for the "purpose of protecting the computer systems or networks of the Government of Canada." It seems nearly certain, therefore, that extensive use is made of Canadian metadata in CSE's Mandate B operations.
Less information is available about Mandate C activities. However, a draft version of a CSE policy document (OPS-1-10, Procedures for Metadata Analysis, June 2006 draft) indicates that such activities do take place:
Metadata analysis conducted in support of Federal Law Enforcement or Security Agencies (LESAs) to obtain Security or Criminal Intelligence (mandated under paragraph 273.64(1)(c) of the NDA, known as ‘Mandate C’) is handled only in accordance with OPS-4-1, Procedures for CSE Assistance to Canadian Federal Law Enforcement or Security Agencies, and OPS-4-2, Procedures for CSE Assistance Under Section 12 of the CSIS Act.The primary focus of Canada's law enforcement and security agencies is on activities inside Canada, conducted mainly by Canadians. It is therefore safe to conclude that any metadata analysis conducted for these agencies is going to focus primarily on Canadians.
The existence of multiple metadata mandates raises the possibility that one set of activities may feed into the others. Is it possible, for example, for CSE to collect an extensive database of Canadian domestic metadata in support of its Mandate B activities and then mine that data for CSIS and the RCMP under the umbrella of Mandate C?
Safeguards may exist that prevent such cross-overs. But if so, what are they? And who guarantees that they will stay in place?
The main assurance we've heard from Defence Minister MacKay so far is that "this program is specifically prohibited from looking at the information of Canadians." (See also "we use metadata to identify and collect international, not domestic, communications.")
Those statements don't seem very convincing.
As the CSE Commissioner has reported, even Mandate A activities "involve CSEC's use and analysis of information about Canadians for foreign intelligence purposes". Mandate B must certainly involve extensive metadata about Canadians assuming CSE is doing its job properly. And Mandate C is almost entirely about Canadians and other people in Canada.