Intelligence Commissioner’s 2024 annual report

Intelligence Commissioner Simon Noël released his 2024 Annual Report on 13 June 2025. In a welcome move, the redacted versions of the written decisions the Commissioner rendered on the seven ministerial authorizations (MAs) that were issued to CSE in 2024 were also released on the same day. 

I’ll be honest with you. This kind of document typically does not make exciting reading, and this year's collection is no exception. But if you’re interested in gradually building a more complete picture of what CSE is up to, then they do deserve a careful reading, because Intelligence Commissioner Noël, like Commissioner Plouffe before him, has been steadily – if ever so slowly – widening the window these reports offer into CSE’s activities.

In the following post, I’ll try to draw out some of the key points that I think we can learn from this year’s reports, as supplemented by information released by other watchdogs and by CSE itself. I’ve also updated and in some cases corrected the post I did last year on the Intelligence Commissioner’s 2023 annual report based on what we’ve learned this year.
 

The Intelligence Commissioner rendered decisions on seven MAs in 2024: three MAs for foreign intelligence activities, one for cyber security activities on federal infrastructure, and three for cyber security activities on non-federal infrastructures. One element of one of the foreign intelligence MAs was not approved. All the other MAs were fully approved.


FOREIGN INTELLIGENCE MAs

The one foreign intelligence MA that was not fully approved was the first MA the Intelligence Commissioner addressed in 2024, File 2200-B-2024-01, dated 4 April 2024. 

The part of the MA that the Intelligence Commissioner did not approve sought authorization for “a new class of activities, an example of which is enabling research activities.” These activities were to be “undertaken to support existing operational activities and to develop new capabilities.”

“While I recognize the importance of research for CSE to develop tools and capabilities in support of its mandate,” the Commissioner wrote in his decision, “the [Minister’s] conclusions are unreasonable for the following reasons: a) contradictions in the record lead to uncertainty in the Minister’s conclusions about how Canadian-related information will be treated; b) the Minister’s conclusions do not explain how Canadian-related information in [redacted] could meet the essentiality test; and c) the Minister’s conclusions do not demonstrate that he sufficiently understands the nature of the activities that fall within the class given the broadness the class.”

The Intelligence Commissioner’s annual report explained the decision this way: “The IC identified uncertainty around how Canadian-related information collected incidentally would be handled. Specifically, it was unclear whether CSE intended to retain all this information. If so, there was no indication how the retention of the Canadian-identifying information satisfied the legal test that it be “essential”. The IC found that the Minister’s conclusions did not reflect a full understanding of the activities due to incomplete information from CSE. As a result, the IC found the Minister’s conclusions unreasonable with respect to that activity.”

What specifically does all this mean? That kind of detail was – as usual – redacted, so let the guessing games begin!

Let's start with the subject of the MA itself. 

The Commissioner is not permitted to tell us what types of activity any of the three foreign intelligence MAs annually sought by CSE address, but I suspect that this MA is the one that covers CSE’s interception of telecommunications traffic carried by fibre optic cable systems, primarily at intercept points where the cables carry traffic into and out of Canada. 

A schematic representation of CSE’s “cable access” (or “special source”) collection can be seen on this depiction of the “Canadian Cyber Sensor Grid” from a CSE slide deck that was part of the Snowden leak in 2013. Note the two clapper board symbols showing Canadian intercept points at the cable connections – the thick black lines – between Canadian internet space and foreign internet space. 

In addition to intercepting targeted foreign communications, this program collects vast amounts of “unselected” metadata: all of the metadata that passes through CSE’s collection systems. Those systems are located principally on cross-border links to minimize the incidental collection of two-end Canadian traffic, but very large amounts of one-end-Canadian metadata are incidentally collected, and thanks to what has been called boomerang routing, a great deal of two-end-Canadian metadata also ends up collected. 

The metadata that CSE obtains in this and other ways has multiple important uses in the foreign intelligence program, but the Canadian-related data within it also has serious privacy implications, and CSE is required to limit how it retains and uses that data when it is recognized as Canadian-related.

It strikes me as possible that the Intelligence Commissioner’s concerns in this case were centred on a CSE proposal to use metadata containing Canadian-related information in the development of new analytical processes and/or target discovery techniques. 

As some of you will no doubt recall, the Snowden leaks revealed that CSE was doing exactly this kind of thing back in 2012 as part of the tradecraft development effort that became known as the “Airport Wi-Fi” project. That project drew on a two-week sample of metadata pertaining to personal devices that had used the wi-fi at Pearson airport, analyzing usage patterns at other locations the devices appeared at before and after appearing at Pearson in order to develop a method of characterizing unknown IP addresses that target devices might be detected at elsewhere in the world. Data centred on a Canadian location was chosen for development of the technique, CSE later explained, because “In order to develop an accurate model we needed a thorough understanding of a network associated with a public internet access point. We used data where the parameters of the network could then be validated through publicly available and geographically accurate information.” 

CSE’s lack of explicit legal authority at that time to collect and use Canadian-related metadata was one of the main issues raised during a court challenge of CSE’s activities launched by the British Columbia Civil Liberties Association in 2013. The subsequent passage of the CSE Act addressed this concern by giving CSE a Charter of Rights-compatible route to the collection and use of such data, bringing it under the purview of the ministerial authorization system. 

But for such activities to be approved, the Intelligence Commissioner has to agree that the Minister’s decision to authorize them is reasonable in light of the requirements spelled out in the Act. Was the collection, use, and uncertain disposition of Canadian-related metadata one of the concerns underlying the Commissioner’s decision not to approve the “enabling activities” part of the 4 April 2024 MA? 

As ever, we don’t know. But it does seem like a possibility.

Interestingly, the Intelligence Commissioner also removed a clause pertaining to enabling activities in the 2023 version of this MA. In that case, it seems possible that CSE sought approval for a much broader range of activities than simple research and development. (See here for more on the 2023 decisions.) But that could well have been part of the issue this year too: research activities were only cited as an example of the kinds of things potentially authorized by the rejected clause.


Radio monitoring and CNE

The remaining two foreign intelligence MAs issued in 2024 were both approved in full on 9 July 2024. 

The first, File 2200-B-2024-03, may be the MA that covers eavesdropping from Canadian diplomatic facilities and other kinds of radio monitoring activities. 

The Commissioners’ decisions sometimes include “remarks” to highlight issues that they feel deserve more attention. In many cases, these remarks apply across the board, not just to the specific MA decision in which they are made. In this decision there is an intriguing passage that may represent one of those more widely applicable comments. 

The Commissioner writes: 

“As indicated by the Minister, in some cases there are technical and operational reasons for the retention of certain types of information for a longer period, and even indefinitely. In this year’s Authorization, the retention period set out by the Minister for a particular type of information has been [redacted]. The rationale for [redacted] is straightforward: [redacted], its usefulness for foreign intelligence purposes goes [redacted]. I accept the Minister’s rationale.” 

Going out on a limb here, I would guess that this passage refers to the collection and storage of encrypted information that it is not currently practical to decrypt but which might become decryptable using quantum computers in the not too distant future. It could be referring to something completely different, of course, but encrypted material seems to me like a pretty good fit.

When CSE recently warned Canadians that other countries might be doing this to Canadian data, they called it the HNDL threat: “Systems protecting the confidentiality of information in transit over public network zones may be at risk earlier than expected due to the harvest now, decrypt later (HNDL) threat. A HNDL threat is when a threat actor intercepts encrypted information, stores it and then decrypts it in the future, when sufficiently powerful quantum computers exist. It is recommended that any systems susceptible to a HNDL threat be a high priority for migrating to [post-quantum cryptography (PQC)].”

Sounds like a reasonable thing for a SIGINT agency to be doing, now they mention it.
 

The second MA approved on July 9th, File 2200-B-2024-04, was probably the one that covers Computer Network Exploitation (CNE). 

The Commissioner’s decision for that MA points out that “even though the legislative framework (s 3, CSE Act) allows for Acts of Parliament to be contravened, the Minister sets out certain limitations – a red line – that CSE employees cannot cross when carrying out activities such as causing, intentionally or by criminal negligence, death or bodily harm to an individual or willfully attempting to obstruct, pervert or defeat the course of justice or democracy.” 

These same limitations are required by the CSE Act for activities conducted by CSE under the active and defensive cyber operations parts of its mandate, and it is appropriate that CSE’s CNE activities – which significantly overlap with cyber operations in terms both of targets and of tactics, techniques, and procedures – also be subject to them. 

These stipulations by the Minister were also noted by the Intelligence Commissioner in 2023, at which time he commented that he was “of the view that explicitly including these limits is necessary, as the CSE Act does not provide for them [in the context of foreign intelligence authorizations] and they do not appear in policy documents in the record.” 

Indeed, although the Intelligence Commissioner hasn’t advocated this, it would make sense to amend the CSE Act to give this red line the kind of permanence that changeable annual authorizations do not provide. 


Over-sharing CII

This year also brought news of a significant privacy failure in CSE's foreign intelligence activities. According to the Commissioner's annual report, “In 2024, CSE informed the IC that it had shared information collected under ministerial authorizations with international partners without removing Canadian identifying information” (CII).

Such mistakes are in fact made quite often, but this case seems to have been something more systematic extending over several years. 

The Commissioner encouraged CSE to be publicly transparent about the problem, and CSE did provide a brief account of the problem in its own annual report, which was released at the end of June. In that report, CSE explained that it had “identified an activity where, between 2020 and 2023, we shared some information with international partners without properly removing Canadian information that had been acquired incidentally when targeting valid foreign intelligence targets. Although the information remained safeguarded” – whatever that means in the context of giving it to the wrong people – “this activity did not meet CSE’s policy requirements. CSE acted quickly to contain the issue. Corrective actions included placing strict limits on information sharing and seeking assurances from CSE’s trusted partners that the shared information was deleted. We continue to update our policies and procedures to prevent reoccurrence.”

I’m guessing the information in this case probably was not metadata, because CSE’s international sharing of metadata was on hold between 2014 and January 2023 as a result of an earlier series of privacy snafus. That period covers most of the time during which this latest oopsie was underway. 

It also seems unlikely that the problem was in CSE’s end-product reports (EPRs), most of which are routinely shared with our partners. Mistaken releases of CII regularly do occur in EPRs, but they are individually corrected when they are discovered and are unlikely to be attributable to any single systematic cause.

So where did the problem occur? One possibility is that it lay in the collection CSE does on behalf of its Five Eyes partners using selectors supplied by those partners. Partner-supplied selectors are vetted by CSE and only applied to Canadian collection systems if they are compatible with Canadian intelligence priorities and are associated with foreign entities located outside Canada. But the incidental collection of Canadian communications or information about Canadians is still possible, and if Canadian information was not properly suppressed before the resulting intercepts were forwarded to the partners who requested them, that would represent a pretty significant privacy failure. 

Whatever its cause, the incident drew a bit of media attention following the release of the Intelligence Commissioner’s annual report, with CSE explaining itself using the same sparse sprinkling of details that it then published in its annual report about a week later.


CYBERSECURITY – FEDERAL INFRASTRUCTURE

One omnibus MA covering all cybersecurity activities that CSE conducts on federal government infrastructure is issued each year. In 2024, that MA, File 2200-B-2024-02, was fully approved by the Intelligence Commissioner.

There were still a couple of interesting items in the Commissioner’s written decision, however. 

Let her REP

One noteworthy section shed some light on an earlier point of contention. In 2022, Intelligence Commissioner Plouffe rejected an activity proposed in that year’s version of the MA as “outside the scope” of the federal cybersecurity provisions of the CSE Act. CSE chose to go ahead with the activity anyway, asserting that it could do it without an MA, and in 2023, Commissioner Noël, who had replaced Plouffe by that time, called on CSE to explain itself.  

The 2024 decision provides some additional explanation about the activity: the issue was the acquisition of publicly available information that might contain information for which Canadians or persons in Canada have a reasonable expectation of privacy (REP). 

CSE can acquire such information under a ministerial authorization (assuming appropriate privacy measures are taken), but those authorizations pertain only to information obtained from the federal infrastructure (or non-federal infrastructures designated as of importance to the government of Canada, in the case of non-federal cybersecurity MAs). CSE can acquire publicly available information from other sources without an MA, but only if it does not contain REP information.

CSE’s position seems to have been that it could in fact acquire information that might have an REP without an MA as long as the risk that REP information would be collected was small, measures were taken to eliminate REP information if it was found, and any infractions were reported. 

The Commissioner was unconvinced by this argument: “I want to reiterate ... that when CSE determines whether it may conduct an activity without a ministerial authorization, the CSE Act makes it clear that the primary concern is that no information in which Canadians have a reasonable expectation of privacy be collected. Thus, determining that the information was not [redacted] would not necessarily be sufficient. Publicly available information, as defined by section 2 of the CSE Act, cannot include information in which Canadians or persons in Canada have a reasonable expectation of privacy. As a result, although subsection 23(4) of the CSE Act allows CSE to incidentally collect information related to a Canadian or a person in Canada when carrying out activities under a cybersecurity authorization, publicly available information acquired for the purposes of section 17 of the CSE Act cannot incidentally contain Canadian-related information. Indeed, pursuant subsection 23(4), the lawful authority to incidentally collect Canadian-related information is limited to activities carried out under an authorization.”

Since CSE was not asking to carry out these activities under that or any other MA, the agency's decision to proceed with them was not actually under the Intelligence Commissioner’s jurisdiction, as the Commissioner himself acknowledged.

But the question of whether CSE is operating lawfully is a vitally important one, and if CSE needs this kind of data to perform its duties (and can apply appropriate privacy measures), then the answer surely is for the government to amend the CSE Act accordingly. This seems to be the path preferred by the Intelligence Commissioner, who commented, “I do not disagree with the Chief’s assessment that there is an incongruity in the CSE Act and that a legislative amendment would bring clarity to CSE’s activities in this sphere.”

The National Security and Intelligence Review Agency (NSIRA) also looked at this question last year, agreeing with the Intelligence Commissioner that “CSE cybersecurity activities that risk interfering with a reasonable expectation of privacy of a Canadian or person in Canada can only be authorized on federal information infrastructures and systems designated as important to the Government of Canada.”

NSIRA also called for amendment of the CSE Act, recommending “that section 27 of the CSE Act be amended to permit the Minister to authorize CSE to acquire information that is necessary for CSE's cybersecurity and information assurance aspect (but which may contain information that interferes with the reasonable expectation of privacy of a Canadian or person in Canada, or contravene an Act of Parliament), from sources other than federal information infrastructures and systems of importance to the Government of Canada.”

In its official response to NSIRA's recommendation, CSE declared itself in agreement with the review agency: "CSE agrees that legislative amendments would help clarify the ability of the Minister of National Defence to authorize CSE to acquire cybersecurity information from the GII that interferes with the reasonable expectation of privacy of a Canadian or person in Canada."

Whether the Carney government will put such an amendment before parliament of course remains to be seen. 

Excessive retentiveness on retention periods

The Commissioner’s decision also contains an interesting discussion of how CSE retains some of the information it acquires for a certain amount of time to enable it to “go back in time” when performing certain analyses. 

Unfortunately for those of us who like the details, the length of that retention period was redacted from the document: “[T]he Minister explains CSE must be able to retain information that has not been identified as useful for a [redacted] period. A [redacted] assessment period is needed for CSE to analyse the information in the case of a cyber event and examine its evolution over time.... As explained in the record, keeping the information for a [redacted] period allows CSE to compare newly discovered vulnerabilities against its unassessed information and determine whether they exist within the federal systems. The record provided an example where the ability for CSE to “go back in time” enabled CSE analysts, following an identified vulnerability within the impacted federal systems to identify the threat and take immediate mitigation actions.”

As you might guess, I’m not persuaded that details like CSE’s data retention period really need to be redacted. But, of course, it’s not my call. 

That said, if it actually is important to keep information like that secret, maybe officials ought not to provide it to parliamentary committees in open testimony.

Like this: “For data that are not particularly useful, the retention period is a maximum of one year.” (Richard Larose, Senior Technical Advisor, CSE, 8 April 2024)

Or this: “In a cyberdefence operation, if information gathering impacts Canadians’ privacy, the information may be kept for a maximum of one year, unless it is deemed essential for the purposes of the cyberdefence operation.” (Intelligence Commissioner Simon Noël, 18 November 2024)

In my opinion, if information is already out there on the public record, there is no good reason to continue redacting it from documents like the Commissioner’s written decisions.


CYBERSECURITY – NON-FEDERAL INFRASTRUCTURES

Finally, we arrive at the three MAs issued for cybersecurity activities on non-federal infrastructures.

The first of the non-federal MAs to be approved, File 2200-B-2024-05, is an intriguing one. The need for the Cyber Centre’s assistance was evidently urgent, so the Intelligence Commissioner approved the MA immediately and issued his written reasons for the decision later. 

Other than the fact it was approved in 2024, all dates associated with this MA were redacted from both of these documents, presumably to make it more difficult for folks like us to correlate it with publicly known events. But of course this is tantamount to erecting a flashing neon sign announcing that the MA probably is correlatable with one or more publicly known events, so let’s give it a go.

In its most recent annual report, CSE referred in passing to “provinces and territories with access to our sensor services,” confirming – perhaps inadvertently – that the agency has begun providing cybersecurity services to provincial as well as territorial governments. Such services are only available via MA. Since the three territorial governments are already all accounted for by the MA approved on 15 November 2024 (see below), it would seem we’re looking for one or more provincial governments for this one.

That being the case, the government of British Columbia seems like the most obvious candidate for this year's mystery guest. 

As this CBC news report explains, the B.C. government became aware of a series of breaches or attempted breaches of its IT systems in April 2024:

“[T]he B.C. government first began investigating an attempted breach of its systems on April 10. On April 11, the cybersecurity incident was confirmed and reported to [the Cyber Centre (CCCS)], and the government also notified Microsoft's Detection and Response Team (DART) of the suspected breach attempt. A few weeks later, on April 29, [B.C. public service head Shannon] Salter said the same threat actor was involved in additional activity on government systems, and public service workers were told to change their passwords. On May 6, another cyberattack was identified, with Salter saying the same threat actor was responsible for all three incidents. Two days later, B.C.'s premier went public with news of the attack, after the CCCS told officials that safeguards had been put in place that would allow the public to be notified.”

(My thanks to a colleague who will remain unnamed for reminding me of this case.)

I am given to understand that one or two other, not publicly named, provincial governments also suffered serious intrusions last year, so it is possible that more than one government is covered by this MA. But given the speed with which the MA was processed, unless the requests for help were almost simultaneous, it seems less likely to me that multiple governments were involved. Time may eventually tell.
 

The second of the 2024 non-federal cybersecurity MAs, File 2200-B-2024-06, was approved on 22 October 2024. 

This MA is the fourth in a series of MAs first issued in 2021. Last year, I thought this extended series of renewals was evidence of a proactive, preventive intervention on the part of the Cyber Centre, not a reaction to a specific cyber threat. 

But this year’s written decision makes it clear that it is in fact a reactive activity – just one that is taking an unexpectedly long time to conclude.

When he approved the third iteration of this MA in 2023, the Commissioner thought that one would be the last one: “Based on the Minister’s conclusions in last year’s authorization, it was my understanding that following the completion of the [redacted] outstanding recommendations – which he anticipated would be implemented in 2024 – CSE’s support would no longer be required.”

But that turned out not to be the case. “The Minister explains that although the non-federal entity has made substantial progress with the implementation of CSE’s recommendations to improve its cybersecurity posture, there is continued presence of malicious activity on the system and some of the key recommendations remain to be completed.”

“The length of time taken is largely attributable to the procurement process,” the Commissioner reported.

Given this record and the sophistication of the threats facing it, Commissioner Noël questioned whether the entity receiving assistance would ever be able to look after its own security: 

“[The Minister] writes that “[t]he commercially available safeguards put in place by [the non-federal entity] are not sufficient to identify and counter persistent and increasingly complex cyber threats.” This raises the question of whether commercially available safeguards will ever be sufficient on their own. While last year’s authorization recognized that there would be an eventual cessation of CSE’s cybersecurity activities on the non-federal entity’s system – at the time expected in 2024 – this year’s record does not indicate when the outstanding recommendations might be completed, or suggest that once the recommendations are fully implemented, CSE’s presence will no longer be required.”

It will be interesting to see if a fifth MA is issued for this entity later this year.

We still don’t know what company or even type of industry is involved in this case, although a telecommunications company certainly seems like a plausible possibility. 

In June 2025, CSE revealed that it was “aware of malicious cyber activities currently targeting Canadian telecommunications companies. The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon.” 

Whatever the identity may be of the entity receiving assistance under this MA, the Intelligence Commissioner believes that CSE’s assistance to it has been extremely valuable, and for the second year in a row he made a point in his decision of urging CSE to tell the public the story of its intervention when security considerations make it possible to do so. 


The last of the three non-federal cybersecurity MAs issued in 2024, File 2200-B-2024-07, was approved on 15 November 2024. This is the MA that covers cybersecurity assistance to Canada’s three territorial governments, those of the Northwest Territories, the Yukon, and Nunavut. The first version of this MA was issued in 2023 (an earlier MA covering just the NWT government was issued in 2022), but the 2024 MA was the first in which the identities of these governments were left unredacted.

(They weren’t redacted this year presumably because CSE had already identified them in its 2023-24 annual report, released in June 2024.)

It seems likely to me that Cyber Centre support to these governments will continue for the foreseeable future, and that long-term support for a number of provincial governments may also become an ongoing thing.

But the Commissioner has laid down an interesting marker in this respect: “As mentioned in my reasons, CSE’s continued presence has a preventative, or proactive, objective. However, I wish to be clear that my conclusions do not entail that a designation as a non-federal entity of importance to the Government of Canada, in itself, is sufficient to support the Minister’s conclusions that a cybersecurity authorization would be reasonable if deployed for a preventative objective.... A cybersecurity authorization pursuant to section 27(2) of the CSE Act is issued for the purpose of helping to protect a non-federal entity’s system from mischief, unauthorized use or disruption. In contexts where cybersecurity activities are carried out for preventative or proactive purposes, I am of the view that the Minister nevertheless needs to establish a factual basis for CSE’s assistance.”

He made a similar argument in his 22 October 2024 decision, adding: “Cybersecurity authorizations are intrusive on privacy interests given the necessary collection of information in which Canadians have a reasonable expectation of privacy – even though the collection is ancillary to safeguarding the system. I consider the degree of intrusion even higher in the case of cybersecurity authorizations in support of non-federal entities because CSE – a Government of Canada agency – is collecting information it would otherwise not have access to. And of course, the intrusion is exacerbated the longer it lasts. It is therefore important that the rationale for continuing this ancillary collection over an extended period of time is sufficiently considered and justified in the Minister’s conclusions.”

The argument, I think, is that there is a trade-off that must always be weighed between the benefits of providing cybersecurity assistance and the value of minimizing government intrusion into the reasonable expectation of privacy of Canadians and persons in Canada.

Although the number of non-federal cybersecurity MAs may still be too low to draw definitive conclusions, there seems to be a trend away from short-term, reactive responses towards longer-term, proactive activities on CSE’s part, especially with respect to other levels of government. It will be interesting to see if this trend continues – and how this Intelligence Commissioner and future ones respond to it.


CSE NUMBERS DIFFER

CSE’s recently released 2024-25 annual report provides statistics that differ slightly from those reported by the Intelligence Commissioner in his annual report. According to CSE, “This year, CSE submitted 8 authorizations to the Intelligence Commissioner and all were approved.” Non-federal cybersecurity MAs accounted for four of the authorizations.

Meanwhile (as noted above), the Intelligence Commissioner reported that he considered seven authorizations in 2024, six of which were fully approved and one of which was only partly approved. Non-federal cybersecurity MAs accounted for three of the authorizations.

The primary explanation for these discrepancies almost certainly lies in the fact that the two sets of statistics cover somewhat different time periods. The Intelligence Commissioner reported on calendar year 2024, while CSE reported on fiscal year 2024-25, which ran from 1 April 2024 to 31 March 2025. 

A non-federal cybersecurity MA that was approved in the first quarter of 2025 would appear in CSE’s statistics but not those of the Intelligence Commissioner, thus accounting for the different totals.

If there was indeed a new non-federal cybersecurity MA approved in early 2025, it could be a sign that one or more additional provincial governments are now receiving federal cybersecurity assistance. 

Alternatively, the assistance might be going to another telecom victim of Salt Typhoon. CSE’s recent bulletin about Chinese state-sponsored actors revealed that “Three network devices registered to a Canadian telecommunications company were compromised by likely Salt Typhoon actors in mid-February 2025.” That would fit pretty well with a new MA in the first quarter of 2025. A media report later identified the unnamed company cited in CSE’s bulletin as Rogers. 

Next year we should get a better sense whether the new client is a company or a government. 

While the difference between CSE's overall numbers and those provided by the Intelligence Commissioner seems easily explainable, CSE's claim that all the MAs submitted to the Intelligence Commissioner in 2024-25 were "approved" is less easy to explain. The decision that the Intelligence Commissioner issued on 4 April 2024 – a date that falls unambiguously into CSE's fiscal year 2024-25 – was only a partial approval: one section of that MA was very much not approved. I can only assume that CSE made a mistake here: they can't really think an outcome like that can be classified as "approved".