Tuesday, May 12, 2026

What the overseer saw: 2025 edition

The Intelligence Commissioner’s 2025 annual report was released on 1 May 2026. In this post I'll look at some of the key issues raised in that report and its accompanying documentation.

The job of the Intelligence Commissioner (IC) is to provide quasi-judicial oversight over the ministerial authorizations (MAs) that are granted to CSE and CSIS to enable them to conduct certain of their activities. The MAs for CSE enable it to conduct its foreign intelligence and cybersecurity activities. Those for CSIS permit it to hold certain Canadian and foreign datasets and to undertake certain acts or omissions that would otherwise be unlawful. MAs are good for up to 12 months, and only those MAs that are approved by the IC go into effect.

The annual report explains the IC’s oversight role in more detail, comments in much lesser detail on important or novel aspects of the MA decisions the IC made in 2025, and highlights a number of other issues that have arisen. Wesley Wark has a good, readable overview of the report here.

Also released on May Day were the 14 individual MA decisions the IC made in 2025. The versions publicly released had almost all key details redacted for security reasons, but they do provide some significant additional information, and because the original classified versions were written to facilitate their redaction, what remains is considerably more legible than is typical for highly redacted documents.

As in most years, there’s not much in the IC's report and its accompanying decision documents that’s likely to create headlines, but it’s still worthwhile to give them a careful read – or at least get some hapless schlub to go through them and draw out some of the key points for you.

Which perhaps for some of you is where I come in. In my case, I don’t really do CSIS, but there is some overlap in the issues that arise for the IC – as demonstrated in the way discussion of the CSE and CSIS decisions was blended together in this year’s report – so I will deign to talk about the HUMINT folks once at the end of what follows.

But, first, the CSE decisions.


FOREIGN INTELLIGENCE MAs

The IC issued nine CSE-related decisions in 2025, including three that cover CSE’s foreign intelligence activities, decisions CSE-2025-02, CSE-2025-04, and CSE-2025-05. Three is the standard number of foreign intelligence MAs issued to CSE every year. The IC is not allowed to say what they cover, but it is safe to say that everything CSE does under its foreign intelligence mandate that might otherwise contravene Canadian laws or interfere with the reasonable expectation of privacy of Canadians or persons in Canada – including all CSE collection activities – is covered in those three MAs somewhere. (You can see my speculations on the specific activities each MA covers in my comments on last year’s report, but they are just guesses.)

All three of the 2025 MAs were fully approved by the IC. In two of the three, the authorities that were sought were unchanged from those approved in the previous year. This includes CSE-2025-02, where a proposed class of activities that was not approved in 2024 was not requested in 2025. In the 2024 case, the IC rejected that part of the MA on the grounds that the support activities in question pertained not just to the activities covered by that MA, but also to activities covered by other MAs, which the IC concluded was not compatible with the CSE Act’s provisions concerning MAs.
 
Those other activities now seem to have appeared in the third foreign intelligence MA, CSE-2025-05, which is the only one of the three for which any new authorities were sought in 2025. In the redacted words of the IC’s decision, the authorization sought “new authorities to conduct [Activity A] in support of [a specific type of activities].” 

Yes, this really is the kind of information we have to work with here.

I’m fairly certain that CSE-2025-05 is the MA that covers CSE’s computer network exploitation (CNE) activities, so – to make a wild guess – the support activities in question might be something like developing new metadata analysis techniques to help CSE find and exploit targets for CNE operations. Much of the metadata that CSE obtains is collected by the interception of Internet and telephone traffic carried by large telecommunications providers, which likely falls under one of the other MAs (CSE-2025-02), so it doesn’t seem impossible that CSE would originally have attempted to authorize metadata analysis activities solely under that other MA.

That said, metadata analysis has been around for decades, so if this case really does have something to do with that, the new authorities that were sought must involve something other than the usual garden-variety techniques. Maybe the new stuff involves the use of AI systems to do it? Who knows. Whatever the actual subject of this additional authority was, what we can say for sure is that the Minister’s authorization of it was approved by the IC.


FEDERAL CYBERSECURITY MAs

As in previous years, one MA was issued to cover all CSE Cyber Centre activities on federal government infrastructures. This MA was fully approved by the IC in decision CSE-2025-03.

There’s not a lot that needs to be added here. The IC does make the rather disconcerting comment that the “number of malicious events detected on federal systems from May 2024 to October 2024... has nearly tripled since the 2023-24 authorization.” But he then goes on to note that this jump was due to a number of factors, including an increase in scanning activity and the use of new analytics by CSE. This somewhat reassuring interpretation seems to be borne out by CSE’s own 2024-2025 annual report, which reported a modest 17% increase in “cyber security incidents” across the Government of Canada and Canadian critical infrastructure in 2024-25 as compared to 2023-24, with most of that growth occurring in the critical infrastructure systems.


NON-FEDERAL CYBERSECURITY MAs

There were five non-federal cybersecurity MAs issued in 2025, all of which were fully approved by the IC. This was a big jump from 2024’s three authorizations, which were themselves an increase from the one to two issued per year in earlier years. However, one of the 2025 MAs was an in-year renewal of the same authorization. No dates were released concerning those two authorizations, but it is likely the first was approved around January 2025 and its renewal was approved around December 2025. Thus, there were at most four non-federal cybersecurity MAs, representing four discrete sets of activities, in effect at any time during the year.

CSE-2025-01 was the MA probably approved in January 2025, and CSE-2025-09 was its December-ish replacement. Unlike the three other non-federal cybersecurity MAs approved during the year, all of which renewed MAs from 2024, CSE-2025-01 and its replacement concerned a brand new set of cybersecurity activities, in all probability extending CSE’s cybersecurity services to another province.

Of course, they don’t tell us which province. For fun, I’ll throw a name out there: New Brunswick. But it could be any of them. (Or at least most of them: I really doubt any Quebec government would be willing to live with the optics of letting the federal government monitor its electronic communications and IT systems, whatever the safeguards, and the idiots who run Alberta are far too committed to being idiots to ever contemplate such a step on its merits. Meanwhile, British Columbia, if my guess is correct, is already on board, having signed on with CSE in 2024.)

Interestingly, whoever signed on this time, it was done purely as a proactive step. “CSE assesses that every Canadian province and territory has likely been targeted by cyber actors,” the IC’s decision noted, but the request for CSE’s support was not a response to a “known compromise or specific threat.”

Continuing with the provincial government theme, let’s look at CSE-2025-07 next. This is the decision that renewed support to the mystery province or provinces that first signed on with CSE in 2024 – or at least to the entities that I think correspond to one or more provinces, with my own guess being multiple agencies of a single province, quite possibly those of British Columbia (e.g., the BC government and maybe a provincial crown corporation such as the BC Hydro and Power Authority).

The renewed MA makes it clear that two entities are covered by these authorizations, and it also reports that at the time of the renewal CSE was still waiting to deploy its systems on the network of one of those entities. But their actual identities are still withheld. One thing we do learn, however, is that while this was originally a reactive MA, responding to an actual compromise or set of compromises, it too has now taken on a more proactive and thus likely more permanent character.

Next up is CSE-2025-08, approved on 5 November 2025. This decision renewed CSE’s cybersecurity support to the governments of the Northwest Territories (NWT), Nunavut and Yukon and added some extra, unidentified activities for NWT. The names of these clients are not redacted, as CSE publicly acknowledged their identities in 2024. This too is now a proactive program that is likely to remain in place for the foreseeable future.

The one other non-federal cybersecurity MA of 2025 was CSE-2025-06, which was approved on 2 July 2025. Unlike the others, this MA involves non-governmental entities. When it first appeared in 2021 the authorization involved only one company and seems to have been intended as a short-term, reactive response to specific issues being experienced at that time. By the time the 4th iteration of the MA was approved in 2024, however, the IC openly questioned “whether commercially available safeguards will ever be sufficient on their own. While [2023]’s authorization recognized that there would be an eventual cessation of CSE’s cybersecurity activities on the non-federal entity’s system – at the time expected in 2024 – this year’s record does not indicate when the outstanding recommendations might be completed, or suggest that once the recommendations are fully implemented, CSE’s presence will no longer be required.”

The 2025 MA adds two new entities (“Entity B” and “Entity C”) to the client list, and there no longer appears to be any anticipated end to the need for CSE’s services. I have long speculated that this series of MAs may pertain to a telecommunications company such as Bell, and the addition of the two new clients in 2025 seems to me to add weight to that theory. In June 2025, CSE announced that it was “aware of malicious cyber activities currently targeting Canadian telecommunications companies. The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon.” Network devices operated by at least one company were found to be compromised in February 2025. This sounds like just the sort of thing that would need the assistance of our national cybersecurity agency to remediate, so the only remaining question, as I see it, is whether that assistance was of the kind that requires an MA. It seems likely to me that it would, but what do I know.

Assuming an MA was sought, the company that was found to have the compromises, later reported by the media to have been Rogers, seems like a strong candidate for Entity B. As for Entity C, the IC’s decision identifies it as an entity “within [Entity B’s] network”. This might be Rogers’ subsidiary Fido. The decision also notes that there are additional entities within Entity B’s network, and that CSE will inform the Minister and subsequently the IC if it receives and decides to accept requests to provide services to some of those entities as well. Whoever the companies are, and whatever industry they belong to, it seems clear that this MA, like the three provincial/territorial MAs issued this year, is likely to continue being renewed for some time into the future.


ASSORTED OTHER COMMENTS

Informed consent?

In 2024 the IC suggested to CSE that individuals who communicate with federal government agencies by e-mail or a chat-based application should be informed that such communications are processed for cybersecurity and information assurance purposes. In decision CSE-2025-03, he reported that “CSE has endeavoured to assess the feasibility of providing notice to external users [i.e., the general public], which in my view would be valuable.” 

The Commissioner has also pressed CSE to address user consent with respect to activities on non-federal systems:

“25. In Decision CSE-2024-06, I explained that information in which there is a reasonable expectation of privacy shared on a non-federal entity’s system could eventually be retained by CSE for cybersecurity purposes. Consequently, issues relating to the consent of persons whose information may be acquired should remain central and be reflected in cybersecurity authorizations. In CSE 2024-07, I added that confirmation from the non-federal entities regarding their legal authority to collect and use the information for cybersecurity purposes may include elements related to the consent of users of the systems belonging to the non-federal entities. Further, in CSE-2025-01, I indicated that it would be useful for the confirmation to include an overview about the measures taken by the non-federal entity to provide notice to, and obtain consent from, the users of its systems that their information may be collected and used for cybersecurity purposes.”

“26. In this Authorization, CSE has undertaken to recommend to the non-federal entities to ensure that their login notices indicate to users that information contained or shared on the entities’ devices and networks can be used for cybersecurity purposes. This includes personal information and private communications that may be incidentally acquired and could be used, analysed, retained or disclosed. I expect CSE to inform the Minister and myself of developments related to this recommendation.” (CSE-2025-06)

Whether anything will come of these recommendations remains to be seen, but it seems like a valid issue for the IC to pursue, and who knows, it might even help us to crack the wall of secrecy around CSE’s assistance to any entity that isn’t a territorial government. It’s pretty hard to claim user consent when even the slightest knowledge of the activities supposedly consented to is deliberately withheld from those users.


Need the information

Even the Intelligence Commissioner has trouble getting information he needs, although the agencies don’t seem to be the main problem there. This year’s report makes a point of highlighting the value that appropriate access to Cabinet confidences would have for the job the IC is expected to do:

“The IC Act currently does not entitle the IC to receive Cabinet confidences, even when this information may have been relied upon by a minister when issuing an authorization. In past decisions, the IC has noted that providing him with access to documents subject to Cabinet confidence – even in redacted form – should be considered in future applications. Without access to documents the minister has relied on to issue an authorization, the IC cannot fully assess whether the minister’s conclusions are reasonable.

“Public inquiries into national security matters have demonstrated that Cabinet confidences can be effectively disclosed in a limited way without compromising their essential purpose. The IC already receives some documents related to Canada’s intelligence priorities, and Public Safety Canada has recognized that additional documents relating to them could help better contextualize CSIS’ duties and functions. The IC has welcomed the initiative, as expanding access would help strengthen the oversight process without intruding on core Cabinet confidences important to our system of government.”

The IC also noted in his report that CSE’s 2025 MA applications had relied on an October 2024 Federal Court ruling as justification for policies related to the use of communications protected by solicitor-client privilege, but the IC was not able to read that ruling until March 2025 when it was made public in redacted form. It seems just a bit crazy to give the IC access to reams of Top Secret compartmented information to enable him to perform an important quasi-judicial role and then deny him timely and complete access to judicial rulings relevant to that role.



Bill C-8: The IC calls for oversight

Commissioner Noël continues to argue for the addition of an oversight mechanism in Bill C-8, which is designed to provide greater control over cybersecurity practices in certain federally regulated critical infrastructure sectors, pointing to “specific provisions that could allow [CSE] access to information in which there is a reasonable expectation of privacy, without corresponding independent oversight.”

“To address this gap, the IC proposed an annual ministerial authorization establishing a framework for how CSE uses, analyzes, retains, and discloses such information as a mechanism to strengthen oversight and public confidence by ensuring regular, structured accountability.”

The IC also took this position with Bill C-26, the original version of the bill, which died when Parliament was prorogued in early 2025.

The House of Commons has declined to act on the IC’s recommendations, but the bill is now working its way through the Standing Senate Committee on National Security, Defence and Veterans Affairs. The IC testified to the committee on 4 May 2026. Several senators expressed interest in the IC’s recommendation, but it remains to be seen whether the committee will put forward an amendment to provide for IC oversight. 


A transparency win

One bright spot in the information picture is that the IC is no longer being forced to redact the length of time – 12 months – that CSE is permitted to retain unassessed data. This admittedly minor advance in transparency seems to have been made in the latter half of 2025, with the result that the retention period was redacted from three of the cybersecurity decisions but not from the three remaining ones. No explanation has been provided for this change, but I’d like to think it’s because I pointed out in July 2025 that the retention period had already been revealed in parliamentary testimony. Whether deserved or not, I’m going to do a little victory dance over that. 


OK, let’s talk CSIS

The one MA that the IC did not fully approve in 2025 was the one that covers acts and omissions by CSIS:

“In Decision CSIS-2025-01, the IC did not approve the Minister’s authorization of a new class of acts or omissions – the only instance of non-approval in 2025. He did however approve the other eight classes in the authorization, which were the same as classes that had been approved in previous years. The IC found that the Minister’s conclusions did not explain how certain otherwise illegal acts that appeared to be included in the proposed new class would comply with the restrictions in the CSIS Act, which specify the types of acts that can never be justified. Equally important for the IC, the conclusions did not consider the potential impact of those acts on Canadian fundamental institutions such as academia, the free press, and democratic institutions.”

Now, that may sound pretty vague. But if you go to the decision itself... you will of course find that all the key details are redacted there too. Still, there are some clues.

Apparently the IC was concerned that certain of the acts or omissions in the new class, if pushed far enough, might rise to the level of inflicting bodily harm or, in other cases, perverting the course of justice, both of which are forbidden by the CSIS Act. Also, as he mentioned in the annual report, the IC felt further consideration of potential impacts on fundamental institutions such as academia, the free press, and democratic institutions was needed.



What specifically did CSIS have in mind? Your guesses are as good as mine, or quite possibly better, but it occurs to me that hate crimes or arson attacks committed to establish one’s bona fides when infiltrating an extremist group might be one category of such acts.

The Commissioner also expressed concern about a novel interpretation by the Department of Public Safety and CSIS of the CSIS Act's provision that prohibits acts or omissions that could infringe rights or freedoms guaranteed by the Charter of Rights and Freedoms.

“85. This proposed interpretation and issues raised in Public Safety’s memorandum are novel. In no previous record have CSIS, Public Safety or the Minister referenced interpreting “infringe” in subsection 20.1(22) to mean that Charter rights could be justifiably limited. By contrast, in Decision CSIS-2023-07, I observed that a CSIS Memorandum to the Minister advanced a seemingly expansive view of the prohibition on infringing a Charter right by concluding that subsection 20.1(22) would by design exclude all offences under [a specific provision of an act of Parliament].

“86. Not only is the proposed interpretation novel, it is also significant. The interpretation raises whether constitutional rights can be limited. The Minister must have a full understanding of the limits of the class. In this instance, the issue is only summarily included in a record and subsequently not addressed in the Minister’s conclusions.

[Two paragraphs skipped by me.]

“89. I accept that legal positions may change, including regarding how legislative provisions are interpreted. However, to determine whether the Minister’s conclusions incorporating a new legal position were reasonable, the change would need to be fully addressed and supported in the record. Given the absence of any consideration of the issue by the Minister in his conclusions, I approved again this year Classes 1 to 8 with the understanding that the activities cannot limit rights or freedoms under the Charter. For greater certainty, I read the Authorization as providing that no infringements or limitations to Charter rights are permitted by it, even if these infringements or limitations were ultimately justifiable pursuant to the Charter.” 

In decision CSE-2025-05, the IC noted that this interpretation issue was potentially applicable to CSE as well. The IC urged the two agencies and the Department of Justice to develop a common approach to the issue and to address it in future authorizations.

Something to watch.


