Below is a copy of the contents of the following Government of Canada webpage as it appeared on May 8, 2012: http://www.publicsafety.gc.ca/abt/wwa/igcsis/cert2008-eng.aspx.

Click here to return to the menu of the Archive of CSIS Inspector General Annual Certificate reports.

---

Submitted to the Minister of Public Safety pursuant to Subsection 33(2) of the Canadian Security Intelligence Service Act

Note: This is the text of the Inspector General of the Canadian Security Intelligence Service’s 2008 Certificate made public in April 2009 pursuant to a request under Canada’s Access to Information Act.
(The 2008 Certificate was classified TOP SECRET when submitted to the Minister of Public Safety in November 2008.  The symbol [—] represents classified information removed from the document.)

Introduction

Section 33 (2) of the Canadian Security Intelligence Service Act (CSIS Act) requires that I submit to you a Certificate stating the extent to which I am satisfied with the Director’s Annual Report.  It also requires that I state whether, in my opinion, the Service has done anything in the course of its operational activities, in the time period covered by the Annual Report, which is not authorized by the Act, has contravened any Ministerial Directions, or has involved the unreasonable or unnecessary use of its powers.  The mandate and functions of the Inspector General are described in an appendix to this Certificate.

This is my fifth Certificate that I am submitting since my appointment in 2003.  It is, however, my first Certificate for you as Minister, and so I believe that some initial background information for you may be helpful.

The Office of the Inspector General was created, in large part, to provide independent assurance to the Minister to support Ministerial responsibility for CSIS. The Inspector General serves no other master, neither political nor bureaucratic, than the Minister of Public Safety. The specific form this service takes is in the carrying out of internal, and at the same time, independent reviews of CSIS for you. The internal dimension means that there is a direct reporting relationship to you, similar to that between you and other public office holders in your portfolio. Consequently, the Inspector General works in concert with, not in opposition to, the Director of CSIS. This also means that the Inspector General can be directly tasked by you to carry out reviews or studies of CSIS and this authority was engaged during the past year with respect to an examination of a CSIS managerial review. The independent facet of the Inspector General’s function means that the Inspector General’s judgements or review results are not subject to direction or control by CSIS, your Deputy Minister, SIRC, or even, with all due respect, you as Minister. It also means that great care is taken to ensure that the Inspector General is in no way part of the decision making process affecting such matters as targets, warrants, and section 16 requests for assistance. When the Inspector General or her staff reviews something, it is de novo, for the first time without any stake in how the matter was initially decided. The independence of the work is what lends to the office value and credibility for you, as Minister, in what is submitted and reported to you.

To provide you with this independent perspective and assurance about the work of CSIS, my office undertakes a variety of review activities, which I will report on in more detail in the following pages.

In keeping with my established approach, I have sought and obtained briefings on several matters from the senior executive at CSIS Headquarters and the associated operational branches and have undertaken and completed one-day visits to all regions of CSIS, in order to meet with regional management and select investigators.   Some of these meetings were held in district offices, notably in Atlantic and Toronto this year, where I visited CSIS District Offices in Fredericton [—]. These visits provide me the valuable opportunity for first hand discussions with front-line managers and staff and, in my support role for your Ministerial responsibility, a very clear window into the daily operational work of employees of the Service, their environment, and the challenges that they face. This component of my work also provides me with an avenue to pursue my efforts on your behalf to continue to strengthen an organizational culture of compliance within the Service, which I view as an important dimension of my work.

Similar to last year, I noted the continuing challenge of the changing demographic with increased retirements [—]. Funding decisions by the government are showing a positive impact at the regional level and senior managers in the regions are integrating these new resources into their operations with an approach that is considered, forward looking and reflective of regional-specific challenges. Advances and increased sophistication in technology […].  This point was underscored in the Director’s Annual Report expressing the limitations on the Service’s capacity in the absence of related legislative provisions.

This year, I also met with members of the CSIS Audit Committee. This Committee was established by the Director under the Treasury Board Policy on Internal Audits. It is comprised of members who do not occupy a position within the federal public administration and is designed to provide the Director with objective advice and review of the Service’s spending control and accountability processes. The meeting was intended to ensure that the Committee members understood my role in support of you and provided me with the opportunity to gain insight into their planned activities.

As in previous years, I have maintained an active interest in staying abreast of international developments in part by maintaining contacts and consulting the larger intelligence review community.  In October, I attended the International Intelligence Review Agencies Conference in Auckland, New Zealand.  I was invited to participate in a panel on “Should particular aspects of agencies’ activities have priority in oversight”.  The conference afforded me the opportunity to meet other Inspectors General and a wide range of senior officeholders and Parliamentarians in the intelligence review community from the five eyes community, the United States, the United Kingdom, Australia and New Zealand, and other allies including Belgium, Poland and South Africa.  The oversight mechanism of an Inspector General and a Committee of Parliamentarians is a widely used model, in varied configurations, across many jurisdictions, i.e. Australia, New Zealand, South Africa. [—] indicated that they are looking at the possibility of creating an Inspector General as it seems to have served Canada and others very well.

In addition, I met this year with a representative from the Australian Intelligence Community who was in Ottawa.  Also, while conducting a review of the CSIS Foreign Office (FO) [—] I met with [—] with whom I discussed, generally, intelligence liaison with [—] and the threat environment in the region.

As always, I wish to note that I place the utmost importance on maintaining a healthy working relationship with CSIS, at all levels of contact, while at the same time making clear and respecting our separate and distinct roles in the national security system. We both share the mutual objective of working to continuously improve the effectiveness of CSIS operations while enhancing democratic accountability.  I can state as last year, without reservation, that is what both parties have strived to do during this period of reporting.

Certification

Minister, let me begin by stating the following:

In respect of all the reports and information that I, and my Office, have obtained and reviewed and of all the discussions held, and subject to the concerns raised below, I am as satisfied as I can be with the Director’s Annual Report to you on the Service’s operational activities for the period 2007-2008. In that respect, it is my opinion that the Service has not acted beyond the framework of its statutory authority, has not contravened any Ministerial Directions, and has not exercised its powers unreasonably or unnecessarily.

In order to ensure that every statement in the Director’s section 33 (1) Report is fully supported and documented, my office reviews all the pertinent information and intelligence collected and retained by the Service.  At a minimum, this involves the ‘facting’ intelligence reports on which each statement in the report is based.  This baseline is supplemented by exchanges of questions and answers in writing, by discussions, briefings and interviews.  The extent of the Inspector General’s satisfaction, as set out in the Certificate, is based on this comprehensive process of validation.

My Certification process is based not only on the Director’s Report dated August 14 2008, submitted to your predecessor, but also on reviews of CSIS operational activities and monitoring of compliance with CSIS operational policy conducted during the annual reporting period.  This year, the following reviews were completed:

1.  Reviews of a sample of warrants and targets as well as of human source case management
2.  Review of the Ottawa Region
3.  Review of a Foreign Office [—]
4.  Review of the Front End Screening Program
5.  Review of the Investigation [—]
6.  Review of the Investigation [—]
7.  Review of [—]
8.  Review of Foreign Intelligence Collection.

In addition to these reviews my office conducted a Special Review: [—].  This review was conducted at your predecessor’s request.

I also received a number of comprehensive briefings during the past year, including

1.  Revised Warrant Application and Targeting Process
2.  Use of the Internet [—]
3.  Use of the Internet [—]
4.  Special Events Program, [—]
5.  Policy Development Process
6.  Liaison Officer/Secondee Program
7. [—]
8. [—]

All these activities contribute to my ability to offer you, with some degree of confidence, the assurances that you require to support your accountability for CSIS.

General comments

With respect to the Director’s Report, I have determined that it complies with section 33 (1) of the CSIS Act and with Ministerial Directions reporting requirements. While I have determined that the report does meet these requirements, my office identified one numerical discrepancy.  I have informed the Director of this discrepancy.

As Inspector General, I am also responsible pursuant to the CSIS Act for identifying areas where operational activity has not been in compliance with the operational policies of the Service and for reviewing the operational activities of the Service.  As noted above, each year the office completes a number of reviews of Service operational activities. These reviews most often overlap the Director’s reporting period by a few months, but to ensure my Office does not interfere with ongoing operations, the review period does not equate exactly with the fiscal year to which the Director is reporting.  The results of these reviews are shared with CSIS and action, in most instances, is taken by the Service to correct errors with the objective of strengthening compliance with operational policy.

I define non-compliance as a non-adherence to the rules, procedures, principles and guidelines set out in operational policy, without any qualification as to the degree of significance of such non-compliance.  While some instances are termed administrative or clerical errors by some individuals to minimize their import, this is an overly simplistic approach. It is evident to me that errors such as these can lead to, and have led to, significant or substantive issues with ensuing negative impacts. In addition, the significance or impact of any given act of non-compliance often can only be assessed at some point in the future after subsequent developments. For this reason, I judge that it is far more appropriate to report all cases of non-compliance to operational policy without importing any pre-judgments as to importance.  I have determined that it is through this approach that I am best able to support your Ministerial responsibility for CSIS.

Areas of concern

The reviews conducted by my office this year have identified a larger number of instances of non-compliance with CSIS operational policy than noted in my four previous Certificates and also a higher level of errors in CSIS records. I can offer you no quantifiable explanation for the year over year increase. [—] Whatever the explanation, these increases in numbers each year do exist and are a concern that merits attention.

These instances of non-compliance and errors cannot be isolated to one program or one set of processes. They do appear, however, in key core activities of the Service [—].

I am also quite troubled this year that there were instances, which I will describe in greater detail below, where I was unable to verify compliance as no documentation could be produced to allow for validation.

A third area of concern that you should be aware of is the length of time taken to develop or amend operational policies to reflect changing requirements and operational activities of the Service.  This issue is apparent in a number of areas but most evident and arguably most urgent in the area [—]. As I have expressed in my previous Certificates, I view a sound, up-to-date operational policy framework as essential to the functioning of the Service, given the strategic focus of Ministerial Directions and the requirement placed on the Service executive to provide specific instructions to staff to guide operations.  This is even more critical in light of the changing nature of [—] in response to the actual threat environment and in view of [—]. Without an established policy framework to offer guidance, actions can be taken with the best of intentions that ultimately may have far reaching results and possibly negative consequences. As we have seen from the recent Commissions of Inquiry, the impact of actions is not always evident until some time has passed.

Director’s Annual Report 2007-2008

As I have noted, my office completes a thorough validation of the Director’s Report to you.  While one numerical discrepancy was identified, and this error was communicated to the Director, no material errors were identified and the Report satisfies the requirements of the CSIS Act and Ministerial Direction.

On August 11, 2008, the Director wrote to me with a Compliance Statement for 2007-2008 in which he identified five cases where employees were found to be in non-compliance, none of which, though, were determined to require investigation further to section 20 of the CSIS Act.  This letter itself is based on annual statements submitted by Headquarters Branches and Regional Offices and is a component of the CSIS internal accountability process.  I am satisfied that the Service has taken the appropriate measures in each case.

[—] The program has produced positive results for the investments made. [—] For this reason, I am concerned with some of the findings of my office through our review of the program. In addition, the Director, in his August 11, 2008 letter to me, identified an issue of non-compliance  in the [—].  I will speak more to the issue of date errors under Information Management, suffice to say now accuracy in reporting is critical and essential.

[—] is subject to an accountability framework established in operational policy.  This past year, our reviews identified two instances of [—]. In one instance [—] while in the other we were informed that verbal authority for [—] had been given. In the absence of any documentation, there was no way to validate this authority.  Acting on verbal authorities undermines the policy rationale in place and can lead to misunderstandings.  While somewhat different but exemplifying the potential for misunderstanding, a case of non-compliance was identified in the Director’s Compliance Statement for 2007-2008 [—] it is essential that appropriate levels of approval are obtained and clearly documented.

Similar issues arose with Service activities [—].Our review this year identified two [—]. Given the operational policy flexibility granted [—] it is easier to explain these cases, however, I would reiterate as I did last year the urgency for the Service to amend [—].

Warrant Acquisition and Execution Process

A review of CSIS execution of warrant powers noted one case of non-compliance with operational policy.  I do wish to note that the operational policy has been amended since last year and the level of compliance in this area has improved significantly.

With regard to acquisition of warrants there were no compliance issues but the rate of errors continues to be disconcerting.

In my 2007 Certificate I noted my concern with the [—].  In 2005, the Federal Court dismissed an application for a warrant that had been duly approved by the Minister.  The reason for this dismissal related to the Service’s failure to disclose full, fair and accurate information.  As I noted last year, [—].

This year, [—]. These errors have been highlighted to the Service and CSIS executive recognizes the requirement for complete factual accuracy in representations to the Court. CSIS has committed to inform the Federal Court of these errors and steps taken in response.

Following the Court’s dismissal of the 2005 application, the Director made a commitment to review the Warrant Process and this review was completed in 2006. As a result of this review initiated by the Director, the Service implemented a new process for warrant applications in July 2007. The implementation of the new process fell outside the review period established in our review of warrants this year. More recently, in response to the errors identified through the work of this office, the Service undertook to implement additional quality control measures in the process and to enhance training for affiants and analysts to better ensure accuracy in warrant applications.

This is an area that merits close monitoring for you during the coming year given the intrusive investigative authorities provided by warrants and the implications of these authorities on the civil liberties and privacy interests of individuals.

Validation of Compliance

This past year, during the reviews conducted by the office, occasions arose where it was impossible to validate whether certain authorities had been delegated or that appropriate measures had been taken, as documentation was not available or had not been created (i.e. decisions reported to have been taken verbally). As a review body, documentation is required to validate compliance.  In the absence of such documentation, I can only provide you with negative assurances.

One instance of this occurred as a result of my examination of the [—] which was a Special Review requested by your predecessor.  In this case, the Service could not provide documentation from which to conclude that the Minister of the day had been informed, either in writing or verbally, of [—].

A second instance identified through our review work involved [—].  In this situation, [—] a matter of public controversy. In instances such as this, the Minister should be informed. The Service assured my office that the Director had briefed the Minister verbally, however, no written briefing materials or other documentation could be provided to validate this fact.

A third instance involved situations where there was apparently a verbal delegation of authority.  In one case, [—]. In the second case, my office was informed that […]. While this may well have occurred, written delegation of authority which could be validated would provide stronger accountability measures as it would provide a record for future reference if required.

While I have no reason to question these statements, in the absence of an electronic or hard copy record, I cannot confirm compliance with policy. This is not only an issue for me in terms of being in a position to expressly indicate to you, as Minister, that the Service did comply with some operational policy or direction, but it should also be an issue for Service personnel as it would provide documented proof that an activity was undertaken with authority and in line with policy.

Information Management

The life-blood of a security intelligence organization is information and for this reason our review work looks at how information is managed by the Service.  Information management has many facets; accuracy in recording the information collected, how the information is retained and stored, how easily it is retrieved, who it is shared with and under what conditions. In my Certificates for the past two years, I shared my concerns about information handling by the Service. I must report that the matter of information management by the Service, and the accuracy of information, continue to be a significant area of concern.

As I have noted [—] accuracy of reporting persists as an issue, whether it is something as simple as inaccurate dates, which were identified in a number of reviews by my office regarding [—] or more substantive inaccuracies such as those I described in the [—]. When these errors are identified, the Service responds by making corrections; however, given the number of errors identified, there is clearly a need for greater vigilance by officers and supervisors or better training for staff, or perhaps both.

Records Tracking Codes are used to track operational information exchanged between CSIS and external organizations both domestic and foreign. Service personnel who disclose or receive information and intelligence are responsible for recording and tracking their exchanges in operational reports. Reviews by my office this year identified a very high number of reports regarding exchanges of information which did not include tracking codes. A significant number of these were identified in my office’s review of the Foreign Office in [—]. The Service recognizes the value of tracking codes and made the required corrections when the errors were identified. The Service has indicated also that a modification is being considered for their [—] reporting system which would make the Records Tracking Code field a mandatory field thereby minimizing the possibility of inadvertently forgetting to complete the field. I would encourage the Service to take this action.  It is hoped that future reporting to you will be more positive on this issue.

In my Certificate last year, I discussed issues with the use of the [—] system at the [—] Office.  The [—] is a correspondence and activity management/tracking tool used by CSIS Foreign Offices to log all [—] activities undertaken by the Foreign Officer (FO). The FO is responsible for sending all [—] entries to CSIS Headquarters on a monthly basis to be placed on the Headquarters’ [—] database.  The [—] system is considered by the Service to be a corporate record and to this extent should be accurate. During our review of the [—] Office, a comparison was made of the entries at the Foreign Office with those held in the Headquarters’ database.  A significant variance in the number of entries was noted. The Service did correct this variance but was unable to explain the reason for the occurrence other than to indicate that possibly it was a result of human error.  Given the current system in place, it is also impossible to determine whether variances exist between other Foreign Offices and Headquarters.  I understand that this system is a tracking system [—] but all the same, it is a corporate record and without identifying the cause, it is impossible to prevent this situation from reoccurring. I have been informed that changes are being planned which would improve the system (i.e. [—] at Foreign Offices and transferring responsibility for the system to the [—]. Given the importance being placed on [—] activities, the [—] and the increased foreign posture, it is important that steps be taken to ensure that the information contained in this corporate system is reliable.

Gaps in policy framework

As I expressed in my two previous Certificates, a matter of increasing concern and potential vulnerability for CSIS is the extent of delays in developing, updating and implementing operational policy. As I noted, policy is one of the cornerstones to governance of the activities of CSIS.  It provides the framework within which both staff and management conduct operational work and establishes the standard for measuring compliance. As the threat environment changes and CSIS activities enter new and more challenging situations, it is essential that the policy framework accurately reflects the requirements of this work and provides current and relevant direction to staff.

While some policy issues have been addressed this past year, others which I consider to be of critical importance remain outstanding.

[—] I raised this issue last year and I must raise it again. [—] but policy changes have not kept pace. [—] Several aspects of this policy are incompatible and unworkable for [—]. I was informed two years ago that [—] was being revised to address these gaps but to date it has not been finalized.

A second policy gap concerns [—].  Service policy has not kept pace with changes to [—].  I have previously reported on the absence of policy on [—] reporting. These reports were designed as a means for timely dissemination of CSIS information in response to Government intelligence requirements.  Direction on this line of intelligence products, which are now called [—] continues to be absent from operational policy.  With respect to the [—] I understand that operational policy is in the process of being amended to reflect changes made to the process in 2007.

From the review work of my Office this year, I have also come to the conclusion that policy gaps exist in the area of [—] areas which are subject to Ministerial Direction.  More detailed operational policy in this area would provide greater assurances that Ministerial Directions are being implemented as intended.  First, a clear definition of what activities constitute [—] does not exist in CSIS operational policy. By way of example, [—]. A case such as this one, in the absence of a clear definition, when viewed by a third party leaves room for interpretation and perhaps even the perception of by-passing required levels of approval.

Second, Ministerial Direction speaks to [—]. Service policy in these areas is inadequate.  Given the potential implication of both these activities, first in terms of public controversy and [—] should something go awry, and second in terms of providing direction to Service personnel, a clear policy foundation is required.

Collection of Foreign Intelligence

This past year, my office conducted a review of foreign intelligence collection by the Service. This review was similar to one completed in 2005-2006.  While not the primary mandate of the Service, this is an important operational activity for the Service and for the Government of Canada.  As you are aware, section 16 of the CSIS Act requires the Service to limit its collection of foreign intelligence to within Canada, as distinct from security intelligence which can be collected anywhere.  In my review this year, as with my previous review, I have found nothing to confirm that the Service has not complied with this geographical limitation imposed by the Act.  In my 2006 Certificate, I expressed the view that this geographic limitation is not as constraining as it would seem and I continue to hold this view.  Despite this substantial mandate overlap in some areas, there still exists some collection requirements that are strictly section 16 foreign intelligence, with little or no overlap with section 12 investigations.  These are the areas most visibly constrained by the section 16 geographic restrictions.

[—]

Conclusions

As I complete my fifth year in office as Inspector General, I can assure you, Minister, with some degree of confidence, that I believe CSIS exercises its duties and functions within the legislatively provided framework of authority in a professional and effective manner.  The experience of five years in office has given me an appreciation of the scope of investigative efforts and the diversity of operations and the challenges they present. I continue to be impressed by the calibre of employees, their dedication and their commitment to serving Canada and Canadians.  In addition, the new generation of employees are very representative of the demographic and geographic diversity of Canada.

That being said, even good employees, with the best of intentions, trying to do the right things, sometimes make mistakes and all organizations, as they continue to grow and change can benefit from independent assessment, review and observations. I believe this office fulfills that role in providing an independent source of support for your Ministerial responsibility for CSIS.  I am confident that the observations of this office have and do provide a practical and useful guide to the Service as it continues on its agenda of change and growth to respond to the increasing demand for intelligence in an ever changing world.

I do wish to reiterate that the observations and concerns raised in this Certificate are not presented in any way to detract from the good work performed by CSIS employees. They are offered rather in the spirit of a constructive partnership as a contribution to the continuous improvement of CSIS as a highly professional and effective security intelligence service and to support you and assist you in your role as Minister responsible for CSIS.