The Communications Security Establishment (CSE): Controversies and Abuses Related to the Collection and Use of Information

Claudiu Popa

* An article from the doctoral thesis (with adaptations) : Claudiu POPA,  Evidence Collection and State Investigation in the Era of the "Police, Intelligence Services, Private Corporations" Ecosystem. In search of the Protection of Fundamental Human Rights, doctoral thesis, Faculty of Law of the University of Sherbrooke and Faculty of Law and Political Science of the University of Bordeaux, 2024.

The Communications Security Establishment (CSE) is perhaps Canada's least-known spy agency. However, some of its activities have been just as controversial as those of its sibling, the Canadian Security Intelligence Service (CSIS).

Currently, the head of the Communications Security Establishment (CSE) is Caroline Xavier (left). Source : Government of Canada.  On the right is Ms. Xavier's political superior, Minister of National Defence and Liberal Party of Canada MP David McGuinty. Source : Government of Canada.

Some of these abuses perpetrated by the Communications Security Establishment (CSE) have been made public through the work of journalists or organizations responsible for monitoring post-factum CSE’s activities.

What is it about? Shadowy collaboration with foreign intelligence services to the detriment of Canadians, mass surveillance, including on a global scale, and so on. 

Collaboration with the NSA against the interests of Canadians

It has been revealed that "on several occasions the Communications Security Establishment (CSE) has pursued or participated in activities that violate or jeopardize the privacy rights of Canadians and non-Canadians both in Canada and abroad.

In a general study carried out by the Parliamentary Information and Research Service within the Legal and Social Affairs Division of the Parliament of Canada, it was mentioned that the Communications Security Establishment (CSE) had developed a process for developing cryptography (encryption key) standards[1] allowing to protect confidential data stored on the Internet, used worldwide by private companies, banks, governments and individuals[2]. However, it is considered that the Communications Security Establishment (CSE) allowed the NSA, the United States national security agency (affectionately called in the past ‘No Such Agency‘), to take control of the process and create a backdoor allowing it to access data otherwise protected by the encryption process[3]  :

‘Western allies, Canada included, have more than a passing acquaintance with IT supply chain infiltration. In 2006, for example, the United States National Security Agency (NSA) – with the possible knowledge of its Canadian counterpart, the Communications Security Establishment [[4]] – is reported to have paid a well-known U.S. cryptographic product vendor and the International Organization for Standardization to promote an encryption methodology containing a backdoor‘[5].

[On another occasion] in 2010, the Communications Security Establishment (CSE) endorsed a U.S. operation to monitor the communications of world leaders at the G20 Summit in Toronto[6] with the aim of ‘providing a negotiating advantage to the United States and supporting its political objectives‘[7]”[8]. 

Scrutinizing ‘millions of documents, including videos, shared online every day,‘ including personal photos, personal videos or professional documents of lawyers, journalists, activists, university professors

"Released documents also revealed other controversial practices of the Communications Security Establishment (CSE) in the mass surveillance of file-sharing sites of individuals on a global scale, including of Canadians, through the Levitation program  : starting in 2012, the Communications Security Establishment (CSE) was ‘scrutinizing millions of documents, including videos, shared online every day‘[9], including personal photos, personal videos or professional documents of lawyers, journalists, activists, university professors, etc.[10] , the agency having the ability to monitor ‘daily 10 to 15 million files shared from 102 free websites. The security agency particularly targeted the sharing sites Rapidshare, Sendspace and Megaupload. Of the 30 to 45 million documents analyzed each month, only 350 of them [were] worthy of interest‘[11], which is less than 0.0001% of the quantity of downloads collected and analyzed. In other words, the CST carried out a daily ‘fishing expedition‘ targeting millions of individuals, while having the ability to extract the metadata linked to a given file and use it to determine the correlative digital activity of the concerned user, going as far as being able to determine the identity and the digital behavior of the person uploading or downloading the file in question[12]”[13].

Collecting passenger information using airport Wi-Fi networks

"It was also revealed that, during two weeks in 2012, the Communications Security Establishment (CSE) collected information from passengers, both Canadian and non-Canadian, using airport Wi-Fi networks, allowing them to track their movements when they connected to public Wi-Fi networks, whether through their phones or laptops[14]. Then, the CSE ‘was able to track travelers for several days as soon as they entered the many places in the country with Wi-Fi networks, and even in American airports‘[15].

In 2013, the Communications Security Establishment Commissioner (CSE) found that a number of cases ‘suggested the possibility that Canadians were targeted by certain [CSE] activities, which is contrary to the law‘[16], with some files being either incomplete or unclear[17]. The number of Canadians affected by CSE surveillance actions remains unknown due to the deletion of correlative data from the CSE system[18]"[19].

Canada's Minister of National Defence essentially misled the Canadian public about CSE illegalities

In 2013, "then-Minister of National Defence Peter MacKay publicly assured his constituents that the CSE was not collecting their communications[20]. Ehen the minister was asked whether the Canadian government was spying on Canadians' phone calls and emails through its electronic surveillance program (similar to the American PRISM surveillance program)[21], he replied as follows:

‘This program is specifically prohibited from looking at the information of Canadians. This program is very much directed at activities outside the country, foreign threats, in fact. There is rigorous oversight. There is legislation in place that specifically dictates what can and cannot be examined.

[…] [according to the CSE Commissioner,] [CSE] activities were authorized and carried out in accordance with the law, ministerial requirements and CSEC’s policies and procedures'"[22].

However, despite these public claims, it was revealed that the same Minister MacKay had signed a Ministerial Directive in 2011 entitled Collection and Use of Metadata by the Communications Security Establishment[23] authorizing the revival of a secret interception program monitoring global telephone records and metadata related to online activities, including those of Canadians [24].

This program was initially launched in 2005[25], but was suspended between 2007 and 2008 by the CSE’s management[26] due to the existing risk of abuse in carrying out surveillance of Canadians without a warrant[27] resulting from a disagreement regarding the interpretation of the legislative provision[28] allowing the CSE to carry out such a surveillance and metadata collection program: ‘is CSE's (a) mandate the appropriate authority to conduct [redaction] in the context of a criminal or national security investigation of a Canadian in Canada?‘[29]. The Commissioner insisted on the interpretation of the provision and on the distinction between the CSE 's mandates, highlighting its importance because it ‘determines the legal requirements (ex., ministerial authorization vs. a court warrant) in cases where activities may be 'directed at' a Canadian‘[30]”[31].

"The CST may incidentally acquire personal information on Canadians," – is finally admitted to the Canadians

When it “collects foreign intelligence,

‘CSE may incidentally acquire personal information about Canadians. This information may be retained if assessed as essential to the understanding of the foreign intelligence, and it may be included in foreign intelligence reporting if it is suppressed […]. When receiving a subsequent request for disclosure of the full details of Canadian personal information, CSE requires its clients, including the RCMP, to justify their authority to collect this information under their own respective mandates and provide an operational justification of their need to know this information. If these conditions are met, CSE releases the information.‘[32].

It should be noted, however, that “[t]he legislative authority for CSEC to carry out its functions under the National Defence Act does not extend to the specific targeting of Canadian persons‘[33] and that the CSE may only do so ‘in the exercise of its assistance mandate when the assisted federal law enforcement or security agency is acting under lawful authority‘[34]. However, considering the CSE's expanded powers to collect intelligence (information), the secret nature of its missions, the confidentiality of the CSE's sources and its operational cooperation with the police services which allows for the transfer of intelligence from the CSE to the police services for the purposes of investigation and the judicialization of evidence, this transfer raises questions relating in particular to the risk of misuse of information obtained without a legal basis consistent with the prerogatives of each entity, as well as the fairness of the trial given the difficulties of examining the legality of the source of such evidence"[35].

Being “addicted” to sharing information

"With respect to the CSE 's collection of personal information on Canadians, the Communications Security Establishment Commissioner found ‘inconsistencies in requests and disclosures‘[36] [received by the CSE to which the CSE responded]. These types of inconsistencies, however, are not isolated cases. The National Security and Intelligence Review Agency (‘NSIRA‘) noted that, over a period of several years, between 2015 and 2019, the CSE received requests for disclosure of 3,708 pieces of information identifying Canadians[37], submitted by 15 national departments, following which the CSE disclosed 3,671, which represented a disclosure rate of 99%[38]. However, while the CSE accepted the operational justifications of these departments, the NSIRA considered that some of them were inadequate[39]  :

‘From the sample of all disclosures reviewed by NSIRA, we found 69% to be justified, 28% to be insufficiently justified to warrant the release of CII [Canadian identifying information] 2% that could not be evaluated, and 1% that CSE denied. Nevertheless, within this sample, CSE had approved these disclosure requests at a 99% rate‘[40].

The National Security and Intelligence Review Agency (NSIRA) also revealed that CSE disclosed personal information to their partners beyond what was initially requested, including names and other personal information of Canadians when its partner had only asked for the identity of a company[41] :

‘CSE also released additional personal information to clients beyond that which was requested and explained this to be a standard practice[42]. For example, NSIRA observed cases where CSE disclosed Canadians’ names and other personal information even when the recipient only asked CSE for a company’s identity. NSIRA observed other types of scenarios where CSE disclosed more identifiers than requested.‘[43]

In this regard, the National Security and Intelligence Review Office (NSIRA) concluded that the CSE :

‘has not sufficiently assessed the legal authorities invoked by its clients and recommended that CSE and these clients obtain legal advice from the Department of Justice to determine the extent of their legal authority to collect CII. NSIRA further found that CSE’s implementation of its CII disclosure regime may not have been in compliance with the Privacy Act framework and recommended that CSE cease disclosing CII to clients other than CSIS [Canadian Security Intelligence Service], RCMP [Royal Canadian Mounted Police], and CBSA [Canada Border Services Agency] until it addresses the findings and recommendations contained in NSIRA’s review‘[44].

"Court cases involving intelligence agencies, in connection with the collection and sharing of intelligence as well as the failure to disclose all essential evidence, or the submission of false statements in court, demonstrate questionable conduct by intelligence services that is already publicly and legally known, for which the current legal system cannot seek correction or can only sanction post factum"[45].  

Towards granting more powers to share information

"Despite the many controversies and rebukes for which there is no guarantee of cessation and which are likely to continue, the Special Senate Committee on Anti-terrorism recommended [in the 2010s] that the federal government amend the legislation governing national security agencies, such as the RCMP [Royal Canadian Mounted Police], the Department of Foreign Affairs and International Trade, the Canada Border Services Agency and the CSE , to ensure that these agencies share information with the National Security Advisor. The Committee also recommended the implementation of information-sharing mechanisms and memoranda of understanding with the private sector, provincial and territorial governments, as well as international partners[46]"[47].

Even in 2025, despite these problems, the Canadian government is still trying to pass bills that give more powers to collect and share information to intelligence services, such as the CSE and CSIS, notably through Bills C-2[48] and C-8[49] of 2025. To this end, the Canadian government acknowledged during ‘a technical briefing that the intent of certain provisions within Bill C-2 was to enable Canada to implement and ratify a new data-sharing treaty, known as the "Second Additional Protocol" to the Budapest Convention (‘2AP‘), and that other cross-border “co-operation” tools were foreseeable‘[50]. Bill C-2 “is being tabled at a time when it is widely known that the Canadian government has been in closed-door negotiations with the United States over a potential bilateral law enforcement data-sharing agreement between Canada and the United States under a piece of U.S. legislation called the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”)"[51].

*****

[1] Holly PORTEOUS, Cybersecurity : technical and policy challenges, Ottawa, Library of Parliament, 2018, p. 6.

[2] Christopher PARSONS et Tamir ISRALE, Canada’s Quiet History of Weakening Communications Encryption, Citizenlab.ca, August 11, 2015, online : <https://citizenlab.ca/2015/08/canadas-quiet-history-of-weakening-communications-encryption/>.

[3] H. PORTEOUS, Cybersécurité : défis techniques et stratégiques, supra, note 1, p. 6 and 18.

[4] Id., p. 18.

[5] Id., p. 6 et 18.

[6] Roch TASSÉ, « Révélations Snowden sur la NSA », (2014) 33-1 Droits et libertés 23, 26.

[7] Id., 28. See Greg WESTON, « New Snowden docs show U.S. spied during G20 in Toronto », Cbc.ca, November 27, 2013, online  : <https://www.cbc.ca/news/politics/new-snowden-docs-show-u-s-spied-during-g20-in-toronto-1.2442448>.

[8] Claudiu POPA,  Evidence Collection and State Investigation in the Era of the "Police, Intelligence Services, Private Corporations" Ecosystem. In search of the Protection of Fundamental Human Rights , doctoral thesis, Faculty of Law of the University of Sherbrooke and Faculty of Law and Political Science of the University of Bordeaux, 2024, p. 238 et 239.

[9] RADIO-CANADA, « Le Canada scrute des millions de fichiers partagés par les internautes », Ici.radio-canada.ca, 28 janvier 2015, en ligne : <https://ici.radio-canada.ca/nouvelle/704224/securite-canada-internet-surveillance-cst-fichiers-partage>; Dave SEGLINS, « CSE tracks millions of downloads daily : Snowden documents », Cbc.ca, January 27, 2015, online  : < https://www.cbc.ca/news/canada/cse-tracks-millions-of-downloads-daily-snowden-documents-1.2930120>.

[10] Dave SEGLINS, « CSE tracks millions of downloads daily : Snowden documents », Cbc.ca, January 27, 2015, online  : < https://www.cbc.ca/news/canada/cse-tracks-millions-of-downloads-daily-snowden-documents-1.2930120>.

[11] RADIO-CANADA, « Le Canada scrute des millions de fichiers partagés par les internautes », préc., note 9; SEGLINS, « CSE tracks millions of downloads daily : Snowden documents », supra, note 9.

[12] D. SEGLINS, « CSE tracks millions of downloads daily : Snowden documents », supra, note 9.

[13] C. POPA, supra, note 8, p. 239 et 240.

[14] RADIO-CANADA, « Des Canadiens espionnés avec le wifi d’un aéroport », Ici.radio-canada.ca, 30 janvier 2014, en ligne : <https://ici.radio-canada.ca/nouvelle/651902/enquete-cbc-aeroports-surveillance-electronique-cst-voyageurs>; CENTRE DE LA SÉCURITÉ DES TÉLÉCOMMUNICATIONS CANADA, « IP Profiling Analytics & Mission Impacts », Ottawa, Gouvernement du Canada, 2012, online  : <https://www.cbc.ca/news2/pdf/airports_redacted.pdf>.

[15] Id.

[16] COMMISSAIRE DU CENTRE DE LA SÉCURITÉ DES TÉLÉCOMMUNICATIONS, Rapport annuel 2012-2013, Ottawa, Ministre des Travaux publics et des Services gouvernementaux, 2013, p. 20.

[17] Id.

[18] COALITION POUR LA SURVEILLANCE INTERNATIONALE DES LIBERTÉS CIVILES, « 15 ans de politiques problématiques en matière de sécurité nationale et de lutte contre le terrorisme et leurs conséquentes », présenté au Comité permanent de la sécurité publique et nationale, Ourcommons.ca, p. 9, online : <https://www.ourcommons.ca/Content/Committee/421/SECU/Brief/BR8601764/br-external/InternationalCivilLibertiesMonitoringGroup-9475026-f.pdf>.

[19] C. POPA, supra, note 8, p. 240.

[20] CHAMBRE DES COMMUNES, Débats de la Chambre des communes, vol. 146, no 267, 1er sess., 41e légis., 11 juin 2013, Peter MacKay – Ministre de la Défense nationale (14h50); Marie VASTEL, « Peter MacKay – Le Canada n’espionne pas ses citoyens », Ledevoir.com, June 11, 2013, online  : <https://www.ledevoir.com/politique/canada/380443/le-canada-n-espionne-pas-ses-citoyens>.

[21] CHAMBRE DES COMMUNES, Débats de la Chambre des communes, vol. 146, no 267, 1er sess., 41e légis., 11 juin 2013, Thomas Mulcair – chef de l’opposition, NPD (14h20).

[22] Id., Peter MacKay – Ministre de la Défense nationale (14h50).

[23] BUREAU DU COMMISSAIRE DU CENTRE DE LA SÉCURITÉ DES TÉLÉCOMMUNICATIONS, « Points saillants des examens et des rapports présentés au ministre en 2014-2015 », Ocsec-bccst.gc.ca, September 15, 2015, online : <https://www.ocsec-bccst.gc.ca/s21/s46/s20/d274/fra/points-saillants-examens-rapports>.

[24] Colin FREEZE, « Data-collection program got green light from MacKay in 2011 », Theglobeandmail.com, June 10, 2013, online  : <https://www.theglobeandmail.com/news/politics/data-collection-program-got-green-light-from-mackay-in-2011/article12444909/>.

[25] BUREAU DU COMMISSAIRE DU CENTRE DE LA SÉCURITÉ DES TÉLÉCOMMUNICATIONS, « Points saillants des examens et des rapports présentés au ministre en 2014-2015 », supra, note 23.

[26] BUREAU DU COMMISSAIRE DU CENTRE DE LA SÉCURITÉ DES TÉLÉCOMMUNICATIONS, A Review of CSEC’S [       ] Activities [       ] [            ], Ottawa, Bureau du Commissaire du Centre de la sécurité des télécommunications, 2010, p. 1 à 2. (document divulgué en vertu de la loi LAI – renseignements non classifiés)

[27] OCSEC Review of the Ministerial Directive, Communications Security Establishment, Collection and Use of Metadata, 9 March 2005, p. 7, 16, 24 et 32; Craig FORCESE, « Law, Logarithms, and Liberties : Legal Issues Arising from CSE’s Metadata Collection Initiatives », dans Michael GEIST (éd.), Law, Privacy and Surveillance in Canada in the Post-Snowden Era, Ottawa, Les Presses de l’Université d’Ottawa, 2015, par. 37; CTV NEWS, « Data-collection program not targeting Canadians : MacKay », Ctvnews.ca, June 10, 2013, online : <https://www.ctvnews.ca/canada/data-collection-program-not-targeting-canadians-mackay-1.1319096>.

[28] Section 273.64 of the National Defence Act sets out the CSE's mandate. While paragraph (a) allows it to acquire and use information from the global information infrastructure ‘for the purpose of providing foreign intelligence in accordance with the intelligence priorities of the Government of Canada’, paragraph (c) allows it to ‘provide technical and operational assistance to federal law enforcement and security agencies in the performance of their duties and functions under this Act’.

[29] Craig FORCESE, « Law, Logarithms, and Liberties : Legal Issues Arising from CSE’s Metadata Collection Initiatives », in Michael GEIST (ed.), Law, Privacy and Surveillance in Canada in the Post-Snowden Era, Ottawa, Les Presses de l’Université d’Ottawa, 2015, par. 35; CTV NEWS, « Data-collection program not targeting Canadians : MacKay », Ctvnews.ca, June 10,  2013, online : <https://www.ctvnews.ca/canada/data-collection-program-not-targeting-canadians-mackay-1.1319096>.

[30] C. FORCESE, « Law, Logarithms, and Liberties : Legal Issues Arising from CSE’s Metadata Collection Initiatives », supra, note 29, par. 36.

[31] C. POPA, préc., note 8, p. 241 et 242.

[32] COMMISSAIRE DU CENTRE DE LA SÉCURITÉ DES TÉLÉCOMMUNICATIONS, Rapport annuel 2006-2007, Ottawa, Ministre des Travaux publics et des Services gouvernementaux Canada, 2007, p. 14.

[33] X (Re), 2013 CF 1275, [2015] 1 R.C.F. 635, par. 120.

[34] Id., par. 120.

[35] C. POPA, supra, note 8, p. 243.

[36] COMMISSAIRE DU CENTRE DE LA SÉCURITÉ DES TÉLÉCOMMUNICATIONS, Rapport annuel 2006-2007, supra, note 31, p. 17.

[37] OFFICE DE SURVEILLANCE DES ACTIVITÉS EN MATIÈRE DE SÉCURITÉ NATIONALE ET DE RENSEIGNEMENT, « Examen des divulgations d’informations identifiant un Canadien par le Centre de la sécurité des télécommunications », Nsira-ossnr.gc.ca, p. 1 and 2, online : <https://www.nsira-ossnr.gc.ca/wp-content/uploads/2021/06/10397868-001-FR-CII-Review-2018-19-1.pdf> (consulted on August 26, 2021).

[38] Id., p. 3.

[39] Id., par. 27.

[40] OFFICE DE SURVEILLANCE DES ACTIVITÉS EN MATIÈRE DE SÉCURITÉ NATIONALE ET DE RENSEIGNEMENT, « Examen des divulgations d’informations identifiant un Canadien par le Centre de la sécurité des télécommunications », supra, note 36, par. 28.

[41] Id., p. 6.

[42] Id., par. 29 et 30.

[43] C. POPA, supra, note 8, p. 243 et 244.

[44] OFFICE DE SURVEILLANCE DES ACTIVITÉS EN MATIÈRE DE SÉCURITÉ NATIONALE ET DE RENSEIGNEMENT, « Examen des divulgations d’informations identifiant un Canadien par le Centre de la sécurité des télécommunications », supra, note 36, par. 30.

[45] C. POPA, supra, note 8, p. 245.

[46] Hugh SEGAL et Serge JOYAL, Liberté, sécurité et la menace complexe du terrorisme : des défis pour l’avenir, Rapport intérimaire du Comité sénatorial spécial sur l’antiterrorisme, Ottawa, Travaux des Comités, 2011, p. 44.

[47] C. POPA, supra, note 8, p. 245.

[48] Loi concernant certaines mesures liées à la sécurité de la frontière entre le Canada et les États-Unis et d'autres mesures connexes liées à la sécurité, projet de loi C-2, 45e légis., 1ère sess., 2025, online : ‹https://www.parl.ca/DocumentViewer/fr/45-1/projet-loi/C-2/premiere-lecture›.

[49] Loi concernant la cybersécurité, modifiant la Loi sur les télécommunications et apportant des modifications corrélatives à d'autres lois, projet de loi C-8, 45e légis., 1ère sess., 2025, online : ‹https://www.parl.ca/LegisInfo/fr/projet-de-loi/45-1/C-8›.

[50] Marie WOOLF, « Border bill powers would allow warrantless police requests to doctors, abortion clinics, hotels » The Globe and Mail, June 16, 2025, online : ‹https://www.theglobeandmail.com/politics/article-border-bill-csis-snooping-powers/›.

[51] Kate ROBERTSON, « Unspoken Implications. A Preliminary Analysis of Bill C-2 and Canada’s Potential Data-Sharing Obligations Towards the United States and Other Countries », Citizen Lab, June 16, 2025, online : ‹https://citizenlab.ca/2025/06/a-preliminary-analysis-of-bill-c-2/›.