Today’s threats to Canada’s national security are fast, complex and dynamic, and threat actors are highly connected and mobile. The ease of movement across international borders and spread of social media networks and modern communications technology can now be exploited to promote extremism and facilitate threat activity, even as the perpetrators remain anonymous. This creates some very real challenges for CSIS.
When the CSIS Act was written, a wiretap to intercept the communications of a threat actor could be done with alligator clips on a telephone wire. The internet, smartphones and artificial intelligence were more science fiction than reality. Similarly, information was locally available, stored in one place, and transmission was straightforward. Today, a single message may transit through multiple jurisdictions at the same time and be stored in the “cloud”.
These changes in technology could not have been anticipated when the CSIS Act was written. In 2016, the Federal Court acknowledged that the Act was not keeping pace with changing technology. The Canadian Parliament agreed that legislative amendments were necessary to ensure CSIS had the tools of a modern intelligence service.
The National Security Act (2017), which came into force in 2019, was the first step towards modernizing the CSIS Act. The amendments to the CSIS Act introduced by this legislation provide clear authority for longstanding collection activities as well as 21st century investigative techniques that enable CSIS to effectively carry out its duties and functions in a challenging operational environment.
Today, data analytics is a key investigative tool for the Service, providing CSIS with the capacity to make connections and identify trends that is not possible through traditional methods of investigation. The Service analyzes data to confirm the identity of individuals associated to a threat, corroborate human source information, and generate other investigative leads.
The changes to the CSIS Act introduced by the National Security Act (2017) establish a framework for the collection, retention, and use of datasets by the Service. The framework authorizes CSIS to collect datasets that are likely to assist the Service in the performance of its duties and functions. However, in doing so, it establishes robust safeguards to ensure Canadians’ rights and freedoms, including privacy, are protected. These protections include enhanced requirements for ministerial accountability, requiring – at least once a year – that the Minister of Public Safety and Emergency Preparedness determine classes of Canadian datasets that the Service is authorized to collect if deemed reasonable.
The framework sets out three types of datasets: Canadian, foreign and publicly available. Depending on the type of dataset, the Service must meet different requirements before it is able to query or exploit the data. For example, CSIS can only collect Canadian datasets that fall into a class determined by the Minister and approved by the Intelligence Commissioner, and must apply to the Federal Court for approval to retain and use the dataset.