Metadata and our Mandate

On August 1, 2019 the Communications Security Establishment Act (CSE Act) came into force. The CSE web site is being updated to reflect the changes in CSE’s authorities and the accompanying accountability and transparency measures.

Metadata

The CSE is mandated to help protect Canada and Canadians by:

  • acquiring foreign intelligence in support of the Government of Canada’s intelligence priorities;
  • helping to protect and defend government and non-government networks;
  • assisting federal law enforcement and security agencies, the Canadian Forces and the Department of National Defence in their legally authorized activities;
  • conducting defensive and active foreign cyber operations.

In order to fulfill this mandate, the CSE Act authorizes CSE to collect information from the GII (Global Information Infrastructure), which includes metadata. Metadata is critical to understand the communications environments in which we operate and helps ensure we are directing our intelligence activities at foreign entities outside of Canada.

We’re selective in gathering metadata, collecting and analysing subsets of metadata to:

  • Understand complex and constantly changing communications networks;
  • Discover and analyse foreign intelligence targets and their social networks; and
  • Identify cyber threats.

What is metadata?

Metadata is the context, but not the content of a communication. It is information used by computer systems to identify, describe, manage or route communications across networks. For example, metadata can refer to an internet protocol address or a phone number or the time of a transmission or the location of a device. The complexity of technology used on global networks and the speed with which technology is advancing mean that communications metadata is constantly evolving. While metadata reveals a certain amount of information about devices, users and transmissions, it is contextual and does not expose the content of emails, phone calls or text messages.

Why do we need metadata?

For more than 70 years, metadata has been vital to the successful delivery of our mission. We operate in the global communications network, and metadata helps us characterize how foreign threat actors, such as terrorist groups, cyber actors or hostile intelligence agencies, use networks and systems. We need to understand how they communicate so we can discover the motivations, intentions, capabilities and activities of these actors, and work with our Government of Canada clients to stop threats before they materialize. The metadata is essential to ensuring that we are directing our activities at foreign adversaries, thus mitigating the risks of intercepting private communications from Canada or involving Canadians.

What we don’t do with metadata…

CSE does not collect or use metadata to target or otherwise direct signals intelligence or cyber defence activities at Canadians or anyone in Canada, as such activity is prohibited in the CSE Act.

Metadata and signals intelligence

CSE is a foreign intelligence agency, and must direct its signals intelligence activities exclusively against foreign targets outside of Canada, and in accordance with the Government of Canada intelligence priorities of the day. Given that intelligence targets are dispersed in the vast global network or networks, the collection and use of certain pools of communications metadata can help us hone our intelligence investigations and better pinpoint the networks on which foreign targets operate and how they communicate. Only then can we begin to engineer solutions to collect information and provide important insights to the Government. Without metadata, we would not be able to effectively direct our resources and capabilities to keep Canada and Canadians safe and secure. In the end, the more relevant information, including metadata, we have, the more certain we are in targeting foreign entities outside Canada.

Metadata and cyber security

CSE plays a vital role in protecting electronic information, systems and networks of importance to the Government. Every day, CSE analysts use metadata to discover and defend against cyber threats to Canadian networks. Malicious cyber actors are constantly evolving their techniques to exploit the private communications of Canadians, the intellectual property of our companies, and the secrets of our Government. At CSE, we work to uncover these threats by searching for clues in metadata that uncover malicious activity and, in the case of Government of Canada networks, stop their efforts to exploit the information under our control, including Canadians’ personal information.

Privacy protections

Any information that CSE collects and which may interfere with the reasonable expectation of privacy of a Canadian or person in Canada may only be acquired under a Ministerial Authorization approved by the Intelligence Commissioner, a retired superior court judge.

Given the interconnected, global nature of communications networks, some metadata associated with Canadian communications is likely to be present in the subsets of metadata collected by CSE. We, as Canadians, know the importance of protecting Canadian privacy interests in all of our activities and the CSE Act requires that CSE have measures in place to protect the privacy of Canadians. CSE has a culture of compliance with the law, ministerial authorizations and directives, and our own policies, including a suite of measures that provide robust protection. As part of these protective measures, CSE:

  • focuses collection of metadata to areas of the global network that are most likely to provide foreign intelligence, and avoids collection in areas that are not expected to be predominantly foreign in nature;
  • limits the length of time that metadata can be retained;
  • restricts access to metadata stores to only trained CSE operational and policy officials, and only for authorized analytic activities;
  • administers regular legal briefings, as well as annual privacy policy testing for CSE operational and policy officials (revoking access to data until successful results are achieved);
  • prohibits searches for information about Canadians anywhere or individuals in Canada;
  • respects the privacy rights of Canadians when sharing information, including suppressing any identifying information about Canadians in foreign intelligence reporting;
  • audits and reports on compliance with these activities; and
  • cooperates with the National Security and Intelligence Review Agency and the National Security and Intelligence Committee of Parliamentarians in the review of metadata activities.

Technology is constantly evolving, and CSE never stops adapting to these changes, striving to stay ahead. We do this to not only support our mandate to protect Canada and Canadians, but also to protect the privacy of Canadians. The collection and analysis of metadata are vital to CSE’s efforts to protect Canada and Canadians, but the protection of Canadians’ privacy interests are equally important.