Why is Canada’s privacy czar worried about the country’s cyber-spying agency? (and what’s she doing about it?)
Concerned for Canadians’ privacy online amid mushrooming revelations into U.S. cyber-spying, Privacy Commissioner Jennifer Stoddart approached the watchdog overseeing Canada’s electronic espionage agency and offered to help him.
That was in June. News of the National Security Agency’s PRISM program had just broken. As Global News reported at the time, Stoddart was worried. She met with Communications Security Establishment Commissioner Robert Décary, the man responsible for keeping an eye on Canada’s version of the NSA.
He hadn’t heard of PRISM, says Stoddart spokesperson Scott Hutchinson. Stoddart’s office, wanting to pursue the issue further, offered to help him out.
“We just offered general help, because it’s a smaller office and I guess they weren’t sure what was coming about because an issue such as this hadn’t hit them,” Hutchinson said.
“It is it was a small organization, and remains so. And so we offered some help if they wished.”
(A spokesperson for her office later noted she never offered to conduct his investigations for him, but rather to help “in any manner which would be of assistance”)
Décary never took Stoddart up on her offer.
“Nothing’s come of it yet,” Hutchinson said. “But we’ll see down the road if perhaps something may materialize.”
(Bill Galbraith, executive director of Décary’s office, notes Stoddart’s staff members don’t have the kind of security clearances needed to deal with this kind of classified information.)
The Communications Security Establishment, Canada’s $400-million-a-year cyberspying operation, came under scrutiny this week amid reports it’s been targeting the Brazilian government.
This isn’t, strictly speaking, Stoddart’s mandate: She’s responsible for safeguarding Canadians’ privacy.
CSEC’s raison d’etre is explicitly foreign: It isn’t allowed to target Canadians, and must prove an operation’s essential if it wants to intercept communication that could scoop up Canadian data.
But Stoddart’s worried nonetheless. She raised concerns with CSEC Sept. 20 about what she sees as a lack of transparency regarding the organization’s data holdings.
She never heard back, Hutchinson says. (CSEC didn’t immediately respond to a query about this Tuesday afternoon)
Now she’s taking things into her own hands.
“We’re also exploring the most constructive use of the tools under our mandate with regards to these issues that have been raised in terms of protecting Canadians right to privacy,” Hutchinson said.
In the meantime, Décary is conducting an unprecedented review of the way Canada’s cyber-spies share information with the country’s “closest international partners,” mentioned in his report this past summer.
That review should be available by next year’s annual report. But Décary’s tenure ends next week. Ottawa has yet to name a successor.
Read more: Who oversees Canada’s cyber spies?
The Commissioner’s office has grown from eight full-time staff in 2008 to 11 now, plus two part-time “subject matter experts.” Seven of those 11 work on reviews; two were hired this past year.
The additional resources come at the Commissioner’s request as the body he’s overseeing balloons in size and activity: It has a staff of about 2,000 and a $422-million budget. Its watchdog has an annual budget of about $2.1-million.
Décary has enough for now, Galbraith says, provided his mandate stays the same.
Meanwhile, the Privacy Commissioner’s office plans to announce its approach to the cyber-spying imbroglio over the next several weeks.
Watch: Diplomatic fallout over Brazil spy report
Note: Updated 3:30 p.m. ET Wednesday, Oct. 9 to reflect more precise information from the Privacy Commissioner’s office as to when she raised transparency concerns with CSEC, and what kind of help she offered CSEC’s watchdog.