Canadian spy agency’s big data program is breaking the law: review body

Click to play video: '‘The most serious threat to national security’: Ex-CSIS manager on insider threats after alleged nuclear plant info leak, Ortis case'
‘The most serious threat to national security’: Ex-CSIS manager on insider threats after alleged nuclear plant info leak, Ortis case
A former employee of Ontario Power Generation (OPG), the Crown corporation that operates the province’s nuclear plants, has been charged with leaking "safeguarded information" that could harm Canada. 'The West Block' host Mercedes Stephenson speaks with Dan Stanton, the former executive manager at the Canadian Security Intelligence Service (CSIS), about the dangers of insider threats at highly critical institutions like nuclear power plants and the Royal Canadian Mounted Police (RCMP). – Feb 25, 2024

Canada’s domestic spy agency violated its own rules by holding onto “tens of thousands of entries of Canadian personal information” harvested from foreign sources, an independent review body has ruled.

That finding was just one in a scathing report by the National Security and Intelligence Review Agency (NSIRA), which highlighted significant problems with the way the Canadian Security Intelligence Service (CSIS) approaches big data.

The report, published Thursday afternoon, was a deep dive into how CSIS has used new powers to collect “datasets” to aid their investigations and operations. The new powers were granted as part of the Liberal government’s sweeping 2019 national security law reforms.

“The review concludes that CSIS has failed to adequately operationalize the dataset regime,” NSIRA’s report read. “Absent an internal commitment to adequately operationalize, resource and support the implementation of a new legal regime, any such regime will fail no matter how fit for purpose it is perceived.”

Story continues below advertisement

This is not the first time CSIS has run afoul of the law in its collection of personal information.

In 2016, the Federal Court ruled the intelligence agency illegally kept and analyzed data on people who posed no threat to national security for almost a decade. CSIS used that data to analyze “specific, intimate insights into the lifestyle and personal choices” of an unknown number of “third party” and “non-threat” individuals since 2006.

The new dataset regime brought in by the Liberals in 2017 was in part a response to that ruling. CSIS has long argued it needs to be able to collect and assess big datasets to function as a modern intelligence agency.

Under the new rules, CSIS can collect datasets containing personal information “not directly and immediately related to” active national security threats, but “are likely to assist in national security investigations,” NSIRA noted. Those datasets fall into three categories – publicly available, foreign and Canadian – with different rules around their collection and use by CSIS.

CSIS can also collect datasets if they have reasonable grounds to believe it relates to a direct national security threat under Section 12 of its legislation.

NSIRA found that CSIS has increasingly relied on Section 12 to collect datasets, and that they’ve “broadened” the definition of “reasonable grounds” to suspect they relate to direct national security threats.

Story continues below advertisement

“The standards now invoked to justify the collection and retention of some datasets … under Section 12 are closer to the ‘satisfied’ and ‘likely to assist’ threshold for the dataset regime,” the agency wrote.

In other words, CSIS is collecting data that may not be strictly necessary – albeit very likely useful – with the explanation that it relates to an urgent national security issue.

But beyond the question of what does or does not constitute a national security threat, NSIRA found significant issues with how CSIS handles datasets, how it trains its employees and how much resources the agency is devoting to the program.

“These compounding factors have created a situation where (CSIS) employees have limited options for conducting data exploitation, and this has affected the utility of all three categories of datasets,” the report read.

“Based on briefings with technical experts and technical demonstrations, it is evident that the current systems are not designed to support bulk data use in a compliant manner.”

Global News requested a comment from the intelligence agency in response to NSIRA’s report, and was pointed to CSIS’s detailed responses to the review body’s recommendations. In those responses, CSIS disagreed that its data operations aren’t complying with federal law.

“CSIS disagrees with (the findings) that information collected in the referenced incident was not strictly necessary to retain for the purpose of investigating threats to the security of Canada,” the agency wrote. “NSIRA’s interpretation of ‘strictly necessary’ is overly narrow such that it would unreasonably impede CSIS’ ability to meet its mandates.”

Story continues below advertisement

The disagreement between the spy agency’s lawyers and NSIRA could be hashed out in Federal Court. CSIS agreed with the review body’s recommendation to forward an uncensored version of NSIRA’s findings to the court’s judges designated to weigh in on national security matters.

There’s also the possibility the Liberal government or its successor could revisit the dataset regime.

“CSIS always seeks to perform its duties and functions in accordance with the rule of law and in a manner that respects the Canadian Charter of Rights and freedoms,” wrote Eric Balsam, a spokesperson for the spy agency.

“The Government of Canada included consideration of the Dataset Regime in the recently concluded public consultations on potential CSIS Act amendments. The amendments under consideration intend to address the interpretative ambiguity, as well as some of the errors and inefficiencies, of the Dataset Regime that underlie NSIRA’s interpretive approach.”

Sponsored content