Canada’s domestic spy agency violated its own rules by holding onto “tens of thousands of entries of Canadian personal information” harvested from foreign sources, an independent review body has ruled.
That finding was just one in a scathing report by the National Security and Intelligence Review Agency (NSIRA), which highlighted significant problems with the way the Canadian Security Intelligence Service (CSIS) approaches big data.
The report, published Thursday afternoon, was a deep dive into how CSIS has used new powers to collect “datasets” to aid their investigations and operations. The new powers were granted as part of the Liberal government’s sweeping 2019 national security law reforms.
“The review concludes that CSIS has failed to adequately operationalize the dataset regime,” NSIRA’s report read. “Absent an internal commitment to adequately operationalize, resource and support the implementation of a new legal regime, any such regime will fail no matter how fit for purpose it is perceived.”
This is not the first time CSIS has run afoul of the law in its collection of personal information.
In 2016, the Federal Court ruled the intelligence agency illegally kept and analyzed data on people who posed no threat to national security for almost a decade. CSIS used that data to analyze “specific, intimate insights into the lifestyle and personal choices” of an unknown number of “third party” and “non-threat” individuals since 2006.
The new dataset regime brought in by the Liberals in 2017 was in part a response to that ruling. CSIS has long argued it needs to be able to collect and assess big datasets to function as a modern intelligence agency.
Under the new rules, CSIS can collect datasets containing personal information “not directly and immediately related to” active national security threats, but “are likely to assist in national security investigations,” NSIRA noted. Those datasets fall into three categories – publicly available, foreign and Canadian – with different rules around their collection and use by CSIS.
CSIS can also collect datasets if they have reasonable grounds to believe it relates to a direct national security threat under Section 12 of its legislation.
NSIRA found that CSIS has increasingly relied on Section 12 to collect datasets, and that they’ve “broadened” the definition of “reasonable grounds” to suspect they relate to direct national security threats.
“The standards now invoked to justify the collection and retention of some datasets … under Section 12 are closer to the ‘satisfied’ and ‘likely to assist’ threshold for the dataset regime,” the agency wrote.
In other words, CSIS is collecting data that may not be strictly necessary – albeit very likely useful – with the explanation that it relates to an urgent national security issue.
But beyond the question of what does or does not constitute a national security threat, NSIRA found significant issues with how CSIS handles datasets, how it trains its employees and how much resources the agency is devoting to the program.
“These compounding factors have created a situation where (CSIS) employees have limited options for conducting data exploitation, and this has affected the utility of all three categories of datasets,” the report read.
“Based on briefings with technical experts and technical demonstrations, it is evident that the current systems are not designed to support bulk data use in a compliant manner.”
Global News requested a comment from the intelligence agency in response to NSIRA’s report, and was pointed to CSIS’s detailed responses to the review body’s recommendations. In those responses, CSIS disagreed that its data operations aren’t complying with federal law.
“CSIS disagrees with (the findings) that information collected in the referenced incident was not strictly necessary to retain for the purpose of investigating threats to the security of Canada,” the agency wrote. “NSIRA’s interpretation of ‘strictly necessary’ is overly narrow such that it would unreasonably impede CSIS’ ability to meet its mandates.”
The disagreement between the spy agency’s lawyers and NSIRA could be hashed out in Federal Court. CSIS agreed with the review body’s recommendation to forward an uncensored version of NSIRA’s findings to the court’s judges designated to weigh in on national security matters.
There’s also the possibility the Liberal government or its successor could revisit the dataset regime.
“CSIS always seeks to perform its duties and functions in accordance with the rule of law and in a manner that respects the Canadian Charter of Rights and freedoms,” wrote Eric Balsam, a spokesperson for the spy agency.
“The Government of Canada included consideration of the Dataset Regime in the recently concluded public consultations on potential CSIS Act amendments. The amendments under consideration intend to address the interpretative ambiguity, as well as some of the errors and inefficiencies, of the Dataset Regime that underlie NSIRA’s interpretive approach.”