A federal watchdog says Canada’s electronic spy agency broke privacy laws by sharing information about Canadians with foreign partners.
In his annual report, Jean-Pierre Plouffe says the Communications Security Establishment (CSE) passed along the information – known as metadata – to counterparts in the United States, Britain, Australia and New Zealand.
Metadata is information associated with a communication – such as a telephone number or email address – but not the message itself.
The Ottawa-based CSE uses highly advanced technology to intercept, sort and analyze foreign communications for information of intelligence interest to the federal government. According to senior CSE officials who spoke on background Thursday, the agency is legally prohibited from targeting Canadians, or anyone in Canada, but metadata linked to Canadians can be scooped up in monitoring of the broader online environment.
Goodale: CSIS complied with recommendations
The officials said that the CSE itself caught on to the fact that certain metadata were not being properly protected (or the relevant private information linked to that data “minimized”) before it was shared with Canada’s “Five Eyes” partners. That happened in 2013, and in early 2014 the CSE stopped sharing that subset of metadata until the problem could be fixed.
The sharing has not yet resumed, and the problem was only made public on Thursday with the release of CSE Commissioner Plouffe’s annual report. Officials said the issue was not intentionally hidden from Canadians, however.
“We have taken appropriate action,” said Defence Minister Harjit Sajjan in Ottawa on Thursday following a technical briefing for reporters provided by CSE. “It’s very important that we do protect the privacy of Canadians.”
The Five Eyes partners are legally forbidden from drilling down into the metadata to identify a specific Canadian or Canadians linked to that data, reporters were told. Even if they were to do so, the intelligence reports produced using the relevant data would need to conceal the identity of any Canadian involved. The overall “privacy impact” of the breach, according to officials, was therefore assessed as low.
Officials were unable to say how many Canadians might have been affected by the breach, or when full metadata sharing with allies might resume.
The minister also indicated that there is no plan to curb collection of metadata or to change the CSE’s mandate. CSE helps to thwart hundreds of millions of cyber attacks on Canadian technology infrastructure daily, Sajjan added.
Documents leaked in 2013 by former American spy contractor Edward Snowden revealed the U.S. National Security Agency – a close CSE ally – had quietly obtained access to a huge volume of emails, chat logs and other information from major Internet companies, as well as massive amounts of data about telephone calls.
As a result, civil libertarians, privacy advocates and opposition politicians demanded assurances the CSE was not using its extraordinary powers to snoop on Canadians.
With files from the Canadian Press.