Canada’s cyber-surveillance body isn’t allowed to target Canadians. But it keeps information banks with Canadians’ personal details.
A spokesperson for the Communications Security Establishment said in an email the “vast majority” of personal information kept indefinitely in the digital surveillance agency’s information banks belongs to non-Canadians. But if they have information on you, chances are slim you’ll get to see it.
Canada’s digital espionage agency is growing, and preparing to move into swanky new headquarters. Its newly-minted watchdog takes the reins amid calls for closer policing of an agency with a lot of power and little public oversight.
Revelations earlier this month that Canadian cyberspies had been targeting Brazilian government ministries incensed President Dilma Rousseff and prompted global consternation over exactly what else Canadian cyberspies were looking for.
Meanwhile, U.S. digital intelligence came under fire this week amid allegations the NSA spied on German Chancellor Angela Merkel and dozens of other world leaders.
CSE Commissioner Jean-Pierre Plouffe, a former judge and federal auditor who was named to the Court Martial Appeal Court of Canada this past March, replaced Robert Décary Oct. 18.
He takes up office at a touchy time: The Canadian Civil Liberties Association is suing CSEC, alleging illegal collection of Canadians’ information. Privacy commissioners at both the provincial and federal level are worried CSEC is spying on Canadians – which it isn’t allowed to do.
Federal Privacy Commissioner Jennifer Stoddart was so worried she met with Décary this past summer, offering her help (he didn’t take her up on it).
Stoddart has also been in touch with CSEC herself, urging the agency in a Sept. 20 letter to be more transparent about the way it collects personal information. She also offered up her staff “to assist you as you continue to work on privacy-related issues.”
University of Ottawa law professor Amir Attaran has been pushing for more transparency from CSEC: In a complaint filed with Stoddart’s office this summer, he noted the Privacy Act requires the agency to publish at least a bare-bones description of its databases
On Oct. 16, CSEC posted descriptions of the personal information banks it keeps.
One database, designed to “identify, isolate or prevent harm to Government of Canada computer systems or networks,” contains personal information on members of the general public that can be held indefinitely.
The information “may be disclosed to domestic investigative bodies for the fulfillment of their lawful duties or foreign bodies in accordance with agreements or Ministerial Direction,” the description reads. This bank is covered by the Privacy Act, which means you should be able to get information about you.
A second, which also contains the general public’s personal information, is used “to advise the government regarding international affairs, security and defence.” And because it relates to defence and international affairs, it’s exempt from the Privacy Act. So you can ask for your personal information, Attaran says, “but the answer you’re going to get is ‘Get lost.'”
It’s possible much of that is “bycatch,” Attaran said – data from or about Canadians caught accidentally while trawling for foreign intelligence.
But it’s tough to know if we don’t know whose information is there, how CSEC got it or why exactly it’s exempt from the Privacy Act.
“There is literally no way to know whether a particular group of Canadians is being watched, whether Canadians generally are being watched,” Attaran said. “We don’t know. And we’re never going to know. And until there’s a Canadian Snowden, we won’t know.”