EDITOR’S NOTE: This article has been updated to reflect a change in the number of privacy incidents reported by the CSE. Following publication, the CSE corrected its own numbers to report a total of 137 privacy incidents in 2022-23.
Canada’s electronic intelligence agency logged 137 privacy “incidents” over the last fiscal year, including 23 that were attributed to a Five Eyes partner agency.
The disclosure comes as the Communications Security Establishment (CSE), Canada’s cyber defence and espionage agency, resumes sharing “metadata” with close security partners after the program was halted due to privacy concerns.
“Privacy incidents” can include everything from minor procedural mistakes, for instance mislabeling data, to more significant disclosures of sensitive information. The CSE’s report does not include detail on how severe any of the 137 breaches in 2022-23 were.
“Metadata” refers to information related to electronic communications — for instance, IP addresses, the date and time messages were sent, phone numbers and email addresses — not the content of messages themselves. However, the information can still be extremely sensitive, and the CSE noted it’s an “essential” part of their foreign intelligence mission.
In its 2022-23 annual report, the CSE noted that it has “detailed” internal policies on “how to handle information related to Canadians.” By law, the CSE is prohibited from turning its surveillance capabilities on Canadians or people in Canada. But Canadians’ information can still be scooped up “incidentally” through the CSE’s surveillance of global internet infrastructure.
Even minor privacy breaches are logged as “operational privacy incidents,” the agency reported.
“CSE takes steps to correct the error, for instance by deleting data. CSE logs and tracks privacy incidents so we can take steps to prevent future incidents,” the report, released Thursday, read.
The CSE has only recently begun publicly admitting the number of privacy “incidents” it logs each year. In 2021-22 – the only other year where operational privacy incidents were publicly reported – the agency logged 114 incidents internally, and another 33 attributed to a foreign “second party” agency.
Separate reports on the agency’s compliance with privacy laws indicate a handful of breaches that were serious enough to notify Canada’s privacy watchdog over the last five years – although none of the incidents in 2022 met that threshold, the agency says.
“Over the decades we have developed a suite of policies and procedures designed to protect Canadian privacy. These measures are layered, so that a single error is unlikely to result in a privacy breach,” Robyn Hawco, a spokesperson for the agency, said in a statement to Global News.
“Any occurrence, however minor, that runs counter to our policies, or is not covered by them, is considered an ‘operational privacy incident.’”
The CSE has sophisticated electronic surveillance capabilities, and has been under increased scrutiny over the last decade after Edward Snowden leaked classified information about Five Eyes spying operations. While the agency is prohibited from directly targeting Canadians, it hoovers up massive amounts of information from the global internet, and has faced criticism over its privacy policies.
A 2020 report from the National Security and Intelligence Review Agency, an independent review body, stated that privacy breaches were “unavoidable” due to the nature of the CSE’s work – although it noted some deficiencies in how the agency addressed the incidents.
The CSE’s report also disclosed that the agency has resumed sharing “metadata” with Five Eyes security partners — agencies in the U.S., U.K., Australia and New Zealand — almost a decade after the program was halted due to privacy concerns.
The agency suspended sharing metadata with close allies in 2014, after it discovered that some information that could identify Canadians was being shared — inadvertently, according to the CSE.
“CSE gathers metadata under the foreign intelligence aspect of our mandate, which prohibits us from targeting the communications of Canadians or anyone in Canada. However, the global information infrastructure (GII) is just that — global,” the report read.
“Therefore, when acquiring information from the GII, CSE may incidentally acquire information that can be used to identify a Canadian person or person in Canada.”
The agency said it has put in place a new system that gives CSE control over what metadata is shared, and minimizes the risk of sharing identifiable information about Canadians with security partners.
“In this heightened global environment where we see threats emerging from China and Russia, it is very important for us to be able to share intelligence with our Five Eyes allies and have them share intelligence with us,” Defence Minister Anita Anand said in an interview with Global News in London, U.K. Thursday.
“And we do that within the bounds of the law.”
Asked how Canadians can trust the metadata sharing program will not jeopardize Canadians’ privacy again, Anand said there are a number of “accountability measures” in place.
“CSE and Caroline Xavier, the chief of the CSE, take those accountability measures very seriously,” Anand said.
“Certainly we will make sure that any sharing of data occurs within the bounds of the law.”