The Communications Security Establishment of Canada came under fire yesterday when it was revealed it broke privacy laws by sharing information about Canadians with the electronic spy agency’s foreign counterparts and other parties. In a report released yesterday, CSE Commissioner Jean-Pierre Plouffe said he found several deficiencies in how the Ottawa-based agency collected and handled metadata pertaining to Canadians. Plouffe, who has been CSE commissioner since 2013, has made eight recommendations to improve the way the CSE operates. His annual report covered the period 2014 to 2015.
“I have met with Mr. Plouffe, and advised him that I support his recommendations,” Minister of National Defence Harjit Sajjan, said in a statement today. “CSE discovered, on its own, that certain types of metadata were not being properly protected prior to sharing with allies, due to technical deficiencies in the CSE system.”
The CSE, which is administered by the Department of National Defence (DND), is responsible for intercepting, collecting and analyzing foreign signal intelligence (SIGINT) and protecting Canadian government electronic information and communications networks. By law, it is prohibited from directing its operations on Canadians. The agency provides intelligence information to Canadian government clients but it also shares some information with so-called Five Eyes partners (an intelligence alliance comprised of Australia, Canada, New Zealand, United Kingdom and the United States) and non-Five Eyes, second party partners.
Metadata is information associated with communications that are used to identify, describe, manage or route that communication. It includes, but is not limited to, a telephone number, an email or IP (Internet protocol) address, network and location information.
“CSE will not resume sharing this information with our partners until I am fully satisfied the effective systems and measurements are in place,” said Sajjan.
In his review of the CSE, Plouffe said he found that “metadata ministerial directives lack clarity regarding the sharing of certain types of metadata with Five Eyes partners, as well as other aspects of CSE’s metadata activities.”
“In addition, while I was conducting this current comprehensive review, CSE discovered on its own that certain metadata was not being minimized properly,” he said.
Minimization is a process by which Canadian identity information contained in metadata is rendered unidentifiable prior to being shared, according to Plouffe. It is a privacy protection measure which the CSE is expected to implement as a matter of ministerial directive.
“Therefore, the fact that CSE did not properly minimize Canadian identity information contained in certain metadata prior to being shared was contrary to ministerial directive and to the CSE’s operational policy,” according to the commissioner.
Plouffe also said that his review revealed that there was a lack of proper record-keeping in the CSE’s process.
He also found incidents of procedural errors in the handling of information and that policies and procedures relating to the retention of private communications “were not followed in some instances.”
Recommendations and caveats
The report was not clear on the volume of data or the number of Canadians impacted by these lapses. Plouffe also said that he believed CSE personnel were not intentional in their failures.
Among Plouffe recommendations were the improvement to the clarity of ministerial directives, the removal of ambiguities regarding the CSE’s to conduct IT security activities that risk the interception of private communication, and the update of process documentation and development.
He also said “CSE should develop caveats” to attach to specific operational material that may be shared with Second Party partners to ensure the information would not be used without expressed authorization from CSE.