'Difficult to determine' scope of privacy breach in Five Eyes data sharing
Lack of information about metadata sharing 'unconscionable' and 'irresponsible,' privacy advocate says
It's impossible to know how many Canadians had their personal data shared by the country's electronic spy agency in a metadata glitch, according to its watchdog.
Jean-Pierre Plouffe, commissioner of the Communications Security Establishment (CSE), told a Senate committee Monday that data were erased from the agency's system, making it difficult to find out the number of people impacted.
"It is impossible to know the exact figure. After a certain amount of time, data disappears. They have a deadline after which system data is deleted."
- Canada's electronic spy service to take more prominent role in ISIS fight
- Canada's electronic spy agency stops sharing some metadata
- CSE worried about how its use of Canadian metadata might be viewed
A month ago, Plouffe tabled his annual report in the House of Commons, revealing for the first time that CSE illegally and unintentionally shared metadata with Canada's Five Eyes intelligence allies: the United States, United Kingdom, Australia and New Zealand.
That data may include Canadians' personal information, including phone numbers or email addresses, but not the content of emails or recordings of phone calls.
"It's not accidental," Plouffe said in an interview about the CSE breaking the law. "It's because of a lack of due diligence."
Metadata is information associated with communication that is used to identify, describe or route information. CSE is supposed to monitor only foreign communications for intelligence that may be of interest to Canada.
If the spy agency comes across Canadians' information, the law requires it to delete the data from its systems.
No idea how long problem lasted
The commissioner said CSE disclosed the metadata glitch as it prepared its 2014 annual report.
"When they discovered it, they didn't know for how long the problem existed," said Plouffe, who still doesn't know if the glitch lasted months or years.
When Conservative Senator Claude Carignan asked "How many Canadians were affected by this error?" the commissioner could not answer.
Plouffe explained that the spy agency intercepts millions of pieces of metadata each year. But it erases data after a certain deadline to make room in the system.
"It is very difficult to determine the number of Canadians affected," said Plouffe.
'First CSE non-compliance'
This is the first time the commissioner has said his office has ever discovered a non-compliance issue with CSE.
Plouffe says even if Canada's intelligence allies did receive some Canadian information, theoretically they should not act upon it, according to the policy.
All of the Five Eyes partners' data is stored in Washington. Plouffe checked with the U.S. National Security Agency in January 2015 and was told it wasn't aware of any Canadian's personal information being compromised.
- CSE monitors millions of Canadian emails to government
- CSE: What do we know about Canada's eavesdropping agency?
However, Canada has stopped sharing certain metadata with international partners. Defence Minister Harjit Sajjan said last month that sharing won't resume until he's satisfied that the proper protections are in place.
Unacceptable 'from A to Z'
Ontario's former privacy commissioner, Ann Cavoukian, says CSE never should have collected the metadata in the first place and wants the practice to end.
"It has been illegally collected," said Cavoukian. "It's unscrupulous they're doing this...The whole thing from A to Z is unacceptable."
Cavoukian questions how it's possible that the metadata isn't tracked.
"I just think it's unconscionable that they have no idea how much metadata has been collected, where it is and they're saying now it's all deleted. That's irresponsible."
In an email, a communications adviser said the federal privacy commissioner's office is in discussions with CSE and can't comment further at this time.
"We wanted to follow up to seek further clarity on the issues raised in the report, including how much personal information of Canadians was involved and what ultimately happened to the information, and whether appropriate protective measures were taken," wrote spokeswoman Tobi Cohen.