Politics

Cyber spies fall short on protecting Canadians' privacy after breaches, says new report

The foreign signals intelligence agency has put Canadians' privacy at risk in a growing number of incidents and then falls short in making sure that information is contained, says a newly published report from the intelligence watchdog.

NSIRA flagged issues in the way CSE mitigates the fallout from privacy breaches

The Communications Security Establishment complex is pictured in Ottawa on October 15, 2013. The CSE gathers foreign signals intelligence. (Sean Kilpatrick/Canadian Press)

Canada's foreign signals intelligence agency has been falling short when it comes to containing the damage done by privacy breaches, says a new report from the intelligence sector watchdog.

The findings are found in a redacted report from the National Security and Intelligence Review Agency (NSIRA) looking into reported breaches of Canadians' privacy by the Communications Security Establishment (CSE). The report was made public this week. 

The CSE gathers foreign signals intelligence — or SIGINT, to use the intelligence sector's term for it. Its mandate specifically limits it to monitoring online activity abroad. The agency also has been tasked with protecting critical government infrastructure from hackers and state-sponsored attacks.

Given the sensitive nature of its work, CSE has to catalogue every incident of its activities putting the privacy of Canadians, or of any individual in Canada, at risk.

The watchdog agency wrote that it understands privacy incidents are unavoidable due to the nature of CSE's work, but it flagged problems with the way CSE treats breaches — and warned that there's nothing stopping systemic incidents from reoccurring unless changes are made.

"The mitigation, documentation and reporting of privacy incidents was inconsistent and did not always meet the transparency and accountability objectives set out in CSE internal policy," said the NSIRA report.

"Moreover, incidents were not always assessed with a view to determining the impact on lawfulness and/or the privacy of Canadians."

CSE-watcher and Citizen Lab Research fellow Bill Robinson said the report shows that the spy agency isn't doing enough to clean up after it makes a mistake that leads to a privacy breach.

"We're talking about when they make mistakes and information about average Canadians ends up getting reported by them, or otherwise gets into people's inboxes or ... where it shouldn't be," he said.

"And then, what do they do when they find out about that and how do they try to prevent that from happening? And the report suggests they're not doing a very good job of that.

"It's kind of a damning report for CSE."

CSE failing to follow up, says NSIRA

While many details are blacked out in the report, NSIRA said it observed incidents of data containing Canadian identity information being incorrectly shared, and of foreign intelligence products created through inadvertent targeting of Canadians. CSE would cancel or delete the information without checking to see of the information had been used, said the report.

"Cancelling a SIGINT product, in NSIRA's opinion, is insufficient to mitigate the potential harm arising from inadvertently including Canadian information within a report," said the report.

'While the potential harm is limited from the moment the report is cancelled, information with a Canadian privacy interest might still have been used prior to the product's cancellation."

That failure to follow up could have real consequences, said Robinson.

"They don't check on asking what they've done with the information, which could be putting somebody on a no-fly list. Or it could be putting them on a 'kill them with a drone' list in the worst case," he said.

A spokesperson for CSE said the agency has either implemented or is in the middle of introducing policy changes and technical fixes to address privacy incidents going forward.

"We have accepted NSIRA's recommendation to modify and update our approach on reporting on privacy incidents, so that an incident report is completed for every incident with a Canadian privacy interest," said Evan Koronewski in a statement to CBC News.

"CSE's operational policies establish specific measures to protect the privacy of Canadians and persons in Canada in the acquisition, use and retention of information. To ensure our staff understand and abide by our operational policies, we regularly train, test, and verify their knowledge and compliance."

NSIRA said the number of breach incidents has nearly doubled over the previous year. It said CSE's failure to assess these incidents amounts to a "gap in responsibility" for the spy agency.

Koronewski said some of the incidents CSE self-identified were simple errors.

"CSE's robust and layered approach to privacy protection contributes to an operational environment resulting in a relatively small number of inadvertent privacy incidents," said Koronewski.

"Some of these incidents are unfortunately a result of simple errors, which requires information to be updated and/or corrected."

As part of its the review, the oversight body's staff reviewed incident files between July 1, 2018 and July 31, 2019 involving information about a person or business in Canada that was handled in a manner counter to CSE's mandate, and cases involving a Canadian or a person in Canada involving the Five Eyes alliance. It also looked at cases where CSE improperly handled information about a Canadian or a person in Canada — but the information was kept from leaking out.

Leah West, a former federal lawyer turned assistant professor on national security issues at Carleton University, said cases involving allies instead of adversaries do not absolve CSE of responsibility.

West cited the case of Maher Arar. The engineer was detained by the U.S. in 2002 and deported to Syria, where he was tortured and interrogated on false terrorism allegations. A judicial inquiry found the RCMP had given misleading information to U.S. authorities.

"We just have to look at the Maher Arar incident to see where information can be shared with an ally about a Canadian that has significant implications for that Canadian once they're outside our jurisdiction. So it's not that this stuff doesn't matter," she said.

"There was a lot of stuff in this report that made me question how much is being done here for purely for the sake of compliance, rather than the deeper understanding of the trust that we put in CSE to be able to collect this information and to keep that information safe, and to collect only that information that it's absolutely necessary, especially when it comes to information that impacts the privacy of Canadians."

CSE's privacy issues were also flagged in NSIRA's annual report late last year.