Privacy expert Ann Cavoukian has criticized the federal government for not better protecting the telecommunications metadata two Canadian intelligence agencies collect.
โThis is not some unimportant information that was released, Cavoukian, executive director of the Ryerson Universityโs Privacy and Big Data Institute and former Ontario privacy commissioner, told the CBC Radio program The House on Saturday.
โI was distressed that additional measures werenโt taken to ensure that before information was shared with our external ย partners there was no information on Canadians, metadata or otherwise.โ
Defence minister Harjit Sajjan issued a statement saying in this case โthe privacy impact was low,โ but Cavoukian disagreed. โMetadata can be far more revealing than the actual content of communications,โ she said.
It was the โheight of irony,โ she added, that reports describing the problems by federal watchdogs on the countryโs electronic spy agency, the Communications Security Establishment (CSE) and its domestic intelligence services, the Canadian Security Intelligence Service (CSIS), were released last week on Data Privacy Day.
In those reports
โCSE commissioner Jean Pierre Plouffe said he was told in 2014 that the agency realized that metadata it had been gathering hadnโt been anonymized properly before being shared with the U.S., Britain, Australia and New Zealand. That was contrary to a directive from the minister of defence.
CSE is prohibited from directing its metadata activities at a Canadian or at any person in Canada. However, if it collects metadata from electronic spying โ data thatย identifies, describes, manages or routes telecommunications โ it has to protect privacy in the use of that metadata.
CSE fixed the problem, and has suspended sharing certain metadata with our allies, Plouffe said. But he also found CSEโs system for minimizing certain types of metadata โwas decentralized and lacked appropriate control and prioritization. CSE also lacked a proper record-keeping process.โ
In addition, he found the defence ministerโs order lacks specificity regarding the application of privacy provisions to certain processes. Furthermore, the directive does not provide clear guidance regarding a specific metadata activity that is routinely undertaken by CSE in the context of its foreign signals intelligence mission.
But he didnโt think CSE was trying to get around the ministerโs order.
According to a new report, CSE blamed the problem on software.
This report dealt with the use of metadata and foreign signals intelligence. Plouffeโs office is also working on two other reports dealing with CSEโs use of metadata: One relating to counter-terrorism, and other on using metadata in an IT security context.
โThe other report was from the Security Intelligence Review Committee, which oversees CSIS, and dealt with the serviceโs unwillingness to destroy metadata.
CSIS can go to a Canadian court for a warrant to intercept communications and metadata of specified people from telecom providers here. According to the review committee report any communications of people other than those named in the warrant incidentally collected had to be destroyed.
But the warrant also said it could be kept if it โmay assistโ in the investigation of a threat to the security of Canada. And so that metadata was retained.
The problem, the review committee said, is that CSIS didnโt make it clear in 2011 to the Federal Court judge of this when it changed the wording of warrant conditions.
The review committee recommended CSIS be clear to the court about its retention and use of metadata.
However, the report adds, CSIS doesnโt agree it had to do that, arguing that it was clear in 2011 to the Federal Court and that in any rate the court doesnโt have any general supervisory authority. The review committeeโs suggestion, therefore was โinappropriate and unwarranted.โ
Meeting with reporters after the report was released Public Safety minister Ralph Goodale said CSIS has briefed the Federal Court about its use of metadata and therefore has complied with the reportโs recommendation.
Separately infosec pros might be interested to know that CSIS is having the same trouble controlling data access as some of them are.
The review committee looked at CSISโs practices surrounding access lists, the way the intelligence agency tracks how sensitive information is accessed and by whom. The committee โfound examples of a haphazard application of this process, as well as a lack of documented procedures governing the functioning and maintenance of its access lists. Therefore,ย SIRCย recommended thatย CSISย immediately develop robust procedures governing access lists.โ