Privacy expert Ann Cavoukian has criticized the federal government for not better protecting the telecommunications metadata two Canadian intelligence agencies collect.
“This is not some unimportant information that was released,” Cavoukian, executive director of Ryerson University’s Privacy and Big Data Institute and former Ontario privacy commissioner, told the CBC Radio program The House on Saturday.
“I was distressed that additional measures weren’t taken to ensure that before information was shared with our external partners there was no information on Canadians, metadata or otherwise.”
Defence minister Harjit Sajjan issued a statement saying in this case “the privacy impact was low,” but Cavoukian disagreed. “Metadata can be far more revealing than the actual content of communications,” she said.
It was the “height of irony,” she added, that reports by federal watchdogs describing the problems at the country’s electronic spy agency, the Communications Security Establishment (CSE), and its domestic intelligence service, the Canadian Security Intelligence Service (CSIS), were released last week on Data Privacy Day.
In those reports:
—CSE commissioner Jean-Pierre Plouffe said he was told in 2014 that the agency realized that metadata it had been gathering hadn’t been anonymized properly before being shared with the U.S., Britain, Australia and New Zealand. That was contrary to a directive from the minister of defence.
CSE is prohibited from directing its metadata activities at a Canadian or at any person in Canada. However, if it collects metadata from electronic spying — data that identifies, describes, manages or routes telecommunications — it has to protect privacy in the use of that metadata.
CSE fixed the problem, and has suspended sharing certain metadata with our allies, Plouffe said. But he also found CSE’s system for minimizing certain types of metadata “was decentralized and lacked appropriate control and prioritization. CSE also lacked a proper record-keeping process.”
In addition, he found the defence minister’s order lacks specificity regarding the application of privacy provisions to certain processes. Furthermore, the directive does not provide clear guidance regarding a specific metadata activity that is routinely undertaken by CSE in the context of its foreign signals intelligence mission.
But he didn’t think CSE was trying to get around the minister’s order.
According to a new report, CSE blamed the problem on software.
This report dealt with the use of metadata and foreign signals intelligence. Plouffe’s office is also working on two other reports dealing with CSE’s use of metadata: one relating to counter-terrorism, and the other on using metadata in an IT security context.
—The other report was from the Security Intelligence Review Committee, which oversees CSIS, and dealt with the service’s unwillingness to destroy metadata.
CSIS can go to a Canadian court for a warrant to intercept communications and metadata of specified people from telecom providers here. According to the review committee report, any incidentally collected communications of people other than those named in the warrant had to be destroyed.
But the warrant also said it could be kept if it “may assist” in the investigation of a threat to the security of Canada. And so that metadata was retained.
The problem, the review committee said, is that CSIS didn’t make this clear to the Federal Court judge in 2011 when it changed the wording of warrant conditions.
The review committee recommended CSIS be clear to the court about its retention and use of metadata.
However, the report adds, CSIS doesn’t agree it had to do that, arguing that it was clear in 2011 to the Federal Court and that at any rate the court doesn’t have any general supervisory authority. The review committee’s suggestion, therefore, was “inappropriate and unwarranted.”
Meeting with reporters after the report was released, Public Safety minister Ralph Goodale said CSIS has briefed the Federal Court about its use of metadata and therefore has complied with the report’s recommendation.
Separately, infosec pros might be interested to know that CSIS is having the same trouble controlling data access as some of them are.
The review committee looked at CSIS’s practices surrounding access lists, the way the intelligence agency tracks how sensitive information is accessed and by whom. The committee “found examples of a haphazard application of this process, as well as a lack of documented procedures governing the functioning and maintenance of its access lists. Therefore, SIRC recommended that CSIS immediately develop robust procedures governing access lists.”