The Communications Security Establishment Canada (CSEC) routinely sweeps up information on Canadian citizens in the course of monitoring global communications and assessing the vulnerability of federal computer networks. That information can be held in a CSEC data bank for as long as 30 years, something a security expert calls “remarkable.”

The federal Info Source guide to personal information held by the government says the information held in the CSEC database can include a person’s full name, email address, IP address and metadata about the communication – which itself may include incidental personal details.

CSEC says the Canadian information is not deliberately targeted, but that in the course of its monitoring of foreign communications it can’t help but gather some data from inside the country.

Wesley Wark, a visiting professor at the University of Ottawa’s graduate school of public and international affairs, says that the full extent of the information held as a result of cybersecurity activities is still unknown.

In a Canadian Press story published on the CTV News web site, Wark also criticized independent annual reports on CSEC’s activities as “insider exercises that tell Canadians little.” Wark challenged senators to make any sense of the reports.

Information released under an Access to Information request say that when CSEC intercepts a private Canadian communication, “it can only be used or retained if it is deemed essential to international affairs, defence or security.” A CSEC spokesperson said that any information collected during an assessment of a federal network is destroyed afterwards — even sooner if it isn’t needed to help protect the network being assessed.

Because the gathering of a certain amount of Canadian data is unavoidable, CSEC has been given special authorization by the federal defence minister, in order to avoid contravening Criminal Code prohibition against intercepting the private communications of Canadian citizens.

Information from the data bank, fortuitously named CSEC PPU 007, may be shared with Canadian police agencies “or foreign bodies” under the provisions of formal agreements. CSEC works particularly closely with its U.S. counterpart the National Security Agency (NSA) and its other “Five Eyes” partners in Britain, Australia and New Zealand.