Cyber spies fall short on protecting Canadians' privacy after breaches, says new report - Action News

The foreign signals intelligence agency has put Canadians' privacy at risk in a growing number of incidents and then falls short in making sure that information is contained, says a newly published report from the intelligence watchdog.

NSIRA flagged issues in the way CSE mitigates the fallout from privacy breaches

The Communications Security Establishment complex is pictured in Ottawa on October 15, 2013. The CSE gathers foreign signals intelligence. (Sean Kilpatrick/Canadian Press)

Canada's foreign signals intelligence agency has been falling short when it comes to containing the damage done by privacy breaches, says a new report from the intelligence sector watchdog.

The findings are found in a redacted report from the National Security and Intelligence Review Agency (NSIRA) looking into reported breaches of Canadians' privacy by the Communications Security Establishment (CSE). The report was made public this week.

The CSE gathers foreign signals intelligence, or SIGINT, to use the intelligence sector's term for it. Its mandate specifically limits it to monitoring online activity abroad. The agency also has been tasked with protecting critical government infrastructure from hackers and state-sponsored attacks.

Given the sensitive nature of its work, CSE has to catalogue every incident of its activities putting the privacy of Canadians, or of any individual in Canada, at risk.

The watchdog agency wrote that it understands privacy incidents are unavoidable due to the nature of CSE's work, but it flagged problems with the way CSE treats breaches and warned that there's nothing stopping systemic incidents from reoccurring unless changes are made.

"The mitigation, documentation and reporting of privacy incidents was inconsistent and did not always meet the transparency and accountability objectives set out in CSE internal policy," said the NSIRA report.

"Moreover, incidents were not always assessed with a view to determining the impact on lawfulness and/or the privacy of Canadians."

CSE-watcher and Citizen Lab Research fellow Bill Robinson said the report shows that the spy agency isn't doing enough to clean up after it makes a mistake that leads to a privacy breach.

"We're talking about when they make mistakes and information about average Canadians ends up getting reported by them, or otherwise gets into people's inboxes or ... where it shouldn't be," he said.

"And then, what do they do when they find out about that and how do they try to prevent that from happening? And the report suggests they're not doing a very good job of that.

"It's kind of a damning report for CSE."

CSE failing to follow up, says NSIRA

While many details are blacked out in the report, NSIRA said it observed incidents of data containing Canadian identity information being incorrectly shared, and of foreign intelligence products created through inadvertent targeting of Canadians. CSE would cancel or delete the information without checking to see if the information had been used, said the report.

"Cancelling a SIGINT product, in NSIRA's opinion, is insufficient to mitigate the potential harm arising from inadvertently including Canadian information within a report," said the report.

"While the potential harm is limited from the moment the report is cancelled, information with a Canadian privacy interest might still have been used prior to the product's cancellation."

That failure to follow up could have real consequences, said Robinson.

"They don't check on asking what they've done with the information, which could be putting somebody on a no-fly list. Or it could be putting them on a 'kill them with a drone' list in the worst case," he said.

A spokesperson for CSE said the agency has either implemented or is in the middle of introducing policy changes and technical fixes to address privacy incidents going forward.

"We have accepted NSIRA's recommendation to modify and update our approach on reporting on privacy incidents, so that an incident report is completed for every incident with a Canadian privacy interest," said Evan Koronewski in a statement to CBC News.

"CSE's operational policies establish specific measures to protect the privacy of Canadians and persons in Canada in the acquisition, use and retention of information. To ensure our staff understand and abide by our operational policies, we regularly train, test, and verify their knowledge and compliance."

NSIRA said the number of breach incidents has nearly doubled over the previous year. It said CSE's failure to assess these incidents amounts to a "gap in responsibility" for the spy agency.

Koronewski said some of the incidents CSE self-identified were simple errors.

"CSE's robust and layered approach to privacy protection contributes to an operational environment resulting in a relatively small number of inadvertent privacy incidents," said Koronewski.

"Some of these incidents are unfortunately a result of simple errors, which requires information to be updated and/or corrected."

As part of its review, the oversight body's staff reviewed incident files between July 1, 2018 and July 31, 2019 involving information about a person or business in Canada that was handled in a manner counter to CSE's mandate, and cases involving a Canadian or a person in Canada involving the Five Eyes alliance. It also looked at cases where CSE improperly handled information about a Canadian or a person in Canada but the information was kept from leaking out.

Leah West, a former federal lawyer turned assistant professor on national security issues at Carleton University, said cases involving allies instead of adversaries do not absolve CSE of responsibility.

West cited the case of Maher Arar. The engineer was detained by the U.S. in 2002 and deported to Syria, where he was tortured and interrogated on false terrorism allegations. A judicial inquiry found the RCMP had given misleading information to U.S. authorities.

"We just have to look at the Maher Arar incident to see where information can be shared with an ally about a Canadian that has significant implications for that Canadian once they're outside our jurisdiction. So it's not that this stuff doesn't matter," she said.

"There was a lot of stuff in this report that made me question how much is being done here for purely for the sake of compliance, rather than the deeper understanding of the trust that we put in CSE to be able to collect this information and to keep that information safe, and to collect only that information that it's absolutely necessary, especially when it comes to information that impacts the privacy of Canadians."

CSE's privacy issues were also flagged in NSIRA's annual report late last year.