Canada’s cyber intelligence agency logged 114 ‘privacy incidents’ in 2022

Canada’s electronic intelligence agency logged 114 privacy “incidents” over the last fiscal year, including 23 that were attributed to a Five Eyes partner agency.

The disclosure comes as the Communications Security Establishment (CSE), Canada’s cyber defence and espionage agency, resumes sharing “metadata” with close security partners after the program was halted due to privacy concerns.

“Privacy incidents” can include everything from minor procedural mistakes, for instance mislabeling data, to more significant disclosures of sensitive information. The CSE’s report does not include detail on how severe any of the 114 breaches in 2022-23 were.  “Metadata” refers to information related to electronic communications — for instance, IP addresses, the date and time messages were sent, phone numbers and email addresses — not the content of messages themselves. However, the information can still be extremely sensitive, and the CSE noted it’s an “essential” part of their foreign intelligence mission.

In its 2022-23 annual report, the CSE noted that it has “detailed” internal policies on “how to handle information related to Canadians.” By law, the CSE is prohibited from turning its surveillance capabilities on Canadians or people in Canada. But Canadians’ information can still be scooped up “incidentally” through the CSE’s surveillance of global internet infrastructure.

Even minor privacy breaches are logged as “operational privacy incidents,” the agency reported.

“CSE takes steps to correct the error, for instance by deleting data. CSE logs and tracks privacy incidents so we can take steps to prevent future incidents,” the report, released Thursday, read.

It’s difficult to put the 114 incidents in 2022-23 in context, as CSE has not previously reported the number of privacy breaches in its last three annual reports. Separate reports on the agency’s compliance with privacy laws indicate a handful of breaches that were serious enough to notify Canada’s privacy watchdog over the last five years.

The CSE has sophisticated electronic surveillance capabilities, and has been under increased scrutiny over the last decade after Edward Snowden leaked classified information about Five Eyes spying operations. While the agency is prohibited against directly targeting Canadians, it hoovers up massive amounts of information from the global internet, and has faced criticism over its privacy policies.

A 2020 report from the National Security and Intelligence Review Agency, an independent review body, stated that privacy breaches were “unavoidable” due to the nature of the CSE’s work – although noted some deficiencies in how the agency addressed the incidents.

The CSE’s report also disclosed that the agency has resumed sharing “metadata” with Five Eyes security partners — agencies in the U.S., U.K., Australia and New Zealand — almost a decade after the program was halted due to privacy concerns.

The agency suspended sharing metadata with close allies in 2014, after it discovered that some information that could identify Canadians was being shared — inadvertently, according to the CSE.

“CSE gathers metadata under the foreign intelligence aspect of our mandate, which prohibits us from targeting the communications of Canadians or anyone in Canada. However, the global information infrastructure (GII) is just that — global,” the report read.

“Therefore, when acquiring information from the GII, CSE may incidentally acquire information that can be used to identify a Canadian person or person in Canada.”

The agency said it has put in place a new system that gives CSE control over what metadata is shared, and minimizes the risk of sharing identifiable information about Canadians with security partners.

by Global News